Annotation of src/usr.bin/ssh/channels.c, Revision 1.66
1.1 deraadt 1: /*
1.49 markus 2: *
1.26 deraadt 3: * channels.c
1.49 markus 4: *
1.26 deraadt 5: * Author: Tatu Ylonen <ylo@cs.hut.fi>
1.49 markus 6: *
1.26 deraadt 7: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8: * All rights reserved
1.49 markus 9: *
1.26 deraadt 10: * Created: Fri Mar 24 16:35:24 1995 ylo
1.49 markus 11: *
1.26 deraadt 12: * This file contains functions for generic socket connection forwarding.
13: * There is also code for initiating connection forwarding for X11 connections,
14: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.26 deraadt 17: */
1.1 deraadt 18:
19: #include "includes.h"
1.66 ! markus 20: RCSID("$OpenBSD: channels.c,v 1.65 2000/08/19 18:48:10 markus Exp $");
1.1 deraadt 21:
22: #include "ssh.h"
23: #include "packet.h"
24: #include "xmalloc.h"
25: #include "buffer.h"
26: #include "uidswap.h"
1.20 markus 27: #include "readconf.h"
1.3 deraadt 28: #include "servconf.h"
1.1 deraadt 29:
1.14 markus 30: #include "channels.h"
31: #include "nchan.h"
32: #include "compat.h"
33:
1.44 markus 34: #include "ssh2.h"
1.64 markus 35:
36: #include <openssl/rsa.h>
37: #include <openssl/dsa.h>
38: #include "key.h"
39: #include "authfd.h"
1.44 markus 40:
1.1 deraadt 41: /* Maximum number of fake X11 displays to try. */
42: #define MAX_DISPLAYS 1000
43:
1.12 markus 44: /* Max len of agent socket */
45: #define MAX_SOCKET_NAME 100
46:
1.51 markus 47: /* default window/packet sizes for tcp/x11-fwd-channel */
48: #define CHAN_TCP_WINDOW_DEFAULT (8*1024)
49: #define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2)
50: #define CHAN_X11_WINDOW_DEFAULT (4*1024)
51: #define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2)
1.41 markus 52:
1.27 markus 53: /*
54: * Pointer to an array containing all allocated channels. The array is
55: * dynamically extended as needed.
56: */
1.1 deraadt 57: static Channel *channels = NULL;
58:
1.27 markus 59: /*
60: * Size of the channel array. All slots of the array must always be
61: * initialized (at least the type field); unused slots are marked with type
62: * SSH_CHANNEL_FREE.
63: */
1.1 deraadt 64: static int channels_alloc = 0;
65:
1.27 markus 66: /*
67: * Maximum file descriptor value used in any of the channels. This is
68: * updated in channel_allocate.
69: */
1.1 deraadt 70: static int channel_max_fd_value = 0;
71:
1.12 markus 72: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 73: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 74: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 75:
76: /* Saved X11 authentication protocol name. */
77: char *x11_saved_proto = NULL;
78:
79: /* Saved X11 authentication data. This is the real data. */
80: char *x11_saved_data = NULL;
81: unsigned int x11_saved_data_len = 0;
82:
1.27 markus 83: /*
84: * Fake X11 authentication data. This is what the server will be sending us;
85: * we should replace any occurrences of this by the real data.
86: */
1.1 deraadt 87: char *x11_fake_data = NULL;
88: unsigned int x11_fake_data_len;
89:
1.27 markus 90: /*
91: * Data structure for storing which hosts are permitted for forward requests.
92: * The local sides of any remote forwards are stored in this array to prevent
93: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
94: * network (which might be behind a firewall).
95: */
1.25 markus 96: typedef struct {
1.41 markus 97: char *host_to_connect; /* Connect to 'host'. */
98: u_short port_to_connect; /* Connect to 'port'. */
99: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 100: } ForwardPermission;
101:
102: /* List of all permitted host/port pairs to connect. */
103: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
104: /* Number of permitted host/port pairs in the array. */
105: static int num_permitted_opens = 0;
1.27 markus 106: /*
107: * If this is true, all opens are permitted. This is the case on the server
108: * on which we have to trust the client anyway, and the user could do
109: * anything after logging in anyway.
110: */
1.1 deraadt 111: static int all_opens_permitted = 0;
112:
113: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
114: static int have_hostname_in_open = 0;
115:
116: /* Sets specific protocol options. */
117:
1.49 markus 118: void
1.25 markus 119: channel_set_options(int hostname_in_open)
1.1 deraadt 120: {
1.25 markus 121: have_hostname_in_open = hostname_in_open;
1.1 deraadt 122: }
123:
1.27 markus 124: /*
125: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
126: * called by the server, because the user could connect to any port anyway,
127: * and the server has no way to know but to trust the client anyway.
128: */
1.1 deraadt 129:
1.49 markus 130: void
1.25 markus 131: channel_permit_all_opens()
1.1 deraadt 132: {
1.25 markus 133: all_opens_permitted = 1;
1.1 deraadt 134: }
135:
1.41 markus 136: /* lookup channel by id */
137:
138: Channel *
139: channel_lookup(int id)
140: {
141: Channel *c;
1.63 provos 142: if (id < 0 || id > channels_alloc) {
1.41 markus 143: log("channel_lookup: %d: bad id", id);
144: return NULL;
145: }
146: c = &channels[id];
147: if (c->type == SSH_CHANNEL_FREE) {
148: log("channel_lookup: %d: bad id: channel free", id);
149: return NULL;
150: }
151: return c;
1.55 markus 152: }
153:
1.27 markus 154: /*
1.55 markus 155: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 156: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 157: */
1.1 deraadt 158:
1.52 markus 159: void
160: channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
1.1 deraadt 161: {
1.25 markus 162: /* Update the maximum file descriptor value. */
1.41 markus 163: if (rfd > channel_max_fd_value)
164: channel_max_fd_value = rfd;
165: if (wfd > channel_max_fd_value)
166: channel_max_fd_value = wfd;
167: if (efd > channel_max_fd_value)
168: channel_max_fd_value = efd;
1.27 markus 169: /* XXX set close-on-exec -markus */
1.55 markus 170:
1.52 markus 171: c->rfd = rfd;
172: c->wfd = wfd;
173: c->sock = (rfd == wfd) ? rfd : -1;
174: c->efd = efd;
175: c->extended_usage = extusage;
1.55 markus 176: if (rfd != -1)
177: set_nonblock(rfd);
178: if (wfd != -1)
179: set_nonblock(wfd);
180: if (efd != -1)
181: set_nonblock(efd);
1.52 markus 182: }
183:
184: /*
185: * Allocate a new channel object and set its type and socket. This will cause
186: * remote_name to be freed.
187: */
188:
189: int
190: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
191: int window, int maxpack, int extusage, char *remote_name)
192: {
193: int i, found;
194: Channel *c;
1.25 markus 195:
196: /* Do initial allocation if this is the first call. */
197: if (channels_alloc == 0) {
1.44 markus 198: chan_init();
1.25 markus 199: channels_alloc = 10;
200: channels = xmalloc(channels_alloc * sizeof(Channel));
201: for (i = 0; i < channels_alloc; i++)
202: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 203: /*
204: * Kludge: arrange a call to channel_stop_listening if we
205: * terminate with fatal().
206: */
1.25 markus 207: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
208: }
209: /* Try to find a free slot where to put the new channel. */
210: for (found = -1, i = 0; i < channels_alloc; i++)
211: if (channels[i].type == SSH_CHANNEL_FREE) {
212: /* Found a free slot. */
213: found = i;
214: break;
215: }
216: if (found == -1) {
1.27 markus 217: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 218: found = channels_alloc;
219: channels_alloc += 10;
220: debug("channel: expanding %d", channels_alloc);
221: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
222: for (i = found; i < channels_alloc; i++)
223: channels[i].type = SSH_CHANNEL_FREE;
224: }
225: /* Initialize and return new channel number. */
226: c = &channels[found];
227: buffer_init(&c->input);
228: buffer_init(&c->output);
1.41 markus 229: buffer_init(&c->extended);
1.25 markus 230: chan_init_iostates(c);
1.52 markus 231: channel_register_fds(c, rfd, wfd, efd, extusage);
1.25 markus 232: c->self = found;
233: c->type = type;
1.41 markus 234: c->ctype = ctype;
1.51 markus 235: c->local_window = window;
236: c->local_window_max = window;
237: c->local_consumed = 0;
238: c->local_maxpacket = maxpack;
1.25 markus 239: c->remote_id = -1;
240: c->remote_name = remote_name;
1.41 markus 241: c->remote_window = 0;
242: c->remote_maxpacket = 0;
243: c->cb_fn = NULL;
244: c->cb_arg = NULL;
245: c->cb_event = 0;
246: c->dettach_user = NULL;
1.65 markus 247: c->input_filter = NULL;
1.25 markus 248: debug("channel %d: new [%s]", found, remote_name);
249: return found;
1.1 deraadt 250: }
1.52 markus 251: /* old interface XXX */
1.49 markus 252: int
1.41 markus 253: channel_allocate(int type, int sock, char *remote_name)
254: {
255: return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
256: }
1.1 deraadt 257:
1.52 markus 258:
259: /* Close all channel fd/socket. */
260:
261: void
262: channel_close_fds(Channel *c)
263: {
264: if (c->sock != -1) {
265: close(c->sock);
266: c->sock = -1;
267: }
268: if (c->rfd != -1) {
269: close(c->rfd);
270: c->rfd = -1;
271: }
272: if (c->wfd != -1) {
273: close(c->wfd);
274: c->wfd = -1;
275: }
276: if (c->efd != -1) {
277: close(c->efd);
278: c->efd = -1;
279: }
280: }
281:
282: /* Free the channel and close its fd/socket. */
1.1 deraadt 283:
1.49 markus 284: void
1.41 markus 285: channel_free(int id)
1.1 deraadt 286: {
1.41 markus 287: Channel *c = channel_lookup(id);
288: if (c == NULL)
289: packet_disconnect("channel free: bad local channel %d", id);
290: debug("channel_free: channel %d: status: %s", id, channel_open_message());
1.44 markus 291: if (c->dettach_user != NULL) {
292: debug("channel_free: channel %d: dettaching channel user", id);
293: c->dettach_user(c->self, NULL);
294: }
1.54 markus 295: if (c->sock != -1)
296: shutdown(c->sock, SHUT_RDWR);
1.52 markus 297: channel_close_fds(c);
1.41 markus 298: buffer_free(&c->input);
299: buffer_free(&c->output);
300: buffer_free(&c->extended);
301: c->type = SSH_CHANNEL_FREE;
302: if (c->remote_name) {
303: xfree(c->remote_name);
304: c->remote_name = NULL;
1.25 markus 305: }
1.1 deraadt 306: }
307:
1.27 markus 308: /*
1.41 markus 309: * 'channel_pre*' are called just before select() to add any bits relevant to
310: * channels in the select bitmasks.
