Annotation of src/usr.bin/ssh/channels.c, Revision 1.59
1.1 deraadt 1: /*
1.49 markus 2: *
1.26 deraadt 3: * channels.c
1.49 markus 4: *
1.26 deraadt 5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
1.49 markus 6: *
1.26 deraadt 7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
1.49 markus 9: *
1.26 deraadt 10: * Created: Fri Mar 24 16:35:24 1995 ylo
1.49 markus 11: *
1.26 deraadt 12: * This file contains functions for generic socket connection forwarding.
13: * There is also code for initiating connection forwarding for X11 connections,
14: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.26 deraadt 17: */
1.1 deraadt 18:
19: #include "includes.h"
1.59 ! markus 20: RCSID("$Id: channels.c,v 1.58 2000/05/17 08:20:15 markus Exp $");
1.1 deraadt 21:
22: #include "ssh.h"
23: #include "packet.h"
24: #include "xmalloc.h"
25: #include "buffer.h"
26: #include "authfd.h"
27: #include "uidswap.h"
1.20 markus 28: #include "readconf.h"
1.3 deraadt 29: #include "servconf.h"
1.1 deraadt 30:
1.14 markus 31: #include "channels.h"
32: #include "nchan.h"
33: #include "compat.h"
34:
1.44 markus 35: #include "ssh2.h"
36:
1.1 deraadt 37: /* Maximum number of fake X11 displays to try. */
38: #define MAX_DISPLAYS 1000
39:
1.12 markus 40: /* Max len of agent socket */
41: #define MAX_SOCKET_NAME 100
42:
1.51 markus 43: /* default window/packet sizes for tcp/x11-fwd-channel */
44: #define CHAN_TCP_WINDOW_DEFAULT (8*1024)
45: #define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2)
46: #define CHAN_X11_WINDOW_DEFAULT (4*1024)
47: #define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2)
1.41 markus 48:
1.27 markus 49: /*
50: * Pointer to an array containing all allocated channels. The array is
51: * dynamically extended as needed.
52: */
1.1 deraadt 53: static Channel *channels = NULL;
54:
1.27 markus 55: /*
56: * Size of the channel array. All slots of the array must always be
57: * initialized (at least the type field); unused slots are marked with type
58: * SSH_CHANNEL_FREE.
59: */
1.1 deraadt 60: static int channels_alloc = 0;
61:
1.27 markus 62: /*
63: * Maximum file descriptor value used in any of the channels. This is
64: * updated in channel_allocate.
65: */
1.1 deraadt 66: static int channel_max_fd_value = 0;
67:
1.12 markus 68: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 69: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 70: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 71:
72: /* Saved X11 authentication protocol name. */
73: char *x11_saved_proto = NULL;
74:
75: /* Saved X11 authentication data. This is the real data. */
76: char *x11_saved_data = NULL;
77: unsigned int x11_saved_data_len = 0;
78:
1.27 markus 79: /*
80: * Fake X11 authentication data. This is what the server will be sending us;
81: * we should replace any occurrences of this by the real data.
82: */
1.1 deraadt 83: char *x11_fake_data = NULL;
84: unsigned int x11_fake_data_len;
85:
1.27 markus 86: /*
87: * Data structure for storing which hosts are permitted for forward requests.
88: * The local sides of any remote forwards are stored in this array to prevent
89: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
90: * network (which might be behind a firewall).
91: */
1.25 markus 92: typedef struct {
1.41 markus 93: char *host_to_connect; /* Connect to 'host'. */
94: u_short port_to_connect; /* Connect to 'port'. */
95: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 96: } ForwardPermission;
97:
98: /* List of all permitted host/port pairs to connect. */
99: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
100: /* Number of permitted host/port pairs in the array. */
101: static int num_permitted_opens = 0;
1.27 markus 102: /*
103: * If this is true, all opens are permitted. This is the case on the server
104: * on which we have to trust the client anyway, and the user could do
105: * anything after logging in anyway.
106: */
1.1 deraadt 107: static int all_opens_permitted = 0;
108:
109: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
110: static int have_hostname_in_open = 0;
111:
112: /* Sets specific protocol options. */
113:
1.49 markus 114: void
1.25 markus 115: channel_set_options(int hostname_in_open)
1.1 deraadt 116: {
1.25 markus 117: have_hostname_in_open = hostname_in_open;
1.1 deraadt 118: }
119:
1.27 markus 120: /*
121: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
122: * called by the server, because the user could connect to any port anyway,
123: * and the server has no way to know but to trust the client anyway.
124: */
1.1 deraadt 125:
1.49 markus 126: void
1.25 markus 127: channel_permit_all_opens()
1.1 deraadt 128: {
1.25 markus 129: all_opens_permitted = 1;
1.1 deraadt 130: }
131:
1.41 markus 132: /* lookup channel by id */
133:
134: Channel *
135: channel_lookup(int id)
136: {
137: Channel *c;
138: if (id < 0 && id > channels_alloc) {
139: log("channel_lookup: %d: bad id", id);
140: return NULL;
141: }
142: c = &channels[id];
143: if (c->type == SSH_CHANNEL_FREE) {
144: log("channel_lookup: %d: bad id: channel free", id);
145: return NULL;
146: }
147: return c;
1.55 markus 148: }
149:
1.27 markus 150: /*
1.55 markus 151: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 152: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 153: */
1.1 deraadt 154:
1.52 markus 155: void
156: channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
1.1 deraadt 157: {
1.25 markus 158: /* Update the maximum file descriptor value. */
1.41 markus 159: if (rfd > channel_max_fd_value)
160: channel_max_fd_value = rfd;
161: if (wfd > channel_max_fd_value)
162: channel_max_fd_value = wfd;
163: if (efd > channel_max_fd_value)
164: channel_max_fd_value = efd;
1.27 markus 165: /* XXX set close-on-exec -markus */
1.55 markus 166:
1.52 markus 167: c->rfd = rfd;
168: c->wfd = wfd;
169: c->sock = (rfd == wfd) ? rfd : -1;
170: c->efd = efd;
171: c->extended_usage = extusage;
1.55 markus 172: if (rfd != -1)
173: set_nonblock(rfd);
174: if (wfd != -1)
175: set_nonblock(wfd);
176: if (efd != -1)
177: set_nonblock(efd);
1.52 markus 178: }
179:
180: /*
181: * Allocate a new channel object and set its type and socket. This will cause
182: * remote_name to be freed.
183: */
184:
185: int
186: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
187: int window, int maxpack, int extusage, char *remote_name)
188: {
189: int i, found;
190: Channel *c;
1.25 markus 191:
192: /* Do initial allocation if this is the first call. */
193: if (channels_alloc == 0) {
1.44 markus 194: chan_init();
1.25 markus 195: channels_alloc = 10;
196: channels = xmalloc(channels_alloc * sizeof(Channel));
197: for (i = 0; i < channels_alloc; i++)
198: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 199: /*
200: * Kludge: arrange a call to channel_stop_listening if we
201: * terminate with fatal().
202: */
1.25 markus 203: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
204: }
205: /* Try to find a free slot where to put the new channel. */
206: for (found = -1, i = 0; i < channels_alloc; i++)
207: if (channels[i].type == SSH_CHANNEL_FREE) {
208: /* Found a free slot. */
209: found = i;
210: break;
211: }
212: if (found == -1) {
1.27 markus 213: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 214: found = channels_alloc;
215: channels_alloc += 10;
216: debug("channel: expanding %d", channels_alloc);
217: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
218: for (i = found; i < channels_alloc; i++)
219: channels[i].type = SSH_CHANNEL_FREE;
220: }
221: /* Initialize and return new channel number. */
222: c = &channels[found];
223: buffer_init(&c->input);
224: buffer_init(&c->output);
1.41 markus 225: buffer_init(&c->extended);
1.25 markus 226: chan_init_iostates(c);
1.52 markus 227: channel_register_fds(c, rfd, wfd, efd, extusage);
1.25 markus 228: c->self = found;
229: c->type = type;
1.41 markus 230: c->ctype = ctype;
1.51 markus 231: c->local_window = window;
232: c->local_window_max = window;
233: c->local_consumed = 0;
234: c->local_maxpacket = maxpack;
1.25 markus 235: c->remote_id = -1;
236: c->remote_name = remote_name;
1.41 markus 237: c->remote_window = 0;
238: c->remote_maxpacket = 0;
239: c->cb_fn = NULL;
240: c->cb_arg = NULL;
241: c->cb_event = 0;
242: c->dettach_user = NULL;
1.25 markus 243: debug("channel %d: new [%s]", found, remote_name);
244: return found;
1.1 deraadt 245: }
1.52 markus 246: /* old interface XXX */
1.49 markus 247: int
1.41 markus 248: channel_allocate(int type, int sock, char *remote_name)
249: {
250: return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
251: }
1.1 deraadt 252:
1.52 markus 253:
254: /* Close all channel fd/socket. */
255:
256: void
257: channel_close_fds(Channel *c)
258: {
259: if (c->sock != -1) {
260: close(c->sock);
261: c->sock = -1;
262: }
263: if (c->rfd != -1) {
264: close(c->rfd);
265: c->rfd = -1;
266: }
267: if (c->wfd != -1) {
268: close(c->wfd);
269: c->wfd = -1;
270: }
271: if (c->efd != -1) {
272: close(c->efd);
273: c->efd = -1;
274: }
275: }
276:
277: /* Free the channel and close its fd/socket. */
1.1 deraadt 278:
1.49 markus 279: void
1.41 markus 280: channel_free(int id)
1.1 deraadt 281: {
1.41 markus 282: Channel *c = channel_lookup(id);
283: if (c == NULL)
284: packet_disconnect("channel free: bad local channel %d", id);
285: debug("channel_free: channel %d: status: %s", id, channel_open_message());
1.44 markus 286: if (c->dettach_user != NULL) {
287: debug("channel_free: channel %d: dettaching channel user", id);
288: c->dettach_user(c->self, NULL);
289: }
1.54 markus 290: if (c->sock != -1)
291: shutdown(c->sock, SHUT_RDWR);
1.52 markus 292: channel_close_fds(c);
1.41 markus 293: buffer_free(&c->input);
294: buffer_free(&c->output);
295: buffer_free(&c->extended);
296: c->type = SSH_CHANNEL_FREE;
297: if (c->remote_name) {
298: xfree(c->remote_name);
299: c->remote_name = NULL;
1.25 markus 300: }
1.1 deraadt 301: }
302:
1.27 markus 303: /*
1.41 markus 304: * 'channel_pre*' are called just before select() to add any bits relevant to
305: * channels in the select bitmasks.
