1 /* $OpenBSD: channels.c,v 1.375 2017/09/24 13:45:34 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include <sys/types.h> 43 #include <sys/stat.h> 44 #include <sys/ioctl.h> 45 #include <sys/un.h> 46 #include <sys/socket.h> 47 #include <sys/time.h> 48 #include <sys/queue.h> 49 50 #include <netinet/in.h> 51 #include <arpa/inet.h> 52 53 #include <errno.h> 54 #include <fcntl.h> 55 #include <limits.h> 56 #include <netdb.h> 57 #include <stdarg.h> 58 #include <stdint.h> 59 #include <stdio.h> 60 #include <stdlib.h> 61 #include <string.h> 62 #include <termios.h> 63 #include <unistd.h> 64 65 #include "xmalloc.h" 66 #include "ssh.h" 67 #include "ssh2.h" 68 #include "ssherr.h" 69 #include "sshbuf.h" 70 #include "packet.h" 71 #include "log.h" 72 #include "misc.h" 73 #include "channels.h" 74 #include "compat.h" 75 #include "canohost.h" 76 #include "key.h" 77 #include "authfd.h" 78 #include "pathnames.h" 79 80 /* -- agent forwarding */ 81 #define NUM_SOCKS 10 82 83 /* -- tcp forwarding */ 84 /* special-case port number meaning allow any port */ 85 #define FWD_PERMIT_ANY_PORT 0 86 87 /* special-case wildcard meaning allow any host */ 88 #define FWD_PERMIT_ANY_HOST "*" 89 90 /* -- X11 forwarding */ 91 /* Maximum number of fake X11 displays to try. */ 92 #define MAX_DISPLAYS 1000 93 94 /* 95 * Data structure for storing which hosts are permitted for forward requests. 96 * The local sides of any remote forwards are stored in this array to prevent 97 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 98 * network (which might be behind a firewall). 99 */ 100 /* XXX: streamlocal wants a path instead of host:port */ 101 /* Overload host_to_connect; we could just make this match Forward */ 102 /* XXX - can we use listen_host instead of listen_path? */ 103 typedef struct { 104 char *host_to_connect; /* Connect to 'host'. */ 105 int port_to_connect; /* Connect to 'port'. */ 106 char *listen_host; /* Remote side should listen address. */ 107 char *listen_path; /* Remote side should listen path. */ 108 int listen_port; /* Remote side should listen port. */ 109 Channel *downstream; /* Downstream mux*/ 110 } ForwardPermission; 111 112 typedef void chan_fn(struct ssh *, Channel *c, 113 fd_set *readset, fd_set *writeset); 114 115 /* Master structure for channels state */ 116 struct ssh_channels { 117 /* 118 * Pointer to an array containing all allocated channels. The array 119 * is dynamically extended as needed. 120 */ 121 Channel **channels; 122 123 /* 124 * Size of the channel array. All slots of the array must always be 125 * initialized (at least the type field); unused slots set to NULL 126 */ 127 u_int channels_alloc; 128 129 /* 130 * Maximum file descriptor value used in any of the channels. This is 131 * updated in channel_new. 132 */ 133 int channel_max_fd; 134 135 /* 136 * 'channel_pre*' are called just before select() to add any bits 137 * relevant to channels in the select bitmasks. 138 * 139 * 'channel_post*': perform any appropriate operations for 140 * channels which have events pending. 141 */ 142 chan_fn **channel_pre; 143 chan_fn **channel_post; 144 145 /* -- tcp forwarding */ 146 147 /* List of all permitted host/port pairs to connect by the user. */ 148 ForwardPermission *permitted_opens; 149 150 /* List of all permitted host/port pairs to connect by the admin. */ 151 ForwardPermission *permitted_adm_opens; 152 153 /* 154 * Number of permitted host/port pairs in the array permitted by 155 * the user. 156 */ 157 u_int num_permitted_opens; 158 159 /* 160 * Number of permitted host/port pair in the array permitted by 161 * the admin. 162 */ 163 u_int num_adm_permitted_opens; 164 165 /* 166 * If this is true, all opens are permitted. This is the case on 167 * the server on which we have to trust the client anyway, and the 168 * user could do anything after logging in anyway. 169 */ 170 int all_opens_permitted; 171 172 /* -- X11 forwarding */ 173 174 /* Saved X11 local (client) display. */ 175 char *x11_saved_display; 176 177 /* Saved X11 authentication protocol name. */ 178 char *x11_saved_proto; 179 180 /* Saved X11 authentication data. This is the real data. */ 181 char *x11_saved_data; 182 u_int x11_saved_data_len; 183 184 /* Deadline after which all X11 connections are refused */ 185 u_int x11_refuse_time; 186 187 /* 188 * Fake X11 authentication data. This is what the server will be 189 * sending us; we should replace any occurrences of this by the 190 * real data. 191 */ 192 u_char *x11_fake_data; 193 u_int x11_fake_data_len; 194 195 /* AF_UNSPEC or AF_INET or AF_INET6 */ 196 int IPv4or6; 197 }; 198 199 /* helper */ 200 static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype); 201 static const char *channel_rfwd_bind_host(const char *listen_host); 202 203 /* non-blocking connect helpers */ 204 static int connect_next(struct channel_connect *); 205 static void channel_connect_ctx_free(struct channel_connect *); 206 static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *); 207 static int rdynamic_connect_finish(struct ssh *, Channel *); 208 209 /* Setup helper */ 210 static void channel_handler_init(struct ssh_channels *sc); 211 212 /* -- channel core */ 213 214 void 215 channel_init_channels(struct ssh *ssh) 216 { 217 struct ssh_channels *sc; 218 219 if ((sc = calloc(1, sizeof(*sc))) == NULL || 220 (sc->channel_pre = calloc(SSH_CHANNEL_MAX_TYPE, 221 sizeof(*sc->channel_pre))) == NULL || 222 (sc->channel_post = calloc(SSH_CHANNEL_MAX_TYPE, 223 sizeof(*sc->channel_post))) == NULL) 224 fatal("%s: allocation failed", __func__); 225 sc->channels_alloc = 10; 226 sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels)); 227 sc->IPv4or6 = AF_UNSPEC; 228 channel_handler_init(sc); 229 230 ssh->chanctxt = sc; 231 } 232 233 Channel * 234 channel_by_id(struct ssh *ssh, int id) 235 { 236 Channel *c; 237 238 if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) { 239 logit("%s: %d: bad id", __func__, id); 240 return NULL; 241 } 242 c = ssh->chanctxt->channels[id]; 243 if (c == NULL) { 244 logit("%s: %d: bad id: channel free", __func__, id); 245 return NULL; 246 } 247 return c; 248 } 249 250 Channel * 251 channel_by_remote_id(struct ssh *ssh, u_int remote_id) 252 { 253 Channel *c; 254 u_int i; 255 256 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 257 c = ssh->chanctxt->channels[i]; 258 if (c != NULL && c->have_remote_id && c->remote_id == remote_id) 259 return c; 260 } 261 return NULL; 262 } 263 264 /* 265 * Returns the channel if it is allowed to receive protocol messages. 266 * Private channels, like listening sockets, may not receive messages. 267 */ 268 Channel * 269 channel_lookup(struct ssh *ssh, int id) 270 { 271 Channel *c; 272 273 if ((c = channel_by_id(ssh, id)) == NULL) 274 return NULL; 275 276 switch (c->type) { 277 case SSH_CHANNEL_X11_OPEN: 278 case SSH_CHANNEL_LARVAL: 279 case SSH_CHANNEL_CONNECTING: 280 case SSH_CHANNEL_DYNAMIC: 281 case SSH_CHANNEL_RDYNAMIC_OPEN: 282 case SSH_CHANNEL_RDYNAMIC_FINISH: 283 case SSH_CHANNEL_OPENING: 284 case SSH_CHANNEL_OPEN: 285 case SSH_CHANNEL_ABANDONED: 286 case SSH_CHANNEL_MUX_PROXY: 287 return c; 288 } 289 logit("Non-public channel %d, type %d.", id, c->type); 290 return NULL; 291 } 292 293 /* 294 * Register filedescriptors for a channel, used when allocating a channel or 295 * when the channel consumer/producer is ready, e.g. shell exec'd 296 */ 297 static void 298 channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, 299 int extusage, int nonblock, int is_tty) 300 { 301 struct ssh_channels *sc = ssh->chanctxt; 302 303 /* Update the maximum file descriptor value. */ 304 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, rfd); 305 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, wfd); 306 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, efd); 307 308 if (rfd != -1) 309 fcntl(rfd, F_SETFD, FD_CLOEXEC); 310 if (wfd != -1 && wfd != rfd) 311 fcntl(wfd, F_SETFD, FD_CLOEXEC); 312 if (efd != -1 && efd != rfd && efd != wfd) 313 fcntl(efd, F_SETFD, FD_CLOEXEC); 314 315 c->rfd = rfd; 316 c->wfd = wfd; 317 c->sock = (rfd == wfd) ? rfd : -1; 318 c->efd = efd; 319 c->extended_usage = extusage; 320 321 if ((c->isatty = is_tty) != 0) 322 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 323 324 /* enable nonblocking mode */ 325 if (nonblock) { 326 if (rfd != -1) 327 set_nonblock(rfd); 328 if (wfd != -1) 329 set_nonblock(wfd); 330 if (efd != -1) 331 set_nonblock(efd); 332 } 333 } 334 335 /* 336 * Allocate a new channel object and set its type and socket. This will cause 337 * remote_name to be freed. 338 */ 339 Channel * 340 channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, 341 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 342 { 343 struct ssh_channels *sc = ssh->chanctxt; 344 u_int i, found; 345 Channel *c; 346 347 /* Try to find a free slot where to put the new channel. */ 348 for (i = 0; i < sc->channels_alloc; i++) { 349 if (sc->channels[i] == NULL) { 350 /* Found a free slot. */ 351 found = i; 352 break; 353 } 354 } 355 if (i >= sc->channels_alloc) { 356 /* 357 * There are no free slots. Take last+1 slot and expand 358 * the array. 359 */ 360 found = sc->channels_alloc; 361 if (sc->channels_alloc > CHANNELS_MAX_CHANNELS) 362 fatal("%s: internal error: channels_alloc %d too big", 363 __func__, sc->channels_alloc); 364 sc->channels = xrecallocarray(sc->channels, sc->channels_alloc, 365 sc->channels_alloc + 10, sizeof(*sc->channels)); 366 sc->channels_alloc += 10; 367 debug2("channel: expanding %d", sc->channels_alloc); 368 } 369 /* Initialize and return new channel. */ 370 c = sc->channels[found] = xcalloc(1, sizeof(Channel)); 371 if ((c->input = sshbuf_new()) == NULL || 372 (c->output = sshbuf_new()) == NULL || 373 (c->extended = sshbuf_new()) == NULL) 374 fatal("%s: sshbuf_new failed", __func__); 375 c->ostate = CHAN_OUTPUT_OPEN; 376 c->istate = CHAN_INPUT_OPEN; 377 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0); 378 c->self = found; 379 c->type = type; 380 c->ctype = ctype; 381 c->local_window = window; 382 c->local_window_max = window; 383 c->local_maxpacket = maxpack; 384 c->remote_name = xstrdup(remote_name); 385 c->ctl_chan = -1; 386 c->delayed = 1; /* prevent call to channel_post handler */ 387 TAILQ_INIT(&c->status_confirms); 388 debug("channel %d: new [%s]", found, remote_name); 389 return c; 390 } 391 392 static void 393 channel_find_maxfd(struct ssh_channels *sc) 394 { 395 u_int i; 396 int max = 0; 397 Channel *c; 398 399 for (i = 0; i < sc->channels_alloc; i++) { 400 c = sc->channels[i]; 401 if (c != NULL) { 402 max = MAXIMUM(max, c->rfd); 403 max = MAXIMUM(max, c->wfd); 404 max = MAXIMUM(max, c->efd); 405 } 406 } 407 sc->channel_max_fd = max; 408 } 409 410 int 411 channel_close_fd(struct ssh *ssh, int *fdp) 412 { 413 struct ssh_channels *sc = ssh->chanctxt; 414 int ret = 0, fd = *fdp; 415 416 if (fd != -1) { 417 ret = close(fd); 418 *fdp = -1; 419 if (fd == sc->channel_max_fd) 420 channel_find_maxfd(sc); 421 } 422 return ret; 423 } 424 425 /* Close all channel fd/socket. */ 426 static void 427 channel_close_fds(struct ssh *ssh, Channel *c) 428 { 429 channel_close_fd(ssh, &c->sock); 430 channel_close_fd(ssh, &c->rfd); 431 channel_close_fd(ssh, &c->wfd); 432 channel_close_fd(ssh, &c->efd); 433 } 434 435 static void 436 fwd_perm_clear(ForwardPermission *fp) 437 { 438 free(fp->host_to_connect); 439 free(fp->listen_host); 440 free(fp->listen_path); 441 bzero(fp, sizeof(*fp)); 442 } 443 444 enum { FWDPERM_USER, FWDPERM_ADMIN }; 445 446 static int 447 fwd_perm_list_add(struct ssh *ssh, int which, 448 const char *host_to_connect, int port_to_connect, 449 const char *listen_host, const char *listen_path, int listen_port, 450 Channel *downstream) 451 { 452 ForwardPermission **fpl; 453 u_int n, *nfpl; 454 455 switch (which) { 456 case FWDPERM_USER: 457 fpl = &ssh->chanctxt->permitted_opens; 458 nfpl = &ssh->chanctxt->num_permitted_opens; 459 break; 460 case FWDPERM_ADMIN: 461 fpl = &ssh->chanctxt->permitted_adm_opens; 462 nfpl = &ssh->chanctxt->num_adm_permitted_opens; 463 break; 464 default: 465 fatal("%s: invalid list %d", __func__, which); 466 } 467 468 if (*nfpl >= INT_MAX) 469 fatal("%s: overflow", __func__); 470 471 *fpl = xrecallocarray(*fpl, *nfpl, *nfpl + 1, sizeof(**fpl)); 472 n = (*nfpl)++; 473 #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s)) 474 (*fpl)[n].host_to_connect = MAYBE_DUP(host_to_connect); 475 (*fpl)[n].port_to_connect = port_to_connect; 476 (*fpl)[n].listen_host = MAYBE_DUP(listen_host); 477 (*fpl)[n].listen_path = MAYBE_DUP(listen_path); 478 (*fpl)[n].listen_port = listen_port; 479 (*fpl)[n].downstream = downstream; 480 #undef MAYBE_DUP 481 return (int)n; 482 } 483 484 static void 485 mux_remove_remote_forwardings(struct ssh *ssh, Channel *c) 486 { 487 struct ssh_channels *sc = ssh->chanctxt; 488 ForwardPermission *fp; 489 int r; 490 u_int i; 491 492 for (i = 0; i < sc->num_permitted_opens; i++) { 493 fp = &sc->permitted_opens[i]; 494 if (fp->downstream != c) 495 continue; 496 497 /* cancel on the server, since mux client is gone */ 498 debug("channel %d: cleanup remote forward for %s:%u", 499 c->self, fp->listen_host, fp->listen_port); 500 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 501 (r = sshpkt_put_cstring(ssh, 502 "cancel-tcpip-forward")) != 0 || 503 (r = sshpkt_put_u8(ssh, 0)) != 0 || 504 (r = sshpkt_put_cstring(ssh, 505 channel_rfwd_bind_host(fp->listen_host))) != 0 || 506 (r = sshpkt_put_u32(ssh, fp->listen_port)) != 0 || 507 (r = sshpkt_send(ssh)) != 0) { 508 fatal("%s: channel %i: %s", __func__, 509 c->self, ssh_err(r)); 510 } 511 fwd_perm_clear(fp); /* unregister */ 512 } 513 } 514 515 /* Free the channel and close its fd/socket. */ 516 void 517 channel_free(struct ssh *ssh, Channel *c) 518 { 519 struct ssh_channels *sc = ssh->chanctxt; 520 char *s; 521 u_int i, n; 522 Channel *other; 523 struct channel_confirm *cc; 524 525 for (n = 0, i = 0; i < sc->channels_alloc; i++) { 526 if ((other = sc->channels[i]) == NULL) 527 continue; 528 n++; 529 /* detach from mux client and prepare for closing */ 530 if (c->type == SSH_CHANNEL_MUX_CLIENT && 531 other->type == SSH_CHANNEL_MUX_PROXY && 532 other->mux_ctx == c) { 533 other->mux_ctx = NULL; 534 other->type = SSH_CHANNEL_OPEN; 535 other->istate = CHAN_INPUT_CLOSED; 536 other->ostate = CHAN_OUTPUT_CLOSED; 537 } 538 } 539 debug("channel %d: free: %s, nchannels %u", c->self, 540 c->remote_name ? c->remote_name : "???", n); 541 542 if (c->type == SSH_CHANNEL_MUX_CLIENT) 543 mux_remove_remote_forwardings(ssh, c); 544 545 s = channel_open_message(ssh); 546 debug3("channel %d: status: %s", c->self, s); 547 free(s); 548 549 channel_close_fds(ssh, c); 550 sshbuf_free(c->input); 551 sshbuf_free(c->output); 552 sshbuf_free(c->extended); 553 c->input = c->output = c->extended = NULL; 554 free(c->remote_name); 555 c->remote_name = NULL; 556 free(c->path); 557 c->path = NULL; 558 free(c->listening_addr); 559 c->listening_addr = NULL; 560 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 561 if (cc->abandon_cb != NULL) 562 cc->abandon_cb(ssh, c, cc->ctx); 563 TAILQ_REMOVE(&c->status_confirms, cc, entry); 564 explicit_bzero(cc, sizeof(*cc)); 565 free(cc); 566 } 567 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 568 c->filter_cleanup(ssh, c->self, c->filter_ctx); 569 sc->channels[c->self] = NULL; 570 explicit_bzero(c, sizeof(*c)); 571 free(c); 572 } 573 574 void 575 channel_free_all(struct ssh *ssh) 576 { 577 u_int i; 578 579 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) 580 if (ssh->chanctxt->channels[i] != NULL) 581 channel_free(ssh, ssh->chanctxt->channels[i]); 582 } 583 584 /* 585 * Closes the sockets/fds of all channels. This is used to close extra file 586 * descriptors after a fork. 587 */ 588 void 589 channel_close_all(struct ssh *ssh) 590 { 591 u_int i; 592 593 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) 594 if (ssh->chanctxt->channels[i] != NULL) 595 channel_close_fds(ssh, ssh->chanctxt->channels[i]); 596 } 597 598 /* 599 * Stop listening to channels. 600 */ 601 void 602 channel_stop_listening(struct ssh *ssh) 603 { 604 u_int i; 605 Channel *c; 606 607 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 608 c = ssh->chanctxt->channels[i]; 609 if (c != NULL) { 610 switch (c->type) { 611 case SSH_CHANNEL_AUTH_SOCKET: 612 case SSH_CHANNEL_PORT_LISTENER: 613 case SSH_CHANNEL_RPORT_LISTENER: 614 case SSH_CHANNEL_X11_LISTENER: 615 case SSH_CHANNEL_UNIX_LISTENER: 616 case SSH_CHANNEL_RUNIX_LISTENER: 617 channel_close_fd(ssh, &c->sock); 618 channel_free(ssh, c); 619 break; 620 } 621 } 622 } 623 } 624 625 /* 626 * Returns true if no channel has too much buffered data, and false if one or 627 * more channel is overfull. 