311: */
312: /*
313: * 'channel_post*': perform any appropriate operations for channels which
314: * have events pending.
1.27 markus 315: */
1.41 markus 316: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
317: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
318: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
319:
320: void
321: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
322: {
323: FD_SET(c->sock, readset);
324: }
325:
326: void
327: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
328: {
329: if (buffer_len(&c->input) < packet_get_maxsize())
330: FD_SET(c->sock, readset);
331: if (buffer_len(&c->output) > 0)
332: FD_SET(c->sock, writeset);
333: }
1.1 deraadt 334:
1.41 markus 335: void
336: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
337: {
338: /* test whether sockets are 'alive' for read/write */
339: if (c->istate == CHAN_INPUT_OPEN)
340: if (buffer_len(&c->input) < packet_get_maxsize())
341: FD_SET(c->sock, readset);
342: if (c->ostate == CHAN_OUTPUT_OPEN ||
343: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
344: if (buffer_len(&c->output) > 0) {
345: FD_SET(c->sock, writeset);
346: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
347: chan_obuf_empty(c);
348: }
349: }
350: }
351:
352: void
1.44 markus 353: channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
354: {
355: if (c->istate == CHAN_INPUT_OPEN &&
356: c->remote_window > 0 &&
357: buffer_len(&c->input) < c->remote_window)
358: FD_SET(c->rfd, readset);
359: if (c->ostate == CHAN_OUTPUT_OPEN ||
360: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
361: if (buffer_len(&c->output) > 0) {
362: FD_SET(c->wfd, writeset);
363: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
364: chan_obuf_empty(c);
365: }
366: }
367: /** XXX check close conditions, too */
368: if (c->efd != -1) {
369: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
370: buffer_len(&c->extended) > 0)
371: FD_SET(c->efd, writeset);
372: else if (c->extended_usage == CHAN_EXTENDED_READ &&
373: buffer_len(&c->extended) < c->remote_window)
374: FD_SET(c->efd, readset);
375: }
376: }
377:
378: void
1.41 markus 379: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
380: {
381: if (buffer_len(&c->input) == 0) {
382: packet_start(SSH_MSG_CHANNEL_CLOSE);
383: packet_put_int(c->remote_id);
384: packet_send();
385: c->type = SSH_CHANNEL_CLOSED;
386: debug("Closing channel %d after input drain.", c->self);
387: }
388: }
389:
390: void
391: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
392: {
393: if (buffer_len(&c->output) == 0)
394: channel_free(c->self);
1.49 markus 395: else
1.41 markus 396: FD_SET(c->sock, writeset);
397: }
398:
399: /*
400: * This is a special state for X11 authentication spoofing. An opened X11
401: * connection (when authentication spoofing is being done) remains in this
402: * state until the first packet has been completely read. The authentication
403: * data in that packet is then substituted by the real data if it matches the
404: * fake data, and the channel is put into normal mode.
1.51 markus 405: * XXX All this happens at the client side.
1.41 markus 406: */
407: int
408: x11_open_helper(Channel *c)
1.1 deraadt 409: {
1.25 markus 410: unsigned char *ucp;
411: unsigned int proto_len, data_len;
412:
1.41 markus 413: /* Check if the fixed size part of the packet is in buffer. */
414: if (buffer_len(&c->output) < 12)
415: return 0;
416:
417: /* Parse the lengths of variable-length fields. */
418: ucp = (unsigned char *) buffer_ptr(&c->output);
419: if (ucp[0] == 0x42) { /* Byte order MSB first. */
420: proto_len = 256 * ucp[6] + ucp[7];
421: data_len = 256 * ucp[8] + ucp[9];
422: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
423: proto_len = ucp[6] + 256 * ucp[7];
424: data_len = ucp[8] + 256 * ucp[9];
425: } else {
426: debug("Initial X11 packet contains bad byte order byte: 0x%x",
427: ucp[0]);
428: return -1;
429: }
430:
431: /* Check if the whole packet is in buffer. */
432: if (buffer_len(&c->output) <
433: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
434: return 0;
435:
436: /* Check if authentication protocol matches. */
437: if (proto_len != strlen(x11_saved_proto) ||
438: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
439: debug("X11 connection uses different authentication protocol.");
440: return -1;
441: }
442: /* Check if authentication data matches our fake data. */
443: if (data_len != x11_fake_data_len ||
444: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
445: x11_fake_data, x11_fake_data_len) != 0) {
446: debug("X11 auth data does not match fake data.");
447: return -1;
448: }
449: /* Check fake data length */
450: if (x11_fake_data_len != x11_saved_data_len) {
451: error("X11 fake_data_len %d != saved_data_len %d",
452: x11_fake_data_len, x11_saved_data_len);
453: return -1;
454: }
455: /*
456: * Received authentication protocol and data match
457: * our fake data. Substitute the fake data with real
458: * data.
459: */
460: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
461: x11_saved_data, x11_saved_data_len);
462: return 1;
463: }
464:
465: void
466: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
467: {
468: int ret = x11_open_helper(c);
469: if (ret == 1) {
470: /* Start normal processing for the channel. */
471: c->type = SSH_CHANNEL_OPEN;
1.47 markus 472: channel_pre_open_13(c, readset, writeset);
1.41 markus 473: } else if (ret == -1) {
474: /*
475: * We have received an X11 connection that has bad
476: * authentication information.
477: */
478: log("X11 connection rejected because of wrong authentication.\r\n");
479: buffer_clear(&c->input);
480: buffer_clear(&c->output);
481: close(c->sock);
482: c->sock = -1;
483: c->type = SSH_CHANNEL_CLOSED;
484: packet_start(SSH_MSG_CHANNEL_CLOSE);
485: packet_put_int(c->remote_id);
486: packet_send();
487: }
488: }
1.25 markus 489:
1.41 markus 490: void
1.51 markus 491: channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
1.41 markus 492: {
493: int ret = x11_open_helper(c);
494: if (ret == 1) {
495: c->type = SSH_CHANNEL_OPEN;
1.57 markus 496: if (compat20)
497: channel_pre_open_20(c, readset, writeset);
498: else
499: channel_pre_open_15(c, readset, writeset);
1.41 markus 500: } else if (ret == -1) {
501: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
1.51 markus 502: chan_read_failed(c); /** force close? */
1.41 markus 503: chan_write_failed(c);
504: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
505: }
506: }
1.25 markus 507:
1.41 markus 508: /* This is our fake X11 server socket. */
509: void
510: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
511: {
512: struct sockaddr addr;
513: int newsock, newch;
514: socklen_t addrlen;
515: char buf[16384], *remote_hostname;
1.51 markus 516: int remote_port;
1.25 markus 517:
1.41 markus 518: if (FD_ISSET(c->sock, readset)) {
519: debug("X11 connection requested.");
520: addrlen = sizeof(addr);
521: newsock = accept(c->sock, &addr, &addrlen);
522: if (newsock < 0) {
523: error("accept: %.100s", strerror(errno));
524: return;
525: }
526: remote_hostname = get_remote_hostname(newsock);
1.51 markus 527: remote_port = get_peer_port(newsock);
1.41 markus 528: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.51 markus 529: remote_hostname, remote_port);
530:
531: newch = channel_new("x11",
532: SSH_CHANNEL_OPENING, newsock, newsock, -1,
533: c->local_window_max, c->local_maxpacket,
534: 0, xstrdup(buf));
535: if (compat20) {
536: packet_start(SSH2_MSG_CHANNEL_OPEN);
537: packet_put_cstring("x11");
538: packet_put_int(newch);
539: packet_put_int(c->local_window_max);
540: packet_put_int(c->local_maxpacket);
541: /* originator host and port */
542: packet_put_cstring(remote_hostname);
1.57 markus 543: if (datafellows & SSH_BUG_X11FWD) {
544: debug("ssh2 x11 bug compat mode");
545: } else {
546: packet_put_int(remote_port);
547: }
1.51 markus 548: packet_send();
549: } else {
550: packet_start(SSH_SMSG_X11_OPEN);
551: packet_put_int(newch);
552: if (have_hostname_in_open)
553: packet_put_string(buf, strlen(buf));
554: packet_send();
555: }
1.41 markus 556: xfree(remote_hostname);
557: }
558: }
1.25 markus 559:
1.41 markus 560: /*
561: * This socket is listening for connections to a forwarded TCP/IP port.
