Annotation of src/usr.bin/ssh/channels.c, Revision 1.42
1.1 deraadt 1: /*
1.26 deraadt 2: *
3: * channels.c
4: *
5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
6: *
7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
9: *
10: * Created: Fri Mar 24 16:35:24 1995 ylo
11: *
12: * This file contains functions for generic socket connection forwarding.
13: * There is also code for initiating connection forwarding for X11 connections,
14: * arbitrary tcp/ip connections, and the authentication agent connection.
15: *
16: */
1.1 deraadt 17:
18: #include "includes.h"
1.42 ! markus 19: RCSID("$Id: channels.c,v 1.41 2000/03/28 20:31:25 markus Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.20 markus 27: #include "readconf.h"
1.3 deraadt 28: #include "servconf.h"
1.1 deraadt 29:
1.14 markus 30: #include "channels.h"
31: #include "nchan.h"
32: #include "compat.h"
33:
1.1 deraadt 34: /* Maximum number of fake X11 displays to try. */
35: #define MAX_DISPLAYS 1000
36:
1.12 markus 37: /* Max len of agent socket */
38: #define MAX_SOCKET_NAME 100
39:
1.41 markus 40: /* default buffer for tcp-fwd-channel */
41: #define CHAN_WINDOW_DEFAULT (8*1024)
42: #define CHAN_PACKET_DEFAULT (CHAN_WINDOW_DEFAULT/2)
43:
1.27 markus 44: /*
45: * Pointer to an array containing all allocated channels. The array is
46: * dynamically extended as needed.
47: */
1.1 deraadt 48: static Channel *channels = NULL;
49:
1.27 markus 50: /*
51: * Size of the channel array. All slots of the array must always be
52: * initialized (at least the type field); unused slots are marked with type
53: * SSH_CHANNEL_FREE.
54: */
1.1 deraadt 55: static int channels_alloc = 0;
56:
1.27 markus 57: /*
58: * Maximum file descriptor value used in any of the channels. This is
59: * updated in channel_allocate.
60: */
1.1 deraadt 61: static int channel_max_fd_value = 0;
62:
1.12 markus 63: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 64: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 65: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 66:
67: /* Saved X11 authentication protocol name. */
68: char *x11_saved_proto = NULL;
69:
70: /* Saved X11 authentication data. This is the real data. */
71: char *x11_saved_data = NULL;
72: unsigned int x11_saved_data_len = 0;
73:
1.27 markus 74: /*
75: * Fake X11 authentication data. This is what the server will be sending us;
76: * we should replace any occurrences of this by the real data.
77: */
1.1 deraadt 78: char *x11_fake_data = NULL;
79: unsigned int x11_fake_data_len;
80:
1.27 markus 81: /*
82: * Data structure for storing which hosts are permitted for forward requests.
83: * The local sides of any remote forwards are stored in this array to prevent
84: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
85: * network (which might be behind a firewall).
86: */
1.25 markus 87: typedef struct {
1.41 markus 88: char *host_to_connect; /* Connect to 'host'. */
89: u_short port_to_connect; /* Connect to 'port'. */
90: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 91: } ForwardPermission;
92:
93: /* List of all permitted host/port pairs to connect. */
94: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
95: /* Number of permitted host/port pairs in the array. */
96: static int num_permitted_opens = 0;
1.27 markus 97: /*
98: * If this is true, all opens are permitted. This is the case on the server
99: * on which we have to trust the client anyway, and the user could do
100: * anything after logging in anyway.
101: */
1.1 deraadt 102: static int all_opens_permitted = 0;
103:
104: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
105: static int have_hostname_in_open = 0;
106:
107: /* Sets specific protocol options. */
108:
1.25 markus 109: void
110: channel_set_options(int hostname_in_open)
1.1 deraadt 111: {
1.25 markus 112: have_hostname_in_open = hostname_in_open;
1.1 deraadt 113: }
114:
1.27 markus 115: /*
116: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
117: * called by the server, because the user could connect to any port anyway,
118: * and the server has no way to know but to trust the client anyway.
119: */
1.1 deraadt 120:
1.25 markus 121: void
122: channel_permit_all_opens()
1.1 deraadt 123: {
1.25 markus 124: all_opens_permitted = 1;
1.1 deraadt 125: }
126:
1.41 markus 127: /* lookup channel by id */
128:
129: Channel *
130: channel_lookup(int id)
131: {
132: Channel *c;
133: if (id < 0 && id > channels_alloc) {
134: log("channel_lookup: %d: bad id", id);
135: return NULL;
136: }
137: c = &channels[id];
138: if (c->type == SSH_CHANNEL_FREE) {
139: log("channel_lookup: %d: bad id: channel free", id);
140: return NULL;
141: }
142: return c;
143: }
144:
1.27 markus 145: /*
146: * Allocate a new channel object and set its type and socket. This will cause
147: * remote_name to be freed.
148: */
1.1 deraadt 149:
1.25 markus 150: int
1.41 markus 151: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
152: int window, int maxpack, int extended_usage, char *remote_name)
1.1 deraadt 153: {
1.25 markus 154: int i, found;
155: Channel *c;
1.1 deraadt 156:
1.25 markus 157: /* Update the maximum file descriptor value. */
1.41 markus 158: if (rfd > channel_max_fd_value)
159: channel_max_fd_value = rfd;
160: if (wfd > channel_max_fd_value)
161: channel_max_fd_value = wfd;
162: if (efd > channel_max_fd_value)
163: channel_max_fd_value = efd;
1.27 markus 164: /* XXX set close-on-exec -markus */
1.25 markus 165:
166: /* Do initial allocation if this is the first call. */
167: if (channels_alloc == 0) {
168: channels_alloc = 10;
169: channels = xmalloc(channels_alloc * sizeof(Channel));
170: for (i = 0; i < channels_alloc; i++)
171: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 172: /*
173: * Kludge: arrange a call to channel_stop_listening if we
174: * terminate with fatal().
175: */
1.25 markus 176: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
177: }
178: /* Try to find a free slot where to put the new channel. */
179: for (found = -1, i = 0; i < channels_alloc; i++)
180: if (channels[i].type == SSH_CHANNEL_FREE) {
181: /* Found a free slot. */
182: found = i;
183: break;
184: }
185: if (found == -1) {
1.27 markus 186: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 187: found = channels_alloc;
188: channels_alloc += 10;
189: debug("channel: expanding %d", channels_alloc);
190: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
191: for (i = found; i < channels_alloc; i++)
192: channels[i].type = SSH_CHANNEL_FREE;
193: }
194: /* Initialize and return new channel number. */
195: c = &channels[found];
196: buffer_init(&c->input);
197: buffer_init(&c->output);
1.41 markus 198: buffer_init(&c->extended);
1.25 markus 199: chan_init_iostates(c);
200: c->self = found;
201: c->type = type;
1.41 markus 202: c->ctype = ctype;
203: c->local_window = window;
204: c->local_window_max = window;
205: c->local_consumed = 0;
206: c->local_maxpacket = maxpack;
207: c->remote_window = 0;
208: c->remote_maxpacket = 0;
209: c->rfd = rfd;
210: c->wfd = wfd;
211: c->sock = (rfd == wfd) ? rfd : -1;
212: c->efd = efd;
213: c->extended_usage = extended_usage;
1.25 markus 214: c->remote_id = -1;
215: c->remote_name = remote_name;
1.41 markus 216: c->remote_window = 0;
217: c->remote_maxpacket = 0;
218: c->cb_fn = NULL;
219: c->cb_arg = NULL;
220: c->cb_event = 0;
221: c->dettach_user = NULL;
1.25 markus 222: debug("channel %d: new [%s]", found, remote_name);
223: return found;
1.1 deraadt 224: }
1.41 markus 225: int
226: channel_allocate(int type, int sock, char *remote_name)
227: {
228: return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
229: }
1.1 deraadt 230:
231: /* Free the channel and close its socket. */
232:
1.25 markus 233: void
1.41 markus 234: channel_free(int id)
1.1 deraadt 235: {
1.41 markus 236: Channel *c = channel_lookup(id);
237: if (c == NULL)
238: packet_disconnect("channel free: bad local channel %d", id);
239: debug("channel_free: channel %d: status: %s", id, channel_open_message());
1.42 ! markus 240: if (c->sock =! -1) {
1.41 markus 241: shutdown(c->sock, SHUT_RDWR);
1.42 ! markus 242: close(c->sock);
! 243: }
1.41 markus 244: buffer_free(&c->input);
245: buffer_free(&c->output);
246: buffer_free(&c->extended);
247: c->type = SSH_CHANNEL_FREE;
248: if (c->remote_name) {
249: xfree(c->remote_name);
250: c->remote_name = NULL;
1.25 markus 251: }
1.1 deraadt 252: }
253:
1.27 markus 254: /*
1.41 markus 255: * 'channel_pre*' are called just before select() to add any bits relevant to
256: * channels in the select bitmasks.
