Annotation of src/usr.bin/ssh/channels.c, Revision 1.410
1.410 ! djm 1: /* $OpenBSD: channels.c,v 1.409 2022/01/01 01:55:30 jsg Exp $ */
1.1 deraadt 2: /*
1.26 deraadt 3: * Author: Tatu Ylonen <ylo@cs.hut.fi>
4: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5: * All rights reserved
6: * This file contains functions for generic socket connection forwarding.
7: * There is also code for initiating connection forwarding for X11 connections,
8: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 9: *
1.67 deraadt 10: * As far as I am concerned, the code I have written for this software
11: * can be used freely for any purpose. Any derived versions of this
12: * software must be clearly marked as such, and if the derived work is
13: * incompatible with the protocol description in the RFC file, it must be
14: * called by a name other than "ssh" or "Secure Shell".
15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.156 markus 17: * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
1.67 deraadt 18: * Copyright (c) 1999 Dug Song. All rights reserved.
19: * Copyright (c) 1999 Theo de Raadt. All rights reserved.
20: *
21: * Redistribution and use in source and binary forms, with or without
22: * modification, are permitted provided that the following conditions
23: * are met:
24: * 1. Redistributions of source code must retain the above copyright
25: * notice, this list of conditions and the following disclaimer.
26: * 2. Redistributions in binary form must reproduce the above copyright
27: * notice, this list of conditions and the following disclaimer in the
28: * documentation and/or other materials provided with the distribution.
29: *
30: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.26 deraadt 40: */
1.1 deraadt 41:
1.265 deraadt 42: #include <sys/types.h>
1.336 millert 43: #include <sys/stat.h>
1.234 stevesk 44: #include <sys/ioctl.h>
1.235 stevesk 45: #include <sys/un.h>
1.251 stevesk 46: #include <sys/socket.h>
1.261 stevesk 47: #include <sys/time.h>
1.275 djm 48: #include <sys/queue.h>
1.251 stevesk 49:
50: #include <netinet/in.h>
51: #include <arpa/inet.h>
1.233 stevesk 52:
1.254 stevesk 53: #include <errno.h>
1.298 dtucker 54: #include <fcntl.h>
1.367 djm 55: #include <limits.h>
1.255 stevesk 56: #include <netdb.h>
1.367 djm 57: #include <stdarg.h>
1.341 millert 58: #include <stdint.h>
1.263 stevesk 59: #include <stdio.h>
1.262 stevesk 60: #include <stdlib.h>
1.260 stevesk 61: #include <string.h>
1.233 stevesk 62: #include <termios.h>
1.256 stevesk 63: #include <unistd.h>
1.1 deraadt 64:
1.265 deraadt 65: #include "xmalloc.h"
1.1 deraadt 66: #include "ssh.h"
1.82 markus 67: #include "ssh2.h"
1.354 markus 68: #include "ssherr.h"
1.367 djm 69: #include "sshbuf.h"
1.1 deraadt 70: #include "packet.h"
1.82 markus 71: #include "log.h"
72: #include "misc.h"
1.14 markus 73: #include "channels.h"
74: #include "compat.h"
1.82 markus 75: #include "canohost.h"
1.383 markus 76: #include "sshkey.h"
1.64 markus 77: #include "authfd.h"
1.147 stevesk 78: #include "pathnames.h"
1.381 djm 79: #include "match.h"
1.388 djm 80:
1.367 djm 81: /* -- agent forwarding */
82: #define NUM_SOCKS 10
1.12 markus 83:
1.367 djm 84: /* -- tcp forwarding */
85: /* special-case port number meaning allow any port */
86: #define FWD_PERMIT_ANY_PORT 0
1.1 deraadt 87:
1.367 djm 88: /* special-case wildcard meaning allow any host */
89: #define FWD_PERMIT_ANY_HOST "*"
1.1 deraadt 90:
1.367 djm 91: /* -- X11 forwarding */
92: /* Maximum number of fake X11 displays to try. */
93: #define MAX_DISPLAYS 1000
1.1 deraadt 94:
1.381 djm 95: /* Per-channel callback for pre/post select() actions */
1.410 ! djm 96: typedef void chan_fn(struct ssh *, Channel *c);
1.381 djm 97:
1.27 markus 98: /*
99: * Data structure for storing which hosts are permitted for forward requests.
100: * The local sides of any remote forwards are stored in this array to prevent
101: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
102: * network (which might be behind a firewall).
103: */
1.336 millert 104: /* XXX: streamlocal wants a path instead of host:port */
105: /* Overload host_to_connect; we could just make this match Forward */
106: /* XXX - can we use listen_host instead of listen_path? */
1.381 djm 107: struct permission {
1.41 markus 108: char *host_to_connect; /* Connect to 'host'. */
1.336 millert 109: int port_to_connect; /* Connect to 'port'. */
1.333 markus 110: char *listen_host; /* Remote side should listen address. */
1.336 millert 111: char *listen_path; /* Remote side should listen path. */
112: int listen_port; /* Remote side should listen port. */
1.354 markus 113: Channel *downstream; /* Downstream mux*/
1.381 djm 114: };
115:
116: /*
117: * Stores the forwarding permission state for a single direction (local or
118: * remote).
119: */
120: struct permission_set {
121: /*
122: * List of all local permitted host/port pairs to allow for the
123: * user.
124: */
125: u_int num_permitted_user;
126: struct permission *permitted_user;
1.1 deraadt 127:
1.381 djm 128: /*
129: * List of all permitted host/port pairs to allow for the admin.
130: */
131: u_int num_permitted_admin;
132: struct permission *permitted_admin;
133:
134: /*
135: * If this is true, all opens/listens are permitted. This is the
136: * case on the server on which we have to trust the client anyway,
137: * and the user could do anything after logging in.
138: */
139: int all_permitted;
140: };
1.121 markus 141:
1.367 djm 142: /* Master structure for channels state */
143: struct ssh_channels {
144: /*
145: * Pointer to an array containing all allocated channels. The array
146: * is dynamically extended as needed.
147: */
148: Channel **channels;
1.257 dtucker 149:
1.367 djm 150: /*
151: * Size of the channel array. All slots of the array must always be
152: * initialized (at least the type field); unused slots set to NULL
153: */
154: u_int channels_alloc;
1.257 dtucker 155:
1.367 djm 156: /*
157: * Maximum file descriptor value used in any of the channels. This is
158: * updated in channel_new.
159: */
160: int channel_max_fd;
1.257 dtucker 161:
1.367 djm 162: /*
163: * 'channel_pre*' are called just before select() to add any bits
164: * relevant to channels in the select bitmasks.
165: *
166: * 'channel_post*': perform any appropriate operations for
167: * channels which have events pending.
168: */
169: chan_fn **channel_pre;
170: chan_fn **channel_post;
1.314 dtucker 171:
1.367 djm 172: /* -- tcp forwarding */
1.381 djm 173: struct permission_set local_perms;
174: struct permission_set remote_perms;
1.219 djm 175:
1.367 djm 176: /* -- X11 forwarding */
1.121 markus 177:
1.367 djm 178: /* Saved X11 local (client) display. */
179: char *x11_saved_display;
1.121 markus 180:
1.367 djm 181: /* Saved X11 authentication protocol name. */
182: char *x11_saved_proto;
1.347 djm 183:
1.367 djm 184: /* Saved X11 authentication data. This is the real data. */
185: char *x11_saved_data;
186: u_int x11_saved_data_len;
1.121 markus 187:
1.367 djm 188: /* Deadline after which all X11 connections are refused */
189: u_int x11_refuse_time;
1.121 markus 190:
1.367 djm 191: /*
192: * Fake X11 authentication data. This is what the server will be
193: * sending us; we should replace any occurrences of this by the
194: * real data.
195: */
196: u_char *x11_fake_data;
197: u_int x11_fake_data_len;
1.121 markus 198:
1.367 djm 199: /* AF_UNSPEC or AF_INET or AF_INET6 */
200: int IPv4or6;
201: };
1.1 deraadt 202:
1.121 markus 203: /* helper */
1.367 djm 204: static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype);
1.354 markus 205: static const char *channel_rfwd_bind_host(const char *listen_host);
1.103 markus 206:
1.276 djm 207: /* non-blocking connect helpers */
208: static int connect_next(struct channel_connect *);
209: static void channel_connect_ctx_free(struct channel_connect *);
1.372 markus 210: static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *);
211: static int rdynamic_connect_finish(struct ssh *, Channel *);
1.276 djm 212:
1.367 djm 213: /* Setup helper */
214: static void channel_handler_init(struct ssh_channels *sc);
215:
1.121 markus 216: /* -- channel core */
1.41 markus 217:
1.367 djm 218: void
219: channel_init_channels(struct ssh *ssh)
220: {
221: struct ssh_channels *sc;
222:
1.387 djm 223: if ((sc = calloc(1, sizeof(*sc))) == NULL)
1.403 djm 224: fatal_f("allocation failed");
1.367 djm 225: sc->channels_alloc = 10;
226: sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
227: sc->IPv4or6 = AF_UNSPEC;
228: channel_handler_init(sc);
229:
230: ssh->chanctxt = sc;
231: }
232:
1.41 markus 233: Channel *
1.367 djm 234: channel_by_id(struct ssh *ssh, int id)
1.41 markus 235: {
236: Channel *c;
1.113 markus 237:
1.367 djm 238: if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) {
1.403 djm 239: logit_f("%d: bad id", id);
1.41 markus 240: return NULL;
241: }
1.367 djm 242: c = ssh->chanctxt->channels[id];
1.113 markus 243: if (c == NULL) {
1.403 djm 244: logit_f("%d: bad id: channel free", id);
1.41 markus 245: return NULL;
246: }
247: return c;
1.55 markus 248: }
249:
1.354 markus 250: Channel *
1.368 djm 251: channel_by_remote_id(struct ssh *ssh, u_int remote_id)
1.354 markus 252: {
253: Channel *c;
254: u_int i;
255:
1.367 djm 256: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
257: c = ssh->chanctxt->channels[i];
1.368 djm 258: if (c != NULL && c->have_remote_id && c->remote_id == remote_id)
1.354 markus 259: return c;
260: }
261: return NULL;
262: }
263:
1.27 markus 264: /*
1.229 markus 265: * Returns the channel if it is allowed to receive protocol messages.
266: * Private channels, like listening sockets, may not receive messages.
267: */
268: Channel *
1.367 djm 269: channel_lookup(struct ssh *ssh, int id)
1.229 markus 270: {
271: Channel *c;
272:
1.367 djm 273: if ((c = channel_by_id(ssh, id)) == NULL)
274: return NULL;
1.229 markus 275:
1.237 deraadt 276: switch (c->type) {
1.229 markus 277: case SSH_CHANNEL_X11_OPEN:
278: case SSH_CHANNEL_LARVAL:
279: case SSH_CHANNEL_CONNECTING:
280: case SSH_CHANNEL_DYNAMIC:
1.372 markus 281: case SSH_CHANNEL_RDYNAMIC_OPEN:
282: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.229 markus 283: case SSH_CHANNEL_OPENING:
284: case SSH_CHANNEL_OPEN:
1.323 dtucker 285: case SSH_CHANNEL_ABANDONED:
1.354 markus 286: case SSH_CHANNEL_MUX_PROXY:
1.367 djm 287: return c;
1.229 markus 288: }
289: logit("Non-public channel %d, type %d.", id, c->type);
1.367 djm 290: return NULL;
1.229 markus 291: }
292:
293: /*
1.55 markus 294: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 295: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 296: */
1.127 itojun 297: static void
1.367 djm 298: channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
1.282 dtucker 299: int extusage, int nonblock, int is_tty)
1.1 deraadt 300: {
1.367 djm 301: struct ssh_channels *sc = ssh->chanctxt;
302:
1.25 markus 303: /* Update the maximum file descriptor value. */
1.367 djm 304: sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, rfd);
305: sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, wfd);
306: sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, efd);
1.84 markus 307:
1.298 dtucker 308: if (rfd != -1)
309: fcntl(rfd, F_SETFD, FD_CLOEXEC);
310: if (wfd != -1 && wfd != rfd)
311: fcntl(wfd, F_SETFD, FD_CLOEXEC);
312: if (efd != -1 && efd != rfd && efd != wfd)
313: fcntl(efd, F_SETFD, FD_CLOEXEC);
1.55 markus 314:
1.52 markus 315: c->rfd = rfd;
316: c->wfd = wfd;
317: c->sock = (rfd == wfd) ? rfd : -1;
318: c->efd = efd;
319: c->extended_usage = extusage;
1.71 markus 320:
1.282 dtucker 321: if ((c->isatty = is_tty) != 0)
1.194 markus 322: debug2("channel %d: rfd %d isatty", c->self, c->rfd);
1.91 markus 323:
1.71 markus 324: /* enable nonblocking mode */
1.407 djm 325: c->restore_block = 0;
326: if (nonblock == CHANNEL_NONBLOCK_STDIO) {
327: /*
328: * Special handling for stdio file descriptors: do not set
329: * non-blocking mode if they are TTYs. Otherwise prepare to
330: * restore their blocking state on exit to avoid interfering
331: * with other programs that follow.
332: */
333: if (rfd != -1 && !isatty(rfd) && fcntl(rfd, F_GETFL) == 0) {
334: c->restore_block |= CHANNEL_RESTORE_RFD;
335: set_nonblock(rfd);
336: }
337: if (wfd != -1 && !isatty(wfd) && fcntl(wfd, F_GETFL) == 0) {
338: c->restore_block |= CHANNEL_RESTORE_WFD;
339: set_nonblock(wfd);
340: }
341: if (efd != -1 && !isatty(efd) && fcntl(efd, F_GETFL) == 0) {
342: c->restore_block |= CHANNEL_RESTORE_EFD;
343: set_nonblock(efd);
344: }
345: } else if (nonblock) {
1.71 markus 346: if (rfd != -1)
347: set_nonblock(rfd);
348: if (wfd != -1)
349: set_nonblock(wfd);
350: if (efd != -1)
351: set_nonblock(efd);
352: }
1.52 markus 353: }
354:
355: /*
356: * Allocate a new channel object and set its type and socket. This will cause
357: * remote_name to be freed.
358: */
1.113 markus 359: Channel *
1.367 djm 360: channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
1.178 markus 361: u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
1.52 markus 362: {
1.367 djm 363: struct ssh_channels *sc = ssh->chanctxt;
364: u_int i, found;
1.52 markus 365: Channel *c;
1.402 djm 366: int r;
1.25 markus 367:
368: /* Try to find a free slot where to put the new channel. */
1.367 djm 369: for (i = 0; i < sc->channels_alloc; i++) {
370: if (sc->channels[i] == NULL) {
1.25 markus 371: /* Found a free slot. */
1.367 djm 372: found = i;
1.25 markus 373: break;
374: }
1.367 djm 375: }
376: if (i >= sc->channels_alloc) {
377: /*
378: * There are no free slots. Take last+1 slot and expand
379: * the array.
380: */
381: found = sc->channels_alloc;
382: if (sc->channels_alloc > CHANNELS_MAX_CHANNELS)
1.403 djm 383: fatal_f("internal error: channels_alloc %d too big",
384: sc->channels_alloc);
1.367 djm 385: sc->channels = xrecallocarray(sc->channels, sc->channels_alloc,
386: sc->channels_alloc + 10, sizeof(*sc->channels));
387: sc->channels_alloc += 10;
388: debug2("channel: expanding %d", sc->channels_alloc);
1.25 markus 389: }
1.113 markus 390: /* Initialize and return new channel. */
1.367 djm 391: c = sc->channels[found] = xcalloc(1, sizeof(Channel));
392: if ((c->input = sshbuf_new()) == NULL ||
393: (c->output = sshbuf_new()) == NULL ||
394: (c->extended = sshbuf_new()) == NULL)
1.403 djm 395: fatal_f("sshbuf_new failed");
1.402 djm 396: if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
1.403 djm 397: fatal_fr(r, "sshbuf_set_max_size");
1.159 markus 398: c->ostate = CHAN_OUTPUT_OPEN;
399: c->istate = CHAN_INPUT_OPEN;
1.367 djm 400: channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
1.25 markus 401: c->self = found;
402: c->type = type;
1.41 markus 403: c->ctype = ctype;
1.51 markus 404: c->local_window = window;
405: c->local_window_max = window;
406: c->local_maxpacket = maxpack;
1.190 markus 407: c->remote_name = xstrdup(remote_name);
1.302 djm 408: c->ctl_chan = -1;
1.299 markus 409: c->delayed = 1; /* prevent call to channel_post handler */
1.275 djm 410: TAILQ_INIT(&c->status_confirms);
1.25 markus 411: debug("channel %d: new [%s]", found, remote_name);
1.113 markus 412: return c;
1.1 deraadt 413: }
1.52 markus 414:
1.367 djm 415: static void
416: channel_find_maxfd(struct ssh_channels *sc)
1.132 markus 417: {
1.209 avsm 418: u_int i;
419: int max = 0;
1.132 markus 420: Channel *c;
421:
1.367 djm 422: for (i = 0; i < sc->channels_alloc; i++) {
423: c = sc->channels[i];
1.132 markus 424: if (c != NULL) {
1.352 deraadt 425: max = MAXIMUM(max, c->rfd);
426: max = MAXIMUM(max, c->wfd);
427: max = MAXIMUM(max, c->efd);
1.132 markus 428: }
429: }
1.367 djm 430: sc->channel_max_fd = max;
1.132 markus 431: }
432:
433: int
1.407 djm 434: channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
1.132 markus 435: {
1.367 djm 436: struct ssh_channels *sc = ssh->chanctxt;
1.407 djm 437: int ret, fd = *fdp;
1.132 markus 438:
1.407 djm 439: if (fd == -1)
440: return 0;
441:
442: if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
443: (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
444: (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
445: (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
446:
447: ret = close(fd);
448: *fdp = -1;
449: if (fd == sc->channel_max_fd)
450: channel_find_maxfd(sc);
1.132 markus 451: return ret;
452: }
453:
1.52 markus 454: /* Close all channel fd/socket. */
1.127 itojun 455: static void
1.367 djm 456: channel_close_fds(struct ssh *ssh, Channel *c)
457: {
1.379 tb 458: int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
459:
1.407 djm 460: channel_close_fd(ssh, c, &c->sock);
1.379 tb 461: if (rfd != sock)
1.407 djm 462: channel_close_fd(ssh, c, &c->rfd);
1.379 tb 463: if (wfd != sock && wfd != rfd)
1.407 djm 464: channel_close_fd(ssh, c, &c->wfd);
1.379 tb 465: if (efd != sock && efd != rfd && efd != wfd)
1.407 djm 466: channel_close_fd(ssh, c, &c->efd);
1.367 djm 467: }
468:
469: static void
1.381 djm 470: fwd_perm_clear(struct permission *perm)
1.52 markus 471: {
1.381 djm 472: free(perm->host_to_connect);
473: free(perm->listen_host);
474: free(perm->listen_path);
1.398 dtucker 475: memset(perm, 0, sizeof(*perm));
1.367 djm 476: }
477:
1.381 djm 478: /* Returns an printable name for the specified forwarding permission list */
479: static const char *
480: fwd_ident(int who, int where)
481: {
482: if (who == FORWARD_ADM) {
483: if (where == FORWARD_LOCAL)
484: return "admin local";
485: else if (where == FORWARD_REMOTE)
486: return "admin remote";
487: } else if (who == FORWARD_USER) {
488: if (where == FORWARD_LOCAL)
489: return "user local";
490: else if (where == FORWARD_REMOTE)
491: return "user remote";
492: }
493: fatal("Unknown forward permission list %d/%d", who, where);
494: }
495:
496: /* Returns the forwarding permission list for the specified direction */
497: static struct permission_set *
498: permission_set_get(struct ssh *ssh, int where)
499: {
500: struct ssh_channels *sc = ssh->chanctxt;
1.367 djm 501:
1.381 djm 502: switch (where) {
503: case FORWARD_LOCAL:
504: return &sc->local_perms;
505: break;
506: case FORWARD_REMOTE:
507: return &sc->remote_perms;
508: break;
509: default:
1.403 djm 510: fatal_f("invalid forwarding direction %d", where);
1.381 djm 511: }
512: }
513:
1.392 dtucker 514: /* Returns pointers to the specified forwarding list and its element count */
1.381 djm 515: static void
516: permission_set_get_array(struct ssh *ssh, int who, int where,
517: struct permission ***permpp, u_int **npermpp)
518: {
519: struct permission_set *pset = permission_set_get(ssh, where);
520:
521: switch (who) {
522: case FORWARD_USER:
523: *permpp = &pset->permitted_user;
524: *npermpp = &pset->num_permitted_user;
525: break;
526: case FORWARD_ADM:
527: *permpp = &pset->permitted_admin;
528: *npermpp = &pset->num_permitted_admin;
529: break;
530: default:
1.403 djm 531: fatal_f("invalid forwarding client %d", who);
1.381 djm 532: }
533: }
534:
1.409 jsg 535: /* Adds an entry to the specified forwarding list */
1.367 djm 536: static int
1.381 djm 537: permission_set_add(struct ssh *ssh, int who, int where,
1.367 djm 538: const char *host_to_connect, int port_to_connect,
539: const char *listen_host, const char *listen_path, int listen_port,
540: Channel *downstream)
541: {
1.381 djm 542: struct permission **permp;
543: u_int n, *npermp;
1.367 djm 544:
1.381 djm 545: permission_set_get_array(ssh, who, where, &permp, &npermp);
1.367 djm 546:
1.381 djm 547: if (*npermp >= INT_MAX)
1.403 djm 548: fatal_f("%s overflow", fwd_ident(who, where));
1.367 djm 549:
1.381 djm 550: *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp));
551: n = (*npermp)++;
1.367 djm 552: #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s))
1.381 djm 553: (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect);
554: (*permp)[n].port_to_connect = port_to_connect;
555: (*permp)[n].listen_host = MAYBE_DUP(listen_host);
556: (*permp)[n].listen_path = MAYBE_DUP(listen_path);
557: (*permp)[n].listen_port = listen_port;
558: (*permp)[n].downstream = downstream;
1.367 djm 559: #undef MAYBE_DUP
560: return (int)n;
561: }
562:
563: static void
564: mux_remove_remote_forwardings(struct ssh *ssh, Channel *c)
565: {
566: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 567: struct permission_set *pset = &sc->local_perms;
568: struct permission *perm;
1.367 djm 569: int r;
570: u_int i;
571:
1.381 djm 572: for (i = 0; i < pset->num_permitted_user; i++) {
573: perm = &pset->permitted_user[i];
574: if (perm->downstream != c)
1.367 djm 575: continue;
576:
577: /* cancel on the server, since mux client is gone */
578: debug("channel %d: cleanup remote forward for %s:%u",
1.381 djm 579: c->self, perm->listen_host, perm->listen_port);
1.367 djm 580: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
581: (r = sshpkt_put_cstring(ssh,
582: "cancel-tcpip-forward")) != 0 ||
583: (r = sshpkt_put_u8(ssh, 0)) != 0 ||
584: (r = sshpkt_put_cstring(ssh,
1.381 djm 585: channel_rfwd_bind_host(perm->listen_host))) != 0 ||
586: (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 ||
1.367 djm 587: (r = sshpkt_send(ssh)) != 0) {
1.403 djm 588: fatal_fr(r, "channel %i", c->self);
1.367 djm 589: }
1.381 djm 590: fwd_perm_clear(perm); /* unregister */
1.367 djm 591: }
1.121 markus 592: }
593:
594: /* Free the channel and close its fd/socket. */
595: void
1.367 djm 596: channel_free(struct ssh *ssh, Channel *c)
1.121 markus 597: {
1.367 djm 598: struct ssh_channels *sc = ssh->chanctxt;
1.121 markus 599: char *s;
1.209 avsm 600: u_int i, n;
1.354 markus 601: Channel *other;
1.275 djm 602: struct channel_confirm *cc;
1.121 markus 603:
1.367 djm 604: for (n = 0, i = 0; i < sc->channels_alloc; i++) {
605: if ((other = sc->channels[i]) == NULL)
606: continue;
607: n++;
608: /* detach from mux client and prepare for closing */
609: if (c->type == SSH_CHANNEL_MUX_CLIENT &&
610: other->type == SSH_CHANNEL_MUX_PROXY &&
611: other->mux_ctx == c) {
612: other->mux_ctx = NULL;
613: other->type = SSH_CHANNEL_OPEN;
614: other->istate = CHAN_INPUT_CLOSED;
615: other->ostate = CHAN_OUTPUT_CLOSED;
1.354 markus 616: }
617: }
1.209 avsm 618: debug("channel %d: free: %s, nchannels %u", c->self,
1.121 markus 619: c->remote_name ? c->remote_name : "???", n);
620:
1.408 mbuhl 621: if (c->type == SSH_CHANNEL_MUX_CLIENT) {
1.367 djm 622: mux_remove_remote_forwardings(ssh, c);
1.408 mbuhl 623: free(c->mux_ctx);
624: c->mux_ctx = NULL;
625: } else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
1.401 djm 626: free(c->mux_ctx);
627: c->mux_ctx = NULL;
628: }
1.354 markus 629:
1.384 markus 630: if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) {
631: s = channel_open_message(ssh);
632: debug3("channel %d: status: %s", c->self, s);
633: free(s);
634: }
1.121 markus 635:
1.367 djm 636: channel_close_fds(ssh, c);
637: sshbuf_free(c->input);
638: sshbuf_free(c->output);
639: sshbuf_free(c->extended);
640: c->input = c->output = c->extended = NULL;
1.321 djm 641: free(c->remote_name);
642: c->remote_name = NULL;
643: free(c->path);
644: c->path = NULL;
645: free(c->listening_addr);
646: c->listening_addr = NULL;
1.275 djm 647: while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
648: if (cc->abandon_cb != NULL)
1.367 djm 649: cc->abandon_cb(ssh, c, cc->ctx);
1.275 djm 650: TAILQ_REMOVE(&c->status_confirms, cc, entry);
1.396 jsg 651: freezero(cc, sizeof(*cc));
1.275 djm 652: }
1.280 djm 653: if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
1.367 djm 654: c->filter_cleanup(ssh, c->self, c->filter_ctx);
655: sc->channels[c->self] = NULL;
1.396 jsg 656: freezero(c, sizeof(*c));
1.121 markus 657: }
658:
659: void
1.367 djm 660: channel_free_all(struct ssh *ssh)
1.121 markus 661: {
1.209 avsm 662: u_int i;
1.390 dtucker 663: struct ssh_channels *sc = ssh->chanctxt;
1.121 markus 664:
1.390 dtucker 665: for (i = 0; i < sc->channels_alloc; i++)
666: if (sc->channels[i] != NULL)
667: channel_free(ssh, sc->channels[i]);
668:
669: free(sc->channels);
670: sc->channels = NULL;
671: sc->channels_alloc = 0;
672: sc->channel_max_fd = 0;
673:
674: free(sc->x11_saved_display);
675: sc->x11_saved_display = NULL;
676:
677: free(sc->x11_saved_proto);
678: sc->x11_saved_proto = NULL;
679:
680: free(sc->x11_saved_data);
681: sc->x11_saved_data = NULL;
682: sc->x11_saved_data_len = 0;
683:
684: free(sc->x11_fake_data);
685: sc->x11_fake_data = NULL;
686: sc->x11_fake_data_len = 0;
1.131 markus 687: }
688:
1.121 markus 689: /*
690: * Closes the sockets/fds of all channels. This is used to close extra file
691: * descriptors after a fork.
