Annotation of src/usr.bin/ssh/channels.c, Revision 1.62
1.1 deraadt 1: /*
1.49 markus 2: *
1.26 deraadt 3: * channels.c
1.49 markus 4: *
1.26 deraadt 5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
1.49 markus 6: *
1.26 deraadt 7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
1.49 markus 9: *
1.26 deraadt 10: * Created: Fri Mar 24 16:35:24 1995 ylo
1.49 markus 11: *
1.26 deraadt 12: * This file contains functions for generic socket connection forwarding.
13: * There is also code for initiating connection forwarding for X11 connections,
14: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.26 deraadt 17: */
1.1 deraadt 18:
19: #include "includes.h"
1.62 ! markus 20: RCSID("$OpenBSD: channels.c,v 1.61 2000/06/17 16:01:33 deraadt Exp $");
1.1 deraadt 21:
22: #include "ssh.h"
23: #include "packet.h"
24: #include "xmalloc.h"
25: #include "buffer.h"
26: #include "authfd.h"
27: #include "uidswap.h"
1.20 markus 28: #include "readconf.h"
1.3 deraadt 29: #include "servconf.h"
1.1 deraadt 30:
1.14 markus 31: #include "channels.h"
32: #include "nchan.h"
33: #include "compat.h"
34:
1.44 markus 35: #include "ssh2.h"
36:
1.1 deraadt 37: /* Maximum number of fake X11 displays to try. */
38: #define MAX_DISPLAYS 1000
39:
1.12 markus 40: /* Max len of agent socket */
41: #define MAX_SOCKET_NAME 100
42:
1.51 markus 43: /* default window/packet sizes for tcp/x11-fwd-channel */
44: #define CHAN_TCP_WINDOW_DEFAULT (8*1024)
45: #define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2)
46: #define CHAN_X11_WINDOW_DEFAULT (4*1024)
47: #define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2)
1.41 markus 48:
1.27 markus 49: /*
50: * Pointer to an array containing all allocated channels. The array is
51: * dynamically extended as needed.
52: */
1.1 deraadt 53: static Channel *channels = NULL;
54:
1.27 markus 55: /*
56: * Size of the channel array. All slots of the array must always be
57: * initialized (at least the type field); unused slots are marked with type
58: * SSH_CHANNEL_FREE.
59: */
1.1 deraadt 60: static int channels_alloc = 0;
61:
1.27 markus 62: /*
63: * Maximum file descriptor value used in any of the channels. This is
64: * updated in channel_allocate.
65: */
1.1 deraadt 66: static int channel_max_fd_value = 0;
67:
1.12 markus 68: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 69: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 70: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 71:
72: /* Saved X11 authentication protocol name. */
73: char *x11_saved_proto = NULL;
74:
75: /* Saved X11 authentication data. This is the real data. */
76: char *x11_saved_data = NULL;
77: unsigned int x11_saved_data_len = 0;
78:
1.27 markus 79: /*
80: * Fake X11 authentication data. This is what the server will be sending us;
81: * we should replace any occurrences of this by the real data.
82: */
1.1 deraadt 83: char *x11_fake_data = NULL;
84: unsigned int x11_fake_data_len;
85:
1.27 markus 86: /*
87: * Data structure for storing which hosts are permitted for forward requests.
88: * The local sides of any remote forwards are stored in this array to prevent
89: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
90: * network (which might be behind a firewall).
91: */
1.25 markus 92: typedef struct {
1.41 markus 93: char *host_to_connect; /* Connect to 'host'. */
94: u_short port_to_connect; /* Connect to 'port'. */
95: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 96: } ForwardPermission;
97:
98: /* List of all permitted host/port pairs to connect. */
99: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
100: /* Number of permitted host/port pairs in the array. */
101: static int num_permitted_opens = 0;
1.27 markus 102: /*
103: * If this is true, all opens are permitted. This is the case on the server
104: * on which we have to trust the client anyway, and the user could do
105: * anything after logging in anyway.
106: */
1.1 deraadt 107: static int all_opens_permitted = 0;
108:
109: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
110: static int have_hostname_in_open = 0;
111:
112: /* Sets specific protocol options. */
113:
1.49 markus 114: void
1.25 markus 115: channel_set_options(int hostname_in_open)
1.1 deraadt 116: {
1.25 markus 117: have_hostname_in_open = hostname_in_open;
1.1 deraadt 118: }
119:
1.27 markus 120: /*
121: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
122: * called by the server, because the user could connect to any port anyway,
123: * and the server has no way to know but to trust the client anyway.
124: */
1.1 deraadt 125:
1.49 markus 126: void
1.25 markus 127: channel_permit_all_opens()
1.1 deraadt 128: {
1.25 markus 129: all_opens_permitted = 1;
1.1 deraadt 130: }
131:
1.41 markus 132: /* lookup channel by id */
133:
134: Channel *
135: channel_lookup(int id)
136: {
137: Channel *c;
138: if (id < 0 && id > channels_alloc) {
139: log("channel_lookup: %d: bad id", id);
140: return NULL;
141: }
142: c = &channels[id];
143: if (c->type == SSH_CHANNEL_FREE) {
144: log("channel_lookup: %d: bad id: channel free", id);
145: return NULL;
146: }
147: return c;
1.55 markus 148: }
149:
1.27 markus 150: /*
1.55 markus 151: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 152: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 153: */
1.1 deraadt 154:
1.52 markus 155: void
156: channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
1.1 deraadt 157: {
1.25 markus 158: /* Update the maximum file descriptor value. */
1.41 markus 159: if (rfd > channel_max_fd_value)
160: channel_max_fd_value = rfd;
161: if (wfd > channel_max_fd_value)
162: channel_max_fd_value = wfd;
163: if (efd > channel_max_fd_value)
164: channel_max_fd_value = efd;
1.27 markus 165: /* XXX set close-on-exec -markus */
1.55 markus 166:
1.52 markus 167: c->rfd = rfd;
168: c->wfd = wfd;
169: c->sock = (rfd == wfd) ? rfd : -1;
170: c->efd = efd;
171: c->extended_usage = extusage;
1.55 markus 172: if (rfd != -1)
173: set_nonblock(rfd);
174: if (wfd != -1)
175: set_nonblock(wfd);
176: if (efd != -1)
177: set_nonblock(efd);
1.52 markus 178: }
179:
180: /*
181: * Allocate a new channel object and set its type and socket. This will cause
182: * remote_name to be freed.
183: */
184:
185: int
186: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
187: int window, int maxpack, int extusage, char *remote_name)
188: {
189: int i, found;
190: Channel *c;
1.25 markus 191:
192: /* Do initial allocation if this is the first call. */
193: if (channels_alloc == 0) {
1.44 markus 194: chan_init();
1.25 markus 195: channels_alloc = 10;
196: channels = xmalloc(channels_alloc * sizeof(Channel));
197: for (i = 0; i < channels_alloc; i++)
198: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 199: /*
200: * Kludge: arrange a call to channel_stop_listening if we
201: * terminate with fatal().
202: */
1.25 markus 203: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
204: }
205: /* Try to find a free slot where to put the new channel. */
206: for (found = -1, i = 0; i < channels_alloc; i++)
207: if (channels[i].type == SSH_CHANNEL_FREE) {
208: /* Found a free slot. */
209: found = i;
210: break;
211: }
212: if (found == -1) {
1.27 markus 213: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 214: found = channels_alloc;
215: channels_alloc += 10;
216: debug("channel: expanding %d", channels_alloc);
217: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
218: for (i = found; i < channels_alloc; i++)
219: channels[i].type = SSH_CHANNEL_FREE;
220: }
221: /* Initialize and return new channel number. */
222: c = &channels[found];
223: buffer_init(&c->input);
224: buffer_init(&c->output);
1.41 markus 225: buffer_init(&c->extended);
1.25 markus 226: chan_init_iostates(c);
1.52 markus 227: channel_register_fds(c, rfd, wfd, efd, extusage);
1.25 markus 228: c->self = found;
229: c->type = type;
1.41 markus 230: c->ctype = ctype;
1.51 markus 231: c->local_window = window;
232: c->local_window_max = window;
233: c->local_consumed = 0;
234: c->local_maxpacket = maxpack;
1.25 markus 235: c->remote_id = -1;
236: c->remote_name = remote_name;
1.41 markus 237: c->remote_window = 0;
238: c->remote_maxpacket = 0;
239: c->cb_fn = NULL;
240: c->cb_arg = NULL;
241: c->cb_event = 0;
242: c->dettach_user = NULL;
1.25 markus 243: debug("channel %d: new [%s]", found, remote_name);
244: return found;
1.1 deraadt 245: }
1.52 markus 246: /* old interface XXX */
1.49 markus 247: int
1.41 markus 248: channel_allocate(int type, int sock, char *remote_name)
249: {
250: return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
251: }
1.1 deraadt 252:
1.52 markus 253:
254: /* Close all channel fd/socket. */
255:
256: void
257: channel_close_fds(Channel *c)
258: {
259: if (c->sock != -1) {
260: close(c->sock);
261: c->sock = -1;
262: }
263: if (c->rfd != -1) {
264: close(c->rfd);
265: c->rfd = -1;
266: }
267: if (c->wfd != -1) {
268: close(c->wfd);
269: c->wfd = -1;
270: }
271: if (c->efd != -1) {
272: close(c->efd);
273: c->efd = -1;
274: }
275: }
276:
277: /* Free the channel and close its fd/socket. */
1.1 deraadt 278:
1.49 markus 279: void
1.41 markus 280: channel_free(int id)
1.1 deraadt 281: {
1.41 markus 282: Channel *c = channel_lookup(id);
283: if (c == NULL)
284: packet_disconnect("channel free: bad local channel %d", id);
285: debug("channel_free: channel %d: status: %s", id, channel_open_message());
1.44 markus 286: if (c->dettach_user != NULL) {
287: debug("channel_free: channel %d: dettaching channel user", id);
288: c->dettach_user(c->self, NULL);
289: }
1.54 markus 290: if (c->sock != -1)
291: shutdown(c->sock, SHUT_RDWR);
1.52 markus 292: channel_close_fds(c);
1.41 markus 293: buffer_free(&c->input);
294: buffer_free(&c->output);
295: buffer_free(&c->extended);
296: c->type = SSH_CHANNEL_FREE;
297: if (c->remote_name) {
298: xfree(c->remote_name);
299: c->remote_name = NULL;
1.25 markus 300: }
1.1 deraadt 301: }
302:
1.27 markus 303: /*
1.41 markus 304: * 'channel_pre*' are called just before select() to add any bits relevant to
305: * channels in the select bitmasks.