562: */
563: void
564: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
565: {
566: struct sockaddr addr;
567: int newsock, newch;
568: socklen_t addrlen;
569: char buf[1024], *remote_hostname;
570: int remote_port;
1.25 markus 571:
1.41 markus 572: if (FD_ISSET(c->sock, readset)) {
573: debug("Connection to port %d forwarding "
574: "to %.100s port %d requested.",
575: c->listening_port, c->path, c->host_port);
576: addrlen = sizeof(addr);
577: newsock = accept(c->sock, &addr, &addrlen);
578: if (newsock < 0) {
579: error("accept: %.100s", strerror(errno));
580: return;
581: }
582: remote_hostname = get_remote_hostname(newsock);
583: remote_port = get_peer_port(newsock);
584: snprintf(buf, sizeof buf,
585: "listen port %d for %.100s port %d, "
586: "connect from %.200s port %d",
587: c->listening_port, c->path, c->host_port,
588: remote_hostname, remote_port);
589: newch = channel_new("direct-tcpip",
590: SSH_CHANNEL_OPENING, newsock, newsock, -1,
591: c->local_window_max, c->local_maxpacket,
592: 0, xstrdup(buf));
1.44 markus 593: if (compat20) {
594: packet_start(SSH2_MSG_CHANNEL_OPEN);
595: packet_put_cstring("direct-tcpip");
596: packet_put_int(newch);
597: packet_put_int(c->local_window_max);
598: packet_put_int(c->local_maxpacket);
1.48 markus 599: /* target host and port */
1.44 markus 600: packet_put_string(c->path, strlen(c->path));
601: packet_put_int(c->host_port);
1.48 markus 602: /* originator host and port */
1.44 markus 603: packet_put_cstring(remote_hostname);
604: packet_put_int(remote_port);
605: packet_send();
606: } else {
607: packet_start(SSH_MSG_PORT_OPEN);
608: packet_put_int(newch);
609: packet_put_string(c->path, strlen(c->path));
610: packet_put_int(c->host_port);
611: if (have_hostname_in_open) {
612: packet_put_string(buf, strlen(buf));
613: }
614: packet_send();
1.41 markus 615: }
616: xfree(remote_hostname);
617: }
618: }
1.25 markus 619:
1.41 markus 620: /*
621: * This is the authentication agent socket listening for connections from
622: * clients.
623: */
624: void
625: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
626: {
627: struct sockaddr addr;
628: int newsock, newch;
629: socklen_t addrlen;
1.25 markus 630:
1.41 markus 631: if (FD_ISSET(c->sock, readset)) {
632: addrlen = sizeof(addr);
633: newsock = accept(c->sock, &addr, &addrlen);
634: if (newsock < 0) {
635: error("accept from auth socket: %.100s", strerror(errno));
636: return;
637: }
638: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
639: xstrdup("accepted auth socket"));
640: packet_start(SSH_SMSG_AGENT_OPEN);
641: packet_put_int(newch);
642: packet_send();
643: }
644: }
1.25 markus 645:
1.41 markus 646: int
647: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
648: {
649: char buf[16*1024];
650: int len;
1.25 markus 651:
1.41 markus 652: if (c->rfd != -1 &&
653: FD_ISSET(c->rfd, readset)) {
654: len = read(c->rfd, buf, sizeof(buf));
1.53 markus 655: if (len < 0 && (errno == EINTR || errno == EAGAIN))
656: return 1;
1.41 markus 657: if (len <= 0) {
1.51 markus 658: debug("channel %d: read<=0 rfd %d len %d",
1.41 markus 659: c->self, c->rfd, len);
1.25 markus 660: if (compat13) {
1.41 markus 661: buffer_consume(&c->output, buffer_len(&c->output));
662: c->type = SSH_CHANNEL_INPUT_DRAINING;
663: debug("Channel %d status set to input draining.", c->self);
1.25 markus 664: } else {
1.41 markus 665: chan_read_failed(c);
1.25 markus 666: }
1.41 markus 667: return -1;
668: }
1.65 markus 669: if(c->input_filter != NULL) {
1.66 ! markus 670: if (c->input_filter(c, buf, len) == -1) {
1.65 markus 671: debug("filter stops channel %d", c->self);
672: chan_read_failed(c);
673: }
674: } else {
675: buffer_append(&c->input, buf, len);
676: }
1.41 markus 677: }
678: return 1;
679: }
680: int
681: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
682: {
683: int len;
1.25 markus 684:
1.41 markus 685: /* Send buffered output data to the socket. */
686: if (c->wfd != -1 &&
687: FD_ISSET(c->wfd, writeset) &&
688: buffer_len(&c->output) > 0) {
689: len = write(c->wfd, buffer_ptr(&c->output),
1.53 markus 690: buffer_len(&c->output));
691: if (len < 0 && (errno == EINTR || errno == EAGAIN))
692: return 1;
1.41 markus 693: if (len <= 0) {
694: if (compat13) {
695: buffer_consume(&c->output, buffer_len(&c->output));
696: debug("Channel %d status set to input draining.", c->self);
697: c->type = SSH_CHANNEL_INPUT_DRAINING;
698: } else {
699: chan_write_failed(c);
700: }
701: return -1;
1.25 markus 702: }
1.41 markus 703: buffer_consume(&c->output, len);
1.44 markus 704: if (compat20 && len > 0) {
705: c->local_consumed += len;
706: }
707: }
708: return 1;
709: }
710: int
711: channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
712: {
713: char buf[16*1024];
714: int len;
715:
1.45 markus 716: /** XXX handle drain efd, too */
1.44 markus 717: if (c->efd != -1) {
718: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
719: FD_ISSET(c->efd, writeset) &&
720: buffer_len(&c->extended) > 0) {
721: len = write(c->efd, buffer_ptr(&c->extended),
722: buffer_len(&c->extended));
723: debug("channel %d: written %d to efd %d",
724: c->self, len, c->efd);
725: if (len > 0) {
726: buffer_consume(&c->extended, len);
727: c->local_consumed += len;
728: }
729: } else if (c->extended_usage == CHAN_EXTENDED_READ &&
730: FD_ISSET(c->efd, readset)) {
731: len = read(c->efd, buf, sizeof(buf));
732: debug("channel %d: read %d from efd %d",
733: c->self, len, c->efd);
1.45 markus 734: if (len == 0) {
735: debug("channel %d: closing efd %d",
736: c->self, c->efd);
737: close(c->efd);
738: c->efd = -1;
739: } else if (len > 0)
1.44 markus 740: buffer_append(&c->extended, buf, len);
741: }
742: }
743: return 1;
744: }
745: int
746: channel_check_window(Channel *c, fd_set * readset, fd_set * writeset)
747: {
1.46 markus 748: if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.44 markus 749: c->local_window < c->local_window_max/2 &&
750: c->local_consumed > 0) {
751: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
752: packet_put_int(c->remote_id);
753: packet_put_int(c->local_consumed);
754: packet_send();
755: debug("channel %d: window %d sent adjust %d",
756: c->self, c->local_window,
757: c->local_consumed);
758: c->local_window += c->local_consumed;
759: c->local_consumed = 0;
1.1 deraadt 760: }
1.41 markus 761: return 1;
1.1 deraadt 762: }
763:
1.41 markus 764: void
765: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
766: {
767: channel_handle_rfd(c, readset, writeset);
768: channel_handle_wfd(c, readset, writeset);
769: }
1.1 deraadt 770:
1.41 markus 771: void
1.44 markus 772: channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
773: {
774: channel_handle_rfd(c, readset, writeset);
775: channel_handle_wfd(c, readset, writeset);
776: channel_handle_efd(c, readset, writeset);
777: channel_check_window(c, readset, writeset);
778: }
779:
780: void
1.41 markus 781: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 782: {
1.41 markus 783: int len;
784: /* Send buffered output data to the socket. */
785: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
786: len = write(c->sock, buffer_ptr(&c->output),
787: buffer_len(&c->output));
788: if (len <= 0)
789: buffer_consume(&c->output, buffer_len(&c->output));
790: else
791: buffer_consume(&c->output, len);
792: }
793: }
1.25 markus 794:
1.41 markus 795: void
1.44 markus 796: channel_handler_init_20(void)
797: {
798: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
1.51 markus 799: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.44 markus 800: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1.51 markus 801: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1.44 markus 802:
803: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
804: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1.51 markus 805: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1.44 markus 806: }
807:
808: void
1.41 markus 809: channel_handler_init_13(void)
810: {
811: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
812: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
813: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
814: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
815: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
816: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
817: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.25 markus 818:
1.41 markus 819: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
820: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
821: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
822: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
823: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
824: }
1.25 markus 825:
1.41 markus 826: void
827: channel_handler_init_15(void)
828: {
829: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
1.51 markus 830: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.41 markus 831: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
832: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
833: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.25 markus 834:
1.41 markus 835: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
836: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
837: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
838: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
839: }
1.27 markus 840:
1.41 markus 841: void
842: channel_handler_init(void)
843: {
844: int i;
845: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
846: channel_pre[i] = NULL;
847: channel_post[i] = NULL;
848: }
1.44 markus 849: if (compat20)
850: channel_handler_init_20();
851: else if (compat13)
1.41 markus 852: channel_handler_init_13();
853: else
854: channel_handler_init_15();
855: }
1.25 markus 856:
1.49 markus 857: void
1.41 markus 858: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
859: {
860: static int did_init = 0;
861: int i;
862: Channel *c;
1.25 markus 863:
1.41 markus 864: if (!did_init) {
865: channel_handler_init();
866: did_init = 1;
867: }
868: for (i = 0; i < channels_alloc; i++) {
869: c = &channels[i];
870: if (c->type == SSH_CHANNEL_FREE)
871: continue;
872: if (ftab[c->type] == NULL)
1.25 markus 873: continue;
1.41 markus 874: (*ftab[c->type])(c, readset, writeset);
1.44 markus 875: chan_delete_if_full_closed(c);
1.1 deraadt 876: }
877: }
878:
1.49 markus 879: void
1.41 markus 880: channel_prepare_select(fd_set * readset, fd_set * writeset)
881: {
882: channel_handler(channel_pre, readset, writeset);
883: }
884:
1.49 markus 885: void
1.41 markus 886: channel_after_select(fd_set * readset, fd_set * writeset)
887: {
888: channel_handler(channel_post, readset, writeset);
889: }
890:
1.1 deraadt 891: /* If there is data to send to the connection, send some of it now. */
892:
1.49 markus 893: void
1.25 markus 894: channel_output_poll()
1.1 deraadt 895: {
1.25 markus 896: int len, i;
1.41 markus 897: Channel *c;
1.1 deraadt 898:
1.25 markus 899: for (i = 0; i < channels_alloc; i++) {
1.41 markus 900: c = &channels[i];
1.37 markus 901:
1.27 markus 902: /* We are only interested in channels that can have buffered incoming data. */
1.37 markus 903: if (compat13) {
1.41 markus 904: if (c->type != SSH_CHANNEL_OPEN &&
905: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 906: continue;
907: } else {
1.41 markus 908: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 909: continue;
1.41 markus 910: if (c->istate != CHAN_INPUT_OPEN &&
911: c->istate != CHAN_INPUT_WAIT_DRAIN)
1.37 markus 912: continue;
913: }
1.46 markus 914: if (compat20 &&
915: (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.44 markus 916: debug("channel: %d: no data after CLOSE", c->self);
917: continue;
918: }
1.25 markus 919:
920: /* Get the amount of buffered data for this channel. */
1.41 markus 921: len = buffer_len(&c->input);
1.25 markus 922: if (len > 0) {
1.27 markus 923: /* Send some data for the other side over the secure connection. */
1.44 markus 924: if (compat20) {
925: if (len > c->remote_window)
926: len = c->remote_window;
927: if (len > c->remote_maxpacket)
928: len = c->remote_maxpacket;
1.25 markus 929: } else {
1.44 markus 930: if (packet_is_interactive()) {
931: if (len > 1024)
932: len = 512;
933: } else {
934: /* Keep the packets at reasonable size. */
935: if (len > packet_get_maxsize()/2)
936: len = packet_get_maxsize()/2;
937: }
1.25 markus 938: }
1.41 markus 939: if (len > 0) {
1.44 markus 940: packet_start(compat20 ?
