Annotation of src/usr.bin/ssh/channels.c, Revision 1.6
1.1 deraadt 1: /*
2:
3: channels.c
4:
5: Author: Tatu Ylonen <ylo@cs.hut.fi>
6:
7: Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: All rights reserved
9:
10: Created: Fri Mar 24 16:35:24 1995 ylo
11:
12: This file contains functions for generic socket connection forwarding.
13: There is also code for initiating connection forwarding for X11 connections,
14: arbitrary tcp/ip connections, and the authentication agent connection.
15:
16: */
17:
18: #include "includes.h"
1.6 ! deraadt 19: RCSID("$Id: channels.c,v 1.5 1999/09/29 18:16:19 dugsong Exp $");
1.1 deraadt 20:
21: #include "ssh.h"
22: #include "packet.h"
23: #include "xmalloc.h"
24: #include "buffer.h"
25: #include "authfd.h"
26: #include "uidswap.h"
1.3 deraadt 27: #include "servconf.h"
1.1 deraadt 28:
29: /* Maximum number of fake X11 displays to try. */
30: #define MAX_DISPLAYS 1000
31:
32: /* Definitions for channel types. */
33: #define SSH_CHANNEL_FREE 0 /* This channel is free (unused). */
34: #define SSH_CHANNEL_X11_LISTENER 1 /* Listening for inet X11 conn. */
35: #define SSH_CHANNEL_PORT_LISTENER 2 /* Listening on a port. */
36: #define SSH_CHANNEL_OPENING 3 /* waiting for confirmation */
37: #define SSH_CHANNEL_OPEN 4 /* normal open two-way channel */
38: #define SSH_CHANNEL_CLOSED 5 /* waiting for close confirmation */
39: #define SSH_CHANNEL_AUTH_FD 6 /* authentication fd */
40: #define SSH_CHANNEL_AUTH_SOCKET 7 /* authentication socket */
41: #define SSH_CHANNEL_AUTH_SOCKET_FD 8 /* connection to auth socket */
42: #define SSH_CHANNEL_X11_OPEN 9 /* reading first X11 packet */
43: #define SSH_CHANNEL_INPUT_DRAINING 10 /* sending remaining data to conn */
44: #define SSH_CHANNEL_OUTPUT_DRAINING 11 /* sending remaining data to app */
45:
46: /* Data structure for channel data. This is iniailized in channel_allocate
47: and cleared in channel_free. */
48:
49: typedef struct
50: {
51: int type;
52: int sock;
53: int remote_id;
54: Buffer input;
55: Buffer output;
56: char path[200]; /* path for unix domain sockets, or host name for forwards */
57: int host_port; /* port to connect for forwards */
58: int listening_port; /* port being listened for forwards */
59: char *remote_name;
60: } Channel;
61:
62: /* Pointer to an array containing all allocated channels. The array is
63: dynamically extended as needed. */
64: static Channel *channels = NULL;
65:
66: /* Size of the channel array. All slots of the array must always be
67: initialized (at least the type field); unused slots are marked with
68: type SSH_CHANNEL_FREE. */
69: static int channels_alloc = 0;
70:
71: /* Maximum file descriptor value used in any of the channels. This is updated
72: in channel_allocate. */
73: static int channel_max_fd_value = 0;
74:
75: /* These two variables are for authentication agent forwarding. */
76: static int channel_forwarded_auth_fd = -1;
77: static char *channel_forwarded_auth_socket_name = NULL;
78:
79: /* Saved X11 authentication protocol name. */
80: char *x11_saved_proto = NULL;
81:
82: /* Saved X11 authentication data. This is the real data. */
83: char *x11_saved_data = NULL;
84: unsigned int x11_saved_data_len = 0;
85:
86: /* Fake X11 authentication data. This is what the server will be sending
87: us; we should replace any occurrences of this by the real data. */
88: char *x11_fake_data = NULL;
89: unsigned int x11_fake_data_len;
90:
91: /* Data structure for storing which hosts are permitted for forward requests.
92: The local sides of any remote forwards are stored in this array to prevent
93: a corrupt remote server from accessing arbitrary TCP/IP ports on our
94: local network (which might be behind a firewall). */
95: typedef struct
96: {
97: char *host; /* Host name. */
98: int port; /* Port number. */
99: } ForwardPermission;
100:
101: /* List of all permitted host/port pairs to connect. */
102: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
103: /* Number of permitted host/port pairs in the array. */
104: static int num_permitted_opens = 0;
105: /* If this is true, all opens are permitted. This is the case on the
106: server on which we have to trust the client anyway, and the user could
107: do anything after logging in anyway. */
108: static int all_opens_permitted = 0;
109:
110: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
111: static int have_hostname_in_open = 0;
112:
113: /* Sets specific protocol options. */
114:
115: void channel_set_options(int hostname_in_open)
116: {
117: have_hostname_in_open = hostname_in_open;
118: }
119:
120: /* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
121: called by the server, because the user could connect to any port anyway,
122: and the server has no way to know but to trust the client anyway. */
123:
124: void channel_permit_all_opens()
125: {
126: all_opens_permitted = 1;
127: }
128:
129: /* Allocate a new channel object and set its type and socket.
