channels.c revision 215116
1/* $OpenBSD: channels.c,v 1.309 2010/08/05 13:08:42 djm Exp $ */ 2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42#include "includes.h" 43 44#include <sys/types.h> 45#include <sys/ioctl.h> 46#include <sys/un.h> 47#include <sys/socket.h> 48#ifdef HAVE_SYS_TIME_H 49# include <sys/time.h> 50#endif 51 52#include <netinet/in.h> 53#include <arpa/inet.h> 54 55#include <errno.h> 56#include <fcntl.h> 57#include <netdb.h> 58#include <stdio.h> 59#include <stdlib.h> 60#include <string.h> 61#include <termios.h> 62#include <unistd.h> 63#include <stdarg.h> 64 65#include "openbsd-compat/sys-queue.h" 66#include "xmalloc.h" 67#include "ssh.h" 68#include "ssh1.h" 69#include "ssh2.h" 70#include "packet.h" 71#include "log.h" 72#include "misc.h" 73#include "buffer.h" 74#include "channels.h" 75#include "compat.h" 76#include "canohost.h" 77#include "key.h" 78#include "authfd.h" 79#include "pathnames.h" 80 81/* -- channel core */ 82 83/* 84 * Pointer to an array containing all allocated channels. The array is 85 * dynamically extended as needed. 86 */ 87static Channel **channels = NULL; 88 89/* 90 * Size of the channel array. All slots of the array must always be 91 * initialized (at least the type field); unused slots set to NULL 92 */ 93static u_int channels_alloc = 0; 94 95/* 96 * Maximum file descriptor value used in any of the channels. This is 97 * updated in channel_new. 98 */ 99static int channel_max_fd = 0; 100 101 102/* -- tcp forwarding */ 103 104/* 105 * Data structure for storing which hosts are permitted for forward requests. 106 * The local sides of any remote forwards are stored in this array to prevent 107 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 108 * network (which might be behind a firewall). 109 */ 110typedef struct { 111 char *host_to_connect; /* Connect to 'host'. */ 112 u_short port_to_connect; /* Connect to 'port'. */ 113 u_short listen_port; /* Remote side should listen port number. */ 114} ForwardPermission; 115 116/* List of all permitted host/port pairs to connect by the user. */ 117static ForwardPermission *permitted_opens = NULL; 118 119/* List of all permitted host/port pairs to connect by the admin. */ 120static ForwardPermission *permitted_adm_opens = NULL; 121 122/* Number of permitted host/port pairs in the array permitted by the user. */ 123static int num_permitted_opens = 0; 124 125/* Number of permitted host/port pair in the array permitted by the admin. */ 126static int num_adm_permitted_opens = 0; 127 128/* 129 * If this is true, all opens are permitted. This is the case on the server 130 * on which we have to trust the client anyway, and the user could do 131 * anything after logging in anyway. 132 */ 133static int all_opens_permitted = 0; 134 135 136/* -- X11 forwarding */ 137 138/* Maximum number of fake X11 displays to try. */ 139#define MAX_DISPLAYS 1000 140 141/* Saved X11 local (client) display. */ 142static char *x11_saved_display = NULL; 143 144/* Saved X11 authentication protocol name. */ 145static char *x11_saved_proto = NULL; 146 147/* Saved X11 authentication data. This is the real data. */ 148static char *x11_saved_data = NULL; 149static u_int x11_saved_data_len = 0; 150 151/* 152 * Fake X11 authentication data. This is what the server will be sending us; 153 * we should replace any occurrences of this by the real data. 154 */ 155static u_char *x11_fake_data = NULL; 156static u_int x11_fake_data_len; 157 158 159/* -- agent forwarding */ 160 161#define NUM_SOCKS 10 162 163/* AF_UNSPEC or AF_INET or AF_INET6 */ 164static int IPv4or6 = AF_UNSPEC; 165 166/* helper */ 167static void port_open_helper(Channel *c, char *rtype); 168 169/* non-blocking connect helpers */ 170static int connect_next(struct channel_connect *); 171static void channel_connect_ctx_free(struct channel_connect *); 172 173/* -- channel core */ 174 175Channel * 176channel_by_id(int id) 177{ 178 Channel *c; 179 180 if (id < 0 || (u_int)id >= channels_alloc) { 181 logit("channel_by_id: %d: bad id", id); 182 return NULL; 183 } 184 c = channels[id]; 185 if (c == NULL) { 186 logit("channel_by_id: %d: bad id: channel free", id); 187 return NULL; 188 } 189 return c; 190} 191 192/* 193 * Returns the channel if it is allowed to receive protocol messages. 194 * Private channels, like listening sockets, may not receive messages. 195 */ 196Channel * 197channel_lookup(int id) 198{ 199 Channel *c; 200 201 if ((c = channel_by_id(id)) == NULL) 202 return (NULL); 203 204 switch (c->type) { 205 case SSH_CHANNEL_X11_OPEN: 206 case SSH_CHANNEL_LARVAL: 207 case SSH_CHANNEL_CONNECTING: 208 case SSH_CHANNEL_DYNAMIC: 209 case SSH_CHANNEL_OPENING: 210 case SSH_CHANNEL_OPEN: 211 case SSH_CHANNEL_INPUT_DRAINING: 212 case SSH_CHANNEL_OUTPUT_DRAINING: 213 return (c); 214 } 215 logit("Non-public channel %d, type %d.", id, c->type); 216 return (NULL); 217} 218 219/* 220 * Register filedescriptors for a channel, used when allocating a channel or 221 * when the channel consumer/producer is ready, e.g. shell exec'd 222 */ 223static void 224channel_register_fds(Channel *c, int rfd, int wfd, int efd, 225 int extusage, int nonblock, int is_tty) 226{ 227 /* Update the maximum file descriptor value. */ 228 channel_max_fd = MAX(channel_max_fd, rfd); 229 channel_max_fd = MAX(channel_max_fd, wfd); 230 channel_max_fd = MAX(channel_max_fd, efd); 231 232 if (rfd != -1) 233 fcntl(rfd, F_SETFD, FD_CLOEXEC); 234 if (wfd != -1 && wfd != rfd) 235 fcntl(wfd, F_SETFD, FD_CLOEXEC); 236 if (efd != -1 && efd != rfd && efd != wfd) 237 fcntl(efd, F_SETFD, FD_CLOEXEC); 238 239 c->rfd = rfd; 240 c->wfd = wfd; 241 c->sock = (rfd == wfd) ? rfd : -1; 242 c->efd = efd; 243 c->extended_usage = extusage; 244 245 if ((c->isatty = is_tty) != 0) 246 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 247 c->wfd_isatty = is_tty || isatty(c->wfd); 248 249 /* enable nonblocking mode */ 250 if (nonblock) { 251 if (rfd != -1) 252 set_nonblock(rfd); 253 if (wfd != -1) 254 set_nonblock(wfd); 255 if (efd != -1) 256 set_nonblock(efd); 257 } 258} 259 260/* 261 * Allocate a new channel object and set its type and socket. This will cause 262 * remote_name to be freed. 263 */ 264Channel * 265channel_new(char *ctype, int type, int rfd, int wfd, int efd, 266 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 267{ 268 int found; 269 u_int i; 270 Channel *c; 271 272 /* Do initial allocation if this is the first call. */ 273 if (channels_alloc == 0) { 274 channels_alloc = 10; 275 channels = xcalloc(channels_alloc, sizeof(Channel *)); 276 for (i = 0; i < channels_alloc; i++) 277 channels[i] = NULL; 278 } 279 /* Try to find a free slot where to put the new channel. */ 280 for (found = -1, i = 0; i < channels_alloc; i++) 281 if (channels[i] == NULL) { 282 /* Found a free slot. */ 283 found = (int)i; 284 break; 285 } 286 if (found < 0) { 287 /* There are no free slots. Take last+1 slot and expand the array. */ 288 found = channels_alloc; 289 if (channels_alloc > 10000) 290 fatal("channel_new: internal error: channels_alloc %d " 291 "too big.", channels_alloc); 292 channels = xrealloc(channels, channels_alloc + 10, 293 sizeof(Channel *)); 294 channels_alloc += 10; 295 debug2("channel: expanding %d", channels_alloc); 296 for (i = found; i < channels_alloc; i++) 297 channels[i] = NULL; 298 } 299 /* Initialize and return new channel. */ 300 c = channels[found] = xcalloc(1, sizeof(Channel)); 301 buffer_init(&c->input); 302 buffer_init(&c->output); 303 buffer_init(&c->extended); 304 c->path = NULL; 305 c->ostate = CHAN_OUTPUT_OPEN; 306 c->istate = CHAN_INPUT_OPEN; 307 c->flags = 0; 308 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); 309 c->self = found; 310 c->type = type; 311 c->ctype = ctype; 312 c->local_window = window; 313 c->local_window_max = window; 314 c->local_consumed = 0; 315 c->local_maxpacket = maxpack; 316 c->remote_id = -1; 317 c->remote_name = xstrdup(remote_name); 318 c->remote_window = 0; 319 c->remote_maxpacket = 0; 320 c->force_drain = 0; 321 c->single_connection = 0; 322 c->detach_user = NULL; 323 c->detach_close = 0; 324 c->open_confirm = NULL; 325 c->open_confirm_ctx = NULL; 326 c->input_filter = NULL; 327 c->output_filter = NULL; 328 c->filter_ctx = NULL; 329 c->filter_cleanup = NULL; 330 c->ctl_chan = -1; 331 c->mux_rcb = NULL; 332 c->mux_ctx = NULL; 333 c->mux_pause = 0; 334 c->delayed = 1; /* prevent call to channel_post handler */ 335 TAILQ_INIT(&c->status_confirms); 336 debug("channel %d: new [%s]", found, remote_name); 337 return c; 338} 339 340static int 341channel_find_maxfd(void) 342{ 343 u_int i; 344 int max = 0; 345 Channel *c; 346 347 for (i = 0; i < channels_alloc; i++) { 348 c = channels[i]; 349 if (c != NULL) { 350 max = MAX(max, c->rfd); 351 max = MAX(max, c->wfd); 352 max = MAX(max, c->efd); 353 } 354 } 355 return max; 356} 357 358int 359channel_close_fd(int *fdp) 360{ 361 int ret = 0, fd = *fdp; 362 363 if (fd != -1) { 364 ret = close(fd); 365 *fdp = -1; 366 if (fd == channel_max_fd) 367 channel_max_fd = channel_find_maxfd(); 368 } 369 return ret; 370} 371 372/* Close all channel fd/socket. */ 373static void 374channel_close_fds(Channel *c) 375{ 376 debug3("channel %d: close_fds r %d w %d e %d", 377 c->self, c->rfd, c->wfd, c->efd); 378 379 channel_close_fd(&c->sock); 380 channel_close_fd(&c->rfd); 381 channel_close_fd(&c->wfd); 382 channel_close_fd(&c->efd); 383} 384 385/* Free the channel and close its fd/socket. */ 386void 387channel_free(Channel *c) 388{ 389 char *s; 390 u_int i, n; 391 struct channel_confirm *cc; 392 393 for (n = 0, i = 0; i < channels_alloc; i++) 394 if (channels[i]) 395 n++; 396 debug("channel %d: free: %s, nchannels %u", c->self, 397 c->remote_name ? c->remote_name : "???", n); 398 399 s = channel_open_message(); 400 debug3("channel %d: status: %s", c->self, s); 401 xfree(s); 402 403 if (c->sock != -1) 404 shutdown(c->sock, SHUT_RDWR); 405 channel_close_fds(c); 406 buffer_free(&c->input); 407 buffer_free(&c->output); 408 buffer_free(&c->extended); 409 if (c->remote_name) { 410 xfree(c->remote_name); 411 c->remote_name = NULL; 412 } 413 if (c->path) { 414 xfree(c->path); 415 c->path = NULL; 416 } 417 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 418 if (cc->abandon_cb != NULL) 419 cc->abandon_cb(c, cc->ctx); 420 TAILQ_REMOVE(&c->status_confirms, cc, entry); 421 bzero(cc, sizeof(*cc)); 422 xfree(cc); 423 } 424 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 425 c->filter_cleanup(c->self, c->filter_ctx); 426 channels[c->self] = NULL; 427 xfree(c); 428} 429 430void 431channel_free_all(void) 432{ 433 u_int i; 434 435 for (i = 0; i < channels_alloc; i++) 436 if (channels[i] != NULL) 437 channel_free(channels[i]); 438} 439 440/* 441 * Closes the sockets/fds of all channels. This is used to close extra file 442 * descriptors after a fork. 443 */ 444void 445channel_close_all(void) 446{ 447 u_int i; 448 449 for (i = 0; i < channels_alloc; i++) 450 if (channels[i] != NULL) 451 channel_close_fds(channels[i]); 452} 453 454/* 455 * Stop listening to channels. 456 */ 457void 458channel_stop_listening(void) 459{ 460 u_int i; 461 Channel *c; 462 463 for (i = 0; i < channels_alloc; i++) { 464 c = channels[i]; 465 if (c != NULL) { 466 switch (c->type) { 467 case SSH_CHANNEL_AUTH_SOCKET: 468 case SSH_CHANNEL_PORT_LISTENER: 469 case SSH_CHANNEL_RPORT_LISTENER: 470 case SSH_CHANNEL_X11_LISTENER: 471 channel_close_fd(&c->sock); 472 channel_free(c); 473 break; 474 } 475 } 476 } 477} 478 479/* 480 * Returns true if no channel has too much buffered data, and false if one or 481 * more channel is overfull. 