941: SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
1.41 markus 942: packet_put_int(c->remote_id);
943: packet_put_string(buffer_ptr(&c->input), len);
944: packet_send();
945: buffer_consume(&c->input, len);
946: c->remote_window -= len;
947: }
948: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 949: if (compat13)
950: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 951: /*
952: * input-buffer is empty and read-socket shutdown:
953: * tell peer, that we will not send more data: send IEOF
954: */
1.41 markus 955: chan_ibuf_empty(c);
1.25 markus 956: }
1.44 markus 957: /* Send extended data, i.e. stderr */
958: if (compat20 &&
959: c->remote_window > 0 &&
960: (len = buffer_len(&c->extended)) > 0 &&
961: c->extended_usage == CHAN_EXTENDED_READ) {
962: if (len > c->remote_window)
963: len = c->remote_window;
964: if (len > c->remote_maxpacket)
965: len = c->remote_maxpacket;
966: packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
967: packet_put_int(c->remote_id);
968: packet_put_int(SSH2_EXTENDED_DATA_STDERR);
969: packet_put_string(buffer_ptr(&c->extended), len);
970: packet_send();
971: buffer_consume(&c->extended, len);
972: c->remote_window -= len;
973: }
1.25 markus 974: }
1.1 deraadt 975: }
976:
1.27 markus 977: /*
978: * This is called when a packet of type CHANNEL_DATA has just been received.
979: * The message type has already been consumed, but channel number and data is
980: * still there.
981: */
1.1 deraadt 982:
1.49 markus 983: void
1.41 markus 984: channel_input_data(int type, int plen)
1.1 deraadt 985: {
1.37 markus 986: int id;
1.25 markus 987: char *data;
988: unsigned int data_len;
1.41 markus 989: Channel *c;
1.25 markus 990:
991: /* Get the channel number and verify it. */
1.37 markus 992: id = packet_get_int();
1.41 markus 993: c = channel_lookup(id);
994: if (c == NULL)
1.37 markus 995: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 996:
997: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 998: if (c->type != SSH_CHANNEL_OPEN &&
999: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 1000: return;
1001:
1002: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 1003: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 1004: return;
1005:
1006: /* Get the data. */
1007: data = packet_get_string(&data_len);
1.48 markus 1008: packet_done();
1.41 markus 1009:
1.44 markus 1010: if (compat20){
1011: if (data_len > c->local_maxpacket) {
1012: log("channel %d: rcvd big packet %d, maxpack %d",
1013: c->self, data_len, c->local_maxpacket);
1014: }
1015: if (data_len > c->local_window) {
1016: log("channel %d: rcvd too much data %d, win %d",
1017: c->self, data_len, c->local_window);
1018: xfree(data);
1019: return;
1020: }
1021: c->local_window -= data_len;
1022: }else{
1023: packet_integrity_check(plen, 4 + 4 + data_len, type);
1024: }
1.41 markus 1025: buffer_append(&c->output, data, data_len);
1.25 markus 1026: xfree(data);
1.1 deraadt 1027: }
1.49 markus 1028: void
1.44 markus 1029: channel_input_extended_data(int type, int plen)
1030: {
1031: int id;
1032: int tcode;
1033: char *data;
1034: unsigned int data_len;
1035: Channel *c;
1036:
1037: /* Get the channel number and verify it. */
1038: id = packet_get_int();
1039: c = channel_lookup(id);
1040:
1041: if (c == NULL)
1042: packet_disconnect("Received extended_data for bad channel %d.", id);
1043: if (c->type != SSH_CHANNEL_OPEN) {
1044: log("channel %d: ext data for non open", id);
1045: return;
1046: }
1047: tcode = packet_get_int();
1048: if (c->efd == -1 ||
1049: c->extended_usage != CHAN_EXTENDED_WRITE ||
1050: tcode != SSH2_EXTENDED_DATA_STDERR) {
1051: log("channel %d: bad ext data", c->self);
1052: return;
1053: }
1054: data = packet_get_string(&data_len);
1.48 markus 1055: packet_done();
1.44 markus 1056: if (data_len > c->local_window) {
1057: log("channel %d: rcvd too much extended_data %d, win %d",
1058: c->self, data_len, c->local_window);
1059: xfree(data);
1060: return;
1061: }
1062: debug("channel %d: rcvd ext data %d", c->self, data_len);
1063: c->local_window -= data_len;
1064: buffer_append(&c->extended, data, data_len);
1065: xfree(data);
1066: }
1067:
1.1 deraadt 1068:
1.27 markus 1069: /*
1070: * Returns true if no channel has too much buffered data, and false if one or
1071: * more channel is overfull.
1072: */
1.1 deraadt 1073:
1.49 markus 1074: int
1.25 markus 1075: channel_not_very_much_buffered_data()
1.1 deraadt 1076: {
1.25 markus 1077: unsigned int i;
1.41 markus 1078: Channel *c;
1.25 markus 1079:
1080: for (i = 0; i < channels_alloc; i++) {
1.41 markus 1081: c = &channels[i];
1082: if (c->type == SSH_CHANNEL_OPEN) {
1.44 markus 1083: if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
1.41 markus 1084: debug("channel %d: big input buffer %d",
1085: c->self, buffer_len(&c->input));
1.25 markus 1086: return 0;
1.41 markus 1087: }
1088: if (buffer_len(&c->output) > packet_get_maxsize()) {
1089: debug("channel %d: big output buffer %d",
1090: c->self, buffer_len(&c->output));
1.25 markus 1091: return 0;
1.41 markus 1092: }
1.25 markus 1093: }
1.1 deraadt 1094: }
1.25 markus 1095: return 1;
1.1 deraadt 1096: }
1097:
1.49 markus 1098: void
1.41 markus 1099: channel_input_ieof(int type, int plen)
1100: {
1101: int id;
1102: Channel *c;
1103:
1104: packet_integrity_check(plen, 4, type);
1105:
1106: id = packet_get_int();
1107: c = channel_lookup(id);
1108: if (c == NULL)
1109: packet_disconnect("Received ieof for nonexistent channel %d.", id);
1110: chan_rcvd_ieof(c);
1111: }
1.1 deraadt 1112:
1.49 markus 1113: void
1.41 markus 1114: channel_input_close(int type, int plen)
1.1 deraadt 1115: {
1.41 markus 1116: int id;
1117: Channel *c;
1.1 deraadt 1118:
1.41 markus 1119: packet_integrity_check(plen, 4, type);
1120:
1121: id = packet_get_int();
1122: c = channel_lookup(id);
1123: if (c == NULL)
1124: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 1125:
1126: /*
1127: * Send a confirmation that we have closed the channel and no more
1128: * data is coming for it.
1129: */
1.25 markus 1130: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 1131: packet_put_int(c->remote_id);
1.25 markus 1132: packet_send();
1133:
1.27 markus 1134: /*
1135: * If the channel is in closed state, we have sent a close request,
1136: * and the other side will eventually respond with a confirmation.
1137: * Thus, we cannot free the channel here, because then there would be
1138: * no-one to receive the confirmation. The channel gets freed when
1139: * the confirmation arrives.
1140: */
1.41 markus 1141: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 1142: /*
1143: * Not a closed channel - mark it as draining, which will
1144: * cause it to be freed later.
