Annotation of src/usr.bin/ssh/channels.c, Revision 1.72.2.3
1.1 deraadt 1: /*
1.26 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * This file contains functions for generic socket connection forwarding.
6: * There is also code for initiating connection forwarding for X11 connections,
7: * arbitrary tcp/ip connections, and the authentication agent connection.
1.49 markus 8: *
1.67 deraadt 9: * As far as I am concerned, the code I have written for this software
10: * can be used freely for any purpose. Any derived versions of this
11: * software must be clearly marked as such, and if the derived work is
12: * incompatible with the protocol description in the RFC file, it must be
13: * called by a name other than "ssh" or "Secure Shell".
14: *
15: *
1.44 markus 16: * SSH2 support added by Markus Friedl.
1.67 deraadt 17: * Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
18: * Copyright (c) 1999 Dug Song. All rights reserved.
19: * Copyright (c) 1999 Theo de Raadt. All rights reserved.
20: *
21: * Redistribution and use in source and binary forms, with or without
22: * modification, are permitted provided that the following conditions
23: * are met:
24: * 1. Redistributions of source code must retain the above copyright
25: * notice, this list of conditions and the following disclaimer.
26: * 2. Redistributions in binary form must reproduce the above copyright
27: * notice, this list of conditions and the following disclaimer in the
28: * documentation and/or other materials provided with the distribution.
29: *
30: * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31: * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32: * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33: * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36: * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37: * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38: * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39: * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.26 deraadt 40: */
1.1 deraadt 41:
42: #include "includes.h"
1.72.2.3! jason 43: RCSID("$OpenBSD: channels.c,v 1.99 2001/03/16 19:06:29 markus Exp $");
1.72.2.1 jason 44:
45: #include <openssl/rsa.h>
46: #include <openssl/dsa.h>
1.1 deraadt 47:
48: #include "ssh.h"
1.72.2.1 jason 49: #include "ssh1.h"
50: #include "ssh2.h"
1.1 deraadt 51: #include "packet.h"
52: #include "xmalloc.h"
53: #include "buffer.h"
54: #include "uidswap.h"
1.72.2.1 jason 55: #include "log.h"
56: #include "misc.h"
1.14 markus 57: #include "channels.h"
58: #include "nchan.h"
59: #include "compat.h"
1.72.2.1 jason 60: #include "canohost.h"
1.64 markus 61: #include "key.h"
62: #include "authfd.h"
1.44 markus 63:
1.1 deraadt 64: /* Maximum number of fake X11 displays to try. */
65: #define MAX_DISPLAYS 1000
66:
1.12 markus 67: /* Max len of agent socket */
68: #define MAX_SOCKET_NAME 100
69:
1.27 markus 70: /*
71: * Pointer to an array containing all allocated channels. The array is
72: * dynamically extended as needed.
73: */
1.1 deraadt 74: static Channel *channels = NULL;
75:
1.27 markus 76: /*
77: * Size of the channel array. All slots of the array must always be
78: * initialized (at least the type field); unused slots are marked with type
79: * SSH_CHANNEL_FREE.
80: */
1.1 deraadt 81: static int channels_alloc = 0;
82:
1.27 markus 83: /*
84: * Maximum file descriptor value used in any of the channels. This is
85: * updated in channel_allocate.
86: */
1.72.2.1 jason 87: static int channel_max_fd = 0;
1.1 deraadt 88:
1.12 markus 89: /* Name and directory of socket for authentication agent forwarding. */
1.1 deraadt 90: static char *channel_forwarded_auth_socket_name = NULL;
1.25 markus 91: static char *channel_forwarded_auth_socket_dir = NULL;
1.1 deraadt 92:
93: /* Saved X11 authentication protocol name. */
94: char *x11_saved_proto = NULL;
95:
96: /* Saved X11 authentication data. This is the real data. */
97: char *x11_saved_data = NULL;
1.72.2.1 jason 98: u_int x11_saved_data_len = 0;
1.1 deraadt 99:
1.27 markus 100: /*
101: * Fake X11 authentication data. This is what the server will be sending us;
102: * we should replace any occurrences of this by the real data.
103: */
1.1 deraadt 104: char *x11_fake_data = NULL;
1.72.2.1 jason 105: u_int x11_fake_data_len;
1.1 deraadt 106:
1.27 markus 107: /*
108: * Data structure for storing which hosts are permitted for forward requests.
109: * The local sides of any remote forwards are stored in this array to prevent
110: * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
111: * network (which might be behind a firewall).
112: */
1.25 markus 113: typedef struct {
1.41 markus 114: char *host_to_connect; /* Connect to 'host'. */
115: u_short port_to_connect; /* Connect to 'port'. */
116: u_short listen_port; /* Remote side should listen port number. */
1.1 deraadt 117: } ForwardPermission;
118:
119: /* List of all permitted host/port pairs to connect. */
120: static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
121: /* Number of permitted host/port pairs in the array. */
122: static int num_permitted_opens = 0;
1.27 markus 123: /*
124: * If this is true, all opens are permitted. This is the case on the server
125: * on which we have to trust the client anyway, and the user could do
126: * anything after logging in anyway.
127: */
1.1 deraadt 128: static int all_opens_permitted = 0;
129:
130: /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
131: static int have_hostname_in_open = 0;
132:
1.72.2.1 jason 133: /* AF_UNSPEC or AF_INET or AF_INET6 */
134: extern int IPv4or6;
135:
1.1 deraadt 136: /* Sets specific protocol options. */
137:
1.49 markus 138: void
1.25 markus 139: channel_set_options(int hostname_in_open)
1.1 deraadt 140: {
1.25 markus 141: have_hostname_in_open = hostname_in_open;
1.1 deraadt 142: }
143:
1.41 markus 144: /* lookup channel by id */
145:
146: Channel *
147: channel_lookup(int id)
148: {
149: Channel *c;
1.63 provos 150: if (id < 0 || id > channels_alloc) {
1.41 markus 151: log("channel_lookup: %d: bad id", id);
152: return NULL;
153: }
154: c = &channels[id];
155: if (c->type == SSH_CHANNEL_FREE) {
156: log("channel_lookup: %d: bad id: channel free", id);
157: return NULL;
158: }
159: return c;
1.55 markus 160: }
161:
1.27 markus 162: /*
1.55 markus 163: * Register filedescriptors for a channel, used when allocating a channel or
1.52 markus 164: * when the channel consumer/producer is ready, e.g. shell exec'd
1.27 markus 165: */
1.1 deraadt 166:
1.52 markus 167: void
1.71 markus 168: channel_register_fds(Channel *c, int rfd, int wfd, int efd,
169: int extusage, int nonblock)
1.1 deraadt 170: {
1.25 markus 171: /* Update the maximum file descriptor value. */
1.72.2.1 jason 172: channel_max_fd = MAX(channel_max_fd, rfd);
173: channel_max_fd = MAX(channel_max_fd, wfd);
174: channel_max_fd = MAX(channel_max_fd, efd);
175:
1.27 markus 176: /* XXX set close-on-exec -markus */
1.55 markus 177:
1.52 markus 178: c->rfd = rfd;
179: c->wfd = wfd;
180: c->sock = (rfd == wfd) ? rfd : -1;
181: c->efd = efd;
182: c->extended_usage = extusage;
1.71 markus 183:
1.72.2.1 jason 184: /* XXX ugly hack: nonblock is only set by the server */
185: if (nonblock && isatty(c->rfd)) {
1.72.2.3! jason 186: debug("channel %d: rfd %d isatty", c->self, c->rfd);
1.72.2.1 jason 187: c->isatty = 1;
188: if (!isatty(c->wfd)) {
1.72.2.3! jason 189: error("channel %d: wfd %d is not a tty?",
1.72.2.1 jason 190: c->self, c->wfd);
191: }
192: } else {
193: c->isatty = 0;
194: }
195:
1.71 markus 196: /* enable nonblocking mode */
197: if (nonblock) {
198: if (rfd != -1)
199: set_nonblock(rfd);
200: if (wfd != -1)
201: set_nonblock(wfd);
202: if (efd != -1)
203: set_nonblock(efd);
204: }
1.52 markus 205: }
206:
207: /*
208: * Allocate a new channel object and set its type and socket. This will cause
209: * remote_name to be freed.
210: */
211:
212: int
213: channel_new(char *ctype, int type, int rfd, int wfd, int efd,
1.71 markus 214: int window, int maxpack, int extusage, char *remote_name, int nonblock)
1.52 markus 215: {
216: int i, found;
217: Channel *c;
1.25 markus 218:
219: /* Do initial allocation if this is the first call. */
220: if (channels_alloc == 0) {
1.44 markus 221: chan_init();
1.25 markus 222: channels_alloc = 10;
223: channels = xmalloc(channels_alloc * sizeof(Channel));
224: for (i = 0; i < channels_alloc; i++)
225: channels[i].type = SSH_CHANNEL_FREE;
1.27 markus 226: /*
227: * Kludge: arrange a call to channel_stop_listening if we
228: * terminate with fatal().
229: */
1.25 markus 230: fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
231: }
232: /* Try to find a free slot where to put the new channel. */
233: for (found = -1, i = 0; i < channels_alloc; i++)
234: if (channels[i].type == SSH_CHANNEL_FREE) {
235: /* Found a free slot. */
236: found = i;
237: break;
238: }
239: if (found == -1) {
1.27 markus 240: /* There are no free slots. Take last+1 slot and expand the array. */
1.25 markus 241: found = channels_alloc;
242: channels_alloc += 10;
1.70 markus 243: debug2("channel: expanding %d", channels_alloc);
1.25 markus 244: channels = xrealloc(channels, channels_alloc * sizeof(Channel));
245: for (i = found; i < channels_alloc; i++)
246: channels[i].type = SSH_CHANNEL_FREE;
247: }
248: /* Initialize and return new channel number. */
249: c = &channels[found];
250: buffer_init(&c->input);
251: buffer_init(&c->output);
1.41 markus 252: buffer_init(&c->extended);
1.25 markus 253: chan_init_iostates(c);
1.71 markus 254: channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
1.25 markus 255: c->self = found;
256: c->type = type;
1.41 markus 257: c->ctype = ctype;
1.51 markus 258: c->local_window = window;
259: c->local_window_max = window;
260: c->local_consumed = 0;
261: c->local_maxpacket = maxpack;
1.25 markus 262: c->remote_id = -1;
263: c->remote_name = remote_name;
1.41 markus 264: c->remote_window = 0;
265: c->remote_maxpacket = 0;
266: c->cb_fn = NULL;
267: c->cb_arg = NULL;
268: c->cb_event = 0;
269: c->dettach_user = NULL;
1.65 markus 270: c->input_filter = NULL;
1.25 markus 271: debug("channel %d: new [%s]", found, remote_name);
272: return found;
1.1 deraadt 273: }
1.52 markus 274: /* old interface XXX */
1.49 markus 275: int
1.41 markus 276: channel_allocate(int type, int sock, char *remote_name)
277: {
1.71 markus 278: return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name, 1);
1.41 markus 279: }
1.1 deraadt 280:
1.52 markus 281:
282: /* Close all channel fd/socket. */
283:
284: void
285: channel_close_fds(Channel *c)
286: {
287: if (c->sock != -1) {
288: close(c->sock);
289: c->sock = -1;
290: }
291: if (c->rfd != -1) {
292: close(c->rfd);
293: c->rfd = -1;
294: }
295: if (c->wfd != -1) {
296: close(c->wfd);
297: c->wfd = -1;
298: }
299: if (c->efd != -1) {
300: close(c->efd);
301: c->efd = -1;
302: }
303: }
304:
305: /* Free the channel and close its fd/socket. */
1.1 deraadt 306:
1.49 markus 307: void
1.41 markus 308: channel_free(int id)
1.1 deraadt 309: {
1.41 markus 310: Channel *c = channel_lookup(id);
1.72.2.1 jason 311: char *s = channel_open_message();
312:
1.41 markus 313: if (c == NULL)
314: packet_disconnect("channel free: bad local channel %d", id);
1.72.2.1 jason 315: debug("channel_free: channel %d: status: %s", id, s);
316: xfree(s);
317:
1.44 markus 318: if (c->dettach_user != NULL) {
319: debug("channel_free: channel %d: dettaching channel user", id);
320: c->dettach_user(c->self, NULL);
321: }
1.54 markus 322: if (c->sock != -1)
323: shutdown(c->sock, SHUT_RDWR);
1.52 markus 324: channel_close_fds(c);
1.41 markus 325: buffer_free(&c->input);
326: buffer_free(&c->output);
327: buffer_free(&c->extended);
328: c->type = SSH_CHANNEL_FREE;
329: if (c->remote_name) {
330: xfree(c->remote_name);
331: c->remote_name = NULL;
1.25 markus 332: }
1.1 deraadt 333: }
334:
1.27 markus 335: /*
1.41 markus 336: * 'channel_pre*' are called just before select() to add any bits relevant to
337: * channels in the select bitmasks.
