1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Functions for returning the canonical host name of the remote site. 6 * 7 * As far as I am concerned, the code I have written for this software 8 * can be used freely for any purpose. Any derived versions of this 9 * software must be clearly marked as such, and if the derived work is 10 * incompatible with the protocol description in the RFC file, it must be 11 * called by a name other than "ssh" or "Secure Shell". 12 */ 13 14 #include "includes.h" 15 RCSID("$OpenBSD: canohost.c,v 1.38 2003/09/23 20:17:11 markus Exp $"); 16 17 #include "packet.h" 18 #include "xmalloc.h" 19 #include "log.h" 20 #include "canohost.h" 21 22 static void check_ip_options(int, char *); 23 static void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *); 24 25 /* 26 * Return the canonical name of the host at the other end of the socket. The 27 * caller should free the returned string with xfree. 28 */ 29 30 static char * 31 get_remote_hostname(int socket, int use_dns) 32 { 33 struct sockaddr_storage from; 34 int i; 35 socklen_t fromlen; 36 struct addrinfo hints, *ai, *aitop; 37 char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 38 39 /* Get IP address of client. */ 40 fromlen = sizeof(from); 41 memset(&from, 0, sizeof(from)); 42 if (getpeername(socket, (struct sockaddr *)&from, &fromlen) < 0) { 43 debug("getpeername failed: %.100s", strerror(errno)); 44 cleanup_exit(255); 45 } 46 47 if (from.ss_family == AF_INET) 48 check_ip_options(socket, ntop); 49 50 ipv64_normalise_mapped(&from, &fromlen); 51 52 if (from.ss_family == AF_INET6) 53 fromlen = sizeof(struct sockaddr_in6); 54 55 if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 56 NULL, 0, NI_NUMERICHOST) != 0) 57 fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 58 59 if (!use_dns) 60 return xstrdup(ntop); 61 62 debug3("Trying to reverse map address %.100s.", ntop); 63 /* Map the IP address to a host name. */ 64 if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 65 NULL, 0, NI_NAMEREQD) != 0) { 66 /* Host name not found. Use ip address. */ 67 return xstrdup(ntop); 68 } 69 70 /* 71 * if reverse lookup result looks like a numeric hostname, 72 * someone is trying to trick us by PTR record like following: 73 * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 74 */ 75 memset(&hints, 0, sizeof(hints)); 76 hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 77 hints.ai_flags = AI_NUMERICHOST; 78 if (getaddrinfo(name, "0", &hints, &ai) == 0) { 79 logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 80 name, ntop); 81 freeaddrinfo(ai); 82 return xstrdup(ntop); 83 } 84 85 /* 86 * Convert it to all lowercase (which is expected by the rest 87 * of this software). 88 */ 89 for (i = 0; name[i]; i++) 90 if (isupper(name[i])) 91 name[i] = tolower(name[i]); 92 /* 93 * Map it back to an IP address and check that the given 94 * address actually is an address of this host. This is 95 * necessary because anyone with access to a name server can 96 * define arbitrary names for an IP address. Mapping from 97 * name to IP address can be trusted better (but can still be 98 * fooled if the intruder has access to the name server of 99 * the domain). 100 */ 101 memset(&hints, 0, sizeof(hints)); 102 hints.ai_family = from.ss_family; 103 hints.ai_socktype = SOCK_STREAM; 104 if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 105 logit("reverse mapping checking getaddrinfo for %.700s " 106 "failed - POSSIBLE BREAKIN ATTEMPT!", name); 107 return xstrdup(ntop); 108 } 109 /* Look for the address from the list of addresses. */ 110 for (ai = aitop; ai; ai = ai->ai_next) { 111 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, 112 sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && 113 (strcmp(ntop, ntop2) == 0)) 114 break; 