130: This will cause remote_name to be freed. */
131:
132: int channel_allocate(int type, int sock, char *remote_name)
133: {
134: int i, old_channels;
135:
136: /* Update the maximum file descriptor value. */
137: if (sock > channel_max_fd_value)
138: channel_max_fd_value = sock;
139:
140: /* Do initial allocation if this is the first call. */
141: if (channels_alloc == 0)
142: {
143: channels_alloc = 10;
144: channels = xmalloc(channels_alloc * sizeof(Channel));
145: for (i = 0; i < channels_alloc; i++)
146: channels[i].type = SSH_CHANNEL_FREE;
147:
148: /* Kludge: arrange a call to channel_stop_listening if we terminate
149: with fatal(). */
150: fatal_add_cleanup((void (*)(void *))channel_stop_listening, NULL);
151: }
152:
153: /* Try to find a free slot where to put the new channel. */
154: for (i = 0; i < channels_alloc; i++)
155: if (channels[i].type == SSH_CHANNEL_FREE)
156: {
157: /* Found a free slot. Initialize the fields and return its number. */
158: buffer_init(&channels[i].input);
159: buffer_init(&channels[i].output);
160: channels[i].type = type;
161: channels[i].sock = sock;
162: channels[i].remote_id = -1;
163: channels[i].remote_name = remote_name;
164: return i;
165: }
166:
167: /* There are no free slots. Must expand the array. */
168: old_channels = channels_alloc;
169: channels_alloc += 10;
170: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
171: for (i = old_channels; i < channels_alloc; i++)
172: channels[i].type = SSH_CHANNEL_FREE;
173:
174: /* We know that the next one after the old maximum channel number is now
175: available. Initialize and return its number. */
176: buffer_init(&channels[old_channels].input);
177: buffer_init(&channels[old_channels].output);
178: channels[old_channels].type = type;
179: channels[old_channels].sock = sock;
180: channels[old_channels].remote_id = -1;
181: channels[old_channels].remote_name = remote_name;
182: return old_channels;
183: }
184:
185: /* Free the channel and close its socket. */
186:
187: void channel_free(int channel)
188: {
189: assert(channel >= 0 && channel < channels_alloc &&
190: channels[channel].type != SSH_CHANNEL_FREE);
191: shutdown(channels[channel].sock, 2);
192: close(channels[channel].sock);
193: buffer_free(&channels[channel].input);
194: buffer_free(&channels[channel].output);
195: channels[channel].type = SSH_CHANNEL_FREE;
196: if (channels[channel].remote_name)
197: {
198: xfree(channels[channel].remote_name);
199: channels[channel].remote_name = NULL;
200: }
201: }
202:
203: /* This is called just before select() to add any bits relevant to
204: channels in the select bitmasks. */
205:
206: void channel_prepare_select(fd_set *readset, fd_set *writeset)
207: {
208: int i;
209: Channel *ch;
210: unsigned char *ucp;
211: unsigned int proto_len, data_len;
212:
213: for (i = 0; i < channels_alloc; i++)
214: {
215: ch = &channels[i];
216: redo:
217: switch (ch->type)
218: {
219: case SSH_CHANNEL_X11_LISTENER:
220: case SSH_CHANNEL_PORT_LISTENER:
221: case SSH_CHANNEL_AUTH_SOCKET:
222: case SSH_CHANNEL_AUTH_SOCKET_FD:
223: case SSH_CHANNEL_AUTH_FD:
224: FD_SET(ch->sock, readset);
225: break;
226:
227: case SSH_CHANNEL_OPEN:
228: if (buffer_len(&ch->input) < 32768)
229: FD_SET(ch->sock, readset);
230: if (buffer_len(&ch->output) > 0)
231: FD_SET(ch->sock, writeset);
232: break;
233:
234: case SSH_CHANNEL_INPUT_DRAINING:
235: if (buffer_len(&ch->input) == 0)
236: {
237: packet_start(SSH_MSG_CHANNEL_CLOSE);
238: packet_put_int(ch->remote_id);
239: packet_send();
240: ch->type = SSH_CHANNEL_CLOSED;
241: debug("Closing channel %d after input drain.", i);
242: break;
243: }
244: break;
245:
246: case SSH_CHANNEL_OUTPUT_DRAINING:
247: if (buffer_len(&ch->output) == 0)
248: {
249: /* debug("Freeing channel %d after output drain.", i); */
250: channel_free(i);
251: break;
252: }
253: FD_SET(ch->sock, writeset);
254: break;
255:
256: case SSH_CHANNEL_X11_OPEN:
257: /* This is a special state for X11 authentication spoofing. An
258: opened X11 connection (when authentication spoofing is being
259: done) remains in this state until the first packet has been
260: completely read. The authentication data in that packet is
261: then substituted by the real data if it matches the fake data,
262: and the channel is put into normal mode. */
263:
264: /* Check if the fixed size part of the packet is in buffer. */
265: if (buffer_len(&ch->output) < 12)
266: break;
267:
268: /* Parse the lengths of variable-length fields. */
269: ucp = (unsigned char *)buffer_ptr(&ch->output);
270: if (ucp[0] == 0x42)
271: { /* Byte order MSB first. */
272: proto_len = 256 * ucp[6] + ucp[7];
273: data_len = 256 * ucp[8] + ucp[9];
274: }
275: else
276: if (ucp[0] == 0x6c)
277: { /* Byte order LSB first. */
278: proto_len = ucp[6] + 256 * ucp[7];
279: data_len = ucp[8] + 256 * ucp[9];
280: }
281: else
282: {
283: debug("Initial X11 packet contains bad byte order byte: 0x%x",
284: ucp[0]);
285: ch->type = SSH_CHANNEL_OPEN;
286: goto reject;
287: }
288:
289: /* Check if the whole packet is in buffer. */
290: if (buffer_len(&ch->output) <
291: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
292: break;
293:
294: /* Check if authentication protocol matches. */
295: if (proto_len != strlen(x11_saved_proto) ||
296: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0)
297: {
298: debug("X11 connection uses different authentication protocol.");
299: ch->type = SSH_CHANNEL_OPEN;
300: goto reject;
301: }
302:
303: /* Check if authentication data matches our fake data. */
304: if (data_len != x11_fake_data_len ||
305: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
306: x11_fake_data, x11_fake_data_len) != 0)
307: {
308: debug("X11 auth data does not match fake data.");
309: ch->type = SSH_CHANNEL_OPEN;
310: goto reject;
311: }
312:
313: /* Received authentication protocol and data match our fake data.