338: */
339: /*
340: * 'channel_post*': perform any appropriate operations for channels which
341: * have events pending.
1.27 markus 342: */
1.41 markus 343: typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
344: chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
345: chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
346:
347: void
348: channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
349: {
350: FD_SET(c->sock, readset);
351: }
352:
353: void
1.72.2.1 jason 354: channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset)
355: {
356: debug3("channel %d: waiting for connection", c->self);
357: FD_SET(c->sock, writeset);
358: }
359:
360: void
1.41 markus 361: channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
362: {
363: if (buffer_len(&c->input) < packet_get_maxsize())
364: FD_SET(c->sock, readset);
365: if (buffer_len(&c->output) > 0)
366: FD_SET(c->sock, writeset);
367: }
1.1 deraadt 368:
1.41 markus 369: void
370: channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
371: {
372: /* test whether sockets are 'alive' for read/write */
373: if (c->istate == CHAN_INPUT_OPEN)
374: if (buffer_len(&c->input) < packet_get_maxsize())
375: FD_SET(c->sock, readset);
376: if (c->ostate == CHAN_OUTPUT_OPEN ||
377: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
378: if (buffer_len(&c->output) > 0) {
379: FD_SET(c->sock, writeset);
380: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
381: chan_obuf_empty(c);
382: }
383: }
384: }
385:
386: void
1.44 markus 387: channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
388: {
389: if (c->istate == CHAN_INPUT_OPEN &&
390: c->remote_window > 0 &&
391: buffer_len(&c->input) < c->remote_window)
392: FD_SET(c->rfd, readset);
393: if (c->ostate == CHAN_OUTPUT_OPEN ||
394: c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
395: if (buffer_len(&c->output) > 0) {
396: FD_SET(c->wfd, writeset);
397: } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
398: chan_obuf_empty(c);
399: }
400: }
401: /** XXX check close conditions, too */
402: if (c->efd != -1) {
403: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
404: buffer_len(&c->extended) > 0)
405: FD_SET(c->efd, writeset);
406: else if (c->extended_usage == CHAN_EXTENDED_READ &&
407: buffer_len(&c->extended) < c->remote_window)
408: FD_SET(c->efd, readset);
409: }
410: }
411:
412: void
1.41 markus 413: channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
414: {
415: if (buffer_len(&c->input) == 0) {
416: packet_start(SSH_MSG_CHANNEL_CLOSE);
417: packet_put_int(c->remote_id);
418: packet_send();
419: c->type = SSH_CHANNEL_CLOSED;
420: debug("Closing channel %d after input drain.", c->self);
421: }
422: }
423:
424: void
425: channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
426: {
427: if (buffer_len(&c->output) == 0)
428: channel_free(c->self);
1.49 markus 429: else
1.41 markus 430: FD_SET(c->sock, writeset);
431: }
432:
433: /*
434: * This is a special state for X11 authentication spoofing. An opened X11
435: * connection (when authentication spoofing is being done) remains in this
436: * state until the first packet has been completely read. The authentication
437: * data in that packet is then substituted by the real data if it matches the
438: * fake data, and the channel is put into normal mode.
1.51 markus 439: * XXX All this happens at the client side.
1.41 markus 440: */
441: int
442: x11_open_helper(Channel *c)
1.1 deraadt 443: {
1.72.2.1 jason 444: u_char *ucp;
445: u_int proto_len, data_len;
1.25 markus 446:
1.41 markus 447: /* Check if the fixed size part of the packet is in buffer. */
448: if (buffer_len(&c->output) < 12)
449: return 0;
450:
451: /* Parse the lengths of variable-length fields. */
1.72.2.1 jason 452: ucp = (u_char *) buffer_ptr(&c->output);
1.41 markus 453: if (ucp[0] == 0x42) { /* Byte order MSB first. */
454: proto_len = 256 * ucp[6] + ucp[7];
455: data_len = 256 * ucp[8] + ucp[9];
456: } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
457: proto_len = ucp[6] + 256 * ucp[7];
458: data_len = ucp[8] + 256 * ucp[9];
459: } else {
460: debug("Initial X11 packet contains bad byte order byte: 0x%x",
461: ucp[0]);
462: return -1;
463: }
464:
465: /* Check if the whole packet is in buffer. */
466: if (buffer_len(&c->output) <
467: 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
468: return 0;
469:
470: /* Check if authentication protocol matches. */
471: if (proto_len != strlen(x11_saved_proto) ||
472: memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
473: debug("X11 connection uses different authentication protocol.");
474: return -1;
475: }
476: /* Check if authentication data matches our fake data. */
477: if (data_len != x11_fake_data_len ||
478: memcmp(ucp + 12 + ((proto_len + 3) & ~3),
479: x11_fake_data, x11_fake_data_len) != 0) {
480: debug("X11 auth data does not match fake data.");
481: return -1;
482: }
483: /* Check fake data length */
484: if (x11_fake_data_len != x11_saved_data_len) {
485: error("X11 fake_data_len %d != saved_data_len %d",
486: x11_fake_data_len, x11_saved_data_len);
487: return -1;
488: }
489: /*
490: * Received authentication protocol and data match
491: * our fake data. Substitute the fake data with real
492: * data.
493: */
494: memcpy(ucp + 12 + ((proto_len + 3) & ~3),
495: x11_saved_data, x11_saved_data_len);
496: return 1;
497: }
498:
499: void
500: channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
501: {
502: int ret = x11_open_helper(c);
503: if (ret == 1) {
504: /* Start normal processing for the channel. */
505: c->type = SSH_CHANNEL_OPEN;
1.47 markus 506: channel_pre_open_13(c, readset, writeset);
1.41 markus 507: } else if (ret == -1) {
508: /*
509: * We have received an X11 connection that has bad
510: * authentication information.
511: */
1.72.2.3! jason 512: log("X11 connection rejected because of wrong authentication.");
1.41 markus 513: buffer_clear(&c->input);
514: buffer_clear(&c->output);
515: close(c->sock);
516: c->sock = -1;
517: c->type = SSH_CHANNEL_CLOSED;
518: packet_start(SSH_MSG_CHANNEL_CLOSE);
519: packet_put_int(c->remote_id);
520: packet_send();
521: }
522: }
1.25 markus 523:
1.41 markus 524: void
1.51 markus 525: channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
1.41 markus 526: {
527: int ret = x11_open_helper(c);
528: if (ret == 1) {
529: c->type = SSH_CHANNEL_OPEN;
1.57 markus 530: if (compat20)
531: channel_pre_open_20(c, readset, writeset);
532: else
533: channel_pre_open_15(c, readset, writeset);
1.41 markus 534: } else if (ret == -1) {
535: debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
1.51 markus 536: chan_read_failed(c); /** force close? */
1.41 markus 537: chan_write_failed(c);
538: debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
539: }
540: }
1.25 markus 541:
1.41 markus 542: /* This is our fake X11 server socket. */
543: void
544: channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
545: {
546: struct sockaddr addr;
547: int newsock, newch;
548: socklen_t addrlen;
1.72.2.1 jason 549: char buf[16384], *remote_ipaddr;
1.51 markus 550: int remote_port;
1.25 markus 551:
1.41 markus 552: if (FD_ISSET(c->sock, readset)) {
553: debug("X11 connection requested.");
554: addrlen = sizeof(addr);
555: newsock = accept(c->sock, &addr, &addrlen);
556: if (newsock < 0) {
557: error("accept: %.100s", strerror(errno));
558: return;
559: }
1.72.2.1 jason 560: remote_ipaddr = get_peer_ipaddr(newsock);
1.51 markus 561: remote_port = get_peer_port(newsock);
1.41 markus 562: snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1.72.2.1 jason 563: remote_ipaddr, remote_port);
1.51 markus 564:
565: newch = channel_new("x11",
566: SSH_CHANNEL_OPENING, newsock, newsock, -1,
567: c->local_window_max, c->local_maxpacket,
1.71 markus 568: 0, xstrdup(buf), 1);
1.51 markus 569: if (compat20) {
570: packet_start(SSH2_MSG_CHANNEL_OPEN);
571: packet_put_cstring("x11");
572: packet_put_int(newch);
573: packet_put_int(c->local_window_max);
574: packet_put_int(c->local_maxpacket);
1.72.2.1 jason 575: /* originator ipaddr and port */
576: packet_put_cstring(remote_ipaddr);
1.57 markus 577: if (datafellows & SSH_BUG_X11FWD) {
578: debug("ssh2 x11 bug compat mode");
579: } else {
580: packet_put_int(remote_port);
581: }
1.51 markus 582: packet_send();
583: } else {
584: packet_start(SSH_SMSG_X11_OPEN);
585: packet_put_int(newch);
586: if (have_hostname_in_open)
587: packet_put_string(buf, strlen(buf));
588: packet_send();
589: }
1.72.2.1 jason 590: xfree(remote_ipaddr);
1.41 markus 591: }
592: }
1.25 markus 593:
1.41 markus 594: /*
595: * This socket is listening for connections to a forwarded TCP/IP port.
596: */
597: void
598: channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
599: {
600: struct sockaddr addr;
601: int newsock, newch;
602: socklen_t addrlen;
1.72.2.1 jason 603: char buf[1024], *remote_ipaddr, *rtype;
1.41 markus 604: int remote_port;
1.25 markus 605:
1.72.2.1 jason 606: rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ?
607: "forwarded-tcpip" : "direct-tcpip";
608:
1.41 markus 609: if (FD_ISSET(c->sock, readset)) {
610: debug("Connection to port %d forwarding "
611: "to %.100s port %d requested.",
612: c->listening_port, c->path, c->host_port);
613: addrlen = sizeof(addr);
614: newsock = accept(c->sock, &addr, &addrlen);
615: if (newsock < 0) {
616: error("accept: %.100s", strerror(errno));
617: return;
618: }
1.72.2.1 jason 619: remote_ipaddr = get_peer_ipaddr(newsock);
1.41 markus 620: remote_port = get_peer_port(newsock);
621: snprintf(buf, sizeof buf,
622: "listen port %d for %.100s port %d, "
623: "connect from %.200s port %d",
624: c->listening_port, c->path, c->host_port,
1.72.2.1 jason 625: remote_ipaddr, remote_port);
626:
627: newch = channel_new(rtype,
1.41 markus 628: SSH_CHANNEL_OPENING, newsock, newsock, -1,
629: c->local_window_max, c->local_maxpacket,
1.71 markus 630: 0, xstrdup(buf), 1);
1.44 markus 631: if (compat20) {
632: packet_start(SSH2_MSG_CHANNEL_OPEN);
1.72.2.1 jason 633: packet_put_cstring(rtype);
1.44 markus 634: packet_put_int(newch);
635: packet_put_int(c->local_window_max);
636: packet_put_int(c->local_maxpacket);
1.72.2.1 jason 637: if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
638: /* listen address, port */
639: packet_put_string(c->path, strlen(c->path));
640: packet_put_int(c->listening_port);
641: } else {
642: /* target host, port */
643: packet_put_string(c->path, strlen(c->path));
644: packet_put_int(c->host_port);
645: }
1.48 markus 646: /* originator host and port */
1.72.2.1 jason 647: packet_put_cstring(remote_ipaddr);
1.44 markus 648: packet_put_int(remote_port);
649: packet_send();
650: } else {
651: packet_start(SSH_MSG_PORT_OPEN);
652: packet_put_int(newch);
653: packet_put_string(c->path, strlen(c->path));
654: packet_put_int(c->host_port);
655: if (have_hostname_in_open) {
656: packet_put_string(buf, strlen(buf));
657: }
658: packet_send();
1.41 markus 659: }
1.72.2.1 jason 660: xfree(remote_ipaddr);
1.41 markus 661: }
662: }
1.25 markus 663:
1.41 markus 664: /*
665: * This is the authentication agent socket listening for connections from
666: * clients.
