1 /* $OpenBSD: channels.c,v 1.349 2016/02/05 13:28:19 naddy Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 44 #include <sys/types.h> 45 #include <sys/param.h> /* MIN MAX */ 46 #include <sys/stat.h> 47 #include <sys/ioctl.h> 48 #include <sys/un.h> 49 #include <sys/socket.h> 50 #ifdef HAVE_SYS_TIME_H 51 # include <sys/time.h> 52 #endif 53 54 #include <netinet/in.h> 55 #include <arpa/inet.h> 56 57 #include <errno.h> 58 #include <fcntl.h> 59 #include <netdb.h> 60 #ifdef HAVE_STDINT_H 61 #include <stdint.h> 62 #endif 63 #include <stdio.h> 64 #include <stdlib.h> 65 #include <string.h> 66 #include <termios.h> 67 #include <unistd.h> 68 #include <stdarg.h> 69 70 #include "openbsd-compat/sys-queue.h" 71 #include "xmalloc.h" 72 #include "ssh.h" 73 #include "ssh1.h" 74 #include "ssh2.h" 75 #include "packet.h" 76 #include "log.h" 77 #include "misc.h" 78 #include "buffer.h" 79 #include "channels.h" 80 #include "compat.h" 81 #include "canohost.h" 82 #include "key.h" 83 #include "authfd.h" 84 #include "pathnames.h" 85 86 /* -- channel core */ 87 88 /* 89 * Pointer to an array containing all allocated channels. The array is 90 * dynamically extended as needed. 91 */ 92 static Channel **channels = NULL; 93 94 /* 95 * Size of the channel array. All slots of the array must always be 96 * initialized (at least the type field); unused slots set to NULL 97 */ 98 static u_int channels_alloc = 0; 99 100 /* 101 * Maximum file descriptor value used in any of the channels. This is 102 * updated in channel_new. 103 */ 104 static int channel_max_fd = 0; 105 106 107 /* -- tcp forwarding */ 108 109 /* 110 * Data structure for storing which hosts are permitted for forward requests. 111 * The local sides of any remote forwards are stored in this array to prevent 112 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 113 * network (which might be behind a firewall). 114 */ 115 /* XXX: streamlocal wants a path instead of host:port */ 116 /* Overload host_to_connect; we could just make this match Forward */ 117 /* XXX - can we use listen_host instead of listen_path? */ 118 typedef struct { 119 char *host_to_connect; /* Connect to 'host'. */ 120 int port_to_connect; /* Connect to 'port'. */ 121 char *listen_host; /* Remote side should listen address. */ 122 char *listen_path; /* Remote side should listen path. */ 123 int listen_port; /* Remote side should listen port. */ 124 } ForwardPermission; 125 126 /* List of all permitted host/port pairs to connect by the user. */ 127 static ForwardPermission *permitted_opens = NULL; 128 129 /* List of all permitted host/port pairs to connect by the admin. */ 130 static ForwardPermission *permitted_adm_opens = NULL; 131 132 /* Number of permitted host/port pairs in the array permitted by the user. */ 133 static int num_permitted_opens = 0; 134 135 /* Number of permitted host/port pair in the array permitted by the admin. */ 136 static int num_adm_permitted_opens = 0; 137 138 /* special-case port number meaning allow any port */ 139 #define FWD_PERMIT_ANY_PORT 0 140 141 /* 142 * If this is true, all opens are permitted. This is the case on the server 143 * on which we have to trust the client anyway, and the user could do 144 * anything after logging in anyway. 145 */ 146 static int all_opens_permitted = 0; 147 148 149 /* -- X11 forwarding */ 150 151 /* Maximum number of fake X11 displays to try. */ 152 #define MAX_DISPLAYS 1000 153 154 /* Saved X11 local (client) display. */ 155 static char *x11_saved_display = NULL; 156 157 /* Saved X11 authentication protocol name. */ 158 static char *x11_saved_proto = NULL; 159 160 /* Saved X11 authentication data. This is the real data. */ 161 static char *x11_saved_data = NULL; 162 static u_int x11_saved_data_len = 0; 163 164 /* Deadline after which all X11 connections are refused */ 165 static u_int x11_refuse_time; 166 167 /* 168 * Fake X11 authentication data. This is what the server will be sending us; 169 * we should replace any occurrences of this by the real data. 170 */ 171 static u_char *x11_fake_data = NULL; 172 static u_int x11_fake_data_len; 173 174 175 /* -- agent forwarding */ 176 177 #define NUM_SOCKS 10 178 179 /* AF_UNSPEC or AF_INET or AF_INET6 */ 180 static int IPv4or6 = AF_UNSPEC; 181 182 /* helper */ 183 static void port_open_helper(Channel *c, char *rtype); 184 185 /* non-blocking connect helpers */ 186 static int connect_next(struct channel_connect *); 187 static void channel_connect_ctx_free(struct channel_connect *); 188 189 /* -- channel core */ 190 191 Channel * 192 channel_by_id(int id) 193 { 194 Channel *c; 195 196 if (id < 0 || (u_int)id >= channels_alloc) { 197 logit("channel_by_id: %d: bad id", id); 198 return NULL; 199 } 200 c = channels[id]; 201 if (c == NULL) { 202 logit("channel_by_id: %d: bad id: channel free", id); 203 return NULL; 204 } 205 return c; 206 } 207 208 /* 209 * Returns the channel if it is allowed to receive protocol messages. 210 * Private channels, like listening sockets, may not receive messages. 211 */ 212 Channel * 213 channel_lookup(int id) 214 { 215 Channel *c; 216 217 if ((c = channel_by_id(id)) == NULL) 218 return (NULL); 219 220 switch (c->type) { 221 case SSH_CHANNEL_X11_OPEN: 222 case SSH_CHANNEL_LARVAL: 223 case SSH_CHANNEL_CONNECTING: 224 case SSH_CHANNEL_DYNAMIC: 225 case SSH_CHANNEL_OPENING: 226 case SSH_CHANNEL_OPEN: 227 case SSH_CHANNEL_INPUT_DRAINING: 228 case SSH_CHANNEL_OUTPUT_DRAINING: 229 case SSH_CHANNEL_ABANDONED: 230 return (c); 231 } 232 logit("Non-public channel %d, type %d.", id, c->type); 233 return (NULL); 234 } 235 236 /* 237 * Register filedescriptors for a channel, used when allocating a channel or 238 * when the channel consumer/producer is ready, e.g. shell exec'd 239 */ 240 static void 241 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 242 int extusage, int nonblock, int is_tty) 243 { 244 /* Update the maximum file descriptor value. */ 245 channel_max_fd = MAX(channel_max_fd, rfd); 246 channel_max_fd = MAX(channel_max_fd, wfd); 247 channel_max_fd = MAX(channel_max_fd, efd); 248 249 if (rfd != -1) 250 fcntl(rfd, F_SETFD, FD_CLOEXEC); 251 if (wfd != -1 && wfd != rfd) 252 fcntl(wfd, F_SETFD, FD_CLOEXEC); 253 if (efd != -1 && efd != rfd && efd != wfd) 254 fcntl(efd, F_SETFD, FD_CLOEXEC); 255 256 c->rfd = rfd; 257 c->wfd = wfd; 258 c->sock = (rfd == wfd) ? rfd : -1; 259 c->efd = efd; 260 c->extended_usage = extusage; 261 262 if ((c->isatty = is_tty) != 0) 263 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 264 #ifdef _AIX 265 /* XXX: Later AIX versions can't push as much data to tty */ 266 c->wfd_isatty = is_tty || isatty(c->wfd); 267 #endif 268 269 /* enable nonblocking mode */ 270 if (nonblock) { 271 if (rfd != -1) 272 set_nonblock(rfd); 273 if (wfd != -1) 274 set_nonblock(wfd); 275 if (efd != -1) 276 set_nonblock(efd); 277 } 278 } 279 280 /* 281 * Allocate a new channel object and set its type and socket. This will cause 282 * remote_name to be freed. 283 */ 284 Channel * 285 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 286 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 287 { 288 int found; 289 u_int i; 290 Channel *c; 291 292 /* Do initial allocation if this is the first call. */ 293 if (channels_alloc == 0) { 294 channels_alloc = 10; 295 channels = xcalloc(channels_alloc, sizeof(Channel *)); 296 for (i = 0; i < channels_alloc; i++) 297 channels[i] = NULL; 298 } 299 /* Try to find a free slot where to put the new channel. */ 300 for (found = -1, i = 0; i < channels_alloc; i++) 301 if (channels[i] == NULL) { 302 /* Found a free slot. */ 303 found = (int)i; 304 break; 305 } 306 if (found < 0) { 307 /* There are no free slots. Take last+1 slot and expand the array. */ 308 found = channels_alloc; 309 if (channels_alloc > 10000) 310 fatal("channel_new: internal error: channels_alloc %d " 311 "too big.", channels_alloc); 312 channels = xreallocarray(channels, channels_alloc + 10, 313 sizeof(Channel *)); 314 channels_alloc += 10; 315 debug2("channel: expanding %d", channels_alloc); 316 for (i = found; i < channels_alloc; i++) 317 channels[i] = NULL; 318 } 319 /* Initialize and return new channel. */ 320 c = channels[found] = xcalloc(1, sizeof(Channel)); 321 buffer_init(&c->input); 322 buffer_init(&c->output); 323 buffer_init(&c->extended); 324 c->path = NULL; 325 c->listening_addr = NULL; 326 c->listening_port = 0; 327 c->ostate = CHAN_OUTPUT_OPEN; 328 c->istate = CHAN_INPUT_OPEN; 329 c->flags = 0; 330 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); 331 c->notbefore = 0; 332 c->self = found; 333 c->type = type; 334 c->ctype = ctype; 335 c->local_window = window; 336 c->local_window_max = window; 337 c->local_consumed = 0; 338 c->local_maxpacket = maxpack; 339 c->remote_id = -1; 340 c->remote_name = xstrdup(remote_name); 341 c->remote_window = 0; 342 c->remote_maxpacket = 0; 343 c->force_drain = 0; 344 c->single_connection = 0; 345 c->detach_user = NULL; 346 c->detach_close = 0; 347 c->open_confirm = NULL; 348 c->open_confirm_ctx = NULL; 349 c->input_filter = NULL; 350 c->output_filter = NULL; 351 c->filter_ctx = NULL; 352 c->filter_cleanup = NULL; 353 c->ctl_chan = -1; 354 c->mux_rcb = NULL; 355 c->mux_ctx = NULL; 356 c->mux_pause = 0; 357 c->delayed = 1; /* prevent call to channel_post handler */ 358 TAILQ_INIT(&c->status_confirms); 359 debug("channel %d: new [%s]", found, remote_name); 360 return c; 361 } 362 363 static int 364 channel_find_maxfd(void) 365 { 366 u_int i; 367 int max = 0; 368 Channel *c; 369 370 for (i = 0; i < channels_alloc; i++) { 371 c = channels[i]; 372 if (c != NULL) { 373 max = MAX(max, c->rfd); 374 max = MAX(max, c->wfd); 375 max = MAX(max, c->efd); 376 } 377 } 378 return max; 379 } 380 381 int 382 channel_close_fd(int *fdp) 383 { 384 int ret = 0, fd = *fdp; 385 386 if (fd != -1) { 387 ret = close(fd); 388 *fdp = -1; 389 if (fd == channel_max_fd) 390 channel_max_fd = channel_find_maxfd(); 391 } 392 return ret; 393 } 394 395 /* Close all channel fd/socket. */ 396 static void 397 channel_close_fds(Channel *c) 398 { 399 channel_close_fd(&c->sock); 400 channel_close_fd(&c->rfd); 401 channel_close_fd(&c->wfd); 402 channel_close_fd(&c->efd); 403 } 404 405 /* Free the channel and close its fd/socket. */ 406 void 407 channel_free(Channel *c) 408 { 409 char *s; 410 u_int i, n; 411 struct channel_confirm *cc; 412 413 for (n = 0, i = 0; i < channels_alloc; i++) 414 if (channels[i]) 415 n++; 416 debug("channel %d: free: %s, nchannels %u", c->self, 417 c->remote_name ? c->remote_name : "???", n); 418 419 s = channel_open_message(); 420 debug3("channel %d: status: %s", c->self, s); 421 free(s); 422 423 if (c->sock != -1) 424 shutdown(c->sock, SHUT_RDWR); 425 channel_close_fds(c); 426 buffer_free(&c->input); 427 buffer_free(&c->output); 428 buffer_free(&c->extended); 429 free(c->remote_name); 430 c->remote_name = NULL; 431 free(c->path); 432 c->path = NULL; 433 free(c->listening_addr); 434 c->listening_addr = NULL; 435 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 436 if (cc->abandon_cb != NULL) 437 cc->abandon_cb(c, cc->ctx); 438 TAILQ_REMOVE(&c->status_confirms, cc, entry); 439 explicit_bzero(cc, sizeof(*cc)); 440 free(cc); 441 } 442 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 443 c->filter_cleanup(c->self, c->filter_ctx); 444 channels[c->self] = NULL; 445 free(c); 446 } 447 448 void 449 channel_free_all(void) 450 { 451 u_int i; 452 453 for (i = 0; i < channels_alloc; i++) 454 if (channels[i] != NULL) 455 channel_free(channels[i]); 456 } 457 458 /* 459 * Closes the sockets/fds of all channels. This is used to close extra file 460 * descriptors after a fork. 461 */ 462 void 463 channel_close_all(void) 464 { 465 u_int i; 466 467 for (i = 0; i < channels_alloc; i++) 468 if (channels[i] != NULL) 469 channel_close_fds(channels[i]); 470 } 471 472 /* 473 * Stop listening to channels. 474 */ 475 void 476 channel_stop_listening(void) 477 { 478 u_int i; 479 Channel *c; 480 481 for (i = 0; i < channels_alloc; i++) { 482 c = channels[i]; 483 if (c != NULL) { 484 switch (c->type) { 485 case SSH_CHANNEL_AUTH_SOCKET: 486 case SSH_CHANNEL_PORT_LISTENER: 487 case SSH_CHANNEL_RPORT_LISTENER: 488 case SSH_CHANNEL_X11_LISTENER: 489 case SSH_CHANNEL_UNIX_LISTENER: 490 case SSH_CHANNEL_RUNIX_LISTENER: 491 channel_close_fd(&c->sock); 492 channel_free(c); 493 break; 494 } 495 } 496 } 497 } 498 499 /* 500 * Returns true if no channel has too much buffered data, and false if one or 501 * more channel is overfull. 502 */ 503 int 504 channel_not_very_much_buffered_data(void) 505 { 506 u_int i; 507 Channel *c; 508 509 for (i = 0; i < channels_alloc; i++) { 510 c = channels[i]; 511 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 512 #if 0 513 if (!compat20 && 514 buffer_len(&c->input) > packet_get_maxsize()) { 515 debug2("channel %d: big input buffer %d", 516 c->self, buffer_len(&c->input)); 517 return 0; 518 } 519 #endif 520 if (buffer_len(&c->output) > packet_get_maxsize()) { 521 debug2("channel %d: big output buffer %u > %u", 522 c->self, buffer_len(&c->output), 523 packet_get_maxsize()); 524 return 0; 525 } 526 } 527 } 528 return 1; 529 } 530 531 /* Returns true if any channel is still open. */ 532 int 533 channel_still_open(void) 534 { 535 u_int i; 536 Channel *c; 537 538 for (i = 0; i < channels_alloc; i++) { 539 c = channels[i]; 540 if (c == NULL) 541 continue; 542 switch (c->type) { 543 case SSH_CHANNEL_X11_LISTENER: 544 case SSH_CHANNEL_PORT_LISTENER: 545 case SSH_CHANNEL_RPORT_LISTENER: 546 case SSH_CHANNEL_MUX_LISTENER: 547 case SSH_CHANNEL_CLOSED: 548 case SSH_CHANNEL_AUTH_SOCKET: 549 case SSH_CHANNEL_DYNAMIC: 550 case SSH_CHANNEL_CONNECTING: 551 case SSH_CHANNEL_ZOMBIE: 552 case SSH_CHANNEL_ABANDONED: 553 case SSH_CHANNEL_UNIX_LISTENER: 554 case SSH_CHANNEL_RUNIX_LISTENER: 555 continue; 556 case SSH_CHANNEL_LARVAL: 557 if (!compat20) 558 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 559 continue; 560 case SSH_CHANNEL_OPENING: 561 case SSH_CHANNEL_OPEN: 562 case SSH_CHANNEL_X11_OPEN: 563 case SSH_CHANNEL_MUX_CLIENT: 564 return 1; 565 case SSH_CHANNEL_INPUT_DRAINING: 566 case SSH_CHANNEL_OUTPUT_DRAINING: 567 if (!compat13) 568 fatal("cannot happen: OUT_DRAIN"); 569 return 1; 570 default: 571 fatal("channel_still_open: bad channel type %d", c->type); 572 /* NOTREACHED */ 573 } 574 } 575 return 0; 576 } 577 578 /* Returns the id of an open channel suitable for keepaliving */ 579 int 580 channel_find_open(void) 581 { 582 u_int i; 583 Channel *c; 584 585 for (i = 0; i < channels_alloc; i++) { 586 c = channels[i]; 587 if (c == NULL || c->remote_id < 0) 588 continue; 589 switch (c->type) { 590 case SSH_CHANNEL_CLOSED: 591 case SSH_CHANNEL_DYNAMIC: 592 case SSH_CHANNEL_X11_LISTENER: 593 case SSH_CHANNEL_PORT_LISTENER: 594 case SSH_CHANNEL_RPORT_LISTENER: 595 case SSH_CHANNEL_MUX_LISTENER: 596 case SSH_CHANNEL_MUX_CLIENT: 597 case SSH_CHANNEL_OPENING: 598 case SSH_CHANNEL_CONNECTING: 599 case SSH_CHANNEL_ZOMBIE: 600 case SSH_CHANNEL_ABANDONED: 601 case SSH_CHANNEL_UNIX_LISTENER: 602 case SSH_CHANNEL_RUNIX_LISTENER: 603 continue; 604 case SSH_CHANNEL_LARVAL: 605 case SSH_CHANNEL_AUTH_SOCKET: 606 case SSH_CHANNEL_OPEN: 607 case SSH_CHANNEL_X11_OPEN: 608 return i; 609 case SSH_CHANNEL_INPUT_DRAINING: 610 case SSH_CHANNEL_OUTPUT_DRAINING: 611 if (!compat13) 612 fatal("cannot happen: OUT_DRAIN"); 613 return i; 614 default: 615 fatal("channel_find_open: bad channel type %d", c->type); 616 /* NOTREACHED */ 617 } 618 } 619 return -1; 620 } 621 622 623 /* 624 * Returns a message describing the currently open forwarded connections, 625 * suitable for sending to the client. The message contains crlf pairs for 626 * newlines. 