257: */
258: /*
259: * 'channel_post*': perform any appropriate operations for channels which
260: * have events pending.
1.27 markus 261: */
1.41 markus 262: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
263: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
264: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
265:
266: void
267: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
268: {
269: FD_SET(c->sock, readset);
270: }
271:
272: void
273: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
274: {
275: if (buffer_len(&c->input) < packet_get_maxsize())
276: FD_SET(c->sock, readset);
277: if (buffer_len(&c->output) > 0)
278: FD_SET(c->sock, writeset);
279: }
1.1 deraadt 280:
1.41 markus 281: void
282: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
283: {
284: /* test whether sockets are 'alive' for read/write */
285: if (c->istate == CHAN_INPUT_OPEN)
286: if (buffer_len(&c->input) < packet_get_maxsize())
287: FD_SET(c->sock, readset);
288: if (c->ostate == CHAN_OUTPUT_OPEN ||
289: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
290: if (buffer_len(&c->output) > 0) {
291: FD_SET(c->sock, writeset);
292: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
293: chan_obuf_empty(c);
294: }
295: }
296: }
297:
298: void
299: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
300: {
301: if (buffer_len(&c->input) == 0) {
302: packet_start(SSH_MSG_CHANNEL_CLOSE);
303: packet_put_int(c->remote_id);
304: packet_send();
305: c->type = SSH_CHANNEL_CLOSED;
306: debug("Closing channel %d after input drain.", c->self);
307: }
308: }
309:
310: void
311: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
312: {
313: if (buffer_len(&c->output) == 0)
314: channel_free(c->self);
315: else
316: FD_SET(c->sock, writeset);
317: }
318:
319: /*
320: * This is a special state for X11 authentication spoofing. An opened X11
321: * connection (when authentication spoofing is being done) remains in this
322: * state until the first packet has been completely read. The authentication
323: * data in that packet is then substituted by the real data if it matches the
324: * fake data, and the channel is put into normal mode.
325: */
326: int
327: x11_open_helper(Channel *c)
1.1 deraadt 328: {
1.25 markus 329: unsigned char *ucp;
330: unsigned int proto_len, data_len;
331:
1.41 markus 332: /* Check if the fixed size part of the packet is in buffer. */
333: if (buffer_len(&c->output) < 12)
334: return 0;
335:
336: /* Parse the lengths of variable-length fields. */
337: ucp = (unsigned char *) buffer_ptr(&c->output);
338: if (ucp[0] == 0x42) { /* Byte order MSB first. */
339: proto_len = 256 * ucp[6] + ucp[7];
340: data_len = 256 * ucp[8] + ucp[9];
341: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
342: proto_len = ucp[6] + 256 * ucp[7];
343: data_len = ucp[8] + 256 * ucp[9];
344: } else {
345: debug("Initial X11 packet contains bad byte order byte: 0x%x",
346: ucp[0]);
347: return -1;
348: }
349:
350: /* Check if the whole packet is in buffer. */
351: if (buffer_len(&c->output) <
352: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
353: return 0;
354:
355: /* Check if authentication protocol matches. */
356: if (proto_len != strlen(x11_saved_proto) ||
357: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
358: debug("X11 connection uses different authentication protocol.");
359: return -1;
360: }
361: /* Check if authentication data matches our fake data. */
362: if (data_len != x11_fake_data_len ||
363: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
364: x11_fake_data, x11_fake_data_len) != 0) {
365: debug("X11 auth data does not match fake data.");
366: return -1;
367: }
368: /* Check fake data length */
369: if (x11_fake_data_len != x11_saved_data_len) {
370: error("X11 fake_data_len %d != saved_data_len %d",
371: x11_fake_data_len, x11_saved_data_len);
372: return -1;
373: }
374: /*
375: * Received authentication protocol and data match
376: * our fake data. Substitute the fake data with real
377: * data.
378: */
379: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
380: x11_saved_data, x11_saved_data_len);
381: return 1;
382: }
383:
384: void
385: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
386: {
387: int ret = x11_open_helper(c);
388: if (ret == 1) {
389: /* Start normal processing for the channel. */
390: c->type = SSH_CHANNEL_OPEN;
391: } else if (ret == -1) {
392: /*
393: * We have received an X11 connection that has bad
394: * authentication information.
395: */
396: log("X11 connection rejected because of wrong authentication.\r\n");
397: buffer_clear(&c->input);
398: buffer_clear(&c->output);
399: close(c->sock);
400: c->sock = -1;
401: c->type = SSH_CHANNEL_CLOSED;
402: packet_start(SSH_MSG_CHANNEL_CLOSE);
403: packet_put_int(c->remote_id);
404: packet_send();
405: }
406: }
1.25 markus 407:
1.41 markus 408: void
409: channel_pre_x11_open_15(Channel *c, fd_set * readset, fd_set * writeset)
410: {
411: int ret = x11_open_helper(c);
412: if (ret == 1) {
413: c->type = SSH_CHANNEL_OPEN;
414: } else if (ret == -1) {
415: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
416: chan_read_failed(c);
417: chan_write_failed(c);
418: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
419: }
420: }
1.25 markus 421:
1.41 markus 422: /* This is our fake X11 server socket. */
423: void
424: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
425: {
426: struct sockaddr addr;
427: int newsock, newch;
428: socklen_t addrlen;
429: char buf[16384], *remote_hostname;
1.25 markus 430:
1.41 markus 431: if (FD_ISSET(c->sock, readset)) {
432: debug("X11 connection requested.");
433: addrlen = sizeof(addr);
434: newsock = accept(c->sock, &addr, &addrlen);
435: if (newsock < 0) {
436: error("accept: %.100s", strerror(errno));
437: return;
438: }
439: remote_hostname = get_remote_hostname(newsock);
440: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
441: remote_hostname, get_peer_port(newsock));
442: xfree(remote_hostname);
443: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
444: xstrdup(buf));
445: packet_start(SSH_SMSG_X11_OPEN);
446: packet_put_int(newch);
447: if (have_hostname_in_open)
448: packet_put_string(buf, strlen(buf));
449: packet_send();
450: }
451: }
1.25 markus 452:
1.41 markus 453: /*
454: * This socket is listening for connections to a forwarded TCP/IP port.