667: */
668: void
669: channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
670: {
671: struct sockaddr addr;
672: int newsock, newch;
673: socklen_t addrlen;
1.25 markus 674:
1.41 markus 675: if (FD_ISSET(c->sock, readset)) {
676: addrlen = sizeof(addr);
677: newsock = accept(c->sock, &addr, &addrlen);
678: if (newsock < 0) {
679: error("accept from auth socket: %.100s", strerror(errno));
680: return;
681: }
1.72.2.1 jason 682: newch = channel_new("accepted auth socket",
683: SSH_CHANNEL_OPENING, newsock, newsock, -1,
684: c->local_window_max, c->local_maxpacket,
685: 0, xstrdup("accepted auth socket"), 1);
686: if (compat20) {
687: packet_start(SSH2_MSG_CHANNEL_OPEN);
688: packet_put_cstring("auth-agent@openssh.com");
689: packet_put_int(newch);
690: packet_put_int(c->local_window_max);
691: packet_put_int(c->local_maxpacket);
692: } else {
693: packet_start(SSH_SMSG_AGENT_OPEN);
694: packet_put_int(newch);
695: }
1.41 markus 696: packet_send();
697: }
698: }
1.25 markus 699:
1.72.2.1 jason 700: void
701: channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
702: {
703: if (FD_ISSET(c->sock, writeset)) {
704: int err = 0;
705: int sz = sizeof(err);
706: c->type = SSH_CHANNEL_OPEN;
707: if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, (char *)&err, &sz) < 0) {
708: debug("getsockopt SO_ERROR failed");
709: } else {
710: if (err == 0) {
711: debug("channel %d: connected)", c->self);
712: } else {
713: debug("channel %d: not connected: %s",
714: c->self, strerror(err));
715: chan_read_failed(c);
716: chan_write_failed(c);
717: }
718: }
719: }
720: }
721:
1.41 markus 722: int
723: channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
724: {
725: char buf[16*1024];
726: int len;
1.25 markus 727:
1.41 markus 728: if (c->rfd != -1 &&
729: FD_ISSET(c->rfd, readset)) {
730: len = read(c->rfd, buf, sizeof(buf));
1.53 markus 731: if (len < 0 && (errno == EINTR || errno == EAGAIN))
732: return 1;
1.41 markus 733: if (len <= 0) {
1.51 markus 734: debug("channel %d: read<=0 rfd %d len %d",
1.41 markus 735: c->self, c->rfd, len);
1.25 markus 736: if (compat13) {
1.41 markus 737: buffer_consume(&c->output, buffer_len(&c->output));
738: c->type = SSH_CHANNEL_INPUT_DRAINING;
739: debug("Channel %d status set to input draining.", c->self);
1.25 markus 740: } else {
1.41 markus 741: chan_read_failed(c);
1.25 markus 742: }
1.41 markus 743: return -1;
744: }
1.65 markus 745: if(c->input_filter != NULL) {
1.66 markus 746: if (c->input_filter(c, buf, len) == -1) {
1.65 markus 747: debug("filter stops channel %d", c->self);
748: chan_read_failed(c);
749: }
750: } else {
751: buffer_append(&c->input, buf, len);
752: }
1.41 markus 753: }
754: return 1;
755: }
756: int
757: channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
758: {
1.72.2.3! jason 759: struct termios tio;
1.41 markus 760: int len;
1.25 markus 761:
1.41 markus 762: /* Send buffered output data to the socket. */
763: if (c->wfd != -1 &&
764: FD_ISSET(c->wfd, writeset) &&
765: buffer_len(&c->output) > 0) {
766: len = write(c->wfd, buffer_ptr(&c->output),
1.53 markus 767: buffer_len(&c->output));
768: if (len < 0 && (errno == EINTR || errno == EAGAIN))
769: return 1;
1.41 markus 770: if (len <= 0) {
771: if (compat13) {
772: buffer_consume(&c->output, buffer_len(&c->output));
773: debug("Channel %d status set to input draining.", c->self);
774: c->type = SSH_CHANNEL_INPUT_DRAINING;
775: } else {
776: chan_write_failed(c);
777: }
778: return -1;
1.25 markus 779: }
1.72.2.1 jason 780: if (compat20 && c->isatty) {
781: if (tcgetattr(c->wfd, &tio) == 0 &&
782: !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
783: /*
784: * Simulate echo to reduce the impact of
1.72.2.3! jason 785: * traffic analysis. We need to match the
! 786: * size of a SSH2_MSG_CHANNEL_DATA message
! 787: * (4 byte channel id + data)
1.72.2.1 jason 788: */
1.72.2.3! jason 789: packet_send_ignore(4 + len);
1.72.2.1 jason 790: packet_send();
791: }
792: }
1.41 markus 793: buffer_consume(&c->output, len);
1.44 markus 794: if (compat20 && len > 0) {
795: c->local_consumed += len;
796: }
797: }
798: return 1;
799: }
800: int
801: channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
802: {
803: char buf[16*1024];
804: int len;
805:
1.45 markus 806: /** XXX handle drain efd, too */
1.44 markus 807: if (c->efd != -1) {
808: if (c->extended_usage == CHAN_EXTENDED_WRITE &&
809: FD_ISSET(c->efd, writeset) &&
810: buffer_len(&c->extended) > 0) {
811: len = write(c->efd, buffer_ptr(&c->extended),
812: buffer_len(&c->extended));
1.70 markus 813: debug2("channel %d: written %d to efd %d",
1.44 markus 814: c->self, len, c->efd);
1.72.2.3! jason 815: if (len < 0 && (errno == EINTR || errno == EAGAIN))
! 816: return 1;
! 817: if (len <= 0) {
! 818: debug2("channel %d: closing write-efd %d",
! 819: c->self, c->efd);
! 820: close(c->efd);
! 821: c->efd = -1;
! 822: } else {
1.44 markus 823: buffer_consume(&c->extended, len);
824: c->local_consumed += len;
825: }
826: } else if (c->extended_usage == CHAN_EXTENDED_READ &&
827: FD_ISSET(c->efd, readset)) {
828: len = read(c->efd, buf, sizeof(buf));
1.70 markus 829: debug2("channel %d: read %d from efd %d",
1.44 markus 830: c->self, len, c->efd);
1.72.2.3! jason 831: if (len < 0 && (errno == EINTR || errno == EAGAIN))
! 832: return 1;
! 833: if (len <= 0) {
! 834: debug2("channel %d: closing read-efd %d",
1.45 markus 835: c->self, c->efd);
836: close(c->efd);
837: c->efd = -1;
1.72.2.3! jason 838: } else {
1.44 markus 839: buffer_append(&c->extended, buf, len);
1.72.2.3! jason 840: }
1.44 markus 841: }
842: }
843: return 1;
844: }
845: int
1.72.2.3! jason 846: channel_check_window(Channel *c)
1.44 markus 847: {
1.46 markus 848: if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1.44 markus 849: c->local_window < c->local_window_max/2 &&
850: c->local_consumed > 0) {
851: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
852: packet_put_int(c->remote_id);
853: packet_put_int(c->local_consumed);
854: packet_send();
1.70 markus 855: debug2("channel %d: window %d sent adjust %d",
1.44 markus 856: c->self, c->local_window,
857: c->local_consumed);
858: c->local_window += c->local_consumed;
859: c->local_consumed = 0;
1.1 deraadt 860: }
1.41 markus 861: return 1;
1.1 deraadt 862: }
863:
1.41 markus 864: void
865: channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
866: {
867: channel_handle_rfd(c, readset, writeset);
868: channel_handle_wfd(c, readset, writeset);
869: }
1.1 deraadt 870:
1.41 markus 871: void
1.44 markus 872: channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
873: {
874: channel_handle_rfd(c, readset, writeset);
875: channel_handle_wfd(c, readset, writeset);
876: channel_handle_efd(c, readset, writeset);
1.72.2.3! jason 877:
! 878: channel_check_window(c);
1.44 markus 879: }
880:
881: void
1.41 markus 882: channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
1.1 deraadt 883: {
1.41 markus 884: int len;
885: /* Send buffered output data to the socket. */
886: if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
887: len = write(c->sock, buffer_ptr(&c->output),
888: buffer_len(&c->output));
889: if (len <= 0)
890: buffer_consume(&c->output, buffer_len(&c->output));
891: else
892: buffer_consume(&c->output, len);
893: }
894: }
1.25 markus 895:
1.41 markus 896: void
1.44 markus 897: channel_handler_init_20(void)
898: {
899: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
1.51 markus 900: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.44 markus 901: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
1.72.2.1 jason 902: channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
1.51 markus 903: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
1.72.2.1 jason 904: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
905: channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
1.44 markus 906:
907: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
908: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
1.72.2.1 jason 909: channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
1.51 markus 910: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
1.72.2.1 jason 911: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
912: channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
1.44 markus 913: }
914:
915: void
1.41 markus 916: channel_handler_init_13(void)
917: {
918: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
919: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
920: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
921: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
922: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
923: channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
924: channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
1.72.2.1 jason 925: channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
1.25 markus 926:
1.41 markus 927: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
928: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
929: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
930: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
931: channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
1.72.2.1 jason 932: channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
1.41 markus 933: }
1.25 markus 934:
1.41 markus 935: void
936: channel_handler_init_15(void)
937: {
938: channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
1.51 markus 939: channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
1.41 markus 940: channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
941: channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
942: channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
1.72.2.1 jason 943: channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
1.25 markus 944:
1.41 markus 945: channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
946: channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
947: channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
948: channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
1.72.2.1 jason 949: channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
1.41 markus 950: }
1.27 markus 951:
1.41 markus 952: void
953: channel_handler_init(void)
954: {
955: int i;
956: for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
957: channel_pre[i] = NULL;
958: channel_post[i] = NULL;
959: }
1.44 markus 960: if (compat20)
961: channel_handler_init_20();
962: else if (compat13)
1.41 markus 963: channel_handler_init_13();
964: else
965: channel_handler_init_15();
966: }
1.25 markus 967:
1.49 markus 968: void
1.41 markus 969: channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
970: {
971: static int did_init = 0;
972: int i;
973: Channel *c;
1.25 markus 974:
1.41 markus 975: if (!did_init) {
976: channel_handler_init();
977: did_init = 1;
978: }
979: for (i = 0; i < channels_alloc; i++) {
980: c = &channels[i];
981: if (c->type == SSH_CHANNEL_FREE)
982: continue;
983: if (ftab[c->type] == NULL)
1.25 markus 984: continue;
1.41 markus 985: (*ftab[c->type])(c, readset, writeset);
1.72.2.3! jason 986: if (chan_is_dead(c)) {
! 987: /*
! 988: * we have to remove the fd's from the select mask
! 989: * before the channels are free'd and the fd's are
! 990: * closed
! 991: */
! 992: if (c->wfd != -1)
! 993: FD_CLR(c->wfd, writeset);
! 994: if (c->rfd != -1)
! 995: FD_CLR(c->rfd, readset);
! 996: if (c->efd != -1) {
! 997: if (c->extended_usage == CHAN_EXTENDED_READ)
! 998: FD_CLR(c->efd, readset);
! 999: if (c->extended_usage == CHAN_EXTENDED_WRITE)
! 1000: FD_CLR(c->efd, writeset);
! 1001: }
! 1002: channel_free(c->self);
! 1003: }
1.1 deraadt 1004: }
1005: }
1006:
1.49 markus 1007: void
1.72.2.1 jason 1008: channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp)
1.41 markus 1009: {
1.72.2.1 jason 1010: int n;
1011: u_int sz;
1012:
1013: n = MAX(*maxfdp, channel_max_fd);
1014:
1015: sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
1016: if (*readsetp == NULL || n > *maxfdp) {
1017: if (*readsetp)
1018: xfree(*readsetp);
1019: if (*writesetp)
1020: xfree(*writesetp);
1021: *readsetp = xmalloc(sz);
1022: *writesetp = xmalloc(sz);
1023: *maxfdp = n;
1024: }
1025: memset(*readsetp, 0, sz);
1026: memset(*writesetp, 0, sz);
1027:
1028: channel_handler(channel_pre, *readsetp, *writesetp);
1.41 markus 1029: }
1030:
1.49 markus 1031: void
1.41 markus 1032: channel_after_select(fd_set * readset, fd_set * writeset)
1033: {
1034: channel_handler(channel_post, readset, writeset);
1035: }
1036:
1.72.2.1 jason 1037: /* If there is data to send to the connection, enqueue some of it now. */
1.1 deraadt 1038:
1.49 markus 1039: void
1.25 markus 1040: channel_output_poll()
1.1 deraadt 1041: {
1.25 markus 1042: int len, i;
1.41 markus 1043: Channel *c;
1.1 deraadt 1044:
1.25 markus 1045: for (i = 0; i < channels_alloc; i++) {
1.41 markus 1046: c = &channels[i];
1.37 markus 1047:
1.27 markus 1048: /* We are only interested in channels that can have buffered incoming data. */
1.37 markus 1049: if (compat13) {
1.41 markus 1050: if (c->type != SSH_CHANNEL_OPEN &&
1051: c->type != SSH_CHANNEL_INPUT_DRAINING)
1.37 markus 1052: continue;
1053: } else {
1.41 markus 1054: if (c->type != SSH_CHANNEL_OPEN)
1.37 markus 1055: continue;
1056: }
1.46 markus 1057: if (compat20 &&
1058: (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
1.72.2.3! jason 1059: /* XXX is this true? */
! 1060: debug2("channel %d: no data after CLOSE", c->self);
1.44 markus 1061: continue;
1062: }
1.25 markus 1063:
1064: /* Get the amount of buffered data for this channel. */
1.72.2.3! jason 1065: if ((c->istate == CHAN_INPUT_OPEN ||
! 1066: c->istate == CHAN_INPUT_WAIT_DRAIN) &&
! 1067: (len = buffer_len(&c->input)) > 0) {
1.27 markus 1068: /* Send some data for the other side over the secure connection. */
1.44 markus 1069: if (compat20) {
1070: if (len > c->remote_window)
1071: len = c->remote_window;
1072: if (len > c->remote_maxpacket)
1073: len = c->remote_maxpacket;
1.25 markus 1074: } else {
1.44 markus 1075: if (packet_is_interactive()) {
1076: if (len > 1024)
1077: len = 512;
1078: } else {
1079: /* Keep the packets at reasonable size. */
1080: if (len > packet_get_maxsize()/2)
1081: len = packet_get_maxsize()/2;
1082: }
1.25 markus 1083: }
1.41 markus 1084: if (len > 0) {
1.44 markus 1085: packet_start(compat20 ?
