1 /* $OpenBSD: misc.c,v 1.118 2017/10/25 00:17:08 djm Exp $ */ 2 /* 3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2005,2006 Damien Miller. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/ioctl.h> 29 #include <sys/socket.h> 30 #include <sys/stat.h> 31 #include <sys/time.h> 32 #include <sys/wait.h> 33 #include <sys/un.h> 34 35 #include <net/if.h> 36 #include <netinet/in.h> 37 #include <netinet/ip.h> 38 #include <netinet/tcp.h> 39 40 #include <ctype.h> 41 #include <errno.h> 42 #include <fcntl.h> 43 #include <netdb.h> 44 #include <paths.h> 45 #include <pwd.h> 46 #include <libgen.h> 47 #include <limits.h> 48 #include <signal.h> 49 #include <stdarg.h> 50 #include <stdio.h> 51 #include <stdlib.h> 52 #include <string.h> 53 #include <unistd.h> 54 55 #include "xmalloc.h" 56 #include "misc.h" 57 #include "log.h" 58 #include "ssh.h" 59 #include "sshbuf.h" 60 #include "ssherr.h" 61 #include "uidswap.h" 62 63 /* remove newline at end of string */ 64 char * 65 chop(char *s) 66 { 67 char *t = s; 68 while (*t) { 69 if (*t == '\n' || *t == '\r') { 70 *t = '\0'; 71 return s; 72 } 73 t++; 74 } 75 return s; 76 77 } 78 79 /* set/unset filedescriptor to non-blocking */ 80 int 81 set_nonblock(int fd) 82 { 83 int val; 84 85 val = fcntl(fd, F_GETFL); 86 if (val < 0) { 87 error("fcntl(%d, F_GETFL): %s", fd, strerror(errno)); 88 return (-1); 89 } 90 if (val & O_NONBLOCK) { 91 debug3("fd %d is O_NONBLOCK", fd); 92 return (0); 93 } 94 debug2("fd %d setting O_NONBLOCK", fd); 95 val |= O_NONBLOCK; 96 if (fcntl(fd, F_SETFL, val) == -1) { 97 debug("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd, 98 strerror(errno)); 99 return (-1); 100 } 101 return (0); 102 } 103 104 int 105 unset_nonblock(int fd) 106 { 107 int val; 108 109 val = fcntl(fd, F_GETFL); 110 if (val < 0) { 111 error("fcntl(%d, F_GETFL): %s", fd, strerror(errno)); 112 return (-1); 113 } 114 if (!(val & O_NONBLOCK)) { 115 debug3("fd %d is not O_NONBLOCK", fd); 116 return (0); 117 } 118 debug("fd %d clearing O_NONBLOCK", fd); 119 val &= ~O_NONBLOCK; 120 if (fcntl(fd, F_SETFL, val) == -1) { 121 debug("fcntl(%d, F_SETFL, ~O_NONBLOCK): %s", 122 fd, strerror(errno)); 123 return (-1); 124 } 125 return (0); 126 } 127 128 const char * 129 ssh_gai_strerror(int gaierr) 130 { 131 if (gaierr == EAI_SYSTEM && errno != 0) 132 return strerror(errno); 133 return gai_strerror(gaierr); 134 } 135 136 /* disable nagle on socket */ 137 void 138 set_nodelay(int fd) 139 { 140 int opt; 141 socklen_t optlen; 142 143 optlen = sizeof opt; 144 if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) { 145 debug("getsockopt TCP_NODELAY: %.100s", strerror(errno)); 146 return; 147 } 148 if (opt == 1) { 149 debug2("fd %d is TCP_NODELAY", fd); 150 return; 151 } 152 opt = 1; 153 debug2("fd %d setting TCP_NODELAY", fd); 154 if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1) 155 error("setsockopt TCP_NODELAY: %.100s", strerror(errno)); 156 } 157 158 /* Allow local port reuse in TIME_WAIT */ 159 int 160 set_reuseaddr(int fd) 161 { 162 int on = 1; 163 164 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) { 165 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 166 return -1; 167 } 168 return 0; 169 } 170 171 /* Get/set routing domain */ 172 char * 173 get_rdomain(int fd) 174 { 175 int rtable; 176 char *ret; 177 socklen_t len = sizeof(rtable); 178 179 if (getsockopt(fd, SOL_SOCKET, SO_RTABLE, &rtable, &len) == -1) { 180 error("Failed to get routing domain for fd %d: %s", 181 fd, strerror(errno)); 182 return NULL; 183 } 184 xasprintf(&ret, "%d", rtable); 185 return ret; 186 } 187 188 int 189 set_rdomain(int fd, const char *name) 190 { 191 int rtable; 192 const char *errstr; 193 194 if (name == NULL) 195 return 0; /* default table */ 196 197 rtable = (int)strtonum(name, 0, 255, &errstr); 198 if (errstr != NULL) { 199 /* Shouldn't happen */ 200 error("Invalid routing domain \"%s\": %s", name, errstr); 201 return -1; 202 } 203 if (setsockopt(fd, SOL_SOCKET, SO_RTABLE, 204 &rtable, sizeof(rtable)) == -1) { 205 error("Failed to set routing domain %d on fd %d: %s", 206 rtable, fd, strerror(errno)); 207 return -1; 208 } 209 return 0; 210 } 211 212 /* Characters considered whitespace in strsep calls. */ 213 #define WHITESPACE " \t\r\n" 214 #define QUOTE "\"" 215 216 /* return next token in configuration line */ 217 char * 218 strdelim(char **s) 219 { 220 char *old; 221 int wspace = 0; 222 223 if (*s == NULL) 224 return NULL; 225 226 old = *s; 227 228 *s = strpbrk(*s, WHITESPACE QUOTE "="); 229 if (*s == NULL) 230 return (old); 231 232 if (*s[0] == '\"') { 233 memmove(*s, *s + 1, strlen(*s)); /* move nul too */ 234 /* Find matching quote */ 235 if ((*s = strpbrk(*s, QUOTE)) == NULL) { 236 return (NULL); /* no matching quote */ 237 } else { 238 *s[0] = '\0'; 239 *s += strspn(*s + 1, WHITESPACE) + 1; 240 return (old); 241 } 242 } 243 244 /* Allow only one '=' to be skipped */ 245 if (*s[0] == '=') 246 wspace = 1; 247 *s[0] = '\0'; 248 249 /* Skip any extra whitespace after first token */ 250 *s += strspn(*s + 1, WHITESPACE) + 1; 251 if (*s[0] == '=' && !wspace) 252 *s += strspn(*s + 1, WHITESPACE) + 1; 253 254 return (old); 255 } 256 257 struct passwd * 258 pwcopy(struct passwd *pw) 259 { 260 struct passwd *copy = xcalloc(1, sizeof(*copy)); 261 262 copy->pw_name = xstrdup(pw->pw_name); 263 copy->pw_passwd = xstrdup(pw->pw_passwd); 264 copy->pw_gecos = xstrdup(pw->pw_gecos); 265 copy->pw_uid = pw->pw_uid; 266 copy->pw_gid = pw->pw_gid; 267 copy->pw_expire = pw->pw_expire; 268 copy->pw_change = pw->pw_change; 269 copy->pw_class = xstrdup(pw->pw_class); 270 copy->pw_dir = xstrdup(pw->pw_dir); 271 copy->pw_shell = xstrdup(pw->pw_shell); 272 return copy; 273 } 274 275 /* 276 * Convert ASCII string to TCP/IP port number. 277 * Port must be >=0 and <=65535. 278 * Return -1 if invalid. 