1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This file contains functions for generic socket connection forwarding. 6 * There is also code for initiating connection forwarding for X11 connections, 7 * arbitrary tcp/ip connections, and the authentication agent connection. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999,2000 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 RCSID("$OpenBSD: channels.c,v 1.68 2000/09/07 20:40:29 markus Exp $"); 44 45 #include "ssh.h" 46 #include "packet.h" 47 #include "xmalloc.h" 48 #include "buffer.h" 49 #include "uidswap.h" 50 #include "readconf.h" 51 #include "servconf.h" 52 53 #include "channels.h" 54 #include "nchan.h" 55 #include "compat.h" 56 57 #include "ssh2.h" 58 59 #include <openssl/rsa.h> 60 #include <openssl/dsa.h> 61 #include "key.h" 62 #include "authfd.h" 63 64 /* Maximum number of fake X11 displays to try. */ 65 #define MAX_DISPLAYS 1000 66 67 /* Max len of agent socket */ 68 #define MAX_SOCKET_NAME 100 69 70 /* 71 * Pointer to an array containing all allocated channels. The array is 72 * dynamically extended as needed. 73 */ 74 static Channel *channels = NULL; 75 76 /* 77 * Size of the channel array. All slots of the array must always be 78 * initialized (at least the type field); unused slots are marked with type 79 * SSH_CHANNEL_FREE. 80 */ 81 static int channels_alloc = 0; 82 83 /* 84 * Maximum file descriptor value used in any of the channels. This is 85 * updated in channel_allocate. 86 */ 87 static int channel_max_fd_value = 0; 88 89 /* Name and directory of socket for authentication agent forwarding. */ 90 static char *channel_forwarded_auth_socket_name = NULL; 91 static char *channel_forwarded_auth_socket_dir = NULL; 92 93 /* Saved X11 authentication protocol name. */ 94 char *x11_saved_proto = NULL; 95 96 /* Saved X11 authentication data. This is the real data. */ 97 char *x11_saved_data = NULL; 98 unsigned int x11_saved_data_len = 0; 99 100 /* 101 * Fake X11 authentication data. This is what the server will be sending us; 102 * we should replace any occurrences of this by the real data. 103 */ 104 char *x11_fake_data = NULL; 105 unsigned int x11_fake_data_len; 106 107 /* 108 * Data structure for storing which hosts are permitted for forward requests. 109 * The local sides of any remote forwards are stored in this array to prevent 110 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 111 * network (which might be behind a firewall). 112 */ 113 typedef struct { 114 char *host_to_connect; /* Connect to 'host'. */ 115 u_short port_to_connect; /* Connect to 'port'. */ 116 u_short listen_port; /* Remote side should listen port number. */ 117 } ForwardPermission; 118 119 /* List of all permitted host/port pairs to connect. */ 120 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 121 /* Number of permitted host/port pairs in the array. */ 122 static int num_permitted_opens = 0; 123 /* 124 * If this is true, all opens are permitted. This is the case on the server 125 * on which we have to trust the client anyway, and the user could do 126 * anything after logging in anyway. 127 */ 128 static int all_opens_permitted = 0; 129 130 /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */ 131 static int have_hostname_in_open = 0; 132 133 /* Sets specific protocol options. */ 134 135 void 136 channel_set_options(int hostname_in_open) 137 { 138 have_hostname_in_open = hostname_in_open; 139 } 140 141 /* 142 * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually 143 * called by the server, because the user could connect to any port anyway, 144 * and the server has no way to know but to trust the client anyway. 145 */ 146 147 void 148 channel_permit_all_opens() 149 { 150 all_opens_permitted = 1; 151 } 152 153 /* lookup channel by id */ 154 155 Channel * 156 channel_lookup(int id) 157 { 158 Channel *c; 159 if (id < 0 || id > channels_alloc) { 160 log("channel_lookup: %d: bad id", id); 161 return NULL; 162 } 163 c = &channels[id]; 164 if (c->type == SSH_CHANNEL_FREE) { 165 log("channel_lookup: %d: bad id: channel free", id); 166 return NULL; 167 } 168 return c; 169 } 170 171 /* 172 * Register filedescriptors for a channel, used when allocating a channel or 173 * when the channel consumer/producer is ready, e.g. shell exec'd 174 */ 175 176 void 177 channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage) 178 { 179 /* Update the maximum file descriptor value. */ 180 if (rfd > channel_max_fd_value) 181 channel_max_fd_value = rfd; 182 if (wfd > channel_max_fd_value) 183 channel_max_fd_value = wfd; 184 if (efd > channel_max_fd_value) 185 channel_max_fd_value = efd; 186 /* XXX set close-on-exec -markus */ 187 188 c->rfd = rfd; 189 c->wfd = wfd; 190 c->sock = (rfd == wfd) ? rfd : -1; 191 c->efd = efd; 192 c->extended_usage = extusage; 193 if (rfd != -1) 194 set_nonblock(rfd); 195 if (wfd != -1) 196 set_nonblock(wfd); 197 if (efd != -1) 198 set_nonblock(efd); 199 } 200 201 /* 202 * Allocate a new channel object and set its type and socket. This will cause 203 * remote_name to be freed. 204 */ 205 206 int 207 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 208 int window, int maxpack, int extusage, char *remote_name) 209 { 210 int i, found; 211 Channel *c; 212 213 /* Do initial allocation if this is the first call. */ 214 if (channels_alloc == 0) { 215 chan_init(); 216 channels_alloc = 10; 217 channels = xmalloc(channels_alloc * sizeof(Channel)); 218 for (i = 0; i < channels_alloc; i++) 219 channels[i].type = SSH_CHANNEL_FREE; 220 /* 221 * Kludge: arrange a call to channel_stop_listening if we 222 * terminate with fatal(). 223 */ 224 fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL); 225 } 226 /* Try to find a free slot where to put the new channel. */ 227 for (found = -1, i = 0; i < channels_alloc; i++) 228 if (channels[i].type == SSH_CHANNEL_FREE) { 229 /* Found a free slot. */ 230 found = i; 231 break; 232 } 233 if (found == -1) { 234 /* There are no free slots. Take last+1 slot and expand the array. */ 235 found = channels_alloc; 236 channels_alloc += 10; 237 debug("channel: expanding %d", channels_alloc); 238 channels = xrealloc(channels, channels_alloc * sizeof(Channel)); 239 for (i = found; i < channels_alloc; i++) 240 channels[i].type = SSH_CHANNEL_FREE; 241 } 242 /* Initialize and return new channel number. */ 243 c = &channels[found]; 244 buffer_init(&c->input); 245 buffer_init(&c->output); 246 buffer_init(&c->extended); 247 chan_init_iostates(c); 248 channel_register_fds(c, rfd, wfd, efd, extusage); 249 c->self = found; 250 c->type = type; 251 c->ctype = ctype; 252 c->local_window = window; 253 c->local_window_max = window; 254 c->local_consumed = 0; 255 c->local_maxpacket = maxpack; 256 c->remote_id = -1; 257 c->remote_name = remote_name; 258 c->remote_window = 0; 259 c->remote_maxpacket = 0; 260 c->cb_fn = NULL; 261 c->cb_arg = NULL; 262 c->cb_event = 0; 263 c->dettach_user = NULL; 264 c->input_filter = NULL; 265 debug("channel %d: new [%s]", found, remote_name); 266 return found; 267 } 268 /* old interface XXX */ 269 int 270 channel_allocate(int type, int sock, char *remote_name) 271 { 272 return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name); 273 } 274 275 276 /* Close all channel fd/socket. */ 277 278 void 279 channel_close_fds(Channel *c) 280 { 281 if (c->sock != -1) { 282 close(c->sock); 283 c->sock = -1; 284 } 285 if (c->rfd != -1) { 286 close(c->rfd); 287 c->rfd = -1; 288 } 289 if (c->wfd != -1) { 290 close(c->wfd); 291 c->wfd = -1; 292 } 293 if (c->efd != -1) { 294 close(c->efd); 295 c->efd = -1; 296 } 297 } 298 299 /* Free the channel and close its fd/socket. */ 300 301 void 302 channel_free(int id) 303 { 304 Channel *c = channel_lookup(id); 305 if (c == NULL) 306 packet_disconnect("channel free: bad local channel %d", id); 307 debug("channel_free: channel %d: status: %s", id, channel_open_message()); 308 if (c->dettach_user != NULL) { 309 debug("channel_free: channel %d: dettaching channel user", id); 310 c->dettach_user(c->self, NULL); 311 } 312 if (c->sock != -1) 313 shutdown(c->sock, SHUT_RDWR); 314 channel_close_fds(c); 315 buffer_free(&c->input); 316 buffer_free(&c->output); 317 buffer_free(&c->extended); 318 c->type = SSH_CHANNEL_FREE; 319 if (c->remote_name) { 320 xfree(c->remote_name); 321 c->remote_name = NULL; 322 } 323 } 324 325 /* 326 * 'channel_pre*' are called just before select() to add any bits relevant to 327 * channels in the select bitmasks. 