1 /* $OpenBSD: misc.c,v 1.134 2018/11/16 03:26:01 djm Exp $ */ 2 /* 3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * Copyright (c) 2005,2006 Damien Miller. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #include <sys/types.h> 28 #include <sys/ioctl.h> 29 #include <sys/socket.h> 30 #include <sys/stat.h> 31 #include <sys/time.h> 32 #include <sys/wait.h> 33 #include <sys/un.h> 34 35 #include <net/if.h> 36 #include <netinet/in.h> 37 #include <netinet/ip.h> 38 #include <netinet/tcp.h> 39 #include <arpa/inet.h> 40 41 #include <ctype.h> 42 #include <errno.h> 43 #include <fcntl.h> 44 #include <netdb.h> 45 #include <paths.h> 46 #include <pwd.h> 47 #include <libgen.h> 48 #include <limits.h> 49 #include <signal.h> 50 #include <stdarg.h> 51 #include <stdio.h> 52 #include <stdlib.h> 53 #include <string.h> 54 #include <unistd.h> 55 56 #include "xmalloc.h" 57 #include "misc.h" 58 #include "log.h" 59 #include "ssh.h" 60 #include "sshbuf.h" 61 #include "ssherr.h" 62 63 /* remove newline at end of string */ 64 char * 65 chop(char *s) 66 { 67 char *t = s; 68 while (*t) { 69 if (*t == '\n' || *t == '\r') { 70 *t = '\0'; 71 return s; 72 } 73 t++; 74 } 75 return s; 76 77 } 78 79 /* set/unset filedescriptor to non-blocking */ 80 int 81 set_nonblock(int fd) 82 { 83 int val; 84 85 val = fcntl(fd, F_GETFL); 86 if (val < 0) { 87 error("fcntl(%d, F_GETFL): %s", fd, strerror(errno)); 88 return (-1); 89 } 90 if (val & O_NONBLOCK) { 91 debug3("fd %d is O_NONBLOCK", fd); 92 return (0); 93 } 94 debug2("fd %d setting O_NONBLOCK", fd); 95 val |= O_NONBLOCK; 96 if (fcntl(fd, F_SETFL, val) == -1) { 97 debug("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd, 98 strerror(errno)); 99 return (-1); 100 } 101 return (0); 102 } 103 104 int 105 unset_nonblock(int fd) 106 { 107 int val; 108 109 val = fcntl(fd, F_GETFL); 110 if (val < 0) { 111 error("fcntl(%d, F_GETFL): %s", fd, strerror(errno)); 112 return (-1); 113 } 114 if (!(val & O_NONBLOCK)) { 115 debug3("fd %d is not O_NONBLOCK", fd); 116 return (0); 117 } 118 debug("fd %d clearing O_NONBLOCK", fd); 119 val &= ~O_NONBLOCK; 120 if (fcntl(fd, F_SETFL, val) == -1) { 121 debug("fcntl(%d, F_SETFL, ~O_NONBLOCK): %s", 122 fd, strerror(errno)); 123 return (-1); 124 } 125 return (0); 126 } 127 128 const char * 129 ssh_gai_strerror(int gaierr) 130 { 131 if (gaierr == EAI_SYSTEM && errno != 0) 132 return strerror(errno); 133 return gai_strerror(gaierr); 134 } 135 136 /* disable nagle on socket */ 137 void 138 set_nodelay(int fd) 139 { 140 int opt; 141 socklen_t optlen; 142 143 optlen = sizeof opt; 144 if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) { 145 debug("getsockopt TCP_NODELAY: %.100s", strerror(errno)); 146 return; 147 } 148 if (opt == 1) { 149 debug2("fd %d is TCP_NODELAY", fd); 150 return; 151 } 152 opt = 1; 153 debug2("fd %d setting TCP_NODELAY", fd); 154 if (setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof opt) == -1) 155 error("setsockopt TCP_NODELAY: %.100s", strerror(errno)); 156 } 157 158 /* Allow local port reuse in TIME_WAIT */ 159 int 160 set_reuseaddr(int fd) 161 { 162 int on = 1; 163 164 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) { 165 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 166 return -1; 167 } 168 return 0; 169 } 170 171 /* Get/set routing domain */ 172 char * 173 get_rdomain(int fd) 174 { 175 int rtable; 176 char *ret; 177 socklen_t len = sizeof(rtable); 178 179 if (getsockopt(fd, SOL_SOCKET, SO_RTABLE, &rtable, &len) == -1) { 180 error("Failed to get routing domain for fd %d: %s", 181 fd, strerror(errno)); 182 return NULL; 183 } 184 xasprintf(&ret, "%d", rtable); 185 return ret; 186 } 187 188 int 189 set_rdomain(int fd, const char *name) 190 { 191 int rtable; 192 const char *errstr; 193 194 if (name == NULL) 195 return 0; /* default table */ 196 197 rtable = (int)strtonum(name, 0, 255, &errstr); 198 if (errstr != NULL) { 199 /* Shouldn't happen */ 200 error("Invalid routing domain \"%s\": %s", name, errstr); 201 return -1; 202 } 203 if (setsockopt(fd, SOL_SOCKET, SO_RTABLE, 204 &rtable, sizeof(rtable)) == -1) { 205 error("Failed to set routing domain %d on fd %d: %s", 206 rtable, fd, strerror(errno)); 207 return -1; 208 } 209 return 0; 210 } 211 212 /* Characters considered whitespace in strsep calls. */ 213 #define WHITESPACE " \t\r\n" 214 #define QUOTE "\"" 215 216 /* return next token in configuration line */ 217 static char * 218 strdelim_internal(char **s, int split_equals) 219 { 220 char *old; 221 int wspace = 0; 222 223 if (*s == NULL) 224 return NULL; 225 226 old = *s; 227 228 *s = strpbrk(*s, 229 split_equals ? WHITESPACE QUOTE "=" : WHITESPACE QUOTE); 230 if (*s == NULL) 231 return (old); 232 233 if (*s[0] == '\"') { 234 memmove(*s, *s + 1, strlen(*s)); /* move nul too */ 235 /* Find matching quote */ 236 if ((*s = strpbrk(*s, QUOTE)) == NULL) { 237 return (NULL); /* no matching quote */ 238 } else { 239 *s[0] = '\0'; 240 *s += strspn(*s + 1, WHITESPACE) + 1; 241 return (old); 242 } 243 } 244 245 /* Allow only one '=' to be skipped */ 246 if (split_equals && *s[0] == '=') 247 wspace = 1; 248 *s[0] = '\0'; 249 250 /* Skip any extra whitespace after first token */ 251 *s += strspn(*s + 1, WHITESPACE) + 1; 252 if (split_equals && *s[0] == '=' && !wspace) 253 *s += strspn(*s + 1, WHITESPACE) + 1; 254 255 return (old); 256 } 257 258 /* 259 * Return next token in configuration line; splts on whitespace or a 260 * single '=' character. 261 */ 262 char * 263 strdelim(char **s) 264 { 265 return strdelim_internal(s, 1); 266 } 267 268 /* 269 * Return next token in configuration line; splts on whitespace only. 270 */ 271 char * 272 strdelimw(char **s) 273 { 274 return strdelim_internal(s, 0); 275 } 276 277 struct passwd * 278 pwcopy(struct passwd *pw) 279 { 280 struct passwd *copy = xcalloc(1, sizeof(*copy)); 281 282 copy->pw_name = xstrdup(pw->pw_name); 283 copy->pw_passwd = xstrdup(pw->pw_passwd); 284 copy->pw_gecos = xstrdup(pw->pw_gecos); 285 copy->pw_uid = pw->pw_uid; 286 copy->pw_gid = pw->pw_gid; 287 copy->pw_expire = pw->pw_expire; 288 copy->pw_change = pw->pw_change; 289 copy->pw_class = xstrdup(pw->pw_class); 290 copy->pw_dir = xstrdup(pw->pw_dir); 291 copy->pw_shell = xstrdup(pw->pw_shell); 292 return copy; 293 } 294 295 /* 296 * Convert ASCII string to TCP/IP port number. 