1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This file contains functions for generic socket connection forwarding. 6 * There is also code for initiating connection forwarding for X11 connections, 7 * arbitrary tcp/ip connections, and the authentication agent connection. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * SSH2 support added by Markus Friedl. 16 * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. 17 * Copyright (c) 1999 Dug Song. All rights reserved. 18 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 30 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 31 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 32 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 33 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 34 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 35 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 36 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 37 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 38 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 */ 40 41 #include "includes.h" 42 RCSID("$OpenBSD: channels.c,v 1.132 2001/07/17 21:04:56 markus Exp $"); 43 44 #include "ssh.h" 45 #include "ssh1.h" 46 #include "ssh2.h" 47 #include "packet.h" 48 #include "xmalloc.h" 49 #include "uidswap.h" 50 #include "log.h" 51 #include "misc.h" 52 #include "channels.h" 53 #include "compat.h" 54 #include "canohost.h" 55 #include "key.h" 56 #include "authfd.h" 57 58 59 /* -- channel core */ 60 61 /* 62 * Pointer to an array containing all allocated channels. The array is 63 * dynamically extended as needed. 64 */ 65 static Channel **channels = NULL; 66 67 /* 68 * Size of the channel array. All slots of the array must always be 69 * initialized (at least the type field); unused slots set to NULL 70 */ 71 static int channels_alloc = 0; 72 73 /* 74 * Maximum file descriptor value used in any of the channels. This is 75 * updated in channel_new. 76 */ 77 static int channel_max_fd = 0; 78 79 80 /* -- tcp forwarding */ 81 82 /* 83 * Data structure for storing which hosts are permitted for forward requests. 84 * The local sides of any remote forwards are stored in this array to prevent 85 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 86 * network (which might be behind a firewall). 87 */ 88 typedef struct { 89 char *host_to_connect; /* Connect to 'host'. */ 90 u_short port_to_connect; /* Connect to 'port'. */ 91 u_short listen_port; /* Remote side should listen port number. */ 92 } ForwardPermission; 93 94 /* List of all permitted host/port pairs to connect. */ 95 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 96 97 /* Number of permitted host/port pairs in the array. */ 98 static int num_permitted_opens = 0; 99 /* 100 * If this is true, all opens are permitted. This is the case on the server 101 * on which we have to trust the client anyway, and the user could do 102 * anything after logging in anyway. 103 */ 104 static int all_opens_permitted = 0; 105 106 107 /* -- X11 forwarding */ 108 109 /* Maximum number of fake X11 displays to try. */ 110 #define MAX_DISPLAYS 1000 111 112 /* Saved X11 authentication protocol name. */ 113 static char *x11_saved_proto = NULL; 114 115 /* Saved X11 authentication data. This is the real data. */ 116 static char *x11_saved_data = NULL; 117 static u_int x11_saved_data_len = 0; 118 119 /* 120 * Fake X11 authentication data. This is what the server will be sending us; 121 * we should replace any occurrences of this by the real data. 122 */ 123 static char *x11_fake_data = NULL; 124 static u_int x11_fake_data_len; 125 126 127 /* -- agent forwarding */ 128 129 #define NUM_SOCKS 10 130 131 /* Name and directory of socket for authentication agent forwarding. */ 132 static char *auth_sock_name = NULL; 133 static char *auth_sock_dir = NULL; 134 135 /* AF_UNSPEC or AF_INET or AF_INET6 */ 136 extern int IPv4or6; 137 138 /* helper */ 139 static void port_open_helper(Channel *c, char *rtype); 140 141 /* -- channel core */ 142 143 Channel * 144 channel_lookup(int id) 145 { 146 Channel *c; 147 148 if (id < 0 || id > channels_alloc) { 149 log("channel_lookup: %d: bad id", id); 150 return NULL; 151 } 152 c = channels[id]; 153 if (c == NULL) { 154 log("channel_lookup: %d: bad id: channel free", id); 155 return NULL; 156 } 157 return c; 158 } 159 160 /* 161 * Register filedescriptors for a channel, used when allocating a channel or 162 * when the channel consumer/producer is ready, e.g. shell exec'd 163 */ 164 165 static void 166 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 167 int extusage, int nonblock) 168 { 169 /* Update the maximum file descriptor value. */ 170 channel_max_fd = MAX(channel_max_fd, rfd); 171 channel_max_fd = MAX(channel_max_fd, wfd); 172 channel_max_fd = MAX(channel_max_fd, efd); 173 174 /* XXX set close-on-exec -markus */ 175 176 c->rfd = rfd; 177 c->wfd = wfd; 178 c->sock = (rfd == wfd) ? rfd : -1; 179 c->efd = efd; 180 c->extended_usage = extusage; 181 182 /* XXX ugly hack: nonblock is only set by the server */ 183 if (nonblock && isatty(c->rfd)) { 184 debug("channel %d: rfd %d isatty", c->self, c->rfd); 185 c->isatty = 1; 186 if (!isatty(c->wfd)) { 187 error("channel %d: wfd %d is not a tty?", 188 c->self, c->wfd); 189 } 190 } else { 191 c->isatty = 0; 192 } 193 194 /* enable nonblocking mode */ 195 if (nonblock) { 196 if (rfd != -1) 197 set_nonblock(rfd); 198 if (wfd != -1) 199 set_nonblock(wfd); 200 if (efd != -1) 201 set_nonblock(efd); 202 } 203 } 204 205 /* 206 * Allocate a new channel object and set its type and socket. This will cause 207 * remote_name to be freed. 208 */ 209 210 Channel * 211 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 212 int window, int maxpack, int extusage, char *remote_name, int nonblock) 213 { 214 int i, found; 215 Channel *c; 216 217 /* Do initial allocation if this is the first call. */ 218 if (channels_alloc == 0) { 219 chan_init(); 220 channels_alloc = 10; 221 channels = xmalloc(channels_alloc * sizeof(Channel *)); 222 for (i = 0; i < channels_alloc; i++) 223 channels[i] = NULL; 224 fatal_add_cleanup((void (*) (void *)) channel_free_all, NULL); 225 } 226 /* Try to find a free slot where to put the new channel. */ 227 for (found = -1, i = 0; i < channels_alloc; i++) 228 if (channels[i] == NULL) { 229 /* Found a free slot. */ 230 found = i; 231 break; 232 } 233 if (found == -1) { 234 /* There are no free slots. Take last+1 slot and expand the array. */ 235 found = channels_alloc; 236 channels_alloc += 10; 237 debug2("channel: expanding %d", channels_alloc); 238 channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); 239 for (i = found; i < channels_alloc; i++) 240 channels[i] = NULL; 241 } 242 /* Initialize and return new channel. */ 243 c = channels[found] = xmalloc(sizeof(Channel)); 244 buffer_init(&c->input); 245 buffer_init(&c->output); 246 buffer_init(&c->extended); 247 chan_init_iostates(c); 248 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 249 c->self = found; 250 c->type = type; 251 c->ctype = ctype; 252 c->local_window = window; 253 c->local_window_max = window; 254 c->local_consumed = 0; 255 c->local_maxpacket = maxpack; 256 c->remote_id = -1; 257 c->remote_name = remote_name; 258 c->remote_window = 0; 259 c->remote_maxpacket = 0; 260 c->cb_fn = NULL; 261 c->cb_arg = NULL; 262 c->cb_event = 0; 263 c->detach_user = NULL; 264 c->input_filter = NULL; 265 debug("channel %d: new [%s]", found, remote_name); 266 return c; 267 } 268 269 static int 270 channel_find_maxfd(void) 271 { 272 int i, max = 0; 273 Channel *c; 274 275 for (i = 0; i < channels_alloc; i++) { 276 c = channels[i]; 277 if (c != NULL) { 278 max = MAX(max, c->rfd); 279 max = MAX(max, c->wfd); 280 max = MAX(max, c->efd); 281 } 282 } 283 return max; 284 } 285 286 int 287 channel_close_fd(int *fdp) 288 { 289 int ret = 0, fd = *fdp; 290 291 if (fd != -1) { 292 ret = close(fd); 293 *fdp = -1; 294 if (fd == channel_max_fd) 295 channel_max_fd = channel_find_maxfd(); 296 } 297 return ret; 298 } 299 300 /* Close all channel fd/socket. */ 301 302 static void 303 channel_close_fds(Channel *c) 304 { 305 debug3("channel_close_fds: channel %d: r %d w %d e %d", 306 c->self, c->rfd, c->wfd, c->efd); 307 308 channel_close_fd(&c->sock); 309 channel_close_fd(&c->rfd); 310 channel_close_fd(&c->wfd); 311 channel_close_fd(&c->efd); 312 } 313 314 /* Free the channel and close its fd/socket. */ 315 316 void 317 channel_free(Channel *c) 318 { 319 char *s; 320 int i, n; 321 322 for (n = 0, i = 0; i < channels_alloc; i++) 323 if (channels[i]) 324 n++; 325 debug("channel_free: channel %d: %s, nchannels %d", c->self, 326 c->remote_name ? c->remote_name : "???", n); 327 328 s = channel_open_message(); 329 debug3("channel_free: status: %s", s); 330 xfree(s); 331 332 if (c->detach_user != NULL) { 333 debug("channel_free: channel %d: detaching channel user", c->self); 334 c->detach_user(c->self, NULL); 335 } 336 if (c->sock != -1) 337 shutdown(c->sock, SHUT_RDWR); 338 channel_close_fds(c); 339 buffer_free(&c->input); 340 buffer_free(&c->output); 341 buffer_free(&c->extended); 342 if (c->remote_name) { 343 xfree(c->remote_name); 344 c->remote_name = NULL; 345 } 346 channels[c->self] = NULL; 347 xfree(c); 348 } 349 350 void 351 channel_free_all(void) 352 { 353 int i; 354 355 for (i = 0; i < channels_alloc; i++) 356 if (channels[i] != NULL) 357 channel_free(channels[i]); 358 } 359 360 void 361 channel_detach_all(void) 362 { 363 int i; 364 Channel *c; 365 366 for (i = 0; i < channels_alloc; i++) { 367 c = channels[i]; 368 if (c != NULL && c->detach_user != NULL) { 369 debug("channel_detach_all: channel %d", c->self); 370 c->detach_user(c->self, NULL); 371 c->detach_user = NULL; 372 } 373 } 374 } 375 376 /* 377 * Closes the sockets/fds of all channels. This is used to close extra file 378 * descriptors after a fork. 379 */ 380 381 void 382 channel_close_all() 383 { 384 int i; 385 386 for (i = 0; i < channels_alloc; i++) 387 if (channels[i] != NULL) 388 channel_close_fds(channels[i]); 389 } 390 391 /* 392 * Stop listening to channels. 393 */ 394 395 void 396 channel_stop_listening(void) 397 { 398 int i; 399 Channel *c; 400 401 for (i = 0; i < channels_alloc; i++) { 402 c = channels[i]; 403 if (c != NULL) { 404 switch (c->type) { 405 case SSH_CHANNEL_AUTH_SOCKET: 406 case SSH_CHANNEL_PORT_LISTENER: 407 case SSH_CHANNEL_RPORT_LISTENER: 408 case SSH_CHANNEL_X11_LISTENER: 409 channel_close_fd(&c->sock); 410 channel_free(c); 411 break; 412 } 413 } 414 } 415 } 416 417 /* 418 * Returns true if no channel has too much buffered data, and false if one or 419 * more channel is overfull. 