628 */ 629 int 630 channel_not_very_much_buffered_data(struct ssh *ssh) 631 { 632 u_int i; 633 u_int maxsize = ssh_packet_get_maxsize(ssh); 634 Channel *c; 635 636 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 637 c = ssh->chanctxt->channels[i]; 638 if (c == NULL || c->type != SSH_CHANNEL_OPEN) 639 continue; 640 if (sshbuf_len(c->output) > maxsize) { 641 debug2("channel %d: big output buffer %zu > %u", 642 c->self, sshbuf_len(c->output), maxsize); 643 return 0; 644 } 645 } 646 return 1; 647 } 648 649 /* Returns true if any channel is still open. */ 650 int 651 channel_still_open(struct ssh *ssh) 652 { 653 u_int i; 654 Channel *c; 655 656 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 657 c = ssh->chanctxt->channels[i]; 658 if (c == NULL) 659 continue; 660 switch (c->type) { 661 case SSH_CHANNEL_X11_LISTENER: 662 case SSH_CHANNEL_PORT_LISTENER: 663 case SSH_CHANNEL_RPORT_LISTENER: 664 case SSH_CHANNEL_MUX_LISTENER: 665 case SSH_CHANNEL_CLOSED: 666 case SSH_CHANNEL_AUTH_SOCKET: 667 case SSH_CHANNEL_DYNAMIC: 668 case SSH_CHANNEL_RDYNAMIC_OPEN: 669 case SSH_CHANNEL_CONNECTING: 670 case SSH_CHANNEL_ZOMBIE: 671 case SSH_CHANNEL_ABANDONED: 672 case SSH_CHANNEL_UNIX_LISTENER: 673 case SSH_CHANNEL_RUNIX_LISTENER: 674 continue; 675 case SSH_CHANNEL_LARVAL: 676 continue; 677 case SSH_CHANNEL_OPENING: 678 case SSH_CHANNEL_OPEN: 679 case SSH_CHANNEL_RDYNAMIC_FINISH: 680 case SSH_CHANNEL_X11_OPEN: 681 case SSH_CHANNEL_MUX_CLIENT: 682 case SSH_CHANNEL_MUX_PROXY: 683 return 1; 684 default: 685 fatal("%s: bad channel type %d", __func__, c->type); 686 /* NOTREACHED */ 687 } 688 } 689 return 0; 690 } 691 692 /* Returns the id of an open channel suitable for keepaliving */ 693 int 694 channel_find_open(struct ssh *ssh) 695 { 696 u_int i; 697 Channel *c; 698 699 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 700 c = ssh->chanctxt->channels[i]; 701 if (c == NULL || !c->have_remote_id) 702 continue; 703 switch (c->type) { 704 case SSH_CHANNEL_CLOSED: 705 case SSH_CHANNEL_DYNAMIC: 706 case SSH_CHANNEL_RDYNAMIC_OPEN: 707 case SSH_CHANNEL_RDYNAMIC_FINISH: 708 case SSH_CHANNEL_X11_LISTENER: 709 case SSH_CHANNEL_PORT_LISTENER: 710 case SSH_CHANNEL_RPORT_LISTENER: 711 case SSH_CHANNEL_MUX_LISTENER: 712 case SSH_CHANNEL_MUX_CLIENT: 713 case SSH_CHANNEL_MUX_PROXY: 714 case SSH_CHANNEL_OPENING: 715 case SSH_CHANNEL_CONNECTING: 716 case SSH_CHANNEL_ZOMBIE: 717 case SSH_CHANNEL_ABANDONED: 718 case SSH_CHANNEL_UNIX_LISTENER: 719 case SSH_CHANNEL_RUNIX_LISTENER: 720 continue; 721 case SSH_CHANNEL_LARVAL: 722 case SSH_CHANNEL_AUTH_SOCKET: 723 case SSH_CHANNEL_OPEN: 724 case SSH_CHANNEL_X11_OPEN: 725 return i; 726 default: 727 fatal("%s: bad channel type %d", __func__, c->type); 728 /* NOTREACHED */ 729 } 730 } 731 return -1; 732 } 733 734 /* 735 * Returns a message describing the currently open forwarded connections, 736 * suitable for sending to the client. The message contains crlf pairs for 737 * newlines. 738 */ 739 char * 740 channel_open_message(struct ssh *ssh) 741 { 742 struct sshbuf *buf; 743 Channel *c; 744 u_int i; 745 int r; 746 char *ret; 747 748 if ((buf = sshbuf_new()) == NULL) 749 fatal("%s: sshbuf_new", __func__); 750 if ((r = sshbuf_putf(buf, 751 "The following connections are open:\r\n")) != 0) 752 fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 753 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 754 c = ssh->chanctxt->channels[i]; 755 if (c == NULL) 756 continue; 757 switch (c->type) { 758 case SSH_CHANNEL_X11_LISTENER: 759 case SSH_CHANNEL_PORT_LISTENER: 760 case SSH_CHANNEL_RPORT_LISTENER: 761 case SSH_CHANNEL_CLOSED: 762 case SSH_CHANNEL_AUTH_SOCKET: 763 case SSH_CHANNEL_ZOMBIE: 764 case SSH_CHANNEL_ABANDONED: 765 case SSH_CHANNEL_MUX_LISTENER: 766 case SSH_CHANNEL_UNIX_LISTENER: 767 case SSH_CHANNEL_RUNIX_LISTENER: 768 continue; 769 case SSH_CHANNEL_LARVAL: 770 case SSH_CHANNEL_OPENING: 771 case SSH_CHANNEL_CONNECTING: 772 case SSH_CHANNEL_DYNAMIC: 773 case SSH_CHANNEL_RDYNAMIC_OPEN: 774 case SSH_CHANNEL_RDYNAMIC_FINISH: 775 case SSH_CHANNEL_OPEN: 776 case SSH_CHANNEL_X11_OPEN: 777 case SSH_CHANNEL_MUX_PROXY: 778 case SSH_CHANNEL_MUX_CLIENT: 779 if ((r = sshbuf_putf(buf, " #%d %.300s " 780 "(t%d %s%u i%u/%zu o%u/%zu fd %d/%d cc %d)\r\n", 781 c->self, c->remote_name, 782 c->type, 783 c->have_remote_id ? "r" : "nr", c->remote_id, 784 c->istate, sshbuf_len(c->input), 785 c->ostate, sshbuf_len(c->output), 786 c->rfd, c->wfd, c->ctl_chan)) != 0) 787 fatal("%s: sshbuf_putf: %s", 788 __func__, ssh_err(r)); 789 continue; 790 default: 791 fatal("%s: bad channel type %d", __func__, c->type); 792 /* NOTREACHED */ 793 } 794 } 795 if ((ret = sshbuf_dup_string(buf)) == NULL) 796 fatal("%s: sshbuf_dup_string", __func__); 797 sshbuf_free(buf); 798 return ret; 799 } 800 801 static void 802 open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type) 803 { 804 int r; 805 806 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 || 807 (r = sshpkt_put_cstring(ssh, type)) != 0 || 808 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 809 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 810 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { 811 fatal("%s: channel %i: open: %s", where, c->self, ssh_err(r)); 812 } 813 } 814 815 void 816 channel_send_open(struct ssh *ssh, int id) 817 { 818 Channel *c = channel_lookup(ssh, id); 819 int r; 820 821 if (c == NULL) { 822 logit("channel_send_open: %d: bad id", id); 823 return; 824 } 825 debug2("channel %d: send open", id); 826 open_preamble(ssh, __func__, c, c->ctype); 827 if ((r = sshpkt_send(ssh)) != 0) 828 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 829 } 830 831 void 832 channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm) 833 { 834 Channel *c = channel_lookup(ssh, id); 835 int r; 836 837 if (c == NULL) { 838 logit("%s: %d: unknown channel id", __func__, id); 839 return; 840 } 841 if (!c->have_remote_id) 842 fatal(":%s: channel %d: no remote id", __func__, c->self); 843 844 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 845 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 || 846 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 847 (r = sshpkt_put_cstring(ssh, service)) != 0 || 848 (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) { 849 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 850 } 851 } 852 853 void 854 channel_register_status_confirm(struct ssh *ssh, int id, 855 channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx) 856 { 857 struct channel_confirm *cc; 858 Channel *c; 859 860 if ((c = channel_lookup(ssh, id)) == NULL) 861 fatal("%s: %d: bad id", __func__, id); 862 863 cc = xcalloc(1, sizeof(*cc)); 864 cc->cb = cb; 865 cc->abandon_cb = abandon_cb; 866 cc->ctx = ctx; 867 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 868 } 869 870 void 871 channel_register_open_confirm(struct ssh *ssh, int id, 872 channel_open_fn *fn, void *ctx) 873 { 874 Channel *c = channel_lookup(ssh, id); 875 876 if (c == NULL) { 877 logit("%s: %d: bad id", __func__, id); 878 return; 879 } 880 c->open_confirm = fn; 881 c->open_confirm_ctx = ctx; 882 } 883 884 void 885 channel_register_cleanup(struct ssh *ssh, int id, 886 channel_callback_fn *fn, int do_close) 887 { 888 Channel *c = channel_by_id(ssh, id); 889 890 if (c == NULL) { 891 logit("%s: %d: bad id", __func__, id); 892 return; 893 } 894 c->detach_user = fn; 895 c->detach_close = do_close; 896 } 897 898 void 899 channel_cancel_cleanup(struct ssh *ssh, int id) 900 { 901 Channel *c = channel_by_id(ssh, id); 902 903 if (c == NULL) { 904 logit("%s: %d: bad id", __func__, id); 905 return; 906 } 907 c->detach_user = NULL; 908 c->detach_close = 0; 909 } 910 911 void 912 channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn, 913 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 914 { 915 Channel *c = channel_lookup(ssh, id); 916 917 if (c == NULL) { 918 logit("%s: %d: bad id", __func__, id); 919 return; 920 } 921 c->input_filter = ifn; 922 c->output_filter = ofn; 923 c->filter_ctx = ctx; 924 c->filter_cleanup = cfn; 925 } 926 927 void 928 channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd, 929 int extusage, int nonblock, int is_tty, u_int window_max) 930 { 931 Channel *c = channel_lookup(ssh, id); 932 int r; 933 934 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 935 fatal("channel_activate for non-larval channel %d.", id); 936 if (!c->have_remote_id) 937 fatal(":%s: channel %d: no remote id", __func__, c->self); 938 939 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty); 940 c->type = SSH_CHANNEL_OPEN; 941 c->local_window = c->local_window_max = window_max; 942 943 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || 944 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 945 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 946 (r = sshpkt_send(ssh)) != 0) 947 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 948 } 949 950 static void 951 channel_pre_listener(struct ssh *ssh, Channel *c, 952 fd_set *readset, fd_set *writeset) 953 { 954 FD_SET(c->sock, readset); 955 } 956 957 static void 958 channel_pre_connecting(struct ssh *ssh, Channel *c, 959 fd_set *readset, fd_set *writeset) 960 { 961 debug3("channel %d: waiting for connection", c->self); 962 FD_SET(c->sock, writeset); 963 } 964 965 static void 966 channel_pre_open(struct ssh *ssh, Channel *c, 967 fd_set *readset, fd_set *writeset) 968 { 969 if (c->istate == CHAN_INPUT_OPEN && 970 c->remote_window > 0 && 971 sshbuf_len(c->input) < c->remote_window && 972 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0) 973 FD_SET(c->rfd, readset); 974 if (c->ostate == CHAN_OUTPUT_OPEN || 975 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 976 if (sshbuf_len(c->output) > 0) { 977 FD_SET(c->wfd, writeset); 978 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 979 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 980 debug2("channel %d: " 981 "obuf_empty delayed efd %d/(%zu)", c->self, 982 c->efd, sshbuf_len(c->extended)); 983 else 984 chan_obuf_empty(ssh, c); 985 } 986 } 987 /** XXX check close conditions, too */ 988 if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED && 989 c->ostate == CHAN_OUTPUT_CLOSED)) { 990 if (c->extended_usage == CHAN_EXTENDED_WRITE && 991 sshbuf_len(c->extended) > 0) 992 FD_SET(c->efd, writeset); 993 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 994 (c->extended_usage == CHAN_EXTENDED_READ || 995 c->extended_usage == CHAN_EXTENDED_IGNORE) && 996 sshbuf_len(c->extended) < c->remote_window) 997 FD_SET(c->efd, readset); 998 } 999 /* XXX: What about efd? races? */ 1000 } 1001 1002 /* 1003 * This is a special state for X11 authentication spoofing. An opened X11 1004 * connection (when authentication spoofing is being done) remains in this 1005 * state until the first packet has been completely read. The authentication 1006 * data in that packet is then substituted by the real data if it matches the 1007 * fake data, and the channel is put into normal mode. 1008 * XXX All this happens at the client side. 1009 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 1010 */ 1011 static int 1012 x11_open_helper(struct ssh *ssh, struct sshbuf *b) 1013 { 1014 struct ssh_channels *sc = ssh->chanctxt; 1015 u_char *ucp; 1016 u_int proto_len, data_len; 1017 1018 /* Is this being called after the refusal deadline? */ 1019 if (sc->x11_refuse_time != 0 && 1020 (u_int)monotime() >= sc->x11_refuse_time) { 1021 verbose("Rejected X11 connection after ForwardX11Timeout " 1022 "expired"); 1023 return -1; 1024 } 1025 1026 /* Check if the fixed size part of the packet is in buffer. */ 1027 if (sshbuf_len(b) < 12) 1028 return 0; 1029 1030 /* Parse the lengths of variable-length fields. */ 1031 ucp = sshbuf_mutable_ptr(b); 1032 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 1033 proto_len = 256 * ucp[6] + ucp[7]; 1034 data_len = 256 * ucp[8] + ucp[9]; 1035 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 1036 proto_len = ucp[6] + 256 * ucp[7]; 1037 data_len = ucp[8] + 256 * ucp[9]; 1038 } else { 1039 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 1040 ucp[0]); 1041 return -1; 1042 } 1043 1044 /* Check if the whole packet is in buffer. */ 1045 if (sshbuf_len(b) < 1046 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 1047 return 0; 1048 1049 /* Check if authentication protocol matches. */ 1050 if (proto_len != strlen(sc->x11_saved_proto) || 1051 memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) { 1052 debug2("X11 connection uses different authentication protocol."); 1053 return -1; 1054 } 1055 /* Check if authentication data matches our fake data. */ 1056 if (data_len != sc->x11_fake_data_len || 1057 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 1058 sc->x11_fake_data, sc->x11_fake_data_len) != 0) { 1059 debug2("X11 auth data does not match fake data."); 1060 return -1; 1061 } 1062 /* Check fake data length */ 1063 if (sc->x11_fake_data_len != sc->x11_saved_data_len) { 1064 error("X11 fake_data_len %d != saved_data_len %d", 1065 sc->x11_fake_data_len, sc->x11_saved_data_len); 1066 return -1; 1067 } 1068 /* 1069 * Received authentication protocol and data match 1070 * our fake data. Substitute the fake data with real 1071 * data. 1072 */ 1073 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 1074 sc->x11_saved_data, sc->x11_saved_data_len); 1075 return 1; 1076 } 1077 1078 static void 1079 channel_pre_x11_open(struct ssh *ssh, Channel *c, 1080 fd_set *readset, fd_set *writeset) 1081 { 1082 int ret = x11_open_helper(ssh, c->output); 1083 1084 /* c->force_drain = 1; */ 1085 1086 if (ret == 1) { 1087 c->type = SSH_CHANNEL_OPEN; 1088 channel_pre_open(ssh, c, readset, writeset); 1089 } else if (ret == -1) { 1090 logit("X11 connection rejected because of wrong authentication."); 1091 debug2("X11 rejected %d i%d/o%d", 1092 c->self, c->istate, c->ostate); 1093 chan_read_failed(ssh, c); 1094 sshbuf_reset(c->input); 1095 chan_ibuf_empty(ssh, c); 1096 sshbuf_reset(c->output); 1097 chan_write_failed(ssh, c); 1098 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 1099 } 1100 } 1101 1102 static void 1103 channel_pre_mux_client(struct ssh *ssh, 1104 Channel *c, fd_set *readset, fd_set *writeset) 1105 { 1106 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 1107 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0) 1108 FD_SET(c->rfd, readset); 1109 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1110 /* clear buffer immediately (discard any partial packet) */ 1111 sshbuf_reset(c->input); 1112 chan_ibuf_empty(ssh, c); 1113 /* Start output drain. XXX just kill chan? */ 1114 chan_rcvd_oclose(ssh, c); 1115 } 1116 if (c->ostate == CHAN_OUTPUT_OPEN || 1117 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1118 if (sshbuf_len(c->output) > 0) 1119 FD_SET(c->wfd, writeset); 1120 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1121 chan_obuf_empty(ssh, c); 1122 } 1123 } 1124 1125 /* try to decode a socks4 header */ 1126 static int 1127 channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output) 1128 { 1129 const u_char *p; 1130 char *host; 1131 u_int len, have, i, found, need; 1132 char username[256]; 1133 struct { 1134 u_int8_t version; 1135 u_int8_t command; 1136 u_int16_t dest_port; 1137 struct in_addr dest_addr; 1138 } s4_req, s4_rsp; 1139 int r; 1140 1141 debug2("channel %d: decode socks4", c->self); 1142 1143 have = sshbuf_len(input); 1144 len = sizeof(s4_req); 1145 if (have < len) 1146 return 0; 1147 p = sshbuf_ptr(input); 1148 1149 need = 1; 1150 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1151 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1152 debug2("channel %d: socks4a request", c->self); 1153 /* ... and needs an extra string (the hostname) */ 1154 need = 2; 1155 } 1156 /* Check for terminating NUL on the string(s) */ 1157 for (found = 0, i = len; i < have; i++) { 1158 if (p[i] == '\0') { 1159 found++; 1160 if (found == need) 1161 break; 1162 } 1163 if (i > 1024) { 1164 /* the peer is probably sending garbage */ 1165 debug("channel %d: decode socks4: too long", 1166 c->self); 1167 return -1; 1168 } 1169 } 1170 if (found < need) 1171 return 0; 1172 if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 || 1173 (r = sshbuf_get(input, &s4_req.command, 1)) != 0 || 1174 (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 || 1175 (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) { 1176 debug("channels %d: decode socks4: %s", c->self, ssh_err(r)); 1177 return -1; 1178 } 1179 have = sshbuf_len(input); 1180 p = sshbuf_ptr(input); 1181 if (memchr(p, '\0', have) == NULL) { 1182 error("channel %d: decode socks4: user not nul terminated", 1183 c->self); 1184 return -1; 1185 } 1186 len = strlen(p); 1187 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1188 len++; /* trailing '\0' */ 1189 strlcpy(username, p, sizeof(username)); 1190 if ((r = sshbuf_consume(input, len)) != 0) { 1191 fatal("%s: channel %d: consume: %s", __func__, 1192 c->self, ssh_err(r)); 1193 } 1194 free(c->path); 1195 c->path = NULL; 1196 if (need == 1) { /* SOCKS4: one string */ 1197 host = inet_ntoa(s4_req.dest_addr); 1198 c->path = xstrdup(host); 1199 } else { /* SOCKS4A: two strings */ 1200 have = sshbuf_len(input); 1201 p = sshbuf_ptr(input); 1202 if (memchr(p, '\0', have) == NULL) { 1203 error("channel %d: decode socks4a: host not nul " 1204 "terminated", c->self); 1205 return -1; 1206 } 1207 len = strlen(p); 1208 debug2("channel %d: decode socks4a: host %s/%d", 1209 c->self, p, len); 1210 len++; /* trailing '\0' */ 1211 if (len > NI_MAXHOST) { 1212 error("channel %d: hostname \"%.100s\" too long", 1213 c->self, p); 1214 return -1; 1215 } 1216 c->path = xstrdup(p); 1217 if ((r = sshbuf_consume(input, len)) != 0) { 1218 fatal("%s: channel %d: consume: %s", __func__, 1219 c->self, ssh_err(r)); 1220 } 1221 } 1222 c->host_port = ntohs(s4_req.dest_port); 1223 1224 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1225 c->self, c->path, c->host_port, s4_req.command); 1226 1227 if (s4_req.command != 1) { 1228 debug("channel %d: cannot handle: %s cn %d", 1229 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1230 return -1; 1231 } 1232 s4_rsp.version = 0; /* vn: 0 for reply */ 1233 s4_rsp.command = 90; /* cd: req granted */ 1234 s4_rsp.dest_port = 0; /* ignored */ 1235 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1236 if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) { 1237 fatal("%s: channel %d: append reply: %s", __func__, 1238 c->self, ssh_err(r)); 1239 } 1240 return 1; 1241 } 1242 1243 /* try to decode a socks5 header */ 1244 #define SSH_SOCKS5_AUTHDONE 0x1000 1245 #define SSH_SOCKS5_NOAUTH 0x00 1246 #define SSH_SOCKS5_IPV4 0x01 1247 #define SSH_SOCKS5_DOMAIN 0x03 1248 #define