1 /* $OpenBSD: canohost.c,v 1.65 2009/05/27 06:31:25 andreas Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Functions for returning the canonical host name of the remote site. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 */ 14 15 #include "includes.h" 16 17 #include <sys/types.h> 18 #include <sys/socket.h> 19 20 #include <netinet/in.h> 21 #include <arpa/inet.h> 22 23 #include <ctype.h> 24 #include <errno.h> 25 #include <netdb.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <stdarg.h> 30 31 #include "xmalloc.h" 32 #include "packet.h" 33 #include "log.h" 34 #include "canohost.h" 35 #include "misc.h" 36 37 static void check_ip_options(int, char *); 38 static char *canonical_host_ip = NULL; 39 static int cached_port = -1; 40 41 /* 42 * Return the canonical name of the host at the other end of the socket. The 43 * caller should free the returned string with xfree. 44 */ 45 46 static char * 47 get_remote_hostname(int sock, int use_dns) 48 { 49 struct sockaddr_storage from; 50 int i; 51 socklen_t fromlen; 52 struct addrinfo hints, *ai, *aitop; 53 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 54 55 /* Get IP address of client. */ 56 fromlen = sizeof(from); 57 memset(&from, 0, sizeof(from)); 58 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 59 debug("getpeername failed: %.100s", strerror(errno)); 60 cleanup_exit(255); 61 } 62 63 if (from.ss_family == AF_INET) 64 check_ip_options(sock, ntop); 65 66 ipv64_normalise_mapped(&from, &fromlen); 67 68 if (from.ss_family == AF_INET6) 69 fromlen = sizeof(struct sockaddr_in6); 70 71 if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 72 NULL, 0, NI_NUMERICHOST) != 0) 73 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 74 75 if (!use_dns) 76 return xstrdup(ntop); 77 78 debug3("Trying to reverse map address %.100s.", ntop); 79 /* Map the IP address to a host name. */ 80 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 81 NULL, 0, NI_NAMEREQD) != 0) { 82 /* Host name not found. Use ip address. */ 83 return xstrdup(ntop); 84 } 85 86 /* 87 * if reverse lookup result looks like a numeric hostname, 88 * someone is trying to trick us by PTR record like following: 89 * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 90 */ 91 memset(&hints, 0, sizeof(hints)); 92 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 93 hints.ai_flags = AI_NUMERICHOST; 94 if (getaddrinfo(name, NULL, &hints, &ai) == 0) { 95 logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 96 name, ntop); 97 freeaddrinfo(ai); 98 return xstrdup(ntop); 99 } 100 101 /* 102 * Convert it to all lowercase (which is expected by the rest 103 * of this software). 104 */ 105 for (i = 0; name[i]; i++) 106 if (isupper(name[i])) 107 name[i] = (char)tolower(name[i]); 108 /* 109 * Map it back to an IP address and check that the given 110 * address actually is an address of this host. This is 111 * necessary because anyone with access to a name server can 112 * define arbitrary names for an IP address. Mapping from 113 * name to IP address can be trusted better (but can still be 114 * fooled if the intruder has access to the name server of 115 * the domain). 116 */ 117 memset(&hints, 0, sizeof(hints)); 118 hints.ai_family = from.ss_family; 119 hints.ai_socktype = SOCK_STREAM; 120 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 121 logit("reverse mapping checking getaddrinfo for %.700s " 122 "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); 123 return xstrdup(ntop); 124 } 125 /* Look for the address from the list of addresses. */ 126 for (ai = aitop; ai; ai = ai->ai_next) { 127 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, 128 sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && 129 (strcmp(ntop, ntop2) == 0)) 130 break; 131 } 132 freeaddrinfo(aitop); 133 /* If we reached the end of the list, the address was not there. */ 134 