297 * Port must be >=0 and <=65535. 298 * Return -1 if invalid. 299 */ 300 int 301 a2port(const char *s) 302 { 303 struct servent *se; 304 long long port; 305 const char *errstr; 306 307 port = strtonum(s, 0, 65535, &errstr); 308 if (errstr == NULL) 309 return (int)port; 310 if ((se = getservbyname(s, "tcp")) != NULL) 311 return ntohs(se->s_port); 312 return -1; 313 } 314 315 int 316 a2tun(const char *s, int *remote) 317 { 318 const char *errstr = NULL; 319 char *sp, *ep; 320 int tun; 321 322 if (remote != NULL) { 323 *remote = SSH_TUNID_ANY; 324 sp = xstrdup(s); 325 if ((ep = strchr(sp, ':')) == NULL) { 326 free(sp); 327 return (a2tun(s, NULL)); 328 } 329 ep[0] = '\0'; ep++; 330 *remote = a2tun(ep, NULL); 331 tun = a2tun(sp, NULL); 332 free(sp); 333 return (*remote == SSH_TUNID_ERR ? *remote : tun); 334 } 335 336 if (strcasecmp(s, "any") == 0) 337 return (SSH_TUNID_ANY); 338 339 tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr); 340 if (errstr != NULL) 341 return (SSH_TUNID_ERR); 342 343 return (tun); 344 } 345 346 #define SECONDS 1 347 #define MINUTES (SECONDS * 60) 348 #define HOURS (MINUTES * 60) 349 #define DAYS (HOURS * 24) 350 #define WEEKS (DAYS * 7) 351 352 /* 353 * Convert a time string into seconds; format is 354 * a sequence of: 355 * time[qualifier] 356 * 357 * Valid time qualifiers are: 358 * <none> seconds 359 * s|S seconds 360 * m|M minutes 361 * h|H hours 362 * d|D days 363 * w|W weeks 364 * 365 * Examples: 366 * 90m 90 minutes 367 * 1h30m 90 minutes 368 * 2d 2 days 369 * 1w 1 week 370 * 371 * Return -1 if time string is invalid. 372 */ 373 long 374 convtime(const char *s) 375 { 376 long total, secs, multiplier = 1; 377 const char *p; 378 char *endp; 379 380 errno = 0; 381 total = 0; 382 p = s; 383 384 if (p == NULL || *p == '\0') 385 return -1; 386 387 while (*p) { 388 secs = strtol(p, &endp, 10); 389 if (p == endp || 390 (errno == ERANGE && (secs == LONG_MIN || secs == LONG_MAX)) || 391 secs < 0) 392 return -1; 393 394 switch (*endp++) { 395 case '\0': 396 endp--; 397 break; 398 case 's': 399 case 'S': 400 break; 401 case 'm': 402 case 'M': 403 multiplier = MINUTES; 404 break; 405 case 'h': 406 case 'H': 407 multiplier = HOURS; 408 break; 409 case 'd': 410 case 'D': 411 multiplier = DAYS; 412 break; 413 case 'w': 414 case 'W': 415 multiplier = WEEKS; 416 break; 417 default: 418 return -1; 419 } 420 if (secs >= LONG_MAX / multiplier) 421 return -1; 422 secs *= multiplier; 423 if (total >= LONG_MAX - secs) 424 return -1; 425 total += secs; 426 if (total < 0) 427 return -1; 428 p = endp; 429 } 430 431 return total; 432 } 433 434 /* 435 * Returns a standardized host+port identifier string. 436 * Caller must free returned string. 437 */ 438 char * 439 put_host_port(const char *host, u_short port) 440 { 441 char *hoststr; 442 443 if (port == 0 || port == SSH_DEFAULT_PORT) 444 return(xstrdup(host)); 445 if (asprintf(&hoststr, "[%s]:%d", host, (int)port) < 0) 446 fatal("put_host_port: asprintf: %s", strerror(errno)); 447 debug3("put_host_port: %s", hoststr); 448 return hoststr; 449 } 450 451 /* 452 * Search for next delimiter between hostnames/addresses and ports. 453 * Argument may be modified (for termination). 454 * Returns *cp if parsing succeeds. 455 * *cp is set to the start of the next field, if one was found. 456 * The delimiter char, if present, is stored in delim. 457 * If this is the last field, *cp is set to NULL. 458 */ 459 static char * 460 hpdelim2(char **cp, char *delim) 461 { 462 char *s, *old; 463 464 if (cp == NULL || *cp == NULL) 465 return NULL; 466 467 old = s = *cp; 468 if (*s == '[') { 469 if ((s = strchr(s, ']')) == NULL) 470 return NULL; 471 else 472 s++; 473 } else if ((s = strpbrk(s, ":/")) == NULL) 474 s = *cp + strlen(*cp); /* skip to end (see first case below) */ 475 476 switch (*s) { 477 case '\0': 478 *cp = NULL; /* no more fields*/ 479 break; 480 481 case ':': 482 case '/': 483 if (delim != NULL) 484 *delim = *s; 485 *s = '\0'; /* terminate */ 486 *cp = s + 1; 487 break; 488 489 default: 490 return NULL; 491 } 492 493 return old; 494 } 495 496 char * 497 hpdelim(char **cp) 498 { 499 return hpdelim2(cp, NULL); 500 } 501 502 char * 503 cleanhostname(char *host) 504 { 505 if (*host == '[' && host[strlen(host) - 1] == ']') { 506 host[strlen(host) - 1] = '\0'; 507 return (host + 1); 508 } else 509 return host; 510 } 511 512 char * 513 colon(char *cp) 514 { 515 int flag = 0; 516 517 if (*cp == ':') /* Leading colon is part of file name. */ 518 return NULL; 519 if (*cp == '[') 520 flag = 1; 521 522 for (; *cp; ++cp) { 523 if (*cp == '@' && *(cp+1) == '[') 524 flag = 1; 525 if (*cp == ']' && *(cp+1) == ':' && flag) 526 return (cp+1); 527 if (*cp == ':' && !flag) 528 return (cp); 529 if (*cp == '/') 530 return NULL; 531 } 532 return NULL; 533 } 534 535 /* 536 * Parse a [user@]host:[path] string. 537 * Caller must free returned user, host and path. 538 * Any of the pointer return arguments may be NULL (useful for syntax checking). 539 * If user was not specified then *userp will be set to NULL. 540 * If host was not specified then *hostp will be set to NULL. 541 * If path was not specified then *pathp will be set to ".". 542 * Returns 0 on success, -1 on failure. 