Annotation of src/usr.bin/ssh/channels.c, Revision 1.68
1.1 deraadt 1: /*
1.26 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * This file contains functions for generic socket connection forwarding.
6: * There is also code for initiating connection forwarding for X11 connections,
7: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 8: *
1.67 deraadt 9: * As far as I am concerned, the code I have written for this software
10: * can be used freely for any purpose. Any derived versions of this
11: * software must be clearly marked as such, and if the derived work is
12: * incompatible with the protocol description in the RFC file, it must be
13: * called by a name other than "ssh" or "Secure Shell".
14: *
15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.67 deraadt 17: * Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
18: * Copyright (c) 1999 Dug Song. All rights reserved.
19: * Copyright (c) 1999 Theo de Raadt. All rights reserved.
20: *
21: * Redistribution and use in source and binary forms, with or without
22: * modification, are permitted provided that the following conditions
23: * are met:
24: * 1. Redistributions of source code must retain the above copyright
25: * notice, this list of conditions and the following disclaimer.
26: * 2. Redistributions in binary form must reproduce the above copyright
27: * notice, this list of conditions and the following disclaimer in the
28: * documentation and/or other materials provided with the distribution.
29: *
30: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.26 deraadt 40: */
1.1 deraadt 41:
42: #include "includes.h"
1.68 ! markus 43: RCSID("$OpenBSD: channels.c,v 1.67 2000/09/07 20:27:50 deraadt Exp $");
1.1 deraadt 44:
45: #include "ssh.h"
46: #include "packet.h"
47: #include "xmalloc.h"
48: #include "buffer.h"
49: #include "uidswap.h"
1.20 markus 50: #include "readconf.h"
1.3 deraadt 51: #include "servconf.h"
1.1 deraadt 52:
1.14 markus 53: #include "channels.h"
54: #include "nchan.h"
55: #include "compat.h"
56:
1.44 markus 57: #include "ssh2.h"
1.64 markus 58:
59: #include <openssl/rsa.h>
60: #include <openssl/dsa.h>
61: #include "key.h"
62: #include "authfd.h"
1.44 markus 63:
1.1 deraadt 64: /* Maximum number of fake X11 displays to try. */
65: #define MAX_DISPLAYS 1000
66:
1.12 markus 67: /* Max len of agent socket */
68: #define MAX_SOCKET_NAME 100
69:
1.27 markus 70: /*
71: * Pointer to an array containing all allocated channels. The array is
72: * dynamically extended as needed.
73: */
1.1 deraadt 74: static Channel *channels = NULL;
75:
1.27 markus 76: /*
77: * Size of the channel array. All slots of the array must always be
78: * initialized (at least the type field); unused slots are marked with type
79: * SSH_CHANNEL_FREE.
80: */
1.1 deraadt 81: static int channels_alloc = 0;
82:
1.27 markus 83: /*
84: * Maximum file descriptor value used in any of the channels. This is
85: * updated in channel_allocate.
86: */
1.1 deraadt 87: static int channel_max_fd_value = 0;
88:
1.12 markus 89: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 90: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 91: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 92:
93: /* Saved X11 authentication protocol name. */
94: char *x11_saved_proto = NULL;
95:
96: /* Saved X11 authentication data. This is the real data. */
97: char *x11_saved_data = NULL;
98: unsigned int x11_saved_data_len = 0;
99:
1.27 markus 100: /*
101: * Fake X11 authentication data. This is what the server will be sending us;
102: * we should replace any occurrences of this by the real data.
103: */
1.1 deraadt 104: char *x11_fake_data = NULL;
105: unsigned int x11_fake_data_len;
106:
1.27 markus 107: /*
108: * Data structure for storing which hosts are permitted for forward requests.
109: * The local sides of any remote forwards are stored in this array to prevent
110: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
111: * network (which might be behind a firewall).
112: */
1.25 markus 113: typedef struct {
1.41 markus 114: char *host_to_connect; /* Connect to 'host'. */
115: u_short port_to_connect; /* Connect to 'port'. */
116: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 117: } ForwardPermission;
118:
119: /* List of all permitted host/port pairs to connect. */
120: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
121: /* Number of permitted host/port pairs in the array. */
122: static int num_permitted_opens = 0;
1.27 markus 123: /*
124: * If this is true, all opens are permitted. This is the case on the server
125: * on which we have to trust the client anyway, and the user could do
126: * anything after logging in anyway.
127: */
1.1 deraadt 128: static int all_opens_permitted = 0;
129:
130: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
131: static int have_hostname_in_open = 0;
132:
133: /* Sets specific protocol options. */
134:
1.49 markus 135: void
1.25 markus 136: channel_set_options(int hostname_in_open)
1.1 deraadt 137: {
1.25 markus 138: have_hostname_in_open = hostname_in_open;
1.1 deraadt 139: }
140:
1.27 markus 141: /*
142: * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
143: * called by the server, because the user could connect to any port anyway,
144: * and the server has no way to know but to trust the client anyway.
145: */
1.1 deraadt 146:
1.49 markus 147: void
1.25 markus 148: channel_permit_all_opens()
1.1 deraadt 149: {
1.25 markus 150: all_opens_permitted = 1;
1.1 deraadt 151: }
152:
1.41 markus 153: /* lookup channel by id */
154:
155: Channel *
156: channel_lookup(int id)
157: {
158: Channel *c;
1.63 provos 159: if (id < 0 || id > channels_alloc) {
1.41 markus 160: log("channel_lookup: %d: bad id", id);
161: return NULL;
162: }
163: c = &channels[id];
164: if (c->type == SSH_CHANNEL_FREE) {
165: log("channel_lookup: %d: bad id: channel free", id);
166: return NULL;
167: }
168: return c;
1.55 markus 169: }
170:
1.27 markus 171: /*
1.55 markus 172: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 173: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 174: */
1.1 deraadt 175:
1.52 markus 176: void
177: channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
1.1 deraadt 178: {
1.25 markus 179: /* Update the maximum file descriptor value. */
1.41 markus 180: if (rfd > channel_max_fd_value)
181: channel_max_fd_value = rfd;
182: if (wfd > channel_max_fd_value)
183: channel_max_fd_value = wfd;
184: if (efd > channel_max_fd_value)
185: channel_max_fd_value = efd;
1.27 markus 186: /* XXX set close-on-exec -markus */
1.55 markus 187:
1.52 markus 188: c->rfd = rfd;
189: c->wfd = wfd;
190: c->sock = (rfd == wfd) ? rfd : -1;
191: c->efd = efd;
192: c->extended_usage = extusage;
1.55 markus 193: if (rfd != -1)
194: set_nonblock(rfd);
195: if (wfd != -1)
196: set_nonblock(wfd);
197: if (efd != -1)
198: set_nonblock(efd);
1.52 markus 199: }
200:
201: /*
202: * Allocate a new channel object and set its type and socket. This will cause
203: * remote_name to be freed.
204: */
205:
206: int
207: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
208: int window, int maxpack, int extusage, char *remote_name)
209: {
210: int i, found;
211: Channel *c;
1.25 markus 212:
213: /* Do initial allocation if this is the first call. */
214: if (channels_alloc == 0) {
1.44 markus 215: chan_init();
1.25 markus 216: channels_alloc = 10;
217: channels = xmalloc(channels_alloc * sizeof(Channel));
218: for (i = 0; i < channels_alloc; i++)
219: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 220: /*
221: * Kludge: arrange a call to channel_stop_listening if we
222: * terminate with fatal().
223: */
1.25 markus 224: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
225: }
226: /* Try to find a free slot where to put the new channel. */
227: for (found = -1, i = 0; i < channels_alloc; i++)
228: if (channels[i].type == SSH_CHANNEL_FREE) {
229: /* Found a free slot. */
230: found = i;
231: break;
232: }
233: if (found == -1) {
1.27 markus 234: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 235: found = channels_alloc;
236: channels_alloc += 10;
237: debug("channel: expanding %d", channels_alloc);
238: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
239: for (i = found; i < channels_alloc; i++)
240: channels[i].type = SSH_CHANNEL_FREE;
241: }
242: /* Initialize and return new channel number. */
243: c = &channels[found];
244: buffer_init(&c->input);
245: buffer_init(&c->output);
1.41 markus 246: buffer_init(&c->extended);
1.25 markus 247: chan_init_iostates(c);
1.52 markus 248: channel_register_fds(c, rfd, wfd, efd, extusage);
1.25 markus 249: c->self = found;
250: c->type = type;
1.41 markus 251: c->ctype = ctype;
1.51 markus 252: c->local_window = window;
253: c->local_window_max = window;
254: c->local_consumed = 0;
255: c->local_maxpacket = maxpack;
1.25 markus 256: c->remote_id = -1;
257: c->remote_name = remote_name;
1.41 markus 258: c->remote_window = 0;
259: c->remote_maxpacket = 0;
260: c->cb_fn = NULL;
261: c->cb_arg = NULL;
262: c->cb_event = 0;
263: c->dettach_user = NULL;
1.65 markus 264: c->input_filter = NULL;
1.25 markus 265: debug("channel %d: new [%s]", found, remote_name);
266: return found;
1.1 deraadt 267: }
1.52 markus 268: /* old interface XXX */
1.49 markus 269: int
1.41 markus 270: channel_allocate(int type, int sock, char *remote_name)
271: {
272: return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
273: }
1.1 deraadt 274:
1.52 markus 275:
276: /* Close all channel fd/socket. */
277:
278: void
279: channel_close_fds(Channel *c)
280: {
281: if (c->sock != -1) {
282: close(c->sock);
283: c->sock = -1;
284: }
285: if (c->rfd != -1) {
286: close(c->rfd);
287: c->rfd = -1;
288: }
289: if (c->wfd != -1) {
290: close(c->wfd);
291: c->wfd = -1;
292: }
293: if (c->efd != -1) {
294: close(c->efd);
295: c->efd = -1;
296: }
297: }
298:
299: /* Free the channel and close its fd/socket. */
1.1 deraadt 300:
1.49 markus 301: void
1.41 markus 302: channel_free(int id)
1.1 deraadt 303: {
1.41 markus 304: Channel *c = channel_lookup(id);
305: if (c == NULL)
306: packet_disconnect("channel free: bad local channel %d", id);
307: debug("channel_free: channel %d: status: %s", id, channel_open_message());
1.44 markus 308: if (c->dettach_user != NULL) {
309: debug("channel_free: channel %d: dettaching channel user", id);
310: c->dettach_user(c->self, NULL);
311: }
1.54 markus 312: if (c->sock != -1)
313: shutdown(c->sock, SHUT_RDWR);
1.52 markus 314: channel_close_fds(c);
1.41 markus 315: buffer_free(&c->input);
316: buffer_free(&c->output);
317: buffer_free(&c->extended);
318: c->type = SSH_CHANNEL_FREE;
319: if (c->remote_name) {
320: xfree(c->remote_name);
321: c->remote_name = NULL;
1.25 markus 322: }
1.1 deraadt 323: }
324:
1.27 markus 325: /*
1.41 markus 326: * 'channel_pre*' are called just before select() to add any bits relevant to
327: * channels in the select bitmasks.