SSH_SOCKS5_IPV6 0x04 1249 #define SSH_SOCKS5_CONNECT 0x01 1250 #define SSH_SOCKS5_SUCCESS 0x00 1251 1252 static int 1253 channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) 1254 { 1255 /* XXX use get/put_u8 instead of trusting struct padding */ 1256 struct { 1257 u_int8_t version; 1258 u_int8_t command; 1259 u_int8_t reserved; 1260 u_int8_t atyp; 1261 } s5_req, s5_rsp; 1262 u_int16_t dest_port; 1263 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1264 const u_char *p; 1265 u_int have, need, i, found, nmethods, addrlen, af; 1266 int r; 1267 1268 debug2("channel %d: decode socks5", c->self); 1269 p = sshbuf_ptr(input); 1270 if (p[0] != 0x05) 1271 return -1; 1272 have = sshbuf_len(input); 1273 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1274 /* format: ver | nmethods | methods */ 1275 if (have < 2) 1276 return 0; 1277 nmethods = p[1]; 1278 if (have < nmethods + 2) 1279 return 0; 1280 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1281 for (found = 0, i = 2; i < nmethods + 2; i++) { 1282 if (p[i] == SSH_SOCKS5_NOAUTH) { 1283 found = 1; 1284 break; 1285 } 1286 } 1287 if (!found) { 1288 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1289 c->self); 1290 return -1; 1291 } 1292 if ((r = sshbuf_consume(input, nmethods + 2)) != 0) { 1293 fatal("%s: channel %d: consume: %s", __func__, 1294 c->self, ssh_err(r)); 1295 } 1296 /* version, method */ 1297 if ((r = sshbuf_put_u8(output, 0x05)) != 0 || 1298 (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0) { 1299 fatal("%s: channel %d: append reply: %s", __func__, 1300 c->self, ssh_err(r)); 1301 } 1302 c->flags |= SSH_SOCKS5_AUTHDONE; 1303 debug2("channel %d: socks5 auth done", c->self); 1304 return 0; /* need more */ 1305 } 1306 debug2("channel %d: socks5 post auth", c->self); 1307 if (have < sizeof(s5_req)+1) 1308 return 0; /* need more */ 1309 memcpy(&s5_req, p, sizeof(s5_req)); 1310 if (s5_req.version != 0x05 || 1311 s5_req.command != SSH_SOCKS5_CONNECT || 1312 s5_req.reserved != 0x00) { 1313 debug2("channel %d: only socks5 connect supported", c->self); 1314 return -1; 1315 } 1316 switch (s5_req.atyp){ 1317 case SSH_SOCKS5_IPV4: 1318 addrlen = 4; 1319 af = AF_INET; 1320 break; 1321 case SSH_SOCKS5_DOMAIN: 1322 addrlen = p[sizeof(s5_req)]; 1323 af = -1; 1324 break; 1325 case SSH_SOCKS5_IPV6: 1326 addrlen = 16; 1327 af = AF_INET6; 1328 break; 1329 default: 1330 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1331 return -1; 1332 } 1333 need = sizeof(s5_req) + addrlen + 2; 1334 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1335 need++; 1336 if (have < need) 1337 return 0; 1338 if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) { 1339 fatal("%s: channel %d: consume: %s", __func__, 1340 c->self, ssh_err(r)); 1341 } 1342 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1343 /* host string length */ 1344 if ((r = sshbuf_consume(input, 1)) != 0) { 1345 fatal("%s: channel %d: consume: %s", __func__, 1346 c->self, ssh_err(r)); 1347 } 1348 } 1349 if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 || 1350 (r = sshbuf_get(input, &dest_port, 2)) != 0) { 1351 debug("channel %d: parse addr/port: %s", c->self, ssh_err(r)); 1352 return -1; 1353 } 1354 dest_addr[addrlen] = '\0'; 1355 free(c->path); 1356 c->path = NULL; 1357 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1358 if (addrlen >= NI_MAXHOST) { 1359 error("channel %d: dynamic request: socks5 hostname " 1360 "\"%.100s\" too long", c->self, dest_addr); 1361 return -1; 1362 } 1363 c->path = xstrdup(dest_addr); 1364 } else { 1365 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1366 return -1; 1367 c->path = xstrdup(ntop); 1368 } 1369 c->host_port = ntohs(dest_port); 1370 1371 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1372 c->self, c->path, c->host_port, s5_req.command); 1373 1374 s5_rsp.version = 0x05; 1375 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1376 s5_rsp.reserved = 0; /* ignored */ 1377 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1378 dest_port = 0; /* ignored */ 1379 1380 if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 || 1381 (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 || 1382 (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0) 1383 fatal("%s: channel %d: append reply: %s", __func__, 1384 c->self, ssh_err(r)); 1385 return 1; 1386 } 1387 1388 Channel * 1389 channel_connect_stdio_fwd(struct ssh *ssh, 1390 const char *host_to_connect, u_short port_to_connect, int in, int out) 1391 { 1392 Channel *c; 1393 1394 debug("%s %s:%d", __func__, host_to_connect, port_to_connect); 1395 1396 c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out, 1397 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1398 0, "stdio-forward", /*nonblock*/0); 1399 1400 c->path = xstrdup(host_to_connect); 1401 c->host_port = port_to_connect; 1402 c->listening_port = 0; 1403 c->force_drain = 1; 1404 1405 channel_register_fds(ssh, c, in, out, -1, 0, 1, 0); 1406 port_open_helper(ssh, c, "direct-tcpip"); 1407 1408 return c; 1409 } 1410 1411 /* dynamic port forwarding */ 1412 static void 1413 channel_pre_dynamic(struct ssh *ssh, Channel *c, 1414 fd_set *readset, fd_set *writeset) 1415 { 1416 const u_char *p; 1417 u_int have; 1418 int ret; 1419 1420 have = sshbuf_len(c->input); 1421 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1422 /* sshbuf_dump(c->input, stderr); */ 1423 /* check if the fixed size part of the packet is in buffer. */ 1424 if (have < 3) { 1425 /* need more */ 1426 FD_SET(c->sock, readset); 1427 return; 1428 } 1429 /* try to guess the protocol */ 1430 p = sshbuf_ptr(c->input); 1431 /* XXX sshbuf_peek_u8? */ 1432 switch (p[0]) { 1433 case 0x04: 1434 ret = channel_decode_socks4(c, c->input, c->output); 1435 break; 1436 case 0x05: 1437 ret = channel_decode_socks5(c, c->input, c->output); 1438 break; 1439 default: 1440 ret = -1; 1441 break; 1442 } 1443 if (ret < 0) { 1444 chan_mark_dead(ssh, c); 1445 } else if (ret == 0) { 1446 debug2("channel %d: pre_dynamic: need more", c->self); 1447 /* need more */ 1448 FD_SET(c->sock, readset); 1449 if (sshbuf_len(c->output)) 1450 FD_SET(c->sock, writeset); 1451 } else { 1452 /* switch to the next state */ 1453 c->type = SSH_CHANNEL_OPENING; 1454 port_open_helper(ssh, c, "direct-tcpip"); 1455 } 1456 } 1457 1458 /* simulate read-error */ 1459 static void 1460 rdynamic_close(struct ssh *ssh, Channel *c) 1461 { 1462 c->type = SSH_CHANNEL_OPEN; 1463 chan_read_failed(ssh, c); 1464 sshbuf_reset(c->input); 1465 chan_ibuf_empty(ssh, c); 1466 sshbuf_reset(c->output); 1467 chan_write_failed(ssh, c); 1468 } 1469 1470 /* reverse dynamic port forwarding */ 1471 static void 1472 channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c) 1473 { 1474 const u_char *p; 1475 u_int have, len; 1476 int r, ret; 1477 1478 have = sshbuf_len(c->output); 1479 debug2("channel %d: pre_rdynamic: have %d", c->self, have); 1480 /* sshbuf_dump(c->output, stderr); */ 1481 /* EOF received */ 1482 if (c->flags & CHAN_EOF_RCVD) { 1483 if ((r = sshbuf_consume(c->output, have)) != 0) { 1484 fatal("%s: channel %d: consume: %s", 1485 __func__, c->self, ssh_err(r)); 1486 } 1487 rdynamic_close(ssh, c); 1488 return; 1489 } 1490 /* check if the fixed size part of the packet is in buffer. */ 1491 if (have < 3) 1492 return; 1493 /* try to guess the protocol */ 1494 p = sshbuf_ptr(c->output); 1495 switch (p[0]) { 1496 case 0x04: 1497 /* switch input/output for reverse forwarding */ 1498 ret = channel_decode_socks4(c, c->output, c->input); 1499 break; 1500 case 0x05: 1501 ret = channel_decode_socks5(c, c->output, c->input); 1502 break; 1503 default: 1504 ret = -1; 1505 break; 1506 } 1507 if (ret < 0) { 1508 rdynamic_close(ssh, c); 1509 } else if (ret == 0) { 1510 debug2("channel %d: pre_rdynamic: need more", c->self); 1511 /* send socks request to peer */ 1512 len = sshbuf_len(c->input); 1513 if (len > 0 && len < c->remote_window) { 1514 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 1515 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1516 (r = sshpkt_put_stringb(ssh, c->input)) != 0 || 1517 (r = sshpkt_send(ssh)) != 0) { 1518 fatal("%s: channel %i: rdynamic: %s", __func__, 1519 c->self, ssh_err(r)); 1520 } 1521 if ((r = sshbuf_consume(c->input, len)) != 0) { 1522 fatal("%s: channel %d: consume: %s", 1523 __func__, c->self, ssh_err(r)); 1524 } 1525 c->remote_window -= len; 1526 } 1527 } else if (rdynamic_connect_finish(ssh, c) < 0) { 1528 /* the connect failed */ 1529 rdynamic_close(ssh, c); 1530 } 1531 } 1532 1533 /* This is our fake X11 server socket. */ 1534 static void 1535 channel_post_x11_listener(struct ssh *ssh, Channel *c, 1536 fd_set *readset, fd_set *writeset) 1537 { 1538 Channel *nc; 1539 struct sockaddr_storage addr; 1540 int r, newsock, oerrno, remote_port; 1541 socklen_t addrlen; 1542 char buf[16384], *remote_ipaddr; 1543 1544 if (!FD_ISSET(c->sock, readset)) 1545 return; 1546 1547 debug("X11 connection requested."); 1548 addrlen = sizeof(addr); 1549 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1550 if (c->single_connection) { 1551 oerrno = errno; 1552 debug2("single_connection: closing X11 listener."); 1553 channel_close_fd(ssh, &c->sock); 1554 chan_mark_dead(ssh, c); 1555 errno = oerrno; 1556 } 1557 if (newsock < 0) { 1558 if (errno != EINTR && errno != EWOULDBLOCK && 1559 errno != ECONNABORTED) 1560 error("accept: %.100s", strerror(errno)); 1561 if (errno == EMFILE || errno == ENFILE) 1562 c->notbefore = monotime() + 1; 1563 return; 1564 } 1565 set_nodelay(newsock); 1566 remote_ipaddr = get_peer_ipaddr(newsock); 1567 remote_port = get_peer_port(newsock); 1568 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1569 remote_ipaddr, remote_port); 1570 1571 nc = channel_new(ssh, "accepted x11 socket", 1572 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1573 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1574 open_preamble(ssh, __func__, nc, "x11"); 1575 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0) { 1576 fatal("%s: channel %i: reply %s", __func__, 1577 c->self, ssh_err(r)); 1578 } 1579 if ((datafellows & SSH_BUG_X11FWD) != 0) 1580 debug2("channel %d: ssh2 x11 bug compat mode", nc->self); 1581 else if ((r = sshpkt_put_u32(ssh, remote_port)) != 0) { 1582 fatal("%s: channel %i: reply %s", __func__, 1583 c->self, ssh_err(r)); 1584 } 1585 if ((r = sshpkt_send(ssh)) != 0) 1586 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r)); 1587 free(remote_ipaddr); 1588 } 1589 1590 static void 1591 port_open_helper(struct ssh *ssh, Channel *c, char *rtype) 1592 { 1593 char *local_ipaddr = get_local_ipaddr(c->sock); 1594 int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock); 1595 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1596 int remote_port = get_peer_port(c->sock); 1597 int r; 1598 1599 if (remote_port == -1) { 1600 /* Fake addr/port to appease peers that validate it (Tectia) */ 1601 free(remote_ipaddr); 1602 remote_ipaddr = xstrdup("127.0.0.1"); 1603 remote_port = 65535; 1604 } 1605 1606 free(c->remote_name); 1607 xasprintf(&c->remote_name, 1608 "%s: listening port %d for %.100s port %d, " 1609 "connect from %.200s port %d to %.100s port %d", 1610 rtype, c->listening_port, c->path, c->host_port, 1611 remote_ipaddr, remote_port, local_ipaddr, local_port); 1612 1613 open_preamble(ssh, __func__, c, rtype); 1614 if (strcmp(rtype, "direct-tcpip") == 0) { 1615 /* target host, port */ 1616 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || 1617 (r = sshpkt_put_u32(ssh, c->host_port)) != 0) { 1618 fatal("%s: channel %i: reply %s", __func__, 1619 c->self, ssh_err(r)); 1620 } 1621 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) { 1622 /* target path */ 1623 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) { 1624 fatal("%s: channel %i: reply %s", __func__, 1625 c->self, ssh_err(r)); 1626 } 1627 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1628 /* listen path */ 1629 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) { 1630 fatal("%s: channel %i: reply %s", __func__, 1631 c->self, ssh_err(r)); 1632 } 1633 } else { 1634 /* listen address, port */ 1635 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || 1636 (r = sshpkt_put_u32(ssh, local_port)) != 0) { 1637 fatal("%s: channel %i: reply %s", __func__, 1638 c->self, ssh_err(r)); 1639 } 1640 } 1641 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1642 /* reserved for future owner/mode info */ 1643 if ((r = sshpkt_put_cstring(ssh, "")) != 0) { 1644 fatal("%s: channel %i: reply %s", __func__, 1645 c->self, ssh_err(r)); 1646 } 1647 } else { 1648 /* originator host and port */ 1649 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || 1650 (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) { 1651 fatal("%s: channel %i: reply %s", __func__, 1652 c->self, ssh_err(r)); 1653 } 1654 } 1655 if ((r = sshpkt_send(ssh)) != 0) 1656 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r)); 1657 free(remote_ipaddr); 1658 free(local_ipaddr); 1659 } 1660 1661 static void 1662 channel_set_reuseaddr(int fd) 1663 { 1664 int on = 1; 1665 1666 /* 1667 * Set socket options. 1668 * Allow local port reuse in TIME_WAIT. 1669 */ 1670 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1671 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1672 } 1673 1674 void 1675 channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time) 1676 { 1677 ssh->chanctxt->x11_refuse_time = refuse_time; 1678 } 1679 1680 /* 1681 * This socket is listening for connections to a forwarded TCP/IP port. 1682 */ 1683 static void 1684 channel_post_port_listener(struct ssh *ssh, Channel *c, 1685 fd_set *readset, fd_set *writeset) 1686 { 1687 Channel *nc; 1688 struct sockaddr_storage addr; 1689 int newsock, nextstate; 1690 socklen_t addrlen; 1691 char *rtype; 1692 1693 if (!FD_ISSET(c->sock, readset)) 1694 return; 1695 1696 debug("Connection to port %d forwarding to %.100s port %d requested.", 1697 c->listening_port, c->path, c->host_port); 1698 1699 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1700 nextstate = SSH_CHANNEL_OPENING; 1701 rtype = "forwarded-tcpip"; 1702 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) { 1703 nextstate = SSH_CHANNEL_OPENING; 1704 rtype = "forwarded-streamlocal@openssh.com"; 1705 } else if (c->host_port == PORT_STREAMLOCAL) { 1706 nextstate = SSH_CHANNEL_OPENING; 1707 rtype = "direct-streamlocal@openssh.com"; 1708 } else if (c->host_port == 0) { 1709 nextstate = SSH_CHANNEL_DYNAMIC; 1710 rtype = "dynamic-tcpip"; 1711 } else { 1712 nextstate = SSH_CHANNEL_OPENING; 1713 rtype = "direct-tcpip"; 1714 } 1715 1716 addrlen = sizeof(addr); 1717 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1718 if (newsock < 0) { 1719 if (errno != EINTR && errno != EWOULDBLOCK && 1720 errno != ECONNABORTED) 1721 error("accept: %.100s", strerror(errno)); 1722 if (errno == EMFILE || errno == ENFILE) 1723 c->notbefore = monotime() + 1; 1724 return; 1725 } 1726 if (c->host_port != PORT_STREAMLOCAL) 1727 set_nodelay(newsock); 1728 nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1, 1729 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1730 nc->listening_port = c->listening_port; 1731 nc->host_port = c->host_port; 1732 if (c->path != NULL) 1733 nc->path = xstrdup(c->path); 1734 1735 if (nextstate != SSH_CHANNEL_DYNAMIC) 1736 port_open_helper(ssh, nc, rtype); 1737 } 1738 1739 /* 1740 * This is the authentication agent socket listening for connections from 1741 * clients. 