455: */
456: void
457: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
458: {
459: struct sockaddr addr;
460: int newsock, newch;
461: socklen_t addrlen;
462: char buf[1024], *remote_hostname;
463: int remote_port;
1.25 markus 464:
1.41 markus 465: if (FD_ISSET(c->sock, readset)) {
466: debug("Connection to port %d forwarding "
467: "to %.100s port %d requested.",
468: c->listening_port, c->path, c->host_port);
469: addrlen = sizeof(addr);
470: newsock = accept(c->sock, &addr, &addrlen);
471: if (newsock < 0) {
472: error("accept: %.100s", strerror(errno));
473: return;
474: }
475: remote_hostname = get_remote_hostname(newsock);
476: remote_port = get_peer_port(newsock);
477: snprintf(buf, sizeof buf,
478: "listen port %d for %.100s port %d, "
479: "connect from %.200s port %d",
480: c->listening_port, c->path, c->host_port,
481: remote_hostname, remote_port);
482: newch = channel_new("direct-tcpip",
483: SSH_CHANNEL_OPENING, newsock, newsock, -1,
484: c->local_window_max, c->local_maxpacket,
485: 0, xstrdup(buf));
486:
487: packet_start(SSH_MSG_PORT_OPEN);
488: packet_put_int(newch);
489: packet_put_string(c->path, strlen(c->path));
490: packet_put_int(c->host_port);
491: if (have_hostname_in_open) {
492: packet_put_string(buf, strlen(buf));
493: }
494: packet_send();
495: xfree(remote_hostname);
496: }
497: }
1.25 markus 498:
1.41 markus 499: /*
500: * This is the authentication agent socket listening for connections from
501: * clients.
502: */
503: void
504: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
505: {
506: struct sockaddr addr;
507: int newsock, newch;
508: socklen_t addrlen;
1.25 markus 509:
1.41 markus 510: if (FD_ISSET(c->sock, readset)) {
511: addrlen = sizeof(addr);
512: newsock = accept(c->sock, &addr, &addrlen);
513: if (newsock < 0) {
514: error("accept from auth socket: %.100s", strerror(errno));
515: return;
516: }
517: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
518: xstrdup("accepted auth socket"));
519: packet_start(SSH_SMSG_AGENT_OPEN);
520: packet_put_int(newch);
521: packet_send();
522: }
523: }
1.25 markus 524:
1.41 markus 525: int
526: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
527: {
528: char buf[16*1024];
529: int len;
1.25 markus 530:
1.41 markus 531: if (c->rfd != -1 &&
532: FD_ISSET(c->rfd, readset)) {
533: len = read(c->rfd, buf, sizeof(buf));
534: if (len <= 0) {
535: debug("channel %d: read<0 rfd %d len %d",
536: c->self, c->rfd, len);
1.25 markus 537: if (compat13) {
1.41 markus 538: buffer_consume(&c->output, buffer_len(&c->output));
539: c->type = SSH_CHANNEL_INPUT_DRAINING;
540: debug("Channel %d status set to input draining.", c->self);
1.25 markus 541: } else {
1.41 markus 542: chan_read_failed(c);
1.25 markus 543: }
1.41 markus 544: return -1;
545: }
546: buffer_append(&c->input, buf, len);
547: }
548: return 1;
549: }
550: int
551: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
552: {
553: int len;
1.25 markus 554:
1.41 markus 555: /* Send buffered output data to the socket. */
556: if (c->wfd != -1 &&
557: FD_ISSET(c->wfd, writeset) &&
558: buffer_len(&c->output) > 0) {
559: len = write(c->wfd, buffer_ptr(&c->output),
560: buffer_len(&c->output));
561: if (len <= 0) {
562: if (compat13) {
563: buffer_consume(&c->output, buffer_len(&c->output));
564: debug("Channel %d status set to input draining.", c->self);
565: c->type = SSH_CHANNEL_INPUT_DRAINING;
566: } else {
567: chan_write_failed(c);
568: }
569: return -1;
1.25 markus 570: }
1.41 markus 571: buffer_consume(&c->output, len);
1.1 deraadt 572: }
1.41 markus 573: return 1;
1.1 deraadt 574: }
575:
1.41 markus 576: void
577: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
578: {
579: channel_handle_rfd(c, readset, writeset);
580: channel_handle_wfd(c, readset, writeset);
581: }
1.1 deraadt 582:
1.41 markus 583: void
584: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 585: {
1.41 markus 586: int len;
587: /* Send buffered output data to the socket. */
588: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
589: len = write(c->sock, buffer_ptr(&c->output),
590: buffer_len(&c->output));
591: if (len <= 0)
592: buffer_consume(&c->output, buffer_len(&c->output));
593: else
594: buffer_consume(&c->output, len);
595: }
596: }
1.25 markus 597:
1.41 markus 598: void
599: channel_handler_init_13(void)
600: {
601: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
602: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
603: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
604: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
605: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
606: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
607: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.25 markus 608:
1.41 markus 609: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
610: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
611: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
612: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
613: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
614: }
1.25 markus 615:
1.41 markus 616: void
617: channel_handler_init_15(void)
618: {
619: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
620: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_15;
621: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
622: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
623: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.25 markus 624:
1.41 markus 625: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
626: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
627: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
628: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
629: }
1.27 markus 630:
1.41 markus 631: void
632: channel_handler_init(void)
633: {
634: int i;
635: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
636: channel_pre[i] = NULL;
637: channel_post[i] = NULL;
638: }
639: if (compat13)
640: channel_handler_init_13();
641: else
642: channel_handler_init_15();
643: }
1.25 markus 644:
1.41 markus 645: void
646: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
647: {
648: static int did_init = 0;
649: int i;
650: Channel *c;
1.25 markus 651:
1.41 markus 652: if (!did_init) {
653: channel_handler_init();
654: did_init = 1;
655: }
656: for (i = 0; i < channels_alloc; i++) {
657: c = &channels[i];
658: if (c->type == SSH_CHANNEL_FREE)
659: continue;
660: if (ftab[c->type] == NULL)
1.25 markus 661: continue;
1.41 markus 662: (*ftab[c->type])(c, readset, writeset);
1.42 ! markus 663: if (!compat13)
! 664: chan_delete_if_full_closed(c);
1.1 deraadt 665: }
666: }
667:
1.41 markus 668: void
669: channel_prepare_select(fd_set * readset, fd_set * writeset)
670: {
671: channel_handler(channel_pre, readset, writeset);
672: }
673:
674: void
675: channel_after_select(fd_set * readset, fd_set * writeset)
676: {
677: channel_handler(channel_post, readset, writeset);
678: }
679:
1.1 deraadt 680: /* If there is data to send to the connection, send some of it now. */
681:
1.25 markus 682: void
683: channel_output_poll()
1.1 deraadt 684: {
1.25 markus 685: int len, i;
1.41 markus 686: Channel *c;
1.1 deraadt 687:
1.25 markus 688: for (i = 0; i < channels_alloc; i++) {
1.41 markus 689: c = &channels[i];
1.37 markus 690:
1.27 markus 691: /* We are only interested in channels that can have buffered incoming data. */
1.37 markus 692: if (compat13) {
1.41 markus 693: if (c->type != SSH_CHANNEL_OPEN &&
694: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 695: continue;
696: } else {
1.41 markus 697: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 698: continue;
1.41 markus 699: if (c->istate != CHAN_INPUT_OPEN &&
700: c->istate != CHAN_INPUT_WAIT_DRAIN)
1.37 markus 701: continue;
702: }
1.25 markus 703:
704: /* Get the amount of buffered data for this channel. */
1.41 markus 705: len = buffer_len(&c->input);
1.25 markus 706: if (len > 0) {
1.27 markus 707: /* Send some data for the other side over the secure connection. */
1.25 markus 708: if (packet_is_interactive()) {
709: if (len > 1024)
710: len = 512;
711: } else {
712: /* Keep the packets at reasonable size. */
1.40 markus 713: if (len > packet_get_maxsize())
1.34 markus 714: len = packet_get_maxsize()/2;
1.25 markus 715: }
1.41 markus 716: if (len > 0) {
717: packet_start(SSH_MSG_CHANNEL_DATA);
718: packet_put_int(c->remote_id);
719: packet_put_string(buffer_ptr(&c->input), len);
720: packet_send();
721: buffer_consume(&c->input, len);
722: c->remote_window -= len;
723: debug("channel %d: send data len %d", c->self, len);
724: }
725: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 726: if (compat13)
727: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 728: /*
729: * input-buffer is empty and read-socket shutdown:
730: * tell peer, that we will not send more data: send IEOF
731: */
1.41 markus 732: chan_ibuf_empty(c);
1.25 markus 733: }
734: }
1.1 deraadt 735: }
736:
1.27 markus 737: /*
738: * This is called when a packet of type CHANNEL_DATA has just been received.