306: */
307: /*
308: * 'channel_post*': perform any appropriate operations for channels which
309: * have events pending.
1.27 markus 310: */
1.41 markus 311: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
312: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
313: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
314:
315: void
316: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
317: {
318: FD_SET(c->sock, readset);
319: }
320:
321: void
322: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
323: {
324: if (buffer_len(&c->input) < packet_get_maxsize())
325: FD_SET(c->sock, readset);
326: if (buffer_len(&c->output) > 0)
327: FD_SET(c->sock, writeset);
328: }
1.1 deraadt 329:
1.41 markus 330: void
331: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
332: {
333: /* test whether sockets are 'alive' for read/write */
334: if (c->istate == CHAN_INPUT_OPEN)
335: if (buffer_len(&c->input) < packet_get_maxsize())
336: FD_SET(c->sock, readset);
337: if (c->ostate == CHAN_OUTPUT_OPEN ||
338: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
339: if (buffer_len(&c->output) > 0) {
340: FD_SET(c->sock, writeset);
341: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
342: chan_obuf_empty(c);
343: }
344: }
345: }
346:
347: void
1.44 markus 348: channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
349: {
350: if (c->istate == CHAN_INPUT_OPEN &&
351: c->remote_window > 0 &&
352: buffer_len(&c->input) < c->remote_window)
353: FD_SET(c->rfd, readset);
354: if (c->ostate == CHAN_OUTPUT_OPEN ||
355: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
356: if (buffer_len(&c->output) > 0) {
357: FD_SET(c->wfd, writeset);
358: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
359: chan_obuf_empty(c);
360: }
361: }
362: /** XXX check close conditions, too */
363: if (c->efd != -1) {
364: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
365: buffer_len(&c->extended) > 0)
366: FD_SET(c->efd, writeset);
367: else if (c->extended_usage == CHAN_EXTENDED_READ &&
368: buffer_len(&c->extended) < c->remote_window)
369: FD_SET(c->efd, readset);
370: }
371: }
372:
373: void
1.41 markus 374: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
375: {
376: if (buffer_len(&c->input) == 0) {
377: packet_start(SSH_MSG_CHANNEL_CLOSE);
378: packet_put_int(c->remote_id);
379: packet_send();
380: c->type = SSH_CHANNEL_CLOSED;
381: debug("Closing channel %d after input drain.", c->self);
382: }
383: }
384:
385: void
386: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
387: {
388: if (buffer_len(&c->output) == 0)
389: channel_free(c->self);
1.49 markus 390: else
1.41 markus 391: FD_SET(c->sock, writeset);
392: }
393:
394: /*
395: * This is a special state for X11 authentication spoofing. An opened X11
396: * connection (when authentication spoofing is being done) remains in this
397: * state until the first packet has been completely read. The authentication
398: * data in that packet is then substituted by the real data if it matches the
399: * fake data, and the channel is put into normal mode.
1.51 markus 400: * XXX All this happens at the client side.
1.41 markus 401: */
402: int
403: x11_open_helper(Channel *c)
1.1 deraadt 404: {
1.25 markus 405: unsigned char *ucp;
406: unsigned int proto_len, data_len;
407:
1.41 markus 408: /* Check if the fixed size part of the packet is in buffer. */
409: if (buffer_len(&c->output) < 12)
410: return 0;
411:
412: /* Parse the lengths of variable-length fields. */
413: ucp = (unsigned char *) buffer_ptr(&c->output);
414: if (ucp[0] == 0x42) { /* Byte order MSB first. */
415: proto_len = 256 * ucp[6] + ucp[7];
416: data_len = 256 * ucp[8] + ucp[9];
417: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
418: proto_len = ucp[6] + 256 * ucp[7];
419: data_len = ucp[8] + 256 * ucp[9];
420: } else {
421: debug("Initial X11 packet contains bad byte order byte: 0x%x",
422: ucp[0]);
423: return -1;
424: }
425:
426: /* Check if the whole packet is in buffer. */
427: if (buffer_len(&c->output) <
428: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
429: return 0;
430:
431: /* Check if authentication protocol matches. */
432: if (proto_len != strlen(x11_saved_proto) ||
433: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
434: debug("X11 connection uses different authentication protocol.");
435: return -1;
436: }
437: /* Check if authentication data matches our fake data. */
438: if (data_len != x11_fake_data_len ||
439: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
440: x11_fake_data, x11_fake_data_len) != 0) {
441: debug("X11 auth data does not match fake data.");
442: return -1;
443: }
444: /* Check fake data length */
445: if (x11_fake_data_len != x11_saved_data_len) {
446: error("X11 fake_data_len %d != saved_data_len %d",
447: x11_fake_data_len, x11_saved_data_len);
448: return -1;
449: }
450: /*
451: * Received authentication protocol and data match
452: * our fake data. Substitute the fake data with real
453: * data.
454: */
455: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
456: x11_saved_data, x11_saved_data_len);
457: return 1;
458: }
459:
460: void
461: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
462: {
463: int ret = x11_open_helper(c);
464: if (ret == 1) {
465: /* Start normal processing for the channel. */
466: c->type = SSH_CHANNEL_OPEN;
1.47 markus 467: channel_pre_open_13(c, readset, writeset);
1.41 markus 468: } else if (ret == -1) {
469: /*
470: * We have received an X11 connection that has bad
471: * authentication information.
472: */
473: log("X11 connection rejected because of wrong authentication.\r\n");
474: buffer_clear(&c->input);
475: buffer_clear(&c->output);
476: close(c->sock);
477: c->sock = -1;
478: c->type = SSH_CHANNEL_CLOSED;
479: packet_start(SSH_MSG_CHANNEL_CLOSE);
480: packet_put_int(c->remote_id);
481: packet_send();
482: }
483: }
1.25 markus 484:
1.41 markus 485: void
1.51 markus 486: channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
1.41 markus 487: {
488: int ret = x11_open_helper(c);
489: if (ret == 1) {
490: c->type = SSH_CHANNEL_OPEN;
1.57 markus 491: if (compat20)
492: channel_pre_open_20(c, readset, writeset);
493: else
494: channel_pre_open_15(c, readset, writeset);
1.41 markus 495: } else if (ret == -1) {
496: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
1.51 markus 497: chan_read_failed(c); /** force close? */
1.41 markus 498: chan_write_failed(c);
499: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
500: }
501: }
1.25 markus 502:
1.41 markus 503: /* This is our fake X11 server socket. */
504: void
505: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
506: {
507: struct sockaddr addr;
508: int newsock, newch;
509: socklen_t addrlen;
510: char buf[16384], *remote_hostname;
1.51 markus 511: int remote_port;
1.25 markus 512:
1.41 markus 513: if (FD_ISSET(c->sock, readset)) {
514: debug("X11 connection requested.");
515: addrlen = sizeof(addr);
516: newsock = accept(c->sock, &addr, &addrlen);
517: if (newsock < 0) {
518: error("accept: %.100s", strerror(errno));
519: return;
520: }
521: remote_hostname = get_remote_hostname(newsock);
1.51 markus 522: remote_port = get_peer_port(newsock);
1.41 markus 523: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.51 markus 524: remote_hostname, remote_port);
525:
526: newch = channel_new("x11",
527: SSH_CHANNEL_OPENING, newsock, newsock, -1,
528: c->local_window_max, c->local_maxpacket,
529: 0, xstrdup(buf));
530: if (compat20) {
531: packet_start(SSH2_MSG_CHANNEL_OPEN);
532: packet_put_cstring("x11");
533: packet_put_int(newch);
534: packet_put_int(c->local_window_max);
535: packet_put_int(c->local_maxpacket);
536: /* originator host and port */
537: packet_put_cstring(remote_hostname);
1.57 markus 538: if (datafellows & SSH_BUG_X11FWD) {
539: debug("ssh2 x11 bug compat mode");
540: } else {
541: packet_put_int(remote_port);
542: }
1.51 markus 543: packet_send();
544: } else {
545: packet_start(SSH_SMSG_X11_OPEN);
546: packet_put_int(newch);
547: if (have_hostname_in_open)
548: packet_put_string(buf, strlen(buf));
549: packet_send();
550: }
1.41 markus 551: xfree(remote_hostname);
552: }
553: }
1.25 markus 554:
1.41 markus 555: /*
556: * This socket is listening for connections to a forwarded TCP/IP port.