279 */ 280 int 281 a2port(const char *s) 282 { 283 long long port; 284 const char *errstr; 285 286 port = strtonum(s, 0, 65535, &errstr); 287 if (errstr != NULL) 288 return -1; 289 return (int)port; 290 } 291 292 int 293 a2tun(const char *s, int *remote) 294 { 295 const char *errstr = NULL; 296 char *sp, *ep; 297 int tun; 298 299 if (remote != NULL) { 300 *remote = SSH_TUNID_ANY; 301 sp = xstrdup(s); 302 if ((ep = strchr(sp, ':')) == NULL) { 303 free(sp); 304 return (a2tun(s, NULL)); 305 } 306 ep[0] = '\0'; ep++; 307 *remote = a2tun(ep, NULL); 308 tun = a2tun(sp, NULL); 309 free(sp); 310 return (*remote == SSH_TUNID_ERR ? *remote : tun); 311 } 312 313 if (strcasecmp(s, "any") == 0) 314 return (SSH_TUNID_ANY); 315 316 tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr); 317 if (errstr != NULL) 318 return (SSH_TUNID_ERR); 319 320 return (tun); 321 } 322 323 #define SECONDS 1 324 #define MINUTES (SECONDS * 60) 325 #define HOURS (MINUTES * 60) 326 #define DAYS (HOURS * 24) 327 #define WEEKS (DAYS * 7) 328 329 /* 330 * Convert a time string into seconds; format is 331 * a sequence of: 332 * time[qualifier] 333 * 334 * Valid time qualifiers are: 335 * <none> seconds 336 * s|S seconds 337 * m|M minutes 338 * h|H hours 339 * d|D days 340 * w|W weeks 341 * 342 * Examples: 343 * 90m 90 minutes 344 * 1h30m 90 minutes 345 * 2d 2 days 346 * 1w 1 week 347 * 348 * Return -1 if time string is invalid. 349 */ 350 long 351 convtime(const char *s) 352 { 353 long total, secs, multiplier = 1; 354 const char *p; 355 char *endp; 356 357 errno = 0; 358 total = 0; 359 p = s; 360 361 if (p == NULL || *p == '\0') 362 return -1; 363 364 while (*p) { 365 secs = strtol(p, &endp, 10); 366 if (p == endp || 367 (errno == ERANGE && (secs == LONG_MIN || secs == LONG_MAX)) || 368 secs < 0) 369 return -1; 370 371 switch (*endp++) { 372 case '\0': 373 endp--; 374 break; 375 case 's': 376 case 'S': 377 break; 378 case 'm': 379 case 'M': 380 multiplier = MINUTES; 381 break; 382 case 'h': 383 case 'H': 384 multiplier = HOURS; 385 break; 386 case 'd': 387 case 'D': 388 multiplier = DAYS; 389 break; 390 case 'w': 391 case 'W': 392 multiplier = WEEKS; 393 break; 394 default: 395 return -1; 396 } 397 if (secs >= LONG_MAX / multiplier) 398 return -1; 399 secs *= multiplier; 400 if (total >= LONG_MAX - secs) 401 return -1; 402 total += secs; 403 if (total < 0) 404 return -1; 405 p = endp; 406 } 407 408 return total; 409 } 410 411 /* 412 * Returns a standardized host+port identifier string. 413 * Caller must free returned string. 414 */ 415 char * 416 put_host_port(const char *host, u_short port) 417 { 418 char *hoststr; 419 420 if (port == 0 || port == SSH_DEFAULT_PORT) 421 return(xstrdup(host)); 422 if (asprintf(&hoststr, "[%s]:%d", host, (int)port) < 0) 423 fatal("put_host_port: asprintf: %s", strerror(errno)); 424 debug3("put_host_port: %s", hoststr); 425 return hoststr; 426 } 427 428 /* 429 * Search for next delimiter between hostnames/addresses and ports. 430 * Argument may be modified (for termination). 431 * Returns *cp if parsing succeeds. 432 * *cp is set to the start of the next field, if one was found. 433 * The delimiter char, if present, is stored in delim. 434 * If this is the last field, *cp is set to NULL. 435 */ 436 static char * 437 hpdelim2(char **cp, char *delim) 438 { 439 char *s, *old; 440 441 if (cp == NULL || *cp == NULL) 442 return NULL; 443 444 old = s = *cp; 445 if (*s == '[') { 446 if ((s = strchr(s, ']')) == NULL) 447 return NULL; 448 else 449 s++; 450 } else if ((s = strpbrk(s, ":/")) == NULL) 451 s = *cp + strlen(*cp); /* skip to end (see first case below) */ 452 453 switch (*s) { 454 case '\0': 455 *cp = NULL; /* no more fields*/ 456 break; 457 458 case ':': 459 case '/': 460 if (delim != NULL) 461 *delim = *s; 462 *s = '\0'; /* terminate */ 463 *cp = s + 1; 464 break; 465 466 default: 467 return NULL; 468 } 469 470 return old; 471 } 472 473 char * 474 hpdelim(char **cp) 475 { 476 return hpdelim2(cp, NULL); 477 } 478 479 char * 480 cleanhostname(char *host) 481 { 482 if (*host == '[' && host[strlen(host) - 1] == ']') { 483 host[strlen(host) - 1] = '\0'; 484 return (host + 1); 485 } else 486 return host; 487 } 488 489 char * 490 colon(char *cp) 491 { 492 int flag = 0; 493 494 if (*cp == ':') /* Leading colon is part of file name. */ 495 return NULL; 496 if (*cp == '[') 497 flag = 1; 498 499 for (; *cp; ++cp) { 500 if (*cp == '@' && *(cp+1) == '[') 501 flag = 1; 502 if (*cp == ']' && *(cp+1) == ':' && flag) 503 return (cp+1); 504 if (*cp == ':' && !flag) 505 return (cp); 506 if (*cp == '/') 507 return NULL; 508 } 509 return NULL; 510 } 511 512 /* 513 * Parse a [user@]host:[path] string. 514 * Caller must free returned user, host and path. 515 * Any of the pointer return arguments may be NULL (useful for syntax checking). 516 * If user was not specified then *userp will be set to NULL. 517 * If host was not specified then *hostp will be set to NULL. 518 * If path was not specified then *pathp will be set to ".". 519 * Returns 0 on success, -1 on failure. 520 */ 521 int 522 parse_user_host_path(const char *s, char **userp, char **hostp, char **pathp) 523 { 524 char *user = NULL, *host = NULL, *path = NULL; 525 char *sdup, *tmp; 526 int ret = -1; 527 528 if (userp != NULL) 529 *userp = NULL; 530 if (hostp != NULL) 531 *hostp = NULL; 532 if (pathp != NULL) 533 *pathp = NULL; 534 535 sdup = xstrdup(s); 536 537 /* Check for remote syntax: [user@]host:[path] */ 538 if ((tmp = colon(sdup)) == NULL) 539 goto out; 540 541 /* Extract optional path */ 542 *tmp++ = '\0'; 543 if (*tmp == '\0') 544 tmp = "."; 545 path = xstrdup(tmp); 546 547 /* Extract optional user and mandatory host */ 548 tmp = strrchr(sdup, '@'); 549 if (tmp != NULL) { 550 *tmp++ = '\0'; 551 host = xstrdup(cleanhostname(tmp)); 552 if (*sdup != '\0') 553 user = xstrdup(sdup); 554 } else { 555 host = xstrdup(cleanhostname(sdup)); 556 user = NULL; 557 } 558 559 /* Success */ 560 if (userp != NULL) { 561 *userp = user; 562 user = NULL; 563 } 564 if (hostp != NULL) { 565 *hostp = host; 566 host = NULL; 567 } 568 if (pathp != NULL) { 569 *pathp = path; 570 path = NULL; 571 } 572 ret = 0; 573 out: 574 free(sdup); 575 free(user); 576 free(host); 577 free(path); 578 return ret; 579 } 580 581 /* 582 * Parse a [user@]host[:port] string. 583 * Caller must free returned user and host. 584 * Any of the pointer return arguments may be NULL (useful for syntax checking). 585 * If user was not specified then *userp will be set to NULL. 586 * If port was not specified then *portp will be -1. 587 * Returns 0 on success, -1 on failure. 