328 */ 329 /* 330 * 'channel_post*': perform any appropriate operations for channels which 331 * have events pending. 332 */ 333 typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset); 334 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 335 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 336 337 void 338 channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset) 339 { 340 FD_SET(c->sock, readset); 341 } 342 343 void 344 channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset) 345 { 346 if (buffer_len(&c->input) < packet_get_maxsize()) 347 FD_SET(c->sock, readset); 348 if (buffer_len(&c->output) > 0) 349 FD_SET(c->sock, writeset); 350 } 351 352 void 353 channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset) 354 { 355 /* test whether sockets are 'alive' for read/write */ 356 if (c->istate == CHAN_INPUT_OPEN) 357 if (buffer_len(&c->input) < packet_get_maxsize()) 358 FD_SET(c->sock, readset); 359 if (c->ostate == CHAN_OUTPUT_OPEN || 360 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 361 if (buffer_len(&c->output) > 0) { 362 FD_SET(c->sock, writeset); 363 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 364 chan_obuf_empty(c); 365 } 366 } 367 } 368 369 void 370 channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset) 371 { 372 if (c->istate == CHAN_INPUT_OPEN && 373 c->remote_window > 0 && 374 buffer_len(&c->input) < c->remote_window) 375 FD_SET(c->rfd, readset); 376 if (c->ostate == CHAN_OUTPUT_OPEN || 377 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 378 if (buffer_len(&c->output) > 0) { 379 FD_SET(c->wfd, writeset); 380 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 381 chan_obuf_empty(c); 382 } 383 } 384 /** XXX check close conditions, too */ 385 if (c->efd != -1) { 386 if (c->extended_usage == CHAN_EXTENDED_WRITE && 387 buffer_len(&c->extended) > 0) 388 FD_SET(c->efd, writeset); 389 else if (c->extended_usage == CHAN_EXTENDED_READ && 390 buffer_len(&c->extended) < c->remote_window) 391 FD_SET(c->efd, readset); 392 } 393 } 394 395 void 396 channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset) 397 { 398 if (buffer_len(&c->input) == 0) { 399 packet_start(SSH_MSG_CHANNEL_CLOSE); 400 packet_put_int(c->remote_id); 401 packet_send(); 402 c->type = SSH_CHANNEL_CLOSED; 403 debug("Closing channel %d after input drain.", c->self); 404 } 405 } 406 407 void 408 channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset) 409 { 410 if (buffer_len(&c->output) == 0) 411 channel_free(c->self); 412 else 413 FD_SET(c->sock, writeset); 414 } 415 416 /* 417 * This is a special state for X11 authentication spoofing. An opened X11 418 * connection (when authentication spoofing is being done) remains in this 419 * state until the first packet has been completely read. The authentication 420 * data in that packet is then substituted by the real data if it matches the 421 * fake data, and the channel is put into normal mode. 422 * XXX All this happens at the client side. 423 */ 424 int 425 x11_open_helper(Channel *c) 426 { 427 unsigned char *ucp; 428 unsigned int proto_len, data_len; 429 430 /* Check if the fixed size part of the packet is in buffer. */ 431 if (buffer_len(&c->output) < 12) 432 return 0; 433 434 /* Parse the lengths of variable-length fields. */ 435 ucp = (unsigned char *) buffer_ptr(&c->output); 436 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 437 proto_len = 256 * ucp[6] + ucp[7]; 438 data_len = 256 * ucp[8] + ucp[9]; 439 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 440 proto_len = ucp[6] + 256 * ucp[7]; 441 data_len = ucp[8] + 256 * ucp[9]; 442 } else { 443 debug("Initial X11 packet contains bad byte order byte: 0x%x", 444 ucp[0]); 445 return -1; 446 } 447 448 /* Check if the whole packet is in buffer. */ 449 if (buffer_len(&c->output) < 450 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 451 return 0; 452 453 /* Check if authentication protocol matches. */ 454 if (proto_len != strlen(x11_saved_proto) || 455 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 456 debug("X11 connection uses different authentication protocol."); 457 return -1; 458 } 459 /* Check if authentication data matches our fake data. */ 460 if (data_len != x11_fake_data_len || 461 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 462 x11_fake_data, x11_fake_data_len) != 0) { 463 debug("X11 auth data does not match fake data."); 464 return -1; 465 } 466 /* Check fake data length */ 467 if (x11_fake_data_len != x11_saved_data_len) { 468 error("X11 fake_data_len %d != saved_data_len %d", 469 x11_fake_data_len, x11_saved_data_len); 470 return -1; 471 } 472 /* 473 * Received authentication protocol and data match 474 * our fake data. Substitute the fake data with real 475 * data. 476 */ 477 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 478 x11_saved_data, x11_saved_data_len); 479 return 1; 480 } 481 482 void 483 channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset) 484 { 485 int ret = x11_open_helper(c); 486 if (ret == 1) { 487 /* Start normal processing for the channel. */ 488 c->type = SSH_CHANNEL_OPEN; 489 channel_pre_open_13(c, readset, writeset); 490 } else if (ret == -1) { 491 /* 492 * We have received an X11 connection that has bad 493 * authentication information. 494 */ 495 log("X11 connection rejected because of wrong authentication.\r\n"); 496 buffer_clear(&c->input); 497 buffer_clear(&c->output); 498 close(c->sock); 499 c->sock = -1; 500 c->type = SSH_CHANNEL_CLOSED; 501 packet_start(SSH_MSG_CHANNEL_CLOSE); 502 packet_put_int(c->remote_id); 503 packet_send(); 504 } 505 } 506 507 void 508 channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset) 509 { 510 int ret = x11_open_helper(c); 511 if (ret == 1) { 512 c->type = SSH_CHANNEL_OPEN; 513 if (compat20) 514 channel_pre_open_20(c, readset, writeset); 515 else 516 channel_pre_open_15(c, readset, writeset); 517 } else if (ret == -1) { 518 debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 519 chan_read_failed(c); /** force close? */ 520 chan_write_failed(c); 521 debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 522 } 523 } 524 525 /* This is our fake X11 server socket. */ 526 void 527 channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset) 528 { 529 struct sockaddr addr; 530 int newsock, newch; 531 socklen_t addrlen; 532 char buf[16384], *remote_hostname; 533 int remote_port; 534 535 if (FD_ISSET(c->sock, readset)) { 536 debug("X11 connection requested."); 537 addrlen = sizeof(addr); 538 newsock = accept(c->sock, &addr, &addrlen); 539 if (newsock < 0) { 540 error("accept: %.100s", strerror(errno)); 541 return; 542 } 543 remote_hostname = get_remote_hostname(newsock); 544 remote_port = get_peer_port(newsock); 545 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 546 remote_hostname, remote_port); 547 548 newch = channel_new("x11", 549 SSH_CHANNEL_OPENING, newsock, newsock, -1, 550 c->local_window_max, c->local_maxpacket, 551 0, xstrdup(buf)); 552 if (compat20) { 553 packet_start(SSH2_MSG_CHANNEL_OPEN); 554 packet_put_cstring("x11"); 555 packet_put_int(newch); 556 packet_put_int(c->local_window_max); 557 packet_put_int(c->local_maxpacket); 558 /* originator host and port */ 559 packet_put_cstring(remote_hostname); 560 if (datafellows & SSH_BUG_X11FWD) { 561 debug("ssh2 x11 bug compat mode"); 562 } else { 563 packet_put_int(remote_port); 564 } 565 packet_send(); 566 } else { 567 packet_start(SSH_SMSG_X11_OPEN); 568 packet_put_int(newch); 569 if (have_hostname_in_open) 570 packet_put_string(buf, strlen(buf)); 571 packet_send(); 572 } 573 xfree(remote_hostname); 574 } 575 } 576 577 /* 578 * This socket is listening for connections to a forwarded TCP/IP port. 579 */ 580 void 581 channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) 582 { 583 struct sockaddr addr; 584 int newsock, newch; 585 socklen_t addrlen; 586 char buf[1024], *remote_hostname; 587 int remote_port; 588 589 if (FD_ISSET(c->sock, readset)) { 590 debug("Connection to port %d forwarding " 591 "to %.100s port %d requested.", 592 c->listening_port, c->path, c->host_port); 593 addrlen = sizeof(addr); 594 newsock = accept(c->sock, &addr, &addrlen); 595 if (newsock < 0) { 596 error("accept: %.100s", strerror(errno)); 597 return; 598 } 599 remote_hostname = get_remote_hostname(newsock); 600 remote_port = get_peer_port(newsock); 601 snprintf(buf, sizeof buf, 602 "listen port %d for %.100s port %d, " 603 "connect from %.200s port %d", 604 c->listening_port, c->path, c->host_port, 605 remote_hostname, remote_port); 606 newch = channel_new("direct-tcpip", 607 SSH_CHANNEL_OPENING, newsock, newsock, -1, 608 c->local_window_max, c->local_maxpacket, 609 0, xstrdup(buf)); 610 if (compat20) { 611 packet_start(SSH2_MSG_CHANNEL_OPEN); 612 packet_put_cstring("direct-tcpip"); 613 packet_put_int(newch); 614 packet_put_int(c->local_window_max); 615 packet_put_int(c->local_maxpacket); 616 /* target host and port */ 617 packet_put_string(c->path, strlen(c->path)); 618 packet_put_int(c->host_port); 619 /* originator host and port */ 620 packet_put_cstring(remote_hostname); 621 packet_put_int(remote_port); 622 packet_send(); 623 } else { 624 packet_start(SSH_MSG_PORT_OPEN); 625 packet_put_int(newch); 626 packet_put_string(c->path, strlen(c->path)); 627 packet_put_int(c->host_port); 628 if (have_hostname_in_open) { 629 packet_put_string(buf, strlen(buf)); 630 } 631 packet_send(); 632 } 633 xfree(remote_hostname); 634 } 635 } 636 637 /* 638 * This is the authentication agent socket listening for connections from 639 * clients. 