543 */ 544 int 545 parse_user_host_path(const char *s, char **userp, char **hostp, char **pathp) 546 { 547 char *user = NULL, *host = NULL, *path = NULL; 548 char *sdup, *tmp; 549 int ret = -1; 550 551 if (userp != NULL) 552 *userp = NULL; 553 if (hostp != NULL) 554 *hostp = NULL; 555 if (pathp != NULL) 556 *pathp = NULL; 557 558 sdup = xstrdup(s); 559 560 /* Check for remote syntax: [user@]host:[path] */ 561 if ((tmp = colon(sdup)) == NULL) 562 goto out; 563 564 /* Extract optional path */ 565 *tmp++ = '\0'; 566 if (*tmp == '\0') 567 tmp = "."; 568 path = xstrdup(tmp); 569 570 /* Extract optional user and mandatory host */ 571 tmp = strrchr(sdup, '@'); 572 if (tmp != NULL) { 573 *tmp++ = '\0'; 574 host = xstrdup(cleanhostname(tmp)); 575 if (*sdup != '\0') 576 user = xstrdup(sdup); 577 } else { 578 host = xstrdup(cleanhostname(sdup)); 579 user = NULL; 580 } 581 582 /* Success */ 583 if (userp != NULL) { 584 *userp = user; 585 user = NULL; 586 } 587 if (hostp != NULL) { 588 *hostp = host; 589 host = NULL; 590 } 591 if (pathp != NULL) { 592 *pathp = path; 593 path = NULL; 594 } 595 ret = 0; 596 out: 597 free(sdup); 598 free(user); 599 free(host); 600 free(path); 601 return ret; 602 } 603 604 /* 605 * Parse a [user@]host[:port] string. 606 * Caller must free returned user and host. 607 * Any of the pointer return arguments may be NULL (useful for syntax checking). 608 * If user was not specified then *userp will be set to NULL. 609 * If port was not specified then *portp will be -1. 610 * Returns 0 on success, -1 on failure. 611 */ 612 int 613 parse_user_host_port(const char *s, char **userp, char **hostp, int *portp) 614 { 615 char *sdup, *cp, *tmp; 616 char *user = NULL, *host = NULL; 617 int port = -1, ret = -1; 618 619 if (userp != NULL) 620 *userp = NULL; 621 if (hostp != NULL) 622 *hostp = NULL; 623 if (portp != NULL) 624 *portp = -1; 625 626 if ((sdup = tmp = strdup(s)) == NULL) 627 return -1; 628 /* Extract optional username */ 629 if ((cp = strrchr(tmp, '@')) != NULL) { 630 *cp = '\0'; 631 if (*tmp == '\0') 632 goto out; 633 if ((user = strdup(tmp)) == NULL) 634 goto out; 635 tmp = cp + 1; 636 } 637 /* Extract mandatory hostname */ 638 if ((cp = hpdelim(&tmp)) == NULL || *cp == '\0') 639 goto out; 640 host = xstrdup(cleanhostname(cp)); 641 /* Convert and verify optional port */ 642 if (tmp != NULL && *tmp != '\0') { 643 if ((port = a2port(tmp)) <= 0) 644 goto out; 645 } 646 /* Success */ 647 if (userp != NULL) { 648 *userp = user; 649 user = NULL; 650 } 651 if (hostp != NULL) { 652 *hostp = host; 653 host = NULL; 654 } 655 if (portp != NULL) 656 *portp = port; 657 ret = 0; 658 out: 659 free(sdup); 660 free(user); 661 free(host); 662 return ret; 663 } 664 665 /* 666 * Converts a two-byte hex string to decimal. 667 * Returns the decimal value or -1 for invalid input. 668 */ 669 static int 670 hexchar(const char *s) 671 { 672 unsigned char result[2]; 673 int i; 674 675 for (i = 0; i < 2; i++) { 676 if (s[i] >= '0' && s[i] <= '9') 677 result[i] = (unsigned char)(s[i] - '0'); 678 else if (s[i] >= 'a' && s[i] <= 'f') 679 result[i] = (unsigned char)(s[i] - 'a') + 10; 680 else if (s[i] >= 'A' && s[i] <= 'F') 681 result[i] = (unsigned char)(s[i] - 'A') + 10; 682 else 683 return -1; 684 } 685 return (result[0] << 4) | result[1]; 686 } 687 688 /* 689 * Decode an url-encoded string. 690 * Returns a newly allocated string on success or NULL on failure. 691 */ 692 static char * 693 urldecode(const char *src) 694 { 695 char *ret, *dst; 696 int ch; 697 698 ret = xmalloc(strlen(src) + 1); 699 for (dst = ret; *src != '\0'; src++) { 700 switch (*src) { 701 case '+': 702 *dst++ = ' '; 703 break; 704 case '%': 705 if (!isxdigit((unsigned char)src[1]) || 706 !isxdigit((unsigned char)src[2]) || 707 (ch = hexchar(src + 1)) == -1) { 708 free(ret); 709 return NULL; 710 } 711 *dst++ = ch; 712 src += 2; 713 break; 714 default: 715 *dst++ = *src; 716 break; 717 } 718 } 719 *dst = '\0'; 720 721 return ret; 722 } 723 724 /* 725 * Parse an (scp|ssh|sftp)://[user@]host[:port][/path] URI. 726 * See https://tools.ietf.org/html/draft-ietf-secsh-scp-sftp-ssh-uri-04 727 * Either user or path may be url-encoded (but not host or port). 728 * Caller must free returned user, host and path. 729 * Any of the pointer return arguments may be NULL (useful for syntax checking) 730 * but the scheme must always be specified. 731 * If user was not specified then *userp will be set to NULL. 732 * If port was not specified then *portp will be -1. 733 * If path was not specified then *pathp will be set to NULL. 734 * Returns 0 on success, 1 if non-uri/wrong scheme, -1 on error/invalid uri. 735 */ 736 int 737 parse_uri(const char *scheme, const char *uri, char **userp, char **hostp, 738 int *portp, char **pathp) 739 { 740 char *uridup, *cp, *tmp, ch; 741 char *user = NULL, *host = NULL, *path = NULL; 742 int port = -1, ret = -1; 743 size_t len; 744 745 len = strlen(scheme); 746 if (strncmp(uri, scheme, len) != 0 || strncmp(uri + len, "://", 3) != 0) 747 return 1; 748 uri += len + 3; 749 750 if (userp != NULL) 751 *userp = NULL; 752 if (hostp != NULL) 753 *hostp = NULL; 754 if (portp != NULL) 755 *portp = -1; 756 if (pathp != NULL) 757 *pathp = NULL; 758 759 uridup = tmp = xstrdup(uri); 760 761 /* Extract optional ssh-info (username + connection params) */ 762 if ((cp = strchr(tmp, '@')) != NULL) { 763 char *delim; 764 765 *cp = '\0'; 766 /* Extract username and connection params */ 767 if ((delim = strchr(tmp, ';')) != NULL) { 768 /* Just ignore connection params for now */ 769 *delim = '\0'; 770 } 771 if (*tmp == '\0') { 772 /* Empty username */ 773 goto out; 774 } 775 if ((user = urldecode(tmp)) == NULL) 776 goto out; 777 tmp = cp + 1; 778 } 779 780 /* Extract mandatory hostname */ 781 if ((cp = hpdelim2(&tmp, &ch)) == NULL || *cp == '\0') 782 goto out; 783 host = xstrdup(cleanhostname(cp)); 784 if (!valid_domain(host, 0, NULL)) 785 goto out; 786 787 if (tmp != NULL && *tmp != '\0') { 788 if (ch == ':') { 789 /* Convert and verify port. */ 790 if ((cp = strchr(tmp, '/')) != NULL) 791 *cp = '\0'; 792 if ((port = a2port(tmp)) <= 0) 793 goto out; 794 tmp = cp ? cp + 1 : NULL; 795 } 796 if (tmp != NULL && *tmp != '\0') { 797 /* Extract optional path */ 798 if ((path = urldecode(tmp)) == NULL) 799 goto out; 800 } 801 } 802 803 /* Success */ 804 if (userp != NULL) { 805 *userp = user; 806 user = NULL; 807 } 808 if (hostp != NULL) { 809 *hostp = host; 810 host = NULL; 811 } 812 if (portp != NULL) 813 *portp = port; 814 if (pathp != NULL) { 815 *pathp = path; 816 path = NULL; 817 } 818 ret = 0; 819 out: 820 free(uridup); 821 free(user); 822 free(host); 823 free(path); 824 return ret; 825 } 826 827 /* function to assist building execv() arguments */ 828 void 829 addargs(arglist *args, char *fmt, ...) 