420 */ 421 422 int 423 channel_not_very_much_buffered_data() 424 { 425 u_int i; 426 Channel *c; 427 428 for (i = 0; i < channels_alloc; i++) { 429 c = channels[i]; 430 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 431 if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) { 432 debug("channel %d: big input buffer %d", 433 c->self, buffer_len(&c->input)); 434 return 0; 435 } 436 if (buffer_len(&c->output) > packet_get_maxsize()) { 437 debug("channel %d: big output buffer %d", 438 c->self, buffer_len(&c->output)); 439 return 0; 440 } 441 } 442 } 443 return 1; 444 } 445 446 /* Returns true if any channel is still open. */ 447 448 int 449 channel_still_open() 450 { 451 int i; 452 Channel *c; 453 454 for (i = 0; i < channels_alloc; i++) { 455 c = channels[i]; 456 if (c == NULL) 457 continue; 458 switch (c->type) { 459 case SSH_CHANNEL_X11_LISTENER: 460 case SSH_CHANNEL_PORT_LISTENER: 461 case SSH_CHANNEL_RPORT_LISTENER: 462 case SSH_CHANNEL_CLOSED: 463 case SSH_CHANNEL_AUTH_SOCKET: 464 case SSH_CHANNEL_DYNAMIC: 465 case SSH_CHANNEL_CONNECTING: 466 case SSH_CHANNEL_ZOMBIE: 467 continue; 468 case SSH_CHANNEL_LARVAL: 469 if (!compat20) 470 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 471 continue; 472 case SSH_CHANNEL_OPENING: 473 case SSH_CHANNEL_OPEN: 474 case SSH_CHANNEL_X11_OPEN: 475 return 1; 476 case SSH_CHANNEL_INPUT_DRAINING: 477 case SSH_CHANNEL_OUTPUT_DRAINING: 478 if (!compat13) 479 fatal("cannot happen: OUT_DRAIN"); 480 return 1; 481 default: 482 fatal("channel_still_open: bad channel type %d", c->type); 483 /* NOTREACHED */ 484 } 485 } 486 return 0; 487 } 488 489 /* Returns the id of an open channel suitable for keepaliving */ 490 491 int 492 channel_find_open() 493 { 494 int i; 495 Channel *c; 496 497 for (i = 0; i < channels_alloc; i++) { 498 c = channels[i]; 499 if (c == NULL) 500 continue; 501 switch (c->type) { 502 case SSH_CHANNEL_CLOSED: 503 case SSH_CHANNEL_DYNAMIC: 504 case SSH_CHANNEL_X11_LISTENER: 505 case SSH_CHANNEL_PORT_LISTENER: 506 case SSH_CHANNEL_RPORT_LISTENER: 507 case SSH_CHANNEL_OPENING: 508 case SSH_CHANNEL_CONNECTING: 509 case SSH_CHANNEL_ZOMBIE: 510 continue; 511 case SSH_CHANNEL_LARVAL: 512 case SSH_CHANNEL_AUTH_SOCKET: 513 case SSH_CHANNEL_OPEN: 514 case SSH_CHANNEL_X11_OPEN: 515 return i; 516 case SSH_CHANNEL_INPUT_DRAINING: 517 case SSH_CHANNEL_OUTPUT_DRAINING: 518 if (!compat13) 519 fatal("cannot happen: OUT_DRAIN"); 520 return i; 521 default: 522 fatal("channel_find_open: bad channel type %d", c->type); 523 /* NOTREACHED */ 524 } 525 } 526 return -1; 527 } 528 529 530 /* 531 * Returns a message describing the currently open forwarded connections, 532 * suitable for sending to the client. The message contains crlf pairs for 533 * newlines. 534 */ 535 536 char * 537 channel_open_message() 538 { 539 Buffer buffer; 540 Channel *c; 541 char buf[1024], *cp; 542 int i; 543 544 buffer_init(&buffer); 545 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 546 buffer_append(&buffer, buf, strlen(buf)); 547 for (i = 0; i < channels_alloc; i++) { 548 c = channels[i]; 549 if (c == NULL) 550 continue; 551 switch (c->type) { 552 case SSH_CHANNEL_X11_LISTENER: 553 case SSH_CHANNEL_PORT_LISTENER: 554 case SSH_CHANNEL_RPORT_LISTENER: 555 case SSH_CHANNEL_CLOSED: 556 case SSH_CHANNEL_AUTH_SOCKET: 557 case SSH_CHANNEL_ZOMBIE: 558 continue; 559 case SSH_CHANNEL_LARVAL: 560 case SSH_CHANNEL_OPENING: 561 case SSH_CHANNEL_CONNECTING: 562 case SSH_CHANNEL_DYNAMIC: 563 case SSH_CHANNEL_OPEN: 564 case SSH_CHANNEL_X11_OPEN: 565 case SSH_CHANNEL_INPUT_DRAINING: 566 case SSH_CHANNEL_OUTPUT_DRAINING: 567 snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n", 568 c->self, c->remote_name, 569 c->type, c->remote_id, 570 c->istate, buffer_len(&c->input), 571 c->ostate, buffer_len(&c->output), 572 c->rfd, c->wfd); 573 buffer_append(&buffer, buf, strlen(buf)); 574 continue; 575 default: 576 fatal("channel_open_message: bad channel type %d", c->type); 577 /* NOTREACHED */ 578 } 579 } 580 buffer_append(&buffer, "\0", 1); 581 cp = xstrdup(buffer_ptr(&buffer)); 582 buffer_free(&buffer); 583 return cp; 584 } 585 586 void 587 channel_send_open(int id) 588 { 589 Channel *c = channel_lookup(id); 590 if (c == NULL) { 591 log("channel_send_open: %d: bad id", id); 592 return; 593 } 594 debug("send channel open %d", id); 595 packet_start(SSH2_MSG_CHANNEL_OPEN); 596 packet_put_cstring(c->ctype); 597 packet_put_int(c->self); 598 packet_put_int(c->local_window); 599 packet_put_int(c->local_maxpacket); 600 packet_send(); 601 } 602 603 void 604 channel_request(int id, char *service, int wantconfirm) 605 { 606 channel_request_start(id, service, wantconfirm); 607 packet_send(); 608 debug("channel request %d: %s", id, service) ; 609 } 610 void 611 channel_request_start(int id, char *service, int wantconfirm) 612 { 613 Channel *c = channel_lookup(id); 614 if (c == NULL) { 615 log("channel_request: %d: bad id", id); 616 return; 617 } 618 packet_start(SSH2_MSG_CHANNEL_REQUEST); 619 packet_put_int(c->remote_id); 620 packet_put_cstring(service); 621 packet_put_char(wantconfirm); 622 } 623 void 624 channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg) 625 { 626 Channel *c = channel_lookup(id); 627 if (c == NULL) { 628 log("channel_register_callback: %d: bad id", id); 629 return; 630 } 631 c->cb_event = mtype; 632 c->cb_fn = fn; 633 c->cb_arg = arg; 634 } 635 void 636 channel_register_cleanup(int id, channel_callback_fn *fn) 637 { 638 Channel *c = channel_lookup(id); 639 if (c == NULL) { 640 log("channel_register_cleanup: %d: bad id", id); 641 return; 642 } 643 c->detach_user = fn; 644 } 645 void 646 channel_cancel_cleanup(int id) 647 { 648 Channel *c = channel_lookup(id); 649 if (c == NULL) { 650 log("channel_cancel_cleanup: %d: bad id", id); 651 return; 652 } 653 c->detach_user = NULL; 654 } 655 void 656 channel_register_filter(int id, channel_filter_fn *fn) 657 { 658 Channel *c = channel_lookup(id); 659 if (c == NULL) { 660 log("channel_register_filter: %d: bad id", id); 661 return; 662 } 663 c->input_filter = fn; 664 } 665 666 void 667 channel_set_fds(int id, int rfd, int wfd, int efd, 668 int extusage, int nonblock) 669 { 670 Channel *c = channel_lookup(id); 671 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 672 fatal("channel_activate for non-larval channel %d.", id); 673 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 674 c->type = SSH_CHANNEL_OPEN; 675 /* XXX window size? */ 676 c->local_window = c->local_window_max = c->local_maxpacket * 2; 677 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 678 packet_put_int(c->remote_id); 679 packet_put_int(c->local_window); 680 packet_send(); 681 } 682 683 /* 684 * 'channel_pre*' are called just before select() to add any bits relevant to 685 * channels in the select bitmasks. 686 */ 687 /* 688 * 'channel_post*': perform any appropriate operations for channels which 689 * have events pending. 690 */ 691 typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset); 692 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 693 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 694 695 static void 696 channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset) 697 { 698 FD_SET(c->sock, readset); 699 } 700 701 static void 702 channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset) 703 { 704 debug3("channel %d: waiting for connection", c->self); 705 FD_SET(c->sock, writeset); 706 } 707 708 static void 709 channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset) 710 { 711 if (buffer_len(&c->input) < packet_get_maxsize()) 712 FD_SET(c->sock, readset); 713 if (buffer_len(&c->output) > 0) 714 FD_SET(c->sock, writeset); 715 } 716 717 static void 718 channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset) 719 { 720 /* test whether sockets are 'alive' for read/write */ 721 if (c->istate == CHAN_INPUT_OPEN) 722 if (buffer_len(&c->input) < packet_get_maxsize()) 723 FD_SET(c->sock, readset); 724 if (c->ostate == CHAN_OUTPUT_OPEN || 725 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 726 if (buffer_len(&c->output) > 0) { 727 FD_SET(c->sock, writeset); 728 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 729 chan_obuf_empty(c); 730 } 731 } 732 } 733 734 static void 735 channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset) 736 { 737 if (c->istate == CHAN_INPUT_OPEN && 738 c->remote_window > 0 && 739 buffer_len(&c->input) < c->remote_window) 740 FD_SET(c->rfd, readset); 741 if (c->ostate == CHAN_OUTPUT_OPEN || 742 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 743 if (buffer_len(&c->output) > 0) { 744 FD_SET(c->wfd, writeset); 745 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 746 chan_obuf_empty(c); 747 } 748 } 749 /** XXX check close conditions, too */ 750 if (c->efd != -1) { 751 if (c->extended_usage == CHAN_EXTENDED_WRITE && 752 buffer_len(&c->extended) > 0) 753 FD_SET(c->efd, writeset); 754 else if (c->extended_usage == CHAN_EXTENDED_READ && 755 buffer_len(&c->extended) < c->remote_window) 756 FD_SET(c->efd, readset); 757 } 758 } 759 760 static void 761 channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset) 762 { 763 if (buffer_len(&c->input) == 0) { 764 packet_start(SSH_MSG_CHANNEL_CLOSE); 765 packet_put_int(c->remote_id); 766 packet_send(); 767 c->type = SSH_CHANNEL_CLOSED; 768 debug("channel %d: closing after input drain.", c->self); 769 } 770 } 771 772 static void 773 channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset) 774 { 775 if (buffer_len(&c->output) == 0) 776 chan_mark_dead(c); 777 else 778 FD_SET(c->sock, writeset); 779 } 780 781 /* 782 * This is a special state for X11 authentication spoofing. An opened X11 783 * connection (when authentication spoofing is being done) remains in this 784 * state until the first packet has been completely read. The authentication 785 * data in that packet is then substituted by the real data if it matches the 786 * fake data, and the channel is put into normal mode. 787 * XXX All this happens at the client side. 788 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 789 */ 790 static int 791 x11_open_helper(Buffer *b) 792 { 793 u_char *ucp; 794 u_int proto_len, data_len; 795 796 /* Check if the