306: */
307: /*
308: * 'channel_post*': perform any appropriate operations for channels which
309: * have events pending.
1.27 markus 310: */
1.41 markus 311: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
312: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
313: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
314:
315: void
316: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
317: {
318: FD_SET(c->sock, readset);
319: }
320:
321: void
322: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
323: {
324: if (buffer_len(&c->input) < packet_get_maxsize())
325: FD_SET(c->sock, readset);
326: if (buffer_len(&c->output) > 0)
327: FD_SET(c->sock, writeset);
328: }
1.1 deraadt 329:
1.41 markus 330: void
331: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
332: {
333: /* test whether sockets are 'alive' for read/write */
334: if (c->istate == CHAN_INPUT_OPEN)
335: if (buffer_len(&c->input) < packet_get_maxsize())
336: FD_SET(c->sock, readset);
337: if (c->ostate == CHAN_OUTPUT_OPEN ||
338: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
339: if (buffer_len(&c->output) > 0) {
340: FD_SET(c->sock, writeset);
341: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
342: chan_obuf_empty(c);
343: }
344: }
345: }
346:
347: void
1.44 markus 348: channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
349: {
350: if (c->istate == CHAN_INPUT_OPEN &&
351: c->remote_window > 0 &&
352: buffer_len(&c->input) < c->remote_window)
353: FD_SET(c->rfd, readset);
354: if (c->ostate == CHAN_OUTPUT_OPEN ||
355: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
356: if (buffer_len(&c->output) > 0) {
357: FD_SET(c->wfd, writeset);
358: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
359: chan_obuf_empty(c);
360: }
361: }
362: /** XXX check close conditions, too */
363: if (c->efd != -1) {
364: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
365: buffer_len(&c->extended) > 0)
366: FD_SET(c->efd, writeset);
367: else if (c->extended_usage == CHAN_EXTENDED_READ &&
368: buffer_len(&c->extended) < c->remote_window)
369: FD_SET(c->efd, readset);
370: }
371: }
372:
373: void
1.41 markus 374: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
375: {
376: if (buffer_len(&c->input) == 0) {
377: packet_start(SSH_MSG_CHANNEL_CLOSE);
378: packet_put_int(c->remote_id);
379: packet_send();
380: c->type = SSH_CHANNEL_CLOSED;
381: debug("Closing channel %d after input drain.", c->self);
382: }
383: }
384:
385: void
386: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
387: {
388: if (buffer_len(&c->output) == 0)
389: channel_free(c->self);
1.49 markus 390: else
1.41 markus 391: FD_SET(c->sock, writeset);
392: }
393:
394: /*
395: * This is a special state for X11 authentication spoofing. An opened X11
396: * connection (when authentication spoofing is being done) remains in this
397: * state until the first packet has been completely read. The authentication
398: * data in that packet is then substituted by the real data if it matches the
399: * fake data, and the channel is put into normal mode.
1.51 markus 400: * XXX All this happens at the client side.
1.41 markus 401: */
402: int
403: x11_open_helper(Channel *c)
1.1 deraadt 404: {
1.25 markus 405: unsigned char *ucp;
406: unsigned int proto_len, data_len;
407:
1.41 markus 408: /* Check if the fixed size part of the packet is in buffer. */
409: if (buffer_len(&c->output) < 12)
410: return 0;
411:
412: /* Parse the lengths of variable-length fields. */
413: ucp = (unsigned char *) buffer_ptr(&c->output);
414: if (ucp[0] == 0x42) { /* Byte order MSB first. */
415: proto_len = 256 * ucp[6] + ucp[7];
416: data_len = 256 * ucp[8] + ucp[9];
417: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
418: proto_len = ucp[6] + 256 * ucp[7];
419: data_len = ucp[8] + 256 * ucp[9];
420: } else {
421: debug("Initial X11 packet contains bad byte order byte: 0x%x",
422: ucp[0]);
423: return -1;
424: }
425:
426: /* Check if the whole packet is in buffer. */
427: if (buffer_len(&c->output) <
428: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
429: return 0;
430:
431: /* Check if authentication protocol matches. */
432: if (proto_len != strlen(x11_saved_proto) ||
433: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
434: debug("X11 connection uses different authentication protocol.");
435: return -1;
436: }
437: /* Check if authentication data matches our fake data. */
438: if (data_len != x11_fake_data_len ||
439: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
440: x11_fake_data, x11_fake_data_len) != 0) {
441: debug("X11 auth data does not match fake data.");
442: return -1;
443: }
444: /* Check fake data length */
445: if (x11_fake_data_len != x11_saved_data_len) {
446: error("X11 fake_data_len %d != saved_data_len %d",
447: x11_fake_data_len, x11_saved_data_len);
448: return -1;
449: }
450: /*
451: * Received authentication protocol and data match
452: * our fake data. Substitute the fake data with real
453: * data.
454: */
455: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
456: x11_saved_data, x11_saved_data_len);
457: return 1;
458: }
459:
460: void
461: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
462: {
463: int ret = x11_open_helper(c);
464: if (ret == 1) {
465: /* Start normal processing for the channel. */
466: c->type = SSH_CHANNEL_OPEN;
1.47 markus 467: channel_pre_open_13(c, readset, writeset);
1.41 markus 468: } else if (ret == -1) {
469: /*
470: * We have received an X11 connection that has bad
471: * authentication information.
472: */
473: log("X11 connection rejected because of wrong authentication.\r\n");
474: buffer_clear(&c->input);
475: buffer_clear(&c->output);
476: close(c->sock);
477: c->sock = -1;
478: c->type = SSH_CHANNEL_CLOSED;
479: packet_start(SSH_MSG_CHANNEL_CLOSE);
480: packet_put_int(c->remote_id);
481: packet_send();
482: }
483: }
1.25 markus 484:
1.41 markus 485: void
1.51 markus 486: channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
1.41 markus 487: {
488: int ret = x11_open_helper(c);
489: if (ret == 1) {
490: c->type = SSH_CHANNEL_OPEN;
1.57 markus 491: if (compat20)
492: channel_pre_open_20(c, readset, writeset);
493: else
494: channel_pre_open_15(c, readset, writeset);
1.41 markus 495: } else if (ret == -1) {
496: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
1.51 markus 497: chan_read_failed(c); /** force close? */
1.41 markus 498: chan_write_failed(c);
499: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
500: }
501: }
1.25 markus 502:
1.41 markus 503: /* This is our fake X11 server socket. */
504: void
505: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
506: {
507: struct sockaddr addr;
508: int newsock, newch;
509: socklen_t addrlen;
510: char buf[16384], *remote_hostname;
1.51 markus 511: int remote_port;
1.25 markus 512:
1.41 markus 513: if (FD_ISSET(c->sock, readset)) {
514: debug("X11 connection requested.");
515: addrlen = sizeof(addr);
516: newsock = accept(c->sock, &addr, &addrlen);
517: if (newsock < 0) {
518: error("accept: %.100s", strerror(errno));
519: return;
520: }
521: remote_hostname = get_remote_hostname(newsock);
1.51 markus 522: remote_port = get_peer_port(newsock);
1.41 markus 523: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.51 markus 524: remote_hostname, remote_port);
525:
526: newch = channel_new("x11",
527: SSH_CHANNEL_OPENING, newsock, newsock, -1,
528: c->local_window_max, c->local_maxpacket,
529: 0, xstrdup(buf));
530: if (compat20) {
531: packet_start(SSH2_MSG_CHANNEL_OPEN);
532: packet_put_cstring("x11");
533: packet_put_int(newch);
534: packet_put_int(c->local_window_max);
535: packet_put_int(c->local_maxpacket);
536: /* originator host and port */
537: packet_put_cstring(remote_hostname);
1.57 markus 538: if (datafellows & SSH_BUG_X11FWD) {
539: debug("ssh2 x11 bug compat mode");
540: } else {
541: packet_put_int(remote_port);
542: }
1.51 markus 543: packet_send();
544: } else {
545: packet_start(SSH_SMSG_X11_OPEN);
546: packet_put_int(newch);
547: if (have_hostname_in_open)
548: packet_put_string(buf, strlen(buf));
549: packet_send();
550: }
1.41 markus 551: xfree(remote_hostname);
552: }
553: }
1.25 markus 554:
1.41 markus 555: /*
556: * This socket is listening for connections to a forwarded TCP/IP port.
