Annotation of src/usr.bin/ssh/channels.c, Revision 1.64
1.1 deraadt 1: /*
1.49 markus 2: *
1.26 deraadt 3: * channels.c
1.49 markus 4: *
1.26 deraadt 5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
1.49 markus 6: *
1.26 deraadt 7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
1.49 markus 9: *
1.26 deraadt 10: * Created: Fri Mar 24 16:35:24 1995 ylo
1.49 markus 11: *
1.26 deraadt 12: * This file contains functions for generic socket connection forwarding.
13: * There is also code for initiating connection forwarding for X11 connections,
14: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.26 deraadt 17: */
1.1 deraadt 18:
19: #include "includes.h"
1.64 ! markus 20: RCSID("$OpenBSD: channels.c,v 1.63 2000/06/25 20:17:57 provos Exp $");
1.1 deraadt 21:
22: #include "ssh.h"
23: #include "packet.h"
24: #include "xmalloc.h"
25: #include "buffer.h"
26: #include "uidswap.h"
1.20 markus 27: #include "readconf.h"
1.3 deraadt 28: #include "servconf.h"
1.1 deraadt 29:
1.14 markus 30: #include "channels.h"
31: #include "nchan.h"
32: #include "compat.h"
33:
1.44 markus 34: #include "ssh2.h"
1.64 ! markus 35:
! 36: #include <openssl/rsa.h>
! 37: #include <openssl/dsa.h>
! 38: #include "key.h"
! 39: #include "authfd.h"
1.44 markus 40:
1.1 deraadt 41: /* Maximum number of fake X11 displays to try. */
42: #define MAX_DISPLAYS 1000
43:
1.12 markus 44: /* Max len of agent socket */
45: #define MAX_SOCKET_NAME 100
46:
1.51 markus 47: /* default window/packet sizes for tcp/x11-fwd-channel */
48: #define CHAN_TCP_WINDOW_DEFAULT (8*1024)
49: #define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2)
50: #define CHAN_X11_WINDOW_DEFAULT (4*1024)
51: #define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2)
1.41 markus 52:
1.27 markus 53: /*
54: * Pointer to an array containing all allocated channels. The array is
55: * dynamically extended as needed.
56: */
1.1 deraadt 57: static Channel *channels = NULL;
58:
1.27 markus 59: /*
60: * Size of the channel array. All slots of the array must always be
61: * initialized (at least the type field); unused slots are marked with type
62: * SSH_CHANNEL_FREE.
63: */
1.1 deraadt 64: static int channels_alloc = 0;
65:
1.27 markus 66: /*
67: * Maximum file descriptor value used in any of the channels. This is
68: * updated in channel_allocate.
69: */
1.1 deraadt 70: static int channel_max_fd_value = 0;
71:
1.12 markus 72: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 73: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 74: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 75:
76: /* Saved X11 authentication protocol name. */
77: char *x11_saved_proto = NULL;
78:
79: /* Saved X11 authentication data. This is the real data. */
80: char *x11_saved_data = NULL;
81: unsigned int x11_saved_data_len = 0;
82:
1.27 markus 83: /*
84: * Fake X11 authentication data. This is what the server will be sending us;
85: * we should replace any occurrences of this by the real data.
86: */
1.1 deraadt 87: char *x11_fake_data = NULL;
88: unsigned int x11_fake_data_len;
89:
1.27 markus 90: /*
91: * Data structure for storing which hosts are permitted for forward requests.
92: * The local sides of any remote forwards are stored in this array to prevent
93: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
94: * network (which might be behind a firewall).
95: */
1.25 markus 96: typedef struct {
1.41 markus 97: char *host_to_connect; /* Connect to 'host'. */
98: u_short port_to_connect; /* Connect to 'port'. */
99: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 100: } ForwardPermission;
101:
102: /* List of all permitted host/port pairs to connect. */
103: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
104: /* Number of permitted host/port pairs in the array. */
105: static int num_permitted_opens = 0;
1.27 markus 106: /*
107: * If this is true, all opens are permitted. This is the case on the server
108: * on which we have to trust the client anyway, and the user could do
109: * anything after logging in anyway.
110: */
1.1 deraadt 111: static int all_opens_permitted = 0;
112:
113: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
114: static int have_hostname_in_open = 0;
115:
116: /* Sets specific protocol options. */
117:
1.49 markus 118: void
1.25 markus 119: channel_set_options(int hostname_in_open)
1.1 deraadt 120: {
1.25 markus 121: have_hostname_in_open = hostname_in_open;
1.1 deraadt 122: }
123:
1.27 markus 124: /*
125: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
126: * called by the server, because the user could connect to any port anyway,
127: * and the server has no way to know but to trust the client anyway.
128: */
1.1 deraadt 129:
1.49 markus 130: void
1.25 markus 131: channel_permit_all_opens()
1.1 deraadt 132: {
1.25 markus 133: all_opens_permitted = 1;
1.1 deraadt 134: }
135:
1.41 markus 136: /* lookup channel by id */
137:
138: Channel *
139: channel_lookup(int id)
140: {
141: Channel *c;
1.63 provos 142: if (id < 0 || id > channels_alloc) {
1.41 markus 143: log("channel_lookup: %d: bad id", id);
144: return NULL;
145: }
146: c = &channels[id];
147: if (c->type == SSH_CHANNEL_FREE) {
148: log("channel_lookup: %d: bad id: channel free", id);
149: return NULL;
150: }
151: return c;
1.55 markus 152: }
153:
1.27 markus 154: /*
1.55 markus 155: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 156: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 157: */
1.1 deraadt 158:
1.52 markus 159: void
160: channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
1.1 deraadt 161: {
1.25 markus 162: /* Update the maximum file descriptor value. */
1.41 markus 163: if (rfd > channel_max_fd_value)
164: channel_max_fd_value = rfd;
165: if (wfd > channel_max_fd_value)
166: channel_max_fd_value = wfd;
167: if (efd > channel_max_fd_value)
168: channel_max_fd_value = efd;
1.27 markus 169: /* XXX set close-on-exec -markus */
1.55 markus 170:
1.52 markus 171: c->rfd = rfd;
172: c->wfd = wfd;
173: c->sock = (rfd == wfd) ? rfd : -1;
174: c->efd = efd;
175: c->extended_usage = extusage;
1.55 markus 176: if (rfd != -1)
177: set_nonblock(rfd);
178: if (wfd != -1)
179: set_nonblock(wfd);
180: if (efd != -1)
181: set_nonblock(efd);
1.52 markus 182: }
183:
184: /*
185: * Allocate a new channel object and set its type and socket. This will cause
186: * remote_name to be freed.
187: */
188:
189: int
190: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
191: int window, int maxpack, int extusage, char *remote_name)
192: {
193: int i, found;
194: Channel *c;
1.25 markus 195:
196: /* Do initial allocation if this is the first call. */
197: if (channels_alloc == 0) {
1.44 markus 198: chan_init();
1.25 markus 199: channels_alloc = 10;
200: channels = xmalloc(channels_alloc * sizeof(Channel));
201: for (i = 0; i < channels_alloc; i++)
202: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 203: /*
204: * Kludge: arrange a call to channel_stop_listening if we
205: * terminate with fatal().
206: */
1.25 markus 207: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
208: }
209: /* Try to find a free slot where to put the new channel. */
210: for (found = -1, i = 0; i < channels_alloc; i++)
211: if (channels[i].type == SSH_CHANNEL_FREE) {
212: /* Found a free slot. */
213: found = i;
214: break;
215: }
216: if (found == -1) {
1.27 markus 217: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 218: found = channels_alloc;
219: channels_alloc += 10;
220: debug("channel: expanding %d", channels_alloc);
221: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
222: for (i = found; i < channels_alloc; i++)
223: channels[i].type = SSH_CHANNEL_FREE;
224: }
225: /* Initialize and return new channel number. */
226: c = &channels[found];
227: buffer_init(&c->input);
228: buffer_init(&c->output);
1.41 markus 229: buffer_init(&c->extended);
1.25 markus 230: chan_init_iostates(c);
1.52 markus 231: channel_register_fds(c, rfd, wfd, efd, extusage);
1.25 markus 232: c->self = found;
233: c->type = type;
1.41 markus 234: c->ctype = ctype;
1.51 markus 235: c->local_window = window;
236: c->local_window_max = window;
237: c->local_consumed = 0;
238: c->local_maxpacket = maxpack;
1.25 markus 239: c->remote_id = -1;
240: c->remote_name = remote_name;
1.41 markus 241: c->remote_window = 0;
242: c->remote_maxpacket = 0;
243: c->cb_fn = NULL;
244: c->cb_arg = NULL;
245: c->cb_event = 0;
246: c->dettach_user = NULL;
1.25 markus 247: debug("channel %d: new [%s]", found, remote_name);
248: return found;
1.1 deraadt 249: }
1.52 markus 250: /* old interface XXX */
1.49 markus 251: int
1.41 markus 252: channel_allocate(int type, int sock, char *remote_name)
253: {
254: return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
255: }
1.1 deraadt 256:
1.52 markus 257:
258: /* Close all channel fd/socket. */
259:
260: void
261: channel_close_fds(Channel *c)
262: {
263: if (c->sock != -1) {
264: close(c->sock);
265: c->sock = -1;
266: }
267: if (c->rfd != -1) {
268: close(c->rfd);
269: c->rfd = -1;
270: }
271: if (c->wfd != -1) {
272: close(c->wfd);
273: c->wfd = -1;
274: }
275: if (c->efd != -1) {
276: close(c->efd);
277: c->efd = -1;
278: }
279: }
280:
281: /* Free the channel and close its fd/socket. */
1.1 deraadt 282:
1.49 markus 283: void
1.41 markus 284: channel_free(int id)
1.1 deraadt 285: {
1.41 markus 286: Channel *c = channel_lookup(id);
287: if (c == NULL)
288: packet_disconnect("channel free: bad local channel %d", id);
289: debug("channel_free: channel %d: status: %s", id, channel_open_message());
1.44 markus 290: if (c->dettach_user != NULL) {
291: debug("channel_free: channel %d: dettaching channel user", id);
292: c->dettach_user(c->self, NULL);
293: }
1.54 markus 294: if (c->sock != -1)
295: shutdown(c->sock, SHUT_RDWR);
1.52 markus 296: channel_close_fds(c);
1.41 markus 297: buffer_free(&c->input);
298: buffer_free(&c->output);
299: buffer_free(&c->extended);
300: c->type = SSH_CHANNEL_FREE;
301: if (c->remote_name) {
302: xfree(c->remote_name);
303: c->remote_name = NULL;
1.25 markus 304: }
1.1 deraadt 305: }
306:
1.27 markus 307: /*
1.41 markus 308: * 'channel_pre*' are called just before select() to add any bits relevant to
309: * channels in the select bitmasks.