739: * The message type has already been consumed, but channel number and data is
740: * still there.
741: */
1.1 deraadt 742:
1.25 markus 743: void
1.41 markus 744: channel_input_data(int type, int plen)
1.1 deraadt 745: {
1.37 markus 746: int id;
1.25 markus 747: char *data;
748: unsigned int data_len;
1.41 markus 749: Channel *c;
1.25 markus 750:
751: /* Get the channel number and verify it. */
1.37 markus 752: id = packet_get_int();
1.41 markus 753: c = channel_lookup(id);
754: if (c == NULL)
1.37 markus 755: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 756:
757: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 758: if (c->type != SSH_CHANNEL_OPEN &&
759: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 760: return;
761:
762: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 763: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 764: return;
765:
766: /* Get the data. */
767: data = packet_get_string(&data_len);
1.41 markus 768:
769: packet_integrity_check(plen, 4 + 4 + data_len, SSH_MSG_CHANNEL_DATA);
770: buffer_append(&c->output, data, data_len);
1.25 markus 771: xfree(data);
1.1 deraadt 772: }
773:
1.27 markus 774: /*
775: * Returns true if no channel has too much buffered data, and false if one or
776: * more channel is overfull.
777: */
1.1 deraadt 778:
1.25 markus 779: int
780: channel_not_very_much_buffered_data()
1.1 deraadt 781: {
1.25 markus 782: unsigned int i;
1.41 markus 783: Channel *c;
1.25 markus 784:
785: for (i = 0; i < channels_alloc; i++) {
1.41 markus 786: c = &channels[i];
787: if (c->type == SSH_CHANNEL_OPEN) {
788: if (buffer_len(&c->input) > packet_get_maxsize()) {
789: debug("channel %d: big input buffer %d",
790: c->self, buffer_len(&c->input));
1.25 markus 791: return 0;
1.41 markus 792: }
793: if (buffer_len(&c->output) > packet_get_maxsize()) {
794: debug("channel %d: big output buffer %d",
795: c->self, buffer_len(&c->output));
1.25 markus 796: return 0;
1.41 markus 797: }
1.25 markus 798: }
1.1 deraadt 799: }
1.25 markus 800: return 1;
1.1 deraadt 801: }
802:
1.41 markus 803: void
804: channel_input_ieof(int type, int plen)
805: {
806: int id;
807: Channel *c;
808:
809: packet_integrity_check(plen, 4, type);
810:
811: id = packet_get_int();
812: c = channel_lookup(id);
813: if (c == NULL)
814: packet_disconnect("Received ieof for nonexistent channel %d.", id);
815: chan_rcvd_ieof(c);
816: }
1.1 deraadt 817:
1.25 markus 818: void
1.41 markus 819: channel_input_close(int type, int plen)
1.1 deraadt 820: {
1.41 markus 821: int id;
822: Channel *c;
1.1 deraadt 823:
1.41 markus 824: packet_integrity_check(plen, 4, type);
825:
826: id = packet_get_int();
827: c = channel_lookup(id);
828: if (c == NULL)
829: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 830:
831: /*
832: * Send a confirmation that we have closed the channel and no more
833: * data is coming for it.
834: */
1.25 markus 835: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 836: packet_put_int(c->remote_id);
1.25 markus 837: packet_send();
838:
1.27 markus 839: /*
840: * If the channel is in closed state, we have sent a close request,
841: * and the other side will eventually respond with a confirmation.
842: * Thus, we cannot free the channel here, because then there would be
843: * no-one to receive the confirmation. The channel gets freed when
844: * the confirmation arrives.
845: */
1.41 markus 846: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 847: /*
848: * Not a closed channel - mark it as draining, which will
849: * cause it to be freed later.
850: */
1.41 markus 851: buffer_consume(&c->input, buffer_len(&c->input));
852: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 853: }
1.1 deraadt 854: }
855:
1.41 markus 856: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
857: void
858: channel_input_oclose(int type, int plen)
859: {
860: int id = packet_get_int();
861: Channel *c = channel_lookup(id);
862: packet_integrity_check(plen, 4, type);
863: if (c == NULL)
864: packet_disconnect("Received oclose for nonexistent channel %d.", id);
865: chan_rcvd_oclose(c);
866: }
1.1 deraadt 867:
1.25 markus 868: void
1.41 markus 869: channel_input_close_confirmation(int type, int plen)
1.1 deraadt 870: {
1.41 markus 871: int id = packet_get_int();
872: Channel *c = channel_lookup(id);
1.1 deraadt 873:
1.41 markus 874: if (c == NULL)
875: packet_disconnect("Received close confirmation for "
876: "out-of-range channel %d.", id);
877: if (c->type != SSH_CHANNEL_CLOSED)
878: packet_disconnect("Received close confirmation for "
879: "non-closed channel %d (type %d).", id, c->type);
880: channel_free(c->self);
1.1 deraadt 881: }
882:
1.25 markus 883: void
1.41 markus 884: channel_input_open_confirmation(int type, int plen)
1.1 deraadt 885: {
1.41 markus 886: int id, remote_id;
887: Channel *c;
1.1 deraadt 888:
1.41 markus 889: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 890:
1.41 markus 891: id = packet_get_int();
892: c = channel_lookup(id);
1.25 markus 893:
1.41 markus 894: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
895: packet_disconnect("Received open confirmation for "
896: "non-opening channel %d.", id);
897: remote_id = packet_get_int();
1.27 markus 898: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 899: c->remote_id = remote_id;
900: c->type = SSH_CHANNEL_OPEN;
1.1 deraadt 901: }
902:
1.25 markus 903: void
1.41 markus 904: channel_input_open_failure(int type, int plen)
1.1 deraadt 905: {
1.41 markus 906: int id;
907: Channel *c;
908:
909: packet_integrity_check(plen, 4, type);
910:
911: id = packet_get_int();
912: c = channel_lookup(id);
1.25 markus 913:
1.41 markus 914: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
915: packet_disconnect("Received open failure for "
916: "non-opening channel %d.", id);
1.1 deraadt 917:
1.25 markus 918: /* Free the channel. This will also close the socket. */
1.41 markus 919: channel_free(id);
1.1 deraadt 920: }
921:
1.27 markus 922: /*
923: * Stops listening for channels, and removes any unix domain sockets that we
924: * might have.