482 */ 483int 484channel_not_very_much_buffered_data(void) 485{ 486 u_int i; 487 Channel *c; 488 489 for (i = 0; i < channels_alloc; i++) { 490 c = channels[i]; 491 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 492#if 0 493 if (!compat20 && 494 buffer_len(&c->input) > packet_get_maxsize()) { 495 debug2("channel %d: big input buffer %d", 496 c->self, buffer_len(&c->input)); 497 return 0; 498 } 499#endif 500 if (buffer_len(&c->output) > packet_get_maxsize()) { 501 debug2("channel %d: big output buffer %u > %u", 502 c->self, buffer_len(&c->output), 503 packet_get_maxsize()); 504 return 0; 505 } 506 } 507 } 508 return 1; 509} 510 511/* Returns true if any channel is still open. */ 512int 513channel_still_open(void) 514{ 515 u_int i; 516 Channel *c; 517 518 for (i = 0; i < channels_alloc; i++) { 519 c = channels[i]; 520 if (c == NULL) 521 continue; 522 switch (c->type) { 523 case SSH_CHANNEL_X11_LISTENER: 524 case SSH_CHANNEL_PORT_LISTENER: 525 case SSH_CHANNEL_RPORT_LISTENER: 526 case SSH_CHANNEL_MUX_LISTENER: 527 case SSH_CHANNEL_CLOSED: 528 case SSH_CHANNEL_AUTH_SOCKET: 529 case SSH_CHANNEL_DYNAMIC: 530 case SSH_CHANNEL_CONNECTING: 531 case SSH_CHANNEL_ZOMBIE: 532 continue; 533 case SSH_CHANNEL_LARVAL: 534 if (!compat20) 535 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 536 continue; 537 case SSH_CHANNEL_OPENING: 538 case SSH_CHANNEL_OPEN: 539 case SSH_CHANNEL_X11_OPEN: 540 case SSH_CHANNEL_MUX_CLIENT: 541 return 1; 542 case SSH_CHANNEL_INPUT_DRAINING: 543 case SSH_CHANNEL_OUTPUT_DRAINING: 544 if (!compat13) 545 fatal("cannot happen: OUT_DRAIN"); 546 return 1; 547 default: 548 fatal("channel_still_open: bad channel type %d", c->type); 549 /* NOTREACHED */ 550 } 551 } 552 return 0; 553} 554 555/* Returns the id of an open channel suitable for keepaliving */ 556int 557channel_find_open(void) 558{ 559 u_int i; 560 Channel *c; 561 562 for (i = 0; i < channels_alloc; i++) { 563 c = channels[i]; 564 if (c == NULL || c->remote_id < 0) 565 continue; 566 switch (c->type) { 567 case SSH_CHANNEL_CLOSED: 568 case SSH_CHANNEL_DYNAMIC: 569 case SSH_CHANNEL_X11_LISTENER: 570 case SSH_CHANNEL_PORT_LISTENER: 571 case SSH_CHANNEL_RPORT_LISTENER: 572 case SSH_CHANNEL_MUX_LISTENER: 573 case SSH_CHANNEL_MUX_CLIENT: 574 case SSH_CHANNEL_OPENING: 575 case SSH_CHANNEL_CONNECTING: 576 case SSH_CHANNEL_ZOMBIE: 577 continue; 578 case SSH_CHANNEL_LARVAL: 579 case SSH_CHANNEL_AUTH_SOCKET: 580 case SSH_CHANNEL_OPEN: 581 case SSH_CHANNEL_X11_OPEN: 582 return i; 583 case SSH_CHANNEL_INPUT_DRAINING: 584 case SSH_CHANNEL_OUTPUT_DRAINING: 585 if (!compat13) 586 fatal("cannot happen: OUT_DRAIN"); 587 return i; 588 default: 589 fatal("channel_find_open: bad channel type %d", c->type); 590 /* NOTREACHED */ 591 } 592 } 593 return -1; 594} 595 596 597/* 598 * Returns a message describing the currently open forwarded connections, 599 * suitable for sending to the client. The message contains crlf pairs for 600 * newlines. 601 */ 602char * 603channel_open_message(void) 604{ 605 Buffer buffer; 606 Channel *c; 607 char buf[1024], *cp; 608 u_int i; 609 610 buffer_init(&buffer); 611 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 612 buffer_append(&buffer, buf, strlen(buf)); 613 for (i = 0; i < channels_alloc; i++) { 614 c = channels[i]; 615 if (c == NULL) 616 continue; 617 switch (c->type) { 618 case SSH_CHANNEL_X11_LISTENER: 619 case SSH_CHANNEL_PORT_LISTENER: 620 case SSH_CHANNEL_RPORT_LISTENER: 621 case SSH_CHANNEL_CLOSED: 622 case SSH_CHANNEL_AUTH_SOCKET: 623 case SSH_CHANNEL_ZOMBIE: 624 case SSH_CHANNEL_MUX_CLIENT: 625 case SSH_CHANNEL_MUX_LISTENER: 626 continue; 627 case SSH_CHANNEL_LARVAL: 628 case SSH_CHANNEL_OPENING: 629 case SSH_CHANNEL_CONNECTING: 630 case SSH_CHANNEL_DYNAMIC: 631 case SSH_CHANNEL_OPEN: 632 case SSH_CHANNEL_X11_OPEN: 633 case SSH_CHANNEL_INPUT_DRAINING: 634 case SSH_CHANNEL_OUTPUT_DRAINING: 635 snprintf(buf, sizeof buf, 636 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n", 637 c->self, c->remote_name, 638 c->type, c->remote_id, 639 c->istate, buffer_len(&c->input), 640 c->ostate, buffer_len(&c->output), 641 c->rfd, c->wfd, c->ctl_chan); 642 buffer_append(&buffer, buf, strlen(buf)); 643 continue; 644 default: 645 fatal("channel_open_message: bad channel type %d", c->type); 646 /* NOTREACHED */ 647 } 648 } 649 buffer_append(&buffer, "\0", 1); 650 cp = xstrdup(buffer_ptr(&buffer)); 651 buffer_free(&buffer); 652 return cp; 653} 654 655void 656channel_send_open(int id) 657{ 658 Channel *c = channel_lookup(id); 659 660 if (c == NULL) { 661 logit("channel_send_open: %d: bad id", id); 662 return; 663 } 664 debug2("channel %d: send open", id); 665 packet_start(SSH2_MSG_CHANNEL_OPEN); 666 packet_put_cstring(c->ctype); 667 packet_put_int(c->self); 668 packet_put_int(c->local_window); 669 packet_put_int(c->local_maxpacket); 670 packet_send(); 671} 672 673void 674channel_request_start(int id, char *service, int wantconfirm) 675{ 676 Channel *c = channel_lookup(id); 677 678 if (c == NULL) { 679 logit("channel_request_start: %d: unknown channel id", id); 680 return; 681 } 682 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 683 packet_start(SSH2_MSG_CHANNEL_REQUEST); 684 packet_put_int(c->remote_id); 685 packet_put_cstring(service); 686 packet_put_char(wantconfirm); 687} 688 689void 690channel_register_status_confirm(int id, channel_confirm_cb *cb, 691 channel_confirm_abandon_cb *abandon_cb, void *ctx) 692{ 693 struct channel_confirm *cc; 694 Channel *c; 695 696 if ((c = channel_lookup(id)) == NULL) 697 fatal("channel_register_expect: %d: bad id", id); 698 699 cc = xmalloc(sizeof(*cc)); 700 cc->cb = cb; 701 cc->abandon_cb = abandon_cb; 702 cc->ctx = ctx; 703 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 704} 705 706void 707channel_register_open_confirm(int id, channel_open_fn *fn, void *ctx) 708{ 709 Channel *c = channel_lookup(id); 710 711 if (c == NULL) { 712 logit("channel_register_open_confirm: %d: bad id", id); 713 return; 714 } 715 c->open_confirm = fn; 716 c->open_confirm_ctx = ctx; 717} 718 719void 720channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 721{ 722 Channel *c = channel_by_id(id); 723 724 if (c == NULL) { 725 logit("channel_register_cleanup: %d: bad id", id); 726 return; 727 } 728 c->detach_user = fn; 729 c->detach_close = do_close; 730} 731 732void 733channel_cancel_cleanup(int id) 734{ 735 Channel *c = channel_by_id(id); 736 737 if (c == NULL) { 738 logit("channel_cancel_cleanup: %d: bad id", id); 739 return; 740 } 741 c->detach_user = NULL; 742 c->detach_close = 0; 743} 744 745void 746channel_register_filter(int id, channel_infilter_fn *ifn, 747 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 748{ 749 Channel *c = channel_lookup(id); 750 751 if (c == NULL) { 752 logit("channel_register_filter: %d: bad id", id); 753 return; 754 } 755 c->input_filter = ifn; 756 c->output_filter = ofn; 757 c->filter_ctx = ctx; 758 c->filter_cleanup = cfn; 759} 760 761void 762channel_set_fds(int id, int rfd, int wfd, int efd, 763 int extusage, int nonblock, int is_tty, u_int window_max) 764{ 765 Channel *c = channel_lookup(id); 766 767 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 768 fatal("channel_activate for non-larval channel %d.", id); 769 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); 770 c->type = SSH_CHANNEL_OPEN; 771 c->local_window = c->local_window_max = window_max; 772 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 773 packet_put_int(c->remote_id); 774 packet_put_int(c->local_window); 775 packet_send(); 776} 777 778/* 779 * 'channel_pre*' are called just before select() to add any bits relevant to 780 * channels in the select bitmasks. 781 */ 782/* 783 * 'channel_post*': perform any appropriate operations for channels which 784 * have events pending. 785 */ 786typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 787chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 788chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 789 790/* ARGSUSED */ 791static void 792channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 793{ 794 FD_SET(c->sock, readset); 795} 796 797/* ARGSUSED */ 798static void 799channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 800{ 801 debug3("channel %d: waiting for connection", c->self); 802 FD_SET(c->sock, writeset); 803} 804 805static void 806channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 807{ 808 if (buffer_len(&c->input) < packet_get_maxsize()) 809 FD_SET(c->sock, readset); 810 if (buffer_len(&c->output) > 0) 811 FD_SET(c->sock, writeset); 812} 813 814static void 815channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 816{ 817 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 818 819 if (c->istate == CHAN_INPUT_OPEN && 820 limit > 0 && 821 buffer_len(&c->input) < limit && 822 buffer_check_alloc(&c->input, CHAN_RBUF)) 823 FD_SET(c->rfd, readset); 824 if (c->ostate == CHAN_OUTPUT_OPEN || 825 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 826 if (buffer_len(&c->output) > 0) { 827 FD_SET(c->wfd, writeset); 828 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 829 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 830 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 831 c->self, c->efd, buffer_len(&c->extended)); 832 else 833 chan_obuf_empty(c); 834 } 835 } 836 /** XXX check close conditions, too */ 837 if (compat20 && c->efd != -1 && 838 !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) { 839 if (c->extended_usage == CHAN_EXTENDED_WRITE && 840 buffer_len(&c->extended) > 0) 841 FD_SET(c->efd, writeset); 842 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 843 (c->extended_usage == CHAN_EXTENDED_READ || 844 c->extended_usage == CHAN_EXTENDED_IGNORE) && 845 buffer_len(&c->extended) < c->remote_window) 846 FD_SET(c->efd, readset); 847 } 848 /* XXX: What about efd? races? */ 849} 850 851/* ARGSUSED */ 852static void 853channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 854{ 855 if (buffer_len(&c->input) == 0) { 856 packet_start(SSH_MSG_CHANNEL_CLOSE); 857 packet_put_int(c->remote_id); 858 packet_send(); 859 c->type = SSH_CHANNEL_CLOSED; 860 debug2("channel %d: closing after input drain.", c->self); 861 } 862} 863 864/* ARGSUSED */ 865static void 866channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 867{ 868 if (buffer_len(&c->output) == 0) 869 chan_mark_dead(c); 870 else 871 FD_SET(c->sock, writeset); 872} 873 874/* 875 * This is a special state for X11 authentication spoofing. An opened X11 876 * connection (when authentication spoofing is being done) remains in this 877 * state until the first packet has been completely read. The authentication 878 * data in that packet is then substituted by the real data if it matches the 879 * fake data, and the channel is put into normal mode. 880 * XXX All this happens at the client side. 881 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 882 */ 883static int 884x11_open_helper(Buffer *b) 885{ 886 u_char *ucp; 887 u_int proto_len, data_len; 888 889 /* Check if the fixed size part of the packet is in buffer. */ 890 if (buffer_len(b) < 12) 891 return 0; 892 893 /* Parse the lengths of variable-length fields. */ 894 ucp = buffer_ptr(b); 895 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 896 proto_len = 256 * ucp[6] + ucp[7]; 897 data_len = 256 * ucp[8] + ucp[9]; 898 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 899 proto_len = ucp[6] + 256 * ucp[7]; 900 data_len = ucp[8] + 256 * ucp[9]; 901 } else { 902 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 903 ucp[0]); 904 return -1; 905 } 906 907 /* Check if the whole packet is in buffer. */ 908 if (buffer_len(b) < 909 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 910 return 0; 911 912 /* Check if authentication protocol matches. */ 913 if (proto_len != strlen(x11_saved_proto) || 914 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 915 debug2("X11 connection uses different authentication protocol."); 916 return -1; 917 } 918 /* Check if authentication data matches our fake data. */ 919 if (data_len != x11_fake_data_len || 920 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 921 x11_fake_data, x11_fake_data_len) != 0) { 922 debug2("X11 auth data does not match fake data."); 923 return -1; 924 } 925 /* Check fake data length */ 926 if (x11_fake_data_len != x11_saved_data_len) { 927 error("X11 fake_data_len %d != saved_data_len %d", 928 x11_fake_data_len, x11_saved_data_len); 929 return -1; 930 } 931 /* 932 * Received authentication protocol and data match 933 * our fake data. Substitute the fake data with real 934 * data. 935 */ 936 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 937 x11_saved_data, x11_saved_data_len); 938 return 1; 939} 940 941static void 942channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 943{ 944 int ret = x11_open_helper(&c->output); 945 946 if (ret == 1) { 947 /* Start normal processing for the channel. */ 948 c->type = SSH_CHANNEL_OPEN; 949 channel_pre_open_13(c, readset, writeset); 950 } else if (ret == -1) { 951 /* 952 * We have received an X11 connection that has bad 953 * authentication information. 