627 */ 628 char * 629 channel_open_message(void) 630 { 631 Buffer buffer; 632 Channel *c; 633 char buf[1024], *cp; 634 u_int i; 635 636 buffer_init(&buffer); 637 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 638 buffer_append(&buffer, buf, strlen(buf)); 639 for (i = 0; i < channels_alloc; i++) { 640 c = channels[i]; 641 if (c == NULL) 642 continue; 643 switch (c->type) { 644 case SSH_CHANNEL_X11_LISTENER: 645 case SSH_CHANNEL_PORT_LISTENER: 646 case SSH_CHANNEL_RPORT_LISTENER: 647 case SSH_CHANNEL_CLOSED: 648 case SSH_CHANNEL_AUTH_SOCKET: 649 case SSH_CHANNEL_ZOMBIE: 650 case SSH_CHANNEL_ABANDONED: 651 case SSH_CHANNEL_MUX_CLIENT: 652 case SSH_CHANNEL_MUX_LISTENER: 653 case SSH_CHANNEL_UNIX_LISTENER: 654 case SSH_CHANNEL_RUNIX_LISTENER: 655 continue; 656 case SSH_CHANNEL_LARVAL: 657 case SSH_CHANNEL_OPENING: 658 case SSH_CHANNEL_CONNECTING: 659 case SSH_CHANNEL_DYNAMIC: 660 case SSH_CHANNEL_OPEN: 661 case SSH_CHANNEL_X11_OPEN: 662 case SSH_CHANNEL_INPUT_DRAINING: 663 case SSH_CHANNEL_OUTPUT_DRAINING: 664 snprintf(buf, sizeof buf, 665 " #%d %.300s (t%d r%d i%u/%d o%u/%d fd %d/%d cc %d)\r\n", 666 c->self, c->remote_name, 667 c->type, c->remote_id, 668 c->istate, buffer_len(&c->input), 669 c->ostate, buffer_len(&c->output), 670 c->rfd, c->wfd, c->ctl_chan); 671 buffer_append(&buffer, buf, strlen(buf)); 672 continue; 673 default: 674 fatal("channel_open_message: bad channel type %d", c->type); 675 /* NOTREACHED */ 676 } 677 } 678 buffer_append(&buffer, "\0", 1); 679 cp = xstrdup((char *)buffer_ptr(&buffer)); 680 buffer_free(&buffer); 681 return cp; 682 } 683 684 void 685 channel_send_open(int id) 686 { 687 Channel *c = channel_lookup(id); 688 689 if (c == NULL) { 690 logit("channel_send_open: %d: bad id", id); 691 return; 692 } 693 debug2("channel %d: send open", id); 694 packet_start(SSH2_MSG_CHANNEL_OPEN); 695 packet_put_cstring(c->ctype); 696 packet_put_int(c->self); 697 packet_put_int(c->local_window); 698 packet_put_int(c->local_maxpacket); 699 packet_send(); 700 } 701 702 void 703 channel_request_start(int id, char *service, int wantconfirm) 704 { 705 Channel *c = channel_lookup(id); 706 707 if (c == NULL) { 708 logit("channel_request_start: %d: unknown channel id", id); 709 return; 710 } 711 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 712 packet_start(SSH2_MSG_CHANNEL_REQUEST); 713 packet_put_int(c->remote_id); 714 packet_put_cstring(service); 715 packet_put_char(wantconfirm); 716 } 717 718 void 719 channel_register_status_confirm(int id, channel_confirm_cb *cb, 720 channel_confirm_abandon_cb *abandon_cb, void *ctx) 721 { 722 struct channel_confirm *cc; 723 Channel *c; 724 725 if ((c = channel_lookup(id)) == NULL) 726 fatal("channel_register_expect: %d: bad id", id); 727 728 cc = xcalloc(1, sizeof(*cc)); 729 cc->cb = cb; 730 cc->abandon_cb = abandon_cb; 731 cc->ctx = ctx; 732 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 733 } 734 735 void 736 channel_register_open_confirm(int id, channel_open_fn *fn, void *ctx) 737 { 738 Channel *c = channel_lookup(id); 739 740 if (c == NULL) { 741 logit("channel_register_open_confirm: %d: bad id", id); 742 return; 743 } 744 c->open_confirm = fn; 745 c->open_confirm_ctx = ctx; 746 } 747 748 void 749 channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 750 { 751 Channel *c = channel_by_id(id); 752 753 if (c == NULL) { 754 logit("channel_register_cleanup: %d: bad id", id); 755 return; 756 } 757 c->detach_user = fn; 758 c->detach_close = do_close; 759 } 760 761 void 762 channel_cancel_cleanup(int id) 763 { 764 Channel *c = channel_by_id(id); 765 766 if (c == NULL) { 767 logit("channel_cancel_cleanup: %d: bad id", id); 768 return; 769 } 770 c->detach_user = NULL; 771 c->detach_close = 0; 772 } 773 774 void 775 channel_register_filter(int id, channel_infilter_fn *ifn, 776 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 777 { 778 Channel *c = channel_lookup(id); 779 780 if (c == NULL) { 781 logit("channel_register_filter: %d: bad id", id); 782 return; 783 } 784 c->input_filter = ifn; 785 c->output_filter = ofn; 786 c->filter_ctx = ctx; 787 c->filter_cleanup = cfn; 788 } 789 790 void 791 channel_set_fds(int id, int rfd, int wfd, int efd, 792 int extusage, int nonblock, int is_tty, u_int window_max) 793 { 794 Channel *c = channel_lookup(id); 795 796 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 797 fatal("channel_activate for non-larval channel %d.", id); 798 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); 799 c->type = SSH_CHANNEL_OPEN; 800 c->local_window = c->local_window_max = window_max; 801 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 802 packet_put_int(c->remote_id); 803 packet_put_int(c->local_window); 804 packet_send(); 805 } 806 807 /* 808 * 'channel_pre*' are called just before select() to add any bits relevant to 809 * channels in the select bitmasks. 810 */ 811 /* 812 * 'channel_post*': perform any appropriate operations for channels which 813 * have events pending. 814 */ 815 typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 816 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 817 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 818 819 /* ARGSUSED */ 820 static void 821 channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 822 { 823 FD_SET(c->sock, readset); 824 } 825 826 /* ARGSUSED */ 827 static void 828 channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 829 { 830 debug3("channel %d: waiting for connection", c->self); 831 FD_SET(c->sock, writeset); 832 } 833 834 static void 835 channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 836 { 837 if (buffer_len(&c->input) < packet_get_maxsize()) 838 FD_SET(c->sock, readset); 839 if (buffer_len(&c->output) > 0) 840 FD_SET(c->sock, writeset); 841 } 842 843 static void 844 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 845 { 846 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 847 848 if (c->istate == CHAN_INPUT_OPEN && 849 limit > 0 && 850 buffer_len(&c->input) < limit && 851 buffer_check_alloc(&c->input, CHAN_RBUF)) 852 FD_SET(c->rfd, readset); 853 if (c->ostate == CHAN_OUTPUT_OPEN || 854 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 855 if (buffer_len(&c->output) > 0) { 856 FD_SET(c->wfd, writeset); 857 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 858 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 859 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 860 c->self, c->efd, buffer_len(&c->extended)); 861 else 862 chan_obuf_empty(c); 863 } 864 } 865 /** XXX check close conditions, too */ 866 if (compat20 && c->efd != -1 && 867 !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) { 868 if (c->extended_usage == CHAN_EXTENDED_WRITE && 869 buffer_len(&c->extended) > 0) 870 FD_SET(c->efd, writeset); 871 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 872 (c->extended_usage == CHAN_EXTENDED_READ || 873 c->extended_usage == CHAN_EXTENDED_IGNORE) && 874 buffer_len(&c->extended) < c->remote_window) 875 FD_SET(c->efd, readset); 876 } 877 /* XXX: What about efd? races? */ 878 } 879 880 /* ARGSUSED */ 881 static void 882 channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 883 { 884 if (buffer_len(&c->input) == 0) { 885 packet_start(SSH_MSG_CHANNEL_CLOSE); 886 packet_put_int(c->remote_id); 887 packet_send(); 888 c->type = SSH_CHANNEL_CLOSED; 889 debug2("channel %d: closing after input drain.", c->self); 890 } 891 } 892 893 /* ARGSUSED */ 894 static void 895 channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 896 { 897 if (buffer_len(&c->output) == 0) 898 chan_mark_dead(c); 899 else 900 FD_SET(c->sock, writeset); 901 } 902 903 /* 904 * This is a special state for X11 authentication spoofing. An opened X11 905 * connection (when authentication spoofing is being done) remains in this 906 * state until the first packet has been completely read. The authentication 907 * data in that packet is then substituted by the real data if it matches the 908 * fake data, and the channel is put into normal mode. 909 * XXX All this happens at the client side. 910 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 911 */ 912 static int 913 x11_open_helper(Buffer *b) 914 { 915 u_char *ucp; 916 u_int proto_len, data_len; 917 918 /* Is this being called after the refusal deadline? */ 919 if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) { 920 verbose("Rejected X11 connection after ForwardX11Timeout " 921 "expired"); 922 return -1; 923 } 924 925 /* Check if the fixed size part of the packet is in buffer. */ 926 if (buffer_len(b) < 12) 927 return 0; 928 929 /* Parse the lengths of variable-length fields. */ 930 ucp = buffer_ptr(b); 931 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 932 proto_len = 256 * ucp[6] + ucp[7]; 933 data_len = 256 * ucp[8] + ucp[9]; 934 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 935 proto_len = ucp[6] + 256 * ucp[7]; 936 data_len = ucp[8] + 256 * ucp[9]; 937 } else { 938 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 939 ucp[0]); 940 return -1; 941 } 942 943 /* Check if the whole packet is in buffer. */ 944 if (buffer_len(b) < 945 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 946 return 0; 947 948 /* Check if authentication protocol matches. */ 949 if (proto_len != strlen(x11_saved_proto) || 950 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 951 debug2("X11 connection uses different authentication protocol."); 952 return -1; 953 } 954 /* Check if authentication data matches our fake data. */ 955 if (data_len != x11_fake_data_len || 956 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 957 x11_fake_data, x11_fake_data_len) != 0) { 958 debug2("X11 auth data does not match fake data."); 959 return -1; 960 } 961 /* Check fake data length */ 962 if (x11_fake_data_len != x11_saved_data_len) { 963 error("X11 fake_data_len %d != saved_data_len %d", 964 x11_fake_data_len, x11_saved_data_len); 965 return -1; 966 } 967 /* 968 * Received authentication protocol and data match 969 * our fake data. Substitute the fake data with real 970 * data. 971 */ 972 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 973 x11_saved_data, x11_saved_data_len); 974 return 1; 975 } 976 977 static void 978 channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 979 { 980 int ret = x11_open_helper(&c->output); 981 982 if (ret == 1) { 983 /* Start normal processing for the channel. */ 984 c->type = SSH_CHANNEL_OPEN; 985 channel_pre_open_13(c, readset, writeset); 986 } else if (ret == -1) { 987 /* 988 * We have received an X11 connection that has bad 989 * authentication information. 990 */ 991 logit("X11 connection rejected because of wrong authentication."); 992 buffer_clear(&c->input); 993 buffer_clear(&c->output); 994 channel_close_fd(&c->sock); 995 c->sock = -1; 996 c->type = SSH_CHANNEL_CLOSED; 997 packet_start(SSH_MSG_CHANNEL_CLOSE); 998 packet_put_int(c->remote_id); 999 packet_send(); 1000 } 1001 } 1002 1003 static void 1004 channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 1005 { 1006 int ret = x11_open_helper(&c->output); 1007 1008 /* c->force_drain = 1; */ 1009 1010 if (ret == 1) { 1011 c->type = SSH_CHANNEL_OPEN; 1012 channel_pre_open(c, readset, writeset); 1013 } else if (ret == -1) { 1014 logit("X11 connection rejected because of wrong authentication."); 1015 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 1016 chan_read_failed(c); 1017 buffer_clear(&c->input); 1018 chan_ibuf_empty(c); 1019 buffer_clear(&c->output); 1020 /* for proto v1, the peer will send an IEOF */ 1021 if (compat20) 1022 chan_write_failed(c); 1023 else 1024 c->type = SSH_CHANNEL_OPEN; 1025 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 1026 } 1027 } 1028 1029 static void 1030 channel_pre_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1031 { 1032 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 1033 buffer_check_alloc(&c->input, CHAN_RBUF)) 1034 FD_SET(c->rfd, readset); 1035 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1036 /* clear buffer immediately (discard any partial packet) */ 1037 buffer_clear(&c->input); 1038 chan_ibuf_empty(c); 1039 /* Start output drain. XXX just kill chan? */ 1040 chan_rcvd_oclose(c); 1041 } 1042 if (c->ostate == CHAN_OUTPUT_OPEN || 1043 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1044 if (buffer_len(&c->output) > 0) 1045 FD_SET(c->wfd, writeset); 1046 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1047 chan_obuf_empty(c); 1048 } 1049 } 1050 1051 /* try to decode a socks4 header */ 1052 /* ARGSUSED */ 1053 static int 1054 channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 1055 { 1056 char *p, *host; 1057 u_int len, have, i, found, need; 1058 char username[256]; 1059 struct { 1060 u_int8_t version; 1061 u_int8_t command; 1062 u_int16_t dest_port; 1063 struct in_addr dest_addr; 1064 } s4_req, s4_rsp; 1065 1066 debug2("channel %d: decode socks4", c->self); 1067 1068 have = buffer_len(&c->input); 1069 len = sizeof(s4_req); 1070 if (have < len) 1071 return 0; 1072 p = (char *)buffer_ptr(&c->input); 1073 1074 need = 1; 1075 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1076 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1077 debug2("channel %d: socks4a request", c->self); 1078 /* ... and needs an extra string (the hostname) */ 1079 need = 2; 1080 } 1081 /* Check for terminating NUL on the string(s) */ 1082 for (found = 0, i = len; i < have; i++) { 1083 if (p[i] == '\0') { 1084 found++; 1085 if (found == need) 1086 break; 1087 } 1088 if (i > 1024) { 1089 /* the peer is probably sending garbage */ 1090 debug("channel %d: decode socks4: too long", 1091 c->self); 1092 return -1; 1093 } 1094 } 1095 if (found < need) 1096 return 0; 1097 buffer_get(&c->input, (char *)&s4_req.version, 1); 1098 buffer_get(&c->input, (char *)&s4_req.command, 1); 1099 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 1100 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 1101 have = buffer_len(&c->input); 1102 p = (char *)buffer_ptr(&c->input); 1103 if (memchr(p, '\0', have) == NULL) 1104 fatal("channel %d: decode socks4: user not nul terminated", 1105 c->self); 1106 len = strlen(p); 1107 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1108 len++; /* trailing '\0' */ 1109 if (len > have) 1110 fatal("channel %d: decode socks4: len %d > have %d", 1111 c->self, len, have); 1112 strlcpy(username, p, sizeof(username)); 1113 buffer_consume(&c->input, len); 1114 1115 free(c->path); 1116 c->path = NULL; 1117 if (need == 1) { /* SOCKS4: one string */ 1118 host = inet_ntoa(s4_req.dest_addr); 1119 c->path = xstrdup(host); 1120 } else { /* SOCKS4A: two strings */ 1121 have = buffer_len(&c->input); 1122 p = (char *)buffer_ptr(&c->input); 1123 len = strlen(p); 1124 debug2("channel %d: decode socks4a: host %s/%d", 1125 c->self, p, len); 1126 len++; /* trailing '\0' */ 1127 if (len > have) 1128 fatal("channel %d: decode socks4a: len %d > have %d", 1129 c->self, len, have); 1130 if (len > NI_MAXHOST) { 1131 error("channel %d: hostname \"%.100s\" too long", 1132 c->self, p); 1133 return -1; 1134 } 1135 c->path = xstrdup(p); 1136 buffer_consume(&c->input, len); 1137 } 1138 c->host_port = ntohs(s4_req.dest_port); 1139 1140 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1141 c->self, c->path, c->host_port, s4_req.command); 1142 1143 if (s4_req.command != 1) { 1144 debug("channel %d: cannot handle: %s cn %d", 1145 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1146 return -1; 1147 } 1148 s4_rsp.version = 0; /* vn: 0 for reply */ 1149 s4_rsp.command = 90; /* cd: req granted */ 1150 s4_rsp.dest_port = 0; /* ignored */ 1151 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1152 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1153 