314: Substitute the fake data with real data. */
315: assert(x11_fake_data_len == x11_saved_data_len);
316: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
317: x11_saved_data, x11_saved_data_len);
318:
319: /* Start normal processing for the channel. */
320: ch->type = SSH_CHANNEL_OPEN;
321: goto redo;
322:
323: reject:
324: /* We have received an X11 connection that has bad authentication
325: information. */
326: log("X11 connection rejected because of wrong authentication.\r\n");
327: buffer_clear(&ch->input);
328: buffer_clear(&ch->output);
329: close(ch->sock);
330: ch->sock = -1;
331: ch->type = SSH_CHANNEL_CLOSED;
332: packet_start(SSH_MSG_CHANNEL_CLOSE);
333: packet_put_int(ch->remote_id);
334: packet_send();
335: break;
336:
337: case SSH_CHANNEL_FREE:
338: default:
339: continue;
340: }
341: }
342: }
343:
344: /* After select, perform any appropriate operations for channels which
345: have events pending. */
346:
347: void channel_after_select(fd_set *readset, fd_set *writeset)
348: {
349: struct sockaddr addr;
350: int addrlen, newsock, i, newch, len, port;
351: Channel *ch;
352: char buf[16384], *remote_hostname;
353:
354: /* Loop over all channels... */
355: for (i = 0; i < channels_alloc; i++)
356: {
357: ch = &channels[i];
358: switch (ch->type)
359: {
360: case SSH_CHANNEL_X11_LISTENER:
361: /* This is our fake X11 server socket. */
362: if (FD_ISSET(ch->sock, readset))
363: {
364: debug("X11 connection requested.");
365: addrlen = sizeof(addr);
366: newsock = accept(ch->sock, &addr, &addrlen);
367: if (newsock < 0)
368: {
369: error("accept: %.100s", strerror(errno));
370: break;
371: }
372: remote_hostname = get_remote_hostname(newsock);
373: sprintf(buf, "X11 connection from %.200s port %d",
374: remote_hostname, get_peer_port(newsock));
375: xfree(remote_hostname);
376: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
377: xstrdup(buf));
378: packet_start(SSH_SMSG_X11_OPEN);
379: packet_put_int(newch);
380: if (have_hostname_in_open)
381: packet_put_string(buf, strlen(buf));
382: packet_send();
383: }
384: break;
385:
386: case SSH_CHANNEL_PORT_LISTENER:
387: /* This socket is listening for connections to a forwarded TCP/IP
388: port. */
389: if (FD_ISSET(ch->sock, readset))
390: {
391: debug("Connection to port %d forwarding to %.100s:%d requested.",
392: ch->listening_port, ch->path, ch->host_port);
393: addrlen = sizeof(addr);
394: newsock = accept(ch->sock, &addr, &addrlen);
395: if (newsock < 0)
396: {
397: error("accept: %.100s", strerror(errno));
398: break;
399: }
400: remote_hostname = get_remote_hostname(newsock);
401: sprintf(buf, "port %d, connection from %.200s port %d",
402: ch->listening_port, remote_hostname,
403: get_peer_port(newsock));
404: xfree(remote_hostname);
405: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
406: xstrdup(buf));
407: packet_start(SSH_MSG_PORT_OPEN);
408: packet_put_int(newch);
409: packet_put_string(ch->path, strlen(ch->path));
410: packet_put_int(ch->host_port);
411: if (have_hostname_in_open)
412: packet_put_string(buf, strlen(buf));
413: packet_send();
414: }
415: break;
416:
417: case SSH_CHANNEL_AUTH_FD:
418: /* This is the authentication agent file descriptor. It is used to
419: obtain the real connection to the agent. */
420: case SSH_CHANNEL_AUTH_SOCKET_FD:
421: /* This is the temporary connection obtained by connecting the
422: authentication agent socket. */
423: if (FD_ISSET(ch->sock, readset))
424: {
425: len = recv(ch->sock, buf, sizeof(buf), 0);
426: if (len <= 0)
427: {
428: channel_free(i);
429: break;
430: }
431: if (len != 3 || (unsigned char)buf[0] != SSH_AUTHFD_CONNECT)
432: break; /* Ignore any messages of wrong length or type. */
433: port = 256 * (unsigned char)buf[1] + (unsigned char)buf[2];
434: packet_start(SSH_SMSG_AGENT_OPEN);
435: packet_put_int(port);
436: packet_send();
437: }
438: break;
439:
440: case SSH_CHANNEL_AUTH_SOCKET:
441: /* This is the authentication agent socket listening for connections
442: from clients. */
443: if (FD_ISSET(ch->sock, readset))
444: {
445: len = sizeof(addr);
446: newsock = accept(ch->sock, &addr, &len);
447: if (newsock < 0)
448: error("Accept from authentication socket failed");
449: (void)channel_allocate(SSH_CHANNEL_AUTH_SOCKET_FD, newsock,
450: xstrdup("accepted auth socket"));
451: }
452: break;
453:
454: case SSH_CHANNEL_OPEN:
455: /* This is an open two-way communication channel. It is not of
456: interest to us at this point what kind of data is being
457: transmitted. */
458: /* Read available incoming data and append it to buffer. */
459: if (FD_ISSET(ch->sock, readset))
460: {
461: len = read(ch->sock, buf, sizeof(buf));
462: if (len <= 0)
463: {
464: buffer_consume(&ch->output, buffer_len(&ch->output));
465: ch->type = SSH_CHANNEL_INPUT_DRAINING;
466: debug("Channel %d status set to input draining.", i);
467: break;
468: }
469: buffer_append(&ch->input, buf, len);
470: }
471: /* Send buffered output data to the socket. */
472: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
473: {
474: len = write(ch->sock, buffer_ptr(&ch->output),
475: buffer_len(&ch->output));
476: if (len <= 0)
477: {
478: buffer_consume(&ch->output, buffer_len(&ch->output));
479: debug("Channel %d status set to input draining.", i);
480: ch->type = SSH_CHANNEL_INPUT_DRAINING;
481: break;
482: }
483: buffer_consume(&ch->output, len);
484: }
485: break;
486:
487: case SSH_CHANNEL_OUTPUT_DRAINING:
488: /* Send buffered output data to the socket. */
489: if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0)
490: {
491: len = write(ch->sock, buffer_ptr(&ch->output),
492: buffer_len(&ch->output));
493: if (len <= 0)
494: buffer_consume(&ch->output, buffer_len(&ch->output));
495: else
496: buffer_consume(&ch->output, len);
497: }
498: break;
499:
500: case SSH_CHANNEL_X11_OPEN:
501: case SSH_CHANNEL_FREE:
502: default:
503: continue;
504: }
505: }
506: }
507:
508: /* If there is data to send to the connection, send some of it now. */
509:
510: void channel_output_poll()
511: {
512: int len, i;
513: Channel *ch;
514:
515: for (i = 0; i < channels_alloc; i++)
516: {
517: ch = &channels[i];
518: /* We are only interested in channels that can have buffered incoming
519: data. */
520: if (ch->type != SSH_CHANNEL_OPEN &&
521: ch->type != SSH_CHANNEL_INPUT_DRAINING)
522: continue;
523:
524: /* Get the amount of buffered data for this channel. */
525: len = buffer_len(&ch->input);
526: if (len > 0)
527: {
528: /* Send some data for the other side over the secure connection. */
529: if (packet_is_interactive())
530: {
531: if (len > 1024)
532: len = 512;
533: }
534: else
535: {
536: if (len > 16384)
537: len = 16384; /* Keep the packets at reasonable size. */
538: }
539: packet_start(SSH_MSG_CHANNEL_DATA);
540: packet_put_int(ch->remote_id);
541: packet_put_string(buffer_ptr(&ch->input), len);
542: packet_send();
543: buffer_consume(&ch->input, len);
544: }
545: }
546: }
547:
548: /* This is called when a packet of type CHANNEL_DATA has just been received.