if (!ai) { 135 /* Address not found for the host name. */ 136 logit("Address %.100s maps to %.600s, but this does not " 137 "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", 138 ntop, name); 139 return xstrdup(ntop); 140 } 141 return xstrdup(name); 142 } 143 144 /* 145 * If IP options are supported, make sure there are none (log and 146 * disconnect them if any are found). Basically we are worried about 147 * source routing; it can be used to pretend you are somebody 148 * (ip-address) you are not. That itself may be "almost acceptable" 149 * under certain circumstances, but rhosts autentication is useless 150 * if source routing is accepted. Notice also that if we just dropped 151 * source routing here, the other side could use IP spoofing to do 152 * rest of the interaction and could still bypass security. So we 153 * exit here if we detect any IP options. 154 */ 155 /* IPv4 only */ 156 static void 157 check_ip_options(int sock, char *ipaddr) 158 { 159 #ifdef IP_OPTIONS 160 u_char options[200]; 161 char text[sizeof(options) * 3 + 1]; 162 socklen_t option_size; 163 u_int i; 164 int ipproto; 165 struct protoent *ip; 166 167 if ((ip = getprotobyname("ip")) != NULL) 168 ipproto = ip->p_proto; 169 else 170 ipproto = IPPROTO_IP; 171 option_size = sizeof(options); 172 if (getsockopt(sock, ipproto, IP_OPTIONS, options, 173 &option_size) >= 0 && option_size != 0) { 174 text[0] = '\0'; 175 for (i = 0; i < option_size; i++) 176 snprintf(text + i*3, sizeof(text) - i*3, 177 " %2.2x", options[i]); 178 fatal("Connection from %.100s with IP options:%.800s", 179 ipaddr, text); 180 } 181 #endif /* IP_OPTIONS */ 182 } 183 184 void 185 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 186 { 187 struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; 188 struct sockaddr_in *a4 = (struct sockaddr_in *)addr; 189 struct in_addr inaddr; 190 u_int16_t port; 191 192 if (addr->ss_family != AF_INET6 || 193 !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) 194 return; 195 196 debug3("Normalising mapped IPv4 in IPv6 address"); 197 198 memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); 199 port = a6->sin6_port; 200 201 memset(addr, 0, sizeof(*a4)); 202 203 a4->sin_family = AF_INET; 204 *len = sizeof(*a4); 205 memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); 206 a4->sin_port = port; 207 } 208 209 /* 210 * Return the canonical name of the host in the other side of the current 211 * connection. The host name is cached, so it is efficient to call this 212 * several times. 213 */ 214 215 const char * 216 get_canonical_hostname(int use_dns) 217 { 218 char *host; 219 static char *canonical_host_name = NULL; 220 static char *remote_ip = NULL; 221 222 /* Check if we have previously retrieved name with same option. */ 223 if (use_dns && canonical_host_name != NULL) 224 return canonical_host_name; 225 if (!use_dns && remote_ip != NULL) 226 return remote_ip; 227 228 /* Get the real hostname if socket; otherwise return UNKNOWN. */ 229 if (packet_connection_is_on_socket()) 230 host = get_remote_hostname(packet_get_connection_in(), use_dns); 231 else 232 host = "UNKNOWN"; 233 234 if (use_dns) 235 canonical_host_name = host; 236 else 237 remote_ip = host; 238 return host; 239 } 240 241 /* 242 * Returns the local/remote IP-address/hostname of socket as a string. 243 * The returned string must be freed. 