328: */
329: /*
330: * 'channel_post*': perform any appropriate operations for channels which
331: * have events pending.
1.27 markus 332: */
1.41 markus 333: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
334: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
335: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
336:
337: void
338: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
339: {
340: FD_SET(c->sock, readset);
341: }
342:
343: void
344: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
345: {
346: if (buffer_len(&c->input) < packet_get_maxsize())
347: FD_SET(c->sock, readset);
348: if (buffer_len(&c->output) > 0)
349: FD_SET(c->sock, writeset);
350: }
1.1 deraadt 351:
1.41 markus 352: void
353: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
354: {
355: /* test whether sockets are 'alive' for read/write */
356: if (c->istate == CHAN_INPUT_OPEN)
357: if (buffer_len(&c->input) < packet_get_maxsize())
358: FD_SET(c->sock, readset);
359: if (c->ostate == CHAN_OUTPUT_OPEN ||
360: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
361: if (buffer_len(&c->output) > 0) {
362: FD_SET(c->sock, writeset);
363: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
364: chan_obuf_empty(c);
365: }
366: }
367: }
368:
369: void
1.44 markus 370: channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
371: {
372: if (c->istate == CHAN_INPUT_OPEN &&
373: c->remote_window > 0 &&
374: buffer_len(&c->input) < c->remote_window)
375: FD_SET(c->rfd, readset);
376: if (c->ostate == CHAN_OUTPUT_OPEN ||
377: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
378: if (buffer_len(&c->output) > 0) {
379: FD_SET(c->wfd, writeset);
380: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
381: chan_obuf_empty(c);
382: }
383: }
384: /** XXX check close conditions, too */
385: if (c->efd != -1) {
386: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
387: buffer_len(&c->extended) > 0)
388: FD_SET(c->efd, writeset);
389: else if (c->extended_usage == CHAN_EXTENDED_READ &&
390: buffer_len(&c->extended) < c->remote_window)
391: FD_SET(c->efd, readset);
392: }
393: }
394:
395: void
1.41 markus 396: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
397: {
398: if (buffer_len(&c->input) == 0) {
399: packet_start(SSH_MSG_CHANNEL_CLOSE);
400: packet_put_int(c->remote_id);
401: packet_send();
402: c->type = SSH_CHANNEL_CLOSED;
403: debug("Closing channel %d after input drain.", c->self);
404: }
405: }
406:
407: void
408: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
409: {
410: if (buffer_len(&c->output) == 0)
411: channel_free(c->self);
1.49 markus 412: else
1.41 markus 413: FD_SET(c->sock, writeset);
414: }
415:
416: /*
417: * This is a special state for X11 authentication spoofing. An opened X11
418: * connection (when authentication spoofing is being done) remains in this
419: * state until the first packet has been completely read. The authentication
420: * data in that packet is then substituted by the real data if it matches the
421: * fake data, and the channel is put into normal mode.
1.51 markus 422: * XXX All this happens at the client side.
1.41 markus 423: */
424: int
425: x11_open_helper(Channel *c)
1.1 deraadt 426: {
1.25 markus 427: unsigned char *ucp;
428: unsigned int proto_len, data_len;
429:
1.41 markus 430: /* Check if the fixed size part of the packet is in buffer. */
431: if (buffer_len(&c->output) < 12)
432: return 0;
433:
434: /* Parse the lengths of variable-length fields. */
435: ucp = (unsigned char *) buffer_ptr(&c->output);
436: if (ucp[0] == 0x42) { /* Byte order MSB first. */
437: proto_len = 256 * ucp[6] + ucp[7];
438: data_len = 256 * ucp[8] + ucp[9];
439: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
440: proto_len = ucp[6] + 256 * ucp[7];
441: data_len = ucp[8] + 256 * ucp[9];
442: } else {
443: debug("Initial X11 packet contains bad byte order byte: 0x%x",
444: ucp[0]);
445: return -1;
446: }
447:
448: /* Check if the whole packet is in buffer. */
449: if (buffer_len(&c->output) <
450: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
451: return 0;
452:
453: /* Check if authentication protocol matches. */
454: if (proto_len != strlen(x11_saved_proto) ||
455: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
456: debug("X11 connection uses different authentication protocol.");
457: return -1;
458: }
459: /* Check if authentication data matches our fake data. */
460: if (data_len != x11_fake_data_len ||
461: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
462: x11_fake_data, x11_fake_data_len) != 0) {
463: debug("X11 auth data does not match fake data.");
464: return -1;
465: }
466: /* Check fake data length */
467: if (x11_fake_data_len != x11_saved_data_len) {
468: error("X11 fake_data_len %d != saved_data_len %d",
469: x11_fake_data_len, x11_saved_data_len);
470: return -1;
471: }
472: /*
473: * Received authentication protocol and data match
474: * our fake data. Substitute the fake data with real
475: * data.
476: */
477: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
478: x11_saved_data, x11_saved_data_len);
479: return 1;
480: }
481:
482: void
483: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
484: {
485: int ret = x11_open_helper(c);
486: if (ret == 1) {
487: /* Start normal processing for the channel. */
488: c->type = SSH_CHANNEL_OPEN;
1.47 markus 489: channel_pre_open_13(c, readset, writeset);
1.41 markus 490: } else if (ret == -1) {
491: /*
492: * We have received an X11 connection that has bad
493: * authentication information.
494: */
495: log("X11 connection rejected because of wrong authentication.\r\n");
496: buffer_clear(&c->input);
497: buffer_clear(&c->output);
498: close(c->sock);
499: c->sock = -1;
500: c->type = SSH_CHANNEL_CLOSED;
501: packet_start(SSH_MSG_CHANNEL_CLOSE);
502: packet_put_int(c->remote_id);
503: packet_send();
504: }
505: }
1.25 markus 506:
1.41 markus 507: void
1.51 markus 508: channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
1.41 markus 509: {
510: int ret = x11_open_helper(c);
511: if (ret == 1) {
512: c->type = SSH_CHANNEL_OPEN;
1.57 markus 513: if (compat20)
514: channel_pre_open_20(c, readset, writeset);
515: else
516: channel_pre_open_15(c, readset, writeset);
1.41 markus 517: } else if (ret == -1) {
518: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
1.51 markus 519: chan_read_failed(c); /** force close? */
1.41 markus 520: chan_write_failed(c);
521: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
522: }
523: }
1.25 markus 524:
1.41 markus 525: /* This is our fake X11 server socket. */
526: void
527: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
528: {
529: struct sockaddr addr;
530: int newsock, newch;
531: socklen_t addrlen;
532: char buf[16384], *remote_hostname;
1.51 markus 533: int remote_port;
1.25 markus 534:
1.41 markus 535: if (FD_ISSET(c->sock, readset)) {
536: debug("X11 connection requested.");
537: addrlen = sizeof(addr);
538: newsock = accept(c->sock, &addr, &addrlen);
539: if (newsock < 0) {
540: error("accept: %.100s", strerror(errno));
541: return;
542: }
543: remote_hostname = get_remote_hostname(newsock);
1.51 markus 544: remote_port = get_peer_port(newsock);
1.41 markus 545: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.51 markus 546: remote_hostname, remote_port);
547:
548: newch = channel_new("x11",
549: SSH_CHANNEL_OPENING, newsock, newsock, -1,
550: c->local_window_max, c->local_maxpacket,
551: 0, xstrdup(buf));
552: if (compat20) {
553: packet_start(SSH2_MSG_CHANNEL_OPEN);
554: packet_put_cstring("x11");
555: packet_put_int(newch);
556: packet_put_int(c->local_window_max);
557: packet_put_int(c->local_maxpacket);
558: /* originator host and port */
559: packet_put_cstring(remote_hostname);
1.57 markus 560: if (datafellows & SSH_BUG_X11FWD) {
561: debug("ssh2 x11 bug compat mode");
562: } else {
563: packet_put_int(remote_port);
564: }
1.51 markus 565: packet_send();
566: } else {
567: packet_start(SSH_SMSG_X11_OPEN);
568: packet_put_int(newch);
569: if (have_hostname_in_open)
570: packet_put_string(buf, strlen(buf));
571: packet_send();
572: }
1.41 markus 573: xfree(remote_hostname);
574: }
575: }
1.25 markus 576:
1.41 markus 577: /*
578: * This socket is listening for connections to a forwarded TCP/IP port.
