1 /* $OpenBSD: canohost.c,v 1.61 2006/08/03 03:34:41 deraadt Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Functions for returning the canonical host name of the remote site. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 15 #include "includes.h" 16 17 #include <sys/types.h> 18 #include <sys/socket.h> 19 20 #include <netinet/in.h> 21 #include <arpa/inet.h> 22 23 #include <ctype.h> 24 #include <errno.h> 25 #include <netdb.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <stdarg.h> 30 31 #include "xmalloc.h" 32 #include "packet.h" 33 #include "log.h" 34 #include "canohost.h" 35 36 static void check_ip_options(int, char *); 37 38 /* 39 * Return the canonical name of the host at the other end of the socket. The 40 * caller should free the returned string with xfree. 41 */ 42 43 static char * 44 get_remote_hostname(int sock, int use_dns) 45 { 46 struct sockaddr_storage from; 47 int i; 48 socklen_t fromlen; 49 struct addrinfo hints, *ai, *aitop; 50 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 51 52 /* Get IP address of client. */ 53 fromlen = sizeof(from); 54 memset(&from, 0, sizeof(from)); 55 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 56 debug("getpeername failed: %.100s", strerror(errno)); 57 cleanup_exit(255); 58 } 59 60 if (from.ss_family == AF_INET) 61 check_ip_options(sock, ntop); 62 63 ipv64_normalise_mapped(&from, &fromlen); 64 65 if (from.ss_family == AF_INET6) 66 fromlen = sizeof(struct sockaddr_in6); 67 68 if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 69 NULL, 0, NI_NUMERICHOST) != 0) 70 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 71 72 if (!use_dns) 73 return xstrdup(ntop); 74 75 debug3("Trying to reverse map address %.100s.", ntop); 76 /* Map the IP address to a host name. */ 77 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 78 NULL, 0, NI_NAMEREQD) != 0) { 79 /* Host name not found. Use ip address. */ 80 return xstrdup(ntop); 81 } 82 83 /* 84 * if reverse lookup result looks like a numeric hostname, 85 * someone is trying to trick us by PTR record like following: 86 * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 87 */ 88 memset(&hints, 0, sizeof(hints)); 89 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 90 hints.ai_flags = AI_NUMERICHOST; 91 if (getaddrinfo(name, "0", &hints, &ai) == 0) { 92 logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 93 name, ntop); 94 freeaddrinfo(ai); 95 return xstrdup(ntop); 96 } 97 98 /* 99 * Convert it to all lowercase (which is expected by the rest 100 * of this software). 101 */ 102 for (i = 0; name[i]; i++) 103 if (isupper(name[i])) 104 name[i] = (char)tolower(name[i]); 105 /* 106 * Map it back to an IP address and check that the given 107 * address actually is an address of this host. This is 108 * necessary because anyone with access to a name server can 109 * define arbitrary names for an IP address. Mapping from 110 * name to IP address can be trusted better (but can still be 111 * fooled if the intruder has access to the name server of 112 * the domain). 113 */ 114 memset(&hints, 0, sizeof(hints)); 115 hints.ai_family = from.ss_family; 116 hints.ai_socktype = SOCK_STREAM; 117 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 118 logit("reverse mapping checking getaddrinfo for %.700s " 119 "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); 120 return xstrdup(ntop); 121 } 122 /* Look for the address from the list of addresses. */ 123 for (ai = aitop; ai; ai = ai->ai_next) { 124 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, 125 sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && 126 (strcmp(ntop, ntop2) == 0)) 127 break; 128 } 129 freeaddrinfo(aitop); 130 /* If we reached the end of the list, the address was not there. */ 131 if (!ai) { 132 /* Address not found for the host name. */ 