1 /* $OpenBSD: channels.c,v 1.295 2009/02/12 03:00:56 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 44 #include <sys/types.h> 45 #include <sys/ioctl.h> 46 #include <sys/un.h> 47 #include <sys/socket.h> 48 #ifdef HAVE_SYS_TIME_H 49 # include <sys/time.h> 50 #endif 51 52 #include <netinet/in.h> 53 #include <arpa/inet.h> 54 55 #include <errno.h> 56 #include <netdb.h> 57 #include <stdio.h> 58 #include <stdlib.h> 59 #include <string.h> 60 #include <termios.h> 61 #include <unistd.h> 62 #include <stdarg.h> 63 64 #include "openbsd-compat/sys-queue.h" 65 #include "xmalloc.h" 66 #include "ssh.h" 67 #include "ssh1.h" 68 #include "ssh2.h" 69 #include "packet.h" 70 #include "log.h" 71 #include "misc.h" 72 #include "buffer.h" 73 #include "channels.h" 74 #include "compat.h" 75 #include "canohost.h" 76 #include "key.h" 77 #include "authfd.h" 78 #include "pathnames.h" 79 80 /* -- channel core */ 81 82 /* 83 * Pointer to an array containing all allocated channels. The array is 84 * dynamically extended as needed. 85 */ 86 static Channel **channels = NULL; 87 88 /* 89 * Size of the channel array. All slots of the array must always be 90 * initialized (at least the type field); unused slots set to NULL 91 */ 92 static u_int channels_alloc = 0; 93 94 /* 95 * Maximum file descriptor value used in any of the channels. This is 96 * updated in channel_new. 97 */ 98 static int channel_max_fd = 0; 99 100 101 /* -- tcp forwarding */ 102 103 /* 104 * Data structure for storing which hosts are permitted for forward requests. 105 * The local sides of any remote forwards are stored in this array to prevent 106 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 107 * network (which might be behind a firewall). 108 */ 109 typedef struct { 110 char *host_to_connect; /* Connect to 'host'. */ 111 u_short port_to_connect; /* Connect to 'port'. */ 112 u_short listen_port; /* Remote side should listen port number. */ 113 } ForwardPermission; 114 115 /* List of all permitted host/port pairs to connect by the user. */ 116 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 117 118 /* List of all permitted host/port pairs to connect by the admin. */ 119 static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 120 121 /* Number of permitted host/port pairs in the array permitted by the user. */ 122 static int num_permitted_opens = 0; 123 124 /* Number of permitted host/port pair in the array permitted by the admin. */ 125 static int num_adm_permitted_opens = 0; 126 127 /* 128 * If this is true, all opens are permitted. This is the case on the server 129 * on which we have to trust the client anyway, and the user could do 130 * anything after logging in anyway. 131 */ 132 static int all_opens_permitted = 0; 133 134 135 /* -- X11 forwarding */ 136 137 /* Maximum number of fake X11 displays to try. */ 138 #define MAX_DISPLAYS 1000 139 140 /* Saved X11 local (client) display. */ 141 static char *x11_saved_display = NULL; 142 143 /* Saved X11 authentication protocol name. */ 144 static char *x11_saved_proto = NULL; 145 146 /* Saved X11 authentication data. This is the real data. */ 147 static char *x11_saved_data = NULL; 148 static u_int x11_saved_data_len = 0; 149 150 /* 151 * Fake X11 authentication data. This is what the server will be sending us; 152 * we should replace any occurrences of this by the real data. 153 */ 154 static u_char *x11_fake_data = NULL; 155 static u_int x11_fake_data_len; 156 157 158 /* -- agent forwarding */ 159 160 #define NUM_SOCKS 10 161 162 /* AF_UNSPEC or AF_INET or AF_INET6 */ 163 static int IPv4or6 = AF_UNSPEC; 164 165 /* helper */ 166 static void port_open_helper(Channel *c, char *rtype); 167 168 /* non-blocking connect