579: */
580: void
581: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
582: {
583: struct sockaddr addr;
584: int newsock, newch;
585: socklen_t addrlen;
586: char buf[1024], *remote_hostname;
587: int remote_port;
1.25 markus 588:
1.41 markus 589: if (FD_ISSET(c->sock, readset)) {
590: debug("Connection to port %d forwarding "
591: "to %.100s port %d requested.",
592: c->listening_port, c->path, c->host_port);
593: addrlen = sizeof(addr);
594: newsock = accept(c->sock, &addr, &addrlen);
595: if (newsock < 0) {
596: error("accept: %.100s", strerror(errno));
597: return;
598: }
599: remote_hostname = get_remote_hostname(newsock);
600: remote_port = get_peer_port(newsock);
601: snprintf(buf, sizeof buf,
602: "listen port %d for %.100s port %d, "
603: "connect from %.200s port %d",
604: c->listening_port, c->path, c->host_port,
605: remote_hostname, remote_port);
606: newch = channel_new("direct-tcpip",
607: SSH_CHANNEL_OPENING, newsock, newsock, -1,
608: c->local_window_max, c->local_maxpacket,
609: 0, xstrdup(buf));
1.44 markus 610: if (compat20) {
611: packet_start(SSH2_MSG_CHANNEL_OPEN);
612: packet_put_cstring("direct-tcpip");
613: packet_put_int(newch);
614: packet_put_int(c->local_window_max);
615: packet_put_int(c->local_maxpacket);
1.48 markus 616: /* target host and port */
1.44 markus 617: packet_put_string(c->path, strlen(c->path));
618: packet_put_int(c->host_port);
1.48 markus 619: /* originator host and port */
1.44 markus 620: packet_put_cstring(remote_hostname);
621: packet_put_int(remote_port);
622: packet_send();
623: } else {
624: packet_start(SSH_MSG_PORT_OPEN);
625: packet_put_int(newch);
626: packet_put_string(c->path, strlen(c->path));
627: packet_put_int(c->host_port);
628: if (have_hostname_in_open) {
629: packet_put_string(buf, strlen(buf));
630: }
631: packet_send();
1.41 markus 632: }
633: xfree(remote_hostname);
634: }
635: }
1.25 markus 636:
1.41 markus 637: /*
638: * This is the authentication agent socket listening for connections from
639: * clients.
640: */
641: void
642: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
643: {
644: struct sockaddr addr;
645: int newsock, newch;
646: socklen_t addrlen;
1.25 markus 647:
1.41 markus 648: if (FD_ISSET(c->sock, readset)) {
649: addrlen = sizeof(addr);
650: newsock = accept(c->sock, &addr, &addrlen);
651: if (newsock < 0) {
652: error("accept from auth socket: %.100s", strerror(errno));
653: return;
654: }
655: newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
656: xstrdup("accepted auth socket"));
657: packet_start(SSH_SMSG_AGENT_OPEN);
658: packet_put_int(newch);
659: packet_send();
660: }
661: }
1.25 markus 662:
1.41 markus 663: int
664: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
665: {
666: char buf[16*1024];
667: int len;
1.25 markus 668:
1.41 markus 669: if (c->rfd != -1 &&
670: FD_ISSET(c->rfd, readset)) {
671: len = read(c->rfd, buf, sizeof(buf));
1.53 markus 672: if (len < 0 && (errno == EINTR || errno == EAGAIN))
673: return 1;
1.41 markus 674: if (len <= 0) {
1.51 markus 675: debug("channel %d: read<=0 rfd %d len %d",
1.41 markus 676: c->self, c->rfd, len);
1.25 markus 677: if (compat13) {
1.41 markus 678: buffer_consume(&c->output, buffer_len(&c->output));
679: c->type = SSH_CHANNEL_INPUT_DRAINING;
680: debug("Channel %d status set to input draining.", c->self);
1.25 markus 681: } else {
1.41 markus 682: chan_read_failed(c);
1.25 markus 683: }
1.41 markus 684: return -1;
685: }
1.65 markus 686: if(c->input_filter != NULL) {
1.66 markus 687: if (c->input_filter(c, buf, len) == -1) {
1.65 markus 688: debug("filter stops channel %d", c->self);
689: chan_read_failed(c);
690: }
691: } else {
692: buffer_append(&c->input, buf, len);
693: }
1.41 markus 694: }
695: return 1;
696: }
697: int
698: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
699: {
700: int len;
1.25 markus 701:
1.41 markus 702: /* Send buffered output data to the socket. */
703: if (c->wfd != -1 &&
704: FD_ISSET(c->wfd, writeset) &&
705: buffer_len(&c->output) > 0) {
706: len = write(c->wfd, buffer_ptr(&c->output),
1.53 markus 707: buffer_len(&c->output));
708: if (len < 0 && (errno == EINTR || errno == EAGAIN))
709: return 1;
1.41 markus 710: if (len <= 0) {
711: if (compat13) {
712: buffer_consume(&c->output, buffer_len(&c->output));
713: debug("Channel %d status set to input draining.", c->self);
714: c->type = SSH_CHANNEL_INPUT_DRAINING;
715: } else {
716: chan_write_failed(c);
717: }
718: return -1;
1.25 markus 719: }
1.41 markus 720: buffer_consume(&c->output, len);
1.44 markus 721: if (compat20 && len > 0) {
722: c->local_consumed += len;
723: }
724: }
725: return 1;
726: }
727: int
728: channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
729: {
730: char buf[16*1024];
731: int len;
732:
1.45 markus 733: /** XXX handle drain efd, too */
1.44 markus 734: if (c->efd != -1) {
735: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
736: FD_ISSET(c->efd, writeset) &&
737: buffer_len(&c->extended) > 0) {
738: len = write(c->efd, buffer_ptr(&c->extended),
739: buffer_len(&c->extended));
740: debug("channel %d: written %d to efd %d",
741: c->self, len, c->efd);
742: if (len > 0) {
743: buffer_consume(&c->extended, len);
744: c->local_consumed += len;
745: }
746: } else if (c->extended_usage == CHAN_EXTENDED_READ &&
747: FD_ISSET(c->efd, readset)) {
748: len = read(c->efd, buf, sizeof(buf));
749: debug("channel %d: read %d from efd %d",
750: c->self, len, c->efd);
1.45 markus 751: if (len == 0) {
752: debug("channel %d: closing efd %d",
753: c->self, c->efd);
754: close(c->efd);
755: c->efd = -1;
756: } else if (len > 0)
1.44 markus 757: buffer_append(&c->extended, buf, len);
758: }
759: }
760: return 1;
761: }
762: int
763: channel_check_window(Channel *c, fd_set * readset, fd_set * writeset)
764: {
1.46 markus 765: if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.44 markus 766: c->local_window < c->local_window_max/2 &&
767: c->local_consumed > 0) {
768: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
769: packet_put_int(c->remote_id);
770: packet_put_int(c->local_consumed);
771: packet_send();
772: debug("channel %d: window %d sent adjust %d",
773: c->self, c->local_window,
774: c->local_consumed);
775: c->local_window += c->local_consumed;
776: c->local_consumed = 0;
1.1 deraadt 777: }
1.41 markus 778: return 1;
1.1 deraadt 779: }
780:
1.41 markus 781: void
782: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
783: {
784: channel_handle_rfd(c, readset, writeset);
785: channel_handle_wfd(c, readset, writeset);
786: }
1.1 deraadt 787:
1.41 markus 788: void
1.44 markus 789: channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
790: {
791: channel_handle_rfd(c, readset, writeset);
792: channel_handle_wfd(c, readset, writeset);
793: channel_handle_efd(c, readset, writeset);
794: channel_check_window(c, readset, writeset);
795: }
796:
797: void
1.41 markus 798: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 799: {
1.41 markus 800: int len;
801: /* Send buffered output data to the socket. */
802: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
803: len = write(c->sock, buffer_ptr(&c->output),
804: buffer_len(&c->output));
805: if (len <= 0)
806: buffer_consume(&c->output, buffer_len(&c->output));
807: else
808: buffer_consume(&c->output, len);
809: }
810: }
1.25 markus 811:
1.41 markus 812: void
1.44 markus 813: channel_handler_init_20(void)
814: {
815: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
1.51 markus 816: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.44 markus 817: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1.51 markus 818: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1.44 markus 819:
820: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
821: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1.51 markus 822: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1.44 markus 823: }
824:
825: void
1.41 markus 826: channel_handler_init_13(void)
827: {
828: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
829: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
830: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
831: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
832: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
833: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
834: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.25 markus 835:
1.41 markus 836: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
837: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
838: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
839: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
840: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
841: }
1.25 markus 842:
1.41 markus 843: void
844: channel_handler_init_15(void)
845: {
846: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
1.51 markus 847: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.41 markus 848: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
849: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
850: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.25 markus 851:
1.41 markus 852: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
853: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
854: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
855: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
856: }
1.27 markus 857:
1.41 markus 858: void
859: channel_handler_init(void)
860: {
861: int i;
862: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
863: channel_pre[i] = NULL;
864: channel_post[i] = NULL;
865: }
1.44 markus 866: if (compat20)
867: channel_handler_init_20();
868: else if (compat13)
1.41 markus 869: channel_handler_init_13();
870: else
871: channel_handler_init_15();
872: }
1.25 markus 873:
1.49 markus 874: void
1.41 markus 875: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
876: {
877: static int did_init = 0;
878: int i;
879: Channel *c;
1.25 markus 880:
1.41 markus 881: if (!did_init) {
882: channel_handler_init();
883: did_init = 1;
884: }
885: for (i = 0; i < channels_alloc; i++) {
886: c = &channels[i];
887: if (c->type == SSH_CHANNEL_FREE)
888: continue;
889: if (ftab[c->type] == NULL)
1.25 markus 890: continue;
1.41 markus 891: (*ftab[c->type])(c, readset, writeset);
1.44 markus 892: chan_delete_if_full_closed(c);
1.1 deraadt 893: }
894: }
895:
1.49 markus 896: void
1.41 markus 897: channel_prepare_select(fd_set * readset, fd_set * writeset)
898: {
899: channel_handler(channel_pre, readset, writeset);
900: }
901:
1.49 markus 902: void
1.41 markus 903: channel_after_select(fd_set * readset, fd_set * writeset)
904: {
905: channel_handler(channel_post, readset, writeset);
906: }
907:
1.1 deraadt 908: /* If there is data to send to the connection, send some of it now. */
909:
1.49 markus 910: void
1.25 markus 911: channel_output_poll()
1.1 deraadt 912: {
1.25 markus 913: int len, i;
1.41 markus 914: Channel *c;
1.1 deraadt 915:
1.25 markus 916: for (i = 0; i < channels_alloc; i++) {
1.41 markus 917: c = &channels[i];
1.37 markus 918:
1.27 markus 919: /* We are only interested in channels that can have buffered incoming data. */
1.37 markus 920: if (compat13) {
1.41 markus 921: if (c->type != SSH_CHANNEL_OPEN &&
922: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 923: continue;
924: } else {
1.41 markus 925: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 926: continue;
1.41 markus 927: if (c->istate != CHAN_INPUT_OPEN &&
928: c->istate != CHAN_INPUT_WAIT_DRAIN)
1.37 markus 929: continue;
930: }
1.46 markus 931: if (compat20 &&
932: (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.44 markus 933: debug("channel: %d: no data after CLOSE", c->self);
934: continue;
935: }
1.25 markus 936:
937: /* Get the amount of buffered data for this channel. */
1.41 markus 938: len = buffer_len(&c->input);
1.25 markus 939: if (len > 0) {
1.27 markus 940: /* Send some data for the other side over the secure connection. */
1.44 markus 941: if (compat20) {
942: if (len > c->remote_window)
943: len = c->remote_window;
944: if (len > c->remote_maxpacket)
945: len = c->remote_maxpacket;
1.25 markus 946: } else {
1.44 markus 947: if (packet_is_interactive()) {
948: if (len > 1024)
949: len = 512;
950: } else {
951: /* Keep the packets at reasonable size. */
952: if (len > packet_get_maxsize()/2)
953: len = packet_get_maxsize()/2;
954: }
1.25 markus 955: }
1.41 markus 956: if (len > 0) {
1.44 markus 957: packet_start(compat20 ?