954 */ 955 logit("X11 connection rejected because of wrong authentication."); 956 buffer_clear(&c->input); 957 buffer_clear(&c->output); 958 channel_close_fd(&c->sock); 959 c->sock = -1; 960 c->type = SSH_CHANNEL_CLOSED; 961 packet_start(SSH_MSG_CHANNEL_CLOSE); 962 packet_put_int(c->remote_id); 963 packet_send(); 964 } 965} 966 967static void 968channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 969{ 970 int ret = x11_open_helper(&c->output); 971 972 /* c->force_drain = 1; */ 973 974 if (ret == 1) { 975 c->type = SSH_CHANNEL_OPEN; 976 channel_pre_open(c, readset, writeset); 977 } else if (ret == -1) { 978 logit("X11 connection rejected because of wrong authentication."); 979 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 980 chan_read_failed(c); 981 buffer_clear(&c->input); 982 chan_ibuf_empty(c); 983 buffer_clear(&c->output); 984 /* for proto v1, the peer will send an IEOF */ 985 if (compat20) 986 chan_write_failed(c); 987 else 988 c->type = SSH_CHANNEL_OPEN; 989 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 990 } 991} 992 993static void 994channel_pre_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 995{ 996 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 997 buffer_check_alloc(&c->input, CHAN_RBUF)) 998 FD_SET(c->rfd, readset); 999 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1000 /* clear buffer immediately (discard any partial packet) */ 1001 buffer_clear(&c->input); 1002 chan_ibuf_empty(c); 1003 /* Start output drain. XXX just kill chan? */ 1004 chan_rcvd_oclose(c); 1005 } 1006 if (c->ostate == CHAN_OUTPUT_OPEN || 1007 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1008 if (buffer_len(&c->output) > 0) 1009 FD_SET(c->wfd, writeset); 1010 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1011 chan_obuf_empty(c); 1012 } 1013} 1014 1015/* try to decode a socks4 header */ 1016/* ARGSUSED */ 1017static int 1018channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 1019{ 1020 char *p, *host; 1021 u_int len, have, i, found, need; 1022 char username[256]; 1023 struct { 1024 u_int8_t version; 1025 u_int8_t command; 1026 u_int16_t dest_port; 1027 struct in_addr dest_addr; 1028 } s4_req, s4_rsp; 1029 1030 debug2("channel %d: decode socks4", c->self); 1031 1032 have = buffer_len(&c->input); 1033 len = sizeof(s4_req); 1034 if (have < len) 1035 return 0; 1036 p = buffer_ptr(&c->input); 1037 1038 need = 1; 1039 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1040 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1041 debug2("channel %d: socks4a request", c->self); 1042 /* ... and needs an extra string (the hostname) */ 1043 need = 2; 1044 } 1045 /* Check for terminating NUL on the string(s) */ 1046 for (found = 0, i = len; i < have; i++) { 1047 if (p[i] == '\0') { 1048 found++; 1049 if (found == need) 1050 break; 1051 } 1052 if (i > 1024) { 1053 /* the peer is probably sending garbage */ 1054 debug("channel %d: decode socks4: too long", 1055 c->self); 1056 return -1; 1057 } 1058 } 1059 if (found < need) 1060 return 0; 1061 buffer_get(&c->input, (char *)&s4_req.version, 1); 1062 buffer_get(&c->input, (char *)&s4_req.command, 1); 1063 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 1064 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 1065 have = buffer_len(&c->input); 1066 p = buffer_ptr(&c->input); 1067 len = strlen(p); 1068 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1069 len++; /* trailing '\0' */ 1070 if (len > have) 1071 fatal("channel %d: decode socks4: len %d > have %d", 1072 c->self, len, have); 1073 strlcpy(username, p, sizeof(username)); 1074 buffer_consume(&c->input, len); 1075 1076 if (c->path != NULL) { 1077 xfree(c->path); 1078 c->path = NULL; 1079 } 1080 if (need == 1) { /* SOCKS4: one string */ 1081 host = inet_ntoa(s4_req.dest_addr); 1082 c->path = xstrdup(host); 1083 } else { /* SOCKS4A: two strings */ 1084 have = buffer_len(&c->input); 1085 p = buffer_ptr(&c->input); 1086 len = strlen(p); 1087 debug2("channel %d: decode socks4a: host %s/%d", 1088 c->self, p, len); 1089 len++; /* trailing '\0' */ 1090 if (len > have) 1091 fatal("channel %d: decode socks4a: len %d > have %d", 1092 c->self, len, have); 1093 if (len > NI_MAXHOST) { 1094 error("channel %d: hostname \"%.100s\" too long", 1095 c->self, p); 1096 return -1; 1097 } 1098 c->path = xstrdup(p); 1099 buffer_consume(&c->input, len); 1100 } 1101 c->host_port = ntohs(s4_req.dest_port); 1102 1103 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1104 c->self, c->path, c->host_port, s4_req.command); 1105 1106 if (s4_req.command != 1) { 1107 debug("channel %d: cannot handle: %s cn %d", 1108 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1109 return -1; 1110 } 1111 s4_rsp.version = 0; /* vn: 0 for reply */ 1112 s4_rsp.command = 90; /* cd: req granted */ 1113 s4_rsp.dest_port = 0; /* ignored */ 1114 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1115 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1116 return 1; 1117} 1118 1119/* try to decode a socks5 header */ 1120#define SSH_SOCKS5_AUTHDONE 0x1000 1121#define SSH_SOCKS5_NOAUTH 0x00 1122#define SSH_SOCKS5_IPV4 0x01 1123#define SSH_SOCKS5_DOMAIN 0x03 1124#define SSH_SOCKS5_IPV6 0x04 1125#define SSH_SOCKS5_CONNECT 0x01 1126#define SSH_SOCKS5_SUCCESS 0x00 1127 1128/* ARGSUSED */ 1129static int 1130channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1131{ 1132 struct { 1133 u_int8_t version; 1134 u_int8_t command; 1135 u_int8_t reserved; 1136 u_int8_t atyp; 1137 } s5_req, s5_rsp; 1138 u_int16_t dest_port; 1139 u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1140 u_int have, need, i, found, nmethods, addrlen, af; 1141 1142 debug2("channel %d: decode socks5", c->self); 1143 p = buffer_ptr(&c->input); 1144 if (p[0] != 0x05) 1145 return -1; 1146 have = buffer_len(&c->input); 1147 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1148 /* format: ver | nmethods | methods */ 1149 if (have < 2) 1150 return 0; 1151 nmethods = p[1]; 1152 if (have < nmethods + 2) 1153 return 0; 1154 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1155 for (found = 0, i = 2; i < nmethods + 2; i++) { 1156 if (p[i] == SSH_SOCKS5_NOAUTH) { 1157 found = 1; 1158 break; 1159 } 1160 } 1161 if (!found) { 1162 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1163 c->self); 1164 return -1; 1165 } 1166 buffer_consume(&c->input, nmethods + 2); 1167 buffer_put_char(&c->output, 0x05); /* version */ 1168 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1169 FD_SET(c->sock, writeset); 1170 c->flags |= SSH_SOCKS5_AUTHDONE; 1171 debug2("channel %d: socks5 auth done", c->self); 1172 return 0; /* need more */ 1173 } 1174 debug2("channel %d: socks5 post auth", c->self); 1175 if (have < sizeof(s5_req)+1) 1176 return 0; /* need more */ 1177 memcpy(&s5_req, p, sizeof(s5_req)); 1178 if (s5_req.version != 0x05 || 1179 s5_req.command != SSH_SOCKS5_CONNECT || 1180 s5_req.reserved != 0x00) { 1181 debug2("channel %d: only socks5 connect supported", c->self); 1182 return -1; 1183 } 1184 switch (s5_req.atyp){ 1185 case SSH_SOCKS5_IPV4: 1186 addrlen = 4; 1187 af = AF_INET; 1188 break; 1189 case SSH_SOCKS5_DOMAIN: 1190 addrlen = p[sizeof(s5_req)]; 1191 af = -1; 1192 break; 1193 case SSH_SOCKS5_IPV6: 1194 addrlen = 16; 1195 af = AF_INET6; 1196 break; 1197 default: 1198 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1199 return -1; 1200 } 1201 need = sizeof(s5_req) + addrlen + 2; 1202 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1203 need++; 1204 if (have < need) 1205 return 0; 1206 buffer_consume(&c->input, sizeof(s5_req)); 1207 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1208 buffer_consume(&c->input, 1); /* host string length */ 1209 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1210 buffer_get(&c->input, (char *)&dest_port, 2); 1211 dest_addr[addrlen] = '\0'; 1212 if (c->path != NULL) { 1213 xfree(c->path); 1214 c->path = NULL; 1215 } 1216 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1217 if (addrlen >= NI_MAXHOST) { 1218 error("channel %d: dynamic request: socks5 hostname " 1219 "\"%.100s\" too long", c->self, dest_addr); 1220 return -1; 1221 } 1222 c->path = xstrdup(dest_addr); 1223 } else { 1224 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1225 return -1; 1226 c->path = xstrdup(ntop); 1227 } 1228 c->host_port = ntohs(dest_port); 1229 1230 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1231 c->self, c->path, c->host_port, s5_req.command); 1232 1233 s5_rsp.version = 0x05; 1234 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1235 s5_rsp.reserved = 0; /* ignored */ 1236 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1237 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; 1238 dest_port = 0; /* ignored */ 1239 1240 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1241 buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); 1242 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1243 return 1; 1244} 1245 1246Channel * 1247channel_connect_stdio_fwd(const char *host_to_connect, u_short port_to_connect, 1248 int in, int out) 1249{ 1250 Channel *c; 1251 1252 debug("channel_connect_stdio_fwd %s:%d", host_to_connect, 1253 port_to_connect); 1254 1255 c = channel_new("stdio-forward", SSH_CHANNEL_OPENING, in, out, 1256 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1257 0, "stdio-forward", /*nonblock*/0); 1258 1259 c->path = xstrdup(host_to_connect); 1260 c->host_port = port_to_connect; 1261 c->listening_port = 0; 1262 c->force_drain = 1; 1263 1264 channel_register_fds(c, in, out, -1, 0, 1, 0); 1265 port_open_helper(c, "direct-tcpip"); 1266 1267 return c; 1268} 1269 1270/* dynamic port forwarding */ 1271static void 1272channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1273{ 1274 u_char *p; 1275 u_int have; 1276 int ret; 1277 1278 have = buffer_len(&c->input); 1279 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1280 /* buffer_dump(&c->input); */ 1281 /* check if the fixed size part of the packet is in buffer. */ 1282 if (have < 3) { 1283 /* need more */ 1284 FD_SET(c->sock, readset); 1285 return; 1286 } 1287 /* try to guess the protocol */ 1288 p = buffer_ptr(&c->input); 1289 switch (p[0]) { 1290 case 0x04: 1291 ret = channel_decode_socks4(c, readset, writeset); 1292 break; 1293 case 0x05: 1294 ret = channel_decode_socks5(c, readset, writeset); 1295 break; 1296 default: 1297 ret = -1; 1298 break; 1299 } 1300 if (ret < 0) { 1301 chan_mark_dead(c); 1302 } else if (ret == 0) { 1303 debug2("channel %d: pre_dynamic: need more", c->self); 1304 /* need more */ 1305 FD_SET(c->sock, readset); 1306 } else { 1307 /* switch to the next state */ 1308 c->type = SSH_CHANNEL_OPENING; 1309 port_open_helper(c, "direct-tcpip"); 1310 } 1311} 1312 1313/* This is our fake X11 server socket. */ 1314/* ARGSUSED */ 1315static void 1316channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1317{ 1318 Channel *nc; 1319 struct sockaddr_storage addr; 1320 int newsock; 1321 socklen_t addrlen; 1322 char buf[16384], *remote_ipaddr; 1323 int remote_port; 1324 1325 if (FD_ISSET(c->sock, readset)) { 1326 debug("X11 connection requested."); 1327 addrlen = sizeof(addr); 1328 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1329 if (c->single_connection) { 1330 debug2("single_connection: closing X11 listener."); 1331 channel_close_fd(&c->sock); 1332 chan_mark_dead(c); 1333 } 1334 if (newsock < 0) { 1335 error("accept: %.100s", strerror(errno)); 1336 return; 1337 } 1338 set_nodelay(newsock); 1339 remote_ipaddr = get_peer_ipaddr(newsock); 1340 remote_port = get_peer_port(newsock); 1341 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1342 remote_ipaddr, remote_port); 1343 1344 nc = channel_new("accepted x11 socket", 1345 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1346 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1347 if (compat20) { 1348 packet_start(SSH2_MSG_CHANNEL_OPEN); 1349 packet_put_cstring("x11"); 1350 packet_put_int(nc->self); 1351 packet_put_int(nc->local_window_max); 1352 packet_put_int(nc->local_maxpacket); 1353 /* originator ipaddr and port */ 1354 packet_put_cstring(remote_ipaddr); 1355 if (datafellows & SSH_BUG_X11FWD) { 1356 debug2("ssh2 x11 bug compat mode"); 1357 } else { 1358 packet_put_int(remote_port); 1359 } 1360 packet_send(); 1361 } else { 1362 packet_start(SSH_SMSG_X11_OPEN); 1363 packet_put_int(nc->self); 1364 if (packet_get_protocol_flags() & 1365 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1366 packet_put_cstring(buf); 1367 packet_send(); 1368 } 1369 xfree(remote_ipaddr); 1370 } 1371} 1372 1373static void 1374port_open_helper(Channel *c, char *rtype) 1375{ 1376 int direct; 1377 char buf[1024]; 1378 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1379 int remote_port = get_peer_port(c->sock); 1380 1381 if (remote_port == -1) { 1382 /* Fake addr/port to appease peers that validate it (Tectia) */ 1383 xfree(remote_ipaddr); 1384 remote_ipaddr = xstrdup("127.0.0.1"); 1385 remote_port = 65535; 1386 } 1387 1388 direct = (strcmp(rtype, "direct-tcpip") == 0); 1389 1390 snprintf(buf, sizeof buf, 1391 "%s: listening port %d for %.100s port %d, " 1392 "connect from %.200s port %d", 1393 rtype, c->listening_port, c->path, c->host_port, 1394 remote_ipaddr, remote_port); 1395 1396 xfree(c->remote_name); 1397 c->remote_name = xstrdup(buf); 1398 1399 if (compat20) { 1400 packet_start(SSH2_MSG_CHANNEL_OPEN); 1401 packet_put_cstring(rtype); 1402 packet_put_int(c->self); 1403 packet_put_int(c->local_window_max); 1404 packet_put_int(c->local_maxpacket); 1405 if (direct) { 1406 /* target host, port */ 1407 packet_put_cstring(c->path); 1408 packet_put_int(c->host_port); 1409 } else { 1410 /* listen address, port */ 1411 packet_put_cstring(c->path); 1412 packet_put_int(c->listening_port); 1413 } 1414 /* originator host and port */ 1415 packet_put_cstring(remote_ipaddr); 1416 packet_put_int((u_int)remote_port); 1417 packet_send(); 1418 } else { 1419 packet_start(SSH_MSG_PORT_OPEN); 1420 packet_put_int(c->self); 1421 packet_put_cstring(c->path); 1422 packet_put_int(c->host_port); 1423 if (packet_get_protocol_flags() & 1424 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1425 packet_put_cstring(c->remote_name); 1426 packet_send(); 1427 } 1428 xfree(remote_ipaddr); 1429} 1430 1431static void 1432channel_set_reuseaddr(int fd) 1433{ 1434 int on = 1; 1435 1436 /* 1437 * Set socket options. 