640 */ 641 void 642 channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset) 643 { 644 struct sockaddr addr; 645 int newsock, newch; 646 socklen_t addrlen; 647 648 if (FD_ISSET(c->sock, readset)) { 649 addrlen = sizeof(addr); 650 newsock = accept(c->sock, &addr, &addrlen); 651 if (newsock < 0) { 652 error("accept from auth socket: %.100s", strerror(errno)); 653 return; 654 } 655 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, 656 xstrdup("accepted auth socket")); 657 packet_start(SSH_SMSG_AGENT_OPEN); 658 packet_put_int(newch); 659 packet_send(); 660 } 661 } 662 663 int 664 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) 665 { 666 char buf[16*1024]; 667 int len; 668 669 if (c->rfd != -1 && 670 FD_ISSET(c->rfd, readset)) { 671 len = read(c->rfd, buf, sizeof(buf)); 672 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 673 return 1; 674 if (len <= 0) { 675 debug("channel %d: read<=0 rfd %d len %d", 676 c->self, c->rfd, len); 677 if (compat13) { 678 buffer_consume(&c->output, buffer_len(&c->output)); 679 c->type = SSH_CHANNEL_INPUT_DRAINING; 680 debug("Channel %d status set to input draining.", c->self); 681 } else { 682 chan_read_failed(c); 683 } 684 return -1; 685 } 686 if(c->input_filter != NULL) { 687 if (c->input_filter(c, buf, len) == -1) { 688 debug("filter stops channel %d", c->self); 689 chan_read_failed(c); 690 } 691 } else { 692 buffer_append(&c->input, buf, len); 693 } 694 } 695 return 1; 696 } 697 int 698 channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) 699 { 700 int len; 701 702 /* Send buffered output data to the socket. */ 703 if (c->wfd != -1 && 704 FD_ISSET(c->wfd, writeset) && 705 buffer_len(&c->output) > 0) { 706 len = write(c->wfd, buffer_ptr(&c->output), 707 buffer_len(&c->output)); 708 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 709 return 1; 710 if (len <= 0) { 711 if (compat13) { 712 buffer_consume(&c->output, buffer_len(&c->output)); 713 debug("Channel %d status set to input draining.", c->self); 714 c->type = SSH_CHANNEL_INPUT_DRAINING; 715 } else { 716 chan_write_failed(c); 717 } 718 return -1; 719 } 720 buffer_consume(&c->output, len); 721 if (compat20 && len > 0) { 722 c->local_consumed += len; 723 } 724 } 725 return 1; 726 } 727 int 728 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) 729 { 730 char buf[16*1024]; 731 int len; 732 733 /** XXX handle drain efd, too */ 734 if (c->efd != -1) { 735 if (c->extended_usage == CHAN_EXTENDED_WRITE && 736 FD_ISSET(c->efd, writeset) && 737 buffer_len(&c->extended) > 0) { 738 len = write(c->efd, buffer_ptr(&c->extended), 739 buffer_len(&c->extended)); 740 debug("channel %d: written %d to efd %d", 741 c->self, len, c->efd); 742 if (len > 0) { 743 buffer_consume(&c->extended, len); 744 c->local_consumed += len; 745 } 746 } else if (c->extended_usage == CHAN_EXTENDED_READ && 747 FD_ISSET(c->efd, readset)) { 748 len = read(c->efd, buf, sizeof(buf)); 749 debug("channel %d: read %d from efd %d", 750 c->self, len, c->efd); 751 if (len == 0) { 752 debug("channel %d: closing efd %d", 753 c->self, c->efd); 754 close(c->efd); 755 c->efd = -1; 756 } else if (len > 0) 757 buffer_append(&c->extended, buf, len); 758 } 759 } 760 return 1; 761 } 762 int 763 channel_check_window(Channel *c, fd_set * readset, fd_set * writeset) 764 { 765 if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 766 c->local_window < c->local_window_max/2 && 767 c->local_consumed > 0) { 768 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 769 packet_put_int(c->remote_id); 770 packet_put_int(c->local_consumed); 771 packet_send(); 772 debug("channel %d: window %d sent adjust %d", 773 c->self, c->local_window, 774 c->local_consumed); 775 c->local_window += c->local_consumed; 776 c->local_consumed = 0; 777 } 778 return 1; 779 } 780 781 void 782 channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset) 783 { 784 channel_handle_rfd(c, readset, writeset); 785 channel_handle_wfd(c, readset, writeset); 786 } 787 788 void 789 channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset) 790 { 791 channel_handle_rfd(c, readset, writeset); 792 channel_handle_wfd(c, readset, writeset); 793 channel_handle_efd(c, readset, writeset); 794 channel_check_window(c, readset, writeset); 795 } 796 797 void 798 channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset) 799 { 800 int len; 801 /* Send buffered output data to the socket. */ 802 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 803 len = write(c->sock, buffer_ptr(&c->output), 804 buffer_len(&c->output)); 805 if (len <= 0) 806 buffer_consume(&c->output, buffer_len(&c->output)); 807 else 808 buffer_consume(&c->output, len); 809 } 810 } 811 812 void 813 channel_handler_init_20(void) 814 { 815 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20; 816 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 817 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 818 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 819 820 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2; 821 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 822 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 823 } 824 825 void 826 channel_handler_init_13(void) 827 { 828 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 829 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 830 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 831 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 832 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 833 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 834 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 835 836 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; 837 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 838 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 839 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 840 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 841 } 842 843 void 844 channel_handler_init_15(void) 845 { 846 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15; 847 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 848 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 849 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 850 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 851 852 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 853 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 854 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 855 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; 856 } 857 858 void 859 channel_handler_init(void) 860 { 861 int i; 862 for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 863 channel_pre[i] = NULL; 864 channel_post[i] = NULL; 865 } 866 if (compat20) 867 channel_handler_init_20(); 868 else if (compat13) 869 channel_handler_init_13(); 870 else 871 channel_handler_init_15(); 872 } 873 874 void 875 channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) 876 { 877 static int did_init = 0; 878 int i; 879 Channel *c; 880 881 if (!did_init) { 882 channel_handler_init(); 883 did_init = 1; 884 } 885 for (i = 0; i < channels_alloc; i++) { 886 c = &channels[i]; 887 if (c->type == SSH_CHANNEL_FREE) 888 continue; 889 if (ftab[c->type] == NULL) 