1145: */
1.41 markus 1146: buffer_consume(&c->input, buffer_len(&c->input));
1147: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 1148: }
1.1 deraadt 1149: }
1150:
1.41 markus 1151: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
1.49 markus 1152: void
1.41 markus 1153: channel_input_oclose(int type, int plen)
1154: {
1155: int id = packet_get_int();
1156: Channel *c = channel_lookup(id);
1157: packet_integrity_check(plen, 4, type);
1158: if (c == NULL)
1159: packet_disconnect("Received oclose for nonexistent channel %d.", id);
1160: chan_rcvd_oclose(c);
1161: }
1.1 deraadt 1162:
1.49 markus 1163: void
1.41 markus 1164: channel_input_close_confirmation(int type, int plen)
1.1 deraadt 1165: {
1.41 markus 1166: int id = packet_get_int();
1167: Channel *c = channel_lookup(id);
1.1 deraadt 1168:
1.48 markus 1169: packet_done();
1.41 markus 1170: if (c == NULL)
1171: packet_disconnect("Received close confirmation for "
1172: "out-of-range channel %d.", id);
1173: if (c->type != SSH_CHANNEL_CLOSED)
1174: packet_disconnect("Received close confirmation for "
1175: "non-closed channel %d (type %d).", id, c->type);
1176: channel_free(c->self);
1.1 deraadt 1177: }
1178:
1.49 markus 1179: void
1.41 markus 1180: channel_input_open_confirmation(int type, int plen)
1.1 deraadt 1181: {
1.41 markus 1182: int id, remote_id;
1183: Channel *c;
1.1 deraadt 1184:
1.44 markus 1185: if (!compat20)
1186: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 1187:
1.41 markus 1188: id = packet_get_int();
1189: c = channel_lookup(id);
1.25 markus 1190:
1.41 markus 1191: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1192: packet_disconnect("Received open confirmation for "
1193: "non-opening channel %d.", id);
1194: remote_id = packet_get_int();
1.27 markus 1195: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 1196: c->remote_id = remote_id;
1197: c->type = SSH_CHANNEL_OPEN;
1.44 markus 1198:
1199: if (compat20) {
1200: c->remote_window = packet_get_int();
1201: c->remote_maxpacket = packet_get_int();
1.48 markus 1202: packet_done();
1.44 markus 1203: if (c->cb_fn != NULL && c->cb_event == type) {
1204: debug("callback start");
1205: c->cb_fn(c->self, c->cb_arg);
1206: debug("callback done");
1207: }
1208: debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1209: c->remote_window, c->remote_maxpacket);
1210: }
1.1 deraadt 1211: }
1212:
1.49 markus 1213: void
1.41 markus 1214: channel_input_open_failure(int type, int plen)
1.1 deraadt 1215: {
1.41 markus 1216: int id;
1217: Channel *c;
1218:
1.44 markus 1219: if (!compat20)
1220: packet_integrity_check(plen, 4, type);
1.41 markus 1221:
1222: id = packet_get_int();
1223: c = channel_lookup(id);
1.25 markus 1224:
1.41 markus 1225: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1226: packet_disconnect("Received open failure for "
1227: "non-opening channel %d.", id);
1.44 markus 1228: if (compat20) {
1229: int reason = packet_get_int();
1230: char *msg = packet_get_string(NULL);
1.48 markus 1231: char *lang = packet_get_string(NULL);
1.44 markus 1232: log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
1.48 markus 1233: packet_done();
1.44 markus 1234: xfree(msg);
1.48 markus 1235: xfree(lang);
1.44 markus 1236: }
1.25 markus 1237: /* Free the channel. This will also close the socket. */
1.41 markus 1238: channel_free(id);
1.1 deraadt 1239: }
1240:
1.44 markus 1241: void
1242: channel_input_channel_request(int type, int plen)
1243: {
1244: int id;
1245: Channel *c;
1246:
1247: id = packet_get_int();
1248: c = channel_lookup(id);
1249:
1250: if (c == NULL ||
1251: (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1252: packet_disconnect("Received request for "
1253: "non-open channel %d.", id);
1254: if (c->cb_fn != NULL && c->cb_event == type) {
1255: debug("callback start");
1256: c->cb_fn(c->self, c->cb_arg);
1257: debug("callback done");
1258: } else {
1259: char *service = packet_get_string(NULL);
1260: debug("channel: %d rcvd request for %s", c->self, service);
1261: debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1262: xfree(service);
1263: }
1264: }
1265:
1.49 markus 1266: void
1.44 markus 1267: channel_input_window_adjust(int type, int plen)
1268: {
1269: Channel *c;
1270: int id, adjust;
1271:
1272: if (!compat20)
1273: return;
1274:
1275: /* Get the channel number and verify it. */
1276: id = packet_get_int();
1277: c = channel_lookup(id);
1278:
1279: if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1280: log("Received window adjust for "
1281: "non-open channel %d.", id);
1282: return;
1283: }
1284: adjust = packet_get_int();
1.48 markus 1285: packet_done();
1.44 markus 1286: debug("channel %d: rcvd adjust %d", id, adjust);
1287: c->remote_window += adjust;
1288: }
1289:
1.27 markus 1290: /*
1291: * Stops listening for channels, and removes any unix domain sockets that we
1292: * might have.
1293: */
1.1 deraadt 1294:
1.49 markus 1295: void
1.25 markus 1296: channel_stop_listening()
1.1 deraadt 1297: {
1.25 markus 1298: int i;
1299: for (i = 0; i < channels_alloc; i++) {
1300: switch (channels[i].type) {
1301: case SSH_CHANNEL_AUTH_SOCKET:
1302: close(channels[i].sock);
1303: remove(channels[i].path);
1304: channel_free(i);
1305: break;
1306: case SSH_CHANNEL_PORT_LISTENER:
1307: case SSH_CHANNEL_X11_LISTENER:
1308: close(channels[i].sock);
1309: channel_free(i);
1310: break;
1311: default:
1312: break;
1313: }
1.1 deraadt 1314: }
1315: }
1316:
1.27 markus 1317: /*
1.52 markus 1318: * Closes the sockets/fds of all channels. This is used to close extra file
1.27 markus 1319: * descriptors after a fork.
1320: */
1.1 deraadt 1321:
1.49 markus 1322: void
1.25 markus 1323: channel_close_all()
1.1 deraadt 1324: {
1.25 markus 1325: int i;
1.52 markus 1326: for (i = 0; i < channels_alloc; i++)
1.25 markus 1327: if (channels[i].type != SSH_CHANNEL_FREE)
1.52 markus 1328: channel_close_fds(&channels[i]);
1.1 deraadt 1329: }
1330:
1331: /* Returns the maximum file descriptor number used by the channels. */
1332:
1.49 markus 1333: int
1.25 markus 1334: channel_max_fd()
1.1 deraadt 1335: {
1.25 markus 1336: return channel_max_fd_value;
1.1 deraadt 1337: }
1338:
1339: /* Returns true if any channel is still open. */
1340:
1.49 markus 1341: int
1.25 markus 1342: channel_still_open()
1.1 deraadt 1343: {
1.25 markus 1344: unsigned int i;
1345: for (i = 0; i < channels_alloc; i++)
1346: switch (channels[i].type) {
1347: case SSH_CHANNEL_FREE:
1348: case SSH_CHANNEL_X11_LISTENER:
1349: case SSH_CHANNEL_PORT_LISTENER:
1350: case SSH_CHANNEL_CLOSED:
1351: case SSH_CHANNEL_AUTH_SOCKET:
1352: continue;
1.44 markus 1353: case SSH_CHANNEL_LARVAL:
1354: if (!compat20)
1355: fatal("cannot happen: SSH_CHANNEL_LARVAL");
1356: continue;
1.25 markus 1357: case SSH_CHANNEL_OPENING:
1358: case SSH_CHANNEL_OPEN:
1359: case SSH_CHANNEL_X11_OPEN:
1360: return 1;
1361: case SSH_CHANNEL_INPUT_DRAINING:
1362: case SSH_CHANNEL_OUTPUT_DRAINING:
1363: if (!compat13)
1364: fatal("cannot happen: OUT_DRAIN");
1365: return 1;
1366: default:
1367: fatal("channel_still_open: bad channel type %d", channels[i].type);
1368: /* NOTREACHED */
1369: }
1370: return 0;
1.1 deraadt 1371: }
1372:
1.27 markus 1373: /*
1374: * Returns a message describing the currently open forwarded connections,
1375: * suitable for sending to the client. The message contains crlf pairs for
1376: * newlines.
1377: */
1.1 deraadt 1378:
1.25 markus 1379: char *
1380: channel_open_message()
1.1 deraadt 1381: {
1.25 markus 1382: Buffer buffer;
1383: int i;
1384: char buf[512], *cp;
1385:
1386: buffer_init(&buffer);
1387: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 1388: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 1389: for (i = 0; i < channels_alloc; i++) {
1390: Channel *c = &channels[i];
1391: switch (c->type) {
1392: case SSH_CHANNEL_FREE:
1393: case SSH_CHANNEL_X11_LISTENER:
1394: case SSH_CHANNEL_PORT_LISTENER:
1395: case SSH_CHANNEL_CLOSED:
1396: case SSH_CHANNEL_AUTH_SOCKET:
1397: continue;
1.44 markus 1398: case SSH_CHANNEL_LARVAL:
1.25 markus 1399: case SSH_CHANNEL_OPENING:
1400: case SSH_CHANNEL_OPEN:
1401: case SSH_CHANNEL_X11_OPEN:
1402: case SSH_CHANNEL_INPUT_DRAINING:
1403: case SSH_CHANNEL_OUTPUT_DRAINING:
1.41 markus 1404: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
1.37 markus 1405: c->self, c->remote_name,
1406: c->type, c->remote_id,
1407: c->istate, buffer_len(&c->input),
1.41 markus 1408: c->ostate, buffer_len(&c->output),
1409: c->rfd, c->wfd);
1.25 markus 1410: buffer_append(&buffer, buf, strlen(buf));
1411: continue;
1412: default:
1.41 markus 1413: fatal("channel_open_message: bad channel type %d", c->type);
1.25 markus 1414: /* NOTREACHED */
1415: }
1416: }
1417: buffer_append(&buffer, "\0", 1);
1418: cp = xstrdup(buffer_ptr(&buffer));
1419: buffer_free(&buffer);
1420: return cp;
1.1 deraadt 1421: }
1422:
1.27 markus 1423: /*
1424: * Initiate forwarding of connections to local port "port" through the secure
1425: * channel to host:port from remote side.