310: */
311: /*
312: * 'channel_post*': perform any appropriate operations for channels which
313: * have events pending.
1.27 markus 314: */
1.41 markus 315: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
316: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
317: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
318:
319: void
320: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
321: {
322: FD_SET(c->sock, readset);
323: }
324:
325: void
326: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
327: {
328: if (buffer_len(&c->input) < packet_get_maxsize())
329: FD_SET(c->sock, readset);
330: if (buffer_len(&c->output) > 0)
331: FD_SET(c->sock, writeset);
332: }
1.1 deraadt 333:
1.41 markus 334: void
335: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
336: {
337: /* test whether sockets are 'alive' for read/write */
338: if (c->istate == CHAN_INPUT_OPEN)
339: if (buffer_len(&c->input) < packet_get_maxsize())
340: FD_SET(c->sock, readset);
341: if (c->ostate == CHAN_OUTPUT_OPEN ||
342: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
343: if (buffer_len(&c->output) > 0) {
344: FD_SET(c->sock, writeset);
345: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
346: chan_obuf_empty(c);
347: }
348: }
349: }
350:
351: void
1.44 markus 352: channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
353: {
354: if (c->istate == CHAN_INPUT_OPEN &&
355: c->remote_window > 0 &&
356: buffer_len(&c->input) < c->remote_window)
357: FD_SET(c->rfd, readset);
358: if (c->ostate == CHAN_OUTPUT_OPEN ||
359: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
360: if (buffer_len(&c->output) > 0) {
361: FD_SET(c->wfd, writeset);
362: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
363: chan_obuf_empty(c);
364: }
365: }
366: /** XXX check close conditions, too */
367: if (c->efd != -1) {
368: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
369: buffer_len(&c->extended) > 0)
370: FD_SET(c->efd, writeset);
371: else if (c->extended_usage == CHAN_EXTENDED_READ &&
372: buffer_len(&c->extended) < c->remote_window)
373: FD_SET(c->efd, readset);
374: }
375: }
376:
377: void
1.41 markus 378: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
379: {
380: if (buffer_len(&c->input) == 0) {
381: packet_start(SSH_MSG_CHANNEL_CLOSE);
382: packet_put_int(c->remote_id);
383: packet_send();
384: c->type = SSH_CHANNEL_CLOSED;
385: debug("Closing channel %d after input drain.", c->self);
386: }
387: }
388:
389: void
390: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
391: {
392: if (buffer_len(&c->output) == 0)
393: channel_free(c->self);
1.49 markus 394: else
1.41 markus 395: FD_SET(c->sock, writeset);
396: }
397:
398: /*
399: * This is a special state for X11 authentication spoofing. An opened X11
400: * connection (when authentication spoofing is being done) remains in this
401: * state until the first packet has been completely read. The authentication
402: * data in that packet is then substituted by the real data if it matches the
403: * fake data, and the channel is put into normal mode.
1.51 markus 404: * XXX All this happens at the client side.
1.41 markus 405: */
406: int
407: x11_open_helper(Channel *c)
1.1 deraadt 408: {
1.25 markus 409: unsigned char *ucp;
410: unsigned int proto_len, data_len;
411:
1.41 markus 412: /* Check if the fixed size part of the packet is in buffer. */
413: if (buffer_len(&c->output) < 12)
414: return 0;
415:
416: /* Parse the lengths of variable-length fields. */
417: ucp = (unsigned char *) buffer_ptr(&c->output);
418: if (ucp[0] == 0x42) { /* Byte order MSB first. */
419: proto_len = 256 * ucp[6] + ucp[7];
420: data_len = 256 * ucp[8] + ucp[9];
421: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
422: proto_len = ucp[6] + 256 * ucp[7];
423: data_len = ucp[8] + 256 * ucp[9];
424: } else {
425: debug("Initial X11 packet contains bad byte order byte: 0x%x",
426: ucp[0]);
427: return -1;
428: }
429:
430: /* Check if the whole packet is in buffer. */
431: if (buffer_len(&c->output) <
432: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
433: return 0;
434:
435: /* Check if authentication protocol matches. */
436: if (proto_len != strlen(x11_saved_proto) ||
437: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
438: debug("X11 connection uses different authentication protocol.");
439: return -1;
440: }
441: /* Check if authentication data matches our fake data. */
442: if (data_len != x11_fake_data_len ||
443: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
444: x11_fake_data, x11_fake_data_len) != 0) {
445: debug("X11 auth data does not match fake data.");
446: return -1;
447: }
448: /* Check fake data length */
449: if (x11_fake_data_len != x11_saved_data_len) {
450: error("X11 fake_data_len %d != saved_data_len %d",
451: x11_fake_data_len, x11_saved_data_len);
452: return -1;
453: }
454: /*
455: * Received authentication protocol and data match
456: * our fake data. Substitute the fake data with real
457: * data.
458: */
459: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
460: x11_saved_data, x11_saved_data_len);
461: return 1;
462: }
463:
464: void
465: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
466: {
467: int ret = x11_open_helper(c);
468: if (ret == 1) {
469: /* Start normal processing for the channel. */
470: c->type = SSH_CHANNEL_OPEN;
1.47 markus 471: channel_pre_open_13(c, readset, writeset);
1.41 markus 472: } else if (ret == -1) {
473: /*
474: * We have received an X11 connection that has bad
475: * authentication information.
476: */
477: log("X11 connection rejected because of wrong authentication.\r\n");
478: buffer_clear(&c->input);
479: buffer_clear(&c->output);
480: close(c->sock);
481: c->sock = -1;
482: c->type = SSH_CHANNEL_CLOSED;
483: packet_start(SSH_MSG_CHANNEL_CLOSE);
484: packet_put_int(c->remote_id);
485: packet_send();
486: }
487: }
1.25 markus 488:
1.41 markus 489: void
1.51 markus 490: channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
1.41 markus 491: {
492: int ret = x11_open_helper(c);
493: if (ret == 1) {
494: c->type = SSH_CHANNEL_OPEN;
1.57 markus 495: if (compat20)
496: channel_pre_open_20(c, readset, writeset);
497: else
498: channel_pre_open_15(c, readset, writeset);
1.41 markus 499: } else if (ret == -1) {
500: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
1.51 markus 501: chan_read_failed(c); /** force close? */
1.41 markus 502: chan_write_failed(c);
503: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
504: }
505: }
1.25 markus 506:
1.41 markus 507: /* This is our fake X11 server socket. */
508: void
509: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
510: {
511: struct sockaddr addr;
512: int newsock, newch;
513: socklen_t addrlen;
514: char buf[16384], *remote_hostname;
1.51 markus 515: int remote_port;
1.25 markus 516:
1.41 markus 517: if (FD_ISSET(c->sock, readset)) {
518: debug("X11 connection requested.");
519: addrlen = sizeof(addr);
520: newsock = accept(c->sock, &addr, &addrlen);
521: if (newsock < 0) {
522: error("accept: %.100s", strerror(errno));
523: return;
524: }
525: remote_hostname = get_remote_hostname(newsock);
1.51 markus 526: remote_port = get_peer_port(newsock);
1.41 markus 527: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.51 markus 528: remote_hostname, remote_port);
529:
530: newch = channel_new("x11",
531: SSH_CHANNEL_OPENING, newsock, newsock, -1,
532: c->local_window_max, c->local_maxpacket,
533: 0, xstrdup(buf));
534: if (compat20) {
535: packet_start(SSH2_MSG_CHANNEL_OPEN);
536: packet_put_cstring("x11");
537: packet_put_int(newch);
538: packet_put_int(c->local_window_max);
539: packet_put_int(c->local_maxpacket);
540: /* originator host and port */
541: packet_put_cstring(remote_hostname);
1.57 markus 542: if (datafellows & SSH_BUG_X11FWD) {
543: debug("ssh2 x11 bug compat mode");
544: } else {
545: packet_put_int(remote_port);
546: }
1.51 markus 547: packet_send();
548: } else {
549: packet_start(SSH_SMSG_X11_OPEN);
550: packet_put_int(newch);
551: if (have_hostname_in_open)
552: packet_put_string(buf, strlen(buf));
553: packet_send();
554: }
1.41 markus 555: xfree(remote_hostname);
556: }
557: }
1.25 markus 558:
1.41 markus 559: /*
560: * This socket is listening for connections to a forwarded TCP/IP port.