557: */
558: void
559: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
560: {
561: struct sockaddr addr;
562: int newsock, newch;
563: socklen_t addrlen;
564: char buf[1024], *remote_hostname;
565: int remote_port;
1.25 markus 566:
1.41 markus 567: if (FD_ISSET(c->sock, readset)) {
568: debug("Connection to port %d forwarding "
569: "to %.100s port %d requested.",
570: c->listening_port, c->path, c->host_port);
571: addrlen = sizeof(addr);
572: newsock = accept(c->sock, &addr, &addrlen);
573: if (newsock < 0) {
574: error("accept: %.100s", strerror(errno));
575: return;
576: }
577: remote_hostname = get_remote_hostname(newsock);
578: remote_port = get_peer_port(newsock);
579: snprintf(buf, sizeof buf,
580: "listen port %d for %.100s port %d, "
581: "connect from %.200s port %d",
582: c->listening_port, c->path, c->host_port,
583: remote_hostname, remote_port);
584: newch = channel_new("direct-tcpip",
585: SSH_CHANNEL_OPENING, newsock, newsock, -1,
586: c->local_window_max, c->local_maxpacket,
587: 0, xstrdup(buf));
1.44 markus 588: if (compat20) {
589: packet_start(SSH2_MSG_CHANNEL_OPEN);
590: packet_put_cstring("direct-tcpip");
591: packet_put_int(newch);
592: packet_put_int(c->local_window_max);
593: packet_put_int(c->local_maxpacket);
1.48 markus 594: /* target host and port */
1.44 markus 595: packet_put_string(c->path, strlen(c->path));
596: packet_put_int(c->host_port);
1.48 markus 597: /* originator host and port */
1.44 markus 598: packet_put_cstring(remote_hostname);
599: packet_put_int(remote_port);
600: packet_send();
601: } else {
602: packet_start(SSH_MSG_PORT_OPEN);
603: packet_put_int(newch);
604: packet_put_string(c->path, strlen(c->path));
605: packet_put_int(c->host_port);
606: if (have_hostname_in_open) {
607: packet_put_string(buf, strlen(buf));
608: }
609: packet_send();
1.41 markus 610: }
611: xfree(remote_hostname);
612: }
613: }
1.25 markus 614:
1.41 markus 615: /*
616: * This is the authentication agent socket listening for connections from
617: * clients.
618: */
619: void
620: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
621: {
622: struct sockaddr addr;
623: int newsock, newch;
624: socklen_t addrlen;
1.25 markus 625:
1.41 markus 626: if (FD_ISSET(c->sock, readset)) {
627: addrlen = sizeof(addr);
628: newsock = accept(c->sock, &addr, &addrlen);
629: if (newsock < 0) {
630: error("accept from auth socket: %.100s", strerror(errno));
631: return;
632: }
633: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
634: xstrdup("accepted auth socket"));
635: packet_start(SSH_SMSG_AGENT_OPEN);
636: packet_put_int(newch);
637: packet_send();
638: }
639: }
1.25 markus 640:
1.41 markus 641: int
642: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
643: {
644: char buf[16*1024];
645: int len;
1.25 markus 646:
1.41 markus 647: if (c->rfd != -1 &&
648: FD_ISSET(c->rfd, readset)) {
649: len = read(c->rfd, buf, sizeof(buf));
1.53 markus 650: if (len < 0 && (errno == EINTR || errno == EAGAIN))
651: return 1;
1.41 markus 652: if (len <= 0) {
1.51 markus 653: debug("channel %d: read<=0 rfd %d len %d",
1.41 markus 654: c->self, c->rfd, len);
1.25 markus 655: if (compat13) {
1.41 markus 656: buffer_consume(&c->output, buffer_len(&c->output));
657: c->type = SSH_CHANNEL_INPUT_DRAINING;
658: debug("Channel %d status set to input draining.", c->self);
1.25 markus 659: } else {
1.41 markus 660: chan_read_failed(c);
1.25 markus 661: }
1.41 markus 662: return -1;
663: }
664: buffer_append(&c->input, buf, len);
665: }
666: return 1;
667: }
668: int
669: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
670: {
671: int len;
1.25 markus 672:
1.41 markus 673: /* Send buffered output data to the socket. */
674: if (c->wfd != -1 &&
675: FD_ISSET(c->wfd, writeset) &&
676: buffer_len(&c->output) > 0) {
677: len = write(c->wfd, buffer_ptr(&c->output),
1.53 markus 678: buffer_len(&c->output));
679: if (len < 0 && (errno == EINTR || errno == EAGAIN))
680: return 1;
1.41 markus 681: if (len <= 0) {
682: if (compat13) {
683: buffer_consume(&c->output, buffer_len(&c->output));
684: debug("Channel %d status set to input draining.", c->self);
685: c->type = SSH_CHANNEL_INPUT_DRAINING;
686: } else {
687: chan_write_failed(c);
688: }
689: return -1;
1.25 markus 690: }
1.41 markus 691: buffer_consume(&c->output, len);
1.44 markus 692: if (compat20 && len > 0) {
693: c->local_consumed += len;
694: }
695: }
696: return 1;
697: }
698: int
699: channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
700: {
701: char buf[16*1024];
702: int len;
703:
1.45 markus 704: /** XXX handle drain efd, too */
1.44 markus 705: if (c->efd != -1) {
706: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
707: FD_ISSET(c->efd, writeset) &&
708: buffer_len(&c->extended) > 0) {
709: len = write(c->efd, buffer_ptr(&c->extended),
710: buffer_len(&c->extended));
711: debug("channel %d: written %d to efd %d",
712: c->self, len, c->efd);
713: if (len > 0) {
714: buffer_consume(&c->extended, len);
715: c->local_consumed += len;
716: }
717: } else if (c->extended_usage == CHAN_EXTENDED_READ &&
718: FD_ISSET(c->efd, readset)) {
719: len = read(c->efd, buf, sizeof(buf));
720: debug("channel %d: read %d from efd %d",
721: c->self, len, c->efd);
1.45 markus 722: if (len == 0) {
723: debug("channel %d: closing efd %d",
724: c->self, c->efd);
725: close(c->efd);
726: c->efd = -1;
727: } else if (len > 0)
1.44 markus 728: buffer_append(&c->extended, buf, len);
729: }
730: }
731: return 1;
732: }
733: int
734: channel_check_window(Channel *c, fd_set * readset, fd_set * writeset)
735: {
1.46 markus 736: if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.44 markus 737: c->local_window < c->local_window_max/2 &&
738: c->local_consumed > 0) {
739: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
740: packet_put_int(c->remote_id);
741: packet_put_int(c->local_consumed);
742: packet_send();
743: debug("channel %d: window %d sent adjust %d",
744: c->self, c->local_window,
745: c->local_consumed);
746: c->local_window += c->local_consumed;
747: c->local_consumed = 0;
1.1 deraadt 748: }
1.41 markus 749: return 1;
1.1 deraadt 750: }
751:
1.41 markus 752: void
753: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
754: {
755: channel_handle_rfd(c, readset, writeset);
756: channel_handle_wfd(c, readset, writeset);
757: }
1.1 deraadt 758:
1.41 markus 759: void
1.44 markus 760: channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
761: {
762: channel_handle_rfd(c, readset, writeset);
763: channel_handle_wfd(c, readset, writeset);
764: channel_handle_efd(c, readset, writeset);
765: channel_check_window(c, readset, writeset);
766: }
767:
768: void
1.41 markus 769: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 770: {
1.41 markus 771: int len;
772: /* Send buffered output data to the socket. */
773: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
774: len = write(c->sock, buffer_ptr(&c->output),
775: buffer_len(&c->output));
776: if (len <= 0)
777: buffer_consume(&c->output, buffer_len(&c->output));
778: else
779: buffer_consume(&c->output, len);
780: }
781: }
1.25 markus 782:
1.41 markus 783: void
1.44 markus 784: channel_handler_init_20(void)
785: {
786: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
1.51 markus 787: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.44 markus 788: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1.51 markus 789: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1.44 markus 790:
791: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
792: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1.51 markus 793: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1.44 markus 794: }
795:
796: void
1.41 markus 797: channel_handler_init_13(void)
798: {
799: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
800: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
801: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
802: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
803: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
804: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
805: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.25 markus 806:
1.41 markus 807: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
808: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
809: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
810: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
811: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
812: }
1.25 markus 813:
1.41 markus 814: void
815: channel_handler_init_15(void)
816: {
817: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
1.51 markus 818: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.41 markus 819: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
820: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
821: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.25 markus 822:
1.41 markus 823: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
824: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
825: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
826: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
827: }
1.27 markus 828:
1.41 markus 829: void
830: channel_handler_init(void)
831: {
832: int i;
833: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
834: channel_pre[i] = NULL;
835: channel_post[i] = NULL;
836: }
1.44 markus 837: if (compat20)
838: channel_handler_init_20();
839: else if (compat13)
1.41 markus 840: channel_handler_init_13();
841: else
842: channel_handler_init_15();
843: }
1.25 markus 844:
1.49 markus 845: void
1.41 markus 846: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
847: {
848: static int did_init = 0;
849: int i;
850: Channel *c;
1.25 markus 851:
1.41 markus 852: if (!did_init) {
853: channel_handler_init();
854: did_init = 1;
855: }
856: for (i = 0; i < channels_alloc; i++) {
857: c = &channels[i];
858: if (c->type == SSH_CHANNEL_FREE)
859: continue;
860: if (ftab[c->type] == NULL)
1.25 markus 861: continue;
1.41 markus 862: (*ftab[c->type])(c, readset, writeset);
1.44 markus 863: chan_delete_if_full_closed(c);
1.1 deraadt 864: }
865: }
866:
1.49 markus 867: void
1.41 markus 868: channel_prepare_select(fd_set * readset, fd_set * writeset)
869: {
870: channel_handler(channel_pre, readset, writeset);
871: }
872:
1.49 markus 873: void
1.41 markus 874: channel_after_select(fd_set * readset, fd_set * writeset)
875: {
876: channel_handler(channel_post, readset, writeset);
877: }
878:
1.1 deraadt 879: /* If there is data to send to the connection, send some of it now. */
880:
1.49 markus 881: void
1.25 markus 882: channel_output_poll()
1.1 deraadt 883: {
1.25 markus 884: int len, i;
1.41 markus 885: Channel *c;
1.1 deraadt 886:
1.25 markus 887: for (i = 0; i < channels_alloc; i++) {
1.41 markus 888: c = &channels[i];
1.37 markus 889:
1.27 markus 890: /* We are only interested in channels that can have buffered incoming data. */
1.37 markus 891: if (compat13) {
1.41 markus 892: if (c->type != SSH_CHANNEL_OPEN &&
893: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 894: continue;
895: } else {
1.41 markus 896: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 897: continue;
1.41 markus 898: if (c->istate != CHAN_INPUT_OPEN &&
899: c->istate != CHAN_INPUT_WAIT_DRAIN)
1.37 markus 900: continue;
901: }
1.46 markus 902: if (compat20 &&
903: (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.44 markus 904: debug("channel: %d: no data after CLOSE", c->self);
905: continue;
906: }
1.25 markus 907:
908: /* Get the amount of buffered data for this channel. */
1.41 markus 909: len = buffer_len(&c->input);
1.25 markus 910: if (len > 0) {
1.27 markus 911: /* Send some data for the other side over the secure connection. */
1.44 markus 912: if (compat20) {
913: if (len > c->remote_window)
914: len = c->remote_window;
915: if (len > c->remote_maxpacket)
916: len = c->remote_maxpacket;
1.25 markus 917: } else {
1.44 markus 918: if (packet_is_interactive()) {
919: if (len > 1024)
920: len = 512;
921: } else {
922: /* Keep the packets at reasonable size. */
923: if (len > packet_get_maxsize()/2)
924: len = packet_get_maxsize()/2;
925: }
1.25 markus 926: }
1.41 markus 927: if (len > 0) {
1.44 markus 928: packet_start(compat20 ?