958: SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
1.41 markus 959: packet_put_int(c->remote_id);
960: packet_put_string(buffer_ptr(&c->input), len);
961: packet_send();
962: buffer_consume(&c->input, len);
963: c->remote_window -= len;
964: }
965: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 966: if (compat13)
967: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 968: /*
969: * input-buffer is empty and read-socket shutdown:
970: * tell peer, that we will not send more data: send IEOF
971: */
1.41 markus 972: chan_ibuf_empty(c);
1.25 markus 973: }
1.44 markus 974: /* Send extended data, i.e. stderr */
975: if (compat20 &&
976: c->remote_window > 0 &&
977: (len = buffer_len(&c->extended)) > 0 &&
978: c->extended_usage == CHAN_EXTENDED_READ) {
979: if (len > c->remote_window)
980: len = c->remote_window;
981: if (len > c->remote_maxpacket)
982: len = c->remote_maxpacket;
983: packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
984: packet_put_int(c->remote_id);
985: packet_put_int(SSH2_EXTENDED_DATA_STDERR);
986: packet_put_string(buffer_ptr(&c->extended), len);
987: packet_send();
988: buffer_consume(&c->extended, len);
989: c->remote_window -= len;
990: }
1.25 markus 991: }
1.1 deraadt 992: }
993:
1.27 markus 994: /*
995: * This is called when a packet of type CHANNEL_DATA has just been received.
996: * The message type has already been consumed, but channel number and data is
997: * still there.
998: */
1.1 deraadt 999:
1.49 markus 1000: void
1.41 markus 1001: channel_input_data(int type, int plen)
1.1 deraadt 1002: {
1.37 markus 1003: int id;
1.25 markus 1004: char *data;
1005: unsigned int data_len;
1.41 markus 1006: Channel *c;
1.25 markus 1007:
1008: /* Get the channel number and verify it. */
1.37 markus 1009: id = packet_get_int();
1.41 markus 1010: c = channel_lookup(id);
1011: if (c == NULL)
1.37 markus 1012: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 1013:
1014: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 1015: if (c->type != SSH_CHANNEL_OPEN &&
1016: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 1017: return;
1018:
1019: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 1020: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 1021: return;
1022:
1023: /* Get the data. */
1024: data = packet_get_string(&data_len);
1.48 markus 1025: packet_done();
1.41 markus 1026:
1.44 markus 1027: if (compat20){
1028: if (data_len > c->local_maxpacket) {
1029: log("channel %d: rcvd big packet %d, maxpack %d",
1030: c->self, data_len, c->local_maxpacket);
1031: }
1032: if (data_len > c->local_window) {
1033: log("channel %d: rcvd too much data %d, win %d",
1034: c->self, data_len, c->local_window);
1035: xfree(data);
1036: return;
1037: }
1038: c->local_window -= data_len;
1039: }else{
1040: packet_integrity_check(plen, 4 + 4 + data_len, type);
1041: }
1.41 markus 1042: buffer_append(&c->output, data, data_len);
1.25 markus 1043: xfree(data);
1.1 deraadt 1044: }
1.49 markus 1045: void
1.44 markus 1046: channel_input_extended_data(int type, int plen)
1047: {
1048: int id;
1049: int tcode;
1050: char *data;
1051: unsigned int data_len;
1052: Channel *c;
1053:
1054: /* Get the channel number and verify it. */
1055: id = packet_get_int();
1056: c = channel_lookup(id);
1057:
1058: if (c == NULL)
1059: packet_disconnect("Received extended_data for bad channel %d.", id);
1060: if (c->type != SSH_CHANNEL_OPEN) {
1061: log("channel %d: ext data for non open", id);
1062: return;
1063: }
1064: tcode = packet_get_int();
1065: if (c->efd == -1 ||
1066: c->extended_usage != CHAN_EXTENDED_WRITE ||
1067: tcode != SSH2_EXTENDED_DATA_STDERR) {
1068: log("channel %d: bad ext data", c->self);
1069: return;
1070: }
1071: data = packet_get_string(&data_len);
1.48 markus 1072: packet_done();
1.44 markus 1073: if (data_len > c->local_window) {
1074: log("channel %d: rcvd too much extended_data %d, win %d",
1075: c->self, data_len, c->local_window);
1076: xfree(data);
1077: return;
1078: }
1079: debug("channel %d: rcvd ext data %d", c->self, data_len);
1080: c->local_window -= data_len;
1081: buffer_append(&c->extended, data, data_len);
1082: xfree(data);
1083: }
1084:
1.1 deraadt 1085:
1.27 markus 1086: /*
1087: * Returns true if no channel has too much buffered data, and false if one or
1088: * more channel is overfull.
1089: */
1.1 deraadt 1090:
1.49 markus 1091: int
1.25 markus 1092: channel_not_very_much_buffered_data()
1.1 deraadt 1093: {
1.25 markus 1094: unsigned int i;
1.41 markus 1095: Channel *c;
1.25 markus 1096:
1097: for (i = 0; i < channels_alloc; i++) {
1.41 markus 1098: c = &channels[i];
1099: if (c->type == SSH_CHANNEL_OPEN) {
1.44 markus 1100: if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
1.41 markus 1101: debug("channel %d: big input buffer %d",
1102: c->self, buffer_len(&c->input));
1.25 markus 1103: return 0;
1.41 markus 1104: }
1105: if (buffer_len(&c->output) > packet_get_maxsize()) {
1106: debug("channel %d: big output buffer %d",
1107: c->self, buffer_len(&c->output));
1.25 markus 1108: return 0;
1.41 markus 1109: }
1.25 markus 1110: }
1.1 deraadt 1111: }
1.25 markus 1112: return 1;
1.1 deraadt 1113: }
1114:
1.49 markus 1115: void
1.41 markus 1116: channel_input_ieof(int type, int plen)
1117: {
1118: int id;
1119: Channel *c;
1120:
1121: packet_integrity_check(plen, 4, type);
1122:
1123: id = packet_get_int();
1124: c = channel_lookup(id);
1125: if (c == NULL)
1126: packet_disconnect("Received ieof for nonexistent channel %d.", id);
1127: chan_rcvd_ieof(c);
1128: }
1.1 deraadt 1129:
1.49 markus 1130: void
1.41 markus 1131: channel_input_close(int type, int plen)
1.1 deraadt 1132: {
1.41 markus 1133: int id;
1134: Channel *c;
1.1 deraadt 1135:
1.41 markus 1136: packet_integrity_check(plen, 4, type);
1137:
1138: id = packet_get_int();
1139: c = channel_lookup(id);
1140: if (c == NULL)
1141: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 1142:
1143: /*
1144: * Send a confirmation that we have closed the channel and no more
1145: * data is coming for it.
1146: */
1.25 markus 1147: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 1148: packet_put_int(c->remote_id);
1.25 markus 1149: packet_send();
1150:
1.27 markus 1151: /*
1152: * If the channel is in closed state, we have sent a close request,
1153: * and the other side will eventually respond with a confirmation.
1154: * Thus, we cannot free the channel here, because then there would be
1155: * no-one to receive the confirmation. The channel gets freed when
1156: * the confirmation arrives.
1157: */
1.41 markus 1158: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 1159: /*
1160: * Not a closed channel - mark it as draining, which will
1161: * cause it to be freed later.