561: */
562: void
563: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
564: {
565: struct sockaddr addr;
566: int newsock, newch;
567: socklen_t addrlen;
568: char buf[1024], *remote_hostname;
569: int remote_port;
1.25 markus 570:
1.41 markus 571: if (FD_ISSET(c->sock, readset)) {
572: debug("Connection to port %d forwarding "
573: "to %.100s port %d requested.",
574: c->listening_port, c->path, c->host_port);
575: addrlen = sizeof(addr);
576: newsock = accept(c->sock, &addr, &addrlen);
577: if (newsock < 0) {
578: error("accept: %.100s", strerror(errno));
579: return;
580: }
581: remote_hostname = get_remote_hostname(newsock);
582: remote_port = get_peer_port(newsock);
583: snprintf(buf, sizeof buf,
584: "listen port %d for %.100s port %d, "
585: "connect from %.200s port %d",
586: c->listening_port, c->path, c->host_port,
587: remote_hostname, remote_port);
588: newch = channel_new("direct-tcpip",
589: SSH_CHANNEL_OPENING, newsock, newsock, -1,
590: c->local_window_max, c->local_maxpacket,
591: 0, xstrdup(buf));
1.44 markus 592: if (compat20) {
593: packet_start(SSH2_MSG_CHANNEL_OPEN);
594: packet_put_cstring("direct-tcpip");
595: packet_put_int(newch);
596: packet_put_int(c->local_window_max);
597: packet_put_int(c->local_maxpacket);
1.48 markus 598: /* target host and port */
1.44 markus 599: packet_put_string(c->path, strlen(c->path));
600: packet_put_int(c->host_port);
1.48 markus 601: /* originator host and port */
1.44 markus 602: packet_put_cstring(remote_hostname);
603: packet_put_int(remote_port);
604: packet_send();
605: } else {
606: packet_start(SSH_MSG_PORT_OPEN);
607: packet_put_int(newch);
608: packet_put_string(c->path, strlen(c->path));
609: packet_put_int(c->host_port);
610: if (have_hostname_in_open) {
611: packet_put_string(buf, strlen(buf));
612: }
613: packet_send();
1.41 markus 614: }
615: xfree(remote_hostname);
616: }
617: }
1.25 markus 618:
1.41 markus 619: /*
620: * This is the authentication agent socket listening for connections from
621: * clients.
622: */
623: void
624: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
625: {
626: struct sockaddr addr;
627: int newsock, newch;
628: socklen_t addrlen;
1.25 markus 629:
1.41 markus 630: if (FD_ISSET(c->sock, readset)) {
631: addrlen = sizeof(addr);
632: newsock = accept(c->sock, &addr, &addrlen);
633: if (newsock < 0) {
634: error("accept from auth socket: %.100s", strerror(errno));
635: return;
636: }
637: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
638: xstrdup("accepted auth socket"));
639: packet_start(SSH_SMSG_AGENT_OPEN);
640: packet_put_int(newch);
641: packet_send();
642: }
643: }
1.25 markus 644:
1.41 markus 645: int
646: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
647: {
648: char buf[16*1024];
649: int len;
1.25 markus 650:
1.41 markus 651: if (c->rfd != -1 &&
652: FD_ISSET(c->rfd, readset)) {
653: len = read(c->rfd, buf, sizeof(buf));
1.53 markus 654: if (len < 0 && (errno == EINTR || errno == EAGAIN))
655: return 1;
1.41 markus 656: if (len <= 0) {
1.51 markus 657: debug("channel %d: read<=0 rfd %d len %d",
1.41 markus 658: c->self, c->rfd, len);
1.25 markus 659: if (compat13) {
1.41 markus 660: buffer_consume(&c->output, buffer_len(&c->output));
661: c->type = SSH_CHANNEL_INPUT_DRAINING;
662: debug("Channel %d status set to input draining.", c->self);
1.25 markus 663: } else {
1.41 markus 664: chan_read_failed(c);
1.25 markus 665: }
1.41 markus 666: return -1;
667: }
668: buffer_append(&c->input, buf, len);
669: }
670: return 1;
671: }
672: int
673: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
674: {
675: int len;
1.25 markus 676:
1.41 markus 677: /* Send buffered output data to the socket. */
678: if (c->wfd != -1 &&
679: FD_ISSET(c->wfd, writeset) &&
680: buffer_len(&c->output) > 0) {
681: len = write(c->wfd, buffer_ptr(&c->output),
1.53 markus 682: buffer_len(&c->output));
683: if (len < 0 && (errno == EINTR || errno == EAGAIN))
684: return 1;
1.41 markus 685: if (len <= 0) {
686: if (compat13) {
687: buffer_consume(&c->output, buffer_len(&c->output));
688: debug("Channel %d status set to input draining.", c->self);
689: c->type = SSH_CHANNEL_INPUT_DRAINING;
690: } else {
691: chan_write_failed(c);
692: }
693: return -1;
1.25 markus 694: }
1.41 markus 695: buffer_consume(&c->output, len);
1.44 markus 696: if (compat20 && len > 0) {
697: c->local_consumed += len;
698: }
699: }
700: return 1;
701: }
702: int
703: channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
704: {
705: char buf[16*1024];
706: int len;
707:
1.45 markus 708: /** XXX handle drain efd, too */
1.44 markus 709: if (c->efd != -1) {
710: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
711: FD_ISSET(c->efd, writeset) &&
712: buffer_len(&c->extended) > 0) {
713: len = write(c->efd, buffer_ptr(&c->extended),
714: buffer_len(&c->extended));
715: debug("channel %d: written %d to efd %d",
716: c->self, len, c->efd);
717: if (len > 0) {
718: buffer_consume(&c->extended, len);
719: c->local_consumed += len;
720: }
721: } else if (c->extended_usage == CHAN_EXTENDED_READ &&
722: FD_ISSET(c->efd, readset)) {
723: len = read(c->efd, buf, sizeof(buf));
724: debug("channel %d: read %d from efd %d",
725: c->self, len, c->efd);
1.45 markus 726: if (len == 0) {
727: debug("channel %d: closing efd %d",
728: c->self, c->efd);
729: close(c->efd);
730: c->efd = -1;
731: } else if (len > 0)
1.44 markus 732: buffer_append(&c->extended, buf, len);
733: }
734: }
735: return 1;
736: }
737: int
738: channel_check_window(Channel *c, fd_set * readset, fd_set * writeset)
739: {
1.46 markus 740: if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.44 markus 741: c->local_window < c->local_window_max/2 &&
742: c->local_consumed > 0) {
743: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
744: packet_put_int(c->remote_id);
745: packet_put_int(c->local_consumed);
746: packet_send();
747: debug("channel %d: window %d sent adjust %d",
748: c->self, c->local_window,
749: c->local_consumed);
750: c->local_window += c->local_consumed;
751: c->local_consumed = 0;
1.1 deraadt 752: }
1.41 markus 753: return 1;
1.1 deraadt 754: }
755:
1.41 markus 756: void
757: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
758: {
759: channel_handle_rfd(c, readset, writeset);
760: channel_handle_wfd(c, readset, writeset);
761: }
1.1 deraadt 762:
1.41 markus 763: void
1.44 markus 764: channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
765: {
766: channel_handle_rfd(c, readset, writeset);
767: channel_handle_wfd(c, readset, writeset);
768: channel_handle_efd(c, readset, writeset);
769: channel_check_window(c, readset, writeset);
770: }
771:
772: void
1.41 markus 773: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 774: {
1.41 markus 775: int len;
776: /* Send buffered output data to the socket. */
777: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
778: len = write(c->sock, buffer_ptr(&c->output),
779: buffer_len(&c->output));
780: if (len <= 0)
781: buffer_consume(&c->output, buffer_len(&c->output));
782: else
783: buffer_consume(&c->output, len);
784: }
785: }
1.25 markus 786:
1.41 markus 787: void
1.44 markus 788: channel_handler_init_20(void)
789: {
790: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
1.51 markus 791: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.44 markus 792: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1.51 markus 793: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1.44 markus 794:
795: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
796: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1.51 markus 797: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1.44 markus 798: }
799:
800: void
1.41 markus 801: channel_handler_init_13(void)
802: {
803: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
804: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
805: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
806: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
807: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
808: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
809: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.25 markus 810:
1.41 markus 811: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
812: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
813: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
814: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
815: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
816: }
1.25 markus 817:
1.41 markus 818: void
819: channel_handler_init_15(void)
820: {
821: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
1.51 markus 822: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.41 markus 823: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
824: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
825: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.25 markus 826:
1.41 markus 827: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
828: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
829: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
830: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
831: }
1.27 markus 832:
1.41 markus 833: void
834: channel_handler_init(void)
835: {
836: int i;
837: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
838: channel_pre[i] = NULL;
839: channel_post[i] = NULL;
840: }
1.44 markus 841: if (compat20)
842: channel_handler_init_20();
843: else if (compat13)
1.41 markus 844: channel_handler_init_13();
845: else
846: channel_handler_init_15();
847: }
1.25 markus 848:
1.49 markus 849: void
1.41 markus 850: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
851: {
852: static int did_init = 0;
853: int i;
854: Channel *c;
1.25 markus 855:
1.41 markus 856: if (!did_init) {
857: channel_handler_init();
858: did_init = 1;
859: }
860: for (i = 0; i < channels_alloc; i++) {
861: c = &channels[i];
862: if (c->type == SSH_CHANNEL_FREE)
863: continue;
864: if (ftab[c->type] == NULL)
1.25 markus 865: continue;
1.41 markus 866: (*ftab[c->type])(c, readset, writeset);
1.44 markus 867: chan_delete_if_full_closed(c);
1.1 deraadt 868: }
869: }
870:
1.49 markus 871: void
1.41 markus 872: channel_prepare_select(fd_set * readset, fd_set * writeset)
873: {
874: channel_handler(channel_pre, readset, writeset);
875: }
876:
1.49 markus 877: void
1.41 markus 878: channel_after_select(fd_set * readset, fd_set * writeset)
879: {
880: channel_handler(channel_post, readset, writeset);
881: }
882:
1.1 deraadt 883: /* If there is data to send to the connection, send some of it now. */
884:
1.49 markus 885: void
1.25 markus 886: channel_output_poll()
1.1 deraadt 887: {
1.25 markus 888: int len, i;
1.41 markus 889: Channel *c;
1.1 deraadt 890:
1.25 markus 891: for (i = 0; i < channels_alloc; i++) {
1.41 markus 892: c = &channels[i];
1.37 markus 893:
1.27 markus 894: /* We are only interested in channels that can have buffered incoming data. */
1.37 markus 895: if (compat13) {
1.41 markus 896: if (c->type != SSH_CHANNEL_OPEN &&
897: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 898: continue;
899: } else {
1.41 markus 900: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 901: continue;
1.41 markus 902: if (c->istate != CHAN_INPUT_OPEN &&
903: c->istate != CHAN_INPUT_WAIT_DRAIN)
1.37 markus 904: continue;
905: }
1.46 markus 906: if (compat20 &&
907: (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.44 markus 908: debug("channel: %d: no data after CLOSE", c->self);
909: continue;
910: }
1.25 markus 911:
912: /* Get the amount of buffered data for this channel. */
1.41 markus 913: len = buffer_len(&c->input);
1.25 markus 914: if (len > 0) {
1.27 markus 915: /* Send some data for the other side over the secure connection. */
1.44 markus 916: if (compat20) {
917: if (len > c->remote_window)
918: len = c->remote_window;
919: if (len > c->remote_maxpacket)
920: len = c->remote_maxpacket;
1.25 markus 921: } else {
1.44 markus 922: if (packet_is_interactive()) {
923: if (len > 1024)
924: len = 512;
925: } else {
926: /* Keep the packets at reasonable size. */
927: if (len > packet_get_maxsize()/2)
928: len = packet_get_maxsize()/2;
929: }
1.25 markus 930: }
1.41 markus 931: if (len > 0) {
1.44 markus 932: packet_start(compat20 ?