1742 */ 1743 static void 1744 channel_post_auth_listener(struct ssh *ssh, Channel *c, 1745 fd_set *readset, fd_set *writeset) 1746 { 1747 Channel *nc; 1748 int r, newsock; 1749 struct sockaddr_storage addr; 1750 socklen_t addrlen; 1751 1752 if (!FD_ISSET(c->sock, readset)) 1753 return; 1754 1755 addrlen = sizeof(addr); 1756 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1757 if (newsock < 0) { 1758 error("accept from auth socket: %.100s", strerror(errno)); 1759 if (errno == EMFILE || errno == ENFILE) 1760 c->notbefore = monotime() + 1; 1761 return; 1762 } 1763 nc = channel_new(ssh, "accepted auth socket", 1764 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1765 c->local_window_max, c->local_maxpacket, 1766 0, "accepted auth socket", 1); 1767 open_preamble(ssh, __func__, nc, "auth-agent@openssh.com"); 1768 if ((r = sshpkt_send(ssh)) != 0) 1769 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 1770 } 1771 1772 static void 1773 channel_post_connecting(struct ssh *ssh, Channel *c, 1774 fd_set *readset, fd_set *writeset) 1775 { 1776 int err = 0, sock, isopen, r; 1777 socklen_t sz = sizeof(err); 1778 1779 if (!FD_ISSET(c->sock, writeset)) 1780 return; 1781 if (!c->have_remote_id) 1782 fatal(":%s: channel %d: no remote id", __func__, c->self); 1783 /* for rdynamic the OPEN_CONFIRMATION has been sent already */ 1784 isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH); 1785 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1786 err = errno; 1787 error("getsockopt SO_ERROR failed"); 1788 } 1789 if (err == 0) { 1790 debug("channel %d: connected to %s port %d", 1791 c->self, c->connect_ctx.host, c->connect_ctx.port); 1792 channel_connect_ctx_free(&c->connect_ctx); 1793 c->type = SSH_CHANNEL_OPEN; 1794 if (isopen) { 1795 /* no message necessary */ 1796 } else { 1797 if ((r = sshpkt_start(ssh, 1798 SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || 1799 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1800 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 1801 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 1802 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) 1803 != 0) 1804 fatal("%s: channel %i: confirm: %s", __func__, 1805 c->self, ssh_err(r)); 1806 if ((r = sshpkt_send(ssh)) != 0) 1807 fatal("%s: channel %i: %s", __func__, c->self, 1808 ssh_err(r)); 1809 } 1810 } else { 1811 debug("channel %d: connection failed: %s", 1812 c->self, strerror(err)); 1813 /* Try next address, if any */ 1814 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1815 close(c->sock); 1816 c->sock = c->rfd = c->wfd = sock; 1817 channel_find_maxfd(ssh->chanctxt); 1818 return; 1819 } 1820 /* Exhausted all addresses */ 1821 error("connect_to %.100s port %d: failed.", 1822 c->connect_ctx.host, c->connect_ctx.port); 1823 channel_connect_ctx_free(&c->connect_ctx); 1824 if (isopen) { 1825 rdynamic_close(ssh, c); 1826 } else { 1827 if ((r = sshpkt_start(ssh, 1828 SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 || 1829 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1830 (r = sshpkt_put_u32(ssh, SSH2_OPEN_CONNECT_FAILED)) 1831 != 0) 1832 fatal("%s: channel %i: failure: %s", __func__, 1833 c->self, ssh_err(r)); 1834 if ((datafellows & SSH_BUG_OPENFAILURE) == 0 && 1835 ((r = sshpkt_put_cstring(ssh, strerror(err))) != 0 || 1836 (r = sshpkt_put_cstring(ssh, "")) != 0)) 1837 fatal("%s: channel %i: failure: %s", __func__, 1838 c->self, ssh_err(r)); 1839 if ((r = sshpkt_send(ssh)) != 0) 1840 fatal("%s: channel %i: %s", __func__, c->self, 1841 ssh_err(r)); 1842 chan_mark_dead(ssh, c); 1843 } 1844 } 1845 } 1846 1847 static int 1848 channel_handle_rfd(struct ssh *ssh, Channel *c, 1849 fd_set *readset, fd_set *writeset) 1850 { 1851 char buf[CHAN_RBUF]; 1852 ssize_t len; 1853 int r; 1854 1855 if (c->rfd == -1 || !FD_ISSET(c->rfd, readset)) 1856 return 1; 1857 1858 len = read(c->rfd, buf, sizeof(buf)); 1859 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1860 return 1; 1861 if (len <= 0) { 1862 debug2("channel %d: read<=0 rfd %d len %zd", 1863 c->self, c->rfd, len); 1864 if (c->type != SSH_CHANNEL_OPEN) { 1865 debug2("channel %d: not open", c->self); 1866 chan_mark_dead(ssh, c); 1867 return -1; 1868 } else { 1869 chan_read_failed(ssh, c); 1870 } 1871 return -1; 1872 } 1873 if (c->input_filter != NULL) { 1874 if (c->input_filter(ssh, c, buf, len) == -1) { 1875 debug2("channel %d: filter stops", c->self); 1876 chan_read_failed(ssh, c); 1877 } 1878 } else if (c->datagram) { 1879 if ((r = sshbuf_put_string(c->input, buf, len)) != 0) 1880 fatal("%s: channel %d: put datagram: %s", __func__, 1881 c->self, ssh_err(r)); 1882 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) { 1883 fatal("%s: channel %d: put data: %s", __func__, 1884 c->self, ssh_err(r)); 1885 } 1886 return 1; 1887 } 1888 1889 static int 1890 channel_handle_wfd(struct ssh *ssh, Channel *c, 1891 fd_set *readset, fd_set *writeset) 1892 { 1893 struct termios tio; 1894 u_char *data = NULL, *buf; /* XXX const; need filter API change */ 1895 size_t dlen, olen = 0; 1896 int r, len; 1897 1898 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) || 1899 sshbuf_len(c->output) == 0) 1900 return 1; 1901 1902 /* Send buffered output data to the socket. */ 1903 olen = sshbuf_len(c->output); 1904 if (c->output_filter != NULL) { 1905 if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) { 1906 debug2("channel %d: filter stops", c->self); 1907 if (c->type != SSH_CHANNEL_OPEN) 1908 chan_mark_dead(ssh, c); 1909 else 1910 chan_write_failed(ssh, c); 1911 return -1; 1912 } 1913 } else if (c->datagram) { 1914 if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0) 1915 fatal("%s: channel %d: get datagram: %s", __func__, 1916 c->self, ssh_err(r)); 1917 buf = data; 1918 } else { 1919 buf = data = sshbuf_mutable_ptr(c->output); 1920 dlen = sshbuf_len(c->output); 1921 } 1922 1923 if (c->datagram) { 1924 /* ignore truncated writes, datagrams might get lost */ 1925 len = write(c->wfd, buf, dlen); 1926 free(data); 1927 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1928 return 1; 1929 if (len <= 0) 1930 goto write_fail; 1931 goto out; 1932 } 1933 1934 len = write(c->wfd, buf, dlen); 1935 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1936 return 1; 1937 if (len <= 0) { 1938 write_fail: 1939 if (c->type != SSH_CHANNEL_OPEN) { 1940 debug2("channel %d: not open", c->self); 1941 chan_mark_dead(ssh, c); 1942 return -1; 1943 } else { 1944 chan_write_failed(ssh, c); 1945 } 1946 return -1; 1947 } 1948 if (c->isatty && dlen >= 1 && buf[0] != '\r') { 1949 if (tcgetattr(c->wfd, &tio) == 0 && 1950 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1951 /* 1952 * Simulate echo to reduce the impact of 1953 * traffic analysis. We need to match the 1954 * size of a SSH2_MSG_CHANNEL_DATA message 1955 * (4 byte channel id + buf) 1956 */ 1957 if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 || 1958 (r = sshpkt_send(ssh)) != 0) 1959 fatal("%s: channel %d: ignore: %s", 1960 __func__, c->self, ssh_err(r)); 1961 } 1962 } 1963 if ((r = sshbuf_consume(c->output, len)) != 0) { 1964 fatal("%s: channel %d: consume: %s", 1965 __func__, c->self, ssh_err(r)); 1966 } 1967 out: 1968 c->local_consumed += olen - sshbuf_len(c->output); 1969 1970 return 1; 1971 } 1972 1973 static int 1974 channel_handle_efd_write(struct ssh *ssh, Channel *c, 1975 fd_set *readset, fd_set *writeset) 1976 { 1977 int r; 1978 ssize_t len; 1979 1980 if (!FD_ISSET(c->efd, writeset) || sshbuf_len(c->extended) == 0) 1981 return 1; 1982 1983 len = write(c->efd, sshbuf_ptr(c->extended), 1984 sshbuf_len(c->extended)); 1985 debug2("channel %d: written %zd to efd %d", c->self, len, c->efd); 1986 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1987 return 1; 1988 if (len <= 0) { 1989 debug2("channel %d: closing write-efd %d", c->self, c->efd); 1990 channel_close_fd(ssh, &c->efd); 1991 } else { 1992 if ((r = sshbuf_consume(c->extended, len)) != 0) { 1993 fatal("%s: channel %d: consume: %s", 1994 __func__, c->self, ssh_err(r)); 1995 } 1996 c->local_consumed += len; 1997 } 1998 return 1; 1999 } 2000 2001 static int 2002 channel_handle_efd_read(struct ssh *ssh, Channel *c, 2003 fd_set *readset, fd_set *writeset) 2004 { 2005 char buf[CHAN_RBUF]; 2006 int r; 2007 ssize_t len; 2008 2009 if (!FD_ISSET(c->efd, readset)) 2010 return 1; 2011 2012 len = read(c->efd, buf, sizeof(buf)); 2013 debug2("channel %d: read %zd from efd %d", c->self, len, c->efd); 2014 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 2015 return 1; 2016 if (len <= 0) { 2017 debug2("channel %d: closing read-efd %d", 2018 c->self, c->efd); 2019 channel_close_fd(ssh, &c->efd); 2020 } else { 2021 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 2022 debug3("channel %d: discard efd", 2023 c->self); 2024 } else if ((r = sshbuf_put(c->extended, buf, len)) != 0) { 2025 fatal("%s: channel %d: append: %s", 2026 __func__, c->self, ssh_err(r)); 2027 } 2028 } 2029 return 1; 2030 } 2031 2032 static int 2033 channel_handle_efd(struct ssh *ssh, Channel *c, 2034 fd_set *readset, fd_set *writeset) 2035 { 2036 if (c->efd == -1) 2037 return 1; 2038 2039 /** XXX handle drain efd, too */ 2040 2041 if (c->extended_usage == CHAN_EXTENDED_WRITE) 2042 return channel_handle_efd_write(ssh, c, readset, writeset); 2043 else if (c->extended_usage == CHAN_EXTENDED_READ || 2044 c->extended_usage == CHAN_EXTENDED_IGNORE) 2045 return channel_handle_efd_read(ssh, c, readset, writeset); 2046 2047 return 1; 2048 } 2049 2050 static int 2051 channel_check_window(struct ssh *ssh, Channel *c) 2052 { 2053 int r; 2054 2055 if (c->type == SSH_CHANNEL_OPEN && 2056 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 2057 ((c->local_window_max - c->local_window > 2058 c->local_maxpacket*3) || 2059 c->local_window < c->local_window_max/2) && 2060 c->local_consumed > 0) { 2061 if (!c->have_remote_id) 2062 fatal(":%s: channel %d: no remote id", 2063 __func__, c->self); 2064 if ((r = sshpkt_start(ssh, 2065 SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || 2066 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2067 (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || 2068 (r = sshpkt_send(ssh)) != 0) { 2069 fatal("%s: channel %i: %s", __func__, 2070 c->self, ssh_err(r)); 2071 } 2072 debug2("channel %d: window %d sent adjust %d", 2073 c->self, c->local_window, 2074 c->local_consumed); 2075 c->local_window += c->local_consumed; 2076 c->local_consumed = 0; 2077 } 2078 return 1; 2079 } 2080 2081 static void 2082 channel_post_open(struct ssh *ssh, Channel *c, 2083 fd_set *readset, fd_set *writeset) 2084 { 2085 channel_handle_rfd(ssh, c, readset, writeset); 2086 channel_handle_wfd(ssh, c, readset, writeset); 2087 channel_handle_efd(ssh, c, readset, writeset); 2088 channel_check_window(ssh, c); 2089 } 2090 2091 static u_int 2092 read_mux(struct ssh *ssh, Channel *c, u_int need) 2093 { 2094 char buf[CHAN_RBUF]; 2095 ssize_t len; 2096 u_int rlen; 2097 int r; 2098 2099 if (sshbuf_len(c->input) < need) { 2100 rlen = need - sshbuf_len(c->input); 2101 len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF)); 2102 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 2103 return sshbuf_len(c->input); 2104 if (len <= 0) { 2105 debug2("channel %d: ctl read<=0 rfd %d len %zd", 2106 c->self, c->rfd, len); 2107 chan_read_failed(ssh, c); 2108 return 0; 2109 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) { 2110 fatal("%s: channel %d: append: %s", 2111 __func__, c->self, ssh_err(r)); 2112 } 2113 } 2114 return sshbuf_len(c->input); 2115 } 2116 2117 static void 2118 channel_post_mux_client_read(struct ssh *ssh, Channel *c, 2119 fd_set *readset, fd_set *writeset) 2120 { 2121 u_int need; 2122 2123 if (c->rfd == -1 || !FD_ISSET(c->rfd, readset)) 2124 return; 2125 if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN) 2126 return; 2127 if (c->mux_pause) 2128 return; 2129 2130 /* 2131 * Don't not read past the precise end of packets to 2132 * avoid disrupting fd passing. 2133 */ 2134 if (read_mux(ssh, c, 4) < 4) /* read header */ 2135 return; 2136 /* XXX sshbuf_peek_u32 */ 2137 need = PEEK_U32(sshbuf_ptr(c->input)); 2138 #define CHANNEL_MUX_MAX_PACKET (256 * 1024) 2139 if (need > CHANNEL_MUX_MAX_PACKET) { 2140 debug2("channel %d: packet too big %u > %u", 2141 c->self, CHANNEL_MUX_MAX_PACKET, need); 2142 chan_rcvd_oclose(ssh, c); 2143 return; 2144 } 2145 if (read_mux(ssh, c, need + 4) < need + 4) /* read body */ 2146 return; 2147 if (c->mux_rcb(ssh, c) != 0) { 2148 debug("channel %d: mux_rcb failed", c->self); 2149 chan_mark_dead(ssh, c); 2150 return; 2151 } 2152 } 2153 2154 static void 2155 channel_post_mux_client_write(struct ssh *ssh, Channel *c, 2156 fd_set *readset, fd_set *writeset) 2157 { 2158 ssize_t len; 2159 int r; 2160 2161 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) || 2162 sshbuf_len(c->output) == 0) 2163 return; 2164 2165 len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output)); 2166 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 2167 return; 2168 if (len <= 0) { 2169 chan_mark_dead(ssh, c); 2170 return; 2171 } 2172 if ((r = sshbuf_consume(c->output, len)) != 0) 2173 fatal("%s: channel %d: consume: %s", __func__, 2174 c->self, ssh_err(r)); 2175 } 2176 2177 static void 2178 channel_post_mux_client(struct ssh *ssh, Channel *c, 2179 fd_set *readset, fd_set *writeset) 2180 { 2181 channel_post_mux_client_read(ssh, c, readset, writeset); 2182 channel_post_mux_client_write(ssh, c, readset, writeset); 2183 } 2184 2185 static void 2186 channel_post_mux_listener(struct ssh *ssh, Channel *c, 2187 fd_set *readset, fd_set *writeset) 2188 { 2189 Channel *nc; 2190 struct sockaddr_storage addr; 2191 socklen_t addrlen; 2192 int newsock; 2193 uid_t euid; 2194 gid_t egid; 2195 2196 if (!FD_ISSET(c->sock, readset)) 2197 return; 2198 2199 debug("multiplexing control connection"); 2200 2201 /* 2202 * Accept connection on control socket 2203 */ 2204 memset(&addr, 0, sizeof(addr)); 2205 addrlen = sizeof(addr); 2206 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 2207 &addrlen)) == -1) { 2208 error("%s accept: %s", __func__, strerror(errno)); 2209 if (errno == EMFILE || errno == ENFILE) 2210 c->notbefore = monotime() + 1; 2211 return; 2212 } 2213 2214 if (getpeereid(newsock, &euid, &egid) < 0) { 2215 error("%s getpeereid failed: %s", __func__, 2216 strerror(errno)); 2217 close(newsock); 2218 return; 2219 } 2220 if ((euid != 0) && (getuid() != euid)) { 2221 error("multiplex uid mismatch: peer euid %u != uid %u", 2222 (u_int)euid, (u_int)getuid()); 2223 close(newsock); 2224 return; 2225 } 2226 nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT, 2227 newsock, newsock, -1, c->local_window_max, 2228 c->local_maxpacket, 0, "mux-control", 1); 2229 nc->mux_rcb = c->mux_rcb; 2230 debug3("%s: new mux channel %d fd %d", __func__, nc->self, nc->sock); 2231 /* establish state */ 2232 nc->mux_rcb(ssh, nc); 2233 /* mux state transitions must not elicit protocol messages */ 2234 nc->flags |= CHAN_LOCAL; 2235 } 2236 2237 static void 2238 channel_handler_init(struct ssh_channels *sc) 2239 { 2240 chan_fn **pre, **post; 2241 2242 if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL || 2243 (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL) 2244 fatal("%s: allocation failed", __func__); 2245 2246 pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2247 pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2248 pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2249 pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 2250 pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener; 2251 pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener; 2252 pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2253 pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2254 pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2255 pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2256 pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting; 2257 pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 2258 pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 2259 2260 post[SSH_CHANNEL_OPEN] = &channel_post_open; 2261 post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2262 post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 2263 post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener; 2264 post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener; 2265 post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2266 post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2267 post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2268 post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2269 post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting; 2270 post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 2271 post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 2272 2273 sc->channel_pre = pre; 2274 sc->channel_post = post; 2275 } 2276 2277 /* gc dead channels */ 2278 static void 2279 channel_garbage_collect(struct ssh *ssh, Channel *c) 2280 { 2281 if (c == NULL) 2282 return; 2283 if (c->detach_user != NULL) { 2284 if (!chan_is_dead(ssh, c, c->detach_close)) 2285 return; 2286 debug2("channel %d: gc: notify user", c->self); 2287 c->detach_user(ssh, c->self, NULL); 2288 /* if we still have a callback */ 2289 if (c->detach_user != NULL) 2290 return; 2291 debug2("channel %d: gc: user detached", c->self); 2292 } 2293 if (!chan_is_dead(ssh, c, 1)) 2294 return; 2295 debug2("channel %d: garbage collecting", c->self); 2296 channel_free(ssh, c); 2297 } 2298 2299 enum channel_table { CHAN_PRE, CHAN_POST }; 2300 2301 static void 2302 channel_handler(struct ssh *ssh, int table, 2303 fd_set *readset, fd_set *writeset, time_t *unpause_secs) 2304 { 2305 struct ssh_channels *sc = ssh->chanctxt; 2306 chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post; 2307 u_int i, oalloc; 2308 Channel *c; 2309 time_t now; 2310 2311 now = monotime(); 2312 if (unpause_secs != NULL) 2313 *unpause_secs = 0; 2314 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { 2315 c = sc->channels[i]; 2316 if (c == NULL) 2317 continue; 2318 if (c->delayed) { 2319 if (table == CHAN_PRE) 2320 c->delayed = 0; 2321 else 2322 continue; 2323 } 2324 if (ftab[c->type] != NULL) { 2325 /* 2326 * Run handlers that are not paused. 2327 */ 2328 if (c->notbefore <= now) 2329 (*ftab[c->type])(ssh, c, readset, writeset); 2330 else if (unpause_secs != NULL) { 2331 /* 2332 * Collect the time that the earliest 2333 * channel comes off pause. 2334 */ 2335 debug3("%s: chan %d: skip for %d more seconds", 2336 __func__, c->self, 2337 (int)(c->notbefore - now)); 2338 if (*unpause_secs == 0 || 2339 (c->notbefore - now) < *unpause_secs) 2340 *unpause_secs = c->notbefore - now; 2341 } 2342 } 2343 channel_garbage_collect(ssh, c); 2344 } 2345 if (unpause_secs != NULL && *unpause_secs != 0) 2346 debug3("%s: first channel unpauses in %d seconds", 2347 __func__, (int)*unpause_secs); 2348 } 2349 2350 /* 2351 * Create sockets before allocating the select bitmasks. 2352 * This is necessary for things that need to happen after reading 2353 * the network-input but before channel_prepare_select(). 2354 */ 2355 static void 2356 channel_before_prepare_select(struct ssh *ssh) 2357 { 2358 struct ssh_channels *sc = ssh->chanctxt; 2359 Channel *c; 2360 u_int i, oalloc; 2361 2362 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { 2363 c = sc->channels[i]; 2364 if (c == NULL) 2365 continue; 2366 if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN) 2367 channel_before_prepare_select_rdynamic(ssh, c); 2368 } 2369 } 2370 2371 /* 2372 * Allocate/update select bitmasks and add any bits relevant to channels in 2373 * select bitmasks. 