830 { 831 va_list ap; 832 char *cp; 833 u_int nalloc; 834 int r; 835 836 va_start(ap, fmt); 837 r = vasprintf(&cp, fmt, ap); 838 va_end(ap); 839 if (r == -1) 840 fatal("addargs: argument too long"); 841 842 nalloc = args->nalloc; 843 if (args->list == NULL) { 844 nalloc = 32; 845 args->num = 0; 846 } else if (args->num+2 >= nalloc) 847 nalloc *= 2; 848 849 args->list = xrecallocarray(args->list, args->nalloc, nalloc, sizeof(char *)); 850 args->nalloc = nalloc; 851 args->list[args->num++] = cp; 852 args->list[args->num] = NULL; 853 } 854 855 void 856 replacearg(arglist *args, u_int which, char *fmt, ...) 857 { 858 va_list ap; 859 char *cp; 860 int r; 861 862 va_start(ap, fmt); 863 r = vasprintf(&cp, fmt, ap); 864 va_end(ap); 865 if (r == -1) 866 fatal("replacearg: argument too long"); 867 868 if (which >= args->num) 869 fatal("replacearg: tried to replace invalid arg %d >= %d", 870 which, args->num); 871 free(args->list[which]); 872 args->list[which] = cp; 873 } 874 875 void 876 freeargs(arglist *args) 877 { 878 u_int i; 879 880 if (args->list != NULL) { 881 for (i = 0; i < args->num; i++) 882 free(args->list[i]); 883 free(args->list); 884 args->nalloc = args->num = 0; 885 args->list = NULL; 886 } 887 } 888 889 /* 890 * Expands tildes in the file name. Returns data allocated by xmalloc. 891 * Warning: this calls getpw*. 892 */ 893 char * 894 tilde_expand_filename(const char *filename, uid_t uid) 895 { 896 const char *path, *sep; 897 char user[128], *ret; 898 struct passwd *pw; 899 u_int len, slash; 900 901 if (*filename != '~') 902 return (xstrdup(filename)); 903 filename++; 904 905 path = strchr(filename, '/'); 906 if (path != NULL && path > filename) { /* ~user/path */ 907 slash = path - filename; 908 if (slash > sizeof(user) - 1) 909 fatal("tilde_expand_filename: ~username too long"); 910 memcpy(user, filename, slash); 911 user[slash] = '\0'; 912 if ((pw = getpwnam(user)) == NULL) 913 fatal("tilde_expand_filename: No such user %s", user); 914 } else if ((pw = getpwuid(uid)) == NULL) /* ~/path */ 915 fatal("tilde_expand_filename: No such uid %ld", (long)uid); 916 917 /* Make sure directory has a trailing '/' */ 918 len = strlen(pw->pw_dir); 919 if (len == 0 || pw->pw_dir[len - 1] != '/') 920 sep = "/"; 921 else 922 sep = ""; 923 924 /* Skip leading '/' from specified path */ 925 if (path != NULL) 926 filename = path + 1; 927 928 if (xasprintf(&ret, "%s%s%s", pw->pw_dir, sep, filename) >= PATH_MAX) 929 fatal("tilde_expand_filename: Path too long"); 930 931 return (ret); 932 } 933 934 /* 935 * Expand a string with a set of %[char] escapes. A number of escapes may be 936 * specified as (char *escape_chars, char *replacement) pairs. The list must 937 * be terminated by a NULL escape_char. Returns replaced string in memory 938 * allocated by xmalloc. 939 */ 940 char * 941 percent_expand(const char *string, ...) 942 { 943 #define EXPAND_MAX_KEYS 16 944 u_int num_keys, i, j; 945 struct { 946 const char *key; 947 const char *repl; 948 } keys[EXPAND_MAX_KEYS]; 949 char buf[4096]; 950 va_list ap; 951 952 /* Gather keys */ 953 va_start(ap, string); 954 for (num_keys = 0; num_keys < EXPAND_MAX_KEYS; num_keys++) { 955 keys[num_keys].key = va_arg(ap, char *); 956 if (keys[num_keys].key == NULL) 957 break; 958 keys[num_keys].repl = va_arg(ap, char *); 959 if (keys[num_keys].repl == NULL) 960 fatal("%s: NULL replacement", __func__); 961 } 962 if (num_keys == EXPAND_MAX_KEYS && va_arg(ap, char *) != NULL) 963 fatal("%s: too many keys", __func__); 964 va_end(ap); 965 966 /* Expand string */ 967 *buf = '\0'; 968 for (i = 0; *string != '\0'; string++) { 969 if (*string != '%') { 970 append: 971 buf[i++] = *string; 972 if (i >= sizeof(buf)) 973 fatal("%s: string too long", __func__); 974 buf[i] = '\0'; 975 continue; 976 } 977 string++; 978 /* %% case */ 979 if (*string == '%') 980 goto append; 981 if (*string == '\0') 982 fatal("%s: invalid format", __func__); 983 for (j = 0; j < num_keys; j++) { 984 if (strchr(keys[j].key, *string) != NULL) { 985 i = strlcat(buf, keys[j].repl, sizeof(buf)); 986 if (i >= sizeof(buf)) 987 fatal("%s: string too long", __func__); 988 break; 989 } 990 } 991 if (j >= num_keys) 992 fatal("%s: unknown key %%%c", __func__, *string); 993 } 994 return (xstrdup(buf)); 995 #undef EXPAND_MAX_KEYS 996 } 997 998 int 999 tun_open(int tun, int mode, char **ifname) 1000 { 1001 struct ifreq ifr; 1002 char name[100]; 1003 int fd = -1, sock; 1004 const char *tunbase = "tun"; 1005 1006 if (ifname != NULL) 1007 *ifname = NULL; 1008 1009 if (mode == SSH_TUNMODE_ETHERNET) 1010 tunbase = "tap"; 1011 1012 /* Open the tunnel device */ 1013 if (tun <= SSH_TUNID_MAX) { 1014 snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun); 1015 fd = open(name, O_RDWR); 1016 } else if (tun == SSH_TUNID_ANY) { 1017 for (tun = 100; tun >= 0; tun--) { 1018 snprintf(name, sizeof(name), "/dev/%s%d", 1019 tunbase, tun); 1020 if ((fd = open(name, O_RDWR)) >= 0) 1021 break; 1022 } 1023 } else { 1024 debug("%s: invalid tunnel %u", __func__, tun); 1025 return -1; 1026 } 1027 1028 if (fd < 0) { 1029 debug("%s: %s open: %s", __func__, name, strerror(errno)); 1030 return -1; 1031 } 1032 1033 debug("%s: %s mode %d fd %d", __func__, name, mode, fd); 1034 1035 /* Bring interface up if it is not already */ 1036 snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun); 1037 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) 1038 goto failed; 1039 1040 if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1) { 1041 debug("%s: get interface %s flags: %s", __func__, 1042 ifr.ifr_name, strerror(errno)); 1043 goto failed; 1044 } 1045 1046 if (!