933: SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
1.41 markus 934: packet_put_int(c->remote_id);
935: packet_put_string(buffer_ptr(&c->input), len);
936: packet_send();
937: buffer_consume(&c->input, len);
938: c->remote_window -= len;
939: }
940: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 941: if (compat13)
942: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 943: /*
944: * input-buffer is empty and read-socket shutdown:
945: * tell peer, that we will not send more data: send IEOF
946: */
1.41 markus 947: chan_ibuf_empty(c);
1.25 markus 948: }
1.44 markus 949: /* Send extended data, i.e. stderr */
950: if (compat20 &&
951: c->remote_window > 0 &&
952: (len = buffer_len(&c->extended)) > 0 &&
953: c->extended_usage == CHAN_EXTENDED_READ) {
954: if (len > c->remote_window)
955: len = c->remote_window;
956: if (len > c->remote_maxpacket)
957: len = c->remote_maxpacket;
958: packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
959: packet_put_int(c->remote_id);
960: packet_put_int(SSH2_EXTENDED_DATA_STDERR);
961: packet_put_string(buffer_ptr(&c->extended), len);
962: packet_send();
963: buffer_consume(&c->extended, len);
964: c->remote_window -= len;
965: }
1.25 markus 966: }
1.1 deraadt 967: }
968:
1.27 markus 969: /*
970: * This is called when a packet of type CHANNEL_DATA has just been received.
971: * The message type has already been consumed, but channel number and data is
972: * still there.
973: */
1.1 deraadt 974:
1.49 markus 975: void
1.41 markus 976: channel_input_data(int type, int plen)
1.1 deraadt 977: {
1.37 markus 978: int id;
1.25 markus 979: char *data;
980: unsigned int data_len;
1.41 markus 981: Channel *c;
1.25 markus 982:
983: /* Get the channel number and verify it. */
1.37 markus 984: id = packet_get_int();
1.41 markus 985: c = channel_lookup(id);
986: if (c == NULL)
1.37 markus 987: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 988:
989: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 990: if (c->type != SSH_CHANNEL_OPEN &&
991: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 992: return;
993:
994: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 995: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 996: return;
997:
998: /* Get the data. */
999: data = packet_get_string(&data_len);
1.48 markus 1000: packet_done();
1.41 markus 1001:
1.44 markus 1002: if (compat20){
1003: if (data_len > c->local_maxpacket) {
1004: log("channel %d: rcvd big packet %d, maxpack %d",
1005: c->self, data_len, c->local_maxpacket);
1006: }
1007: if (data_len > c->local_window) {
1008: log("channel %d: rcvd too much data %d, win %d",
1009: c->self, data_len, c->local_window);
1010: xfree(data);
1011: return;
1012: }
1013: c->local_window -= data_len;
1014: }else{
1015: packet_integrity_check(plen, 4 + 4 + data_len, type);
1016: }
1.41 markus 1017: buffer_append(&c->output, data, data_len);
1.25 markus 1018: xfree(data);
1.1 deraadt 1019: }
1.49 markus 1020: void
1.44 markus 1021: channel_input_extended_data(int type, int plen)
1022: {
1023: int id;
1024: int tcode;
1025: char *data;
1026: unsigned int data_len;
1027: Channel *c;
1028:
1029: /* Get the channel number and verify it. */
1030: id = packet_get_int();
1031: c = channel_lookup(id);
1032:
1033: if (c == NULL)
1034: packet_disconnect("Received extended_data for bad channel %d.", id);
1035: if (c->type != SSH_CHANNEL_OPEN) {
1036: log("channel %d: ext data for non open", id);
1037: return;
1038: }
1039: tcode = packet_get_int();
1040: if (c->efd == -1 ||
1041: c->extended_usage != CHAN_EXTENDED_WRITE ||
1042: tcode != SSH2_EXTENDED_DATA_STDERR) {
1043: log("channel %d: bad ext data", c->self);
1044: return;
1045: }
1046: data = packet_get_string(&data_len);
1.48 markus 1047: packet_done();
1.44 markus 1048: if (data_len > c->local_window) {
1049: log("channel %d: rcvd too much extended_data %d, win %d",
1050: c->self, data_len, c->local_window);
1051: xfree(data);
1052: return;
1053: }
1054: debug("channel %d: rcvd ext data %d", c->self, data_len);
1055: c->local_window -= data_len;
1056: buffer_append(&c->extended, data, data_len);
1057: xfree(data);
1058: }
1059:
1.1 deraadt 1060:
1.27 markus 1061: /*
1062: * Returns true if no channel has too much buffered data, and false if one or
1063: * more channel is overfull.
1064: */
1.1 deraadt 1065:
1.49 markus 1066: int
1.25 markus 1067: channel_not_very_much_buffered_data()
1.1 deraadt 1068: {
1.25 markus 1069: unsigned int i;
1.41 markus 1070: Channel *c;
1.25 markus 1071:
1072: for (i = 0; i < channels_alloc; i++) {
1.41 markus 1073: c = &channels[i];
1074: if (c->type == SSH_CHANNEL_OPEN) {
1.44 markus 1075: if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
1.41 markus 1076: debug("channel %d: big input buffer %d",
1077: c->self, buffer_len(&c->input));
1.25 markus 1078: return 0;
1.41 markus 1079: }
1080: if (buffer_len(&c->output) > packet_get_maxsize()) {
1081: debug("channel %d: big output buffer %d",
1082: c->self, buffer_len(&c->output));
1.25 markus 1083: return 0;
1.41 markus 1084: }
1.25 markus 1085: }
1.1 deraadt 1086: }
1.25 markus 1087: return 1;
1.1 deraadt 1088: }
1089:
1.49 markus 1090: void
1.41 markus 1091: channel_input_ieof(int type, int plen)
1092: {
1093: int id;
1094: Channel *c;
1095:
1096: packet_integrity_check(plen, 4, type);
1097:
1098: id = packet_get_int();
1099: c = channel_lookup(id);
1100: if (c == NULL)
1101: packet_disconnect("Received ieof for nonexistent channel %d.", id);
1102: chan_rcvd_ieof(c);
1103: }
1.1 deraadt 1104:
1.49 markus 1105: void
1.41 markus 1106: channel_input_close(int type, int plen)
1.1 deraadt 1107: {
1.41 markus 1108: int id;
1109: Channel *c;
1.1 deraadt 1110:
1.41 markus 1111: packet_integrity_check(plen, 4, type);
1112:
1113: id = packet_get_int();
1114: c = channel_lookup(id);
1115: if (c == NULL)
1116: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 1117:
1118: /*
1119: * Send a confirmation that we have closed the channel and no more
1120: * data is coming for it.
1121: */
1.25 markus 1122: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 1123: packet_put_int(c->remote_id);
1.25 markus 1124: packet_send();
1125:
1.27 markus 1126: /*
1127: * If the channel is in closed state, we have sent a close request,
1128: * and the other side will eventually respond with a confirmation.
1129: * Thus, we cannot free the channel here, because then there would be
1130: * no-one to receive the confirmation. The channel gets freed when
1131: * the confirmation arrives.
1132: */
1.41 markus 1133: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 1134: /*
1135: * Not a closed channel - mark it as draining, which will
1136: * cause it to be freed later.