2374 */ 2375 void 2376 channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp, 2377 int *maxfdp, u_int *nallocp, time_t *minwait_secs) 2378 { 2379 u_int n, sz, nfdset; 2380 2381 channel_before_prepare_select(ssh); /* might update channel_max_fd */ 2382 2383 n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd); 2384 2385 nfdset = howmany(n+1, NFDBITS); 2386 /* Explicitly test here, because xrealloc isn't always called */ 2387 if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask)) 2388 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2389 sz = nfdset * sizeof(fd_mask); 2390 2391 /* perhaps check sz < nalloc/2 and shrink? */ 2392 if (*readsetp == NULL || sz > *nallocp) { 2393 *readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask)); 2394 *writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask)); 2395 *nallocp = sz; 2396 } 2397 *maxfdp = n; 2398 memset(*readsetp, 0, sz); 2399 memset(*writesetp, 0, sz); 2400 2401 if (!ssh_packet_is_rekeying(ssh)) 2402 channel_handler(ssh, CHAN_PRE, *readsetp, *writesetp, 2403 minwait_secs); 2404 } 2405 2406 /* 2407 * After select, perform any appropriate operations for channels which have 2408 * events pending. 2409 */ 2410 void 2411 channel_after_select(struct ssh *ssh, fd_set *readset, fd_set *writeset) 2412 { 2413 channel_handler(ssh, CHAN_POST, readset, writeset, NULL); 2414 } 2415 2416 /* 2417 * Enqueue data for channels with open or draining c->input. 2418 */ 2419 static void 2420 channel_output_poll_input_open(struct ssh *ssh, Channel *c) 2421 { 2422 size_t len, plen; 2423 const u_char *pkt; 2424 int r; 2425 2426 if ((len = sshbuf_len(c->input)) == 0) { 2427 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2428 /* 2429 * input-buffer is empty and read-socket shutdown: 2430 * tell peer, that we will not send more data: 2431 * send IEOF. 2432 * hack for extended data: delay EOF if EFD still 2433 * in use. 2434 */ 2435 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2436 debug2("channel %d: " 2437 "ibuf_empty delayed efd %d/(%zu)", 2438 c->self, c->efd, sshbuf_len(c->extended)); 2439 else 2440 chan_ibuf_empty(ssh, c); 2441 } 2442 return; 2443 } 2444 2445 if (!c->have_remote_id) 2446 fatal(":%s: channel %d: no remote id", __func__, c->self); 2447 2448 if (c->datagram) { 2449 /* Check datagram will fit; drop if not */ 2450 if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0) 2451 fatal("%s: channel %d: get datagram: %s", __func__, 2452 c->self, ssh_err(r)); 2453 /* 2454 * XXX this does tail-drop on the datagram queue which is 2455 * usually suboptimal compared to head-drop. Better to have 2456 * backpressure at read time? (i.e. read + discard) 2457 */ 2458 if (plen > c->remote_window || plen > c->remote_maxpacket) { 2459 debug("channel %d: datagram too big", c->self); 2460 return; 2461 } 2462 /* Enqueue it */ 2463 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 2464 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2465 (r = sshpkt_put_string(ssh, pkt, plen)) != 0 || 2466 (r = sshpkt_send(ssh)) != 0) { 2467 fatal("%s: channel %i: datagram: %s", __func__, 2468 c->self, ssh_err(r)); 2469 } 2470 c->remote_window -= plen; 2471 return; 2472 } 2473 2474 /* Enqueue packet for buffered data. */ 2475 if (len > c->remote_window) 2476 len = c->remote_window; 2477 if (len > c->remote_maxpacket) 2478 len = c->remote_maxpacket; 2479 if (len == 0) 2480 return; 2481 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 2482 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2483 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 || 2484 (r = sshpkt_send(ssh)) != 0) { 2485 fatal("%s: channel %i: data: %s", __func__, 2486 c->self, ssh_err(r)); 2487 } 2488 if ((r = sshbuf_consume(c->input, len)) != 0) 2489 fatal("%s: channel %i: consume: %s", __func__, 2490 c->self, ssh_err(r)); 2491 c->remote_window -= len; 2492 } 2493 2494 /* 2495 * Enqueue data for channels with open c->extended in read mode. 2496 */ 2497 static void 2498 channel_output_poll_extended_read(struct ssh *ssh, Channel *c) 2499 { 2500 size_t len; 2501 int r; 2502 2503 if ((len = sshbuf_len(c->extended)) == 0) 2504 return; 2505 2506 debug2("channel %d: rwin %u elen %zu euse %d", c->self, 2507 c->remote_window, sshbuf_len(c->extended), c->extended_usage); 2508 if (len > c->remote_window) 2509 len = c->remote_window; 2510 if (len > c->remote_maxpacket) 2511 len = c->remote_maxpacket; 2512 if (len == 0) 2513 return; 2514 if (!c->have_remote_id) 2515 fatal(":%s: channel %d: no remote id", __func__, c->self); 2516 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 || 2517 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2518 (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 || 2519 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 || 2520 (r = sshpkt_send(ssh)) != 0) { 2521 fatal("%s: channel %i: data: %s", __func__, 2522 c->self, ssh_err(r)); 2523 } 2524 if ((r = sshbuf_consume(c->extended, len)) != 0) 2525 fatal("%s: channel %i: consume: %s", __func__, 2526 c->self, ssh_err(r)); 2527 c->remote_window -= len; 2528 debug2("channel %d: sent ext data %zu", c->self, len); 2529 } 2530 2531 /* If there is data to send to the connection, enqueue some of it now. */ 2532 void 2533 channel_output_poll(struct ssh *ssh) 2534 { 2535 struct ssh_channels *sc = ssh->chanctxt; 2536 Channel *c; 2537 u_int i; 2538 2539 for (i = 0; i < sc->channels_alloc; i++) { 2540 c = sc->channels[i]; 2541 if (c == NULL) 2542 continue; 2543 2544 /* 2545 * We are only interested in channels that can have buffered 2546 * incoming data. 2547 */ 2548 if (c->type != SSH_CHANNEL_OPEN) 2549 continue; 2550 if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2551 /* XXX is this true? */ 2552 debug3("channel %d: will not send data after close", 2553 c->self); 2554 continue; 2555 } 2556 2557 /* Get the amount of buffered data for this channel. */ 2558 if (c->istate == CHAN_INPUT_OPEN || 2559 c->istate == CHAN_INPUT_WAIT_DRAIN) 2560 channel_output_poll_input_open(ssh, c); 2561 /* Send extended data, i.e. stderr */ 2562 if (!(c->flags & CHAN_EOF_SENT) && 2563 c->extended_usage == CHAN_EXTENDED_READ) 2564 channel_output_poll_extended_read(ssh, c); 2565 } 2566 } 2567 2568 /* -- mux proxy support */ 2569 2570 /* 2571 * When multiplexing channel messages for mux clients we have to deal 2572 * with downstream messages from the mux client and upstream messages 2573 * from the ssh server: 2574 * 1) Handling downstream messages is straightforward and happens 2575 * in channel_proxy_downstream(): 2576 * - We forward all messages (mostly) unmodified to the server. 2577 * - However, in order to route messages from upstream to the correct 2578 * downstream client, we have to replace the channel IDs used by the 2579 * mux clients with a unique channel ID because the mux clients might 2580 * use conflicting channel IDs. 2581 * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and 2582 * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local 2583 * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID 2584 * with the newly allocated channel ID. 2585 * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY 2586 * channels and procesed by channel_proxy_upstream(). The local channel ID 2587 * is then translated back to the original mux client ID. 2588 * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE 2589 * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels. 2590 * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the 2591 * downstream mux client are removed. 2592 * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server 2593 * requires more work, because they are not addressed to a specific 2594 * channel. E.g. client_request_forwarded_tcpip() needs to figure 2595 * out whether the request is addressed to the local client or a 2596 * specific downstream client based on the listen-address/port. 2597 * 6) Agent and X11-Forwarding have a similar problem and are currenly 2598 * not supported as the matching session/channel cannot be identified 2599 * easily. 2600 */ 2601 2602 /* 2603 * receive packets from downstream mux clients: 2604 * channel callback fired on read from mux client, creates 2605 * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs 2606 * on channel creation. 2607 */ 2608 int 2609 channel_proxy_downstream(struct ssh *ssh, Channel *downstream) 2610 { 2611 Channel *c = NULL; 2612 struct sshbuf *original = NULL, *modified = NULL; 2613 const u_char *cp; 2614 char *ctype = NULL, *listen_host = NULL; 2615 u_char type; 2616 size_t have; 2617 int ret = -1, r; 2618 u_int id, remote_id, listen_port; 2619 2620 /* sshbuf_dump(downstream->input, stderr); */ 2621 if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have)) 2622 != 0) { 2623 error("%s: malformed message: %s", __func__, ssh_err(r)); 2624 return -1; 2625 } 2626 if (have < 2) { 2627 error("%s: short message", __func__); 2628 return -1; 2629 } 2630 type = cp[1]; 2631 /* skip padlen + type */ 2632 cp += 2; 2633 have -= 2; 2634 if (ssh_packet_log_type(type)) 2635 debug3("%s: channel %u: down->up: type %u", __func__, 2636 downstream->self, type); 2637 2638 switch (type) { 2639 case SSH2_MSG_CHANNEL_OPEN: 2640 if ((original = sshbuf_from(cp, have)) == NULL || 2641 (modified = sshbuf_new()) == NULL) { 2642 error("%s: alloc", __func__); 2643 goto out; 2644 } 2645 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 || 2646 (r = sshbuf_get_u32(original, &id)) != 0) { 2647 error("%s: parse error %s", __func__, ssh_err(r)); 2648 goto out; 2649 } 2650 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY, 2651 -1, -1, -1, 0, 0, 0, ctype, 1); 2652 c->mux_ctx = downstream; /* point to mux client */ 2653 c->mux_downstream_id = id; /* original downstream id */ 2654 if ((r = sshbuf_put_cstring(modified, ctype)) != 0 || 2655 (r = sshbuf_put_u32(modified, c->self)) != 0 || 2656 (r = sshbuf_putb(modified, original)) != 0) { 2657 error("%s: compose error %s", __func__, ssh_err(r)); 2658 channel_free(ssh, c); 2659 goto out; 2660 } 2661 break; 2662 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2663 /* 2664 * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we 2665 * need to parse 'remote_id' instead of 'ctype'. 2666 */ 2667 if ((original = sshbuf_from(cp, have)) == NULL || 2668 (modified = sshbuf_new()) == NULL) { 2669 error("%s: alloc", __func__); 2670 goto out; 2671 } 2672 if ((r = sshbuf_get_u32(original, &remote_id)) != 0 || 2673 (r = sshbuf_get_u32(original, &id)) != 0) { 2674 error("%s: parse error %s", __func__, ssh_err(r)); 2675 goto out; 2676 } 2677 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY, 2678 -1, -1, -1, 0, 0, 0, "mux-down-connect", 1); 2679 c->mux_ctx = downstream; /* point to mux client */ 2680 c->mux_downstream_id = id; 2681 c->remote_id = remote_id; 2682 c->have_remote_id = 1; 2683 if ((r = sshbuf_put_u32(modified, remote_id)) != 0 || 2684 (r = sshbuf_put_u32(modified, c->self)) != 0 || 2685 (r = sshbuf_putb(modified, original)) != 0) { 2686 error("%s: compose error %s", __func__, ssh_err(r)); 2687 channel_free(ssh, c); 2688 goto out; 2689 } 2690 break; 2691 case SSH2_MSG_GLOBAL_REQUEST: 2692 if ((original = sshbuf_from(cp, have)) == NULL) { 2693 error("%s: alloc", __func__); 2694 goto out; 2695 } 2696 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) { 2697 error("%s: parse error %s", __func__, ssh_err(r)); 2698 goto out; 2699 } 2700 if (strcmp(ctype, "tcpip-forward") != 0) { 2701 error("%s: unsupported request %s", __func__, ctype); 2702 goto out; 2703 } 2704 if ((r = sshbuf_get_u8(original, NULL)) != 0 || 2705 (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 || 2706 (r = sshbuf_get_u32(original, &listen_port)) != 0) { 2707 error("%s: parse error %s", __func__, ssh_err(r)); 2708 goto out; 2709 } 2710 if (listen_port > 65535) { 2711 error("%s: tcpip-forward for %s: bad port %u", 2712 __func__, listen_host, listen_port); 2713 goto out; 2714 } 2715 /* Record that connection to this host/port is permitted. */ 2716 fwd_perm_list_add(ssh, FWDPERM_USER, "<mux>", -1, 2717 listen_host, NULL, (int)listen_port, downstream); 2718 listen_host = NULL; 2719 break; 2720 case SSH2_MSG_CHANNEL_CLOSE: 2721 if (have < 4) 2722 break; 2723 remote_id = PEEK_U32(cp); 2724 if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) { 2725 if (c->flags & CHAN_CLOSE_RCVD) 2726 channel_free(ssh, c); 2727 else 2728 c->flags |= CHAN_CLOSE_SENT; 2729 } 2730 break; 2731 } 2732 if (modified) { 2733 if ((r = sshpkt_start(ssh, type)) != 0 || 2734 (r = sshpkt_putb(ssh, modified)) != 0 || 2735 (r = sshpkt_send(ssh)) != 0) { 2736 error("%s: send %s", __func__, ssh_err(r)); 2737 goto out; 2738 } 2739 } else { 2740 if ((r = sshpkt_start(ssh, type)) != 0 || 2741 (r = sshpkt_put(ssh, cp, have)) != 0 || 2742 (r = sshpkt_send(ssh)) != 0) { 2743 error("%s: send %s", __func__, ssh_err(r)); 2744 goto out; 2745 } 2746 } 2747 ret = 0; 2748 out: 2749 free(ctype); 2750 free(listen_host); 2751 sshbuf_free(original); 2752 sshbuf_free(modified); 2753 return ret; 2754 } 2755 2756 /* 2757 * receive packets from upstream server and de-multiplex packets 2758 * to correct downstream: 2759 * implemented as a helper for channel input handlers, 2760 * replaces local (proxy) channel ID with downstream channel ID. 2761 */ 2762 int 2763 channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh) 2764 { 2765 struct sshbuf *b = NULL; 2766 Channel *downstream; 2767 const u_char *cp = NULL; 2768 size_t len; 2769 int r; 2770 2771 /* 2772 * When receiving packets from the peer we need to check whether we 2773 * need to forward the packets to the mux client. In this case we 2774 * restore the orignal channel id and keep track of CLOSE messages, 2775 * so we can cleanup the channel. 2776 */ 2777 if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY) 2778 return 0; 2779 if ((downstream = c->mux_ctx) == NULL) 2780 return 0; 2781 switch (type) { 2782 case SSH2_MSG_CHANNEL_CLOSE: 2783 case SSH2_MSG_CHANNEL_DATA: 2784 case SSH2_MSG_CHANNEL_EOF: 2785 case SSH2_MSG_CHANNEL_EXTENDED_DATA: 2786 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2787 case SSH2_MSG_CHANNEL_OPEN_FAILURE: 2788 case SSH2_MSG_CHANNEL_WINDOW_ADJUST: 2789 case SSH2_MSG_CHANNEL_SUCCESS: 2790 case SSH2_MSG_CHANNEL_FAILURE: 2791 case SSH2_MSG_CHANNEL_REQUEST: 2792 break; 2793 default: 2794 debug2("%s: channel %u: unsupported type %u", __func__, 2795 c->self, type); 2796 return 0; 2797 } 2798 if ((b = sshbuf_new()) == NULL) { 2799 error("%s: alloc reply", __func__); 2800 goto out; 2801 } 2802 /* get remaining payload (after id) */ 2803 cp = sshpkt_ptr(ssh, &len); 2804 if (cp == NULL) { 2805 error("%s: no packet", __func__); 2806 goto out; 2807 } 2808 /* translate id and send to muxclient */ 2809 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */ 2810 (r = sshbuf_put_u8(b, type)) != 0 || 2811 (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 || 2812 (r = sshbuf_put(b, cp, len)) != 0 || 2813 (r = sshbuf_put_stringb(downstream->output, b)) != 0) { 2814 error("%s: compose for muxclient %s", __func__, ssh_err(r)); 2815 goto out; 2816 } 2817 /* sshbuf_dump(b, stderr); */ 2818 if (ssh_packet_log_type(type)) 2819 debug3("%s: channel %u: up->down: type %u", __func__, c->self, 2820 type); 2821 out: 2822 /* update state */ 2823 switch (type) { 2824 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2825 /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */ 2826 if (cp && len > 4) { 2827 c->remote_id = PEEK_U32(cp); 2828 c->have_remote_id = 1; 2829 } 2830 break; 2831 case SSH2_MSG_CHANNEL_CLOSE: 2832 if (c->flags & CHAN_CLOSE_SENT) 2833 channel_free(ssh, c); 2834 else 2835 c->flags |= CHAN_CLOSE_RCVD; 2836 break; 2837 } 2838 sshbuf_free(b); 2839 return 1; 2840 } 2841 2842 /* -- protocol input */ 2843 2844 /* Parse a channel ID from the current packet */ 2845 static int 2846 channel_parse_id(struct ssh *ssh, const char *where, const char *what) 2847 { 2848 u_int32_t id; 2849 int r; 2850 2851 if ((r = sshpkt_get_u32(ssh, &id)) != 0) { 2852 error("%s: parse id: %s", where, ssh_err(r)); 2853 ssh_packet_disconnect(ssh, "Invalid %s message", what); 2854 } 2855 if (id > INT_MAX) { 2856 error("%s: bad channel id %u: %s", where, id, ssh_err(r)); 2857 ssh_packet_disconnect(ssh, "Invalid %s channel id", what); 2858 } 2859 return (int)id; 2860 } 2861 2862 /* Lookup a channel from an ID in the current packet */ 2863 static Channel * 2864 channel_from_packet_id(struct ssh *ssh, const char *where, const char *what) 2865 { 2866 int id = channel_parse_id(ssh, where, what); 2867 Channel *c; 2868 2869 if ((c = channel_lookup(ssh, id)) == NULL) { 2870 ssh_packet_disconnect(ssh, 2871 "%s packet referred to nonexistent channel %d", what, id); 2872 } 2873 return c; 2874 } 2875 2876 int 2877 channel_input_data(int type, u_int32_t seq, struct ssh *ssh) 2878 { 2879 const u_char *data; 2880 size_t data_len, win_len; 2881 Channel *c = channel_from_packet_id(ssh, __func__, "data"); 2882 int r; 2883 2884 if (channel_proxy_upstream(c, type, seq, ssh)) 2885 return 0; 2886 2887 /* Ignore any data for non-open channels (might happen on close) */ 2888 if (c->type != SSH_CHANNEL_OPEN && 2889 c->type != SSH_CHANNEL_RDYNAMIC_OPEN && 2890 c->type != SSH_CHANNEL_RDYNAMIC_FINISH && 2891 c->type != SSH_CHANNEL_X11_OPEN) 2892 return 0; 2893 2894 /* Get the data. */ 2895 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0) 2896 fatal("%s: channel %d: get data: %s", __func__, 2897 c->self, ssh_err(r)); 2898 ssh_packet_check_eom(ssh); 2899 2900 win_len = data_len; 2901 if (c->datagram) 2902 win_len += 4; /* string length header */ 2903 2904 /* 2905 * The sending side reduces its window as it sends data, so we 2906 * must 'fake' consumption of the data in order to ensure that window 2907 * updates are sent back. Otherwise the connection might deadlock. 