557: */
558: void
559: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
560: {
561: struct sockaddr addr;
562: int newsock, newch;
563: socklen_t addrlen;
564: char buf[1024], *remote_hostname;
565: int remote_port;
1.25 markus 566:
1.41 markus 567: if (FD_ISSET(c->sock, readset)) {
568: debug("Connection to port %d forwarding "
569: "to %.100s port %d requested.",
570: c->listening_port, c->path, c->host_port);
571: addrlen = sizeof(addr);
572: newsock = accept(c->sock, &addr, &addrlen);
573: if (newsock < 0) {
574: error("accept: %.100s", strerror(errno));
575: return;
576: }
577: remote_hostname = get_remote_hostname(newsock);
578: remote_port = get_peer_port(newsock);
579: snprintf(buf, sizeof buf,
580: "listen port %d for %.100s port %d, "
581: "connect from %.200s port %d",
582: c->listening_port, c->path, c->host_port,
583: remote_hostname, remote_port);
584: newch = channel_new("direct-tcpip",
585: SSH_CHANNEL_OPENING, newsock, newsock, -1,
586: c->local_window_max, c->local_maxpacket,
587: 0, xstrdup(buf));
1.44 markus 588: if (compat20) {
589: packet_start(SSH2_MSG_CHANNEL_OPEN);
590: packet_put_cstring("direct-tcpip");
591: packet_put_int(newch);
592: packet_put_int(c->local_window_max);
593: packet_put_int(c->local_maxpacket);
1.48 markus 594: /* target host and port */
1.44 markus 595: packet_put_string(c->path, strlen(c->path));
596: packet_put_int(c->host_port);
1.48 markus 597: /* originator host and port */
1.44 markus 598: packet_put_cstring(remote_hostname);
599: packet_put_int(remote_port);
600: packet_send();
601: } else {
602: packet_start(SSH_MSG_PORT_OPEN);
603: packet_put_int(newch);
604: packet_put_string(c->path, strlen(c->path));
605: packet_put_int(c->host_port);
606: if (have_hostname_in_open) {
607: packet_put_string(buf, strlen(buf));
608: }
609: packet_send();
1.41 markus 610: }
611: xfree(remote_hostname);
612: }
613: }
1.25 markus 614:
1.41 markus 615: /*
616: * This is the authentication agent socket listening for connections from
617: * clients.
618: */
619: void
620: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
621: {
622: struct sockaddr addr;
623: int newsock, newch;
624: socklen_t addrlen;
1.25 markus 625:
1.41 markus 626: if (FD_ISSET(c->sock, readset)) {
627: addrlen = sizeof(addr);
628: newsock = accept(c->sock, &addr, &addrlen);
629: if (newsock < 0) {
630: error("accept from auth socket: %.100s", strerror(errno));
631: return;
632: }
633: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
634: xstrdup("accepted auth socket"));
635: packet_start(SSH_SMSG_AGENT_OPEN);
636: packet_put_int(newch);
637: packet_send();
638: }
639: }
1.25 markus 640:
1.41 markus 641: int
642: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
643: {
644: char buf[16*1024];
645: int len;
1.25 markus 646:
1.41 markus 647: if (c->rfd != -1 &&
648: FD_ISSET(c->rfd, readset)) {
649: len = read(c->rfd, buf, sizeof(buf));
1.53 markus 650: if (len < 0 && (errno == EINTR || errno == EAGAIN))
651: return 1;
1.41 markus 652: if (len <= 0) {
1.51 markus 653: debug("channel %d: read<=0 rfd %d len %d",
1.41 markus 654: c->self, c->rfd, len);
1.25 markus 655: if (compat13) {
1.41 markus 656: buffer_consume(&c->output, buffer_len(&c->output));
657: c->type = SSH_CHANNEL_INPUT_DRAINING;
658: debug("Channel %d status set to input draining.", c->self);
1.25 markus 659: } else {
1.41 markus 660: chan_read_failed(c);
1.25 markus 661: }
1.41 markus 662: return -1;
663: }
664: buffer_append(&c->input, buf, len);
665: }
666: return 1;
667: }
668: int
669: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
670: {
671: int len;
1.25 markus 672:
1.41 markus 673: /* Send buffered output data to the socket. */
674: if (c->wfd != -1 &&
675: FD_ISSET(c->wfd, writeset) &&
676: buffer_len(&c->output) > 0) {
677: len = write(c->wfd, buffer_ptr(&c->output),
1.53 markus 678: buffer_len(&c->output));
679: if (len < 0 && (errno == EINTR || errno == EAGAIN))
680: return 1;
1.41 markus 681: if (len <= 0) {
682: if (compat13) {
683: buffer_consume(&c->output, buffer_len(&c->output));
684: debug("Channel %d status set to input draining.", c->self);
685: c->type = SSH_CHANNEL_INPUT_DRAINING;
686: } else {
687: chan_write_failed(c);
688: }
689: return -1;
1.25 markus 690: }
1.41 markus 691: buffer_consume(&c->output, len);
1.44 markus 692: if (compat20 && len > 0) {
693: c->local_consumed += len;
694: }
695: }
696: return 1;
697: }
698: int
699: channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
700: {
701: char buf[16*1024];
702: int len;
703:
1.45 markus 704: /** XXX handle drain efd, too */
1.44 markus 705: if (c->efd != -1) {
706: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
707: FD_ISSET(c->efd, writeset) &&
708: buffer_len(&c->extended) > 0) {
709: len = write(c->efd, buffer_ptr(&c->extended),
710: buffer_len(&c->extended));
711: debug("channel %d: written %d to efd %d",
712: c->self, len, c->efd);
713: if (len > 0) {
714: buffer_consume(&c->extended, len);
715: c->local_consumed += len;
716: }
717: } else if (c->extended_usage == CHAN_EXTENDED_READ &&
718: FD_ISSET(c->efd, readset)) {
719: len = read(c->efd, buf, sizeof(buf));
720: debug("channel %d: read %d from efd %d",
721: c->self, len, c->efd);
1.45 markus 722: if (len == 0) {
723: debug("channel %d: closing efd %d",
724: c->self, c->efd);
725: close(c->efd);
726: c->efd = -1;
727: } else if (len > 0)
1.44 markus 728: buffer_append(&c->extended, buf, len);
729: }
730: }
731: return 1;
732: }
733: int
734: channel_check_window(Channel *c, fd_set * readset, fd_set * writeset)
735: {
1.46 markus 736: if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.44 markus 737: c->local_window < c->local_window_max/2 &&
738: c->local_consumed > 0) {
739: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
740: packet_put_int(c->remote_id);
741: packet_put_int(c->local_consumed);
742: packet_send();
743: debug("channel %d: window %d sent adjust %d",
744: c->self, c->local_window,
745: c->local_consumed);
746: c->local_window += c->local_consumed;
747: c->local_consumed = 0;
1.1 deraadt 748: }
1.41 markus 749: return 1;
1.1 deraadt 750: }
751:
1.41 markus 752: void
753: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
754: {
755: channel_handle_rfd(c, readset, writeset);
756: channel_handle_wfd(c, readset, writeset);
757: }
1.1 deraadt 758:
1.41 markus 759: void
1.44 markus 760: channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
761: {
762: channel_handle_rfd(c, readset, writeset);
763: channel_handle_wfd(c, readset, writeset);
764: channel_handle_efd(c, readset, writeset);
765: channel_check_window(c, readset, writeset);
766: }
767:
768: void
1.41 markus 769: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 770: {
1.41 markus 771: int len;
772: /* Send buffered output data to the socket. */
773: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
774: len = write(c->sock, buffer_ptr(&c->output),
775: buffer_len(&c->output));
776: if (len <= 0)
777: buffer_consume(&c->output, buffer_len(&c->output));
778: else
779: buffer_consume(&c->output, len);
780: }
781: }
1.25 markus 782:
1.41 markus 783: void
1.44 markus 784: channel_handler_init_20(void)
785: {
786: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
1.51 markus 787: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.44 markus 788: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1.51 markus 789: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1.44 markus 790:
791: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
792: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1.51 markus 793: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1.44 markus 794: }
795:
796: void
1.41 markus 797: channel_handler_init_13(void)
798: {
799: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
800: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
801: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
802: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
803: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
804: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
805: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.25 markus 806:
1.41 markus 807: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
808: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
809: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
810: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
811: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
812: }
1.25 markus 813:
1.41 markus 814: void
815: channel_handler_init_15(void)
816: {
817: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
1.51 markus 818: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.41 markus 819: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
820: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
821: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.25 markus 822:
1.41 markus 823: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
824: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
825: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
826: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
827: }
1.27 markus 828:
1.41 markus 829: void
830: channel_handler_init(void)
831: {
832: int i;
833: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
834: channel_pre[i] = NULL;
835: channel_post[i] = NULL;
836: }
1.44 markus 837: if (compat20)
838: channel_handler_init_20();
839: else if (compat13)
1.41 markus 840: channel_handler_init_13();
841: else
842: channel_handler_init_15();
843: }
1.25 markus 844:
1.49 markus 845: void
1.41 markus 846: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
847: {
848: static int did_init = 0;
849: int i;
850: Channel *c;
1.25 markus 851:
1.41 markus 852: if (!did_init) {
853: channel_handler_init();
854: did_init = 1;
855: }
856: for (i = 0; i < channels_alloc; i++) {
857: c = &channels[i];
858: if (c->type == SSH_CHANNEL_FREE)
859: continue;
860: if (ftab[c->type] == NULL)
1.25 markus 861: continue;
1.41 markus 862: (*ftab[c->type])(c, readset, writeset);
1.44 markus 863: chan_delete_if_full_closed(c);
1.1 deraadt 864: }
865: }
866:
1.49 markus 867: void
1.41 markus 868: channel_prepare_select(fd_set * readset, fd_set * writeset)
869: {
870: channel_handler(channel_pre, readset, writeset);
871: }
872:
1.49 markus 873: void
1.41 markus 874: channel_after_select(fd_set * readset, fd_set * writeset)
875: {
876: channel_handler(channel_post, readset, writeset);
877: }
878:
1.1 deraadt 879: /* If there is data to send to the connection, send some of it now. */
880:
1.49 markus 881: void
1.25 markus 882: channel_output_poll()
1.1 deraadt 883: {
1.25 markus 884: int len, i;
1.41 markus 885: Channel *c;
1.1 deraadt 886:
1.25 markus 887: for (i = 0; i < channels_alloc; i++) {
1.41 markus 888: c = &channels[i];
1.37 markus 889:
1.27 markus 890: /* We are only interested in channels that can have buffered incoming data. */
1.37 markus 891: if (compat13) {
1.41 markus 892: if (c->type != SSH_CHANNEL_OPEN &&
893: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 894: continue;
895: } else {
1.41 markus 896: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 897: continue;
1.41 markus 898: if (c->istate != CHAN_INPUT_OPEN &&
899: c->istate != CHAN_INPUT_WAIT_DRAIN)
1.37 markus 900: continue;
901: }
1.46 markus 902: if (compat20 &&
903: (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.44 markus 904: debug("channel: %d: no data after CLOSE", c->self);
905: continue;
906: }
1.25 markus 907:
908: /* Get the amount of buffered data for this channel. */
1.41 markus 909: len = buffer_len(&c->input);
1.25 markus 910: if (len > 0) {
1.27 markus 911: /* Send some data for the other side over the secure connection. */
1.44 markus 912: if (compat20) {
913: if (len > c->remote_window)
914: len = c->remote_window;
915: if (len > c->remote_maxpacket)
916: len = c->remote_maxpacket;
1.25 markus 917: } else {
1.44 markus 918: if (packet_is_interactive()) {
919: if (len > 1024)
920: len = 512;
921: } else {
922: /* Keep the packets at reasonable size. */
923: if (len > packet_get_maxsize()/2)
924: len = packet_get_maxsize()/2;
925: }
1.25 markus 926: }
1.41 markus 927: if (len > 0) {
1.44 markus 928: packet_start(compat20 ?