929: SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
1.41 markus 930: packet_put_int(c->remote_id);
931: packet_put_string(buffer_ptr(&c->input), len);
932: packet_send();
933: buffer_consume(&c->input, len);
934: c->remote_window -= len;
1.44 markus 935: debug("channel %d: send data len %d", c->self, len);
1.41 markus 936: }
937: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 938: if (compat13)
939: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 940: /*
941: * input-buffer is empty and read-socket shutdown:
942: * tell peer, that we will not send more data: send IEOF
943: */
1.41 markus 944: chan_ibuf_empty(c);
1.25 markus 945: }
1.44 markus 946: /* Send extended data, i.e. stderr */
947: if (compat20 &&
948: c->remote_window > 0 &&
949: (len = buffer_len(&c->extended)) > 0 &&
950: c->extended_usage == CHAN_EXTENDED_READ) {
951: if (len > c->remote_window)
952: len = c->remote_window;
953: if (len > c->remote_maxpacket)
954: len = c->remote_maxpacket;
955: packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
956: packet_put_int(c->remote_id);
957: packet_put_int(SSH2_EXTENDED_DATA_STDERR);
958: packet_put_string(buffer_ptr(&c->extended), len);
959: packet_send();
960: buffer_consume(&c->extended, len);
961: c->remote_window -= len;
962: }
1.25 markus 963: }
1.1 deraadt 964: }
965:
1.27 markus 966: /*
967: * This is called when a packet of type CHANNEL_DATA has just been received.
968: * The message type has already been consumed, but channel number and data is
969: * still there.
970: */
1.1 deraadt 971:
1.49 markus 972: void
1.41 markus 973: channel_input_data(int type, int plen)
1.1 deraadt 974: {
1.37 markus 975: int id;
1.25 markus 976: char *data;
977: unsigned int data_len;
1.41 markus 978: Channel *c;
1.25 markus 979:
980: /* Get the channel number and verify it. */
1.37 markus 981: id = packet_get_int();
1.41 markus 982: c = channel_lookup(id);
983: if (c == NULL)
1.37 markus 984: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 985:
986: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 987: if (c->type != SSH_CHANNEL_OPEN &&
988: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 989: return;
990:
991: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 992: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 993: return;
994:
995: /* Get the data. */
996: data = packet_get_string(&data_len);
1.48 markus 997: packet_done();
1.41 markus 998:
1.44 markus 999: if (compat20){
1000: if (data_len > c->local_maxpacket) {
1001: log("channel %d: rcvd big packet %d, maxpack %d",
1002: c->self, data_len, c->local_maxpacket);
1003: }
1004: if (data_len > c->local_window) {
1005: log("channel %d: rcvd too much data %d, win %d",
1006: c->self, data_len, c->local_window);
1007: xfree(data);
1008: return;
1009: }
1010: c->local_window -= data_len;
1011: }else{
1012: packet_integrity_check(plen, 4 + 4 + data_len, type);
1013: }
1.41 markus 1014: buffer_append(&c->output, data, data_len);
1.25 markus 1015: xfree(data);
1.1 deraadt 1016: }
1.49 markus 1017: void
1.44 markus 1018: channel_input_extended_data(int type, int plen)
1019: {
1020: int id;
1021: int tcode;
1022: char *data;
1023: unsigned int data_len;
1024: Channel *c;
1025:
1026: /* Get the channel number and verify it. */
1027: id = packet_get_int();
1028: c = channel_lookup(id);
1029:
1030: if (c == NULL)
1031: packet_disconnect("Received extended_data for bad channel %d.", id);
1032: if (c->type != SSH_CHANNEL_OPEN) {
1033: log("channel %d: ext data for non open", id);
1034: return;
1035: }
1036: tcode = packet_get_int();
1037: if (c->efd == -1 ||
1038: c->extended_usage != CHAN_EXTENDED_WRITE ||
1039: tcode != SSH2_EXTENDED_DATA_STDERR) {
1040: log("channel %d: bad ext data", c->self);
1041: return;
1042: }
1043: data = packet_get_string(&data_len);
1.48 markus 1044: packet_done();
1.44 markus 1045: if (data_len > c->local_window) {
1046: log("channel %d: rcvd too much extended_data %d, win %d",
1047: c->self, data_len, c->local_window);
1048: xfree(data);
1049: return;
1050: }
1051: debug("channel %d: rcvd ext data %d", c->self, data_len);
1052: c->local_window -= data_len;
1053: buffer_append(&c->extended, data, data_len);
1054: xfree(data);
1055: }
1056:
1.1 deraadt 1057:
1.27 markus 1058: /*
1059: * Returns true if no channel has too much buffered data, and false if one or
1060: * more channel is overfull.
1061: */
1.1 deraadt 1062:
1.49 markus 1063: int
1.25 markus 1064: channel_not_very_much_buffered_data()
1.1 deraadt 1065: {
1.25 markus 1066: unsigned int i;
1.41 markus 1067: Channel *c;
1.25 markus 1068:
1069: for (i = 0; i < channels_alloc; i++) {
1.41 markus 1070: c = &channels[i];
1071: if (c->type == SSH_CHANNEL_OPEN) {
1.44 markus 1072: if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
1.41 markus 1073: debug("channel %d: big input buffer %d",
1074: c->self, buffer_len(&c->input));
1.25 markus 1075: return 0;
1.41 markus 1076: }
1077: if (buffer_len(&c->output) > packet_get_maxsize()) {
1078: debug("channel %d: big output buffer %d",
1079: c->self, buffer_len(&c->output));
1.25 markus 1080: return 0;
1.41 markus 1081: }
1.25 markus 1082: }
1.1 deraadt 1083: }
1.25 markus 1084: return 1;
1.1 deraadt 1085: }
1086:
1.49 markus 1087: void
1.41 markus 1088: channel_input_ieof(int type, int plen)
1089: {
1090: int id;
1091: Channel *c;
1092:
1093: packet_integrity_check(plen, 4, type);
1094:
1095: id = packet_get_int();
1096: c = channel_lookup(id);
1097: if (c == NULL)
1098: packet_disconnect("Received ieof for nonexistent channel %d.", id);
1099: chan_rcvd_ieof(c);
1100: }
1.1 deraadt 1101:
1.49 markus 1102: void
1.41 markus 1103: channel_input_close(int type, int plen)
1.1 deraadt 1104: {
1.41 markus 1105: int id;
1106: Channel *c;
1.1 deraadt 1107:
1.41 markus 1108: packet_integrity_check(plen, 4, type);
1109:
1110: id = packet_get_int();
1111: c = channel_lookup(id);
1112: if (c == NULL)
1113: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 1114:
1115: /*
1116: * Send a confirmation that we have closed the channel and no more
1117: * data is coming for it.
1118: */
1.25 markus 1119: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 1120: packet_put_int(c->remote_id);
1.25 markus 1121: packet_send();
1122:
1.27 markus 1123: /*
1124: * If the channel is in closed state, we have sent a close request,
1125: * and the other side will eventually respond with a confirmation.
1126: * Thus, we cannot free the channel here, because then there would be
1127: * no-one to receive the confirmation. The channel gets freed when
1128: * the confirmation arrives.
1129: */
1.41 markus 1130: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 1131: /*
1132: * Not a closed channel - mark it as draining, which will
1133: * cause it to be freed later.