549: The message type has already been consumed, but channel number and data
550: is still there. */
551:
552: void channel_input_data(int payload_len)
553: {
554: int channel;
555: char *data;
556: unsigned int data_len;
557:
558: /* Get the channel number and verify it. */
559: channel = packet_get_int();
560: if (channel < 0 || channel >= channels_alloc ||
561: channels[channel].type == SSH_CHANNEL_FREE)
562: packet_disconnect("Received data for nonexistent channel %d.", channel);
563:
564: /* Ignore any data for non-open channels (might happen on close) */
565: if (channels[channel].type != SSH_CHANNEL_OPEN &&
566: channels[channel].type != SSH_CHANNEL_X11_OPEN)
567: return;
568:
569: /* Get the data. */
570: data = packet_get_string(&data_len);
571: packet_integrity_check(payload_len, 4 + 4+data_len, SSH_MSG_CHANNEL_DATA);
572: buffer_append(&channels[channel].output, data, data_len);
573: xfree(data);
574: }
575:
576: /* Returns true if no channel has too much buffered data, and false if
577: one or more channel is overfull. */
578:
579: int channel_not_very_much_buffered_data()
580: {
581: unsigned int i;
582: Channel *ch;
583:
584: for (i = 0; i < channels_alloc; i++)
585: {
586: ch = &channels[i];
587: switch (channels[i].type)
588: {
589: case SSH_CHANNEL_X11_LISTENER:
590: case SSH_CHANNEL_PORT_LISTENER:
591: case SSH_CHANNEL_AUTH_SOCKET:
592: case SSH_CHANNEL_AUTH_SOCKET_FD:
593: case SSH_CHANNEL_AUTH_FD:
594: continue;
595: case SSH_CHANNEL_OPEN:
596: if (buffer_len(&ch->input) > 32768)
597: return 0;
598: if (buffer_len(&ch->output) > 32768)
599: return 0;
600: continue;
601: case SSH_CHANNEL_INPUT_DRAINING:
602: case SSH_CHANNEL_OUTPUT_DRAINING:
603: case SSH_CHANNEL_X11_OPEN:
604: case SSH_CHANNEL_FREE:
605: default:
606: continue;
607: }
608: }
609: return 1;
610: }
611:
612: /* This is called after receiving CHANNEL_CLOSE. */
613:
614: void channel_input_close()
615: {
616: int channel;
617:
618: /* Get the channel number and verify it. */
619: channel = packet_get_int();
620: if (channel < 0 || channel >= channels_alloc ||
621: channels[channel].type == SSH_CHANNEL_FREE)
622: packet_disconnect("Received data for nonexistent channel %d.", channel);
623:
624: /* Send a confirmation that we have closed the channel and no more data is
625: coming for it. */
626: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
627: packet_put_int(channels[channel].remote_id);
628: packet_send();
629:
630: /* If the channel is in closed state, we have sent a close request, and
631: the other side will eventually respond with a confirmation. Thus,
632: we cannot free the channel here, because then there would be no-one to
633: receive the confirmation. The channel gets freed when the confirmation
634: arrives. */
635: if (channels[channel].type != SSH_CHANNEL_CLOSED)
636: {
637: /* Not a closed channel - mark it as draining, which will cause it to
638: be freed later. */
639: buffer_consume(&channels[channel].input,
640: buffer_len(&channels[channel].input));
641: channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING;
642: /* debug("Setting status to output draining; output len = %d",
643: buffer_len(&channels[channel].output)); */
644: }
645: }
646:
647: /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION. */
648:
649: void channel_input_close_confirmation()
650: {
651: int channel;
652:
653: /* Get the channel number and verify it. */
654: channel = packet_get_int();
655: if (channel < 0 || channel >= channels_alloc)
656: packet_disconnect("Received close confirmation for out-of-range channel %d.",
657: channel);
658: if (channels[channel].type != SSH_CHANNEL_CLOSED)
659: packet_disconnect("Received close confirmation for non-closed channel %d (type %d).",
660: channel, channels[channel].type);
661:
662: /* Free the channel. */
663: channel_free(channel);
664: }
665:
666: /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */
667:
668: void channel_input_open_confirmation()
669: {
670: int channel, remote_channel;
671:
672: /* Get the channel number and verify it. */
673: channel = packet_get_int();
674: if (channel < 0 || channel >= channels_alloc ||
675: channels[channel].type != SSH_CHANNEL_OPENING)
676: packet_disconnect("Received open confirmation for non-opening channel %d.",
677: channel);
678:
679: /* Get remote side's id for this channel. */
680: remote_channel = packet_get_int();
681:
682: /* Record the remote channel number and mark that the channel is now open. */
683: channels[channel].remote_id = remote_channel;
684: channels[channel].type = SSH_CHANNEL_OPEN;
685: }
686:
687: /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */
688:
689: void channel_input_open_failure()
690: {
691: int channel;
692:
693: /* Get the channel number and verify it. */
694: channel = packet_get_int();
695: if (channel < 0 || channel >= channels_alloc ||
696: channels[channel].type != SSH_CHANNEL_OPENING)
697: packet_disconnect("Received open failure for non-opening channel %d.",
698: channel);
699:
700: /* Free the channel. This will also close the socket. */
701: channel_free(channel);
702: }
703:
704: /* Stops listening for channels, and removes any unix domain sockets that
705: we might have. */
706:
707: void channel_stop_listening()
708: {
709: int i;
710: for (i = 0; i < channels_alloc; i++)
711: {
712: switch (channels[i].type)
713: {
714: case SSH_CHANNEL_AUTH_SOCKET:
715: close(channels[i].sock);
716: remove(channels[i].path);
717: channel_free(i);
718: break;
719: case SSH_CHANNEL_PORT_LISTENER:
720: case SSH_CHANNEL_X11_LISTENER:
721: close(channels[i].sock);
722: channel_free(i);
723: break;
724: default:
725: break;
726: }
727: }
728: }
729:
730: /* Closes the sockets of all channels. This is used to close extra file
731: descriptors after a fork. */
732:
733: void channel_close_all()
734: {
735: int i;
736: for (i = 0; i < channels_alloc; i++)
737: {
738: if (channels[i].type != SSH_CHANNEL_FREE)
739: close(channels[i].sock);
740: }
741: }
742:
743: /* Returns the maximum file descriptor number used by the channels. */
744:
745: int channel_max_fd()
746: {
747: return channel_max_fd_value;
748: }
749:
750: /* Returns true if any channel is still open. */
751:
752: int channel_still_open()