929: SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
1.41 markus 930: packet_put_int(c->remote_id);
931: packet_put_string(buffer_ptr(&c->input), len);
932: packet_send();
933: buffer_consume(&c->input, len);
934: c->remote_window -= len;
935: }
936: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 937: if (compat13)
938: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 939: /*
940: * input-buffer is empty and read-socket shutdown:
941: * tell peer, that we will not send more data: send IEOF
942: */
1.41 markus 943: chan_ibuf_empty(c);
1.25 markus 944: }
1.44 markus 945: /* Send extended data, i.e. stderr */
946: if (compat20 &&
947: c->remote_window > 0 &&
948: (len = buffer_len(&c->extended)) > 0 &&
949: c->extended_usage == CHAN_EXTENDED_READ) {
950: if (len > c->remote_window)
951: len = c->remote_window;
952: if (len > c->remote_maxpacket)
953: len = c->remote_maxpacket;
954: packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
955: packet_put_int(c->remote_id);
956: packet_put_int(SSH2_EXTENDED_DATA_STDERR);
957: packet_put_string(buffer_ptr(&c->extended), len);
958: packet_send();
959: buffer_consume(&c->extended, len);
960: c->remote_window -= len;
961: }
1.25 markus 962: }
1.1 deraadt 963: }
964:
1.27 markus 965: /*
966: * This is called when a packet of type CHANNEL_DATA has just been received.
967: * The message type has already been consumed, but channel number and data is
968: * still there.
969: */
1.1 deraadt 970:
1.49 markus 971: void
1.41 markus 972: channel_input_data(int type, int plen)
1.1 deraadt 973: {
1.37 markus 974: int id;
1.25 markus 975: char *data;
976: unsigned int data_len;
1.41 markus 977: Channel *c;
1.25 markus 978:
979: /* Get the channel number and verify it. */
1.37 markus 980: id = packet_get_int();
1.41 markus 981: c = channel_lookup(id);
982: if (c == NULL)
1.37 markus 983: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 984:
985: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 986: if (c->type != SSH_CHANNEL_OPEN &&
987: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 988: return;
989:
990: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 991: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 992: return;
993:
994: /* Get the data. */
995: data = packet_get_string(&data_len);
1.48 markus 996: packet_done();
1.41 markus 997:
1.44 markus 998: if (compat20){
999: if (data_len > c->local_maxpacket) {
1000: log("channel %d: rcvd big packet %d, maxpack %d",
1001: c->self, data_len, c->local_maxpacket);
1002: }
1003: if (data_len > c->local_window) {
1004: log("channel %d: rcvd too much data %d, win %d",
1005: c->self, data_len, c->local_window);
1006: xfree(data);
1007: return;
1008: }
1009: c->local_window -= data_len;
1010: }else{
1011: packet_integrity_check(plen, 4 + 4 + data_len, type);
1012: }
1.41 markus 1013: buffer_append(&c->output, data, data_len);
1.25 markus 1014: xfree(data);
1.1 deraadt 1015: }
1.49 markus 1016: void
1.44 markus 1017: channel_input_extended_data(int type, int plen)
1018: {
1019: int id;
1020: int tcode;
1021: char *data;
1022: unsigned int data_len;
1023: Channel *c;
1024:
1025: /* Get the channel number and verify it. */
1026: id = packet_get_int();
1027: c = channel_lookup(id);
1028:
1029: if (c == NULL)
1030: packet_disconnect("Received extended_data for bad channel %d.", id);
1031: if (c->type != SSH_CHANNEL_OPEN) {
1032: log("channel %d: ext data for non open", id);
1033: return;
1034: }
1035: tcode = packet_get_int();
1036: if (c->efd == -1 ||
1037: c->extended_usage != CHAN_EXTENDED_WRITE ||
1038: tcode != SSH2_EXTENDED_DATA_STDERR) {
1039: log("channel %d: bad ext data", c->self);
1040: return;
1041: }
1042: data = packet_get_string(&data_len);
1.48 markus 1043: packet_done();
1.44 markus 1044: if (data_len > c->local_window) {
1045: log("channel %d: rcvd too much extended_data %d, win %d",
1046: c->self, data_len, c->local_window);
1047: xfree(data);
1048: return;
1049: }
1050: debug("channel %d: rcvd ext data %d", c->self, data_len);
1051: c->local_window -= data_len;
1052: buffer_append(&c->extended, data, data_len);
1053: xfree(data);
1054: }
1055:
1.1 deraadt 1056:
1.27 markus 1057: /*
1058: * Returns true if no channel has too much buffered data, and false if one or
1059: * more channel is overfull.
1060: */
1.1 deraadt 1061:
1.49 markus 1062: int
1.25 markus 1063: channel_not_very_much_buffered_data()
1.1 deraadt 1064: {
1.25 markus 1065: unsigned int i;
1.41 markus 1066: Channel *c;
1.25 markus 1067:
1068: for (i = 0; i < channels_alloc; i++) {
1.41 markus 1069: c = &channels[i];
1070: if (c->type == SSH_CHANNEL_OPEN) {
1.44 markus 1071: if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
1.41 markus 1072: debug("channel %d: big input buffer %d",
1073: c->self, buffer_len(&c->input));
1.25 markus 1074: return 0;
1.41 markus 1075: }
1076: if (buffer_len(&c->output) > packet_get_maxsize()) {
1077: debug("channel %d: big output buffer %d",
1078: c->self, buffer_len(&c->output));
1.25 markus 1079: return 0;
1.41 markus 1080: }
1.25 markus 1081: }
1.1 deraadt 1082: }
1.25 markus 1083: return 1;
1.1 deraadt 1084: }
1085:
1.49 markus 1086: void
1.41 markus 1087: channel_input_ieof(int type, int plen)
1088: {
1089: int id;
1090: Channel *c;
1091:
1092: packet_integrity_check(plen, 4, type);
1093:
1094: id = packet_get_int();
1095: c = channel_lookup(id);
1096: if (c == NULL)
1097: packet_disconnect("Received ieof for nonexistent channel %d.", id);
1098: chan_rcvd_ieof(c);
1099: }
1.1 deraadt 1100:
1.49 markus 1101: void
1.41 markus 1102: channel_input_close(int type, int plen)
1.1 deraadt 1103: {
1.41 markus 1104: int id;
1105: Channel *c;
1.1 deraadt 1106:
1.41 markus 1107: packet_integrity_check(plen, 4, type);
1108:
1109: id = packet_get_int();
1110: c = channel_lookup(id);
1111: if (c == NULL)
1112: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 1113:
1114: /*
1115: * Send a confirmation that we have closed the channel and no more
1116: * data is coming for it.
1117: */
1.25 markus 1118: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 1119: packet_put_int(c->remote_id);
1.25 markus 1120: packet_send();
1121:
1.27 markus 1122: /*
1123: * If the channel is in closed state, we have sent a close request,
1124: * and the other side will eventually respond with a confirmation.
1125: * Thus, we cannot free the channel here, because then there would be
1126: * no-one to receive the confirmation. The channel gets freed when
1127: * the confirmation arrives.
1128: */
1.41 markus 1129: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 1130: /*
1131: * Not a closed channel - mark it as draining, which will
1132: * cause it to be freed later.