244 */ 245 static char * 246 get_socket_address(int sock, int remote, int flags) 247 { 248 struct sockaddr_storage addr; 249 socklen_t addrlen; 250 char ntop[NI_MAXHOST]; 251 int r; 252 253 /* Get IP address of client. */ 254 addrlen = sizeof(addr); 255 memset(&addr, 0, sizeof(addr)); 256 257 if (remote) { 258 if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) 259 < 0) 260 return NULL; 261 } else { 262 if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) 263 < 0) 264 return NULL; 265 } 266 267 /* Work around Linux IPv6 weirdness */ 268 if (addr.ss_family == AF_INET6) 269 addrlen = sizeof(struct sockaddr_in6); 270 271 ipv64_normalise_mapped(&addr, &addrlen); 272 273 /* Get the address in ascii. */ 274 if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, 275 sizeof(ntop), NULL, 0, flags)) != 0) { 276 error("get_socket_address: getnameinfo %d failed: %s", flags, 277 ssh_gai_strerror(r)); 278 return NULL; 279 } 280 return xstrdup(ntop); 281 } 282 283 char * 284 get_peer_ipaddr(int sock) 285 { 286 char *p; 287 288 if ((p = get_socket_address(sock, 1, NI_NUMERICHOST)) != NULL) 289 return p; 290 return xstrdup("UNKNOWN"); 291 } 292 293 char * 294 get_local_ipaddr(int sock) 295 { 296 char *p; 297 298 if ((p = get_socket_address(sock, 0, NI_NUMERICHOST)) != NULL) 299 return p; 300 return xstrdup("UNKNOWN"); 301 } 302 303 char * 304 get_local_name(int sock) 305 { 306 return get_socket_address(sock, 0, NI_NAMEREQD); 307 } 308 309 void 310 clear_cached_addr(void) 311 { 312 if (canonical_host_ip != NULL) { 313 xfree(canonical_host_ip); 314 canonical_host_ip = NULL; 315 } 316 cached_port = -1; 317 } 318 319 /* 320 * Returns the IP-address of the remote host as a string. The returned 321 * string must not be freed. 322 */ 323 324 const char * 325 get_remote_ipaddr(void) 326 { 327 /* Check whether we have cached the ipaddr. */ 328 if (canonical_host_ip == NULL) { 329 if (packet_connection_is_on_socket()) { 330 canonical_host_ip = 331 get_peer_ipaddr(packet_get_connection_in()); 332 if (canonical_host_ip == NULL) 333 cleanup_exit(255); 334 } else { 335 /* If not on socket, return UNKNOWN. */ 336 canonical_host_ip = xstrdup("UNKNOWN"); 337 } 338 } 339 return canonical_host_ip; 340 } 341 342 const char * 343 get_remote_name_or_ip(u_int utmp_len, int use_dns) 344 { 345 static const char *remote = ""; 346 if (utmp_len > 0) 347 remote = get_canonical_hostname(use_dns); 348 if (utmp_len == 0 || strlen(remote) > utmp_len) 349 remote = get_remote_ipaddr(); 350 return remote; 351 } 352 353 /* Returns the local/remote port for the socket. */ 354 355 int 356 get_sock_port(int sock, int local) 357 { 358 struct sockaddr_storage from; 359 socklen_t fromlen; 360 char strport[NI_MAXSERV]; 361 int r; 362 363 /* Get IP address of client. */ 364 fromlen = sizeof(from); 365 memset(&from, 0, sizeof(from)); 366 if (local) { 367 if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { 368 error("getsockname failed: %.100s", strerror(errno)); 369 return 0; 370 } 371 } else { 372 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 373 debug("getpeername failed: %.100s", strerror(errno)); 374 return -1; 375 } 376 } 377 378 /* Work around Linux IPv6 weirdness */ 379 if (from.ss_family == AF_INET6) 380 fromlen = sizeof(struct sockaddr_in6); 381 382 /* Return port number. */ 383 if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, 384 strport, sizeof(strport), NI_NUMERICSERV)) != 0) 385 fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s", 386 ssh_gai_strerror(r)); 387 return atoi(strport); 388 } 389 390 /* Returns remote/local port number for the current connection. */ 391 392 static int 393 get_port(int local) 394 { 395 /* 396 * If the connection is not a socket, return 65535. This is 397 * intentionally chosen to be an unprivileged port number. 398 */ 399 if (!packet_connection_is_on_socket()) 400 return 65535; 401 402 /* Get socket and return the port number. */ 403 return get_sock_port(packet_get_connection_in(), local); 404 } 405 406 int 407 get_peer_port(int sock) 408 { 409 return get_sock_port(sock, 0); 410 } 411 412 int 413 get_remote_port(void) 414 { 415 /* Cache to avoid getpeername() on a dead connection */ 416 if (cached_port == -1) 417 cached_port = get_port(0); 418 419 return cached_port; 420 } 421 422 int 423 get_local_port(void) 424 { 425 return get_port(1); 426 } 427