1162: */
1.41 markus 1163: buffer_consume(&c->input, buffer_len(&c->input));
1164: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 1165: }
1.1 deraadt 1166: }
1167:
1.41 markus 1168: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
1.49 markus 1169: void
1.41 markus 1170: channel_input_oclose(int type, int plen)
1171: {
1172: int id = packet_get_int();
1173: Channel *c = channel_lookup(id);
1174: packet_integrity_check(plen, 4, type);
1175: if (c == NULL)
1176: packet_disconnect("Received oclose for nonexistent channel %d.", id);
1177: chan_rcvd_oclose(c);
1178: }
1.1 deraadt 1179:
1.49 markus 1180: void
1.41 markus 1181: channel_input_close_confirmation(int type, int plen)
1.1 deraadt 1182: {
1.41 markus 1183: int id = packet_get_int();
1184: Channel *c = channel_lookup(id);
1.1 deraadt 1185:
1.48 markus 1186: packet_done();
1.41 markus 1187: if (c == NULL)
1188: packet_disconnect("Received close confirmation for "
1189: "out-of-range channel %d.", id);
1190: if (c->type != SSH_CHANNEL_CLOSED)
1191: packet_disconnect("Received close confirmation for "
1192: "non-closed channel %d (type %d).", id, c->type);
1193: channel_free(c->self);
1.1 deraadt 1194: }
1195:
1.49 markus 1196: void
1.41 markus 1197: channel_input_open_confirmation(int type, int plen)
1.1 deraadt 1198: {
1.41 markus 1199: int id, remote_id;
1200: Channel *c;
1.1 deraadt 1201:
1.44 markus 1202: if (!compat20)
1203: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 1204:
1.41 markus 1205: id = packet_get_int();
1206: c = channel_lookup(id);
1.25 markus 1207:
1.41 markus 1208: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1209: packet_disconnect("Received open confirmation for "
1210: "non-opening channel %d.", id);
1211: remote_id = packet_get_int();
1.27 markus 1212: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 1213: c->remote_id = remote_id;
1214: c->type = SSH_CHANNEL_OPEN;
1.44 markus 1215:
1216: if (compat20) {
1217: c->remote_window = packet_get_int();
1218: c->remote_maxpacket = packet_get_int();
1.48 markus 1219: packet_done();
1.44 markus 1220: if (c->cb_fn != NULL && c->cb_event == type) {
1221: debug("callback start");
1222: c->cb_fn(c->self, c->cb_arg);
1223: debug("callback done");
1224: }
1225: debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1226: c->remote_window, c->remote_maxpacket);
1227: }
1.1 deraadt 1228: }
1229:
1.49 markus 1230: void
1.41 markus 1231: channel_input_open_failure(int type, int plen)
1.1 deraadt 1232: {
1.41 markus 1233: int id;
1234: Channel *c;
1235:
1.44 markus 1236: if (!compat20)
1237: packet_integrity_check(plen, 4, type);
1.41 markus 1238:
1239: id = packet_get_int();
1240: c = channel_lookup(id);
1.25 markus 1241:
1.41 markus 1242: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1243: packet_disconnect("Received open failure for "
1244: "non-opening channel %d.", id);
1.44 markus 1245: if (compat20) {
1246: int reason = packet_get_int();
1247: char *msg = packet_get_string(NULL);
1.48 markus 1248: char *lang = packet_get_string(NULL);
1.44 markus 1249: log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
1.48 markus 1250: packet_done();
1.44 markus 1251: xfree(msg);
1.48 markus 1252: xfree(lang);
1.44 markus 1253: }
1.25 markus 1254: /* Free the channel. This will also close the socket. */
1.41 markus 1255: channel_free(id);
1.1 deraadt 1256: }
1257:
1.44 markus 1258: void
1259: channel_input_channel_request(int type, int plen)
1260: {
1261: int id;
1262: Channel *c;
1263:
1264: id = packet_get_int();
1265: c = channel_lookup(id);
1266:
1267: if (c == NULL ||
1268: (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1269: packet_disconnect("Received request for "
1270: "non-open channel %d.", id);
1271: if (c->cb_fn != NULL && c->cb_event == type) {
1272: debug("callback start");
1273: c->cb_fn(c->self, c->cb_arg);
1274: debug("callback done");
1275: } else {
1276: char *service = packet_get_string(NULL);
1277: debug("channel: %d rcvd request for %s", c->self, service);
1278: debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1279: xfree(service);
1280: }
1281: }
1282:
1.49 markus 1283: void
1.44 markus 1284: channel_input_window_adjust(int type, int plen)
1285: {
1286: Channel *c;
1287: int id, adjust;
1288:
1289: if (!compat20)
1290: return;
1291:
1292: /* Get the channel number and verify it. */
1293: id = packet_get_int();
1294: c = channel_lookup(id);
1295:
1296: if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1297: log("Received window adjust for "
1298: "non-open channel %d.", id);
1299: return;
1300: }
1301: adjust = packet_get_int();
1.48 markus 1302: packet_done();
1.44 markus 1303: debug("channel %d: rcvd adjust %d", id, adjust);
1304: c->remote_window += adjust;
1305: }
1306:
1.27 markus 1307: /*
1308: * Stops listening for channels, and removes any unix domain sockets that we
1309: * might have.
1310: */
1.1 deraadt 1311:
1.49 markus 1312: void
1.25 markus 1313: channel_stop_listening()
1.1 deraadt 1314: {
1.25 markus 1315: int i;
1316: for (i = 0; i < channels_alloc; i++) {
1317: switch (channels[i].type) {
1318: case SSH_CHANNEL_AUTH_SOCKET:
1319: close(channels[i].sock);
1320: remove(channels[i].path);
1321: channel_free(i);
1322: break;
1323: case SSH_CHANNEL_PORT_LISTENER:
1324: case SSH_CHANNEL_X11_LISTENER:
1325: close(channels[i].sock);
1326: channel_free(i);
1327: break;
1328: default:
1329: break;
1330: }
1.1 deraadt 1331: }
1332: }
1333:
1.27 markus 1334: /*
1.52 markus 1335: * Closes the sockets/fds of all channels. This is used to close extra file
1.27 markus 1336: * descriptors after a fork.
1337: */
1.1 deraadt 1338:
1.49 markus 1339: void
1.25 markus 1340: channel_close_all()
1.1 deraadt 1341: {
1.25 markus 1342: int i;
1.52 markus 1343: for (i = 0; i < channels_alloc; i++)
1.25 markus 1344: if (channels[i].type != SSH_CHANNEL_FREE)
1.52 markus 1345: channel_close_fds(&channels[i]);
1.1 deraadt 1346: }
1347:
1348: /* Returns the maximum file descriptor number used by the channels. */
1349:
1.49 markus 1350: int
1.25 markus 1351: channel_max_fd()
1.1 deraadt 1352: {
1.25 markus 1353: return channel_max_fd_value;
1.1 deraadt 1354: }
1355:
1356: /* Returns true if any channel is still open. */
1357:
1.49 markus 1358: int
1.25 markus 1359: channel_still_open()
1.1 deraadt 1360: {
1.25 markus 1361: unsigned int i;
1362: for (i = 0; i < channels_alloc; i++)
1363: switch (channels[i].type) {
1364: case SSH_CHANNEL_FREE:
1365: case SSH_CHANNEL_X11_LISTENER:
1366: case SSH_CHANNEL_PORT_LISTENER:
1367: case SSH_CHANNEL_CLOSED:
1368: case SSH_CHANNEL_AUTH_SOCKET:
1369: continue;
1.44 markus 1370: case SSH_CHANNEL_LARVAL:
1371: if (!compat20)
1372: fatal("cannot happen: SSH_CHANNEL_LARVAL");
1373: continue;
1.25 markus 1374: case SSH_CHANNEL_OPENING:
1375: case SSH_CHANNEL_OPEN:
1376: case SSH_CHANNEL_X11_OPEN:
1377: return 1;
1378: case SSH_CHANNEL_INPUT_DRAINING:
1379: case SSH_CHANNEL_OUTPUT_DRAINING:
1380: if (!compat13)
1381: fatal("cannot happen: OUT_DRAIN");
1382: return 1;
1383: default:
1384: fatal("channel_still_open: bad channel type %d", channels[i].type);
1385: /* NOTREACHED */
1386: }
1387: return 0;
1.1 deraadt 1388: }
1389:
1.27 markus 1390: /*
1391: * Returns a message describing the currently open forwarded connections,
1392: * suitable for sending to the client. The message contains crlf pairs for
1393: * newlines.
1394: */
1.1 deraadt 1395:
1.25 markus 1396: char *
1397: channel_open_message()
1.1 deraadt 1398: {
1.25 markus 1399: Buffer buffer;
1400: int i;
1401: char buf[512], *cp;
1402:
1403: buffer_init(&buffer);
1404: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 1405: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 1406: for (i = 0; i < channels_alloc; i++) {
1407: Channel *c = &channels[i];
1408: switch (c->type) {
1409: case SSH_CHANNEL_FREE:
1410: case SSH_CHANNEL_X11_LISTENER:
1411: case SSH_CHANNEL_PORT_LISTENER:
1412: case SSH_CHANNEL_CLOSED:
1413: case SSH_CHANNEL_AUTH_SOCKET:
1414: continue;
1.44 markus 1415: case SSH_CHANNEL_LARVAL:
1.25 markus 1416: case SSH_CHANNEL_OPENING:
1417: case SSH_CHANNEL_OPEN:
1418: case SSH_CHANNEL_X11_OPEN:
1419: case SSH_CHANNEL_INPUT_DRAINING:
1420: case SSH_CHANNEL_OUTPUT_DRAINING:
1.41 markus 1421: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
1.37 markus 1422: c->self, c->remote_name,
1423: c->type, c->remote_id,
1424: c->istate, buffer_len(&c->input),
1.41 markus 1425: c->ostate, buffer_len(&c->output),
1426: c->rfd, c->wfd);
1.25 markus 1427: buffer_append(&buffer, buf, strlen(buf));
1428: continue;
1429: default:
1.41 markus 1430: fatal("channel_open_message: bad channel type %d", c->type);
1.25 markus 1431: /* NOTREACHED */
1432: }
1433: }
1434: buffer_append(&buffer, "\0", 1);
1435: cp = xstrdup(buffer_ptr(&buffer));
1436: buffer_free(&buffer);
1437: return cp;
1.1 deraadt 1438: }
1439:
1.27 markus 1440: /*
1441: * Initiate forwarding of connections to local port "port" through the secure
1442: * channel to host:port from remote side.