1438 * Allow local port reuse in TIME_WAIT. 1439 */ 1440 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1441 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1442} 1443 1444/* 1445 * This socket is listening for connections to a forwarded TCP/IP port. 1446 */ 1447/* ARGSUSED */ 1448static void 1449channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1450{ 1451 Channel *nc; 1452 struct sockaddr_storage addr; 1453 int newsock, nextstate; 1454 socklen_t addrlen; 1455 char *rtype; 1456 1457 if (FD_ISSET(c->sock, readset)) { 1458 debug("Connection to port %d forwarding " 1459 "to %.100s port %d requested.", 1460 c->listening_port, c->path, c->host_port); 1461 1462 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1463 nextstate = SSH_CHANNEL_OPENING; 1464 rtype = "forwarded-tcpip"; 1465 } else { 1466 if (c->host_port == 0) { 1467 nextstate = SSH_CHANNEL_DYNAMIC; 1468 rtype = "dynamic-tcpip"; 1469 } else { 1470 nextstate = SSH_CHANNEL_OPENING; 1471 rtype = "direct-tcpip"; 1472 } 1473 } 1474 1475 addrlen = sizeof(addr); 1476 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1477 if (newsock < 0) { 1478 error("accept: %.100s", strerror(errno)); 1479 return; 1480 } 1481 set_nodelay(newsock); 1482 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1483 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1484 nc->listening_port = c->listening_port; 1485 nc->host_port = c->host_port; 1486 if (c->path != NULL) 1487 nc->path = xstrdup(c->path); 1488 1489 if (nextstate != SSH_CHANNEL_DYNAMIC) 1490 port_open_helper(nc, rtype); 1491 } 1492} 1493 1494/* 1495 * This is the authentication agent socket listening for connections from 1496 * clients. 1497 */ 1498/* ARGSUSED */ 1499static void 1500channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1501{ 1502 Channel *nc; 1503 int newsock; 1504 struct sockaddr_storage addr; 1505 socklen_t addrlen; 1506 1507 if (FD_ISSET(c->sock, readset)) { 1508 addrlen = sizeof(addr); 1509 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1510 if (newsock < 0) { 1511 error("accept from auth socket: %.100s", strerror(errno)); 1512 return; 1513 } 1514 nc = channel_new("accepted auth socket", 1515 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1516 c->local_window_max, c->local_maxpacket, 1517 0, "accepted auth socket", 1); 1518 if (compat20) { 1519 packet_start(SSH2_MSG_CHANNEL_OPEN); 1520 packet_put_cstring("auth-agent@openssh.com"); 1521 packet_put_int(nc->self); 1522 packet_put_int(c->local_window_max); 1523 packet_put_int(c->local_maxpacket); 1524 } else { 1525 packet_start(SSH_SMSG_AGENT_OPEN); 1526 packet_put_int(nc->self); 1527 } 1528 packet_send(); 1529 } 1530} 1531 1532/* ARGSUSED */ 1533static void 1534channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1535{ 1536 int err = 0, sock; 1537 socklen_t sz = sizeof(err); 1538 1539 if (FD_ISSET(c->sock, writeset)) { 1540 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1541 err = errno; 1542 error("getsockopt SO_ERROR failed"); 1543 } 1544 if (err == 0) { 1545 debug("channel %d: connected to %s port %d", 1546 c->self, c->connect_ctx.host, c->connect_ctx.port); 1547 channel_connect_ctx_free(&c->connect_ctx); 1548 c->type = SSH_CHANNEL_OPEN; 1549 if (compat20) { 1550 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1551 packet_put_int(c->remote_id); 1552 packet_put_int(c->self); 1553 packet_put_int(c->local_window); 1554 packet_put_int(c->local_maxpacket); 1555 } else { 1556 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1557 packet_put_int(c->remote_id); 1558 packet_put_int(c->self); 1559 } 1560 } else { 1561 debug("channel %d: connection failed: %s", 1562 c->self, strerror(err)); 1563 /* Try next address, if any */ 1564 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1565 close(c->sock); 1566 c->sock = c->rfd = c->wfd = sock; 1567 channel_max_fd = channel_find_maxfd(); 1568 return; 1569 } 1570 /* Exhausted all addresses */ 1571 error("connect_to %.100s port %d: failed.", 1572 c->connect_ctx.host, c->connect_ctx.port); 1573 channel_connect_ctx_free(&c->connect_ctx); 1574 if (compat20) { 1575 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1576 packet_put_int(c->remote_id); 1577 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1578 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1579 packet_put_cstring(strerror(err)); 1580 packet_put_cstring(""); 1581 } 1582 } else { 1583 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1584 packet_put_int(c->remote_id); 1585 } 1586 chan_mark_dead(c); 1587 } 1588 packet_send(); 1589 } 1590} 1591 1592/* ARGSUSED */ 1593static int 1594channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1595{ 1596 char buf[CHAN_RBUF]; 1597 int len, force; 1598 1599 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1600 if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) { 1601 errno = 0; 1602 len = read(c->rfd, buf, sizeof(buf)); 1603 if (len < 0 && (errno == EINTR || 1604 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1605 return 1; 1606#ifndef PTY_ZEROREAD 1607 if (len <= 0) { 1608#else 1609 if ((!c->isatty && len <= 0) || 1610 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1611#endif 1612 debug2("channel %d: read<=0 rfd %d len %d", 1613 c->self, c->rfd, len); 1614 if (c->type != SSH_CHANNEL_OPEN) { 1615 debug2("channel %d: not open", c->self); 1616 chan_mark_dead(c); 1617 return -1; 1618 } else if (compat13) { 1619 buffer_clear(&c->output); 1620 c->type = SSH_CHANNEL_INPUT_DRAINING; 1621 debug2("channel %d: input draining.", c->self); 1622 } else { 1623 chan_read_failed(c); 1624 } 1625 return -1; 1626 } 1627 if (c->input_filter != NULL) { 1628 if (c->input_filter(c, buf, len) == -1) { 1629 debug2("channel %d: filter stops", c->self); 1630 chan_read_failed(c); 1631 } 1632 } else if (c->datagram) { 1633 buffer_put_string(&c->input, buf, len); 1634 } else { 1635 buffer_append(&c->input, buf, len); 1636 } 1637 } 1638 return 1; 1639} 1640 1641/* ARGSUSED */ 1642static int 1643channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1644{ 1645 struct termios tio; 1646 u_char *data = NULL, *buf; 1647 u_int dlen, olen = 0; 1648 int len; 1649 1650 /* Send buffered output data to the socket. */ 1651 if (c->wfd != -1 && 1652 FD_ISSET(c->wfd, writeset) && 1653 buffer_len(&c->output) > 0) { 1654 olen = buffer_len(&c->output); 1655 if (c->output_filter != NULL) { 1656 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1657 debug2("channel %d: filter stops", c->self); 1658 if (c->type != SSH_CHANNEL_OPEN) 1659 chan_mark_dead(c); 1660 else 1661 chan_write_failed(c); 1662 return -1; 1663 } 1664 } else if (c->datagram) { 1665 buf = data = buffer_get_string(&c->output, &dlen); 1666 } else { 1667 buf = data = buffer_ptr(&c->output); 1668 dlen = buffer_len(&c->output); 1669 } 1670 1671 if (c->datagram) { 1672 /* ignore truncated writes, datagrams might get lost */ 1673 len = write(c->wfd, buf, dlen); 1674 xfree(data); 1675 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1676 errno == EWOULDBLOCK)) 1677 return 1; 1678 if (len <= 0) { 1679 if (c->type != SSH_CHANNEL_OPEN) 1680 chan_mark_dead(c); 1681 else 1682 chan_write_failed(c); 1683 return -1; 1684 } 1685 goto out; 1686 } 1687#ifdef _AIX 1688 /* XXX: Later AIX versions can't push as much data to tty */ 1689 if (compat20 && c->wfd_isatty) 1690 dlen = MIN(dlen, 8*1024); 1691#endif 1692 1693 len = write(c->wfd, buf, dlen); 1694 if (len < 0 && 1695 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1696 return 1; 1697 if (len <= 0) { 1698 if (c->type != SSH_CHANNEL_OPEN) { 1699 debug2("channel %d: not open", c->self); 1700 chan_mark_dead(c); 1701 return -1; 1702 } else if (compat13) { 1703 buffer_clear(&c->output); 1704 debug2("channel %d: input draining.", c->self); 1705 c->type = SSH_CHANNEL_INPUT_DRAINING; 1706 } else { 1707 chan_write_failed(c); 1708 } 1709 return -1; 1710 } 1711#ifndef BROKEN_TCGETATTR_ICANON 1712 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1713 if (tcgetattr(c->wfd, &tio) == 0 && 1714 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1715 /* 1716 * Simulate echo to reduce the impact of 1717 * traffic analysis. We need to match the 1718 * size of a SSH2_MSG_CHANNEL_DATA message 1719 * (4 byte channel id + buf) 1720 */ 1721 packet_send_ignore(4 + len); 1722 packet_send(); 1723 } 1724 } 1725#endif 1726 buffer_consume(&c->output, len); 1727 } 1728 out: 1729 if (compat20 && olen > 0) 1730 c->local_consumed += olen - buffer_len(&c->output); 1731 return 1; 1732} 1733 1734static int 1735channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1736{ 1737 char buf[CHAN_RBUF]; 1738 int len; 1739 1740/** XXX handle drain efd, too */ 1741 if (c->efd != -1) { 1742 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1743 FD_ISSET(c->efd, writeset) && 1744 buffer_len(&c->extended) > 0) { 1745 len = write(c->efd, buffer_ptr(&c->extended), 1746 buffer_len(&c->extended)); 1747 debug2("channel %d: written %d to efd %d", 1748 c->self, len, c->efd); 1749 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1750 errno == EWOULDBLOCK)) 1751 return 1; 1752 if (len <= 0) { 1753 debug2("channel %d: closing write-efd %d", 1754 c->self, c->efd); 1755 channel_close_fd(&c->efd); 1756 } else { 1757 buffer_consume(&c->extended, len); 1758 c->local_consumed += len; 1759 } 1760 } else if (c->efd != -1 && 1761 (c->extended_usage == CHAN_EXTENDED_READ || 1762 c->extended_usage == CHAN_EXTENDED_IGNORE) && 1763 (c->detach_close || FD_ISSET(c->efd, readset))) { 1764 len = read(c->efd, buf, sizeof(buf)); 1765 debug2("channel %d: read %d from efd %d", 1766 c->self, len, c->efd); 1767 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 1768 errno == EWOULDBLOCK) && !c->detach_close))) 1769 return 1; 1770 if (len <= 0) { 1771 debug2("channel %d: closing read-efd %d", 1772 c->self, c->efd); 1773 channel_close_fd(&c->efd); 1774 } else { 1775 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 1776 debug3("channel %d: discard efd", 1777 c->self); 1778 } else 1779 buffer_append(&c->extended, buf, len); 1780 } 1781 } 1782 } 1783 return 1; 1784} 1785 1786static int 1787channel_check_window(Channel *c) 1788{ 1789 if (c->type == SSH_CHANNEL_OPEN && 1790 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1791 ((c->local_window_max - c->local_window > 1792 c->local_maxpacket*3) || 1793 c->local_window < c->local_window_max/2) && 1794 c->local_consumed > 0) { 1795 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1796 packet_put_int(c->remote_id); 1797 packet_put_int(c->local_consumed); 1798 packet_send(); 1799 debug2("channel %d: window %d sent adjust %d", 1800 c->self, c->local_window, 1801 c->local_consumed); 1802 c->local_window += c->local_consumed; 1803 c->local_consumed = 0; 1804 } 1805 return 1; 1806} 1807 1808static void 1809channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1810{ 1811 channel_handle_rfd(c, readset, writeset); 1812 channel_handle_wfd(c, readset, writeset); 1813 if (!compat20) 1814 return; 1815 channel_handle_efd(c, readset, writeset); 1816 channel_check_window(c); 1817} 1818 1819static u_int 1820read_mux(Channel *c, u_int need) 1821{ 1822 char buf[CHAN_RBUF]; 1823 int len; 1824 u_int rlen; 1825 1826 if (buffer_len(&c->input) < need) { 1827 rlen = need - buffer_len(&c->input); 1828 len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF)); 1829 if (len <= 0) { 1830 if (errno != EINTR && errno != EAGAIN) { 1831 debug2("channel %d: ctl read<=0 rfd %d len %d", 1832 c->self, c->rfd, len); 1833 chan_read_failed(c); 1834 return 0; 1835 } 1836 } else 1837 buffer_append(&c->input, buf, len); 1838 } 1839 return buffer_len(&c->input); 1840} 1841 1842static void 1843channel_post_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1844{ 1845 u_int need; 1846 ssize_t len; 1847 1848 if (!compat20) 1849 fatal("%s: entered with !compat20", __func__); 1850 1851 if (c->rfd != -1 && !c->mux_pause && FD_ISSET(c->rfd, readset) && 1852 (c->istate == CHAN_INPUT_OPEN || 1853 c->istate == CHAN_INPUT_WAIT_DRAIN)) { 1854 /* 1855 * Don't not read past the precise end of packets to 1856 * avoid disrupting fd passing. 