133 logit("Address %.100s maps to %.600s, but this does not " 134 "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", 135 ntop, name); 136 return xstrdup(ntop); 137 } 138 return xstrdup(name); 139 } 140 141 /* 142 * If IP options are supported, make sure there are none (log and 143 * disconnect them if any are found). Basically we are worried about 144 * source routing; it can be used to pretend you are somebody 145 * (ip-address) you are not. That itself may be "almost acceptable" 146 * under certain circumstances, but rhosts autentication is useless 147 * if source routing is accepted. Notice also that if we just dropped 148 * source routing here, the other side could use IP spoofing to do 149 * rest of the interaction and could still bypass security. So we 150 * exit here if we detect any IP options. 151 */ 152 /* IPv4 only */ 153 static void 154 check_ip_options(int sock, char *ipaddr) 155 { 156 #ifdef IP_OPTIONS 157 u_char options[200]; 158 char text[sizeof(options) * 3 + 1]; 159 socklen_t option_size; 160 u_int i; 161 int ipproto; 162 struct protoent *ip; 163 164 if ((ip = getprotobyname("ip")) != NULL) 165 ipproto = ip->p_proto; 166 else 167 ipproto = IPPROTO_IP; 168 option_size = sizeof(options); 169 if (getsockopt(sock, ipproto, IP_OPTIONS, options, 170 &option_size) >= 0 && option_size != 0) { 171 text[0] = '\0'; 172 for (i = 0; i < option_size; i++) 173 snprintf(text + i*3, sizeof(text) - i*3, 174 " %2.2x", options[i]); 175 fatal("Connection from %.100s with IP options:%.800s", 176 ipaddr, text); 177 } 178 #endif /* IP_OPTIONS */ 179 } 180 181 void 182 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 183 { 184 struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; 185 struct sockaddr_in *a4 = (struct sockaddr_in *)addr; 186 struct in_addr inaddr; 187 u_int16_t port; 188 189 if (addr->ss_family != AF_INET6 || 190 !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) 191 return; 192 193 debug3("Normalising mapped IPv4 in IPv6 address"); 194 195 memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); 196 port = a6->sin6_port; 197 198 memset(addr, 0, sizeof(*a4)); 199 200 a4->sin_family = AF_INET; 201 *len = sizeof(*a4); 202 memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); 203 a4->sin_port = port; 204 } 205 206 /* 207 * Return the canonical name of the host in the other side of the current 208 * connection. The host name is cached, so it is efficient to call this 209 * several times. 210 */ 211 212 const char * 213 get_canonical_hostname(int use_dns) 214 { 215 char *host; 216 static char *canonical_host_name = NULL; 217 static char *remote_ip = NULL; 218 219 /* Check if we have previously retrieved name with same option. */ 220 if (use_dns && canonical_host_name != NULL) 221 return canonical_host_name; 222 if (!use_dns && remote_ip != NULL) 223 return remote_ip; 224 225 /* Get the real hostname if socket; otherwise return UNKNOWN. */ 226 if (packet_connection_is_on_socket()) 227 host = get_remote_hostname(packet_get_connection_in(), use_dns); 228 else 229 host = "UNKNOWN"; 230 231 if (use_dns) 232 canonical_host_name = host; 233 else 234 remote_ip = host; 235 return host; 236 } 237 238 /* 239 * Returns the local/remote IP-address/hostname of socket as a string. 240 * The returned string must be freed. 