1426: */
1.1 deraadt 1427:
1.49 markus 1428: void
1.31 markus 1429: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 1430: u_short host_port, int gateway_ports)
1.25 markus 1431: {
1.35 markus 1432: int success, ch, sock, on = 1;
1433: struct addrinfo hints, *ai, *aitop;
1434: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.28 markus 1435: struct linger linger;
1.25 markus 1436:
1437: if (strlen(host) > sizeof(channels[0].path) - 1)
1438: packet_disconnect("Forward host name too long.");
1439:
1.28 markus 1440: /*
1.35 markus 1441: * getaddrinfo returns a loopback address if the hostname is
1442: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 1443: */
1.35 markus 1444: memset(&hints, 0, sizeof(hints));
1445: hints.ai_family = IPv4or6;
1446: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1447: hints.ai_socktype = SOCK_STREAM;
1448: snprintf(strport, sizeof strport, "%d", port);
1449: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1450: packet_disconnect("getaddrinfo: fatal error");
1451:
1452: success = 0;
1453: for (ai = aitop; ai; ai = ai->ai_next) {
1454: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1455: continue;
1456: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1457: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1458: error("channel_request_local_forwarding: getnameinfo failed");
1459: continue;
1460: }
1461: /* Create a port to listen for the host. */
1462: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1463: if (sock < 0) {
1464: /* this is no error since kernel may not support ipv6 */
1465: verbose("socket: %.100s", strerror(errno));
1466: continue;
1467: }
1468: /*
1469: * Set socket options. We would like the socket to disappear
1470: * as soon as it has been closed for whatever reason.
1471: */
1472: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1473: linger.l_onoff = 1;
1474: linger.l_linger = 5;
1475: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1476: debug("Local forwarding listening on %s port %s.", ntop, strport);
1477:
1478: /* Bind the socket to the address. */
1479: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1480: /* address can be in use ipv6 address is already bound */
1481: verbose("bind: %.100s", strerror(errno));
1482: close(sock);
1483: continue;
1484: }
1485: /* Start listening for connections on the socket. */
1486: if (listen(sock, 5) < 0) {
1487: error("listen: %.100s", strerror(errno));
1488: close(sock);
1489: continue;
1490: }
1491: /* Allocate a channel number for the socket. */
1.41 markus 1492: ch = channel_new(
1493: "port listener", SSH_CHANNEL_PORT_LISTENER,
1494: sock, sock, -1,
1.51 markus 1495: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.41 markus 1496: 0, xstrdup("port listener"));
1.35 markus 1497: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1498: channels[ch].host_port = host_port;
1499: channels[ch].listening_port = port;
1500: success = 1;
1501: }
1502: if (success == 0)
1503: packet_disconnect("cannot listen port: %d", port);
1504: freeaddrinfo(aitop);
1.25 markus 1505: }
1.1 deraadt 1506:
1.27 markus 1507: /*
1508: * Initiate forwarding of connections to port "port" on remote host through
1509: * the secure channel to host:port from local side.
1510: */
1.1 deraadt 1511:
1.49 markus 1512: void
1.41 markus 1513: channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
1514: u_short port_to_connect)
1.25 markus 1515: {
1516: int payload_len;
1517: /* Record locally that connection to this host/port is permitted. */
1518: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1519: fatal("channel_request_remote_forwarding: too many forwards");
1520:
1.41 markus 1521: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1522: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1523: permitted_opens[num_permitted_opens].listen_port = listen_port;
1.25 markus 1524: num_permitted_opens++;
1525:
1526: /* Send the forward request to the remote side. */
1.44 markus 1527: if (compat20) {
1528: const char *address_to_bind = "0.0.0.0";
1529: packet_start(SSH2_MSG_GLOBAL_REQUEST);
1530: packet_put_cstring("tcpip-forward");
1531: packet_put_char(0); /* boolean: want reply */
1532: packet_put_cstring(address_to_bind);
1533: packet_put_int(listen_port);
1534: } else {
1535: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.50 markus 1536: packet_put_int(listen_port);
1537: packet_put_cstring(host_to_connect);
1.44 markus 1538: packet_put_int(port_to_connect);
1539: packet_send();
1540: packet_write_wait();
1541: /*
1542: * Wait for response from the remote side. It will send a disconnect
1543: * message on failure, and we will never see it here.
1544: */
1545: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1546: }
1.1 deraadt 1547: }
1548:
1.27 markus 1549: /*
1550: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1551: * listening for the port, and sends back a success reply (or disconnect
1552: * message if there was an error). This never returns if there was an error.
1553: */
1.1 deraadt 1554:
1.49 markus 1555: void
1.56 markus 1556: channel_input_port_forward_request(int is_root, int gateway_ports)
1.1 deraadt 1557: {
1.31 markus 1558: u_short port, host_port;
1.25 markus 1559: char *hostname;
1.1 deraadt 1560:
1.25 markus 1561: /* Get arguments from the packet. */
1562: port = packet_get_int();
1563: hostname = packet_get_string(NULL);
1564: host_port = packet_get_int();
1565:
1.27 markus 1566: /*
1567: * Check that an unprivileged user is not trying to forward a
1568: * privileged port.
1569: */
1.25 markus 1570: if (port < IPPORT_RESERVED && !is_root)
1571: packet_disconnect("Requested forwarding of port %d but user is not root.",
1572: port);
1.33 markus 1573: /*
1574: * Initiate forwarding,
1575: */
1.56 markus 1576: channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
1.25 markus 1577:
1578: /* Free the argument string. */
1579: xfree(hostname);
1.1 deraadt 1580: }
1581:
1.41 markus 1582: /* XXX move to aux.c */
1583: int
1584: channel_connect_to(const char *host, u_short host_port)
1585: {
1586: struct addrinfo hints, *ai, *aitop;
1587: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1588: int gaierr;
1589: int sock = -1;
1590:
1591: memset(&hints, 0, sizeof(hints));
1592: hints.ai_family = IPv4or6;
1593: hints.ai_socktype = SOCK_STREAM;
1594: snprintf(strport, sizeof strport, "%d", host_port);
1595: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1596: error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
1597: return -1;
1598: }
1599: for (ai = aitop; ai; ai = ai->ai_next) {
1600: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1601: continue;
1602: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1603: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1604: error("channel_connect_to: getnameinfo failed");
1605: continue;
1606: }
1607: /* Create the socket. */
1608: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1609: if (sock < 0) {
1610: error("socket: %.100s", strerror(errno));
1611: continue;
1612: }
1613: /* Connect to the host/port. */
1614: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1615: error("connect %.100s port %s: %.100s", ntop, strport,
1616: strerror(errno));
1617: close(sock);
1618: continue; /* fail -- try next */
1619: }
1620: break; /* success */
1621:
1622: }
1623: freeaddrinfo(aitop);
1624: if (!ai) {
1625: error("connect %.100s port %d: failed.", host, host_port);
1626: return -1;
1627: }
1628: /* success */
1629: return sock;
1630: }
1.27 markus 1631: /*
1632: * This is called after receiving PORT_OPEN message. This attempts to
1633: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1634: * or CHANNEL_OPEN_FAILURE.
1635: */
1.1 deraadt 1636:
1.49 markus 1637: void
1.41 markus 1638: channel_input_port_open(int type, int plen)
1.1 deraadt 1639: {
1.31 markus 1640: u_short host_port;
1.25 markus 1641: char *host, *originator_string;
1.41 markus 1642: int remote_channel, sock = -1, newch, i, denied;
1.39 markus 1643: unsigned int host_len, originator_len;
1.25 markus 1644:
1645: /* Get remote channel number. */
1646: remote_channel = packet_get_int();
1647:
1648: /* Get host name to connect to. */
1649: host = packet_get_string(&host_len);
1650:
1651: /* Get port to connect to. */
1652: host_port = packet_get_int();
1653:
1654: /* Get remote originator name. */
1.29 markus 1655: if (have_hostname_in_open) {
1.25 markus 1656: originator_string = packet_get_string(&originator_len);
1.29 markus 1657: originator_len += 4; /* size of packet_int */
1658: } else {
1.25 markus 1659: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1660: originator_len = 0; /* no originator supplied */
1661: }
1.25 markus 1662:
1.41 markus 1663: packet_integrity_check(plen,
1664: 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
1.25 markus 1665:
1666: /* Check if opening that port is permitted. */
1.41 markus 1667: denied = 0;
1.25 markus 1668: if (!all_opens_permitted) {
1669: /* Go trough all permitted ports. */
1670: for (i = 0; i < num_permitted_opens; i++)
1.41 markus 1671: if (permitted_opens[i].port_to_connect == host_port &&
1672: strcmp(permitted_opens[i].host_to_connect, host) == 0)
1.25 markus 1673: break;
1674:
1675: /* Check if we found the requested port among those permitted. */
1676: if (i >= num_permitted_opens) {
1677: /* The port is not permitted. */
1678: log("Received request to connect to %.100s:%d, but the request was denied.",
1679: host, host_port);
1.41 markus 1680: denied = 1;
1.25 markus 1681: }
1682: }
1.41 markus 1683: sock = denied ? -1 : channel_connect_to(host, host_port);
1684: if (sock > 0) {
1685: /* Allocate a channel for this connection. */
1686: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1687: channels[newch].remote_id = remote_channel;
1688:
1689: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1690: packet_put_int(remote_channel);
1691: packet_put_int(newch);
1692: packet_send();
1693: } else {
1694: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1695: packet_put_int(remote_channel);
1696: packet_send();
1.25 markus 1697: }
1698: xfree(host);
1.1 deraadt 1699: }
1700:
1.27 markus 1701: /*
1702: * Creates an internet domain socket for listening for X11 connections.
1703: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1704: * occurs.