1086: SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
1.41 markus 1087: packet_put_int(c->remote_id);
1088: packet_put_string(buffer_ptr(&c->input), len);
1089: packet_send();
1090: buffer_consume(&c->input, len);
1091: c->remote_window -= len;
1092: }
1093: } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1.25 markus 1094: if (compat13)
1095: fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
1.27 markus 1096: /*
1097: * input-buffer is empty and read-socket shutdown:
1098: * tell peer, that we will not send more data: send IEOF
1099: */
1.41 markus 1100: chan_ibuf_empty(c);
1.25 markus 1101: }
1.44 markus 1102: /* Send extended data, i.e. stderr */
1103: if (compat20 &&
1104: c->remote_window > 0 &&
1105: (len = buffer_len(&c->extended)) > 0 &&
1106: c->extended_usage == CHAN_EXTENDED_READ) {
1.72.2.3! jason 1107: debug2("channel %d: rwin %d elen %d euse %d",
! 1108: c->self, c->remote_window, buffer_len(&c->extended),
! 1109: c->extended_usage);
1.44 markus 1110: if (len > c->remote_window)
1111: len = c->remote_window;
1112: if (len > c->remote_maxpacket)
1113: len = c->remote_maxpacket;
1114: packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
1115: packet_put_int(c->remote_id);
1116: packet_put_int(SSH2_EXTENDED_DATA_STDERR);
1117: packet_put_string(buffer_ptr(&c->extended), len);
1118: packet_send();
1119: buffer_consume(&c->extended, len);
1120: c->remote_window -= len;
1.72.2.3! jason 1121: debug2("channel %d: sent ext data %d", c->self, len);
1.44 markus 1122: }
1.25 markus 1123: }
1.1 deraadt 1124: }
1125:
1.27 markus 1126: /*
1127: * This is called when a packet of type CHANNEL_DATA has just been received.
1128: * The message type has already been consumed, but channel number and data is
1129: * still there.
1130: */
1.1 deraadt 1131:
1.49 markus 1132: void
1.69 markus 1133: channel_input_data(int type, int plen, void *ctxt)
1.1 deraadt 1134: {
1.37 markus 1135: int id;
1.25 markus 1136: char *data;
1.72.2.1 jason 1137: u_int data_len;
1.41 markus 1138: Channel *c;
1.25 markus 1139:
1140: /* Get the channel number and verify it. */
1.37 markus 1141: id = packet_get_int();
1.41 markus 1142: c = channel_lookup(id);
1143: if (c == NULL)
1.37 markus 1144: packet_disconnect("Received data for nonexistent channel %d.", id);
1.25 markus 1145:
1146: /* Ignore any data for non-open channels (might happen on close) */
1.41 markus 1147: if (c->type != SSH_CHANNEL_OPEN &&
1148: c->type != SSH_CHANNEL_X11_OPEN)
1.37 markus 1149: return;
1150:
1151: /* same for protocol 1.5 if output end is no longer open */
1.41 markus 1152: if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
1.25 markus 1153: return;
1154:
1155: /* Get the data. */
1156: data = packet_get_string(&data_len);
1.48 markus 1157: packet_done();
1.41 markus 1158:
1.44 markus 1159: if (compat20){
1160: if (data_len > c->local_maxpacket) {
1161: log("channel %d: rcvd big packet %d, maxpack %d",
1162: c->self, data_len, c->local_maxpacket);
1163: }
1164: if (data_len > c->local_window) {
1165: log("channel %d: rcvd too much data %d, win %d",
1166: c->self, data_len, c->local_window);
1167: xfree(data);
1168: return;
1169: }
1170: c->local_window -= data_len;
1171: }else{
1172: packet_integrity_check(plen, 4 + 4 + data_len, type);
1173: }
1.41 markus 1174: buffer_append(&c->output, data, data_len);
1.25 markus 1175: xfree(data);
1.1 deraadt 1176: }
1.49 markus 1177: void
1.69 markus 1178: channel_input_extended_data(int type, int plen, void *ctxt)
1.44 markus 1179: {
1180: int id;
1181: int tcode;
1182: char *data;
1.72.2.1 jason 1183: u_int data_len;
1.44 markus 1184: Channel *c;
1185:
1186: /* Get the channel number and verify it. */
1187: id = packet_get_int();
1188: c = channel_lookup(id);
1189:
1190: if (c == NULL)
1191: packet_disconnect("Received extended_data for bad channel %d.", id);
1192: if (c->type != SSH_CHANNEL_OPEN) {
1193: log("channel %d: ext data for non open", id);
1194: return;
1195: }
1196: tcode = packet_get_int();
1197: if (c->efd == -1 ||
1198: c->extended_usage != CHAN_EXTENDED_WRITE ||
1199: tcode != SSH2_EXTENDED_DATA_STDERR) {
1200: log("channel %d: bad ext data", c->self);
1201: return;
1202: }
1203: data = packet_get_string(&data_len);
1.48 markus 1204: packet_done();
1.44 markus 1205: if (data_len > c->local_window) {
1206: log("channel %d: rcvd too much extended_data %d, win %d",
1207: c->self, data_len, c->local_window);
1208: xfree(data);
1209: return;
1210: }
1.70 markus 1211: debug2("channel %d: rcvd ext data %d", c->self, data_len);
1.44 markus 1212: c->local_window -= data_len;
1213: buffer_append(&c->extended, data, data_len);
1214: xfree(data);
1215: }
1216:
1.1 deraadt 1217:
1.27 markus 1218: /*
1219: * Returns true if no channel has too much buffered data, and false if one or
1220: * more channel is overfull.
1221: */
1.1 deraadt 1222:
1.49 markus 1223: int
1.25 markus 1224: channel_not_very_much_buffered_data()
1.1 deraadt 1225: {
1.72.2.1 jason 1226: u_int i;
1.41 markus 1227: Channel *c;
1.25 markus 1228:
1229: for (i = 0; i < channels_alloc; i++) {
1.41 markus 1230: c = &channels[i];
1231: if (c->type == SSH_CHANNEL_OPEN) {
1.44 markus 1232: if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
1.41 markus 1233: debug("channel %d: big input buffer %d",
1234: c->self, buffer_len(&c->input));
1.25 markus 1235: return 0;
1.41 markus 1236: }
1237: if (buffer_len(&c->output) > packet_get_maxsize()) {
1238: debug("channel %d: big output buffer %d",
1239: c->self, buffer_len(&c->output));
1.25 markus 1240: return 0;
1.41 markus 1241: }
1.25 markus 1242: }
1.1 deraadt 1243: }
1.25 markus 1244: return 1;
1.1 deraadt 1245: }
1246:
1.49 markus 1247: void
1.69 markus 1248: channel_input_ieof(int type, int plen, void *ctxt)
1.41 markus 1249: {
1250: int id;
1251: Channel *c;
1252:
1253: packet_integrity_check(plen, 4, type);
1254:
1255: id = packet_get_int();
1256: c = channel_lookup(id);
1257: if (c == NULL)
1258: packet_disconnect("Received ieof for nonexistent channel %d.", id);
1259: chan_rcvd_ieof(c);
1260: }
1.1 deraadt 1261:
1.49 markus 1262: void
1.69 markus 1263: channel_input_close(int type, int plen, void *ctxt)
1.1 deraadt 1264: {
1.41 markus 1265: int id;
1266: Channel *c;
1.1 deraadt 1267:
1.41 markus 1268: packet_integrity_check(plen, 4, type);
1269:
1270: id = packet_get_int();
1271: c = channel_lookup(id);
1272: if (c == NULL)
1273: packet_disconnect("Received close for nonexistent channel %d.", id);
1.27 markus 1274:
1275: /*
1276: * Send a confirmation that we have closed the channel and no more
1277: * data is coming for it.
1278: */
1.25 markus 1279: packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
1.41 markus 1280: packet_put_int(c->remote_id);
1.25 markus 1281: packet_send();
1282:
1.27 markus 1283: /*
1284: * If the channel is in closed state, we have sent a close request,
1285: * and the other side will eventually respond with a confirmation.
1286: * Thus, we cannot free the channel here, because then there would be
1287: * no-one to receive the confirmation. The channel gets freed when
1288: * the confirmation arrives.
1289: */
1.41 markus 1290: if (c->type != SSH_CHANNEL_CLOSED) {
1.27 markus 1291: /*
1292: * Not a closed channel - mark it as draining, which will
1293: * cause it to be freed later.