753: {
754: unsigned int i;
755: for (i = 0; i < channels_alloc; i++)
756: switch (channels[i].type)
757: {
758: case SSH_CHANNEL_FREE:
759: case SSH_CHANNEL_X11_LISTENER:
760: case SSH_CHANNEL_PORT_LISTENER:
761: case SSH_CHANNEL_CLOSED:
762: case SSH_CHANNEL_AUTH_FD:
763: case SSH_CHANNEL_AUTH_SOCKET:
764: case SSH_CHANNEL_AUTH_SOCKET_FD:
765: continue;
766: case SSH_CHANNEL_OPENING:
767: case SSH_CHANNEL_OPEN:
768: case SSH_CHANNEL_X11_OPEN:
769: case SSH_CHANNEL_INPUT_DRAINING:
770: case SSH_CHANNEL_OUTPUT_DRAINING:
771: return 1;
772: default:
773: fatal("channel_still_open: bad channel type %d", channels[i].type);
774: /*NOTREACHED*/
775: }
776: return 0;
777: }
778:
779: /* Returns a message describing the currently open forwarded
780: connections, suitable for sending to the client. The message
781: contains crlf pairs for newlines. */
782:
783: char *channel_open_message()
784: {
785: Buffer buffer;
786: int i;
787: char buf[512], *cp;
788:
789: buffer_init(&buffer);
790: sprintf(buf, "The following connections are open:\r\n");
791: buffer_append(&buffer, buf, strlen(buf));
792: for (i = 0; i < channels_alloc; i++)
793: switch (channels[i].type)
794: {
795: case SSH_CHANNEL_FREE:
796: case SSH_CHANNEL_X11_LISTENER:
797: case SSH_CHANNEL_PORT_LISTENER:
798: case SSH_CHANNEL_CLOSED:
799: case SSH_CHANNEL_AUTH_FD:
800: case SSH_CHANNEL_AUTH_SOCKET:
801: case SSH_CHANNEL_AUTH_SOCKET_FD:
802: continue;
803: case SSH_CHANNEL_OPENING:
804: case SSH_CHANNEL_OPEN:
805: case SSH_CHANNEL_X11_OPEN:
806: case SSH_CHANNEL_INPUT_DRAINING:
807: case SSH_CHANNEL_OUTPUT_DRAINING:
808: sprintf(buf, " %.300s\r\n", channels[i].remote_name);
809: buffer_append(&buffer, buf, strlen(buf));
810: continue;
811: default:
812: fatal("channel_still_open: bad channel type %d", channels[i].type);
813: /*NOTREACHED*/
814: }
815: buffer_append(&buffer, "\0", 1);
816: cp = xstrdup(buffer_ptr(&buffer));
817: buffer_free(&buffer);
818: return cp;
819: }
820:
821: /* Initiate forwarding of connections to local port "port" through the secure
822: channel to host:port from remote side. */
823:
824: void channel_request_local_forwarding(int port, const char *host,
825: int host_port)
826: {
827: int ch, sock;
828: struct sockaddr_in sin;
1.4 deraadt 829: extern Options options;
1.1 deraadt 830:
831: if (strlen(host) > sizeof(channels[0].path) - 1)
832: packet_disconnect("Forward host name too long.");
833:
834: /* Create a port to listen for the host. */
835: sock = socket(AF_INET, SOCK_STREAM, 0);
836: if (sock < 0)
837: packet_disconnect("socket: %.100s", strerror(errno));
838:
839: /* Initialize socket address. */
840: memset(&sin, 0, sizeof(sin));
841: sin.sin_family = AF_INET;
1.4 deraadt 842: if (options.gateway_ports == 1)
843: sin.sin_addr.s_addr = htonl(INADDR_ANY);
844: else
845: sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
1.1 deraadt 846: sin.sin_port = htons(port);
847:
848: /* Bind the socket to the address. */
849: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
850: packet_disconnect("bind: %.100s", strerror(errno));
851:
852: /* Start listening for connections on the socket. */
853: if (listen(sock, 5) < 0)
854: packet_disconnect("listen: %.100s", strerror(errno));
855:
856: /* Allocate a channel number for the socket. */
857: ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock,
858: xstrdup("port listener"));
859: strcpy(channels[ch].path, host); /* note: host name stored here */
860: channels[ch].host_port = host_port; /* port on host to connect to */
861: channels[ch].listening_port = port; /* port being listened */
862: }
863:
864: /* Initiate forwarding of connections to port "port" on remote host through
865: the secure channel to host:port from local side. */
866:
867: void channel_request_remote_forwarding(int port, const char *host,
868: int remote_port)
869: {
870: int payload_len;
871: /* Record locally that connection to this host/port is permitted. */
872: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
873: fatal("channel_request_remote_forwarding: too many forwards");
874: permitted_opens[num_permitted_opens].host = xstrdup(host);
875: permitted_opens[num_permitted_opens].port = remote_port;
876: num_permitted_opens++;
877:
878: /* Send the forward request to the remote side. */
879: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
880: packet_put_int(port);
881: packet_put_string(host, strlen(host));
882: packet_put_int(remote_port);
883: packet_send();
884: packet_write_wait();
885:
886: /* Wait for response from the remote side. It will send a disconnect
887: message on failure, and we will never see it here. */
888: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
889: }
890:
891: /* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
892: listening for the port, and sends back a success reply (or disconnect
893: message if there was an error). This never returns if there was an
894: error. */
895:
896: void channel_input_port_forward_request(int is_root)
897: {
898: int port, host_port;
899: char *hostname;
900:
901: /* Get arguments from the packet. */
902: port = packet_get_int();
903: hostname = packet_get_string(NULL);
904: host_port = packet_get_int();
905:
906: /* Port numbers are 16 bit quantities. */
907: if ((port & 0xffff) != port)
908: packet_disconnect("Requested forwarding of nonexistent port %d.", port);
909:
910:
911: /* Check that an unprivileged user is not trying to forward a privileged
912: port. */
913: if (port < 1024 && !is_root)
914: packet_disconnect("Requested forwarding of port %d but user is not root.",
915: port);
916:
917: /* Initiate forwarding. */
918: channel_request_local_forwarding(port, hostname, host_port);
919:
920: /* Free the argument string. */
921: xfree(hostname);
922: }
923:
924: /* This is called after receiving PORT_OPEN message. This attempts to connect
925: to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or
926: CHANNEL_OPEN_FAILURE. */
927:
928: void channel_input_port_open(int payload_len)
929: {
930: int remote_channel, sock, newch, host_port, i;
931: struct sockaddr_in sin;
932: char *host, *originator_string;
933: struct hostent *hp;
934: int host_len, originator_len;
935:
936: /* Get remote channel number. */