1134: */
1.41 markus 1135: buffer_consume(&c->input, buffer_len(&c->input));
1136: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 1137: }
1.1 deraadt 1138: }
1139:
1.41 markus 1140: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
1.49 markus 1141: void
1.41 markus 1142: channel_input_oclose(int type, int plen)
1143: {
1144: int id = packet_get_int();
1145: Channel *c = channel_lookup(id);
1146: packet_integrity_check(plen, 4, type);
1147: if (c == NULL)
1148: packet_disconnect("Received oclose for nonexistent channel %d.", id);
1149: chan_rcvd_oclose(c);
1150: }
1.1 deraadt 1151:
1.49 markus 1152: void
1.41 markus 1153: channel_input_close_confirmation(int type, int plen)
1.1 deraadt 1154: {
1.41 markus 1155: int id = packet_get_int();
1156: Channel *c = channel_lookup(id);
1.1 deraadt 1157:
1.48 markus 1158: packet_done();
1.41 markus 1159: if (c == NULL)
1160: packet_disconnect("Received close confirmation for "
1161: "out-of-range channel %d.", id);
1162: if (c->type != SSH_CHANNEL_CLOSED)
1163: packet_disconnect("Received close confirmation for "
1164: "non-closed channel %d (type %d).", id, c->type);
1165: channel_free(c->self);
1.1 deraadt 1166: }
1167:
1.49 markus 1168: void
1.41 markus 1169: channel_input_open_confirmation(int type, int plen)
1.1 deraadt 1170: {
1.41 markus 1171: int id, remote_id;
1172: Channel *c;
1.1 deraadt 1173:
1.44 markus 1174: if (!compat20)
1175: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 1176:
1.41 markus 1177: id = packet_get_int();
1178: c = channel_lookup(id);
1.25 markus 1179:
1.41 markus 1180: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1181: packet_disconnect("Received open confirmation for "
1182: "non-opening channel %d.", id);
1183: remote_id = packet_get_int();
1.27 markus 1184: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 1185: c->remote_id = remote_id;
1186: c->type = SSH_CHANNEL_OPEN;
1.44 markus 1187:
1188: if (compat20) {
1189: c->remote_window = packet_get_int();
1190: c->remote_maxpacket = packet_get_int();
1.48 markus 1191: packet_done();
1.44 markus 1192: if (c->cb_fn != NULL && c->cb_event == type) {
1193: debug("callback start");
1194: c->cb_fn(c->self, c->cb_arg);
1195: debug("callback done");
1196: }
1197: debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1198: c->remote_window, c->remote_maxpacket);
1199: }
1.1 deraadt 1200: }
1201:
1.49 markus 1202: void
1.41 markus 1203: channel_input_open_failure(int type, int plen)
1.1 deraadt 1204: {
1.41 markus 1205: int id;
1206: Channel *c;
1207:
1.44 markus 1208: if (!compat20)
1209: packet_integrity_check(plen, 4, type);
1.41 markus 1210:
1211: id = packet_get_int();
1212: c = channel_lookup(id);
1.25 markus 1213:
1.41 markus 1214: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1215: packet_disconnect("Received open failure for "
1216: "non-opening channel %d.", id);
1.44 markus 1217: if (compat20) {
1218: int reason = packet_get_int();
1219: char *msg = packet_get_string(NULL);
1.48 markus 1220: char *lang = packet_get_string(NULL);
1.44 markus 1221: log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
1.48 markus 1222: packet_done();
1.44 markus 1223: xfree(msg);
1.48 markus 1224: xfree(lang);
1.44 markus 1225: }
1.25 markus 1226: /* Free the channel. This will also close the socket. */
1.41 markus 1227: channel_free(id);
1.1 deraadt 1228: }
1229:
1.44 markus 1230: void
1231: channel_input_channel_request(int type, int plen)
1232: {
1233: int id;
1234: Channel *c;
1235:
1236: id = packet_get_int();
1237: c = channel_lookup(id);
1238:
1239: if (c == NULL ||
1240: (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1241: packet_disconnect("Received request for "
1242: "non-open channel %d.", id);
1243: if (c->cb_fn != NULL && c->cb_event == type) {
1244: debug("callback start");
1245: c->cb_fn(c->self, c->cb_arg);
1246: debug("callback done");
1247: } else {
1248: char *service = packet_get_string(NULL);
1249: debug("channel: %d rcvd request for %s", c->self, service);
1250: debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1251: xfree(service);
1252: }
1253: }
1254:
1.49 markus 1255: void
1.44 markus 1256: channel_input_window_adjust(int type, int plen)
1257: {
1258: Channel *c;
1259: int id, adjust;
1260:
1261: if (!compat20)
1262: return;
1263:
1264: /* Get the channel number and verify it. */
1265: id = packet_get_int();
1266: c = channel_lookup(id);
1267:
1268: if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1269: log("Received window adjust for "
1270: "non-open channel %d.", id);
1271: return;
1272: }
1273: adjust = packet_get_int();
1.48 markus 1274: packet_done();
1.44 markus 1275: debug("channel %d: rcvd adjust %d", id, adjust);
1276: c->remote_window += adjust;
1277: }
1278:
1.27 markus 1279: /*
1280: * Stops listening for channels, and removes any unix domain sockets that we
1281: * might have.
1282: */
1.1 deraadt 1283:
1.49 markus 1284: void
1.25 markus 1285: channel_stop_listening()
1.1 deraadt 1286: {
1.25 markus 1287: int i;
1288: for (i = 0; i < channels_alloc; i++) {
1289: switch (channels[i].type) {
1290: case SSH_CHANNEL_AUTH_SOCKET:
1291: close(channels[i].sock);
1292: remove(channels[i].path);
1293: channel_free(i);
1294: break;
1295: case SSH_CHANNEL_PORT_LISTENER:
1296: case SSH_CHANNEL_X11_LISTENER:
1297: close(channels[i].sock);
1298: channel_free(i);
1299: break;
1300: default:
1301: break;
1302: }
1.1 deraadt 1303: }
1304: }
1305:
1.27 markus 1306: /*
1.52 markus 1307: * Closes the sockets/fds of all channels. This is used to close extra file
1.27 markus 1308: * descriptors after a fork.
1309: */
1.1 deraadt 1310:
1.49 markus 1311: void
1.25 markus 1312: channel_close_all()
1.1 deraadt 1313: {
1.25 markus 1314: int i;
1.52 markus 1315: for (i = 0; i < channels_alloc; i++)
1.25 markus 1316: if (channels[i].type != SSH_CHANNEL_FREE)
1.52 markus 1317: channel_close_fds(&channels[i]);
1.1 deraadt 1318: }
1319:
1320: /* Returns the maximum file descriptor number used by the channels. */
1321:
1.49 markus 1322: int
1.25 markus 1323: channel_max_fd()
1.1 deraadt 1324: {
1.25 markus 1325: return channel_max_fd_value;
1.1 deraadt 1326: }
1327:
1328: /* Returns true if any channel is still open. */
1329:
1.49 markus 1330: int
1.25 markus 1331: channel_still_open()
1.1 deraadt 1332: {
1.25 markus 1333: unsigned int i;
1334: for (i = 0; i < channels_alloc; i++)
1335: switch (channels[i].type) {
1336: case SSH_CHANNEL_FREE:
1337: case SSH_CHANNEL_X11_LISTENER:
1338: case SSH_CHANNEL_PORT_LISTENER:
1339: case SSH_CHANNEL_CLOSED:
1340: case SSH_CHANNEL_AUTH_SOCKET:
1341: continue;
1.44 markus 1342: case SSH_CHANNEL_LARVAL:
1343: if (!compat20)
1344: fatal("cannot happen: SSH_CHANNEL_LARVAL");
1345: continue;
1.25 markus 1346: case SSH_CHANNEL_OPENING:
1347: case SSH_CHANNEL_OPEN:
1348: case SSH_CHANNEL_X11_OPEN:
1349: return 1;
1350: case SSH_CHANNEL_INPUT_DRAINING:
1351: case SSH_CHANNEL_OUTPUT_DRAINING:
1352: if (!compat13)
1353: fatal("cannot happen: OUT_DRAIN");
1354: return 1;
1355: default:
1356: fatal("channel_still_open: bad channel type %d", channels[i].type);
1357: /* NOTREACHED */
1358: }
1359: return 0;
1.1 deraadt 1360: }
1361:
1.27 markus 1362: /*
1363: * Returns a message describing the currently open forwarded connections,
1364: * suitable for sending to the client. The message contains crlf pairs for
1365: * newlines.
1366: */
1.1 deraadt 1367:
1.25 markus 1368: char *
1369: channel_open_message()
1.1 deraadt 1370: {
1.25 markus 1371: Buffer buffer;
1372: int i;
1373: char buf[512], *cp;
1374:
1375: buffer_init(&buffer);
1376: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 1377: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 1378: for (i = 0; i < channels_alloc; i++) {
1379: Channel *c = &channels[i];
1380: switch (c->type) {
1381: case SSH_CHANNEL_FREE:
1382: case SSH_CHANNEL_X11_LISTENER:
1383: case SSH_CHANNEL_PORT_LISTENER:
1384: case SSH_CHANNEL_CLOSED:
1385: case SSH_CHANNEL_AUTH_SOCKET:
1386: continue;
1.44 markus 1387: case SSH_CHANNEL_LARVAL:
1.25 markus 1388: case SSH_CHANNEL_OPENING:
1389: case SSH_CHANNEL_OPEN:
1390: case SSH_CHANNEL_X11_OPEN:
1391: case SSH_CHANNEL_INPUT_DRAINING:
1392: case SSH_CHANNEL_OUTPUT_DRAINING:
1.41 markus 1393: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
1.37 markus 1394: c->self, c->remote_name,
1395: c->type, c->remote_id,
1396: c->istate, buffer_len(&c->input),
1.41 markus 1397: c->ostate, buffer_len(&c->output),
1398: c->rfd, c->wfd);
1.25 markus 1399: buffer_append(&buffer, buf, strlen(buf));
1400: continue;
1401: default:
1.41 markus 1402: fatal("channel_open_message: bad channel type %d", c->type);
1.25 markus 1403: /* NOTREACHED */
1404: }
1405: }
1406: buffer_append(&buffer, "\0", 1);
1407: cp = xstrdup(buffer_ptr(&buffer));
1408: buffer_free(&buffer);
1409: return cp;
1.1 deraadt 1410: }
1411:
1.27 markus 1412: /*
1413: * Initiate forwarding of connections to local port "port" through the secure
1414: * channel to host:port from remote side.