692: */
693: void
1.367 djm 694: channel_close_all(struct ssh *ssh)
1.121 markus 695: {
1.209 avsm 696: u_int i;
1.121 markus 697:
1.367 djm 698: for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
699: if (ssh->chanctxt->channels[i] != NULL)
700: channel_close_fds(ssh, ssh->chanctxt->channels[i]);
1.121 markus 701: }
702:
703: /*
1.131 markus 704: * Stop listening to channels.
705: */
706: void
1.367 djm 707: channel_stop_listening(struct ssh *ssh)
1.131 markus 708: {
1.209 avsm 709: u_int i;
1.131 markus 710: Channel *c;
711:
1.367 djm 712: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
713: c = ssh->chanctxt->channels[i];
1.131 markus 714: if (c != NULL) {
715: switch (c->type) {
716: case SSH_CHANNEL_AUTH_SOCKET:
717: case SSH_CHANNEL_PORT_LISTENER:
718: case SSH_CHANNEL_RPORT_LISTENER:
719: case SSH_CHANNEL_X11_LISTENER:
1.336 millert 720: case SSH_CHANNEL_UNIX_LISTENER:
721: case SSH_CHANNEL_RUNIX_LISTENER:
1.407 djm 722: channel_close_fd(ssh, c, &c->sock);
1.367 djm 723: channel_free(ssh, c);
1.131 markus 724: break;
725: }
726: }
727: }
728: }
729:
730: /*
1.121 markus 731: * Returns true if no channel has too much buffered data, and false if one or
732: * more channel is overfull.
733: */
734: int
1.367 djm 735: channel_not_very_much_buffered_data(struct ssh *ssh)
1.121 markus 736: {
737: u_int i;
1.367 djm 738: u_int maxsize = ssh_packet_get_maxsize(ssh);
1.121 markus 739: Channel *c;
740:
1.367 djm 741: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
742: c = ssh->chanctxt->channels[i];
743: if (c == NULL || c->type != SSH_CHANNEL_OPEN)
744: continue;
745: if (sshbuf_len(c->output) > maxsize) {
746: debug2("channel %d: big output buffer %zu > %u",
747: c->self, sshbuf_len(c->output), maxsize);
748: return 0;
1.121 markus 749: }
750: }
751: return 1;
752: }
753:
754: /* Returns true if any channel is still open. */
755: int
1.367 djm 756: channel_still_open(struct ssh *ssh)
1.121 markus 757: {
1.209 avsm 758: u_int i;
1.121 markus 759: Channel *c;
760:
1.367 djm 761: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
762: c = ssh->chanctxt->channels[i];
1.121 markus 763: if (c == NULL)
764: continue;
765: switch (c->type) {
766: case SSH_CHANNEL_X11_LISTENER:
767: case SSH_CHANNEL_PORT_LISTENER:
768: case SSH_CHANNEL_RPORT_LISTENER:
1.302 djm 769: case SSH_CHANNEL_MUX_LISTENER:
1.121 markus 770: case SSH_CHANNEL_CLOSED:
771: case SSH_CHANNEL_AUTH_SOCKET:
772: case SSH_CHANNEL_DYNAMIC:
1.372 markus 773: case SSH_CHANNEL_RDYNAMIC_OPEN:
1.121 markus 774: case SSH_CHANNEL_CONNECTING:
775: case SSH_CHANNEL_ZOMBIE:
1.323 dtucker 776: case SSH_CHANNEL_ABANDONED:
1.336 millert 777: case SSH_CHANNEL_UNIX_LISTENER:
778: case SSH_CHANNEL_RUNIX_LISTENER:
1.121 markus 779: continue;
780: case SSH_CHANNEL_LARVAL:
781: continue;
782: case SSH_CHANNEL_OPENING:
783: case SSH_CHANNEL_OPEN:
1.372 markus 784: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.121 markus 785: case SSH_CHANNEL_X11_OPEN:
1.302 djm 786: case SSH_CHANNEL_MUX_CLIENT:
1.354 markus 787: case SSH_CHANNEL_MUX_PROXY:
1.121 markus 788: return 1;
789: default:
1.403 djm 790: fatal_f("bad channel type %d", c->type);
1.121 markus 791: /* NOTREACHED */
792: }
793: }
794: return 0;
795: }
796:
797: /* Returns the id of an open channel suitable for keepaliving */
798: int
1.367 djm 799: channel_find_open(struct ssh *ssh)
1.121 markus 800: {
1.209 avsm 801: u_int i;
1.121 markus 802: Channel *c;
803:
1.367 djm 804: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
805: c = ssh->chanctxt->channels[i];
1.368 djm 806: if (c == NULL || !c->have_remote_id)
1.121 markus 807: continue;
808: switch (c->type) {
809: case SSH_CHANNEL_CLOSED:
810: case SSH_CHANNEL_DYNAMIC:
1.372 markus 811: case SSH_CHANNEL_RDYNAMIC_OPEN:
812: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.121 markus 813: case SSH_CHANNEL_X11_LISTENER:
814: case SSH_CHANNEL_PORT_LISTENER:
815: case SSH_CHANNEL_RPORT_LISTENER:
1.302 djm 816: case SSH_CHANNEL_MUX_LISTENER:
817: case SSH_CHANNEL_MUX_CLIENT:
1.354 markus 818: case SSH_CHANNEL_MUX_PROXY:
1.121 markus 819: case SSH_CHANNEL_OPENING:
820: case SSH_CHANNEL_CONNECTING:
821: case SSH_CHANNEL_ZOMBIE:
1.323 dtucker 822: case SSH_CHANNEL_ABANDONED:
1.336 millert 823: case SSH_CHANNEL_UNIX_LISTENER:
824: case SSH_CHANNEL_RUNIX_LISTENER:
1.121 markus 825: continue;
826: case SSH_CHANNEL_LARVAL:
827: case SSH_CHANNEL_AUTH_SOCKET:
828: case SSH_CHANNEL_OPEN:
829: case SSH_CHANNEL_X11_OPEN:
830: return i;
831: default:
1.403 djm 832: fatal_f("bad channel type %d", c->type);
1.121 markus 833: /* NOTREACHED */
834: }
835: }
836: return -1;
837: }
838:
1.385 djm 839: /* Returns the state of the channel's extended usage flag */
840: const char *
841: channel_format_extended_usage(const Channel *c)
842: {
843: if (c->efd == -1)
844: return "closed";
845:
846: switch (c->extended_usage) {
847: case CHAN_EXTENDED_WRITE:
848: return "write";
849: case CHAN_EXTENDED_READ:
850: return "read";
851: case CHAN_EXTENDED_IGNORE:
852: return "ignore";
853: default:
854: return "UNKNOWN";
855: }
856: }
857:
1.386 djm 858: static char *
859: channel_format_status(const Channel *c)
860: {
861: char *ret = NULL;
862:
863: xasprintf(&ret, "t%d %s%u i%u/%zu o%u/%zu e[%s]/%zu "
864: "fd %d/%d/%d sock %d cc %d",
865: c->type,
866: c->have_remote_id ? "r" : "nr", c->remote_id,
867: c->istate, sshbuf_len(c->input),
868: c->ostate, sshbuf_len(c->output),
869: channel_format_extended_usage(c), sshbuf_len(c->extended),
870: c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan);
871: return ret;
872: }
873:
1.121 markus 874: /*
875: * Returns a message describing the currently open forwarded connections,
876: * suitable for sending to the client. The message contains crlf pairs for
877: * newlines.
878: */
879: char *
1.367 djm 880: channel_open_message(struct ssh *ssh)
1.121 markus 881: {
1.367 djm 882: struct sshbuf *buf;
1.121 markus 883: Channel *c;
1.209 avsm 884: u_int i;
1.367 djm 885: int r;
1.386 djm 886: char *cp, *ret;
1.121 markus 887:
1.367 djm 888: if ((buf = sshbuf_new()) == NULL)
1.403 djm 889: fatal_f("sshbuf_new");
1.367 djm 890: if ((r = sshbuf_putf(buf,
891: "The following connections are open:\r\n")) != 0)
1.403 djm 892: fatal_fr(r, "sshbuf_putf");
1.367 djm 893: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
894: c = ssh->chanctxt->channels[i];
1.121 markus 895: if (c == NULL)
896: continue;
897: switch (c->type) {
898: case SSH_CHANNEL_X11_LISTENER:
899: case SSH_CHANNEL_PORT_LISTENER:
900: case SSH_CHANNEL_RPORT_LISTENER:
901: case SSH_CHANNEL_CLOSED:
902: case SSH_CHANNEL_AUTH_SOCKET:
903: case SSH_CHANNEL_ZOMBIE:
1.323 dtucker 904: case SSH_CHANNEL_ABANDONED:
1.302 djm 905: case SSH_CHANNEL_MUX_LISTENER:
1.336 millert 906: case SSH_CHANNEL_UNIX_LISTENER:
907: case SSH_CHANNEL_RUNIX_LISTENER:
1.121 markus 908: continue;
909: case SSH_CHANNEL_LARVAL:
910: case SSH_CHANNEL_OPENING:
911: case SSH_CHANNEL_CONNECTING:
912: case SSH_CHANNEL_DYNAMIC:
1.372 markus 913: case SSH_CHANNEL_RDYNAMIC_OPEN:
914: case SSH_CHANNEL_RDYNAMIC_FINISH:
1.121 markus 915: case SSH_CHANNEL_OPEN:
916: case SSH_CHANNEL_X11_OPEN:
1.354 markus 917: case SSH_CHANNEL_MUX_PROXY:
918: case SSH_CHANNEL_MUX_CLIENT:
1.386 djm 919: cp = channel_format_status(c);
920: if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n",
921: c->self, c->remote_name, cp)) != 0) {
922: free(cp);
1.403 djm 923: fatal_fr(r, "sshbuf_putf");
1.386 djm 924: }
925: free(cp);
1.121 markus 926: continue;
927: default:
1.403 djm 928: fatal_f("bad channel type %d", c->type);
1.121 markus 929: /* NOTREACHED */
930: }
931: }
1.367 djm 932: if ((ret = sshbuf_dup_string(buf)) == NULL)
1.403 djm 933: fatal_f("sshbuf_dup_string");
1.367 djm 934: sshbuf_free(buf);
935: return ret;
936: }
937:
938: static void
939: open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type)
940: {
941: int r;
942:
943: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
944: (r = sshpkt_put_cstring(ssh, type)) != 0 ||
945: (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
946: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
947: (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
1.403 djm 948: fatal_r(r, "%s: channel %i: open", where, c->self);
1.367 djm 949: }
1.121 markus 950: }
951:
952: void
1.367 djm 953: channel_send_open(struct ssh *ssh, int id)
1.121 markus 954: {
1.367 djm 955: Channel *c = channel_lookup(ssh, id);
956: int r;
1.180 deraadt 957:
1.121 markus 958: if (c == NULL) {
1.188 itojun 959: logit("channel_send_open: %d: bad id", id);
1.121 markus 960: return;
961: }
1.184 markus 962: debug2("channel %d: send open", id);
1.367 djm 963: open_preamble(ssh, __func__, c, c->ctype);
964: if ((r = sshpkt_send(ssh)) != 0)
1.403 djm 965: fatal_fr(r, "channel %i", c->self);
1.121 markus 966: }
967:
968: void
1.367 djm 969: channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
1.121 markus 970: {
1.367 djm 971: Channel *c = channel_lookup(ssh, id);
972: int r;
1.180 deraadt 973:
1.121 markus 974: if (c == NULL) {
1.403 djm 975: logit_f("%d: unknown channel id", id);
1.121 markus 976: return;
977: }
1.368 djm 978: if (!c->have_remote_id)
1.403 djm 979: fatal_f("channel %d: no remote id", c->self);
1.368 djm 980:
1.204 djm 981: debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
1.367 djm 982: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 ||
983: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
984: (r = sshpkt_put_cstring(ssh, service)) != 0 ||
985: (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) {
1.403 djm 986: fatal_fr(r, "channel %i", c->self);
1.367 djm 987: }
1.121 markus 988: }
1.241 deraadt 989:
1.121 markus 990: void
1.367 djm 991: channel_register_status_confirm(struct ssh *ssh, int id,
992: channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx)
1.275 djm 993: {
994: struct channel_confirm *cc;
995: Channel *c;
996:
1.367 djm 997: if ((c = channel_lookup(ssh, id)) == NULL)
1.403 djm 998: fatal_f("%d: bad id", id);
1.275 djm 999:
1.327 djm 1000: cc = xcalloc(1, sizeof(*cc));
1.275 djm 1001: cc->cb = cb;
1002: cc->abandon_cb = abandon_cb;
1003: cc->ctx = ctx;
1004: TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
1005: }
1006:
1007: void
1.367 djm 1008: channel_register_open_confirm(struct ssh *ssh, int id,
1009: channel_open_fn *fn, void *ctx)
1.121 markus 1010: {
1.367 djm 1011: Channel *c = channel_lookup(ssh, id);
1.180 deraadt 1012:
1.121 markus 1013: if (c == NULL) {
1.403 djm 1014: logit_f("%d: bad id", id);
1.121 markus 1015: return;
1016: }
1.275 djm 1017: c->open_confirm = fn;
1018: c->open_confirm_ctx = ctx;
1.121 markus 1019: }
1.241 deraadt 1020:
1.121 markus 1021: void
1.367 djm 1022: channel_register_cleanup(struct ssh *ssh, int id,
1023: channel_callback_fn *fn, int do_close)
1.121 markus 1024: {
1.367 djm 1025: Channel *c = channel_by_id(ssh, id);
1.180 deraadt 1026:
1.121 markus 1027: if (c == NULL) {
1.403 djm 1028: logit_f("%d: bad id", id);
1.121 markus 1029: return;
1030: }
1.131 markus 1031: c->detach_user = fn;
1.225 djm 1032: c->detach_close = do_close;
1.121 markus 1033: }
1.241 deraadt 1034:
1.121 markus 1035: void
1.367 djm 1036: channel_cancel_cleanup(struct ssh *ssh, int id)
1.121 markus 1037: {
1.367 djm 1038: Channel *c = channel_by_id(ssh, id);
1.180 deraadt 1039:
1.121 markus 1040: if (c == NULL) {
1.403 djm 1041: logit_f("%d: bad id", id);
1.121 markus 1042: return;
1.52 markus 1043: }
1.131 markus 1044: c->detach_user = NULL;
1.225 djm 1045: c->detach_close = 0;
1.121 markus 1046: }
1.241 deraadt 1047:
1.121 markus 1048: void
1.367 djm 1049: channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn,
1.280 djm 1050: channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
1.121 markus 1051: {
1.367 djm 1052: Channel *c = channel_lookup(ssh, id);
1.180 deraadt 1053:
1.121 markus 1054: if (c == NULL) {
1.403 djm 1055: logit_f("%d: bad id", id);
1.121 markus 1056: return;
1.52 markus 1057: }
1.231 reyk 1058: c->input_filter = ifn;
1059: c->output_filter = ofn;
1.279 djm 1060: c->filter_ctx = ctx;
1.280 djm 1061: c->filter_cleanup = cfn;
1.52 markus 1062: }
1063:
1.49 markus 1064: void
1.367 djm 1065: channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
1.282 dtucker 1066: int extusage, int nonblock, int is_tty, u_int window_max)
1.1 deraadt 1067: {
1.367 djm 1068: Channel *c = channel_lookup(ssh, id);
1069: int r;
1.180 deraadt 1070:
1.121 markus 1071: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
1072: fatal("channel_activate for non-larval channel %d.", id);
1.368 djm 1073: if (!c->have_remote_id)
1.403 djm 1074: fatal_f("channel %d: no remote id", c->self);
1.368 djm 1075:
1.367 djm 1076: channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
1.121 markus 1077: c->type = SSH_CHANNEL_OPEN;
1.168 markus 1078: c->local_window = c->local_window_max = window_max;
1.367 djm 1079:
1080: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
1081: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1082: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1083: (r = sshpkt_send(ssh)) != 0)
1.403 djm 1084: fatal_fr(r, "channel %i", c->self);
1.1 deraadt 1085: }
1086:
1.127 itojun 1087: static void
1.410 ! djm 1088: channel_pre_listener(struct ssh *ssh, Channel *c)
1.41 markus 1089: {
1.410 ! djm 1090: c->io_want = SSH_CHAN_IO_SOCK_R;
1.41 markus 1091: }
1092:
1.127 itojun 1093: static void
1.410 ! djm 1094: channel_pre_connecting(struct ssh *ssh, Channel *c)
1.75 markus 1095: {
1096: debug3("channel %d: waiting for connection", c->self);
1.410 ! djm 1097: c->io_want = SSH_CHAN_IO_SOCK_W;
1.75 markus 1098: }
1099:
1.127 itojun 1100: static void
1.410 ! djm 1101: channel_pre_open(struct ssh *ssh, Channel *c)
1.41 markus 1102: {
1.410 ! djm 1103: c->io_want = 0;
1.44 markus 1104: if (c->istate == CHAN_INPUT_OPEN &&
1.358 djm 1105: c->remote_window > 0 &&
1.367 djm 1106: sshbuf_len(c->input) < c->remote_window &&
1107: sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1.410 ! djm 1108: c->io_want |= SSH_CHAN_IO_RFD;
1.44 markus 1109: if (c->ostate == CHAN_OUTPUT_OPEN ||
1110: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1.367 djm 1111: if (sshbuf_len(c->output) > 0) {
1.410 ! djm 1112: c->io_want |= SSH_CHAN_IO_WFD;
1.44 markus 1113: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1.172 markus 1114: if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
1.367 djm 1115: debug2("channel %d: "
1116: "obuf_empty delayed efd %d/(%zu)", c->self,
1117: c->efd, sshbuf_len(c->extended));
1.172 markus 1118: else
1.367 djm 1119: chan_obuf_empty(ssh, c);
1.44 markus 1120: }
1121: }
1122: /** XXX check close conditions, too */
1.358 djm 1123: if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED &&
1124: c->ostate == CHAN_OUTPUT_CLOSED)) {
1.44 markus 1125: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1.367 djm 1126: sshbuf_len(c->extended) > 0)
1.410 ! djm 1127: c->io_want |= SSH_CHAN_IO_EFD_W;
1.306 djm 1128: else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
1129: (c->extended_usage == CHAN_EXTENDED_READ ||
1130: c->extended_usage == CHAN_EXTENDED_IGNORE) &&
1.367 djm 1131: sshbuf_len(c->extended) < c->remote_window)
1.410 ! djm 1132: c->io_want |= SSH_CHAN_IO_EFD_R;
1.44 markus 1133: }
1.204 djm 1134: /* XXX: What about efd? races? */
1.44 markus 1135: }
1136:
1.41 markus 1137: /*
1138: * This is a special state for X11 authentication spoofing. An opened X11
1139: * connection (when authentication spoofing is being done) remains in this
1140: * state until the first packet has been completely read. The authentication
1141: * data in that packet is then substituted by the real data if it matches the
1142: * fake data, and the channel is put into normal mode.
1.51 markus 1143: * XXX All this happens at the client side.
1.121 markus 1144: * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1.41 markus 1145: */
1.127 itojun 1146: static int
1.367 djm 1147: x11_open_helper(struct ssh *ssh, struct sshbuf *b)
1.1 deraadt 1148: {
1.367 djm 1149: struct ssh_channels *sc = ssh->chanctxt;
1.77 markus 1150: u_char *ucp;
1151: u_int proto_len, data_len;
1.25 markus 1152:
1.347 djm 1153: /* Is this being called after the refusal deadline? */
1.367 djm 1154: if (sc->x11_refuse_time != 0 &&
1155: (u_int)monotime() >= sc->x11_refuse_time) {
1.347 djm 1156: verbose("Rejected X11 connection after ForwardX11Timeout "
1157: "expired");
1158: return -1;
1159: }
1160:
1.41 markus 1161: /* Check if the fixed size part of the packet is in buffer. */
1.367 djm 1162: if (sshbuf_len(b) < 12)
1.41 markus 1163: return 0;
1164:
1165: /* Parse the lengths of variable-length fields. */
1.367 djm 1166: ucp = sshbuf_mutable_ptr(b);
1.41 markus 1167: if (ucp[0] == 0x42) { /* Byte order MSB first. */
1168: proto_len = 256 * ucp[6] + ucp[7];
1169: data_len = 256 * ucp[8] + ucp[9];
1170: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
1171: proto_len = ucp[6] + 256 * ucp[7];
1172: data_len = ucp[8] + 256 * ucp[9];
1173: } else {
1.194 markus 1174: debug2("Initial X11 packet contains bad byte order byte: 0x%x",
1.148 deraadt 1175: ucp[0]);
1.41 markus 1176: return -1;
1177: }
1178:
1179: /* Check if the whole packet is in buffer. */
1.367 djm 1180: if (sshbuf_len(b) <
1.41 markus 1181: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
1182: return 0;
1183:
1184: /* Check if authentication protocol matches. */
1.367 djm 1185: if (proto_len != strlen(sc->x11_saved_proto) ||
1186: memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) {
1.194 markus 1187: debug2("X11 connection uses different authentication protocol.");
1.41 markus 1188: return -1;
1189: }
1190: /* Check if authentication data matches our fake data. */
1.367 djm 1191: if (data_len != sc->x11_fake_data_len ||
1.308 djm 1192: timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
1.367 djm 1193: sc->x11_fake_data, sc->x11_fake_data_len) != 0) {
1.194 markus 1194: debug2("X11 auth data does not match fake data.");
1.41 markus 1195: return -1;
1196: }
1197: /* Check fake data length */
1.367 djm 1198: if (sc->x11_fake_data_len != sc->x11_saved_data_len) {
1.41 markus 1199: error("X11 fake_data_len %d != saved_data_len %d",
1.367 djm 1200: sc->x11_fake_data_len, sc->x11_saved_data_len);
1.41 markus 1201: return -1;
1202: }
1203: /*
1204: * Received authentication protocol and data match
1205: * our fake data. Substitute the fake data with real
1206: * data.