937: remote_channel = packet_get_int();
938:
939: /* Get host name to connect to. */
940: host = packet_get_string(&host_len);
941:
942: /* Get port to connect to. */
943: host_port = packet_get_int();
944:
945: /* Get remote originator name. */
946: if (have_hostname_in_open)
947: originator_string = packet_get_string(&originator_len);
948: else
949: originator_string = xstrdup("unknown (remote did not supply name)");
950:
951: packet_integrity_check(payload_len,
952: 4 + 4 + host_len + 4 + 4 + originator_len,
953: SSH_MSG_PORT_OPEN);
954:
955: /* Check if opening that port is permitted. */
956: if (!all_opens_permitted)
957: {
958: /* Go trough all permitted ports. */
959: for (i = 0; i < num_permitted_opens; i++)
960: if (permitted_opens[i].port == host_port &&
961: strcmp(permitted_opens[i].host, host) == 0)
962: break;
963:
964: /* Check if we found the requested port among those permitted. */
965: if (i >= num_permitted_opens)
966: {
967: /* The port is not permitted. */
968: log("Received request to connect to %.100s:%d, but the request was denied.",
969: host, host_port);
970: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
971: packet_put_int(remote_channel);
972: packet_send();
973: }
974: }
975:
976: memset(&sin, 0, sizeof(sin));
977: #ifdef BROKEN_INET_ADDR
978: sin.sin_addr.s_addr = inet_network(host);
979: #else /* BROKEN_INET_ADDR */
980: sin.sin_addr.s_addr = inet_addr(host);
981: #endif /* BROKEN_INET_ADDR */
982: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
983: {
984: /* It was a valid numeric host address. */
985: sin.sin_family = AF_INET;
986: }
987: else
988: {
989: /* Look up the host address from the name servers. */
990: hp = gethostbyname(host);
991: if (!hp)
992: {
993: error("%.100s: unknown host.", host);
994: goto fail;
995: }
996: if (!hp->h_addr_list[0])
997: {
998: error("%.100s: host has no IP address.", host);
999: goto fail;
1000: }
1001: sin.sin_family = hp->h_addrtype;
1002: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1003: sizeof(sin.sin_addr));
1004: }
1005: sin.sin_port = htons(host_port);
1006:
1007: /* Create the socket. */
1008: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1009: if (sock < 0)
1010: {
1011: error("socket: %.100s", strerror(errno));
1012: goto fail;
1013: }
1014:
1015: /* Connect to the host/port. */
1016: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1017: {
1018: error("connect %.100s:%d: %.100s", host, host_port,
1019: strerror(errno));
1020: close(sock);
1021: goto fail;
1022: }
1023:
1024: /* Successful connection. */
1025:
1026: /* Allocate a channel for this connection. */
1027: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1028: channels[newch].remote_id = remote_channel;
1029:
1030: /* Send a confirmation to the remote host. */
1031: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1032: packet_put_int(remote_channel);
1033: packet_put_int(newch);
1034: packet_send();
1035:
1036: /* Free the argument string. */
1037: xfree(host);
1038:
1039: return;
1040:
1041: fail:
1042: /* Free the argument string. */
1043: xfree(host);
1044:
1045: /* Send refusal to the remote host. */
1046: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1047: packet_put_int(remote_channel);
1048: packet_send();
1049: }
1050:
1051: /* Creates an internet domain socket for listening for X11 connections.
1052: Returns a suitable value for the DISPLAY variable, or NULL if an error
1053: occurs. */
1054:
1055: char *x11_create_display_inet(int screen_number)
1056: {
1.3 deraadt 1057: extern ServerOptions options;
1.1 deraadt 1058: int display_number, port, sock;
1059: struct sockaddr_in sin;
1060: char buf[512];
1.6 ! deraadt 1061: char hostname[MAXHOSTNAMELEN];
1.1 deraadt 1062:
1.3 deraadt 1063: for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++)
1.1 deraadt 1064: {
1065: port = 6000 + display_number;
1066: memset(&sin, 0, sizeof(sin));
1067: sin.sin_family = AF_INET;
1.4 deraadt 1068: sin.sin_addr.s_addr = htonl(INADDR_ANY);
1.1 deraadt 1069: sin.sin_port = htons(port);
1070:
1071: sock = socket(AF_INET, SOCK_STREAM, 0);
1072: if (sock < 0)
1073: {
1074: error("socket: %.100s", strerror(errno));
1075: return NULL;
1076: }
1077:
1078: if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1079: {
1080: debug("bind port %d: %.100s", port, strerror(errno));
1081: shutdown(sock, 2);
1082: close(sock);
1083: continue;
1084: }
1085: break;
1086: }
1087: if (display_number >= MAX_DISPLAYS)
1088: {
1089: error("Failed to allocate internet-domain X11 display socket.");
1090: return NULL;
1091: }
1092:
1093: /* Start listening for connections on the socket. */
1094: if (listen(sock, 5) < 0)
1095: {
1096: error("listen: %.100s", strerror(errno));
1097: shutdown(sock, 2);
1098: close(sock);
1099: return NULL;
1100: }
1101:
1102: /* Set up a suitable value for the DISPLAY variable. */
1103: if (gethostname(hostname, sizeof(hostname)) < 0)
1104: fatal("gethostname: %.100s", strerror(errno));
1.6 ! deraadt 1105: snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname,
! 1106: display_number, screen_number);
1.1 deraadt 1107:
1108: /* Allocate a channel for the socket. */
1109: (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1110: xstrdup("X11 inet listener"));
1111:
1112: /* Return a suitable value for the DISPLAY environment variable. */
1113: return xstrdup(buf);
1114: }
1115:
1116: #ifndef X_UNIX_PATH
1117: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1118: #endif
1119:
1120: static
1121: int
1122: connect_local_xsocket(unsigned dnr)
1123: {
1124: static const char *const x_sockets[] = {
1125: X_UNIX_PATH "%u",
1126: "/var/X/.X11-unix/X" "%u",
1127: "/usr/spool/sockets/X11/" "%u",
1128: NULL
1129: };
1130: int sock;
1131: struct sockaddr_un addr;
1132: const char *const *path;
1133:
1134: for (path = x_sockets; *path; ++path)
1135: {
1136: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1137: if (sock < 0)
1138: error("socket: %.100s", strerror(errno));
1139: memset(&addr, 0, sizeof(addr));
1140: addr.sun_family = AF_UNIX;
1141: sprintf(addr.sun_path, *path, dnr);
1142: if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
1143: return sock;
1144: close(sock);
1145: }