890 continue; 891 (*ftab[c->type])(c, readset, writeset); 892 chan_delete_if_full_closed(c); 893 } 894 } 895 896 void 897 channel_prepare_select(fd_set * readset, fd_set * writeset) 898 { 899 channel_handler(channel_pre, readset, writeset); 900 } 901 902 void 903 channel_after_select(fd_set * readset, fd_set * writeset) 904 { 905 channel_handler(channel_post, readset, writeset); 906 } 907 908 /* If there is data to send to the connection, send some of it now. */ 909 910 void 911 channel_output_poll() 912 { 913 int len, i; 914 Channel *c; 915 916 for (i = 0; i < channels_alloc; i++) { 917 c = &channels[i]; 918 919 /* We are only interested in channels that can have buffered incoming data. */ 920 if (compat13) { 921 if (c->type != SSH_CHANNEL_OPEN && 922 c->type != SSH_CHANNEL_INPUT_DRAINING) 923 continue; 924 } else { 925 if (c->type != SSH_CHANNEL_OPEN) 926 continue; 927 if (c->istate != CHAN_INPUT_OPEN && 928 c->istate != CHAN_INPUT_WAIT_DRAIN) 929 continue; 930 } 931 if (compat20 && 932 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 933 debug("channel: %d: no data after CLOSE", c->self); 934 continue; 935 } 936 937 /* Get the amount of buffered data for this channel. */ 938 len = buffer_len(&c->input); 939 if (len > 0) { 940 /* Send some data for the other side over the secure connection. */ 941 if (compat20) { 942 if (len > c->remote_window) 943 len = c->remote_window; 944 if (len > c->remote_maxpacket) 945 len = c->remote_maxpacket; 946 } else { 947 if (packet_is_interactive()) { 948 if (len > 1024) 949 len = 512; 950 } else { 951 /* Keep the packets at reasonable size. */ 952 if (len > packet_get_maxsize()/2) 953 len = packet_get_maxsize()/2; 954 } 955 } 956 if (len > 0) { 957 packet_start(compat20 ? 958 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 959 packet_put_int(c->remote_id); 960 packet_put_string(buffer_ptr(&c->input), len); 961 packet_send(); 962 buffer_consume(&c->input, len); 963 c->remote_window -= len; 964 } 965 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 966 if (compat13) 967 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 968 /* 969 * input-buffer is empty and read-socket shutdown: 970 * tell peer, that we will not send more data: send IEOF 971 */ 972 chan_ibuf_empty(c); 973 } 974 /* Send extended data, i.e. stderr */ 975 if (compat20 && 976 c->remote_window > 0 && 977 (len = buffer_len(&c->extended)) > 0 && 978 c->extended_usage == CHAN_EXTENDED_READ) { 979 if (len > c->remote_window) 980 len = c->remote_window; 981 if (len > c->remote_maxpacket) 982 len = c->remote_maxpacket; 983 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 984 packet_put_int(c->remote_id); 985 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 986 packet_put_string(buffer_ptr(&c->extended), len); 987 packet_send(); 988 buffer_consume(&c->extended, len); 989 c->remote_window -= len; 990 } 991 } 992 } 993 994 /* 995 * This is called when a packet of type CHANNEL_DATA has just been received. 996 * The message type has already been consumed, but channel number and data is 997 * still there. 998 */ 999 1000 void 1001 channel_input_data(int type, int plen) 1002 { 1003 int id; 1004 char *data; 1005 unsigned int data_len; 1006 Channel *c; 1007 1008 /* Get the channel number and verify it. */ 1009 id = packet_get_int(); 1010 c = channel_lookup(id); 1011 if (c == NULL) 1012 packet_disconnect("Received data for nonexistent channel %d.", id); 1013 1014 /* Ignore any data for non-open channels (might happen on close) */ 1015 if (c->type != SSH_CHANNEL_OPEN && 1016 c->type != SSH_CHANNEL_X11_OPEN) 1017 return; 1018 1019 /* same for protocol 1.5 if output end is no longer open */ 1020 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) 1021 return; 1022 1023 /* Get the data. */ 1024 data = packet_get_string(&data_len); 1025 packet_done(); 1026 1027 if (compat20){ 1028 if (data_len > c->local_maxpacket) { 1029 log("channel %d: rcvd big packet %d, maxpack %d", 1030 c->self, data_len, c->local_maxpacket); 1031 } 1032 if (data_len > c->local_window) { 1033 log("channel %d: rcvd too much data %d, win %d", 1034 c->self, data_len, c->local_window); 1035 xfree(data); 1036 return; 1037 } 1038 c->local_window -= data_len; 1039 }else{ 1040 packet_integrity_check(plen, 4 + 4 + data_len, type); 1041 } 1042 buffer_append(&c->output, data, data_len); 1043 xfree(data); 1044 } 1045 void 1046 channel_input_extended_data(int type, int plen) 1047 { 1048 int id; 1049 int tcode; 1050 char *data; 1051 unsigned int data_len; 1052 Channel *c; 1053 1054 /* Get the channel number and verify it. */ 1055 id = packet_get_int(); 1056 c = channel_lookup(id); 1057 1058 if (c == NULL) 1059 packet_disconnect("Received extended_data for bad channel %d.", id); 1060 if (c->type != SSH_CHANNEL_OPEN) { 1061 log("channel %d: ext data for non open", id); 1062 return; 1063 } 1064 tcode = packet_get_int(); 1065 if (c->efd == -1 || 1066 c->extended_usage != CHAN_EXTENDED_WRITE || 1067 tcode != SSH2_EXTENDED_DATA_STDERR) { 1068 log("channel %d: bad ext data", c->self); 1069 return; 1070 } 1071 data = packet_get_string(&data_len); 1072 packet_done(); 1073 if (data_len > c->local_window) { 1074 log("channel %d: rcvd too much extended_data %d, win %d", 1075 c->self, data_len, c->local_window); 1076 xfree(data); 1077 return; 1078 } 1079 debug("channel %d: rcvd ext data %d", c->self, data_len); 1080 c->local_window -= data_len; 1081 buffer_append(&c->extended, data, data_len); 1082 xfree(data); 1083 } 1084 1085 1086 /* 1087 * Returns true if no channel has too much buffered data, and false if one or 1088 * more channel is overfull. 1089 */ 1090 1091 int 1092 channel_not_very_much_buffered_data() 1093 { 1094 unsigned int i; 1095 Channel *c; 1096 1097 for (i = 0; i < channels_alloc; i++) { 1098 c = &channels[i]; 1099 if (c->type == SSH_CHANNEL_OPEN) { 1100 if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) { 1101 debug("channel %d: big input buffer %d", 1102 c->self, buffer_len(&c->input)); 1103 return 0; 1104 } 1105 if (buffer_len(&c->output) > packet_get_maxsize()) { 1106 debug("channel %d: big output buffer %d", 1107 c->self, buffer_len(&c->output)); 1108 return 0; 1109 } 1110 } 1111 } 1112 return 1; 1113 } 1114 1115 void 1116 channel_input_ieof(int type, int plen) 1117 { 1118 int id; 1119 Channel *c; 1120 1121 packet_integrity_check(plen, 4, type); 1122 1123 id = packet_get_int(); 1124 c = channel_lookup(id); 1125 if (c == NULL) 1126 packet_disconnect("Received ieof for nonexistent channel %d.", id); 1127 chan_rcvd_ieof(c); 1128 } 1129 1130 void 1131 channel_input_close(int type, int plen) 1132 { 1133 int id; 1134 Channel *c; 1135 1136 packet_integrity_check(plen, 4, type); 1137 1138 id = packet_get_int(); 1139 c = channel_lookup(id); 1140 if (c == NULL) 1141 packet_disconnect("Received close for nonexistent channel %d.", id); 1142 1143 /* 1144 * Send a confirmation that we have closed the channel and no more 1145 * data is coming for it. 1146 */ 1147 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 1148 packet_put_int(c->remote_id); 1149 packet_send(); 1150 1151 /* 1152 * If the channel is in closed state, we have sent a close request, 1153 * and the other side will eventually respond with a confirmation. 1154 * Thus, we cannot free the channel here, because then there would be 1155 * no-one to receive the confirmation. The channel gets freed when 1156 * the confirmation arrives. 1157 */ 1158 if (c->type != SSH_CHANNEL_CLOSED) { 1159 /* 1160 * Not a closed channel - mark it as draining, which will 1161 * cause it to be freed later. 