1 /* $OpenBSD: canohost.c,v 1.63 2008/06/12 00:03:49 dtucker Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Functions for returning the canonical host name of the remote site. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 15 #include "includes.h" 16 17 #include <sys/types.h> 18 #include <sys/socket.h> 19 20 #include <netinet/in.h> 21 #include <arpa/inet.h> 22 23 #include <ctype.h> 24 #include <errno.h> 25 #include <netdb.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <stdarg.h> 30 31 #include "xmalloc.h" 32 #include "packet.h" 33 #include "log.h" 34 #include "canohost.h" 35 #include "misc.h" 36 37 static void check_ip_options(int, char *); 38 39 /* 40 * Return the canonical name of the host at the other end of the socket. The 41 * caller should free the returned string with xfree. 42 */ 43 44 static char * 45 get_remote_hostname(int sock, int use_dns) 46 { 47 struct sockaddr_storage from; 48 int i; 49 socklen_t fromlen; 50 struct addrinfo hints, *ai, *aitop; 51 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 52 53 /* Get IP address of client. */ 54 fromlen = sizeof(from); 55 memset(&from, 0, sizeof(from)); 56 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 57 debug("getpeername failed: %.100s", strerror(errno)); 58 cleanup_exit(255); 59 } 60 61 if (from.ss_family == AF_INET) 62 check_ip_options(sock, ntop); 63 64 ipv64_normalise_mapped(&from, &fromlen); 65 66 if (from.ss_family == AF_INET6) 67 fromlen = sizeof(struct sockaddr_in6); 68 69 if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 70 NULL, 0, NI_NUMERICHOST) != 0) 71 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 72 73 if (!use_dns) 74 return xstrdup(ntop); 75 76 debug3("Trying to reverse map address %.100s.", ntop); 77 /* Map the IP address to a host name. */ 78 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 79 NULL, 0, NI_NAMEREQD) != 0) { 80 /* Host name not found. Use ip address. */ 81 return xstrdup(ntop); 82 } 83 84 /* 85 * if reverse lookup result looks like a numeric hostname, 86 * someone is trying to trick us by PTR record like following: 87 * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 88 */ 89 memset(&hints, 0, sizeof(hints)); 90 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 91 hints.ai_flags = AI_NUMERICHOST; 92 if (getaddrinfo(name, NULL, &hints, &ai) == 0) { 93 logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 94 name, ntop); 95 freeaddrinfo(ai); 96 return xstrdup(ntop); 97 } 98 99 /* 100 * Convert it to all lowercase (which is expected by the rest 101 * of this software). 102 */ 103 for (i = 0; name[i]; i++) 104 if (isupper(name[i])) 105 name[i] = (char)tolower(name[i]); 106 /* 107 * Map it back to an IP address and check that the given 108 * address actually is an address of this host. This is 109 * necessary because anyone with access to a name server can 110 * define arbitrary names for an IP address. Mapping from 111 * name to IP address can be trusted better (but can still be 112 * fooled if the intruder has access to the name server of 113 * the domain). 114 */ 115 memset(&hints, 0, sizeof(hints)); 116 hints.ai_family = from.ss_family; 117 hints.ai_socktype = SOCK_STREAM; 118 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 119 logit("reverse mapping checking getaddrinfo for %.700s " 120 "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); 121 return xstrdup(ntop); 122 } 123 /* Look for the address from the list of addresses. */ 124 for (ai = aitop; ai; ai = ai->ai_next) { 125 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, 126 sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && 127 (strcmp(ntop, ntop2) == 0)) 128 break; 129 } 130 freeaddrinfo(aitop); 131 /* If we reached the end of the list, the address was not there. */ 132 if (!ai) { 133 /* Address not found for the host name. */ 134 logit("Address %.100s maps to %.600s, but this does not " 135 "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", 136 ntop, name); 137 return xstrdup(ntop); 138 } 139 return xstrdup(name); 140 } 141 142 /* 143 * If IP options are supported, make sure there are none (log and 144 * disconnect them if any are found). Basically we are worried about 145 * source routing; it can be used to pretend you are somebody 146 * (ip-address) you are not. That itself may be "almost acceptable" 147 * under certain circumstances, but rhosts autentication is useless 148 * if source routing is accepted. Notice also that if we just dropped 149 * source routing here, the other side could use IP spoofing to do 150 * rest of the interaction and could still bypass security. So we 151 * exit here if we detect any IP options. 152 */ 153 /* IPv4 only */ 154 static void 155 check_ip_options(int sock, char *ipaddr) 156 { 157 #ifdef IP_OPTIONS 158 u_char options[200]; 159 char text[sizeof(options) * 3 + 1]; 160 socklen_t option_size; 161 u_int i; 162 int ipproto; 163 struct protoent *ip; 164 165 if ((ip = getprotobyname("ip")) != NULL) 166 ipproto = ip->p_proto; 167 else 168 ipproto = IPPROTO_IP; 169 option_size = sizeof(options); 170 if (getsockopt(sock, ipproto, IP_OPTIONS, options, 171 &option_size) >= 0 && option_size != 0) { 172 text[0] = '\0'; 173 for (i = 0; i < option_size; i++) 174 snprintf(text + i*3, sizeof(text) - i*3, 175 " %2.2x", options[i]); 176 fatal("Connection from %.100s with IP options:%.800s", 177 ipaddr, text); 178 } 179 #endif /* IP_OPTIONS */ 180 } 181 182 void 183 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 184 { 185 struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; 186 struct sockaddr_in *a4 = (struct sockaddr_in *)addr; 187 struct in_addr inaddr; 188 u_int16_t port; 189 190 if (addr->ss_family != AF_INET6 || 191 !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) 192 return; 193 194 debug3("Normalising mapped IPv4 in IPv6 address"); 195 196 memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); 197 port = a6->sin6_port; 198 199 memset(addr, 0, sizeof(*a4)); 200 201 a4->sin_family = AF_INET; 202 *len = sizeof(*a4); 203 memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); 204 a4->sin_port = port; 205 } 206 207 /* 208 * Return the canonical name of the host in the other side of the current 209 * connection. The host name is cached, so it is efficient to call this 210 * several times. 211 */ 212 213 const char * 214 get_canonical_hostname(int use_dns) 215 { 216 char *host; 217 static char *canonical_host_name = NULL; 218 static char *remote_ip = NULL; 219 220 /* Check if we have previously retrieved name with same option. */ 221 if (use_dns && canonical_host_name != NULL) 222 return canonical_host_name; 223 if (!use_dns && remote_ip != NULL) 224 return remote_ip; 225 226 /* Get the real hostname if socket; otherwise return UNKNOWN. */ 227 if (packet_connection_is_on_socket()) 228 host = get_remote_hostname(packet_get_connection_in(), use_dns); 229 else 230 host = "UNKNOWN"; 231 232 if (use_dns) 233 canonical_host_name = host; 234 else 235 remote_ip = host; 236 return host; 237 } 238 239 /* 240 * Returns the local/remote IP-address/hostname of socket as a string. 241 * The returned string must be freed. 