588 */ 589 int 590 parse_user_host_port(const char *s, char **userp, char **hostp, int *portp) 591 { 592 char *sdup, *cp, *tmp; 593 char *user = NULL, *host = NULL; 594 int port = -1, ret = -1; 595 596 if (userp != NULL) 597 *userp = NULL; 598 if (hostp != NULL) 599 *hostp = NULL; 600 if (portp != NULL) 601 *portp = -1; 602 603 if ((sdup = tmp = strdup(s)) == NULL) 604 return -1; 605 /* Extract optional username */ 606 if ((cp = strrchr(tmp, '@')) != NULL) { 607 *cp = '\0'; 608 if (*tmp == '\0') 609 goto out; 610 if ((user = strdup(tmp)) == NULL) 611 goto out; 612 tmp = cp + 1; 613 } 614 /* Extract mandatory hostname */ 615 if ((cp = hpdelim(&tmp)) == NULL || *cp == '\0') 616 goto out; 617 host = xstrdup(cleanhostname(cp)); 618 /* Convert and verify optional port */ 619 if (tmp != NULL && *tmp != '\0') { 620 if ((port = a2port(tmp)) <= 0) 621 goto out; 622 } 623 /* Success */ 624 if (userp != NULL) { 625 *userp = user; 626 user = NULL; 627 } 628 if (hostp != NULL) { 629 *hostp = host; 630 host = NULL; 631 } 632 if (portp != NULL) 633 *portp = port; 634 ret = 0; 635 out: 636 free(sdup); 637 free(user); 638 free(host); 639 return ret; 640 } 641 642 /* 643 * Converts a two-byte hex string to decimal. 644 * Returns the decimal value or -1 for invalid input. 645 */ 646 static int 647 hexchar(const char *s) 648 { 649 unsigned char result[2]; 650 int i; 651 652 for (i = 0; i < 2; i++) { 653 if (s[i] >= '0' && s[i] <= '9') 654 result[i] = (unsigned char)(s[i] - '0'); 655 else if (s[i] >= 'a' && s[i] <= 'f') 656 result[i] = (unsigned char)(s[i] - 'a') + 10; 657 else if (s[i] >= 'A' && s[i] <= 'F') 658 result[i] = (unsigned char)(s[i] - 'A') + 10; 659 else 660 return -1; 661 } 662 return (result[0] << 4) | result[1]; 663 } 664 665 /* 666 * Decode an url-encoded string. 667 * Returns a newly allocated string on success or NULL on failure. 668 */ 669 static char * 670 urldecode(const char *src) 671 { 672 char *ret, *dst; 673 int ch; 674 675 ret = xmalloc(strlen(src) + 1); 676 for (dst = ret; *src != '\0'; src++) { 677 switch (*src) { 678 case '+': 679 *dst++ = ' '; 680 break; 681 case '%': 682 if (!isxdigit((unsigned char)src[1]) || 683 !isxdigit((unsigned char)src[2]) || 684 (ch = hexchar(src + 1)) == -1) { 685 free(ret); 686 return NULL; 687 } 688 *dst++ = ch; 689 src += 2; 690 break; 691 default: 692 *dst++ = *src; 693 break; 694 } 695 } 696 *dst = '\0'; 697 698 return ret; 699 } 700 701 /* 702 * Parse an (scp|ssh|sftp)://[user@]host[:port][/path] URI. 703 * See https://tools.ietf.org/html/draft-ietf-secsh-scp-sftp-ssh-uri-04 704 * Either user or path may be url-encoded (but not host or port). 705 * Caller must free returned user, host and path. 706 * Any of the pointer return arguments may be NULL (useful for syntax checking) 707 * but the scheme must always be specified. 708 * If user was not specified then *userp will be set to NULL. 709 * If port was not specified then *portp will be -1. 710 * If path was not specified then *pathp will be set to NULL. 711 * Returns 0 on success, 1 if non-uri/wrong scheme, -1 on error/invalid uri. 712 */ 713 int 714 parse_uri(const char *scheme, const char *uri, char **userp, char **hostp, 715 int *portp, char **pathp) 716 { 717 char *uridup, *cp, *tmp, ch; 718 char *user = NULL, *host = NULL, *path = NULL; 719 int port = -1, ret = -1; 720 size_t len; 721 722 len = strlen(scheme); 723 if (strncmp(uri, scheme, len) != 0 || strncmp(uri + len, "://", 3) != 0) 724 return 1; 725 uri += len + 3; 726 727 if (userp != NULL) 728 *userp = NULL; 729 if (hostp != NULL) 730 *hostp = NULL; 731 if (portp != NULL) 732 *portp = -1; 733 if (pathp != NULL) 734 *pathp = NULL; 735 736 uridup = tmp = xstrdup(uri); 737 738 /* Extract optional ssh-info (username + connection params) */ 739 if ((cp = strchr(tmp, '@')) != NULL) { 740 char *delim; 741 742 *cp = '\0'; 743 /* Extract username and connection params */ 744 if ((delim = strchr(tmp, ';')) != NULL) { 745 /* Just ignore connection params for now */ 746 *delim = '\0'; 747 } 748 if (*tmp == '\0') { 749 /* Empty username */ 750 goto out; 751 } 752 if ((user = urldecode(tmp)) == NULL) 753 goto out; 754 tmp = cp + 1; 755 } 756 757 /* Extract mandatory hostname */ 758 if ((cp = hpdelim2(&tmp, &ch)) == NULL || *cp == '\0') 759 goto out; 760 host = xstrdup(cleanhostname(cp)); 761 if (!valid_domain(host, 0, NULL)) 762 goto out; 763 764 if (tmp != NULL && *tmp != '\0') { 765 if (ch == ':') { 766 /* Convert and verify port. */ 767 if ((cp = strchr(tmp, '/')) != NULL) 768 *cp = '\0'; 769 if ((port = a2port(tmp)) <= 0) 770 goto out; 771 tmp = cp ? cp + 1 : NULL; 772 } 773 if (tmp != NULL && *tmp != '\0') { 774 /* Extract optional path */ 775 if ((path = urldecode(tmp)) == NULL) 776 goto out; 777 } 778 } 779 780 /* Success */ 781 if (userp != NULL) { 782 *userp = user; 783 user = NULL; 784 } 785 if (hostp != NULL) { 786 *hostp = host; 787 host = NULL; 788 } 789 if (portp != NULL) 790 *portp = port; 791 if (pathp != NULL) { 792 *pathp = path; 793 path = NULL; 794 } 795 ret = 0; 796 out: 797 free(uridup); 798 free(user); 799 free(host); 800 free(path); 801 return ret; 802 } 803 804 /* function to assist building execv() arguments */ 805 void 806 addargs(arglist *args, char *fmt, ...) 807 { 808 va_list ap; 809 char *cp; 810 u_int nalloc; 811 int r; 812 813 va_start(ap, fmt); 814 r = vasprintf(&cp, fmt, ap); 815 va_end(ap); 816 if (r == -1) 817 fatal("addargs: argument too long"); 818 819 nalloc = args->nalloc; 820 if (args->list == NULL) { 821 nalloc = 32; 822 args->num = 0; 823 } else if (args->num+2 >= nalloc) 824 nalloc *= 2; 825 826 args->list = xrecallocarray(args->list, args->nalloc, nalloc, sizeof(char *)); 827 args->nalloc = nalloc; 828 args->list[args->num++] = cp; 829 args->list[args->num] = NULL; 830 } 831 832 void 833 replacearg(arglist *args, u_int which, char *fmt, ...) 834 { 835 va_list ap; 836 char *cp; 837 int r; 838 839 va_start(ap, fmt); 840 r = vasprintf(&cp, fmt, ap); 841 va_end(ap); 842 if (r == -1) 843 fatal("replacearg: argument too long"); 844 845 if (which >= args->num) 846 fatal("replacearg: tried to replace invalid arg %d >= %d", 847 which, args->num); 848 free(args->list[which]); 849 args->list[which] = cp; 850 } 851 852 void 853 freeargs(arglist *args) 854 { 855 u_int i; 856 857 if (args->list != NULL) { 858 for (i = 0; i < args->num; i++) 859 free(args->list[i]); 860 free(args->list); 861 args->nalloc = args->num = 0; 862 args->list = NULL; 863 } 864 } 865 866 /* 867 * Expands tildes in the file name. Returns data allocated by xmalloc. 