241 */ 242 static char * 243 get_socket_address(int sock, int remote, int flags) 244 { 245 struct sockaddr_storage addr; 246 socklen_t addrlen; 247 char ntop[NI_MAXHOST]; 248 int r; 249 250 /* Get IP address of client. */ 251 addrlen = sizeof(addr); 252 memset(&addr, 0, sizeof(addr)); 253 254 if (remote) { 255 if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) 256 < 0) 257 return NULL; 258 } else { 259 if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) 260 < 0) 261 return NULL; 262 } 263 264 /* Work around Linux IPv6 weirdness */ 265 if (addr.ss_family == AF_INET6) 266 addrlen = sizeof(struct sockaddr_in6); 267 268 ipv64_normalise_mapped(&addr, &addrlen); 269 270 /* Get the address in ascii. */ 271 if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, 272 sizeof(ntop), NULL, 0, flags)) != 0) { 273 error("get_socket_address: getnameinfo %d failed: %s", flags, 274 r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r)); 275 return NULL; 276 } 277 return xstrdup(ntop); 278 } 279 280 char * 281 get_peer_ipaddr(int sock) 282 { 283 char *p; 284 285 if ((p = get_socket_address(sock, 1, NI_NUMERICHOST)) != NULL) 286 return p; 287 return xstrdup("UNKNOWN"); 288 } 289 290 char * 291 get_local_ipaddr(int sock) 292 { 293 char *p; 294 295 if ((p = get_socket_address(sock, 0, NI_NUMERICHOST)) != NULL) 296 return p; 297 return xstrdup("UNKNOWN"); 298 } 299 300 char * 301 get_local_name(int sock) 302 { 303 return get_socket_address(sock, 0, NI_NAMEREQD); 304 } 305 306 /* 307 * Returns the IP-address of the remote host as a string. The returned 308 * string must not be freed. 309 */ 310 311 const char * 312 get_remote_ipaddr(void) 313 { 314 static char *canonical_host_ip = NULL; 315 316 /* Check whether we have cached the ipaddr. */ 317 if (canonical_host_ip == NULL) { 318 if (packet_connection_is_on_socket()) { 319 canonical_host_ip = 320 get_peer_ipaddr(packet_get_connection_in()); 321 if (canonical_host_ip == NULL) 322 cleanup_exit(255); 323 } else { 324 /* If not on socket, return UNKNOWN. */ 325 canonical_host_ip = xstrdup("UNKNOWN"); 326 } 327 } 328 return canonical_host_ip; 329 } 330 331 const char * 332 get_remote_name_or_ip(u_int utmp_len, int use_dns) 333 { 334 static const char *remote = ""; 335 if (utmp_len > 0) 336 remote = get_canonical_hostname(use_dns); 337 if (utmp_len == 0 || strlen(remote) > utmp_len) 338 remote = get_remote_ipaddr(); 339 return remote; 340 } 341 342 /* Returns the local/remote port for the socket. */ 343 344 static int 345 get_sock_port(int sock, int local) 346 { 347 struct sockaddr_storage from; 348 socklen_t fromlen; 349 char strport[NI_MAXSERV]; 350 int r; 351 352 /* Get IP address of client. */ 353 fromlen = sizeof(from); 354 memset(&from, 0, sizeof(from)); 355 if (local) { 356 if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { 357 error("getsockname failed: %.100s", strerror(errno)); 358 return 0; 359 } 360 } else { 361 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 362 debug("getpeername failed: %.100s", strerror(errno)); 363 return -1; 364 } 365 } 366 367 /* Work around Linux IPv6 weirdness */ 368 if (from.ss_family == AF_INET6) 369 fromlen = sizeof(struct sockaddr_in6); 370 371 /* Return port number. */ 372 if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, 373 strport, sizeof(strport), NI_NUMERICSERV)) != 0) 374 fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s", 375 r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r)); 376 return atoi(strport); 377 } 378 379 /* Returns remote/local port number for the current connection. */ 380 381 static int 382 get_port(int local) 383 { 384 /* 385 * If the connection is not a socket, return 65535. This is 386 * intentionally chosen to be an unprivileged port number. 387 */ 388 if (!packet_connection_is_on_socket()) 389 return 65535; 390 391 /* Get socket and return the port number. */ 392 return get_sock_port(packet_get_connection_in(), local); 393 } 394 395 int 396 get_peer_port(int sock) 397 { 398 return get_sock_port(sock, 0); 399 } 400 401 int 402 get_remote_port(void) 403 { 404 static int port = -1; 405 406 /* Cache to avoid getpeername() on a dead connection */ 407 if (port == -1) 408 port = get_port(0); 409 410 return port; 411 } 412 413 int 414 get_local_port(void) 415 { 416 return get_port(1); 417 } 418