1857 */ 1858 if (read_mux(c, 4) < 4) /* read header */ 1859 return; 1860 need = get_u32(buffer_ptr(&c->input)); 1861#define CHANNEL_MUX_MAX_PACKET (256 * 1024) 1862 if (need > CHANNEL_MUX_MAX_PACKET) { 1863 debug2("channel %d: packet too big %u > %u", 1864 c->self, CHANNEL_MUX_MAX_PACKET, need); 1865 chan_rcvd_oclose(c); 1866 return; 1867 } 1868 if (read_mux(c, need + 4) < need + 4) /* read body */ 1869 return; 1870 if (c->mux_rcb(c) != 0) { 1871 debug("channel %d: mux_rcb failed", c->self); 1872 chan_mark_dead(c); 1873 return; 1874 } 1875 } 1876 1877 if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && 1878 buffer_len(&c->output) > 0) { 1879 len = write(c->wfd, buffer_ptr(&c->output), 1880 buffer_len(&c->output)); 1881 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1882 return; 1883 if (len <= 0) { 1884 chan_mark_dead(c); 1885 return; 1886 } 1887 buffer_consume(&c->output, len); 1888 } 1889} 1890 1891static void 1892channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) 1893{ 1894 Channel *nc; 1895 struct sockaddr_storage addr; 1896 socklen_t addrlen; 1897 int newsock; 1898 uid_t euid; 1899 gid_t egid; 1900 1901 if (!FD_ISSET(c->sock, readset)) 1902 return; 1903 1904 debug("multiplexing control connection"); 1905 1906 /* 1907 * Accept connection on control socket 1908 */ 1909 memset(&addr, 0, sizeof(addr)); 1910 addrlen = sizeof(addr); 1911 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 1912 &addrlen)) == -1) { 1913 error("%s accept: %s", __func__, strerror(errno)); 1914 return; 1915 } 1916 1917 if (getpeereid(newsock, &euid, &egid) < 0) { 1918 error("%s getpeereid failed: %s", __func__, 1919 strerror(errno)); 1920 close(newsock); 1921 return; 1922 } 1923 if ((euid != 0) && (getuid() != euid)) { 1924 error("multiplex uid mismatch: peer euid %u != uid %u", 1925 (u_int)euid, (u_int)getuid()); 1926 close(newsock); 1927 return; 1928 } 1929 nc = channel_new("multiplex client", SSH_CHANNEL_MUX_CLIENT, 1930 newsock, newsock, -1, c->local_window_max, 1931 c->local_maxpacket, 0, "mux-control", 1); 1932 nc->mux_rcb = c->mux_rcb; 1933 debug3("%s: new mux channel %d fd %d", __func__, 1934 nc->self, nc->sock); 1935 /* establish state */ 1936 nc->mux_rcb(nc); 1937 /* mux state transitions must not elicit protocol messages */ 1938 nc->flags |= CHAN_LOCAL; 1939} 1940 1941/* ARGSUSED */ 1942static void 1943channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 1944{ 1945 int len; 1946 1947 /* Send buffered output data to the socket. */ 1948 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1949 len = write(c->sock, buffer_ptr(&c->output), 1950 buffer_len(&c->output)); 1951 if (len <= 0) 1952 buffer_clear(&c->output); 1953 else 1954 buffer_consume(&c->output, len); 1955 } 1956} 1957 1958static void 1959channel_handler_init_20(void) 1960{ 1961 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1962 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1963 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1964 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1965 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1966 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1967 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1968 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1969 channel_pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 1970 channel_pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 1971 1972 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1973 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1974 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1975 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1976 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1977 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1978 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1979 channel_post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 1980 channel_post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 1981} 1982 1983static void 1984channel_handler_init_13(void) 1985{ 1986 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1987 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1988 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1989 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1990 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1991 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1992 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1993 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1994 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1995 1996 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1997 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1998 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1999 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2000 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 2001 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2002 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2003} 2004 2005static void 2006channel_handler_init_15(void) 2007{ 2008 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2009 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2010 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2011 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2012 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2013 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2014 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2015 2016 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2017 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2018 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2019 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2020 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2021 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2022} 2023 2024static void 2025channel_handler_init(void) 2026{ 2027 int i; 2028 2029 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 2030 channel_pre[i] = NULL; 2031 channel_post[i] = NULL; 2032 } 2033 if (compat20) 2034 channel_handler_init_20(); 2035 else if (compat13) 2036 channel_handler_init_13(); 2037 else 2038 channel_handler_init_15(); 2039} 2040 2041/* gc dead channels */ 2042static void 2043channel_garbage_collect(Channel *c) 2044{ 2045 if (c == NULL) 2046 return; 2047 if (c->detach_user != NULL) { 2048 if (!chan_is_dead(c, c->detach_close)) 2049 return; 2050 debug2("channel %d: gc: notify user", c->self); 2051 c->detach_user(c->self, NULL); 2052 /* if we still have a callback */ 2053 if (c->detach_user != NULL) 2054 return; 2055 debug2("channel %d: gc: user detached", c->self); 2056 } 2057 if (!chan_is_dead(c, 1)) 2058 return; 2059 debug2("channel %d: garbage collecting", c->self); 2060 channel_free(c); 2061} 2062 2063static void 2064channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) 2065{ 2066 static int did_init = 0; 2067 u_int i, oalloc; 2068 Channel *c; 2069 2070 if (!did_init) { 2071 channel_handler_init(); 2072 did_init = 1; 2073 } 2074 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { 2075 c = channels[i]; 2076 if (c == NULL) 2077 continue; 2078 if (c->delayed) { 2079 if (ftab == channel_pre) 2080 c->delayed = 0; 2081 else 2082 continue; 2083 } 2084 if (ftab[c->type] != NULL) 2085 (*ftab[c->type])(c, readset, writeset); 2086 channel_garbage_collect(c); 2087 } 2088} 2089 2090/* 2091 * Allocate/update select bitmasks and add any bits relevant to channels in 2092 * select bitmasks. 2093 */ 2094void 2095channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 2096 u_int *nallocp, int rekeying) 2097{ 2098 u_int n, sz, nfdset; 2099 2100 n = MAX(*maxfdp, channel_max_fd); 2101 2102 nfdset = howmany(n+1, NFDBITS); 2103 /* Explicitly test here, because xrealloc isn't always called */ 2104 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) 2105 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2106 sz = nfdset * sizeof(fd_mask); 2107 2108 /* perhaps check sz < nalloc/2 and shrink? */ 2109 if (*readsetp == NULL || sz > *nallocp) { 2110 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); 2111 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); 2112 *nallocp = sz; 2113 } 2114 *maxfdp = n; 2115 memset(*readsetp, 0, sz); 2116 memset(*writesetp, 0, sz); 2117 2118 if (!rekeying) 2119 channel_handler(channel_pre, *readsetp, *writesetp); 2120} 2121 2122/* 2123 * After select, perform any appropriate operations for channels which have 2124 * events pending. 2125 */ 2126void 2127channel_after_select(fd_set *readset, fd_set *writeset) 2128{ 2129 channel_handler(channel_post, readset, writeset); 2130} 2131 2132 2133/* If there is data to send to the connection, enqueue some of it now. */ 2134void 2135channel_output_poll(void) 2136{ 2137 Channel *c; 2138 u_int i, len; 2139 2140 for (i = 0; i < channels_alloc; i++) { 2141 c = channels[i]; 2142 if (c == NULL) 2143 continue; 2144 2145 /* 2146 * We are only interested in channels that can have buffered 2147 * incoming data. 2148 */ 2149 if (compat13) { 2150 if (c->type != SSH_CHANNEL_OPEN && 2151 c->type != SSH_CHANNEL_INPUT_DRAINING) 2152 continue; 2153 } else { 2154 if (c->type != SSH_CHANNEL_OPEN) 2155 continue; 2156 } 2157 if (compat20 && 2158 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2159 /* XXX is this true? */ 2160 debug3("channel %d: will not send data after close", c->self); 2161 continue; 2162 } 2163 2164 /* Get the amount of buffered data for this channel. */ 2165 if ((c->istate == CHAN_INPUT_OPEN || 2166 c->istate == CHAN_INPUT_WAIT_DRAIN) && 2167 (len = buffer_len(&c->input)) > 0) { 2168 if (c->datagram) { 2169 if (len > 0) { 2170 u_char *data; 2171 u_int dlen; 2172 2173 data = buffer_get_string(&c->input, 2174 &dlen); 2175 if (dlen > c->remote_window || 2176 dlen > c->remote_maxpacket) { 2177 debug("channel %d: datagram " 2178 "too big for channel", 2179 c->self); 2180 xfree(data); 2181 continue; 2182 } 2183 packet_start(SSH2_MSG_CHANNEL_DATA); 2184 packet_put_int(c->remote_id); 2185 packet_put_string(data, dlen); 2186 packet_send(); 2187 c->remote_window -= dlen + 4; 2188 xfree(data); 2189 } 2190 continue; 2191 } 2192 /* 2193 * Send some data for the other side over the secure 2194 * connection. 2195 */ 2196 if (compat20) { 2197 if (len > c->remote_window) 2198 len = c->remote_window; 2199 if (len > c->remote_maxpacket) 2200 len = c->remote_maxpacket; 2201 } else { 2202 if (packet_is_interactive()) { 2203 if (len > 1024) 2204 len = 512; 2205 } else { 2206 /* Keep the packets at reasonable size. */ 2207 if (len > packet_get_maxsize()/2) 2208 len = packet_get_maxsize()/2; 2209 } 2210 } 2211 if (len > 0) { 2212 packet_start(compat20 ? 2213 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 2214 packet_put_int(c->remote_id); 2215 packet_put_string(buffer_ptr(&c->input), len); 2216 packet_send(); 2217 buffer_consume(&c->input, len); 2218 c->remote_window -= len; 2219 } 2220 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2221 if (compat13) 2222 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 2223 /* 2224 * input-buffer is empty and read-socket shutdown: 2225 * tell peer, that we will not send more data: send IEOF. 2226 * hack for extended data: delay EOF if EFD still in use. 2227 */ 2228 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2229 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 2230 c->self, c->efd, buffer_len(&c->extended)); 2231 else 2232 chan_ibuf_empty(c); 2233 } 2234 /* Send extended data, i.e. stderr */ 2235 if (compat20 && 2236 !(c->flags & CHAN_EOF_SENT) && 2237 c->remote_window > 0 && 2238 (len = buffer_len(&c->extended)) > 0 && 2239 c->extended_usage == CHAN_EXTENDED_READ) { 2240 debug2("channel %d: rwin %u elen %u euse %d", 2241 c->self, c->remote_window, buffer_len(&c->extended), 2242 c->extended_usage); 2243 if (len > c->remote_window) 2244 len = c->remote_window; 2245 if (len > c->remote_maxpacket) 2246 len = c->remote_maxpacket; 2247 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 2248 packet_put_int(c->remote_id); 2249 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 2250 packet_put_string(buffer_ptr(&c->extended), len); 2251 packet_send(); 2252 buffer_consume(&c->extended, len); 2253 c->remote_window -= len; 2254 debug2("channel %d: sent ext data %d", c->self, len); 2255 } 2256 } 2257} 2258 2259 2260/* -- protocol input */ 2261 2262/* ARGSUSED */ 2263void 2264channel_input_data(int type, u_int32_t seq, void *ctxt) 2265{ 2266 int id; 2267 char *data; 2268 u_int data_len, win_len; 2269 Channel *c; 2270 2271 /* Get the channel number and verify it. */ 2272 id = packet_get_int(); 2273 c = channel_lookup(id); 2274 if (c == NULL) 2275 packet_disconnect("Received data for nonexistent channel %d.", id); 2276 2277 /* Ignore any data for non-open channels (might happen on close) */ 2278 if (c->type != SSH_CHANNEL_OPEN && 2279 c->type != SSH_CHANNEL_X11_OPEN) 2280 return; 2281 2282 /* Get the data. */ 2283 data = packet_get_string_ptr(&data_len); 2284 win_len = data_len; 2285 if (c->datagram) 2286 win_len += 4; /* string length header */ 2287 2288 /* 2289 * Ignore data for protocol > 1.3 if output end is no longer open. 2290 * For protocol 2 the sending side is reducing its window as it sends 2291 * data, so we must 'fake' consumption of the data in order to ensure 2292 * that window updates are sent back. Otherwise the connection might 2293 * deadlock. 