868 * Warning: this calls getpw*. 869 */ 870 char * 871 tilde_expand_filename(const char *filename, uid_t uid) 872 { 873 const char *path, *sep; 874 char user[128], *ret; 875 struct passwd *pw; 876 u_int len, slash; 877 878 if (*filename != '~') 879 return (xstrdup(filename)); 880 filename++; 881 882 path = strchr(filename, '/'); 883 if (path != NULL && path > filename) { /* ~user/path */ 884 slash = path - filename; 885 if (slash > sizeof(user) - 1) 886 fatal("tilde_expand_filename: ~username too long"); 887 memcpy(user, filename, slash); 888 user[slash] = '\0'; 889 if ((pw = getpwnam(user)) == NULL) 890 fatal("tilde_expand_filename: No such user %s", user); 891 } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */ 892 fatal("tilde_expand_filename: No such uid %ld", (long)uid); 893 894 /* Make sure directory has a trailing '/' */ 895 len = strlen(pw->pw_dir); 896 if (len == 0 || pw->pw_dir[len - 1] != '/') 897 sep = "/"; 898 else 899 sep = ""; 900 901 /* Skip leading '/' from specified path */ 902 if (path != NULL) 903 filename = path + 1; 904 905 if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= PATH_MAX) 906 fatal("tilde_expand_filename: Path too long"); 907 908 return (ret); 909 } 910 911 /* 912 * Expand a string with a set of %[char] escapes. A number of escapes may be 913 * specified as (char *escape_chars, char *replacement) pairs. The list must 914 * be terminated by a NULL escape_char. Returns replaced string in memory 915 * allocated by xmalloc. 916 */ 917 char * 918 percent_expand(const char *string, ...) 919 { 920 #define EXPAND_MAX_KEYS 16 921 u_int num_keys, i, j; 922 struct { 923 const char *key; 924 const char *repl; 925 } keys[EXPAND_MAX_KEYS]; 926 char buf[4096]; 927 va_list ap; 928 929 /* Gather keys */ 930 va_start(ap, string); 931 for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) { 932 keys[num_keys].key = va_arg(ap, char *); 933 if (keys[num_keys].key == NULL) 934 break; 935 keys[num_keys].repl = va_arg(ap, char *); 936 if (keys[num_keys].repl == NULL) 937 fatal("%s: NULL replacement", __func__); 938 } 939 if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL) 940 fatal("%s: too many keys", __func__); 941 va_end(ap); 942 943 /* Expand string */ 944 *buf = '\0'; 945 for (i = 0; *string != '\0'; string++) { 946 if (*string != '%') { 947 append: 948 buf[i++] = *string; 949 if (i >= sizeof(buf)) 950 fatal("%s: string too long", __func__); 951 buf[i] = '\0'; 952 continue; 953 } 954 string++; 955 /* %% case */ 956 if (*string == '%') 957 goto append; 958 if (*string == '\0') 959 fatal("%s: invalid format", __func__); 960 for (j = 0; j < num_keys; j++) { 961 if (strchr(keys[j].key, *string) != NULL) { 962 i = strlcat(buf, keys[j].repl, sizeof(buf)); 963 if (i >= sizeof(buf)) 964 fatal("%s: string too long", __func__); 965 break; 966 } 967 } 968 if (j >= num_keys) 969 fatal("%s: unknown key %%%c", __func__, *string); 970 } 971 return (xstrdup(buf)); 972 #undef EXPAND_MAX_KEYS 973 } 974 975 /* 976 * Read an entire line from a public key file into a static buffer, discarding 977 * lines that exceed the buffer size. Returns 0 on success, -1 on failure. 978 */ 979 int 980 read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz, 981 u_long *lineno) 982 { 983 while (fgets(buf, bufsz, f) != NULL) { 984 if (buf[0] == '\0') 985 continue; 986 (*lineno)++; 987 if (buf[strlen(buf) - 1] == '\n' || feof(f)) { 988 return 0; 989 } else { 990 debug("%s: %s line %lu exceeds size limit", __func__, 991 filename, *lineno); 992 /* discard remainder of line */ 993 while (fgetc(f) != '\n' && !feof(f)) 994 ; /* nothing */ 995 } 996 } 997 return -1; 998 } 999 1000 int 1001 tun_open(int tun, int mode, char **ifname) 1002 { 1003 struct ifreq ifr; 1004 char name[100]; 1005 int fd = -1, sock; 1006 const char *tunbase = "tun"; 1007 1008 if (ifname != NULL) 1009 *ifname = NULL; 1010 1011 if (mode == SSH_TUNMODE_ETHERNET) 1012 tunbase = "tap"; 1013 1014 /* Open the tunnel device */ 1015 if (tun <= SSH_TUNID_MAX) { 1016 snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun); 1017 fd = open(name, O_RDWR); 1018 } else if (tun == SSH_TUNID_ANY) { 1019 for (tun = 100; tun >= 0; tun--) { 1020 snprintf(name, sizeof(name), "/dev/%s%d", 1021 tunbase, tun); 1022 if ((fd = open(name, O_RDWR)) >= 0) 1023 break; 1024 } 1025 } else { 1026 debug("%s: invalid tunnel %u", __func__, tun); 1027 return -1; 1028 } 1029 1030 if (fd < 0) { 1031 debug("%s: %s open: %s", __func__, name, strerror(errno)); 1032 return -1; 1033 } 1034 1035 debug("%s: %s mode %d fd %d", __func__, name, mode, fd); 1036 1037 /* Bring interface up if it is not already */ 1038 snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun); 1039 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) 1040 goto failed; 1041 1042 if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) { 1043 debug("%s: get interface %s flags: %s", __func__, 1044 ifr.ifr_name, strerror(errno)); 1045 goto failed; 1046 } 1047 1048 if (!(ifr.ifr_flags & IFF_UP)) { 1049 ifr.ifr_flags |= IFF_UP; 1050 if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) { 1051 debug("%s: activate interface %s: %s", __func__, 1052 ifr.ifr_name, strerror(errno)); 1053 goto failed; 1054 } 1055 } 1056 1057 if (ifname != NULL) 1058 *ifname = xstrdup(ifr.ifr_name); 1059 1060 close(sock); 1061 return fd; 1062 1063 failed: 1064 if (fd >= 0) 1065 close(fd); 1066 if (sock >= 0) 1067 close(sock); 1068 return -1; 1069 } 1070 1071 void 1072 sanitise_stdfd(void) 1073 { 1074 int nullfd, dupfd; 1075 1076 if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) { 1077 fprintf(stderr, "Couldn't open /dev/null: %s\n", 1078 strerror(errno)); 1079 exit(1); 1080 } 1081 while (++dupfd <= STDERR_FILENO) { 1082 /* Only populate closed fds. */ 1083 if (fcntl(dupfd, F_GETFL) == -1 && errno == EBADF) { 1084 if (dup2(nullfd, dupfd) == -1) { 1085 fprintf(stderr, "dup2: %s\n", strerror(errno)); 1086 exit(1); 1087 } 1088 } 1089 } 1090 if (nullfd > STDERR_FILENO) 1091 close(nullfd); 1092 } 1093 1094 char * 1095 tohex(const void *vp, size_t l) 1096 { 1097 const u_char *p = (const u_char *)vp; 1098 char b[3], *r; 1099 size_t i, hl; 1100 1101 if (l > 65536) 1102 return xstrdup("tohex: length > 65536"); 1103 1104 hl = l * 2 + 1; 1105 r = xcalloc(1, hl); 1106 for (i = 0; i < l; i++) { 1107 snprintf(b, sizeof(b), "%02x", p[i]); 1108 strlcat(r, b, hl); 1109 } 1110 return (r); 1111 } 1112 1113 u_int64_t 1114 get_u64(const void *vp) 1115 { 1116 const u_char *p = (const u_char *)vp; 1117 u_int64_t v; 1118 1119 v = (u_int64_t)p[0] << 56; 1120 v |= (u_int64_t)p[1] << 48; 1121 v |= (u_int64_t)p[2] << 40; 1122 v |= (u_int64_t)p[3] << 32; 1123 v |= (u_int64_t)p[4] << 24; 1124 v |= (u_int64_t)p[5] << 16; 1125 v |= (u_int64_t)p[6] << 8; 1126 v |= (u_int64_t)p[7]; 1127 1128 return (v); 1129 } 1130 1131 u_int32_t 1132 get_u32(const void *vp) 1133 { 1134 const u_char *p = (const u_char *)vp; 1135 u_int32_t v; 1136 1137 v = (u_int32_t)p[0] << 24; 1138 v |= (u_int32_t)p[1] << 16; 1139 v |= (u_int32_t)p[2] << 8; 1140 v |= (u_int32_t)p[3]; 1141 1142 return (v); 1143 } 1144 1145 u_int32_t 1146 get_u32_le(const void *vp) 1147 { 1148 const u_char *p = (const u_char *)vp; 1149 u_int32_t v; 1150 1151 v = (u_int32_t)p[0]; 1152 v |= (u_int32_t)p[1] << 8; 1153 v |= (u_int32_t)p[2] << 16; 1154 v |= (u_int32_t)p[3] << 24; 1155 1156 return (v); 1157 } 1158 1159 u_int16_t 1160 get_u16(const void *vp) 1161 { 1162 const u_char *p = (const u_char *)vp; 1163 u_int16_t v; 1164 1165 v = (u_int16_t)p[0] << 8; 1166 v |= (u_int16_t)p[1]; 1167 1168 return (v); 1169 } 1170 1171 void 1172 put_u64(void *vp, u_int64_t v) 1173 { 1174 u_char *p = (u_char *)vp; 1175 1176 p[0] = (u_char)(v >> 56) & 0xff; 1177 p[1] = (u_char)(v >> 48) & 0xff; 1178 p[2] = (u_char)(v >> 40) & 0xff; 1179 p[3] = (u_char)(v >> 32) & 0xff; 1180 p[4] = (u_char)(v >> 24) & 0xff; 1181 p[5] = (u_char)(v >> 16) & 0xff; 1182 p[6] = (u_char)(v >> 8) & 0xff; 1183 p[7] = (u_char)v & 0xff; 1184 } 1185 1186 void 1187 put_u32(void *vp, u_int32_t v) 1188 { 1189 u_char *p = (u_char *)vp; 1190 1191 p[0] = (u_char)(v >> 24) & 0xff; 1192 p[1] = (u_char)(v >> 16) & 0xff; 1193 p[2] = (u_char)(v >> 8) & 0xff; 1194 p[3] = (u_char)v & 0xff; 1195 } 1196 1197 void 1198 put_u32_le(void *vp, u_int32_t v) 1199 { 1200 u_char *p = (u_char *)vp; 1201 1202 p[0] = (u_char)v & 0xff; 1203 p[1] = (u_char)(v >> 8) & 0xff; 1204 p[2] = (u_char)(v >> 16) & 0xff; 1205 p[3] = (u_char)(v >> 24) & 0xff; 1206 } 1207 1208 void 1209 put_u16(void *vp, u_int16_t v) 1210 { 1211 u_char *p = (u_char *)vp; 1212 1213 p[0] = (u_char)(v >> 8) & 0xff; 1214 p[1] = (u_char)v & 0xff; 1215 } 1216 1217 void 1218 ms_subtract_diff(struct timeval *start, int *ms) 1219 { 1220 struct timeval diff, finish; 1221 1222 gettimeofday(&finish, NULL); 1223 timersub(&finish, start, &diff); 1224 *ms -= (diff.tv_sec * 1000) + (diff.tv_usec / 1000); 1225 } 1226 1227 void 1228 ms_to_timeval(struct timeval *tv, int ms) 1229 { 1230 if (ms < 0) 1231 ms = 0; 1232 tv->tv_sec = ms / 1000; 1233 tv->tv_usec = (ms % 1000) * 1000; 1234 } 1235 1236 time_t 1237 monotime(void) 1238 { 1239 struct timespec ts; 1240 1241 if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) 1242 fatal("clock_gettime: %s", strerror(errno)); 1243 1244 return (ts.tv_sec); 1245 } 1246 1247 double 1248 monotime_double(void) 1249 { 1250 struct timespec ts; 1251 1252 if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0) 1253 fatal("clock_gettime: %s", strerror(errno)); 1254 1255 return (ts.tv_sec + (double)ts.tv_nsec / 1000000000); 1256 } 1257 1258 void 1259 bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen) 1260 { 1261 bw->buflen = buflen; 1262 bw->rate = kbps; 1263 bw->thresh = bw->rate; 1264 bw->lamt = 0; 1265 timerclear(&bw->bwstart); 1266 timerclear(&bw->bwend); 1267 } 1268 1269 /* Callback from read/write loop to insert bandwidth-limiting delays */ 1270 void 1271 bandwidth_limit(struct bwlimit *bw, size_t read_len) 1272 { 1273 u_int64_t waitlen; 1274 struct timespec ts, rm; 1275 1276 if (!timerisset(&bw->bwstart)) { 1277 gettimeofday(&bw->bwstart, NULL); 1278 return; 1279 } 1280 1281 bw->lamt += read_len; 1282 if (bw->lamt < bw->thresh) 1283 return; 1284 1285 gettimeofday(&bw->bwend, NULL); 1286 timersub(&bw->bwend, &bw->bwstart, &bw->bwend); 1287 if (!timerisset(&bw->bwend)) 1288 return; 1289 1290 bw->lamt *= 8; 1291 waitlen = (double)1000000L * bw->lamt / bw->rate; 1292 1293 bw->bwstart.tv_sec = waitlen / 1000000L; 1294 bw->bwstart.tv_usec = waitlen % 1000000L; 1295 1296 if (timercmp(&bw->bwstart, &bw->bwend, >)) { 1297 timersub(&bw->bwstart, &bw->bwend, &bw->bwend); 1298 1299 /* Adjust the wait time */ 1300 if (bw->bwend.tv_sec) { 1301 bw->thresh /= 2; 1302 if (bw->thresh < bw->buflen / 4) 1303 bw->thresh = bw->buflen / 4; 1304 } else if (bw->bwend.tv_usec < 10000) { 1305 bw->thresh *= 2; 1306 if (bw->thresh > bw->buflen * 8) 1307 bw->thresh = bw->buflen * 8; 1308 } 1309 1310 TIMEVAL_TO_TIMESPEC(&bw->bwend, &ts); 1311 while (nanosleep(&ts, &rm) == -1) { 1312 if (errno != EINTR) 1313 break; 1314 ts = rm; 1315 } 1316 } 1317 1318 bw->lamt = 0; 1319 gettimeofday(&bw->bwstart, NULL); 1320 } 1321 1322 /* Make a template filename for mk[sd]temp() */ 1323 void 1324 mktemp_proto(char *s, size_t len) 1325 { 1326 const char *tmpdir; 1327 int r; 1328 1329 if ((tmpdir = getenv("TMPDIR")) != NULL) { 1330 r = snprintf(s, len, "%s/ssh-XXXXXXXXXXXX", tmpdir); 1331 if (r > 0 && (size_t)r < len) 1332 return; 1333 } 1334 r = snprintf(s, len, "/tmp/ssh-XXXXXXXXXXXX"); 1335 if (r < 0 || (size_t)r >= len) 1336 fatal("%s: template string too short", __func__); 1337 } 1338 1339 static const struct { 1340 const char *name; 1341 int value; 1342 } ipqos[] = { 1343 { "none", INT_MAX }, /* can't use 0 here; that's CS0 */ 1344 { "af11", IPTOS_DSCP_AF11 }, 1345 { "af12", IPTOS_DSCP_AF12 }, 1346 { "af13", IPTOS_DSCP_AF13 }, 1347 { "af21", IPTOS_DSCP_AF21 }, 1348 { "af22", IPTOS_DSCP_AF22 }, 1349 { "af23", IPTOS_DSCP_AF23 }, 1350 { "af31", IPTOS_DSCP_AF31 }, 1351 { "af32", IPTOS_DSCP_AF32 }, 1352 { "af33", IPTOS_DSCP_AF33 }, 1353 { "af41", IPTOS_DSCP_AF41 }, 1354 { "af42", IPTOS_DSCP_AF42 }, 1355 { "af43", IPTOS_DSCP_AF43 }, 1356 { "cs0", IPTOS_DSCP_CS0 }, 1357 { "cs1", IPTOS_DSCP_CS1 }, 1358 { "cs2", IPTOS_DSCP_CS2 }, 1359 { "cs3", IPTOS_DSCP_CS3 }, 1360 { "cs4", IPTOS_DSCP_CS4 }, 1361 { "cs5", IPTOS_DSCP_CS5 }, 1362 { "cs6", IPTOS_DSCP_CS6 }, 1363 { "cs7", IPTOS_DSCP_CS7 }, 1364 { "ef", IPTOS_DSCP_EF }, 1365 { "lowdelay", IPTOS_LOWDELAY }, 1366 { "throughput", IPTOS_THROUGHPUT }, 1367 { "reliability", IPTOS_RELIABILITY }, 1368 { NULL, -1 } 1369 }; 1370 1371 int 1372 parse_ipqos(const char *cp) 1373 { 1374 u_int i; 1375 char *ep; 1376 long val; 1377 1378 if (cp == NULL) 1379 return -1; 1380 for (i = 0; ipqos[i].name != NULL; i++) { 1381 if (strcasecmp(cp, ipqos[i].name) == 0) 1382 return ipqos[i].value; 1383 } 1384 /* Try parsing as an integer */ 1385 val = strtol(cp, &ep, 0); 1386 if (*cp == '\0' || *ep != '\0' || val < 0 || val > 255) 1387 return -1; 1388 return val; 1389 } 1390 1391 const char * 1392 iptos2str(int iptos) 1393 { 1394 int i; 1395 static char iptos_str[sizeof "0xff"]; 1396 1397 for (i = 0; ipqos[i].name != NULL; i++) { 1398 if (ipqos[i].value == iptos) 1399 return ipqos[i].name; 1400 } 1401 snprintf(iptos_str, sizeof iptos_str, "0x%02x", iptos); 1402 return iptos_str; 1403 } 1404 1405 void 1406 lowercase(char *s) 1407 { 1408 for (; *s; s++) 1409 *s = tolower((u_char)*s); 1410 } 1411 1412 int 1413 unix_listener(const char *path, int backlog, int unlink_first) 1414 { 1415 struct sockaddr_un sunaddr; 1416 int saved_errno, sock; 1417 1418 memset(&sunaddr, 0, sizeof(sunaddr)); 1419 sunaddr.sun_family = AF_UNIX; 1420 if (strlcpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) { 1421 error("%s: \"%s\" too long for Unix domain socket", __func__, 1422 path); 1423 errno = ENAMETOOLONG; 1424 return -1; 1425 } 1426 1427 sock = socket(PF_UNIX, SOCK_STREAM, 0); 1428 if (sock < 0) { 1429 saved_errno = errno; 1430 error("socket: %.100s", strerror(errno)); 1431 errno = saved_errno; 1432 return -1; 1433 } 1434 if (unlink_first == 1) { 1435 if (unlink(path) != 0 && errno != ENOENT) 1436 error("unlink(%s): %.100s", path, strerror(errno)); 1437 } 1438 if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) { 1439 saved_errno = errno; 1440 error("bind: %.100s", strerror(errno)); 1441 close(sock); 1442 error("%s: cannot bind to path: %s", __func__, path); 1443 errno = saved_errno; 1444 return -1; 1445 } 1446 if (listen(sock, backlog) < 0) { 1447 saved_errno = errno; 1448 error("listen: %.100s", strerror(errno)); 1449 close(sock); 1450 unlink(path); 1451 error("%s: cannot listen on path: %s", __func__, path); 1452 errno = saved_errno; 1453 return -1; 1454 } 1455 return sock; 1456 } 1457 1458 /* 1459 * Compares two strings that maybe be NULL. Returns non-zero if strings 1460 * are both NULL or are identical, returns zero otherwise. 1461 */ 1462 static int 1463 strcmp_maybe_null(const char *a, const char *b) 1464 { 1465 if ((a == NULL && b != NULL) || (a != NULL && b == NULL)) 1466 return 0; 1467 if (a != NULL && strcmp(a, b) != 0) 1468 return 0; 1469 return 1; 1470 } 1471 1472 /* 1473 * Compare two forwards, returning non-zero if they are identical or 1474 * zero otherwise. 1475 */ 1476 int 1477 forward_equals(const struct Forward *a, const struct Forward *b) 1478 { 1479 if (strcmp_maybe_null(a->listen_host, b->listen_host) == 0) 1480 return 0; 1481 if (a->listen_port != b->listen_port) 1482 return 0; 1483 if (strcmp_maybe_null(a->listen_path, b->listen_path) == 0) 1484 return 0; 1485 if (strcmp_maybe_null(a->connect_host, b->connect_host) == 0) 1486 return 0; 1487 if (a->connect_port != b->connect_port) 1488 return 0; 1489 if (strcmp_maybe_null(a->connect_path, b->connect_path) == 0) 1490 return 0; 1491 /* allocated_port and handle are not checked */ 1492 return 1; 1493 } 1494 1495 /* returns 1 if bind to specified port by specified user is permitted */ 1496 int 1497 bind_permitted(int port, uid_t uid) 1498 { 1499 if (port < IPPORT_RESERVED && uid != 0) 1500 return 0; 1501 return 1; 1502 } 1503 1504 /* returns 1 if process is already daemonized, 0 otherwise */ 1505 int 1506 daemonized(void) 1507 { 1508 int fd; 1509 1510 if ((fd = open(_PATH_TTY, O_RDONLY | O_NOCTTY)) >= 0) { 1511 close(fd); 1512 return 0; /* have controlling terminal */ 1513 } 1514 if (getppid() != 1) 1515 return 0; /* parent is not init */ 1516 if (getsid(0) != getpid()) 1517 return 0; /* not session leader */ 1518 debug3("already daemonized"); 1519 return 1; 1520 } 1521 1522 1523 /* 1524 * Splits 's' into an argument vector. Handles quoted string and basic 1525 * escape characters (\\, \", \'). Caller must free the argument vector 1526 * and its members. 1527 */ 1528 int 1529 argv_split(const char *s, int *argcp, char ***argvp) 1530 { 1531 int r = SSH_ERR_INTERNAL_ERROR; 1532 int argc = 0, quote, i, j; 1533 char *arg, **argv = xcalloc(1, sizeof(*argv)); 1534 1535 *argvp = NULL; 1536 *argcp = 0; 1537 1538 for (i = 0; s[i] != '\0'; i++) { 1539 /* Skip leading whitespace */ 1540 if (s[i] == ' ' || s[i] == '\t') 1541 continue; 1542 1543 /* Start of a token */ 1544 quote = 0; 1545 if (s[i] == '\\' && 1546 (s[i + 1] == '\'' || s[i + 1] == '\"' || s[i + 1] == '\\')) 1547 i++; 1548 else if (s[i] == '\'' || s[i] == '"') 1549 quote = s[i++]; 1550 1551 argv = xreallocarray(argv, (argc + 2), sizeof(*argv)); 1552 arg = argv[argc++] = xcalloc(1, strlen(s + i) + 1); 1553 argv[argc] = NULL; 1554 1555 /* Copy the token in, removing escapes */ 1556 for (j = 0; s[i] != '\0'; i++) { 1557 if (s[i] == '\\') { 1558 if (s[i + 1] == '\'' || 1559 s[i + 1] == '\"' || 1560 s[i + 1] == '\\') { 1561 i++; /* Skip '\' */ 1562 arg[j++] = s[i]; 1563 } else { 1564 /* Unrecognised escape */ 1565 arg[j++] = s[i]; 1566 } 1567 } else if (quote == 0 && (s[i] == ' ' || s[i] == '\t')) 1568 break; /* done */ 1569 else if (quote != 0 && s[i] == quote) 1570 break; /* done */ 1571 else 1572 arg[j++] = s[i]; 1573 } 1574 if (s[i] == '\0') { 1575 if (quote != 0) { 1576 /* Ran out of string looking for close quote */ 1577 r = SSH_ERR_INVALID_FORMAT; 1578 goto out; 1579 } 1580 break; 1581 } 1582 } 1583 /* Success */ 1584 *argcp = argc; 1585 *argvp = argv; 1586 argc = 0; 1587 argv = NULL; 1588 r = 0; 1589 out: 1590 if (argc != 0 && argv != NULL) { 1591 for (i = 0; i < argc; i++) 1592 free(argv[i]); 1593 free(argv); 1594 } 1595 return r; 1596 } 1597 1598 /* 1599 * Reassemble an argument vector into a string, quoting and escaping as 1600 * necessary. Caller must free returned string. 