1137: */
1.41 markus 1138: buffer_consume(&c->input, buffer_len(&c->input));
1139: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 1140: }
1.1 deraadt 1141: }
1142:
1.41 markus 1143: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
1.49 markus 1144: void
1.41 markus 1145: channel_input_oclose(int type, int plen)
1146: {
1147: int id = packet_get_int();
1148: Channel *c = channel_lookup(id);
1149: packet_integrity_check(plen, 4, type);
1150: if (c == NULL)
1151: packet_disconnect("Received oclose for nonexistent channel %d.", id);
1152: chan_rcvd_oclose(c);
1153: }
1.1 deraadt 1154:
1.49 markus 1155: void
1.41 markus 1156: channel_input_close_confirmation(int type, int plen)
1.1 deraadt 1157: {
1.41 markus 1158: int id = packet_get_int();
1159: Channel *c = channel_lookup(id);
1.1 deraadt 1160:
1.48 markus 1161: packet_done();
1.41 markus 1162: if (c == NULL)
1163: packet_disconnect("Received close confirmation for "
1164: "out-of-range channel %d.", id);
1165: if (c->type != SSH_CHANNEL_CLOSED)
1166: packet_disconnect("Received close confirmation for "
1167: "non-closed channel %d (type %d).", id, c->type);
1168: channel_free(c->self);
1.1 deraadt 1169: }
1170:
1.49 markus 1171: void
1.41 markus 1172: channel_input_open_confirmation(int type, int plen)
1.1 deraadt 1173: {
1.41 markus 1174: int id, remote_id;
1175: Channel *c;
1.1 deraadt 1176:
1.44 markus 1177: if (!compat20)
1178: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 1179:
1.41 markus 1180: id = packet_get_int();
1181: c = channel_lookup(id);
1.25 markus 1182:
1.41 markus 1183: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1184: packet_disconnect("Received open confirmation for "
1185: "non-opening channel %d.", id);
1186: remote_id = packet_get_int();
1.27 markus 1187: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 1188: c->remote_id = remote_id;
1189: c->type = SSH_CHANNEL_OPEN;
1.44 markus 1190:
1191: if (compat20) {
1192: c->remote_window = packet_get_int();
1193: c->remote_maxpacket = packet_get_int();
1.48 markus 1194: packet_done();
1.44 markus 1195: if (c->cb_fn != NULL && c->cb_event == type) {
1196: debug("callback start");
1197: c->cb_fn(c->self, c->cb_arg);
1198: debug("callback done");
1199: }
1200: debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1201: c->remote_window, c->remote_maxpacket);
1202: }
1.1 deraadt 1203: }
1204:
1.49 markus 1205: void
1.41 markus 1206: channel_input_open_failure(int type, int plen)
1.1 deraadt 1207: {
1.41 markus 1208: int id;
1209: Channel *c;
1210:
1.44 markus 1211: if (!compat20)
1212: packet_integrity_check(plen, 4, type);
1.41 markus 1213:
1214: id = packet_get_int();
1215: c = channel_lookup(id);
1.25 markus 1216:
1.41 markus 1217: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1218: packet_disconnect("Received open failure for "
1219: "non-opening channel %d.", id);
1.44 markus 1220: if (compat20) {
1221: int reason = packet_get_int();
1222: char *msg = packet_get_string(NULL);
1.48 markus 1223: char *lang = packet_get_string(NULL);
1.44 markus 1224: log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
1.48 markus 1225: packet_done();
1.44 markus 1226: xfree(msg);
1.48 markus 1227: xfree(lang);
1.44 markus 1228: }
1.25 markus 1229: /* Free the channel. This will also close the socket. */
1.41 markus 1230: channel_free(id);
1.1 deraadt 1231: }
1232:
1.44 markus 1233: void
1234: channel_input_channel_request(int type, int plen)
1235: {
1236: int id;
1237: Channel *c;
1238:
1239: id = packet_get_int();
1240: c = channel_lookup(id);
1241:
1242: if (c == NULL ||
1243: (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1244: packet_disconnect("Received request for "
1245: "non-open channel %d.", id);
1246: if (c->cb_fn != NULL && c->cb_event == type) {
1247: debug("callback start");
1248: c->cb_fn(c->self, c->cb_arg);
1249: debug("callback done");
1250: } else {
1251: char *service = packet_get_string(NULL);
1252: debug("channel: %d rcvd request for %s", c->self, service);
1253: debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1254: xfree(service);
1255: }
1256: }
1257:
1.49 markus 1258: void
1.44 markus 1259: channel_input_window_adjust(int type, int plen)
1260: {
1261: Channel *c;
1262: int id, adjust;
1263:
1264: if (!compat20)
1265: return;
1266:
1267: /* Get the channel number and verify it. */
1268: id = packet_get_int();
1269: c = channel_lookup(id);
1270:
1271: if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1272: log("Received window adjust for "
1273: "non-open channel %d.", id);
1274: return;
1275: }
1276: adjust = packet_get_int();
1.48 markus 1277: packet_done();
1.44 markus 1278: debug("channel %d: rcvd adjust %d", id, adjust);
1279: c->remote_window += adjust;
1280: }
1281:
1.27 markus 1282: /*
1283: * Stops listening for channels, and removes any unix domain sockets that we
1284: * might have.
1285: */
1.1 deraadt 1286:
1.49 markus 1287: void
1.25 markus 1288: channel_stop_listening()
1.1 deraadt 1289: {
1.25 markus 1290: int i;
1291: for (i = 0; i < channels_alloc; i++) {
1292: switch (channels[i].type) {
1293: case SSH_CHANNEL_AUTH_SOCKET:
1294: close(channels[i].sock);
1295: remove(channels[i].path);
1296: channel_free(i);
1297: break;
1298: case SSH_CHANNEL_PORT_LISTENER:
1299: case SSH_CHANNEL_X11_LISTENER:
1300: close(channels[i].sock);
1301: channel_free(i);
1302: break;
1303: default:
1304: break;
1305: }
1.1 deraadt 1306: }
1307: }
1308:
1.27 markus 1309: /*
1.52 markus 1310: * Closes the sockets/fds of all channels. This is used to close extra file
1.27 markus 1311: * descriptors after a fork.
1312: */
1.1 deraadt 1313:
1.49 markus 1314: void
1.25 markus 1315: channel_close_all()
1.1 deraadt 1316: {
1.25 markus 1317: int i;
1.52 markus 1318: for (i = 0; i < channels_alloc; i++)
1.25 markus 1319: if (channels[i].type != SSH_CHANNEL_FREE)
1.52 markus 1320: channel_close_fds(&channels[i]);
1.1 deraadt 1321: }
1322:
1323: /* Returns the maximum file descriptor number used by the channels. */
1324:
1.49 markus 1325: int
1.25 markus 1326: channel_max_fd()
1.1 deraadt 1327: {
1.25 markus 1328: return channel_max_fd_value;
1.1 deraadt 1329: }
1330:
1331: /* Returns true if any channel is still open. */
1332:
1.49 markus 1333: int
1.25 markus 1334: channel_still_open()
1.1 deraadt 1335: {
1.25 markus 1336: unsigned int i;
1337: for (i = 0; i < channels_alloc; i++)
1338: switch (channels[i].type) {
1339: case SSH_CHANNEL_FREE:
1340: case SSH_CHANNEL_X11_LISTENER:
1341: case SSH_CHANNEL_PORT_LISTENER:
1342: case SSH_CHANNEL_CLOSED:
1343: case SSH_CHANNEL_AUTH_SOCKET:
1344: continue;
1.44 markus 1345: case SSH_CHANNEL_LARVAL:
1346: if (!compat20)
1347: fatal("cannot happen: SSH_CHANNEL_LARVAL");
1348: continue;
1.25 markus 1349: case SSH_CHANNEL_OPENING:
1350: case SSH_CHANNEL_OPEN:
1351: case SSH_CHANNEL_X11_OPEN:
1352: return 1;
1353: case SSH_CHANNEL_INPUT_DRAINING:
1354: case SSH_CHANNEL_OUTPUT_DRAINING:
1355: if (!compat13)
1356: fatal("cannot happen: OUT_DRAIN");
1357: return 1;
1358: default:
1359: fatal("channel_still_open: bad channel type %d", channels[i].type);
1360: /* NOTREACHED */
1361: }
1362: return 0;
1.1 deraadt 1363: }
1364:
1.27 markus 1365: /*
1366: * Returns a message describing the currently open forwarded connections,
1367: * suitable for sending to the client. The message contains crlf pairs for
1368: * newlines.
1369: */
1.1 deraadt 1370:
1.25 markus 1371: char *
1372: channel_open_message()
1.1 deraadt 1373: {
1.25 markus 1374: Buffer buffer;
1375: int i;
1376: char buf[512], *cp;
1377:
1378: buffer_init(&buffer);
1379: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 1380: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 1381: for (i = 0; i < channels_alloc; i++) {
1382: Channel *c = &channels[i];
1383: switch (c->type) {
1384: case SSH_CHANNEL_FREE:
1385: case SSH_CHANNEL_X11_LISTENER:
1386: case SSH_CHANNEL_PORT_LISTENER:
1387: case SSH_CHANNEL_CLOSED:
1388: case SSH_CHANNEL_AUTH_SOCKET:
1389: continue;
1.44 markus 1390: case SSH_CHANNEL_LARVAL:
1.25 markus 1391: case SSH_CHANNEL_OPENING:
1392: case SSH_CHANNEL_OPEN:
1393: case SSH_CHANNEL_X11_OPEN:
1394: case SSH_CHANNEL_INPUT_DRAINING:
1395: case SSH_CHANNEL_OUTPUT_DRAINING:
1.41 markus 1396: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
1.37 markus 1397: c->self, c->remote_name,
1398: c->type, c->remote_id,
1399: c->istate, buffer_len(&c->input),
1.41 markus 1400: c->ostate, buffer_len(&c->output),
1401: c->rfd, c->wfd);
1.25 markus 1402: buffer_append(&buffer, buf, strlen(buf));
1403: continue;
1404: default:
1.41 markus 1405: fatal("channel_open_message: bad channel type %d", c->type);
1.25 markus 1406: /* NOTREACHED */
1407: }
1408: }
1409: buffer_append(&buffer, "\0", 1);
1410: cp = xstrdup(buffer_ptr(&buffer));
1411: buffer_free(&buffer);
1412: return cp;
1.1 deraadt 1413: }
1414:
1.27 markus 1415: /*
1416: * Initiate forwarding of connections to local port "port" through the secure
1417: * channel to host:port from remote side.