fixed size part of the packet is in buffer. */ 797 if (buffer_len(b) < 12) 798 return 0; 799 800 /* Parse the lengths of variable-length fields. */ 801 ucp = (u_char *) buffer_ptr(b); 802 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 803 proto_len = 256 * ucp[6] + ucp[7]; 804 data_len = 256 * ucp[8] + ucp[9]; 805 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 806 proto_len = ucp[6] + 256 * ucp[7]; 807 data_len = ucp[8] + 256 * ucp[9]; 808 } else { 809 debug("Initial X11 packet contains bad byte order byte: 0x%x", 810 ucp[0]); 811 return -1; 812 } 813 814 /* Check if the whole packet is in buffer. */ 815 if (buffer_len(b) < 816 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 817 return 0; 818 819 /* Check if authentication protocol matches. */ 820 if (proto_len != strlen(x11_saved_proto) || 821 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 822 debug("X11 connection uses different authentication protocol."); 823 return -1; 824 } 825 /* Check if authentication data matches our fake data. */ 826 if (data_len != x11_fake_data_len || 827 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 828 x11_fake_data, x11_fake_data_len) != 0) { 829 debug("X11 auth data does not match fake data."); 830 return -1; 831 } 832 /* Check fake data length */ 833 if (x11_fake_data_len != x11_saved_data_len) { 834 error("X11 fake_data_len %d != saved_data_len %d", 835 x11_fake_data_len, x11_saved_data_len); 836 return -1; 837 } 838 /* 839 * Received authentication protocol and data match 840 * our fake data. Substitute the fake data with real 841 * data. 842 */ 843 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 844 x11_saved_data, x11_saved_data_len); 845 return 1; 846 } 847 848 static void 849 channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset) 850 { 851 int ret = x11_open_helper(&c->output); 852 if (ret == 1) { 853 /* Start normal processing for the channel. */ 854 c->type = SSH_CHANNEL_OPEN; 855 channel_pre_open_13(c, readset, writeset); 856 } else if (ret == -1) { 857 /* 858 * We have received an X11 connection that has bad 859 * authentication information. 860 */ 861 log("X11 connection rejected because of wrong authentication."); 862 buffer_clear(&c->input); 863 buffer_clear(&c->output); 864 channel_close_fd(&c->sock); 865 c->sock = -1; 866 c->type = SSH_CHANNEL_CLOSED; 867 packet_start(SSH_MSG_CHANNEL_CLOSE); 868 packet_put_int(c->remote_id); 869 packet_send(); 870 } 871 } 872 873 static void 874 channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset) 875 { 876 int ret = x11_open_helper(&c->output); 877 if (ret == 1) { 878 c->type = SSH_CHANNEL_OPEN; 879 if (compat20) 880 channel_pre_open_20(c, readset, writeset); 881 else 882 channel_pre_open_15(c, readset, writeset); 883 } else if (ret == -1) { 884 debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 885 chan_read_failed(c); /** force close? */ 886 chan_write_failed(c); 887 debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 888 } 889 } 890 891 /* try to decode a socks4 header */ 892 static int 893 channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) 894 { 895 u_char *p, *host; 896 int len, have, i, found; 897 char username[256]; 898 struct { 899 u_int8_t version; 900 u_int8_t command; 901 u_int16_t dest_port; 902 struct in_addr dest_addr; 903 } s4_req, s4_rsp; 904 905 debug2("channel %d: decode socks4", c->self); 906 907 have = buffer_len(&c->input); 908 len = sizeof(s4_req); 909 if (have < len) 910 return 0; 911 p = buffer_ptr(&c->input); 912 for (found = 0, i = len; i < have; i++) { 913 if (p[i] == '\0') { 914 found = 1; 915 break; 916 } 917 if (i > 1024) { 918 /* the peer is probably sending garbage */ 919 debug("channel %d: decode socks4: too long", 920 c->self); 921 return -1; 922 } 923 } 924 if (!found) 925 return 0; 926 buffer_get(&c->input, (char *)&s4_req.version, 1); 927 buffer_get(&c->input, (char *)&s4_req.command, 1); 928 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 929 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 930 have = buffer_len(&c->input); 931 p = buffer_ptr(&c->input); 932 len = strlen(p); 933 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 934 if (len > have) 935 fatal("channel %d: decode socks4: len %d > have %d", 936 c->self, len, have); 937 strlcpy(username, p, sizeof(username)); 938 buffer_consume(&c->input, len); 939 buffer_consume(&c->input, 1); /* trailing '\0' */ 940 941 host = inet_ntoa(s4_req.dest_addr); 942 strlcpy(c->path, host, sizeof(c->path)); 943 c->host_port = ntohs(s4_req.dest_port); 944 945 debug("channel %d: dynamic request: socks4 host %s port %u command %u", 946 c->self, host, c->host_port, s4_req.command); 947 948 if (s4_req.command != 1) { 949 debug("channel %d: cannot handle: socks4 cn %d", 950 c->self, s4_req.command); 951 return -1; 952 } 953 s4_rsp.version = 0; /* vn: 0 for reply */ 954 s4_rsp.command = 90; /* cd: req granted */ 955 s4_rsp.dest_port = 0; /* ignored */ 956 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 957 buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp)); 958 return 1; 959 } 960 961 /* dynamic port forwarding */ 962 static void 963 channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) 964 { 965 u_char *p; 966 int have, ret; 967 968 have = buffer_len(&c->input); 969 970 debug2("channel %d: pre_dynamic: have %d", c->self, have); 971 /* buffer_dump(&c->input); */ 972 /* check if the fixed size part of the packet is in buffer. */ 973 if (have < 4) { 974 /* need more */ 975 FD_SET(c->sock, readset); 976 return; 977 } 978 /* try to guess the protocol */ 979 p = buffer_ptr(&c->input); 980 switch (p[0]) { 981 case 0x04: 982 ret = channel_decode_socks4(c, readset, writeset); 983 break; 984 default: 985 ret = -1; 986 break; 987 } 988 if (ret < 0) { 989 chan_mark_dead(c); 990 } else if (ret == 0) { 991 debug2("channel %d: pre_dynamic: need more", c->self); 992 /* need more */ 993 FD_SET(c->sock, readset); 994 } else { 995 /* switch to the next state */ 996 c->type = SSH_CHANNEL_OPENING; 997 port_open_helper(c, "direct-tcpip"); 998 } 999 } 1000 1001 /* This is our fake X11 server socket. */ 1002 static void 1003 channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset) 1004 { 1005 Channel *nc; 1006 struct sockaddr addr; 1007 int newsock; 1008 socklen_t addrlen; 1009 char buf[16384], *remote_ipaddr; 1010 int remote_port; 1011 1012 if (FD_ISSET(c->sock, readset)) { 1013 debug("X11 connection requested."); 1014 addrlen = sizeof(addr); 1015 newsock = accept(c->sock, &addr, &addrlen); 1016 if (newsock < 0) { 1017 error("accept: %.100s", strerror(errno)); 1018 return; 1019 } 1020 remote_ipaddr = get_peer_ipaddr(newsock); 1021 remote_port = get_peer_port(newsock); 1022 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1023 remote_ipaddr, remote_port); 1024 1025 nc = channel_new("accepted x11 socket", 1026 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1027 c->local_window_max, c->local_maxpacket, 1028 0, xstrdup(buf), 1); 1029 if (nc == NULL) { 1030 close(newsock); 1031 xfree(remote_ipaddr); 1032 return; 1033 } 1034 if (compat20) { 1035 packet_start(SSH2_MSG_CHANNEL_OPEN); 1036 packet_put_cstring("x11"); 1037 packet_put_int(nc->self); 1038 packet_put_int(c->local_window_max); 1039 packet_put_int(c->local_maxpacket); 1040 /* originator ipaddr and port */ 1041 packet_put_cstring(remote_ipaddr); 1042 if (datafellows & SSH_BUG_X11FWD) { 1043 debug("ssh2 x11 bug compat mode"); 1044 } else { 1045 packet_put_int(remote_port); 1046 } 1047 packet_send(); 1048 } else { 1049 packet_start(SSH_SMSG_X11_OPEN); 1050 packet_put_int(nc->self); 1051 if (packet_get_protocol_flags() & 1052 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1053 packet_put_cstring(buf); 1054 packet_send(); 1055 } 1056 xfree(remote_ipaddr); 1057 } 1058 } 1059 1060 static void 1061 port_open_helper(Channel *c, char *rtype) 1062 { 1063 int direct; 1064 char buf[1024]; 1065 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1066 u_short remote_port = get_peer_port(c->sock); 1067 1068 direct = (strcmp(rtype, "direct-tcpip") == 0); 1069 1070 snprintf(buf, sizeof buf, 1071 "%s: listening port %d for %.100s port %d, " 1072 "connect from %.200s port %d", 1073 rtype, c->listening_port, c->path, c->host_port, 1074 remote_ipaddr, remote_port); 1075 1076 xfree(c->remote_name); 1077 c->remote_name = xstrdup(buf); 1078 1079 if (compat20) { 1080 packet_start(SSH2_MSG_CHANNEL_OPEN); 1081 packet_put_cstring(rtype); 1082 packet_put_int(c->self); 1083 packet_put_int(c->local_window_max); 1084 packet_put_int(c->local_maxpacket); 1085 if (direct) { 1086 /* target host, port */ 1087 packet_put_cstring(c->path); 1088 packet_put_int(c->host_port); 1089 } else { 1090 /* listen address, port */ 1091 packet_put_cstring(c->path); 1092 packet_put_int(c->listening_port); 1093 } 1094 /* originator host and port */ 1095 packet_put_cstring(remote_ipaddr); 1096 packet_put_int(remote_port); 1097 packet_send(); 1098 } else { 1099 packet_start(SSH_MSG_PORT_OPEN); 1100 packet_put_int(c->self); 1101 packet_put_cstring(c->path); 1102 packet_put_int(c->host_port); 1103 if (packet_get_protocol_flags() & 1104 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1105 packet_put_cstring(c->remote_name); 1106 packet_send(); 1107 } 1108 xfree(remote_ipaddr); 1109 } 1110 1111 /* 1112 * This socket is listening for connections to a forwarded TCP/IP port. 1113 */ 1114 static void 1115 channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) 1116 { 1117 Channel *nc; 1118 struct sockaddr addr; 1119 int newsock, nextstate; 1120 socklen_t addrlen; 1121 char *rtype; 1122 1123 if (FD_ISSET(c->sock, readset)) { 1124 debug("Connection to port %d forwarding " 1125 "to %.100s port %d requested.", 1126 c->listening_port, c->path, c->host_port); 1127 1128 rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ? 1129 "forwarded-tcpip" : "direct-tcpip"; 1130 nextstate = (c->host_port == 0 && 1131 c->type != SSH_CHANNEL_RPORT_LISTENER) ? 1132 SSH_CHANNEL_DYNAMIC : SSH_CHANNEL_OPENING; 1133 1134 addrlen = sizeof(addr); 1135 newsock = accept(c->sock, &addr, &addrlen); 1136 if (newsock < 0) { 1137 error("accept: %.100s", strerror(errno)); 1138 return; 1139 } 1140 nc = channel_new(rtype, 1141 nextstate, newsock, newsock, -1, 1142 c->local_window_max, c->local_maxpacket, 1143 0, xstrdup(rtype), 1); 1144 if (nc == NULL) { 1145 error("channel_post_port_listener: no new channel:"); 1146 close(newsock); 1147 return; 1148 } 1149 nc->listening_port = c->listening_port; 1150 nc->host_port = c->host_port; 1151 strlcpy(nc->path, c->path, sizeof(nc->path)); 1152 1153 if (nextstate != SSH_CHANNEL_DYNAMIC) 1154 port_open_helper(nc, rtype); 1155 } 1156 } 1157 1158 /* 1159 * This is the authentication agent socket listening for connections from 1160 * clients. 