925: */
1.1 deraadt 926:
1.25 markus 927: void
928: channel_stop_listening()
1.1 deraadt 929: {
1.25 markus 930: int i;
931: for (i = 0; i < channels_alloc; i++) {
932: switch (channels[i].type) {
933: case SSH_CHANNEL_AUTH_SOCKET:
934: close(channels[i].sock);
935: remove(channels[i].path);
936: channel_free(i);
937: break;
938: case SSH_CHANNEL_PORT_LISTENER:
939: case SSH_CHANNEL_X11_LISTENER:
940: close(channels[i].sock);
941: channel_free(i);
942: break;
943: default:
944: break;
945: }
1.1 deraadt 946: }
947: }
948:
1.27 markus 949: /*
950: * Closes the sockets of all channels. This is used to close extra file
951: * descriptors after a fork.
952: */
1.1 deraadt 953:
1.25 markus 954: void
955: channel_close_all()
1.1 deraadt 956: {
1.25 markus 957: int i;
958: for (i = 0; i < channels_alloc; i++) {
959: if (channels[i].type != SSH_CHANNEL_FREE)
960: close(channels[i].sock);
961: }
1.1 deraadt 962: }
963:
964: /* Returns the maximum file descriptor number used by the channels. */
965:
1.25 markus 966: int
967: channel_max_fd()
1.1 deraadt 968: {
1.25 markus 969: return channel_max_fd_value;
1.1 deraadt 970: }
971:
972: /* Returns true if any channel is still open. */
973:
1.25 markus 974: int
975: channel_still_open()
1.1 deraadt 976: {
1.25 markus 977: unsigned int i;
978: for (i = 0; i < channels_alloc; i++)
979: switch (channels[i].type) {
980: case SSH_CHANNEL_FREE:
981: case SSH_CHANNEL_X11_LISTENER:
982: case SSH_CHANNEL_PORT_LISTENER:
983: case SSH_CHANNEL_CLOSED:
984: case SSH_CHANNEL_AUTH_SOCKET:
985: continue;
986: case SSH_CHANNEL_OPENING:
987: case SSH_CHANNEL_OPEN:
988: case SSH_CHANNEL_X11_OPEN:
989: return 1;
990: case SSH_CHANNEL_INPUT_DRAINING:
991: case SSH_CHANNEL_OUTPUT_DRAINING:
992: if (!compat13)
993: fatal("cannot happen: OUT_DRAIN");
994: return 1;
995: default:
996: fatal("channel_still_open: bad channel type %d", channels[i].type);
997: /* NOTREACHED */
998: }
999: return 0;
1.1 deraadt 1000: }
1001:
1.27 markus 1002: /*
1003: * Returns a message describing the currently open forwarded connections,
1004: * suitable for sending to the client. The message contains crlf pairs for
1005: * newlines.
1006: */
1.1 deraadt 1007:
1.25 markus 1008: char *
1009: channel_open_message()
1.1 deraadt 1010: {
1.25 markus 1011: Buffer buffer;
1012: int i;
1013: char buf[512], *cp;
1014:
1015: buffer_init(&buffer);
1016: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 1017: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 1018: for (i = 0; i < channels_alloc; i++) {
1019: Channel *c = &channels[i];
1020: switch (c->type) {
1021: case SSH_CHANNEL_FREE:
1022: case SSH_CHANNEL_X11_LISTENER:
1023: case SSH_CHANNEL_PORT_LISTENER:
1024: case SSH_CHANNEL_CLOSED:
1025: case SSH_CHANNEL_AUTH_SOCKET:
1026: continue;
1027: case SSH_CHANNEL_OPENING:
1028: case SSH_CHANNEL_OPEN:
1029: case SSH_CHANNEL_X11_OPEN:
1030: case SSH_CHANNEL_INPUT_DRAINING:
1031: case SSH_CHANNEL_OUTPUT_DRAINING:
1.41 markus 1032: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
1.37 markus 1033: c->self, c->remote_name,
1034: c->type, c->remote_id,
1035: c->istate, buffer_len(&c->input),
1.41 markus 1036: c->ostate, buffer_len(&c->output),
1037: c->rfd, c->wfd);
1.25 markus 1038: buffer_append(&buffer, buf, strlen(buf));
1039: continue;
1040: default:
1.41 markus 1041: fatal("channel_open_message: bad channel type %d", c->type);
1.25 markus 1042: /* NOTREACHED */
1043: }
1044: }
1045: buffer_append(&buffer, "\0", 1);
1046: cp = xstrdup(buffer_ptr(&buffer));
1047: buffer_free(&buffer);
1048: return cp;
1.1 deraadt 1049: }
1050:
1.27 markus 1051: /*
1052: * Initiate forwarding of connections to local port "port" through the secure
1053: * channel to host:port from remote side.
1054: */
1.1 deraadt 1055:
1.25 markus 1056: void
1.31 markus 1057: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 1058: u_short host_port, int gateway_ports)
1.25 markus 1059: {
1.35 markus 1060: int success, ch, sock, on = 1;
1061: struct addrinfo hints, *ai, *aitop;
1062: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.28 markus 1063: struct linger linger;
1.25 markus 1064:
1065: if (strlen(host) > sizeof(channels[0].path) - 1)
1066: packet_disconnect("Forward host name too long.");
1067:
1.28 markus 1068: /*
1.35 markus 1069: * getaddrinfo returns a loopback address if the hostname is
1070: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 1071: */
1.35 markus 1072: memset(&hints, 0, sizeof(hints));
1073: hints.ai_family = IPv4or6;
1074: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1075: hints.ai_socktype = SOCK_STREAM;
1076: snprintf(strport, sizeof strport, "%d", port);
1077: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1078: packet_disconnect("getaddrinfo: fatal error");
1079:
1080: success = 0;
1081: for (ai = aitop; ai; ai = ai->ai_next) {
1082: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1083: continue;
1084: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1085: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1086: error("channel_request_local_forwarding: getnameinfo failed");
1087: continue;
1088: }
1089: /* Create a port to listen for the host. */
1090: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1091: if (sock < 0) {
1092: /* this is no error since kernel may not support ipv6 */
1093: verbose("socket: %.100s", strerror(errno));
1094: continue;
1095: }
1096: /*
1097: * Set socket options. We would like the socket to disappear
1098: * as soon as it has been closed for whatever reason.