(ifr.ifr_flags & IFF_UP)) { 1047 ifr.ifr_flags |= IFF_UP; 1048 if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1) { 1049 debug("%s: activate interface %s: %s", __func__, 1050 ifr.ifr_name, strerror(errno)); 1051 goto failed; 1052 } 1053 } 1054 1055 if (ifname != NULL) 1056 *ifname = xstrdup(ifr.ifr_name); 1057 1058 close(sock); 1059 return fd; 1060 1061 failed: 1062 if (fd >= 0) 1063 close(fd); 1064 if (sock >= 0) 1065 close(sock); 1066 return -1; 1067 } 1068 1069 void 1070 sanitise_stdfd(void) 1071 { 1072 int nullfd, dupfd; 1073 1074 if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) { 1075 fprintf(stderr, "Couldn't open /dev/null: %s\n", 1076 strerror(errno)); 1077 exit(1); 1078 } 1079 while (++dupfd <= STDERR_FILENO) { 1080 /* Only populate closed fds. */ 1081 if (fcntl(dupfd, F_GETFL) == -1 && errno == EBADF) { 1082 if (dup2(nullfd, dupfd) == -1) { 1083 fprintf(stderr, "dup2: %s\n", strerror(errno)); 1084 exit(1); 1085 } 1086 } 1087 } 1088 if (nullfd > STDERR_FILENO) 1089 close(nullfd); 1090 } 1091 1092 char * 1093 tohex(const void *vp, size_t l) 1094 { 1095 const u_char *p = (const u_char *)vp; 1096 char b[3], *r; 1097 size_t i, hl; 1098 1099 if (l > 65536) 1100 return xstrdup("tohex: length > 65536"); 1101 1102 hl = l * 2 + 1; 1103 r = xcalloc(1, hl); 1104 for (i = 0; i < l; i++) { 1105 snprintf(b, sizeof(b), "%02x", p[i]); 1106 strlcat(r, b, hl); 1107 } 1108 return (r); 1109 } 1110 1111 u_int64_t 1112 get_u64(const void *vp) 1113 { 1114 const u_char *p = (const u_char *)vp; 1115 u_int64_t v; 1116 1117 v = (u_int64_t)p[0] << 56; 1118 v |= (u_int64_t)p[1] << 48; 1119 v |= (u_int64_t)p[2] << 40; 1120 v |= (u_int64_t)p[3] << 32; 1121 v |= (u_int64_t)p[4] << 24; 1122 v |= (u_int64_t)p[5] << 16; 1123 v |= (u_int64_t)p[6] << 8; 1124 v |= (u_int64_t)p[7]; 1125 1126 return (v); 1127 } 1128 1129 u_int32_t 1130 get_u32(const void *vp) 1131 { 1132 const u_char *p = (const u_char *)vp; 1133 u_int32_t v; 1134 1135 v = (u_int32_t)p[0] << 24; 1136 v |= (u_int32_t)p[1] << 16; 1137 v |= (u_int32_t)p[2] << 8; 1138 v |= (u_int32_t)p[3]; 1139 1140 return (v); 1141 } 1142 1143 u_int32_t 1144 get_u32_le(const void *vp) 1145 { 1146 const u_char *p = (const u_char *)vp; 1147 u_int32_t v; 1148 1149 v = (u_int32_t)p[0]; 1150 v |= (u_int32_t)p[1] << 8; 1151 v |= (u_int32_t)p[2] << 16; 1152 v |= (u_int32_t)p[3] << 24; 1153 1154 return (v); 1155 } 1156 1157 u_int16_t 1158 get_u16(const void *vp) 1159 { 1160 const u_char *p = (const u_char *)vp; 1161 u_int16_t v; 1162 1163 v = (u_int16_t)p[0] << 8; 1164 v |= (u_int16_t)p[1]; 1165 1166 return (v); 1167 } 1168 1169 void 1170 put_u64(void *vp, u_int64_t v) 1171 { 1172 u_char *p = (u_char *)vp; 1173 1174 p[0] = (u_char)(v >> 56) & 0xff; 1175 p[1] = (u_char)(v >> 48) & 0xff; 1176 p[2] = (u_char)(v >> 40) & 0xff; 1177 p[3] = (u_char)(v >> 32) & 0xff; 1178 p[4] = (u_char)(v >> 24) & 0xff; 1179 p[5] = (u_char)(v >> 16) & 0xff; 1180 p[6] = (u_char)(v >> 8) & 0xff; 1181 p[7] = (u_char)v & 0xff; 1182 } 1183 1184 void 1185 put_u32(void *vp, u_int32_t v) 1186 { 1187 u_char *p = (u_char *)vp; 1188 1189 p[0] = (u_char)(v >> 24) & 0xff; 1190 p[1] = (u_char)(v >> 16) & 0xff; 1191 p[2] = (u_char)(v >> 8) & 0xff; 1192 p[3] = (u_char)v & 0xff; 1193 } 1194 1195 void 1196 put_u32_le(void *vp, u_int32_t v) 1197 { 1198 u_char *p = (u_char *)vp; 1199 1200 p[0] = (u_char)v & 0xff; 1201 p[1] = (u_char)(v >> 8) & 0xff; 1202 p[2] = (u_char)(v >> 16) & 0xff; 1203 p[3] = (u_char)(v >> 24) & 0xff; 1204 } 1205 1206 void 1207 put_u16(void *vp, u_int16_t v) 1208 { 1209 u_char *p = (u_char *)vp; 1210 1211 p[0] = (u_char)(v >> 8) & 0xff; 1212 p[1] = (u_char)v & 0xff; 1213 } 1214 1215 void 1216 ms_subtract_diff(struct timeval *start, int *ms) 1217 { 1218 struct timeval diff, finish; 1219 1220 monotime_tv(&finish); 1221 timersub(&finish, start, &diff); 1222 *ms -= (diff.tv_sec * 1000) + (diff.tv_usec / 1000); 1223 } 1224 1225 void 1226 ms_to_timeval(struct timeval *tv, int ms) 1227 { 1228 if (ms < 0) 1229 ms = 0; 1230 tv->tv_sec = ms / 1000; 1231 tv->tv_usec = (ms % 1000) * 1000; 1232 } 1233 1234 void 1235 monotime_ts(struct timespec *ts) 1236 { 1237 if (clock_gettime(CLOCK_MONOTONIC, ts) != 0) 1238 fatal("clock_gettime: %s", strerror(errno)); 1239 } 1240 1241 void 1242 monotime_tv(struct timeval *tv) 1243 { 1244 struct timespec ts; 1245 1246 monotime_ts(&ts); 1247 tv->tv_sec = ts.tv_sec; 1248 tv->tv_usec = ts.tv_nsec / 1000; 1249 } 1250 1251 time_t 1252 monotime(void) 1253 { 1254 struct timespec ts; 1255 1256 monotime_ts(&ts); 1257 return (ts.tv_sec); 1258 } 1259 1260 double 1261 monotime_double(void) 1262 { 1263 struct timespec ts; 1264 1265 monotime_ts(&ts); 1266 return (double)ts.tv_sec + (double)ts.tv_nsec / 1000000000.0; 1267 } 1268 1269 void 1270 bandwidth_limit_init(struct bwlimit *bw, u_int64_t kbps, size_t buflen) 1271 { 1272 bw->buflen = buflen; 1273 bw->rate = kbps; 1274 bw->thresh = bw->rate; 1275 bw->lamt = 0; 1276 timerclear(&bw->bwstart); 1277 timerclear(&bw->bwend); 1278 } 1279 1280 /* Callback from read/write loop to insert bandwidth-limiting delays */ 1281 void 1282 bandwidth_limit(struct bwlimit *bw, size_t read_len) 1283 { 1284 u_int64_t waitlen; 1285 struct timespec ts, rm; 1286 1287 if (!timerisset(&bw->bwstart)) { 1288 monotime_tv(&bw->bwstart); 1289 return; 1290 } 1291 1292 bw->lamt += read_len; 1293 if (bw->lamt < bw->thresh) 1294 return; 1295 1296 monotime_tv(&bw->bwend); 1297 timersub(&bw->bwend, &bw->bwstart, &bw->bwend); 1298 if (!timerisset(&bw->bwend)) 1299 return; 1300 1301 bw->lamt *= 8; 1302 waitlen = (double)1000000L * bw->lamt / bw->rate; 1303 1304 bw->bwstart.tv_sec = waitlen / 1000000L; 1305 bw->bwstart.tv_usec = waitlen % 1000000L; 1306 1307 if (timercmp(&bw->bwstart, &bw->bwend, >)) { 1308 timersub(&bw->bwstart, &bw->bwend, &bw->bwend); 1309 1310 /* Adjust