return 1; 1154 } 1155 1156 /* try to decode a socks5 header */ 1157 #define SSH_SOCKS5_AUTHDONE 0x1000 1158 #define SSH_SOCKS5_NOAUTH 0x00 1159 #define SSH_SOCKS5_IPV4 0x01 1160 #define SSH_SOCKS5_DOMAIN 0x03 1161 #define SSH_SOCKS5_IPV6 0x04 1162 #define SSH_SOCKS5_CONNECT 0x01 1163 #define SSH_SOCKS5_SUCCESS 0x00 1164 1165 /* ARGSUSED */ 1166 static int 1167 channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1168 { 1169 struct { 1170 u_int8_t version; 1171 u_int8_t command; 1172 u_int8_t reserved; 1173 u_int8_t atyp; 1174 } s5_req, s5_rsp; 1175 u_int16_t dest_port; 1176 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1177 u_char *p; 1178 u_int have, need, i, found, nmethods, addrlen, af; 1179 1180 debug2("channel %d: decode socks5", c->self); 1181 p = buffer_ptr(&c->input); 1182 if (p[0] != 0x05) 1183 return -1; 1184 have = buffer_len(&c->input); 1185 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1186 /* format: ver | nmethods | methods */ 1187 if (have < 2) 1188 return 0; 1189 nmethods = p[1]; 1190 if (have < nmethods + 2) 1191 return 0; 1192 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1193 for (found = 0, i = 2; i < nmethods + 2; i++) { 1194 if (p[i] == SSH_SOCKS5_NOAUTH) { 1195 found = 1; 1196 break; 1197 } 1198 } 1199 if (!found) { 1200 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1201 c->self); 1202 return -1; 1203 } 1204 buffer_consume(&c->input, nmethods + 2); 1205 buffer_put_char(&c->output, 0x05); /* version */ 1206 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1207 FD_SET(c->sock, writeset); 1208 c->flags |= SSH_SOCKS5_AUTHDONE; 1209 debug2("channel %d: socks5 auth done", c->self); 1210 return 0; /* need more */ 1211 } 1212 debug2("channel %d: socks5 post auth", c->self); 1213 if (have < sizeof(s5_req)+1) 1214 return 0; /* need more */ 1215 memcpy(&s5_req, p, sizeof(s5_req)); 1216 if (s5_req.version != 0x05 || 1217 s5_req.command != SSH_SOCKS5_CONNECT || 1218 s5_req.reserved != 0x00) { 1219 debug2("channel %d: only socks5 connect supported", c->self); 1220 return -1; 1221 } 1222 switch (s5_req.atyp){ 1223 case SSH_SOCKS5_IPV4: 1224 addrlen = 4; 1225 af = AF_INET; 1226 break; 1227 case SSH_SOCKS5_DOMAIN: 1228 addrlen = p[sizeof(s5_req)]; 1229 af = -1; 1230 break; 1231 case SSH_SOCKS5_IPV6: 1232 addrlen = 16; 1233 af = AF_INET6; 1234 break; 1235 default: 1236 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1237 return -1; 1238 } 1239 need = sizeof(s5_req) + addrlen + 2; 1240 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1241 need++; 1242 if (have < need) 1243 return 0; 1244 buffer_consume(&c->input, sizeof(s5_req)); 1245 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1246 buffer_consume(&c->input, 1); /* host string length */ 1247 buffer_get(&c->input, &dest_addr, addrlen); 1248 buffer_get(&c->input, (char *)&dest_port, 2); 1249 dest_addr[addrlen] = '\0'; 1250 free(c->path); 1251 c->path = NULL; 1252 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1253 if (addrlen >= NI_MAXHOST) { 1254 error("channel %d: dynamic request: socks5 hostname " 1255 "\"%.100s\" too long", c->self, dest_addr); 1256 return -1; 1257 } 1258 c->path = xstrdup(dest_addr); 1259 } else { 1260 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1261 return -1; 1262 c->path = xstrdup(ntop); 1263 } 1264 c->host_port = ntohs(dest_port); 1265 1266 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1267 c->self, c->path, c->host_port, s5_req.command); 1268 1269 s5_rsp.version = 0x05; 1270 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1271 s5_rsp.reserved = 0; /* ignored */ 1272 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1273 dest_port = 0; /* ignored */ 1274 1275 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1276 buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */ 1277 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1278 return 1; 1279 } 1280 1281 Channel * 1282 channel_connect_stdio_fwd(const char *host_to_connect, u_short port_to_connect, 1283 int in, int out) 1284 { 1285 Channel *c; 1286 1287 debug("channel_connect_stdio_fwd %s:%d", host_to_connect, 1288 port_to_connect); 1289 1290 c = channel_new("stdio-forward", SSH_CHANNEL_OPENING, in, out, 1291 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1292 0, "stdio-forward", /*nonblock*/0); 1293 1294 c->path = xstrdup(host_to_connect); 1295 c->host_port = port_to_connect; 1296 c->listening_port = 0; 1297 c->force_drain = 1; 1298 1299 channel_register_fds(c, in, out, -1, 0, 1, 0); 1300 port_open_helper(c, "direct-tcpip"); 1301 1302 return c; 1303 } 1304 1305 /* dynamic port forwarding */ 1306 static void 1307 channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1308 { 1309 u_char *p; 1310 u_int have; 1311 int ret; 1312 1313 have = buffer_len(&c->input); 1314 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1315 /* buffer_dump(&c->input); */ 1316 /* check if the fixed size part of the packet is in buffer. */ 1317 if (have < 3) { 1318 /* need more */ 1319 FD_SET(c->sock, readset); 1320 return; 1321 } 1322 /* try to guess the protocol */ 1323 p = buffer_ptr(&c->input); 1324 switch (p[0]) { 1325 case 0x04: 1326 ret = channel_decode_socks4(c, readset, writeset); 1327 break; 1328 case 0x05: 1329 ret = channel_decode_socks5(c, readset, writeset); 1330 break; 1331 default: 1332 ret = -1; 1333 break; 1334 } 1335 if (ret < 0) { 1336 chan_mark_dead(c); 1337 } else if (ret == 0) { 1338 debug2("channel %d: pre_dynamic: need more", c->self); 1339 /* need more */ 1340 FD_SET(c->sock, readset); 1341 } else { 1342 /* switch to the next state */ 1343 c->type = SSH_CHANNEL_OPENING; 1344 port_open_helper(c, "direct-tcpip"); 1345 } 1346 } 1347 1348 /* This is our fake X11 server socket. */ 1349 /* ARGSUSED */ 1350 static void 1351 channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1352 { 1353 Channel *nc; 1354 struct sockaddr_storage addr; 1355 int newsock, oerrno; 1356 socklen_t addrlen; 1357 char buf[16384], *remote_ipaddr; 1358 int remote_port; 1359 1360 if (FD_ISSET(c->sock, readset)) { 1361 debug("X11 connection requested."); 1362 addrlen = sizeof(addr); 1363 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1364 if (c->single_connection) { 1365 oerrno = errno; 1366 debug2("single_connection: closing X11 listener."); 1367 channel_close_fd(&c->sock); 1368 chan_mark_dead(c); 1369 errno = oerrno; 1370 } 1371 if (newsock < 0) { 1372 if (errno != EINTR && errno != EWOULDBLOCK && 1373 errno != ECONNABORTED) 1374 error("accept: %.100s", strerror(errno)); 1375 if (errno == EMFILE || errno == ENFILE) 1376 c->notbefore = monotime() + 1; 1377 return; 1378 } 1379 set_nodelay(newsock); 1380 remote_ipaddr = get_peer_ipaddr(newsock); 1381 remote_port = get_peer_port(newsock); 1382 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1383 remote_ipaddr, remote_port); 1384 1385 nc = channel_new("accepted x11 socket", 1386 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1387 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1388 if (compat20) { 1389 packet_start(SSH2_MSG_CHANNEL_OPEN); 1390 packet_put_cstring("x11"); 1391 packet_put_int(nc->self); 1392 packet_put_int(nc->local_window_max); 1393 packet_put_int(nc->local_maxpacket); 1394 /* originator ipaddr and port */ 1395 packet_put_cstring(remote_ipaddr); 1396 if (datafellows & SSH_BUG_X11FWD) { 1397 debug2("ssh2 x11 bug compat mode"); 1398 } else { 1399 packet_put_int(remote_port); 1400 } 1401 packet_send(); 1402 } else { 1403 packet_start(SSH_SMSG_X11_OPEN); 1404 packet_put_int(nc->self); 1405 if (packet_get_protocol_flags() & 1406 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1407 packet_put_cstring(buf); 1408 packet_send(); 1409 } 1410 free(remote_ipaddr); 1411 } 1412 } 1413 1414 static void 1415 port_open_helper(Channel *c, char *rtype) 1416 { 1417 char buf[1024]; 1418 char *local_ipaddr = get_local_ipaddr(c->sock); 1419 int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1); 1420 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1421 int remote_port = get_peer_port(c->sock); 1422 1423 if (remote_port == -1) { 1424 /* Fake addr/port to appease peers that validate it (Tectia) */ 1425 free(remote_ipaddr); 1426 remote_ipaddr = xstrdup("127.0.0.1"); 1427 remote_port = 65535; 1428 } 1429 1430 snprintf(buf, sizeof buf, 1431 "%s: listening port %d for %.100s port %d, " 1432 "connect from %.200s port %d to %.100s port %d", 1433 rtype, c->listening_port, c->path, c->host_port, 1434 remote_ipaddr, remote_port, local_ipaddr, local_port); 1435 1436 free(c->remote_name); 1437 c->remote_name = xstrdup(buf); 1438 1439 if (compat20) { 1440 packet_start(SSH2_MSG_CHANNEL_OPEN); 1441 packet_put_cstring(rtype); 1442 packet_put_int(c->self); 1443 packet_put_int(c->local_window_max); 1444 packet_put_int(c->local_maxpacket); 1445 if (strcmp(rtype, "direct-tcpip") == 0) { 1446 /* target host, port */ 1447 packet_put_cstring(c->path); 1448 packet_put_int(c->host_port); 1449 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) { 1450 /* target path */ 1451 packet_put_cstring(c->path); 1452 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1453 /* listen path */ 1454 packet_put_cstring(c->path); 1455 } else { 1456 /* listen address, port */ 1457 packet_put_cstring(c->path); 1458 packet_put_int(local_port); 1459 } 1460 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1461 /* reserved for future owner/mode info */ 1462 packet_put_cstring(""); 1463 } else { 1464 /* originator host and port */ 1465 packet_put_cstring(remote_ipaddr); 1466 packet_put_int((u_int)remote_port); 1467 } 1468 packet_send(); 1469 } else { 1470 packet_start(SSH_MSG_PORT_OPEN); 1471 packet_put_int(c->self); 1472 packet_put_cstring(c->path); 1473 packet_put_int(c->host_port); 1474 if (packet_get_protocol_flags() & 1475 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1476 packet_put_cstring(c->remote_name); 1477 packet_send(); 1478 } 1479 free(remote_ipaddr); 1480 free(local_ipaddr); 1481 } 1482 1483 static void 1484 channel_set_reuseaddr(int fd) 1485 { 1486 int on = 1; 1487 1488 /* 1489 * Set socket options. 1490 * Allow local port reuse in TIME_WAIT. 1491 */ 1492 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1493 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1494 } 1495 1496 void 1497 channel_set_x11_refuse_time(u_int refuse_time) 1498 { 1499 x11_refuse_time = refuse_time; 1500 } 1501 1502 /* 1503 * This socket is listening for connections to a forwarded TCP/IP port. 1504 */ 1505 /* ARGSUSED */ 1506 static void 1507 channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1508 { 1509 Channel *nc; 1510 struct sockaddr_storage addr; 1511 int newsock, nextstate; 1512 socklen_t addrlen; 1513 char *rtype; 1514 1515 if (FD_ISSET(c->sock, readset)) { 1516 debug("Connection to port %d forwarding " 1517 "to %.100s port %d requested.", 1518 c->listening_port, c->path, c->host_port); 1519 1520 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1521 nextstate = SSH_CHANNEL_OPENING; 1522 rtype = "forwarded-tcpip"; 1523 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) { 1524 nextstate = SSH_CHANNEL_OPENING; 1525 rtype = "forwarded-streamlocal@openssh.com"; 1526 } else if (c->host_port == PORT_STREAMLOCAL) { 1527 nextstate = SSH_CHANNEL_OPENING; 1528 rtype = "direct-streamlocal@openssh.com"; 1529 } else if (c->host_port == 0) { 1530 nextstate = SSH_CHANNEL_DYNAMIC; 1531 rtype = "dynamic-tcpip"; 1532 } else { 1533 nextstate = SSH_CHANNEL_OPENING; 1534 rtype = "direct-tcpip"; 1535 } 1536 1537 addrlen = sizeof(addr); 1538 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1539 if (newsock < 0) { 1540 if (errno != EINTR && errno != EWOULDBLOCK && 1541 errno != ECONNABORTED) 1542 error("accept: %.100s", strerror(errno)); 1543 if (errno == EMFILE || errno == ENFILE) 1544 c->notbefore = monotime() + 1; 1545 return; 1546 } 1547 if (c->host_port != PORT_STREAMLOCAL) 1548 set_nodelay(newsock); 1549 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1550 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1551 nc->listening_port = c->listening_port; 1552 nc->host_port = c->host_port; 1553 if (c->path != NULL) 1554 nc->path = xstrdup(c->path); 1555 1556 if (nextstate != SSH_CHANNEL_DYNAMIC) 1557 port_open_helper(nc, rtype); 1558 } 1559 } 1560 1561 /* 1562 * This is the authentication agent socket listening for connections from 1563 * clients. 1564 */ 1565 /* ARGSUSED */ 1566 static void 1567 channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1568 { 1569 Channel *nc; 1570 int newsock; 1571 struct sockaddr_storage addr; 1572 socklen_t addrlen; 1573 1574 if (FD_ISSET(c->sock, readset)) { 1575 addrlen = sizeof(addr); 1576 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1577 if (newsock < 0) { 1578 error("accept from auth socket: %.100s", 1579 strerror(errno)); 1580 if (errno == EMFILE || errno == ENFILE) 1581 c->notbefore = monotime() + 1; 1582 return; 1583 } 1584 nc = channel_new("accepted auth socket", 1585 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1586 c->local_window_max, c->local_maxpacket, 1587 0, "accepted auth socket", 1); 1588 if (compat20) { 1589 packet_start(SSH2_MSG_CHANNEL_OPEN); 1590 packet_put_cstring("auth-agent@openssh.com"); 1591 packet_put_int(nc->self); 1592 packet_put_int(c->local_window_max); 1593 packet_put_int(c->local_maxpacket); 1594 } else { 1595 packet_start(SSH_SMSG_AGENT_OPEN); 1596 packet_put_int(nc->self); 1597 } 1598 packet_send(); 1599 } 1600 } 1601 1602 /* ARGSUSED */ 1603 static void 1604 channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1605 { 1606 int err = 0, sock; 1607 socklen_t sz = sizeof(err); 1608 1609 if (FD_ISSET(c->sock, writeset)) { 1610 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1611 err = errno; 1612 error("getsockopt SO_ERROR failed"); 1613 } 1614 if (err == 0) { 1615 debug("channel %d: connected to %s port %d", 1616 c->self, c->connect_ctx.host, c->connect_ctx.port); 1617 channel_connect_ctx_free(&c->connect_ctx); 1618 c->type = SSH_CHANNEL_OPEN; 1619 if (compat20) { 1620 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1621 packet_put_int(c->remote_id); 1622 packet_put_int(c->self); 1623 packet_put_int(c->local_window); 1624 packet_put_int(c->local_maxpacket); 1625 } else { 1626 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1627 packet_put_int(c->remote_id); 1628 packet_put_int(c->self); 1629 } 1630 } else { 1631 debug("channel %d: connection failed: %s", 1632 c->self, strerror(err)); 1633 /* Try next address, if any */ 1634 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1635 close(c->sock); 1636 c->sock = c->rfd = c->wfd = sock; 1637 channel_max_fd = channel_find_maxfd(); 1638 return; 1639 } 1640 /* Exhausted all addresses */ 1641 error("connect_to %.100s port %d: failed.", 1642 c->connect_ctx.host, c->connect_ctx.port); 1643 channel_connect_ctx_free(&c->connect_ctx); 1644 if (compat20) { 1645 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1646 packet_put_int(c->remote_id); 1647 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1648 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1649 packet_put_cstring(strerror(err)); 1650 packet_put_cstring(""); 1651 } 1652 } else { 1653 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1654 packet_put_int(c->remote_id); 1655 } 1656 chan_mark_dead(c); 1657 } 1658 packet_send(); 1659 } 1660 } 1661 1662 /* ARGSUSED */ 1663 static int 1664 channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1665 { 1666 char buf[CHAN_RBUF]; 1667 int len, force; 1668 1669 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1670 if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) { 1671 errno = 0; 1672 len = read(c->rfd, buf, sizeof(buf)); 1673 if (len < 0 && (errno == EINTR || 1674 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1675 return 1; 1676 #ifndef PTY_ZEROREAD 1677 if (len <= 0) { 1678 #else 1679 if ((!c->isatty && len <= 0) || 1680 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1681 #endif 1682 debug2("channel %d: read<=0 rfd %d len %d", 1683 c->self, c->rfd, len); 1684 if (c->type != SSH_CHANNEL_OPEN) { 1685 debug2("channel %d: not open", c->self); 1686 chan_mark_dead(c); 1687 return -1; 1688 } else if (compat13) { 1689 buffer_clear(&c->output); 1690 c->type = SSH_CHANNEL_INPUT_DRAINING; 1691 debug2("channel %d: input draining.", c->self); 1692 } else { 1693 chan_read_failed(c); 1694 } 1695 return -1; 1696 } 1697 if (c->input_filter != NULL) { 1698 if (c->input_filter(c, buf, len) == -1) { 1699 debug2("channel %d: filter stops", c->self); 1700 chan_read_failed(c); 1701 } 1702 } else if (c->datagram) { 1703 buffer_put_string(&c->input, buf, len); 1704 } else { 1705 buffer_append(&c->input, buf, len); 1706 } 1707 } 1708 return 1; 1709 } 1710 1711 /* ARGSUSED */ 1712 static int 1713 channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1714 { 1715 struct termios tio; 1716 u_char *data = NULL, *buf; 1717 u_int dlen, olen = 0; 1718 int len; 1719 1720 /* Send buffered output data to the socket. */ 1721 if (c->wfd != -1 && 1722 FD_ISSET(c->wfd, writeset) && 1723 buffer_len(&c->output) > 0) { 1724 olen = buffer_len(&c->output); 1725 if (c->output_filter != NULL) { 1726 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1727 debug2("channel %d: filter stops", c->self); 1728 if (c->type != SSH_CHANNEL_OPEN) 1729 chan_mark_dead(c); 1730 else 1731 chan_write_failed(c); 1732 return -1; 1733 } 1734 } else if (c->datagram) { 1735 buf = data = buffer_get_string(&c->output, &dlen); 1736 } else { 1737 buf = data = buffer_ptr(&c->output); 1738 dlen = buffer_len(&c->output); 1739 } 1740 1741 if (c->datagram) { 1742 /* ignore truncated writes, datagrams might get lost */ 1743 len = write(c->wfd, buf, dlen); 1744 free(data); 1745 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1746 errno == EWOULDBLOCK)) 1747 return 1; 1748 if (len <= 0) { 1749 if (c->type != SSH_CHANNEL_OPEN) 1750 chan_mark_dead(c); 1751 else 1752 chan_write_failed(c); 1753 return -1; 1754 } 1755 goto out; 1756 } 1757 #ifdef _AIX 1758 /* XXX: Later AIX versions can't push as much data to tty */ 1759 if (compat20 && c->wfd_isatty) 1760 dlen = MIN(dlen, 8*1024); 1761 #endif 1762 1763 len = write(c->wfd, buf, dlen); 1764 if (len < 0 && 1765 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1766 return 1; 1767 if (len <= 0) { 1768 if (c->type != SSH_CHANNEL_OPEN) { 1769 debug2("channel %d: not open", c->self); 1770 chan_mark_dead(c); 1771 return -1; 1772 } else if (compat13) { 1773 buffer_clear(&c->output); 1774 debug2("channel %d: input draining.", c->self); 1775 c->type = SSH_CHANNEL_INPUT_DRAINING; 1776 } else { 1777 chan_write_failed(c); 1778 } 1779 return -1; 1780 } 1781 #ifndef BROKEN_TCGETATTR_ICANON 1782 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1783 if (tcgetattr(c->wfd, &tio) == 0 && 1784 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1785 /* 1786 * Simulate echo to reduce the impact of 1787 * traffic analysis. We need to match the 1788 * size of a SSH2_MSG_CHANNEL_DATA message 1789 * (4 byte channel id + buf) 1790 */ 1791 packet_send_ignore(4 + len); 1792 packet_send(); 1793 } 1794 } 1795 #endif 1796 buffer_consume(&c->output, len); 1797 } 1798 out: 1799 if (compat20 && olen > 0) 1800 c->local_consumed += olen - buffer_len(&c->output); 1801 return 1; 1802 } 1803 1804 static int 1805 channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1806 { 1807 char buf[CHAN_RBUF]; 1808 int len; 1809 1810 /** XXX handle drain efd, too */ 1811 if (c->efd != -1) { 1812 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1813 FD_ISSET(c->efd, writeset) && 1814 buffer_len(&c->extended) > 0) { 1815 len = write(c->efd, buffer_ptr(&c->extended), 1816 buffer_len(&c->extended)); 1817 debug2("channel %d: written %d to efd %d", 1818 c->self, len, c->efd); 1819 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1820 errno == EWOULDBLOCK)) 1821 return 1; 1822 if (len <= 0) { 1823 debug2("channel %d: closing write-efd %d", 1824 c->self, c->efd); 1825 channel_close_fd(&c->efd); 1826 } else { 1827 buffer_consume(&c->extended, len); 1828 c->local_consumed += len; 1829 } 1830 } else if (c->efd != -1 && 1831 (c->extended_usage == CHAN_EXTENDED_READ || 1832 c->extended_usage == CHAN_EXTENDED_IGNORE) && 1833 (c->detach_close || FD_ISSET(c->efd, readset))) { 1834 len = read(c->efd, buf, sizeof(buf)); 1835 debug2("channel %d: read %d from efd %d", 1836 c->self, len, c->efd); 1837 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 1838 errno == EWOULDBLOCK) && !c->detach_close))) 1839 return 1; 1840 if (len <= 0) { 1841 debug2("channel %d: closing read-efd %d", 1842 c->self, c->efd); 1843 channel_close_fd(&c->efd); 1844 } else { 1845 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 1846 debug3("channel %d: discard efd", 1847 c->self); 1848 } else 1849 buffer_append(&c->extended, buf, len); 1850 } 1851 } 1852 } 1853 return 1; 1854 } 1855 1856 static int 1857 channel_check_window(Channel *c) 1858 { 1859 if (c->type == SSH_CHANNEL_OPEN && 1860 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1861 ((c->local_window_max - c->local_window > 1862 c->local_maxpacket*3) || 1863 c->local_window < c->local_window_max/2) && 1864 c->local_consumed > 0) { 1865 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1866 packet_put_int(c->remote_id); 1867 packet_put_int(c->local_consumed); 1868 packet_send(); 1869 debug2("channel %d: window %d sent adjust %d", 1870 c->self, c->local_window, 1871 c->local_consumed); 1872 c->local_window += c->local_consumed; 1873 c->local_consumed = 0; 1874 } 1875 return 1; 1876 } 1877 1878 static void 1879 channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1880 { 1881 channel_handle_rfd(c, readset, writeset); 1882 channel_handle_wfd(c, readset, writeset); 1883 if (!compat20) 1884 return; 1885 channel_handle_efd(c, readset, writeset); 1886 channel_check_window(c); 1887 } 1888 1889 static u_int 1890 read_mux(Channel *c, u_int need) 1891 { 1892 char buf[CHAN_RBUF]; 1893 int len; 1894 u_int rlen; 1895 1896 if (buffer_len(&c->input) < need) { 1897 rlen = need - buffer_len(&c->input); 1898 len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF)); 1899 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1900 return buffer_len(&c->input); 1901 if (len <= 0) { 1902 debug2("channel %d: ctl read<=0 rfd %d len %d", 1903 c->self, c->rfd, len); 1904 chan_read_failed(c); 1905 return 0; 1906 } else 1907 buffer_append(&c->input, buf, len); 1908 } 1909 return buffer_len(&c->input); 1910 } 1911 1912 static void 1913 channel_post_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1914 { 1915 u_int need; 1916 ssize_t len; 1917 1918 if (!compat20) 1919 fatal("%s: entered with !compat20", __func__); 1920 1921 if (c->rfd != -1 && !c->mux_pause && FD_ISSET(c->rfd, readset) && 1922 (c->istate == CHAN_INPUT_OPEN || 1923 c->istate == CHAN_INPUT_WAIT_DRAIN)) { 1924 /* 1925 * Don't not read past the precise end of packets to 1926 * avoid disrupting fd passing. 1927 */ 1928 if (read_mux(c, 4) < 4) /* read header */ 1929 return; 1930 need = get_u32(buffer_ptr(&c->input)); 1931 #define CHANNEL_MUX_MAX_PACKET (256 * 1024) 1932 if (need > CHANNEL_MUX_MAX_PACKET) { 1933 debug2("channel %d: packet too big %u > %u", 1934 c->self, CHANNEL_MUX_MAX_PACKET, need); 1935 chan_rcvd_oclose(c); 1936 return; 1937 } 1938 if (read_mux(c, need + 4) < need + 4) /* read body */ 1939 return; 1940 if (c->mux_rcb(c) != 0) { 1941 debug("channel %d: mux_rcb failed", c->self); 1942 chan_mark_dead(c); 1943 return; 1944 } 1945 } 1946 1947 if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && 1948 buffer_len(&c->output) > 0) { 1949 len = write(c->wfd, buffer_ptr(&c->output), 1950 buffer_len(&c->output)); 1951 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1952 return; 1953 if (len <= 0) { 1954 chan_mark_dead(c); 1955 return; 1956 } 1957 buffer_consume(&c->output, len); 1958 } 1959 } 1960 1961 static void 1962 channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) 1963 { 1964 Channel *nc; 1965 struct sockaddr_storage addr; 1966 socklen_t addrlen; 1967 int newsock; 1968 uid_t euid; 1969 gid_t egid; 1970 1971 if (!FD_ISSET(c->sock, readset)) 1972 return; 1973 1974 debug("multiplexing control connection"); 1975 1976 /* 1977 * Accept connection on control socket 1978 */ 1979 memset(&addr, 0, sizeof(addr)); 1980 addrlen = sizeof(addr); 1981 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 1982 &addrlen)) == -1) { 1983 error("%s accept: %s", __func__, strerror(errno)); 1984 if (errno == EMFILE || errno == ENFILE) 1985 c->notbefore = monotime() + 1; 1986 return; 1987 } 1988 1989 if (getpeereid(newsock, &euid, &egid) < 0) { 1990 error("%s getpeereid failed: %s", __func__, 1991 strerror(errno)); 1992 close(newsock); 1993 return; 1994 } 1995 if ((euid != 0) && (getuid() != euid)) { 1996 error("multiplex uid mismatch: peer euid %u != uid %u", 1997 (u_int)euid, (u_int)getuid()); 1998 close(newsock); 1999 return; 2000 } 2001 nc = channel_new("multiplex client", SSH_CHANNEL_MUX_CLIENT, 2002 newsock, newsock, -1, c->local_window_max, 2003 c->local_maxpacket, 0, "mux-control", 1); 2004 nc->mux_rcb = c->mux_rcb; 2005 debug3("%s: new mux channel %d fd %d", __func__, 2006 nc->self, nc->sock); 2007 /* establish state */ 2008 nc->mux_rcb(nc); 2009 /* mux state transitions must not elicit protocol messages */ 2010 nc->flags |= CHAN_LOCAL; 2011 } 2012 2013 /* ARGSUSED */ 2014 static void 2015 channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 2016 { 2017 int len; 2018 2019 /* Send buffered output data to the socket. */ 2020 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 2021 len = write(c->sock, buffer_ptr(&c->output), 2022 buffer_len(&c->output)); 2023 if (len <= 0) 2024 buffer_clear(&c->output); 2025 else 2026 buffer_consume(&c->output, len); 2027 } 2028 } 2029 2030 static void 2031 channel_handler_init_20(void) 2032 { 2033 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2034 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2035 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2036 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 2037 channel_pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener; 2038 channel_pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener; 2039 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2040 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2041 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2042 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2043 channel_pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 2044 channel_pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 2045 2046 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2047 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2048 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 2049 channel_post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener; 2050 channel_post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener; 2051 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2052 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2053 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2054 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2055 channel_post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 2056 channel_post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 2057 } 2058 2059 static void 2060 channel_handler_init_13(void) 2061 { 2062 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 2063 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 2064 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2065 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2066 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2067 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 2068 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 2069 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2070 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2071 2072 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2073 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2074 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2075 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2076 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 2077 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2078 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2079 } 2080 2081 static void 2082 channel_handler_init_15(void) 2083 { 2084 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2085 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2086 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2087 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2088 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2089 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2090 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2091 2092 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2093 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2094 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2095 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2096 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2097 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2098 } 2099 2100 static void 2101 channel_handler_init(void) 2102 { 2103 int i; 2104 2105 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 2106 channel_pre[i] = NULL; 2107 channel_post[i] = NULL; 2108 } 2109 if (compat20) 2110 channel_handler_init_20(); 2111 else if (compat13) 2112 channel_handler_init_13(); 2113 else 2114 channel_handler_init_15(); 2115 } 2116 2117 /* gc dead channels */ 2118 static void 2119 channel_garbage_collect(Channel *c) 2120 { 2121 if (c == NULL) 2122 return; 2123 if (c->detach_user != NULL) { 2124 if (!chan_is_dead(c, c->detach_close)) 2125 return; 2126 debug2("channel %d: gc: notify user", c->self); 2127 c->detach_user(c->self, NULL); 2128 /* if we still have a callback */ 2129 if (c->detach_user != NULL) 2130 return; 2131 debug2("channel %d: gc: user detached", c->self); 2132 } 2133 if (!chan_is_dead(c, 1)) 2134 return; 2135 debug2("channel %d: garbage collecting", c->self); 2136 channel_free(c); 2137 } 2138 2139 static void 2140 channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, 2141 time_t *unpause_secs) 2142 { 2143 static int did_init = 0; 2144 u_int i, oalloc; 2145 Channel *c; 2146 time_t now; 2147 2148 if (!did_init) { 2149 channel_handler_init(); 2150 did_init = 1; 2151 } 2152 now = monotime(); 2153 if (unpause_secs != NULL) 2154 *unpause_secs = 0; 2155 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { 2156 c = channels[i]; 2157 if (c == NULL) 2158 continue; 2159 if (c->delayed) { 2160 if (ftab == channel_pre) 2161 c->delayed = 0; 2162 else 2163 continue; 2164 } 2165 if (ftab[c->type] != NULL) { 2166 /* 2167 * Run handlers that are not paused. 2168 */ 2169 if (c->notbefore <= now) 2170 (*ftab[c->type])(c, readset, writeset); 2171 else if (unpause_secs != NULL) { 2172 /* 2173 * Collect the time that the earliest 2174 * channel comes off pause. 2175 */ 2176 debug3("%s: chan %d: skip for %d more seconds", 2177 __func__, c->self, 2178 (int)(c->notbefore - now)); 2179 if (*unpause_secs == 0 || 2180 (c->notbefore - now) < *unpause_secs) 2181 *unpause_secs = c->notbefore - now; 2182 } 2183 } 2184 channel_garbage_collect(c); 2185 } 2186 if (unpause_secs != NULL && *unpause_secs != 0) 2187 debug3("%s: first channel unpauses in %d seconds", 2188 __func__, (int)*unpause_secs); 2189 } 2190 2191 /* 2192 * Allocate/update select bitmasks and add any bits relevant to channels in 2193 * select bitmasks. 