1161 */ 1162 static void 1163 channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset) 1164 { 1165 Channel *nc; 1166 char *name; 1167 int newsock; 1168 struct sockaddr addr; 1169 socklen_t addrlen; 1170 1171 if (FD_ISSET(c->sock, readset)) { 1172 addrlen = sizeof(addr); 1173 newsock = accept(c->sock, &addr, &addrlen); 1174 if (newsock < 0) { 1175 error("accept from auth socket: %.100s", strerror(errno)); 1176 return; 1177 } 1178 name = xstrdup("accepted auth socket"); 1179 nc = channel_new("accepted auth socket", 1180 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1181 c->local_window_max, c->local_maxpacket, 1182 0, name, 1); 1183 if (nc == NULL) { 1184 error("channel_post_auth_listener: channel_new failed"); 1185 xfree(name); 1186 close(newsock); 1187 } 1188 if (compat20) { 1189 packet_start(SSH2_MSG_CHANNEL_OPEN); 1190 packet_put_cstring("auth-agent@openssh.com"); 1191 packet_put_int(nc->self); 1192 packet_put_int(c->local_window_max); 1193 packet_put_int(c->local_maxpacket); 1194 } else { 1195 packet_start(SSH_SMSG_AGENT_OPEN); 1196 packet_put_int(nc->self); 1197 } 1198 packet_send(); 1199 } 1200 } 1201 1202 static void 1203 channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset) 1204 { 1205 int err = 0; 1206 socklen_t sz = sizeof(err); 1207 1208 if (FD_ISSET(c->sock, writeset)) { 1209 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, (char *)&err, 1210 &sz) < 0) { 1211 err = errno; 1212 error("getsockopt SO_ERROR failed"); 1213 } 1214 if (err == 0) { 1215 debug("channel %d: connected", c->self); 1216 c->type = SSH_CHANNEL_OPEN; 1217 if (compat20) { 1218 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1219 packet_put_int(c->remote_id); 1220 packet_put_int(c->self); 1221 packet_put_int(c->local_window); 1222 packet_put_int(c->local_maxpacket); 1223 } else { 1224 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1225 packet_put_int(c->remote_id); 1226 packet_put_int(c->self); 1227 } 1228 } else { 1229 debug("channel %d: not connected: %s", 1230 c->self, strerror(err)); 1231 if (compat20) { 1232 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1233 packet_put_int(c->remote_id); 1234 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1235 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1236 packet_put_cstring(strerror(err)); 1237 packet_put_cstring(""); 1238 } 1239 } else { 1240 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1241 packet_put_int(c->remote_id); 1242 } 1243 chan_mark_dead(c); 1244 } 1245 packet_send(); 1246 } 1247 } 1248 1249 static int 1250 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) 1251 { 1252 char buf[16*1024]; 1253 int len; 1254 1255 if (c->rfd != -1 && 1256 FD_ISSET(c->rfd, readset)) { 1257 len = read(c->rfd, buf, sizeof(buf)); 1258 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1259 return 1; 1260 if (len <= 0) { 1261 debug("channel %d: read<=0 rfd %d len %d", 1262 c->self, c->rfd, len); 1263 if (c->type != SSH_CHANNEL_OPEN) { 1264 debug("channel %d: not open", c->self); 1265 chan_mark_dead(c); 1266 return -1; 1267 } else if (compat13) { 1268 buffer_consume(&c->output, buffer_len(&c->output)); 1269 c->type = SSH_CHANNEL_INPUT_DRAINING; 1270 debug("channel %d: input draining.", c->self); 1271 } else { 1272 chan_read_failed(c); 1273 } 1274 return -1; 1275 } 1276 if(c->input_filter != NULL) { 1277 if (c->input_filter(c, buf, len) == -1) { 1278 debug("channel %d: filter stops", c->self); 1279 chan_read_failed(c); 1280 } 1281 } else { 1282 buffer_append(&c->input, buf, len); 1283 } 1284 } 1285 return 1; 1286 } 1287 static int 1288 channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) 1289 { 1290 struct termios tio; 1291 int len; 1292 1293 /* Send buffered output data to the socket. */ 1294 if (c->wfd != -1 && 1295 FD_ISSET(c->wfd, writeset) && 1296 buffer_len(&c->output) > 0) { 1297 len = write(c->wfd, buffer_ptr(&c->output), 1298 buffer_len(&c->output)); 1299 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1300 return 1; 1301 if (len <= 0) { 1302 if (c->type != SSH_CHANNEL_OPEN) { 1303 debug("channel %d: not open", c->self); 1304 chan_mark_dead(c); 1305 return -1; 1306 } else if (compat13) { 1307 buffer_consume(&c->output, buffer_len(&c->output)); 1308 debug("channel %d: input draining.", c->self); 1309 c->type = SSH_CHANNEL_INPUT_DRAINING; 1310 } else { 1311 chan_write_failed(c); 1312 } 1313 return -1; 1314 } 1315 if (compat20 && c->isatty) { 1316 if (tcgetattr(c->wfd, &tio) == 0 && 1317 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1318 /* 1319 * Simulate echo to reduce the impact of 1320 * traffic analysis. We need to match the 1321 * size of a SSH2_MSG_CHANNEL_DATA message 1322 * (4 byte channel id + data) 1323 */ 1324 packet_send_ignore(4 + len); 1325 packet_send(); 1326 } 1327 } 1328 buffer_consume(&c->output, len); 1329 if (compat20 && len > 0) { 1330 c->local_consumed += len; 1331 } 1332 } 1333 return 1; 1334 } 1335 static int 1336 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) 1337 { 1338 char buf[16*1024]; 1339 int len; 1340 1341 /** XXX handle drain efd, too */ 1342 if (c->efd != -1) { 1343 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1344 FD_ISSET(c->efd, writeset) && 1345 buffer_len(&c->extended) > 0) { 1346 len = write(c->efd, buffer_ptr(&c->extended), 1347 buffer_len(&c->extended)); 1348 debug2("channel %d: written %d to efd %d", 1349 c->self, len, c->efd); 1350 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1351 return 1; 1352 if (len <= 0) { 1353 debug2("channel %d: closing write-efd %d", 1354 c->self, c->efd); 1355 channel_close_fd(&c->efd); 1356 } else { 1357 buffer_consume(&c->extended, len); 1358 c->local_consumed += len; 1359 } 1360 } else if (c->extended_usage == CHAN_EXTENDED_READ && 1361 FD_ISSET(c->efd, readset)) { 1362 len = read(c->efd, buf, sizeof(buf)); 1363 debug2("channel %d: read %d from efd %d", 1364 c->self, len, c->efd); 1365 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1366 return 1; 1367 if (len <= 0) { 1368 debug2("channel %d: closing read-efd %d", 1369 c->self, c->efd); 1370 channel_close_fd(&c->efd); 1371 } else { 1372 buffer_append(&c->extended, buf, len); 1373 } 1374 } 1375 } 1376 return 1; 1377 } 1378 static int 1379 channel_check_window(Channel *c) 1380 { 1381 if (c->type == SSH_CHANNEL_OPEN && 1382 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1383 c->local_window < c->local_window_max/2 && 1384 c->local_consumed > 0) { 1385 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1386 packet_put_int(c->remote_id); 1387 packet_put_int(c->local_consumed); 1388 packet_send(); 1389 debug2("channel %d: window %d sent adjust %d", 1390 c->self, c->local_window, 1391 c->local_consumed); 1392 c->local_window += c->local_consumed; 1393 c->local_consumed = 0; 1394 } 1395 return 1; 1396 } 1397 1398 static void 1399 channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset) 1400 { 1401 channel_handle_rfd(c, readset, writeset); 1402 channel_handle_wfd(c, readset, writeset); 1403 } 1404 1405 static void 1406 channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset) 1407 { 1408 channel_handle_rfd(c, readset, writeset); 1409 channel_handle_wfd(c, readset, writeset); 1410 channel_handle_efd(c, readset, writeset); 1411 1412 channel_check_window(c); 1413 } 1414 1415 static void 1416 channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset) 1417 { 1418 int len; 1419 /* Send buffered output data to the socket. */ 1420 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1421 len = write(c->sock, buffer_ptr(&c->output), 1422 buffer_len(&c->output)); 1423 if (len <= 0) 1424 buffer_consume(&c->output, buffer_len(&c->output)); 1425 else 1426 buffer_consume(&c->output, len); 1427 } 1428 } 1429 1430 static void 1431 channel_handler_init_20(void) 1432 { 1433 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20; 1434 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1435 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1436 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1437 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1438 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1439 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1440 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1441 1442 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2; 1443 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1444 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1445 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1446 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1447 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1448 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_2; 1449 } 1450 1451 static void 1452 channel_handler_init_13(void) 1453 { 1454 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1455 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1456 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1457 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1458 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1459 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1460 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1461 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1462 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1463 1464 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; 1465 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1466 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1467 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1468 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 1469 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1470 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_1; 1471 } 1472 1473 static void 1474 channel_handler_init_15(void) 1475 { 1476 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15; 1477 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1478 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1479 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1480 