1415: */
1.1 deraadt 1416:
1.49 markus 1417: void
1.31 markus 1418: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 1419: u_short host_port, int gateway_ports)
1.25 markus 1420: {
1.35 markus 1421: int success, ch, sock, on = 1;
1422: struct addrinfo hints, *ai, *aitop;
1423: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.28 markus 1424: struct linger linger;
1.25 markus 1425:
1426: if (strlen(host) > sizeof(channels[0].path) - 1)
1427: packet_disconnect("Forward host name too long.");
1428:
1.28 markus 1429: /*
1.35 markus 1430: * getaddrinfo returns a loopback address if the hostname is
1431: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 1432: */
1.35 markus 1433: memset(&hints, 0, sizeof(hints));
1434: hints.ai_family = IPv4or6;
1435: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1436: hints.ai_socktype = SOCK_STREAM;
1437: snprintf(strport, sizeof strport, "%d", port);
1438: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1439: packet_disconnect("getaddrinfo: fatal error");
1440:
1441: success = 0;
1442: for (ai = aitop; ai; ai = ai->ai_next) {
1443: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1444: continue;
1445: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1446: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1447: error("channel_request_local_forwarding: getnameinfo failed");
1448: continue;
1449: }
1450: /* Create a port to listen for the host. */
1451: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1452: if (sock < 0) {
1453: /* this is no error since kernel may not support ipv6 */
1454: verbose("socket: %.100s", strerror(errno));
1455: continue;
1456: }
1457: /*
1458: * Set socket options. We would like the socket to disappear
1459: * as soon as it has been closed for whatever reason.
1460: */
1461: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1462: linger.l_onoff = 1;
1463: linger.l_linger = 5;
1464: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1465: debug("Local forwarding listening on %s port %s.", ntop, strport);
1466:
1467: /* Bind the socket to the address. */
1468: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1469: /* address can be in use ipv6 address is already bound */
1470: verbose("bind: %.100s", strerror(errno));
1471: close(sock);
1472: continue;
1473: }
1474: /* Start listening for connections on the socket. */
1475: if (listen(sock, 5) < 0) {
1476: error("listen: %.100s", strerror(errno));
1477: close(sock);
1478: continue;
1479: }
1480: /* Allocate a channel number for the socket. */
1.41 markus 1481: ch = channel_new(
1482: "port listener", SSH_CHANNEL_PORT_LISTENER,
1483: sock, sock, -1,
1.51 markus 1484: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.41 markus 1485: 0, xstrdup("port listener"));
1.35 markus 1486: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1487: channels[ch].host_port = host_port;
1488: channels[ch].listening_port = port;
1489: success = 1;
1490: }
1491: if (success == 0)
1492: packet_disconnect("cannot listen port: %d", port);
1493: freeaddrinfo(aitop);
1.25 markus 1494: }
1.1 deraadt 1495:
1.27 markus 1496: /*
1497: * Initiate forwarding of connections to port "port" on remote host through
1498: * the secure channel to host:port from local side.
1499: */
1.1 deraadt 1500:
1.49 markus 1501: void
1.41 markus 1502: channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
1503: u_short port_to_connect)
1.25 markus 1504: {
1505: int payload_len;
1506: /* Record locally that connection to this host/port is permitted. */
1507: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1508: fatal("channel_request_remote_forwarding: too many forwards");
1509:
1.41 markus 1510: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1511: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1512: permitted_opens[num_permitted_opens].listen_port = listen_port;
1.25 markus 1513: num_permitted_opens++;
1514:
1515: /* Send the forward request to the remote side. */
1.44 markus 1516: if (compat20) {
1517: const char *address_to_bind = "0.0.0.0";
1518: packet_start(SSH2_MSG_GLOBAL_REQUEST);
1519: packet_put_cstring("tcpip-forward");
1520: packet_put_char(0); /* boolean: want reply */
1521: packet_put_cstring(address_to_bind);
1522: packet_put_int(listen_port);
1523: } else {
1524: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.50 markus 1525: packet_put_int(listen_port);
1526: packet_put_cstring(host_to_connect);
1.44 markus 1527: packet_put_int(port_to_connect);
1528: packet_send();
1529: packet_write_wait();
1530: /*
1531: * Wait for response from the remote side. It will send a disconnect
1532: * message on failure, and we will never see it here.
1533: */
1534: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1535: }
1.1 deraadt 1536: }
1537:
1.27 markus 1538: /*
1539: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1540: * listening for the port, and sends back a success reply (or disconnect
1541: * message if there was an error). This never returns if there was an error.
1542: */
1.1 deraadt 1543:
1.49 markus 1544: void
1.56 markus 1545: channel_input_port_forward_request(int is_root, int gateway_ports)
1.1 deraadt 1546: {
1.31 markus 1547: u_short port, host_port;
1.25 markus 1548: char *hostname;
1.1 deraadt 1549:
1.25 markus 1550: /* Get arguments from the packet. */
1551: port = packet_get_int();
1552: hostname = packet_get_string(NULL);
1553: host_port = packet_get_int();
1554:
1.27 markus 1555: /*
1556: * Check that an unprivileged user is not trying to forward a
1557: * privileged port.
1558: */
1.25 markus 1559: if (port < IPPORT_RESERVED && !is_root)
1560: packet_disconnect("Requested forwarding of port %d but user is not root.",
1561: port);
1.33 markus 1562: /*
1563: * Initiate forwarding,
1564: */
1.56 markus 1565: channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
1.25 markus 1566:
1567: /* Free the argument string. */
1568: xfree(hostname);
1.1 deraadt 1569: }
1570:
1.41 markus 1571: /* XXX move to aux.c */
1572: int
1573: channel_connect_to(const char *host, u_short host_port)
1574: {
1575: struct addrinfo hints, *ai, *aitop;
1576: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1577: int gaierr;
1578: int sock = -1;
1579:
1580: memset(&hints, 0, sizeof(hints));
1581: hints.ai_family = IPv4or6;
1582: hints.ai_socktype = SOCK_STREAM;
1583: snprintf(strport, sizeof strport, "%d", host_port);
1584: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1585: error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
1586: return -1;
1587: }
1588: for (ai = aitop; ai; ai = ai->ai_next) {
1589: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1590: continue;
1591: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1592: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1593: error("channel_connect_to: getnameinfo failed");
1594: continue;
1595: }
1596: /* Create the socket. */
1597: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1598: if (sock < 0) {
1599: error("socket: %.100s", strerror(errno));
1600: continue;
1601: }
1602: /* Connect to the host/port. */
1603: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1604: error("connect %.100s port %s: %.100s", ntop, strport,
1605: strerror(errno));
1606: close(sock);
1607: continue; /* fail -- try next */
1608: }
1609: break; /* success */
1610:
1611: }
1612: freeaddrinfo(aitop);
1613: if (!ai) {
1614: error("connect %.100s port %d: failed.", host, host_port);
1615: return -1;
1616: }
1617: /* success */
1618: return sock;
1619: }
1.27 markus 1620: /*
1621: * This is called after receiving PORT_OPEN message. This attempts to
1622: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1623: * or CHANNEL_OPEN_FAILURE.
1624: */
1.1 deraadt 1625:
1.49 markus 1626: void
1.41 markus 1627: channel_input_port_open(int type, int plen)
1.1 deraadt 1628: {
1.31 markus 1629: u_short host_port;
1.25 markus 1630: char *host, *originator_string;
1.41 markus 1631: int remote_channel, sock = -1, newch, i, denied;
1.39 markus 1632: unsigned int host_len, originator_len;
1.25 markus 1633:
1634: /* Get remote channel number. */
1635: remote_channel = packet_get_int();
1636:
1637: /* Get host name to connect to. */
1638: host = packet_get_string(&host_len);
1639:
1640: /* Get port to connect to. */
1641: host_port = packet_get_int();
1642:
1643: /* Get remote originator name. */
1.29 markus 1644: if (have_hostname_in_open) {
1.25 markus 1645: originator_string = packet_get_string(&originator_len);
1.29 markus 1646: originator_len += 4; /* size of packet_int */
1647: } else {
1.25 markus 1648: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1649: originator_len = 0; /* no originator supplied */
1650: }
1.25 markus 1651:
1.41 markus 1652: packet_integrity_check(plen,
1653: 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
1.25 markus 1654:
1655: /* Check if opening that port is permitted. */
1.41 markus 1656: denied = 0;
1.25 markus 1657: if (!all_opens_permitted) {
1658: /* Go trough all permitted ports. */
1659: for (i = 0; i < num_permitted_opens; i++)
1.41 markus 1660: if (permitted_opens[i].port_to_connect == host_port &&
1661: strcmp(permitted_opens[i].host_to_connect, host) == 0)
1.25 markus 1662: break;
1663:
1664: /* Check if we found the requested port among those permitted. */
1665: if (i >= num_permitted_opens) {
1666: /* The port is not permitted. */
1667: log("Received request to connect to %.100s:%d, but the request was denied.",
1668: host, host_port);
1.41 markus 1669: denied = 1;
1.25 markus 1670: }
1671: }
1.41 markus 1672: sock = denied ? -1 : channel_connect_to(host, host_port);
1673: if (sock > 0) {
1674: /* Allocate a channel for this connection. */
1675: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1676: channels[newch].remote_id = remote_channel;
1677:
1678: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1679: packet_put_int(remote_channel);
1680: packet_put_int(newch);
1681: packet_send();
1682: } else {
1683: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1684: packet_put_int(remote_channel);
1685: packet_send();
1.25 markus 1686: }
1687: xfree(host);
1.1 deraadt 1688: }
1689:
1.27 markus 1690: /*
1691: * Creates an internet domain socket for listening for X11 connections.