1443: */
1.1 deraadt 1444:
1.49 markus 1445: void
1.31 markus 1446: channel_request_local_forwarding(u_short port, const char *host,
1.33 markus 1447: u_short host_port, int gateway_ports)
1.25 markus 1448: {
1.35 markus 1449: int success, ch, sock, on = 1;
1450: struct addrinfo hints, *ai, *aitop;
1451: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.28 markus 1452: struct linger linger;
1.25 markus 1453:
1454: if (strlen(host) > sizeof(channels[0].path) - 1)
1455: packet_disconnect("Forward host name too long.");
1456:
1.28 markus 1457: /*
1.35 markus 1458: * getaddrinfo returns a loopback address if the hostname is
1459: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 1460: */
1.35 markus 1461: memset(&hints, 0, sizeof(hints));
1462: hints.ai_family = IPv4or6;
1463: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1464: hints.ai_socktype = SOCK_STREAM;
1465: snprintf(strport, sizeof strport, "%d", port);
1466: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1467: packet_disconnect("getaddrinfo: fatal error");
1468:
1469: success = 0;
1470: for (ai = aitop; ai; ai = ai->ai_next) {
1471: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1472: continue;
1473: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1474: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1475: error("channel_request_local_forwarding: getnameinfo failed");
1476: continue;
1477: }
1478: /* Create a port to listen for the host. */
1479: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1480: if (sock < 0) {
1481: /* this is no error since kernel may not support ipv6 */
1482: verbose("socket: %.100s", strerror(errno));
1483: continue;
1484: }
1485: /*
1486: * Set socket options. We would like the socket to disappear
1487: * as soon as it has been closed for whatever reason.
1488: */
1489: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1490: linger.l_onoff = 1;
1491: linger.l_linger = 5;
1492: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1493: debug("Local forwarding listening on %s port %s.", ntop, strport);
1494:
1495: /* Bind the socket to the address. */
1496: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1497: /* address can be in use ipv6 address is already bound */
1498: verbose("bind: %.100s", strerror(errno));
1499: close(sock);
1500: continue;
1501: }
1502: /* Start listening for connections on the socket. */
1503: if (listen(sock, 5) < 0) {
1504: error("listen: %.100s", strerror(errno));
1505: close(sock);
1506: continue;
1507: }
1508: /* Allocate a channel number for the socket. */
1.41 markus 1509: ch = channel_new(
1510: "port listener", SSH_CHANNEL_PORT_LISTENER,
1511: sock, sock, -1,
1.51 markus 1512: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.41 markus 1513: 0, xstrdup("port listener"));
1.35 markus 1514: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1515: channels[ch].host_port = host_port;
1516: channels[ch].listening_port = port;
1517: success = 1;
1518: }
1519: if (success == 0)
1520: packet_disconnect("cannot listen port: %d", port);
1521: freeaddrinfo(aitop);
1.25 markus 1522: }
1.1 deraadt 1523:
1.27 markus 1524: /*
1525: * Initiate forwarding of connections to port "port" on remote host through
1526: * the secure channel to host:port from local side.
1527: */
1.1 deraadt 1528:
1.49 markus 1529: void
1.41 markus 1530: channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
1531: u_short port_to_connect)
1.25 markus 1532: {
1533: int payload_len;
1534: /* Record locally that connection to this host/port is permitted. */
1535: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1536: fatal("channel_request_remote_forwarding: too many forwards");
1537:
1.41 markus 1538: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1539: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1540: permitted_opens[num_permitted_opens].listen_port = listen_port;
1.25 markus 1541: num_permitted_opens++;
1542:
1543: /* Send the forward request to the remote side. */
1.44 markus 1544: if (compat20) {
1545: const char *address_to_bind = "0.0.0.0";
1546: packet_start(SSH2_MSG_GLOBAL_REQUEST);
1547: packet_put_cstring("tcpip-forward");
1548: packet_put_char(0); /* boolean: want reply */
1549: packet_put_cstring(address_to_bind);
1550: packet_put_int(listen_port);
1551: } else {
1552: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.50 markus 1553: packet_put_int(listen_port);
1554: packet_put_cstring(host_to_connect);
1.44 markus 1555: packet_put_int(port_to_connect);
1556: packet_send();
1557: packet_write_wait();
1558: /*
1559: * Wait for response from the remote side. It will send a disconnect
1560: * message on failure, and we will never see it here.
1561: */
1562: packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1563: }
1.1 deraadt 1564: }
1565:
1.27 markus 1566: /*
1567: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1568: * listening for the port, and sends back a success reply (or disconnect
1569: * message if there was an error). This never returns if there was an error.
1570: */
1.1 deraadt 1571:
1.49 markus 1572: void
1.56 markus 1573: channel_input_port_forward_request(int is_root, int gateway_ports)
1.1 deraadt 1574: {
1.31 markus 1575: u_short port, host_port;
1.25 markus 1576: char *hostname;
1.1 deraadt 1577:
1.25 markus 1578: /* Get arguments from the packet. */
1579: port = packet_get_int();
1580: hostname = packet_get_string(NULL);
1581: host_port = packet_get_int();
1582:
1.27 markus 1583: /*
1584: * Check that an unprivileged user is not trying to forward a
1585: * privileged port.
1586: */
1.25 markus 1587: if (port < IPPORT_RESERVED && !is_root)
1588: packet_disconnect("Requested forwarding of port %d but user is not root.",
1589: port);
1.33 markus 1590: /*
1591: * Initiate forwarding,
1592: */
1.56 markus 1593: channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
1.25 markus 1594:
1595: /* Free the argument string. */
1596: xfree(hostname);
1.1 deraadt 1597: }
1598:
1.41 markus 1599: /* XXX move to aux.c */
1600: int
1601: channel_connect_to(const char *host, u_short host_port)
1602: {
1603: struct addrinfo hints, *ai, *aitop;
1604: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1605: int gaierr;
1606: int sock = -1;
1607:
1608: memset(&hints, 0, sizeof(hints));
1609: hints.ai_family = IPv4or6;
1610: hints.ai_socktype = SOCK_STREAM;
1611: snprintf(strport, sizeof strport, "%d", host_port);
1612: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1613: error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
1614: return -1;
1615: }
1616: for (ai = aitop; ai; ai = ai->ai_next) {
1617: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1618: continue;
1619: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1620: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1621: error("channel_connect_to: getnameinfo failed");
1622: continue;
1623: }
1624: /* Create the socket. */
1625: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1626: if (sock < 0) {
1627: error("socket: %.100s", strerror(errno));
1628: continue;
1629: }
1630: /* Connect to the host/port. */
1631: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1632: error("connect %.100s port %s: %.100s", ntop, strport,
1633: strerror(errno));
1634: close(sock);
1635: continue; /* fail -- try next */
1636: }
1637: break; /* success */
1638:
1639: }
1640: freeaddrinfo(aitop);
1641: if (!ai) {
1642: error("connect %.100s port %d: failed.", host, host_port);
1643: return -1;
1644: }
1645: /* success */
1646: return sock;
1647: }
1.27 markus 1648: /*
1649: * This is called after receiving PORT_OPEN message. This attempts to
1650: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1651: * or CHANNEL_OPEN_FAILURE.
1652: */
1.1 deraadt 1653:
1.49 markus 1654: void
1.41 markus 1655: channel_input_port_open(int type, int plen)
1.1 deraadt 1656: {
1.31 markus 1657: u_short host_port;
1.25 markus 1658: char *host, *originator_string;
1.41 markus 1659: int remote_channel, sock = -1, newch, i, denied;
1.39 markus 1660: unsigned int host_len, originator_len;
1.25 markus 1661:
1662: /* Get remote channel number. */
1663: remote_channel = packet_get_int();
1664:
1665: /* Get host name to connect to. */
1666: host = packet_get_string(&host_len);
1667:
1668: /* Get port to connect to. */
1669: host_port = packet_get_int();
1670:
1671: /* Get remote originator name. */
1.29 markus 1672: if (have_hostname_in_open) {
1.25 markus 1673: originator_string = packet_get_string(&originator_len);
1.29 markus 1674: originator_len += 4; /* size of packet_int */
1675: } else {
1.25 markus 1676: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1677: originator_len = 0; /* no originator supplied */
1678: }
1.25 markus 1679:
1.41 markus 1680: packet_integrity_check(plen,
1681: 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
1.25 markus 1682:
1683: /* Check if opening that port is permitted. */
1.41 markus 1684: denied = 0;
1.25 markus 1685: if (!all_opens_permitted) {
1686: /* Go trough all permitted ports. */
1687: for (i = 0; i < num_permitted_opens; i++)
1.41 markus 1688: if (permitted_opens[i].port_to_connect == host_port &&
1689: strcmp(permitted_opens[i].host_to_connect, host) == 0)
1.25 markus 1690: break;
1691:
1692: /* Check if we found the requested port among those permitted. */
1693: if (i >= num_permitted_opens) {
1694: /* The port is not permitted. */
1695: log("Received request to connect to %.100s:%d, but the request was denied.",
1696: host, host_port);
1.41 markus 1697: denied = 1;
1.25 markus 1698: }
1699: }
1.41 markus 1700: sock = denied ? -1 : channel_connect_to(host, host_port);
1701: if (sock > 0) {
1702: /* Allocate a channel for this connection. */
1703: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1704: channels[newch].remote_id = remote_channel;
1705:
1706: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1707: packet_put_int(remote_channel);
1708: packet_put_int(newch);
1709: packet_send();
1710: } else {
1711: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1712: packet_put_int(remote_channel);
1713: packet_send();
1.25 markus 1714: }
1715: xfree(host);
1.1 deraadt 1716: }
1717:
1.27 markus 1718: /*
1719: * Creates an internet domain socket for listening for X11 connections.
1720: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1721: * occurs.