1099: */
1100: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1101: linger.l_onoff = 1;
1102: linger.l_linger = 5;
1103: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1104: debug("Local forwarding listening on %s port %s.", ntop, strport);
1105:
1106: /* Bind the socket to the address. */
1107: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1108: /* address can be in use ipv6 address is already bound */
1109: verbose("bind: %.100s", strerror(errno));
1110: close(sock);
1111: continue;
1112: }
1113: /* Start listening for connections on the socket. */
1114: if (listen(sock, 5) < 0) {
1115: error("listen: %.100s", strerror(errno));
1116: close(sock);
1117: continue;
1118: }
1119: /* Allocate a channel number for the socket. */
1.41 markus 1120: ch = channel_new(
1121: "port listener", SSH_CHANNEL_PORT_LISTENER,
1122: sock, sock, -1,
1123: CHAN_WINDOW_DEFAULT, CHAN_PACKET_DEFAULT,
1124: 0, xstrdup("port listener"));
1.35 markus 1125: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1126: channels[ch].host_port = host_port;
1127: channels[ch].listening_port = port;
1128: success = 1;
1129: }
1130: if (success == 0)
1131: packet_disconnect("cannot listen port: %d", port);
1132: freeaddrinfo(aitop);
1.25 markus 1133: }
1.1 deraadt 1134:
1.27 markus 1135: /*
1136: * Initiate forwarding of connections to port "port" on remote host through
1137: * the secure channel to host:port from local side.
1138: */
1.1 deraadt 1139:
1.25 markus 1140: void
1.41 markus 1141: channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
1142: u_short port_to_connect)
1.25 markus 1143: {
1144: int payload_len;
1145: /* Record locally that connection to this host/port is permitted. */
1146: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1147: fatal("channel_request_remote_forwarding: too many forwards");
1148:
1.41 markus 1149: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1150: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1151: permitted_opens[num_permitted_opens].listen_port = listen_port;
1.25 markus 1152: num_permitted_opens++;
1153:
1154: /* Send the forward request to the remote side. */
1155: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.41 markus 1156: packet_put_int(port_to_connect);
1157: packet_put_string(host_to_connect, strlen(host_to_connect));
1158: packet_put_int(listen_port);
1.25 markus 1159: packet_send();
1160: packet_write_wait();
1.27 markus 1161: /*
1162: * Wait for response from the remote side. It will send a disconnect
1163: * message on failure, and we will never see it here.
1164: */
1.25 markus 1165: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1.1 deraadt 1166: }
1167:
1.27 markus 1168: /*
1169: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1170: * listening for the port, and sends back a success reply (or disconnect
1171: * message if there was an error). This never returns if there was an error.
1172: */
1.1 deraadt 1173:
1.25 markus 1174: void
1175: channel_input_port_forward_request(int is_root)
1.1 deraadt 1176: {
1.31 markus 1177: u_short port, host_port;
1.25 markus 1178: char *hostname;
1.1 deraadt 1179:
1.25 markus 1180: /* Get arguments from the packet. */
1181: port = packet_get_int();
1182: hostname = packet_get_string(NULL);
1183: host_port = packet_get_int();
1184:
1.27 markus 1185: /*
1186: * Check that an unprivileged user is not trying to forward a
1187: * privileged port.
1188: */
1.25 markus 1189: if (port < IPPORT_RESERVED && !is_root)
1190: packet_disconnect("Requested forwarding of port %d but user is not root.",
1191: port);
1.33 markus 1192: /*
1193: * Initiate forwarding,
1194: * bind port to localhost only (gateway ports == 0).
1195: */
1196: channel_request_local_forwarding(port, hostname, host_port, 0);
1.25 markus 1197:
1198: /* Free the argument string. */
1199: xfree(hostname);
1.1 deraadt 1200: }
1201:
1.41 markus 1202: /* XXX move to aux.c */
1203: int
1204: channel_connect_to(const char *host, u_short host_port)
1205: {
1206: struct addrinfo hints, *ai, *aitop;
1207: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1208: int gaierr;
1209: int sock = -1;
1210:
1211: memset(&hints, 0, sizeof(hints));
1212: hints.ai_family = IPv4or6;
1213: hints.ai_socktype = SOCK_STREAM;
1214: snprintf(strport, sizeof strport, "%d", host_port);
1215: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1216: error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
1217: return -1;
1218: }
1219: for (ai = aitop; ai; ai = ai->ai_next) {
1220: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1221: continue;
1222: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1223: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1224: error("channel_connect_to: getnameinfo failed");
1225: continue;
1226: }
1227: /* Create the socket. */
1228: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1229: if (sock < 0) {
1230: error("socket: %.100s", strerror(errno));
1231: continue;
1232: }
1233: /* Connect to the host/port. */
1234: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1235: error("connect %.100s port %s: %.100s", ntop, strport,
1236: strerror(errno));
1237: close(sock);
1238: continue; /* fail -- try next */
1239: }
1240: break; /* success */
1241:
1242: }
1243: freeaddrinfo(aitop);
1244: if (!ai) {
1245: error("connect %.100s port %d: failed.", host, host_port);
1246: return -1;
1247: }
1248: /* success */
1249: return sock;
1250: }
1.27 markus 1251: /*
1252: * This is called after receiving PORT_OPEN message. This attempts to
1253: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1254: * or CHANNEL_OPEN_FAILURE.
1255: */
1.1 deraadt 1256:
1.25 markus 1257: void
1.41 markus 1258: channel_input_port_open(int type, int plen)
1.1 deraadt 1259: {
1.31 markus 1260: u_short host_port;
1.25 markus 1261: char *host, *originator_string;
1.41 markus 1262: int remote_channel, sock = -1, newch, i, denied;
1.39 markus 1263: unsigned int host_len, originator_len;
1.25 markus 1264:
1265: /* Get remote channel number. */
1266: remote_channel = packet_get_int();
1267:
1268: /* Get host name to connect to. */
1269: host = packet_get_string(&host_len);
1270:
1271: /* Get port to connect to. */
1272: host_port = packet_get_int();
1273:
1274: /* Get remote originator name. */
1.29 markus 1275: if (have_hostname_in_open) {
1.25 markus 1276: originator_string = packet_get_string(&originator_len);
1.29 markus 1277: originator_len += 4; /* size of packet_int */
1278: } else {
1.25 markus 1279: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1280: originator_len = 0; /* no originator supplied */
1281: }
1.25 markus 1282:
1.41 markus 1283: packet_integrity_check(plen,
1284: 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
1.25 markus 1285:
1286: /* Check if opening that port is permitted. */
1.41 markus 1287: denied = 0;
1.25 markus 1288: if (!all_opens_permitted) {
1289: /* Go trough all permitted ports. */
1290: for (i = 0; i < num_permitted_opens; i++)
1.41 markus 1291: if (permitted_opens[i].port_to_connect == host_port &&
1292: strcmp(permitted_opens[i].host_to_connect, host) == 0)
1.25 markus 1293: break;
1294:
1295: /* Check if we found the requested port among those permitted. */
1296: if (i >= num_permitted_opens) {
1297: /* The port is not permitted. */
1298: log("Received request to connect to %.100s:%d, but the request was denied.",
1299: host, host_port);
1.41 markus 1300: denied = 1;
1.25 markus 1301: }
1302: }
1.41 markus 1303: sock = denied ? -1 : channel_connect_to(host, host_port);
1304: if (sock > 0) {
1305: /* Allocate a channel for this connection. */
1306: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1307: channels[newch].remote_id = remote_channel;
1308:
1309: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1310: packet_put_int(remote_channel);
1311: packet_put_int(newch);
1312: packet_send();
1313: } else {
1314: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1315: packet_put_int(remote_channel);
1316: packet_send();
1.25 markus 1317: }
1318: xfree(host);
1.1 deraadt 1319: }
1320:
1.27 markus 1321: /*
1322: * Creates an internet domain socket for listening for X11 connections.
1323: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1324: * occurs.
