xref: /openbsd-src/usr.bin/ssh/serverloop.c (revision 46035553bfdd96e63c94e32da0210227ec2e3cf1)
1 /* $OpenBSD: serverloop.c,v 1.224 2020/10/18 11:32:02 djm Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * Server main loop for handling the interactive session.
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  *
14  * SSH2 support by Markus Friedl.
15  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
16  *
17  * Redistribution and use in source and binary forms, with or without
18  * modification, are permitted provided that the following conditions
19  * are met:
20  * 1. Redistributions of source code must retain the above copyright
21  *    notice, this list of conditions and the following disclaimer.
22  * 2. Redistributions in binary form must reproduce the above copyright
23  *    notice, this list of conditions and the following disclaimer in the
24  *    documentation and/or other materials provided with the distribution.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36  */
37 
38 #include <sys/types.h>
39 #include <sys/wait.h>
40 #include <sys/socket.h>
41 #include <sys/time.h>
42 #include <sys/queue.h>
43 
44 #include <netinet/in.h>
45 
46 #include <errno.h>
47 #include <fcntl.h>
48 #include <pwd.h>
49 #include <limits.h>
50 #include <signal.h>
51 #include <string.h>
52 #include <termios.h>
53 #include <unistd.h>
54 #include <stdarg.h>
55 
56 #include "xmalloc.h"
57 #include "packet.h"
58 #include "sshbuf.h"
59 #include "log.h"
60 #include "misc.h"
61 #include "servconf.h"
62 #include "canohost.h"
63 #include "sshpty.h"
64 #include "channels.h"
65 #include "compat.h"
66 #include "ssh2.h"
67 #include "sshkey.h"
68 #include "cipher.h"
69 #include "kex.h"
70 #include "hostfile.h"
71 #include "auth.h"
72 #include "session.h"
73 #include "dispatch.h"
74 #include "auth-options.h"
75 #include "serverloop.h"
76 #include "ssherr.h"
77 
78 extern ServerOptions options;
79 
80 /* XXX */
81 extern Authctxt *the_authctxt;
82 extern struct sshauthopt *auth_opts;
83 extern int use_privsep;
84 
85 static int no_more_sessions = 0; /* Disallow further sessions. */
86 
87 /*
88  * This SIGCHLD kludge is used to detect when the child exits.  The server
89  * will exit after that, as soon as forwarded connections have terminated.
90  */
91 
92 static volatile sig_atomic_t child_terminated = 0;	/* The child has terminated. */
93 
94 /* Cleanup on signals (!use_privsep case only) */
95 static volatile sig_atomic_t received_sigterm = 0;
96 
97 /* prototypes */
98 static void server_init_dispatch(struct ssh *);
99 
100 /* requested tunnel forwarding interface(s), shared with session.c */
101 char *tun_fwd_ifnames = NULL;
102 
103 /* returns 1 if bind to specified port by specified user is permitted */
104 static int
105 bind_permitted(int port, uid_t uid)
106 {
107 	if (use_privsep)
108 		return 1; /* allow system to decide */
109 	if (port < IPPORT_RESERVED && uid != 0)
110 		return 0;
111 	return 1;
112 }
113 
114 /*
115  * we write to this pipe if a SIGCHLD is caught in order to avoid
116  * the race between select() and child_terminated
117  */
118 static int notify_pipe[2];
119 static void
120 notify_setup(void)
121 {
122 	if (pipe(notify_pipe) == -1) {
123 		error("pipe(notify_pipe) failed %s", strerror(errno));
124 	} else if ((fcntl(notify_pipe[0], F_SETFD, FD_CLOEXEC) == -1) ||
125 	    (fcntl(notify_pipe[1], F_SETFD, FD_CLOEXEC) == -1)) {
126 		error("fcntl(notify_pipe, F_SETFD) failed %s", strerror(errno));
127 		close(notify_pipe[0]);
128 		close(notify_pipe[1]);
129 	} else {
130 		set_nonblock(notify_pipe[0]);
131 		set_nonblock(notify_pipe[1]);
132 		return;
133 	}
134 	notify_pipe[0] = -1;	/* read end */
135 	notify_pipe[1] = -1;	/* write end */
136 }
137 static void
138 notify_parent(void)
139 {
140 	if (notify_pipe[1] != -1)
141 		(void)write(notify_pipe[1], "", 1);
142 }
143 static void
144 notify_prepare(fd_set *readset)
145 {
146 	if (notify_pipe[0] != -1)