1162 */ 1163 buffer_consume(&c->input, buffer_len(&c->input)); 1164 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 1165 } 1166 } 1167 1168 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 1169 void 1170 channel_input_oclose(int type, int plen) 1171 { 1172 int id = packet_get_int(); 1173 Channel *c = channel_lookup(id); 1174 packet_integrity_check(plen, 4, type); 1175 if (c == NULL) 1176 packet_disconnect("Received oclose for nonexistent channel %d.", id); 1177 chan_rcvd_oclose(c); 1178 } 1179 1180 void 1181 channel_input_close_confirmation(int type, int plen) 1182 { 1183 int id = packet_get_int(); 1184 Channel *c = channel_lookup(id); 1185 1186 packet_done(); 1187 if (c == NULL) 1188 packet_disconnect("Received close confirmation for " 1189 "out-of-range channel %d.", id); 1190 if (c->type != SSH_CHANNEL_CLOSED) 1191 packet_disconnect("Received close confirmation for " 1192 "non-closed channel %d (type %d).", id, c->type); 1193 channel_free(c->self); 1194 } 1195 1196 void 1197 channel_input_open_confirmation(int type, int plen) 1198 { 1199 int id, remote_id; 1200 Channel *c; 1201 1202 if (!compat20) 1203 packet_integrity_check(plen, 4 + 4, type); 1204 1205 id = packet_get_int(); 1206 c = channel_lookup(id); 1207 1208 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 1209 packet_disconnect("Received open confirmation for " 1210 "non-opening channel %d.", id); 1211 remote_id = packet_get_int(); 1212 /* Record the remote channel number and mark that the channel is now open. */ 1213 c->remote_id = remote_id; 1214 c->type = SSH_CHANNEL_OPEN; 1215 1216 if (compat20) { 1217 c->remote_window = packet_get_int(); 1218 c->remote_maxpacket = packet_get_int(); 1219 packet_done(); 1220 if (c->cb_fn != NULL && c->cb_event == type) { 1221 debug("callback start"); 1222 c->cb_fn(c->self, c->cb_arg); 1223 debug("callback done"); 1224 } 1225 debug("channel %d: open confirm rwindow %d rmax %d", c->self, 1226 c->remote_window, c->remote_maxpacket); 1227 } 1228 } 1229 1230 void 1231 channel_input_open_failure(int type, int plen) 1232 { 1233 int id; 1234 Channel *c; 1235 1236 if (!compat20) 1237 packet_integrity_check(plen, 4, type); 1238 1239 id = packet_get_int(); 1240 c = channel_lookup(id); 1241 1242 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 1243 packet_disconnect("Received open failure for " 1244 "non-opening channel %d.", id); 1245 if (compat20) { 1246 int reason = packet_get_int(); 1247 char *msg = packet_get_string(NULL); 1248 char *lang = packet_get_string(NULL); 1249 log("channel_open_failure: %d: reason %d: %s", id, reason, msg); 1250 packet_done(); 1251 xfree(msg); 1252 xfree(lang); 1253 } 1254 /* Free the channel. This will also close the socket. */ 1255 channel_free(id); 1256 } 1257 1258 void 1259 channel_input_channel_request(int type, int plen) 1260 { 1261 int id; 1262 Channel *c; 1263 1264 id = packet_get_int(); 1265 c = channel_lookup(id); 1266 1267 if (c == NULL || 1268 (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL)) 1269 packet_disconnect("Received request for " 1270 "non-open channel %d.", id); 1271 if (c->cb_fn != NULL && c->cb_event == type) { 1272 debug("callback start"); 1273 c->cb_fn(c->self, c->cb_arg); 1274 debug("callback done"); 1275 } else { 1276 char *service = packet_get_string(NULL); 1277 debug("channel: %d rcvd request for %s", c->self, service); 1278 debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event); 1279 xfree(service); 1280 } 1281 } 1282 1283 void 1284 channel_input_window_adjust(int type, int plen) 1285 { 1286 Channel *c; 1287 int id, adjust; 1288 1289 if (!compat20) 1290 return; 1291 1292 /* Get the channel number and verify it. */ 1293 id = packet_get_int(); 1294 c = channel_lookup(id); 1295 1296 if (c == NULL || c->type != SSH_CHANNEL_OPEN) { 1297 log("Received window adjust for " 1298 "non-open channel %d.", id); 1299 return; 1300 } 1301 adjust = packet_get_int(); 1302 packet_done(); 1303 debug("channel %d: rcvd adjust %d", id, adjust); 1304 c->remote_window += adjust; 1305 } 1306 1307 /* 1308 * Stops listening for channels, and removes any unix domain sockets that we 1309 * might have. 1310 */ 1311 1312 void 1313 channel_stop_listening() 1314 { 1315 int i; 1316 for (i = 0; i < channels_alloc; i++) { 1317 switch (channels[i].type) { 1318 case SSH_CHANNEL_AUTH_SOCKET: 1319 close(channels[i].sock); 1320 remove(channels[i].path); 1321 channel_free(i); 1322 break; 1323 case SSH_CHANNEL_PORT_LISTENER: 1324 case SSH_CHANNEL_X11_LISTENER: 1325 close(channels[i].sock); 1326 channel_free(i); 1327 break; 1328 default: 1329 break; 1330 } 1331 } 1332 } 1333 1334 /* 1335 * Closes the sockets/fds of all channels. This is used to close extra file 1336 * descriptors after a fork. 1337 */ 1338 1339 void 1340 channel_close_all() 1341 { 1342 int i; 1343 for (i = 0; i < channels_alloc; i++) 1344 if (channels[i].type != SSH_CHANNEL_FREE) 1345 channel_close_fds(&channels[i]); 1346 } 1347 1348 /* Returns the maximum file descriptor number used by the channels. */ 1349 1350 int 1351 channel_max_fd() 1352 { 1353 return channel_max_fd_value; 1354 } 1355 1356 /* Returns true if any channel is still open. */ 1357 1358 int 1359 channel_still_open() 1360 { 1361 unsigned int i; 1362 for (i = 0; i < channels_alloc; i++) 1363 switch (channels[i].type) { 1364 case SSH_CHANNEL_FREE: 1365 case SSH_CHANNEL_X11_LISTENER: 1366 case SSH_CHANNEL_PORT_LISTENER: 1367 case SSH_CHANNEL_CLOSED: 1368 case SSH_CHANNEL_AUTH_SOCKET: 1369 continue; 1370 case SSH_CHANNEL_LARVAL: 1371 if (!compat20) 1372 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 1373 continue; 1374 case SSH_CHANNEL_OPENING: 1375 case SSH_CHANNEL_OPEN: 1376 case SSH_CHANNEL_X11_OPEN: 1377 return 1; 1378 case SSH_CHANNEL_INPUT_DRAINING: 1379 case SSH_CHANNEL_OUTPUT_DRAINING: 1380 if (!compat13) 1381 fatal("cannot happen: OUT_DRAIN"); 1382 return 1; 1383 default: 1384 fatal("channel_still_open: bad channel type %d", channels[i].type); 1385 /* NOTREACHED */ 1386 } 1387 return 0; 1388 } 1389 1390 /* 1391 * Returns a message describing the currently open forwarded connections, 1392 * suitable for sending to the client. The message contains crlf pairs for 1393 * newlines. 1394 */ 1395 1396 char * 1397 channel_open_message() 1398 { 1399 Buffer buffer; 1400 int i; 1401 char buf[512], *cp; 1402 1403 buffer_init(&buffer); 1404 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 1405 buffer_append(&buffer, buf, strlen(buf)); 1406 for (i = 0; i < channels_alloc; i++) { 1407 Channel *c = &channels[i]; 1408 switch (c->type) { 1409 case SSH_CHANNEL_FREE: 1410 case SSH_CHANNEL_X11_LISTENER: 1411 case SSH_CHANNEL_PORT_LISTENER: 1412 case SSH_CHANNEL_CLOSED: 1413 case SSH_CHANNEL_AUTH_SOCKET: 1414 continue; 1415 case SSH_CHANNEL_LARVAL: 1416 case SSH_CHANNEL_OPENING: 1417 case SSH_CHANNEL_OPEN: 1418 case SSH_CHANNEL_X11_OPEN: 1419 case SSH_CHANNEL_INPUT_DRAINING: 1420 case SSH_CHANNEL_OUTPUT_DRAINING: 1421 snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n", 1422 c->self, c->remote_name, 1423 c->type, c->remote_id, 1424 c->istate, buffer_len(&c->input), 1425 c->ostate, buffer_len(&c->output), 1426 c->rfd, c->wfd); 1427 buffer_append(&buffer, buf, strlen(buf)); 1428 continue; 1429 default: 1430 fatal("channel_open_message: bad channel type %d", c->type); 1431 /* NOTREACHED */ 1432 } 1433 } 1434 buffer_append(&buffer, "\0", 1); 1435 cp = xstrdup(buffer_ptr(&buffer)); 1436 buffer_free(&buffer); 1437 return cp; 1438 } 1439 1440 /* 1441 * Initiate forwarding of connections to local port "port" through the secure 1442 * channel to host:port from remote side. 1443 */ 1444 1445 void 1446 channel_request_local_forwarding(u_short port, const char *host, 1447 u_short host_port, int gateway_ports) 1448 { 1449 int success, ch, sock, on = 1; 1450 struct addrinfo hints, *ai, *aitop; 1451 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 1452 struct linger linger; 1453 1454 if (strlen(host) > sizeof(channels[0].path) - 1) 1455 packet_disconnect("Forward host name too long."); 1456 1457 /* 1458 * getaddrinfo returns a loopback address if the hostname is 1459 * set to NULL and hints.ai_flags is not AI_PASSIVE 1460 */ 1461 memset(&hints, 0, sizeof(hints)); 1462 hints.ai_family = IPv4or6; 1463 hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; 1464 hints.ai_socktype = SOCK_STREAM; 1465 snprintf(strport, sizeof strport, "%d", port); 1466 if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) 1467 packet_disconnect("getaddrinfo: fatal error"); 1468 1469 success = 0; 1470 for (ai = aitop; ai; ai = ai->ai_next) { 1471 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1472 continue; 1473 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 1474 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 1475 error("channel_request_local_forwarding: getnameinfo failed"); 1476 continue; 1477 } 1478 /* Create a port to listen for the host. */ 1479 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1480 if (sock < 0) { 1481 /* this is no error since kernel may not support ipv6 */ 1482 verbose("socket: %.100s", strerror(errno)); 1483 continue; 1484 } 1485 /* 1486 * Set socket options. We would like the socket to disappear 1487 * as soon as it has been closed for whatever reason. 