1146: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1147: return -1;
1148: }
1149:
1150:
1151: /* This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1152: the remote channel number. We should do whatever we want, and respond
1153: with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */
1154:
1155: void x11_input_open(int payload_len)
1156: {
1157: int remote_channel, display_number, sock, newch;
1158: const char *display;
1159: struct sockaddr_in sin;
1160: char buf[1024], *cp, *remote_host;
1161: struct hostent *hp;
1162: int remote_len;
1163:
1164: /* Get remote channel number. */
1165: remote_channel = packet_get_int();
1166:
1167: /* Get remote originator name. */
1168: if (have_hostname_in_open)
1169: remote_host = packet_get_string(&remote_len);
1170: else
1171: remote_host = xstrdup("unknown (remote did not supply name)");
1172:
1173: debug("Received X11 open request.");
1174: packet_integrity_check(payload_len, 4 + 4+remote_len, SSH_SMSG_X11_OPEN);
1175:
1176: /* Try to open a socket for the local X server. */
1177: display = getenv("DISPLAY");
1178: if (!display)
1179: {
1180: error("DISPLAY not set.");
1181: goto fail;
1182: }
1183:
1184: /* Now we decode the value of the DISPLAY variable and make a connection
1185: to the real X server. */
1186:
1187: /* Check if it is a unix domain socket. Unix domain displays are in one
1188: of the following formats: unix:d[.s], :d[.s], ::d[.s] */
1189: if (strncmp(display, "unix:", 5) == 0 ||
1190: display[0] == ':')
1191: {
1192: /* Connect to the unix domain socket. */
1193: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1)
1194: {
1195: error("Could not parse display number from DISPLAY: %.100s",
1196: display);
1197: goto fail;
1198: }
1199: /* Create a socket. */
1200: sock = connect_local_xsocket(display_number);
1201: if (sock < 0)
1202: goto fail;
1203:
1204: /* OK, we now have a connection to the display. */
1205: goto success;
1206: }
1207:
1208: /* Connect to an inet socket. The DISPLAY value is supposedly
1209: hostname:d[.s], where hostname may also be numeric IP address. */
1210: strncpy(buf, display, sizeof(buf));
1211: buf[sizeof(buf) - 1] = 0;
1212: cp = strchr(buf, ':');
1213: if (!cp)
1214: {
1215: error("Could not find ':' in DISPLAY: %.100s", display);
1216: goto fail;
1217: }
1218: *cp = 0;
1219: /* buf now contains the host name. But first we parse the display number. */
1220: if (sscanf(cp + 1, "%d", &display_number) != 1)
1221: {
1222: error("Could not parse display number from DISPLAY: %.100s",
1223: display);
1224: goto fail;
1225: }
1226:
1227: /* Try to parse the host name as a numeric IP address. */
1228: memset(&sin, 0, sizeof(sin));
1229: #ifdef BROKEN_INET_ADDR
1230: sin.sin_addr.s_addr = inet_network(buf);
1231: #else /* BROKEN_INET_ADDR */
1232: sin.sin_addr.s_addr = inet_addr(buf);
1233: #endif /* BROKEN_INET_ADDR */
1234: if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff)
1235: {
1236: /* It was a valid numeric host address. */
1237: sin.sin_family = AF_INET;
1238: }
1239: else
1240: {
1241: /* Not a numeric IP address. */
1242: /* Look up the host address from the name servers. */
1243: hp = gethostbyname(buf);
1244: if (!hp)
1245: {
1246: error("%.100s: unknown host.", buf);
1247: goto fail;
1248: }
1249: if (!hp->h_addr_list[0])
1250: {
1251: error("%.100s: host has no IP address.", buf);
1252: goto fail;
1253: }
1254: sin.sin_family = hp->h_addrtype;
1255: memcpy(&sin.sin_addr, hp->h_addr_list[0],
1256: sizeof(sin.sin_addr));
1257: }
1258: /* Set port number. */
1259: sin.sin_port = htons(6000 + display_number);
1260:
1261: /* Create a socket. */
1262: sock = socket(sin.sin_family, SOCK_STREAM, 0);
1263: if (sock < 0)
1264: {
1265: error("socket: %.100s", strerror(errno));
1266: goto fail;
1267: }
1268: /* Connect it to the display. */
1269: if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
1270: {
1271: error("connect %.100s:%d: %.100s", buf, 6000 + display_number,
1272: strerror(errno));
1273: close(sock);
1274: goto fail;
1275: }
1276:
1277: success:
1278: /* We have successfully obtained a connection to the real X display. */
1279:
1280: /* Allocate a channel for this connection. */
1281: if (x11_saved_proto == NULL)
1282: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1283: else
1284: newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1285: channels[newch].remote_id = remote_channel;
1286:
1287: /* Send a confirmation to the remote host. */
1288: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1289: packet_put_int(remote_channel);
1290: packet_put_int(newch);
1291: packet_send();
1292:
1293: return;
1294:
1295: fail:
1296: /* Send refusal to the remote host. */
1297: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1298: packet_put_int(remote_channel);
1299: packet_send();
1300: }
1301:
1302: /* Requests forwarding of X11 connections, generates fake authentication
1303: data, and enables authentication spoofing. */
1304:
1.2 provos 1305: void x11_request_forwarding_with_spoofing(const char *proto, const char *data)
1.1 deraadt 1306: {
1307: unsigned int data_len = (unsigned int)strlen(data) / 2;
1308: unsigned int i, value;
1309: char *new_data;
1310: int screen_number;
1311: const char *cp;
1.5 dugsong 1312: u_int32_t rand = 0;
1.1 deraadt 1313:
1314: cp = getenv("DISPLAY");
1315: if (cp)
1316: cp = strchr(cp, ':');
1317: if (cp)
1318: cp = strchr(cp, '.');
1319: if (cp)
1320: screen_number = atoi(cp + 1);
1321: else
1322: screen_number = 0;
1323:
1324: /* Save protocol name. */
1325: x11_saved_proto = xstrdup(proto);
1326:
1327: /* Extract real authentication data and generate fake data of the same
1328: length. */
1329: x11_saved_data = xmalloc(data_len);
1330: x11_fake_data = xmalloc(data_len);
1331: for (i = 0; i < data_len; i++)
1332: {
1333: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1334: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1.2 provos 1335: if (i % 4 == 0)
1336: rand = arc4random();
1.1 deraadt 1337: x11_saved_data[i] = value;
1.2 provos 1338: x11_fake_data[i] = rand & 0xff;
1339: rand >>= 8;
1.1 deraadt 1340: }
1341: x11_saved_data_len = data_len;
1342: x11_fake_data_len = data_len;
1343:
1344: /* Convert the fake data into hex. */
1345: new_data = xmalloc(2 * data_len + 1);