1133: */
1.41 markus 1134: buffer_consume(&c->input, buffer_len(&c->input));
1135: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 1136: }
1.1 deraadt 1137: }
1138:
1.41 markus 1139: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
1.49 markus 1140: void
1.41 markus 1141: channel_input_oclose(int type, int plen)
1142: {
1143: int id = packet_get_int();
1144: Channel *c = channel_lookup(id);
1145: packet_integrity_check(plen, 4, type);
1146: if (c == NULL)
1147: packet_disconnect("Received oclose for nonexistent channel %d.", id);
1148: chan_rcvd_oclose(c);
1149: }
1.1 deraadt 1150:
1.49 markus 1151: void
1.41 markus 1152: channel_input_close_confirmation(int type, int plen)
1.1 deraadt 1153: {
1.41 markus 1154: int id = packet_get_int();
1155: Channel *c = channel_lookup(id);
1.1 deraadt 1156:
1.48 markus 1157: packet_done();
1.41 markus 1158: if (c == NULL)
1159: packet_disconnect("Received close confirmation for "
1160: "out-of-range channel %d.", id);
1161: if (c->type != SSH_CHANNEL_CLOSED)
1162: packet_disconnect("Received close confirmation for "
1163: "non-closed channel %d (type %d).", id, c->type);
1164: channel_free(c->self);
1.1 deraadt 1165: }
1166:
1.49 markus 1167: void
1.41 markus 1168: channel_input_open_confirmation(int type, int plen)
1.1 deraadt 1169: {
1.41 markus 1170: int id, remote_id;
1171: Channel *c;
1.1 deraadt 1172:
1.44 markus 1173: if (!compat20)
1174: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 1175:
1.41 markus 1176: id = packet_get_int();
1177: c = channel_lookup(id);
1.25 markus 1178:
1.41 markus 1179: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1180: packet_disconnect("Received open confirmation for "
1181: "non-opening channel %d.", id);
1182: remote_id = packet_get_int();
1.27 markus 1183: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 1184: c->remote_id = remote_id;
1185: c->type = SSH_CHANNEL_OPEN;
1.44 markus 1186:
1187: if (compat20) {
1188: c->remote_window = packet_get_int();
1189: c->remote_maxpacket = packet_get_int();
1.48 markus 1190: packet_done();
1.44 markus 1191: if (c->cb_fn != NULL && c->cb_event == type) {
1192: debug("callback start");
1193: c->cb_fn(c->self, c->cb_arg);
1194: debug("callback done");
1195: }
1196: debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1197: c->remote_window, c->remote_maxpacket);
1198: }
1.1 deraadt 1199: }
1200:
1.49 markus 1201: void
1.41 markus 1202: channel_input_open_failure(int type, int plen)
1.1 deraadt 1203: {
1.41 markus 1204: int id;
1205: Channel *c;
1206:
1.44 markus 1207: if (!compat20)
1208: packet_integrity_check(plen, 4, type);
1.41 markus 1209:
1210: id = packet_get_int();
1211: c = channel_lookup(id);
1.25 markus 1212:
1.41 markus 1213: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1214: packet_disconnect("Received open failure for "
1215: "non-opening channel %d.", id);
1.44 markus 1216: if (compat20) {
1217: int reason = packet_get_int();
1218: char *msg = packet_get_string(NULL);
1.48 markus 1219: char *lang = packet_get_string(NULL);
1.44 markus 1220: log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
1.48 markus 1221: packet_done();
1.44 markus 1222: xfree(msg);
1.48 markus 1223: xfree(lang);
1.44 markus 1224: }
1.25 markus 1225: /* Free the channel. This will also close the socket. */
1.41 markus 1226: channel_free(id);
1.1 deraadt 1227: }
1228:
1.44 markus 1229: void
1230: channel_input_channel_request(int type, int plen)
1231: {
1232: int id;
1233: Channel *c;
1234:
1235: id = packet_get_int();
1236: c = channel_lookup(id);
1237:
1238: if (c == NULL ||
1239: (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1240: packet_disconnect("Received request for "
1241: "non-open channel %d.", id);
1242: if (c->cb_fn != NULL && c->cb_event == type) {
1243: debug("callback start");
1244: c->cb_fn(c->self, c->cb_arg);
1245: debug("callback done");
1246: } else {
1247: char *service = packet_get_string(NULL);
1248: debug("channel: %d rcvd request for %s", c->self, service);
1249: debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1250: xfree(service);
1251: }
1252: }
1253:
1.49 markus 1254: void
1.44 markus 1255: channel_input_window_adjust(int type, int plen)
1256: {
1257: Channel *c;
1258: int id, adjust;
1259:
1260: if (!compat20)
1261: return;
1262:
1263: /* Get the channel number and verify it. */
1264: id = packet_get_int();
1265: c = channel_lookup(id);
1266:
1267: if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1268: log("Received window adjust for "
1269: "non-open channel %d.", id);
1270: return;
1271: }
1272: adjust = packet_get_int();
1.48 markus 1273: packet_done();
1.44 markus 1274: debug("channel %d: rcvd adjust %d", id, adjust);
1275: c->remote_window += adjust;
1276: }
1277:
1.27 markus 1278: /*
1279: * Stops listening for channels, and removes any unix domain sockets that we
1280: * might have.
1281: */
1.1 deraadt 1282:
1.49 markus 1283: void
1.25 markus 1284: channel_stop_listening()
1.1 deraadt 1285: {
1.25 markus 1286: int i;
1287: for (i = 0; i < channels_alloc; i++) {
1288: switch (channels[i].type) {
1289: case SSH_CHANNEL_AUTH_SOCKET:
1290: close(channels[i].sock);
1291: remove(channels[i].path);
1292: channel_free(i);
1293: break;
1294: case SSH_CHANNEL_PORT_LISTENER:
1295: case SSH_CHANNEL_X11_LISTENER:
1296: close(channels[i].sock);
1297: channel_free(i);
1298: break;
1299: default:
1300: break;
1301: }
1.1 deraadt 1302: }
1303: }
1304:
1.27 markus 1305: /*
1.52 markus 1306: * Closes the sockets/fds of all channels. This is used to close extra file
1.27 markus 1307: * descriptors after a fork.
1308: */
1.1 deraadt 1309:
1.49 markus 1310: void
1.25 markus 1311: channel_close_all()
1.1 deraadt 1312: {
1.25 markus 1313: int i;
1.52 markus 1314: for (i = 0; i < channels_alloc; i++)
1.25 markus 1315: if (channels[i].type != SSH_CHANNEL_FREE)
1.52 markus 1316: channel_close_fds(&channels[i]);
1.1 deraadt 1317: }
1318:
1319: /* Returns the maximum file descriptor number used by the channels. */
1320:
1.49 markus 1321: int
1.25 markus 1322: channel_max_fd()
1.1 deraadt 1323: {
1.25 markus 1324: return channel_max_fd_value;
1.1 deraadt 1325: }
1326:
1327: /* Returns true if any channel is still open. */
1328:
1.49 markus 1329: int
1.25 markus 1330: channel_still_open()
1.1 deraadt 1331: {
1.25 markus 1332: unsigned int i;
1333: for (i = 0; i < channels_alloc; i++)
1334: switch (channels[i].type) {
1335: case SSH_CHANNEL_FREE:
1336: case SSH_CHANNEL_X11_LISTENER:
1337: case SSH_CHANNEL_PORT_LISTENER:
1338: case SSH_CHANNEL_CLOSED:
1339: case SSH_CHANNEL_AUTH_SOCKET:
1340: continue;
1.44 markus 1341: case SSH_CHANNEL_LARVAL:
1342: if (!compat20)
1343: fatal("cannot happen: SSH_CHANNEL_LARVAL");
1344: continue;
1.25 markus 1345: case SSH_CHANNEL_OPENING:
1346: case SSH_CHANNEL_OPEN:
1347: case SSH_CHANNEL_X11_OPEN:
1348: return 1;
1349: case SSH_CHANNEL_INPUT_DRAINING:
1350: case SSH_CHANNEL_OUTPUT_DRAINING:
1351: if (!compat13)
1352: fatal("cannot happen: OUT_DRAIN");
1353: return 1;
1354: default:
1355: fatal("channel_still_open: bad channel type %d", channels[i].type);
1356: /* NOTREACHED */
1357: }
1358: return 0;
1.1 deraadt 1359: }
1360:
1.27 markus 1361: /*
1362: * Returns a message describing the currently open forwarded connections,
1363: * suitable for sending to the client. The message contains crlf pairs for
1364: * newlines.
1365: */
1.1 deraadt 1366:
1.25 markus 1367: char *
1368: channel_open_message()
1.1 deraadt 1369: {
1.25 markus 1370: Buffer buffer;
1371: int i;
1372: char buf[512], *cp;
1373:
1374: buffer_init(&buffer);
1375: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 1376: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 1377: for (i = 0; i < channels_alloc; i++) {
1378: Channel *c = &channels[i];
1379: switch (c->type) {
1380: case SSH_CHANNEL_FREE:
1381: case SSH_CHANNEL_X11_LISTENER:
1382: case SSH_CHANNEL_PORT_LISTENER:
1383: case SSH_CHANNEL_CLOSED:
1384: case SSH_CHANNEL_AUTH_SOCKET:
1385: continue;
1.44 markus 1386: case SSH_CHANNEL_LARVAL:
1.25 markus 1387: case SSH_CHANNEL_OPENING:
1388: case SSH_CHANNEL_OPEN:
1389: case SSH_CHANNEL_X11_OPEN:
1390: case SSH_CHANNEL_INPUT_DRAINING:
1391: case SSH_CHANNEL_OUTPUT_DRAINING:
1.41 markus 1392: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
1.37 markus 1393: c->self, c->remote_name,
1394: c->type, c->remote_id,
1395: c->istate, buffer_len(&c->input),
1.41 markus 1396: c->ostate, buffer_len(&c->output),
1397: c->rfd, c->wfd);
1.25 markus 1398: buffer_append(&buffer, buf, strlen(buf));
1399: continue;
1400: default:
1.41 markus 1401: fatal("channel_open_message: bad channel type %d", c->type);
1.25 markus 1402: /* NOTREACHED */
1403: }
1404: }
1405: buffer_append(&buffer, "\0", 1);
1406: cp = xstrdup(buffer_ptr(&buffer));
1407: buffer_free(&buffer);
1408: return cp;
1.1 deraadt 1409: }
1410:
1.27 markus 1411: /*
1412: * Initiate forwarding of connections to local port "port" through the secure
1413: * channel to host:port from remote side.