1692: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1693: * occurs.
1694: */
1.1 deraadt 1695:
1.35 markus 1696: #define NUM_SOCKS 10
1697:
1.25 markus 1698: char *
1.33 markus 1699: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1700: {
1.31 markus 1701: int display_number, sock;
1702: u_short port;
1.35 markus 1703: struct addrinfo hints, *ai, *aitop;
1704: char strport[NI_MAXSERV];
1705: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1706: char display[512];
1.25 markus 1707: char hostname[MAXHOSTNAMELEN];
1708:
1.33 markus 1709: for (display_number = x11_display_offset;
1.25 markus 1710: display_number < MAX_DISPLAYS;
1711: display_number++) {
1712: port = 6000 + display_number;
1.35 markus 1713: memset(&hints, 0, sizeof(hints));
1714: hints.ai_family = IPv4or6;
1.36 markus 1715: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1716: hints.ai_socktype = SOCK_STREAM;
1717: snprintf(strport, sizeof strport, "%d", port);
1718: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1719: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1720: return NULL;
1721: }
1.35 markus 1722: for (ai = aitop; ai; ai = ai->ai_next) {
1723: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1724: continue;
1725: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1726: if (sock < 0) {
1727: error("socket: %.100s", strerror(errno));
1728: return NULL;
1729: }
1730: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1731: debug("bind port %d: %.100s", port, strerror(errno));
1732: shutdown(sock, SHUT_RDWR);
1733: close(sock);
1734: for (n = 0; n < num_socks; n++) {
1735: shutdown(socks[n], SHUT_RDWR);
1736: close(socks[n]);
1737: }
1738: num_socks = 0;
1739: break;
1740: }
1741: socks[num_socks++] = sock;
1742: if (num_socks == NUM_SOCKS)
1743: break;
1.25 markus 1744: }
1.35 markus 1745: if (num_socks > 0)
1746: break;
1.25 markus 1747: }
1748: if (display_number >= MAX_DISPLAYS) {
1749: error("Failed to allocate internet-domain X11 display socket.");
1750: return NULL;
1751: }
1752: /* Start listening for connections on the socket. */
1.35 markus 1753: for (n = 0; n < num_socks; n++) {
1754: sock = socks[n];
1755: if (listen(sock, 5) < 0) {
1756: error("listen: %.100s", strerror(errno));
1757: shutdown(sock, SHUT_RDWR);
1758: close(sock);
1759: return NULL;
1760: }
1.25 markus 1761: }
1.35 markus 1762:
1.25 markus 1763: /* Set up a suitable value for the DISPLAY variable. */
1764: if (gethostname(hostname, sizeof(hostname)) < 0)
1765: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 1766: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 1767: display_number, screen_number);
1768:
1.35 markus 1769: /* Allocate a channel for each socket. */
1770: for (n = 0; n < num_socks; n++) {
1771: sock = socks[n];
1.51 markus 1772: (void) channel_new("x11 listener",
1773: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
1774: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1775: 0, xstrdup("X11 inet listener"));
1.35 markus 1776: }
1.1 deraadt 1777:
1.25 markus 1778: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 1779: return xstrdup(display);
1.1 deraadt 1780: }
1781:
1782: #ifndef X_UNIX_PATH
1783: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1784: #endif
1785:
1786: static
1787: int
1.30 deraadt 1788: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1789: {
1.25 markus 1790: static const char *const x_sockets[] = {
1791: X_UNIX_PATH "%u",
1792: "/var/X/.X11-unix/X" "%u",
1793: "/usr/spool/sockets/X11/" "%u",
1794: NULL
1795: };
1796: int sock;
1797: struct sockaddr_un addr;
1798: const char *const * path;
1799:
1800: for (path = x_sockets; *path; ++path) {
1801: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1802: if (sock < 0)
1803: error("socket: %.100s", strerror(errno));
1804: memset(&addr, 0, sizeof(addr));
1805: addr.sun_family = AF_UNIX;
1806: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1807: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1808: return sock;
1809: close(sock);
1810: }
1811: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1812: return -1;
1.1 deraadt 1813: }
1814:
1.51 markus 1815: int
1816: x11_connect_display(void)
1.1 deraadt 1817: {
1.51 markus 1818: int display_number, sock = 0;
1.25 markus 1819: const char *display;
1.51 markus 1820: char buf[1024], *cp;
1.35 markus 1821: struct addrinfo hints, *ai, *aitop;
1822: char strport[NI_MAXSERV];
1823: int gaierr;
1.25 markus 1824:
1825: /* Try to open a socket for the local X server. */
1826: display = getenv("DISPLAY");
1827: if (!display) {
1828: error("DISPLAY not set.");
1.51 markus 1829: return -1;
1.25 markus 1830: }
1.27 markus 1831: /*
1832: * Now we decode the value of the DISPLAY variable and make a
1833: * connection to the real X server.
1834: */
1835:
1836: /*
1837: * Check if it is a unix domain socket. Unix domain displays are in
1838: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1839: */
1.25 markus 1840: if (strncmp(display, "unix:", 5) == 0 ||
1841: display[0] == ':') {
1842: /* Connect to the unix domain socket. */
1843: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1844: error("Could not parse display number from DISPLAY: %.100s",
1845: display);
1.51 markus 1846: return -1;
1.25 markus 1847: }
1848: /* Create a socket. */
1849: sock = connect_local_xsocket(display_number);
1850: if (sock < 0)
1.51 markus 1851: return -1;
1.25 markus 1852:
1853: /* OK, we now have a connection to the display. */
1.51 markus 1854: return sock;
1.25 markus 1855: }
1.27 markus 1856: /*
1857: * Connect to an inet socket. The DISPLAY value is supposedly
1858: * hostname:d[.s], where hostname may also be numeric IP address.
1859: */
1.25 markus 1860: strncpy(buf, display, sizeof(buf));
1861: buf[sizeof(buf) - 1] = 0;
1862: cp = strchr(buf, ':');
1863: if (!cp) {
1864: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 1865: return -1;
1.25 markus 1866: }
1867: *cp = 0;
1.27 markus 1868: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1869: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1870: error("Could not parse display number from DISPLAY: %.100s",
1871: display);
1.51 markus 1872: return -1;
1.25 markus 1873: }
1.35 markus 1874:
1875: /* Look up the host address */
1876: memset(&hints, 0, sizeof(hints));
1877: hints.ai_family = IPv4or6;
1878: hints.ai_socktype = SOCK_STREAM;
1879: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1880: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1881: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.51 markus 1882: return -1;
1.25 markus 1883: }
1.35 markus 1884: for (ai = aitop; ai; ai = ai->ai_next) {
1885: /* Create a socket. */
1886: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1887: if (sock < 0) {
1888: debug("socket: %.100s", strerror(errno));
1.41 markus 1889: continue;
1890: }
1891: /* Connect it to the display. */
1892: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1893: debug("connect %.100s port %d: %.100s", buf,
1894: 6000 + display_number, strerror(errno));
1895: close(sock);
1896: continue;
1897: }
1898: /* Success */
1899: break;
1.35 markus 1900: }
1901: freeaddrinfo(aitop);
1902: if (!ai) {
1.49 markus 1903: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1.35 markus 1904: strerror(errno));
1.51 markus 1905: return -1;
1.25 markus 1906: }
1.51 markus 1907: return sock;
1908: }
1909:
1910: /*
1911: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1912: * the remote channel number. We should do whatever we want, and respond
1913: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1914: */
1915:
1916: void
1917: x11_input_open(int type, int plen)
1918: {
1919: int remote_channel, sock = 0, newch;
1920: char *remote_host;
1921: unsigned int remote_len;
1.25 markus 1922:
1.51 markus 1923: /* Get remote channel number. */
1924: remote_channel = packet_get_int();
1925:
1926: /* Get remote originator name. */
1927: if (have_hostname_in_open) {
1928: remote_host = packet_get_string(&remote_len);
1929: remote_len += 4;
1930: } else {
1931: remote_host = xstrdup("unknown (remote did not supply name)");
1932: remote_len = 0;
1933: }
1.25 markus 1934:
1.51 markus 1935: debug("Received X11 open request.");
1936: packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1937:
1.51 markus 1938: /* Obtain a connection to the real X display. */
1939: sock = x11_connect_display();
1940: if (sock == -1) {
1941: /* Send refusal to the remote host. */
1942: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1943: packet_put_int(remote_channel);
1944: packet_send();
1945: } else {
1946: /* Allocate a channel for this connection. */
1947: newch = channel_allocate(
1948: (x11_saved_proto == NULL) ?
1949: SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
1950: sock, remote_host);
1951: channels[newch].remote_id = remote_channel;
1.25 markus 1952:
1.51 markus 1953: /* Send a confirmation to the remote host. */
1954: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1955: packet_put_int(remote_channel);
1956: packet_put_int(newch);
1957: packet_send();
1958: }
1.1 deraadt 1959: }
1960:
1.27 markus 1961: /*
1962: * Requests forwarding of X11 connections, generates fake authentication
1963: * data, and enables authentication spoofing.
1964: */
1.1 deraadt 1965:
1.49 markus 1966: void
1.51 markus 1967: x11_request_forwarding_with_spoofing(int client_session_id,
1968: const char *proto, const char *data)
1.1 deraadt 1969: {
1.25 markus 1970: unsigned int data_len = (unsigned int) strlen(data) / 2;
1971: unsigned int i, value;
1972: char *new_data;
1973: int screen_number;
1974: const char *cp;
1975: u_int32_t rand = 0;
1976:
1977: cp = getenv("DISPLAY");
1978: if (cp)
1979: cp = strchr(cp, ':');
1980: if (cp)
1981: cp = strchr(cp, '.');
1982: if (cp)
1983: screen_number = atoi(cp + 1);
1984: else
1985: screen_number = 0;
1986:
1987: /* Save protocol name. */
1988: x11_saved_proto = xstrdup(proto);
1989:
1.27 markus 1990: /*
1991: * Extract real authentication data and generate fake data of the
1992: * same length.