115 } 116 freeaddrinfo(aitop); 117 /* If we reached the end of the list, the address was not there. */ 118 if (!ai) { 119 /* Address not found for the host name. */ 120 logit("Address %.100s maps to %.600s, but this does not " 121 "map back to the address - POSSIBLE BREAKIN ATTEMPT!", 122 ntop, name); 123 return xstrdup(ntop); 124 } 125 return xstrdup(name); 126 } 127 128 /* 129 * If IP options are supported, make sure there are none (log and 130 * disconnect them if any are found). Basically we are worried about 131 * source routing; it can be used to pretend you are somebody 132 * (ip-address) you are not. That itself may be "almost acceptable" 133 * under certain circumstances, but rhosts autentication is useless 134 * if source routing is accepted. Notice also that if we just dropped 135 * source routing here, the other side could use IP spoofing to do 136 * rest of the interaction and could still bypass security. So we 137 * exit here if we detect any IP options. 138 */ 139 /* IPv4 only */ 140 static void 141 check_ip_options(int socket, char *ipaddr) 142 { 143 #ifdef IP_OPTIONS 144 u_char options[200]; 145 char text[sizeof(options) * 3 + 1]; 146 socklen_t option_size; 147 int i, ipproto; 148 struct protoent *ip; 149 150 if ((ip = getprotobyname("ip")) != NULL) 151 ipproto = ip->p_proto; 152 else 153 ipproto = IPPROTO_IP; 154 option_size = sizeof(options); 155 if (getsockopt(socket, ipproto, IP_OPTIONS, options, 156 &option_size) >= 0 && option_size != 0) { 157 text[0] = '\0'; 158 for (i = 0; i < option_size; i++) 159 snprintf(text + i*3, sizeof(text) - i*3, 160 " %2.2x", options[i]); 161 logit("Connection from %.100s with IP options:%.800s", 162 ipaddr, text); 163 packet_disconnect("Connection from %.100s with IP options:%.800s", 164 ipaddr, text); 165 } 166 #endif /* IP_OPTIONS */ 167 } 168 169 static void 170 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 171 { 172 struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; 173 struct sockaddr_in *a4 = (struct sockaddr_in *)addr; 174 struct in_addr inaddr; 175 u_int16_t port; 176 177 if (addr->ss_family != AF_INET6 || 178 !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) 179 return; 180 181 debug3("Normalising mapped IPv4 in IPv6 address"); 182 183 memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); 184 port = a6->sin6_port; 185 186 memset(addr, 0, sizeof(*a4)); 187 188 a4->sin_family = AF_INET; 189 *len = sizeof(*a4); 190 memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); 191 a4->sin_port = port; 192 } 193 194 /* 195 * Return the canonical name of the host in the other side of the current 196 * connection. The host name is cached, so it is efficient to call this 197 * several times. 198 */ 199 200 const char * 201 get_canonical_hostname(int use_dns) 202 { 203 static char *canonical_host_name = NULL; 204 static int use_dns_done = 0; 205 206 /* Check if we have previously retrieved name with same option. */ 207 if (canonical_host_name != NULL) { 208 if (use_dns_done != use_dns) 209 xfree(canonical_host_name); 210 else 211 return canonical_host_name; 212 } 213 214 /* Get the real hostname if socket; otherwise return UNKNOWN. */ 215 if (packet_connection_is_on_socket()) 216 canonical_host_name = get_remote_hostname( 217 packet_get_connection_in(), use_dns); 218 else 219 canonical_host_name = xstrdup("UNKNOWN"); 220 221 use_dns_done = use_dns; 222 return canonical_host_name; 223 } 224 225 /* 226 * Returns the local/remote IP-address/hostname of socket as a string. 227 * The returned string must be freed. 