2294 */ 2295 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2296 if (compat20) { 2297 c->local_window -= win_len; 2298 c->local_consumed += win_len; 2299 } 2300 return; 2301 } 2302 2303 if (compat20) { 2304 if (win_len > c->local_maxpacket) { 2305 logit("channel %d: rcvd big packet %d, maxpack %d", 2306 c->self, win_len, c->local_maxpacket); 2307 } 2308 if (win_len > c->local_window) { 2309 logit("channel %d: rcvd too much data %d, win %d", 2310 c->self, win_len, c->local_window); 2311 return; 2312 } 2313 c->local_window -= win_len; 2314 } 2315 if (c->datagram) 2316 buffer_put_string(&c->output, data, data_len); 2317 else 2318 buffer_append(&c->output, data, data_len); 2319 packet_check_eom(); 2320} 2321 2322/* ARGSUSED */ 2323void 2324channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2325{ 2326 int id; 2327 char *data; 2328 u_int data_len, tcode; 2329 Channel *c; 2330 2331 /* Get the channel number and verify it. */ 2332 id = packet_get_int(); 2333 c = channel_lookup(id); 2334 2335 if (c == NULL) 2336 packet_disconnect("Received extended_data for bad channel %d.", id); 2337 if (c->type != SSH_CHANNEL_OPEN) { 2338 logit("channel %d: ext data for non open", id); 2339 return; 2340 } 2341 if (c->flags & CHAN_EOF_RCVD) { 2342 if (datafellows & SSH_BUG_EXTEOF) 2343 debug("channel %d: accepting ext data after eof", id); 2344 else 2345 packet_disconnect("Received extended_data after EOF " 2346 "on channel %d.", id); 2347 } 2348 tcode = packet_get_int(); 2349 if (c->efd == -1 || 2350 c->extended_usage != CHAN_EXTENDED_WRITE || 2351 tcode != SSH2_EXTENDED_DATA_STDERR) { 2352 logit("channel %d: bad ext data", c->self); 2353 return; 2354 } 2355 data = packet_get_string(&data_len); 2356 packet_check_eom(); 2357 if (data_len > c->local_window) { 2358 logit("channel %d: rcvd too much extended_data %d, win %d", 2359 c->self, data_len, c->local_window); 2360 xfree(data); 2361 return; 2362 } 2363 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2364 c->local_window -= data_len; 2365 buffer_append(&c->extended, data, data_len); 2366 xfree(data); 2367} 2368 2369/* ARGSUSED */ 2370void 2371channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2372{ 2373 int id; 2374 Channel *c; 2375 2376 id = packet_get_int(); 2377 packet_check_eom(); 2378 c = channel_lookup(id); 2379 if (c == NULL) 2380 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2381 chan_rcvd_ieof(c); 2382 2383 /* XXX force input close */ 2384 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2385 debug("channel %d: FORCE input drain", c->self); 2386 c->istate = CHAN_INPUT_WAIT_DRAIN; 2387 if (buffer_len(&c->input) == 0) 2388 chan_ibuf_empty(c); 2389 } 2390 2391} 2392 2393/* ARGSUSED */ 2394void 2395channel_input_close(int type, u_int32_t seq, void *ctxt) 2396{ 2397 int id; 2398 Channel *c; 2399 2400 id = packet_get_int(); 2401 packet_check_eom(); 2402 c = channel_lookup(id); 2403 if (c == NULL) 2404 packet_disconnect("Received close for nonexistent channel %d.", id); 2405 2406 /* 2407 * Send a confirmation that we have closed the channel and no more 2408 * data is coming for it. 2409 */ 2410 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2411 packet_put_int(c->remote_id); 2412 packet_send(); 2413 2414 /* 2415 * If the channel is in closed state, we have sent a close request, 2416 * and the other side will eventually respond with a confirmation. 2417 * Thus, we cannot free the channel here, because then there would be 2418 * no-one to receive the confirmation. The channel gets freed when 2419 * the confirmation arrives. 2420 */ 2421 if (c->type != SSH_CHANNEL_CLOSED) { 2422 /* 2423 * Not a closed channel - mark it as draining, which will 2424 * cause it to be freed later. 2425 */ 2426 buffer_clear(&c->input); 2427 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2428 } 2429} 2430 2431/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2432/* ARGSUSED */ 2433void 2434channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2435{ 2436 int id = packet_get_int(); 2437 Channel *c = channel_lookup(id); 2438 2439 packet_check_eom(); 2440 if (c == NULL) 2441 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2442 chan_rcvd_oclose(c); 2443} 2444 2445/* ARGSUSED */ 2446void 2447channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2448{ 2449 int id = packet_get_int(); 2450 Channel *c = channel_lookup(id); 2451 2452 packet_check_eom(); 2453 if (c == NULL) 2454 packet_disconnect("Received close confirmation for " 2455 "out-of-range channel %d.", id); 2456 if (c->type != SSH_CHANNEL_CLOSED) 2457 packet_disconnect("Received close confirmation for " 2458 "non-closed channel %d (type %d).", id, c->type); 2459 channel_free(c); 2460} 2461 2462/* ARGSUSED */ 2463void 2464channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2465{ 2466 int id, remote_id; 2467 Channel *c; 2468 2469 id = packet_get_int(); 2470 c = channel_lookup(id); 2471 2472 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2473 packet_disconnect("Received open confirmation for " 2474 "non-opening channel %d.", id); 2475 remote_id = packet_get_int(); 2476 /* Record the remote channel number and mark that the channel is now open. */ 2477 c->remote_id = remote_id; 2478 c->type = SSH_CHANNEL_OPEN; 2479 2480 if (compat20) { 2481 c->remote_window = packet_get_int(); 2482 c->remote_maxpacket = packet_get_int(); 2483 if (c->open_confirm) { 2484 debug2("callback start"); 2485 c->open_confirm(c->self, 1, c->open_confirm_ctx); 2486 debug2("callback done"); 2487 } 2488 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2489 c->remote_window, c->remote_maxpacket); 2490 } 2491 packet_check_eom(); 2492} 2493 2494static char * 2495reason2txt(int reason) 2496{ 2497 switch (reason) { 2498 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2499 return "administratively prohibited"; 2500 case SSH2_OPEN_CONNECT_FAILED: 2501 return "connect failed"; 2502 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2503 return "unknown channel type"; 2504 case SSH2_OPEN_RESOURCE_SHORTAGE: 2505 return "resource shortage"; 2506 } 2507 return "unknown reason"; 2508} 2509 2510/* ARGSUSED */ 2511void 2512channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2513{ 2514 int id, reason; 2515 char *msg = NULL, *lang = NULL; 2516 Channel *c; 2517 2518 id = packet_get_int(); 2519 c = channel_lookup(id); 2520 2521 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2522 packet_disconnect("Received open failure for " 2523 "non-opening channel %d.", id); 2524 if (compat20) { 2525 reason = packet_get_int(); 2526 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2527 msg = packet_get_string(NULL); 2528 lang = packet_get_string(NULL); 2529 } 2530 logit("channel %d: open failed: %s%s%s", id, 2531 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2532 if (msg != NULL) 2533 xfree(msg); 2534 if (lang != NULL) 2535 xfree(lang); 2536 if (c->open_confirm) { 2537 debug2("callback start"); 2538 c->open_confirm(c->self, 0, c->open_confirm_ctx); 2539 debug2("callback done"); 2540 } 2541 } 2542 packet_check_eom(); 2543 /* Schedule the channel for cleanup/deletion. */ 2544 chan_mark_dead(c); 2545} 2546 2547/* ARGSUSED */ 2548void 2549channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2550{ 2551 Channel *c; 2552 int id; 2553 u_int adjust; 2554 2555 if (!compat20) 2556 return; 2557 2558 /* Get the channel number and verify it. */ 2559 id = packet_get_int(); 2560 c = channel_lookup(id); 2561 2562 if (c == NULL) { 2563 logit("Received window adjust for non-open channel %d.", id); 2564 return; 2565 } 2566 adjust = packet_get_int(); 2567 packet_check_eom(); 2568 debug2("channel %d: rcvd adjust %u", id, adjust); 2569 c->remote_window += adjust; 2570} 2571 2572/* ARGSUSED */ 2573void 2574channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2575{ 2576 Channel *c = NULL; 2577 u_short host_port; 2578 char *host, *originator_string; 2579 int remote_id; 2580 2581 remote_id = packet_get_int(); 2582 host = packet_get_string(NULL); 2583 host_port = packet_get_int(); 2584 2585 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2586 originator_string = packet_get_string(NULL); 2587 } else { 2588 originator_string = xstrdup("unknown (remote did not supply name)"); 2589 } 2590 packet_check_eom(); 2591 c = channel_connect_to(host, host_port, 2592 "connected socket", originator_string); 2593 xfree(originator_string); 2594 xfree(host); 2595 if (c == NULL) { 2596 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2597 packet_put_int(remote_id); 2598 packet_send(); 2599 } else 2600 c->remote_id = remote_id; 2601} 2602 2603/* ARGSUSED */ 2604void 2605channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) 2606{ 2607 Channel *c; 2608 struct channel_confirm *cc; 2609 int id; 2610 2611 /* Reset keepalive timeout */ 2612 packet_set_alive_timeouts(0); 2613 2614 id = packet_get_int(); 2615 packet_check_eom(); 2616 2617 debug2("channel_input_status_confirm: type %d id %d", type, id); 2618 2619 if ((c = channel_lookup(id)) == NULL) { 2620 logit("channel_input_status_confirm: %d: unknown", id); 2621 return; 2622 } 2623 ; 2624 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 2625 return; 2626 cc->cb(type, c, cc->ctx); 2627 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2628 bzero(cc, sizeof(*cc)); 2629 xfree(cc); 2630} 2631 2632/* -- tcp forwarding */ 2633 2634void 2635channel_set_af(int af) 2636{ 2637 IPv4or6 = af; 2638} 2639 2640static int 2641channel_setup_fwd_listener(int type, const char *listen_addr, 2642 u_short listen_port, int *allocated_listen_port, 2643 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2644{ 2645 Channel *c; 2646 int sock, r, success = 0, wildcard = 0, is_client; 2647 struct addrinfo hints, *ai, *aitop; 2648 const char *host, *addr; 2649 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2650 in_port_t *lport_p; 2651 2652 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2653 listen_addr : host_to_connect; 2654 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2655 2656 if (host == NULL) { 2657 error("No forward host name."); 2658 return 0; 2659 } 2660 if (strlen(host) >= NI_MAXHOST) { 2661 error("Forward host name too long."); 2662 return 0; 2663 } 2664 2665 /* 2666 * Determine whether or not a port forward listens to loopback, 2667 * specified address or wildcard. On the client, a specified bind 2668 * address will always override gateway_ports. On the server, a 2669 * gateway_ports of 1 (``yes'') will override the client's 2670 * specification and force a wildcard bind, whereas a value of 2 2671 * (``clientspecified'') will bind to whatever address the client 2672 * asked for. 2673 * 2674 * Special-case listen_addrs are: 2675 * 2676 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2677 * "" (empty string), "*" -> wildcard v4/v6 2678 * "localhost" -> loopback v4/v6 2679 */ 2680 addr = NULL; 2681 if (listen_addr == NULL) { 2682 /* No address specified: default to gateway_ports setting */ 2683 if (gateway_ports) 2684 wildcard = 1; 2685 } else if (gateway_ports || is_client) { 2686 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2687 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 2688 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2689 (!is_client && gateway_ports == 1)) 2690 wildcard = 1; 2691 else if (strcmp(listen_addr, "localhost") != 0) 2692 addr = listen_addr; 2693 } 2694 2695 debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s", 2696 type, wildcard, (addr == NULL) ? "NULL" : addr); 2697 2698 /* 2699 * getaddrinfo returns a loopback address if the hostname is 2700 * set to NULL and hints.ai_flags is not AI_PASSIVE 2701 */ 2702 memset(&hints, 0, sizeof(hints)); 2703 hints.ai_family = IPv4or6; 2704 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2705 hints.ai_socktype = SOCK_STREAM; 2706 snprintf(strport, sizeof strport, "%d", listen_port); 2707 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2708 if (addr == NULL) { 2709 /* This really shouldn't happen */ 2710 packet_disconnect("getaddrinfo: fatal error: %s", 2711 ssh_gai_strerror(r)); 2712 } else { 2713 error("channel_setup_fwd_listener: " 2714 "getaddrinfo(%.64s): %s", addr, 2715 ssh_gai_strerror(r)); 2716 } 2717 return 0; 2718 } 2719 if (allocated_listen_port != NULL) 2720 *allocated_listen_port = 0; 2721 for (ai = aitop; ai; ai = ai->ai_next) { 2722 switch (ai->ai_family) { 2723 case AF_INET: 2724 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 2725 sin_port; 2726 break; 2727 case AF_INET6: 2728 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 2729 sin6_port; 2730 break; 2731 default: 2732 continue; 2733 } 2734 /* 2735 * If allocating a port for -R forwards, then use the 2736 * same port for all address families. 