147 		FD_SET(notify_pipe[0], readset);
148 }
149 static void
150 notify_done(fd_set *readset)
151 {
152 	char c;
153 
154 	if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset))
155 		while (read(notify_pipe[0], &c, 1) != -1)
156 			debug2_f("reading");
157 }
158 
159 /*ARGSUSED*/
160 static void
161 sigchld_handler(int sig)
162 {
163 	int save_errno = errno;
164 	child_terminated = 1;
165 	notify_parent();
166 	errno = save_errno;
167 }
168 
169 /*ARGSUSED*/
170 static void
171 sigterm_handler(int sig)
172 {
173 	received_sigterm = sig;
174 }
175 
176 static void
177 client_alive_check(struct ssh *ssh)
178 {
179 	char remote_id[512];
180 	int r, channel_id;
181 
182 	/* timeout, check to see how many we have had */
183 	if (options.client_alive_count_max > 0 &&
184 	    ssh_packet_inc_alive_timeouts(ssh) >
185 	    options.client_alive_count_max) {
186 		sshpkt_fmt_connection_id(ssh, remote_id, sizeof(remote_id));
187 		logit("Timeout, client not responding from %s", remote_id);
188 		cleanup_exit(255);
189 	}
190 
191 	/*
192 	 * send a bogus global/channel request with "wantreply",
193 	 * we should get back a failure
194 	 */
195 	if ((channel_id = channel_find_open(ssh)) == -1) {
196 		if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
197 		    (r = sshpkt_put_cstring(ssh, "keepalive@openssh.com"))
198 		    != 0 ||
199 		    (r = sshpkt_put_u8(ssh, 1)) != 0) /* boolean: want reply */
200 			fatal_fr(r, "compose");
201 	} else {
202 		channel_request_start(ssh, channel_id,
203 		    "keepalive@openssh.com", 1);
204 	}
205 	if ((r = sshpkt_send(ssh)) != 0)
206 		fatal_fr(r, "send");
207 }
208 
209 /*
210  * Sleep in select() until we can do something.  This will initialize the
211  * select masks.  Upon return, the masks will indicate which descriptors
212  * have data or can accept data.  Optionally, a maximum time can be specified
213  * for the duration of the wait (0 = infinite).
214  */
215 static void
216 wait_until_can_do_something(struct ssh *ssh,
217     int connection_in, int connection_out,
218     fd_set **readsetp, fd_set **writesetp, int *maxfdp,
219     u_int *nallocp, u_int64_t max_time_ms)
220 {
221 	struct timeval tv, *tvp;
222 	int ret;
223 	time_t minwait_secs = 0;
224 	int client_alive_scheduled = 0;
225 	/* time we last heard from the client OR sent a keepalive */
226 	static time_t last_client_time;
227 
228 	/* Allocate and update select() masks for channel descriptors. */
229 	channel_prepare_select(ssh, readsetp, writesetp, maxfdp,
230 	    nallocp, &minwait_secs);
231 
232 	/* XXX need proper deadline system for rekey/client alive */
233 	if (minwait_secs != 0)
234 		max_time_ms = MINIMUM(max_time_ms, (u_int)minwait_secs * 1000);
235 
236 	/*
237 	 * if using client_alive, set the max timeout accordingly,
238 	 * and indicate that this particular timeout was for client
239 	 * alive by setting the client_alive_scheduled flag.
240 	 *
241 	 * this could be randomized somewhat to make traffic
242 	 * analysis more difficult, but we're not doing it yet.
243 	 */
244 	if (options.client_alive_interval) {
245 		uint64_t keepalive_ms =
246 		    (uint64_t)options.client_alive_interval * 1000;
247 
248 		if (max_time_ms == 0 || max_time_ms > keepalive_ms) {
249 			max_time_ms = keepalive_ms;
250 			client_alive_scheduled = 1;
251 		}
252 		if (last_client_time == 0)
253 			last_client_time = monotime();
254 	}
255 
256 #if 0
257 	/* wrong: bad condition XXX */
258 	if (channel_not_very_much_buffered_data())
259 #endif
260 	FD_SET(connection_in, *readsetp);
261 	notify_prepare(*readsetp);
262 
263 	/*
264 	 * If we have buffered packet data going to the client, mark that
265 	 * descriptor.
266 	 */
267 	if (ssh_packet_have_data_to_write(ssh))
268 		FD_SET(connection_out, *writesetp);
269 
270 	/*
271 	 * If child has terminated and there is enough buffer space to read
272 	 * from it, then read as much as is available and exit.