1414: */
1.1 deraadt 1415:
1.49 markus 1416: void
1.31 markus 1417: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 1418: u_short host_port, int gateway_ports)
1.25 markus 1419: {
1.35 markus 1420: int success, ch, sock, on = 1;
1421: struct addrinfo hints, *ai, *aitop;
1422: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.28 markus 1423: struct linger linger;
1.25 markus 1424:
1425: if (strlen(host) > sizeof(channels[0].path) - 1)
1426: packet_disconnect("Forward host name too long.");
1427:
1.28 markus 1428: /*
1.35 markus 1429: * getaddrinfo returns a loopback address if the hostname is
1430: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 1431: */
1.35 markus 1432: memset(&hints, 0, sizeof(hints));
1433: hints.ai_family = IPv4or6;
1434: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1435: hints.ai_socktype = SOCK_STREAM;
1436: snprintf(strport, sizeof strport, "%d", port);
1437: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1438: packet_disconnect("getaddrinfo: fatal error");
1439:
1440: success = 0;
1441: for (ai = aitop; ai; ai = ai->ai_next) {
1442: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1443: continue;
1444: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1445: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1446: error("channel_request_local_forwarding: getnameinfo failed");
1447: continue;
1448: }
1449: /* Create a port to listen for the host. */
1450: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1451: if (sock < 0) {
1452: /* this is no error since kernel may not support ipv6 */
1453: verbose("socket: %.100s", strerror(errno));
1454: continue;
1455: }
1456: /*
1457: * Set socket options. We would like the socket to disappear
1458: * as soon as it has been closed for whatever reason.
1459: */
1460: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1461: linger.l_onoff = 1;
1462: linger.l_linger = 5;
1463: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1464: debug("Local forwarding listening on %s port %s.", ntop, strport);
1465:
1466: /* Bind the socket to the address. */
1467: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1468: /* address can be in use ipv6 address is already bound */
1469: verbose("bind: %.100s", strerror(errno));
1470: close(sock);
1471: continue;
1472: }
1473: /* Start listening for connections on the socket. */
1474: if (listen(sock, 5) < 0) {
1475: error("listen: %.100s", strerror(errno));
1476: close(sock);
1477: continue;
1478: }
1479: /* Allocate a channel number for the socket. */
1.41 markus 1480: ch = channel_new(
1481: "port listener", SSH_CHANNEL_PORT_LISTENER,
1482: sock, sock, -1,
1.51 markus 1483: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.41 markus 1484: 0, xstrdup("port listener"));
1.35 markus 1485: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1486: channels[ch].host_port = host_port;
1487: channels[ch].listening_port = port;
1488: success = 1;
1489: }
1490: if (success == 0)
1491: packet_disconnect("cannot listen port: %d", port);
1492: freeaddrinfo(aitop);
1.25 markus 1493: }
1.1 deraadt 1494:
1.27 markus 1495: /*
1496: * Initiate forwarding of connections to port "port" on remote host through
1497: * the secure channel to host:port from local side.
1498: */
1.1 deraadt 1499:
1.49 markus 1500: void
1.41 markus 1501: channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
1502: u_short port_to_connect)
1.25 markus 1503: {
1504: int payload_len;
1505: /* Record locally that connection to this host/port is permitted. */
1506: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1507: fatal("channel_request_remote_forwarding: too many forwards");
1508:
1.41 markus 1509: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1510: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1511: permitted_opens[num_permitted_opens].listen_port = listen_port;
1.25 markus 1512: num_permitted_opens++;
1513:
1514: /* Send the forward request to the remote side. */
1.44 markus 1515: if (compat20) {
1516: const char *address_to_bind = "0.0.0.0";
1517: packet_start(SSH2_MSG_GLOBAL_REQUEST);
1518: packet_put_cstring("tcpip-forward");
1519: packet_put_char(0); /* boolean: want reply */
1520: packet_put_cstring(address_to_bind);
1521: packet_put_int(listen_port);
1522: } else {
1523: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.50 markus 1524: packet_put_int(listen_port);
1525: packet_put_cstring(host_to_connect);
1.44 markus 1526: packet_put_int(port_to_connect);
1527: packet_send();
1528: packet_write_wait();
1529: /*
1530: * Wait for response from the remote side. It will send a disconnect
1531: * message on failure, and we will never see it here.
1532: */
1533: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1534: }
1.1 deraadt 1535: }
1536:
1.27 markus 1537: /*
1538: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1539: * listening for the port, and sends back a success reply (or disconnect
1540: * message if there was an error). This never returns if there was an error.
1541: */
1.1 deraadt 1542:
1.49 markus 1543: void
1.56 markus 1544: channel_input_port_forward_request(int is_root, int gateway_ports)
1.1 deraadt 1545: {
1.31 markus 1546: u_short port, host_port;
1.25 markus 1547: char *hostname;
1.1 deraadt 1548:
1.25 markus 1549: /* Get arguments from the packet. */
1550: port = packet_get_int();
1551: hostname = packet_get_string(NULL);
1552: host_port = packet_get_int();
1553:
1.27 markus 1554: /*
1555: * Check that an unprivileged user is not trying to forward a
1556: * privileged port.
1557: */
1.25 markus 1558: if (port < IPPORT_RESERVED && !is_root)
1559: packet_disconnect("Requested forwarding of port %d but user is not root.",
1560: port);
1.33 markus 1561: /*
1562: * Initiate forwarding,
1563: */
1.56 markus 1564: channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
1.25 markus 1565:
1566: /* Free the argument string. */
1567: xfree(hostname);
1.1 deraadt 1568: }
1569:
1.41 markus 1570: /* XXX move to aux.c */
1571: int
1572: channel_connect_to(const char *host, u_short host_port)
1573: {
1574: struct addrinfo hints, *ai, *aitop;
1575: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1576: int gaierr;
1577: int sock = -1;
1578:
1579: memset(&hints, 0, sizeof(hints));
1580: hints.ai_family = IPv4or6;
1581: hints.ai_socktype = SOCK_STREAM;
1582: snprintf(strport, sizeof strport, "%d", host_port);
1583: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1584: error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
1585: return -1;
1586: }
1587: for (ai = aitop; ai; ai = ai->ai_next) {
1588: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1589: continue;
1590: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1591: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1592: error("channel_connect_to: getnameinfo failed");
1593: continue;
1594: }
1595: /* Create the socket. */
1596: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1597: if (sock < 0) {
1598: error("socket: %.100s", strerror(errno));
1599: continue;
1600: }
1601: /* Connect to the host/port. */
1602: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1603: error("connect %.100s port %s: %.100s", ntop, strport,
1604: strerror(errno));
1605: close(sock);
1606: continue; /* fail -- try next */
1607: }
1608: break; /* success */
1609:
1610: }
1611: freeaddrinfo(aitop);
1612: if (!ai) {
1613: error("connect %.100s port %d: failed.", host, host_port);
1614: return -1;
1615: }
1616: /* success */
1617: return sock;
1618: }
1.27 markus 1619: /*
1620: * This is called after receiving PORT_OPEN message. This attempts to
1621: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1622: * or CHANNEL_OPEN_FAILURE.
1623: */
1.1 deraadt 1624:
1.49 markus 1625: void
1.41 markus 1626: channel_input_port_open(int type, int plen)
1.1 deraadt 1627: {
1.31 markus 1628: u_short host_port;
1.25 markus 1629: char *host, *originator_string;
1.41 markus 1630: int remote_channel, sock = -1, newch, i, denied;
1.39 markus 1631: unsigned int host_len, originator_len;
1.25 markus 1632:
1633: /* Get remote channel number. */
1634: remote_channel = packet_get_int();
1635:
1636: /* Get host name to connect to. */
1637: host = packet_get_string(&host_len);
1638:
1639: /* Get port to connect to. */
1640: host_port = packet_get_int();
1641:
1642: /* Get remote originator name. */
1.29 markus 1643: if (have_hostname_in_open) {
1.25 markus 1644: originator_string = packet_get_string(&originator_len);
1.29 markus 1645: originator_len += 4; /* size of packet_int */
1646: } else {
1.25 markus 1647: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1648: originator_len = 0; /* no originator supplied */
1649: }
1.25 markus 1650:
1.41 markus 1651: packet_integrity_check(plen,
1652: 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
1.25 markus 1653:
1654: /* Check if opening that port is permitted. */
1.41 markus 1655: denied = 0;
1.25 markus 1656: if (!all_opens_permitted) {
1657: /* Go trough all permitted ports. */
1658: for (i = 0; i < num_permitted_opens; i++)
1.41 markus 1659: if (permitted_opens[i].port_to_connect == host_port &&
1660: strcmp(permitted_opens[i].host_to_connect, host) == 0)
1.25 markus 1661: break;
1662:
1663: /* Check if we found the requested port among those permitted. */
1664: if (i >= num_permitted_opens) {
1665: /* The port is not permitted. */
1666: log("Received request to connect to %.100s:%d, but the request was denied.",
1667: host, host_port);
1.41 markus 1668: denied = 1;
1.25 markus 1669: }
1670: }
1.41 markus 1671: sock = denied ? -1 : channel_connect_to(host, host_port);
1672: if (sock > 0) {
1673: /* Allocate a channel for this connection. */
1674: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1675: channels[newch].remote_id = remote_channel;
1676:
1677: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1678: packet_put_int(remote_channel);
1679: packet_put_int(newch);
1680: packet_send();
1681: } else {
1682: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1683: packet_put_int(remote_channel);
1684: packet_send();
1.25 markus 1685: }
1686: xfree(host);
1.1 deraadt 1687: }
1688:
1.27 markus 1689: /*
1690: * Creates an internet domain socket for listening for X11 connections.