2737 */ 2738 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2739 allocated_listen_port != NULL && *allocated_listen_port > 0) 2740 *lport_p = htons(*allocated_listen_port); 2741 2742 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2743 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2744 error("channel_setup_fwd_listener: getnameinfo failed"); 2745 continue; 2746 } 2747 /* Create a port to listen for the host. */ 2748 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2749 if (sock < 0) { 2750 /* this is no error since kernel may not support ipv6 */ 2751 verbose("socket: %.100s", strerror(errno)); 2752 continue; 2753 } 2754 2755 channel_set_reuseaddr(sock); 2756 if (ai->ai_family == AF_INET6) 2757 sock_set_v6only(sock); 2758 2759 debug("Local forwarding listening on %s port %s.", 2760 ntop, strport); 2761 2762 /* Bind the socket to the address. */ 2763 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2764 /* address can be in use ipv6 address is already bound */ 2765 if (!ai->ai_next) 2766 error("bind: %.100s", strerror(errno)); 2767 else 2768 verbose("bind: %.100s", strerror(errno)); 2769 2770 close(sock); 2771 continue; 2772 } 2773 /* Start listening for connections on the socket. */ 2774 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2775 error("listen: %.100s", strerror(errno)); 2776 close(sock); 2777 continue; 2778 } 2779 2780 /* 2781 * listen_port == 0 requests a dynamically allocated port - 2782 * record what we got. 2783 */ 2784 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2785 allocated_listen_port != NULL && 2786 *allocated_listen_port == 0) { 2787 *allocated_listen_port = get_sock_port(sock, 1); 2788 debug("Allocated listen port %d", 2789 *allocated_listen_port); 2790 } 2791 2792 /* Allocate a channel number for the socket. */ 2793 c = channel_new("port listener", type, sock, sock, -1, 2794 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2795 0, "port listener", 1); 2796 c->path = xstrdup(host); 2797 c->host_port = port_to_connect; 2798 c->listening_port = listen_port; 2799 success = 1; 2800 } 2801 if (success == 0) 2802 error("channel_setup_fwd_listener: cannot listen to port: %d", 2803 listen_port); 2804 freeaddrinfo(aitop); 2805 return success; 2806} 2807 2808int 2809channel_cancel_rport_listener(const char *host, u_short port) 2810{ 2811 u_int i; 2812 int found = 0; 2813 2814 for (i = 0; i < channels_alloc; i++) { 2815 Channel *c = channels[i]; 2816 2817 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER && 2818 strcmp(c->path, host) == 0 && c->listening_port == port) { 2819 debug2("%s: close channel %d", __func__, i); 2820 channel_free(c); 2821 found = 1; 2822 } 2823 } 2824 2825 return (found); 2826} 2827 2828/* protocol local port fwd, used by ssh (and sshd in v1) */ 2829int 2830channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, 2831 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2832{ 2833 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2834 listen_host, listen_port, NULL, host_to_connect, port_to_connect, 2835 gateway_ports); 2836} 2837 2838/* protocol v2 remote port fwd, used by sshd */ 2839int 2840channel_setup_remote_fwd_listener(const char *listen_address, 2841 u_short listen_port, int *allocated_listen_port, int gateway_ports) 2842{ 2843 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2844 listen_address, listen_port, allocated_listen_port, 2845 NULL, 0, gateway_ports); 2846} 2847 2848/* 2849 * Initiate forwarding of connections to port "port" on remote host through 2850 * the secure channel to host:port from local side. 2851 */ 2852 2853int 2854channel_request_remote_forwarding(const char *listen_host, u_short listen_port, 2855 const char *host_to_connect, u_short port_to_connect) 2856{ 2857 int type, success = 0; 2858 2859 /* Send the forward request to the remote side. */ 2860 if (compat20) { 2861 const char *address_to_bind; 2862 if (listen_host == NULL) { 2863 if (datafellows & SSH_BUG_RFWD_ADDR) 2864 address_to_bind = "127.0.0.1"; 2865 else 2866 address_to_bind = "localhost"; 2867 } else if (*listen_host == '\0' || 2868 strcmp(listen_host, "*") == 0) { 2869 if (datafellows & SSH_BUG_RFWD_ADDR) 2870 address_to_bind = "0.0.0.0"; 2871 else 2872 address_to_bind = ""; 2873 } else 2874 address_to_bind = listen_host; 2875 2876 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2877 packet_put_cstring("tcpip-forward"); 2878 packet_put_char(1); /* boolean: want reply */ 2879 packet_put_cstring(address_to_bind); 2880 packet_put_int(listen_port); 2881 packet_send(); 2882 packet_write_wait(); 2883 /* Assume that server accepts the request */ 2884 success = 1; 2885 } else { 2886 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2887 packet_put_int(listen_port); 2888 packet_put_cstring(host_to_connect); 2889 packet_put_int(port_to_connect); 2890 packet_send(); 2891 packet_write_wait(); 2892 2893 /* Wait for response from the remote side. */ 2894 type = packet_read(); 2895 switch (type) { 2896 case SSH_SMSG_SUCCESS: 2897 success = 1; 2898 break; 2899 case SSH_SMSG_FAILURE: 2900 break; 2901 default: 2902 /* Unknown packet */ 2903 packet_disconnect("Protocol error for port forward request:" 2904 "received packet type %d.", type); 2905 } 2906 } 2907 if (success) { 2908 /* Record that connection to this host/port is permitted. */ 2909 permitted_opens = xrealloc(permitted_opens, 2910 num_permitted_opens + 1, sizeof(*permitted_opens)); 2911 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2912 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2913 permitted_opens[num_permitted_opens].listen_port = listen_port; 2914 num_permitted_opens++; 2915 } 2916 return (success ? 0 : -1); 2917} 2918 2919/* 2920 * Request cancellation of remote forwarding of connection host:port from 2921 * local side. 2922 */ 2923void 2924channel_request_rforward_cancel(const char *host, u_short port) 2925{ 2926 int i; 2927 2928 if (!compat20) 2929 return; 2930 2931 for (i = 0; i < num_permitted_opens; i++) { 2932 if (permitted_opens[i].host_to_connect != NULL && 2933 permitted_opens[i].listen_port == port) 2934 break; 2935 } 2936 if (i >= num_permitted_opens) { 2937 debug("%s: requested forward not found", __func__); 2938 return; 2939 } 2940 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2941 packet_put_cstring("cancel-tcpip-forward"); 2942 packet_put_char(0); 2943 packet_put_cstring(host == NULL ? "" : host); 2944 packet_put_int(port); 2945 packet_send(); 2946 2947 permitted_opens[i].listen_port = 0; 2948 permitted_opens[i].port_to_connect = 0; 2949 xfree(permitted_opens[i].host_to_connect); 2950 permitted_opens[i].host_to_connect = NULL; 2951} 2952 2953/* 2954 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2955 * listening for the port, and sends back a success reply (or disconnect 2956 * message if there was an error). 2957 */ 2958int 2959channel_input_port_forward_request(int is_root, int gateway_ports) 2960{ 2961 u_short port, host_port; 2962 int success = 0; 2963 char *hostname; 2964 2965 /* Get arguments from the packet. */ 2966 port = packet_get_int(); 2967 hostname = packet_get_string(NULL); 2968 host_port = packet_get_int(); 2969 2970#ifndef HAVE_CYGWIN 2971 /* 2972 * Check that an unprivileged user is not trying to forward a 2973 * privileged port. 2974 */ 2975 if (port < IPPORT_RESERVED && !is_root) 2976 packet_disconnect( 2977 "Requested forwarding of port %d but user is not root.", 2978 port); 2979 if (host_port == 0) 2980 packet_disconnect("Dynamic forwarding denied."); 2981#endif 2982 2983 /* Initiate forwarding */ 2984 success = channel_setup_local_fwd_listener(NULL, port, hostname, 2985 host_port, gateway_ports); 2986 2987 /* Free the argument string. */ 2988 xfree(hostname); 2989 2990 return (success ? 0 : -1); 2991} 2992 2993/* 2994 * Permits opening to any host/port if permitted_opens[] is empty. This is 2995 * usually called by the server, because the user could connect to any port 2996 * anyway, and the server has no way to know but to trust the client anyway. 2997 */ 2998void 2999channel_permit_all_opens(void) 3000{ 3001 if (num_permitted_opens == 0) 3002 all_opens_permitted = 1; 3003} 3004 3005void 3006channel_add_permitted_opens(char *host, int port) 3007{ 3008 debug("allow port forwarding to host %s port %d", host, port); 3009 3010 permitted_opens = xrealloc(permitted_opens, 3011 num_permitted_opens + 1, sizeof(*permitted_opens)); 3012 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 3013 permitted_opens[num_permitted_opens].port_to_connect = port; 3014 num_permitted_opens++; 3015 3016 all_opens_permitted = 0; 3017} 3018 3019int 3020channel_add_adm_permitted_opens(char *host, int port) 3021{ 3022 debug("config allows port forwarding to host %s port %d", host, port); 3023 3024 permitted_adm_opens = xrealloc(permitted_adm_opens, 3025 num_adm_permitted_opens + 1, sizeof(*permitted_adm_opens)); 3026 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 3027 = xstrdup(host); 3028 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 3029 return ++num_adm_permitted_opens; 3030} 3031 3032void 3033channel_clear_permitted_opens(void) 3034{ 3035 int i; 3036 3037 for (i = 0; i < num_permitted_opens; i++) 3038 if (permitted_opens[i].host_to_connect != NULL) 3039 xfree(permitted_opens[i].host_to_connect); 3040 if (num_permitted_opens > 0) { 3041 xfree(permitted_opens); 3042 permitted_opens = NULL; 3043 } 3044 num_permitted_opens = 0; 3045} 3046 3047void 3048channel_clear_adm_permitted_opens(void) 3049{ 3050 int i; 3051 3052 for (i = 0; i < num_adm_permitted_opens; i++) 3053 if (permitted_adm_opens[i].host_to_connect != NULL) 3054 xfree(permitted_adm_opens[i].host_to_connect); 3055 if (num_adm_permitted_opens > 0) { 3056 xfree(permitted_adm_opens); 3057 permitted_adm_opens = NULL; 3058 } 3059 num_adm_permitted_opens = 0; 3060} 3061 3062void 3063channel_print_adm_permitted_opens(void) 3064{ 3065 int i; 3066 3067 printf("permitopen"); 3068 if (num_adm_permitted_opens == 0) { 3069 printf(" any\n"); 3070 return; 3071 } 3072 for (i = 0; i < num_adm_permitted_opens; i++) 3073 if (permitted_adm_opens[i].host_to_connect != NULL) 3074 printf(" %s:%d", permitted_adm_opens[i].host_to_connect, 3075 permitted_adm_opens[i].port_to_connect); 3076 printf("\n"); 3077} 3078 3079/* Try to start non-blocking connect to next host in cctx list */ 3080static int 3081connect_next(struct channel_connect *cctx) 3082{ 3083 int sock, saved_errno; 3084 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 3085 3086 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 3087 if (cctx->ai->ai_family != AF_INET && 3088 cctx->ai->ai_family != AF_INET6) 3089 continue; 3090 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 3091 ntop, sizeof(ntop), strport, sizeof(strport), 3092 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3093 error("connect_next: getnameinfo failed"); 3094 continue; 3095 } 3096 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 3097 cctx->ai->ai_protocol)) == -1) { 3098 if (cctx->ai->ai_next == NULL) 3099 error("socket: %.100s", strerror(errno)); 3100 else 3101 verbose("socket: %.100s", strerror(errno)); 3102 continue; 3103 } 3104 if (set_nonblock(sock) == -1) 3105 fatal("%s: set_nonblock(%d)", __func__, sock); 3106 if (connect(sock, cctx->ai->ai_addr, 3107 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 3108 debug("connect_next: host %.100s ([%.100s]:%s): " 3109 "%.100s", cctx->host, ntop, strport, 3110 strerror(errno)); 3111 saved_errno = errno; 3112 close(sock); 3113 errno = saved_errno; 3114 continue; /* fail -- try next */ 3115 } 3116 debug("connect_next: host %.100s ([%.100s]:%s) " 3117 "in progress, fd=%d", cctx->host, ntop, strport, sock); 3118 cctx->ai = cctx->ai->ai_next; 3119 set_nodelay(sock); 3120 return sock; 3121 } 3122 return -1; 3123} 3124 3125static void 3126channel_connect_ctx_free(struct channel_connect *cctx) 3127{ 3128 xfree(cctx->host); 3129 if (cctx->aitop) 3130 freeaddrinfo(cctx->aitop); 3131 bzero(cctx, sizeof(*cctx)); 3132 cctx->host = NULL; 3133 cctx->ai = cctx->aitop = NULL; 3134} 3135 3136/* Return CONNECTING channel to remote host, port */ 3137static Channel * 3138connect_to(const char *host, u_short port, char *ctype, char *rname) 3139{ 3140 struct addrinfo hints; 3141 int gaierr; 3142 int sock = -1; 3143 char strport[NI_MAXSERV]; 3144 struct channel_connect cctx; 3145 Channel *c; 3146 3147 memset(&cctx, 0, sizeof(cctx)); 3148 memset(&hints, 0, sizeof(hints)); 3149 hints.ai_family = IPv4or6; 3150 hints.ai_socktype = SOCK_STREAM; 3151 snprintf(strport, sizeof strport, "%d", port); 3152 if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) { 3153 error("connect_to %.100s: unknown host (%s)", host, 3154 ssh_gai_strerror(gaierr)); 3155 return NULL; 3156 } 3157 3158 cctx.host = xstrdup(host); 3159 cctx.port = port; 3160 cctx.ai = cctx.aitop; 3161 3162 if ((sock = connect_next(&cctx)) == -1) { 3163 error("connect to %.100s port %d failed: %s", 3164 host, port, strerror(errno)); 3165 channel_connect_ctx_free(&cctx); 3166 return NULL; 3167 } 3168 c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 3169 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 3170 c->connect_ctx = cctx; 3171 return c; 3172} 3173 3174Channel * 3175channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) 3176{ 3177 int i; 3178 3179 for (i = 0; i < num_permitted_opens; i++) { 3180 if (permitted_opens[i].host_to_connect != NULL && 3181 permitted_opens[i].listen_port == listen_port) { 3182 return connect_to( 3183 permitted_opens[i].host_to_connect, 3184 permitted_opens[i].port_to_connect, ctype, rname); 3185 } 3186 } 3187 error("WARNING: Server requests forwarding for unknown listen_port %d", 3188 listen_port); 3189 return NULL; 3190} 3191 3192/* Check if connecting to that port is permitted and connect. */ 3193Channel * 3194channel_connect_to(const char *host, u_short port, char *ctype, char *rname) 3195{ 3196 int i, permit, permit_adm = 1; 3197 3198 permit = all_opens_permitted; 3199 if (!permit) { 3200 for (i = 0; i < num_permitted_opens; i++) 3201 if (permitted_opens[i].host_to_connect != NULL && 3202 permitted_opens[i].port_to_connect == port && 3203 strcmp(permitted_opens[i].host_to_connect, host) == 0) 3204 permit = 1; 3205 } 3206 3207 if (num_adm_permitted_opens > 0) { 3208 permit_adm = 0; 3209 for (i = 0; i < num_adm_permitted_opens; i++) 3210 if (permitted_adm_opens[i].host_to_connect != NULL && 3211 permitted_adm_opens[i].port_to_connect == port && 3212 strcmp(permitted_adm_opens[i].host_to_connect, host) 3213 == 0) 3214 permit_adm = 1; 3215 } 3216 3217 if (!permit || !permit_adm) { 3218 logit("Received request to connect to host %.100s port %d, " 3219 "but the request was denied.", host, port); 3220 return NULL; 3221 } 3222 return connect_to(host, port, ctype, rname); 3223} 3224 3225void 3226channel_send_window_changes(void) 3227{ 3228 u_int i; 3229 struct winsize ws; 3230 3231 for (i = 0; i < channels_alloc; i++) { 3232 if (channels[i] == NULL || !channels[i]->client_tty || 3233 channels[i]->type != SSH_CHANNEL_OPEN) 3234 continue; 3235 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 3236 continue; 3237 channel_request_start(i, "window-change", 0); 3238 packet_put_int((u_int)ws.ws_col); 3239 packet_put_int((u_int)ws.ws_row); 3240 packet_put_int((u_int)ws.ws_xpixel); 3241 packet_put_int((u_int)ws.ws_ypixel); 3242 packet_send(); 3243 } 3244} 3245 3246/* -- X11 forwarding */ 3247 3248/* 3249 * Creates an internet domain socket for listening for X11 connections. 