the wait time */ 1311 if (bw->bwend.tv_sec) { 1312 bw->thresh /= 2; 1313 if (bw->thresh < bw->buflen / 4) 1314 bw->thresh = bw->buflen / 4; 1315 } else if (bw->bwend.tv_usec < 10000) { 1316 bw->thresh *= 2; 1317 if (bw->thresh > bw->buflen * 8) 1318 bw->thresh = bw->buflen * 8; 1319 } 1320 1321 TIMEVAL_TO_TIMESPEC(&bw->bwend, &ts); 1322 while (nanosleep(&ts, &rm) == -1) { 1323 if (errno != EINTR) 1324 break; 1325 ts = rm; 1326 } 1327 } 1328 1329 bw->lamt = 0; 1330 monotime_tv(&bw->bwstart); 1331 } 1332 1333 /* Make a template filename for mk[sd]temp() */ 1334 void 1335 mktemp_proto(char *s, size_t len) 1336 { 1337 const char *tmpdir; 1338 int r; 1339 1340 if ((tmpdir = getenv("TMPDIR")) != NULL) { 1341 r = snprintf(s, len, "%s/ssh-XXXXXXXXXXXX", tmpdir); 1342 if (r > 0 && (size_t)r < len) 1343 return; 1344 } 1345 r = snprintf(s, len, "/tmp/ssh-XXXXXXXXXXXX"); 1346 if (r < 0 || (size_t)r >= len) 1347 fatal("%s: template string too short", __func__); 1348 } 1349 1350 static const struct { 1351 const char *name; 1352 int value; 1353 } ipqos[] = { 1354 { "none", INT_MAX }, /* can't use 0 here; that's CS0 */ 1355 { "af11", IPTOS_DSCP_AF11 }, 1356 { "af12", IPTOS_DSCP_AF12 }, 1357 { "af13", IPTOS_DSCP_AF13 }, 1358 { "af21", IPTOS_DSCP_AF21 }, 1359 { "af22", IPTOS_DSCP_AF22 }, 1360 { "af23", IPTOS_DSCP_AF23 }, 1361 { "af31", IPTOS_DSCP_AF31 }, 1362 { "af32", IPTOS_DSCP_AF32 }, 1363 { "af33", IPTOS_DSCP_AF33 }, 1364 { "af41", IPTOS_DSCP_AF41 }, 1365 { "af42", IPTOS_DSCP_AF42 }, 1366 { "af43", IPTOS_DSCP_AF43 }, 1367 { "cs0", IPTOS_DSCP_CS0 }, 1368 { "cs1", IPTOS_DSCP_CS1 }, 1369 { "cs2", IPTOS_DSCP_CS2 }, 1370 { "cs3", IPTOS_DSCP_CS3 }, 1371 { "cs4", IPTOS_DSCP_CS4 }, 1372 { "cs5", IPTOS_DSCP_CS5 }, 1373 { "cs6", IPTOS_DSCP_CS6 }, 1374 { "cs7", IPTOS_DSCP_CS7 }, 1375 { "ef", IPTOS_DSCP_EF }, 1376 { "lowdelay", IPTOS_LOWDELAY }, 1377 { "throughput", IPTOS_THROUGHPUT }, 1378 { "reliability", IPTOS_RELIABILITY }, 1379 { NULL, -1 } 1380 }; 1381 1382 int 1383 parse_ipqos(const char *cp) 1384 { 1385 u_int i; 1386 char *ep; 1387 long val; 1388 1389 if (cp == NULL) 1390 return -1; 1391 for (i = 0; ipqos[i].name != NULL; i++) { 1392 if (strcasecmp(cp, ipqos[i].name) == 0) 1393 return ipqos[i].value; 1394 } 1395 /* Try parsing as an integer */ 1396 val = strtol(cp, &ep, 0); 1397 if (*cp == '\0' || *ep != '\0' || val < 0 || val > 255) 1398 return -1; 1399 return val; 1400 } 1401 1402 const char * 1403 iptos2str(int iptos) 1404 { 1405 int i; 1406 static char iptos_str[sizeof "0xff"]; 1407 1408 for (i = 0; ipqos[i].name != NULL; i++) { 1409 if (ipqos[i].value == iptos) 1410 return ipqos[i].name; 1411 } 1412 snprintf(iptos_str, sizeof iptos_str, "0x%02x", iptos); 1413 return iptos_str; 1414 } 1415 1416 void 1417 lowercase(char *s) 1418 { 1419 for (; *s; s++) 1420 *s = tolower((u_char)*s); 1421 } 1422 1423 int 1424 unix_listener(const char *path, int backlog, int unlink_first) 1425 { 1426 struct sockaddr_un sunaddr; 1427 int saved_errno, sock; 1428 1429 memset(&sunaddr, 0, sizeof(sunaddr)); 1430 sunaddr.sun_family = AF_UNIX; 1431 if (strlcpy(sunaddr.sun_path, path, 1432 sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) { 1433 error("%s: path \"%s\" too long for Unix domain socket", 1434 __func__, path); 1435 errno = ENAMETOOLONG; 1436 return -1; 1437 } 1438 1439 sock = socket(PF_UNIX, SOCK_STREAM, 0); 1440 if (sock < 0) { 1441 saved_errno = errno; 1442 error("%s: socket: %.100s", __func__, strerror(errno)); 1443 errno = saved_errno; 1444 return -1; 1445 } 1446 if (unlink_first == 1) { 1447 if (unlink(path) != 0 && errno != ENOENT) 1448 error("unlink(%s): %.100s", path, strerror(errno)); 1449 } 1450 if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) { 1451 saved_errno = errno; 1452 error("%s: cannot bind to path %s: %s", 1453 __func__, path, strerror(errno)); 1454 close(sock); 1455 errno = saved_errno; 1456 return -1; 1457 } 1458 if (listen(sock, backlog) < 0) { 1459 saved_errno = errno; 1460 error("%s: cannot listen on path %s: %s", 1461 __func__, path, strerror(errno)); 1462 close(sock); 1463 unlink(path); 1464 errno = saved_errno; 1465 return -1; 1466 } 1467 return sock; 1468 } 1469 1470 /* 1471 * Compares two strings that maybe be NULL. Returns non-zero if strings 1472 * are both NULL or are identical, returns zero otherwise. 1473 */ 1474 static int 1475 strcmp_maybe_null(const char *a, const char *b) 1476 { 1477 if ((a == NULL && b != NULL) || (a != NULL && b == NULL)) 1478 return 0; 1479 if (a != NULL && strcmp(a, b) != 0) 1480 return 0; 1481 return 1; 1482 } 1483 1484 /* 1485 * Compare two forwards, returning non-zero if they are identical or 1486 * zero otherwise. 1487 */ 1488 int 1489 forward_equals(const struct Forward *a, const struct Forward *b) 1490 { 1491 if (strcmp_maybe_null(a->listen_host, b->listen_host) == 0) 1492 return 0; 1493 if (a->listen_port != b->listen_port) 1494 return 0; 1495 if (strcmp_maybe_null(a->listen_path, b->listen_path) == 0) 1496 return 0; 1497 if (strcmp_maybe_null(a->connect_host, b->connect_host) == 0) 1498 return 0; 1499 if (a->connect_port != b->connect_port) 1500 return 0; 1501 if (strcmp_maybe_null(a->connect_path, b->connect_path) == 0) 1502 return 0; 1503 /* allocated_port and handle are not checked */ 1504 return 1; 1505 } 1506 1507 /* returns 1 if process is already daemonized, 0 otherwise */ 1508 int 1509 daemonized(void) 1510 { 1511 int fd; 1512 1513 if ((fd = open(_PATH_TTY, O_RDONLY | O_NOCTTY)) >= 0) { 1514 close(fd); 1515 return 0; /* have controlling terminal */ 1516 } 1517 if (getppid() != 1) 1518 return 0; /* parent is not init */ 1519 if (getsid(0) != getpid()) 1520 return 0; /* not session leader */ 1521 debug3("already daemonized"); 1522 return 1; 1523 } 1524 1525 1526 /* 1527 * Splits 's' into an argument vector. Handles quoted string and basic 1528 * escape characters (\\, \", \'). Caller must free the argument vector 1529 * and its members. 