2194 */ 2195 void 2196 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 2197 u_int *nallocp, time_t *minwait_secs, int rekeying) 2198 { 2199 u_int n, sz, nfdset; 2200 2201 n = MAX(*maxfdp, channel_max_fd); 2202 2203 nfdset = howmany(n+1, NFDBITS); 2204 /* Explicitly test here, because xrealloc isn't always called */ 2205 if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask)) 2206 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2207 sz = nfdset * sizeof(fd_mask); 2208 2209 /* perhaps check sz < nalloc/2 and shrink? */ 2210 if (*readsetp == NULL || sz > *nallocp) { 2211 *readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask)); 2212 *writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask)); 2213 *nallocp = sz; 2214 } 2215 *maxfdp = n; 2216 memset(*readsetp, 0, sz); 2217 memset(*writesetp, 0, sz); 2218 2219 if (!rekeying) 2220 channel_handler(channel_pre, *readsetp, *writesetp, 2221 minwait_secs); 2222 } 2223 2224 /* 2225 * After select, perform any appropriate operations for channels which have 2226 * events pending. 2227 */ 2228 void 2229 channel_after_select(fd_set *readset, fd_set *writeset) 2230 { 2231 channel_handler(channel_post, readset, writeset, NULL); 2232 } 2233 2234 2235 /* If there is data to send to the connection, enqueue some of it now. */ 2236 void 2237 channel_output_poll(void) 2238 { 2239 Channel *c; 2240 u_int i, len; 2241 2242 for (i = 0; i < channels_alloc; i++) { 2243 c = channels[i]; 2244 if (c == NULL) 2245 continue; 2246 2247 /* 2248 * We are only interested in channels that can have buffered 2249 * incoming data. 2250 */ 2251 if (compat13) { 2252 if (c->type != SSH_CHANNEL_OPEN && 2253 c->type != SSH_CHANNEL_INPUT_DRAINING) 2254 continue; 2255 } else { 2256 if (c->type != SSH_CHANNEL_OPEN) 2257 continue; 2258 } 2259 if (compat20 && 2260 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2261 /* XXX is this true? */ 2262 debug3("channel %d: will not send data after close", c->self); 2263 continue; 2264 } 2265 2266 /* Get the amount of buffered data for this channel. */ 2267 if ((c->istate == CHAN_INPUT_OPEN || 2268 c->istate == CHAN_INPUT_WAIT_DRAIN) && 2269 (len = buffer_len(&c->input)) > 0) { 2270 if (c->datagram) { 2271 if (len > 0) { 2272 u_char *data; 2273 u_int dlen; 2274 2275 data = buffer_get_string(&c->input, 2276 &dlen); 2277 if (dlen > c->remote_window || 2278 dlen > c->remote_maxpacket) { 2279 debug("channel %d: datagram " 2280 "too big for channel", 2281 c->self); 2282 free(data); 2283 continue; 2284 } 2285 packet_start(SSH2_MSG_CHANNEL_DATA); 2286 packet_put_int(c->remote_id); 2287 packet_put_string(data, dlen); 2288 packet_send(); 2289 c->remote_window -= dlen; 2290 free(data); 2291 } 2292 continue; 2293 } 2294 /* 2295 * Send some data for the other side over the secure 2296 * connection. 2297 */ 2298 if (compat20) { 2299 if (len > c->remote_window) 2300 len = c->remote_window; 2301 if (len > c->remote_maxpacket) 2302 len = c->remote_maxpacket; 2303 } else { 2304 if (packet_is_interactive()) { 2305 if (len > 1024) 2306 len = 512; 2307 } else { 2308 /* Keep the packets at reasonable size. */ 2309 if (len > packet_get_maxsize()/2) 2310 len = packet_get_maxsize()/2; 2311 } 2312 } 2313 if (len > 0) { 2314 packet_start(compat20 ? 2315 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 2316 packet_put_int(c->remote_id); 2317 packet_put_string(buffer_ptr(&c->input), len); 2318 packet_send(); 2319 buffer_consume(&c->input, len); 2320 c->remote_window -= len; 2321 } 2322 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2323 if (compat13) 2324 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 2325 /* 2326 * input-buffer is empty and read-socket shutdown: 2327 * tell peer, that we will not send more data: send IEOF. 2328 * hack for extended data: delay EOF if EFD still in use. 2329 */ 2330 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2331 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 2332 c->self, c->efd, buffer_len(&c->extended)); 2333 else 2334 chan_ibuf_empty(c); 2335 } 2336 /* Send extended data, i.e. stderr */ 2337 if (compat20 && 2338 !(c->flags & CHAN_EOF_SENT) && 2339 c->remote_window > 0 && 2340 (len = buffer_len(&c->extended)) > 0 && 2341 c->extended_usage == CHAN_EXTENDED_READ) { 2342 debug2("channel %d: rwin %u elen %u euse %d", 2343 c->self, c->remote_window, buffer_len(&c->extended), 2344 c->extended_usage); 2345 if (len > c->remote_window) 2346 len = c->remote_window; 2347 if (len > c->remote_maxpacket) 2348 len = c->remote_maxpacket; 2349 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 2350 packet_put_int(c->remote_id); 2351 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 2352 packet_put_string(buffer_ptr(&c->extended), len); 2353 packet_send(); 2354 buffer_consume(&c->extended, len); 2355 c->remote_window -= len; 2356 debug2("channel %d: sent ext data %d", c->self, len); 2357 } 2358 } 2359 } 2360 2361 2362 /* -- protocol input */ 2363 2364 /* ARGSUSED */ 2365 int 2366 channel_input_data(int type, u_int32_t seq, void *ctxt) 2367 { 2368 int id; 2369 const u_char *data; 2370 u_int data_len, win_len; 2371 Channel *c; 2372 2373 /* Get the channel number and verify it. */ 2374 id = packet_get_int(); 2375 c = channel_lookup(id); 2376 if (c == NULL) 2377 packet_disconnect("Received data for nonexistent channel %d.", id); 2378 2379 /* Ignore any data for non-open channels (might happen on close) */ 2380 if (c->type != SSH_CHANNEL_OPEN && 2381 c->type != SSH_CHANNEL_X11_OPEN) 2382 return 0; 2383 2384 /* Get the data. */ 2385 data = packet_get_string_ptr(&data_len); 2386 win_len = data_len; 2387 if (c->datagram) 2388 win_len += 4; /* string length header */ 2389 2390 /* 2391 * Ignore data for protocol > 1.3 if output end is no longer open. 2392 * For protocol 2 the sending side is reducing its window as it sends 2393 * data, so we must 'fake' consumption of the data in order to ensure 2394 * that window updates are sent back. Otherwise the connection might 2395 * deadlock. 2396 */ 2397 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2398 if (compat20) { 2399 c->local_window -= win_len; 2400 c->local_consumed += win_len; 2401 } 2402 return 0; 2403 } 2404 2405 if (compat20) { 2406 if (win_len > c->local_maxpacket) { 2407 logit("channel %d: rcvd big packet %d, maxpack %d", 2408 c->self, win_len, c->local_maxpacket); 2409 } 2410 if (win_len > c->local_window) { 2411 logit("channel %d: rcvd too much data %d, win %d", 2412 c->self, win_len, c->local_window); 2413 return 0; 2414 } 2415 c->local_window -= win_len; 2416 } 2417 if (c->datagram) 2418 buffer_put_string(&c->output, data, data_len); 2419 else 2420 buffer_append(&c->output, data, data_len); 2421 packet_check_eom(); 2422 return 0; 2423 } 2424 2425 /* ARGSUSED */ 2426 int 2427 channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2428 { 2429 int id; 2430 char *data; 2431 u_int data_len, tcode; 2432 Channel *c; 2433 2434 /* Get the channel number and verify it. */ 2435 id = packet_get_int(); 2436 c = channel_lookup(id); 2437 2438 if (c == NULL) 2439 packet_disconnect("Received extended_data for bad channel %d.", id); 2440 if (c->type != SSH_CHANNEL_OPEN) { 2441 logit("channel %d: ext data for non open", id); 2442 return 0; 2443 } 2444 if (c->flags & CHAN_EOF_RCVD) { 2445 if (datafellows & SSH_BUG_EXTEOF) 2446 debug("channel %d: accepting ext data after eof", id); 2447 else 2448 packet_disconnect("Received extended_data after EOF " 2449 "on channel %d.", id); 2450 } 2451 tcode = packet_get_int(); 2452 if (c->efd == -1 || 2453 c->extended_usage != CHAN_EXTENDED_WRITE || 2454 tcode != SSH2_EXTENDED_DATA_STDERR) { 2455 logit("channel %d: bad ext data", c->self); 2456 return 0; 2457 } 2458 data = packet_get_string(&data_len); 2459 packet_check_eom(); 2460 if (data_len > c->local_window) { 2461 logit("channel %d: rcvd too much extended_data %d, win %d", 2462 c->self, data_len, c->local_window); 2463 free(data); 2464 return 0; 2465 } 2466 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2467 c->local_window -= data_len; 2468 buffer_append(&c->extended, data, data_len); 2469 free(data); 2470 return 0; 2471 } 2472 2473 /* ARGSUSED */ 2474 int 2475 channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2476 { 2477 int id; 2478 Channel *c; 2479 2480 id = packet_get_int(); 2481 packet_check_eom(); 2482 c = channel_lookup(id); 2483 if (c == NULL) 2484 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2485 chan_rcvd_ieof(c); 2486 2487 /* XXX force input close */ 2488 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2489 debug("channel %d: FORCE input drain", c->self); 2490 c->istate = CHAN_INPUT_WAIT_DRAIN; 2491 if (buffer_len(&c->input) == 0) 2492 chan_ibuf_empty(c); 2493 } 2494 return 0; 2495 } 2496 2497 /* ARGSUSED */ 2498 int 2499 channel_input_close(int type, u_int32_t seq, void *ctxt) 2500 { 2501 int id; 2502 Channel *c; 2503 2504 id = packet_get_int(); 2505 packet_check_eom(); 2506 c = channel_lookup(id); 2507 if (c == NULL) 2508 packet_disconnect("Received close for nonexistent channel %d.", id); 2509 2510 /* 2511 * Send a confirmation that we have closed the channel and no more 2512 * data is coming for it. 2513 */ 2514 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2515 packet_put_int(c->remote_id); 2516 packet_send(); 2517 2518 /* 2519 * If the channel is in closed state, we have sent a close request, 2520 * and the other side will eventually respond with a confirmation. 2521 * Thus, we cannot free the channel here, because then there would be 2522 * no-one to receive the confirmation. The channel gets freed when 2523 * the confirmation arrives. 2524 */ 2525 if (c->type != SSH_CHANNEL_CLOSED) { 2526 /* 2527 * Not a closed channel - mark it as draining, which will 2528 * cause it to be freed later. 2529 */ 2530 buffer_clear(&c->input); 2531 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2532 } 2533 return 0; 2534 } 2535 2536 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2537 /* ARGSUSED */ 2538 int 2539 channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2540 { 2541 int id = packet_get_int(); 2542 Channel *c = channel_lookup(id); 2543 2544 packet_check_eom(); 2545 if (c == NULL) 2546 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2547 chan_rcvd_oclose(c); 2548 return 0; 2549 } 2550 2551 /* ARGSUSED */ 2552 int 2553 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2554 { 2555 int id = packet_get_int(); 2556 Channel *c = channel_lookup(id); 2557 2558 packet_check_eom(); 2559 if (c == NULL) 2560 packet_disconnect("Received close confirmation for " 2561 "out-of-range channel %d.", id); 2562 if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED) 2563 packet_disconnect("Received close confirmation for " 2564 "non-closed channel %d (type %d).", id, c->type); 2565 channel_free(c); 2566 return 0; 2567 } 2568 2569 /* ARGSUSED */ 2570 int 2571 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2572 { 2573 int id, remote_id; 2574 Channel *c; 2575 2576 id = packet_get_int(); 2577 c = channel_lookup(id); 2578 2579 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2580 packet_disconnect("Received open confirmation for " 2581 "non-opening channel %d.", id); 2582 remote_id = packet_get_int(); 2583 /* Record the remote channel number and mark that the channel is now open. */ 2584 c->remote_id = remote_id; 2585 c->type = SSH_CHANNEL_OPEN; 2586 2587 if (compat20) { 2588 c->remote_window = packet_get_int(); 2589 c->remote_maxpacket = packet_get_int(); 2590 if (c->open_confirm) { 2591 debug2("callback start"); 2592 c->open_confirm(c->self, 1, c->open_confirm_ctx); 2593 debug2("callback done"); 2594 } 2595 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2596 c->remote_window, c->remote_maxpacket); 2597 } 2598 packet_check_eom(); 2599 return 0; 2600 } 2601 2602 static char * 2603 reason2txt(int reason) 2604 { 2605 switch (reason) { 2606 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2607 return "administratively prohibited"; 2608 case SSH2_OPEN_CONNECT_FAILED: 2609 return "connect failed"; 2610 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2611 return "unknown channel type"; 2612 case SSH2_OPEN_RESOURCE_SHORTAGE: 2613 return "resource shortage"; 2614 } 2615 return "unknown reason"; 2616 } 2617 2618 /* ARGSUSED */ 2619 int 2620 channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2621 { 2622 int id, reason; 2623 char *msg = NULL, *lang = NULL; 2624 Channel *c; 2625 2626 id = packet_get_int(); 2627 c = channel_lookup(id); 2628 2629 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2630 packet_disconnect("Received open failure for " 2631 "non-opening channel %d.", id); 2632 if (compat20) { 2633 reason = packet_get_int(); 2634 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2635 msg = packet_get_string(NULL); 2636 lang = packet_get_string(NULL); 2637 } 2638 logit("channel %d: open failed: %s%s%s", id, 2639 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2640 free(msg); 2641 free(lang); 2642 if (c->open_confirm) { 2643 debug2("callback start"); 2644 c->open_confirm(c->self, 0, c->open_confirm_ctx); 2645 debug2("callback done"); 2646 } 2647 } 2648 packet_check_eom(); 2649 /* Schedule the channel for cleanup/deletion. */ 2650 chan_mark_dead(c); 2651 return 0; 2652 } 2653 2654 /* ARGSUSED */ 2655 int 2656 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2657 { 2658 Channel *c; 2659 int id; 2660 u_int adjust, tmp; 2661 2662 if (!compat20) 2663 return 0; 2664 2665 /* Get the channel number and verify it. */ 2666 id = packet_get_int(); 2667 c = channel_lookup(id); 2668 2669 if (c == NULL) { 2670 logit("Received window adjust for non-open channel %d.", id); 2671 return 0; 2672 } 2673 adjust = packet_get_int(); 2674 packet_check_eom(); 2675 debug2("channel %d: rcvd adjust %u", id, adjust); 2676 if ((tmp = c->remote_window + adjust) < c->remote_window) 2677 fatal("channel %d: adjust %u overflows remote window %u", 2678 id, adjust, c->remote_window); 2679 c->remote_window = tmp; 2680 return 0; 2681 } 2682 2683 /* ARGSUSED */ 2684 int 2685 channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2686 { 2687 Channel *c = NULL; 2688 u_short host_port; 2689 char *host, *originator_string; 2690 int remote_id; 2691 2692 remote_id = packet_get_int(); 2693 host = packet_get_string(NULL); 2694 host_port = packet_get_int(); 2695 2696 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2697 originator_string = packet_get_string(NULL); 2698 } else { 2699 originator_string = xstrdup("unknown (remote did not supply name)"); 2700 } 2701 packet_check_eom(); 2702 c = channel_connect_to_port(host, host_port, 2703 "connected socket", originator_string); 2704 free(originator_string); 2705 free(host); 2706 if (c == NULL) { 2707 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2708 packet_put_int(remote_id); 2709 packet_send(); 2710 } else 2711 c->remote_id = remote_id; 2712 return 0; 2713 } 2714 2715 /* ARGSUSED */ 2716 int 2717 channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) 2718 { 2719 Channel *c; 2720 struct channel_confirm *cc; 2721 int id; 2722 2723 /* Reset keepalive timeout */ 2724 packet_set_alive_timeouts(0); 2725 2726 id = packet_get_int(); 2727 packet_check_eom(); 2728 2729 debug2("channel_input_status_confirm: type %d id %d", type, id); 2730 2731 if ((c = channel_lookup(id)) == NULL) { 2732 logit("channel_input_status_confirm: %d: unknown", id); 2733 return 0; 2734 } 2735 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 2736 return 0; 2737 cc->cb(type, c, cc->ctx); 2738 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2739 explicit_bzero(cc, sizeof(*cc)); 2740 free(cc); 2741 return 0; 2742 } 2743 2744 /* -- tcp forwarding */ 2745 2746 void 2747 channel_set_af(int af) 2748 { 2749 IPv4or6 = af; 2750 } 2751 2752 2753 /* 2754 * Determine whether or not a port forward listens to loopback, the 2755 * specified address or wildcard. On the client, a specified bind 2756 * address will always override gateway_ports. On the server, a 2757 * gateway_ports of 1 (``yes'') will override the client's specification 2758 * and force a wildcard bind, whereas a value of 2 (``clientspecified'') 2759 * will bind to whatever address the client asked for. 2760 * 2761 * Special-case listen_addrs are: 2762 * 2763 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2764 * "" (empty string), "*" -> wildcard v4/v6 2765 * "localhost" -> loopback v4/v6 2766 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set 2767 */ 2768 static const char * 2769 channel_fwd_bind_addr(const char *listen_addr, int *wildcardp, 2770 int is_client, struct ForwardOptions *fwd_opts) 2771 { 2772 const char *addr = NULL; 2773 int wildcard = 0; 2774 2775 if (listen_addr == NULL) { 2776 /* No address specified: default to gateway_ports setting */ 2777 if (fwd_opts->gateway_ports) 2778 wildcard = 1; 2779 } else if (fwd_opts->gateway_ports || is_client) { 2780 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2781 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 2782 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2783 (!is_client && fwd_opts->gateway_ports == 1)) { 2784 wildcard = 1; 2785 /* 2786 * Notify client if they requested a specific listen 2787 * address and it was overridden. 