1207: */
1208: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
1.367 djm 1209: sc->x11_saved_data, sc->x11_saved_data_len);
1.41 markus 1210: return 1;
1211: }
1212:
1.127 itojun 1213: static void
1.410 ! djm 1214: channel_pre_x11_open(struct ssh *ssh, Channel *c)
1.41 markus 1215: {
1.367 djm 1216: int ret = x11_open_helper(ssh, c->output);
1.133 markus 1217:
1218: /* c->force_drain = 1; */
1219:
1.41 markus 1220: if (ret == 1) {
1221: c->type = SSH_CHANNEL_OPEN;
1.410 ! djm 1222: channel_pre_open(ssh, c);
1.41 markus 1223: } else if (ret == -1) {
1.188 itojun 1224: logit("X11 connection rejected because of wrong authentication.");
1.367 djm 1225: debug2("X11 rejected %d i%d/o%d",
1226: c->self, c->istate, c->ostate);
1227: chan_read_failed(ssh, c);
1228: sshbuf_reset(c->input);
1229: chan_ibuf_empty(ssh, c);
1230: sshbuf_reset(c->output);
1231: chan_write_failed(ssh, c);
1.194 markus 1232: debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
1.41 markus 1233: }
1234: }
1.25 markus 1235:
1.302 djm 1236: static void
1.410 ! djm 1237: channel_pre_mux_client(struct ssh *ssh, Channel *c)
1.302 djm 1238: {
1.410 ! djm 1239: c->io_want = 0;
1.304 djm 1240: if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause &&
1.367 djm 1241: sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1.410 ! djm 1242: c->io_want |= SSH_CHAN_IO_RFD;
1.302 djm 1243: if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1244: /* clear buffer immediately (discard any partial packet) */
1.367 djm 1245: sshbuf_reset(c->input);
1246: chan_ibuf_empty(ssh, c);
1.302 djm 1247: /* Start output drain. XXX just kill chan? */
1.367 djm 1248: chan_rcvd_oclose(ssh, c);
1.302 djm 1249: }
1250: if (c->ostate == CHAN_OUTPUT_OPEN ||
1251: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1.367 djm 1252: if (sshbuf_len(c->output) > 0)
1.410 ! djm 1253: c->io_want |= SSH_CHAN_IO_WFD;
1.302 djm 1254: else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN)
1.367 djm 1255: chan_obuf_empty(ssh, c);
1.302 djm 1256: }
1257: }
1258:
1.104 markus 1259: /* try to decode a socks4 header */
1.127 itojun 1260: static int
1.372 markus 1261: channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output)
1.103 markus 1262: {
1.367 djm 1263: const u_char *p;
1264: char *host;
1.292 djm 1265: u_int len, have, i, found, need;
1.148 deraadt 1266: char username[256];
1.103 markus 1267: struct {
1268: u_int8_t version;
1269: u_int8_t command;
1270: u_int16_t dest_port;
1.104 markus 1271: struct in_addr dest_addr;
1.103 markus 1272: } s4_req, s4_rsp;
1.367 djm 1273: int r;
1.103 markus 1274:
1.104 markus 1275: debug2("channel %d: decode socks4", c->self);
1.109 markus 1276:
1.372 markus 1277: have = sshbuf_len(input);
1.109 markus 1278: len = sizeof(s4_req);
1279: if (have < len)
1280: return 0;
1.372 markus 1281: p = sshbuf_ptr(input);
1.292 djm 1282:
1283: need = 1;
1284: /* SOCKS4A uses an invalid IP address 0.0.0.x */
1285: if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1286: debug2("channel %d: socks4a request", c->self);
1287: /* ... and needs an extra string (the hostname) */
1288: need = 2;
1289: }
1290: /* Check for terminating NUL on the string(s) */
1.109 markus 1291: for (found = 0, i = len; i < have; i++) {
1292: if (p[i] == '\0') {
1.292 djm 1293: found++;
1294: if (found == need)
1295: break;
1.109 markus 1296: }
1297: if (i > 1024) {
1298: /* the peer is probably sending garbage */
1299: debug("channel %d: decode socks4: too long",
1300: c->self);
1301: return -1;
1302: }
1303: }
1.292 djm 1304: if (found < need)
1.109 markus 1305: return 0;
1.372 markus 1306: if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 ||
1307: (r = sshbuf_get(input, &s4_req.command, 1)) != 0 ||
1308: (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 ||
1309: (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) {
1.403 djm 1310: debug_r(r, "channels %d: decode socks4", c->self);
1.367 djm 1311: return -1;
1312: }
1.372 markus 1313: have = sshbuf_len(input);
1314: p = sshbuf_ptr(input);
1.364 djm 1315: if (memchr(p, '\0', have) == NULL) {
1.403 djm 1316: error("channel %d: decode socks4: unterminated user", c->self);
1.364 djm 1317: return -1;
1318: }
1.103 markus 1319: len = strlen(p);
1.106 markus 1320: debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1.367 djm 1321: len++; /* trailing '\0' */
1.103 markus 1322: strlcpy(username, p, sizeof(username));
1.403 djm 1323: if ((r = sshbuf_consume(input, len)) != 0)
1324: fatal_fr(r, "channel %d: consume", c->self);
1.321 djm 1325: free(c->path);
1326: c->path = NULL;
1.292 djm 1327: if (need == 1) { /* SOCKS4: one string */
1328: host = inet_ntoa(s4_req.dest_addr);
1.293 djm 1329: c->path = xstrdup(host);
1.292 djm 1330: } else { /* SOCKS4A: two strings */
1.372 markus 1331: have = sshbuf_len(input);
1332: p = sshbuf_ptr(input);
1.364 djm 1333: if (memchr(p, '\0', have) == NULL) {
1334: error("channel %d: decode socks4a: host not nul "
1335: "terminated", c->self);
1336: return -1;
1337: }
1.292 djm 1338: len = strlen(p);
1339: debug2("channel %d: decode socks4a: host %s/%d",
1340: c->self, p, len);
1341: len++; /* trailing '\0' */
1.293 djm 1342: if (len > NI_MAXHOST) {
1.292 djm 1343: error("channel %d: hostname \"%.100s\" too long",
1344: c->self, p);
1345: return -1;
1346: }
1.293 djm 1347: c->path = xstrdup(p);
1.403 djm 1348: if ((r = sshbuf_consume(input, len)) != 0)
1349: fatal_fr(r, "channel %d: consume", c->self);
1.292 djm 1350: }
1.103 markus 1351: c->host_port = ntohs(s4_req.dest_port);
1.148 deraadt 1352:
1.194 markus 1353: debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
1.292 djm 1354: c->self, c->path, c->host_port, s4_req.command);
1.103 markus 1355:
1.104 markus 1356: if (s4_req.command != 1) {
1.292 djm 1357: debug("channel %d: cannot handle: %s cn %d",
1358: c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command);
1.104 markus 1359: return -1;
1.103 markus 1360: }
1.104 markus 1361: s4_rsp.version = 0; /* vn: 0 for reply */
1362: s4_rsp.command = 90; /* cd: req granted */
1.103 markus 1363: s4_rsp.dest_port = 0; /* ignored */
1.104 markus 1364: s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */
1.403 djm 1365: if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0)
1366: fatal_fr(r, "channel %d: append reply", c->self);
1.104 markus 1367: return 1;
1368: }
1369:
1.193 markus 1370: /* try to decode a socks5 header */
1371: #define SSH_SOCKS5_AUTHDONE 0x1000
1372: #define SSH_SOCKS5_NOAUTH 0x00
1373: #define SSH_SOCKS5_IPV4 0x01
1374: #define SSH_SOCKS5_DOMAIN 0x03
1375: #define SSH_SOCKS5_IPV6 0x04
1376: #define SSH_SOCKS5_CONNECT 0x01
1377: #define SSH_SOCKS5_SUCCESS 0x00
1378:
1379: static int
1.372 markus 1380: channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
1.193 markus 1381: {
1.367 djm 1382: /* XXX use get/put_u8 instead of trusting struct padding */
1.193 markus 1383: struct {
1384: u_int8_t version;
1385: u_int8_t command;
1386: u_int8_t reserved;
1387: u_int8_t atyp;
1388: } s5_req, s5_rsp;
1389: u_int16_t dest_port;
1.324 djm 1390: char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1.367 djm 1391: const u_char *p;
1.252 djm 1392: u_int have, need, i, found, nmethods, addrlen, af;
1.367 djm 1393: int r;
1.193 markus 1394:
1395: debug2("channel %d: decode socks5", c->self);
1.372 markus 1396: p = sshbuf_ptr(input);
1.193 markus 1397: if (p[0] != 0x05)
1398: return -1;
1.372 markus 1399: have = sshbuf_len(input);
1.193 markus 1400: if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
1401: /* format: ver | nmethods | methods */
1.198 djm 1402: if (have < 2)
1.193 markus 1403: return 0;
1404: nmethods = p[1];
1405: if (have < nmethods + 2)
1406: return 0;
1407: /* look for method: "NO AUTHENTICATION REQUIRED" */
1.268 stevesk 1408: for (found = 0, i = 2; i < nmethods + 2; i++) {
1.264 stevesk 1409: if (p[i] == SSH_SOCKS5_NOAUTH) {
1.193 markus 1410: found = 1;
1411: break;
1412: }
1413: }
1414: if (!found) {
1415: debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
1416: c->self);
1417: return -1;
1418: }
1.403 djm 1419: if ((r = sshbuf_consume(input, nmethods + 2)) != 0)
1420: fatal_fr(r, "channel %d: consume", c->self);
1.367 djm 1421: /* version, method */
1.372 markus 1422: if ((r = sshbuf_put_u8(output, 0x05)) != 0 ||
1.403 djm 1423: (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0)
1424: fatal_fr(r, "channel %d: append reply", c->self);
1.193 markus 1425: c->flags |= SSH_SOCKS5_AUTHDONE;
1426: debug2("channel %d: socks5 auth done", c->self);
1427: return 0; /* need more */
1428: }
1429: debug2("channel %d: socks5 post auth", c->self);
1430: if (have < sizeof(s5_req)+1)
1431: return 0; /* need more */
1.247 deraadt 1432: memcpy(&s5_req, p, sizeof(s5_req));
1.193 markus 1433: if (s5_req.version != 0x05 ||
1434: s5_req.command != SSH_SOCKS5_CONNECT ||
1435: s5_req.reserved != 0x00) {
1.194 markus 1436: debug2("channel %d: only socks5 connect supported", c->self);
1.193 markus 1437: return -1;
1438: }
1.213 deraadt 1439: switch (s5_req.atyp){
1.193 markus 1440: case SSH_SOCKS5_IPV4:
1441: addrlen = 4;
1442: af = AF_INET;
1443: break;
1444: case SSH_SOCKS5_DOMAIN:
1445: addrlen = p[sizeof(s5_req)];
1446: af = -1;
1447: break;
1448: case SSH_SOCKS5_IPV6:
1449: addrlen = 16;
1450: af = AF_INET6;
1451: break;
1452: default:
1.194 markus 1453: debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
1.193 markus 1454: return -1;
1455: }
1.252 djm 1456: need = sizeof(s5_req) + addrlen + 2;
1457: if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1458: need++;
1459: if (have < need)
1.193 markus 1460: return 0;
1.403 djm 1461: if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0)
1462: fatal_fr(r, "channel %d: consume", c->self);
1.367 djm 1463: if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1464: /* host string length */
1.403 djm 1465: if ((r = sshbuf_consume(input, 1)) != 0)
1466: fatal_fr(r, "channel %d: consume", c->self);
1.367 djm 1467: }
1.372 markus 1468: if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 ||
1469: (r = sshbuf_get(input, &dest_port, 2)) != 0) {
1.403 djm 1470: debug_r(r, "channel %d: parse addr/port", c->self);
1.367 djm 1471: return -1;
1472: }
1.193 markus 1473: dest_addr[addrlen] = '\0';
1.321 djm 1474: free(c->path);
1475: c->path = NULL;
1.293 djm 1476: if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1.294 djm 1477: if (addrlen >= NI_MAXHOST) {
1.293 djm 1478: error("channel %d: dynamic request: socks5 hostname "
1479: "\"%.100s\" too long", c->self, dest_addr);
1480: return -1;
1481: }
1482: c->path = xstrdup(dest_addr);
1483: } else {
1484: if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
1485: return -1;
1486: c->path = xstrdup(ntop);
1487: }
1.193 markus 1488: c->host_port = ntohs(dest_port);
1.198 djm 1489:
1.194 markus 1490: debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
1.193 markus 1491: c->self, c->path, c->host_port, s5_req.command);
1492:
1493: s5_rsp.version = 0x05;
1494: s5_rsp.command = SSH_SOCKS5_SUCCESS;
1495: s5_rsp.reserved = 0; /* ignored */
1496: s5_rsp.atyp = SSH_SOCKS5_IPV4;
1497: dest_port = 0; /* ignored */
1498:
1.372 markus 1499: if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 ||
1500: (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 ||
1501: (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0)
1.403 djm 1502: fatal_fr(r, "channel %d: append reply", c->self);
1.193 markus 1503: return 1;
1.301 dtucker 1504: }
1505:
1506: Channel *
1.367 djm 1507: channel_connect_stdio_fwd(struct ssh *ssh,
1.407 djm 1508: const char *host_to_connect, u_short port_to_connect,
1509: int in, int out, int nonblock)
1.301 dtucker 1510: {
1511: Channel *c;
1512:
1.403 djm 1513: debug_f("%s:%d", host_to_connect, port_to_connect);
1.301 dtucker 1514:
1.367 djm 1515: c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
1.301 dtucker 1516: -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.407 djm 1517: 0, "stdio-forward", nonblock);
1.301 dtucker 1518:
1519: c->path = xstrdup(host_to_connect);
1520: c->host_port = port_to_connect;
1521: c->listening_port = 0;
1522: c->force_drain = 1;
1523:
1.367 djm 1524: channel_register_fds(ssh, c, in, out, -1, 0, 1, 0);
1525: port_open_helper(ssh, c, "direct-tcpip");
1.301 dtucker 1526:
1527: return c;
1.193 markus 1528: }
1529:
1.104 markus 1530: /* dynamic port forwarding */
1.127 itojun 1531: static void
1.410 ! djm 1532: channel_pre_dynamic(struct ssh *ssh, Channel *c)
1.104 markus 1533: {
1.367 djm 1534: const u_char *p;
1.217 djm 1535: u_int have;
1536: int ret;
1.103 markus 1537:
1.410 ! djm 1538: c->io_want = 0;
1.367 djm 1539: have = sshbuf_len(c->input);
1.104 markus 1540: debug2("channel %d: pre_dynamic: have %d", c->self, have);
1.367 djm 1541: /* sshbuf_dump(c->input, stderr); */
1.104 markus 1542: /* check if the fixed size part of the packet is in buffer. */
1.193 markus 1543: if (have < 3) {
1.104 markus 1544: /* need more */
1.410 ! djm 1545: c->io_want |= SSH_CHAN_IO_RFD;
1.104 markus 1546: return;
1547: }
1548: /* try to guess the protocol */
1.367 djm 1549: p = sshbuf_ptr(c->input);
1550: /* XXX sshbuf_peek_u8? */
1.104 markus 1551: switch (p[0]) {
1552: case 0x04:
1.372 markus 1553: ret = channel_decode_socks4(c, c->input, c->output);
1.193 markus 1554: break;
1555: case 0x05:
1.372 markus 1556: ret = channel_decode_socks5(c, c->input, c->output);
1.104 markus 1557: break;
1558: default:
1559: ret = -1;
1560: break;
1561: }
1562: if (ret < 0) {
1.367 djm 1563: chan_mark_dead(ssh, c);
1.104 markus 1564: } else if (ret == 0) {
1565: debug2("channel %d: pre_dynamic: need more", c->self);
1566: /* need more */
1.410 ! djm 1567: c->io_want |= SSH_CHAN_IO_RFD;
1.372 markus 1568: if (sshbuf_len(c->output))
1.410 ! djm 1569: c->io_want |= SSH_CHAN_IO_WFD;
1.104 markus 1570: } else {
1571: /* switch to the next state */
1572: c->type = SSH_CHANNEL_OPENING;
1.367 djm 1573: port_open_helper(ssh, c, "direct-tcpip");
1.104 markus 1574: }
1.103 markus 1575: }
1576:
1.372 markus 1577: /* simulate read-error */
1578: static void
1579: rdynamic_close(struct ssh *ssh, Channel *c)
1580: {
1581: c->type = SSH_CHANNEL_OPEN;
1582: chan_read_failed(ssh, c);
1583: sshbuf_reset(c->input);
1584: chan_ibuf_empty(ssh, c);
1585: sshbuf_reset(c->output);
1586: chan_write_failed(ssh, c);
1587: }
1588:
1589: /* reverse dynamic port forwarding */
1590: static void
1591: channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c)
1592: {
1593: const u_char *p;
1594: u_int have, len;
1595: int r, ret;
1596:
1597: have = sshbuf_len(c->output);
1598: debug2("channel %d: pre_rdynamic: have %d", c->self, have);
1599: /* sshbuf_dump(c->output, stderr); */
1600: /* EOF received */
1601: if (c->flags & CHAN_EOF_RCVD) {
1.403 djm 1602: if ((r = sshbuf_consume(c->output, have)) != 0)
1603: fatal_fr(r, "channel %d: consume", c->self);
1.372 markus 1604: rdynamic_close(ssh, c);
1605: return;
1606: }
1607: /* check if the fixed size part of the packet is in buffer. */
1608: if (have < 3)
1609: return;
1610: /* try to guess the protocol */
1611: p = sshbuf_ptr(c->output);
1612: switch (p[0]) {
1613: case 0x04:
1614: /* switch input/output for reverse forwarding */
1615: ret = channel_decode_socks4(c, c->output, c->input);
1616: break;
1617: case 0x05:
1618: ret = channel_decode_socks5(c, c->output, c->input);
1619: break;
1620: default:
1621: ret = -1;
1622: break;
1623: }
1624: if (ret < 0) {
1625: rdynamic_close(ssh, c);
1626: } else if (ret == 0) {
1627: debug2("channel %d: pre_rdynamic: need more", c->self);
1628: /* send socks request to peer */
1629: len = sshbuf_len(c->input);
1630: if (len > 0 && len < c->remote_window) {
1631: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
1632: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1633: (r = sshpkt_put_stringb(ssh, c->input)) != 0 ||
1634: (r = sshpkt_send(ssh)) != 0) {
1.403 djm 1635: fatal_fr(r, "channel %i: rdynamic", c->self);
1.372 markus 1636: }
1.403 djm 1637: if ((r = sshbuf_consume(c->input, len)) != 0)
1638: fatal_fr(r, "channel %d: consume", c->self);
1.372 markus 1639: c->remote_window -= len;
1640: }
1641: } else if (rdynamic_connect_finish(ssh, c) < 0) {
1642: /* the connect failed */
1643: rdynamic_close(ssh, c);
1644: }
1645: }
1646:
1.41 markus 1647: /* This is our fake X11 server socket. */
1.127 itojun 1648: static void
1.410 ! djm 1649: channel_post_x11_listener(struct ssh *ssh, Channel *c)
1.41 markus 1650: {
1.113 markus 1651: Channel *nc;
1.285 djm 1652: struct sockaddr_storage addr;
1.367 djm 1653: int r, newsock, oerrno, remote_port;
1.41 markus 1654: socklen_t addrlen;
1.85 markus 1655: char buf[16384], *remote_ipaddr;
1.25 markus 1656:
1.410 ! djm 1657: if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1.367 djm 1658: return;
1659:
1660: debug("X11 connection requested.");
1661: addrlen = sizeof(addr);
1662: newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1663: if (c->single_connection) {
1664: oerrno = errno;
1665: debug2("single_connection: closing X11 listener.");
1.407 djm 1666: channel_close_fd(ssh, c, &c->sock);
1.367 djm 1667: chan_mark_dead(ssh, c);
1668: errno = oerrno;
1669: }
1.393 deraadt 1670: if (newsock == -1) {
1.367 djm 1671: if (errno != EINTR && errno != EWOULDBLOCK &&
1672: errno != ECONNABORTED)
1673: error("accept: %.100s", strerror(errno));
1674: if (errno == EMFILE || errno == ENFILE)
1675: c->notbefore = monotime() + 1;
1676: return;
1677: }
1678: set_nodelay(newsock);
1679: remote_ipaddr = get_peer_ipaddr(newsock);
1680: remote_port = get_peer_port(newsock);
1681: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1682: remote_ipaddr, remote_port);
1683:
1684: nc = channel_new(ssh, "accepted x11 socket",
1685: SSH_CHANNEL_OPENING, newsock, newsock, -1,
1686: c->local_window_max, c->local_maxpacket, 0, buf, 1);
1687: open_preamble(ssh, __func__, nc, "x11");
1.378 djm 1688: if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1689: (r = sshpkt_put_u32(ssh, remote_port)) != 0) {
1.403 djm 1690: fatal_fr(r, "channel %i: reply", c->self);
1.41 markus 1691: }
1.367 djm 1692: if ((r = sshpkt_send(ssh)) != 0)
1.403 djm 1693: fatal_fr(r, "channel %i: send", c->self);
1.367 djm 1694: free(remote_ipaddr);
1.41 markus 1695: }
1.25 markus 1696:
1.127 itojun 1697: static void
1.367 djm 1698: port_open_helper(struct ssh *ssh, Channel *c, char *rtype)
1.103 markus 1699: {
1.328 djm 1700: char *local_ipaddr = get_local_ipaddr(c->sock);
1.350 djm 1701: int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
1.103 markus 1702: char *remote_ipaddr = get_peer_ipaddr(c->sock);
1.216 markus 1703: int remote_port = get_peer_port(c->sock);
1.367 djm 1704: int r;
1.303 djm 1705:
1706: if (remote_port == -1) {
1707: /* Fake addr/port to appease peers that validate it (Tectia) */
1.321 djm 1708: free(remote_ipaddr);
1.303 djm 1709: remote_ipaddr = xstrdup("127.0.0.1");
1710: remote_port = 65535;
1711: }
1.103 markus 1712:
1.367 djm 1713: free(c->remote_name);
1714: xasprintf(&c->remote_name,
1.103 markus 1715: "%s: listening port %d for %.100s port %d, "
1.328 djm 1716: "connect from %.200s port %d to %.100s port %d",
1.103 markus 1717: rtype, c->listening_port, c->path, c->host_port,
1.328 djm 1718: remote_ipaddr, remote_port, local_ipaddr, local_port);
1.103 markus 1719:
1.367 djm 1720: open_preamble(ssh, __func__, c, rtype);
1.358 djm 1721: if (strcmp(rtype, "direct-tcpip") == 0) {
1722: /* target host, port */
1.367 djm 1723: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1.403 djm 1724: (r = sshpkt_put_u32(ssh, c->host_port)) != 0)
1725: fatal_fr(r, "channel %i: reply", c->self);
1.358 djm 1726: } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
1727: /* target path */
1.403 djm 1728: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1729: fatal_fr(r, "channel %i: reply", c->self);
1.358 djm 1730: } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1731: /* listen path */
1.403 djm 1732: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1733: fatal_fr(r, "channel %i: reply", c->self);
1.103 markus 1734: } else {
1.358 djm 1735: /* listen address, port */
1.367 djm 1736: if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1.403 djm 1737: (r = sshpkt_put_u32(ssh, local_port)) != 0)
1738: fatal_fr(r, "channel %i: reply", c->self);
1.358 djm 1739: }
1740: if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1741: /* reserved for future owner/mode info */
1.403 djm 1742: if ((r = sshpkt_put_cstring(ssh, "")) != 0)
1743: fatal_fr(r, "channel %i: reply", c->self);
1.358 djm 1744: } else {
1745: /* originator host and port */
1.367 djm 1746: if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1.403 djm 1747: (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0)
1748: fatal_fr(r, "channel %i: reply", c->self);
1.103 markus 1749: }
1.367 djm 1750: if ((r = sshpkt_send(ssh)) != 0)
1.403 djm 1751: fatal_fr(r, "channel %i: send", c->self);
1.321 djm 1752: free(remote_ipaddr);
1.328 djm 1753: free(local_ipaddr);
1.103 markus 1754: }
1755:
1.347 djm 1756: void
1.367 djm 1757: channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time)
1.347 djm 1758: {
1.367 djm 1759: ssh->chanctxt->x11_refuse_time = refuse_time;
1.226 djm 1760: }
1761:
1.41 markus 1762: /*
1763: * This socket is listening for connections to a forwarded TCP/IP port.
1764: */
1.127 itojun 1765: static void
1.410 ! djm 1766: channel_post_port_listener(struct ssh *ssh, Channel *c)
1.41 markus 1767: {
1.103 markus 1768: Channel *nc;
1.285 djm 1769: struct sockaddr_storage addr;
1.113 markus 1770: int newsock, nextstate;
1.41 markus 1771: socklen_t addrlen;
1.103 markus 1772: char *rtype;
1.73 markus 1773:
1.410 ! djm 1774: if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1.367 djm 1775: return;
1776:
1777: debug("Connection to port %d forwarding to %.100s port %d requested.",
1778: c->listening_port, c->path, c->host_port);
1.103 markus 1779:
1.367 djm 1780: if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1781: nextstate = SSH_CHANNEL_OPENING;
1782: rtype = "forwarded-tcpip";
1783: } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) {
1784: nextstate = SSH_CHANNEL_OPENING;
1785: rtype = "forwarded-streamlocal@openssh.com";
1786: } else if (c->host_port == PORT_STREAMLOCAL) {
1787: nextstate = SSH_CHANNEL_OPENING;
1788: rtype = "direct-streamlocal@openssh.com";
1789: } else if (c->host_port == 0) {
1790: nextstate = SSH_CHANNEL_DYNAMIC;
1791: rtype = "dynamic-tcpip";
1792: } else {
1793: nextstate = SSH_CHANNEL_OPENING;
1794: rtype = "direct-tcpip";
1795: }
1.103 markus 1796:
1.367 djm 1797: addrlen = sizeof(addr);
1798: newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1.393 deraadt 1799: if (newsock == -1) {
1.367 djm 1800: if (errno != EINTR && errno != EWOULDBLOCK &&
1801: errno != ECONNABORTED)
1802: error("accept: %.100s", strerror(errno));
1803: if (errno == EMFILE || errno == ENFILE)
1804: c->notbefore = monotime() + 1;
1805: return;
1.41 markus 1806: }
1.367 djm 1807: if (c->host_port != PORT_STREAMLOCAL)
1808: set_nodelay(newsock);
1809: nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1,
1810: c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1811: nc->listening_port = c->listening_port;
1812: nc->host_port = c->host_port;
1813: if (c->path != NULL)
1814: nc->path = xstrdup(c->path);
1815:
1816: if (nextstate != SSH_CHANNEL_DYNAMIC)
1817: port_open_helper(ssh, nc, rtype);
1.41 markus 1818: }
1.25 markus 1819:
1.41 markus 1820: /*
1821: * This is the authentication agent socket listening for connections from
1822: * clients.