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1481 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1482 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1483 1484 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1485 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1486 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1487 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; 1488 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1489 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open_1; 1490 } 1491 1492 static void 1493 channel_handler_init(void) 1494 { 1495 int i; 1496 for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 1497 channel_pre[i] = NULL; 1498 channel_post[i] = NULL; 1499 } 1500 if (compat20) 1501 channel_handler_init_20(); 1502 else if (compat13) 1503 channel_handler_init_13(); 1504 else 1505 channel_handler_init_15(); 1506 } 1507 1508 static void 1509 channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) 1510 { 1511 static int did_init = 0; 1512 int i; 1513 Channel *c; 1514 1515 if (!did_init) { 1516 channel_handler_init(); 1517 did_init = 1; 1518 } 1519 for (i = 0; i < channels_alloc; i++) { 1520 c = channels[i]; 1521 if (c == NULL) 1522 continue; 1523 if (ftab[c->type] != NULL) 1524 (*ftab[c->type])(c, readset, writeset); 1525 if (chan_is_dead(c)) { 1526 /* 1527 * we have to remove the fd's from the select mask 1528 * before the channels are free'd and the fd's are 1529 * closed 1530 */ 1531 if (c->wfd != -1) 1532 FD_CLR(c->wfd, writeset); 1533 if (c->rfd != -1) 1534 FD_CLR(c->rfd, readset); 1535 if (c->efd != -1) { 1536 if (c->extended_usage == CHAN_EXTENDED_READ) 1537 FD_CLR(c->efd, readset); 1538 if (c->extended_usage == CHAN_EXTENDED_WRITE) 1539 FD_CLR(c->efd, writeset); 1540 } 1541 channel_free(c); 1542 } 1543 } 1544 } 1545 1546 /* 1547 * Allocate/update select bitmasks and add any bits relevant to channels in 1548 * select bitmasks. 1549 */ 1550 void 1551 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 1552 int *nallocp, int rekeying) 1553 { 1554 int n; 1555 u_int sz; 1556 1557 n = MAX(*maxfdp, channel_max_fd); 1558 1559 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); 1560 /* perhaps check sz < nalloc/2 and shrink? */ 1561 if (*readsetp == NULL || sz > *nallocp) { 1562 *readsetp = xrealloc(*readsetp, sz); 1563 *writesetp = xrealloc(*writesetp, sz); 1564 *nallocp = sz; 1565 } 1566 *maxfdp = n; 1567 memset(*readsetp, 0, sz); 1568 memset(*writesetp, 0, sz); 1569 1570 if (!rekeying) 1571 channel_handler(channel_pre, *readsetp, *writesetp); 1572 } 1573 1574 /* 1575 * After select, perform any appropriate operations for channels which have 1576 * events pending. 1577 */ 1578 void 1579 channel_after_select(fd_set * readset, fd_set * writeset) 1580 { 1581 channel_handler(channel_post, readset, writeset); 1582 } 1583 1584 1585 /* If there is data to send to the connection, enqueue some of it now. */ 1586 1587 void 1588 channel_output_poll() 1589 { 1590 int len, i; 1591 Channel *c; 1592 1593 for (i = 0; i < channels_alloc; i++) { 1594 c = channels[i]; 1595 if (c == NULL) 1596 continue; 1597 1598 /* 1599 * We are only interested in channels that can have buffered 1600 * incoming data. 1601 */ 1602 if (compat13) { 1603 if (c->type != SSH_CHANNEL_OPEN && 1604 c->type != SSH_CHANNEL_INPUT_DRAINING) 1605 continue; 1606 } else { 1607 if (c->type != SSH_CHANNEL_OPEN) 1608 continue; 1609 } 1610 if (compat20 && 1611 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 1612 /* XXX is this true? */ 1613 debug2("channel %d: no data after CLOSE", c->self); 1614 continue; 1615 } 1616 1617 /* Get the amount of buffered data for this channel. */ 1618 if ((c->istate == CHAN_INPUT_OPEN || 1619 c->istate == CHAN_INPUT_WAIT_DRAIN) && 1620 (len = buffer_len(&c->input)) > 0) { 1621 /* 1622 * Send some data for the other side over the secure 1623 * connection. 1624 */ 1625 if (compat20) { 1626 if (len > c->remote_window) 1627 len = c->remote_window; 1628 if (len > c->remote_maxpacket) 1629 len = c->remote_maxpacket; 1630 } else { 1631 if (packet_is_interactive()) { 1632 if (len > 1024) 1633 len = 512; 1634 } else { 1635 /* Keep the packets at reasonable size. */ 1636 if (len > packet_get_maxsize()/2) 1637 len = packet_get_maxsize()/2; 1638 } 1639 } 1640 if (len > 0) { 1641 packet_start(compat20 ? 1642 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 1643 packet_put_int(c->remote_id); 1644 packet_put_string(buffer_ptr(&c->input), len); 1645 packet_send(); 1646 buffer_consume(&c->input, len); 1647 c->remote_window -= len; 1648 } 1649 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1650 if (compat13) 1651 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 1652 /* 1653 * input-buffer is empty and read-socket shutdown: 1654 * tell peer, that we will not send more data: send IEOF 1655 */ 1656 chan_ibuf_empty(c); 1657 } 1658 /* Send extended data, i.e. stderr */ 1659 if (compat20 && 1660 c->remote_window > 0 && 1661 (len = buffer_len(&c->extended)) > 0 && 1662 c->extended_usage == CHAN_EXTENDED_READ) { 1663 debug2("channel %d: rwin %d elen %d euse %d", 1664 c->self, c->remote_window, buffer_len(&c->extended), 1665 c->extended_usage); 1666 if (len > c->remote_window) 1667 len = c->remote_window; 1668 if (len > c->remote_maxpacket) 1669 len = c->remote_maxpacket; 1670 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 1671 packet_put_int(c->remote_id); 1672 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 1673 packet_put_string(buffer_ptr(&c->extended), len); 1674 packet_send(); 1675 buffer_consume(&c->extended, len); 1676 c->remote_window -= len; 1677 debug2("channel %d: sent ext data %d", c->self, len); 1678 } 1679 } 1680 } 1681 1682 1683 /* -- protocol input */ 1684 1685 void 1686 channel_input_data(int type, int plen, void *ctxt) 1687 { 1688 int id; 1689 char *data; 1690 u_int data_len; 1691 Channel *c; 1692 1693 /* Get the channel number and verify it. */ 1694 id = packet_get_int(); 1695 c = channel_lookup(id); 1696 if (c == NULL) 1697 packet_disconnect("Received data for nonexistent channel %d.", id); 1698 1699 /* Ignore any data for non-open channels (might happen on close) */ 1700 if (c->type != SSH_CHANNEL_OPEN && 1701 c->type != SSH_CHANNEL_X11_OPEN) 1702 return; 1703 1704 /* same for protocol 1.5 if output end is no longer open */ 1705 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) 1706 return; 1707 1708 /* Get the data. */ 1709 data = packet_get_string(&data_len); 1710 packet_done(); 1711 1712 if (compat20){ 1713 if (data_len > c->local_maxpacket) { 1714 log("channel %d: rcvd big packet %d, maxpack %d", 1715 c->self, data_len, c->local_maxpacket); 1716 } 1717 if (data_len > c->local_window) { 1718 log("channel %d: rcvd too much data %d, win %d", 1719 c->self, data_len, c->local_window); 1720 xfree(data); 1721 return; 1722 } 1723 c->local_window -= data_len; 1724 }else{ 1725 packet_integrity_check(plen, 4 + 4 + data_len, type); 1726 } 1727 buffer_append(&c->output, data, data_len); 1728 xfree(data); 1729 } 1730 1731 void 1732 channel_input_extended_data(int type, int plen, void *ctxt) 1733 { 1734 int id; 1735 int tcode; 1736 char *data; 1737 u_int data_len; 1738 Channel *c; 1739 1740 /* Get the channel number and verify it. */ 1741 id = packet_get_int(); 1742 c = channel_lookup(id); 1743 1744 if (c == NULL) 1745 packet_disconnect("Received extended_data for bad channel %d.", id); 1746 if (c->type != SSH_CHANNEL_OPEN) { 1747 log("channel %d: ext data for non open", id); 1748 return; 1749 } 1750 tcode = packet_get_int(); 1751 if (c->efd == -1 || 1752 c->extended_usage != CHAN_EXTENDED_WRITE || 1753 tcode != SSH2_EXTENDED_DATA_STDERR) { 1754 log("channel %d: bad ext data", c->self); 1755 return; 1756 } 1757 data = packet_get_string(&data_len); 1758 packet_done(); 1759 if (data_len > c->local_window) { 1760 log("channel %d: rcvd too much extended_data %d, win %d", 1761 c->self, data_len, c->local_window); 1762 xfree(data); 1763 return; 1764 } 1765 debug2("channel %d: rcvd ext data %d", c->self, data_len); 1766 c->local_window -= data_len; 1767 buffer_append(&c->extended, data, data_len); 1768 xfree(data); 1769 } 1770 1771 void 1772 channel_input_ieof(int type, int plen, void *ctxt) 1773 { 1774 int id; 1775 Channel *c; 1776 1777 packet_integrity_check(plen, 4, type); 1778 1779 id = packet_get_int(); 1780 c = channel_lookup(id); 1781 if (c == NULL) 1782 packet_disconnect("Received ieof for nonexistent channel %d.", id); 1783 chan_rcvd_ieof(c); 1784 } 1785 1786 void 1787 channel_input_close(int type, int plen, void *ctxt) 1788 { 1789 int id; 1790 Channel *c; 1791 1792 packet_integrity_check(plen, 4, type); 1793 1794 id = packet_get_int(); 1795 c = channel_lookup(id); 1796 if (c == NULL) 1797 packet_disconnect("Received close for nonexistent channel %d.", id); 1798 1799 /* 1800 * Send a confirmation that we have closed the channel and no more 1801 * data is coming for it. 1802 */ 1803 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 1804 packet_put_int(c->remote_id); 1805 packet_send(); 1806 1807 /* 1808 * If the channel is in closed state, we have sent a close request, 1809 * and the other side will eventually respond with a confirmation. 1810 * Thus, we cannot free the channel here, because then there would be 1811 * no-one to receive the confirmation. The channel gets freed when 1812 * the confirmation arrives. 1813 */ 1814 if (c->type != SSH_CHANNEL_CLOSED) { 1815 /* 1816 * Not a closed channel - mark it as draining, which will 1817 * cause it to be freed later. 