1601 */ 1602 char * 1603 argv_assemble(int argc, char **argv) 1604 { 1605 int i, j, ws, r; 1606 char c, *ret; 1607 struct sshbuf *buf, *arg; 1608 1609 if ((buf = sshbuf_new()) == NULL || (arg = sshbuf_new()) == NULL) 1610 fatal("%s: sshbuf_new failed", __func__); 1611 1612 for (i = 0; i < argc; i++) { 1613 ws = 0; 1614 sshbuf_reset(arg); 1615 for (j = 0; argv[i][j] != '\0'; j++) { 1616 r = 0; 1617 c = argv[i][j]; 1618 switch (c) { 1619 case ' ': 1620 case '\t': 1621 ws = 1; 1622 r = sshbuf_put_u8(arg, c); 1623 break; 1624 case '\\': 1625 case '\'': 1626 case '"': 1627 if ((r = sshbuf_put_u8(arg, '\\')) != 0) 1628 break; 1629 /* FALLTHROUGH */ 1630 default: 1631 r = sshbuf_put_u8(arg, c); 1632 break; 1633 } 1634 if (r != 0) 1635 fatal("%s: sshbuf_put_u8: %s", 1636 __func__, ssh_err(r)); 1637 } 1638 if ((i != 0 && (r = sshbuf_put_u8(buf, ' ')) != 0) || 1639 (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0) || 1640 (r = sshbuf_putb(buf, arg)) != 0 || 1641 (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0)) 1642 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1643 } 1644 if ((ret = malloc(sshbuf_len(buf) + 1)) == NULL) 1645 fatal("%s: malloc failed", __func__); 1646 memcpy(ret, sshbuf_ptr(buf), sshbuf_len(buf)); 1647 ret[sshbuf_len(buf)] = '\0'; 1648 sshbuf_free(buf); 1649 sshbuf_free(arg); 1650 return ret; 1651 } 1652 1653 /* 1654 * Runs command in a subprocess wuth a minimal environment. 1655 * Returns pid on success, 0 on failure. 1656 * The child stdout and stderr maybe captured, left attached or sent to 1657 * /dev/null depending on the contents of flags. 1658 * "tag" is prepended to log messages. 1659 * NB. "command" is only used for logging; the actual command executed is 1660 * av[0]. 1661 */ 1662 pid_t 1663 subprocess(const char *tag, struct passwd *pw, const char *command, 1664 int ac, char **av, FILE **child, u_int flags) 1665 { 1666 FILE *f = NULL; 1667 struct stat st; 1668 int fd, devnull, p[2], i; 1669 pid_t pid; 1670 char *cp, errmsg[512]; 1671 u_int envsize; 1672 char **child_env; 1673 1674 if (child != NULL) 1675 *child = NULL; 1676 1677 debug3("%s: %s command \"%s\" running as %s (flags 0x%x)", __func__, 1678 tag, command, pw->pw_name, flags); 1679 1680 /* Check consistency */ 1681 if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && 1682 (flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) { 1683 error("%s: inconsistent flags", __func__); 1684 return 0; 1685 } 1686 if (((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) != (child == NULL)) { 1687 error("%s: inconsistent flags/output", __func__); 1688 return 0; 1689 } 1690 1691 /* 1692 * If executing an explicit binary, then verify the it exists 1693 * and appears safe-ish to execute 1694 */ 1695 if (*av[0] != '/') { 1696 error("%s path is not absolute", tag); 1697 return 0; 1698 } 1699 temporarily_use_uid(pw); 1700 if (stat(av[0], &st) < 0) { 1701 error("Could not stat %s \"%s\": %s", tag, 1702 av[0], strerror(errno)); 1703 restore_uid(); 1704 return 0; 1705 } 1706 if (safe_path(av[0], &st, NULL, 0, errmsg, sizeof(errmsg)) != 0) { 1707 error("Unsafe %s \"%s\": %s", tag, av[0], errmsg); 1708 restore_uid(); 1709 return 0; 1710 } 1711 /* Prepare to keep the child's stdout if requested */ 1712 if (pipe(p) != 0) { 1713 error("%s: pipe: %s", tag, strerror(errno)); 1714 restore_uid(); 1715 return 0; 1716 } 1717 restore_uid(); 1718 1719 switch ((pid = fork())) { 1720 case -1: /* error */ 1721 error("%s: fork: %s", tag, strerror(errno)); 1722 close(p[0]); 1723 close(p[1]); 1724 return 0; 1725 case 0: /* child */ 1726 /* Prepare a minimal environment for the child. */ 1727 envsize = 5; 1728 child_env = xcalloc(sizeof(*child_env), envsize); 1729 child_set_env(&child_env, &envsize, "PATH", _PATH_STDPATH); 1730 child_set_env(&child_env, &envsize, "USER", pw->pw_name); 1731 child_set_env(&child_env, &envsize, "LOGNAME", pw->pw_name); 1732 child_set_env(&child_env, &envsize, "HOME", pw->pw_dir); 1733 if ((cp = getenv("LANG")) != NULL) 1734 child_set_env(&child_env, &envsize, "LANG", cp); 1735 1736 for (i = 0; i < NSIG; i++) 1737 signal(i, SIG_DFL); 1738 1739 if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1) { 1740 error("%s: open %s: %s", tag, _PATH_DEVNULL, 1741 strerror(errno)); 1742 _exit(1); 1743 } 1744 if (dup2(devnull, STDIN_FILENO) == -1) { 1745 error("%s: dup2: %s", tag, strerror(errno)); 1746 _exit(1); 1747 } 1748 1749 /* Set up stdout as requested; leave stderr in place for now. */ 1750 fd = -1; 1751 if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) != 0) 1752 fd = p[1]; 1753 else if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0) 1754 fd = devnull; 1755 if (fd != -1 && dup2(fd, STDOUT_FILENO) == -1) { 1756 error("%s: dup2: %s", tag, strerror(errno)); 1757 _exit(1); 1758 } 1759 closefrom(STDERR_FILENO + 1); 1760 1761 /* Don't use permanently_set_uid() here to avoid fatal() */ 1762 if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0) { 1763 error("%s: setresgid %u: %s", tag, (u_int)pw->pw_gid, 1764 strerror(errno)); 1765 _exit(1); 1766 } 1767 if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) != 0) { 1768 error("%s: setresuid %u: %s", tag, (u_int)pw->pw_uid, 1769 strerror(errno)); 1770 _exit(1); 1771 } 1772 /* stdin is pointed to /dev/null at this point */ 1773 if ((flags & SSH_SUBPROCESS_STDOUT_DISCARD) != 0 && 1774 dup2(STDIN_FILENO, STDERR_FILENO) == -1) { 1775 error("%s: dup2: %s", tag, strerror(errno)); 1776 _exit(1); 1777 } 1778 1779 execve(av[0], av, child_env); 1780 error("%s exec \"%s\": %s", tag, command, strerror(errno)); 1781 _exit(127); 1782 default: /* parent */ 1783 break; 1784 } 1785 1786 close(p[1]); 1787 if ((flags & SSH_SUBPROCESS_STDOUT_CAPTURE) == 0) 1788 close(p[0]); 1789 else if ((f = fdopen(p[0], "r")) == NULL) { 1790 error("%s: fdopen: %s", tag, strerror(errno)); 1791 close(p[0]); 1792 /* Don't leave zombie child */ 1793 kill(pid, SIGTERM); 1794 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR) 1795 ; 1796 return 0; 1797 } 1798 /* Success */ 1799 debug3("%s: %s pid %ld", __func__, tag, (long)pid); 1800 if (child != NULL) 1801 *child = f; 1802 return pid; 1803 } 1804 1805 /* Returns 0 if pid exited cleanly, non-zero otherwise */ 1806 int 1807 exited_cleanly(pid_t pid, const char *tag, const char *cmd, int quiet) 1808 { 1809 int status; 1810 1811 while (waitpid(pid, &status, 0) == -1) { 1812 if (errno != EINTR) { 1813 error("%s: waitpid: %s", tag, strerror(errno)); 1814 return -1; 1815 } 1816 } 1817 if (WIFSIGNALED(status)) { 1818 error("%s %s exited on signal %d", tag, cmd, WTERMSIG(status)); 1819 return -1; 1820 } else if (WEXITSTATUS(status) != 0) { 1821 do_log2(quiet ? SYSLOG_LEVEL_DEBUG1 : SYSLOG_LEVEL_INFO, 1822 "%s %s failed, status %d", tag, cmd, WEXITSTATUS(status)); 1823 return -1; 1824 } 1825 return 0; 1826 } 1827 1828 /* 1829 * Check a given path for security. This is defined as all components 1830 * of the path to the file must be owned by either the owner of 1831 * of the file or root and no directories must be group or world writable. 