1488 */ 1489 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); 1490 linger.l_onoff = 1; 1491 linger.l_linger = 5; 1492 setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); 1493 debug("Local forwarding listening on %s port %s.", ntop, strport); 1494 1495 /* Bind the socket to the address. */ 1496 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1497 /* address can be in use ipv6 address is already bound */ 1498 verbose("bind: %.100s", strerror(errno)); 1499 close(sock); 1500 continue; 1501 } 1502 /* Start listening for connections on the socket. */ 1503 if (listen(sock, 5) < 0) { 1504 error("listen: %.100s", strerror(errno)); 1505 close(sock); 1506 continue; 1507 } 1508 /* Allocate a channel number for the socket. */ 1509 ch = channel_new( 1510 "port listener", SSH_CHANNEL_PORT_LISTENER, 1511 sock, sock, -1, 1512 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1513 0, xstrdup("port listener")); 1514 strlcpy(channels[ch].path, host, sizeof(channels[ch].path)); 1515 channels[ch].host_port = host_port; 1516 channels[ch].listening_port = port; 1517 success = 1; 1518 } 1519 if (success == 0) 1520 packet_disconnect("cannot listen port: %d", port); 1521 freeaddrinfo(aitop); 1522 } 1523 1524 /* 1525 * Initiate forwarding of connections to port "port" on remote host through 1526 * the secure channel to host:port from local side. 1527 */ 1528 1529 void 1530 channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect, 1531 u_short port_to_connect) 1532 { 1533 int payload_len; 1534 /* Record locally that connection to this host/port is permitted. */ 1535 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 1536 fatal("channel_request_remote_forwarding: too many forwards"); 1537 1538 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 1539 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 1540 permitted_opens[num_permitted_opens].listen_port = listen_port; 1541 num_permitted_opens++; 1542 1543 /* Send the forward request to the remote side. */ 1544 if (compat20) { 1545 const char *address_to_bind = "0.0.0.0"; 1546 packet_start(SSH2_MSG_GLOBAL_REQUEST); 1547 packet_put_cstring("tcpip-forward"); 1548 packet_put_char(0); /* boolean: want reply */ 1549 packet_put_cstring(address_to_bind); 1550 packet_put_int(listen_port); 1551 } else { 1552 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 1553 packet_put_int(listen_port); 1554 packet_put_cstring(host_to_connect); 1555 packet_put_int(port_to_connect); 1556 packet_send(); 1557 packet_write_wait(); 1558 /* 1559 * Wait for response from the remote side. It will send a disconnect 1560 * message on failure, and we will never see it here. 1561 */ 1562 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); 1563 } 1564 } 1565 1566 /* 1567 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 1568 * listening for the port, and sends back a success reply (or disconnect 1569 * message if there was an error). This never returns if there was an error. 1570 */ 1571 1572 void 1573 channel_input_port_forward_request(int is_root, int gateway_ports) 1574 { 1575 u_short port, host_port; 1576 char *hostname; 1577 1578 /* Get arguments from the packet. */ 1579 port = packet_get_int(); 1580 hostname = packet_get_string(NULL); 1581 host_port = packet_get_int(); 1582 1583 /* 1584 * Check that an unprivileged user is not trying to forward a 1585 * privileged port. 1586 */ 1587 if (port < IPPORT_RESERVED && !is_root) 1588 packet_disconnect("Requested forwarding of port %d but user is not root.", 1589 port); 1590 /* 1591 * Initiate forwarding, 1592 */ 1593 channel_request_local_forwarding(port, hostname, host_port, gateway_ports); 1594 1595 /* Free the argument string. */ 1596 xfree(hostname); 1597 } 1598 1599 /* XXX move to aux.c */ 1600 int 1601 channel_connect_to(const char *host, u_short host_port) 1602 { 1603 struct addrinfo hints, *ai, *aitop; 1604 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 1605 int gaierr; 1606 int sock = -1; 1607 1608 memset(&hints, 0, sizeof(hints)); 1609 hints.ai_family = IPv4or6; 1610 hints.ai_socktype = SOCK_STREAM; 1611 snprintf(strport, sizeof strport, "%d", host_port); 1612 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { 1613 error("%.100s: unknown host (%s)", host, gai_strerror(gaierr)); 1614 return -1; 1615 } 1616 for (ai = aitop; ai; ai = ai->ai_next) { 1617 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1618 continue; 1619 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 1620 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 1621 error("channel_connect_to: getnameinfo failed"); 1622 continue; 1623 } 1624 /* Create the socket. */ 1625 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1626 if (sock < 0) { 1627 error("socket: %.100s", strerror(errno)); 1628 continue; 1629 } 1630 /* Connect to the host/port. */ 1631 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1632 error("connect %.100s port %s: %.100s", ntop, strport, 1633 strerror(errno)); 1634 close(sock); 1635 continue; /* fail -- try next */ 1636 } 1637 break; /* success */ 1638 1639 } 1640 freeaddrinfo(aitop); 1641 if (!ai) { 1642 error("connect %.100s port %d: failed.", host, host_port); 1643 return -1; 1644 } 1645 /* success */ 1646 return sock; 1647 } 1648 /* 1649 * This is called after receiving PORT_OPEN message. This attempts to 1650 * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION 1651 * or CHANNEL_OPEN_FAILURE. 1652 */ 1653 1654 void 1655 channel_input_port_open(int type, int plen) 1656 { 1657 u_short host_port; 1658 char *host, *originator_string; 1659 int remote_channel, sock = -1, newch, i, denied; 1660 unsigned int host_len, originator_len; 1661 1662 /* Get remote channel number. */ 1663 remote_channel = packet_get_int(); 1664 1665 /* Get host name to connect to. */ 1666 host = packet_get_string(&host_len); 1667 1668 /* Get port to connect to. */ 1669 host_port = packet_get_int(); 1670 1671 /* Get remote originator name. */ 1672 if (have_hostname_in_open) { 1673 originator_string = packet_get_string(&originator_len); 1674 originator_len += 4; /* size of packet_int */ 1675 } else { 1676 originator_string = xstrdup("unknown (remote did not supply name)"); 1677 originator_len = 0; /* no originator supplied */ 1678 } 1679 1680 packet_integrity_check(plen, 1681 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN); 1682 1683 /* Check if opening that port is permitted. */ 1684 denied = 0; 1685 if (!all_opens_permitted) { 1686 /* Go trough all permitted ports. */ 1687 for (i = 0; i < num_permitted_opens; i++) 1688 if (permitted_opens[i].port_to_connect == host_port && 1689 strcmp(permitted_opens[i].host_to_connect, host) == 0) 1690 break; 1691 1692 /* Check if we found the requested port among those permitted. */ 1693 if (i >= num_permitted_opens) { 1694 /* The port is not permitted. */ 1695 log("Received request to connect to %.100s:%d, but the request was denied.", 1696 host, host_port); 1697 denied = 1; 1698 } 1699 } 1700 sock = denied ? -1 : channel_connect_to(host, host_port); 1701 if (sock > 0) { 1702 /* Allocate a channel for this connection. */ 1703 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string); 1704 channels[newch].remote_id = remote_channel; 1705 1706 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1707 packet_put_int(remote_channel); 1708 packet_put_int(newch); 1709 packet_send(); 1710 } else { 1711 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1712 packet_put_int(remote_channel); 1713 packet_send(); 1714 } 1715 xfree(host); 1716 } 1717 1718 /* 1719 * Creates an internet domain socket for listening for X11 connections. 1720 * Returns a suitable value for the DISPLAY variable, or NULL if an error 1721 * occurs. 