1823: */
1.127 itojun 1824: static void
1.410 ! djm 1825: channel_post_auth_listener(struct ssh *ssh, Channel *c)
1.41 markus 1826: {
1.113 markus 1827: Channel *nc;
1.367 djm 1828: int r, newsock;
1.285 djm 1829: struct sockaddr_storage addr;
1.41 markus 1830: socklen_t addrlen;
1.25 markus 1831:
1.410 ! djm 1832: if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1.367 djm 1833: return;
1834:
1835: addrlen = sizeof(addr);
1836: newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1.393 deraadt 1837: if (newsock == -1) {
1.367 djm 1838: error("accept from auth socket: %.100s", strerror(errno));
1839: if (errno == EMFILE || errno == ENFILE)
1840: c->notbefore = monotime() + 1;
1841: return;
1.41 markus 1842: }
1.367 djm 1843: nc = channel_new(ssh, "accepted auth socket",
1844: SSH_CHANNEL_OPENING, newsock, newsock, -1,
1845: c->local_window_max, c->local_maxpacket,
1846: 0, "accepted auth socket", 1);
1847: open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
1848: if ((r = sshpkt_send(ssh)) != 0)
1.403 djm 1849: fatal_fr(r, "channel %i", c->self);
1.41 markus 1850: }
1.25 markus 1851:
1.127 itojun 1852: static void
1.410 ! djm 1853: channel_post_connecting(struct ssh *ssh, Channel *c)
1.75 markus 1854: {
1.372 markus 1855: int err = 0, sock, isopen, r;
1.129 stevesk 1856: socklen_t sz = sizeof(err);
1.114 markus 1857:
1.410 ! djm 1858: if ((c->io_ready & SSH_CHAN_IO_SOCK_W) == 0)
1.367 djm 1859: return;
1.368 djm 1860: if (!c->have_remote_id)
1.403 djm 1861: fatal_f("channel %d: no remote id", c->self);
1.372 markus 1862: /* for rdynamic the OPEN_CONFIRMATION has been sent already */
1863: isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH);
1.393 deraadt 1864: if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) == -1) {
1.367 djm 1865: err = errno;
1866: error("getsockopt SO_ERROR failed");
1867: }
1868: if (err == 0) {
1869: debug("channel %d: connected to %s port %d",
1870: c->self, c->connect_ctx.host, c->connect_ctx.port);
1871: channel_connect_ctx_free(&c->connect_ctx);
1872: c->type = SSH_CHANNEL_OPEN;
1.372 markus 1873: if (isopen) {
1874: /* no message necessary */
1875: } else {
1876: if ((r = sshpkt_start(ssh,
1877: SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
1878: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1879: (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
1880: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1.403 djm 1881: (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 ||
1882: (r = sshpkt_send(ssh)) != 0)
1883: fatal_fr(r, "channel %i open confirm", c->self);
1.367 djm 1884: }
1885: } else {
1886: debug("channel %d: connection failed: %s",
1887: c->self, strerror(err));
1888: /* Try next address, if any */
1889: if ((sock = connect_next(&c->connect_ctx)) > 0) {
1890: close(c->sock);
1891: c->sock = c->rfd = c->wfd = sock;
1892: channel_find_maxfd(ssh->chanctxt);
1893: return;
1894: }
1895: /* Exhausted all addresses */
1896: error("connect_to %.100s port %d: failed.",
1897: c->connect_ctx.host, c->connect_ctx.port);
1898: channel_connect_ctx_free(&c->connect_ctx);
1.372 markus 1899: if (isopen) {
1900: rdynamic_close(ssh, c);
1901: } else {
1902: if ((r = sshpkt_start(ssh,
1903: SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
1904: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1.378 djm 1905: (r = sshpkt_put_u32(ssh,
1906: SSH2_OPEN_CONNECT_FAILED)) != 0 ||
1907: (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
1.403 djm 1908: (r = sshpkt_put_cstring(ssh, "")) != 0 ||
1909: (r = sshpkt_send(ssh)) != 0)
1910: fatal_fr(r, "channel %i: failure", c->self);
1.372 markus 1911: chan_mark_dead(ssh, c);
1.75 markus 1912: }
1913: }
1914: }
1915:
1.127 itojun 1916: static int
1.410 ! djm 1917: channel_handle_rfd(struct ssh *ssh, Channel *c)
1.41 markus 1918: {
1.214 markus 1919: char buf[CHAN_RBUF];
1.367 djm 1920: ssize_t len;
1921: int r;
1.25 markus 1922:
1.410 ! djm 1923: if ((c->io_ready & SSH_CHAN_IO_RFD) == 0)
1.367 djm 1924: return 1;
1925:
1926: len = read(c->rfd, buf, sizeof(buf));
1.393 deraadt 1927: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 1928: return 1;
1929: if (len <= 0) {
1930: debug2("channel %d: read<=0 rfd %d len %zd",
1931: c->self, c->rfd, len);
1932: if (c->type != SSH_CHANNEL_OPEN) {
1933: debug2("channel %d: not open", c->self);
1934: chan_mark_dead(ssh, c);
1.41 markus 1935: return -1;
1.65 markus 1936: } else {
1.367 djm 1937: chan_read_failed(ssh, c);
1.65 markus 1938: }
1.367 djm 1939: return -1;
1940: }
1941: if (c->input_filter != NULL) {
1942: if (c->input_filter(ssh, c, buf, len) == -1) {
1943: debug2("channel %d: filter stops", c->self);
1944: chan_read_failed(ssh, c);
1945: }
1946: } else if (c->datagram) {
1947: if ((r = sshbuf_put_string(c->input, buf, len)) != 0)
1.403 djm 1948: fatal_fr(r, "channel %i: put datagram", c->self);
1949: } else if ((r = sshbuf_put(c->input, buf, len)) != 0)
1950: fatal_fr(r, "channel %i: put data", c->self);
1.41 markus 1951: return 1;
1952: }
1.241 deraadt 1953:
1.127 itojun 1954: static int
1.410 ! djm 1955: channel_handle_wfd(struct ssh *ssh, Channel *c)
1.41 markus 1956: {
1.95 markus 1957: struct termios tio;
1.367 djm 1958: u_char *data = NULL, *buf; /* XXX const; need filter API change */
1959: size_t dlen, olen = 0;
1960: int r, len;
1961:
1.410 ! djm 1962: if ((c->io_ready & SSH_CHAN_IO_WFD) == 0)
! 1963: return 1;
! 1964: if (sshbuf_len(c->output) == 0)
1.367 djm 1965: return 1;
1.25 markus 1966:
1.41 markus 1967: /* Send buffered output data to the socket. */
1.367 djm 1968: olen = sshbuf_len(c->output);
1969: if (c->output_filter != NULL) {
1970: if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) {
1971: debug2("channel %d: filter stops", c->self);
1972: if (c->type != SSH_CHANNEL_OPEN)
1973: chan_mark_dead(ssh, c);
1974: else
1975: chan_write_failed(ssh, c);
1976: return -1;
1.231 reyk 1977: }
1.367 djm 1978: } else if (c->datagram) {
1979: if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0)
1.403 djm 1980: fatal_fr(r, "channel %i: get datagram", c->self);
1.369 djm 1981: buf = data;
1.367 djm 1982: } else {
1983: buf = data = sshbuf_mutable_ptr(c->output);
1984: dlen = sshbuf_len(c->output);
1985: }
1.231 reyk 1986:
1.367 djm 1987: if (c->datagram) {
1988: /* ignore truncated writes, datagrams might get lost */
1.374 djm 1989: len = write(c->wfd, buf, dlen);
1.367 djm 1990: free(data);
1.393 deraadt 1991: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.53 markus 1992: return 1;
1.367 djm 1993: if (len <= 0)
1994: goto write_fail;
1995: goto out;
1996: }
1997:
1998: len = write(c->wfd, buf, dlen);
1.393 deraadt 1999: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2000: return 1;
2001: if (len <= 0) {
2002: write_fail:
2003: if (c->type != SSH_CHANNEL_OPEN) {
2004: debug2("channel %d: not open", c->self);
2005: chan_mark_dead(ssh, c);
1.41 markus 2006: return -1;
1.367 djm 2007: } else {
2008: chan_write_failed(ssh, c);
1.91 markus 2009: }
1.367 djm 2010: return -1;
2011: }
2012: if (c->isatty && dlen >= 1 && buf[0] != '\r') {
2013: if (tcgetattr(c->wfd, &tio) == 0 &&
2014: !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
2015: /*
2016: * Simulate echo to reduce the impact of
2017: * traffic analysis. We need to match the
2018: * size of a SSH2_MSG_CHANNEL_DATA message
2019: * (4 byte channel id + buf)
2020: */
2021: if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 ||
2022: (r = sshpkt_send(ssh)) != 0)
1.403 djm 2023: fatal_fr(r, "channel %i: ignore", c->self);
1.25 markus 2024: }
1.367 djm 2025: }
1.403 djm 2026: if ((r = sshbuf_consume(c->output, len)) != 0)
2027: fatal_fr(r, "channel %i: consume", c->self);
1.309 djm 2028: out:
1.367 djm 2029: c->local_consumed += olen - sshbuf_len(c->output);
2030:
2031: return 1;
2032: }
2033:
2034: static int
1.410 ! djm 2035: channel_handle_efd_write(struct ssh *ssh, Channel *c)
1.367 djm 2036: {
2037: int r;
2038: ssize_t len;
2039:
1.410 ! djm 2040: if ((c->io_ready & SSH_CHAN_IO_EFD_W) == 0)
! 2041: return 1;
! 2042: if (sshbuf_len(c->extended) == 0)
1.367 djm 2043: return 1;
2044:
2045: len = write(c->efd, sshbuf_ptr(c->extended),
2046: sshbuf_len(c->extended));
2047: debug2("channel %d: written %zd to efd %d", c->self, len, c->efd);
1.393 deraadt 2048: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2049: return 1;
2050: if (len <= 0) {
2051: debug2("channel %d: closing write-efd %d", c->self, c->efd);
1.407 djm 2052: channel_close_fd(ssh, c, &c->efd);
1.367 djm 2053: } else {
1.403 djm 2054: if ((r = sshbuf_consume(c->extended, len)) != 0)
2055: fatal_fr(r, "channel %i: consume", c->self);
1.367 djm 2056: c->local_consumed += len;
2057: }
1.44 markus 2058: return 1;
2059: }
1.241 deraadt 2060:
1.127 itojun 2061: static int
1.410 ! djm 2062: channel_handle_efd_read(struct ssh *ssh, Channel *c)
1.44 markus 2063: {
1.214 markus 2064: char buf[CHAN_RBUF];
1.367 djm 2065: int r;
2066: ssize_t len;
2067:
1.410 ! djm 2068: if ((c->io_ready & SSH_CHAN_IO_EFD_R) == 0)
1.367 djm 2069: return 1;
1.44 markus 2070:
1.367 djm 2071: len = read(c->efd, buf, sizeof(buf));
2072: debug2("channel %d: read %zd from efd %d", c->self, len, c->efd);
1.393 deraadt 2073: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2074: return 1;
2075: if (len <= 0) {
1.403 djm 2076: debug2("channel %d: closing read-efd %d", c->self, c->efd);
1.407 djm 2077: channel_close_fd(ssh, c, &c->efd);
1.403 djm 2078: } else if (c->extended_usage == CHAN_EXTENDED_IGNORE)
2079: debug3("channel %d: discard efd", c->self);
2080: else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
2081: fatal_fr(r, "channel %i: append", c->self);
1.44 markus 2082: return 1;
2083: }
1.241 deraadt 2084:
1.127 itojun 2085: static int
1.410 ! djm 2086: channel_handle_efd(struct ssh *ssh, Channel *c)
1.44 markus 2087: {
1.367 djm 2088: if (c->efd == -1)
2089: return 1;
2090:
2091: /** XXX handle drain efd, too */
2092:
2093: if (c->extended_usage == CHAN_EXTENDED_WRITE)
1.410 ! djm 2094: return channel_handle_efd_write(ssh, c);
1.367 djm 2095: else if (c->extended_usage == CHAN_EXTENDED_READ ||
2096: c->extended_usage == CHAN_EXTENDED_IGNORE)
1.410 ! djm 2097: return channel_handle_efd_read(ssh, c);
1.367 djm 2098:
2099: return 1;
2100: }
2101:
2102: static int
2103: channel_check_window(struct ssh *ssh, Channel *c)
2104: {
2105: int r;
2106:
1.104 markus 2107: if (c->type == SSH_CHANNEL_OPEN &&
2108: !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.270 dtucker 2109: ((c->local_window_max - c->local_window >
1.269 markus 2110: c->local_maxpacket*3) ||
2111: c->local_window < c->local_window_max/2) &&
1.44 markus 2112: c->local_consumed > 0) {
1.368 djm 2113: if (!c->have_remote_id)
1.403 djm 2114: fatal_f("channel %d: no remote id", c->self);
1.367 djm 2115: if ((r = sshpkt_start(ssh,
2116: SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
2117: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2118: (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
2119: (r = sshpkt_send(ssh)) != 0) {
1.403 djm 2120: fatal_fr(r, "channel %i", c->self);
1.367 djm 2121: }
1.403 djm 2122: debug2("channel %d: window %d sent adjust %d", c->self,
2123: c->local_window, c->local_consumed);
1.44 markus 2124: c->local_window += c->local_consumed;
2125: c->local_consumed = 0;
1.1 deraadt 2126: }
1.41 markus 2127: return 1;
1.1 deraadt 2128: }
2129:
1.127 itojun 2130: static void
1.410 ! djm 2131: channel_post_open(struct ssh *ssh, Channel *c)
1.41 markus 2132: {
1.410 ! djm 2133: channel_handle_rfd(ssh, c);
! 2134: channel_handle_wfd(ssh, c);
! 2135: channel_handle_efd(ssh, c);
1.367 djm 2136: channel_check_window(ssh, c);
1.44 markus 2137: }
2138:
1.302 djm 2139: static u_int
1.367 djm 2140: read_mux(struct ssh *ssh, Channel *c, u_int need)
1.302 djm 2141: {
2142: char buf[CHAN_RBUF];
1.367 djm 2143: ssize_t len;
1.302 djm 2144: u_int rlen;
1.367 djm 2145: int r;
1.302 djm 2146:
1.367 djm 2147: if (sshbuf_len(c->input) < need) {
2148: rlen = need - sshbuf_len(c->input);
1.352 deraadt 2149: len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF));
1.393 deraadt 2150: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2151: return sshbuf_len(c->input);
1.302 djm 2152: if (len <= 0) {
1.367 djm 2153: debug2("channel %d: ctl read<=0 rfd %d len %zd",
1.349 naddy 2154: c->self, c->rfd, len);
1.367 djm 2155: chan_read_failed(ssh, c);
1.349 naddy 2156: return 0;
1.403 djm 2157: } else if ((r = sshbuf_put(c->input, buf, len)) != 0)
2158: fatal_fr(r, "channel %i: append", c->self);
1.302 djm 2159: }
1.367 djm 2160: return sshbuf_len(c->input);
1.302 djm 2161: }
2162:
2163: static void
1.410 ! djm 2164: channel_post_mux_client_read(struct ssh *ssh, Channel *c)
1.302 djm 2165: {
2166: u_int need;
2167:
1.410 ! djm 2168: if ((c->io_ready & SSH_CHAN_IO_RFD) == 0)
1.367 djm 2169: return;
2170: if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN)
2171: return;
2172: if (c->mux_pause)
2173: return;
2174:
2175: /*
2176: * Don't not read past the precise end of packets to
2177: * avoid disrupting fd passing.
2178: */
2179: if (read_mux(ssh, c, 4) < 4) /* read header */
2180: return;
2181: /* XXX sshbuf_peek_u32 */
2182: need = PEEK_U32(sshbuf_ptr(c->input));
1.302 djm 2183: #define CHANNEL_MUX_MAX_PACKET (256 * 1024)
1.367 djm 2184: if (need > CHANNEL_MUX_MAX_PACKET) {
2185: debug2("channel %d: packet too big %u > %u",
2186: c->self, CHANNEL_MUX_MAX_PACKET, need);
2187: chan_rcvd_oclose(ssh, c);
2188: return;
2189: }
2190: if (read_mux(ssh, c, need + 4) < need + 4) /* read body */
2191: return;
2192: if (c->mux_rcb(ssh, c) != 0) {
2193: debug("channel %d: mux_rcb failed", c->self);
2194: chan_mark_dead(ssh, c);
2195: return;
1.302 djm 2196: }
1.367 djm 2197: }
2198:
2199: static void
1.410 ! djm 2200: channel_post_mux_client_write(struct ssh *ssh, Channel *c)
1.367 djm 2201: {
2202: ssize_t len;
2203: int r;
1.302 djm 2204:
1.410 ! djm 2205: if ((c->io_ready & SSH_CHAN_IO_WFD) == 0)
! 2206: return;
! 2207: if (sshbuf_len(c->output) == 0)
1.367 djm 2208: return;
2209:
2210: len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output));
1.393 deraadt 2211: if (len == -1 && (errno == EINTR || errno == EAGAIN))
1.367 djm 2212: return;
2213: if (len <= 0) {
2214: chan_mark_dead(ssh, c);
2215: return;
1.302 djm 2216: }
1.367 djm 2217: if ((r = sshbuf_consume(c->output, len)) != 0)
1.403 djm 2218: fatal_fr(r, "channel %i: consume", c->self);
1.367 djm 2219: }
2220:
2221: static void
1.410 ! djm 2222: channel_post_mux_client(struct ssh *ssh, Channel *c)
1.367 djm 2223: {
1.410 ! djm 2224: channel_post_mux_client_read(ssh, c);
! 2225: channel_post_mux_client_write(ssh, c);
1.302 djm 2226: }
2227:
2228: static void
1.410 ! djm 2229: channel_post_mux_listener(struct ssh *ssh, Channel *c)
1.302 djm 2230: {
2231: Channel *nc;
2232: struct sockaddr_storage addr;
2233: socklen_t addrlen;
2234: int newsock;
2235: uid_t euid;
2236: gid_t egid;
2237:
1.410 ! djm 2238: if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1.302 djm 2239: return;
2240:
2241: debug("multiplexing control connection");
2242:
2243: /*
2244: * Accept connection on control socket
2245: */
2246: memset(&addr, 0, sizeof(addr));
2247: addrlen = sizeof(addr);
2248: if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
2249: &addrlen)) == -1) {
1.403 djm 2250: error_f("accept: %s", strerror(errno));
1.317 djm 2251: if (errno == EMFILE || errno == ENFILE)
1.322 dtucker 2252: c->notbefore = monotime() + 1;
1.302 djm 2253: return;
2254: }
2255:
1.393 deraadt 2256: if (getpeereid(newsock, &euid, &egid) == -1) {
1.403 djm 2257: error_f("getpeereid failed: %s", strerror(errno));
1.302 djm 2258: close(newsock);
2259: return;
2260: }
2261: if ((euid != 0) && (getuid() != euid)) {
2262: error("multiplex uid mismatch: peer euid %u != uid %u",
2263: (u_int)euid, (u_int)getuid());
2264: close(newsock);
2265: return;
2266: }
1.367 djm 2267: nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT,
1.302 djm 2268: newsock, newsock, -1, c->local_window_max,
2269: c->local_maxpacket, 0, "mux-control", 1);
2270: nc->mux_rcb = c->mux_rcb;
1.403 djm 2271: debug3_f("new mux channel %d fd %d", nc->self, nc->sock);
1.302 djm 2272: /* establish state */
1.367 djm 2273: nc->mux_rcb(ssh, nc);
1.302 djm 2274: /* mux state transitions must not elicit protocol messages */
2275: nc->flags |= CHAN_LOCAL;
2276: }
2277:
1.127 itojun 2278: static void
1.367 djm 2279: channel_handler_init(struct ssh_channels *sc)
1.1 deraadt 2280: {
1.367 djm 2281: chan_fn **pre, **post;
2282:
2283: if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL ||
1.406 djm 2284: (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL)
1.403 djm 2285: fatal_f("allocation failed");
1.367 djm 2286:
2287: pre[SSH_CHANNEL_OPEN] = &channel_pre_open;
2288: pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
2289: pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
2290: pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
2291: pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener;
2292: pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener;
2293: pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
2294: pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
2295: pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
2296: pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
1.372 markus 2297: pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting;
1.367 djm 2298: pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener;
2299: pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client;
2300:
2301: post[SSH_CHANNEL_OPEN] = &channel_post_open;
2302: post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
2303: post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
2304: post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener;
2305: post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener;
2306: post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
2307: post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
2308: post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
2309: post[SSH_CHANNEL_DYNAMIC] = &channel_post_open;
1.372 markus 2310: post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting;
1.367 djm 2311: post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener;
2312: post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client;
1.180 deraadt 2313:
1.367 djm 2314: sc->channel_pre = pre;
2315: sc->channel_post = post;
1.44 markus 2316: }
2317:
1.140 markus 2318: /* gc dead channels */
2319: static void
1.367 djm 2320: channel_garbage_collect(struct ssh *ssh, Channel *c)
1.140 markus 2321: {
2322: if (c == NULL)
2323: return;
2324: if (c->detach_user != NULL) {
1.367 djm 2325: if (!chan_is_dead(ssh, c, c->detach_close))
1.140 markus 2326: return;
1.385 djm 2327:
1.194 markus 2328: debug2("channel %d: gc: notify user", c->self);
1.367 djm 2329: c->detach_user(ssh, c->self, NULL);
1.140 markus 2330: /* if we still have a callback */
2331: if (c->detach_user != NULL)
2332: return;
1.194 markus 2333: debug2("channel %d: gc: user detached", c->self);
1.140 markus 2334: }
1.367 djm 2335: if (!chan_is_dead(ssh, c, 1))
1.140 markus 2336: return;
1.194 markus 2337: debug2("channel %d: garbage collecting", c->self);
1.367 djm 2338: channel_free(ssh, c);
1.140 markus 2339: }
2340:
1.367 djm 2341: enum channel_table { CHAN_PRE, CHAN_POST };
2342:
1.127 itojun 2343: static void
1.410 ! djm 2344: channel_handler(struct ssh *ssh, int table, time_t *unpause_secs)
1.41 markus 2345: {
1.367 djm 2346: struct ssh_channels *sc = ssh->chanctxt;
2347: chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post;
1.299 markus 2348: u_int i, oalloc;
1.41 markus 2349: Channel *c;
1.317 djm 2350: time_t now;
1.25 markus 2351:
1.322 dtucker 2352: now = monotime();
1.317 djm 2353: if (unpause_secs != NULL)
2354: *unpause_secs = 0;
1.367 djm 2355: for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2356: c = sc->channels[i];
1.113 markus 2357: if (c == NULL)
1.41 markus 2358: continue;
1.299 markus 2359: if (c->delayed) {
1.367 djm 2360: if (table == CHAN_PRE)
1.299 markus 2361: c->delayed = 0;
2362: else
2363: continue;
2364: }
1.317 djm 2365: if (ftab[c->type] != NULL) {
2366: /*
2367: * Run handlers that are not paused.
2368: */
2369: if (c->notbefore <= now)
1.410 ! djm 2370: (*ftab[c->type])(ssh, c);
1.317 djm 2371: else if (unpause_secs != NULL) {
2372: /*
2373: * Collect the time that the earliest
2374: * channel comes off pause.
2375: */
1.403 djm 2376: debug3_f("chan %d: skip for %d more "
2377: "seconds", c->self,
1.317 djm 2378: (int)(c->notbefore - now));
2379: if (*unpause_secs == 0 ||
2380: (c->notbefore - now) < *unpause_secs)
2381: *unpause_secs = c->notbefore - now;
2382: }
2383: }
1.367 djm 2384: channel_garbage_collect(ssh, c);
1.1 deraadt 2385: }
1.317 djm 2386: if (unpause_secs != NULL && *unpause_secs != 0)
1.403 djm 2387: debug3_f("first channel unpauses in %d seconds",
2388: (int)*unpause_secs);
1.1 deraadt 2389: }
2390:
1.121 markus 2391: /*
1.372 markus 2392: * Create sockets before allocating the select bitmasks.