242 */ 243 static char * 244 get_socket_address(int sock, int remote, int flags) 245 { 246 struct sockaddr_storage addr; 247 socklen_t addrlen; 248 char ntop[NI_MAXHOST]; 249 int r; 250 251 /* Get IP address of client. */ 252 addrlen = sizeof(addr); 253 memset(&addr, 0, sizeof(addr)); 254 255 if (remote) { 256 if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) 257 < 0) 258 return NULL; 259 } else { 260 if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) 261 < 0) 262 return NULL; 263 } 264 265 /* Work around Linux IPv6 weirdness */ 266 if (addr.ss_family == AF_INET6) 267 addrlen = sizeof(struct sockaddr_in6); 268 269 ipv64_normalise_mapped(&addr, &addrlen); 270 271 /* Get the address in ascii. */ 272 if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, 273 sizeof(ntop), NULL, 0, flags)) != 0) { 274 error("get_socket_address: getnameinfo %d failed: %s", flags, 275 ssh_gai_strerror(r)); 276 return NULL; 277 } 278 return xstrdup(ntop); 279 } 280 281 char * 282 get_peer_ipaddr(int sock) 283 { 284 char *p; 285 286 if ((p = get_socket_address(sock, 1, NI_NUMERICHOST)) != NULL) 287 return p; 288 return xstrdup("UNKNOWN"); 289 } 290 291 char * 292 get_local_ipaddr(int sock) 293 { 294 char *p; 295 296 if ((p = get_socket_address(sock, 0, NI_NUMERICHOST)) != NULL) 297 return p; 298 return xstrdup("UNKNOWN"); 299 } 300 301 char * 302 get_local_name(int sock) 303 { 304 return get_socket_address(sock, 0, NI_NAMEREQD); 305 } 306 307 /* 308 * Returns the IP-address of the remote host as a string. The returned 309 * string must not be freed. 310 */ 311 312 const char * 313 get_remote_ipaddr(void) 314 { 315 static char *canonical_host_ip = NULL; 316 317 /* Check whether we have cached the ipaddr. */ 318 if (canonical_host_ip == NULL) { 319 if (packet_connection_is_on_socket()) { 320 canonical_host_ip = 321 get_peer_ipaddr(packet_get_connection_in()); 322 if (canonical_host_ip == NULL) 323 cleanup_exit(255); 324 } else { 325 /* If not on socket, return UNKNOWN. */ 326 canonical_host_ip = xstrdup("UNKNOWN"); 327 } 328 } 329 return canonical_host_ip; 330 } 331 332 const char * 333 get_remote_name_or_ip(u_int utmp_len, int use_dns) 334 { 335 static const char *remote = ""; 336 if (utmp_len > 0) 337 remote = get_canonical_hostname(use_dns); 338 if (utmp_len == 0 || strlen(remote) > utmp_len) 339 remote = get_remote_ipaddr(); 340 return remote; 341 } 342 343 /* Returns the local/remote port for the socket. */ 344 345 static int 346 get_sock_port(int sock, int local) 347 { 348 struct sockaddr_storage from; 349 socklen_t fromlen; 350 char strport[NI_MAXSERV]; 351 int r; 352 353 /* Get IP address of client. */ 354 fromlen = sizeof(from); 355 memset(&from, 0, sizeof(from)); 356 if (local) { 357 if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { 358 error("getsockname failed: %.100s", strerror(errno)); 359 return 0; 360 } 361 } else { 362 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 363 debug("getpeername failed: %.100s", strerror(errno)); 364 return -1; 365 } 366 } 367 368 /* Work around Linux IPv6 weirdness */ 369 if (from.ss_family == AF_INET6) 370 fromlen = sizeof(struct sockaddr_in6); 371 372 /* Return port number. */ 373 if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, 374 strport, sizeof(strport), NI_NUMERICSERV)) != 0) 375 fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s", 376 ssh_gai_strerror(r)); 377 return atoi(strport); 378 } 379 380 /* Returns remote/local port number for the current connection. */ 381 382 static int 383 get_port(int local) 384 { 385 /* 386 * If the connection is not a socket, return 65535. This is 387 * intentionally chosen to be an unprivileged port number. 388 */ 389 if (!packet_connection_is_on_socket()) 390 return 65535; 391 392 /* Get socket and return the port number. */ 393 return get_sock_port(packet_get_connection_in(), local); 394 } 395 396 int 397 get_peer_port(int sock) 398 { 399 return get_sock_port(sock, 0); 400 } 401 402 int 403 get_remote_port(void) 404 { 405 static int port = -1; 406 407 /* Cache to avoid getpeername() on a dead connection */ 408 if (port == -1) 409 port = get_port(0); 410 411 return port; 412 } 413 414 int 415 get_local_port(void) 416 { 417 return get_port(1); 418 } 419