273 	 */
274 	if (child_terminated && ssh_packet_not_very_much_data_to_write(ssh))
275 		if (max_time_ms == 0 || client_alive_scheduled)
276 			max_time_ms = 100;
277 
278 	if (max_time_ms == 0)
279 		tvp = NULL;
280 	else {
281 		tv.tv_sec = max_time_ms / 1000;
282 		tv.tv_usec = 1000 * (max_time_ms % 1000);
283 		tvp = &tv;
284 	}
285 
286 	/* Wait for something to happen, or the timeout to expire. */
287 	ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
288 
289 	if (ret == -1) {
290 		memset(*readsetp, 0, *nallocp);
291 		memset(*writesetp, 0, *nallocp);
292 		if (errno != EINTR)
293 			error("select: %.100s", strerror(errno));
294 	} else if (client_alive_scheduled) {
295 		time_t now = monotime();
296 
297 		/*
298 		 * If the select timed out, or returned for some other reason
299 		 * but we haven't heard from the client in time, send keepalive.
300 		 */
301 		if (ret == 0 || (last_client_time != 0 && last_client_time +
302 		    options.client_alive_interval <= now)) {
303 			client_alive_check(ssh);
304 			last_client_time = now;
305 		} else if (FD_ISSET(connection_in, *readsetp)) {
306 			last_client_time = now;
307 		}
308 	}
309 
310 	notify_done(*readsetp);
311 }
312 
313 /*
314  * Processes input from the client and the program.  Input data is stored
315  * in buffers and processed later.
316  */
317 static int
318 process_input(struct ssh *ssh, fd_set *readset, int connection_in)
319 {
320 	int r, len;
321 	char buf[16384];
322 
323 	/* Read and buffer any input data from the client. */
324 	if (FD_ISSET(connection_in, readset)) {
325 		len = read(connection_in, buf, sizeof(buf));
326 		if (len == 0) {
327 			verbose("Connection closed by %.100s port %d",
328 			    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
329 			return -1;
330 		} else if (len == -1) {
331 			if (errno == EINTR || errno == EAGAIN)
332 				return 0;
333 			verbose("Read error from remote host %s port %d: %s",
334 			    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
335 			    strerror(errno));
336 			cleanup_exit(255);
337 		}
338 		/* Buffer any received data. */
339 		if ((r = ssh_packet_process_incoming(ssh, buf, len)) != 0)
340 			fatal_fr(r, "ssh_packet_process_incoming");
341 	}
342 	return 0;
343 }
344 
345 /*
346  * Sends data from internal buffers to client program stdin.
347  */
348 static void
349 process_output(struct ssh *ssh, fd_set *writeset, int connection_out)
350 {
351 	int r;
352 
353 	/* Send any buffered packet data to the client. */
354 	if (FD_ISSET(connection_out, writeset)) {
355 		if ((r = ssh_packet_write_poll(ssh)) != 0) {
356 			sshpkt_fatal(ssh, r, "%s: ssh_packet_write_poll",
357 			    __func__);
358 		}
359 	}
360 }
361 
362 static void
363 process_buffered_input_packets(struct ssh *ssh)
364 {
365 	ssh_dispatch_run_fatal(ssh, DISPATCH_NONBLOCK, NULL);
366 }
367 
368 static void
369 collect_children(struct ssh *ssh)
370 {
371 	pid_t pid;
372 	sigset_t oset, nset;
373 	int status;
374 
375 	/* block SIGCHLD while we check for dead children */
376 	sigemptyset(&nset);
377 	sigaddset(&nset, SIGCHLD);
378 	sigprocmask(SIG_BLOCK, &nset, &oset);
379 	if (child_terminated) {
380 		debug("Received SIGCHLD.");
381 		while ((pid = waitpid(-1, &status, WNOHANG)) > 0 ||
382 		    (pid == -1 && errno == EINTR))
383 			if (pid > 0)
384 				session_close_by_pid(ssh, pid, status);
385 		child_terminated = 0;
386 	}
387 	sigprocmask(SIG_SETMASK, &oset, NULL);
388 }
389 
390 void
391 server_loop2(struct ssh *ssh, Authctxt *authctxt)
392 {
393 	fd_set *readset = NULL, *writeset = NULL;
394 	int max_fd;
395 	u_int nalloc = 0, connection_in, connection_out;
396 	u_int64_t rekey_timeout_ms = 0;
397 
398 	debug("Entering interactive session for SSH2.");
399 
400 	ssh_signal(SIGCHLD, sigchld_handler);
401 	child_terminated = 0;
402 	connection_in = ssh_packet_get_connection_in(ssh);