1346: for (i = 0; i < data_len; i++)
1347: sprintf(new_data + 2 * i, "%02x", (unsigned char)x11_fake_data[i]);
1348:
1349: /* Send the request packet. */
1350: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1351: packet_put_string(proto, strlen(proto));
1352: packet_put_string(new_data, strlen(new_data));
1353: packet_put_int(screen_number);
1354: packet_send();
1355: packet_write_wait();
1356: xfree(new_data);
1357: }
1358:
1359: /* Sends a message to the server to request authentication fd forwarding. */
1360:
1361: void auth_request_forwarding()
1362: {
1363: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
1364: packet_send();
1365: packet_write_wait();
1366: }
1367:
1368: /* Returns the number of the file descriptor to pass to child programs as
1369: the authentication fd. Returns -1 if there is no forwarded authentication
1370: fd. */
1371:
1372: int auth_get_fd()
1373: {
1374: return channel_forwarded_auth_fd;
1375: }
1376:
1377: /* Returns the name of the forwarded authentication socket. Returns NULL
1378: if there is no forwarded authentication socket. The returned value
1379: points to a static buffer. */
1380:
1381: char *auth_get_socket_name()
1382: {
1383: return channel_forwarded_auth_socket_name;
1384: }
1385:
1386: /* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1387: This starts forwarding authentication requests. */
1388:
1389: void auth_input_request_forwarding(struct passwd *pw)
1390: {
1391: int pfd = get_permanent_fd(pw->pw_shell);
1392: #ifdef HAVE_UMASK
1393: mode_t savedumask;
1394: #endif /* HAVE_UMASK */
1395:
1396: if (pfd < 0)
1397: {
1398: int sock, newch;
1399: struct sockaddr_un sunaddr;
1400:
1401: if (auth_get_socket_name() != NULL)
1402: fatal("Protocol error: authentication forwarding requested twice.");
1403:
1404: /* Allocate a buffer for the socket name, and format the name. */
1405: channel_forwarded_auth_socket_name = xmalloc(100);
1406: sprintf(channel_forwarded_auth_socket_name, SSH_AGENT_SOCKET,
1407: (int)getpid());
1408:
1409: /* Create the socket. */
1410: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1411: if (sock < 0)
1412: packet_disconnect("socket: %.100s", strerror(errno));
1413:
1414: /* Bind it to the name. */
1415: memset(&sunaddr, 0, sizeof(sunaddr));
1416: sunaddr.sun_family = AF_UNIX;
1417: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
1418: sizeof(sunaddr.sun_path));
1419:
1420: #ifdef HAVE_UMASK
1421: savedumask = umask(0077);
1422: #endif /* HAVE_UMASK */
1423:
1424: /* Temporarily use a privileged uid. */
1425: temporarily_use_uid(pw->pw_uid);
1426:
1427: if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
1428: packet_disconnect("bind: %.100s", strerror(errno));
1429:
1430: /* Restore the privileged uid. */
1431: restore_uid();
1432:
1433: #ifdef HAVE_UMASK
1434: umask(savedumask);
1435: #endif /* HAVE_UMASK */
1436:
1437: /* Start listening on the socket. */
1438: if (listen(sock, 5) < 0)
1439: packet_disconnect("listen: %.100s", strerror(errno));
1440:
1441: /* Allocate a channel for the authentication agent socket. */
1442: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
1443: xstrdup("auth socket"));
1444: strcpy(channels[newch].path, channel_forwarded_auth_socket_name);
1445: }
1446: else
1447: {
1448: int sockets[2], i, cnt, newfd;
1449: int *dups = xmalloc(sizeof (int) * (pfd + 1));
1450:
1451: if (auth_get_fd() != -1)
1452: fatal("Protocol error: authentication forwarding requested twice.");
1453:
1454: /* Create a socket pair. */
1455: if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0)
1456: packet_disconnect("socketpair: %.100s", strerror(errno));
1457:
1458: /* Dup some descriptors to get the authentication fd to pfd,
1459: because some shells arbitrarily close descriptors below that.
1460: Don't use dup2 because maybe some systems don't have it?? */
1461: for (cnt = 0;; cnt++)
1462: {
1463: if ((dups[cnt] = dup(packet_get_connection_in())) < 0)
1464: fatal("auth_input_request_forwarding: dup failed");
1465: if (dups[cnt] == pfd)
1466: break;
1467: }
1468: close(dups[cnt]);
1469:
1470: /* Move the file descriptor we pass to children up high where
1471: the shell won't close it. */
1472: newfd = dup(sockets[1]);
1473: if (newfd != pfd)
1474: fatal ("auth_input_request_forwarding: dup didn't return %d.", pfd);
1475: close(sockets[1]);
1476: sockets[1] = newfd;
1477: /* Close duped descriptors. */
1478: for (i = 0; i < cnt; i++)
1479: close(dups[i]);
1480: free(dups);
1481:
1482: /* Record the file descriptor to be passed to children. */
1483: channel_forwarded_auth_fd = sockets[1];
1484:
1485: /* Allcate a channel for the authentication fd. */
1486: (void)channel_allocate(SSH_CHANNEL_AUTH_FD, sockets[0],
1487: xstrdup("auth fd"));
1488: }
1489: }
1490:
1491: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
1492:
1493: void auth_input_open_request()
1494: {
1495: int port, sock, newch;
1496: char *dummyname;
1497:
1498: /* Read the port number from the message. */
1499: port = packet_get_int();
1500:
1501: /* Get a connection to the local authentication agent (this may again get
1502: forwarded). */
1503: sock = ssh_get_authentication_connection_fd();
1504:
1505: /* If we could not connect the agent, just return. This will cause the
1506: client to timeout and fail. This should never happen unless the agent
1507: dies, because authentication forwarding is only enabled if we have an
1508: agent. */
1509: if (sock < 0)
1510: return;
1511:
1512: debug("Forwarding authentication connection.");
1513:
1514: /* Dummy host name. This will be freed when the channel is freed; it will
1515: still be valid in the packet_put_string below since the channel cannot
1516: yet be freed at that point. */
1517: dummyname = xstrdup("authentication agent connection");
1518:
1519: /* Allocate a channel for the new connection. */
1520: newch = channel_allocate(SSH_CHANNEL_OPENING, sock, dummyname);
1521:
1522: /* Fake a forwarding request. */
1523: packet_start(SSH_MSG_PORT_OPEN);
1524: packet_put_int(newch);
1525: packet_put_string("localhost", strlen("localhost"));
1526: packet_put_int(port);
1527: if (have_hostname_in_open)
1528: packet_put_string(dummyname, strlen(dummyname));
1529: packet_send();
1530: }