2788 */ 2789 if (*listen_addr != '\0' && 2790 strcmp(listen_addr, "0.0.0.0") != 0 && 2791 strcmp(listen_addr, "*") != 0) { 2792 packet_send_debug("Forwarding listen address " 2793 "\"%s\" overridden by server " 2794 "GatewayPorts", listen_addr); 2795 } 2796 } else if (strcmp(listen_addr, "localhost") != 0 || 2797 strcmp(listen_addr, "127.0.0.1") == 0 || 2798 strcmp(listen_addr, "::1") == 0) { 2799 /* Accept localhost address when GatewayPorts=yes */ 2800 addr = listen_addr; 2801 } 2802 } else if (strcmp(listen_addr, "127.0.0.1") == 0 || 2803 strcmp(listen_addr, "::1") == 0) { 2804 /* 2805 * If a specific IPv4/IPv6 localhost address has been 2806 * requested then accept it even if gateway_ports is in 2807 * effect. This allows the client to prefer IPv4 or IPv6. 2808 */ 2809 addr = listen_addr; 2810 } 2811 if (wildcardp != NULL) 2812 *wildcardp = wildcard; 2813 return addr; 2814 } 2815 2816 static int 2817 channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, 2818 int *allocated_listen_port, struct ForwardOptions *fwd_opts) 2819 { 2820 Channel *c; 2821 int sock, r, success = 0, wildcard = 0, is_client; 2822 struct addrinfo hints, *ai, *aitop; 2823 const char *host, *addr; 2824 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2825 in_port_t *lport_p; 2826 2827 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2828 2829 if (is_client && fwd->connect_path != NULL) { 2830 host = fwd->connect_path; 2831 } else { 2832 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2833 fwd->listen_host : fwd->connect_host; 2834 if (host == NULL) { 2835 error("No forward host name."); 2836 return 0; 2837 } 2838 if (strlen(host) >= NI_MAXHOST) { 2839 error("Forward host name too long."); 2840 return 0; 2841 } 2842 } 2843 2844 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ 2845 addr = channel_fwd_bind_addr(fwd->listen_host, &wildcard, 2846 is_client, fwd_opts); 2847 debug3("%s: type %d wildcard %d addr %s", __func__, 2848 type, wildcard, (addr == NULL) ? "NULL" : addr); 2849 2850 /* 2851 * getaddrinfo returns a loopback address if the hostname is 2852 * set to NULL and hints.ai_flags is not AI_PASSIVE 2853 */ 2854 memset(&hints, 0, sizeof(hints)); 2855 hints.ai_family = IPv4or6; 2856 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2857 hints.ai_socktype = SOCK_STREAM; 2858 snprintf(strport, sizeof strport, "%d", fwd->listen_port); 2859 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2860 if (addr == NULL) { 2861 /* This really shouldn't happen */ 2862 packet_disconnect("getaddrinfo: fatal error: %s", 2863 ssh_gai_strerror(r)); 2864 } else { 2865 error("%s: getaddrinfo(%.64s): %s", __func__, addr, 2866 ssh_gai_strerror(r)); 2867 } 2868 return 0; 2869 } 2870 if (allocated_listen_port != NULL) 2871 *allocated_listen_port = 0; 2872 for (ai = aitop; ai; ai = ai->ai_next) { 2873 switch (ai->ai_family) { 2874 case AF_INET: 2875 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 2876 sin_port; 2877 break; 2878 case AF_INET6: 2879 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 2880 sin6_port; 2881 break; 2882 default: 2883 continue; 2884 } 2885 /* 2886 * If allocating a port for -R forwards, then use the 2887 * same port for all address families. 2888 */ 2889 if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 && 2890 allocated_listen_port != NULL && *allocated_listen_port > 0) 2891 *lport_p = htons(*allocated_listen_port); 2892 2893 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2894 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2895 error("%s: getnameinfo failed", __func__); 2896 continue; 2897 } 2898 /* Create a port to listen for the host. */ 2899 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2900 if (sock < 0) { 2901 /* this is no error since kernel may not support ipv6 */ 2902 verbose("socket: %.100s", strerror(errno)); 2903 continue; 2904 } 2905 2906 channel_set_reuseaddr(sock); 2907 if (ai->ai_family == AF_INET6) 2908 sock_set_v6only(sock); 2909 2910 debug("Local forwarding listening on %s port %s.", 2911 ntop, strport); 2912 2913 /* Bind the socket to the address. */ 2914 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2915 /* address can be in use ipv6 address is already bound */ 2916 if (!ai->ai_next) 2917 error("bind: %.100s", strerror(errno)); 2918 else 2919 verbose("bind: %.100s", strerror(errno)); 2920 2921 close(sock); 2922 continue; 2923 } 2924 /* Start listening for connections on the socket. */ 2925 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2926 error("listen: %.100s", strerror(errno)); 2927 close(sock); 2928 continue; 2929 } 2930 2931 /* 2932 * fwd->listen_port == 0 requests a dynamically allocated port - 2933 * record what we got. 2934 */ 2935 if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 && 2936 allocated_listen_port != NULL && 2937 *allocated_listen_port == 0) { 2938 *allocated_listen_port = get_sock_port(sock, 1); 2939 debug("Allocated listen port %d", 2940 *allocated_listen_port); 2941 } 2942 2943 /* Allocate a channel number for the socket. */ 2944 c = channel_new("port listener", type, sock, sock, -1, 2945 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2946 0, "port listener", 1); 2947 c->path = xstrdup(host); 2948 c->host_port = fwd->connect_port; 2949 c->listening_addr = addr == NULL ? NULL : xstrdup(addr); 2950 if (fwd->listen_port == 0 && allocated_listen_port != NULL && 2951 !(datafellows & SSH_BUG_DYNAMIC_RPORT)) 2952 c->listening_port = *allocated_listen_port; 2953 else 2954 c->listening_port = fwd->listen_port; 2955 success = 1; 2956 } 2957 if (success == 0) 2958 error("%s: cannot listen to port: %d", __func__, 2959 fwd->listen_port); 2960 freeaddrinfo(aitop); 2961 return success; 2962 } 2963 2964 static int 2965 channel_setup_fwd_listener_streamlocal(int type, struct Forward *fwd, 2966 struct ForwardOptions *fwd_opts) 2967 { 2968 struct sockaddr_un sunaddr; 2969 const char *path; 2970 Channel *c; 2971 int port, sock; 2972 mode_t omask; 2973 2974 switch (type) { 2975 case SSH_CHANNEL_UNIX_LISTENER: 2976 if (fwd->connect_path != NULL) { 2977 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) { 2978 error("Local connecting path too long: %s", 2979 fwd->connect_path); 2980 return 0; 2981 } 2982 path = fwd->connect_path; 2983 port = PORT_STREAMLOCAL; 2984 } else { 2985 if (fwd->connect_host == NULL) { 2986 error("No forward host name."); 2987 return 0; 2988 } 2989 if (strlen(fwd->connect_host) >= NI_MAXHOST) { 2990 error("Forward host name too long."); 2991 return 0; 2992 } 2993 path = fwd->connect_host; 2994 port = fwd->connect_port; 2995 } 2996 break; 2997 case SSH_CHANNEL_RUNIX_LISTENER: 2998 path = fwd->listen_path; 2999 port = PORT_STREAMLOCAL; 3000 break; 3001 default: 3002 error("%s: unexpected channel type %d", __func__, type); 3003 return 0; 3004 } 3005 3006 if (fwd->listen_path == NULL) { 3007 error("No forward path name."); 3008 return 0; 3009 } 3010 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) { 3011 error("Local listening path too long: %s", fwd->listen_path); 3012 return 0; 3013 } 3014 3015 debug3("%s: type %d path %s", __func__, type, fwd->listen_path); 3016 3017 /* Start a Unix domain listener. */ 3018 omask = umask(fwd_opts->streamlocal_bind_mask); 3019 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG, 3020 fwd_opts->streamlocal_bind_unlink); 3021 umask(omask); 3022 if (sock < 0) 3023 return 0; 3024 3025 debug("Local forwarding listening on path %s.", fwd->listen_path); 3026 3027 /* Allocate a channel number for the socket. */ 3028 c = channel_new("unix listener", type, sock, sock, -1, 3029 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 3030 0, "unix listener", 1); 3031 c->path = xstrdup(path); 3032 c->host_port = port; 3033 c->listening_port = PORT_STREAMLOCAL; 3034 c->listening_addr = xstrdup(fwd->listen_path); 3035 return 1; 3036 } 3037 3038 static int 3039 channel_cancel_rport_listener_tcpip(const char *host, u_short port) 3040 { 3041 u_int i; 3042 int found = 0; 3043 3044 for (i = 0; i < channels_alloc; i++) { 3045 Channel *c = channels[i]; 3046 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER) 3047 continue; 3048 if (strcmp(c->path, host) == 0 && c->listening_port == port) { 3049 debug2("%s: close channel %d", __func__, i); 3050 channel_free(c); 3051 found = 1; 3052 } 3053 } 3054 3055 return (found); 3056 } 3057 3058 static int 3059 channel_cancel_rport_listener_streamlocal(const char *path) 3060 { 3061 u_int i; 3062 int found = 0; 3063 3064 for (i = 0; i < channels_alloc; i++) { 3065 Channel *c = channels[i]; 3066 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER) 3067 continue; 3068 if (c->path == NULL) 3069 continue; 3070 if (strcmp(c->path, path) == 0) { 3071 debug2("%s: close channel %d", __func__, i); 3072 channel_free(c); 3073 found = 1; 3074 } 3075 } 3076 3077 return (found); 3078 } 3079 3080 int 3081 channel_cancel_rport_listener(struct Forward *fwd) 3082 { 3083 if (fwd->listen_path != NULL) 3084 return channel_cancel_rport_listener_streamlocal(fwd->listen_path); 3085 else 3086 return channel_cancel_rport_listener_tcpip(fwd->listen_host, fwd->listen_port); 3087 } 3088 3089 static int 3090 channel_cancel_lport_listener_tcpip(const char *lhost, u_short lport, 3091 int cport, struct ForwardOptions *fwd_opts) 3092 { 3093 u_int i; 3094 int found = 0; 3095 const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, fwd_opts); 3096 3097 for (i = 0; i < channels_alloc; i++) { 3098 Channel *c = channels[i]; 3099 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER) 3100 continue; 3101 if (c->listening_port != lport) 3102 continue; 3103 if (cport == CHANNEL_CANCEL_PORT_STATIC) { 3104 /* skip dynamic forwardings */ 3105 if (c->host_port == 0) 3106 continue; 3107 } else { 3108 if (c->host_port != cport) 3109 continue; 3110 } 3111 if ((c->listening_addr == NULL && addr != NULL) || 3112 (c->listening_addr != NULL && addr == NULL)) 3113 continue; 3114 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) { 3115 debug2("%s: close channel %d", __func__, i); 3116 channel_free(c); 3117 found = 1; 3118 } 3119 } 3120 3121 return (found); 3122 } 3123 3124 static int 3125 channel_cancel_lport_listener_streamlocal(const char *path) 3126 { 3127 u_int i; 3128 int found = 0; 3129 3130 if (path == NULL) { 3131 error("%s: no path specified.", __func__); 3132 return 0; 3133 } 3134 3135 for (i = 0; i < channels_alloc; i++) { 3136 Channel *c = channels[i]; 3137 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER) 3138 continue; 3139 if (c->listening_addr == NULL) 3140 continue; 3141 if (strcmp(c->listening_addr, path) == 0) { 3142 debug2("%s: close channel %d", __func__, i); 3143 channel_free(c); 3144 found = 1; 3145 } 3146 } 3147 3148 return (found); 3149 } 3150 3151 int 3152 channel_cancel_lport_listener(struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts) 3153 { 3154 if (fwd->listen_path != NULL) 3155 return channel_cancel_lport_listener_streamlocal(fwd->listen_path); 3156 else 3157 return channel_cancel_lport_listener_tcpip(fwd->listen_host, fwd->listen_port, cport, fwd_opts); 3158 } 3159 3160 /* protocol local port fwd, used by ssh (and sshd in v1) */ 3161 int 3162 channel_setup_local_fwd_listener(struct Forward *fwd, struct ForwardOptions *fwd_opts) 3163 { 3164 if (fwd->listen_path != NULL) { 3165 return channel_setup_fwd_listener_streamlocal( 3166 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts); 3167 } else { 3168 return channel_setup_fwd_listener_tcpip(SSH_CHANNEL_PORT_LISTENER, 3169 fwd, NULL, fwd_opts); 3170 } 3171 } 3172 3173 /* protocol v2 remote port fwd, used by sshd */ 3174 int 3175 channel_setup_remote_fwd_listener(struct Forward *fwd, 3176 int *allocated_listen_port, struct ForwardOptions *fwd_opts) 3177 { 3178 if (fwd->listen_path != NULL) { 3179 return channel_setup_fwd_listener_streamlocal( 3180 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts); 3181 } else { 3182 return channel_setup_fwd_listener_tcpip( 3183 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port, 3184 fwd_opts); 3185 } 3186 } 3187 3188 /* 3189 * Translate the requested rfwd listen host to something usable for 3190 * this server. 3191 */ 3192 static const char * 3193 channel_rfwd_bind_host(const char *listen_host) 3194 { 3195 if (listen_host == NULL) { 3196 if (datafellows & SSH_BUG_RFWD_ADDR) 3197 return "127.0.0.1"; 3198 else 3199 return "localhost"; 3200 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { 3201 if (datafellows & SSH_BUG_RFWD_ADDR) 3202 return "0.0.0.0"; 3203 else 3204 return ""; 3205 } else 3206 return listen_host; 3207 } 3208 3209 /* 3210 * Initiate forwarding of connections to port "port" on remote host through 3211 * the secure channel to host:port from local side. 3212 * Returns handle (index) for updating the dynamic listen port with 3213 * channel_update_permitted_opens(). 