1294: */
1.41 markus 1295: buffer_consume(&c->input, buffer_len(&c->input));
1296: c->type = SSH_CHANNEL_OUTPUT_DRAINING;
1.25 markus 1297: }
1.1 deraadt 1298: }
1299:
1.41 markus 1300: /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
1.49 markus 1301: void
1.69 markus 1302: channel_input_oclose(int type, int plen, void *ctxt)
1.41 markus 1303: {
1304: int id = packet_get_int();
1305: Channel *c = channel_lookup(id);
1306: packet_integrity_check(plen, 4, type);
1307: if (c == NULL)
1308: packet_disconnect("Received oclose for nonexistent channel %d.", id);
1309: chan_rcvd_oclose(c);
1310: }
1.1 deraadt 1311:
1.49 markus 1312: void
1.69 markus 1313: channel_input_close_confirmation(int type, int plen, void *ctxt)
1.1 deraadt 1314: {
1.41 markus 1315: int id = packet_get_int();
1316: Channel *c = channel_lookup(id);
1.1 deraadt 1317:
1.48 markus 1318: packet_done();
1.41 markus 1319: if (c == NULL)
1320: packet_disconnect("Received close confirmation for "
1321: "out-of-range channel %d.", id);
1322: if (c->type != SSH_CHANNEL_CLOSED)
1323: packet_disconnect("Received close confirmation for "
1324: "non-closed channel %d (type %d).", id, c->type);
1325: channel_free(c->self);
1.1 deraadt 1326: }
1327:
1.49 markus 1328: void
1.69 markus 1329: channel_input_open_confirmation(int type, int plen, void *ctxt)
1.1 deraadt 1330: {
1.41 markus 1331: int id, remote_id;
1332: Channel *c;
1.1 deraadt 1333:
1.44 markus 1334: if (!compat20)
1335: packet_integrity_check(plen, 4 + 4, type);
1.25 markus 1336:
1.41 markus 1337: id = packet_get_int();
1338: c = channel_lookup(id);
1.25 markus 1339:
1.41 markus 1340: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1341: packet_disconnect("Received open confirmation for "
1342: "non-opening channel %d.", id);
1343: remote_id = packet_get_int();
1.27 markus 1344: /* Record the remote channel number and mark that the channel is now open. */
1.41 markus 1345: c->remote_id = remote_id;
1346: c->type = SSH_CHANNEL_OPEN;
1.44 markus 1347:
1348: if (compat20) {
1349: c->remote_window = packet_get_int();
1350: c->remote_maxpacket = packet_get_int();
1.48 markus 1351: packet_done();
1.44 markus 1352: if (c->cb_fn != NULL && c->cb_event == type) {
1.70 markus 1353: debug2("callback start");
1.44 markus 1354: c->cb_fn(c->self, c->cb_arg);
1.70 markus 1355: debug2("callback done");
1.44 markus 1356: }
1357: debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1358: c->remote_window, c->remote_maxpacket);
1359: }
1.1 deraadt 1360: }
1361:
1.49 markus 1362: void
1.69 markus 1363: channel_input_open_failure(int type, int plen, void *ctxt)
1.1 deraadt 1364: {
1.72.2.1 jason 1365: int id, reason;
1366: char *msg = NULL, *lang = NULL;
1.41 markus 1367: Channel *c;
1368:
1.44 markus 1369: if (!compat20)
1370: packet_integrity_check(plen, 4, type);
1.41 markus 1371:
1372: id = packet_get_int();
1373: c = channel_lookup(id);
1.25 markus 1374:
1.41 markus 1375: if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1376: packet_disconnect("Received open failure for "
1377: "non-opening channel %d.", id);
1.44 markus 1378: if (compat20) {
1.72.2.1 jason 1379: reason = packet_get_int();
1380: if (packet_remaining() > 0) {
1381: msg = packet_get_string(NULL);
1382: lang = packet_get_string(NULL);
1383: }
1.48 markus 1384: packet_done();
1.72.2.1 jason 1385: log("channel_open_failure: %d: reason %d %s", id,
1386: reason, msg ? msg : "<no additional info>");
1387: if (msg != NULL)
1388: xfree(msg);
1389: if (lang != NULL)
1390: xfree(lang);
1.44 markus 1391: }
1.25 markus 1392: /* Free the channel. This will also close the socket. */
1.41 markus 1393: channel_free(id);
1.1 deraadt 1394: }
1395:
1.44 markus 1396: void
1.69 markus 1397: channel_input_channel_request(int type, int plen, void *ctxt)
1.44 markus 1398: {
1399: int id;
1400: Channel *c;
1401:
1402: id = packet_get_int();
1403: c = channel_lookup(id);
1404:
1405: if (c == NULL ||
1406: (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1407: packet_disconnect("Received request for "
1408: "non-open channel %d.", id);
1409: if (c->cb_fn != NULL && c->cb_event == type) {
1.70 markus 1410: debug2("callback start");
1.44 markus 1411: c->cb_fn(c->self, c->cb_arg);
1.70 markus 1412: debug2("callback done");
1.44 markus 1413: } else {
1414: char *service = packet_get_string(NULL);
1.72.2.3! jason 1415: debug("channel %d: rcvd request for %s", c->self, service);
1.70 markus 1416: debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1.44 markus 1417: xfree(service);
1418: }
1419: }
1420:
1.49 markus 1421: void
1.69 markus 1422: channel_input_window_adjust(int type, int plen, void *ctxt)
1.44 markus 1423: {
1424: Channel *c;
1425: int id, adjust;
1426:
1427: if (!compat20)
1428: return;
1429:
1430: /* Get the channel number and verify it. */
1431: id = packet_get_int();
1432: c = channel_lookup(id);
1433:
1434: if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1435: log("Received window adjust for "
1436: "non-open channel %d.", id);
1437: return;
1438: }
1439: adjust = packet_get_int();
1.48 markus 1440: packet_done();
1.70 markus 1441: debug2("channel %d: rcvd adjust %d", id, adjust);
1.44 markus 1442: c->remote_window += adjust;
1443: }
1444:
1.27 markus 1445: /*
1446: * Stops listening for channels, and removes any unix domain sockets that we
1447: * might have.
1448: */
1.1 deraadt 1449:
1.49 markus 1450: void
1.25 markus 1451: channel_stop_listening()
1.1 deraadt 1452: {
1.25 markus 1453: int i;
1454: for (i = 0; i < channels_alloc; i++) {
1455: switch (channels[i].type) {
1456: case SSH_CHANNEL_AUTH_SOCKET:
1457: close(channels[i].sock);
1.72.2.1 jason 1458: unlink(channels[i].path);
1.25 markus 1459: channel_free(i);
1460: break;
1461: case SSH_CHANNEL_PORT_LISTENER:
1.72.2.1 jason 1462: case SSH_CHANNEL_RPORT_LISTENER:
1.25 markus 1463: case SSH_CHANNEL_X11_LISTENER:
1464: close(channels[i].sock);
1465: channel_free(i);
1466: break;
1467: default:
1468: break;
1469: }
1.1 deraadt 1470: }
1471: }
1472:
1.27 markus 1473: /*
1.52 markus 1474: * Closes the sockets/fds of all channels. This is used to close extra file
1.27 markus 1475: * descriptors after a fork.
1476: */
1.1 deraadt 1477:
1.49 markus 1478: void
1.25 markus 1479: channel_close_all()
1.1 deraadt 1480: {
1.25 markus 1481: int i;
1.52 markus 1482: for (i = 0; i < channels_alloc; i++)
1.25 markus 1483: if (channels[i].type != SSH_CHANNEL_FREE)
1.52 markus 1484: channel_close_fds(&channels[i]);
1.1 deraadt 1485: }
1486:
1487: /* Returns true if any channel is still open. */
1488:
1.49 markus 1489: int
1.25 markus 1490: channel_still_open()
1.1 deraadt 1491: {
1.72.2.1 jason 1492: u_int i;
1.25 markus 1493: for (i = 0; i < channels_alloc; i++)
1494: switch (channels[i].type) {
1495: case SSH_CHANNEL_FREE:
1496: case SSH_CHANNEL_X11_LISTENER:
1497: case SSH_CHANNEL_PORT_LISTENER:
1.72.2.1 jason 1498: case SSH_CHANNEL_RPORT_LISTENER:
1.25 markus 1499: case SSH_CHANNEL_CLOSED:
1500: case SSH_CHANNEL_AUTH_SOCKET:
1.72.2.1 jason 1501: case SSH_CHANNEL_CONNECTING: /* XXX ??? */
1.25 markus 1502: continue;
1.44 markus 1503: case SSH_CHANNEL_LARVAL:
1504: if (!compat20)
1505: fatal("cannot happen: SSH_CHANNEL_LARVAL");
1506: continue;
1.25 markus 1507: case SSH_CHANNEL_OPENING:
1508: case SSH_CHANNEL_OPEN:
1509: case SSH_CHANNEL_X11_OPEN:
1510: return 1;
1511: case SSH_CHANNEL_INPUT_DRAINING:
1512: case SSH_CHANNEL_OUTPUT_DRAINING:
1513: if (!compat13)
1514: fatal("cannot happen: OUT_DRAIN");
1515: return 1;
1516: default:
1517: fatal("channel_still_open: bad channel type %d", channels[i].type);
1518: /* NOTREACHED */
1519: }
1520: return 0;
1.1 deraadt 1521: }
1522:
1.27 markus 1523: /*
1524: * Returns a message describing the currently open forwarded connections,
1525: * suitable for sending to the client. The message contains crlf pairs for
1526: * newlines.
1527: */
1.1 deraadt 1528:
1.25 markus 1529: char *
1530: channel_open_message()
1.1 deraadt 1531: {
1.25 markus 1532: Buffer buffer;
1533: int i;
1534: char buf[512], *cp;
1535:
1536: buffer_init(&buffer);
1537: snprintf(buf, sizeof buf, "The following connections are open:\r\n");
1.1 deraadt 1538: buffer_append(&buffer, buf, strlen(buf));
1.25 markus 1539: for (i = 0; i < channels_alloc; i++) {
1540: Channel *c = &channels[i];
1541: switch (c->type) {
1542: case SSH_CHANNEL_FREE:
1543: case SSH_CHANNEL_X11_LISTENER:
1544: case SSH_CHANNEL_PORT_LISTENER:
1.72.2.1 jason 1545: case SSH_CHANNEL_RPORT_LISTENER:
1.25 markus 1546: case SSH_CHANNEL_CLOSED:
1547: case SSH_CHANNEL_AUTH_SOCKET:
1548: continue;
1.44 markus 1549: case SSH_CHANNEL_LARVAL:
1.25 markus 1550: case SSH_CHANNEL_OPENING:
1.72.2.1 jason 1551: case SSH_CHANNEL_CONNECTING:
1.25 markus 1552: case SSH_CHANNEL_OPEN:
1553: case SSH_CHANNEL_X11_OPEN:
1554: case SSH_CHANNEL_INPUT_DRAINING:
1555: case SSH_CHANNEL_OUTPUT_DRAINING:
1.41 markus 1556: snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
1.37 markus 1557: c->self, c->remote_name,
1558: c->type, c->remote_id,
1559: c->istate, buffer_len(&c->input),
1.41 markus 1560: c->ostate, buffer_len(&c->output),
1561: c->rfd, c->wfd);
1.25 markus 1562: buffer_append(&buffer, buf, strlen(buf));
1563: continue;
1564: default:
1.41 markus 1565: fatal("channel_open_message: bad channel type %d", c->type);
1.25 markus 1566: /* NOTREACHED */
1567: }
1568: }
1569: buffer_append(&buffer, "\0", 1);
1570: cp = xstrdup(buffer_ptr(&buffer));
1571: buffer_free(&buffer);
1572: return cp;
1.1 deraadt 1573: }
1574:
1.27 markus 1575: /*
1576: * Initiate forwarding of connections to local port "port" through the secure
1577: * channel to host:port from remote side.
1578: */
1.72.2.1 jason 1579: int
1580: channel_request_local_forwarding(u_short listen_port, const char *host_to_connect,
1581: u_short port_to_connect, int gateway_ports)
1582: {
1583: return channel_request_forwarding(
1584: NULL, listen_port,
1585: host_to_connect, port_to_connect,
1586: gateway_ports, /*remote_fwd*/ 0);
1587: }
1.1 deraadt 1588:
1.72.2.1 jason 1589: /*
1590: * If 'remote_fwd' is true we have a '-R style' listener for protocol 2
1591: * (SSH_CHANNEL_RPORT_LISTENER).