1993: */
1.25 markus 1994: x11_saved_data = xmalloc(data_len);
1995: x11_fake_data = xmalloc(data_len);
1996: for (i = 0; i < data_len; i++) {
1997: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1998: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1999: if (i % 4 == 0)
2000: rand = arc4random();
2001: x11_saved_data[i] = value;
2002: x11_fake_data[i] = rand & 0xff;
2003: rand >>= 8;
2004: }
2005: x11_saved_data_len = data_len;
2006: x11_fake_data_len = data_len;
2007:
2008: /* Convert the fake data into hex. */
2009: new_data = xmalloc(2 * data_len + 1);
2010: for (i = 0; i < data_len; i++)
2011: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
2012:
2013: /* Send the request packet. */
1.51 markus 2014: if (compat20) {
2015: channel_request_start(client_session_id, "x11-req", 0);
2016: packet_put_char(0); /* XXX bool single connection */
2017: } else {
2018: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
2019: }
2020: packet_put_cstring(proto);
2021: packet_put_cstring(new_data);
1.25 markus 2022: packet_put_int(screen_number);
2023: packet_send();
2024: packet_write_wait();
2025: xfree(new_data);
1.1 deraadt 2026: }
2027:
2028: /* Sends a message to the server to request authentication fd forwarding. */
2029:
1.49 markus 2030: void
1.25 markus 2031: auth_request_forwarding()
1.1 deraadt 2032: {
1.25 markus 2033: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2034: packet_send();
2035: packet_write_wait();
1.1 deraadt 2036: }
2037:
1.27 markus 2038: /*
2039: * Returns the name of the forwarded authentication socket. Returns NULL if
2040: * there is no forwarded authentication socket. The returned value points to
2041: * a static buffer.
2042: */
1.1 deraadt 2043:
1.25 markus 2044: char *
2045: auth_get_socket_name()
1.1 deraadt 2046: {
1.25 markus 2047: return channel_forwarded_auth_socket_name;
1.1 deraadt 2048: }
2049:
1.12 markus 2050: /* removes the agent forwarding socket */
2051:
1.49 markus 2052: void
1.25 markus 2053: cleanup_socket(void)
2054: {
2055: remove(channel_forwarded_auth_socket_name);
2056: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 2057: }
2058:
1.27 markus 2059: /*
1.59 ! markus 2060: * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1.27 markus 2061: * This starts forwarding authentication requests.
2062: */
1.1 deraadt 2063:
1.59 ! markus 2064: int
1.25 markus 2065: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 2066: {
1.25 markus 2067: int sock, newch;
2068: struct sockaddr_un sunaddr;
2069:
2070: if (auth_get_socket_name() != NULL)
2071: fatal("Protocol error: authentication forwarding requested twice.");
2072:
2073: /* Temporarily drop privileged uid for mkdir/bind. */
2074: temporarily_use_uid(pw->pw_uid);
2075:
2076: /* Allocate a buffer for the socket name, and format the name. */
2077: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
2078: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
2079: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
2080:
2081: /* Create private directory for socket */
1.59 ! markus 2082: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
! 2083: packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
! 2084: strerror(errno));
! 2085: restore_uid();
! 2086: xfree(channel_forwarded_auth_socket_name);
! 2087: xfree(channel_forwarded_auth_socket_dir);
! 2088: channel_forwarded_auth_socket_name = NULL;
! 2089: channel_forwarded_auth_socket_dir = NULL;
! 2090: return 0;
! 2091: }
1.25 markus 2092: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
2093: channel_forwarded_auth_socket_dir, (int) getpid());
2094:
2095: if (atexit(cleanup_socket) < 0) {
2096: int saved = errno;
2097: cleanup_socket();
2098: packet_disconnect("socket: %.100s", strerror(saved));
2099: }
2100: /* Create the socket. */
2101: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2102: if (sock < 0)
2103: packet_disconnect("socket: %.100s", strerror(errno));
2104:
2105: /* Bind it to the name. */
2106: memset(&sunaddr, 0, sizeof(sunaddr));
2107: sunaddr.sun_family = AF_UNIX;
2108: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
2109: sizeof(sunaddr.sun_path));
2110:
2111: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2112: packet_disconnect("bind: %.100s", strerror(errno));
2113:
2114: /* Restore the privileged uid. */
2115: restore_uid();
2116:
2117: /* Start listening on the socket. */
2118: if (listen(sock, 5) < 0)
2119: packet_disconnect("listen: %.100s", strerror(errno));
2120:
2121: /* Allocate a channel for the authentication agent socket. */
2122: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
2123: xstrdup("auth socket"));
1.32 deraadt 2124: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
2125: sizeof(channels[newch].path));
1.59 ! markus 2126: return 1;
1.1 deraadt 2127: }
2128:
2129: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2130:
1.49 markus 2131: void
1.41 markus 2132: auth_input_open_request(int type, int plen)
1.1 deraadt 2133: {
1.25 markus 2134: int remch, sock, newch;
2135: char *dummyname;
1.41 markus 2136:
2137: packet_integrity_check(plen, 4, type);
1.25 markus 2138:
2139: /* Read the remote channel number from the message. */
2140: remch = packet_get_int();
2141:
1.27 markus 2142: /*
2143: * Get a connection to the local authentication agent (this may again
2144: * get forwarded).
2145: */
1.25 markus 2146: sock = ssh_get_authentication_socket();
2147:
1.27 markus 2148: /*
2149: * If we could not connect the agent, send an error message back to
2150: * the server. This should never happen unless the agent dies,
2151: * because authentication forwarding is only enabled if we have an
2152: * agent.
2153: */
1.25 markus 2154: if (sock < 0) {
2155: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2156: packet_put_int(remch);
2157: packet_send();
2158: return;
2159: }
2160: debug("Forwarding authentication connection.");
1.1 deraadt 2161:
1.27 markus 2162: /*
2163: * Dummy host name. This will be freed when the channel is freed; it
2164: * will still be valid in the packet_put_string below since the
2165: * channel cannot yet be freed at that point.
2166: */
1.25 markus 2167: dummyname = xstrdup("authentication agent connection");
2168:
2169: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
2170: channels[newch].remote_id = remch;
2171:
2172: /* Send a confirmation to the remote host. */
2173: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2174: packet_put_int(remch);
2175: packet_put_int(newch);
1.44 markus 2176: packet_send();
2177: }
2178:
2179: void
1.51 markus 2180: channel_start_open(int id)
1.44 markus 2181: {
2182: Channel *c = channel_lookup(id);
2183: if (c == NULL) {
2184: log("channel_open: %d: bad id", id);
2185: return;
2186: }
1.51 markus 2187: debug("send channel open %d", id);
1.44 markus 2188: packet_start(SSH2_MSG_CHANNEL_OPEN);
2189: packet_put_cstring(c->ctype);
2190: packet_put_int(c->self);
2191: packet_put_int(c->local_window);
2192: packet_put_int(c->local_maxpacket);
1.51 markus 2193: }
2194: void
2195: channel_open(int id)
2196: {
2197: /* XXX REMOVE ME */
2198: channel_start_open(id);
1.44 markus 2199: packet_send();
2200: }
2201: void
2202: channel_request(int id, char *service, int wantconfirm)
2203: {
2204: channel_request_start(id, service, wantconfirm);
2205: packet_send();
2206: debug("channel request %d: %s", id, service) ;
2207: }
2208: void
2209: channel_request_start(int id, char *service, int wantconfirm)
2210: {
2211: Channel *c = channel_lookup(id);
2212: if (c == NULL) {
2213: log("channel_request: %d: bad id", id);
2214: return;
2215: }
2216: packet_start(SSH2_MSG_CHANNEL_REQUEST);
2217: packet_put_int(c->remote_id);
2218: packet_put_cstring(service);
2219: packet_put_char(wantconfirm);
2220: }
2221: void
2222: channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
2223: {
2224: Channel *c = channel_lookup(id);
2225: if (c == NULL) {
2226: log("channel_register_callback: %d: bad id", id);
2227: return;
2228: }
2229: c->cb_event = mtype;
2230: c->cb_fn = fn;
2231: c->cb_arg = arg;
2232: }
2233: void
2234: channel_register_cleanup(int id, channel_callback_fn *fn)
2235: {
2236: Channel *c = channel_lookup(id);
2237: if (c == NULL) {
2238: log("channel_register_cleanup: %d: bad id", id);
2239: return;
2240: }
2241: c->dettach_user = fn;
2242: }
2243: void
2244: channel_cancel_cleanup(int id)
2245: {
2246: Channel *c = channel_lookup(id);
2247: if (c == NULL) {
2248: log("channel_cancel_cleanup: %d: bad id", id);
2249: return;
2250: }
2251: c->dettach_user = NULL;
2252: }
2253:
2254: void
2255: channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
2256: {
2257: Channel *c = channel_lookup(id);
2258: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
2259: fatal("channel_activate for non-larval channel %d.", id);
1.52 markus 2260:
2261: channel_register_fds(c, rfd, wfd, efd, extusage);
1.44 markus 2262: c->type = SSH_CHANNEL_OPEN;
2263: /* XXX window size? */
2264: c->local_window = c->local_window_max = c->local_maxpacket/2;
2265: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
2266: packet_put_int(c->remote_id);
2267: packet_put_int(c->local_window);
1.25 markus 2268: packet_send();
1.1 deraadt 2269: }