1691: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1692: * occurs.
1693: */
1.1 deraadt 1694:
1.35 markus 1695: #define NUM_SOCKS 10
1696:
1.25 markus 1697: char *
1.33 markus 1698: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1699: {
1.31 markus 1700: int display_number, sock;
1701: u_short port;
1.35 markus 1702: struct addrinfo hints, *ai, *aitop;
1703: char strport[NI_MAXSERV];
1704: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1705: char display[512];
1.25 markus 1706: char hostname[MAXHOSTNAMELEN];
1707:
1.33 markus 1708: for (display_number = x11_display_offset;
1.25 markus 1709: display_number < MAX_DISPLAYS;
1710: display_number++) {
1711: port = 6000 + display_number;
1.35 markus 1712: memset(&hints, 0, sizeof(hints));
1713: hints.ai_family = IPv4or6;
1.36 markus 1714: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1715: hints.ai_socktype = SOCK_STREAM;
1716: snprintf(strport, sizeof strport, "%d", port);
1717: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1718: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1719: return NULL;
1720: }
1.35 markus 1721: for (ai = aitop; ai; ai = ai->ai_next) {
1722: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1723: continue;
1724: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1725: if (sock < 0) {
1726: error("socket: %.100s", strerror(errno));
1727: return NULL;
1728: }
1729: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1730: debug("bind port %d: %.100s", port, strerror(errno));
1731: shutdown(sock, SHUT_RDWR);
1732: close(sock);
1733: for (n = 0; n < num_socks; n++) {
1734: shutdown(socks[n], SHUT_RDWR);
1735: close(socks[n]);
1736: }
1737: num_socks = 0;
1738: break;
1739: }
1740: socks[num_socks++] = sock;
1741: if (num_socks == NUM_SOCKS)
1742: break;
1.25 markus 1743: }
1.35 markus 1744: if (num_socks > 0)
1745: break;
1.25 markus 1746: }
1747: if (display_number >= MAX_DISPLAYS) {
1748: error("Failed to allocate internet-domain X11 display socket.");
1749: return NULL;
1750: }
1751: /* Start listening for connections on the socket. */
1.35 markus 1752: for (n = 0; n < num_socks; n++) {
1753: sock = socks[n];
1754: if (listen(sock, 5) < 0) {
1755: error("listen: %.100s", strerror(errno));
1756: shutdown(sock, SHUT_RDWR);
1757: close(sock);
1758: return NULL;
1759: }
1.25 markus 1760: }
1.35 markus 1761:
1.25 markus 1762: /* Set up a suitable value for the DISPLAY variable. */
1763: if (gethostname(hostname, sizeof(hostname)) < 0)
1764: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 1765: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 1766: display_number, screen_number);
1767:
1.35 markus 1768: /* Allocate a channel for each socket. */
1769: for (n = 0; n < num_socks; n++) {
1770: sock = socks[n];
1.51 markus 1771: (void) channel_new("x11 listener",
1772: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
1773: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1774: 0, xstrdup("X11 inet listener"));
1.35 markus 1775: }
1.1 deraadt 1776:
1.25 markus 1777: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 1778: return xstrdup(display);
1.1 deraadt 1779: }
1780:
1781: #ifndef X_UNIX_PATH
1782: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1783: #endif
1784:
1785: static
1786: int
1.30 deraadt 1787: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1788: {
1.25 markus 1789: static const char *const x_sockets[] = {
1790: X_UNIX_PATH "%u",
1791: "/var/X/.X11-unix/X" "%u",
1792: "/usr/spool/sockets/X11/" "%u",
1793: NULL
1794: };
1795: int sock;
1796: struct sockaddr_un addr;
1797: const char *const * path;
1798:
1799: for (path = x_sockets; *path; ++path) {
1800: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1801: if (sock < 0)
1802: error("socket: %.100s", strerror(errno));
1803: memset(&addr, 0, sizeof(addr));
1804: addr.sun_family = AF_UNIX;
1805: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1806: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1807: return sock;
1808: close(sock);
1809: }
1810: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1811: return -1;
1.1 deraadt 1812: }
1813:
1.51 markus 1814: int
1815: x11_connect_display(void)
1.1 deraadt 1816: {
1.51 markus 1817: int display_number, sock = 0;
1.25 markus 1818: const char *display;
1.51 markus 1819: char buf[1024], *cp;
1.35 markus 1820: struct addrinfo hints, *ai, *aitop;
1821: char strport[NI_MAXSERV];
1822: int gaierr;
1.25 markus 1823:
1824: /* Try to open a socket for the local X server. */
1825: display = getenv("DISPLAY");
1826: if (!display) {
1827: error("DISPLAY not set.");
1.51 markus 1828: return -1;
1.25 markus 1829: }
1.27 markus 1830: /*
1831: * Now we decode the value of the DISPLAY variable and make a
1832: * connection to the real X server.
1833: */
1834:
1835: /*
1836: * Check if it is a unix domain socket. Unix domain displays are in
1837: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1838: */
1.25 markus 1839: if (strncmp(display, "unix:", 5) == 0 ||
1840: display[0] == ':') {
1841: /* Connect to the unix domain socket. */
1842: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1843: error("Could not parse display number from DISPLAY: %.100s",
1844: display);
1.51 markus 1845: return -1;
1.25 markus 1846: }
1847: /* Create a socket. */
1848: sock = connect_local_xsocket(display_number);
1849: if (sock < 0)
1.51 markus 1850: return -1;
1.25 markus 1851:
1852: /* OK, we now have a connection to the display. */
1.51 markus 1853: return sock;
1.25 markus 1854: }
1.27 markus 1855: /*
1856: * Connect to an inet socket. The DISPLAY value is supposedly
1857: * hostname:d[.s], where hostname may also be numeric IP address.
1858: */
1.25 markus 1859: strncpy(buf, display, sizeof(buf));
1860: buf[sizeof(buf) - 1] = 0;
1861: cp = strchr(buf, ':');
1862: if (!cp) {
1863: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 1864: return -1;
1.25 markus 1865: }
1866: *cp = 0;
1.27 markus 1867: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1868: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1869: error("Could not parse display number from DISPLAY: %.100s",
1870: display);
1.51 markus 1871: return -1;
1.25 markus 1872: }
1.35 markus 1873:
1874: /* Look up the host address */
1875: memset(&hints, 0, sizeof(hints));
1876: hints.ai_family = IPv4or6;
1877: hints.ai_socktype = SOCK_STREAM;
1878: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1879: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1880: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.51 markus 1881: return -1;
1.25 markus 1882: }
1.35 markus 1883: for (ai = aitop; ai; ai = ai->ai_next) {
1884: /* Create a socket. */
1885: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1886: if (sock < 0) {
1887: debug("socket: %.100s", strerror(errno));
1.41 markus 1888: continue;
1889: }
1890: /* Connect it to the display. */
1891: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1892: debug("connect %.100s port %d: %.100s", buf,
1893: 6000 + display_number, strerror(errno));
1894: close(sock);
1895: continue;
1896: }
1897: /* Success */
1898: break;
1.35 markus 1899: }
1900: freeaddrinfo(aitop);
1901: if (!ai) {
1.49 markus 1902: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1.35 markus 1903: strerror(errno));
1.51 markus 1904: return -1;
1.25 markus 1905: }
1.51 markus 1906: return sock;
1907: }
1908:
1909: /*
1910: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1911: * the remote channel number. We should do whatever we want, and respond
1912: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1913: */
1914:
1915: void
1916: x11_input_open(int type, int plen)
1917: {
1918: int remote_channel, sock = 0, newch;
1919: char *remote_host;
1920: unsigned int remote_len;
1.25 markus 1921:
1.51 markus 1922: /* Get remote channel number. */
1923: remote_channel = packet_get_int();
1924:
1925: /* Get remote originator name. */
1926: if (have_hostname_in_open) {
1927: remote_host = packet_get_string(&remote_len);
1928: remote_len += 4;
1929: } else {
1930: remote_host = xstrdup("unknown (remote did not supply name)");
1931: remote_len = 0;
1932: }
1.25 markus 1933:
1.51 markus 1934: debug("Received X11 open request.");
1935: packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1936:
1.51 markus 1937: /* Obtain a connection to the real X display. */
1938: sock = x11_connect_display();
1939: if (sock == -1) {
1940: /* Send refusal to the remote host. */
1941: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1942: packet_put_int(remote_channel);
1943: packet_send();
1944: } else {
1945: /* Allocate a channel for this connection. */
1946: newch = channel_allocate(
1947: (x11_saved_proto == NULL) ?
1948: SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
1949: sock, remote_host);
1950: channels[newch].remote_id = remote_channel;
1.25 markus 1951:
1.51 markus 1952: /* Send a confirmation to the remote host. */
1953: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1954: packet_put_int(remote_channel);
1955: packet_put_int(newch);
1956: packet_send();
1957: }
1.1 deraadt 1958: }
1959:
1.27 markus 1960: /*
1961: * Requests forwarding of X11 connections, generates fake authentication
1962: * data, and enables authentication spoofing.
1963: */
1.1 deraadt 1964:
1.49 markus 1965: void
1.51 markus 1966: x11_request_forwarding_with_spoofing(int client_session_id,
1967: const char *proto, const char *data)
1.1 deraadt 1968: {
1.25 markus 1969: unsigned int data_len = (unsigned int) strlen(data) / 2;
1970: unsigned int i, value;
1971: char *new_data;
1972: int screen_number;
1973: const char *cp;
1974: u_int32_t rand = 0;
1975:
1976: cp = getenv("DISPLAY");
1977: if (cp)
1978: cp = strchr(cp, ':');
1979: if (cp)
1980: cp = strchr(cp, '.');
1981: if (cp)
1982: screen_number = atoi(cp + 1);
1983: else
1984: screen_number = 0;
1985:
1986: /* Save protocol name. */
1987: x11_saved_proto = xstrdup(proto);
1988:
1.27 markus 1989: /*
1990: * Extract real authentication data and generate fake data of the
1991: * same length.