1592: */
1593: int
1594: channel_request_forwarding(
1595: const char *listen_address, u_short listen_port,
1596: const char *host_to_connect, u_short port_to_connect,
1597: int gateway_ports, int remote_fwd)
1.25 markus 1598: {
1.72.2.1 jason 1599: int success, ch, sock, on = 1, ctype;
1.35 markus 1600: struct addrinfo hints, *ai, *aitop;
1601: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1.72.2.1 jason 1602: const char *host;
1.28 markus 1603: struct linger linger;
1.25 markus 1604:
1.72.2.1 jason 1605: success = 0;
1606:
1607: if (remote_fwd) {
1608: host = listen_address;
1609: ctype = SSH_CHANNEL_RPORT_LISTENER;
1610: } else {
1611: host = host_to_connect;
1612: ctype =SSH_CHANNEL_PORT_LISTENER;
1613: }
1.25 markus 1614:
1.72.2.1 jason 1615: if (strlen(host) > sizeof(channels[0].path) - 1) {
1616: error("Forward host name too long.");
1617: return success;
1618: }
1619:
1620: /* XXX listen_address is currently ignored */
1.28 markus 1621: /*
1.35 markus 1622: * getaddrinfo returns a loopback address if the hostname is
1623: * set to NULL and hints.ai_flags is not AI_PASSIVE
1.28 markus 1624: */
1.35 markus 1625: memset(&hints, 0, sizeof(hints));
1626: hints.ai_family = IPv4or6;
1627: hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1628: hints.ai_socktype = SOCK_STREAM;
1.72.2.1 jason 1629: snprintf(strport, sizeof strport, "%d", listen_port);
1.35 markus 1630: if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1631: packet_disconnect("getaddrinfo: fatal error");
1632:
1633: for (ai = aitop; ai; ai = ai->ai_next) {
1634: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1635: continue;
1636: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1637: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1.72.2.1 jason 1638: error("channel_request_forwarding: getnameinfo failed");
1.35 markus 1639: continue;
1640: }
1641: /* Create a port to listen for the host. */
1642: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1643: if (sock < 0) {
1644: /* this is no error since kernel may not support ipv6 */
1645: verbose("socket: %.100s", strerror(errno));
1646: continue;
1647: }
1648: /*
1649: * Set socket options. We would like the socket to disappear
1650: * as soon as it has been closed for whatever reason.
1651: */
1652: setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1653: linger.l_onoff = 1;
1654: linger.l_linger = 5;
1655: setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1656: debug("Local forwarding listening on %s port %s.", ntop, strport);
1657:
1658: /* Bind the socket to the address. */
1659: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1660: /* address can be in use ipv6 address is already bound */
1661: verbose("bind: %.100s", strerror(errno));
1662: close(sock);
1663: continue;
1664: }
1665: /* Start listening for connections on the socket. */
1666: if (listen(sock, 5) < 0) {
1667: error("listen: %.100s", strerror(errno));
1668: close(sock);
1669: continue;
1670: }
1671: /* Allocate a channel number for the socket. */
1.72.2.1 jason 1672: ch = channel_new("port listener", ctype, sock, sock, -1,
1.51 markus 1673: CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.71 markus 1674: 0, xstrdup("port listener"), 1);
1.35 markus 1675: strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1.72.2.1 jason 1676: channels[ch].host_port = port_to_connect;
1677: channels[ch].listening_port = listen_port;
1.35 markus 1678: success = 1;
1679: }
1680: if (success == 0)
1.72.2.1 jason 1681: error("channel_request_forwarding: cannot listen to port: %d",
1682: listen_port);
1.35 markus 1683: freeaddrinfo(aitop);
1.72.2.1 jason 1684: return success;
1.25 markus 1685: }
1.1 deraadt 1686:
1.27 markus 1687: /*
1688: * Initiate forwarding of connections to port "port" on remote host through
1689: * the secure channel to host:port from local side.
1690: */
1.1 deraadt 1691:
1.49 markus 1692: void
1.72.2.1 jason 1693: channel_request_remote_forwarding(u_short listen_port,
1694: const char *host_to_connect, u_short port_to_connect)
1.25 markus 1695: {
1.72.2.1 jason 1696: int payload_len, type, success = 0;
1697:
1.25 markus 1698: /* Record locally that connection to this host/port is permitted. */
1699: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1700: fatal("channel_request_remote_forwarding: too many forwards");
1701:
1702: /* Send the forward request to the remote side. */
1.44 markus 1703: if (compat20) {
1704: const char *address_to_bind = "0.0.0.0";
1705: packet_start(SSH2_MSG_GLOBAL_REQUEST);
1706: packet_put_cstring("tcpip-forward");
1707: packet_put_char(0); /* boolean: want reply */
1708: packet_put_cstring(address_to_bind);
1709: packet_put_int(listen_port);
1.72.2.1 jason 1710: packet_send();
1711: packet_write_wait();
1712: /* Assume that server accepts the request */
1713: success = 1;
1.44 markus 1714: } else {
1715: packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1.50 markus 1716: packet_put_int(listen_port);
1717: packet_put_cstring(host_to_connect);
1.44 markus 1718: packet_put_int(port_to_connect);
1719: packet_send();
1720: packet_write_wait();
1.72.2.1 jason 1721:
1722: /* Wait for response from the remote side. */
1723: type = packet_read(&payload_len);
1724: switch (type) {
1725: case SSH_SMSG_SUCCESS:
1726: success = 1;
1727: break;
1728: case SSH_SMSG_FAILURE:
1729: log("Warning: Server denied remote port forwarding.");
1730: break;
1731: default:
1732: /* Unknown packet */
1733: packet_disconnect("Protocol error for port forward request:"
1734: "received packet type %d.", type);
1735: }
1736: }
1737: if (success) {
1738: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1739: permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1740: permitted_opens[num_permitted_opens].listen_port = listen_port;
1741: num_permitted_opens++;
1.44 markus 1742: }
1.1 deraadt 1743: }
1744:
1.27 markus 1745: /*
1746: * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1747: * listening for the port, and sends back a success reply (or disconnect
1748: * message if there was an error). This never returns if there was an error.
1749: */
1.1 deraadt 1750:
1.49 markus 1751: void
1.56 markus 1752: channel_input_port_forward_request(int is_root, int gateway_ports)
1.1 deraadt 1753: {
1.31 markus 1754: u_short port, host_port;
1.25 markus 1755: char *hostname;
1.1 deraadt 1756:
1.25 markus 1757: /* Get arguments from the packet. */
1758: port = packet_get_int();
1759: hostname = packet_get_string(NULL);
1760: host_port = packet_get_int();
1761:
1.27 markus 1762: /*
1763: * Check that an unprivileged user is not trying to forward a
1764: * privileged port.
1765: */
1.25 markus 1766: if (port < IPPORT_RESERVED && !is_root)
1767: packet_disconnect("Requested forwarding of port %d but user is not root.",
1768: port);
1.72.2.1 jason 1769: /* Initiate forwarding */
1.56 markus 1770: channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
1.25 markus 1771:
1772: /* Free the argument string. */
1773: xfree(hostname);
1.1 deraadt 1774: }
1775:
1.72.2.3! jason 1776: /*
! 1777: * Permits opening to any host/port if permitted_opens[] is empty. This is
! 1778: * usually called by the server, because the user could connect to any port
! 1779: * anyway, and the server has no way to know but to trust the client anyway.
! 1780: */
! 1781: void
! 1782: channel_permit_all_opens()
! 1783: {
! 1784: if (num_permitted_opens == 0)
! 1785: all_opens_permitted = 1;
! 1786: }
! 1787:
! 1788: void
! 1789: channel_add_permitted_opens(char *host, int port)
! 1790: {
! 1791: if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
! 1792: fatal("channel_request_remote_forwarding: too many forwards");
! 1793: debug("allow port forwarding to host %s port %d", host, port);
! 1794:
! 1795: permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
! 1796: permitted_opens[num_permitted_opens].port_to_connect = port;
! 1797: num_permitted_opens++;
! 1798:
! 1799: all_opens_permitted = 0;
! 1800: }
! 1801:
! 1802: void
! 1803: channel_clear_permitted_opens(void)
! 1804: {
! 1805: int i;
! 1806:
! 1807: for (i = 0; i < num_permitted_opens; i++)
! 1808: xfree(permitted_opens[i].host_to_connect);
! 1809: num_permitted_opens = 0;
! 1810:
! 1811: }
! 1812:
! 1813:
! 1814: /* return socket to remote host, port */
1.41 markus 1815: int
1.72.2.3! jason 1816: connect_to(const char *host, u_short port)
1.41 markus 1817: {
1818: struct addrinfo hints, *ai, *aitop;
1819: char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1820: int gaierr;
1821: int sock = -1;
1822:
1823: memset(&hints, 0, sizeof(hints));
1824: hints.ai_family = IPv4or6;
1825: hints.ai_socktype = SOCK_STREAM;
1.72.2.3! jason 1826: snprintf(strport, sizeof strport, "%d", port);
1.41 markus 1827: if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1.72.2.3! jason 1828: error("connect_to %.100s: unknown host (%s)", host,
! 1829: gai_strerror(gaierr));
1.41 markus 1830: return -1;
1831: }
1832: for (ai = aitop; ai; ai = ai->ai_next) {
1833: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1834: continue;
1835: if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1836: strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1.72.2.3! jason 1837: error("connect_to: getnameinfo failed");
1.41 markus 1838: continue;
1839: }
1840: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1841: if (sock < 0) {
1842: error("socket: %.100s", strerror(errno));
1843: continue;
1844: }
1.72.2.1 jason 1845: if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
1846: fatal("connect_to: F_SETFL: %s", strerror(errno));
1847: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
1848: errno != EINPROGRESS) {
1.72.2.3! jason 1849: error("connect_to %.100s port %s: %.100s", ntop, strport,
1.41 markus 1850: strerror(errno));
1851: close(sock);
1.72.2.1 jason 1852: continue; /* fail -- try next */
1.41 markus 1853: }
1854: break; /* success */
1855:
1856: }
1857: freeaddrinfo(aitop);
1858: if (!ai) {
1.72.2.3! jason 1859: error("connect_to %.100s port %d: failed.", host, port);
1.41 markus 1860: return -1;
1861: }
1862: /* success */
1863: return sock;
1864: }
1.72.2.3! jason 1865:
1.72.2.1 jason 1866: int
1867: channel_connect_by_listen_adress(u_short listen_port)
1868: {
1869: int i;
1.72.2.3! jason 1870:
1.72.2.1 jason 1871: for (i = 0; i < num_permitted_opens; i++)
1872: if (permitted_opens[i].listen_port == listen_port)
1.72.2.3! jason 1873: return connect_to(
1.72.2.1 jason 1874: permitted_opens[i].host_to_connect,
1875: permitted_opens[i].port_to_connect);
1876: error("WARNING: Server requests forwarding for unknown listen_port %d",
1877: listen_port);
1878: return -1;
1879: }
1880:
1.72.2.3! jason 1881: /* Check if connecting to that port is permitted and connect. */
! 1882: int
! 1883: channel_connect_to(const char *host, u_short port)
! 1884: {
! 1885: int i, permit;
! 1886:
! 1887: permit = all_opens_permitted;
! 1888: if (!permit) {
! 1889: for (i = 0; i < num_permitted_opens; i++)
! 1890: if (permitted_opens[i].port_to_connect == port &&
! 1891: strcmp(permitted_opens[i].host_to_connect, host) == 0)
! 1892: permit = 1;
! 1893:
! 1894: }
! 1895: if (!permit) {
! 1896: log("Received request to connect to host %.100s port %d, "
! 1897: "but the request was denied.", host, port);
! 1898: return -1;
! 1899: }
! 1900: return connect_to(host, port);
! 1901: }
! 1902:
1.27 markus 1903: /*
1904: * This is called after receiving PORT_OPEN message. This attempts to
1905: * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1906: * or CHANNEL_OPEN_FAILURE.