403 	connection_out = ssh_packet_get_connection_out(ssh);
404 
405 	if (!use_privsep) {
406 		ssh_signal(SIGTERM, sigterm_handler);
407 		ssh_signal(SIGINT, sigterm_handler);
408 		ssh_signal(SIGQUIT, sigterm_handler);
409 	}
410 
411 	notify_setup();
412 
413 	max_fd = MAXIMUM(connection_in, connection_out);
414 	max_fd = MAXIMUM(max_fd, notify_pipe[0]);
415 
416 	server_init_dispatch(ssh);
417 
418 	for (;;) {
419 		process_buffered_input_packets(ssh);
420 
421 		if (!ssh_packet_is_rekeying(ssh) &&
422 		    ssh_packet_not_very_much_data_to_write(ssh))
423 			channel_output_poll(ssh);
424 		if (options.rekey_interval > 0 &&
425 		    !ssh_packet_is_rekeying(ssh)) {
426 			rekey_timeout_ms = ssh_packet_get_rekey_timeout(ssh) *
427 			    1000;
428 		} else {
429 			rekey_timeout_ms = 0;
430 		}
431 
432 		wait_until_can_do_something(ssh, connection_in, connection_out,
433 		    &readset, &writeset, &max_fd, &nalloc, rekey_timeout_ms);
434 
435 		if (received_sigterm) {
436 			logit("Exiting on signal %d", (int)received_sigterm);
437 			/* Clean up sessions, utmp, etc. */
438 			cleanup_exit(255);
439 		}
440 
441 		collect_children(ssh);
442 		if (!ssh_packet_is_rekeying(ssh))
443 			channel_after_select(ssh, readset, writeset);
444 		if (process_input(ssh, readset, connection_in) < 0)
445 			break;
446 		process_output(ssh, writeset, connection_out);
447 	}
448 	collect_children(ssh);
449 
450 	free(readset);
451 	free(writeset);
452 
453 	/* free all channels, no more reads and writes */
454 	channel_free_all(ssh);
455 
456 	/* free remaining sessions, e.g. remove wtmp entries */
457 	session_destroy_all(ssh, NULL);
458 }
459 
460 static int
461 server_input_keep_alive(int type, u_int32_t seq, struct ssh *ssh)
462 {
463 	debug("Got %d/%u for keepalive", type, seq);
464 	/*
465 	 * reset timeout, since we got a sane answer from the client.
466 	 * even if this was generated by something other than
467 	 * the bogus CHANNEL_REQUEST we send for keepalives.
468 	 */
469 	ssh_packet_set_alive_timeouts(ssh, 0);
470 	return 0;
471 }
472 
473 static Channel *
474 server_request_direct_tcpip(struct ssh *ssh, int *reason, const char **errmsg)
475 {
476 	Channel *c = NULL;
477 	char *target = NULL, *originator = NULL;
478 	u_int target_port = 0, originator_port = 0;
479 	int r;
480 
481 	if ((r = sshpkt_get_cstring(ssh, &target, NULL)) != 0 ||
482 	    (r = sshpkt_get_u32(ssh, &target_port)) != 0 ||
483 	    (r = sshpkt_get_cstring(ssh, &originator, NULL)) != 0 ||
484 	    (r = sshpkt_get_u32(ssh, &originator_port)) != 0 ||
485 	    (r = sshpkt_get_end(ssh)) != 0)
486 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
487 	if (target_port > 0xFFFF) {
488 		error_f("invalid target port");
489 		*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
490 		goto out;
491 	}
492 	if (originator_port > 0xFFFF) {
493 		error_f("invalid originator port");
494 		*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
495 		goto out;
496 	}
497 
498 	debug_f("originator %s port %u, target %s port %u",
499 	    originator, originator_port, target, target_port);
500 
501 	/* XXX fine grained permissions */
502 	if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
503 	    auth_opts->permit_port_forwarding_flag &&
504 	    !options.disable_forwarding) {
505 		c = channel_connect_to_port(ssh, target, target_port,
506 		    "direct-tcpip", "direct-tcpip", reason, errmsg);
507 	} else {
508 		logit("refused local port forward: "
509 		    "originator %s port %d, target %s port %d",
510 		    originator, originator_port, target, target_port);
511 		if (reason != NULL)
512 			*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
513 	}
514 
515  out:
516 	free(originator);
517 	free(target);
518 	return c;
519 }
520 
521 static Channel *
522 server_request_direct_streamlocal(struct ssh *ssh)
523 {
524 	Channel *c = NULL;