1722: */
1.1 deraadt 1723:
1.35 markus 1724: #define NUM_SOCKS 10
1725:
1.25 markus 1726: char *
1.33 markus 1727: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1728: {
1.31 markus 1729: int display_number, sock;
1730: u_short port;
1.35 markus 1731: struct addrinfo hints, *ai, *aitop;
1732: char strport[NI_MAXSERV];
1733: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1734: char display[512];
1.25 markus 1735: char hostname[MAXHOSTNAMELEN];
1736:
1.33 markus 1737: for (display_number = x11_display_offset;
1.25 markus 1738: display_number < MAX_DISPLAYS;
1739: display_number++) {
1740: port = 6000 + display_number;
1.35 markus 1741: memset(&hints, 0, sizeof(hints));
1742: hints.ai_family = IPv4or6;
1.36 markus 1743: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1744: hints.ai_socktype = SOCK_STREAM;
1745: snprintf(strport, sizeof strport, "%d", port);
1746: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1747: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1748: return NULL;
1749: }
1.35 markus 1750: for (ai = aitop; ai; ai = ai->ai_next) {
1751: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1752: continue;
1753: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1754: if (sock < 0) {
1755: error("socket: %.100s", strerror(errno));
1756: return NULL;
1757: }
1758: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1759: debug("bind port %d: %.100s", port, strerror(errno));
1760: shutdown(sock, SHUT_RDWR);
1761: close(sock);
1762: for (n = 0; n < num_socks; n++) {
1763: shutdown(socks[n], SHUT_RDWR);
1764: close(socks[n]);
1765: }
1766: num_socks = 0;
1767: break;
1768: }
1769: socks[num_socks++] = sock;
1770: if (num_socks == NUM_SOCKS)
1771: break;
1.25 markus 1772: }
1.35 markus 1773: if (num_socks > 0)
1774: break;
1.25 markus 1775: }
1776: if (display_number >= MAX_DISPLAYS) {
1777: error("Failed to allocate internet-domain X11 display socket.");
1778: return NULL;
1779: }
1780: /* Start listening for connections on the socket. */
1.35 markus 1781: for (n = 0; n < num_socks; n++) {
1782: sock = socks[n];
1783: if (listen(sock, 5) < 0) {
1784: error("listen: %.100s", strerror(errno));
1785: shutdown(sock, SHUT_RDWR);
1786: close(sock);
1787: return NULL;
1788: }
1.25 markus 1789: }
1.35 markus 1790:
1.25 markus 1791: /* Set up a suitable value for the DISPLAY variable. */
1792: if (gethostname(hostname, sizeof(hostname)) < 0)
1793: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 1794: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 1795: display_number, screen_number);
1796:
1.35 markus 1797: /* Allocate a channel for each socket. */
1798: for (n = 0; n < num_socks; n++) {
1799: sock = socks[n];
1.51 markus 1800: (void) channel_new("x11 listener",
1801: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
1802: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1803: 0, xstrdup("X11 inet listener"));
1.35 markus 1804: }
1.1 deraadt 1805:
1.25 markus 1806: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 1807: return xstrdup(display);
1.1 deraadt 1808: }
1809:
1810: #ifndef X_UNIX_PATH
1811: #define X_UNIX_PATH "/tmp/.X11-unix/X"
1812: #endif
1813:
1814: static
1815: int
1.30 deraadt 1816: connect_local_xsocket(unsigned int dnr)
1.1 deraadt 1817: {
1.25 markus 1818: static const char *const x_sockets[] = {
1819: X_UNIX_PATH "%u",
1820: "/var/X/.X11-unix/X" "%u",
1821: "/usr/spool/sockets/X11/" "%u",
1822: NULL
1823: };
1824: int sock;
1825: struct sockaddr_un addr;
1826: const char *const * path;
1827:
1828: for (path = x_sockets; *path; ++path) {
1829: sock = socket(AF_UNIX, SOCK_STREAM, 0);
1830: if (sock < 0)
1831: error("socket: %.100s", strerror(errno));
1832: memset(&addr, 0, sizeof(addr));
1833: addr.sun_family = AF_UNIX;
1834: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1835: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1836: return sock;
1837: close(sock);
1838: }
1839: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1840: return -1;
1.1 deraadt 1841: }
1842:
1.51 markus 1843: int
1844: x11_connect_display(void)
1.1 deraadt 1845: {
1.51 markus 1846: int display_number, sock = 0;
1.25 markus 1847: const char *display;
1.51 markus 1848: char buf[1024], *cp;
1.35 markus 1849: struct addrinfo hints, *ai, *aitop;
1850: char strport[NI_MAXSERV];
1851: int gaierr;
1.25 markus 1852:
1853: /* Try to open a socket for the local X server. */
1854: display = getenv("DISPLAY");
1855: if (!display) {
1856: error("DISPLAY not set.");
1.51 markus 1857: return -1;
1.25 markus 1858: }
1.27 markus 1859: /*
1860: * Now we decode the value of the DISPLAY variable and make a
1861: * connection to the real X server.
1862: */
1863:
1864: /*
1865: * Check if it is a unix domain socket. Unix domain displays are in
1866: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1867: */
1.25 markus 1868: if (strncmp(display, "unix:", 5) == 0 ||
1869: display[0] == ':') {
1870: /* Connect to the unix domain socket. */
1871: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1872: error("Could not parse display number from DISPLAY: %.100s",
1873: display);
1.51 markus 1874: return -1;
1.25 markus 1875: }
1876: /* Create a socket. */
1877: sock = connect_local_xsocket(display_number);
1878: if (sock < 0)
1.51 markus 1879: return -1;
1.25 markus 1880:
1881: /* OK, we now have a connection to the display. */
1.51 markus 1882: return sock;
1.25 markus 1883: }
1.27 markus 1884: /*
1885: * Connect to an inet socket. The DISPLAY value is supposedly
1886: * hostname:d[.s], where hostname may also be numeric IP address.
1887: */
1.25 markus 1888: strncpy(buf, display, sizeof(buf));
1889: buf[sizeof(buf) - 1] = 0;
1890: cp = strchr(buf, ':');
1891: if (!cp) {
1892: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 1893: return -1;
1.25 markus 1894: }
1895: *cp = 0;
1.27 markus 1896: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 1897: if (sscanf(cp + 1, "%d", &display_number) != 1) {
1898: error("Could not parse display number from DISPLAY: %.100s",
1899: display);
1.51 markus 1900: return -1;
1.25 markus 1901: }
1.35 markus 1902:
1903: /* Look up the host address */
1904: memset(&hints, 0, sizeof(hints));
1905: hints.ai_family = IPv4or6;
1906: hints.ai_socktype = SOCK_STREAM;
1907: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1908: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1909: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.51 markus 1910: return -1;
1.25 markus 1911: }
1.35 markus 1912: for (ai = aitop; ai; ai = ai->ai_next) {
1913: /* Create a socket. */
1914: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1915: if (sock < 0) {
1916: debug("socket: %.100s", strerror(errno));
1.41 markus 1917: continue;
1918: }
1919: /* Connect it to the display. */
1920: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1921: debug("connect %.100s port %d: %.100s", buf,
1922: 6000 + display_number, strerror(errno));
1923: close(sock);
1924: continue;
1925: }
1926: /* Success */
1927: break;
1.35 markus 1928: }
1929: freeaddrinfo(aitop);
1930: if (!ai) {
1.49 markus 1931: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1.35 markus 1932: strerror(errno));
1.51 markus 1933: return -1;
1.25 markus 1934: }
1.51 markus 1935: return sock;
1936: }
1937:
1938: /*
1939: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1940: * the remote channel number. We should do whatever we want, and respond
1941: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1942: */
1943:
1944: void
1945: x11_input_open(int type, int plen)
1946: {
1947: int remote_channel, sock = 0, newch;
1948: char *remote_host;
1949: unsigned int remote_len;
1.25 markus 1950:
1.51 markus 1951: /* Get remote channel number. */
1952: remote_channel = packet_get_int();
1953:
1954: /* Get remote originator name. */
1955: if (have_hostname_in_open) {
1956: remote_host = packet_get_string(&remote_len);
1957: remote_len += 4;
1958: } else {
1959: remote_host = xstrdup("unknown (remote did not supply name)");
1960: remote_len = 0;
1961: }
1.25 markus 1962:
1.51 markus 1963: debug("Received X11 open request.");
1964: packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 1965:
1.51 markus 1966: /* Obtain a connection to the real X display. */
1967: sock = x11_connect_display();
1968: if (sock == -1) {
1969: /* Send refusal to the remote host. */
1970: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1971: packet_put_int(remote_channel);
1972: packet_send();
1973: } else {
1974: /* Allocate a channel for this connection. */
1975: newch = channel_allocate(
1976: (x11_saved_proto == NULL) ?
1977: SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
1978: sock, remote_host);
1979: channels[newch].remote_id = remote_channel;
1.25 markus 1980:
1.51 markus 1981: /* Send a confirmation to the remote host. */
1982: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1983: packet_put_int(remote_channel);
1984: packet_put_int(newch);
1985: packet_send();
1986: }
1.1 deraadt 1987: }
1988:
1.27 markus 1989: /*
1990: * Requests forwarding of X11 connections, generates fake authentication
1991: * data, and enables authentication spoofing.
1992: */
1.1 deraadt 1993:
1.49 markus 1994: void
1.51 markus 1995: x11_request_forwarding_with_spoofing(int client_session_id,
1996: const char *proto, const char *data)
1.1 deraadt 1997: {
1.25 markus 1998: unsigned int data_len = (unsigned int) strlen(data) / 2;
1999: unsigned int i, value;
2000: char *new_data;
2001: int screen_number;
2002: const char *cp;
2003: u_int32_t rand = 0;
2004:
2005: cp = getenv("DISPLAY");
2006: if (cp)
2007: cp = strchr(cp, ':');
2008: if (cp)
2009: cp = strchr(cp, '.');
2010: if (cp)
2011: screen_number = atoi(cp + 1);
2012: else
2013: screen_number = 0;
2014:
2015: /* Save protocol name. */
2016: x11_saved_proto = xstrdup(proto);
2017:
1.27 markus 2018: /*
2019: * Extract real authentication data and generate fake data of the
2020: * same length.