1818 */ 1819 buffer_consume(&c->input, buffer_len(&c->input)); 1820 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 1821 } 1822 } 1823 1824 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 1825 void 1826 channel_input_oclose(int type, int plen, void *ctxt) 1827 { 1828 int id = packet_get_int(); 1829 Channel *c = channel_lookup(id); 1830 packet_integrity_check(plen, 4, type); 1831 if (c == NULL) 1832 packet_disconnect("Received oclose for nonexistent channel %d.", id); 1833 chan_rcvd_oclose(c); 1834 } 1835 1836 void 1837 channel_input_close_confirmation(int type, int plen, void *ctxt) 1838 { 1839 int id = packet_get_int(); 1840 Channel *c = channel_lookup(id); 1841 1842 packet_done(); 1843 if (c == NULL) 1844 packet_disconnect("Received close confirmation for " 1845 "out-of-range channel %d.", id); 1846 if (c->type != SSH_CHANNEL_CLOSED) 1847 packet_disconnect("Received close confirmation for " 1848 "non-closed channel %d (type %d).", id, c->type); 1849 channel_free(c); 1850 } 1851 1852 void 1853 channel_input_open_confirmation(int type, int plen, void *ctxt) 1854 { 1855 int id, remote_id; 1856 Channel *c; 1857 1858 if (!compat20) 1859 packet_integrity_check(plen, 4 + 4, type); 1860 1861 id = packet_get_int(); 1862 c = channel_lookup(id); 1863 1864 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 1865 packet_disconnect("Received open confirmation for " 1866 "non-opening channel %d.", id); 1867 remote_id = packet_get_int(); 1868 /* Record the remote channel number and mark that the channel is now open. */ 1869 c->remote_id = remote_id; 1870 c->type = SSH_CHANNEL_OPEN; 1871 1872 if (compat20) { 1873 c->remote_window = packet_get_int(); 1874 c->remote_maxpacket = packet_get_int(); 1875 packet_done(); 1876 if (c->cb_fn != NULL && c->cb_event == type) { 1877 debug2("callback start"); 1878 c->cb_fn(c->self, c->cb_arg); 1879 debug2("callback done"); 1880 } 1881 debug("channel %d: open confirm rwindow %d rmax %d", c->self, 1882 c->remote_window, c->remote_maxpacket); 1883 } 1884 } 1885 1886 static char * 1887 reason2txt(int reason) 1888 { 1889 switch(reason) { 1890 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 1891 return "administratively prohibited"; 1892 case SSH2_OPEN_CONNECT_FAILED: 1893 return "connect failed"; 1894 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 1895 return "unknown channel type"; 1896 case SSH2_OPEN_RESOURCE_SHORTAGE: 1897 return "resource shortage"; 1898 } 1899 return "unknown reason"; 1900 } 1901 1902 void 1903 channel_input_open_failure(int type, int plen, void *ctxt) 1904 { 1905 int id, reason; 1906 char *msg = NULL, *lang = NULL; 1907 Channel *c; 1908 1909 if (!compat20) 1910 packet_integrity_check(plen, 4, type); 1911 1912 id = packet_get_int(); 1913 c = channel_lookup(id); 1914 1915 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 1916 packet_disconnect("Received open failure for " 1917 "non-opening channel %d.", id); 1918 if (compat20) { 1919 reason = packet_get_int(); 1920 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1921 msg = packet_get_string(NULL); 1922 lang = packet_get_string(NULL); 1923 } 1924 packet_done(); 1925 log("channel %d: open failed: %s%s%s", id, 1926 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 1927 if (msg != NULL) 1928 xfree(msg); 1929 if (lang != NULL) 1930 xfree(lang); 1931 } 1932 /* Free the channel. This will also close the socket. */ 1933 channel_free(c); 1934 } 1935 1936 void 1937 channel_input_channel_request(int type, int plen, void *ctxt) 1938 { 1939 int id; 1940 Channel *c; 1941 1942 id = packet_get_int(); 1943 c = channel_lookup(id); 1944 1945 if (c == NULL || 1946 (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL)) 1947 packet_disconnect("Received request for " 1948 "non-open channel %d.", id); 1949 if (c->cb_fn != NULL && c->cb_event == type) { 1950 debug2("callback start"); 1951 c->cb_fn(c->self, c->cb_arg); 1952 debug2("callback done"); 1953 } else { 1954 char *service = packet_get_string(NULL); 1955 debug("channel %d: rcvd request for %s", c->self, service); 1956 debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event); 1957 xfree(service); 1958 } 1959 } 1960 1961 void 1962 channel_input_window_adjust(int type, int plen, void *ctxt) 1963 { 1964 Channel *c; 1965 int id, adjust; 1966 1967 if (!compat20) 1968 return; 1969 1970 /* Get the channel number and verify it. */ 1971 id = packet_get_int(); 1972 c = channel_lookup(id); 1973 1974 if (c == NULL || c->type != SSH_CHANNEL_OPEN) { 1975 log("Received window adjust for " 1976 "non-open channel %d.", id); 1977 return; 1978 } 1979 adjust = packet_get_int(); 1980 packet_done(); 1981 debug2("channel %d: rcvd adjust %d", id, adjust); 1982 c->remote_window += adjust; 1983 } 1984 1985 void 1986 channel_input_port_open(int type, int plen, void *ctxt) 1987 { 1988 Channel *c = NULL; 1989 u_short host_port; 1990 char *host, *originator_string; 1991 int remote_id, sock = -1; 1992 1993 remote_id = packet_get_int(); 1994 host = packet_get_string(NULL); 1995 host_port = packet_get_int(); 1996 1997 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 1998 originator_string = packet_get_string(NULL); 1999 } else { 2000 originator_string = xstrdup("unknown (remote did not supply name)"); 2001 } 2002 packet_done(); 2003 sock = channel_connect_to(host, host_port); 2004 if (sock != -1) { 2005 c = channel_new("connected socket", 2006 SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, 2007 originator_string, 1); 2008 if (c == NULL) { 2009 error("channel_input_port_open: channel_new failed"); 2010 close(sock); 2011 } else { 2012 c->remote_id = remote_id; 2013 } 2014 } 2015 if (c == NULL) { 2016 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2017 packet_put_int(remote_id); 2018 packet_send(); 2019 } 2020 xfree(host); 2021 } 2022 2023 2024 /* -- tcp forwarding */ 2025 2026 /* 2027 * Initiate forwarding of connections to local port "port" through the secure 2028 * channel to host:port from remote side. 2029 */ 2030 int 2031 channel_request_local_forwarding(u_short listen_port, const char *host_to_connect, 2032 u_short port_to_connect, int gateway_ports) 2033 { 2034 return channel_request_forwarding( 2035 NULL, listen_port, 2036 host_to_connect, port_to_connect, 2037 gateway_ports, /*remote_fwd*/ 0); 2038 } 2039 2040 /* 2041 * If 'remote_fwd' is true we have a '-R style' listener for protocol 2 2042 * (SSH_CHANNEL_RPORT_LISTENER). 2043 */ 2044 int 2045 channel_request_forwarding( 2046 const char *listen_address, u_short listen_port, 2047 const char *host_to_connect, u_short port_to_connect, 2048 int gateway_ports, int remote_fwd) 2049 { 2050 Channel *c; 2051 int success, sock, on = 1, type; 2052 struct addrinfo hints, *ai, *aitop; 2053 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2054 const char *host; 2055 struct linger linger; 2056 2057 success = 0; 2058 2059 if (remote_fwd) { 2060 host = listen_address; 2061 type = SSH_CHANNEL_RPORT_LISTENER; 2062 } else { 2063 host = host_to_connect; 2064 type = SSH_CHANNEL_PORT_LISTENER; 2065 } 2066 2067 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) { 2068 error("Forward host name too long."); 2069 return success; 2070 } 2071 2072 /* XXX listen_address is currently ignored */ 2073 /* 2074 * getaddrinfo returns a loopback address if the hostname is 2075 * set to NULL and hints.ai_flags is not AI_PASSIVE 2076 */ 2077 memset(&hints, 0, sizeof(hints)); 2078 hints.ai_family = IPv4or6; 2079 hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; 2080 hints.ai_socktype = SOCK_STREAM; 2081 snprintf(strport, sizeof strport, "%d", listen_port); 2082 if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) 2083 packet_disconnect("getaddrinfo: fatal error"); 2084 2085 for (ai = aitop; ai; ai = ai->ai_next) { 2086 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2087 continue; 2088 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2089 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2090 error("channel_request_forwarding: getnameinfo failed"); 2091 continue; 2092 } 2093 /* Create a port to listen for the host. */ 2094 sock = socket(ai->ai_family, SOCK_STREAM, 0); 2095 if (sock < 0) { 2096 /* this is no error since kernel may not support ipv6 */ 2097 verbose("socket: %.100s", strerror(errno)); 2098 continue; 2099 } 2100 /* 2101 * Set socket options. We would like the socket to disappear 2102 * as soon as it has been closed for whatever reason. 2103 */ 2104 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); 2105 linger.l_onoff = 1; 2106 linger.l_linger = 5; 2107 setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); 2108 debug("Local forwarding listening on %s port %s.", ntop, strport); 2109 2110 /* Bind the socket to the address. */ 2111 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2112 /* address can be in use ipv6 address is already bound */ 2113 verbose("bind: %.100s", strerror(errno)); 2114 close(sock); 2115 continue; 2116 } 2117 /* Start listening for connections on the socket. */ 2118 if (listen(sock, 5) < 0) { 2119 error("listen: %.100s", strerror(errno)); 2120 close(sock); 2121 continue; 2122 } 2123 /* Allocate a channel number for the socket. */ 2124 c = channel_new("port listener", type, sock, sock, -1, 2125 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2126 0, xstrdup("port listener"), 1); 2127 if (c == NULL) { 2128 error("channel_request_forwarding: channel_new failed"); 2129 close(sock); 2130 continue; 2131 } 2132 strlcpy(c->path, host, sizeof(c->path)); 2133 c->host_port = port_to_connect; 2134 c->listening_port = listen_port; 2135 success = 1; 2136 } 2137 if (success == 0) 2138 error("channel_request_forwarding: cannot listen to port: %d", 2139 listen_port); 2140 freeaddrinfo(aitop); 2141 return success; 2142 } 2143 2144 /* 2145 * Initiate forwarding of connections to port "port" on remote host through 2146 * the secure channel to host:port from local side. 2147 */ 2148 2149 void 2150 channel_request_remote_forwarding(u_short listen_port, 2151 const char *host_to_connect, u_short port_to_connect) 2152 { 2153 int payload_len, type, success = 0; 2154 2155 /* Record locally that connection to this host/port is permitted. */ 2156 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2157 fatal("channel_request_remote_forwarding: too many forwards"); 2158 2159 /* Send the forward request to the remote side. */ 2160 if (compat20) { 2161 const char *address_to_bind = "0.0.0.0"; 2162 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2163 packet_put_cstring("tcpip-forward"); 2164 packet_put_char(0); /* boolean: want reply */ 2165 packet_put_cstring(address_to_bind); 2166 packet_put_int(listen_port); 2167 packet_send(); 2168 packet_write_wait(); 2169 /* Assume that server accepts the request */ 2170 success = 1; 2171 } else { 2172 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2173 packet_put_int(listen_port); 2174 packet_put_cstring(host_to_connect); 2175 packet_put_int(port_to_connect); 2176 packet_send(); 2177 packet_write_wait(); 2178 2179 /* Wait for response from the remote side. */ 2180 type = packet_read(&payload_len); 2181 switch (type) { 2182 case SSH_SMSG_SUCCESS: 2183 success = 1; 2184 break; 2185 case SSH_SMSG_FAILURE: 2186 log("Warning: Server denied remote port forwarding."); 2187 break; 2188 default: 2189 /* Unknown packet */ 2190 packet_disconnect("Protocol error for port forward request:" 2191 "received packet type %d.", type); 2192 } 2193 } 2194 if (success) { 2195 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2196 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2197 permitted_opens[num_permitted_opens].listen_port = listen_port; 2198 num_permitted_opens++; 2199 } 2200 } 2201 2202 /* 2203 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2204 * listening for the port, and sends back a success reply (or disconnect 2205 * message if there was an error). This never returns if there was an error. 