1705: */
1.1 deraadt 1706:
1.35 markus 1707: #define NUM_SOCKS 10
1708:
1.25 markus 1709: char *
1.33 markus 1710: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1711: {
1.31 markus 1712: int display_number, sock;
1713: u_short port;
1.35 markus 1714: struct addrinfo hints, *ai, *aitop;
1715: char strport[NI_MAXSERV];
1716: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1717: char display[512];
1.25 markus 1718: char hostname[MAXHOSTNAMELEN];
1719:
1.33 markus 1720: for (display_number = x11_display_offset;
1.25 markus 1721: display_number < MAX_DISPLAYS;
1722: display_number++) {
1723: port = 6000 + display_number;
1.35 markus 1724: memset(&hints, 0, sizeof(hints));
1725: hints.ai_family = IPv4or6;
1.36 markus 1726: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1727: hints.ai_socktype = SOCK_STREAM;
1728: snprintf(strport, sizeof strport, "%d", port);
1729: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1730: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1731: return NULL;
1732: }
1.35 markus 1733: for (ai = aitop; ai; ai = ai->ai_next) {
1734: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1735: continue;
1736: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1737: if (sock < 0) {
1738: error("socket: %.100s", strerror(errno));
1739: return NULL;
1740: }
1741: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1742: debug("bind port %d: %.100s", port, strerror(errno));
1743: shutdown(sock, SHUT_RDWR);
1744: close(sock);
1745: for (n = 0; n < num_socks; n++) {
1746: shutdown(socks[n], SHUT_RDWR);
1747: close(socks[n]);
1748: }
1749: num_socks = 0;
1750: break;
1751: }
1752: socks[num_socks++] = sock;
1753: if (num_socks == NUM_SOCKS)
1754: break;
1.25 markus 1755: }
1.35 markus 1756: if (num_socks > 0)
1757: break;
1.25 markus 1758: }
1759: if (display_number >= MAX_DISPLAYS) {
1760: error("Failed to allocate internet-domain X11 display socket.");
1761: return NULL;
1762: }
1763: /* Start listening for connections on the socket. */
1.35 markus 1764: for (n = 0; n < num_socks; n++) {
1765: sock = socks[n];
1766: if (listen(sock, 5) < 0) {
1767: error("listen: %.100s", strerror(errno));
1768: shutdown(sock, SHUT_RDWR);
1769: close(sock);
1770: return NULL;
1771: }
1.25 markus 1772: }
1.35 markus 1773:
1.25 markus 1774: /* Set up a suitable value for the DISPLAY variable. */
1775: if (gethostname(hostname, sizeof(hostname)) < 0)
1776: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 1777: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 1778: display_number, screen_number);
1779:
1.35 markus 1780: /* Allocate a channel for each socket. */
1781: for (n = 0; n < num_socks; n++) {
1782: sock = socks[n];
1.51 markus 1783: (void) channel_new("x11 listener",
1784: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
1785: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1786: 0, xstrdup("X11 inet listener"));
1.35 markus 1787: }
1.1 deraadt 1788:
1.25 markus 1789: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 1790: return xstrdup(display);
1.1 deraadt 1791: }
1792:
1793: #ifndef X_UNIX_PATH
1794: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1795: #endif
1796:
1797: static
1798: int
1.30 deraadt 1799: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1800: {
1.25 markus 1801: static const char *const x_sockets[] = {
1802: X_UNIX_PATH "%u",
1803: "/var/X/.X11-unix/X" "%u",
1804: "/usr/spool/sockets/X11/" "%u",
1805: NULL
1806: };
1807: int sock;
1808: struct sockaddr_un addr;
1809: const char *const * path;
1810:
1811: for (path = x_sockets; *path; ++path) {
1812: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1813: if (sock < 0)
1814: error("socket: %.100s", strerror(errno));
1815: memset(&addr, 0, sizeof(addr));
1816: addr.sun_family = AF_UNIX;
1817: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1818: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1819: return sock;
1820: close(sock);
1821: }
1822: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1823: return -1;
1.1 deraadt 1824: }
1825:
1.51 markus 1826: int
1827: x11_connect_display(void)
1.1 deraadt 1828: {
1.51 markus 1829: int display_number, sock = 0;
1.25 markus 1830: const char *display;
1.51 markus 1831: char buf[1024], *cp;
1.35 markus 1832: struct addrinfo hints, *ai, *aitop;
1833: char strport[NI_MAXSERV];
1834: int gaierr;
1.25 markus 1835:
1836: /* Try to open a socket for the local X server. */
1837: display = getenv("DISPLAY");
1838: if (!display) {
1839: error("DISPLAY not set.");
1.51 markus 1840: return -1;
1.25 markus 1841: }
1.27 markus 1842: /*
1843: * Now we decode the value of the DISPLAY variable and make a
1844: * connection to the real X server.
1845: */
1846:
1847: /*
1848: * Check if it is a unix domain socket. Unix domain displays are in
1849: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1850: */
1.25 markus 1851: if (strncmp(display, "unix:", 5) == 0 ||
1852: display[0] == ':') {
1853: /* Connect to the unix domain socket. */
1854: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1855: error("Could not parse display number from DISPLAY: %.100s",
1856: display);
1.51 markus 1857: return -1;
1.25 markus 1858: }
1859: /* Create a socket. */
1860: sock = connect_local_xsocket(display_number);
1861: if (sock < 0)
1.51 markus 1862: return -1;
1.25 markus 1863:
1864: /* OK, we now have a connection to the display. */
1.51 markus 1865: return sock;
1.25 markus 1866: }
1.27 markus 1867: /*
1868: * Connect to an inet socket. The DISPLAY value is supposedly
1869: * hostname:d[.s], where hostname may also be numeric IP address.
1870: */
1.25 markus 1871: strncpy(buf, display, sizeof(buf));
1872: buf[sizeof(buf) - 1] = 0;
1873: cp = strchr(buf, ':');
1874: if (!cp) {
1875: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 1876: return -1;
1.25 markus 1877: }
1878: *cp = 0;
1.27 markus 1879: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1880: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1881: error("Could not parse display number from DISPLAY: %.100s",
1882: display);
1.51 markus 1883: return -1;
1.25 markus 1884: }
1.35 markus 1885:
1886: /* Look up the host address */
1887: memset(&hints, 0, sizeof(hints));
1888: hints.ai_family = IPv4or6;
1889: hints.ai_socktype = SOCK_STREAM;
1890: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1891: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1892: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.51 markus 1893: return -1;
1.25 markus 1894: }
1.35 markus 1895: for (ai = aitop; ai; ai = ai->ai_next) {
1896: /* Create a socket. */
1897: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1898: if (sock < 0) {
1899: debug("socket: %.100s", strerror(errno));
1.41 markus 1900: continue;
1901: }
1902: /* Connect it to the display. */
1903: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1904: debug("connect %.100s port %d: %.100s", buf,
1905: 6000 + display_number, strerror(errno));
1906: close(sock);
1907: continue;
1908: }
1909: /* Success */
1910: break;
1.35 markus 1911: }
1912: freeaddrinfo(aitop);
1913: if (!ai) {
1.49 markus 1914: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1.35 markus 1915: strerror(errno));
1.51 markus 1916: return -1;
1.25 markus 1917: }
1.51 markus 1918: return sock;
1919: }
1920:
1921: /*
1922: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1923: * the remote channel number. We should do whatever we want, and respond
1924: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1925: */
1926:
1927: void
1928: x11_input_open(int type, int plen)
1929: {
1930: int remote_channel, sock = 0, newch;
1931: char *remote_host;
1932: unsigned int remote_len;
1.25 markus 1933:
1.51 markus 1934: /* Get remote channel number. */
1935: remote_channel = packet_get_int();
1936:
1937: /* Get remote originator name. */
1938: if (have_hostname_in_open) {
1939: remote_host = packet_get_string(&remote_len);
1940: remote_len += 4;
1941: } else {
1942: remote_host = xstrdup("unknown (remote did not supply name)");
1943: remote_len = 0;
1944: }
1.25 markus 1945:
1.51 markus 1946: debug("Received X11 open request.");
1947: packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1948:
1.51 markus 1949: /* Obtain a connection to the real X display. */
1950: sock = x11_connect_display();
1951: if (sock == -1) {
1952: /* Send refusal to the remote host. */
1953: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1954: packet_put_int(remote_channel);
1955: packet_send();
1956: } else {
1957: /* Allocate a channel for this connection. */
1958: newch = channel_allocate(
1959: (x11_saved_proto == NULL) ?
1960: SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
1961: sock, remote_host);
1962: channels[newch].remote_id = remote_channel;
1.25 markus 1963:
1.51 markus 1964: /* Send a confirmation to the remote host. */
1965: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1966: packet_put_int(remote_channel);
1967: packet_put_int(newch);
1968: packet_send();
1969: }
1.1 deraadt 1970: }
1971:
1.27 markus 1972: /*
1973: * Requests forwarding of X11 connections, generates fake authentication
1974: * data, and enables authentication spoofing.
1975: */
1.1 deraadt 1976:
1.49 markus 1977: void
1.51 markus 1978: x11_request_forwarding_with_spoofing(int client_session_id,
1979: const char *proto, const char *data)
1.1 deraadt 1980: {
1.25 markus 1981: unsigned int data_len = (unsigned int) strlen(data) / 2;
1982: unsigned int i, value;
1983: char *new_data;
1984: int screen_number;
1985: const char *cp;
1986: u_int32_t rand = 0;
1987:
1988: cp = getenv("DISPLAY");
1989: if (cp)
1990: cp = strchr(cp, ':');
1991: if (cp)
1992: cp = strchr(cp, '.');
1993: if (cp)
1994: screen_number = atoi(cp + 1);
1995: else
1996: screen_number = 0;
1997:
1998: /* Save protocol name. */
1999: x11_saved_proto = xstrdup(proto);
2000:
1.27 markus 2001: /*
2002: * Extract real authentication data and generate fake data of the
2003: * same length.