1418: */
1.1 deraadt 1419:
1.49 markus 1420: void
1.31 markus 1421: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 1422: u_short host_port, int gateway_ports)
1.25 markus 1423: {
1.35 markus 1424: int success, ch, sock, on = 1;
1425: struct addrinfo hints, *ai, *aitop;
1426: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.28 markus 1427: struct linger linger;
1.25 markus 1428:
1429: if (strlen(host) > sizeof(channels[0].path) - 1)
1430: packet_disconnect("Forward host name too long.");
1431:
1.28 markus 1432: /*
1.35 markus 1433: * getaddrinfo returns a loopback address if the hostname is
1434: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 1435: */
1.35 markus 1436: memset(&hints, 0, sizeof(hints));
1437: hints.ai_family = IPv4or6;
1438: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1439: hints.ai_socktype = SOCK_STREAM;
1440: snprintf(strport, sizeof strport, "%d", port);
1441: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1442: packet_disconnect("getaddrinfo: fatal error");
1443:
1444: success = 0;
1445: for (ai = aitop; ai; ai = ai->ai_next) {
1446: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1447: continue;
1448: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1449: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1450: error("channel_request_local_forwarding: getnameinfo failed");
1451: continue;
1452: }
1453: /* Create a port to listen for the host. */
1454: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1455: if (sock < 0) {
1456: /* this is no error since kernel may not support ipv6 */
1457: verbose("socket: %.100s", strerror(errno));
1458: continue;
1459: }
1460: /*
1461: * Set socket options. We would like the socket to disappear
1462: * as soon as it has been closed for whatever reason.
1463: */
1464: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1465: linger.l_onoff = 1;
1466: linger.l_linger = 5;
1467: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1468: debug("Local forwarding listening on %s port %s.", ntop, strport);
1469:
1470: /* Bind the socket to the address. */
1471: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1472: /* address can be in use ipv6 address is already bound */
1473: verbose("bind: %.100s", strerror(errno));
1474: close(sock);
1475: continue;
1476: }
1477: /* Start listening for connections on the socket. */
1478: if (listen(sock, 5) < 0) {
1479: error("listen: %.100s", strerror(errno));
1480: close(sock);
1481: continue;
1482: }
1483: /* Allocate a channel number for the socket. */
1.41 markus 1484: ch = channel_new(
1485: "port listener", SSH_CHANNEL_PORT_LISTENER,
1486: sock, sock, -1,
1.51 markus 1487: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.41 markus 1488: 0, xstrdup("port listener"));
1.35 markus 1489: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1490: channels[ch].host_port = host_port;
1491: channels[ch].listening_port = port;
1492: success = 1;
1493: }
1494: if (success == 0)
1495: packet_disconnect("cannot listen port: %d", port);
1496: freeaddrinfo(aitop);
1.25 markus 1497: }
1.1 deraadt 1498:
1.27 markus 1499: /*
1500: * Initiate forwarding of connections to port "port" on remote host through
1501: * the secure channel to host:port from local side.
1502: */
1.1 deraadt 1503:
1.49 markus 1504: void
1.41 markus 1505: channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
1506: u_short port_to_connect)
1.25 markus 1507: {
1508: int payload_len;
1509: /* Record locally that connection to this host/port is permitted. */
1510: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1511: fatal("channel_request_remote_forwarding: too many forwards");
1512:
1.41 markus 1513: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1514: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1515: permitted_opens[num_permitted_opens].listen_port = listen_port;
1.25 markus 1516: num_permitted_opens++;
1517:
1518: /* Send the forward request to the remote side. */
1.44 markus 1519: if (compat20) {
1520: const char *address_to_bind = "0.0.0.0";
1521: packet_start(SSH2_MSG_GLOBAL_REQUEST);
1522: packet_put_cstring("tcpip-forward");
1523: packet_put_char(0); /* boolean: want reply */
1524: packet_put_cstring(address_to_bind);
1525: packet_put_int(listen_port);
1526: } else {
1527: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.50 markus 1528: packet_put_int(listen_port);
1529: packet_put_cstring(host_to_connect);
1.44 markus 1530: packet_put_int(port_to_connect);
1531: packet_send();
1532: packet_write_wait();
1533: /*
1534: * Wait for response from the remote side. It will send a disconnect
1535: * message on failure, and we will never see it here.
1536: */
1537: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1538: }
1.1 deraadt 1539: }
1540:
1.27 markus 1541: /*
1542: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1543: * listening for the port, and sends back a success reply (or disconnect
1544: * message if there was an error). This never returns if there was an error.
1545: */
1.1 deraadt 1546:
1.49 markus 1547: void
1.56 markus 1548: channel_input_port_forward_request(int is_root, int gateway_ports)
1.1 deraadt 1549: {
1.31 markus 1550: u_short port, host_port;
1.25 markus 1551: char *hostname;
1.1 deraadt 1552:
1.25 markus 1553: /* Get arguments from the packet. */
1554: port = packet_get_int();
1555: hostname = packet_get_string(NULL);
1556: host_port = packet_get_int();
1557:
1.27 markus 1558: /*
1559: * Check that an unprivileged user is not trying to forward a
1560: * privileged port.
1561: */
1.25 markus 1562: if (port < IPPORT_RESERVED && !is_root)
1563: packet_disconnect("Requested forwarding of port %d but user is not root.",
1564: port);
1.33 markus 1565: /*
1566: * Initiate forwarding,
1567: */
1.56 markus 1568: channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
1.25 markus 1569:
1570: /* Free the argument string. */
1571: xfree(hostname);
1.1 deraadt 1572: }
1573:
1.41 markus 1574: /* XXX move to aux.c */
1575: int
1576: channel_connect_to(const char *host, u_short host_port)
1577: {
1578: struct addrinfo hints, *ai, *aitop;
1579: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1580: int gaierr;
1581: int sock = -1;
1582:
1583: memset(&hints, 0, sizeof(hints));
1584: hints.ai_family = IPv4or6;
1585: hints.ai_socktype = SOCK_STREAM;
1586: snprintf(strport, sizeof strport, "%d", host_port);
1587: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1588: error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
1589: return -1;
1590: }
1591: for (ai = aitop; ai; ai = ai->ai_next) {
1592: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1593: continue;
1594: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1595: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1596: error("channel_connect_to: getnameinfo failed");
1597: continue;
1598: }
1599: /* Create the socket. */
1600: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1601: if (sock < 0) {
1602: error("socket: %.100s", strerror(errno));
1603: continue;
1604: }
1605: /* Connect to the host/port. */
1606: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1607: error("connect %.100s port %s: %.100s", ntop, strport,
1608: strerror(errno));
1609: close(sock);
1610: continue; /* fail -- try next */
1611: }
1612: break; /* success */
1613:
1614: }
1615: freeaddrinfo(aitop);
1616: if (!ai) {
1617: error("connect %.100s port %d: failed.", host, host_port);
1618: return -1;
1619: }
1620: /* success */
1621: return sock;
1622: }
1.27 markus 1623: /*
1624: * This is called after receiving PORT_OPEN message. This attempts to
1625: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1626: * or CHANNEL_OPEN_FAILURE.
1627: */
1.1 deraadt 1628:
1.49 markus 1629: void
1.41 markus 1630: channel_input_port_open(int type, int plen)
1.1 deraadt 1631: {
1.31 markus 1632: u_short host_port;
1.25 markus 1633: char *host, *originator_string;
1.41 markus 1634: int remote_channel, sock = -1, newch, i, denied;
1.39 markus 1635: unsigned int host_len, originator_len;
1.25 markus 1636:
1637: /* Get remote channel number. */
1638: remote_channel = packet_get_int();
1639:
1640: /* Get host name to connect to. */
1641: host = packet_get_string(&host_len);
1642:
1643: /* Get port to connect to. */
1644: host_port = packet_get_int();
1645:
1646: /* Get remote originator name. */
1.29 markus 1647: if (have_hostname_in_open) {
1.25 markus 1648: originator_string = packet_get_string(&originator_len);
1.29 markus 1649: originator_len += 4; /* size of packet_int */
1650: } else {
1.25 markus 1651: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1652: originator_len = 0; /* no originator supplied */
1653: }
1.25 markus 1654:
1.41 markus 1655: packet_integrity_check(plen,
1656: 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
1.25 markus 1657:
1658: /* Check if opening that port is permitted. */
1.41 markus 1659: denied = 0;
1.25 markus 1660: if (!all_opens_permitted) {
1661: /* Go trough all permitted ports. */
1662: for (i = 0; i < num_permitted_opens; i++)
1.41 markus 1663: if (permitted_opens[i].port_to_connect == host_port &&
1664: strcmp(permitted_opens[i].host_to_connect, host) == 0)
1.25 markus 1665: break;
1666:
1667: /* Check if we found the requested port among those permitted. */
1668: if (i >= num_permitted_opens) {
1669: /* The port is not permitted. */
1670: log("Received request to connect to %.100s:%d, but the request was denied.",
1671: host, host_port);
1.41 markus 1672: denied = 1;
1.25 markus 1673: }
1674: }
1.41 markus 1675: sock = denied ? -1 : channel_connect_to(host, host_port);
1676: if (sock > 0) {
1677: /* Allocate a channel for this connection. */
1678: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1679: channels[newch].remote_id = remote_channel;
1680:
1681: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1682: packet_put_int(remote_channel);
1683: packet_put_int(newch);
1684: packet_send();
1685: } else {
1686: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1687: packet_put_int(remote_channel);
1688: packet_send();
1.25 markus 1689: }
1690: xfree(host);
1.1 deraadt 1691: }
1692:
1.27 markus 1693: /*
1694: * Creates an internet domain socket for listening for X11 connections.