525 	char *target = NULL, *originator = NULL;
526 	u_int originator_port = 0;
527 	struct passwd *pw = the_authctxt->pw;
528 	int r;
529 
530 	if (pw == NULL || !the_authctxt->valid)
531 		fatal_f("no/invalid user");
532 
533 	if ((r = sshpkt_get_cstring(ssh, &target, NULL)) != 0 ||
534 	    (r = sshpkt_get_cstring(ssh, &originator, NULL)) != 0 ||
535 	    (r = sshpkt_get_u32(ssh, &originator_port)) != 0 ||
536 	    (r = sshpkt_get_end(ssh)) != 0)
537 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
538 	if (originator_port > 0xFFFF) {
539 		error_f("invalid originator port");
540 		goto out;
541 	}
542 
543 	debug_f("originator %s port %d, target %s",
544 	    originator, originator_port, target);
545 
546 	/* XXX fine grained permissions */
547 	if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
548 	    auth_opts->permit_port_forwarding_flag &&
549 	    !options.disable_forwarding && (pw->pw_uid == 0 || use_privsep)) {
550 		c = channel_connect_to_path(ssh, target,
551 		    "direct-streamlocal@openssh.com", "direct-streamlocal");
552 	} else {
553 		logit("refused streamlocal port forward: "
554 		    "originator %s port %d, target %s",
555 		    originator, originator_port, target);
556 	}
557 
558 out:
559 	free(originator);
560 	free(target);
561 	return c;
562 }
563 
564 static Channel *
565 server_request_tun(struct ssh *ssh)
566 {
567 	Channel *c = NULL;
568 	u_int mode, tun;
569 	int r, sock;
570 	char *tmp, *ifname = NULL;
571 
572 	if ((r = sshpkt_get_u32(ssh, &mode)) != 0)
573 		sshpkt_fatal(ssh, r, "%s: parse mode", __func__);
574 	switch (mode) {
575 	case SSH_TUNMODE_POINTOPOINT:
576 	case SSH_TUNMODE_ETHERNET:
577 		break;
578 	default:
579 		ssh_packet_send_debug(ssh, "Unsupported tunnel device mode.");
580 		return NULL;
581 	}
582 	if ((options.permit_tun & mode) == 0) {
583 		ssh_packet_send_debug(ssh, "Server has rejected tunnel device "
584 		    "forwarding");
585 		return NULL;
586 	}
587 
588 	if ((r = sshpkt_get_u32(ssh, &tun)) != 0)
589 		sshpkt_fatal(ssh, r, "%s: parse device", __func__);
590 	if (tun > INT_MAX) {
591 		debug_f("invalid tun");
592 		goto done;
593 	}
594 	if (auth_opts->force_tun_device != -1) {
595 		if (tun != SSH_TUNID_ANY &&
596 		    auth_opts->force_tun_device != (int)tun)
597 			goto done;
598 		tun = auth_opts->force_tun_device;
599 	}
600 	sock = tun_open(tun, mode, &ifname);
601 	if (sock < 0)
602 		goto done;
603 	debug("Tunnel forwarding using interface %s", ifname);
604 
605 	c = channel_new(ssh, "tun", SSH_CHANNEL_OPEN, sock, sock, -1,
606 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
607 	c->datagram = 1;
608 
609 	/*
610 	 * Update the list of names exposed to the session
611 	 * XXX remove these if the tunnels are closed (won't matter
612 	 * much if they are already in the environment though)
613 	 */
614 	tmp = tun_fwd_ifnames;
615 	xasprintf(&tun_fwd_ifnames, "%s%s%s",
616 	    tun_fwd_ifnames == NULL ? "" : tun_fwd_ifnames,
617 	    tun_fwd_ifnames == NULL ? "" : ",",
618 	    ifname);
619 	free(tmp);
620 	free(ifname);
621 
622  done:
623 	if (c == NULL)
624 		ssh_packet_send_debug(ssh, "Failed to open the tunnel device.");
625 	return c;
626 }
627 
628 static Channel *
629 server_request_session(struct ssh *ssh)
630 {
631 	Channel *c;
632 	int r;
633 
634 	debug("input_session_request");
635 	if ((r = sshpkt_get_end(ssh)) != 0)
636 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
637 
638 	if (no_more_sessions) {
639 		ssh_packet_disconnect(ssh, "Possible attack: attempt to open a "
640 		    "session after additional sessions disabled");
641 	}
642 
643 	/*
644 	 * A server session has no fd to read or write until a
645 	 * CHANNEL_REQUEST for a shell is made, so we set the type to
646 	 * SSH_CHANNEL_LARVAL.  Additionally, a callback for handling all
647 	 * CHANNEL_REQUEST messages is registered.