3214 */ 3215 int 3216 channel_request_remote_forwarding(struct Forward *fwd) 3217 { 3218 int type, success = 0, idx = -1; 3219 3220 /* Send the forward request to the remote side. */ 3221 if (compat20) { 3222 packet_start(SSH2_MSG_GLOBAL_REQUEST); 3223 if (fwd->listen_path != NULL) { 3224 packet_put_cstring("streamlocal-forward@openssh.com"); 3225 packet_put_char(1); /* boolean: want reply */ 3226 packet_put_cstring(fwd->listen_path); 3227 } else { 3228 packet_put_cstring("tcpip-forward"); 3229 packet_put_char(1); /* boolean: want reply */ 3230 packet_put_cstring(channel_rfwd_bind_host(fwd->listen_host)); 3231 packet_put_int(fwd->listen_port); 3232 } 3233 packet_send(); 3234 packet_write_wait(); 3235 /* Assume that server accepts the request */ 3236 success = 1; 3237 } else if (fwd->listen_path == NULL) { 3238 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 3239 packet_put_int(fwd->listen_port); 3240 packet_put_cstring(fwd->connect_host); 3241 packet_put_int(fwd->connect_port); 3242 packet_send(); 3243 packet_write_wait(); 3244 3245 /* Wait for response from the remote side. */ 3246 type = packet_read(); 3247 switch (type) { 3248 case SSH_SMSG_SUCCESS: 3249 success = 1; 3250 break; 3251 case SSH_SMSG_FAILURE: 3252 break; 3253 default: 3254 /* Unknown packet */ 3255 packet_disconnect("Protocol error for port forward request:" 3256 "received packet type %d.", type); 3257 } 3258 } else { 3259 logit("Warning: Server does not support remote stream local forwarding."); 3260 } 3261 if (success) { 3262 /* Record that connection to this host/port is permitted. */ 3263 permitted_opens = xreallocarray(permitted_opens, 3264 num_permitted_opens + 1, sizeof(*permitted_opens)); 3265 idx = num_permitted_opens++; 3266 if (fwd->connect_path != NULL) { 3267 permitted_opens[idx].host_to_connect = 3268 xstrdup(fwd->connect_path); 3269 permitted_opens[idx].port_to_connect = 3270 PORT_STREAMLOCAL; 3271 } else { 3272 permitted_opens[idx].host_to_connect = 3273 xstrdup(fwd->connect_host); 3274 permitted_opens[idx].port_to_connect = 3275 fwd->connect_port; 3276 } 3277 if (fwd->listen_path != NULL) { 3278 permitted_opens[idx].listen_host = NULL; 3279 permitted_opens[idx].listen_path = 3280 xstrdup(fwd->listen_path); 3281 permitted_opens[idx].listen_port = PORT_STREAMLOCAL; 3282 } else { 3283 permitted_opens[idx].listen_host = 3284 fwd->listen_host ? xstrdup(fwd->listen_host) : NULL; 3285 permitted_opens[idx].listen_path = NULL; 3286 permitted_opens[idx].listen_port = fwd->listen_port; 3287 } 3288 } 3289 return (idx); 3290 } 3291 3292 static int 3293 open_match(ForwardPermission *allowed_open, const char *requestedhost, 3294 int requestedport) 3295 { 3296 if (allowed_open->host_to_connect == NULL) 3297 return 0; 3298 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT && 3299 allowed_open->port_to_connect != requestedport) 3300 return 0; 3301 if (strcmp(allowed_open->host_to_connect, requestedhost) != 0) 3302 return 0; 3303 return 1; 3304 } 3305 3306 /* 3307 * Note that in the listen host/port case 3308 * we don't support FWD_PERMIT_ANY_PORT and 3309 * need to translate between the configured-host (listen_host) 3310 * and what we've sent to the remote server (channel_rfwd_bind_host) 3311 */ 3312 static int 3313 open_listen_match_tcpip(ForwardPermission *allowed_open, 3314 const char *requestedhost, u_short requestedport, int translate) 3315 { 3316 const char *allowed_host; 3317 3318 if (allowed_open->host_to_connect == NULL) 3319 return 0; 3320 if (allowed_open->listen_port != requestedport) 3321 return 0; 3322 if (!translate && allowed_open->listen_host == NULL && 3323 requestedhost == NULL) 3324 return 1; 3325 allowed_host = translate ? 3326 channel_rfwd_bind_host(allowed_open->listen_host) : 3327 allowed_open->listen_host; 3328 if (allowed_host == NULL || 3329 strcmp(allowed_host, requestedhost) != 0) 3330 return 0; 3331 return 1; 3332 } 3333 3334 static int 3335 open_listen_match_streamlocal(ForwardPermission *allowed_open, 3336 const char *requestedpath) 3337 { 3338 if (allowed_open->host_to_connect == NULL) 3339 return 0; 3340 if (allowed_open->listen_port != PORT_STREAMLOCAL) 3341 return 0; 3342 if (allowed_open->listen_path == NULL || 3343 strcmp(allowed_open->listen_path, requestedpath) != 0) 3344 return 0; 3345 return 1; 3346 } 3347 3348 /* 3349 * Request cancellation of remote forwarding of connection host:port from 3350 * local side. 3351 */ 3352 static int 3353 channel_request_rforward_cancel_tcpip(const char *host, u_short port) 3354 { 3355 int i; 3356 3357 if (!compat20) 3358 return -1; 3359 3360 for (i = 0; i < num_permitted_opens; i++) { 3361 if (open_listen_match_tcpip(&permitted_opens[i], host, port, 0)) 3362 break; 3363 } 3364 if (i >= num_permitted_opens) { 3365 debug("%s: requested forward not found", __func__); 3366 return -1; 3367 } 3368 packet_start(SSH2_MSG_GLOBAL_REQUEST); 3369 packet_put_cstring("cancel-tcpip-forward"); 3370 packet_put_char(0); 3371 packet_put_cstring(channel_rfwd_bind_host(host)); 3372 packet_put_int(port); 3373 packet_send(); 3374 3375 permitted_opens[i].listen_port = 0; 3376 permitted_opens[i].port_to_connect = 0; 3377 free(permitted_opens[i].host_to_connect); 3378 permitted_opens[i].host_to_connect = NULL; 3379 free(permitted_opens[i].listen_host); 3380 permitted_opens[i].listen_host = NULL; 3381 permitted_opens[i].listen_path = NULL; 3382 3383 return 0; 3384 } 3385 3386 /* 3387 * Request cancellation of remote forwarding of Unix domain socket 3388 * path from local side. 3389 */ 3390 static int 3391 channel_request_rforward_cancel_streamlocal(const char *path) 3392 { 3393 int i; 3394 3395 if (!compat20) 3396 return -1; 3397 3398 for (i = 0; i < num_permitted_opens; i++) { 3399 if (open_listen_match_streamlocal(&permitted_opens[i], path)) 3400 break; 3401 } 3402 if (i >= num_permitted_opens) { 3403 debug("%s: requested forward not found", __func__); 3404 return -1; 3405 } 3406 packet_start(SSH2_MSG_GLOBAL_REQUEST); 3407 packet_put_cstring("cancel-streamlocal-forward@openssh.com"); 3408 packet_put_char(0); 3409 packet_put_cstring(path); 3410 packet_send(); 3411 3412 permitted_opens[i].listen_port = 0; 3413 permitted_opens[i].port_to_connect = 0; 3414 free(permitted_opens[i].host_to_connect); 3415 permitted_opens[i].host_to_connect = NULL; 3416 permitted_opens[i].listen_host = NULL; 3417 free(permitted_opens[i].listen_path); 3418 permitted_opens[i].listen_path = NULL; 3419 3420 return 0; 3421 } 3422 3423 /* 3424 * Request cancellation of remote forwarding of a connection from local side. 3425 */ 3426 int 3427 channel_request_rforward_cancel(struct Forward *fwd) 3428 { 3429 if (fwd->listen_path != NULL) { 3430 return (channel_request_rforward_cancel_streamlocal( 3431 fwd->listen_path)); 3432 } else { 3433 return (channel_request_rforward_cancel_tcpip(fwd->listen_host, 3434 fwd->listen_port ? fwd->listen_port : fwd->allocated_port)); 3435 } 3436 } 3437 3438 /* 3439 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 3440 * listening for the port, and sends back a success reply (or disconnect 3441 * message if there was an error). 3442 */ 3443 int 3444 channel_input_port_forward_request(int is_root, struct ForwardOptions *fwd_opts) 3445 { 3446 int success = 0; 3447 struct Forward fwd; 3448 3449 /* Get arguments from the packet. */ 3450 memset(&fwd, 0, sizeof(fwd)); 3451 fwd.listen_port = packet_get_int(); 3452 fwd.connect_host = packet_get_string(NULL); 3453 fwd.connect_port = packet_get_int(); 3454 3455 #ifndef HAVE_CYGWIN 3456 /* 3457 * Check that an unprivileged user is not trying to forward a 3458 * privileged port. 3459 */ 3460 if (fwd.listen_port < IPPORT_RESERVED && !is_root) 3461 packet_disconnect( 3462 "Requested forwarding of port %d but user is not root.", 3463 fwd.listen_port); 3464 if (fwd.connect_port == 0) 3465 packet_disconnect("Dynamic forwarding denied."); 3466 #endif 3467 3468 /* Initiate forwarding */ 3469 success = channel_setup_local_fwd_listener(&fwd, fwd_opts); 3470 3471 /* Free the argument string. */ 3472 free(fwd.connect_host); 3473 3474 return (success ? 0 : -1); 3475 } 3476 3477 /* 3478 * Permits opening to any host/port if permitted_opens[] is empty. This is 3479 * usually called by the server, because the user could connect to any port 3480 * anyway, and the server has no way to know but to trust the client anyway. 3481 */ 3482 void 3483 channel_permit_all_opens(void) 3484 { 3485 if (num_permitted_opens == 0) 3486 all_opens_permitted = 1; 3487 } 3488 3489 void 3490 channel_add_permitted_opens(char *host, int port) 3491 { 3492 debug("allow port forwarding to host %s port %d", host, port); 3493 3494 permitted_opens = xreallocarray(permitted_opens, 3495 num_permitted_opens + 1, sizeof(*permitted_opens)); 3496 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 3497 permitted_opens[num_permitted_opens].port_to_connect = port; 3498 permitted_opens[num_permitted_opens].listen_host = NULL; 3499 permitted_opens[num_permitted_opens].listen_path = NULL; 3500 permitted_opens[num_permitted_opens].listen_port = 0; 3501 num_permitted_opens++; 3502 3503 all_opens_permitted = 0; 3504 } 3505 3506 /* 3507 * Update the listen port for a dynamic remote forward, after 3508 * the actual 'newport' has been allocated. If 'newport' < 0 is 3509 * passed then they entry will be invalidated. 3510 */ 3511 void 3512 channel_update_permitted_opens(int idx, int newport) 3513 { 3514 if (idx < 0 || idx >= num_permitted_opens) { 3515 debug("channel_update_permitted_opens: index out of range:" 3516 " %d num_permitted_opens %d", idx, num_permitted_opens); 3517 return; 3518 } 3519 debug("%s allowed port %d for forwarding to host %s port %d", 3520 newport > 0 ? "Updating" : "Removing", 3521 newport, 3522 permitted_opens[idx].host_to_connect, 3523 permitted_opens[idx].port_to_connect); 3524 if (newport >= 0) { 3525 permitted_opens[idx].listen_port = 3526 (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport; 3527 } else { 3528 permitted_opens[idx].listen_port = 0; 3529 permitted_opens[idx].port_to_connect = 0; 3530 free(permitted_opens[idx].host_to_connect); 3531 permitted_opens[idx].host_to_connect = NULL; 3532 free(permitted_opens[idx].listen_host); 3533 permitted_opens[idx].listen_host = NULL; 3534 free(permitted_opens[idx].listen_path); 3535 permitted_opens[idx].listen_path = NULL; 3536 } 3537 } 3538 3539 int 3540 channel_add_adm_permitted_opens(char *host, int port) 3541 { 3542 debug("config allows port forwarding to host %s port %d", host, port); 3543 3544 permitted_adm_opens = xreallocarray(permitted_adm_opens, 3545 num_adm_permitted_opens + 1, sizeof(*permitted_adm_opens)); 3546 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 3547 = xstrdup(host); 3548 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 3549 permitted_adm_opens[num_adm_permitted_opens].listen_host = NULL; 3550 permitted_adm_opens[num_adm_permitted_opens].listen_path = NULL; 3551 permitted_adm_opens[num_adm_permitted_opens].listen_port = 0; 3552 return ++num_adm_permitted_opens; 3553 } 3554 3555 void 3556 channel_disable_adm_local_opens(void) 3557 { 3558 channel_clear_adm_permitted_opens(); 3559 permitted_adm_opens = xcalloc(sizeof(*permitted_adm_opens), 1); 3560 permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL; 3561 num_adm_permitted_opens = 1; 3562 } 3563 3564 void 3565 channel_clear_permitted_opens(void) 3566 { 3567 int i; 3568 3569 for (i = 0; i < num_permitted_opens; i++) { 3570 free(permitted_opens[i].host_to_connect); 3571 free(permitted_opens[i].listen_host); 3572 free(permitted_opens[i].listen_path); 3573 } 3574 free(permitted_opens); 3575 permitted_opens = NULL; 3576 num_permitted_opens = 0; 3577 } 3578 3579 void 3580 channel_clear_adm_permitted_opens(void) 3581 { 3582 int i; 3583 3584 for (i = 0; i < num_adm_permitted_opens; i++) { 3585 free(permitted_adm_opens[i].host_to_connect); 3586 free(permitted_adm_opens[i].listen_host); 3587 free(permitted_adm_opens[i].listen_path); 3588 } 3589 free(permitted_adm_opens); 3590 permitted_adm_opens = NULL; 3591 num_adm_permitted_opens = 0; 3592 } 3593 3594 void 3595 channel_print_adm_permitted_opens(void) 3596 { 3597 int i; 3598 3599 printf("permitopen"); 3600 if (num_adm_permitted_opens == 0) { 3601 printf(" any\n"); 3602 return; 3603 } 3604 for (i = 0; i < num_adm_permitted_opens; i++) 3605 if (permitted_adm_opens[i].host_to_connect == NULL) 3606 printf(" none"); 3607 else 3608 printf(" %s:%d", permitted_adm_opens[i].host_to_connect, 3609 permitted_adm_opens[i].port_to_connect); 3610 printf("\n"); 3611 } 3612 3613 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ 3614 int 3615 permitopen_port(const char *p) 3616 { 3617 int port; 3618 3619 if (strcmp(p, "*") == 0) 3620 return FWD_PERMIT_ANY_PORT; 3621 if ((port = a2port(p)) > 0) 3622 return port; 3623 return -1; 3624 } 3625 3626 /* Try to start non-blocking connect to next host in cctx list */ 3627 static int 3628 connect_next(struct channel_connect *cctx) 3629 { 3630 int sock, saved_errno; 3631 struct sockaddr_un *sunaddr; 3632 char ntop[NI_MAXHOST], strport[MAX(NI_MAXSERV,sizeof(sunaddr->sun_path))]; 3633 3634 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 3635 switch (cctx->ai->ai_family) { 3636 case AF_UNIX: 3637 /* unix:pathname instead of host:port */ 3638 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr; 3639 strlcpy(ntop, "unix", sizeof(ntop)); 3640 strlcpy(strport, sunaddr->sun_path, sizeof(strport)); 3641 break; 3642 case AF_INET: 3643 case AF_INET6: 3644 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 3645 ntop, sizeof(ntop), strport, sizeof(strport), 3646 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3647 error("connect_next: getnameinfo failed"); 3648 continue; 3649 } 3650 break; 3651 default: 3652 continue; 3653 } 3654 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 3655 cctx->ai->ai_protocol)) == -1) { 3656 if (cctx->ai->ai_next == NULL) 3657 error("socket: %.100s", strerror(errno)); 3658 else 3659 verbose("socket: %.100s", strerror(errno)); 3660 continue; 3661 } 3662 if (set_nonblock(sock) == -1) 3663 fatal("%s: set_nonblock(%d)", __func__, sock); 3664 if (connect(sock, cctx->ai->ai_addr, 3665 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 3666 debug("connect_next: host %.100s ([%.100s]:%s): " 3667 "%.100s", cctx->host, ntop, strport, 3668 strerror(errno)); 3669 saved_errno = errno; 3670 close(sock); 3671 errno = saved_errno; 3672 continue; /* fail -- try next */ 3673 } 3674 if (cctx->ai->ai_family != AF_UNIX) 3675 set_nodelay(sock); 3676 debug("connect_next: host %.100s ([%.100s]:%s) " 3677 "in progress, fd=%d", cctx->host, ntop, strport, sock); 3678 cctx->ai = cctx->ai->ai_next; 3679 return sock; 3680 } 3681 return -1; 3682 } 3683 3684 static void 3685 channel_connect_ctx_free(struct channel_connect *cctx) 3686 { 3687 free(cctx->host); 3688 if (cctx->aitop) { 3689 if (cctx->aitop->ai_family == AF_UNIX) 3690 free(cctx->aitop); 3691 else 3692 freeaddrinfo(cctx->aitop); 3693 } 3694 memset(cctx, 0, sizeof(*cctx)); 3695 } 3696 3697 /* Return CONNECTING channel to remote host:port or local socket path */ 3698 static Channel * 3699 connect_to(const char *name, int port, char *ctype, char *rname) 3700 { 3701 struct addrinfo hints; 3702 int gaierr; 3703 int sock = -1; 3704 char strport[NI_MAXSERV]; 3705 struct channel_connect cctx; 3706 Channel *c; 3707 3708 memset(&cctx, 0, sizeof(cctx)); 3709 3710 if (port == PORT_STREAMLOCAL) { 3711 struct sockaddr_un *sunaddr; 3712 struct addrinfo *ai; 3713 3714 if (strlen(name) > sizeof(sunaddr->sun_path)) { 3715 error("%.100s: %.100s", name, strerror(ENAMETOOLONG)); 3716 return (NULL); 3717 } 3718 3719 /* 3720 * Fake up a struct addrinfo for AF_UNIX connections. 