1695: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1696: * occurs.
1697: */
1.1 deraadt 1698:
1.35 markus 1699: #define NUM_SOCKS 10
1700:
1.25 markus 1701: char *
1.33 markus 1702: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1703: {
1.31 markus 1704: int display_number, sock;
1705: u_short port;
1.35 markus 1706: struct addrinfo hints, *ai, *aitop;
1707: char strport[NI_MAXSERV];
1708: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1709: char display[512];
1.25 markus 1710: char hostname[MAXHOSTNAMELEN];
1711:
1.33 markus 1712: for (display_number = x11_display_offset;
1.25 markus 1713: display_number < MAX_DISPLAYS;
1714: display_number++) {
1715: port = 6000 + display_number;
1.35 markus 1716: memset(&hints, 0, sizeof(hints));
1717: hints.ai_family = IPv4or6;
1.36 markus 1718: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1719: hints.ai_socktype = SOCK_STREAM;
1720: snprintf(strport, sizeof strport, "%d", port);
1721: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1722: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1723: return NULL;
1724: }
1.35 markus 1725: for (ai = aitop; ai; ai = ai->ai_next) {
1726: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1727: continue;
1728: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1729: if (sock < 0) {
1730: error("socket: %.100s", strerror(errno));
1731: return NULL;
1732: }
1733: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1734: debug("bind port %d: %.100s", port, strerror(errno));
1735: shutdown(sock, SHUT_RDWR);
1736: close(sock);
1737: for (n = 0; n < num_socks; n++) {
1738: shutdown(socks[n], SHUT_RDWR);
1739: close(socks[n]);
1740: }
1741: num_socks = 0;
1742: break;
1743: }
1744: socks[num_socks++] = sock;
1745: if (num_socks == NUM_SOCKS)
1746: break;
1.25 markus 1747: }
1.35 markus 1748: if (num_socks > 0)
1749: break;
1.25 markus 1750: }
1751: if (display_number >= MAX_DISPLAYS) {
1752: error("Failed to allocate internet-domain X11 display socket.");
1753: return NULL;
1754: }
1755: /* Start listening for connections on the socket. */
1.35 markus 1756: for (n = 0; n < num_socks; n++) {
1757: sock = socks[n];
1758: if (listen(sock, 5) < 0) {
1759: error("listen: %.100s", strerror(errno));
1760: shutdown(sock, SHUT_RDWR);
1761: close(sock);
1762: return NULL;
1763: }
1.25 markus 1764: }
1.35 markus 1765:
1.25 markus 1766: /* Set up a suitable value for the DISPLAY variable. */
1767: if (gethostname(hostname, sizeof(hostname)) < 0)
1768: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 1769: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 1770: display_number, screen_number);
1771:
1.35 markus 1772: /* Allocate a channel for each socket. */
1773: for (n = 0; n < num_socks; n++) {
1774: sock = socks[n];
1.51 markus 1775: (void) channel_new("x11 listener",
1776: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
1777: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1778: 0, xstrdup("X11 inet listener"));
1.35 markus 1779: }
1.1 deraadt 1780:
1.25 markus 1781: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 1782: return xstrdup(display);
1.1 deraadt 1783: }
1784:
1785: #ifndef X_UNIX_PATH
1786: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1787: #endif
1788:
1789: static
1790: int
1.30 deraadt 1791: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1792: {
1.25 markus 1793: static const char *const x_sockets[] = {
1794: X_UNIX_PATH "%u",
1795: "/var/X/.X11-unix/X" "%u",
1796: "/usr/spool/sockets/X11/" "%u",
1797: NULL
1798: };
1799: int sock;
1800: struct sockaddr_un addr;
1801: const char *const * path;
1802:
1803: for (path = x_sockets; *path; ++path) {
1804: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1805: if (sock < 0)
1806: error("socket: %.100s", strerror(errno));
1807: memset(&addr, 0, sizeof(addr));
1808: addr.sun_family = AF_UNIX;
1809: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1810: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1811: return sock;
1812: close(sock);
1813: }
1814: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1815: return -1;
1.1 deraadt 1816: }
1817:
1.51 markus 1818: int
1819: x11_connect_display(void)
1.1 deraadt 1820: {
1.51 markus 1821: int display_number, sock = 0;
1.25 markus 1822: const char *display;
1.51 markus 1823: char buf[1024], *cp;
1.35 markus 1824: struct addrinfo hints, *ai, *aitop;
1825: char strport[NI_MAXSERV];
1826: int gaierr;
1.25 markus 1827:
1828: /* Try to open a socket for the local X server. */
1829: display = getenv("DISPLAY");
1830: if (!display) {
1831: error("DISPLAY not set.");
1.51 markus 1832: return -1;
1.25 markus 1833: }
1.27 markus 1834: /*
1835: * Now we decode the value of the DISPLAY variable and make a
1836: * connection to the real X server.
1837: */
1838:
1839: /*
1840: * Check if it is a unix domain socket. Unix domain displays are in
1841: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1842: */
1.25 markus 1843: if (strncmp(display, "unix:", 5) == 0 ||
1844: display[0] == ':') {
1845: /* Connect to the unix domain socket. */
1846: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1847: error("Could not parse display number from DISPLAY: %.100s",
1848: display);
1.51 markus 1849: return -1;
1.25 markus 1850: }
1851: /* Create a socket. */
1852: sock = connect_local_xsocket(display_number);
1853: if (sock < 0)
1.51 markus 1854: return -1;
1.25 markus 1855:
1856: /* OK, we now have a connection to the display. */
1.51 markus 1857: return sock;
1.25 markus 1858: }
1.27 markus 1859: /*
1860: * Connect to an inet socket. The DISPLAY value is supposedly
1861: * hostname:d[.s], where hostname may also be numeric IP address.
1862: */
1.25 markus 1863: strncpy(buf, display, sizeof(buf));
1864: buf[sizeof(buf) - 1] = 0;
1865: cp = strchr(buf, ':');
1866: if (!cp) {
1867: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 1868: return -1;
1.25 markus 1869: }
1870: *cp = 0;
1.27 markus 1871: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1872: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1873: error("Could not parse display number from DISPLAY: %.100s",
1874: display);
1.51 markus 1875: return -1;
1.25 markus 1876: }
1.35 markus 1877:
1878: /* Look up the host address */
1879: memset(&hints, 0, sizeof(hints));
1880: hints.ai_family = IPv4or6;
1881: hints.ai_socktype = SOCK_STREAM;
1882: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1883: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1884: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.51 markus 1885: return -1;
1.25 markus 1886: }
1.35 markus 1887: for (ai = aitop; ai; ai = ai->ai_next) {
1888: /* Create a socket. */
1889: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1890: if (sock < 0) {
1891: debug("socket: %.100s", strerror(errno));
1.41 markus 1892: continue;
1893: }
1894: /* Connect it to the display. */
1895: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1896: debug("connect %.100s port %d: %.100s", buf,
1897: 6000 + display_number, strerror(errno));
1898: close(sock);
1899: continue;
1900: }
1901: /* Success */
1902: break;
1.35 markus 1903: }
1904: freeaddrinfo(aitop);
1905: if (!ai) {
1.49 markus 1906: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1.35 markus 1907: strerror(errno));
1.51 markus 1908: return -1;
1.25 markus 1909: }
1.51 markus 1910: return sock;
1911: }
1912:
1913: /*
1914: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1915: * the remote channel number. We should do whatever we want, and respond
1916: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1917: */
1918:
1919: void
1920: x11_input_open(int type, int plen)
1921: {
1922: int remote_channel, sock = 0, newch;
1923: char *remote_host;
1924: unsigned int remote_len;
1.25 markus 1925:
1.51 markus 1926: /* Get remote channel number. */
1927: remote_channel = packet_get_int();
1928:
1929: /* Get remote originator name. */
1930: if (have_hostname_in_open) {
1931: remote_host = packet_get_string(&remote_len);
1932: remote_len += 4;
1933: } else {
1934: remote_host = xstrdup("unknown (remote did not supply name)");
1935: remote_len = 0;
1936: }
1.25 markus 1937:
1.51 markus 1938: debug("Received X11 open request.");
1939: packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1940:
1.51 markus 1941: /* Obtain a connection to the real X display. */
1942: sock = x11_connect_display();
1943: if (sock == -1) {
1944: /* Send refusal to the remote host. */
1945: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1946: packet_put_int(remote_channel);
1947: packet_send();
1948: } else {
1949: /* Allocate a channel for this connection. */
1950: newch = channel_allocate(
1951: (x11_saved_proto == NULL) ?
1952: SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
1953: sock, remote_host);
1954: channels[newch].remote_id = remote_channel;
1.25 markus 1955:
1.51 markus 1956: /* Send a confirmation to the remote host. */
1957: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1958: packet_put_int(remote_channel);
1959: packet_put_int(newch);
1960: packet_send();
1961: }
1.1 deraadt 1962: }
1963:
1.27 markus 1964: /*
1965: * Requests forwarding of X11 connections, generates fake authentication
1966: * data, and enables authentication spoofing.
1967: */
1.1 deraadt 1968:
1.49 markus 1969: void
1.51 markus 1970: x11_request_forwarding_with_spoofing(int client_session_id,
1971: const char *proto, const char *data)
1.1 deraadt 1972: {
1.25 markus 1973: unsigned int data_len = (unsigned int) strlen(data) / 2;
1974: unsigned int i, value;
1975: char *new_data;
1976: int screen_number;
1977: const char *cp;
1978: u_int32_t rand = 0;
1979:
1980: cp = getenv("DISPLAY");
1981: if (cp)
1982: cp = strchr(cp, ':');
1983: if (cp)
1984: cp = strchr(cp, '.');
1985: if (cp)
1986: screen_number = atoi(cp + 1);
1987: else
1988: screen_number = 0;
1989:
1990: /* Save protocol name. */
1991: x11_saved_proto = xstrdup(proto);
1992:
1.27 markus 1993: /*
1994: * Extract real authentication data and generate fake data of the
1995: * same length.
