1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Functions for returning the canonical host name of the remote site. 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14 #include "includes.h" 15 RCSID("$OpenBSD: canohost.c,v 1.48 2005/12/28 22:46:06 stevesk Exp $"); 16 17 #include "packet.h" 18 #include "xmalloc.h" 19 #include "log.h" 20 #include "canohost.h" 21 22 static void check_ip_options(int, char *); 23 24 /* 25 * Return the canonical name of the host at the other end of the socket. The 26 * caller should free the returned string with xfree. 27 */ 28 29 static char * 30 get_remote_hostname(int sock, int use_dns) 31 { 32 struct sockaddr_storage from; 33 int i; 34 socklen_t fromlen; 35 struct addrinfo hints, *ai, *aitop; 36 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 37 38 /* Get IP address of client. */ 39 fromlen = sizeof(from); 40 memset(&from, 0, sizeof(from)); 41 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 42 debug("getpeername failed: %.100s", strerror(errno)); 43 cleanup_exit(255); 44 } 45 46 ipv64_normalise_mapped(&from, &fromlen); 47 48 if (from.ss_family == AF_INET6) 49 fromlen = sizeof(struct sockaddr_in6); 50 51 if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 52 NULL, 0, NI_NUMERICHOST) != 0) 53 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 54 55 if (from.ss_family == AF_INET) 56 check_ip_options(sock, ntop); 57 58 if (!use_dns) 59 return xstrdup(ntop); 60 61 debug3("Trying to reverse map address %.100s.", ntop); 62 /* Map the IP address to a host name. */ 63 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 64 NULL, 0, NI_NAMEREQD) != 0) { 65 /* Host name not found. Use ip address. */ 66 return xstrdup(ntop); 67 } 68 69 /* 70 * if reverse lookup result looks like a numeric hostname, 71 * someone is trying to trick us by PTR record like following: 72 * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 73 */ 74 memset(&hints, 0, sizeof(hints)); 75 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 76 hints.ai_flags = AI_NUMERICHOST; 77 if (getaddrinfo(name, "0", &hints, &ai) == 0) { 78 logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 79 name, ntop); 80 freeaddrinfo(ai); 81 return xstrdup(ntop); 82 } 83 84 /* 85 * Convert it to all lowercase (which is expected by the rest 86 * of this software). 87 */ 88 for (i = 0; name[i]; i++) 89 if (isupper(name[i])) 90 name[i] = tolower(name[i]); 91 /* 92 * Map it back to an IP address and check that the given 93 * address actually is an address of this host. This is 94 * necessary because anyone with access to a name server can 95 * define arbitrary names for an IP address. Mapping from 96 * name to IP address can be trusted better (but can still be 97 * fooled if the intruder has access to the name server of 98 * the domain). 99 */ 100 memset(&hints, 0, sizeof(hints)); 101 hints.ai_family = from.ss_family; 102 hints.ai_socktype = SOCK_STREAM; 103 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 104 logit("reverse mapping checking getaddrinfo for %.700s " 105 "failed - POSSIBLE BREAK-IN ATTEMPT!", name); 106 return xstrdup(ntop); 107 } 108 /* Look for the address from the list of addresses. */ 109 for (ai = aitop; ai; ai = ai->ai_next) { 110 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, 111 sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && 112 (strcmp(ntop, ntop2) == 0)) 113 break; 114 } 115 freeaddrinfo(aitop); 116 /* If we reached the end of the list, the address was not there. */ 117 if (!ai) { 118 /* Address not found for the host name. */ 119 logit("Address %.100s maps to %.600s, but this does not " 120 "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", 121 ntop, name); 122 return xstrdup(ntop); 123 } 124 return xstrdup(name); 125 } 126 127 /* 128 * If IP options are supported, make sure there are none (log and 129 * disconnect them if any are found). Basically we are worried about 130 * source routing; it can be used to pretend you are somebody 131 * (ip-address) you are not. That itself may be "almost acceptable" 132 * under certain circumstances, but rhosts autentication is useless 133 * if source routing is accepted. Notice also that if we just dropped 134 * source routing here, the other side could use IP spoofing to do 135 * rest of the interaction and could still bypass security. So we 136 * exit here if we detect any IP options. 137 */ 138 /* IPv4 only */ 139 static void 140 check_ip_options(int sock, char *ipaddr) 141 { 142 #ifdef IP_OPTIONS 143 u_char options[200]; 144 char text[sizeof(options) * 3 + 1]; 145 socklen_t option_size; 146 u_int i; 147 int ipproto; 148 struct protoent *ip; 149 150 if ((ip = getprotobyname("ip")) != NULL) 151 ipproto = ip->p_proto; 152 else 153 ipproto = IPPROTO_IP; 154 option_size = sizeof(options); 155 if (getsockopt(sock, ipproto, IP_OPTIONS, options, 156 &option_size) >= 0 && option_size != 0) { 157 text[0] = '\0'; 158 for (i = 0; i < option_size; i++) 159 snprintf(text + i*3, sizeof(text) - i*3, 160 " %2.2x", options[i]); 161 fatal("Connection from %.100s with IP options:%.800s", 162 ipaddr, text); 163 } 164 #endif /* IP_OPTIONS */ 165 } 166 167 void 168 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 169 { 170 struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; 171 struct sockaddr_in *a4 = (struct sockaddr_in *)addr; 172 struct in_addr inaddr; 173 u_int16_t port; 174 175 if (addr->ss_family != AF_INET6 || 176 !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) 177 return; 178 179 debug3("Normalising mapped IPv4 in IPv6 address"); 180 181 memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); 182 port = a6->sin6_port; 183 184 memset(addr, 0, sizeof(*a4)); 185 186 a4->sin_family = AF_INET; 187 *len = sizeof(*a4); 188 memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); 189 a4->sin_port = port; 190 } 191 192 /* 193 * Return the canonical name of the host in the other side of the current 194 * connection. The host name is cached, so it is efficient to call this 195 * several times. 196 */ 197 198 const char * 199 get_canonical_hostname(int use_dns) 200 { 201 char *host; 202 static char *canonical_host_name = NULL; 203 static char *remote_ip = NULL; 204 205 /* Check if we have previously retrieved name with same option. */ 206 if (use_dns && canonical_host_name != NULL) 207 return canonical_host_name; 208 if (!use_dns && remote_ip != NULL) 209 return remote_ip; 210 211 /* Get the real hostname if socket; otherwise return UNKNOWN. */ 212 if (packet_connection_is_on_socket()) 213 host = get_remote_hostname(packet_get_connection_in(), use_dns); 214 else 215 host = "UNKNOWN"; 216 217 if (use_dns) 218 canonical_host_name = host; 219 else 220 remote_ip = host; 221 return host; 222 } 223 224 /* 225 * Returns the local/remote IP-address/hostname of socket as a string. 226 * The returned string must be freed. 227 */ 228 static char * 229 get_socket_address(int sock, int remote, int flags) 230 { 231 struct sockaddr_storage addr; 232 socklen_t addrlen; 233 char ntop[NI_MAXHOST]; 234 int r; 235 236 /* Get IP address of client. */ 237 addrlen = sizeof(addr); 238 memset(&addr, 0, sizeof(addr)); 239 240 if (remote) { 241 if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) 242 < 0) 243 return NULL; 244 } else { 245 if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) 246 < 0) 247 return NULL; 248 } 249 250 /* Work around Linux IPv6 weirdness */ 251 if (addr.ss_family == AF_INET6) 252 