1832 * 1833 * XXX Should any specific check be done for sym links ? 1834 * 1835 * Takes a file name, its stat information (preferably from fstat() to 1836 * avoid races), the uid of the expected owner, their home directory and an 1837 * error buffer plus max size as arguments. 1838 * 1839 * Returns 0 on success and -1 on failure 1840 */ 1841 int 1842 safe_path(const char *name, struct stat *stp, const char *pw_dir, 1843 uid_t uid, char *err, size_t errlen) 1844 { 1845 char buf[PATH_MAX], homedir[PATH_MAX]; 1846 char *cp; 1847 int comparehome = 0; 1848 struct stat st; 1849 1850 if (realpath(name, buf) == NULL) { 1851 snprintf(err, errlen, "realpath %s failed: %s", name, 1852 strerror(errno)); 1853 return -1; 1854 } 1855 if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL) 1856 comparehome = 1; 1857 1858 if (!S_ISREG(stp->st_mode)) { 1859 snprintf(err, errlen, "%s is not a regular file", buf); 1860 return -1; 1861 } 1862 if ((stp->st_uid != 0 && stp->st_uid != uid) || 1863 (stp->st_mode & 022) != 0) { 1864 snprintf(err, errlen, "bad ownership or modes for file %s", 1865 buf); 1866 return -1; 1867 } 1868 1869 /* for each component of the canonical path, walking upwards */ 1870 for (;;) { 1871 if ((cp = dirname(buf)) == NULL) { 1872 snprintf(err, errlen, "dirname() failed"); 1873 return -1; 1874 } 1875 strlcpy(buf, cp, sizeof(buf)); 1876 1877 if (stat(buf, &st) < 0 || 1878 (st.st_uid != 0 && st.st_uid != uid) || 1879 (st.st_mode & 022) != 0) { 1880 snprintf(err, errlen, 1881 "bad ownership or modes for directory %s", buf); 1882 return -1; 1883 } 1884 1885 /* If are past the homedir then we can stop */ 1886 if (comparehome && strcmp(homedir, buf) == 0) 1887 break; 1888 1889 /* 1890 * dirname should always complete with a "/" path, 1891 * but we can be paranoid and check for "." too 1892 */ 1893 if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0)) 1894 break; 1895 } 1896 return 0; 1897 } 1898 1899 /* 1900 * Version of safe_path() that accepts an open file descriptor to 1901 * avoid races. 1902 * 1903 * Returns 0 on success and -1 on failure 1904 */ 1905 int 1906 safe_path_fd(int fd, const char *file, struct passwd *pw, 1907 char *err, size_t errlen) 1908 { 1909 struct stat st; 1910 1911 /* check the open file to avoid races */ 1912 if (fstat(fd, &st) < 0) { 1913 snprintf(err, errlen, "cannot stat file %s: %s", 1914 file, strerror(errno)); 1915 return -1; 1916 } 1917 return safe_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen); 1918 } 1919 1920 /* 1921 * Sets the value of the given variable in the environment. If the variable 1922 * already exists, its value is overridden. 1923 */ 1924 void 1925 child_set_env(char ***envp, u_int *envsizep, const char *name, 1926 const char *value) 1927 { 1928 char **env; 1929 u_int envsize; 1930 u_int i, namelen; 1931 1932 if (strchr(name, '=') != NULL) { 1933 error("Invalid environment variable \"%.100s\"", name); 1934 return; 1935 } 1936 1937 /* 1938 * Find the slot where the value should be stored. If the variable 1939 * already exists, we reuse the slot; otherwise we append a new slot 1940 * at the end of the array, expanding if necessary. 1941 */ 1942 env = *envp; 1943 namelen = strlen(name); 1944 for (i = 0; env[i]; i++) 1945 if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=') 1946 break; 1947 if (env[i]) { 1948 /* Reuse the slot. */ 1949 free(env[i]); 1950 } else { 1951 /* New variable. Expand if necessary. */ 1952 envsize = *envsizep; 1953 if (i >= envsize - 1) { 1954 if (envsize >= 1000) 1955 fatal("child_set_env: too many env vars"); 1956 envsize += 50; 1957 env = (*envp) = xreallocarray(env, envsize, sizeof(char *)); 1958 *envsizep = envsize; 1959 } 1960 /* Need to set the NULL pointer at end of array beyond the new slot. */ 1961 env[i + 1] = NULL; 1962 } 1963 1964 /* Allocate space and format the variable in the appropriate slot. */ 1965 env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1); 1966 snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value); 1967 } 1968 1969 /* 1970 * Check and optionally lowercase a domain name, also removes trailing '.' 1971 * Returns 1 on success and 0 on failure, storing an error message in errstr. 1972 */ 1973 int 1974 valid_domain(char *name, int makelower, const char **errstr) 1975 { 1976 size_t i, l = strlen(name); 1977 u_char c, last = '\0'; 1978 static char errbuf[256]; 1979 1980 if (l == 0) { 1981 strlcpy(errbuf, "empty domain name", sizeof(errbuf)); 1982 goto bad; 1983 } 1984 if (!isalpha((u_char)name[0]) && !isdigit((u_char)name[0])) { 1985 snprintf(errbuf, sizeof(errbuf), "domain name \"%.100s\" " 1986 "starts with invalid character", name); 1987 goto bad; 1988 } 1989 for (i = 0; i < l; i++) { 1990 c = tolower((u_char)name[i]); 1991 if (makelower) 1992 name[i] = (char)c; 1993 if (last == '.' && c == '.') { 1994 snprintf(errbuf, sizeof(errbuf), "domain name " 1995 "\"%.100s\" contains consecutive separators", name); 1996 goto bad; 1997 } 1998 if (c != '.' && c != '-' && !isalnum(c) && 1999 c != '_') /* technically invalid, but common */ { 2000 snprintf(errbuf, sizeof(errbuf), "domain name " 2001 "\"%.100s\" contains invalid characters", name); 2002 goto bad; 2003 } 2004 last = c; 2005 } 2006 if (name[l - 1] == '.') 2007 name[l - 1] = '\0'; 2008 if (errstr != NULL) 2009 *errstr = NULL; 2010 return 1; 2011 bad: 2012 if (errstr != NULL) 2013 *errstr = errbuf; 2014 return 0; 2015 } 2016