1530 */ 1531 int 1532 argv_split(const char *s, int *argcp, char ***argvp) 1533 { 1534 int r = SSH_ERR_INTERNAL_ERROR; 1535 int argc = 0, quote, i, j; 1536 char *arg, **argv = xcalloc(1, sizeof(*argv)); 1537 1538 *argvp = NULL; 1539 *argcp = 0; 1540 1541 for (i = 0; s[i] != '\0'; i++) { 1542 /* Skip leading whitespace */ 1543 if (s[i] == ' ' || s[i] == '\t') 1544 continue; 1545 1546 /* Start of a token */ 1547 quote = 0; 1548 if (s[i] == '\\' && 1549 (s[i + 1] == '\'' || s[i + 1] == '\"' || s[i + 1] == '\\')) 1550 i++; 1551 else if (s[i] == '\'' || s[i] == '"') 1552 quote = s[i++]; 1553 1554 argv = xreallocarray(argv, (argc + 2), sizeof(*argv)); 1555 arg = argv[argc++] = xcalloc(1, strlen(s + i) + 1); 1556 argv[argc] = NULL; 1557 1558 /* Copy the token in, removing escapes */ 1559 for (j = 0; s[i] != '\0'; i++) { 1560 if (s[i] == '\\') { 1561 if (s[i + 1] == '\'' || 1562 s[i + 1] == '\"' || 1563 s[i + 1] == '\\') { 1564 i++; /* Skip '\' */ 1565 arg[j++] = s[i]; 1566 } else { 1567 /* Unrecognised escape */ 1568 arg[j++] = s[i]; 1569 } 1570 } else if (quote == 0 && (s[i] == ' ' || s[i] == '\t')) 1571 break; /* done */ 1572 else if (quote != 0 && s[i] == quote) 1573 break; /* done */ 1574 else 1575 arg[j++] = s[i]; 1576 } 1577 if (s[i] == '\0') { 1578 if (quote != 0) { 1579 /* Ran out of string looking for close quote */ 1580 r = SSH_ERR_INVALID_FORMAT; 1581 goto out; 1582 } 1583 break; 1584 } 1585 } 1586 /* Success */ 1587 *argcp = argc; 1588 *argvp = argv; 1589 argc = 0; 1590 argv = NULL; 1591 r = 0; 1592 out: 1593 if (argc != 0 && argv != NULL) { 1594 for (i = 0; i < argc; i++) 1595 free(argv[i]); 1596 free(argv); 1597 } 1598 return r; 1599 } 1600 1601 /* 1602 * Reassemble an argument vector into a string, quoting and escaping as 1603 * necessary. Caller must free returned string. 1604 */ 1605 char * 1606 argv_assemble(int argc, char **argv) 1607 { 1608 int i, j, ws, r; 1609 char c, *ret; 1610 struct sshbuf *buf, *arg; 1611 1612 if ((buf = sshbuf_new()) == NULL || (arg = sshbuf_new()) == NULL) 1613 fatal("%s: sshbuf_new failed", __func__); 1614 1615 for (i = 0; i < argc; i++) { 1616 ws = 0; 1617 sshbuf_reset(arg); 1618 for (j = 0; argv[i][j] != '\0'; j++) { 1619 r = 0; 1620 c = argv[i][j]; 1621 switch (c) { 1622 case ' ': 1623 case '\t': 1624 ws = 1; 1625 r = sshbuf_put_u8(arg, c); 1626 break; 1627 case '\\': 1628 case '\'': 1629 case '"': 1630 if ((r = sshbuf_put_u8(arg, '\\')) != 0) 1631 break; 1632 /* FALLTHROUGH */ 1633 default: 1634 r = sshbuf_put_u8(arg, c); 1635 break; 1636 } 1637 if (r != 0) 1638 fatal("%s: sshbuf_put_u8: %s", 1639 __func__, ssh_err(r)); 1640 } 1641 if ((i != 0 && (r = sshbuf_put_u8(buf, ' ')) != 0) || 1642 (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0) || 1643 (r = sshbuf_putb(buf, arg)) != 0 || 1644 (ws != 0 && (r = sshbuf_put_u8(buf, '"')) != 0)) 1645 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1646 } 1647 if ((ret = malloc(sshbuf_len(buf) + 1)) == NULL) 1648 fatal("%s: malloc failed", __func__); 1649 memcpy(ret, sshbuf_ptr(buf), sshbuf_len(buf)); 1650 ret[sshbuf_len(buf)] = '\0'; 1651 sshbuf_free(buf); 1652 sshbuf_free(arg); 1653 return ret; 1654 } 1655 1656 /* Returns 0 if pid exited cleanly, non-zero otherwise */ 1657 int 1658 exited_cleanly(pid_t pid, const char *tag, const char *cmd, int quiet) 1659 { 1660 int status; 1661 1662 while (waitpid(pid, &status, 0) == -1) { 1663 if (errno != EINTR) { 1664 error("%s: waitpid: %s", tag, strerror(errno)); 1665 return -1; 1666 } 1667 } 1668 if (WIFSIGNALED(status)) { 1669 error("%s %s exited on signal %d", tag, cmd, WTERMSIG(status)); 1670 return -1; 1671 } else if (WEXITSTATUS(status) != 0) { 1672 do_log2(quiet ? SYSLOG_LEVEL_DEBUG1 : SYSLOG_LEVEL_INFO, 1673 "%s %s failed, status %d", tag, cmd, WEXITSTATUS(status)); 1674 return -1; 1675 } 1676 return 0; 1677 } 1678 1679 /* 1680 * Check a given path for security. This is defined as all components 1681 * of the path to the file must be owned by either the owner of 1682 * of the file or root and no directories must be group or world writable. 1683 * 1684 * XXX Should any specific check be done for sym links ? 1685 * 1686 * Takes a file name, its stat information (preferably from fstat() to 1687 * avoid races), the uid of the expected owner, their home directory and an 1688 * error buffer plus max size as arguments. 1689 * 1690 * Returns 0 on success and -1 on failure 1691 */ 1692 int 1693 safe_path(const char *name, struct stat *stp, const char *pw_dir, 1694 uid_t uid, char *err, size_t errlen) 1695 { 1696 char buf[PATH_MAX], homedir[PATH_MAX]; 1697 char *cp; 1698 int comparehome = 0; 1699 struct stat st; 1700 1701 if (realpath(name, buf) == NULL) { 1702 snprintf(err, errlen, "realpath %s failed: %s", name, 1703 strerror(errno)); 1704 return -1; 1705 } 1706 if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL) 1707 comparehome = 1; 1708 1709 if (!S_ISREG(stp->st_mode)) { 1710 snprintf(err, errlen, "%s is not a regular file", buf); 1711 return -1; 1712 } 1713 if ((stp->st_uid != 0 && stp->st_uid != uid) || 1714 (stp->st_mode & 022) != 0) { 1715 snprintf(err, errlen, "bad ownership or modes for file %s", 1716 buf); 1717 return -1; 1718 } 1719 1720 /* for each component of the canonical path, walking upwards */ 1721 for (;;) { 1722 if ((cp = dirname(buf)) == NULL) { 1723 snprintf(err, errlen, "dirname() failed"); 1724 return -1; 1725 } 1726 strlcpy(buf, cp, sizeof(buf)); 1727 1728 if (stat(buf, &st) < 0 || 1729 (st.st_uid != 0 && st.st_uid != uid) || 1730 (st.st_mode & 022) != 0) { 1731 snprintf(err, errlen, 1732 "bad ownership or modes for directory %s", buf); 1733 return -1; 1734 } 1735 1736 /* If are past the homedir then we can stop */ 1737 if (comparehome && strcmp(homedir, buf) == 0) 1738 break; 1739 1740 /* 1741 * dirname should always complete with a "/" path, 1742 * but we can be paranoid and check for "." too 1743 */ 1744 if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0)) 1745 break; 1746 } 1747 return 0; 1748 } 1749 1750 /* 1751 * Version of safe_path() that accepts an open file descriptor to 1752 * avoid races. 