2004: */
1.25 markus 2005: x11_saved_data = xmalloc(data_len);
2006: x11_fake_data = xmalloc(data_len);
2007: for (i = 0; i < data_len; i++) {
2008: if (sscanf(data + 2 * i, "%2x", &value) != 1)
2009: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
2010: if (i % 4 == 0)
2011: rand = arc4random();
2012: x11_saved_data[i] = value;
2013: x11_fake_data[i] = rand & 0xff;
2014: rand >>= 8;
2015: }
2016: x11_saved_data_len = data_len;
2017: x11_fake_data_len = data_len;
2018:
2019: /* Convert the fake data into hex. */
2020: new_data = xmalloc(2 * data_len + 1);
2021: for (i = 0; i < data_len; i++)
2022: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
2023:
2024: /* Send the request packet. */
1.51 markus 2025: if (compat20) {
2026: channel_request_start(client_session_id, "x11-req", 0);
2027: packet_put_char(0); /* XXX bool single connection */
2028: } else {
2029: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
2030: }
2031: packet_put_cstring(proto);
2032: packet_put_cstring(new_data);
1.25 markus 2033: packet_put_int(screen_number);
2034: packet_send();
2035: packet_write_wait();
2036: xfree(new_data);
1.1 deraadt 2037: }
2038:
2039: /* Sends a message to the server to request authentication fd forwarding. */
2040:
1.49 markus 2041: void
1.25 markus 2042: auth_request_forwarding()
1.1 deraadt 2043: {
1.25 markus 2044: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2045: packet_send();
2046: packet_write_wait();
1.1 deraadt 2047: }
2048:
1.27 markus 2049: /*
2050: * Returns the name of the forwarded authentication socket. Returns NULL if
2051: * there is no forwarded authentication socket. The returned value points to
2052: * a static buffer.
2053: */
1.1 deraadt 2054:
1.25 markus 2055: char *
2056: auth_get_socket_name()
1.1 deraadt 2057: {
1.25 markus 2058: return channel_forwarded_auth_socket_name;
1.1 deraadt 2059: }
2060:
1.12 markus 2061: /* removes the agent forwarding socket */
2062:
1.49 markus 2063: void
1.25 markus 2064: cleanup_socket(void)
2065: {
2066: remove(channel_forwarded_auth_socket_name);
2067: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 2068: }
2069:
1.27 markus 2070: /*
1.59 markus 2071: * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1.27 markus 2072: * This starts forwarding authentication requests.
2073: */
1.1 deraadt 2074:
1.59 markus 2075: int
1.25 markus 2076: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 2077: {
1.25 markus 2078: int sock, newch;
2079: struct sockaddr_un sunaddr;
2080:
2081: if (auth_get_socket_name() != NULL)
2082: fatal("Protocol error: authentication forwarding requested twice.");
2083:
2084: /* Temporarily drop privileged uid for mkdir/bind. */
2085: temporarily_use_uid(pw->pw_uid);
2086:
2087: /* Allocate a buffer for the socket name, and format the name. */
2088: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
2089: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
2090: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
2091:
2092: /* Create private directory for socket */
1.59 markus 2093: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
2094: packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
2095: strerror(errno));
2096: restore_uid();
2097: xfree(channel_forwarded_auth_socket_name);
2098: xfree(channel_forwarded_auth_socket_dir);
2099: channel_forwarded_auth_socket_name = NULL;
2100: channel_forwarded_auth_socket_dir = NULL;
2101: return 0;
2102: }
1.25 markus 2103: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
2104: channel_forwarded_auth_socket_dir, (int) getpid());
2105:
2106: if (atexit(cleanup_socket) < 0) {
2107: int saved = errno;
2108: cleanup_socket();
2109: packet_disconnect("socket: %.100s", strerror(saved));
2110: }
2111: /* Create the socket. */
2112: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2113: if (sock < 0)
2114: packet_disconnect("socket: %.100s", strerror(errno));
2115:
2116: /* Bind it to the name. */
2117: memset(&sunaddr, 0, sizeof(sunaddr));
2118: sunaddr.sun_family = AF_UNIX;
2119: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
2120: sizeof(sunaddr.sun_path));
2121:
2122: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2123: packet_disconnect("bind: %.100s", strerror(errno));
2124:
2125: /* Restore the privileged uid. */
2126: restore_uid();
2127:
2128: /* Start listening on the socket. */
2129: if (listen(sock, 5) < 0)
2130: packet_disconnect("listen: %.100s", strerror(errno));
2131:
2132: /* Allocate a channel for the authentication agent socket. */
2133: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
2134: xstrdup("auth socket"));
1.32 deraadt 2135: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
2136: sizeof(channels[newch].path));
1.59 markus 2137: return 1;
1.1 deraadt 2138: }
2139:
2140: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2141:
1.49 markus 2142: void
1.41 markus 2143: auth_input_open_request(int type, int plen)
1.1 deraadt 2144: {
1.25 markus 2145: int remch, sock, newch;
2146: char *dummyname;
1.41 markus 2147:
2148: packet_integrity_check(plen, 4, type);
1.25 markus 2149:
2150: /* Read the remote channel number from the message. */
2151: remch = packet_get_int();
2152:
1.27 markus 2153: /*
2154: * Get a connection to the local authentication agent (this may again
2155: * get forwarded).
2156: */
1.25 markus 2157: sock = ssh_get_authentication_socket();
2158:
1.27 markus 2159: /*
2160: * If we could not connect the agent, send an error message back to
2161: * the server. This should never happen unless the agent dies,
2162: * because authentication forwarding is only enabled if we have an
2163: * agent.
2164: */
1.25 markus 2165: if (sock < 0) {
2166: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2167: packet_put_int(remch);
2168: packet_send();
2169: return;
2170: }
2171: debug("Forwarding authentication connection.");
1.1 deraadt 2172:
1.27 markus 2173: /*
2174: * Dummy host name. This will be freed when the channel is freed; it
2175: * will still be valid in the packet_put_string below since the
2176: * channel cannot yet be freed at that point.
2177: */
1.25 markus 2178: dummyname = xstrdup("authentication agent connection");
2179:
2180: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
2181: channels[newch].remote_id = remch;
2182:
2183: /* Send a confirmation to the remote host. */
2184: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2185: packet_put_int(remch);
2186: packet_put_int(newch);
1.44 markus 2187: packet_send();
2188: }
2189:
2190: void
1.51 markus 2191: channel_start_open(int id)
1.44 markus 2192: {
2193: Channel *c = channel_lookup(id);
2194: if (c == NULL) {
2195: log("channel_open: %d: bad id", id);
2196: return;
2197: }
1.51 markus 2198: debug("send channel open %d", id);
1.44 markus 2199: packet_start(SSH2_MSG_CHANNEL_OPEN);
2200: packet_put_cstring(c->ctype);
2201: packet_put_int(c->self);
2202: packet_put_int(c->local_window);
2203: packet_put_int(c->local_maxpacket);
1.51 markus 2204: }
2205: void
2206: channel_open(int id)
2207: {
2208: /* XXX REMOVE ME */
2209: channel_start_open(id);
1.44 markus 2210: packet_send();
2211: }
2212: void
2213: channel_request(int id, char *service, int wantconfirm)
2214: {
2215: channel_request_start(id, service, wantconfirm);
2216: packet_send();
2217: debug("channel request %d: %s", id, service) ;
2218: }
2219: void
2220: channel_request_start(int id, char *service, int wantconfirm)
2221: {
2222: Channel *c = channel_lookup(id);
2223: if (c == NULL) {
2224: log("channel_request: %d: bad id", id);
2225: return;
2226: }
2227: packet_start(SSH2_MSG_CHANNEL_REQUEST);
2228: packet_put_int(c->remote_id);
2229: packet_put_cstring(service);
2230: packet_put_char(wantconfirm);
2231: }
2232: void
2233: channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
2234: {
2235: Channel *c = channel_lookup(id);
2236: if (c == NULL) {
2237: log("channel_register_callback: %d: bad id", id);
2238: return;
2239: }
2240: c->cb_event = mtype;
2241: c->cb_fn = fn;
2242: c->cb_arg = arg;
2243: }
2244: void
2245: channel_register_cleanup(int id, channel_callback_fn *fn)
2246: {
2247: Channel *c = channel_lookup(id);
2248: if (c == NULL) {
2249: log("channel_register_cleanup: %d: bad id", id);
2250: return;
2251: }
2252: c->dettach_user = fn;
2253: }
2254: void
2255: channel_cancel_cleanup(int id)
2256: {
2257: Channel *c = channel_lookup(id);
2258: if (c == NULL) {
2259: log("channel_cancel_cleanup: %d: bad id", id);
2260: return;
2261: }
2262: c->dettach_user = NULL;
1.65 markus 2263: }
2264: void
2265: channel_register_filter(int id, channel_filter_fn *fn)
2266: {
2267: Channel *c = channel_lookup(id);
2268: if (c == NULL) {
2269: log("channel_register_filter: %d: bad id", id);
2270: return;
2271: }
2272: c->input_filter = fn;
1.44 markus 2273: }
2274:
2275: void
2276: channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
2277: {
2278: Channel *c = channel_lookup(id);
2279: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
2280: fatal("channel_activate for non-larval channel %d.", id);
1.52 markus 2281:
2282: channel_register_fds(c, rfd, wfd, efd, extusage);
1.44 markus 2283: c->type = SSH_CHANNEL_OPEN;
2284: /* XXX window size? */
2285: c->local_window = c->local_window_max = c->local_maxpacket/2;
2286: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
2287: packet_put_int(c->remote_id);
2288: packet_put_int(c->local_window);
1.25 markus 2289: packet_send();
1.1 deraadt 2290: }