2206 */ 2207 2208 void 2209 channel_input_port_forward_request(int is_root, int gateway_ports) 2210 { 2211 u_short port, host_port; 2212 char *hostname; 2213 2214 /* Get arguments from the packet. */ 2215 port = packet_get_int(); 2216 hostname = packet_get_string(NULL); 2217 host_port = packet_get_int(); 2218 2219 /* 2220 * Check that an unprivileged user is not trying to forward a 2221 * privileged port. 2222 */ 2223 if (port < IPPORT_RESERVED && !is_root) 2224 packet_disconnect("Requested forwarding of port %d but user is not root.", 2225 port); 2226 /* Initiate forwarding */ 2227 channel_request_local_forwarding(port, hostname, host_port, gateway_ports); 2228 2229 /* Free the argument string. */ 2230 xfree(hostname); 2231 } 2232 2233 /* 2234 * Permits opening to any host/port if permitted_opens[] is empty. This is 2235 * usually called by the server, because the user could connect to any port 2236 * anyway, and the server has no way to know but to trust the client anyway. 2237 */ 2238 void 2239 channel_permit_all_opens() 2240 { 2241 if (num_permitted_opens == 0) 2242 all_opens_permitted = 1; 2243 } 2244 2245 void 2246 channel_add_permitted_opens(char *host, int port) 2247 { 2248 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2249 fatal("channel_request_remote_forwarding: too many forwards"); 2250 debug("allow port forwarding to host %s port %d", host, port); 2251 2252 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 2253 permitted_opens[num_permitted_opens].port_to_connect = port; 2254 num_permitted_opens++; 2255 2256 all_opens_permitted = 0; 2257 } 2258 2259 void 2260 channel_clear_permitted_opens(void) 2261 { 2262 int i; 2263 2264 for (i = 0; i < num_permitted_opens; i++) 2265 xfree(permitted_opens[i].host_to_connect); 2266 num_permitted_opens = 0; 2267 2268 } 2269 2270 2271 /* return socket to remote host, port */ 2272 static int 2273 connect_to(const char *host, u_short port) 2274 { 2275 struct addrinfo hints, *ai, *aitop; 2276 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2277 int gaierr; 2278 int sock = -1; 2279 2280 memset(&hints, 0, sizeof(hints)); 2281 hints.ai_family = IPv4or6; 2282 hints.ai_socktype = SOCK_STREAM; 2283 snprintf(strport, sizeof strport, "%d", port); 2284 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { 2285 error("connect_to %.100s: unknown host (%s)", host, 2286 gai_strerror(gaierr)); 2287 return -1; 2288 } 2289 for (ai = aitop; ai; ai = ai->ai_next) { 2290 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2291 continue; 2292 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2293 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2294 error("connect_to: getnameinfo failed"); 2295 continue; 2296 } 2297 sock = socket(ai->ai_family, SOCK_STREAM, 0); 2298 if (sock < 0) { 2299 error("socket: %.100s", strerror(errno)); 2300 continue; 2301 } 2302 if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) 2303 fatal("connect_to: F_SETFL: %s", strerror(errno)); 2304 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && 2305 errno != EINPROGRESS) { 2306 error("connect_to %.100s port %s: %.100s", ntop, strport, 2307 strerror(errno)); 2308 close(sock); 2309 continue; /* fail -- try next */ 2310 } 2311 break; /* success */ 2312 2313 } 2314 freeaddrinfo(aitop); 2315 if (!ai) { 2316 error("connect_to %.100s port %d: failed.", host, port); 2317 return -1; 2318 } 2319 /* success */ 2320 return sock; 2321 } 2322 2323 int 2324 channel_connect_by_listen_address(u_short listen_port) 2325 { 2326 int i; 2327 2328 for (i = 0; i < num_permitted_opens; i++) 2329 if (permitted_opens[i].listen_port == listen_port) 2330 return connect_to( 2331 permitted_opens[i].host_to_connect, 2332 permitted_opens[i].port_to_connect); 2333 error("WARNING: Server requests forwarding for unknown listen_port %d", 2334 listen_port); 2335 return -1; 2336 } 2337 2338 /* Check if connecting to that port is permitted and connect. */ 2339 int 2340 channel_connect_to(const char *host, u_short port) 2341 { 2342 int i, permit; 2343 2344 permit = all_opens_permitted; 2345 if (!permit) { 2346 for (i = 0; i < num_permitted_opens; i++) 2347 if (permitted_opens[i].port_to_connect == port && 2348 strcmp(permitted_opens[i].host_to_connect, host) == 0) 2349 permit = 1; 2350 2351 } 2352 if (!permit) { 2353 log("Received request to connect to host %.100s port %d, " 2354 "but the request was denied.", host, port); 2355 return -1; 2356 } 2357 return connect_to(host, port); 2358 } 2359 2360 /* -- X11 forwarding */ 2361 2362 /* 2363 * Creates an internet domain socket for listening for X11 connections. 2364 * Returns a suitable value for the DISPLAY variable, or NULL if an error 2365 * occurs. 2366 */ 2367 char * 2368 x11_create_display_inet(int screen_number, int x11_display_offset) 2369 { 2370 int display_number, sock; 2371 u_short port; 2372 struct addrinfo hints, *ai, *aitop; 2373 char strport[NI_MAXSERV]; 2374 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 2375 char display[512]; 2376 char hostname[MAXHOSTNAMELEN]; 2377 2378 for (display_number = x11_display_offset; 2379 display_number < MAX_DISPLAYS; 2380 display_number++) { 2381 port = 6000 + display_number; 2382 memset(&hints, 0, sizeof(hints)); 2383 hints.ai_family = IPv4or6; 2384 hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */ 2385 hints.ai_socktype = SOCK_STREAM; 2386 snprintf(strport, sizeof strport, "%d", port); 2387 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 2388 error("getaddrinfo: %.100s", gai_strerror(gaierr)); 2389 return NULL; 2390 } 2391 for (ai = aitop; ai; ai = ai->ai_next) { 2392 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2393 continue; 2394 sock = socket(ai->ai_family, SOCK_STREAM, 0); 2395 if (sock < 0) { 2396 error("socket: %.100s", strerror(errno)); 2397 return NULL; 2398 } 2399 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2400 debug("bind port %d: %.100s", port, strerror(errno)); 2401 shutdown(sock, SHUT_RDWR); 2402 close(sock); 2403 for (n = 0; n < num_socks; n++) { 2404 shutdown(socks[n], SHUT_RDWR); 2405 close(socks[n]); 2406 } 2407 num_socks = 0; 2408 break; 2409 } 2410 socks[num_socks++] = sock; 2411 if (num_socks == NUM_SOCKS) 2412 break; 2413 } 2414 freeaddrinfo(aitop); 2415 if (num_socks > 0) 2416 break; 2417 } 2418 if (display_number >= MAX_DISPLAYS) { 2419 error("Failed to allocate internet-domain X11 display socket."); 2420 return NULL; 2421 } 2422 /* Start listening for connections on the socket. */ 2423 for (n = 0; n < num_socks; n++) { 2424 sock = socks[n]; 2425 if (listen(sock, 5) < 0) { 2426 error("listen: %.100s", strerror(errno)); 2427 shutdown(sock, SHUT_RDWR); 2428 close(sock); 2429 return NULL; 2430 } 2431 } 2432 2433 /* Set up a suitable value for the DISPLAY variable. */ 2434 if (gethostname(hostname, sizeof(hostname)) < 0) 2435 fatal("gethostname: %.100s", strerror(errno)); 2436 snprintf(display, sizeof display, "%.400s:%d.%d", hostname, 2437 display_number, screen_number); 2438 2439 /* Allocate a channel for each socket. */ 2440 for (n = 0; n < num_socks; n++) { 2441 sock = socks[n]; 2442 (void) channel_new("x11 listener", 2443 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 2444 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2445 0, xstrdup("X11 inet listener"), 1); 2446 } 2447 2448 /* Return a suitable value for the DISPLAY environment variable. */ 2449 return xstrdup(display); 2450 } 2451 2452 #ifndef X_UNIX_PATH 2453 #define X_UNIX_PATH "/tmp/.X11-unix/X" 2454 #endif 2455 2456 static int 2457 connect_local_xsocket(u_int dnr) 2458 { 2459 static const char *const x_sockets[] = { 2460 X_UNIX_PATH "%u", 2461 "/var/X/.X11-unix/X" "%u", 2462 "/usr/spool/sockets/X11/" "%u", 2463 NULL 2464 }; 2465 int sock; 2466 struct sockaddr_un addr; 2467 const char *const * path; 2468 2469 for (path = x_sockets; *path; ++path) { 2470 sock = socket(AF_UNIX, SOCK_STREAM, 0); 2471 if (sock < 0) 2472 error("socket: %.100s", strerror(errno)); 2473 memset(&addr, 0, sizeof(addr)); 2474 addr.sun_family = AF_UNIX; 2475 snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr); 2476 if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0) 2477 return sock; 2478 close(sock); 2479 } 2480 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 2481 return -1; 2482 } 2483 2484 int 2485 x11_connect_display(void) 2486 { 2487 int display_number, sock = 0; 2488 const char *display; 2489 char buf[1024], *cp; 2490 struct addrinfo hints, *ai, *aitop; 2491 char strport[NI_MAXSERV]; 2492 int gaierr; 2493 2494 /* Try to open a socket for the local X server. */ 2495 display = getenv("DISPLAY"); 2496 if (!display) { 2497 error("DISPLAY not set."); 2498 return -1; 2499 } 2500 /* 2501 * Now we decode the value of the DISPLAY variable and make a 2502 * connection to the real X server. 2503 */ 2504 2505 /* 2506 * Check if it is a unix domain socket. Unix domain displays are in 2507 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 2508 */ 2509 if (strncmp(display, "unix:", 5) == 0 || 2510 display[0] == ':') { 2511 /* Connect to the unix domain socket. */ 2512 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) { 2513 error("Could not parse display number from DISPLAY: %.100s", 2514 display); 2515 return -1; 2516 } 2517 /* Create a socket. */ 2518 sock = connect_local_xsocket(display_number); 2519 if (sock < 0) 2520 return -1; 2521 2522 /* OK, we now have a connection to the display. */ 2523 return sock; 2524 } 2525 /* 2526 * Connect to an inet socket. The DISPLAY value is supposedly 2527 * hostname:d[.s], where hostname may also be numeric IP address. 