2393: * This is necessary for things that need to happen after reading
2394: * the network-input but before channel_prepare_select().
2395: */
2396: static void
2397: channel_before_prepare_select(struct ssh *ssh)
2398: {
2399: struct ssh_channels *sc = ssh->chanctxt;
2400: Channel *c;
2401: u_int i, oalloc;
2402:
2403: for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2404: c = sc->channels[i];
2405: if (c == NULL)
2406: continue;
2407: if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN)
2408: channel_before_prepare_select_rdynamic(ssh, c);
2409: }
2410: }
2411:
2412: /*
1.121 markus 2413: * Allocate/update select bitmasks and add any bits relevant to channels in
2414: * select bitmasks.
2415: */
1.49 markus 2416: void
1.366 djm 2417: channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp,
2418: int *maxfdp, u_int *nallocp, time_t *minwait_secs)
1.41 markus 2419: {
1.410 ! djm 2420: struct ssh_channels *sc = ssh->chanctxt;
! 2421: u_int i, n, sz, nfdset, oalloc = sc->channels_alloc;
! 2422: Channel *c;
1.84 markus 2423:
1.372 markus 2424: channel_before_prepare_select(ssh); /* might update channel_max_fd */
2425:
1.367 djm 2426: n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd);
1.84 markus 2427:
1.243 djm 2428: nfdset = howmany(n+1, NFDBITS);
2429: /* Explicitly test here, because xrealloc isn't always called */
1.341 millert 2430: if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask))
1.243 djm 2431: fatal("channel_prepare_select: max_fd (%d) is too large", n);
2432: sz = nfdset * sizeof(fd_mask);
2433:
1.132 markus 2434: /* perhaps check sz < nalloc/2 and shrink? */
2435: if (*readsetp == NULL || sz > *nallocp) {
1.342 deraadt 2436: *readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask));
2437: *writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask));
1.132 markus 2438: *nallocp = sz;
1.84 markus 2439: }
1.132 markus 2440: *maxfdp = n;
1.84 markus 2441: memset(*readsetp, 0, sz);
2442: memset(*writesetp, 0, sz);
2443:
1.366 djm 2444: if (!ssh_packet_is_rekeying(ssh))
1.410 ! djm 2445: channel_handler(ssh, CHAN_PRE, minwait_secs);
! 2446:
! 2447: /* Convert c->io_want into FD_SET */
! 2448: for (i = 0; i < oalloc; i++) {
! 2449: c = sc->channels[i];
! 2450: if (c == NULL)
! 2451: continue;
! 2452: if ((c->io_want & SSH_CHAN_IO_RFD) != 0) {
! 2453: if (c->rfd == -1)
! 2454: fatal_f("channel %d: no rfd", c->self);
! 2455: FD_SET(c->rfd, *readsetp);
! 2456: }
! 2457: if ((c->io_want & SSH_CHAN_IO_WFD) != 0) {
! 2458: if (c->wfd == -1)
! 2459: fatal_f("channel %d: no wfd", c->self);
! 2460: FD_SET(c->wfd, *writesetp);
! 2461: }
! 2462: if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0) {
! 2463: if (c->efd == -1)
! 2464: fatal_f("channel %d: no efd(r)", c->self);
! 2465: FD_SET(c->efd, *readsetp);
! 2466: }
! 2467: if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0) {
! 2468: if (c->efd == -1)
! 2469: fatal_f("channel %d: no efd(w)", c->self);
! 2470: FD_SET(c->efd, *writesetp);
! 2471: }
! 2472: if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0) {
! 2473: if (c->sock == -1)
! 2474: fatal_f("channel %d: no sock(r)", c->self);
! 2475: FD_SET(c->sock, *readsetp);
! 2476: }
! 2477: if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0) {
! 2478: if (c->sock == -1)
! 2479: fatal_f("channel %d: no sock(w)", c->self);
! 2480: FD_SET(c->sock, *writesetp);
! 2481: }
! 2482: }
1.41 markus 2483: }
2484:
1.121 markus 2485: /*
2486: * After select, perform any appropriate operations for channels which have
2487: * events pending.
2488: */
1.49 markus 2489: void
1.366 djm 2490: channel_after_select(struct ssh *ssh, fd_set *readset, fd_set *writeset)
1.41 markus 2491: {
1.410 ! djm 2492: struct ssh_channels *sc = ssh->chanctxt;
! 2493: Channel *c;
! 2494: u_int i, oalloc = sc->channels_alloc;
! 2495:
! 2496: /* Convert FD_SET into c->io_ready */
! 2497: for (i = 0; i < oalloc; i++) {
! 2498: c = sc->channels[i];
! 2499: if (c == NULL)
! 2500: continue;
! 2501: c->io_ready = 0;
! 2502: if (c->rfd != -1 && FD_ISSET(c->rfd, readset))
! 2503: c->io_ready |= SSH_CHAN_IO_RFD;
! 2504: if (c->wfd != -1 && FD_ISSET(c->wfd, writeset))
! 2505: c->io_ready |= SSH_CHAN_IO_WFD;
! 2506: if (c->efd != -1 && FD_ISSET(c->efd, readset))
! 2507: c->io_ready |= SSH_CHAN_IO_EFD_R;
! 2508: if (c->efd != -1 && FD_ISSET(c->efd, writeset))
! 2509: c->io_ready |= SSH_CHAN_IO_EFD_W;
! 2510: if (c->sock != -1 && FD_ISSET(c->sock, readset))
! 2511: c->io_ready |= SSH_CHAN_IO_SOCK_R;
! 2512: if (c->sock != -1 && FD_ISSET(c->sock, writeset))
! 2513: c->io_ready |= SSH_CHAN_IO_SOCK_W;
! 2514: }
! 2515: channel_handler(ssh, CHAN_POST, NULL);
1.367 djm 2516: }
2517:
2518: /*
2519: * Enqueue data for channels with open or draining c->input.
2520: */
2521: static void
2522: channel_output_poll_input_open(struct ssh *ssh, Channel *c)
2523: {
1.373 djm 2524: size_t len, plen;
2525: const u_char *pkt;
1.367 djm 2526: int r;
2527:
2528: if ((len = sshbuf_len(c->input)) == 0) {
2529: if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
2530: /*
2531: * input-buffer is empty and read-socket shutdown:
2532: * tell peer, that we will not send more data:
2533: * send IEOF.
2534: * hack for extended data: delay EOF if EFD still
2535: * in use.
2536: */
2537: if (CHANNEL_EFD_INPUT_ACTIVE(c))
2538: debug2("channel %d: "
2539: "ibuf_empty delayed efd %d/(%zu)",
2540: c->self, c->efd, sshbuf_len(c->extended));
2541: else
2542: chan_ibuf_empty(ssh, c);
2543: }
2544: return;
2545: }
2546:
1.368 djm 2547: if (!c->have_remote_id)
1.403 djm 2548: fatal_f("channel %d: no remote id", c->self);
1.368 djm 2549:
1.367 djm 2550: if (c->datagram) {
2551: /* Check datagram will fit; drop if not */
1.373 djm 2552: if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0)
1.403 djm 2553: fatal_fr(r, "channel %i: get datagram", c->self);
1.367 djm 2554: /*
2555: * XXX this does tail-drop on the datagram queue which is
2556: * usually suboptimal compared to head-drop. Better to have
2557: * backpressure at read time? (i.e. read + discard)
2558: */
1.373 djm 2559: if (plen > c->remote_window || plen > c->remote_maxpacket) {
1.367 djm 2560: debug("channel %d: datagram too big", c->self);
2561: return;
2562: }
2563: /* Enqueue it */
2564: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2565: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1.373 djm 2566: (r = sshpkt_put_string(ssh, pkt, plen)) != 0 ||
1.403 djm 2567: (r = sshpkt_send(ssh)) != 0)
2568: fatal_fr(r, "channel %i: send datagram", c->self);
1.373 djm 2569: c->remote_window -= plen;
1.367 djm 2570: return;
2571: }
2572:
2573: /* Enqueue packet for buffered data. */
2574: if (len > c->remote_window)
2575: len = c->remote_window;
2576: if (len > c->remote_maxpacket)
2577: len = c->remote_maxpacket;
2578: if (len == 0)
2579: return;
2580: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2581: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2582: (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 ||
1.403 djm 2583: (r = sshpkt_send(ssh)) != 0)
2584: fatal_fr(r, "channel %i: send data", c->self);
1.367 djm 2585: if ((r = sshbuf_consume(c->input, len)) != 0)
1.403 djm 2586: fatal_fr(r, "channel %i: consume", c->self);
1.367 djm 2587: c->remote_window -= len;
1.41 markus 2588: }
2589:
1.367 djm 2590: /*
2591: * Enqueue data for channels with open c->extended in read mode.
2592: */
2593: static void
2594: channel_output_poll_extended_read(struct ssh *ssh, Channel *c)
2595: {
2596: size_t len;
2597: int r;
2598:
2599: if ((len = sshbuf_len(c->extended)) == 0)
2600: return;
2601:
2602: debug2("channel %d: rwin %u elen %zu euse %d", c->self,
2603: c->remote_window, sshbuf_len(c->extended), c->extended_usage);
2604: if (len > c->remote_window)
2605: len = c->remote_window;
2606: if (len > c->remote_maxpacket)
2607: len = c->remote_maxpacket;
2608: if (len == 0)
2609: return;
1.368 djm 2610: if (!c->have_remote_id)
1.403 djm 2611: fatal_f("channel %d: no remote id", c->self);
1.367 djm 2612: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 ||
2613: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2614: (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 ||
2615: (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 ||
1.403 djm 2616: (r = sshpkt_send(ssh)) != 0)
2617: fatal_fr(r, "channel %i: data", c->self);
1.367 djm 2618: if ((r = sshbuf_consume(c->extended, len)) != 0)
1.403 djm 2619: fatal_fr(r, "channel %i: consume", c->self);
1.367 djm 2620: c->remote_window -= len;
2621: debug2("channel %d: sent ext data %zu", c->self, len);
2622: }
1.121 markus 2623:
1.84 markus 2624: /* If there is data to send to the connection, enqueue some of it now. */
1.49 markus 2625: void
1.367 djm 2626: channel_output_poll(struct ssh *ssh)
1.1 deraadt 2627: {
1.367 djm 2628: struct ssh_channels *sc = ssh->chanctxt;
1.41 markus 2629: Channel *c;
1.367 djm 2630: u_int i;
1.1 deraadt 2631:
1.367 djm 2632: for (i = 0; i < sc->channels_alloc; i++) {
2633: c = sc->channels[i];
1.113 markus 2634: if (c == NULL)
2635: continue;
1.37 markus 2636:
1.121 markus 2637: /*
2638: * We are only interested in channels that can have buffered
2639: * incoming data.
2640: */
1.358 djm 2641: if (c->type != SSH_CHANNEL_OPEN)
2642: continue;
2643: if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.93 markus 2644: /* XXX is this true? */
1.367 djm 2645: debug3("channel %d: will not send data after close",
2646: c->self);
1.44 markus 2647: continue;
2648: }
1.25 markus 2649:
2650: /* Get the amount of buffered data for this channel. */
1.367 djm 2651: if (c->istate == CHAN_INPUT_OPEN ||
2652: c->istate == CHAN_INPUT_WAIT_DRAIN)
2653: channel_output_poll_input_open(ssh, c);
1.44 markus 2654: /* Send extended data, i.e. stderr */
1.358 djm 2655: if (!(c->flags & CHAN_EOF_SENT) &&
1.367 djm 2656: c->extended_usage == CHAN_EXTENDED_READ)
2657: channel_output_poll_extended_read(ssh, c);
1.25 markus 2658: }
1.1 deraadt 2659: }
2660:
1.354 markus 2661: /* -- mux proxy support */
2662:
2663: /*
2664: * When multiplexing channel messages for mux clients we have to deal
2665: * with downstream messages from the mux client and upstream messages
2666: * from the ssh server:
2667: * 1) Handling downstream messages is straightforward and happens
2668: * in channel_proxy_downstream():
2669: * - We forward all messages (mostly) unmodified to the server.
2670: * - However, in order to route messages from upstream to the correct
2671: * downstream client, we have to replace the channel IDs used by the
2672: * mux clients with a unique channel ID because the mux clients might
2673: * use conflicting channel IDs.
2674: * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
2675: * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
2676: * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
2677: * with the newly allocated channel ID.
2678: * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
1.380 djm 2679: * channels and processed by channel_proxy_upstream(). The local channel ID
1.354 markus 2680: * is then translated back to the original mux client ID.
2681: * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
2682: * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
2683: * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
2684: * downstream mux client are removed.
2685: * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
2686: * requires more work, because they are not addressed to a specific
2687: * channel. E.g. client_request_forwarded_tcpip() needs to figure
2688: * out whether the request is addressed to the local client or a
2689: * specific downstream client based on the listen-address/port.
1.380 djm 2690: * 6) Agent and X11-Forwarding have a similar problem and are currently
1.354 markus 2691: * not supported as the matching session/channel cannot be identified
2692: * easily.
2693: */
2694:
2695: /*
2696: * receive packets from downstream mux clients:
2697: * channel callback fired on read from mux client, creates
2698: * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
2699: * on channel creation.
2700: */
2701: int
1.367 djm 2702: channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
1.354 markus 2703: {
2704: Channel *c = NULL;
2705: struct sshbuf *original = NULL, *modified = NULL;
2706: const u_char *cp;
2707: char *ctype = NULL, *listen_host = NULL;
2708: u_char type;
2709: size_t have;
1.370 djm 2710: int ret = -1, r;
1.355 djm 2711: u_int id, remote_id, listen_port;
1.354 markus 2712:
1.367 djm 2713: /* sshbuf_dump(downstream->input, stderr); */
2714: if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have))
1.354 markus 2715: != 0) {
1.403 djm 2716: error_fr(r, "parse");
1.354 markus 2717: return -1;
2718: }
2719: if (have < 2) {
1.403 djm 2720: error_f("short message");
1.354 markus 2721: return -1;
2722: }
2723: type = cp[1];
2724: /* skip padlen + type */
2725: cp += 2;
2726: have -= 2;
2727: if (ssh_packet_log_type(type))
1.403 djm 2728: debug3_f("channel %u: down->up: type %u",
1.354 markus 2729: downstream->self, type);
2730:
2731: switch (type) {
2732: case SSH2_MSG_CHANNEL_OPEN:
2733: if ((original = sshbuf_from(cp, have)) == NULL ||
2734: (modified = sshbuf_new()) == NULL) {
1.403 djm 2735: error_f("alloc");
1.354 markus 2736: goto out;
2737: }
2738: if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 ||
2739: (r = sshbuf_get_u32(original, &id)) != 0) {
1.403 djm 2740: error_fr(r, "parse");
1.354 markus 2741: goto out;
2742: }
1.367 djm 2743: c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
1.406 djm 2744: -1, -1, -1, 0, 0, 0, ctype, 1);
1.354 markus 2745: c->mux_ctx = downstream; /* point to mux client */
2746: c->mux_downstream_id = id; /* original downstream id */
2747: if ((r = sshbuf_put_cstring(modified, ctype)) != 0 ||
2748: (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2749: (r = sshbuf_putb(modified, original)) != 0) {
1.403 djm 2750: error_fr(r, "compose");
1.367 djm 2751: channel_free(ssh, c);
1.354 markus 2752: goto out;
2753: }
2754: break;
2755: case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2756: /*
2757: * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
2758: * need to parse 'remote_id' instead of 'ctype'.
2759: */
2760: if ((original = sshbuf_from(cp, have)) == NULL ||
2761: (modified = sshbuf_new()) == NULL) {
1.403 djm 2762: error_f("alloc");
1.354 markus 2763: goto out;
2764: }
2765: if ((r = sshbuf_get_u32(original, &remote_id)) != 0 ||
2766: (r = sshbuf_get_u32(original, &id)) != 0) {
1.403 djm 2767: error_fr(r, "parse");
1.354 markus 2768: goto out;
2769: }
1.367 djm 2770: c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
1.406 djm 2771: -1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
1.354 markus 2772: c->mux_ctx = downstream; /* point to mux client */
2773: c->mux_downstream_id = id;
2774: c->remote_id = remote_id;
1.368 djm 2775: c->have_remote_id = 1;
1.354 markus 2776: if ((r = sshbuf_put_u32(modified, remote_id)) != 0 ||
2777: (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2778: (r = sshbuf_putb(modified, original)) != 0) {
1.403 djm 2779: error_fr(r, "compose");
1.367 djm 2780: channel_free(ssh, c);
1.354 markus 2781: goto out;
2782: }
2783: break;
2784: case SSH2_MSG_GLOBAL_REQUEST:
2785: if ((original = sshbuf_from(cp, have)) == NULL) {
1.403 djm 2786: error_f("alloc");
1.354 markus 2787: goto out;
2788: }
2789: if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) {
1.403 djm 2790: error_fr(r, "parse");
1.354 markus 2791: goto out;
2792: }
2793: if (strcmp(ctype, "tcpip-forward") != 0) {
1.403 djm 2794: error_f("unsupported request %s", ctype);
1.354 markus 2795: goto out;
2796: }
2797: if ((r = sshbuf_get_u8(original, NULL)) != 0 ||
2798: (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 ||
2799: (r = sshbuf_get_u32(original, &listen_port)) != 0) {
1.403 djm 2800: error_fr(r, "parse");
1.354 markus 2801: goto out;
2802: }
1.355 djm 2803: if (listen_port > 65535) {
1.403 djm 2804: error_f("tcpip-forward for %s: bad port %u",
2805: listen_host, listen_port);
1.355 djm 2806: goto out;
2807: }
1.354 markus 2808: /* Record that connection to this host/port is permitted. */
1.381 djm 2809: permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
1.367 djm 2810: listen_host, NULL, (int)listen_port, downstream);
1.354 markus 2811: listen_host = NULL;
2812: break;
2813: case SSH2_MSG_CHANNEL_CLOSE:
2814: if (have < 4)
2815: break;
2816: remote_id = PEEK_U32(cp);
1.367 djm 2817: if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) {
1.354 markus 2818: if (c->flags & CHAN_CLOSE_RCVD)
1.367 djm 2819: channel_free(ssh, c);
1.354 markus 2820: else
2821: c->flags |= CHAN_CLOSE_SENT;
2822: }
2823: break;
2824: }
2825: if (modified) {
2826: if ((r = sshpkt_start(ssh, type)) != 0 ||
2827: (r = sshpkt_putb(ssh, modified)) != 0 ||
2828: (r = sshpkt_send(ssh)) != 0) {
1.403 djm 2829: error_fr(r, "send");
1.354 markus 2830: goto out;
2831: }
2832: } else {
2833: if ((r = sshpkt_start(ssh, type)) != 0 ||
2834: (r = sshpkt_put(ssh, cp, have)) != 0 ||
2835: (r = sshpkt_send(ssh)) != 0) {
1.403 djm 2836: error_fr(r, "send");
1.354 markus 2837: goto out;
2838: }
2839: }
2840: ret = 0;
2841: out:
2842: free(ctype);
2843: free(listen_host);
2844: sshbuf_free(original);
2845: sshbuf_free(modified);
2846: return ret;
2847: }
2848:
2849: /*
2850: * receive packets from upstream server and de-multiplex packets
2851: * to correct downstream:
2852: * implemented as a helper for channel input handlers,
2853: * replaces local (proxy) channel ID with downstream channel ID.
2854: */
2855: int
1.363 markus 2856: channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh)
1.354 markus 2857: {
2858: struct sshbuf *b = NULL;
2859: Channel *downstream;
2860: const u_char *cp = NULL;
2861: size_t len;
2862: int r;
2863:
2864: /*
2865: * When receiving packets from the peer we need to check whether we
2866: * need to forward the packets to the mux client. In this case we
1.380 djm 2867: * restore the original channel id and keep track of CLOSE messages,
1.354 markus 2868: * so we can cleanup the channel.
2869: */
2870: if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY)
2871: return 0;
2872: if ((downstream = c->mux_ctx) == NULL)
2873: return 0;
2874: switch (type) {
2875: case SSH2_MSG_CHANNEL_CLOSE:
2876: case SSH2_MSG_CHANNEL_DATA:
2877: case SSH2_MSG_CHANNEL_EOF:
2878: case SSH2_MSG_CHANNEL_EXTENDED_DATA:
2879: case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2880: case SSH2_MSG_CHANNEL_OPEN_FAILURE:
2881: case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
2882: case SSH2_MSG_CHANNEL_SUCCESS:
2883: case SSH2_MSG_CHANNEL_FAILURE:
2884: case SSH2_MSG_CHANNEL_REQUEST:
2885: break;
2886: default:
1.403 djm 2887: debug2_f("channel %u: unsupported type %u", c->self, type);
1.354 markus 2888: return 0;
2889: }
2890: if ((b = sshbuf_new()) == NULL) {
1.403 djm 2891: error_f("alloc reply");
1.354 markus 2892: goto out;
2893: }
2894: /* get remaining payload (after id) */
2895: cp = sshpkt_ptr(ssh, &len);
2896: if (cp == NULL) {
1.403 djm 2897: error_f("no packet");
1.354 markus 2898: goto out;
2899: }
2900: /* translate id and send to muxclient */
2901: if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */
2902: (r = sshbuf_put_u8(b, type)) != 0 ||
2903: (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 ||
2904: (r = sshbuf_put(b, cp, len)) != 0 ||
1.367 djm 2905: (r = sshbuf_put_stringb(downstream->output, b)) != 0) {
1.403 djm 2906: error_fr(r, "compose muxclient");
1.354 markus 2907: goto out;
2908: }
2909: /* sshbuf_dump(b, stderr); */
2910: if (ssh_packet_log_type(type))
1.403 djm 2911: debug3_f("channel %u: up->down: type %u", c->self, type);
1.354 markus 2912: out:
2913: /* update state */
2914: switch (type) {
2915: case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2916: /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
1.368 djm 2917: if (cp && len > 4) {
1.354 markus 2918: c->remote_id = PEEK_U32(cp);
1.368 djm 2919: c->have_remote_id = 1;
2920: }
1.354 markus 2921: break;
2922: case SSH2_MSG_CHANNEL_CLOSE:
2923: if (c->flags & CHAN_CLOSE_SENT)
1.367 djm 2924: channel_free(ssh, c);
1.354 markus 2925: else
2926: c->flags |= CHAN_CLOSE_RCVD;
2927: break;
2928: }
2929: sshbuf_free(b);
2930: return 1;
2931: }
1.121 markus 2932:
2933: /* -- protocol input */
1.249 djm 2934:
1.367 djm 2935: /* Parse a channel ID from the current packet */
2936: static int
2937: channel_parse_id(struct ssh *ssh, const char *where, const char *what)
2938: {
2939: u_int32_t id;
2940: int r;
2941:
2942: if ((r = sshpkt_get_u32(ssh, &id)) != 0) {
1.403 djm 2943: error_r(r, "%s: parse id", where);
1.367 djm 2944: ssh_packet_disconnect(ssh, "Invalid %s message", what);
2945: }
2946: if (id > INT_MAX) {
1.403 djm 2947: error_r(r, "%s: bad channel id %u", where, id);
1.367 djm 2948: ssh_packet_disconnect(ssh, "Invalid %s channel id", what);
2949: }
2950: return (int)id;
2951: }
2952:
2953: /* Lookup a channel from an ID in the current packet */
2954: static Channel *
2955: channel_from_packet_id(struct ssh *ssh, const char *where, const char *what)
2956: {
2957: int id = channel_parse_id(ssh, where, what);
2958: Channel *c;
2959:
2960: if ((c = channel_lookup(ssh, id)) == NULL) {
2961: ssh_packet_disconnect(ssh,
2962: "%s packet referred to nonexistent channel %d", what, id);
2963: }
2964: return c;
2965: }
2966:
1.339 markus 2967: int
1.363 markus 2968: channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
1.1 deraadt 2969: {
1.332 djm 2970: const u_char *data;
1.367 djm 2971: size_t data_len, win_len;
2972: Channel *c = channel_from_packet_id(ssh, __func__, "data");
2973: int r;
1.25 markus 2974:
1.363 markus 2975: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 2976: return 0;
1.25 markus 2977:
2978: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 2979: if (c->type != SSH_CHANNEL_OPEN &&
1.372 markus 2980: c->type != SSH_CHANNEL_RDYNAMIC_OPEN &&
2981: c->type != SSH_CHANNEL_RDYNAMIC_FINISH &&
1.41 markus 2982: c->type != SSH_CHANNEL_X11_OPEN)
1.339 markus 2983: return 0;
1.37 markus 2984:
1.25 markus 2985: /* Get the data. */
1.389 djm 2986: if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
2987: (r = sshpkt_get_end(ssh)) != 0)
1.403 djm 2988: fatal_fr(r, "channel %i: get data", c->self);
1.367 djm 2989:
1.309 djm 2990: win_len = data_len;
2991: if (c->datagram)
2992: win_len += 4; /* string length header */
1.200 markus 2993:
2994: /*
1.367 djm 2995: * The sending side reduces its window as it sends data, so we
2996: * must 'fake' consumption of the data in order to ensure that window
2997: * updates are sent back. Otherwise the connection might deadlock.