2908 */ 2909 if (c->ostate != CHAN_OUTPUT_OPEN) { 2910 c->local_window -= win_len; 2911 c->local_consumed += win_len; 2912 return 0; 2913 } 2914 2915 if (win_len > c->local_maxpacket) { 2916 logit("channel %d: rcvd big packet %zu, maxpack %u", 2917 c->self, win_len, c->local_maxpacket); 2918 return 0; 2919 } 2920 if (win_len > c->local_window) { 2921 logit("channel %d: rcvd too much data %zu, win %u", 2922 c->self, win_len, c->local_window); 2923 return 0; 2924 } 2925 c->local_window -= win_len; 2926 2927 if (c->datagram) { 2928 if ((r = sshbuf_put_string(c->output, data, data_len)) != 0) 2929 fatal("%s: channel %d: append datagram: %s", 2930 __func__, c->self, ssh_err(r)); 2931 } else if ((r = sshbuf_put(c->output, data, data_len)) != 0) 2932 fatal("%s: channel %d: append data: %s", 2933 __func__, c->self, ssh_err(r)); 2934 2935 return 0; 2936 } 2937 2938 int 2939 channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh) 2940 { 2941 const u_char *data; 2942 size_t data_len; 2943 u_int32_t tcode; 2944 Channel *c = channel_from_packet_id(ssh, __func__, "extended data"); 2945 int r; 2946 2947 if (channel_proxy_upstream(c, type, seq, ssh)) 2948 return 0; 2949 if (c->type != SSH_CHANNEL_OPEN) { 2950 logit("channel %d: ext data for non open", c->self); 2951 return 0; 2952 } 2953 if (c->flags & CHAN_EOF_RCVD) { 2954 if (datafellows & SSH_BUG_EXTEOF) 2955 debug("channel %d: accepting ext data after eof", 2956 c->self); 2957 else 2958 ssh_packet_disconnect(ssh, "Received extended_data " 2959 "after EOF on channel %d.", c->self); 2960 } 2961 2962 if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) { 2963 error("%s: parse tcode: %s", __func__, ssh_err(r)); 2964 ssh_packet_disconnect(ssh, "Invalid extended_data message"); 2965 } 2966 if (c->efd == -1 || 2967 c->extended_usage != CHAN_EXTENDED_WRITE || 2968 tcode != SSH2_EXTENDED_DATA_STDERR) { 2969 logit("channel %d: bad ext data", c->self); 2970 return 0; 2971 } 2972 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0) { 2973 error("%s: parse data: %s", __func__, ssh_err(r)); 2974 ssh_packet_disconnect(ssh, "Invalid extended_data message"); 2975 } 2976 ssh_packet_check_eom(ssh); 2977 2978 if (data_len > c->local_window) { 2979 logit("channel %d: rcvd too much extended_data %zu, win %u", 2980 c->self, data_len, c->local_window); 2981 return 0; 2982 } 2983 debug2("channel %d: rcvd ext data %zu", c->self, data_len); 2984 /* XXX sshpkt_getb? */ 2985 if ((r = sshbuf_put(c->extended, data, data_len)) != 0) 2986 error("%s: append: %s", __func__, ssh_err(r)); 2987 c->local_window -= data_len; 2988 return 0; 2989 } 2990 2991 int 2992 channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh) 2993 { 2994 Channel *c = channel_from_packet_id(ssh, __func__, "ieof"); 2995 2996 ssh_packet_check_eom(ssh); 2997 2998 if (channel_proxy_upstream(c, type, seq, ssh)) 2999 return 0; 3000 chan_rcvd_ieof(ssh, c); 3001 3002 /* XXX force input close */ 3003 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 3004 debug("channel %d: FORCE input drain", c->self); 3005 c->istate = CHAN_INPUT_WAIT_DRAIN; 3006 if (sshbuf_len(c->input) == 0) 3007 chan_ibuf_empty(ssh, c); 3008 } 3009 return 0; 3010 } 3011 3012 int 3013 channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh) 3014 { 3015 Channel *c = channel_from_packet_id(ssh, __func__, "oclose"); 3016 3017 if (channel_proxy_upstream(c, type, seq, ssh)) 3018 return 0; 3019 ssh_packet_check_eom(ssh); 3020 chan_rcvd_oclose(ssh, c); 3021 return 0; 3022 } 3023 3024 int 3025 channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh) 3026 { 3027 Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation"); 3028 u_int32_t remote_window, remote_maxpacket; 3029 int r; 3030 3031 if (channel_proxy_upstream(c, type, seq, ssh)) 3032 return 0; 3033 if (c->type != SSH_CHANNEL_OPENING) 3034 packet_disconnect("Received open confirmation for " 3035 "non-opening channel %d.", c->self); 3036 /* 3037 * Record the remote channel number and mark that the channel 3038 * is now open. 3039 */ 3040 if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 || 3041 (r = sshpkt_get_u32(ssh, &remote_window)) != 0 || 3042 (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0) { 3043 error("%s: window/maxpacket: %s", __func__, ssh_err(r)); 3044 packet_disconnect("Invalid open confirmation message"); 3045 } 3046 ssh_packet_check_eom(ssh); 3047 3048 c->have_remote_id = 1; 3049 c->remote_window = remote_window; 3050 c->remote_maxpacket = remote_maxpacket; 3051 c->type = SSH_CHANNEL_OPEN; 3052 if (c->open_confirm) { 3053 debug2("%s: channel %d: callback start", __func__, c->self); 3054 c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx); 3055 debug2("%s: channel %d: callback done", __func__, c->self); 3056 } 3057 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 3058 c->remote_window, c->remote_maxpacket); 3059 return 0; 3060 } 3061 3062 static char * 3063 reason2txt(int reason) 3064 { 3065 switch (reason) { 3066 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 3067 return "administratively prohibited"; 3068 case SSH2_OPEN_CONNECT_FAILED: 3069 return "connect failed"; 3070 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 3071 return "unknown channel type"; 3072 case SSH2_OPEN_RESOURCE_SHORTAGE: 3073 return "resource shortage"; 3074 } 3075 return "unknown reason"; 3076 } 3077 3078 int 3079 channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh) 3080 { 3081 Channel *c = channel_from_packet_id(ssh, __func__, "open failure"); 3082 u_int32_t reason; 3083 char *msg = NULL; 3084 int r; 3085 3086 if (channel_proxy_upstream(c, type, seq, ssh)) 3087 return 0; 3088 if (c->type != SSH_CHANNEL_OPENING) 3089 packet_disconnect("Received open failure for " 3090 "non-opening channel %d.", c->self); 3091 if ((r = sshpkt_get_u32(ssh, &reason)) != 0) { 3092 error("%s: reason: %s", __func__, ssh_err(r)); 3093 packet_disconnect("Invalid open failure message"); 3094 } 3095 if ((datafellows & SSH_BUG_OPENFAILURE) == 0) { 3096 /* skip language */ 3097 if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 || 3098 (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0) { 3099 error("%s: message/lang: %s", __func__, ssh_err(r)); 3100 packet_disconnect("Invalid open failure message"); 3101 } 3102 } 3103 ssh_packet_check_eom(ssh); 3104 logit("channel %d: open failed: %s%s%s", c->self, 3105 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 3106 free(msg); 3107 if (c->open_confirm) { 3108 debug2("%s: channel %d: callback start", __func__, c->self); 3109 c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx); 3110 debug2("%s: channel %d: callback done", __func__, c->self); 3111 } 3112 /* Schedule the channel for cleanup/deletion. */ 3113 chan_mark_dead(ssh, c); 3114 return 0; 3115 } 3116 3117 int 3118 channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh) 3119 { 3120 int id = channel_parse_id(ssh, __func__, "window adjust"); 3121 Channel *c; 3122 u_int32_t adjust; 3123 u_int new_rwin; 3124 int r; 3125 3126 if ((c = channel_lookup(ssh, id)) == NULL) { 3127 logit("Received window adjust for non-open channel %d.", id); 3128 return 0; 3129 } 3130 3131 if (channel_proxy_upstream(c, type, seq, ssh)) 3132 return 0; 3133 if ((r = sshpkt_get_u32(ssh, &adjust)) != 0) { 3134 error("%s: adjust: %s", __func__, ssh_err(r)); 3135 packet_disconnect("Invalid window adjust message"); 3136 } 3137 ssh_packet_check_eom(ssh); 3138 debug2("channel %d: rcvd adjust %u", c->self, adjust); 3139 if ((new_rwin = c->remote_window + adjust) < c->remote_window) { 3140 fatal("channel %d: adjust %u overflows remote window %u", 3141 c->self, adjust, c->remote_window); 3142 } 3143 c->remote_window = new_rwin; 3144 return 0; 3145 } 3146 3147 int 3148 channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh) 3149 { 3150 int id = channel_parse_id(ssh, __func__, "status confirm"); 3151 Channel *c; 3152 struct channel_confirm *cc; 3153 3154 /* Reset keepalive timeout */ 3155 packet_set_alive_timeouts(0); 3156 3157 debug2("%s: type %d id %d", __func__, type, id); 3158 3159 if ((c = channel_lookup(ssh, id)) == NULL) { 3160 logit("%s: %d: unknown", __func__, id); 3161 return 0; 3162 } 3163 if (channel_proxy_upstream(c, type, seq, ssh)) 3164 return 0; 3165 ssh_packet_check_eom(ssh); 3166 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 3167 return 0; 3168 cc->cb(ssh, type, c, cc->ctx); 3169 TAILQ_REMOVE(&c->status_confirms, cc, entry); 3170 explicit_bzero(cc, sizeof(*cc)); 3171 free(cc); 3172 return 0; 3173 } 3174 3175 /* -- tcp forwarding */ 3176 3177 void 3178 channel_set_af(struct ssh *ssh, int af) 3179 { 3180 ssh->chanctxt->IPv4or6 = af; 3181 } 3182 3183 3184 /* 3185 * Determine whether or not a port forward listens to loopback, the 3186 * specified address or wildcard. On the client, a specified bind 3187 * address will always override gateway_ports. On the server, a 3188 * gateway_ports of 1 (``yes'') will override the client's specification 3189 * and force a wildcard bind, whereas a value of 2 (``clientspecified'') 3190 * will bind to whatever address the client asked for. 3191 * 3192 * Special-case listen_addrs are: 3193 * 3194 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 3195 * "" (empty string), "*" -> wildcard v4/v6 3196 * "localhost" -> loopback v4/v6 3197 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set 3198 */ 3199 static const char * 3200 channel_fwd_bind_addr(const char *listen_addr, int *wildcardp, 3201 int is_client, struct ForwardOptions *fwd_opts) 3202 { 3203 const char *addr = NULL; 3204 int wildcard = 0; 3205 3206 if (listen_addr == NULL) { 3207 /* No address specified: default to gateway_ports setting */ 3208 if (fwd_opts->gateway_ports) 3209 wildcard = 1; 3210 } else if (fwd_opts->gateway_ports || is_client) { 3211 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 3212 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 3213 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 3214 (!is_client && fwd_opts->gateway_ports == 1)) { 3215 wildcard = 1; 3216 /* 3217 * Notify client if they requested a specific listen 3218 * address and it was overridden. 3219 */ 3220 if (*listen_addr != '\0' && 3221 strcmp(listen_addr, "0.0.0.0") != 0 && 3222 strcmp(listen_addr, "*") != 0) { 3223 packet_send_debug("Forwarding listen address " 3224 "\"%s\" overridden by server " 3225 "GatewayPorts", listen_addr); 3226 } 3227 } else if (strcmp(listen_addr, "localhost") != 0 || 3228 strcmp(listen_addr, "127.0.0.1") == 0 || 3229 strcmp(listen_addr, "::1") == 0) { 3230 /* Accept localhost address when GatewayPorts=yes */ 3231 addr = listen_addr; 3232 } 3233 } else if (strcmp(listen_addr, "127.0.0.1") == 0 || 3234 strcmp(listen_addr, "::1") == 0) { 3235 /* 3236 * If a specific IPv4/IPv6 localhost address has been 3237 * requested then accept it even if gateway_ports is in 3238 * effect. This allows the client to prefer IPv4 or IPv6. 3239 */ 3240 addr = listen_addr; 3241 } 3242 if (wildcardp != NULL) 3243 *wildcardp = wildcard; 3244 return addr; 3245 } 3246 3247 static int 3248 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, 3249 struct Forward *fwd, int *allocated_listen_port, 3250 struct ForwardOptions *fwd_opts) 3251 { 3252 Channel *c; 3253 int sock, r, success = 0, wildcard = 0, is_client; 3254 struct addrinfo hints, *ai, *aitop; 3255 const char *host, *addr; 3256 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 3257 in_port_t *lport_p; 3258 3259 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 3260 3261 if (is_client && fwd->connect_path != NULL) { 3262 host = fwd->connect_path; 3263 } else { 3264 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 3265 fwd->listen_host : fwd->connect_host; 3266 if (host == NULL) { 3267 error("No forward host name."); 3268 return 0; 3269 } 3270 if (strlen(host) >= NI_MAXHOST) { 3271 error("Forward host name too long."); 3272 return 0; 3273 } 3274 } 3275 3276 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ 3277 addr = channel_fwd_bind_addr(fwd->listen_host, &wildcard, 3278 is_client, fwd_opts); 3279 debug3("%s: type %d wildcard %d addr %s", __func__, 3280 type, wildcard, (addr == NULL) ? "NULL" : addr); 3281 3282 /* 3283 * getaddrinfo returns a loopback address if the hostname is 3284 * set to NULL and hints.ai_flags is not AI_PASSIVE 3285 */ 3286 memset(&hints, 0, sizeof(hints)); 3287 hints.ai_family = ssh->chanctxt->IPv4or6; 3288 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 3289 hints.ai_socktype = SOCK_STREAM; 3290 snprintf(strport, sizeof strport, "%d", fwd->listen_port); 3291 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 3292 if (addr == NULL) { 3293 /* This really shouldn't happen */ 3294 packet_disconnect("getaddrinfo: fatal error: %s", 3295 ssh_gai_strerror(r)); 3296 } else { 3297 error("%s: getaddrinfo(%.64s): %s", __func__, addr, 3298 ssh_gai_strerror(r)); 3299 } 3300 return 0; 3301 } 3302 if (allocated_listen_port != NULL) 3303 *allocated_listen_port = 0; 3304 for (ai = aitop; ai; ai = ai->ai_next) { 3305 switch (ai->ai_family) { 3306 case AF_INET: 3307 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 3308 sin_port; 3309 break; 3310 case AF_INET6: 3311 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 3312 sin6_port; 3313 break; 3314 default: 3315 continue; 3316 } 3317 /* 3318 * If allocating a port for -R forwards, then use the 3319 * same port for all address families. 3320 */ 3321 if (type == SSH_CHANNEL_RPORT_LISTENER && 3322 fwd->listen_port == 0 && allocated_listen_port != NULL && 3323 *allocated_listen_port > 0) 3324 *lport_p = htons(*allocated_listen_port); 3325 3326 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 3327 strport, sizeof(strport), 3328 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3329 error("%s: getnameinfo failed", __func__); 3330 continue; 3331 } 3332 /* Create a port to listen for the host. */ 3333 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3334 if (sock < 0) { 3335 /* this is no error since kernel may not support ipv6 */ 3336 verbose("socket: %.100s", strerror(errno)); 3337 continue; 3338 } 3339 3340 channel_set_reuseaddr(sock); 3341 3342 debug("Local forwarding listening on %s port %s.", 3343 ntop, strport); 3344 3345 /* Bind the socket to the address. */ 3346 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3347 /* 3348 * address can be in if use ipv6 address is 3349 * already bound 3350 */ 3351 verbose("bind: %.100s", strerror(errno)); 3352 close(sock); 3353 continue; 3354 } 3355 /* Start listening for connections on the socket. */ 3356 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3357 error("listen: %.100s", strerror(errno)); 3358 close(sock); 3359 continue; 3360 } 3361 3362 /* 3363 * fwd->listen_port == 0 requests a dynamically allocated port - 3364 * record what we got. 3365 */ 3366 if (type == SSH_CHANNEL_RPORT_LISTENER && 3367 fwd->listen_port == 0 && 3368 allocated_listen_port != NULL && 3369 *allocated_listen_port == 0) { 3370 *allocated_listen_port = get_local_port(sock); 3371 debug("Allocated listen port %d", 3372 *allocated_listen_port); 3373 } 3374 3375 /* Allocate a channel number for the socket. */ 3376 c = channel_new(ssh, "port listener", type, sock, sock, -1, 3377 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 3378 0, "port listener", 1); 3379 c->path = xstrdup(host); 3380 c->host_port = fwd->connect_port; 3381 c->listening_addr = addr == NULL ? NULL : xstrdup(addr); 3382 if (fwd->listen_port == 0 && allocated_listen_port != NULL && 3383 !