2528 */ 2529 strncpy(buf, display, sizeof(buf)); 2530 buf[sizeof(buf) - 1] = 0; 2531 cp = strchr(buf, ':'); 2532 if (!cp) { 2533 error("Could not find ':' in DISPLAY: %.100s", display); 2534 return -1; 2535 } 2536 *cp = 0; 2537 /* buf now contains the host name. But first we parse the display number. */ 2538 if (sscanf(cp + 1, "%d", &display_number) != 1) { 2539 error("Could not parse display number from DISPLAY: %.100s", 2540 display); 2541 return -1; 2542 } 2543 2544 /* Look up the host address */ 2545 memset(&hints, 0, sizeof(hints)); 2546 hints.ai_family = IPv4or6; 2547 hints.ai_socktype = SOCK_STREAM; 2548 snprintf(strport, sizeof strport, "%d", 6000 + display_number); 2549 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 2550 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); 2551 return -1; 2552 } 2553 for (ai = aitop; ai; ai = ai->ai_next) { 2554 /* Create a socket. */ 2555 sock = socket(ai->ai_family, SOCK_STREAM, 0); 2556 if (sock < 0) { 2557 debug("socket: %.100s", strerror(errno)); 2558 continue; 2559 } 2560 /* Connect it to the display. */ 2561 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2562 debug("connect %.100s port %d: %.100s", buf, 2563 6000 + display_number, strerror(errno)); 2564 close(sock); 2565 continue; 2566 } 2567 /* Success */ 2568 break; 2569 } 2570 freeaddrinfo(aitop); 2571 if (!ai) { 2572 error("connect %.100s port %d: %.100s", buf, 6000 + display_number, 2573 strerror(errno)); 2574 return -1; 2575 } 2576 return sock; 2577 } 2578 2579 /* 2580 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 2581 * the remote channel number. We should do whatever we want, and respond 2582 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 2583 */ 2584 2585 void 2586 x11_input_open(int type, int plen, void *ctxt) 2587 { 2588 Channel *c = NULL; 2589 int remote_id, sock = 0; 2590 char *remote_host; 2591 2592 debug("Received X11 open request."); 2593 2594 remote_id = packet_get_int(); 2595 2596 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2597 remote_host = packet_get_string(NULL); 2598 } else { 2599 remote_host = xstrdup("unknown (remote did not supply name)"); 2600 } 2601 packet_done(); 2602 2603 /* Obtain a connection to the real X display. */ 2604 sock = x11_connect_display(); 2605 if (sock != -1) { 2606 /* Allocate a channel for this connection. */ 2607 c = channel_new("connected x11 socket", 2608 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 2609 remote_host, 1); 2610 if (c == NULL) { 2611 error("x11_input_open: channel_new failed"); 2612 close(sock); 2613 } else { 2614 c->remote_id = remote_id; 2615 } 2616 } 2617 if (c == NULL) { 2618 /* Send refusal to the remote host. */ 2619 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2620 packet_put_int(remote_id); 2621 } else { 2622 /* Send a confirmation to the remote host. */ 2623 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 2624 packet_put_int(remote_id); 2625 packet_put_int(c->self); 2626 } 2627 packet_send(); 2628 } 2629 2630 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 2631 void 2632 deny_input_open(int type, int plen, void *ctxt) 2633 { 2634 int rchan = packet_get_int(); 2635 switch(type){ 2636 case SSH_SMSG_AGENT_OPEN: 2637 error("Warning: ssh server tried agent forwarding."); 2638 break; 2639 case SSH_SMSG_X11_OPEN: 2640 error("Warning: ssh server tried X11 forwarding."); 2641 break; 2642 default: 2643 error("deny_input_open: type %d plen %d", type, plen); 2644 break; 2645 } 2646 error("Warning: this is probably a break in attempt by a malicious server."); 2647 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2648 packet_put_int(rchan); 2649 packet_send(); 2650 } 2651 2652 /* 2653 * Requests forwarding of X11 connections, generates fake authentication 2654 * data, and enables authentication spoofing. 2655 * This should be called in the client only. 2656 */ 2657 void 2658 x11_request_forwarding_with_spoofing(int client_session_id, 2659 const char *proto, const char *data) 2660 { 2661 u_int data_len = (u_int) strlen(data) / 2; 2662 u_int i, value, len; 2663 char *new_data; 2664 int screen_number; 2665 const char *cp; 2666 u_int32_t rand = 0; 2667 2668 cp = getenv("DISPLAY"); 2669 if (cp) 2670 cp = strchr(cp, ':'); 2671 if (cp) 2672 cp = strchr(cp, '.'); 2673 if (cp) 2674 screen_number = atoi(cp + 1); 2675 else 2676 screen_number = 0; 2677 2678 /* Save protocol name. */ 2679 x11_saved_proto = xstrdup(proto); 2680 2681 /* 2682 * Extract real authentication data and generate fake data of the 2683 * same length. 2684 */ 2685 x11_saved_data = xmalloc(data_len); 2686 x11_fake_data = xmalloc(data_len); 2687 for (i = 0; i < data_len; i++) { 2688 if (sscanf(data + 2 * i, "%2x", &value) != 1) 2689 fatal("x11_request_forwarding: bad authentication data: %.100s", data); 2690 if (i % 4 == 0) 2691 rand = arc4random(); 2692 x11_saved_data[i] = value; 2693 x11_fake_data[i] = rand & 0xff; 2694 rand >>= 8; 2695 } 2696 x11_saved_data_len = data_len; 2697 x11_fake_data_len = data_len; 2698 2699 /* Convert the fake data into hex. */ 2700 len = 2 * data_len + 1; 2701 new_data = xmalloc(len); 2702 for (i = 0; i < data_len; i++) 2703 snprintf(new_data + 2 * i, len - 2 * i, 2704 "%02x", (u_char) x11_fake_data[i]); 2705 2706 /* Send the request packet. */ 2707 if (compat20) { 2708 channel_request_start(client_session_id, "x11-req", 0); 2709 packet_put_char(0); /* XXX bool single connection */ 2710 } else { 2711 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 2712 } 2713 packet_put_cstring(proto); 2714 packet_put_cstring(new_data); 2715 packet_put_int(screen_number); 2716 packet_send(); 2717 packet_write_wait(); 2718 xfree(new_data); 2719 } 2720 2721 2722 /* -- agent forwarding */ 2723 2724 /* Sends a message to the server to request authentication fd forwarding. */ 2725 2726 void 2727 auth_request_forwarding() 2728 { 2729 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 2730 packet_send(); 2731 packet_write_wait(); 2732 } 2733 2734 /* 2735 * Returns the name of the forwarded authentication socket. Returns NULL if 2736 * there is no forwarded authentication socket. The returned value points to 2737 * a static buffer. 2738 */ 2739 2740 char * 2741 auth_get_socket_name() 2742 { 2743 return auth_sock_name; 2744 } 2745 2746 /* removes the agent forwarding socket */ 2747 2748 void 2749 auth_sock_cleanup_proc(void *_pw) 2750 { 2751 struct passwd *pw = _pw; 2752 2753 if (auth_sock_name) { 2754 temporarily_use_uid(pw); 2755 unlink(auth_sock_name); 2756 rmdir(auth_sock_dir); 2757 auth_sock_name = NULL; 2758 restore_uid(); 2759 } 2760 } 2761 2762 /* 2763 * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. 2764 * This starts forwarding authentication requests. 2765 */ 2766 2767 int 2768 auth_input_request_forwarding(struct passwd * pw) 2769 { 2770 Channel *nc; 2771 int sock; 2772 struct sockaddr_un sunaddr; 2773 2774 if (auth_get_socket_name() != NULL) { 2775 error("authentication forwarding requested twice."); 2776 return 0; 2777 } 2778 2779 /* Temporarily drop privileged uid for mkdir/bind. */ 2780 temporarily_use_uid(pw); 2781 2782 /* Allocate a buffer for the socket name, and format the name. */ 2783 auth_sock_name = xmalloc(MAXPATHLEN); 2784 auth_sock_dir = xmalloc(MAXPATHLEN); 2785 strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); 2786 2787 /* Create private directory for socket */ 2788 if (mkdtemp(auth_sock_dir) == NULL) { 2789 packet_send_debug("Agent forwarding disabled: " 2790 "mkdtemp() failed: %.100s", strerror(errno)); 2791 restore_uid(); 2792 xfree(auth_sock_name); 2793 xfree(auth_sock_dir); 2794 auth_sock_name = NULL; 2795 auth_sock_dir = NULL; 2796 return 0; 2797 } 2798 snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%d", 2799 auth_sock_dir, (int) getpid()); 2800 2801 /* delete agent socket on fatal() */ 2802 fatal_add_cleanup(auth_sock_cleanup_proc, pw); 2803 2804 /* Create the socket. */ 2805 sock = socket(AF_UNIX, SOCK_STREAM, 0); 2806 if (sock < 0) 2807 packet_disconnect("socket: %.100s", strerror(errno)); 2808 2809 /* Bind it to the name. */ 2810 memset(&sunaddr, 0, sizeof(sunaddr)); 2811 sunaddr.sun_family = AF_UNIX; 2812 strncpy(sunaddr.sun_path, auth_sock_name, 2813 sizeof(sunaddr.sun_path)); 2814 2815 if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) 2816 packet_disconnect("bind: %.100s", strerror(errno)); 2817 2818 /* Restore the privileged uid. */ 2819 restore_uid(); 2820 2821 /* Start listening on the socket. */ 2822 if (listen(sock, 5) < 0) 2823 packet_disconnect("listen: %.100s", strerror(errno)); 2824 2825 /* Allocate a channel for the authentication agent socket. */ 2826 nc = channel_new("auth socket", 2827 SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1, 2828 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2829 0, xstrdup("auth socket"), 1); 2830 if (nc == NULL) { 2831 error("auth_input_request_forwarding: channel_new failed"); 2832 auth_sock_cleanup_proc(pw); 2833 fatal_remove_cleanup(auth_sock_cleanup_proc, pw); 2834 close(sock); 2835 return 0; 2836 } 2837 strlcpy(nc->path, auth_sock_name, sizeof(nc->path)); 2838 return 1; 2839 } 2840 2841 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ 2842 2843 void 2844 auth_input_open_request(int type, int plen, void *ctxt) 2845 { 2846 Channel *c = NULL; 2847 int remote_id, sock; 2848 char *name; 2849 2850 packet_integrity_check(plen, 4, type); 2851 2852 /* Read the remote channel number from the message. */ 2853 remote_id = packet_get_int(); 2854 2855 /* 2856 * Get a connection to the local authentication agent (this may again 2857 * get forwarded). 2858 */ 2859 sock = ssh_get_authentication_socket(); 2860 2861 /* 2862 * If we could not connect the agent, send an error message back to 2863 * the server. This should never happen unless the agent dies, 2864 * because authentication forwarding is only enabled if we have an 2865 * agent. 2866 */ 2867 if (sock >= 0) { 2868 name = xstrdup("authentication agent connection"); 2869 c = channel_new("", SSH_CHANNEL_OPEN, sock, sock, 2870 -1, 0, 0, 0, name, 1); 2871 if (c == NULL) { 2872 error("auth_input_open_request: channel_new failed"); 2873 xfree(name); 2874 close(sock); 2875 } else { 2876 c->remote_id = remote_id; 2877 } 2878 } 2879 if (c == NULL) { 2880 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2881 packet_put_int(remote_id); 2882 } else { 2883 /* Send a confirmation to the remote host. */ 2884 debug("Forwarding authentication connection."); 2885 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 2886 packet_put_int(remote_id); 2887 packet_put_int(c->self); 2888 } 2889 packet_send(); 2890 } 2891