1.200 markus 2998: */
1.358 djm 2999: if (c->ostate != CHAN_OUTPUT_OPEN) {
3000: c->local_window -= win_len;
3001: c->local_consumed += win_len;
1.339 markus 3002: return 0;
1.200 markus 3003: }
1.41 markus 3004:
1.358 djm 3005: if (win_len > c->local_maxpacket) {
1.367 djm 3006: logit("channel %d: rcvd big packet %zu, maxpack %u",
1.358 djm 3007: c->self, win_len, c->local_maxpacket);
1.367 djm 3008: return 0;
1.358 djm 3009: }
3010: if (win_len > c->local_window) {
1.367 djm 3011: logit("channel %d: rcvd too much data %zu, win %u",
1.358 djm 3012: c->self, win_len, c->local_window);
3013: return 0;
1.44 markus 3014: }
1.358 djm 3015: c->local_window -= win_len;
3016:
1.367 djm 3017: if (c->datagram) {
3018: if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
1.403 djm 3019: fatal_fr(r, "channel %i: append datagram", c->self);
1.367 djm 3020: } else if ((r = sshbuf_put(c->output, data, data_len)) != 0)
1.403 djm 3021: fatal_fr(r, "channel %i: append data", c->self);
1.367 djm 3022:
1.339 markus 3023: return 0;
1.1 deraadt 3024: }
1.121 markus 3025:
1.339 markus 3026: int
1.363 markus 3027: channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
1.44 markus 3028: {
1.367 djm 3029: const u_char *data;
3030: size_t data_len;
3031: u_int32_t tcode;
3032: Channel *c = channel_from_packet_id(ssh, __func__, "extended data");
3033: int r;
1.44 markus 3034:
1.363 markus 3035: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3036: return 0;
1.44 markus 3037: if (c->type != SSH_CHANNEL_OPEN) {
1.367 djm 3038: logit("channel %d: ext data for non open", c->self);
1.339 markus 3039: return 0;
1.172 markus 3040: }
3041: if (c->flags & CHAN_EOF_RCVD) {
1.404 djm 3042: if (ssh->compat & SSH_BUG_EXTEOF)
1.367 djm 3043: debug("channel %d: accepting ext data after eof",
3044: c->self);
1.172 markus 3045: else
1.367 djm 3046: ssh_packet_disconnect(ssh, "Received extended_data "
3047: "after EOF on channel %d.", c->self);
3048: }
3049:
3050: if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) {
1.403 djm 3051: error_fr(r, "parse tcode");
1.367 djm 3052: ssh_packet_disconnect(ssh, "Invalid extended_data message");
1.44 markus 3053: }
3054: if (c->efd == -1 ||
3055: c->extended_usage != CHAN_EXTENDED_WRITE ||
3056: tcode != SSH2_EXTENDED_DATA_STDERR) {
1.188 itojun 3057: logit("channel %d: bad ext data", c->self);
1.339 markus 3058: return 0;
1.44 markus 3059: }
1.389 djm 3060: if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
3061: (r = sshpkt_get_end(ssh)) != 0) {
1.403 djm 3062: error_fr(r, "parse data");
1.367 djm 3063: ssh_packet_disconnect(ssh, "Invalid extended_data message");
3064: }
3065:
1.44 markus 3066: if (data_len > c->local_window) {
1.367 djm 3067: logit("channel %d: rcvd too much extended_data %zu, win %u",
1.44 markus 3068: c->self, data_len, c->local_window);
1.339 markus 3069: return 0;
1.44 markus 3070: }
1.367 djm 3071: debug2("channel %d: rcvd ext data %zu", c->self, data_len);
3072: /* XXX sshpkt_getb? */
3073: if ((r = sshbuf_put(c->extended, data, data_len)) != 0)
1.403 djm 3074: error_fr(r, "append");
1.44 markus 3075: c->local_window -= data_len;
1.339 markus 3076: return 0;
1.44 markus 3077: }
3078:
1.339 markus 3079: int
1.363 markus 3080: channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
1.41 markus 3081: {
1.367 djm 3082: Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
1.389 djm 3083: int r;
1.367 djm 3084:
1.389 djm 3085: if ((r = sshpkt_get_end(ssh)) != 0) {
1.403 djm 3086: error_fr(r, "parse data");
1.389 djm 3087: ssh_packet_disconnect(ssh, "Invalid ieof message");
3088: }
1.41 markus 3089:
1.363 markus 3090: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3091: return 0;
1.367 djm 3092: chan_rcvd_ieof(ssh, c);
1.133 markus 3093:
3094: /* XXX force input close */
1.156 markus 3095: if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
1.133 markus 3096: debug("channel %d: FORCE input drain", c->self);
3097: c->istate = CHAN_INPUT_WAIT_DRAIN;
1.367 djm 3098: if (sshbuf_len(c->input) == 0)
3099: chan_ibuf_empty(ssh, c);
1.133 markus 3100: }
1.339 markus 3101: return 0;
1.41 markus 3102: }
1.1 deraadt 3103:
1.339 markus 3104: int
1.363 markus 3105: channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
1.41 markus 3106: {
1.367 djm 3107: Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
1.389 djm 3108: int r;
1.151 markus 3109:
1.363 markus 3110: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3111: return 0;
1.389 djm 3112: if ((r = sshpkt_get_end(ssh)) != 0) {
1.403 djm 3113: error_fr(r, "parse data");
1.389 djm 3114: ssh_packet_disconnect(ssh, "Invalid oclose message");
3115: }
1.367 djm 3116: chan_rcvd_oclose(ssh, c);
1.339 markus 3117: return 0;
1.1 deraadt 3118: }
3119:
1.339 markus 3120: int
1.363 markus 3121: channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
1.1 deraadt 3122: {
1.367 djm 3123: Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation");
3124: u_int32_t remote_window, remote_maxpacket;
3125: int r;
1.25 markus 3126:
1.363 markus 3127: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3128: return 0;
3129: if (c->type != SSH_CHANNEL_OPENING)
1.389 djm 3130: ssh_packet_disconnect(ssh, "Received open confirmation for "
1.367 djm 3131: "non-opening channel %d.", c->self);
3132: /*
3133: * Record the remote channel number and mark that the channel
3134: * is now open.
3135: */
1.368 djm 3136: if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 ||
3137: (r = sshpkt_get_u32(ssh, &remote_window)) != 0 ||
1.389 djm 3138: (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 ||
3139: (r = sshpkt_get_end(ssh)) != 0) {
1.403 djm 3140: error_fr(r, "window/maxpacket");
1.389 djm 3141: ssh_packet_disconnect(ssh, "Invalid open confirmation message");
1.367 djm 3142: }
3143:
1.368 djm 3144: c->have_remote_id = 1;
1.367 djm 3145: c->remote_window = remote_window;
3146: c->remote_maxpacket = remote_maxpacket;
1.41 markus 3147: c->type = SSH_CHANNEL_OPEN;
1.358 djm 3148: if (c->open_confirm) {
1.403 djm 3149: debug2_f("channel %d: callback start", c->self);
1.367 djm 3150: c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
1.403 djm 3151: debug2_f("channel %d: callback done", c->self);
1.44 markus 3152: }
1.358 djm 3153: debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
3154: c->remote_window, c->remote_maxpacket);
1.339 markus 3155: return 0;
1.1 deraadt 3156: }
3157:
1.127 itojun 3158: static char *
1.114 markus 3159: reason2txt(int reason)
3160: {
1.143 deraadt 3161: switch (reason) {
1.114 markus 3162: case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
3163: return "administratively prohibited";
3164: case SSH2_OPEN_CONNECT_FAILED:
3165: return "connect failed";
3166: case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
3167: return "unknown channel type";
3168: case SSH2_OPEN_RESOURCE_SHORTAGE:
3169: return "resource shortage";
3170: }
1.117 stevesk 3171: return "unknown reason";
1.114 markus 3172: }
3173:
1.339 markus 3174: int
1.363 markus 3175: channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
1.1 deraadt 3176: {
1.367 djm 3177: Channel *c = channel_from_packet_id(ssh, __func__, "open failure");
3178: u_int32_t reason;
3179: char *msg = NULL;
3180: int r;
1.25 markus 3181:
1.363 markus 3182: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3183: return 0;
3184: if (c->type != SSH_CHANNEL_OPENING)
1.389 djm 3185: ssh_packet_disconnect(ssh, "Received open failure for "
1.367 djm 3186: "non-opening channel %d.", c->self);
3187: if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
1.403 djm 3188: error_fr(r, "parse reason");
1.389 djm 3189: ssh_packet_disconnect(ssh, "Invalid open failure message");
1.367 djm 3190: }
1.378 djm 3191: /* skip language */
3192: if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
1.389 djm 3193: (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0 ||
3194: (r = sshpkt_get_end(ssh)) != 0) {
1.403 djm 3195: error_fr(r, "parse msg/lang");
1.389 djm 3196: ssh_packet_disconnect(ssh, "Invalid open failure message");
1.358 djm 3197: }
1.367 djm 3198: logit("channel %d: open failed: %s%s%s", c->self,
1.358 djm 3199: reason2txt(reason), msg ? ": ": "", msg ? msg : "");
3200: free(msg);
3201: if (c->open_confirm) {
1.403 djm 3202: debug2_f("channel %d: callback start", c->self);
1.367 djm 3203: c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx);
1.403 djm 3204: debug2_f("channel %d: callback done", c->self);
1.44 markus 3205: }
1.291 djm 3206: /* Schedule the channel for cleanup/deletion. */
1.367 djm 3207: chan_mark_dead(ssh, c);
1.339 markus 3208: return 0;
1.44 markus 3209: }
3210:
1.339 markus 3211: int
1.363 markus 3212: channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
1.121 markus 3213: {
1.367 djm 3214: int id = channel_parse_id(ssh, __func__, "window adjust");
1.121 markus 3215: Channel *c;
1.367 djm 3216: u_int32_t adjust;
3217: u_int new_rwin;
3218: int r;
1.1 deraadt 3219:
1.367 djm 3220: if ((c = channel_lookup(ssh, id)) == NULL) {
1.229 markus 3221: logit("Received window adjust for non-open channel %d.", id);
1.339 markus 3222: return 0;
1.372 markus 3223: }
1.367 djm 3224:
1.363 markus 3225: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3226: return 0;
1.389 djm 3227: if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 ||
3228: (r = sshpkt_get_end(ssh)) != 0) {
1.403 djm 3229: error_fr(r, "parse adjust");
1.389 djm 3230: ssh_packet_disconnect(ssh, "Invalid window adjust message");
1.367 djm 3231: }
3232: debug2("channel %d: rcvd adjust %u", c->self, adjust);
3233: if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
1.346 djm 3234: fatal("channel %d: adjust %u overflows remote window %u",
1.367 djm 3235: c->self, adjust, c->remote_window);
3236: }
3237: c->remote_window = new_rwin;
1.339 markus 3238: return 0;
1.121 markus 3239: }
1.1 deraadt 3240:
1.339 markus 3241: int
1.363 markus 3242: channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
1.275 djm 3243: {
1.367 djm 3244: int id = channel_parse_id(ssh, __func__, "status confirm");
1.275 djm 3245: Channel *c;
3246: struct channel_confirm *cc;
3247:
3248: /* Reset keepalive timeout */
1.389 djm 3249: ssh_packet_set_alive_timeouts(ssh, 0);
1.275 djm 3250:
1.403 djm 3251: debug2_f("type %d id %d", type, id);
1.275 djm 3252:
1.367 djm 3253: if ((c = channel_lookup(ssh, id)) == NULL) {
1.403 djm 3254: logit_f("%d: unknown", id);
1.339 markus 3255: return 0;
1.367 djm 3256: }
1.363 markus 3257: if (channel_proxy_upstream(c, type, seq, ssh))
1.354 markus 3258: return 0;
1.394 dtucker 3259: if (sshpkt_get_end(ssh) != 0)
1.389 djm 3260: ssh_packet_disconnect(ssh, "Invalid status confirm message");
1.275 djm 3261: if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
1.339 markus 3262: return 0;
1.367 djm 3263: cc->cb(ssh, type, c, cc->ctx);
1.275 djm 3264: TAILQ_REMOVE(&c->status_confirms, cc, entry);
1.396 jsg 3265: freezero(cc, sizeof(*cc));
1.339 markus 3266: return 0;
1.275 djm 3267: }
1.121 markus 3268:
3269: /* -- tcp forwarding */
1.135 markus 3270:
3271: void
1.367 djm 3272: channel_set_af(struct ssh *ssh, int af)
1.135 markus 3273: {
1.367 djm 3274: ssh->chanctxt->IPv4or6 = af;
1.135 markus 3275: }
1.121 markus 3276:
1.312 djm 3277:
3278: /*
3279: * Determine whether or not a port forward listens to loopback, the
3280: * specified address or wildcard. On the client, a specified bind
3281: * address will always override gateway_ports. On the server, a
3282: * gateway_ports of 1 (``yes'') will override the client's specification
3283: * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
3284: * will bind to whatever address the client asked for.
3285: *
3286: * Special-case listen_addrs are:
3287: *
3288: * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
3289: * "" (empty string), "*" -> wildcard v4/v6
3290: * "localhost" -> loopback v4/v6
1.334 djm 3291: * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set
1.312 djm 3292: */
3293: static const char *
1.389 djm 3294: channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp,
1.336 millert 3295: int is_client, struct ForwardOptions *fwd_opts)
1.312 djm 3296: {
3297: const char *addr = NULL;
3298: int wildcard = 0;
3299:
3300: if (listen_addr == NULL) {
3301: /* No address specified: default to gateway_ports setting */
1.336 millert 3302: if (fwd_opts->gateway_ports)
1.312 djm 3303: wildcard = 1;
1.336 millert 3304: } else if (fwd_opts->gateway_ports || is_client) {
1.404 djm 3305: if (((ssh->compat & SSH_OLD_FORWARD_ADDR) &&
1.312 djm 3306: strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
3307: *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
1.336 millert 3308: (!is_client && fwd_opts->gateway_ports == 1)) {
1.312 djm 3309: wildcard = 1;
1.326 djm 3310: /*
3311: * Notify client if they requested a specific listen
3312: * address and it was overridden.
3313: */
3314: if (*listen_addr != '\0' &&
3315: strcmp(listen_addr, "0.0.0.0") != 0 &&
3316: strcmp(listen_addr, "*") != 0) {
1.389 djm 3317: ssh_packet_send_debug(ssh,
3318: "Forwarding listen address "
1.326 djm 3319: "\"%s\" overridden by server "
3320: "GatewayPorts", listen_addr);
3321: }
1.334 djm 3322: } else if (strcmp(listen_addr, "localhost") != 0 ||
3323: strcmp(listen_addr, "127.0.0.1") == 0 ||
3324: strcmp(listen_addr, "::1") == 0) {
1.395 djm 3325: /*
3326: * Accept explicit localhost address when
3327: * GatewayPorts=yes. The "localhost" hostname is
3328: * deliberately skipped here so it will listen on all
3329: * available local address families.
3330: */
1.334 djm 3331: addr = listen_addr;
1.326 djm 3332: }
1.334 djm 3333: } else if (strcmp(listen_addr, "127.0.0.1") == 0 ||
3334: strcmp(listen_addr, "::1") == 0) {
3335: /*
3336: * If a specific IPv4/IPv6 localhost address has been
3337: * requested then accept it even if gateway_ports is in
3338: * effect. This allows the client to prefer IPv4 or IPv6.
3339: */
3340: addr = listen_addr;
1.312 djm 3341: }
3342: if (wildcardp != NULL)
3343: *wildcardp = wildcard;
3344: return addr;
3345: }
3346:
1.160 markus 3347: static int
1.367 djm 3348: channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
3349: struct Forward *fwd, int *allocated_listen_port,
3350: struct ForwardOptions *fwd_opts)
1.25 markus 3351: {
1.113 markus 3352: Channel *c;
1.226 djm 3353: int sock, r, success = 0, wildcard = 0, is_client;
1.35 markus 3354: struct addrinfo hints, *ai, *aitop;
1.212 djm 3355: const char *host, *addr;
1.35 markus 3356: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.295 djm 3357: in_port_t *lport_p;
1.25 markus 3358:
1.212 djm 3359: is_client = (type == SSH_CHANNEL_PORT_LISTENER);
1.87 markus 3360:
1.344 millert 3361: if (is_client && fwd->connect_path != NULL) {
3362: host = fwd->connect_path;
3363: } else {
3364: host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
3365: fwd->listen_host : fwd->connect_host;
3366: if (host == NULL) {
3367: error("No forward host name.");
3368: return 0;
3369: }
3370: if (strlen(host) >= NI_MAXHOST) {
3371: error("Forward host name too long.");
3372: return 0;
3373: }
1.87 markus 3374: }
1.25 markus 3375:
1.312 djm 3376: /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
1.389 djm 3377: addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard,
1.336 millert 3378: is_client, fwd_opts);
1.403 djm 3379: debug3_f("type %d wildcard %d addr %s", type, wildcard,
3380: (addr == NULL) ? "NULL" : addr);
1.212 djm 3381:
3382: /*
1.35 markus 3383: * getaddrinfo returns a loopback address if the hostname is
3384: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 3385: */
1.35 markus 3386: memset(&hints, 0, sizeof(hints));
1.367 djm 3387: hints.ai_family = ssh->chanctxt->IPv4or6;
1.212 djm 3388: hints.ai_flags = wildcard ? AI_PASSIVE : 0;
1.35 markus 3389: hints.ai_socktype = SOCK_STREAM;
1.336 millert 3390: snprintf(strport, sizeof strport, "%d", fwd->listen_port);
1.212 djm 3391: if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
3392: if (addr == NULL) {
3393: /* This really shouldn't happen */
1.389 djm 3394: ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s",
1.271 dtucker 3395: ssh_gai_strerror(r));
1.212 djm 3396: } else {
1.403 djm 3397: error_f("getaddrinfo(%.64s): %s", addr,
1.271 dtucker 3398: ssh_gai_strerror(r));
1.212 djm 3399: }
1.218 markus 3400: return 0;
1.212 djm 3401: }
1.295 djm 3402: if (allocated_listen_port != NULL)
3403: *allocated_listen_port = 0;
1.35 markus 3404: for (ai = aitop; ai; ai = ai->ai_next) {
1.295 djm 3405: switch (ai->ai_family) {
3406: case AF_INET:
3407: lport_p = &((struct sockaddr_in *)ai->ai_addr)->
3408: sin_port;
3409: break;
3410: case AF_INET6:
3411: lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
3412: sin6_port;
3413: break;
3414: default:
1.35 markus 3415: continue;
1.295 djm 3416: }
3417: /*
3418: * If allocating a port for -R forwards, then use the
3419: * same port for all address families.
3420: */
1.367 djm 3421: if (type == SSH_CHANNEL_RPORT_LISTENER &&
3422: fwd->listen_port == 0 && allocated_listen_port != NULL &&
3423: *allocated_listen_port > 0)
1.295 djm 3424: *lport_p = htons(*allocated_listen_port);
3425:
1.35 markus 3426: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1.367 djm 3427: strport, sizeof(strport),
3428: NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1.403 djm 3429: error_f("getnameinfo failed");
1.35 markus 3430: continue;
3431: }
3432: /* Create a port to listen for the host. */
1.300 dtucker 3433: sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
1.393 deraadt 3434: if (sock == -1) {
1.35 markus 3435: /* this is no error since kernel may not support ipv6 */
1.377 djm 3436: verbose("socket [%s]:%s: %.100s", ntop, strport,
3437: strerror(errno));
1.35 markus 3438: continue;
3439: }
1.226 djm 3440:
1.376 djm 3441: set_reuseaddr(sock);
1.182 stevesk 3442:
1.295 djm 3443: debug("Local forwarding listening on %s port %s.",
3444: ntop, strport);
1.35 markus 3445:
3446: /* Bind the socket to the address. */
1.393 deraadt 3447: if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1.367 djm 3448: /*
3449: * address can be in if use ipv6 address is
3450: * already bound
3451: */
1.377 djm 3452: verbose("bind [%s]:%s: %.100s",
3453: ntop, strport, strerror(errno));
1.35 markus 3454: close(sock);
3455: continue;
3456: }
3457: /* Start listening for connections on the socket. */
1.393 deraadt 3458: if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
1.377 djm 3459: error("listen [%s]:%s: %.100s", ntop, strport,
3460: strerror(errno));
1.35 markus 3461: close(sock);
3462: continue;
3463: }
1.295 djm 3464:
3465: /*
1.336 millert 3466: * fwd->listen_port == 0 requests a dynamically allocated port -
1.295 djm 3467: * record what we got.