1992: */
1.25 markus 1993: x11_saved_data = xmalloc(data_len);
1994: x11_fake_data = xmalloc(data_len);
1995: for (i = 0; i < data_len; i++) {
1996: if (sscanf(data + 2 * i, "%2x", &value) != 1)
1997: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1998: if (i % 4 == 0)
1999: rand = arc4random();
2000: x11_saved_data[i] = value;
2001: x11_fake_data[i] = rand & 0xff;
2002: rand >>= 8;
2003: }
2004: x11_saved_data_len = data_len;
2005: x11_fake_data_len = data_len;
2006:
2007: /* Convert the fake data into hex. */
2008: new_data = xmalloc(2 * data_len + 1);
2009: for (i = 0; i < data_len; i++)
2010: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
2011:
2012: /* Send the request packet. */
1.51 markus 2013: if (compat20) {
2014: channel_request_start(client_session_id, "x11-req", 0);
2015: packet_put_char(0); /* XXX bool single connection */
2016: } else {
2017: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
2018: }
2019: packet_put_cstring(proto);
2020: packet_put_cstring(new_data);
1.25 markus 2021: packet_put_int(screen_number);
2022: packet_send();
2023: packet_write_wait();
2024: xfree(new_data);
1.1 deraadt 2025: }
2026:
2027: /* Sends a message to the server to request authentication fd forwarding. */
2028:
1.49 markus 2029: void
1.25 markus 2030: auth_request_forwarding()
1.1 deraadt 2031: {
1.25 markus 2032: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2033: packet_send();
2034: packet_write_wait();
1.1 deraadt 2035: }
2036:
1.27 markus 2037: /*
2038: * Returns the name of the forwarded authentication socket. Returns NULL if
2039: * there is no forwarded authentication socket. The returned value points to
2040: * a static buffer.
2041: */
1.1 deraadt 2042:
1.25 markus 2043: char *
2044: auth_get_socket_name()
1.1 deraadt 2045: {
1.25 markus 2046: return channel_forwarded_auth_socket_name;
1.1 deraadt 2047: }
2048:
1.12 markus 2049: /* removes the agent forwarding socket */
2050:
1.49 markus 2051: void
1.25 markus 2052: cleanup_socket(void)
2053: {
2054: remove(channel_forwarded_auth_socket_name);
2055: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 2056: }
2057:
1.27 markus 2058: /*
1.59 markus 2059: * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1.27 markus 2060: * This starts forwarding authentication requests.
2061: */
1.1 deraadt 2062:
1.59 markus 2063: int
1.25 markus 2064: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 2065: {
1.25 markus 2066: int sock, newch;
2067: struct sockaddr_un sunaddr;
2068:
2069: if (auth_get_socket_name() != NULL)
2070: fatal("Protocol error: authentication forwarding requested twice.");
2071:
2072: /* Temporarily drop privileged uid for mkdir/bind. */
2073: temporarily_use_uid(pw->pw_uid);
2074:
2075: /* Allocate a buffer for the socket name, and format the name. */
2076: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
2077: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
2078: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
2079:
2080: /* Create private directory for socket */
1.59 markus 2081: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
2082: packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
2083: strerror(errno));
2084: restore_uid();
2085: xfree(channel_forwarded_auth_socket_name);
2086: xfree(channel_forwarded_auth_socket_dir);
2087: channel_forwarded_auth_socket_name = NULL;
2088: channel_forwarded_auth_socket_dir = NULL;
2089: return 0;
2090: }
1.25 markus 2091: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
2092: channel_forwarded_auth_socket_dir, (int) getpid());
2093:
2094: if (atexit(cleanup_socket) < 0) {
2095: int saved = errno;
2096: cleanup_socket();
2097: packet_disconnect("socket: %.100s", strerror(saved));
2098: }
2099: /* Create the socket. */
2100: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2101: if (sock < 0)
2102: packet_disconnect("socket: %.100s", strerror(errno));
2103:
2104: /* Bind it to the name. */
2105: memset(&sunaddr, 0, sizeof(sunaddr));
2106: sunaddr.sun_family = AF_UNIX;
2107: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
2108: sizeof(sunaddr.sun_path));
2109:
2110: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2111: packet_disconnect("bind: %.100s", strerror(errno));
2112:
2113: /* Restore the privileged uid. */
2114: restore_uid();
2115:
2116: /* Start listening on the socket. */
2117: if (listen(sock, 5) < 0)
2118: packet_disconnect("listen: %.100s", strerror(errno));
2119:
2120: /* Allocate a channel for the authentication agent socket. */
2121: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
2122: xstrdup("auth socket"));
1.32 deraadt 2123: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
2124: sizeof(channels[newch].path));
1.59 markus 2125: return 1;
1.1 deraadt 2126: }
2127:
2128: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2129:
1.49 markus 2130: void
1.41 markus 2131: auth_input_open_request(int type, int plen)
1.1 deraadt 2132: {
1.25 markus 2133: int remch, sock, newch;
2134: char *dummyname;
1.41 markus 2135:
2136: packet_integrity_check(plen, 4, type);
1.25 markus 2137:
2138: /* Read the remote channel number from the message. */
2139: remch = packet_get_int();
2140:
1.27 markus 2141: /*
2142: * Get a connection to the local authentication agent (this may again
2143: * get forwarded).
2144: */
1.25 markus 2145: sock = ssh_get_authentication_socket();
2146:
1.27 markus 2147: /*
2148: * If we could not connect the agent, send an error message back to
2149: * the server. This should never happen unless the agent dies,
2150: * because authentication forwarding is only enabled if we have an
2151: * agent.
2152: */
1.25 markus 2153: if (sock < 0) {
2154: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2155: packet_put_int(remch);
2156: packet_send();
2157: return;
2158: }
2159: debug("Forwarding authentication connection.");
1.1 deraadt 2160:
1.27 markus 2161: /*
2162: * Dummy host name. This will be freed when the channel is freed; it
2163: * will still be valid in the packet_put_string below since the
2164: * channel cannot yet be freed at that point.
2165: */
1.25 markus 2166: dummyname = xstrdup("authentication agent connection");
2167:
2168: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
2169: channels[newch].remote_id = remch;
2170:
2171: /* Send a confirmation to the remote host. */
2172: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2173: packet_put_int(remch);
2174: packet_put_int(newch);
1.44 markus 2175: packet_send();
2176: }
2177:
2178: void
1.51 markus 2179: channel_start_open(int id)
1.44 markus 2180: {
2181: Channel *c = channel_lookup(id);
2182: if (c == NULL) {
2183: log("channel_open: %d: bad id", id);
2184: return;
2185: }
1.51 markus 2186: debug("send channel open %d", id);
1.44 markus 2187: packet_start(SSH2_MSG_CHANNEL_OPEN);
2188: packet_put_cstring(c->ctype);
2189: packet_put_int(c->self);
2190: packet_put_int(c->local_window);
2191: packet_put_int(c->local_maxpacket);
1.51 markus 2192: }
2193: void
2194: channel_open(int id)
2195: {
2196: /* XXX REMOVE ME */
2197: channel_start_open(id);
1.44 markus 2198: packet_send();
2199: }
2200: void
2201: channel_request(int id, char *service, int wantconfirm)
2202: {
2203: channel_request_start(id, service, wantconfirm);
2204: packet_send();
2205: debug("channel request %d: %s", id, service) ;
2206: }
2207: void
2208: channel_request_start(int id, char *service, int wantconfirm)
2209: {
2210: Channel *c = channel_lookup(id);
2211: if (c == NULL) {
2212: log("channel_request: %d: bad id", id);
2213: return;
2214: }
2215: packet_start(SSH2_MSG_CHANNEL_REQUEST);
2216: packet_put_int(c->remote_id);
2217: packet_put_cstring(service);
2218: packet_put_char(wantconfirm);
2219: }
2220: void
2221: channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
2222: {
2223: Channel *c = channel_lookup(id);
2224: if (c == NULL) {
2225: log("channel_register_callback: %d: bad id", id);
2226: return;
2227: }
2228: c->cb_event = mtype;
2229: c->cb_fn = fn;
2230: c->cb_arg = arg;
2231: }
2232: void
2233: channel_register_cleanup(int id, channel_callback_fn *fn)
2234: {
2235: Channel *c = channel_lookup(id);
2236: if (c == NULL) {
2237: log("channel_register_cleanup: %d: bad id", id);
2238: return;
2239: }
2240: c->dettach_user = fn;
2241: }
2242: void
2243: channel_cancel_cleanup(int id)
2244: {
2245: Channel *c = channel_lookup(id);
2246: if (c == NULL) {
2247: log("channel_cancel_cleanup: %d: bad id", id);
2248: return;
2249: }
2250: c->dettach_user = NULL;
2251: }
2252:
2253: void
2254: channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
2255: {
2256: Channel *c = channel_lookup(id);
2257: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
2258: fatal("channel_activate for non-larval channel %d.", id);
1.52 markus 2259:
2260: channel_register_fds(c, rfd, wfd, efd, extusage);
1.44 markus 2261: c->type = SSH_CHANNEL_OPEN;
2262: /* XXX window size? */
2263: c->local_window = c->local_window_max = c->local_maxpacket/2;
2264: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
2265: packet_put_int(c->remote_id);
2266: packet_put_int(c->local_window);
1.25 markus 2267: packet_send();
1.1 deraadt 2268: }