(datafellows & SSH_BUG_DYNAMIC_RPORT)) 3384 c->listening_port = *allocated_listen_port; 3385 else 3386 c->listening_port = fwd->listen_port; 3387 success = 1; 3388 } 3389 if (success == 0) 3390 error("%s: cannot listen to port: %d", __func__, 3391 fwd->listen_port); 3392 freeaddrinfo(aitop); 3393 return success; 3394 } 3395 3396 static int 3397 channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type, 3398 struct Forward *fwd, struct ForwardOptions *fwd_opts) 3399 { 3400 struct sockaddr_un sunaddr; 3401 const char *path; 3402 Channel *c; 3403 int port, sock; 3404 mode_t omask; 3405 3406 switch (type) { 3407 case SSH_CHANNEL_UNIX_LISTENER: 3408 if (fwd->connect_path != NULL) { 3409 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) { 3410 error("Local connecting path too long: %s", 3411 fwd->connect_path); 3412 return 0; 3413 } 3414 path = fwd->connect_path; 3415 port = PORT_STREAMLOCAL; 3416 } else { 3417 if (fwd->connect_host == NULL) { 3418 error("No forward host name."); 3419 return 0; 3420 } 3421 if (strlen(fwd->connect_host) >= NI_MAXHOST) { 3422 error("Forward host name too long."); 3423 return 0; 3424 } 3425 path = fwd->connect_host; 3426 port = fwd->connect_port; 3427 } 3428 break; 3429 case SSH_CHANNEL_RUNIX_LISTENER: 3430 path = fwd->listen_path; 3431 port = PORT_STREAMLOCAL; 3432 break; 3433 default: 3434 error("%s: unexpected channel type %d", __func__, type); 3435 return 0; 3436 } 3437 3438 if (fwd->listen_path == NULL) { 3439 error("No forward path name."); 3440 return 0; 3441 } 3442 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) { 3443 error("Local listening path too long: %s", fwd->listen_path); 3444 return 0; 3445 } 3446 3447 debug3("%s: type %d path %s", __func__, type, fwd->listen_path); 3448 3449 /* Start a Unix domain listener. */ 3450 omask = umask(fwd_opts->streamlocal_bind_mask); 3451 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG, 3452 fwd_opts->streamlocal_bind_unlink); 3453 umask(omask); 3454 if (sock < 0) 3455 return 0; 3456 3457 debug("Local forwarding listening on path %s.", fwd->listen_path); 3458 3459 /* Allocate a channel number for the socket. */ 3460 c = channel_new(ssh, "unix listener", type, sock, sock, -1, 3461 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 3462 0, "unix listener", 1); 3463 c->path = xstrdup(path); 3464 c->host_port = port; 3465 c->listening_port = PORT_STREAMLOCAL; 3466 c->listening_addr = xstrdup(fwd->listen_path); 3467 return 1; 3468 } 3469 3470 static int 3471 channel_cancel_rport_listener_tcpip(struct ssh *ssh, 3472 const char *host, u_short port) 3473 { 3474 u_int i; 3475 int found = 0; 3476 3477 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3478 Channel *c = ssh->chanctxt->channels[i]; 3479 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER) 3480 continue; 3481 if (strcmp(c->path, host) == 0 && c->listening_port == port) { 3482 debug2("%s: close channel %d", __func__, i); 3483 channel_free(ssh, c); 3484 found = 1; 3485 } 3486 } 3487 3488 return found; 3489 } 3490 3491 static int 3492 channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path) 3493 { 3494 u_int i; 3495 int found = 0; 3496 3497 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3498 Channel *c = ssh->chanctxt->channels[i]; 3499 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER) 3500 continue; 3501 if (c->path == NULL) 3502 continue; 3503 if (strcmp(c->path, path) == 0) { 3504 debug2("%s: close channel %d", __func__, i); 3505 channel_free(ssh, c); 3506 found = 1; 3507 } 3508 } 3509 3510 return found; 3511 } 3512 3513 int 3514 channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd) 3515 { 3516 if (fwd->listen_path != NULL) { 3517 return channel_cancel_rport_listener_streamlocal(ssh, 3518 fwd->listen_path); 3519 } else { 3520 return channel_cancel_rport_listener_tcpip(ssh, 3521 fwd->listen_host, fwd->listen_port); 3522 } 3523 } 3524 3525 static int 3526 channel_cancel_lport_listener_tcpip(struct ssh *ssh, 3527 const char *lhost, u_short lport, int cport, 3528 struct ForwardOptions *fwd_opts) 3529 { 3530 u_int i; 3531 int found = 0; 3532 const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, fwd_opts); 3533 3534 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3535 Channel *c = ssh->chanctxt->channels[i]; 3536 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER) 3537 continue; 3538 if (c->listening_port != lport) 3539 continue; 3540 if (cport == CHANNEL_CANCEL_PORT_STATIC) { 3541 /* skip dynamic forwardings */ 3542 if (c->host_port == 0) 3543 continue; 3544 } else { 3545 if (c->host_port != cport) 3546 continue; 3547 } 3548 if ((c->listening_addr == NULL && addr != NULL) || 3549 (c->listening_addr != NULL && addr == NULL)) 3550 continue; 3551 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) { 3552 debug2("%s: close channel %d", __func__, i); 3553 channel_free(ssh, c); 3554 found = 1; 3555 } 3556 } 3557 3558 return found; 3559 } 3560 3561 static int 3562 channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path) 3563 { 3564 u_int i; 3565 int found = 0; 3566 3567 if (path == NULL) { 3568 error("%s: no path specified.", __func__); 3569 return 0; 3570 } 3571 3572 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3573 Channel *c = ssh->chanctxt->channels[i]; 3574 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER) 3575 continue; 3576 if (c->listening_addr == NULL) 3577 continue; 3578 if (strcmp(c->listening_addr, path) == 0) { 3579 debug2("%s: close channel %d", __func__, i); 3580 channel_free(ssh, c); 3581 found = 1; 3582 } 3583 } 3584 3585 return found; 3586 } 3587 3588 int 3589 channel_cancel_lport_listener(struct ssh *ssh, 3590 struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts) 3591 { 3592 if (fwd->listen_path != NULL) { 3593 return channel_cancel_lport_listener_streamlocal(ssh, 3594 fwd->listen_path); 3595 } else { 3596 return channel_cancel_lport_listener_tcpip(ssh, 3597 fwd->listen_host, fwd->listen_port, cport, fwd_opts); 3598 } 3599 } 3600 3601 /* protocol local port fwd, used by ssh */ 3602 int 3603 channel_setup_local_fwd_listener(struct ssh *ssh, 3604 struct Forward *fwd, struct ForwardOptions *fwd_opts) 3605 { 3606 if (fwd->listen_path != NULL) { 3607 return channel_setup_fwd_listener_streamlocal(ssh, 3608 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts); 3609 } else { 3610 return channel_setup_fwd_listener_tcpip(ssh, 3611 SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts); 3612 } 3613 } 3614 3615 /* protocol v2 remote port fwd, used by sshd */ 3616 int 3617 channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd, 3618 int *allocated_listen_port, struct ForwardOptions *fwd_opts) 3619 { 3620 if (fwd->listen_path != NULL) { 3621 return channel_setup_fwd_listener_streamlocal(ssh, 3622 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts); 3623 } else { 3624 return channel_setup_fwd_listener_tcpip(ssh, 3625 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port, 3626 fwd_opts); 3627 } 3628 } 3629 3630 /* 3631 * Translate the requested rfwd listen host to something usable for 3632 * this server. 3633 */ 3634 static const char * 3635 channel_rfwd_bind_host(const char *listen_host) 3636 { 3637 if (listen_host == NULL) { 3638 if (datafellows & SSH_BUG_RFWD_ADDR) 3639 return "127.0.0.1"; 3640 else 3641 return "localhost"; 3642 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { 3643 if (datafellows & SSH_BUG_RFWD_ADDR) 3644 return "0.0.0.0"; 3645 else 3646 return ""; 3647 } else 3648 return listen_host; 3649 } 3650 3651 /* 3652 * Initiate forwarding of connections to port "port" on remote host through 3653 * the secure channel to host:port from local side. 3654 * Returns handle (index) for updating the dynamic listen port with 3655 * channel_update_permitted_opens(). 3656 */ 3657 int 3658 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) 3659 { 3660 int r, success = 0, idx = -1; 3661 char *host_to_connect, *listen_host, *listen_path; 3662 int port_to_connect, listen_port; 3663 3664 /* Send the forward request to the remote side. */ 3665 if (fwd->listen_path != NULL) { 3666 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3667 (r = sshpkt_put_cstring(ssh, 3668 "streamlocal-forward@openssh.com")) != 0 || 3669 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ 3670 (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 || 3671 (r = sshpkt_send(ssh)) != 0 || 3672 (r = ssh_packet_write_wait(ssh)) != 0) 3673 fatal("%s: request streamlocal: %s", 3674 __func__, ssh_err(r)); 3675 } else { 3676 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3677 (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 || 3678 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ 3679 (r = sshpkt_put_cstring(ssh, 3680 channel_rfwd_bind_host(fwd->listen_host))) != 0 || 3681 (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 || 3682 (r = sshpkt_send(ssh)) != 0 || 3683 (r = ssh_packet_write_wait(ssh)) != 0) 3684 fatal("%s: request tcpip-forward: %s", 3685 __func__, ssh_err(r)); 3686 } 3687 /* Assume that server accepts the request */ 3688 success = 1; 3689 if (success) { 3690 /* Record that connection to this host/port is permitted. */ 3691 host_to_connect = listen_host = listen_path = NULL; 3692 port_to_connect = listen_port = 0; 3693 if (fwd->connect_path != NULL) { 3694 host_to_connect = xstrdup(fwd->connect_path); 3695 port_to_connect = PORT_STREAMLOCAL; 3696 } else { 3697 host_to_connect = xstrdup(fwd->connect_host); 3698 port_to_connect = fwd->connect_port; 3699 } 3700 if (fwd->listen_path != NULL) { 3701 listen_path = xstrdup(fwd->listen_path); 3702 listen_port = PORT_STREAMLOCAL; 3703 } else { 3704 if (fwd->listen_host != NULL) 3705 listen_host = xstrdup(fwd->listen_host); 3706 listen_port = fwd->listen_port; 3707 } 3708 idx = fwd_perm_list_add(ssh, FWDPERM_USER, 3709 host_to_connect, port_to_connect, 3710 listen_host, listen_path, listen_port, NULL); 3711 } 3712 return idx; 3713 } 3714 3715 static int 3716 open_match(ForwardPermission *allowed_open, const char *requestedhost, 3717 int requestedport) 3718 { 3719 if (allowed_open->host_to_connect == NULL) 3720 return 0; 3721 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT && 3722 allowed_open->port_to_connect != requestedport) 3723 return 0; 3724 if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 && 3725 strcmp(allowed_open->host_to_connect, requestedhost) != 0) 3726 return 0; 3727 return 1; 3728 } 3729 3730 /* 3731 * Note that in the listen host/port case 3732 * we don't support FWD_PERMIT_ANY_PORT and 3733 * need to translate between the configured-host (listen_host) 3734 * and what we've sent to the remote server (channel_rfwd_bind_host) 3735 */ 3736 static int 3737 open_listen_match_tcpip(ForwardPermission *allowed_open, 3738 const char *requestedhost, u_short requestedport, int translate) 3739 { 3740 const char *allowed_host; 3741 3742 if (allowed_open->host_to_connect == NULL) 3743 return 0; 3744 if (allowed_open->listen_port != requestedport) 3745 return 0; 3746 if (!translate && allowed_open->listen_host == NULL && 3747 requestedhost == NULL) 3748 return 1; 3749 allowed_host = translate ? 3750 channel_rfwd_bind_host(allowed_open->listen_host) : 3751 allowed_open->listen_host; 3752 if (allowed_host == NULL || 3753 strcmp(allowed_host, requestedhost) != 0) 3754 return 0; 3755 return 1; 3756 } 3757 3758 static int 3759 open_listen_match_streamlocal(ForwardPermission *allowed_open, 3760 const char *requestedpath) 3761 { 3762 if (allowed_open->host_to_connect == NULL) 3763 return 0; 3764 if (allowed_open->listen_port != PORT_STREAMLOCAL) 3765 return 0; 3766 if (allowed_open->listen_path == NULL || 3767 strcmp(allowed_open->listen_path, requestedpath) != 0) 3768 return 0; 3769 return 1; 3770 } 3771 3772 /* 3773 * Request cancellation of remote forwarding of connection host:port from 3774 * local side. 3775 */ 3776 static int 3777 channel_request_rforward_cancel_tcpip(struct ssh *ssh, 3778 const char *host, u_short port) 3779 { 3780 struct ssh_channels *sc = ssh->chanctxt; 3781 int r; 3782 u_int i; 3783 ForwardPermission *fp; 3784 3785 for (i = 0; i < sc->num_permitted_opens; i++) { 3786 fp = &sc->permitted_opens[i]; 3787 if (open_listen_match_tcpip(fp, host, port, 0)) 3788 break; 3789 fp = NULL; 3790 } 3791 if (fp == NULL) { 3792 debug("%s: requested forward not found", __func__); 3793 return -1; 3794 } 3795 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3796 (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 || 3797 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ 3798 (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 || 3799 (r = sshpkt_put_u32(ssh, port)) != 0 || 3800 (r = sshpkt_send(ssh)) != 0) 3801 fatal("%s: send cancel: %s", __func__, ssh_err(r)); 3802 3803 fwd_perm_clear(fp); /* unregister */ 3804 3805 return 0; 3806 } 3807 3808 /* 3809 * Request cancellation of remote forwarding of Unix domain socket 3810 * path from local side. 3811 */ 3812 static int 3813 channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path) 3814 { 3815 struct ssh_channels *sc = ssh->chanctxt; 3816 int r; 3817 u_int i; 3818 ForwardPermission *fp; 3819 3820 for (i = 0; i < sc->num_permitted_opens; i++) { 3821 fp = &sc->permitted_opens[i]; 3822 if (open_listen_match_streamlocal(fp, path)) 3823 break; 3824 fp = NULL; 3825 } 3826 if (fp == NULL) { 3827 debug("%s: requested forward not found", __func__); 3828 return -1; 3829 } 3830 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3831 (r = sshpkt_put_cstring(ssh, 3832 "cancel-streamlocal-forward@openssh.com")) != 0 || 3833 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ 3834 (r = sshpkt_put_cstring(ssh, path)) != 0 || 3835 (r = sshpkt_send(ssh)) != 0) 3836 fatal("%s: send cancel: %s", __func__, ssh_err(r)); 3837 3838 fwd_perm_clear(fp); /* unregister */ 3839 3840 return 0; 3841 } 3842 3843 /* 3844 * Request cancellation of remote forwarding of a connection from local side. 3845 */ 3846 int 3847 channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd) 3848 { 3849 if (fwd->listen_path != NULL) { 3850 return channel_request_rforward_cancel_streamlocal(ssh, 3851 fwd->listen_path); 3852 } else { 3853 return channel_request_rforward_cancel_tcpip(ssh, 3854 fwd->listen_host, 3855 fwd->listen_port ? fwd->listen_port : fwd->allocated_port); 3856 } 3857 } 3858 3859 /* 3860 * Permits opening to any host/port if permitted_opens[] is empty. This is 3861 * usually called by the server, because the user could connect to any port 3862 * anyway, and the server has no way to know but to trust the client anyway. 3863 */ 3864 void 3865 channel_permit_all_opens(struct ssh *ssh) 3866 { 3867 if (ssh->chanctxt->num_permitted_opens == 0) 3868 ssh->chanctxt->all_opens_permitted = 1; 3869 } 3870 3871 void 3872 channel_add_permitted_opens(struct ssh *ssh, char *host, int port) 3873 { 3874 struct ssh_channels *sc = ssh->chanctxt; 3875 3876 debug("allow port forwarding to host %s port %d", host, port); 3877 fwd_perm_list_add(ssh, FWDPERM_USER, host, port, NULL, NULL, 0, NULL); 3878 sc->all_opens_permitted = 0; 3879 } 3880 3881 /* 3882 * Update the listen port for a dynamic remote forward, after 3883 * the actual 'newport' has been allocated. If 'newport' < 0 is 3884 * passed then they entry will be invalidated. 3885 */ 3886 void 3887 channel_update_permitted_opens(struct ssh *ssh, int idx, int newport) 3888 { 3889 struct ssh_channels *sc = ssh->chanctxt; 3890 3891 if (idx < 0 || (u_int)idx >= sc->num_permitted_opens) { 3892 debug("%s: index out of range: %d num_permitted_opens %d", 3893 __func__, idx, sc->num_permitted_opens); 3894 return; 3895 } 3896 debug("%s allowed port %d for forwarding to host %s port %d", 3897 newport > 0 ? "Updating" : "Removing", 3898 newport, 3899 sc->permitted_opens[idx].host_to_connect, 3900 sc->permitted_opens[idx].port_to_connect); 3901 if (newport <= 0) 3902 fwd_perm_clear(&sc->permitted_opens[idx]); 3903 else { 3904 sc->permitted_opens[idx].listen_port = 3905 (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport; 3906 } 3907 } 3908 3909 int 3910 channel_add_adm_permitted_opens(struct ssh *ssh, char *host, int port) 3911 { 3912 debug("config allows port forwarding to host %s port %d", host, port); 3913 return fwd_perm_list_add(ssh, FWDPERM_ADMIN, host, port, 3914 NULL, NULL, 0, NULL); 3915 } 3916 3917 void 3918 channel_disable_adm_local_opens(struct ssh *ssh) 3919 { 3920 channel_clear_adm_permitted_opens(ssh); 3921 fwd_perm_list_add(ssh, FWDPERM_ADMIN, NULL, 0, NULL, NULL, 0, NULL); 3922 } 3923 3924 void 3925 channel_clear_permitted_opens(struct ssh *ssh) 3926 { 3927 struct ssh_channels *sc = ssh->chanctxt; 3928 3929 sc->permitted_opens = xrecallocarray(sc->permitted_opens, 3930 sc->num_permitted_opens, 0, sizeof(*sc->permitted_opens)); 3931 sc->num_permitted_opens = 0; 3932 } 3933 3934 void 3935 channel_clear_adm_permitted_opens(struct ssh *ssh) 3936 { 3937 struct ssh_channels *sc = ssh->chanctxt; 3938 3939 sc->permitted_adm_opens = xrecallocarray(sc->permitted_adm_opens, 3940 sc->num_adm_permitted_opens, 0, sizeof(*sc->permitted_adm_opens)); 3941 sc->num_adm_permitted_opens = 0; 3942 } 3943 3944 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ 3945 int 3946 permitopen_port(const char *p) 3947 { 3948 int port; 3949 3950 if (strcmp(p, "*") == 0) 3951 return FWD_PERMIT_ANY_PORT; 3952 if ((port = a2port(p)) > 0) 3953 return port; 3954 return -1; 3955 } 3956 3957 /* Try to start non-blocking connect to next host in cctx list */ 3958 static int 3959 connect_next(struct channel_connect *cctx) 3960 { 3961 int sock, saved_errno; 3962 struct sockaddr_un *sunaddr; 3963 char ntop[NI_MAXHOST]; 3964 char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))]; 3965 3966 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 3967 switch (cctx->ai->ai_family) { 3968 case AF_UNIX: 3969 /* unix:pathname instead of host:port */ 3970 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr; 3971 strlcpy(ntop, "unix", sizeof(ntop)); 3972 strlcpy(strport, sunaddr->sun_path, sizeof(strport)); 3973 break; 3974 case AF_INET: 3975 case AF_INET6: 3976 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 3977 ntop, sizeof(ntop), strport, sizeof(strport), 3978 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3979 error("connect_next: getnameinfo failed"); 3980 continue; 3981 } 3982 break; 3983 default: 3984 continue; 3985 } 3986 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 3987 cctx->ai->ai_protocol)) == -1) { 3988 if (cctx->ai->ai_next == NULL) 3989 error("socket: %.100s", strerror(errno)); 3990 else 3991 verbose("socket: %.100s", strerror(errno)); 3992 continue; 3993 } 3994 if (set_nonblock(sock) == -1) 3995 fatal("%s: set_nonblock(%d)", __func__, sock); 3996 if (connect(sock, cctx->ai->ai_addr, 3997 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 3998 debug("connect_next: host %.100s ([%.100s]:%s): " 3999 "%.100s", cctx->host, ntop, strport, 4000 strerror(errno)); 4001 saved_errno = errno; 4002 close(sock); 4003 errno = saved_errno; 4004 continue; /* fail -- try next */ 4005 } 4006 if (cctx->ai->ai_family != AF_UNIX) 4007 set_nodelay(sock); 4008 debug("connect_next: host %.100s ([%.100s]:%s) " 4009 "in progress, fd=%d", cctx->host, ntop, strport, sock); 4010 cctx->ai = cctx->ai->ai_next; 4011 return sock; 4012 } 4013 return -1; 4014 } 4015 4016 static void 4017 channel_connect_ctx_free(struct channel_connect *cctx) 4018 { 4019 free(cctx->host); 4020 if (cctx->aitop) { 4021 if (cctx->aitop->ai_family == AF_UNIX) 4022 free(cctx->aitop); 4023 else 4024 freeaddrinfo(cctx->aitop); 4025 } 4026 memset(cctx, 0, sizeof(*cctx)); 4027 } 4028 4029 /* 4030 * Return connecting socket to remote host:port or local socket path, 4031 * passing back the failure reason if appropriate. 4032 */ 4033 static int 4034 connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype, 4035 char *ctype, char *rname, struct channel_connect *cctx, 4036 int *reason, const char **errmsg) 4037 { 4038 struct addrinfo hints; 4039 int gaierr; 4040 int sock = -1; 4041 char strport[NI_MAXSERV]; 4042 4043 if (port == PORT_STREAMLOCAL) { 4044 struct sockaddr_un *sunaddr; 4045 struct addrinfo *ai; 4046 4047 if (strlen(name) > sizeof(sunaddr->sun_path)) { 4048 error("%.100s: %.100s", name, strerror(ENAMETOOLONG)); 4049 return -1; 4050 } 4051 4052 /* 4053 * Fake up a struct addrinfo for AF_UNIX connections. 