3468: */
1.367 djm 3469: if (type == SSH_CHANNEL_RPORT_LISTENER &&
3470: fwd->listen_port == 0 &&
1.295 djm 3471: allocated_listen_port != NULL &&
3472: *allocated_listen_port == 0) {
1.350 djm 3473: *allocated_listen_port = get_local_port(sock);
1.295 djm 3474: debug("Allocated listen port %d",
3475: *allocated_listen_port);
3476: }
3477:
1.35 markus 3478: /* Allocate a channel number for the socket. */
1.367 djm 3479: c = channel_new(ssh, "port listener", type, sock, sock, -1,
1.51 markus 3480: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.190 markus 3481: 0, "port listener", 1);
1.293 djm 3482: c->path = xstrdup(host);
1.336 millert 3483: c->host_port = fwd->connect_port;
1.312 djm 3484: c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
1.336 millert 3485: if (fwd->listen_port == 0 && allocated_listen_port != NULL &&
1.404 djm 3486: !(ssh->compat & SSH_BUG_DYNAMIC_RPORT))
1.315 markus 3487: c->listening_port = *allocated_listen_port;
3488: else
1.336 millert 3489: c->listening_port = fwd->listen_port;
1.35 markus 3490: success = 1;
3491: }
3492: if (success == 0)
1.403 djm 3493: error_f("cannot listen to port: %d", fwd->listen_port);
1.35 markus 3494: freeaddrinfo(aitop);
1.87 markus 3495: return success;
1.25 markus 3496: }
1.1 deraadt 3497:
1.336 millert 3498: static int
1.367 djm 3499: channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type,
3500: struct Forward *fwd, struct ForwardOptions *fwd_opts)
1.336 millert 3501: {
3502: struct sockaddr_un sunaddr;
3503: const char *path;
3504: Channel *c;
3505: int port, sock;
3506: mode_t omask;
3507:
3508: switch (type) {
3509: case SSH_CHANNEL_UNIX_LISTENER:
3510: if (fwd->connect_path != NULL) {
3511: if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
3512: error("Local connecting path too long: %s",
3513: fwd->connect_path);
3514: return 0;
3515: }
3516: path = fwd->connect_path;
3517: port = PORT_STREAMLOCAL;
3518: } else {
3519: if (fwd->connect_host == NULL) {
3520: error("No forward host name.");
3521: return 0;
3522: }
3523: if (strlen(fwd->connect_host) >= NI_MAXHOST) {
3524: error("Forward host name too long.");
3525: return 0;
3526: }
3527: path = fwd->connect_host;
3528: port = fwd->connect_port;
3529: }
3530: break;
3531: case SSH_CHANNEL_RUNIX_LISTENER:
3532: path = fwd->listen_path;
3533: port = PORT_STREAMLOCAL;
3534: break;
3535: default:
1.403 djm 3536: error_f("unexpected channel type %d", type);
1.336 millert 3537: return 0;
3538: }
3539:
3540: if (fwd->listen_path == NULL) {
3541: error("No forward path name.");
3542: return 0;
3543: }
3544: if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
3545: error("Local listening path too long: %s", fwd->listen_path);
3546: return 0;
3547: }
3548:
1.403 djm 3549: debug3_f("type %d path %s", type, fwd->listen_path);
1.336 millert 3550:
3551: /* Start a Unix domain listener. */
3552: omask = umask(fwd_opts->streamlocal_bind_mask);
3553: sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
3554: fwd_opts->streamlocal_bind_unlink);
3555: umask(omask);
3556: if (sock < 0)
3557: return 0;
3558:
3559: debug("Local forwarding listening on path %s.", fwd->listen_path);
3560:
3561: /* Allocate a channel number for the socket. */
1.367 djm 3562: c = channel_new(ssh, "unix listener", type, sock, sock, -1,
1.336 millert 3563: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3564: 0, "unix listener", 1);
3565: c->path = xstrdup(path);
3566: c->host_port = port;
3567: c->listening_port = PORT_STREAMLOCAL;
3568: c->listening_addr = xstrdup(fwd->listen_path);
3569: return 1;
3570: }
3571:
3572: static int
1.367 djm 3573: channel_cancel_rport_listener_tcpip(struct ssh *ssh,
3574: const char *host, u_short port)
1.202 djm 3575: {
1.209 avsm 3576: u_int i;
3577: int found = 0;
1.202 djm 3578:
1.367 djm 3579: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3580: Channel *c = ssh->chanctxt->channels[i];
1.312 djm 3581: if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
3582: continue;
3583: if (strcmp(c->path, host) == 0 && c->listening_port == port) {
1.403 djm 3584: debug2_f("close channel %d", i);
1.367 djm 3585: channel_free(ssh, c);
1.312 djm 3586: found = 1;
3587: }
3588: }
3589:
1.367 djm 3590: return found;
1.312 djm 3591: }
3592:
1.336 millert 3593: static int
1.367 djm 3594: channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path)
1.336 millert 3595: {
3596: u_int i;
3597: int found = 0;
3598:
1.367 djm 3599: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3600: Channel *c = ssh->chanctxt->channels[i];
1.336 millert 3601: if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER)
3602: continue;
3603: if (c->path == NULL)
3604: continue;
3605: if (strcmp(c->path, path) == 0) {
1.403 djm 3606: debug2_f("close channel %d", i);
1.367 djm 3607: channel_free(ssh, c);
1.336 millert 3608: found = 1;
3609: }
3610: }
3611:
1.367 djm 3612: return found;
1.336 millert 3613: }
3614:
1.312 djm 3615: int
1.367 djm 3616: channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd)
1.336 millert 3617: {
1.367 djm 3618: if (fwd->listen_path != NULL) {
3619: return channel_cancel_rport_listener_streamlocal(ssh,
3620: fwd->listen_path);
3621: } else {
3622: return channel_cancel_rport_listener_tcpip(ssh,
3623: fwd->listen_host, fwd->listen_port);
3624: }
1.336 millert 3625: }
3626:
3627: static int
1.367 djm 3628: channel_cancel_lport_listener_tcpip(struct ssh *ssh,
3629: const char *lhost, u_short lport, int cport,
3630: struct ForwardOptions *fwd_opts)
1.312 djm 3631: {
3632: u_int i;
3633: int found = 0;
1.389 djm 3634: const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL, 1, fwd_opts);
1.202 djm 3635:
1.367 djm 3636: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3637: Channel *c = ssh->chanctxt->channels[i];
1.312 djm 3638: if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
3639: continue;
1.313 markus 3640: if (c->listening_port != lport)
1.312 djm 3641: continue;
1.313 markus 3642: if (cport == CHANNEL_CANCEL_PORT_STATIC) {
3643: /* skip dynamic forwardings */
3644: if (c->host_port == 0)
3645: continue;
3646: } else {
3647: if (c->host_port != cport)
3648: continue;
3649: }
1.312 djm 3650: if ((c->listening_addr == NULL && addr != NULL) ||
3651: (c->listening_addr != NULL && addr == NULL))
3652: continue;
3653: if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
1.403 djm 3654: debug2_f("close channel %d", i);
1.367 djm 3655: channel_free(ssh, c);
1.202 djm 3656: found = 1;
3657: }
3658: }
3659:
1.367 djm 3660: return found;
1.202 djm 3661: }
3662:
1.336 millert 3663: static int
1.367 djm 3664: channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path)
1.336 millert 3665: {
3666: u_int i;
3667: int found = 0;
3668:
3669: if (path == NULL) {
1.403 djm 3670: error_f("no path specified.");
1.336 millert 3671: return 0;
3672: }
3673:
1.367 djm 3674: for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3675: Channel *c = ssh->chanctxt->channels[i];
1.336 millert 3676: if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER)
3677: continue;
3678: if (c->listening_addr == NULL)
3679: continue;
3680: if (strcmp(c->listening_addr, path) == 0) {
1.403 djm 3681: debug2_f("close channel %d", i);
1.367 djm 3682: channel_free(ssh, c);
1.336 millert 3683: found = 1;
3684: }
3685: }
3686:
1.367 djm 3687: return found;
1.336 millert 3688: }
3689:
3690: int
1.367 djm 3691: channel_cancel_lport_listener(struct ssh *ssh,
3692: struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts)
1.336 millert 3693: {
1.367 djm 3694: if (fwd->listen_path != NULL) {
3695: return channel_cancel_lport_listener_streamlocal(ssh,
3696: fwd->listen_path);
3697: } else {
3698: return channel_cancel_lport_listener_tcpip(ssh,
3699: fwd->listen_host, fwd->listen_port, cport, fwd_opts);
3700: }
1.336 millert 3701: }
3702:
1.362 markus 3703: /* protocol local port fwd, used by ssh */
1.160 markus 3704: int
1.367 djm 3705: channel_setup_local_fwd_listener(struct ssh *ssh,
3706: struct Forward *fwd, struct ForwardOptions *fwd_opts)
1.160 markus 3707: {
1.336 millert 3708: if (fwd->listen_path != NULL) {
1.367 djm 3709: return channel_setup_fwd_listener_streamlocal(ssh,
1.336 millert 3710: SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts);
3711: } else {
1.367 djm 3712: return channel_setup_fwd_listener_tcpip(ssh,
3713: SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts);
1.336 millert 3714: }
1.160 markus 3715: }
3716:
1.381 djm 3717: /* Matches a remote forwarding permission against a requested forwarding */
3718: static int
3719: remote_open_match(struct permission *allowed_open, struct Forward *fwd)
3720: {
3721: int ret;
3722: char *lhost;
3723:
3724: /* XXX add ACLs for streamlocal */
3725: if (fwd->listen_path != NULL)
3726: return 1;
3727:
3728: if (fwd->listen_host == NULL || allowed_open->listen_host == NULL)
3729: return 0;
3730:
3731: if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT &&
3732: allowed_open->listen_port != fwd->listen_port)
3733: return 0;
3734:
3735: /* Match hostnames case-insensitively */
3736: lhost = xstrdup(fwd->listen_host);
3737: lowercase(lhost);
3738: ret = match_pattern(lhost, allowed_open->listen_host);
3739: free(lhost);
3740:
3741: return ret;
3742: }
3743:
3744: /* Checks whether a requested remote forwarding is permitted */
3745: static int
3746: check_rfwd_permission(struct ssh *ssh, struct Forward *fwd)
3747: {
3748: struct ssh_channels *sc = ssh->chanctxt;
3749: struct permission_set *pset = &sc->remote_perms;
3750: u_int i, permit, permit_adm = 1;
3751: struct permission *perm;
3752:
3753: /* XXX apply GatewayPorts override before checking? */
3754:
3755: permit = pset->all_permitted;
3756: if (!permit) {
3757: for (i = 0; i < pset->num_permitted_user; i++) {
3758: perm = &pset->permitted_user[i];
3759: if (remote_open_match(perm, fwd)) {
3760: permit = 1;
3761: break;
3762: }
3763: }
3764: }
3765:
3766: if (pset->num_permitted_admin > 0) {
3767: permit_adm = 0;
3768: for (i = 0; i < pset->num_permitted_admin; i++) {
3769: perm = &pset->permitted_admin[i];
3770: if (remote_open_match(perm, fwd)) {
3771: permit_adm = 1;
3772: break;
3773: }
3774: }
3775: }
3776:
3777: return permit && permit_adm;
3778: }
3779:
1.160 markus 3780: /* protocol v2 remote port fwd, used by sshd */
3781: int
1.367 djm 3782: channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
1.336 millert 3783: int *allocated_listen_port, struct ForwardOptions *fwd_opts)
1.160 markus 3784: {
1.381 djm 3785: if (!check_rfwd_permission(ssh, fwd)) {
1.389 djm 3786: ssh_packet_send_debug(ssh, "port forwarding refused");
1.391 florian 3787: if (fwd->listen_path != NULL)
3788: /* XXX always allowed, see remote_open_match() */
3789: logit("Received request from %.100s port %d to "
3790: "remote forward to path \"%.100s\", "
3791: "but the request was denied.",
3792: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
3793: fwd->listen_path);
3794: else if(fwd->listen_host != NULL)
3795: logit("Received request from %.100s port %d to "
3796: "remote forward to host %.100s port %d, "
3797: "but the request was denied.",
3798: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
3799: fwd->listen_host, fwd->listen_port );
3800: else
3801: logit("Received request from %.100s port %d to remote "
3802: "forward, but the request was denied.",
3803: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
1.381 djm 3804: return 0;
3805: }
1.336 millert 3806: if (fwd->listen_path != NULL) {
1.367 djm 3807: return channel_setup_fwd_listener_streamlocal(ssh,
1.336 millert 3808: SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);
3809: } else {
1.367 djm 3810: return channel_setup_fwd_listener_tcpip(ssh,
1.336 millert 3811: SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,
3812: fwd_opts);
3813: }
1.160 markus 3814: }
3815:
1.27 markus 3816: /*
1.312 djm 3817: * Translate the requested rfwd listen host to something usable for
3818: * this server.
3819: */
3820: static const char *
3821: channel_rfwd_bind_host(const char *listen_host)
3822: {
3823: if (listen_host == NULL) {
1.378 djm 3824: return "localhost";
1.312 djm 3825: } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
1.378 djm 3826: return "";
1.312 djm 3827: } else
3828: return listen_host;
3829: }
3830:
3831: /*
1.27 markus 3832: * Initiate forwarding of connections to port "port" on remote host through
3833: * the secure channel to host:port from local side.
1.315 markus 3834: * Returns handle (index) for updating the dynamic listen port with
1.381 djm 3835: * channel_update_permission().
1.27 markus 3836: */
1.253 markus 3837: int
1.367 djm 3838: channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
1.25 markus 3839: {
1.367 djm 3840: int r, success = 0, idx = -1;
3841: char *host_to_connect, *listen_host, *listen_path;
3842: int port_to_connect, listen_port;
1.73 markus 3843:
1.25 markus 3844: /* Send the forward request to the remote side. */
1.358 djm 3845: if (fwd->listen_path != NULL) {
1.367 djm 3846: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3847: (r = sshpkt_put_cstring(ssh,
3848: "streamlocal-forward@openssh.com")) != 0 ||
3849: (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3850: (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 ||
3851: (r = sshpkt_send(ssh)) != 0 ||
3852: (r = ssh_packet_write_wait(ssh)) != 0)
1.403 djm 3853: fatal_fr(r, "request streamlocal");
1.336 millert 3854: } else {
1.367 djm 3855: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3856: (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 ||
3857: (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3858: (r = sshpkt_put_cstring(ssh,
3859: channel_rfwd_bind_host(fwd->listen_host))) != 0 ||
3860: (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 ||
3861: (r = sshpkt_send(ssh)) != 0 ||
3862: (r = ssh_packet_write_wait(ssh)) != 0)
1.403 djm 3863: fatal_fr(r, "request tcpip-forward");
1.73 markus 3864: }
1.358 djm 3865: /* Assume that server accepts the request */
3866: success = 1;
1.73 markus 3867: if (success) {
1.305 djm 3868: /* Record that connection to this host/port is permitted. */
1.367 djm 3869: host_to_connect = listen_host = listen_path = NULL;
3870: port_to_connect = listen_port = 0;
1.336 millert 3871: if (fwd->connect_path != NULL) {
1.367 djm 3872: host_to_connect = xstrdup(fwd->connect_path);
3873: port_to_connect = PORT_STREAMLOCAL;
1.336 millert 3874: } else {
1.367 djm 3875: host_to_connect = xstrdup(fwd->connect_host);
3876: port_to_connect = fwd->connect_port;
1.336 millert 3877: }
3878: if (fwd->listen_path != NULL) {
1.367 djm 3879: listen_path = xstrdup(fwd->listen_path);
3880: listen_port = PORT_STREAMLOCAL;
1.336 millert 3881: } else {
1.367 djm 3882: if (fwd->listen_host != NULL)
3883: listen_host = xstrdup(fwd->listen_host);
3884: listen_port = fwd->listen_port;
3885: }
1.381 djm 3886: idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL,
1.367 djm 3887: host_to_connect, port_to_connect,
3888: listen_host, listen_path, listen_port, NULL);
1.44 markus 3889: }
1.367 djm 3890: return idx;
1.1 deraadt 3891: }
3892:
1.333 markus 3893: static int
1.381 djm 3894: open_match(struct permission *allowed_open, const char *requestedhost,
1.336 millert 3895: int requestedport)
1.333 markus 3896: {
3897: if (allowed_open->host_to_connect == NULL)
3898: return 0;
3899: if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
3900: allowed_open->port_to_connect != requestedport)
3901: return 0;
1.351 dtucker 3902: if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
3903: strcmp(allowed_open->host_to_connect, requestedhost) != 0)
1.333 markus 3904: return 0;
3905: return 1;
3906: }
3907:
3908: /*
1.336 millert 3909: * Note that in the listen host/port case
1.333 markus 3910: * we don't support FWD_PERMIT_ANY_PORT and
3911: * need to translate between the configured-host (listen_host)
3912: * and what we've sent to the remote server (channel_rfwd_bind_host)
3913: */
3914: static int
1.381 djm 3915: open_listen_match_tcpip(struct permission *allowed_open,
1.336 millert 3916: const char *requestedhost, u_short requestedport, int translate)
1.333 markus 3917: {
3918: const char *allowed_host;
3919:
3920: if (allowed_open->host_to_connect == NULL)
3921: return 0;
3922: if (allowed_open->listen_port != requestedport)
3923: return 0;
1.335 djm 3924: if (!translate && allowed_open->listen_host == NULL &&
3925: requestedhost == NULL)
3926: return 1;
1.333 markus 3927: allowed_host = translate ?
3928: channel_rfwd_bind_host(allowed_open->listen_host) :
3929: allowed_open->listen_host;
1.382 djm 3930: if (allowed_host == NULL || requestedhost == NULL ||
1.333 markus 3931: strcmp(allowed_host, requestedhost) != 0)
3932: return 0;
3933: return 1;
3934: }
3935:
1.336 millert 3936: static int
1.381 djm 3937: open_listen_match_streamlocal(struct permission *allowed_open,
1.336 millert 3938: const char *requestedpath)
3939: {
3940: if (allowed_open->host_to_connect == NULL)
3941: return 0;
3942: if (allowed_open->listen_port != PORT_STREAMLOCAL)
3943: return 0;
3944: if (allowed_open->listen_path == NULL ||
3945: strcmp(allowed_open->listen_path, requestedpath) != 0)
3946: return 0;
3947: return 1;
3948: }
3949:
1.27 markus 3950: /*
1.208 deraadt 3951: * Request cancellation of remote forwarding of connection host:port from
1.202 djm 3952: * local side.
3953: */
1.336 millert 3954: static int
1.367 djm 3955: channel_request_rforward_cancel_tcpip(struct ssh *ssh,
3956: const char *host, u_short port)
1.202 djm 3957: {
1.367 djm 3958: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 3959: struct permission_set *pset = &sc->local_perms;
1.367 djm 3960: int r;
3961: u_int i;
1.397 markus 3962: struct permission *perm = NULL;
1.202 djm 3963:
1.381 djm 3964: for (i = 0; i < pset->num_permitted_user; i++) {
3965: perm = &pset->permitted_user[i];
3966: if (open_listen_match_tcpip(perm, host, port, 0))
1.202 djm 3967: break;
1.381 djm 3968: perm = NULL;
1.202 djm 3969: }
1.381 djm 3970: if (perm == NULL) {
1.403 djm 3971: debug_f("requested forward not found");
1.312 djm 3972: return -1;
1.202 djm 3973: }
1.367 djm 3974: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3975: (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 ||
3976: (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
3977: (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 ||
3978: (r = sshpkt_put_u32(ssh, port)) != 0 ||
3979: (r = sshpkt_send(ssh)) != 0)
1.403 djm 3980: fatal_fr(r, "send cancel");
1.367 djm 3981:
1.381 djm 3982: fwd_perm_clear(perm); /* unregister */
1.336 millert 3983:
3984: return 0;
3985: }
3986:
3987: /*
3988: * Request cancellation of remote forwarding of Unix domain socket
3989: * path from local side.
3990: */
3991: static int
1.367 djm 3992: channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path)
1.336 millert 3993: {
1.367 djm 3994: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 3995: struct permission_set *pset = &sc->local_perms;
1.367 djm 3996: int r;
3997: u_int i;
1.397 markus 3998: struct permission *perm = NULL;
1.336 millert 3999:
1.381 djm 4000: for (i = 0; i < pset->num_permitted_user; i++) {
4001: perm = &pset->permitted_user[i];
4002: if (open_listen_match_streamlocal(perm, path))
1.336 millert 4003: break;
1.381 djm 4004: perm = NULL;
1.336 millert 4005: }
1.381 djm 4006: if (perm == NULL) {
1.403 djm 4007: debug_f("requested forward not found");
1.336 millert 4008: return -1;
4009: }
1.367 djm 4010: if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4011: (r = sshpkt_put_cstring(ssh,
4012: "cancel-streamlocal-forward@openssh.com")) != 0 ||
4013: (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
4014: (r = sshpkt_put_cstring(ssh, path)) != 0 ||
4015: (r = sshpkt_send(ssh)) != 0)
1.403 djm 4016: fatal_fr(r, "send cancel");
1.367 djm 4017:
1.381 djm 4018: fwd_perm_clear(perm); /* unregister */
1.312 djm 4019:
4020: return 0;
1.202 djm 4021: }
4022:
4023: /*
1.336 millert 4024: * Request cancellation of remote forwarding of a connection from local side.
4025: */
4026: int
1.367 djm 4027: channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd)
1.336 millert 4028: {
4029: if (fwd->listen_path != NULL) {
1.367 djm 4030: return channel_request_rforward_cancel_streamlocal(ssh,
4031: fwd->listen_path);
1.336 millert 4032: } else {
1.367 djm 4033: return channel_request_rforward_cancel_tcpip(ssh,
4034: fwd->listen_host,
4035: fwd->listen_port ? fwd->listen_port : fwd->allocated_port);
1.336 millert 4036: }
1.1 deraadt 4037: }
4038:
1.99 markus 4039: /*
1.381 djm 4040: * Permits opening to any host/port if permitted_user[] is empty. This is
1.99 markus 4041: * usually called by the server, because the user could connect to any port
4042: * anyway, and the server has no way to know but to trust the client anyway.
4043: */
4044: void
1.381 djm 4045: channel_permit_all(struct ssh *ssh, int where)
4046: {
4047: struct permission_set *pset = permission_set_get(ssh, where);
4048:
4049: if (pset->num_permitted_user == 0)
4050: pset->all_permitted = 1;
4051: }
4052:
4053: /*
4054: * Permit the specified host/port for forwarding.
4055: */
4056: void
4057: channel_add_permission(struct ssh *ssh, int who, int where,
4058: char *host, int port)
4059: {
4060: int local = where == FORWARD_LOCAL;
4061: struct permission_set *pset = permission_set_get(ssh, where);
4062:
4063: debug("allow %s forwarding to host %s port %d",
4064: fwd_ident(who, where), host, port);
4065: /*
4066: * Remote forwards set listen_host/port, local forwards set
4067: * host/port_to_connect.
4068: */
4069: permission_set_add(ssh, who, where,
4070: local ? host : 0, local ? port : 0,
4071: local ? NULL : host, NULL, local ? 0 : port, NULL);
4072: pset->all_permitted = 0;
4073: }
4074:
4075: /*
4076: * Administratively disable forwarding.
4077: */
4078: void
4079: channel_disable_admin(struct ssh *ssh, int where)
1.99 markus 4080: {
1.381 djm 4081: channel_clear_permission(ssh, FORWARD_ADM, where);
4082: permission_set_add(ssh, FORWARD_ADM, where,
4083: NULL, 0, NULL, NULL, 0, NULL);
1.99 markus 4084: }
4085:
1.381 djm 4086: /*
4087: * Clear a list of permitted opens.
4088: */
1.101 markus 4089: void
1.381 djm 4090: channel_clear_permission(struct ssh *ssh, int who, int where)
1.99 markus 4091: {
1.381 djm 4092: struct permission **permp;
4093: u_int *npermp;
1.367 djm 4094:
1.381 djm 4095: permission_set_get_array(ssh, who, where, &permp, &npermp);
4096: *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp));
4097: *npermp = 0;
1.315 markus 4098: }
4099:
4100: /*
4101: * Update the listen port for a dynamic remote forward, after
4102: * the actual 'newport' has been allocated. If 'newport' < 0 is
4103: * passed then they entry will be invalidated.
4104: */
4105: void
1.381 djm 4106: channel_update_permission(struct ssh *ssh, int idx, int newport)
1.315 markus 4107: {
1.381 djm 4108: struct permission_set *pset = &ssh->chanctxt->local_perms;
1.367 djm 4109:
1.381 djm 4110: if (idx < 0 || (u_int)idx >= pset->num_permitted_user) {
1.403 djm 4111: debug_f("index out of range: %d num_permitted_user %d",
4112: idx, pset->num_permitted_user);
1.315 markus 4113: return;
4114: }
4115: debug("%s allowed port %d for forwarding to host %s port %d",
4116: newport > 0 ? "Updating" : "Removing",
4117: newport,
1.381 djm 4118: pset->permitted_user[idx].host_to_connect,
4119: pset->permitted_user[idx].port_to_connect);
1.367 djm 4120: if (newport <= 0)
1.381 djm 4121: fwd_perm_clear(&pset->permitted_user[idx]);
1.367 djm 4122: else {
1.381 djm 4123: pset->permitted_user[idx].listen_port =
1.404 djm 4124: (ssh->compat & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
1.315 markus 4125: }
1.99 markus 4126: }
4127:
1.314 dtucker 4128: /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
4129: int
4130: permitopen_port(const char *p)
4131: {
4132: int port;
4133:
4134: if (strcmp(p, "*") == 0)
4135: return FWD_PERMIT_ANY_PORT;
4136: if ((port = a2port(p)) > 0)
4137: return port;
4138: return -1;
4139: }
4140:
1.276 djm 4141: /* Try to start non-blocking connect to next host in cctx list */
1.127 itojun 4142: static int
1.276 djm 4143: connect_next(struct channel_connect *cctx)
1.41 markus 4144: {
1.276 djm 4145: int sock, saved_errno;
1.336 millert 4146: struct sockaddr_un *sunaddr;
1.367 djm 4147: char ntop[NI_MAXHOST];
4148: char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))];
1.41 markus 4149:
1.276 djm 4150: for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
1.336 millert 4151: switch (cctx->ai->ai_family) {
4152: case AF_UNIX:
4153: /* unix:pathname instead of host:port */
4154: sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
4155: strlcpy(ntop, "unix", sizeof(ntop));
4156: strlcpy(strport, sunaddr->sun_path, sizeof(strport));
4157: break;
4158: case AF_INET:
4159: case AF_INET6:
4160: if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
4161: ntop, sizeof(ntop), strport, sizeof(strport),
4162: NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
4163: error("connect_next: getnameinfo failed");
4164: continue;
4165: }
4166: break;
4167: default:
1.41 markus 4168: continue;
4169: }
1.300 dtucker 4170: if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
4171: cctx->ai->ai_protocol)) == -1) {
1.276 djm 4172: if (cctx->ai->ai_next == NULL)
1.186 djm 4173: error("socket: %.100s", strerror(errno));
4174: else
4175: verbose("socket: %.100s", strerror(errno));
1.41 markus 4176: continue;
4177: }
1.205 djm 4178: if (set_nonblock(sock) == -1)
1.403 djm 4179: fatal_f("set_nonblock(%d)", sock);
1.276 djm 4180: if (connect(sock, cctx->ai->ai_addr,
4181: cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
4182: debug("connect_next: host %.100s ([%.100s]:%s): "
4183: "%.100s", cctx->host, ntop, strport,
1.41 markus 4184: strerror(errno));
1.276 djm 4185: saved_errno = errno;
1.41 markus 4186: close(sock);
1.276 djm 4187: errno = saved_errno;
1.89 stevesk 4188: continue; /* fail -- try next */
1.41 markus 4189: }
1.336 millert 4190: if (cctx->ai->ai_family != AF_UNIX)
4191: set_nodelay(sock);
1.276 djm 4192: debug("connect_next: host %.100s ([%.100s]:%s) "
4193: "in progress, fd=%d", cctx->host, ntop, strport, sock);
4194: cctx->ai = cctx->ai->ai_next;
4195: return sock;
4196: }
4197: return -1;
4198: }
1.41 markus 4199:
1.276 djm 4200: static void
4201: channel_connect_ctx_free(struct channel_connect *cctx)
4202: {
1.321 djm 4203: free(cctx->host);
1.336 millert 4204: if (cctx->aitop) {
4205: if (cctx->aitop->ai_family == AF_UNIX)
4206: free(cctx->aitop);
4207: else
4208: freeaddrinfo(cctx->aitop);
4209: }
1.329 tedu 4210: memset(cctx, 0, sizeof(*cctx));
1.276 djm 4211: }
4212:
1.357 dtucker 4213: /*
1.372 markus 4214: * Return connecting socket to remote host:port or local socket path,
1.357 dtucker 4215: * passing back the failure reason if appropriate.