1325: */
1.1 deraadt 1326:
1.35 markus 1327: #define NUM_SOCKS 10
1328:
1.25 markus 1329: char *
1.33 markus 1330: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1331: {
1.31 markus 1332: int display_number, sock;
1333: u_short port;
1.35 markus 1334: struct addrinfo hints, *ai, *aitop;
1335: char strport[NI_MAXSERV];
1336: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1337: char display[512];
1.25 markus 1338: char hostname[MAXHOSTNAMELEN];
1339:
1.33 markus 1340: for (display_number = x11_display_offset;
1.25 markus 1341: display_number < MAX_DISPLAYS;
1342: display_number++) {
1343: port = 6000 + display_number;
1.35 markus 1344: memset(&hints, 0, sizeof(hints));
1345: hints.ai_family = IPv4or6;
1.36 markus 1346: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1347: hints.ai_socktype = SOCK_STREAM;
1348: snprintf(strport, sizeof strport, "%d", port);
1349: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1350: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1351: return NULL;
1352: }
1.35 markus 1353: for (ai = aitop; ai; ai = ai->ai_next) {
1354: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1355: continue;
1356: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1357: if (sock < 0) {
1358: error("socket: %.100s", strerror(errno));
1359: return NULL;
1360: }
1361: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1362: debug("bind port %d: %.100s", port, strerror(errno));
1363: shutdown(sock, SHUT_RDWR);
1364: close(sock);
1365: for (n = 0; n < num_socks; n++) {
1366: shutdown(socks[n], SHUT_RDWR);
1367: close(socks[n]);
1368: }
1369: num_socks = 0;
1370: break;
1371: }
1372: socks[num_socks++] = sock;
1373: if (num_socks == NUM_SOCKS)
1374: break;
1.25 markus 1375: }
1.35 markus 1376: if (num_socks > 0)
1377: break;
1.25 markus 1378: }
1379: if (display_number >= MAX_DISPLAYS) {
1380: error("Failed to allocate internet-domain X11 display socket.");
1381: return NULL;
1382: }
1383: /* Start listening for connections on the socket. */
1.35 markus 1384: for (n = 0; n < num_socks; n++) {
1385: sock = socks[n];
1386: if (listen(sock, 5) < 0) {
1387: error("listen: %.100s", strerror(errno));
1388: shutdown(sock, SHUT_RDWR);
1389: close(sock);
1390: return NULL;
1391: }
1.25 markus 1392: }
1.35 markus 1393:
1.25 markus 1394: /* Set up a suitable value for the DISPLAY variable. */
1395: if (gethostname(hostname, sizeof(hostname)) < 0)
1396: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 1397: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 1398: display_number, screen_number);
1399:
1.35 markus 1400: /* Allocate a channel for each socket. */
1401: for (n = 0; n < num_socks; n++) {
1402: sock = socks[n];
1403: (void) channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1404: xstrdup("X11 inet listener"));
1405: }
1.1 deraadt 1406:
1.25 markus 1407: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 1408: return xstrdup(display);
1.1 deraadt 1409: }
1410:
1411: #ifndef X_UNIX_PATH
1412: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1413: #endif
1414:
1415: static
1416: int
1.30 deraadt 1417: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1418: {
1.25 markus 1419: static const char *const x_sockets[] = {
1420: X_UNIX_PATH "%u",
1421: "/var/X/.X11-unix/X" "%u",
1422: "/usr/spool/sockets/X11/" "%u",
1423: NULL
1424: };
1425: int sock;
1426: struct sockaddr_un addr;
1427: const char *const * path;
1428:
1429: for (path = x_sockets; *path; ++path) {
1430: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1431: if (sock < 0)
1432: error("socket: %.100s", strerror(errno));
1433: memset(&addr, 0, sizeof(addr));
1434: addr.sun_family = AF_UNIX;
1435: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1436: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1437: return sock;
1438: close(sock);
1439: }
1440: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1441: return -1;
1.1 deraadt 1442: }
1443:
1444:
1.27 markus 1445: /*
1446: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1447: * the remote channel number. We should do whatever we want, and respond
1448: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1449: */
1.1 deraadt 1450:
1.25 markus 1451: void
1.41 markus 1452: x11_input_open(int type, int plen)
1.1 deraadt 1453: {
1.35 markus 1454: int remote_channel, display_number, sock = 0, newch;
1.25 markus 1455: const char *display;
1456: char buf[1024], *cp, *remote_host;
1.39 markus 1457: unsigned int remote_len;
1.35 markus 1458: struct addrinfo hints, *ai, *aitop;
1459: char strport[NI_MAXSERV];
1460: int gaierr;
1.25 markus 1461:
1462: /* Get remote channel number. */
1463: remote_channel = packet_get_int();
1464:
1465: /* Get remote originator name. */
1.29 markus 1466: if (have_hostname_in_open) {
1.25 markus 1467: remote_host = packet_get_string(&remote_len);
1.29 markus 1468: remote_len += 4;
1469: } else {
1.25 markus 1470: remote_host = xstrdup("unknown (remote did not supply name)");
1.29 markus 1471: remote_len = 0;
1472: }
1.25 markus 1473:
1474: debug("Received X11 open request.");
1.41 markus 1475: packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1476:
1477: /* Try to open a socket for the local X server. */
1478: display = getenv("DISPLAY");
1479: if (!display) {
1480: error("DISPLAY not set.");
1481: goto fail;
1482: }
1.27 markus 1483: /*
1484: * Now we decode the value of the DISPLAY variable and make a
1485: * connection to the real X server.
1486: */
1487:
1488: /*
1489: * Check if it is a unix domain socket. Unix domain displays are in
1490: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1491: */
1.25 markus 1492: if (strncmp(display, "unix:", 5) == 0 ||
1493: display[0] == ':') {
1494: /* Connect to the unix domain socket. */
1495: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1496: error("Could not parse display number from DISPLAY: %.100s",
1497: display);
1498: goto fail;
1499: }
1500: /* Create a socket. */
1501: sock = connect_local_xsocket(display_number);
1502: if (sock < 0)
1503: goto fail;
1504:
1505: /* OK, we now have a connection to the display. */
1506: goto success;
1507: }
1.27 markus 1508: /*
1509: * Connect to an inet socket. The DISPLAY value is supposedly
1510: * hostname:d[.s], where hostname may also be numeric IP address.
1511: */
1.25 markus 1512: strncpy(buf, display, sizeof(buf));
1513: buf[sizeof(buf) - 1] = 0;
1514: cp = strchr(buf, ':');
1515: if (!cp) {
1516: error("Could not find ':' in DISPLAY: %.100s", display);
1517: goto fail;
1518: }
1519: *cp = 0;
1.27 markus 1520: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1521: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1522: error("Could not parse display number from DISPLAY: %.100s",
1523: display);
1524: goto fail;
1525: }
1.35 markus 1526:
1527: /* Look up the host address */
1528: memset(&hints, 0, sizeof(hints));
1529: hints.ai_family = IPv4or6;
1530: hints.ai_socktype = SOCK_STREAM;
1531: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1532: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1533: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.25 markus 1534: goto fail;
1535: }
1.35 markus 1536: for (ai = aitop; ai; ai = ai->ai_next) {
1537: /* Create a socket. */
1538: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1539: if (sock < 0) {
1540: debug("socket: %.100s", strerror(errno));
1.41 markus 1541: continue;
1542: }
1543: /* Connect it to the display. */
1544: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1545: debug("connect %.100s port %d: %.100s", buf,
1546: 6000 + display_number, strerror(errno));
1547: close(sock);
1548: continue;
1549: }
1550: /* Success */
1551: break;
1.35 markus 1552: }
1553: freeaddrinfo(aitop);
1554: if (!ai) {
1555: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1556: strerror(errno));
1.25 markus 1557: goto fail;
1558: }
1559: success:
1560: /* We have successfully obtained a connection to the real X display. */
1561:
1562: /* Allocate a channel for this connection. */
1563: if (x11_saved_proto == NULL)
1564: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1565: else
1566: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1567: channels[newch].remote_id = remote_channel;
1568:
1569: /* Send a confirmation to the remote host. */
1570: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1571: packet_put_int(remote_channel);
1572: packet_put_int(newch);
1573: packet_send();
1574:
1575: return;
1576:
1577: fail:
1578: /* Send refusal to the remote host. */
1579: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1580: packet_put_int(remote_channel);
1581: packet_send();
1.1 deraadt 1582: }
1583:
1.27 markus 1584: /*
1585: * Requests forwarding of X11 connections, generates fake authentication
1586: * data, and enables authentication spoofing.