3250 * Returns 0 and a suitable display number for the DISPLAY variable 3251 * stored in display_numberp , or -1 if an error occurs. 3252 */ 3253int 3254x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 3255 int single_connection, u_int *display_numberp, int **chanids) 3256{ 3257 Channel *nc = NULL; 3258 int display_number, sock; 3259 u_short port; 3260 struct addrinfo hints, *ai, *aitop; 3261 char strport[NI_MAXSERV]; 3262 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 3263 3264 if (chanids == NULL) 3265 return -1; 3266 3267 for (display_number = x11_display_offset; 3268 display_number < MAX_DISPLAYS; 3269 display_number++) { 3270 port = 6000 + display_number; 3271 memset(&hints, 0, sizeof(hints)); 3272 hints.ai_family = IPv4or6; 3273 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 3274 hints.ai_socktype = SOCK_STREAM; 3275 snprintf(strport, sizeof strport, "%d", port); 3276 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 3277 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 3278 return -1; 3279 } 3280 for (ai = aitop; ai; ai = ai->ai_next) { 3281 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 3282 continue; 3283 sock = socket(ai->ai_family, ai->ai_socktype, 3284 ai->ai_protocol); 3285 if (sock < 0) { 3286 if ((errno != EINVAL) && (errno != EAFNOSUPPORT) 3287#ifdef EPFNOSUPPORT 3288 && (errno != EPFNOSUPPORT) 3289#endif 3290 ) { 3291 error("socket: %.100s", strerror(errno)); 3292 freeaddrinfo(aitop); 3293 return -1; 3294 } else { 3295 debug("x11_create_display_inet: Socket family %d not supported", 3296 ai->ai_family); 3297 continue; 3298 } 3299 } 3300 if (ai->ai_family == AF_INET6) 3301 sock_set_v6only(sock); 3302 if (x11_use_localhost) 3303 channel_set_reuseaddr(sock); 3304 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3305 debug2("bind port %d: %.100s", port, strerror(errno)); 3306 close(sock); 3307 3308 for (n = 0; n < num_socks; n++) { 3309 close(socks[n]); 3310 } 3311 num_socks = 0; 3312 break; 3313 } 3314 socks[num_socks++] = sock; 3315 if (num_socks == NUM_SOCKS) 3316 break; 3317 } 3318 freeaddrinfo(aitop); 3319 if (num_socks > 0) 3320 break; 3321 } 3322 if (display_number >= MAX_DISPLAYS) { 3323 error("Failed to allocate internet-domain X11 display socket."); 3324 return -1; 3325 } 3326 /* Start listening for connections on the socket. */ 3327 for (n = 0; n < num_socks; n++) { 3328 sock = socks[n]; 3329 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3330 error("listen: %.100s", strerror(errno)); 3331 close(sock); 3332 return -1; 3333 } 3334 } 3335 3336 /* Allocate a channel for each socket. */ 3337 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 3338 for (n = 0; n < num_socks; n++) { 3339 sock = socks[n]; 3340 nc = channel_new("x11 listener", 3341 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 3342 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 3343 0, "X11 inet listener", 1); 3344 nc->single_connection = single_connection; 3345 (*chanids)[n] = nc->self; 3346 } 3347 (*chanids)[n] = -1; 3348 3349 /* Return the display number for the DISPLAY environment variable. */ 3350 *display_numberp = display_number; 3351 return (0); 3352} 3353 3354static int 3355connect_local_xsocket_path(const char *pathname) 3356{ 3357 int sock; 3358 struct sockaddr_un addr; 3359 3360 sock = socket(AF_UNIX, SOCK_STREAM, 0); 3361 if (sock < 0) 3362 error("socket: %.100s", strerror(errno)); 3363 memset(&addr, 0, sizeof(addr)); 3364 addr.sun_family = AF_UNIX; 3365 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 3366 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 3367 return sock; 3368 close(sock); 3369 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 3370 return -1; 3371} 3372 3373static int 3374connect_local_xsocket(u_int dnr) 3375{ 3376 char buf[1024]; 3377 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 3378 return connect_local_xsocket_path(buf); 3379} 3380 3381int 3382x11_connect_display(void) 3383{ 3384 u_int display_number; 3385 const char *display; 3386 char buf[1024], *cp; 3387 struct addrinfo hints, *ai, *aitop; 3388 char strport[NI_MAXSERV]; 3389 int gaierr, sock = 0; 3390 3391 /* Try to open a socket for the local X server. */ 3392 display = getenv("DISPLAY"); 3393 if (!display) { 3394 error("DISPLAY not set."); 3395 return -1; 3396 } 3397 /* 3398 * Now we decode the value of the DISPLAY variable and make a 3399 * connection to the real X server. 3400 */ 3401 3402 /* Check if the display is from launchd. */ 3403#ifdef __APPLE__ 3404 if (strncmp(display, "/tmp/launch", 11) == 0) { 3405 sock = connect_local_xsocket_path(display); 3406 if (sock < 0) 3407 return -1; 3408 3409 /* OK, we now have a connection to the display. */ 3410 return sock; 3411 } 3412#endif 3413 /* 3414 * Check if it is a unix domain socket. Unix domain displays are in 3415 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 3416 */ 3417 if (strncmp(display, "unix:", 5) == 0 || 3418 display[0] == ':') { 3419 /* Connect to the unix domain socket. */ 3420 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 3421 error("Could not parse display number from DISPLAY: %.100s", 3422 display); 3423 return -1; 3424 } 3425 /* Create a socket. */ 3426 sock = connect_local_xsocket(display_number); 3427 if (sock < 0) 3428 return -1; 3429 3430 /* OK, we now have a connection to the display. */ 3431 return sock; 3432 } 3433 /* 3434 * Connect to an inet socket. The DISPLAY value is supposedly 3435 * hostname:d[.s], where hostname may also be numeric IP address. 3436 */ 3437 strlcpy(buf, display, sizeof(buf)); 3438 cp = strchr(buf, ':'); 3439 if (!cp) { 3440 error("Could not find ':' in DISPLAY: %.100s", display); 3441 return -1; 3442 } 3443 *cp = 0; 3444 /* buf now contains the host name. But first we parse the display number. */ 3445 if (sscanf(cp + 1, "%u", &display_number) != 1) { 3446 error("Could not parse display number from DISPLAY: %.100s", 3447 display); 3448 return -1; 3449 } 3450 3451 /* Look up the host address */ 3452 memset(&hints, 0, sizeof(hints)); 3453 hints.ai_family = IPv4or6; 3454 hints.ai_socktype = SOCK_STREAM; 3455 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 3456 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 3457 error("%.100s: unknown host. (%s)", buf, 3458 ssh_gai_strerror(gaierr)); 3459 return -1; 3460 } 3461 for (ai = aitop; ai; ai = ai->ai_next) { 3462 /* Create a socket. */ 3463 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3464 if (sock < 0) { 3465 debug2("socket: %.100s", strerror(errno)); 3466 continue; 3467 } 3468 /* Connect it to the display. */ 3469 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3470 debug2("connect %.100s port %u: %.100s", buf, 3471 6000 + display_number, strerror(errno)); 3472 close(sock); 3473 continue; 3474 } 3475 /* Success */ 3476 break; 3477 } 3478 freeaddrinfo(aitop); 3479 if (!ai) { 3480 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 3481 strerror(errno)); 3482 return -1; 3483 } 3484 set_nodelay(sock); 3485 return sock; 3486} 3487 3488/* 3489 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 3490 * the remote channel number. We should do whatever we want, and respond 3491 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 3492 */ 3493 3494/* ARGSUSED */ 3495void 3496x11_input_open(int type, u_int32_t seq, void *ctxt) 3497{ 3498 Channel *c = NULL; 3499 int remote_id, sock = 0; 3500 char *remote_host; 3501 3502 debug("Received X11 open request."); 3503 3504 remote_id = packet_get_int(); 3505 3506 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 3507 remote_host = packet_get_string(NULL); 3508 } else { 3509 remote_host = xstrdup("unknown (remote did not supply name)"); 3510 } 3511 packet_check_eom(); 3512 3513 /* Obtain a connection to the real X display. */ 3514 sock = x11_connect_display(); 3515 if (sock != -1) { 3516 /* Allocate a channel for this connection. */ 3517 c = channel_new("connected x11 socket", 3518 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 3519 remote_host, 1); 3520 c->remote_id = remote_id; 3521 c->force_drain = 1; 3522 } 3523 xfree(remote_host); 3524 if (c == NULL) { 3525 /* Send refusal to the remote host. */ 3526 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3527 packet_put_int(remote_id); 3528 } else { 3529 /* Send a confirmation to the remote host. */ 3530 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 3531 packet_put_int(remote_id); 3532 packet_put_int(c->self); 3533 } 3534 packet_send(); 3535} 3536 3537/* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 3538/* ARGSUSED */ 3539void 3540deny_input_open(int type, u_int32_t seq, void *ctxt) 3541{ 3542 int rchan = packet_get_int(); 3543 3544 switch (type) { 3545 case SSH_SMSG_AGENT_OPEN: 3546 error("Warning: ssh server tried agent forwarding."); 3547 break; 3548 case SSH_SMSG_X11_OPEN: 3549 error("Warning: ssh server tried X11 forwarding."); 3550 break; 3551 default: 3552 error("deny_input_open: type %d", type); 3553 break; 3554 } 3555 error("Warning: this is probably a break-in attempt by a malicious server."); 3556 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3557 packet_put_int(rchan); 3558 packet_send(); 3559} 3560 3561/* 3562 * Requests forwarding of X11 connections, generates fake authentication 3563 * data, and enables authentication spoofing. 3564 * This should be called in the client only. 3565 */ 3566void 3567x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 3568 const char *proto, const char *data) 3569{ 3570 u_int data_len = (u_int) strlen(data) / 2; 3571 u_int i, value; 3572 char *new_data; 3573 int screen_number; 3574 const char *cp; 3575 u_int32_t rnd = 0; 3576 3577 if (x11_saved_display == NULL) 3578 x11_saved_display = xstrdup(disp); 3579 else if (strcmp(disp, x11_saved_display) != 0) { 3580 error("x11_request_forwarding_with_spoofing: different " 3581 "$DISPLAY already forwarded"); 3582 return; 3583 } 3584 3585 cp = strchr(disp, ':'); 3586 if (cp) 3587 cp = strchr(cp, '.'); 3588 if (cp) 3589 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 3590 else 3591 screen_number = 0; 3592 3593 if (x11_saved_proto == NULL) { 3594 /* Save protocol name. */ 3595 x11_saved_proto = xstrdup(proto); 3596 /* 3597 * Extract real authentication data and generate fake data 3598 * of the same length. 3599 */ 3600 x11_saved_data = xmalloc(data_len); 3601 x11_fake_data = xmalloc(data_len); 3602 for (i = 0; i < data_len; i++) { 3603 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3604 fatal("x11_request_forwarding: bad " 3605 "authentication data: %.100s", data); 3606 if (i % 4 == 0) 3607 rnd = arc4random(); 3608 x11_saved_data[i] = value; 3609 x11_fake_data[i] = rnd & 0xff; 3610 rnd >>= 8; 3611 } 3612 x11_saved_data_len = data_len; 3613 x11_fake_data_len = data_len; 3614 } 3615 3616 /* Convert the fake data into hex. */ 3617 new_data = tohex(x11_fake_data, data_len); 3618 3619 /* Send the request packet. */ 3620 if (compat20) { 3621 channel_request_start(client_session_id, "x11-req", 0); 3622 packet_put_char(0); /* XXX bool single connection */ 3623 } else { 3624 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 3625 } 3626 packet_put_cstring(proto); 3627 packet_put_cstring(new_data); 3628 packet_put_int(screen_number); 3629 packet_send(); 3630 packet_write_wait(); 3631 xfree(new_data); 3632} 3633 3634 3635/* -- agent forwarding */ 3636 3637/* Sends a message to the server to request authentication fd forwarding. */ 3638 3639void 3640auth_request_forwarding(void) 3641{ 3642 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 3643 packet_send(); 3644 packet_write_wait(); 3645} 3646