2021: */
1.25 markus 2022: x11_saved_data = xmalloc(data_len);
2023: x11_fake_data = xmalloc(data_len);
2024: for (i = 0; i < data_len; i++) {
2025: if (sscanf(data + 2 * i, "%2x", &value) != 1)
2026: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
2027: if (i % 4 == 0)
2028: rand = arc4random();
2029: x11_saved_data[i] = value;
2030: x11_fake_data[i] = rand & 0xff;
2031: rand >>= 8;
2032: }
2033: x11_saved_data_len = data_len;
2034: x11_fake_data_len = data_len;
2035:
2036: /* Convert the fake data into hex. */
2037: new_data = xmalloc(2 * data_len + 1);
2038: for (i = 0; i < data_len; i++)
2039: sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
2040:
2041: /* Send the request packet. */
1.51 markus 2042: if (compat20) {
2043: channel_request_start(client_session_id, "x11-req", 0);
2044: packet_put_char(0); /* XXX bool single connection */
2045: } else {
2046: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
2047: }
2048: packet_put_cstring(proto);
2049: packet_put_cstring(new_data);
1.25 markus 2050: packet_put_int(screen_number);
2051: packet_send();
2052: packet_write_wait();
2053: xfree(new_data);
1.1 deraadt 2054: }
2055:
2056: /* Sends a message to the server to request authentication fd forwarding. */
2057:
1.49 markus 2058: void
1.25 markus 2059: auth_request_forwarding()
1.1 deraadt 2060: {
1.25 markus 2061: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2062: packet_send();
2063: packet_write_wait();
1.1 deraadt 2064: }
2065:
1.27 markus 2066: /*
2067: * Returns the name of the forwarded authentication socket. Returns NULL if
2068: * there is no forwarded authentication socket. The returned value points to
2069: * a static buffer.
2070: */
1.1 deraadt 2071:
1.25 markus 2072: char *
2073: auth_get_socket_name()
1.1 deraadt 2074: {
1.25 markus 2075: return channel_forwarded_auth_socket_name;
1.1 deraadt 2076: }
2077:
1.12 markus 2078: /* removes the agent forwarding socket */
2079:
1.49 markus 2080: void
1.25 markus 2081: cleanup_socket(void)
2082: {
2083: remove(channel_forwarded_auth_socket_name);
2084: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 2085: }
2086:
1.27 markus 2087: /*
1.59 markus 2088: * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1.27 markus 2089: * This starts forwarding authentication requests.
2090: */
1.1 deraadt 2091:
1.59 markus 2092: int
1.25 markus 2093: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 2094: {
1.25 markus 2095: int sock, newch;
2096: struct sockaddr_un sunaddr;
2097:
2098: if (auth_get_socket_name() != NULL)
2099: fatal("Protocol error: authentication forwarding requested twice.");
2100:
2101: /* Temporarily drop privileged uid for mkdir/bind. */
2102: temporarily_use_uid(pw->pw_uid);
2103:
2104: /* Allocate a buffer for the socket name, and format the name. */
2105: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
2106: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
2107: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
2108:
2109: /* Create private directory for socket */
1.59 markus 2110: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
2111: packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
2112: strerror(errno));
2113: restore_uid();
2114: xfree(channel_forwarded_auth_socket_name);
2115: xfree(channel_forwarded_auth_socket_dir);
2116: channel_forwarded_auth_socket_name = NULL;
2117: channel_forwarded_auth_socket_dir = NULL;
2118: return 0;
2119: }
1.25 markus 2120: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
2121: channel_forwarded_auth_socket_dir, (int) getpid());
2122:
2123: if (atexit(cleanup_socket) < 0) {
2124: int saved = errno;
2125: cleanup_socket();
2126: packet_disconnect("socket: %.100s", strerror(saved));
2127: }
2128: /* Create the socket. */
2129: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2130: if (sock < 0)
2131: packet_disconnect("socket: %.100s", strerror(errno));
2132:
2133: /* Bind it to the name. */
2134: memset(&sunaddr, 0, sizeof(sunaddr));
2135: sunaddr.sun_family = AF_UNIX;
2136: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
2137: sizeof(sunaddr.sun_path));
2138:
2139: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2140: packet_disconnect("bind: %.100s", strerror(errno));
2141:
2142: /* Restore the privileged uid. */
2143: restore_uid();
2144:
2145: /* Start listening on the socket. */
2146: if (listen(sock, 5) < 0)
2147: packet_disconnect("listen: %.100s", strerror(errno));
2148:
2149: /* Allocate a channel for the authentication agent socket. */
2150: newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
2151: xstrdup("auth socket"));
1.32 deraadt 2152: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
2153: sizeof(channels[newch].path));
1.59 markus 2154: return 1;
1.1 deraadt 2155: }
2156:
2157: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2158:
1.49 markus 2159: void
1.41 markus 2160: auth_input_open_request(int type, int plen)
1.1 deraadt 2161: {
1.25 markus 2162: int remch, sock, newch;
2163: char *dummyname;
1.41 markus 2164:
2165: packet_integrity_check(plen, 4, type);
1.25 markus 2166:
2167: /* Read the remote channel number from the message. */
2168: remch = packet_get_int();
2169:
1.27 markus 2170: /*
2171: * Get a connection to the local authentication agent (this may again
2172: * get forwarded).
2173: */
1.25 markus 2174: sock = ssh_get_authentication_socket();
2175:
1.27 markus 2176: /*
2177: * If we could not connect the agent, send an error message back to
2178: * the server. This should never happen unless the agent dies,
2179: * because authentication forwarding is only enabled if we have an
2180: * agent.
2181: */
1.25 markus 2182: if (sock < 0) {
2183: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2184: packet_put_int(remch);
2185: packet_send();
2186: return;
2187: }
2188: debug("Forwarding authentication connection.");
1.1 deraadt 2189:
1.27 markus 2190: /*
2191: * Dummy host name. This will be freed when the channel is freed; it
2192: * will still be valid in the packet_put_string below since the
2193: * channel cannot yet be freed at that point.
2194: */
1.25 markus 2195: dummyname = xstrdup("authentication agent connection");
2196:
2197: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
2198: channels[newch].remote_id = remch;
2199:
2200: /* Send a confirmation to the remote host. */
2201: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2202: packet_put_int(remch);
2203: packet_put_int(newch);
1.44 markus 2204: packet_send();
2205: }
2206:
2207: void
1.51 markus 2208: channel_start_open(int id)
1.44 markus 2209: {
2210: Channel *c = channel_lookup(id);
2211: if (c == NULL) {
2212: log("channel_open: %d: bad id", id);
2213: return;
2214: }
1.51 markus 2215: debug("send channel open %d", id);
1.44 markus 2216: packet_start(SSH2_MSG_CHANNEL_OPEN);
2217: packet_put_cstring(c->ctype);
2218: packet_put_int(c->self);
2219: packet_put_int(c->local_window);
2220: packet_put_int(c->local_maxpacket);
1.51 markus 2221: }
2222: void
2223: channel_open(int id)
2224: {
2225: /* XXX REMOVE ME */
2226: channel_start_open(id);
1.44 markus 2227: packet_send();
2228: }
2229: void
2230: channel_request(int id, char *service, int wantconfirm)
2231: {
2232: channel_request_start(id, service, wantconfirm);
2233: packet_send();
2234: debug("channel request %d: %s", id, service) ;
2235: }
2236: void
2237: channel_request_start(int id, char *service, int wantconfirm)
2238: {
2239: Channel *c = channel_lookup(id);
2240: if (c == NULL) {
2241: log("channel_request: %d: bad id", id);
2242: return;
2243: }
2244: packet_start(SSH2_MSG_CHANNEL_REQUEST);
2245: packet_put_int(c->remote_id);
2246: packet_put_cstring(service);
2247: packet_put_char(wantconfirm);
2248: }
2249: void
2250: channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
2251: {
2252: Channel *c = channel_lookup(id);
2253: if (c == NULL) {
2254: log("channel_register_callback: %d: bad id", id);
2255: return;
2256: }
2257: c->cb_event = mtype;
2258: c->cb_fn = fn;
2259: c->cb_arg = arg;
2260: }
2261: void
2262: channel_register_cleanup(int id, channel_callback_fn *fn)
2263: {
2264: Channel *c = channel_lookup(id);
2265: if (c == NULL) {
2266: log("channel_register_cleanup: %d: bad id", id);
2267: return;
2268: }
2269: c->dettach_user = fn;
2270: }
2271: void
2272: channel_cancel_cleanup(int id)
2273: {
2274: Channel *c = channel_lookup(id);
2275: if (c == NULL) {
2276: log("channel_cancel_cleanup: %d: bad id", id);
2277: return;
2278: }
2279: c->dettach_user = NULL;
1.65 markus 2280: }
2281: void
2282: channel_register_filter(int id, channel_filter_fn *fn)
2283: {
2284: Channel *c = channel_lookup(id);
2285: if (c == NULL) {
2286: log("channel_register_filter: %d: bad id", id);
2287: return;
2288: }
2289: c->input_filter = fn;
1.44 markus 2290: }
2291:
2292: void
2293: channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
2294: {
2295: Channel *c = channel_lookup(id);
2296: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
2297: fatal("channel_activate for non-larval channel %d.", id);
1.52 markus 2298:
2299: channel_register_fds(c, rfd, wfd, efd, extusage);
1.44 markus 2300: c->type = SSH_CHANNEL_OPEN;
2301: /* XXX window size? */
1.68 ! markus 2302: c->local_window = c->local_window_max = c->local_maxpacket * 2;
1.44 markus 2303: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
2304: packet_put_int(c->remote_id);
2305: packet_put_int(c->local_window);
1.25 markus 2306: packet_send();
1.1 deraadt 2307: }