4216: */
1.372 markus 4217: static int
4218: connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
4219: char *ctype, char *rname, struct channel_connect *cctx,
4220: int *reason, const char **errmsg)
1.276 djm 4221: {
4222: struct addrinfo hints;
4223: int gaierr;
4224: int sock = -1;
4225: char strport[NI_MAXSERV];
1.336 millert 4226:
4227: if (port == PORT_STREAMLOCAL) {
4228: struct sockaddr_un *sunaddr;
4229: struct addrinfo *ai;
4230:
4231: if (strlen(name) > sizeof(sunaddr->sun_path)) {
4232: error("%.100s: %.100s", name, strerror(ENAMETOOLONG));
1.372 markus 4233: return -1;
1.336 millert 4234: }
4235:
4236: /*
4237: * Fake up a struct addrinfo for AF_UNIX connections.
4238: * channel_connect_ctx_free() must check ai_family
4239: * and use free() not freeaddirinfo() for AF_UNIX.
4240: */
4241: ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr));
4242: memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr));
4243: ai->ai_addr = (struct sockaddr *)(ai + 1);
4244: ai->ai_addrlen = sizeof(*sunaddr);
4245: ai->ai_family = AF_UNIX;
1.372 markus 4246: ai->ai_socktype = socktype;
1.336 millert 4247: ai->ai_protocol = PF_UNSPEC;
4248: sunaddr = (struct sockaddr_un *)ai->ai_addr;
4249: sunaddr->sun_family = AF_UNIX;
4250: strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
1.372 markus 4251: cctx->aitop = ai;
1.336 millert 4252: } else {
4253: memset(&hints, 0, sizeof(hints));
1.367 djm 4254: hints.ai_family = ssh->chanctxt->IPv4or6;
1.372 markus 4255: hints.ai_socktype = socktype;
1.336 millert 4256: snprintf(strport, sizeof strport, "%d", port);
1.372 markus 4257: if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop))
1.357 dtucker 4258: != 0) {
4259: if (errmsg != NULL)
4260: *errmsg = ssh_gai_strerror(gaierr);
4261: if (reason != NULL)
4262: *reason = SSH2_OPEN_CONNECT_FAILED;
1.336 millert 4263: error("connect_to %.100s: unknown host (%s)", name,
4264: ssh_gai_strerror(gaierr));
1.372 markus 4265: return -1;
1.336 millert 4266: }
1.41 markus 4267: }
1.276 djm 4268:
1.372 markus 4269: cctx->host = xstrdup(name);
4270: cctx->port = port;
4271: cctx->ai = cctx->aitop;
1.276 djm 4272:
1.372 markus 4273: if ((sock = connect_next(cctx)) == -1) {
1.276 djm 4274: error("connect to %.100s port %d failed: %s",
1.336 millert 4275: name, port, strerror(errno));
1.372 markus 4276: return -1;
4277: }
4278:
4279: return sock;
4280: }
4281:
4282: /* Return CONNECTING channel to remote host:port or local socket path */
4283: static Channel *
4284: connect_to(struct ssh *ssh, const char *host, int port,
4285: char *ctype, char *rname)
4286: {
4287: struct channel_connect cctx;
4288: Channel *c;
4289: int sock;
4290:
4291: memset(&cctx, 0, sizeof(cctx));
4292: sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4293: &cctx, NULL, NULL);
4294: if (sock == -1) {
1.276 djm 4295: channel_connect_ctx_free(&cctx);
4296: return NULL;
1.41 markus 4297: }
1.367 djm 4298: c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
1.276 djm 4299: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
1.372 markus 4300: c->host_port = port;
4301: c->path = xstrdup(host);
1.276 djm 4302: c->connect_ctx = cctx;
1.372 markus 4303:
1.276 djm 4304: return c;
1.41 markus 4305: }
1.99 markus 4306:
1.354 markus 4307: /*
4308: * returns either the newly connected channel or the downstream channel
4309: * that needs to deal with this connection.
4310: */
1.276 djm 4311: Channel *
1.367 djm 4312: channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host,
1.333 markus 4313: u_short listen_port, char *ctype, char *rname)
1.73 markus 4314: {
1.367 djm 4315: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4316: struct permission_set *pset = &sc->local_perms;
1.367 djm 4317: u_int i;
1.381 djm 4318: struct permission *perm;
1.99 markus 4319:
1.381 djm 4320: for (i = 0; i < pset->num_permitted_user; i++) {
4321: perm = &pset->permitted_user[i];
4322: if (open_listen_match_tcpip(perm,
4323: listen_host, listen_port, 1)) {
4324: if (perm->downstream)
4325: return perm->downstream;
4326: if (perm->port_to_connect == 0)
1.372 markus 4327: return rdynamic_connect_prepare(ssh,
4328: ctype, rname);
1.367 djm 4329: return connect_to(ssh,
1.381 djm 4330: perm->host_to_connect, perm->port_to_connect,
1.367 djm 4331: ctype, rname);
1.276 djm 4332: }
4333: }
1.74 markus 4334: error("WARNING: Server requests forwarding for unknown listen_port %d",
4335: listen_port);
1.276 djm 4336: return NULL;
1.73 markus 4337: }
4338:
1.336 millert 4339: Channel *
1.367 djm 4340: channel_connect_by_listen_path(struct ssh *ssh, const char *path,
4341: char *ctype, char *rname)
1.336 millert 4342: {
1.367 djm 4343: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4344: struct permission_set *pset = &sc->local_perms;
1.367 djm 4345: u_int i;
1.381 djm 4346: struct permission *perm;
1.336 millert 4347:
1.381 djm 4348: for (i = 0; i < pset->num_permitted_user; i++) {
4349: perm = &pset->permitted_user[i];
4350: if (open_listen_match_streamlocal(perm, path)) {
1.367 djm 4351: return connect_to(ssh,
1.381 djm 4352: perm->host_to_connect, perm->port_to_connect,
1.367 djm 4353: ctype, rname);
1.336 millert 4354: }
4355: }
4356: error("WARNING: Server requests forwarding for unknown path %.100s",
4357: path);
4358: return NULL;
4359: }
4360:
1.99 markus 4361: /* Check if connecting to that port is permitted and connect. */
1.276 djm 4362: Channel *
1.367 djm 4363: channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
4364: char *ctype, char *rname, int *reason, const char **errmsg)
1.99 markus 4365: {
1.367 djm 4366: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4367: struct permission_set *pset = &sc->local_perms;
1.372 markus 4368: struct channel_connect cctx;
4369: Channel *c;
1.367 djm 4370: u_int i, permit, permit_adm = 1;
1.372 markus 4371: int sock;
1.381 djm 4372: struct permission *perm;
1.99 markus 4373:
1.381 djm 4374: permit = pset->all_permitted;
1.99 markus 4375: if (!permit) {
1.381 djm 4376: for (i = 0; i < pset->num_permitted_user; i++) {
4377: perm = &pset->permitted_user[i];
4378: if (open_match(perm, host, port)) {
1.99 markus 4379: permit = 1;
1.333 markus 4380: break;
4381: }
1.367 djm 4382: }
1.257 dtucker 4383: }
1.99 markus 4384:
1.381 djm 4385: if (pset->num_permitted_admin > 0) {
1.257 dtucker 4386: permit_adm = 0;
1.381 djm 4387: for (i = 0; i < pset->num_permitted_admin; i++) {
4388: perm = &pset->permitted_admin[i];
4389: if (open_match(perm, host, port)) {
1.257 dtucker 4390: permit_adm = 1;
1.333 markus 4391: break;
4392: }
1.367 djm 4393: }
1.99 markus 4394: }
1.257 dtucker 4395:
4396: if (!permit || !permit_adm) {
1.391 florian 4397: logit("Received request from %.100s port %d to connect to "
4398: "host %.100s port %d, but the request was denied.",
4399: ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port);
1.357 dtucker 4400: if (reason != NULL)
4401: *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
1.276 djm 4402: return NULL;
1.99 markus 4403: }
1.372 markus 4404:
4405: memset(&cctx, 0, sizeof(cctx));
4406: sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4407: &cctx, reason, errmsg);
4408: if (sock == -1) {
4409: channel_connect_ctx_free(&cctx);
4410: return NULL;
4411: }
4412:
4413: c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4414: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4415: c->host_port = port;
4416: c->path = xstrdup(host);
4417: c->connect_ctx = cctx;
4418:
4419: return c;
1.336 millert 4420: }
4421:
4422: /* Check if connecting to that path is permitted and connect. */
4423: Channel *
1.367 djm 4424: channel_connect_to_path(struct ssh *ssh, const char *path,
4425: char *ctype, char *rname)
1.336 millert 4426: {
1.367 djm 4427: struct ssh_channels *sc = ssh->chanctxt;
1.381 djm 4428: struct permission_set *pset = &sc->local_perms;
1.367 djm 4429: u_int i, permit, permit_adm = 1;
1.381 djm 4430: struct permission *perm;
1.336 millert 4431:
1.381 djm 4432: permit = pset->all_permitted;
1.336 millert 4433: if (!permit) {
1.381 djm 4434: for (i = 0; i < pset->num_permitted_user; i++) {
4435: perm = &pset->permitted_user[i];
4436: if (open_match(perm, path, PORT_STREAMLOCAL)) {
1.336 millert 4437: permit = 1;
4438: break;
4439: }
1.367 djm 4440: }
1.336 millert 4441: }
4442:
1.381 djm 4443: if (pset->num_permitted_admin > 0) {
1.336 millert 4444: permit_adm = 0;
1.381 djm 4445: for (i = 0; i < pset->num_permitted_admin; i++) {
4446: perm = &pset->permitted_admin[i];
4447: if (open_match(perm, path, PORT_STREAMLOCAL)) {
1.336 millert 4448: permit_adm = 1;
4449: break;
4450: }
1.367 djm 4451: }
1.336 millert 4452: }
4453:
4454: if (!permit || !permit_adm) {
4455: logit("Received request to connect to path %.100s, "
4456: "but the request was denied.", path);
4457: return NULL;
4458: }
1.367 djm 4459: return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname);
1.204 djm 4460: }
4461:
4462: void
1.367 djm 4463: channel_send_window_changes(struct ssh *ssh)
1.204 djm 4464: {
1.367 djm 4465: struct ssh_channels *sc = ssh->chanctxt;
4466: struct winsize ws;
4467: int r;
1.209 avsm 4468: u_int i;
1.204 djm 4469:
1.367 djm 4470: for (i = 0; i < sc->channels_alloc; i++) {
4471: if (sc->channels[i] == NULL || !sc->channels[i]->client_tty ||
4472: sc->channels[i]->type != SSH_CHANNEL_OPEN)
1.204 djm 4473: continue;
1.393 deraadt 4474: if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) == -1)
1.204 djm 4475: continue;
1.367 djm 4476: channel_request_start(ssh, i, "window-change", 0);
4477: if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 ||
4478: (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
4479: (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
4480: (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 ||
4481: (r = sshpkt_send(ssh)) != 0)
1.403 djm 4482: fatal_fr(r, "channel %u; send window-change", i);
1.204 djm 4483: }
1.372 markus 4484: }
4485:
4486: /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */
4487: static Channel *
4488: rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname)
4489: {
4490: Channel *c;
4491: int r;
4492:
4493: c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1,
4494: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4495: c->host_port = 0;
4496: c->path = NULL;
4497:
4498: /*
4499: * We need to open the channel before we have a FD,
4500: * so that we can get SOCKS header from peer.
4501: */
4502: if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
4503: (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
4504: (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
4505: (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1.403 djm 4506: (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0)
4507: fatal_fr(r, "channel %i; confirm", c->self);
1.372 markus 4508: return c;
4509: }
4510:
4511: /* Return CONNECTING socket to remote host:port or local socket path */
4512: static int
4513: rdynamic_connect_finish(struct ssh *ssh, Channel *c)
4514: {
1.405 markus 4515: struct ssh_channels *sc = ssh->chanctxt;
4516: struct permission_set *pset = &sc->local_perms;
4517: struct permission *perm;
1.372 markus 4518: struct channel_connect cctx;
1.405 markus 4519: u_int i, permit_adm = 1;
1.372 markus 4520: int sock;
1.405 markus 4521:
4522: if (pset->num_permitted_admin > 0) {
4523: permit_adm = 0;
4524: for (i = 0; i < pset->num_permitted_admin; i++) {
4525: perm = &pset->permitted_admin[i];
4526: if (open_match(perm, c->path, c->host_port)) {
4527: permit_adm = 1;
4528: break;
4529: }
4530: }
4531: }
4532: if (!permit_adm) {
4533: debug_f("requested forward not permitted");
4534: return -1;
4535: }
1.372 markus 4536:
4537: memset(&cctx, 0, sizeof(cctx));
4538: sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL,
4539: NULL, &cctx, NULL, NULL);
4540: if (sock == -1)
4541: channel_connect_ctx_free(&cctx);
4542: else {
4543: /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */
4544: c->type = SSH_CHANNEL_RDYNAMIC_FINISH;
4545: c->connect_ctx = cctx;
4546: channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0);
4547: }
4548: return sock;
1.99 markus 4549: }
4550:
1.121 markus 4551: /* -- X11 forwarding */
1.1 deraadt 4552:
1.27 markus 4553: /*
4554: * Creates an internet domain socket for listening for X11 connections.
1.176 deraadt 4555: * Returns 0 and a suitable display number for the DISPLAY variable
4556: * stored in display_numberp , or -1 if an error occurs.
1.27 markus 4557: */
1.141 stevesk 4558: int
1.367 djm 4559: x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
4560: int x11_use_localhost, int single_connection,
4561: u_int *display_numberp, int **chanids)
1.1 deraadt 4562: {
1.149 markus 4563: Channel *nc = NULL;
1.31 markus 4564: int display_number, sock;
4565: u_short port;
1.35 markus 4566: struct addrinfo hints, *ai, *aitop;
4567: char strport[NI_MAXSERV];
4568: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1.25 markus 4569:
1.224 markus 4570: if (chanids == NULL)
4571: return -1;
4572:
1.33 markus 4573: for (display_number = x11_display_offset;
1.148 deraadt 4574: display_number < MAX_DISPLAYS;
4575: display_number++) {
1.25 markus 4576: port = 6000 + display_number;
1.35 markus 4577: memset(&hints, 0, sizeof(hints));
1.367 djm 4578: hints.ai_family = ssh->chanctxt->IPv4or6;
1.163 stevesk 4579: hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
1.35 markus 4580: hints.ai_socktype = SOCK_STREAM;
4581: snprintf(strport, sizeof strport, "%d", port);
1.367 djm 4582: if ((gaierr = getaddrinfo(NULL, strport,
4583: &hints, &aitop)) != 0) {
1.271 dtucker 4584: error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
1.141 stevesk 4585: return -1;
1.25 markus 4586: }
1.35 markus 4587: for (ai = aitop; ai; ai = ai->ai_next) {
1.367 djm 4588: if (ai->ai_family != AF_INET &&
4589: ai->ai_family != AF_INET6)
1.35 markus 4590: continue;
1.300 dtucker 4591: sock = socket(ai->ai_family, ai->ai_socktype,
4592: ai->ai_protocol);
1.393 deraadt 4593: if (sock == -1) {
1.35 markus 4594: error("socket: %.100s", strerror(errno));
1.203 markus 4595: freeaddrinfo(aitop);
1.141 stevesk 4596: return -1;
1.35 markus 4597: }
1.376 djm 4598: set_reuseaddr(sock);
1.393 deraadt 4599: if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1.403 djm 4600: debug2_f("bind port %d: %.100s", port,
4601: strerror(errno));
1.35 markus 4602: close(sock);
1.367 djm 4603: for (n = 0; n < num_socks; n++)
1.35 markus 4604: close(socks[n]);
4605: num_socks = 0;
4606: break;
4607: }
4608: socks[num_socks++] = sock;
4609: if (num_socks == NUM_SOCKS)
4610: break;
1.25 markus 4611: }
1.83 stevesk 4612: freeaddrinfo(aitop);
1.35 markus 4613: if (num_socks > 0)
4614: break;
1.25 markus 4615: }
4616: if (display_number >= MAX_DISPLAYS) {
4617: error("Failed to allocate internet-domain X11 display socket.");
1.141 stevesk 4618: return -1;
1.25 markus 4619: }
4620: /* Start listening for connections on the socket. */
1.35 markus 4621: for (n = 0; n < num_socks; n++) {
4622: sock = socks[n];
1.393 deraadt 4623: if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
1.35 markus 4624: error("listen: %.100s", strerror(errno));
4625: close(sock);
1.141 stevesk 4626: return -1;
1.35 markus 4627: }
1.25 markus 4628: }
1.35 markus 4629:
4630: /* Allocate a channel for each socket. */
1.242 djm 4631: *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
1.35 markus 4632: for (n = 0; n < num_socks; n++) {
4633: sock = socks[n];
1.367 djm 4634: nc = channel_new(ssh, "x11 listener",
1.51 markus 4635: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
4636: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1.190 markus 4637: 0, "X11 inet listener", 1);
1.167 markus 4638: nc->single_connection = single_connection;
1.224 markus 4639: (*chanids)[n] = nc->self;
1.35 markus 4640: }
1.224 markus 4641: (*chanids)[n] = -1;
1.1 deraadt 4642:
1.141 stevesk 4643: /* Return the display number for the DISPLAY environment variable. */
1.176 deraadt 4644: *display_numberp = display_number;
1.367 djm 4645: return 0;
1.1 deraadt 4646: }
4647:
1.127 itojun 4648: static int
1.77 markus 4649: connect_local_xsocket(u_int dnr)
1.1 deraadt 4650: {
1.25 markus 4651: int sock;
4652: struct sockaddr_un addr;
4653:
1.147 stevesk 4654: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1.393 deraadt 4655: if (sock == -1)
1.147 stevesk 4656: error("socket: %.100s", strerror(errno));
4657: memset(&addr, 0, sizeof(addr));
4658: addr.sun_family = AF_UNIX;
4659: snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr);
1.239 deraadt 4660: if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1.147 stevesk 4661: return sock;
4662: close(sock);
1.25 markus 4663: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
4664: return -1;
1.1 deraadt 4665: }
4666:
1.51 markus 4667: int
1.367 djm 4668: x11_connect_display(struct ssh *ssh)
1.1 deraadt 4669: {
1.248 deraadt 4670: u_int display_number;
1.25 markus 4671: const char *display;
1.51 markus 4672: char buf[1024], *cp;
1.35 markus 4673: struct addrinfo hints, *ai, *aitop;
4674: char strport[NI_MAXSERV];
1.248 deraadt 4675: int gaierr, sock = 0;
1.25 markus 4676:
4677: /* Try to open a socket for the local X server. */
4678: display = getenv("DISPLAY");
4679: if (!display) {
4680: error("DISPLAY not set.");
1.51 markus 4681: return -1;
1.25 markus 4682: }
1.27 markus 4683: /*
4684: * Now we decode the value of the DISPLAY variable and make a
4685: * connection to the real X server.
4686: */
4687:
4688: /*
4689: * Check if it is a unix domain socket. Unix domain displays are in
4690: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
4691: */
1.25 markus 4692: if (strncmp(display, "unix:", 5) == 0 ||
4693: display[0] == ':') {
4694: /* Connect to the unix domain socket. */
1.367 djm 4695: if (sscanf(strrchr(display, ':') + 1, "%u",
4696: &display_number) != 1) {
4697: error("Could not parse display number from DISPLAY: "
4698: "%.100s", display);
1.51 markus 4699: return -1;
1.25 markus 4700: }
4701: /* Create a socket. */
4702: sock = connect_local_xsocket(display_number);
4703: if (sock < 0)
1.51 markus 4704: return -1;
1.25 markus 4705:
4706: /* OK, we now have a connection to the display. */
1.51 markus 4707: return sock;
1.25 markus 4708: }
1.27 markus 4709: /*
4710: * Connect to an inet socket. The DISPLAY value is supposedly
4711: * hostname:d[.s], where hostname may also be numeric IP address.
4712: */
1.145 stevesk 4713: strlcpy(buf, display, sizeof(buf));
1.25 markus 4714: cp = strchr(buf, ':');
4715: if (!cp) {
4716: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 4717: return -1;
1.25 markus 4718: }
4719: *cp = 0;
1.367 djm 4720: /*
4721: * buf now contains the host name. But first we parse the
4722: * display number.
4723: */
1.248 deraadt 4724: if (sscanf(cp + 1, "%u", &display_number) != 1) {
1.25 markus 4725: error("Could not parse display number from DISPLAY: %.100s",
1.148 deraadt 4726: display);
1.51 markus 4727: return -1;
1.25 markus 4728: }
1.35 markus 4729:
4730: /* Look up the host address */
4731: memset(&hints, 0, sizeof(hints));
1.367 djm 4732: hints.ai_family = ssh->chanctxt->IPv4or6;
1.35 markus 4733: hints.ai_socktype = SOCK_STREAM;
1.248 deraadt 4734: snprintf(strport, sizeof strport, "%u", 6000 + display_number);
1.35 markus 4735: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1.271 dtucker 4736: error("%.100s: unknown host. (%s)", buf,
4737: ssh_gai_strerror(gaierr));
1.51 markus 4738: return -1;
1.25 markus 4739: }
1.35 markus 4740: for (ai = aitop; ai; ai = ai->ai_next) {
4741: /* Create a socket. */
1.300 dtucker 4742: sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
1.393 deraadt 4743: if (sock == -1) {
1.194 markus 4744: debug2("socket: %.100s", strerror(errno));
1.41 markus 4745: continue;
4746: }
4747: /* Connect it to the display. */
1.393 deraadt 4748: if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
1.248 deraadt 4749: debug2("connect %.100s port %u: %.100s", buf,
1.41 markus 4750: 6000 + display_number, strerror(errno));
4751: close(sock);
4752: continue;
4753: }
4754: /* Success */
4755: break;
1.35 markus 4756: }
4757: freeaddrinfo(aitop);
4758: if (!ai) {
1.367 djm 4759: error("connect %.100s port %u: %.100s", buf,
4760: 6000 + display_number, strerror(errno));
1.51 markus 4761: return -1;
1.25 markus 4762: }
1.162 stevesk 4763: set_nodelay(sock);
1.51 markus 4764: return sock;
4765: }
4766:
4767: /*
1.27 markus 4768: * Requests forwarding of X11 connections, generates fake authentication
4769: * data, and enables authentication spoofing.
1.121 markus 4770: * This should be called in the client only.
1.27 markus 4771: */
1.49 markus 4772: void
1.367 djm 4773: x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
4774: const char *disp, const char *proto, const char *data, int want_reply)
1.1 deraadt 4775: {
1.367 djm 4776: struct ssh_channels *sc = ssh->chanctxt;
1.77 markus 4777: u_int data_len = (u_int) strlen(data) / 2;
1.219 djm 4778: u_int i, value;
1.367 djm 4779: const char *cp;
1.25 markus 4780: char *new_data;
1.367 djm 4781: int r, screen_number;
1.25 markus 4782:
1.367 djm 4783: if (sc->x11_saved_display == NULL)
4784: sc->x11_saved_display = xstrdup(disp);
4785: else if (strcmp(disp, sc->x11_saved_display) != 0) {
1.219 djm 4786: error("x11_request_forwarding_with_spoofing: different "
4787: "$DISPLAY already forwarded");
4788: return;
4789: }
4790:
1.266 djm 4791: cp = strchr(disp, ':');
1.25 markus 4792: if (cp)
4793: cp = strchr(cp, '.');
4794: if (cp)
1.245 deraadt 4795: screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
1.25 markus 4796: else
4797: screen_number = 0;
4798:
1.367 djm 4799: if (sc->x11_saved_proto == NULL) {
1.219 djm 4800: /* Save protocol name. */
1.367 djm 4801: sc->x11_saved_proto = xstrdup(proto);
1.353 natano 4802:
4803: /* Extract real authentication data. */
1.367 djm 4804: sc->x11_saved_data = xmalloc(data_len);
1.219 djm 4805: for (i = 0; i < data_len; i++) {
1.403 djm 4806: if (sscanf(data + 2 * i, "%2x", &value) != 1) {
1.219 djm 4807: fatal("x11_request_forwarding: bad "
4808: "authentication data: %.100s", data);
1.403 djm 4809: }
1.367 djm 4810: sc->x11_saved_data[i] = value;
1.219 djm 4811: }
1.367 djm 4812: sc->x11_saved_data_len = data_len;
1.353 natano 4813:
4814: /* Generate fake data of the same length. */
1.367 djm 4815: sc->x11_fake_data = xmalloc(data_len);
4816: arc4random_buf(sc->x11_fake_data, data_len);
4817: sc->x11_fake_data_len = data_len;
1.25 markus 4818: }
4819:
4820: /* Convert the fake data into hex. */
1.367 djm 4821: new_data = tohex(sc->x11_fake_data, data_len);
1.25 markus 4822:
4823: /* Send the request packet. */
1.367 djm 4824: channel_request_start(ssh, client_session_id, "x11-req", want_reply);
4825: if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */
4826: (r = sshpkt_put_cstring(ssh, proto)) != 0 ||
4827: (r = sshpkt_put_cstring(ssh, new_data)) != 0 ||
4828: (r = sshpkt_put_u32(ssh, screen_number)) != 0 ||
4829: (r = sshpkt_send(ssh)) != 0 ||
4830: (r = ssh_packet_write_wait(ssh)) != 0)
1.403 djm 4831: fatal_fr(r, "send x11-req");
1.321 djm 4832: free(new_data);
1.1 deraadt 4833: }