1722 */ 1723 1724 #define NUM_SOCKS 10 1725 1726 char * 1727 x11_create_display_inet(int screen_number, int x11_display_offset) 1728 { 1729 int display_number, sock; 1730 u_short port; 1731 struct addrinfo hints, *ai, *aitop; 1732 char strport[NI_MAXSERV]; 1733 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 1734 char display[512]; 1735 char hostname[MAXHOSTNAMELEN]; 1736 1737 for (display_number = x11_display_offset; 1738 display_number < MAX_DISPLAYS; 1739 display_number++) { 1740 port = 6000 + display_number; 1741 memset(&hints, 0, sizeof(hints)); 1742 hints.ai_family = IPv4or6; 1743 hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */ 1744 hints.ai_socktype = SOCK_STREAM; 1745 snprintf(strport, sizeof strport, "%d", port); 1746 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 1747 error("getaddrinfo: %.100s", gai_strerror(gaierr)); 1748 return NULL; 1749 } 1750 for (ai = aitop; ai; ai = ai->ai_next) { 1751 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1752 continue; 1753 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1754 if (sock < 0) { 1755 error("socket: %.100s", strerror(errno)); 1756 return NULL; 1757 } 1758 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1759 debug("bind port %d: %.100s", port, strerror(errno)); 1760 shutdown(sock, SHUT_RDWR); 1761 close(sock); 1762 for (n = 0; n < num_socks; n++) { 1763 shutdown(socks[n], SHUT_RDWR); 1764 close(socks[n]); 1765 } 1766 num_socks = 0; 1767 break; 1768 } 1769 socks[num_socks++] = sock; 1770 if (num_socks == NUM_SOCKS) 1771 break; 1772 } 1773 if (num_socks > 0) 1774 break; 1775 } 1776 if (display_number >= MAX_DISPLAYS) { 1777 error("Failed to allocate internet-domain X11 display socket."); 1778 return NULL; 1779 } 1780 /* Start listening for connections on the socket. */ 1781 for (n = 0; n < num_socks; n++) { 1782 sock = socks[n]; 1783 if (listen(sock, 5) < 0) { 1784 error("listen: %.100s", strerror(errno)); 1785 shutdown(sock, SHUT_RDWR); 1786 close(sock); 1787 return NULL; 1788 } 1789 } 1790 1791 /* Set up a suitable value for the DISPLAY variable. */ 1792 if (gethostname(hostname, sizeof(hostname)) < 0) 1793 fatal("gethostname: %.100s", strerror(errno)); 1794 snprintf(display, sizeof display, "%.400s:%d.%d", hostname, 1795 display_number, screen_number); 1796 1797 /* Allocate a channel for each socket. */ 1798 for (n = 0; n < num_socks; n++) { 1799 sock = socks[n]; 1800 (void) channel_new("x11 listener", 1801 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 1802 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 1803 0, xstrdup("X11 inet listener")); 1804 } 1805 1806 /* Return a suitable value for the DISPLAY environment variable. */ 1807 return xstrdup(display); 1808 } 1809 1810 #ifndef X_UNIX_PATH 1811 #define X_UNIX_PATH "/tmp/.X11-unix/X" 1812 #endif 1813 1814 static 1815 int 1816 connect_local_xsocket(unsigned int dnr) 1817 { 1818 static const char *const x_sockets[] = { 1819 X_UNIX_PATH "%u", 1820 "/var/X/.X11-unix/X" "%u", 1821 "/usr/spool/sockets/X11/" "%u", 1822 NULL 1823 }; 1824 int sock; 1825 struct sockaddr_un addr; 1826 const char *const * path; 1827 1828 for (path = x_sockets; *path; ++path) { 1829 sock = socket(AF_UNIX, SOCK_STREAM, 0); 1830 if (sock < 0) 1831 error("socket: %.100s", strerror(errno)); 1832 memset(&addr, 0, sizeof(addr)); 1833 addr.sun_family = AF_UNIX; 1834 snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr); 1835 if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0) 1836 return sock; 1837 close(sock); 1838 } 1839 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 1840 return -1; 1841 } 1842 1843 int 1844 x11_connect_display(void) 1845 { 1846 int display_number, sock = 0; 1847 const char *display; 1848 char buf[1024], *cp; 1849 struct addrinfo hints, *ai, *aitop; 1850 char strport[NI_MAXSERV]; 1851 int gaierr; 1852 1853 /* Try to open a socket for the local X server. */ 1854 display = getenv("DISPLAY"); 1855 if (!display) { 1856 error("DISPLAY not set."); 1857 return -1; 1858 } 1859 /* 1860 * Now we decode the value of the DISPLAY variable and make a 1861 * connection to the real X server. 1862 */ 1863 1864 /* 1865 * Check if it is a unix domain socket. Unix domain displays are in 1866 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 1867 */ 1868 if (strncmp(display, "unix:", 5) == 0 || 1869 display[0] == ':') { 1870 /* Connect to the unix domain socket. */ 1871 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) { 1872 error("Could not parse display number from DISPLAY: %.100s", 1873 display); 1874 return -1; 1875 } 1876 /* Create a socket. */ 1877 sock = connect_local_xsocket(display_number); 1878 if (sock < 0) 1879 return -1; 1880 1881 /* OK, we now have a connection to the display. */ 1882 return sock; 1883 } 1884 /* 1885 * Connect to an inet socket. The DISPLAY value is supposedly 1886 * hostname:d[.s], where hostname may also be numeric IP address. 1887 */ 1888 strncpy(buf, display, sizeof(buf)); 1889 buf[sizeof(buf) - 1] = 0; 1890 cp = strchr(buf, ':'); 1891 if (!cp) { 1892 error("Could not find ':' in DISPLAY: %.100s", display); 1893 return -1; 1894 } 1895 *cp = 0; 1896 /* buf now contains the host name. But first we parse the display number. */ 1897 if (sscanf(cp + 1, "%d", &display_number) != 1) { 1898 error("Could not parse display number from DISPLAY: %.100s", 1899 display); 1900 return -1; 1901 } 1902 1903 /* Look up the host address */ 1904 memset(&hints, 0, sizeof(hints)); 1905 hints.ai_family = IPv4or6; 1906 hints.ai_socktype = SOCK_STREAM; 1907 snprintf(strport, sizeof strport, "%d", 6000 + display_number); 1908 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 1909 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); 1910 return -1; 1911 } 1912 for (ai = aitop; ai; ai = ai->ai_next) { 1913 /* Create a socket. */ 1914 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1915 if (sock < 0) { 1916 debug("socket: %.100s", strerror(errno)); 1917 continue; 1918 } 1919 /* Connect it to the display. */ 1920 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1921 debug("connect %.100s port %d: %.100s", buf, 1922 6000 + display_number, strerror(errno)); 1923 close(sock); 1924 continue; 1925 } 1926 /* Success */ 1927 break; 1928 } 1929 freeaddrinfo(aitop); 1930 if (!ai) { 1931 error("connect %.100s port %d: %.100s", buf, 6000 + display_number, 1932 strerror(errno)); 1933 return -1; 1934 } 1935 return sock; 1936 } 1937 1938 /* 1939 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 1940 * the remote channel number. We should do whatever we want, and respond 1941 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 1942 */ 1943 1944 void 1945 x11_input_open(int type, int plen) 1946 { 1947 int remote_channel, sock = 0, newch; 1948 char *remote_host; 1949 unsigned int remote_len; 1950 1951 /* Get remote channel number. */ 1952 remote_channel = packet_get_int(); 1953 1954 /* Get remote originator name. */ 1955 if (have_hostname_in_open) { 1956 remote_host = packet_get_string(&remote_len); 1957 remote_len += 4; 1958 } else { 1959 remote_host = xstrdup("unknown (remote did not supply name)"); 1960 remote_len = 0; 1961 } 1962 1963 debug("Received X11 open request."); 1964 packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN); 1965 1966 /* Obtain a connection to the real X display. */ 1967 sock = x11_connect_display(); 1968 if (sock == -1) { 1969 /* Send refusal to the remote host. */ 1970 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1971 packet_put_int(remote_channel); 1972 packet_send(); 1973 } else { 1974 /* Allocate a channel for this connection. */ 1975 newch = channel_allocate( 1976 (x11_saved_proto == NULL) ? 1977 SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN, 1978 sock, remote_host); 1979 channels[newch].remote_id = remote_channel; 1980 1981 /* Send a confirmation to the remote host. */ 1982 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1983 packet_put_int(remote_channel); 1984 packet_put_int(newch); 1985 packet_send(); 1986 } 1987 } 1988 1989 /* 1990 * Requests forwarding of X11 connections, generates fake authentication 1991 * data, and enables authentication spoofing. 1992 */ 1993 1994 void 1995 x11_request_forwarding_with_spoofing(int client_session_id, 1996 const char *proto, const char *data) 1997 { 1998 unsigned int data_len = (unsigned int) strlen(data) / 2; 1999 unsigned int i, value; 2000 char *new_data; 2001 int screen_number; 2002 const char *cp; 2003 u_int32_t rand = 0; 2004 2005 cp = getenv("DISPLAY"); 2006 if (cp) 2007 cp = strchr(cp, ':'); 2008 if (cp) 2009 cp = strchr(cp, '.'); 2010 if (cp) 2011 screen_number = atoi(cp + 1); 2012 else 2013 screen_number = 0; 2014 2015 /* Save protocol name. */ 2016 x11_saved_proto = xstrdup(proto); 2017 2018 /* 2019 * Extract real authentication data and generate fake data of the 2020 * same length. 