4054 * channel_connect_ctx_free() must check ai_family 4055 * and use free() not freeaddirinfo() for AF_UNIX. 4056 */ 4057 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr)); 4058 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr)); 4059 ai->ai_addr = (struct sockaddr *)(ai + 1); 4060 ai->ai_addrlen = sizeof(*sunaddr); 4061 ai->ai_family = AF_UNIX; 4062 ai->ai_socktype = socktype; 4063 ai->ai_protocol = PF_UNSPEC; 4064 sunaddr = (struct sockaddr_un *)ai->ai_addr; 4065 sunaddr->sun_family = AF_UNIX; 4066 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); 4067 cctx->aitop = ai; 4068 } else { 4069 memset(&hints, 0, sizeof(hints)); 4070 hints.ai_family = ssh->chanctxt->IPv4or6; 4071 hints.ai_socktype = socktype; 4072 snprintf(strport, sizeof strport, "%d", port); 4073 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop)) 4074 != 0) { 4075 if (errmsg != NULL) 4076 *errmsg = ssh_gai_strerror(gaierr); 4077 if (reason != NULL) 4078 *reason = SSH2_OPEN_CONNECT_FAILED; 4079 error("connect_to %.100s: unknown host (%s)", name, 4080 ssh_gai_strerror(gaierr)); 4081 return -1; 4082 } 4083 } 4084 4085 cctx->host = xstrdup(name); 4086 cctx->port = port; 4087 cctx->ai = cctx->aitop; 4088 4089 if ((sock = connect_next(cctx)) == -1) { 4090 error("connect to %.100s port %d failed: %s", 4091 name, port, strerror(errno)); 4092 return -1; 4093 } 4094 4095 return sock; 4096 } 4097 4098 /* Return CONNECTING channel to remote host:port or local socket path */ 4099 static Channel * 4100 connect_to(struct ssh *ssh, const char *host, int port, 4101 char *ctype, char *rname) 4102 { 4103 struct channel_connect cctx; 4104 Channel *c; 4105 int sock; 4106 4107 memset(&cctx, 0, sizeof(cctx)); 4108 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, 4109 &cctx, NULL, NULL); 4110 if (sock == -1) { 4111 channel_connect_ctx_free(&cctx); 4112 return NULL; 4113 } 4114 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 4115 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4116 c->host_port = port; 4117 c->path = xstrdup(host); 4118 c->connect_ctx = cctx; 4119 4120 return c; 4121 } 4122 4123 /* 4124 * returns either the newly connected channel or the downstream channel 4125 * that needs to deal with this connection. 4126 */ 4127 Channel * 4128 channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host, 4129 u_short listen_port, char *ctype, char *rname) 4130 { 4131 struct ssh_channels *sc = ssh->chanctxt; 4132 u_int i; 4133 ForwardPermission *fp; 4134 4135 for (i = 0; i < sc->num_permitted_opens; i++) { 4136 fp = &sc->permitted_opens[i]; 4137 if (open_listen_match_tcpip(fp, listen_host, listen_port, 1)) { 4138 if (fp->downstream) 4139 return fp->downstream; 4140 if (fp->port_to_connect == 0) 4141 return rdynamic_connect_prepare(ssh, 4142 ctype, rname); 4143 return connect_to(ssh, 4144 fp->host_to_connect, fp->port_to_connect, 4145 ctype, rname); 4146 } 4147 } 4148 error("WARNING: Server requests forwarding for unknown listen_port %d", 4149 listen_port); 4150 return NULL; 4151 } 4152 4153 Channel * 4154 channel_connect_by_listen_path(struct ssh *ssh, const char *path, 4155 char *ctype, char *rname) 4156 { 4157 struct ssh_channels *sc = ssh->chanctxt; 4158 u_int i; 4159 ForwardPermission *fp; 4160 4161 for (i = 0; i < sc->num_permitted_opens; i++) { 4162 fp = &sc->permitted_opens[i]; 4163 if (open_listen_match_streamlocal(fp, path)) { 4164 return connect_to(ssh, 4165 fp->host_to_connect, fp->port_to_connect, 4166 ctype, rname); 4167 } 4168 } 4169 error("WARNING: Server requests forwarding for unknown path %.100s", 4170 path); 4171 return NULL; 4172 } 4173 4174 /* Check if connecting to that port is permitted and connect. */ 4175 Channel * 4176 channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, 4177 char *ctype, char *rname, int *reason, const char **errmsg) 4178 { 4179 struct ssh_channels *sc = ssh->chanctxt; 4180 struct channel_connect cctx; 4181 Channel *c; 4182 u_int i, permit, permit_adm = 1; 4183 int sock; 4184 ForwardPermission *fp; 4185 4186 permit = sc->all_opens_permitted; 4187 if (!permit) { 4188 for (i = 0; i < sc->num_permitted_opens; i++) { 4189 fp = &sc->permitted_opens[i]; 4190 if (open_match(fp, host, port)) { 4191 permit = 1; 4192 break; 4193 } 4194 } 4195 } 4196 4197 if (sc->num_adm_permitted_opens > 0) { 4198 permit_adm = 0; 4199 for (i = 0; i < sc->num_adm_permitted_opens; i++) { 4200 fp = &sc->permitted_adm_opens[i]; 4201 if (open_match(fp, host, port)) { 4202 permit_adm = 1; 4203 break; 4204 } 4205 } 4206 } 4207 4208 if (!permit || !permit_adm) { 4209 logit("Received request to connect to host %.100s port %d, " 4210 "but the request was denied.", host, port); 4211 if (reason != NULL) 4212 *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED; 4213 return NULL; 4214 } 4215 4216 memset(&cctx, 0, sizeof(cctx)); 4217 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, 4218 &cctx, reason, errmsg); 4219 if (sock == -1) { 4220 channel_connect_ctx_free(&cctx); 4221 return NULL; 4222 } 4223 4224 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 4225 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4226 c->host_port = port; 4227 c->path = xstrdup(host); 4228 c->connect_ctx = cctx; 4229 4230 return c; 4231 } 4232 4233 /* Check if connecting to that path is permitted and connect. */ 4234 Channel * 4235 channel_connect_to_path(struct ssh *ssh, const char *path, 4236 char *ctype, char *rname) 4237 { 4238 struct ssh_channels *sc = ssh->chanctxt; 4239 u_int i, permit, permit_adm = 1; 4240 ForwardPermission *fp; 4241 4242 permit = sc->all_opens_permitted; 4243 if (!permit) { 4244 for (i = 0; i < sc->num_permitted_opens; i++) { 4245 fp = &sc->permitted_opens[i]; 4246 if (open_match(fp, path, PORT_STREAMLOCAL)) { 4247 permit = 1; 4248 break; 4249 } 4250 } 4251 } 4252 4253 if (sc->num_adm_permitted_opens > 0) { 4254 permit_adm = 0; 4255 for (i = 0; i < sc->num_adm_permitted_opens; i++) { 4256 fp = &sc->permitted_adm_opens[i]; 4257 if (open_match(fp, path, PORT_STREAMLOCAL)) { 4258 permit_adm = 1; 4259 break; 4260 } 4261 } 4262 } 4263 4264 if (!permit || !permit_adm) { 4265 logit("Received request to connect to path %.100s, " 4266 "but the request was denied.", path); 4267 return NULL; 4268 } 4269 return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname); 4270 } 4271 4272 void 4273 channel_send_window_changes(struct ssh *ssh) 4274 { 4275 struct ssh_channels *sc = ssh->chanctxt; 4276 struct winsize ws; 4277 int r; 4278 u_int i; 4279 4280 for (i = 0; i < sc->channels_alloc; i++) { 4281 if (sc->channels[i] == NULL || !sc->channels[i]->client_tty || 4282 sc->channels[i]->type != SSH_CHANNEL_OPEN) 4283 continue; 4284 if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 4285 continue; 4286 channel_request_start(ssh, i, "window-change", 0); 4287 if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 || 4288 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 || 4289 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 || 4290 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 || 4291 (r = sshpkt_send(ssh)) != 0) 4292 fatal("%s: channel %u: send window-change: %s", 4293 __func__, i, ssh_err(r)); 4294 } 4295 } 4296 4297 /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */ 4298 static Channel * 4299 rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname) 4300 { 4301 Channel *c; 4302 int r; 4303 4304 c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1, 4305 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4306 c->host_port = 0; 4307 c->path = NULL; 4308 4309 /* 4310 * We need to open the channel before we have a FD, 4311 * so that we can get SOCKS header from peer. 4312 */ 4313 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || 4314 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 4315 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 4316 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 4317 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { 4318 fatal("%s: channel %i: confirm: %s", __func__, 4319 c->self, ssh_err(r)); 4320 } 4321 return c; 4322 } 4323 4324 /* Return CONNECTING socket to remote host:port or local socket path */ 4325 static int 4326 rdynamic_connect_finish(struct ssh *ssh, Channel *c) 4327 { 4328 struct channel_connect cctx; 4329 int sock; 4330 4331 memset(&cctx, 0, sizeof(cctx)); 4332 sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL, 4333 NULL, &cctx, NULL, NULL); 4334 if (sock == -1) 4335 channel_connect_ctx_free(&cctx); 4336 else { 4337 /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */ 4338 c->type = SSH_CHANNEL_RDYNAMIC_FINISH; 4339 c->connect_ctx = cctx; 4340 channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0); 4341 } 4342 return sock; 4343 } 4344 4345 /* -- X11 forwarding */ 4346 4347 /* 4348 * Creates an internet domain socket for listening for X11 connections. 4349 * Returns 0 and a suitable display number for the DISPLAY variable 4350 * stored in display_numberp , or -1 if an error occurs. 4351 */ 4352 int 4353 x11_create_display_inet(struct ssh *ssh, int x11_display_offset, 4354 int x11_use_localhost, int single_connection, 4355 u_int *display_numberp, int **chanids) 4356 { 4357 Channel *nc = NULL; 4358 int display_number, sock; 4359 u_short port; 4360 struct addrinfo hints, *ai, *aitop; 4361 char strport[NI_MAXSERV]; 4362 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 4363 4364 if (chanids == NULL) 4365 return -1; 4366 4367 for (display_number = x11_display_offset; 4368 display_number < MAX_DISPLAYS; 4369 display_number++) { 4370 port = 6000 + display_number; 4371 memset(&hints, 0, sizeof(hints)); 4372 hints.ai_family = ssh->chanctxt->IPv4or6; 4373 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 4374 hints.ai_socktype = SOCK_STREAM; 4375 snprintf(strport, sizeof strport, "%d", port); 4376 if ((gaierr = getaddrinfo(NULL, strport, 4377 &hints, &aitop)) != 0) { 4378 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 4379 return -1; 4380 } 4381 for (ai = aitop; ai; ai = ai->ai_next) { 4382 if (ai->ai_family != AF_INET && 4383 ai->ai_family != AF_INET6) 4384 continue; 4385 sock = socket(ai->ai_family, ai->ai_socktype, 4386 ai->ai_protocol); 4387 if (sock < 0) { 4388 error("socket: %.100s", strerror(errno)); 4389 freeaddrinfo(aitop); 4390 return -1; 4391 } 4392 channel_set_reuseaddr(sock); 4393 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 4394 debug2("%s: bind port %d: %.100s", __func__, 4395 port, strerror(errno)); 4396 close(sock); 4397 for (n = 0; n < num_socks; n++) 4398 close(socks[n]); 4399 num_socks = 0; 4400 break; 4401 } 4402 socks[num_socks++] = sock; 4403 if (num_socks == NUM_SOCKS) 4404 break; 4405 } 4406 freeaddrinfo(aitop); 4407 if (num_socks > 0) 4408 break; 4409 } 4410 if (display_number >= MAX_DISPLAYS) { 4411 error("Failed to allocate internet-domain X11 display socket."); 4412 return -1; 4413 } 4414 /* Start listening for connections on the socket. */ 4415 for (n = 0; n < num_socks; n++) { 4416 sock = socks[n]; 4417 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 4418 error("listen: %.100s", strerror(errno)); 4419 close(sock); 4420 return -1; 4421 } 4422 } 4423 4424 /* Allocate a channel for each socket. */ 4425 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 4426 for (n = 0; n < num_socks; n++) { 4427 sock = socks[n]; 4428 nc = channel_new(ssh, "x11 listener", 4429 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 4430 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 4431 0, "X11 inet listener", 1); 4432 nc->single_connection = single_connection; 4433 (*chanids)[n] = nc->self; 4434 } 4435 (*chanids)[n] = -1; 4436 4437 /* Return the display number for the DISPLAY environment variable. */ 4438 *display_numberp = display_number; 4439 return 0; 4440 } 4441 4442 static int 4443 connect_local_xsocket(u_int dnr) 4444 { 4445 int sock; 4446 struct sockaddr_un addr; 4447 4448 sock = socket(AF_UNIX, SOCK_STREAM, 0); 4449 if (sock < 0) 4450 error("socket: %.100s", strerror(errno)); 4451 memset(&addr, 0, sizeof(addr)); 4452 addr.sun_family = AF_UNIX; 4453 snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr); 4454 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 4455 return sock; 4456 close(sock); 4457 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 4458 return -1; 4459 } 4460 4461 int 4462 x11_connect_display(struct ssh *ssh) 4463 { 4464 u_int display_number; 4465 const char *display; 4466 char buf[1024], *cp; 4467 struct addrinfo hints, *ai, *aitop; 4468 char strport[NI_MAXSERV]; 4469 int gaierr, sock = 0; 4470 4471 /* Try to open a socket for the local X server. */ 4472 display = getenv("DISPLAY"); 4473 if (!display) { 4474 error("DISPLAY not set."); 4475 return -1; 4476 } 4477 /* 4478 * Now we decode the value of the DISPLAY variable and make a 4479 * connection to the real X server. 4480 */ 4481 4482 /* 4483 * Check if it is a unix domain socket. Unix domain displays are in 4484 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 4485 */ 4486 if (strncmp(display, "unix:", 5) == 0 || 4487 display[0] == ':') { 4488 /* Connect to the unix domain socket. */ 4489 if (sscanf(strrchr(display, ':') + 1, "%u", 4490 &display_number) != 1) { 4491 error("Could not parse display number from DISPLAY: " 4492 "%.100s", display); 4493 return -1; 4494 } 4495 /* Create a socket. */ 4496 sock = connect_local_xsocket(display_number); 4497 if (sock < 0) 4498 return -1; 4499 4500 /* OK, we now have a connection to the display. */ 4501 return sock; 4502 } 4503 /* 4504 * Connect to an inet socket. The DISPLAY value is supposedly 4505 * hostname:d[.s], where hostname may also be numeric IP address. 4506 */ 4507 strlcpy(buf, display, sizeof(buf)); 4508 cp = strchr(buf, ':'); 4509 if (!cp) { 4510 error("Could not find ':' in DISPLAY: %.100s", display); 4511 return -1; 4512 } 4513 *cp = 0; 4514 /* 4515 * buf now contains the host name. But first we parse the 4516 * display number. 4517 */ 4518 if (sscanf(cp + 1, "%u", &display_number) != 1) { 4519 error("Could not parse display number from DISPLAY: %.100s", 4520 display); 4521 return -1; 4522 } 4523 4524 /* Look up the host address */ 4525 memset(&hints, 0, sizeof(hints)); 4526 hints.ai_family = ssh->chanctxt->IPv4or6; 4527 hints.ai_socktype = SOCK_STREAM; 4528 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 4529 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 4530 error("%.100s: unknown host. (%s)", buf, 4531 ssh_gai_strerror(gaierr)); 4532 return -1; 4533 } 4534 for (ai = aitop; ai; ai = ai->ai_next) { 4535 /* Create a socket. */ 4536 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 4537 if (sock < 0) { 4538 debug2("socket: %.100s", strerror(errno)); 4539 continue; 4540 } 4541 /* Connect it to the display. */ 4542 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 4543 debug2("connect %.100s port %u: %.100s", buf, 4544 6000 + display_number, strerror(errno)); 4545 close(sock); 4546 continue; 4547 } 4548 /* Success */ 4549 break; 4550 } 4551 freeaddrinfo(aitop); 4552 if (!ai) { 4553 error("connect %.100s port %u: %.100s", buf, 4554 6000 + display_number, strerror(errno)); 4555 return -1; 4556 } 4557 set_nodelay(sock); 4558 return sock; 4559 } 4560 4561 /* 4562 * Requests forwarding of X11 connections, generates fake authentication 4563 * data, and enables authentication spoofing. 4564 * This should be called in the client only. 4565 */ 4566 void 4567 x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id, 4568 const char *disp, const char *proto, const char *data, int want_reply) 4569 { 4570 struct ssh_channels *sc = ssh->chanctxt; 4571 u_int data_len = (u_int) strlen(data) / 2; 4572 u_int i, value; 4573 const char *cp; 4574 char *new_data; 4575 int r, screen_number; 4576 4577 if (sc->x11_saved_display == NULL) 4578 sc->x11_saved_display = xstrdup(disp); 4579 else if (strcmp(disp, sc->x11_saved_display) != 0) { 4580 error("x11_request_forwarding_with_spoofing: different " 4581 "$DISPLAY already forwarded"); 4582 return; 4583 } 4584 4585 cp = strchr(disp, ':'); 4586 if (cp) 4587 cp = strchr(cp, '.'); 4588 if (cp) 4589 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 4590 else 4591 screen_number = 0; 4592 4593 if (sc->x11_saved_proto == NULL) { 4594 /* Save protocol name. */ 4595 sc->x11_saved_proto = xstrdup(proto); 4596 4597 /* Extract real authentication data. */ 4598 sc->x11_saved_data = xmalloc(data_len); 4599 for (i = 0; i < data_len; i++) { 4600 if (sscanf(data + 2 * i, "%2x", &value) != 1) 4601 fatal("x11_request_forwarding: bad " 4602 "authentication data: %.100s", data); 4603 sc->x11_saved_data[i] = value; 4604 } 4605 sc->x11_saved_data_len = data_len; 4606 4607 /* Generate fake data of the same length. */ 4608 sc->x11_fake_data = xmalloc(data_len); 4609 arc4random_buf(sc->x11_fake_data, data_len); 4610 sc->x11_fake_data_len = data_len; 4611 } 4612 4613 /* Convert the fake data into hex. */ 4614 new_data = tohex(sc->x11_fake_data, data_len); 4615 4616 /* Send the request packet. */ 4617 channel_request_start(ssh, client_session_id, "x11-req", want_reply); 4618 if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */ 4619 (r = sshpkt_put_cstring(ssh, proto)) != 0 || 4620 (r = sshpkt_put_cstring(ssh, new_data)) != 0 || 4621 (r = sshpkt_put_u32(ssh, screen_number)) != 0 || 4622 (r = sshpkt_send(ssh)) != 0 || 4623 (r = ssh_packet_write_wait(ssh)) != 0) 4624 fatal("%s: send x11-req: %s", __func__, ssh_err(r)); 4625 free(new_data); 4626 } 4627