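Lines matching refs:ssh — each entry below gives the source line number, the matching line, and the enclosing function ("argument" marks the line where ssh is declared as a parameter).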
98 static void server_init_dispatch(struct ssh *);
123 client_alive_check(struct ssh *ssh) in client_alive_check() argument
130 ssh_packet_inc_alive_timeouts(ssh) > in client_alive_check()
132 sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); in client_alive_check()
141 if ((channel_id = channel_find_open(ssh)) == -1) { in client_alive_check()
142 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || in client_alive_check()
143 (r = sshpkt_put_cstring(ssh, "keepalive@openssh.com")) in client_alive_check()
145 (r = sshpkt_put_u8(ssh, 1)) != 0) /* boolean: want reply */ in client_alive_check()
148 channel_request_start(ssh, channel_id, in client_alive_check()
151 if ((r = sshpkt_send(ssh)) != 0) in client_alive_check()
161 wait_until_can_do_something(struct ssh *ssh, in wait_until_can_do_something() argument
178 channel_prepare_poll(ssh, pfdp, npfd_allocp, npfd_activep, 2, &timeout); in wait_until_can_do_something()
182 if (options.rekey_interval > 0 && !ssh_packet_is_rekeying(ssh)) { in wait_until_can_do_something()
184 ssh_packet_get_rekey_timeout(ssh)); in wait_until_can_do_something()
192 if (channel_still_open(ssh) || unused_connection_expiry == 0) { in wait_until_can_do_something()
224 (*pfdp)[1].events = ssh_packet_have_data_to_write(ssh) ? POLLOUT : 0; in wait_until_can_do_something()
230 if (child_terminated && ssh_packet_not_very_much_data_to_write(ssh)) in wait_until_can_do_something()
253 client_alive_check(ssh); in wait_until_can_do_something()
263 now > unused_connection_expiry && !channel_still_open(ssh)) { in wait_until_can_do_something()
264 sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id)); in wait_until_can_do_something()
275 process_input(struct ssh *ssh, int connection_in) in process_input() argument
279 if ((r = ssh_packet_process_read(ssh, connection_in)) == 0) in process_input()
286 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); in process_input()
290 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), in process_input()
301 process_output(struct ssh *ssh, int connection_out) in process_output() argument
306 if ((r = ssh_packet_write_poll(ssh)) < 0) { in process_output()
307 sshpkt_fatal(ssh, r, "%s: ssh_packet_write_poll", in process_output()
313 process_buffered_input_packets(struct ssh *ssh) in process_buffered_input_packets() argument
315 ssh_dispatch_run_fatal(ssh, DISPATCH_NONBLOCK, NULL); in process_buffered_input_packets()
319 collect_children(struct ssh *ssh) in collect_children() argument
329 session_close_by_pid(ssh, pid, status); in collect_children()
335 server_loop2(struct ssh *ssh, Authctxt *authctxt) in server_loop2() argument
351 connection_in = ssh_packet_get_connection_in(ssh); in server_loop2()
352 connection_out = ssh_packet_get_connection_out(ssh); in server_loop2()
354 server_init_dispatch(ssh); in server_loop2()
357 process_buffered_input_packets(ssh); in server_loop2()
359 if (!ssh_packet_is_rekeying(ssh) && in server_loop2()
360 ssh_packet_not_very_much_data_to_write(ssh)) in server_loop2()
361 channel_output_poll(ssh); in server_loop2()
370 collect_children(ssh); in server_loop2()
371 wait_until_can_do_something(ssh, connection_in, connection_out, in server_loop2()
377 channel_after_poll(ssh, pfd, npfd_active); in server_loop2()
379 process_input(ssh, connection_in) < 0) in server_loop2()
382 if ((r = ssh_packet_check_rekey(ssh)) != 0) in server_loop2()
385 process_output(ssh, connection_out); in server_loop2()
387 collect_children(ssh); in server_loop2()
391 channel_free_all(ssh); in server_loop2()
394 session_destroy_all(ssh, NULL); in server_loop2()
397 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), in server_loop2()
403 server_input_keep_alive(int type, u_int32_t seq, struct ssh *ssh) in server_input_keep_alive() argument
411 ssh_packet_set_alive_timeouts(ssh, 0); in server_input_keep_alive()
416 server_request_direct_tcpip(struct ssh *ssh, int *reason, const char **errmsg) in server_request_direct_tcpip() argument
423 if ((r = sshpkt_get_cstring(ssh, &target, NULL)) != 0 || in server_request_direct_tcpip()
424 (r = sshpkt_get_u32(ssh, &target_port)) != 0 || in server_request_direct_tcpip()
425 (r = sshpkt_get_cstring(ssh, &originator, NULL)) != 0 || in server_request_direct_tcpip()
426 (r = sshpkt_get_u32(ssh, &originator_port)) != 0 || in server_request_direct_tcpip()
427 (r = sshpkt_get_end(ssh)) != 0) in server_request_direct_tcpip()
428 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); in server_request_direct_tcpip()
447 c = channel_connect_to_port(ssh, target, target_port, in server_request_direct_tcpip()
464 server_request_direct_streamlocal(struct ssh *ssh) in server_request_direct_streamlocal() argument
475 if ((r = sshpkt_get_cstring(ssh, &target, NULL)) != 0 || in server_request_direct_streamlocal()
476 (r = sshpkt_get_cstring(ssh, &originator, NULL)) != 0 || in server_request_direct_streamlocal()
477 (r = sshpkt_get_u32(ssh, &originator_port)) != 0 || in server_request_direct_streamlocal()
478 (r = sshpkt_get_end(ssh)) != 0) in server_request_direct_streamlocal()
479 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); in server_request_direct_streamlocal()
492 c = channel_connect_to_path(ssh, target, in server_request_direct_streamlocal()
507 server_request_tun(struct ssh *ssh) in server_request_tun() argument
514 if ((r = sshpkt_get_u32(ssh, &mode)) != 0) in server_request_tun()
515 sshpkt_fatal(ssh, r, "%s: parse mode", __func__); in server_request_tun()
521 ssh_packet_send_debug(ssh, "Unsupported tunnel device mode."); in server_request_tun()
525 ssh_packet_send_debug(ssh, "Server has rejected tunnel device " in server_request_tun()
530 if ((r = sshpkt_get_u32(ssh, &tun)) != 0) in server_request_tun()
531 sshpkt_fatal(ssh, r, "%s: parse device", __func__); in server_request_tun()
548 c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, in server_request_tun()
551 c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1, in server_request_tun()
570 ssh_packet_send_debug(ssh, "Failed to open the tunnel device."); in server_request_tun()
575 server_request_session(struct ssh *ssh) in server_request_session() argument
581 if ((r = sshpkt_get_end(ssh)) != 0) in server_request_session()
582 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); in server_request_session()
585 ssh_packet_disconnect(ssh, "Possible attack: attempt to open a " in server_request_session()
595 c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL, in server_request_session()
602 channel_free(ssh, c); in server_request_session()
605 channel_register_cleanup(ssh, c->self, session_close_by_channel, 0); in server_request_session()
610 server_input_channel_open(int type, u_int32_t seq, struct ssh *ssh) in server_input_channel_open() argument
618 if ((r = sshpkt_get_cstring(ssh, &ctype, NULL)) != 0 || in server_input_channel_open()
619 (r = sshpkt_get_u32(ssh, &rchan)) != 0 || in server_input_channel_open()
620 (r = sshpkt_get_u32(ssh, &rwindow)) != 0 || in server_input_channel_open()
621 (r = sshpkt_get_u32(ssh, &rmaxpack)) != 0) in server_input_channel_open()
622 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); in server_input_channel_open()
627 c = server_request_session(ssh); in server_input_channel_open()
629 c = server_request_direct_tcpip(ssh, &reason, &errmsg); in server_input_channel_open()
631 c = server_request_direct_streamlocal(ssh); in server_input_channel_open()
633 c = server_request_tun(ssh); in server_input_channel_open()
642 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || in server_input_channel_open()
643 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || in server_input_channel_open()
644 (r = sshpkt_put_u32(ssh, c->self)) != 0 || in server_input_channel_open()
645 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || in server_input_channel_open()
646 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 || in server_input_channel_open()
647 (r = sshpkt_send(ssh)) != 0) { in server_input_channel_open()
648 sshpkt_fatal(ssh, r, in server_input_channel_open()
654 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 || in server_input_channel_open()
655 (r = sshpkt_put_u32(ssh, rchan)) != 0 || in server_input_channel_open()
656 (r = sshpkt_put_u32(ssh, reason)) != 0 || in server_input_channel_open()
657 (r = sshpkt_put_cstring(ssh, errmsg ? errmsg : "open failed")) != 0 || in server_input_channel_open()
658 (r = sshpkt_put_cstring(ssh, "")) != 0 || in server_input_channel_open()
659 (r = sshpkt_send(ssh)) != 0) { in server_input_channel_open()
660 sshpkt_fatal(ssh, r, in server_input_channel_open()
669 server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf **respp) in server_input_hostkeys_prove() argument
683 ssh->kex->hostkey_alg)) == KEY_RSA) in server_input_hostkeys_prove()
684 kex_rsa_sigalg = ssh->kex->hostkey_alg; in server_input_hostkeys_prove()
685 while (ssh_packet_remaining(ssh) > 0) { in server_input_hostkeys_prove()
688 if ((r = sshpkt_get_string_direct(ssh, &blob, &blen)) != 0 || in server_input_hostkeys_prove()
697 if ((ndx = ssh->kex->host_key_index(key, 1, ssh)) == -1) { in server_input_hostkeys_prove()
706 (key_pub = get_hostkey_public_by_index(ndx, ssh)) == NULL) { in server_input_hostkeys_prove()
721 else if (ssh->kex->flags & KEX_RSA_SHA2_512_SUPPORTED) in server_input_hostkeys_prove()
723 else if (ssh->kex->flags & KEX_RSA_SHA2_256_SUPPORTED) in server_input_hostkeys_prove()
731 ssh->kex->session_id)) != 0 || in server_input_hostkeys_prove()
733 (r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen, in server_input_hostkeys_prove()
753 server_input_global_request(int type, u_int32_t seq, struct ssh *ssh) in server_input_global_request() argument
767 if ((r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 || in server_input_global_request()
768 (r = sshpkt_get_u8(ssh, &want_reply)) != 0) in server_input_global_request()
769 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); in server_input_global_request()
774 if ((r = sshpkt_get_cstring(ssh, &fwd.listen_host, NULL)) != 0 || in server_input_global_request()
775 (r = sshpkt_get_u32(ssh, &port)) != 0) in server_input_global_request()
776 sshpkt_fatal(ssh, r, "%s: parse tcpip-forward", __func__); in server_input_global_request()
788 ssh_packet_send_debug(ssh, "Server has disabled port forwarding."); in server_input_global_request()
791 success = channel_setup_remote_fwd_listener(ssh, &fwd, in server_input_global_request()
800 if ((r = sshpkt_get_cstring(ssh, &fwd.listen_host, NULL)) != 0 || in server_input_global_request()
801 (r = sshpkt_get_u32(ssh, &port)) != 0) in server_input_global_request()
802 sshpkt_fatal(ssh, r, "%s: parse cancel-tcpip-forward", __func__); in server_input_global_request()
808 success = channel_cancel_rport_listener(ssh, &fwd); in server_input_global_request()
811 if ((r = sshpkt_get_cstring(ssh, &fwd.listen_path, NULL)) != 0) in server_input_global_request()
812 sshpkt_fatal(ssh, r, "%s: parse streamlocal-forward@openssh.com", __func__); in server_input_global_request()
821 ssh_packet_send_debug(ssh, "Server has disabled " in server_input_global_request()
825 success = channel_setup_remote_fwd_listener(ssh, in server_input_global_request()
829 if ((r = sshpkt_get_cstring(ssh, &fwd.listen_path, NULL)) != 0) in server_input_global_request()
830 sshpkt_fatal(ssh, r, "%s: parse cancel-streamlocal-forward@openssh.com", __func__); in server_input_global_request()
834 success = channel_cancel_rport_listener(ssh, &fwd); in server_input_global_request()
839 success = server_input_hostkeys_prove(ssh, &resp); in server_input_global_request()
843 if ((r = sshpkt_start(ssh, success ? in server_input_global_request()
845 (success && resp != NULL && (r = sshpkt_putb(ssh, resp)) != 0) || in server_input_global_request()
846 (r = sshpkt_send(ssh)) != 0 || in server_input_global_request()
847 (r = ssh_packet_write_wait(ssh)) < 0) in server_input_global_request()
848 sshpkt_fatal(ssh, r, "%s: send reply", __func__); in server_input_global_request()
858 server_input_channel_req(int type, u_int32_t seq, struct ssh *ssh) in server_input_channel_req() argument
866 if ((r = sshpkt_get_u32(ssh, &id)) != 0 || in server_input_channel_req()
867 (r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 || in server_input_channel_req()
868 (r = sshpkt_get_u8(ssh, &want_reply)) != 0) in server_input_channel_req()
869 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); in server_input_channel_req()
874 if (id >= INT_MAX || (c = channel_lookup(ssh, (int)id)) == NULL) { in server_input_channel_req()
875 ssh_packet_disconnect(ssh, "%s: unknown channel %d", in server_input_channel_req()
879 if ((r = sshpkt_get_end(ssh)) != 0) in server_input_channel_req()
880 sshpkt_fatal(ssh, r, "%s: parse packet", __func__); in server_input_channel_req()
881 chan_rcvd_eow(ssh, c); in server_input_channel_req()
884 success = session_input_channel_req(ssh, c, rtype); in server_input_channel_req()
888 if ((r = sshpkt_start(ssh, success ? in server_input_channel_req()
890 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || in server_input_channel_req()
891 (r = sshpkt_send(ssh)) != 0) in server_input_channel_req()
892 sshpkt_fatal(ssh, r, "%s: send reply", __func__); in server_input_channel_req()
899 server_init_dispatch(struct ssh *ssh) in server_init_dispatch() argument
902 ssh_dispatch_init(ssh, &dispatch_protocol_error); in server_init_dispatch()
903 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); in server_init_dispatch()
904 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_DATA, &channel_input_data); in server_init_dispatch()
905 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); in server_init_dispatch()
906 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); in server_init_dispatch()
907 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open); in server_init_dispatch()
908 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); in server_init_dispatch()
909 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); in server_init_dispatch()
910 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_REQUEST, &server_input_channel_req); in server_init_dispatch()
911 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); in server_init_dispatch()
912 ssh_dispatch_set(ssh, SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); in server_init_dispatch()
914 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_SUCCESS, &server_input_keep_alive); in server_init_dispatch()
915 ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_FAILURE, &server_input_keep_alive); in server_init_dispatch()
916 ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_SUCCESS, &server_input_keep_alive); in server_init_dispatch()
917 ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_FAILURE, &server_input_keep_alive); in server_init_dispatch()
919 ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit); in server_init_dispatch()