1587: */
1.1 deraadt 1588:
1.25 markus 1589: void
1590: x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1591: {
1.25 markus 1592: unsigned int data_len = (unsigned int) strlen(data) / 2;
1593: unsigned int i, value;
1594: char *new_data;
1595: int screen_number;
1596: const char *cp;
1597: u_int32_t rand = 0;
1598:
1599: cp = getenv("DISPLAY");
1600: if (cp)
1601: cp = strchr(cp, ':');
1602: if (cp)
1603: cp = strchr(cp, '.');
1604: if (cp)
1605: screen_number = atoi(cp + 1);
1606: else
1607: screen_number = 0;
1608:
1609: /* Save protocol name. */
1610: x11_saved_proto = xstrdup(proto);
1611:
1.27 markus 1612: /*
1613: * Extract real authentication data and generate fake data of the
1614: * same length.
1615: */
1.25 markus 1616: x11_saved_data = xmalloc(data_len);
1617: x11_fake_data = xmalloc(data_len);
1618: for (i = 0; i < data_len; i++) {
1619: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1620: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1621: if (i % 4 == 0)
1622: rand = arc4random();
1623: x11_saved_data[i] = value;
1624: x11_fake_data[i] = rand & 0xff;
1625: rand >>= 8;
1626: }
1627: x11_saved_data_len = data_len;
1628: x11_fake_data_len = data_len;
1629:
1630: /* Convert the fake data into hex. */
1631: new_data = xmalloc(2 * data_len + 1);
1632: for (i = 0; i < data_len; i++)
1633: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
1634:
1635: /* Send the request packet. */
1636: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1637: packet_put_string(proto, strlen(proto));
1638: packet_put_string(new_data, strlen(new_data));
1639: packet_put_int(screen_number);
1640: packet_send();
1641: packet_write_wait();
1642: xfree(new_data);
1.1 deraadt 1643: }
1644:
1645: /* Sends a message to the server to request authentication fd forwarding. */
1646:
1.25 markus 1647: void
1648: auth_request_forwarding()
1.1 deraadt 1649: {
1.25 markus 1650: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1651: packet_send();
1652: packet_write_wait();
1.1 deraadt 1653: }
1654:
1.27 markus 1655: /*
1656: * Returns the name of the forwarded authentication socket. Returns NULL if
1657: * there is no forwarded authentication socket. The returned value points to
1658: * a static buffer.
1659: */
1.1 deraadt 1660:
1.25 markus 1661: char *
1662: auth_get_socket_name()
1.1 deraadt 1663: {
1.25 markus 1664: return channel_forwarded_auth_socket_name;
1.1 deraadt 1665: }
1666:
1.12 markus 1667: /* removes the agent forwarding socket */
1668:
1.25 markus 1669: void
1670: cleanup_socket(void)
1671: {
1672: remove(channel_forwarded_auth_socket_name);
1673: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 1674: }
1675:
1.27 markus 1676: /*
1677: * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1678: * This starts forwarding authentication requests.
1679: */
1.1 deraadt 1680:
1.25 markus 1681: void
1682: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 1683: {
1.25 markus 1684: int sock, newch;
1685: struct sockaddr_un sunaddr;
1686:
1687: if (auth_get_socket_name() != NULL)
1688: fatal("Protocol error: authentication forwarding requested twice.");
1689:
1690: /* Temporarily drop privileged uid for mkdir/bind. */
1691: temporarily_use_uid(pw->pw_uid);
1692:
1693: /* Allocate a buffer for the socket name, and format the name. */
1694: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
1695: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
1696: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
1697:
1698: /* Create private directory for socket */
1699: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
1700: packet_disconnect("mkdtemp: %.100s", strerror(errno));
1701: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
1702: channel_forwarded_auth_socket_dir, (int) getpid());
1703:
1704: if (atexit(cleanup_socket) < 0) {
1705: int saved = errno;
1706: cleanup_socket();
1707: packet_disconnect("socket: %.100s", strerror(saved));
1708: }
1709: /* Create the socket. */
1710: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1711: if (sock < 0)
1712: packet_disconnect("socket: %.100s", strerror(errno));
1713:
1714: /* Bind it to the name. */
1715: memset(&sunaddr, 0, sizeof(sunaddr));
1716: sunaddr.sun_family = AF_UNIX;
1717: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1718: sizeof(sunaddr.sun_path));
1719:
1720: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
1721: packet_disconnect("bind: %.100s", strerror(errno));
1722:
1723: /* Restore the privileged uid. */
1724: restore_uid();
1725:
1726: /* Start listening on the socket. */
1727: if (listen(sock, 5) < 0)
1728: packet_disconnect("listen: %.100s", strerror(errno));
1729:
1730: /* Allocate a channel for the authentication agent socket. */
1731: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1732: xstrdup("auth socket"));
1.32 deraadt 1733: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
1734: sizeof(channels[newch].path));
1.1 deraadt 1735: }
1736:
1737: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1738:
1.25 markus 1739: void
1.41 markus 1740: auth_input_open_request(int type, int plen)
1.1 deraadt 1741: {
1.25 markus 1742: int remch, sock, newch;
1743: char *dummyname;
1.41 markus 1744:
1745: packet_integrity_check(plen, 4, type);
1.25 markus 1746:
1747: /* Read the remote channel number from the message. */
1748: remch = packet_get_int();
1749:
1.27 markus 1750: /*
1751: * Get a connection to the local authentication agent (this may again
1752: * get forwarded).
1753: */
1.25 markus 1754: sock = ssh_get_authentication_socket();
1755:
1.27 markus 1756: /*
1757: * If we could not connect the agent, send an error message back to
1758: * the server. This should never happen unless the agent dies,
1759: * because authentication forwarding is only enabled if we have an
1760: * agent.
1761: */
1.25 markus 1762: if (sock < 0) {
1763: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1764: packet_put_int(remch);
1765: packet_send();
1766: return;
1767: }
1768: debug("Forwarding authentication connection.");
1.1 deraadt 1769:
1.27 markus 1770: /*
1771: * Dummy host name. This will be freed when the channel is freed; it
1772: * will still be valid in the packet_put_string below since the
1773: * channel cannot yet be freed at that point.
1774: */
1.25 markus 1775: dummyname = xstrdup("authentication agent connection");
1776:
1777: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
1778: channels[newch].remote_id = remch;
1779:
1780: /* Send a confirmation to the remote host. */
1781: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1782: packet_put_int(remch);
1783: packet_put_int(newch);
1784: packet_send();
1.1 deraadt 1785: }