648 	 */
649 	c = channel_new(ssh, "session", SSH_CHANNEL_LARVAL,
650 	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
651 	    0, "server-session", 1);
652 	if (session_open(the_authctxt, c->self) != 1) {
653 		debug("session open failed, free channel %d", c->self);
654 		channel_free(ssh, c);
655 		return NULL;
656 	}
657 	channel_register_cleanup(ssh, c->self, session_close_by_channel, 0);
658 	return c;
659 }
660 
661 static int
662 server_input_channel_open(int type, u_int32_t seq, struct ssh *ssh)
663 {
664 	Channel *c = NULL;
665 	char *ctype = NULL;
666 	const char *errmsg = NULL;
667 	int r, reason = SSH2_OPEN_CONNECT_FAILED;
668 	u_int rchan = 0, rmaxpack = 0, rwindow = 0;
669 
670 	if ((r = sshpkt_get_cstring(ssh, &ctype, NULL)) != 0 ||
671 	    (r = sshpkt_get_u32(ssh, &rchan)) != 0 ||
672 	    (r = sshpkt_get_u32(ssh, &rwindow)) != 0 ||
673 	    (r = sshpkt_get_u32(ssh, &rmaxpack)) != 0)
674 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
675 	debug_f("ctype %s rchan %u win %u max %u",
676 	    ctype, rchan, rwindow, rmaxpack);
677 
678 	if (strcmp(ctype, "session") == 0) {
679 		c = server_request_session(ssh);
680 	} else if (strcmp(ctype, "direct-tcpip") == 0) {
681 		c = server_request_direct_tcpip(ssh, &reason, &errmsg);
682 	} else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
683 		c = server_request_direct_streamlocal(ssh);
684 	} else if (strcmp(ctype, "tun@openssh.com") == 0) {
685 		c = server_request_tun(ssh);
686 	}
687 	if (c != NULL) {
688 		debug_f("confirm %s", ctype);
689 		c->remote_id = rchan;
690 		c->have_remote_id = 1;
691 		c->remote_window = rwindow;
692 		c->remote_maxpacket = rmaxpack;
693 		if (c->type != SSH_CHANNEL_CONNECTING) {
694 			if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
695 			    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
696 			    (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
697 			    (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
698 			    (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 ||
699 			    (r = sshpkt_send(ssh)) != 0) {
700 				sshpkt_fatal(ssh, r,
701 				    "%s: send open confirm", __func__);
702 			}
703 		}
704 	} else {
705 		debug_f("failure %s", ctype);
706 		if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
707 		    (r = sshpkt_put_u32(ssh, rchan)) != 0 ||
708 		    (r = sshpkt_put_u32(ssh, reason)) != 0 ||
709 		    (r = sshpkt_put_cstring(ssh, errmsg ? errmsg : "open failed")) != 0 ||
710 		    (r = sshpkt_put_cstring(ssh, "")) != 0 ||
711 		    (r = sshpkt_send(ssh)) != 0) {
712 			sshpkt_fatal(ssh, r,
713 			    "%s: send open failure", __func__);
714 		}
715 	}
716 	free(ctype);
717 	return 0;
718 }
719 
720 static int
721 server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf **respp)
722 {
723 	struct sshbuf *resp = NULL;
724 	struct sshbuf *sigbuf = NULL;
725 	struct sshkey *key = NULL, *key_pub = NULL, *key_prv = NULL;
726 	int r, ndx, kexsigtype, use_kexsigtype, success = 0;
727 	const u_char *blob;
728 	u_char *sig = 0;
729 	size_t blen, slen;
730 
731 	if ((resp = sshbuf_new()) == NULL || (sigbuf = sshbuf_new()) == NULL)
732 		fatal_f("sshbuf_new");
733 
734 	kexsigtype = sshkey_type_plain(
735 	    sshkey_type_from_name(ssh->kex->hostkey_alg));
736 	while (ssh_packet_remaining(ssh) > 0) {
737 		sshkey_free(key);
738 		key = NULL;
739 		if ((r = sshpkt_get_string_direct(ssh, &blob, &blen)) != 0 ||
740 		    (r = sshkey_from_blob(blob, blen, &key)) != 0) {
741 			error_fr(r, "parse key");
742 			goto out;
743 		}
744 		/*
745 		 * Better check that this is actually one of our hostkeys
746 		 * before attempting to sign anything with it.
747 		 */
748 		if ((ndx = ssh->kex->host_key_index(key, 1, ssh)) == -1) {
749 			error_f("unknown host %s key", sshkey_type(key));
750 			goto out;
751 		}
752 		/*
753 		 * XXX refactor: make kex->sign just use an index rather
754 		 * than passing in public and private keys
755 		 */
756 		if ((key_prv = get_hostkey_by_index(ndx)) == NULL &&
757 		    (key_pub = get_hostkey_public_by_index(ndx, ssh)) == NULL) {
758 			error_f("can't retrieve hostkey %d", ndx);
759 			goto out;
760 		}
761 		sshbuf_reset(sigbuf);
762 		free(sig);
763 		sig = NULL;
764 		/*
765 		 * For RSA keys, prefer to use the signature type negotiated
766 		 * during KEX to the default (SHA1).