1907: */
1.1 deraadt 1908:
1.49 markus 1909: void
1.69 markus 1910: channel_input_port_open(int type, int plen, void *ctxt)
1.1 deraadt 1911: {
1.31 markus 1912: u_short host_port;
1.25 markus 1913: char *host, *originator_string;
1.72.2.3! jason 1914: int remote_channel, sock = -1, newch;
1.25 markus 1915:
1916: remote_channel = packet_get_int();
1.72.2.3! jason 1917: host = packet_get_string(NULL);
1.25 markus 1918: host_port = packet_get_int();
1919:
1.29 markus 1920: if (have_hostname_in_open) {
1.72.2.3! jason 1921: originator_string = packet_get_string(NULL);
1.29 markus 1922: } else {
1.25 markus 1923: originator_string = xstrdup("unknown (remote did not supply name)");
1.29 markus 1924: }
1.72.2.3! jason 1925: packet_done();
! 1926: sock = channel_connect_to(host, host_port);
! 1927: if (sock != -1) {
1.72.2.1 jason 1928: newch = channel_allocate(SSH_CHANNEL_CONNECTING,
1929: sock, originator_string);
1.41 markus 1930: channels[newch].remote_id = remote_channel;
1931:
1.72.2.3! jason 1932: /*XXX delay answer? */
1.41 markus 1933: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1934: packet_put_int(remote_channel);
1935: packet_put_int(newch);
1936: packet_send();
1937: } else {
1938: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1939: packet_put_int(remote_channel);
1940: packet_send();
1.25 markus 1941: }
1942: xfree(host);
1.1 deraadt 1943: }
1944:
1.27 markus 1945: /*
1946: * Creates an internet domain socket for listening for X11 connections.
1947: * Returns a suitable value for the DISPLAY variable, or NULL if an error
1948: * occurs.
1949: */
1.1 deraadt 1950:
1.35 markus 1951: #define NUM_SOCKS 10
1952:
1.25 markus 1953: char *
1.33 markus 1954: x11_create_display_inet(int screen_number, int x11_display_offset)
1.1 deraadt 1955: {
1.31 markus 1956: int display_number, sock;
1957: u_short port;
1.35 markus 1958: struct addrinfo hints, *ai, *aitop;
1959: char strport[NI_MAXSERV];
1960: int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1961: char display[512];
1.25 markus 1962: char hostname[MAXHOSTNAMELEN];
1963:
1.33 markus 1964: for (display_number = x11_display_offset;
1.25 markus 1965: display_number < MAX_DISPLAYS;
1966: display_number++) {
1967: port = 6000 + display_number;
1.35 markus 1968: memset(&hints, 0, sizeof(hints));
1969: hints.ai_family = IPv4or6;
1.36 markus 1970: hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1.35 markus 1971: hints.ai_socktype = SOCK_STREAM;
1972: snprintf(strport, sizeof strport, "%d", port);
1973: if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1974: error("getaddrinfo: %.100s", gai_strerror(gaierr));
1.25 markus 1975: return NULL;
1976: }
1.35 markus 1977: for (ai = aitop; ai; ai = ai->ai_next) {
1978: if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1979: continue;
1980: sock = socket(ai->ai_family, SOCK_STREAM, 0);
1981: if (sock < 0) {
1982: error("socket: %.100s", strerror(errno));
1983: return NULL;
1984: }
1985: if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1986: debug("bind port %d: %.100s", port, strerror(errno));
1987: shutdown(sock, SHUT_RDWR);
1988: close(sock);
1989: for (n = 0; n < num_socks; n++) {
1990: shutdown(socks[n], SHUT_RDWR);
1991: close(socks[n]);
1992: }
1993: num_socks = 0;
1994: break;
1995: }
1996: socks[num_socks++] = sock;
1997: if (num_socks == NUM_SOCKS)
1998: break;
1.25 markus 1999: }
1.72.2.1 jason 2000: freeaddrinfo(aitop);
1.35 markus 2001: if (num_socks > 0)
2002: break;
1.25 markus 2003: }
2004: if (display_number >= MAX_DISPLAYS) {
2005: error("Failed to allocate internet-domain X11 display socket.");
2006: return NULL;
2007: }
2008: /* Start listening for connections on the socket. */
1.35 markus 2009: for (n = 0; n < num_socks; n++) {
2010: sock = socks[n];
2011: if (listen(sock, 5) < 0) {
2012: error("listen: %.100s", strerror(errno));
2013: shutdown(sock, SHUT_RDWR);
2014: close(sock);
2015: return NULL;
2016: }
1.25 markus 2017: }
1.35 markus 2018:
1.25 markus 2019: /* Set up a suitable value for the DISPLAY variable. */
2020: if (gethostname(hostname, sizeof(hostname)) < 0)
2021: fatal("gethostname: %.100s", strerror(errno));
1.35 markus 2022: snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
1.25 markus 2023: display_number, screen_number);
2024:
1.35 markus 2025: /* Allocate a channel for each socket. */
2026: for (n = 0; n < num_socks; n++) {
2027: sock = socks[n];
1.51 markus 2028: (void) channel_new("x11 listener",
2029: SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
2030: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
1.71 markus 2031: 0, xstrdup("X11 inet listener"), 1);
1.35 markus 2032: }
1.1 deraadt 2033:
1.25 markus 2034: /* Return a suitable value for the DISPLAY environment variable. */
1.35 markus 2035: return xstrdup(display);
1.1 deraadt 2036: }
2037:
2038: #ifndef X_UNIX_PATH
2039: #define X_UNIX_PATH "/tmp/.X11-unix/X"
2040: #endif
2041:
2042: static
2043: int
1.72.2.1 jason 2044: connect_local_xsocket(u_int dnr)
1.1 deraadt 2045: {
1.25 markus 2046: static const char *const x_sockets[] = {
2047: X_UNIX_PATH "%u",
2048: "/var/X/.X11-unix/X" "%u",
2049: "/usr/spool/sockets/X11/" "%u",
2050: NULL
2051: };
2052: int sock;
2053: struct sockaddr_un addr;
2054: const char *const * path;
2055:
2056: for (path = x_sockets; *path; ++path) {
2057: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2058: if (sock < 0)
2059: error("socket: %.100s", strerror(errno));
2060: memset(&addr, 0, sizeof(addr));
2061: addr.sun_family = AF_UNIX;
2062: snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
2063: if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
2064: return sock;
2065: close(sock);
2066: }
2067: error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
2068: return -1;
1.1 deraadt 2069: }
2070:
1.51 markus 2071: int
2072: x11_connect_display(void)
1.1 deraadt 2073: {
1.51 markus 2074: int display_number, sock = 0;
1.25 markus 2075: const char *display;
1.51 markus 2076: char buf[1024], *cp;
1.35 markus 2077: struct addrinfo hints, *ai, *aitop;
2078: char strport[NI_MAXSERV];
2079: int gaierr;
1.25 markus 2080:
2081: /* Try to open a socket for the local X server. */
2082: display = getenv("DISPLAY");
2083: if (!display) {
2084: error("DISPLAY not set.");
1.51 markus 2085: return -1;
1.25 markus 2086: }
1.27 markus 2087: /*
2088: * Now we decode the value of the DISPLAY variable and make a
2089: * connection to the real X server.
2090: */
2091:
2092: /*
2093: * Check if it is a unix domain socket. Unix domain displays are in
2094: * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
2095: */
1.25 markus 2096: if (strncmp(display, "unix:", 5) == 0 ||
2097: display[0] == ':') {
2098: /* Connect to the unix domain socket. */
2099: if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
2100: error("Could not parse display number from DISPLAY: %.100s",
2101: display);
1.51 markus 2102: return -1;
1.25 markus 2103: }
2104: /* Create a socket. */
2105: sock = connect_local_xsocket(display_number);
2106: if (sock < 0)
1.51 markus 2107: return -1;
1.25 markus 2108:
2109: /* OK, we now have a connection to the display. */
1.51 markus 2110: return sock;
1.25 markus 2111: }
1.27 markus 2112: /*
2113: * Connect to an inet socket. The DISPLAY value is supposedly
2114: * hostname:d[.s], where hostname may also be numeric IP address.
2115: */
1.25 markus 2116: strncpy(buf, display, sizeof(buf));
2117: buf[sizeof(buf) - 1] = 0;
2118: cp = strchr(buf, ':');
2119: if (!cp) {
2120: error("Could not find ':' in DISPLAY: %.100s", display);
1.51 markus 2121: return -1;
1.25 markus 2122: }
2123: *cp = 0;
1.27 markus 2124: /* buf now contains the host name. But first we parse the display number. */
1.25 markus 2125: if (sscanf(cp + 1, "%d", &display_number) != 1) {
2126: error("Could not parse display number from DISPLAY: %.100s",
2127: display);
1.51 markus 2128: return -1;
1.25 markus 2129: }
1.35 markus 2130:
2131: /* Look up the host address */
2132: memset(&hints, 0, sizeof(hints));
2133: hints.ai_family = IPv4or6;
2134: hints.ai_socktype = SOCK_STREAM;
2135: snprintf(strport, sizeof strport, "%d", 6000 + display_number);
2136: if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
2137: error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
1.51 markus 2138: return -1;
1.25 markus 2139: }
1.35 markus 2140: for (ai = aitop; ai; ai = ai->ai_next) {
2141: /* Create a socket. */
2142: sock = socket(ai->ai_family, SOCK_STREAM, 0);
2143: if (sock < 0) {
2144: debug("socket: %.100s", strerror(errno));
1.41 markus 2145: continue;
2146: }
2147: /* Connect it to the display. */
2148: if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2149: debug("connect %.100s port %d: %.100s", buf,
2150: 6000 + display_number, strerror(errno));
2151: close(sock);
2152: continue;
2153: }
2154: /* Success */
2155: break;
1.35 markus 2156: }
2157: freeaddrinfo(aitop);
2158: if (!ai) {
1.49 markus 2159: error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1.35 markus 2160: strerror(errno));
1.51 markus 2161: return -1;
1.25 markus 2162: }
1.51 markus 2163: return sock;
2164: }
2165:
2166: /*
2167: * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
2168: * the remote channel number. We should do whatever we want, and respond
2169: * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
2170: */
2171:
2172: void
1.69 markus 2173: x11_input_open(int type, int plen, void *ctxt)
1.51 markus 2174: {
2175: int remote_channel, sock = 0, newch;
2176: char *remote_host;
1.72.2.1 jason 2177: u_int remote_len;
1.25 markus 2178:
1.51 markus 2179: /* Get remote channel number. */
2180: remote_channel = packet_get_int();
2181:
2182: /* Get remote originator name. */
2183: if (have_hostname_in_open) {
2184: remote_host = packet_get_string(&remote_len);
2185: remote_len += 4;
2186: } else {
2187: remote_host = xstrdup("unknown (remote did not supply name)");
2188: remote_len = 0;
2189: }
1.25 markus 2190:
1.51 markus 2191: debug("Received X11 open request.");
2192: packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
1.25 markus 2193:
1.51 markus 2194: /* Obtain a connection to the real X display. */
2195: sock = x11_connect_display();
2196: if (sock == -1) {
2197: /* Send refusal to the remote host. */
2198: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2199: packet_put_int(remote_channel);
2200: packet_send();
2201: } else {
2202: /* Allocate a channel for this connection. */
2203: newch = channel_allocate(
2204: (x11_saved_proto == NULL) ?
2205: SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
2206: sock, remote_host);
2207: channels[newch].remote_id = remote_channel;
1.25 markus 2208:
1.51 markus 2209: /* Send a confirmation to the remote host. */
2210: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2211: packet_put_int(remote_channel);
2212: packet_put_int(newch);
2213: packet_send();
2214: }
1.72 markus 2215: }
2216:
2217: /* dummy protocol handler that denies SSH-1 requests (agent/x11) */
2218: void
2219: deny_input_open(int type, int plen, void *ctxt)
2220: {
2221: int rchan = packet_get_int();
2222: switch(type){
2223: case SSH_SMSG_AGENT_OPEN:
2224: error("Warning: ssh server tried agent forwarding.");
2225: break;
2226: case SSH_SMSG_X11_OPEN:
2227: error("Warning: ssh server tried X11 forwarding.");
2228: break;
2229: default:
2230: error("deny_input_open: type %d plen %d", type, plen);
2231: break;
2232: }
2233: error("Warning: this is probably a break in attempt by a malicious server.");
2234: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2235: packet_put_int(rchan);
2236: packet_send();
1.1 deraadt 2237: }
2238:
1.27 markus 2239: /*
2240: * Requests forwarding of X11 connections, generates fake authentication
2241: * data, and enables authentication spoofing.