228 */ 229 static char * 230 get_socket_address(int socket, int remote, int flags) 231 { 232 struct sockaddr_storage addr; 233 socklen_t addrlen; 234 char ntop[NI_MAXHOST]; 235 236 /* Get IP address of client. */ 237 addrlen = sizeof(addr); 238 memset(&addr, 0, sizeof(addr)); 239 240 if (remote) { 241 if (getpeername(socket, (struct sockaddr *)&addr, &addrlen) 242 < 0) 243 return NULL; 244 } else { 245 if (getsockname(socket, (struct sockaddr *)&addr, &addrlen) 246 < 0) 247 return NULL; 248 } 249 250 /* Work around Linux IPv6 weirdness */ 251 if (addr.ss_family == AF_INET6) 252 addrlen = sizeof(struct sockaddr_in6); 253 254 /* Get the address in ascii. */ 255 if (getnameinfo((struct sockaddr *)&addr, addrlen, ntop, sizeof(ntop), 256 NULL, 0, flags) != 0) { 257 error("get_socket_address: getnameinfo %d failed", flags); 258 return NULL; 259 } 260 return xstrdup(ntop); 261 } 262 263 char * 264 get_peer_ipaddr(int socket) 265 { 266 char *p; 267 268 if ((p = get_socket_address(socket, 1, NI_NUMERICHOST)) != NULL) 269 return p; 270 return xstrdup("UNKNOWN"); 271 } 272 273 char * 274 get_local_ipaddr(int socket) 275 { 276 char *p; 277 278 if ((p = get_socket_address(socket, 0, NI_NUMERICHOST)) != NULL) 279 return p; 280 return xstrdup("UNKNOWN"); 281 } 282 283 char * 284 get_local_name(int socket) 285 { 286 return get_socket_address(socket, 0, NI_NAMEREQD); 287 } 288 289 /* 290 * Returns the IP-address of the remote host as a string. The returned 291 * string must not be freed. 292 */ 293 294 const char * 295 get_remote_ipaddr(void) 296 { 297 static char *canonical_host_ip = NULL; 298 299 /* Check whether we have cached the ipaddr. */ 300 if (canonical_host_ip == NULL) { 301 if (packet_connection_is_on_socket()) { 302 canonical_host_ip = 303 get_peer_ipaddr(packet_get_connection_in()); 304 if (canonical_host_ip == NULL) 305 cleanup_exit(255); 306 } else { 307 /* If not on socket, return UNKNOWN. */ 308 canonical_host_ip = xstrdup("UNKNOWN"); 309 } 310 } 311 return canonical_host_ip; 312 } 313 314 const char * 315 get_remote_name_or_ip(u_int utmp_len, int use_dns) 316 { 317 static const char *remote = ""; 318 if (utmp_len > 0) 319 remote = get_canonical_hostname(use_dns); 320 if (utmp_len == 0 || strlen(remote) > utmp_len) 321 remote = get_remote_ipaddr(); 322 return remote; 323 } 324 325 /* Returns the local/remote port for the socket. */ 326 327 static int 328 get_sock_port(int sock, int local) 329 { 330 struct sockaddr_storage from; 331 socklen_t fromlen; 332 char strport[NI_MAXSERV]; 333 334 /* Get IP address of client. */ 335 fromlen = sizeof(from); 336 memset(&from, 0, sizeof(from)); 337 if (local) { 338 if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { 339 error("getsockname failed: %.100s", strerror(errno)); 340 return 0; 341 } 342 } else { 343 if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 344 debug("getpeername failed: %.100s", strerror(errno)); 345 cleanup_exit(255); 346 } 347 } 348 349 /* Work around Linux IPv6 weirdness */ 350 if (from.ss_family == AF_INET6) 351 fromlen = sizeof(struct sockaddr_in6); 352 353 /* Return port number. */ 354 if (getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, 355 strport, sizeof(strport), NI_NUMERICSERV) != 0) 356 fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed"); 357 return atoi(strport); 358 } 359 360 /* Returns remote/local port number for the current connection. */ 361 362 static int 363 get_port(int local) 364 { 365 /* 366 * If the connection is not a socket, return 65535. This is 367 * intentionally chosen to be an unprivileged port number. 368 */ 369 if (!packet_connection_is_on_socket()) 370 return 65535; 371 372 /* Get socket and return the port number. */ 373 return get_sock_port(packet_get_connection_in(), local); 374 } 375 376 int 377 get_peer_port(int sock) 378 { 379 return get_sock_port(sock, 0); 380 } 381 382 int 383 get_remote_port(void) 384 { 385 return get_port(0); 386 } 387 388 int 389 get_local_port(void) 390 { 391 return get_port(1); 392 } 393