1753 * 1754 * Returns 0 on success and -1 on failure 1755 */ 1756 int 1757 safe_path_fd(int fd, const char *file, struct passwd *pw, 1758 char *err, size_t errlen) 1759 { 1760 struct stat st; 1761 1762 /* check the open file to avoid races */ 1763 if (fstat(fd, &st) < 0) { 1764 snprintf(err, errlen, "cannot stat file %s: %s", 1765 file, strerror(errno)); 1766 return -1; 1767 } 1768 return safe_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen); 1769 } 1770 1771 /* 1772 * Sets the value of the given variable in the environment. If the variable 1773 * already exists, its value is overridden. 1774 */ 1775 void 1776 child_set_env(char ***envp, u_int *envsizep, const char *name, 1777 const char *value) 1778 { 1779 char **env; 1780 u_int envsize; 1781 u_int i, namelen; 1782 1783 if (strchr(name, '=') != NULL) { 1784 error("Invalid environment variable \"%.100s\"", name); 1785 return; 1786 } 1787 1788 /* 1789 * Find the slot where the value should be stored. If the variable 1790 * already exists, we reuse the slot; otherwise we append a new slot 1791 * at the end of the array, expanding if necessary. 1792 */ 1793 env = *envp; 1794 namelen = strlen(name); 1795 for (i = 0; env[i]; i++) 1796 if (strncmp(env[i], name, namelen) == 0 && env[i][namelen] == '=') 1797 break; 1798 if (env[i]) { 1799 /* Reuse the slot. */ 1800 free(env[i]); 1801 } else { 1802 /* New variable. Expand if necessary. */ 1803 envsize = *envsizep; 1804 if (i >= envsize - 1) { 1805 if (envsize >= 1000) 1806 fatal("child_set_env: too many env vars"); 1807 envsize += 50; 1808 env = (*envp) = xreallocarray(env, envsize, sizeof(char *)); 1809 *envsizep = envsize; 1810 } 1811 /* Need to set the NULL pointer at end of array beyond the new slot. */ 1812 env[i + 1] = NULL; 1813 } 1814 1815 /* Allocate space and format the variable in the appropriate slot. */ 1816 /* XXX xasprintf */ 1817 env[i] = xmalloc(strlen(name) + 1 + strlen(value) + 1); 1818 snprintf(env[i], strlen(name) + 1 + strlen(value) + 1, "%s=%s", name, value); 1819 } 1820 1821 /* 1822 * Check and optionally lowercase a domain name, also removes trailing '.' 1823 * Returns 1 on success and 0 on failure, storing an error message in errstr. 1824 */ 1825 int 1826 valid_domain(char *name, int makelower, const char **errstr) 1827 { 1828 size_t i, l = strlen(name); 1829 u_char c, last = '\0'; 1830 static char errbuf[256]; 1831 1832 if (l == 0) { 1833 strlcpy(errbuf, "empty domain name", sizeof(errbuf)); 1834 goto bad; 1835 } 1836 if (!isalpha((u_char)name[0]) && !isdigit((u_char)name[0])) { 1837 snprintf(errbuf, sizeof(errbuf), "domain name \"%.100s\" " 1838 "starts with invalid character", name); 1839 goto bad; 1840 } 1841 for (i = 0; i < l; i++) { 1842 c = tolower((u_char)name[i]); 1843 if (makelower) 1844 name[i] = (char)c; 1845 if (last == '.' && c == '.') { 1846 snprintf(errbuf, sizeof(errbuf), "domain name " 1847 "\"%.100s\" contains consecutive separators", name); 1848 goto bad; 1849 } 1850 if (c != '.' && c != '-' && !isalnum(c) && 1851 c != '_') /* technically invalid, but common */ { 1852 snprintf(errbuf, sizeof(errbuf), "domain name " 1853 "\"%.100s\" contains invalid characters", name); 1854 goto bad; 1855 } 1856 last = c; 1857 } 1858 if (name[l - 1] == '.') 1859 name[l - 1] = '\0'; 1860 if (errstr != NULL) 1861 *errstr = NULL; 1862 return 1; 1863 bad: 1864 if (errstr != NULL) 1865 *errstr = errbuf; 1866 return 0; 1867 } 1868 1869 /* 1870 * Verify that a environment variable name (not including initial '$') is 1871 * valid; consisting of one or more alphanumeric or underscore characters only. 1872 * Returns 1 on valid, 0 otherwise. 1873 */ 1874 int 1875 valid_env_name(const char *name) 1876 { 1877 const char *cp; 1878 1879 if (name[0] == '\0') 1880 return 0; 1881 for (cp = name; *cp != '\0'; cp++) { 1882 if (!isalnum((u_char)*cp) && *cp != '_') 1883 return 0; 1884 } 1885 return 1; 1886 } 1887 1888 const char * 1889 atoi_err(const char *nptr, int *val) 1890 { 1891 const char *errstr = NULL; 1892 long long num; 1893 1894 if (nptr == NULL || *nptr == '\0') 1895 return "missing"; 1896 num = strtonum(nptr, 0, INT_MAX, &errstr); 1897 if (errstr == NULL) 1898 *val = (int)num; 1899 return errstr; 1900 } 1901 1902 int 1903 parse_absolute_time(const char *s, uint64_t *tp) 1904 { 1905 struct tm tm; 1906 time_t tt; 1907 char buf[32], *fmt; 1908 1909 *tp = 0; 1910 1911 /* 1912 * POSIX strptime says "The application shall ensure that there 1913 * is white-space or other non-alphanumeric characters between 1914 * any two conversion specifications" so arrange things this way. 1915 */ 1916 switch (strlen(s)) { 1917 case 8: /* YYYYMMDD */ 1918 fmt = "%Y-%m-%d"; 1919 snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6); 1920 break; 1921 case 12: /* YYYYMMDDHHMM */ 1922 fmt = "%Y-%m-%dT%H:%M"; 1923 snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s", 1924 s, s + 4, s + 6, s + 8, s + 10); 1925 break; 1926 case 14: /* YYYYMMDDHHMMSS */ 1927 fmt = "%Y-%m-%dT%H:%M:%S"; 1928 snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s", 1929 s, s + 4, s + 6, s + 8, s + 10, s + 12); 1930 break; 1931 default: 1932 return SSH_ERR_INVALID_FORMAT; 1933 } 1934 1935 memset(&tm, 0, sizeof(tm)); 1936 if (strptime(buf, fmt, &tm) == NULL) 1937 return SSH_ERR_INVALID_FORMAT; 1938 if ((tt = mktime(&tm)) < 0) 1939 return SSH_ERR_INVALID_FORMAT; 1940 /* success */ 1941 *tp = (uint64_t)tt; 1942 return 0; 1943 } 1944 1945 void 1946 format_absolute_time(uint64_t t, char *buf, size_t len) 1947 { 1948 time_t tt = t > INT_MAX ? INT_MAX : t; /* XXX revisit in 2038 :P */ 1949 struct tm tm; 1950 1951 localtime_r(&tt, &tm); 1952 strftime(buf, len, "%Y-%m-%dT%H:%M:%S", &tm); 1953 } 1954 1955 /* check if path is absolute */ 1956 int 1957 path_absolute(const char *path) 1958 { 1959 return (*path == '/') ? 1 : 0; 1960 } 1961