1996: */
1.25 markus 1997: x11_saved_data = xmalloc(data_len);
1998: x11_fake_data = xmalloc(data_len);
1999: for (i = 0; i < data_len; i++) {
2000: if (sscanf(data + 2 * i, "%2x", &value) != 1)
2001: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
2002: if (i % 4 == 0)
2003: rand = arc4random();
2004: x11_saved_data[i] = value;
2005: x11_fake_data[i] = rand & 0xff;
2006: rand >>= 8;
2007: }
2008: x11_saved_data_len = data_len;
2009: x11_fake_data_len = data_len;
2010:
2011: /* Convert the fake data into hex. */
2012: new_data = xmalloc(2 * data_len + 1);
2013: for (i = 0; i < data_len; i++)
2014: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
2015:
2016: /* Send the request packet. */
1.51 markus 2017: if (compat20) {
2018: channel_request_start(client_session_id, "x11-req", 0);
2019: packet_put_char(0); /* XXX bool single connection */
2020: } else {
2021: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
2022: }
2023: packet_put_cstring(proto);
2024: packet_put_cstring(new_data);
1.25 markus 2025: packet_put_int(screen_number);
2026: packet_send();
2027: packet_write_wait();
2028: xfree(new_data);
1.1 deraadt 2029: }
2030:
2031: /* Sends a message to the server to request authentication fd forwarding. */
2032:
1.49 markus 2033: void
1.25 markus 2034: auth_request_forwarding()
1.1 deraadt 2035: {
1.25 markus 2036: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2037: packet_send();
2038: packet_write_wait();
1.1 deraadt 2039: }
2040:
1.27 markus 2041: /*
2042: * Returns the name of the forwarded authentication socket. Returns NULL if
2043: * there is no forwarded authentication socket. The returned value points to
2044: * a static buffer.
2045: */
1.1 deraadt 2046:
1.25 markus 2047: char *
2048: auth_get_socket_name()
1.1 deraadt 2049: {
1.25 markus 2050: return channel_forwarded_auth_socket_name;
1.1 deraadt 2051: }
2052:
1.12 markus 2053: /* removes the agent forwarding socket */
2054:
1.49 markus 2055: void
1.25 markus 2056: cleanup_socket(void)
2057: {
2058: remove(channel_forwarded_auth_socket_name);
2059: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 2060: }
2061:
1.27 markus 2062: /*
1.59 markus 2063: * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1.27 markus 2064: * This starts forwarding authentication requests.
2065: */
1.1 deraadt 2066:
1.59 markus 2067: int
1.25 markus 2068: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 2069: {
1.25 markus 2070: int sock, newch;
2071: struct sockaddr_un sunaddr;
2072:
2073: if (auth_get_socket_name() != NULL)
2074: fatal("Protocol error: authentication forwarding requested twice.");
2075:
2076: /* Temporarily drop privileged uid for mkdir/bind. */
2077: temporarily_use_uid(pw->pw_uid);
2078:
2079: /* Allocate a buffer for the socket name, and format the name. */
2080: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
2081: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
2082: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
2083:
2084: /* Create private directory for socket */
1.59 markus 2085: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
2086: packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
2087: strerror(errno));
2088: restore_uid();
2089: xfree(channel_forwarded_auth_socket_name);
2090: xfree(channel_forwarded_auth_socket_dir);
2091: channel_forwarded_auth_socket_name = NULL;
2092: channel_forwarded_auth_socket_dir = NULL;
2093: return 0;
2094: }
1.25 markus 2095: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
2096: channel_forwarded_auth_socket_dir, (int) getpid());
2097:
2098: if (atexit(cleanup_socket) < 0) {
2099: int saved = errno;
2100: cleanup_socket();
2101: packet_disconnect("socket: %.100s", strerror(saved));
2102: }
2103: /* Create the socket. */
2104: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2105: if (sock < 0)
2106: packet_disconnect("socket: %.100s", strerror(errno));
2107:
2108: /* Bind it to the name. */
2109: memset(&sunaddr, 0, sizeof(sunaddr));
2110: sunaddr.sun_family = AF_UNIX;
2111: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
2112: sizeof(sunaddr.sun_path));
2113:
2114: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2115: packet_disconnect("bind: %.100s", strerror(errno));
2116:
2117: /* Restore the privileged uid. */
2118: restore_uid();
2119:
2120: /* Start listening on the socket. */
2121: if (listen(sock, 5) < 0)
2122: packet_disconnect("listen: %.100s", strerror(errno));
2123:
2124: /* Allocate a channel for the authentication agent socket. */
2125: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
2126: xstrdup("auth socket"));
1.32 deraadt 2127: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
2128: sizeof(channels[newch].path));
1.59 markus 2129: return 1;
1.1 deraadt 2130: }
2131:
2132: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2133:
1.49 markus 2134: void
1.41 markus 2135: auth_input_open_request(int type, int plen)
1.1 deraadt 2136: {
1.25 markus 2137: int remch, sock, newch;
2138: char *dummyname;
1.41 markus 2139:
2140: packet_integrity_check(plen, 4, type);
1.25 markus 2141:
2142: /* Read the remote channel number from the message. */
2143: remch = packet_get_int();
2144:
1.27 markus 2145: /*
2146: * Get a connection to the local authentication agent (this may again
2147: * get forwarded).
2148: */
1.25 markus 2149: sock = ssh_get_authentication_socket();
2150:
1.27 markus 2151: /*
2152: * If we could not connect the agent, send an error message back to
2153: * the server. This should never happen unless the agent dies,
2154: * because authentication forwarding is only enabled if we have an
2155: * agent.
2156: */
1.25 markus 2157: if (sock < 0) {
2158: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2159: packet_put_int(remch);
2160: packet_send();
2161: return;
2162: }
2163: debug("Forwarding authentication connection.");
1.1 deraadt 2164:
1.27 markus 2165: /*
2166: * Dummy host name. This will be freed when the channel is freed; it
2167: * will still be valid in the packet_put_string below since the
2168: * channel cannot yet be freed at that point.
2169: */
1.25 markus 2170: dummyname = xstrdup("authentication agent connection");
2171:
2172: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
2173: channels[newch].remote_id = remch;
2174:
2175: /* Send a confirmation to the remote host. */
2176: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2177: packet_put_int(remch);
2178: packet_put_int(newch);
1.44 markus 2179: packet_send();
2180: }
2181:
2182: void
1.51 markus 2183: channel_start_open(int id)
1.44 markus 2184: {
2185: Channel *c = channel_lookup(id);
2186: if (c == NULL) {
2187: log("channel_open: %d: bad id", id);
2188: return;
2189: }
1.51 markus 2190: debug("send channel open %d", id);
1.44 markus 2191: packet_start(SSH2_MSG_CHANNEL_OPEN);
2192: packet_put_cstring(c->ctype);
2193: packet_put_int(c->self);
2194: packet_put_int(c->local_window);
2195: packet_put_int(c->local_maxpacket);
1.51 markus 2196: }
2197: void
2198: channel_open(int id)
2199: {
2200: /* XXX REMOVE ME */
2201: channel_start_open(id);
1.44 markus 2202: packet_send();
2203: }
2204: void
2205: channel_request(int id, char *service, int wantconfirm)
2206: {
2207: channel_request_start(id, service, wantconfirm);
2208: packet_send();
2209: debug("channel request %d: %s", id, service) ;
2210: }
2211: void
2212: channel_request_start(int id, char *service, int wantconfirm)
2213: {
2214: Channel *c = channel_lookup(id);
2215: if (c == NULL) {
2216: log("channel_request: %d: bad id", id);
2217: return;
2218: }
2219: packet_start(SSH2_MSG_CHANNEL_REQUEST);
2220: packet_put_int(c->remote_id);
2221: packet_put_cstring(service);
2222: packet_put_char(wantconfirm);
2223: }
2224: void
2225: channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
2226: {
2227: Channel *c = channel_lookup(id);
2228: if (c == NULL) {
2229: log("channel_register_callback: %d: bad id", id);
2230: return;
2231: }
2232: c->cb_event = mtype;
2233: c->cb_fn = fn;
2234: c->cb_arg = arg;
2235: }
2236: void
2237: channel_register_cleanup(int id, channel_callback_fn *fn)
2238: {
2239: Channel *c = channel_lookup(id);
2240: if (c == NULL) {
2241: log("channel_register_cleanup: %d: bad id", id);
2242: return;
2243: }
2244: c->dettach_user = fn;
2245: }
2246: void
2247: channel_cancel_cleanup(int id)
2248: {
2249: Channel *c = channel_lookup(id);
2250: if (c == NULL) {
2251: log("channel_cancel_cleanup: %d: bad id", id);
2252: return;
2253: }
2254: c->dettach_user = NULL;
2255: }
2256:
2257: void
2258: channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
2259: {
2260: Channel *c = channel_lookup(id);
2261: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
2262: fatal("channel_activate for non-larval channel %d.", id);
1.52 markus 2263:
2264: channel_register_fds(c, rfd, wfd, efd, extusage);
1.44 markus 2265: c->type = SSH_CHANNEL_OPEN;
2266: /* XXX window size? */
2267: c->local_window = c->local_window_max = c->local_maxpacket/2;
2268: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
2269: packet_put_int(c->remote_id);
2270: packet_put_int(c->local_window);
1.25 markus 2271: packet_send();
1.1 deraadt 2272: }