3721 * channel_connect_ctx_free() must check ai_family 3722 * and use free() not freeaddirinfo() for AF_UNIX. 3723 */ 3724 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr)); 3725 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr)); 3726 ai->ai_addr = (struct sockaddr *)(ai + 1); 3727 ai->ai_addrlen = sizeof(*sunaddr); 3728 ai->ai_family = AF_UNIX; 3729 ai->ai_socktype = SOCK_STREAM; 3730 ai->ai_protocol = PF_UNSPEC; 3731 sunaddr = (struct sockaddr_un *)ai->ai_addr; 3732 sunaddr->sun_family = AF_UNIX; 3733 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); 3734 cctx.aitop = ai; 3735 } else { 3736 memset(&hints, 0, sizeof(hints)); 3737 hints.ai_family = IPv4or6; 3738 hints.ai_socktype = SOCK_STREAM; 3739 snprintf(strport, sizeof strport, "%d", port); 3740 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) { 3741 error("connect_to %.100s: unknown host (%s)", name, 3742 ssh_gai_strerror(gaierr)); 3743 return NULL; 3744 } 3745 } 3746 3747 cctx.host = xstrdup(name); 3748 cctx.port = port; 3749 cctx.ai = cctx.aitop; 3750 3751 if ((sock = connect_next(&cctx)) == -1) { 3752 error("connect to %.100s port %d failed: %s", 3753 name, port, strerror(errno)); 3754 channel_connect_ctx_free(&cctx); 3755 return NULL; 3756 } 3757 c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 3758 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 3759 c->connect_ctx = cctx; 3760 return c; 3761 } 3762 3763 Channel * 3764 channel_connect_by_listen_address(const char *listen_host, 3765 u_short listen_port, char *ctype, char *rname) 3766 { 3767 int i; 3768 3769 for (i = 0; i < num_permitted_opens; i++) { 3770 if (open_listen_match_tcpip(&permitted_opens[i], listen_host, 3771 listen_port, 1)) { 3772 return connect_to( 3773 permitted_opens[i].host_to_connect, 3774 permitted_opens[i].port_to_connect, ctype, rname); 3775 } 3776 } 3777 error("WARNING: Server requests forwarding for unknown listen_port %d", 3778 listen_port); 3779 return NULL; 3780 } 3781 3782 Channel * 3783 channel_connect_by_listen_path(const char *path, char *ctype, char *rname) 3784 { 3785 int i; 3786 3787 for (i = 0; i < num_permitted_opens; i++) { 3788 if (open_listen_match_streamlocal(&permitted_opens[i], path)) { 3789 return connect_to( 3790 permitted_opens[i].host_to_connect, 3791 permitted_opens[i].port_to_connect, ctype, rname); 3792 } 3793 } 3794 error("WARNING: Server requests forwarding for unknown path %.100s", 3795 path); 3796 return NULL; 3797 } 3798 3799 /* Check if connecting to that port is permitted and connect. */ 3800 Channel * 3801 channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname) 3802 { 3803 int i, permit, permit_adm = 1; 3804 3805 permit = all_opens_permitted; 3806 if (!permit) { 3807 for (i = 0; i < num_permitted_opens; i++) 3808 if (open_match(&permitted_opens[i], host, port)) { 3809 permit = 1; 3810 break; 3811 } 3812 } 3813 3814 if (num_adm_permitted_opens > 0) { 3815 permit_adm = 0; 3816 for (i = 0; i < num_adm_permitted_opens; i++) 3817 if (open_match(&permitted_adm_opens[i], host, port)) { 3818 permit_adm = 1; 3819 break; 3820 } 3821 } 3822 3823 if (!permit || !permit_adm) { 3824 logit("Received request to connect to host %.100s port %d, " 3825 "but the request was denied.", host, port); 3826 return NULL; 3827 } 3828 return connect_to(host, port, ctype, rname); 3829 } 3830 3831 /* Check if connecting to that path is permitted and connect. */ 3832 Channel * 3833 channel_connect_to_path(const char *path, char *ctype, char *rname) 3834 { 3835 int i, permit, permit_adm = 1; 3836 3837 permit = all_opens_permitted; 3838 if (!permit) { 3839 for (i = 0; i < num_permitted_opens; i++) 3840 if (open_match(&permitted_opens[i], path, PORT_STREAMLOCAL)) { 3841 permit = 1; 3842 break; 3843 } 3844 } 3845 3846 if (num_adm_permitted_opens > 0) { 3847 permit_adm = 0; 3848 for (i = 0; i < num_adm_permitted_opens; i++) 3849 if (open_match(&permitted_adm_opens[i], path, PORT_STREAMLOCAL)) { 3850 permit_adm = 1; 3851 break; 3852 } 3853 } 3854 3855 if (!permit || !permit_adm) { 3856 logit("Received request to connect to path %.100s, " 3857 "but the request was denied.", path); 3858 return NULL; 3859 } 3860 return connect_to(path, PORT_STREAMLOCAL, ctype, rname); 3861 } 3862 3863 void 3864 channel_send_window_changes(void) 3865 { 3866 u_int i; 3867 struct winsize ws; 3868 3869 for (i = 0; i < channels_alloc; i++) { 3870 if (channels[i] == NULL || !channels[i]->client_tty || 3871 channels[i]->type != SSH_CHANNEL_OPEN) 3872 continue; 3873 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 3874 continue; 3875 channel_request_start(i, "window-change", 0); 3876 packet_put_int((u_int)ws.ws_col); 3877 packet_put_int((u_int)ws.ws_row); 3878 packet_put_int((u_int)ws.ws_xpixel); 3879 packet_put_int((u_int)ws.ws_ypixel); 3880 packet_send(); 3881 } 3882 } 3883 3884 /* -- X11 forwarding */ 3885 3886 /* 3887 * Creates an internet domain socket for listening for X11 connections. 3888 * Returns 0 and a suitable display number for the DISPLAY variable 3889 * stored in display_numberp , or -1 if an error occurs. 3890 */ 3891 int 3892 x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 3893 int single_connection, u_int *display_numberp, int **chanids) 3894 { 3895 Channel *nc = NULL; 3896 int display_number, sock; 3897 u_short port; 3898 struct addrinfo hints, *ai, *aitop; 3899 char strport[NI_MAXSERV]; 3900 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 3901 3902 if (chanids == NULL) 3903 return -1; 3904 3905 for (display_number = x11_display_offset; 3906 display_number < MAX_DISPLAYS; 3907 display_number++) { 3908 port = 6000 + display_number; 3909 memset(&hints, 0, sizeof(hints)); 3910 hints.ai_family = IPv4or6; 3911 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 3912 hints.ai_socktype = SOCK_STREAM; 3913 snprintf(strport, sizeof strport, "%d", port); 3914 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 3915 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 3916 return -1; 3917 } 3918 for (ai = aitop; ai; ai = ai->ai_next) { 3919 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 3920 continue; 3921 sock = socket(ai->ai_family, ai->ai_socktype, 3922 ai->ai_protocol); 3923 if (sock < 0) { 3924 if ((errno != EINVAL) && (errno != EAFNOSUPPORT) 3925 #ifdef EPFNOSUPPORT 3926 && (errno != EPFNOSUPPORT) 3927 #endif 3928 ) { 3929 error("socket: %.100s", strerror(errno)); 3930 freeaddrinfo(aitop); 3931 return -1; 3932 } else { 3933 debug("x11_create_display_inet: Socket family %d not supported", 3934 ai->ai_family); 3935 continue; 3936 } 3937 } 3938 if (ai->ai_family == AF_INET6) 3939 sock_set_v6only(sock); 3940 if (x11_use_localhost) 3941 channel_set_reuseaddr(sock); 3942 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3943 debug2("bind port %d: %.100s", port, strerror(errno)); 3944 close(sock); 3945 3946 for (n = 0; n < num_socks; n++) { 3947 close(socks[n]); 3948 } 3949 num_socks = 0; 3950 break; 3951 } 3952 socks[num_socks++] = sock; 3953 if (num_socks == NUM_SOCKS) 3954 break; 3955 } 3956 freeaddrinfo(aitop); 3957 if (num_socks > 0) 3958 break; 3959 } 3960 if (display_number >= MAX_DISPLAYS) { 3961 error("Failed to allocate internet-domain X11 display socket."); 3962 return -1; 3963 } 3964 /* Start listening for connections on the socket. */ 3965 for (n = 0; n < num_socks; n++) { 3966 sock = socks[n]; 3967 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3968 error("listen: %.100s", strerror(errno)); 3969 close(sock); 3970 return -1; 3971 } 3972 } 3973 3974 /* Allocate a channel for each socket. */ 3975 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 3976 for (n = 0; n < num_socks; n++) { 3977 sock = socks[n]; 3978 nc = channel_new("x11 listener", 3979 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 3980 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 3981 0, "X11 inet listener", 1); 3982 nc->single_connection = single_connection; 3983 (*chanids)[n] = nc->self; 3984 } 3985 (*chanids)[n] = -1; 3986 3987 /* Return the display number for the DISPLAY environment variable. */ 3988 *display_numberp = display_number; 3989 return (0); 3990 } 3991 3992 static int 3993 connect_local_xsocket_path(const char *pathname) 3994 { 3995 int sock; 3996 struct sockaddr_un addr; 3997 3998 sock = socket(AF_UNIX, SOCK_STREAM, 0); 3999 if (sock < 0) 4000 error("socket: %.100s", strerror(errno)); 4001 memset(&addr, 0, sizeof(addr)); 4002 addr.sun_family = AF_UNIX; 4003 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 4004 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 4005 return sock; 4006 close(sock); 4007 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 4008 return -1; 4009 } 4010 4011 static int 4012 connect_local_xsocket(u_int dnr) 4013 { 4014 char buf[1024]; 4015 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 4016 return connect_local_xsocket_path(buf); 4017 } 4018 4019 int 4020 x11_connect_display(void) 4021 { 4022 u_int display_number; 4023 const char *display; 4024 char buf[1024], *cp; 4025 struct addrinfo hints, *ai, *aitop; 4026 char strport[NI_MAXSERV]; 4027 int gaierr, sock = 0; 4028 4029 /* Try to open a socket for the local X server. */ 4030 display = getenv("DISPLAY"); 4031 if (!display) { 4032 error("DISPLAY not set."); 4033 return -1; 4034 } 4035 /* 4036 * Now we decode the value of the DISPLAY variable and make a 4037 * connection to the real X server. 4038 */ 4039 4040 /* Check if the display is from launchd. */ 4041 #ifdef __APPLE__ 4042 if (strncmp(display, "/tmp/launch", 11) == 0) { 4043 sock = connect_local_xsocket_path(display); 4044 if (sock < 0) 4045 return -1; 4046 4047 /* OK, we now have a connection to the display. */ 4048 return sock; 4049 } 4050 #endif 4051 /* 4052 * Check if it is a unix domain socket. Unix domain displays are in 4053 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 4054 */ 4055 if (strncmp(display, "unix:", 5) == 0 || 4056 display[0] == ':') { 4057 /* Connect to the unix domain socket. */ 4058 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 4059 error("Could not parse display number from DISPLAY: %.100s", 4060 display); 4061 return -1; 4062 } 4063 /* Create a socket. */ 4064 sock = connect_local_xsocket(display_number); 4065 if (sock < 0) 4066 return -1; 4067 4068 /* OK, we now have a connection to the display. */ 4069 return sock; 4070 } 4071 /* 4072 * Connect to an inet socket. The DISPLAY value is supposedly 4073 * hostname:d[.s], where hostname may also be numeric IP address. 4074 */ 4075 strlcpy(buf, display, sizeof(buf)); 4076 cp = strchr(buf, ':'); 4077 if (!cp) { 4078 error("Could not find ':' in DISPLAY: %.100s", display); 4079 return -1; 4080 } 4081 *cp = 0; 4082 /* buf now contains the host name. But first we parse the display number. */ 4083 if (sscanf(cp + 1, "%u", &display_number) != 1) { 4084 error("Could not parse display number from DISPLAY: %.100s", 4085 display); 4086 return -1; 4087 } 4088 4089 /* Look up the host address */ 4090 memset(&hints, 0, sizeof(hints)); 4091 hints.ai_family = IPv4or6; 4092 hints.ai_socktype = SOCK_STREAM; 4093 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 4094 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 4095 error("%.100s: unknown host. (%s)", buf, 4096 ssh_gai_strerror(gaierr)); 4097 return -1; 4098 } 4099 for (ai = aitop; ai; ai = ai->ai_next) { 4100 /* Create a socket. */ 4101 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 4102 if (sock < 0) { 4103 debug2("socket: %.100s", strerror(errno)); 4104 continue; 4105 } 4106 /* Connect it to the display. */ 4107 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 4108 debug2("connect %.100s port %u: %.100s", buf, 4109 6000 + display_number, strerror(errno)); 4110 close(sock); 4111 continue; 4112 } 4113 /* Success */ 4114 break; 4115 } 4116 freeaddrinfo(aitop); 4117 if (!ai) { 4118 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 4119 strerror(errno)); 4120 return -1; 4121 } 4122 set_nodelay(sock); 4123 return sock; 4124 } 4125 4126 /* 4127 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 4128 * the remote channel number. We should do whatever we want, and respond 4129 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 4130 */ 4131 4132 /* ARGSUSED */ 4133 int 4134 x11_input_open(int type, u_int32_t seq, void *ctxt) 4135 { 4136 Channel *c = NULL; 4137 int remote_id, sock = 0; 4138 char *remote_host; 4139 4140 debug("Received X11 open request."); 4141 4142 remote_id = packet_get_int(); 4143 4144 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 4145 remote_host = packet_get_string(NULL); 4146 } else { 4147 remote_host = xstrdup("unknown (remote did not supply name)"); 4148 } 4149 packet_check_eom(); 4150 4151 /* Obtain a connection to the real X display. */ 4152 sock = x11_connect_display(); 4153 if (sock != -1) { 4154 /* Allocate a channel for this connection. */ 4155 c = channel_new("connected x11 socket", 4156 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 4157 remote_host, 1); 4158 c->remote_id = remote_id; 4159 c->force_drain = 1; 4160 } 4161 free(remote_host); 4162 if (c == NULL) { 4163 /* Send refusal to the remote host. */ 4164 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 4165 packet_put_int(remote_id); 4166 } else { 4167 /* Send a confirmation to the remote host. */ 4168 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 4169 packet_put_int(remote_id); 4170 packet_put_int(c->self); 4171 } 4172 packet_send(); 4173 return 0; 4174 } 4175 4176 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 4177 /* ARGSUSED */ 4178 int 4179 deny_input_open(int type, u_int32_t seq, void *ctxt) 4180 { 4181 int rchan = packet_get_int(); 4182 4183 switch (type) { 4184 case SSH_SMSG_AGENT_OPEN: 4185 error("Warning: ssh server tried agent forwarding."); 4186 break; 4187 case SSH_SMSG_X11_OPEN: 4188 error("Warning: ssh server tried X11 forwarding."); 4189 break; 4190 default: 4191 error("deny_input_open: type %d", type); 4192 break; 4193 } 4194 error("Warning: this is probably a break-in attempt by a malicious server."); 4195 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 4196 packet_put_int(rchan); 4197 packet_send(); 4198 return 0; 4199 } 4200 4201 /* 4202 * Requests forwarding of X11 connections, generates fake authentication 4203 * data, and enables authentication spoofing. 4204 * This should be called in the client only. 4205 */ 4206 void 4207 x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 4208 const char *proto, const char *data, int want_reply) 4209 { 4210 u_int data_len = (u_int) strlen(data) / 2; 4211 u_int i, value; 4212 char *new_data; 4213 int screen_number; 4214 const char *cp; 4215 u_int32_t rnd = 0; 4216 4217 if (x11_saved_display == NULL) 4218 x11_saved_display = xstrdup(disp); 4219 else if (strcmp(disp, x11_saved_display) != 0) { 4220 error("x11_request_forwarding_with_spoofing: different " 4221 "$DISPLAY already forwarded"); 4222 return; 4223 } 4224 4225 cp = strchr(disp, ':'); 4226 if (cp) 4227 cp = strchr(cp, '.'); 4228 if (cp) 4229 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 4230 else 4231 screen_number = 0; 4232 4233 if (x11_saved_proto == NULL) { 4234 /* Save protocol name. */ 4235 x11_saved_proto = xstrdup(proto); 4236 /* 4237 * Extract real authentication data and generate fake data 4238 * of the same length. 4239 */ 4240 x11_saved_data = xmalloc(data_len); 4241 x11_fake_data = xmalloc(data_len); 4242 for (i = 0; i < data_len; i++) { 4243 if (sscanf(data + 2 * i, "%2x", &value) != 1) 4244 fatal("x11_request_forwarding: bad " 4245 "authentication data: %.100s", data); 4246 if (i % 4 == 0) 4247 rnd = arc4random(); 4248 x11_saved_data[i] = value; 4249 x11_fake_data[i] = rnd & 0xff; 4250 rnd >>= 8; 4251 } 4252 x11_saved_data_len = data_len; 4253 x11_fake_data_len = data_len; 4254 } 4255 4256 /* Convert the fake data into hex. */ 4257 new_data = tohex(x11_fake_data, data_len); 4258 4259 /* Send the request packet. */ 4260 if (compat20) { 4261 channel_request_start(client_session_id, "x11-req", want_reply); 4262 packet_put_char(0); /* XXX bool single connection */ 4263 } else { 4264 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 4265 } 4266 packet_put_cstring(proto); 4267 packet_put_cstring(new_data); 4268 packet_put_int(screen_number); 4269 packet_send(); 4270 packet_write_wait(); 4271 free(new_data); 4272 } 4273 4274 4275 /* -- agent forwarding */ 4276 4277 /* Sends a message to the server to request authentication fd forwarding. */ 4278 4279 void 4280 auth_request_forwarding(void) 4281 { 4282 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 4283 packet_send(); 4284 packet_write_wait(); 4285 } 4286