2242: */
1.1 deraadt 2243:
1.49 markus 2244: void
1.51 markus 2245: x11_request_forwarding_with_spoofing(int client_session_id,
2246: const char *proto, const char *data)
1.1 deraadt 2247: {
1.72.2.1 jason 2248: u_int data_len = (u_int) strlen(data) / 2;
2249: u_int i, value, len;
1.25 markus 2250: char *new_data;
2251: int screen_number;
2252: const char *cp;
2253: u_int32_t rand = 0;
2254:
2255: cp = getenv("DISPLAY");
2256: if (cp)
2257: cp = strchr(cp, ':');
2258: if (cp)
2259: cp = strchr(cp, '.');
2260: if (cp)
2261: screen_number = atoi(cp + 1);
2262: else
2263: screen_number = 0;
2264:
2265: /* Save protocol name. */
2266: x11_saved_proto = xstrdup(proto);
2267:
1.27 markus 2268: /*
2269: * Extract real authentication data and generate fake data of the
2270: * same length.
2271: */
1.25 markus 2272: x11_saved_data = xmalloc(data_len);
2273: x11_fake_data = xmalloc(data_len);
2274: for (i = 0; i < data_len; i++) {
2275: if (sscanf(data + 2 * i, "%2x", &value) != 1)
2276: fatal("x11_request_forwarding: bad authentication data: %.100s", data);
2277: if (i % 4 == 0)
2278: rand = arc4random();
2279: x11_saved_data[i] = value;
2280: x11_fake_data[i] = rand & 0xff;
2281: rand >>= 8;
2282: }
2283: x11_saved_data_len = data_len;
2284: x11_fake_data_len = data_len;
2285:
2286: /* Convert the fake data into hex. */
1.72.2.1 jason 2287: len = 2 * data_len + 1;
2288: new_data = xmalloc(len);
1.25 markus 2289: for (i = 0; i < data_len; i++)
1.72.2.1 jason 2290: snprintf(new_data + 2 * i, len - 2 * i,
2291: "%02x", (u_char) x11_fake_data[i]);
1.25 markus 2292:
2293: /* Send the request packet. */
1.51 markus 2294: if (compat20) {
2295: channel_request_start(client_session_id, "x11-req", 0);
2296: packet_put_char(0); /* XXX bool single connection */
2297: } else {
2298: packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
2299: }
2300: packet_put_cstring(proto);
2301: packet_put_cstring(new_data);
1.25 markus 2302: packet_put_int(screen_number);
2303: packet_send();
2304: packet_write_wait();
2305: xfree(new_data);
1.1 deraadt 2306: }
2307:
2308: /* Sends a message to the server to request authentication fd forwarding. */
2309:
1.49 markus 2310: void
1.25 markus 2311: auth_request_forwarding()
1.1 deraadt 2312: {
1.25 markus 2313: packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2314: packet_send();
2315: packet_write_wait();
1.1 deraadt 2316: }
2317:
1.27 markus 2318: /*
2319: * Returns the name of the forwarded authentication socket. Returns NULL if
2320: * there is no forwarded authentication socket. The returned value points to
2321: * a static buffer.
2322: */
1.1 deraadt 2323:
1.25 markus 2324: char *
2325: auth_get_socket_name()
1.1 deraadt 2326: {
1.25 markus 2327: return channel_forwarded_auth_socket_name;
1.1 deraadt 2328: }
2329:
1.12 markus 2330: /* removes the agent forwarding socket */
2331:
1.49 markus 2332: void
1.25 markus 2333: cleanup_socket(void)
2334: {
1.72.2.1 jason 2335: unlink(channel_forwarded_auth_socket_name);
1.25 markus 2336: rmdir(channel_forwarded_auth_socket_dir);
1.12 markus 2337: }
2338:
1.27 markus 2339: /*
1.59 markus 2340: * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
1.27 markus 2341: * This starts forwarding authentication requests.
2342: */
1.1 deraadt 2343:
1.59 markus 2344: int
1.25 markus 2345: auth_input_request_forwarding(struct passwd * pw)
1.1 deraadt 2346: {
1.25 markus 2347: int sock, newch;
2348: struct sockaddr_un sunaddr;
2349:
2350: if (auth_get_socket_name() != NULL)
2351: fatal("Protocol error: authentication forwarding requested twice.");
2352:
2353: /* Temporarily drop privileged uid for mkdir/bind. */
2354: temporarily_use_uid(pw->pw_uid);
2355:
2356: /* Allocate a buffer for the socket name, and format the name. */
2357: channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
2358: channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
2359: strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
2360:
2361: /* Create private directory for socket */
1.59 markus 2362: if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
2363: packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
2364: strerror(errno));
2365: restore_uid();
2366: xfree(channel_forwarded_auth_socket_name);
2367: xfree(channel_forwarded_auth_socket_dir);
2368: channel_forwarded_auth_socket_name = NULL;
2369: channel_forwarded_auth_socket_dir = NULL;
2370: return 0;
2371: }
1.25 markus 2372: snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
2373: channel_forwarded_auth_socket_dir, (int) getpid());
2374:
2375: if (atexit(cleanup_socket) < 0) {
2376: int saved = errno;
2377: cleanup_socket();
2378: packet_disconnect("socket: %.100s", strerror(saved));
2379: }
2380: /* Create the socket. */
2381: sock = socket(AF_UNIX, SOCK_STREAM, 0);
2382: if (sock < 0)
2383: packet_disconnect("socket: %.100s", strerror(errno));
2384:
2385: /* Bind it to the name. */
2386: memset(&sunaddr, 0, sizeof(sunaddr));
2387: sunaddr.sun_family = AF_UNIX;
2388: strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
2389: sizeof(sunaddr.sun_path));
2390:
2391: if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2392: packet_disconnect("bind: %.100s", strerror(errno));
2393:
2394: /* Restore the privileged uid. */
2395: restore_uid();
2396:
2397: /* Start listening on the socket. */
2398: if (listen(sock, 5) < 0)
2399: packet_disconnect("listen: %.100s", strerror(errno));
2400:
2401: /* Allocate a channel for the authentication agent socket. */
1.72.2.1 jason 2402: newch = channel_new("auth socket",
2403: SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
2404: CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
2405: 0, xstrdup("auth socket"), 1);
2406:
1.32 deraadt 2407: strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
2408: sizeof(channels[newch].path));
1.59 markus 2409: return 1;
1.1 deraadt 2410: }
2411:
2412: /* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2413:
1.49 markus 2414: void
1.69 markus 2415: auth_input_open_request(int type, int plen, void *ctxt)
1.1 deraadt 2416: {
1.25 markus 2417: int remch, sock, newch;
2418: char *dummyname;
1.41 markus 2419:
2420: packet_integrity_check(plen, 4, type);
1.25 markus 2421:
2422: /* Read the remote channel number from the message. */
2423: remch = packet_get_int();
2424:
1.27 markus 2425: /*
2426: * Get a connection to the local authentication agent (this may again
2427: * get forwarded).
2428: */
1.25 markus 2429: sock = ssh_get_authentication_socket();
2430:
1.27 markus 2431: /*
2432: * If we could not connect the agent, send an error message back to
2433: * the server. This should never happen unless the agent dies,
2434: * because authentication forwarding is only enabled if we have an
2435: * agent.
2436: */
1.25 markus 2437: if (sock < 0) {
2438: packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2439: packet_put_int(remch);
2440: packet_send();
2441: return;
2442: }
2443: debug("Forwarding authentication connection.");
1.1 deraadt 2444:
1.27 markus 2445: /*
2446: * Dummy host name. This will be freed when the channel is freed; it
2447: * will still be valid in the packet_put_string below since the
2448: * channel cannot yet be freed at that point.
2449: */
1.25 markus 2450: dummyname = xstrdup("authentication agent connection");
2451:
2452: newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
2453: channels[newch].remote_id = remch;
2454:
2455: /* Send a confirmation to the remote host. */
2456: packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2457: packet_put_int(remch);
2458: packet_put_int(newch);
1.44 markus 2459: packet_send();
2460: }
2461:
2462: void
1.51 markus 2463: channel_start_open(int id)
1.44 markus 2464: {
2465: Channel *c = channel_lookup(id);
2466: if (c == NULL) {
2467: log("channel_open: %d: bad id", id);
2468: return;
2469: }
1.51 markus 2470: debug("send channel open %d", id);
1.44 markus 2471: packet_start(SSH2_MSG_CHANNEL_OPEN);
2472: packet_put_cstring(c->ctype);
2473: packet_put_int(c->self);
2474: packet_put_int(c->local_window);
2475: packet_put_int(c->local_maxpacket);
1.51 markus 2476: }
2477: void
2478: channel_open(int id)
2479: {
2480: /* XXX REMOVE ME */
2481: channel_start_open(id);
1.44 markus 2482: packet_send();
2483: }
2484: void
2485: channel_request(int id, char *service, int wantconfirm)
2486: {
2487: channel_request_start(id, service, wantconfirm);
2488: packet_send();
2489: debug("channel request %d: %s", id, service) ;
2490: }
2491: void
2492: channel_request_start(int id, char *service, int wantconfirm)
2493: {
2494: Channel *c = channel_lookup(id);
2495: if (c == NULL) {
2496: log("channel_request: %d: bad id", id);
2497: return;
2498: }
2499: packet_start(SSH2_MSG_CHANNEL_REQUEST);
2500: packet_put_int(c->remote_id);
2501: packet_put_cstring(service);
2502: packet_put_char(wantconfirm);
2503: }
2504: void
2505: channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
2506: {
2507: Channel *c = channel_lookup(id);
2508: if (c == NULL) {
2509: log("channel_register_callback: %d: bad id", id);
2510: return;
2511: }
2512: c->cb_event = mtype;
2513: c->cb_fn = fn;
2514: c->cb_arg = arg;
2515: }
2516: void
2517: channel_register_cleanup(int id, channel_callback_fn *fn)
2518: {
2519: Channel *c = channel_lookup(id);
2520: if (c == NULL) {
2521: log("channel_register_cleanup: %d: bad id", id);
2522: return;
2523: }
2524: c->dettach_user = fn;
2525: }
2526: void
2527: channel_cancel_cleanup(int id)
2528: {
2529: Channel *c = channel_lookup(id);
2530: if (c == NULL) {
2531: log("channel_cancel_cleanup: %d: bad id", id);
2532: return;
2533: }
2534: c->dettach_user = NULL;
1.65 markus 2535: }
1.72.2.1 jason 2536: void
1.65 markus 2537: channel_register_filter(int id, channel_filter_fn *fn)
2538: {
2539: Channel *c = channel_lookup(id);
2540: if (c == NULL) {
2541: log("channel_register_filter: %d: bad id", id);
2542: return;
2543: }
2544: c->input_filter = fn;
1.44 markus 2545: }
2546:
2547: void
1.71 markus 2548: channel_set_fds(int id, int rfd, int wfd, int efd,
2549: int extusage, int nonblock)
1.44 markus 2550: {
2551: Channel *c = channel_lookup(id);
2552: if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
2553: fatal("channel_activate for non-larval channel %d.", id);
1.71 markus 2554: channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
1.44 markus 2555: c->type = SSH_CHANNEL_OPEN;
2556: /* XXX window size? */
1.68 markus 2557: c->local_window = c->local_window_max = c->local_maxpacket * 2;
1.44 markus 2558: packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
2559: packet_put_int(c->remote_id);
2560: packet_put_int(c->local_window);
1.25 markus 2561: packet_send();
1.1 deraadt 2562: }