2021 */ 2022 x11_saved_data = xmalloc(data_len); 2023 x11_fake_data = xmalloc(data_len); 2024 for (i = 0; i < data_len; i++) { 2025 if (sscanf(data + 2 * i, "%2x", &value) != 1) 2026 fatal("x11_request_forwarding: bad authentication data: %.100s", data); 2027 if (i % 4 == 0) 2028 rand = arc4random(); 2029 x11_saved_data[i] = value; 2030 x11_fake_data[i] = rand & 0xff; 2031 rand >>= 8; 2032 } 2033 x11_saved_data_len = data_len; 2034 x11_fake_data_len = data_len; 2035 2036 /* Convert the fake data into hex. */ 2037 new_data = xmalloc(2 * data_len + 1); 2038 for (i = 0; i < data_len; i++) 2039 sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]); 2040 2041 /* Send the request packet. */ 2042 if (compat20) { 2043 channel_request_start(client_session_id, "x11-req", 0); 2044 packet_put_char(0); /* XXX bool single connection */ 2045 } else { 2046 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 2047 } 2048 packet_put_cstring(proto); 2049 packet_put_cstring(new_data); 2050 packet_put_int(screen_number); 2051 packet_send(); 2052 packet_write_wait(); 2053 xfree(new_data); 2054 } 2055 2056 /* Sends a message to the server to request authentication fd forwarding. */ 2057 2058 void 2059 auth_request_forwarding() 2060 { 2061 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 2062 packet_send(); 2063 packet_write_wait(); 2064 } 2065 2066 /* 2067 * Returns the name of the forwarded authentication socket. Returns NULL if 2068 * there is no forwarded authentication socket. The returned value points to 2069 * a static buffer. 2070 */ 2071 2072 char * 2073 auth_get_socket_name() 2074 { 2075 return channel_forwarded_auth_socket_name; 2076 } 2077 2078 /* removes the agent forwarding socket */ 2079 2080 void 2081 cleanup_socket(void) 2082 { 2083 remove(channel_forwarded_auth_socket_name); 2084 rmdir(channel_forwarded_auth_socket_dir); 2085 } 2086 2087 /* 2088 * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. 2089 * This starts forwarding authentication requests. 2090 */ 2091 2092 int 2093 auth_input_request_forwarding(struct passwd * pw) 2094 { 2095 int sock, newch; 2096 struct sockaddr_un sunaddr; 2097 2098 if (auth_get_socket_name() != NULL) 2099 fatal("Protocol error: authentication forwarding requested twice."); 2100 2101 /* Temporarily drop privileged uid for mkdir/bind. */ 2102 temporarily_use_uid(pw->pw_uid); 2103 2104 /* Allocate a buffer for the socket name, and format the name. */ 2105 channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME); 2106 channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME); 2107 strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); 2108 2109 /* Create private directory for socket */ 2110 if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) { 2111 packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s", 2112 strerror(errno)); 2113 restore_uid(); 2114 xfree(channel_forwarded_auth_socket_name); 2115 xfree(channel_forwarded_auth_socket_dir); 2116 channel_forwarded_auth_socket_name = NULL; 2117 channel_forwarded_auth_socket_dir = NULL; 2118 return 0; 2119 } 2120 snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", 2121 channel_forwarded_auth_socket_dir, (int) getpid()); 2122 2123 if (atexit(cleanup_socket) < 0) { 2124 int saved = errno; 2125 cleanup_socket(); 2126 packet_disconnect("socket: %.100s", strerror(saved)); 2127 } 2128 /* Create the socket. */ 2129 sock = socket(AF_UNIX, SOCK_STREAM, 0); 2130 if (sock < 0) 2131 packet_disconnect("socket: %.100s", strerror(errno)); 2132 2133 /* Bind it to the name. */ 2134 memset(&sunaddr, 0, sizeof(sunaddr)); 2135 sunaddr.sun_family = AF_UNIX; 2136 strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name, 2137 sizeof(sunaddr.sun_path)); 2138 2139 if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) 2140 packet_disconnect("bind: %.100s", strerror(errno)); 2141 2142 /* Restore the privileged uid. */ 2143 restore_uid(); 2144 2145 /* Start listening on the socket. */ 2146 if (listen(sock, 5) < 0) 2147 packet_disconnect("listen: %.100s", strerror(errno)); 2148 2149 /* Allocate a channel for the authentication agent socket. */ 2150 newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock, 2151 xstrdup("auth socket")); 2152 strlcpy(channels[newch].path, channel_forwarded_auth_socket_name, 2153 sizeof(channels[newch].path)); 2154 return 1; 2155 } 2156 2157 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ 2158 2159 void 2160 auth_input_open_request(int type, int plen) 2161 { 2162 int remch, sock, newch; 2163 char *dummyname; 2164 2165 packet_integrity_check(plen, 4, type); 2166 2167 /* Read the remote channel number from the message. */ 2168 remch = packet_get_int(); 2169 2170 /* 2171 * Get a connection to the local authentication agent (this may again 2172 * get forwarded). 2173 */ 2174 sock = ssh_get_authentication_socket(); 2175 2176 /* 2177 * If we could not connect the agent, send an error message back to 2178 * the server. This should never happen unless the agent dies, 2179 * because authentication forwarding is only enabled if we have an 2180 * agent. 2181 */ 2182 if (sock < 0) { 2183 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2184 packet_put_int(remch); 2185 packet_send(); 2186 return; 2187 } 2188 debug("Forwarding authentication connection."); 2189 2190 /* 2191 * Dummy host name. This will be freed when the channel is freed; it 2192 * will still be valid in the packet_put_string below since the 2193 * channel cannot yet be freed at that point. 2194 */ 2195 dummyname = xstrdup("authentication agent connection"); 2196 2197 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname); 2198 channels[newch].remote_id = remch; 2199 2200 /* Send a confirmation to the remote host. */ 2201 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 2202 packet_put_int(remch); 2203 packet_put_int(newch); 2204 packet_send(); 2205 } 2206 2207 void 2208 channel_start_open(int id) 2209 { 2210 Channel *c = channel_lookup(id); 2211 if (c == NULL) { 2212 log("channel_open: %d: bad id", id); 2213 return; 2214 } 2215 debug("send channel open %d", id); 2216 packet_start(SSH2_MSG_CHANNEL_OPEN); 2217 packet_put_cstring(c->ctype); 2218 packet_put_int(c->self); 2219 packet_put_int(c->local_window); 2220 packet_put_int(c->local_maxpacket); 2221 } 2222 void 2223 channel_open(int id) 2224 { 2225 /* XXX REMOVE ME */ 2226 channel_start_open(id); 2227 packet_send(); 2228 } 2229 void 2230 channel_request(int id, char *service, int wantconfirm) 2231 { 2232 channel_request_start(id, service, wantconfirm); 2233 packet_send(); 2234 debug("channel request %d: %s", id, service) ; 2235 } 2236 void 2237 channel_request_start(int id, char *service, int wantconfirm) 2238 { 2239 Channel *c = channel_lookup(id); 2240 if (c == NULL) { 2241 log("channel_request: %d: bad id", id); 2242 return; 2243 } 2244 packet_start(SSH2_MSG_CHANNEL_REQUEST); 2245 packet_put_int(c->remote_id); 2246 packet_put_cstring(service); 2247 packet_put_char(wantconfirm); 2248 } 2249 void 2250 channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg) 2251 { 2252 Channel *c = channel_lookup(id); 2253 if (c == NULL) { 2254 log("channel_register_callback: %d: bad id", id); 2255 return; 2256 } 2257 c->cb_event = mtype; 2258 c->cb_fn = fn; 2259 c->cb_arg = arg; 2260 } 2261 void 2262 channel_register_cleanup(int id, channel_callback_fn *fn) 2263 { 2264 Channel *c = channel_lookup(id); 2265 if (c == NULL) { 2266 log("channel_register_cleanup: %d: bad id", id); 2267 return; 2268 } 2269 c->dettach_user = fn; 2270 } 2271 void 2272 channel_cancel_cleanup(int id) 2273 { 2274 Channel *c = channel_lookup(id); 2275 if (c == NULL) { 2276 log("channel_cancel_cleanup: %d: bad id", id); 2277 return; 2278 } 2279 c->dettach_user = NULL; 2280 } 2281 void 2282 channel_register_filter(int id, channel_filter_fn *fn) 2283 { 2284 Channel *c = channel_lookup(id); 2285 if (c == NULL) { 2286 log("channel_register_filter: %d: bad id", id); 2287 return; 2288 } 2289 c->input_filter = fn; 2290 } 2291 2292 void 2293 channel_set_fds(int id, int rfd, int wfd, int efd, int extusage) 2294 { 2295 Channel *c = channel_lookup(id); 2296 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 2297 fatal("channel_activate for non-larval channel %d.", id); 2298 2299 channel_register_fds(c, rfd, wfd, efd, extusage); 2300 c->type = SSH_CHANNEL_OPEN; 2301 /* XXX window size? */ 2302 c->local_window = c->local_window_max = c->local_maxpacket * 2; 2303 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 2304 packet_put_int(c->remote_id); 2305 packet_put_int(c->local_window); 2306 packet_send(); 2307 } 2308