addrlen = sizeof(struct sockaddr_in6); 253 254 ipv64_normalise_mapped(&addr, &addrlen); 255 256 /* Get the address in ascii. */ 257 if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, 258 sizeof(ntop), NULL, 0, flags)) != 0) { 259 error("get_socket_address: getnameinfo %d failed: %s", flags, 260 r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r)); 261 return NULL; 262 } 263 return xstrdup(ntop); 264 } 265 266 char * 267 get_peer_ipaddr(int sock) 268 { 269 char *p; 270 271 if ((p = get_socket_address(sock, 1, NI_NUMERICHOST)) != NULL) 272 return p; 273 return xstrdup("UNKNOWN"); 274 } 275 276 char * 277 get_local_ipaddr(int sock) 278 { 279 char *p; 280 281 if ((p = get_socket_address(sock, 0, NI_NUMERICHOST)) != NULL) 282 return p; 283 return xstrdup("UNKNOWN"); 284 } 285 286 char * 287 get_local_name(int sock) 288 { 289 return get_socket_address(sock, 0, NI_NAMEREQD); 290 } 291 292 /* 293 * Returns the IP-address of the remote host as a string. The returned 294 * string must not be freed. 295 */ 296 297 const char * 298 get_remote_ipaddr(void) 299 { 300 static char *canonical_host_ip = NULL; 301 302 /* Check whether we have cached the ipaddr. */ 303 if (canonical_host_ip == NULL) { 304 if (packet_connection_is_on_socket()) { 305 canonical_host_ip = 306 get_peer_ipaddr(packet_get_connection_in()); 307 if (canonical_host_ip == NULL) 308 cleanup_exit(255); 309 } else { 310 /* If not on socket, return UNKNOWN. */ 311 canonical_host_ip = xstrdup("UNKNOWN"); 312 } 313 } 314 return canonical_host_ip; 315 } 316 317 const char * 318 get_remote_name_or_ip(u_int utmp_len, int use_dns) 319 { 320 static const char *remote = ""; 321 if (utmp_len > 0) 322 remote = get_canonical_hostname(use_dns); 323 if (utmp_len == 0 || strlen(remote) > utmp_len) 324 remote = get_remote_ipaddr(); 325 return remote; 326 } 327 328 /* Returns the local/remote port for the socket. */ 329 330 static int 331 get_sock_port(int sock, int local) 332 { 333 struct sockaddr_storage from; 334 socklen_t fromlen; 335 char strport[NI_MAXSERV]; 336 int r; 337 338 /* Get IP address of client. */ 339 fromlen = sizeof(from); 340 memset(&from, 0, sizeof(from)); 341 if (local) { 342 if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { 343 error("getsockname failed: %.100s", strerror(errno)); 344 return 0; 345 } 346 } else { 347 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 348 debug("getpeername failed: %.100s", strerror(errno)); 349 return -1; 350 } 351 } 352 353 /* Work around Linux IPv6 weirdness */ 354 if (from.ss_family == AF_INET6) 355 fromlen = sizeof(struct sockaddr_in6); 356 357 /* Return port number. */ 358 if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, 359 strport, sizeof(strport), NI_NUMERICSERV)) != 0) 360 fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s", 361 r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r)); 362 return atoi(strport); 363 } 364 365 /* Returns remote/local port number for the current connection. */ 366 367 static int 368 get_port(int local) 369 { 370 /* 371 * If the connection is not a socket, return 65535. This is 372 * intentionally chosen to be an unprivileged port number. 373 */ 374 if (!packet_connection_is_on_socket()) 375 return 65535; 376 377 /* Get socket and return the port number. */ 378 return get_sock_port(packet_get_connection_in(), local); 379 } 380 381 int 382 get_peer_port(int sock) 383 { 384 return get_sock_port(sock, 0); 385 } 386 387 int 388 get_remote_port(void) 389 { 390 static int port = -1; 391 392 /* Cache to avoid getpeername() on a dead connection */ 393 if (port == -1) 394 port = get_port(0); 395 396 return port; 397 } 398 399 int 400 get_local_port(void) 401 { 402 return get_port(1); 403 } 404