767 		 */
768 		use_kexsigtype = kexsigtype == KEY_RSA &&
769 		    sshkey_type_plain(key->type) == KEY_RSA;
770 		if ((r = sshbuf_put_cstring(sigbuf,
771 		    "hostkeys-prove-00@openssh.com")) != 0 ||
772 		    (r = sshbuf_put_string(sigbuf,
773 		    ssh->kex->session_id, ssh->kex->session_id_len)) != 0 ||
774 		    (r = sshkey_puts(key, sigbuf)) != 0 ||
775 		    (r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen,
776 		    sshbuf_ptr(sigbuf), sshbuf_len(sigbuf),
777 		    use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 ||
778 		    (r = sshbuf_put_string(resp, sig, slen)) != 0) {
779 			error_fr(r, "assemble signature");
780 			goto out;
781 		}
782 	}
783 	/* Success */
784 	*respp = resp;
785 	resp = NULL; /* don't free it */
786 	success = 1;
787  out:
788 	free(sig);
789 	sshbuf_free(resp);
790 	sshbuf_free(sigbuf);
791 	sshkey_free(key);
792 	return success;
793 }
794 
795 static int
796 server_input_global_request(int type, u_int32_t seq, struct ssh *ssh)
797 {
798 	char *rtype = NULL;
799 	u_char want_reply = 0;
800 	int r, success = 0, allocated_listen_port = 0;
801 	u_int port = 0;
802 	struct sshbuf *resp = NULL;
803 	struct passwd *pw = the_authctxt->pw;
804 	struct Forward fwd;
805 
806 	memset(&fwd, 0, sizeof(fwd));
807 	if (pw == NULL || !the_authctxt->valid)
808 		fatal_f("no/invalid user");
809 
810 	if ((r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 ||
811 	    (r = sshpkt_get_u8(ssh, &want_reply)) != 0)
812 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
813 	debug_f("rtype %s want_reply %d", rtype, want_reply);
814 
815 	/* -R style forwarding */
816 	if (strcmp(rtype, "tcpip-forward") == 0) {
817 		if ((r = sshpkt_get_cstring(ssh, &fwd.listen_host, NULL)) != 0 ||
818 		    (r = sshpkt_get_u32(ssh, &port)) != 0)
819 			sshpkt_fatal(ssh, r, "%s: parse tcpip-forward", __func__);
820 		debug_f("tcpip-forward listen %s port %u",
821 		    fwd.listen_host, port);
822 		if (port <= INT_MAX)
823 			fwd.listen_port = (int)port;
824 		/* check permissions */
825 		if (port > INT_MAX ||
826 		    (options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
827 		    !auth_opts->permit_port_forwarding_flag ||
828 		    options.disable_forwarding ||
829 		    (!want_reply && fwd.listen_port == 0) ||
830 		    (fwd.listen_port != 0 &&
831 		     !bind_permitted(fwd.listen_port, pw->pw_uid))) {
832 			success = 0;
833 			ssh_packet_send_debug(ssh, "Server has disabled port forwarding.");
834 		} else {
835 			/* Start listening on the port */
836 			success = channel_setup_remote_fwd_listener(ssh, &fwd,
837 			    &allocated_listen_port, &options.fwd_opts);
838 		}
839 		if ((resp = sshbuf_new()) == NULL)
840 			fatal_f("sshbuf_new");
841 		if (allocated_listen_port != 0 &&
842 		    (r = sshbuf_put_u32(resp, allocated_listen_port)) != 0)
843 			fatal_fr(r, "sshbuf_put_u32");
844 	} else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
845 		if ((r = sshpkt_get_cstring(ssh, &fwd.listen_host, NULL)) != 0 ||
846 		    (r = sshpkt_get_u32(ssh, &port)) != 0)
847 			sshpkt_fatal(ssh, r, "%s: parse cancel-tcpip-forward", __func__);
848 
849 		debug_f("cancel-tcpip-forward addr %s port %d",
850 		    fwd.listen_host, port);
851 		if (port <= INT_MAX) {
852 			fwd.listen_port = (int)port;
853 			success = channel_cancel_rport_listener(ssh, &fwd);
854 		}
855 	} else if (strcmp(rtype, "streamlocal-forward@openssh.com") == 0) {
856 		if ((r = sshpkt_get_cstring(ssh, &fwd.listen_path, NULL)) != 0)
857 			sshpkt_fatal(ssh, r, "%s: parse streamlocal-forward@openssh.com", __func__);
858 		debug_f("streamlocal-forward listen path %s",
859 		    fwd.listen_path);
860 
861 		/* check permissions */
862 		if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
863 		    || !auth_opts->permit_port_forwarding_flag ||
864 		    options.disable_forwarding ||
865 		    (pw->pw_uid != 0 && !use_privsep)) {
866 			success = 0;
867 			ssh_packet_send_debug(ssh, "Server has disabled "
868 			    "streamlocal forwarding.");
869 		} else {
870 			/* Start listening on the socket */
871 			success = channel_setup_remote_fwd_listener(ssh,
872 			    &fwd, NULL, &options.fwd_opts);
873 		}
874 	} else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
875 		if ((r = sshpkt_get_cstring(ssh, &fwd.listen_path, NULL)) != 0)
876 			sshpkt_fatal(ssh, r, "%s: parse cancel-streamlocal-forward@openssh.com", __func__);
877 		debug_f("cancel-streamlocal-forward path %s",
878 		    fwd.listen_path);
879 
880 		success = channel_cancel_rport_listener(ssh, &fwd);
881 	} else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) {
882 		no_more_sessions = 1;
883 		success = 1;
884 	} else if (strcmp(rtype, "hostkeys-prove-00@openssh.com") == 0) {
885 		success = server_input_hostkeys_prove(ssh, &resp);
886 	}
887 	/* XXX sshpkt_get_end() */
888 	if (want_reply) {
889 		if ((r = sshpkt_start(ssh, success ?
890 		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE)) != 0 ||
891 		    (success && resp != NULL && (r = sshpkt_putb(ssh, resp)) != 0) ||
892 		    (r = sshpkt_send(ssh)) != 0 ||
893 		    (r = ssh_packet_write_wait(ssh)) != 0)
894 			sshpkt_fatal(ssh, r, "%s: send reply", __func__);
895 	}
896 	free(fwd.listen_host);
897 	free(fwd.listen_path);
898 	free(rtype);
899 	sshbuf_free(resp);
900 	return 0;
901 }
902 
903 static int
904 server_input_channel_req(int type, u_int32_t seq, struct ssh *ssh)
905 {
906 	Channel *c;
907 	int r, success = 0;
908 	char *rtype = NULL;
909 	u_char want_reply = 0;
910 	u_int id = 0;
911 
912 	if ((r = sshpkt_get_u32(ssh, &id)) != 0 ||
913 	    (r = sshpkt_get_cstring(ssh, &rtype, NULL)) != 0 ||
914 	    (r = sshpkt_get_u8(ssh, &want_reply)) != 0)
915 		sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
916 
917 	debug("server_input_channel_req: channel %u request %s reply %d",
918 	    id, rtype, want_reply);
919 
920 	if (id >= INT_MAX || (c = channel_lookup(ssh, (int)id)) == NULL) {
921 		ssh_packet_disconnect(ssh, "%s: unknown channel %d",
922 		    __func__, id);
923 	}
924 	if (!strcmp(rtype, "eow@openssh.com")) {
925 		if ((r = sshpkt_get_end(ssh)) != 0)
926 			sshpkt_fatal(ssh, r, "%s: parse packet", __func__);
927 		chan_rcvd_eow(ssh, c);
928 	} else if ((c->type == SSH_CHANNEL_LARVAL ||
929 	    c->type == SSH_CHANNEL_OPEN) && strcmp(c->ctype, "session") == 0)
930 		success = session_input_channel_req(ssh, c, rtype);
931 	if (want_reply && !(c->flags & CHAN_CLOSE_SENT)) {
932 		if (!c->have_remote_id)
933 			fatal_f("channel %d: no remote_id", c->self);
934 		if ((r = sshpkt_start(ssh, success ?
935 		    SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE)) != 0 ||
936 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
937 		    (r = sshpkt_send(ssh)) != 0)
938 			sshpkt_fatal(ssh, r, "%s: send reply", __func__);
939 	}
940 	free(rtype);
941 	return 0;
942 }
943 
944 static void
945 server_init_dispatch(struct ssh *ssh)
946 {
947 	debug("server_init_dispatch");
948 	ssh_dispatch_init(ssh, &dispatch_protocol_error);
949 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose);
950 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_DATA, &channel_input_data);
951 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
952 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
953 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open);
954 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
955 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
956 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_REQUEST, &server_input_channel_req);
957 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust);
958 	ssh_dispatch_set(ssh, SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request);
959 	/* client_alive */
960 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_SUCCESS, &server_input_keep_alive);
961 	ssh_dispatch_set(ssh, SSH2_MSG_CHANNEL_FAILURE, &server_input_keep_alive);
962 	ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_SUCCESS, &server_input_keep_alive);
963 	ssh_dispatch_set(ssh, SSH2_MSG_REQUEST_FAILURE, &server_input_keep_alive);
964 	/* rekeying */
965 	ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, &kex_input_kexinit);
966 }
967