helpers */ 169 static int connect_next(struct channel_connect *); 170 static void channel_connect_ctx_free(struct channel_connect *); 171 172 /* -- channel core */ 173 174 Channel * 175 channel_by_id(int id) 176 { 177 Channel *c; 178 179 if (id < 0 || (u_int)id >= channels_alloc) { 180 logit("channel_by_id: %d: bad id", id); 181 return NULL; 182 } 183 c = channels[id]; 184 if (c == NULL) { 185 logit("channel_by_id: %d: bad id: channel free", id); 186 return NULL; 187 } 188 return c; 189 } 190 191 /* 192 * Returns the channel if it is allowed to receive protocol messages. 193 * Private channels, like listening sockets, may not receive messages. 194 */ 195 Channel * 196 channel_lookup(int id) 197 { 198 Channel *c; 199 200 if ((c = channel_by_id(id)) == NULL) 201 return (NULL); 202 203 switch (c->type) { 204 case SSH_CHANNEL_X11_OPEN: 205 case SSH_CHANNEL_LARVAL: 206 case SSH_CHANNEL_CONNECTING: 207 case SSH_CHANNEL_DYNAMIC: 208 case SSH_CHANNEL_OPENING: 209 case SSH_CHANNEL_OPEN: 210 case SSH_CHANNEL_INPUT_DRAINING: 211 case SSH_CHANNEL_OUTPUT_DRAINING: 212 return (c); 213 } 214 logit("Non-public channel %d, type %d.", id, c->type); 215 return (NULL); 216 } 217 218 /* 219 * Register filedescriptors for a channel, used when allocating a channel or 220 * when the channel consumer/producer is ready, e.g. shell exec'd 221 */ 222 static void 223 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 224 int extusage, int nonblock, int is_tty) 225 { 226 /* Update the maximum file descriptor value. */ 227 channel_max_fd = MAX(channel_max_fd, rfd); 228 channel_max_fd = MAX(channel_max_fd, wfd); 229 channel_max_fd = MAX(channel_max_fd, efd); 230 231 /* XXX set close-on-exec -markus */ 232 233 c->rfd = rfd; 234 c->wfd = wfd; 235 c->sock = (rfd == wfd) ? rfd : -1; 236 c->ctl_fd = -1; /* XXX: set elsewhere */ 237 c->efd = efd; 238 c->extended_usage = extusage; 239 240 if ((c->isatty = is_tty) != 0) 241 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 242 c->wfd_isatty = is_tty || isatty(c->wfd); 243 244 /* enable nonblocking mode */ 245 if (nonblock) { 246 if (rfd != -1) 247 set_nonblock(rfd); 248 if (wfd != -1) 249 set_nonblock(wfd); 250 if (efd != -1) 251 set_nonblock(efd); 252 } 253 } 254 255 /* 256 * Allocate a new channel object and set its type and socket. This will cause 257 * remote_name to be freed. 258 */ 259 Channel * 260 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 261 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 262 { 263 int found; 264 u_int i; 265 Channel *c; 266 267 /* Do initial allocation if this is the first call. */ 268 if (channels_alloc == 0) { 269 channels_alloc = 10; 270 channels = xcalloc(channels_alloc, sizeof(Channel *)); 271 for (i = 0; i < channels_alloc; i++) 272 channels[i] = NULL; 273 } 274 /* Try to find a free slot where to put the new channel. */ 275 for (found = -1, i = 0; i < channels_alloc; i++) 276 if (channels[i] == NULL) { 277 /* Found a free slot. */ 278 found = (int)i; 279 break; 280 } 281 if (found < 0) { 282 /* There are no free slots. Take last+1 slot and expand the array. */ 283 found = channels_alloc; 284 if (channels_alloc > 10000) 285 fatal("channel_new: internal error: channels_alloc %d " 286 "too big.", channels_alloc); 287 channels = xrealloc(channels, channels_alloc + 10, 288 sizeof(Channel *)); 289 channels_alloc += 10; 290 debug2("channel: expanding %d", channels_alloc); 291 for (i = found; i < channels_alloc; i++) 292 channels[i] = NULL; 293 } 294 /* Initialize and return new channel. */ 295 c = channels[found] = xcalloc(1, sizeof(Channel)); 296 buffer_init(&c->input); 297 buffer_init(&c->output); 298 buffer_init(&c->extended); 299 c->path = NULL; 300 c->ostate = CHAN_OUTPUT_OPEN; 301 c->istate = CHAN_INPUT_OPEN; 302 c->flags = 0; 303 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); 304 c->self = found; 305 c->type = type; 306 c->ctype = ctype; 307 c->local_window = window; 308 c->local_window_max = window; 309 c->local_consumed = 0; 310 c->local_maxpacket = maxpack; 311 c->remote_id = -1; 312 c->remote_name = xstrdup(remote_name); 313 c->remote_window = 0; 314 c->remote_maxpacket = 0; 315 c->force_drain = 0; 316 c->single_connection = 0; 317 c->detach_user = NULL; 318 c->detach_close = 0; 319 c->open_confirm = NULL; 320 c->open_confirm_ctx = NULL; 321 c->input_filter = NULL; 322 c->output_filter = NULL; 323 c->filter_ctx = NULL; 324 c->filter_cleanup = NULL; 325 TAILQ_INIT(&c->status_confirms); 326 debug("channel %d: new [%s]", found, remote_name); 327 return c; 328 } 329 330 static int 331 channel_find_maxfd(void) 332 { 333 u_int i; 334 int max = 0; 335 Channel *c; 336 337 for (i = 0; i < channels_alloc; i++) { 338 c = channels[i]; 339 if (c != NULL) { 340 max = MAX(max, c->rfd); 341 max = MAX(max, c->wfd); 342 max = MAX(max, c->efd); 343 } 344 } 345 return max; 346 } 347 348 int 349 channel_close_fd(int *fdp) 350 { 351 int ret = 0, fd = *fdp; 352 353 if (fd != -1) { 354 ret = close(fd); 355 *fdp = -1; 356 if (fd == channel_max_fd) 357 channel_max_fd = channel_find_maxfd(); 358 } 359 return ret; 360 } 361 362 /* Close all channel fd/socket. */ 363 static void 364 channel_close_fds(Channel *c) 365 { 366 debug3("channel %d: close_fds r %d w %d e %d c %d", 367 c->self, c->rfd, c->wfd, c->efd, c->ctl_fd); 368 369 channel_close_fd(&c->sock); 370 channel_close_fd(&c->ctl_fd); 371 channel_close_fd(&c->rfd); 372 channel_close_fd(&c->wfd); 373 channel_close_fd(&c->efd); 374 } 375 376 /* Free the channel and close its fd/socket. */ 377 void 378 channel_free(Channel *c) 379 { 380 char *s; 381 u_int i, n; 382 struct channel_confirm *cc; 383 384 for (n = 0, i = 0; i < channels_alloc; i++) 385 if (channels[i]) 386 n++; 387 debug("channel %d: free: %s, nchannels %u", c->self, 388 c->remote_name ? c->remote_name : "???", n); 389 390 s = channel_open_message(); 391 debug3("channel %d: status: %s", c->self, s); 392 xfree(s); 393 394 if (c->sock != -1) 395 shutdown(c->sock, SHUT_RDWR); 396 if (c->ctl_fd != -1) 397 shutdown(c->ctl_fd, SHUT_RDWR); 398 channel_close_fds(c); 399 buffer_free(&c->input); 400 buffer_free(&c->output); 401 buffer_free(&c->extended); 402 if (c->remote_name) { 403 xfree(c->remote_name); 404 c->remote_name = NULL; 405 } 406 if (c->path) { 407 xfree(c->path); 408 c->path = NULL; 409 } 410 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 411 if (cc->abandon_cb != NULL) 412 cc->abandon_cb(c, cc->ctx); 413 TAILQ_REMOVE(&c->status_confirms, cc, entry); 414 bzero(cc, sizeof(*cc)); 415 xfree(cc); 416 } 417 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 418 c->filter_cleanup(c->self, c->filter_ctx); 419 channels[c->self] = NULL; 420 xfree(c); 421 } 422 423 void 424 channel_free_all(void) 425 { 426 u_int i; 427 428 for (i = 0; i < channels_alloc; i++) 429 if (channels[i] != NULL) 430 channel_free(channels[i]); 431 } 432 433 /* 434 * Closes the sockets/fds of all channels. This is used to close extra file 435 * descriptors after a fork. 436 */ 437 void 438 channel_close_all(void) 439 { 440 u_int i; 441 442 for (i = 0; i < channels_alloc; i++) 443 if (channels[i] != NULL) 444 channel_close_fds(channels[i]); 445 } 446 447 /* 448 * Stop listening to channels. 449 */ 450 void 451 channel_stop_listening(void) 452 { 453 u_int i; 454 Channel *c; 455 456 for (i = 0; i < channels_alloc; i++) { 457 c = channels[i]; 458 if (c != NULL) { 459 switch (c->type) { 460 case SSH_CHANNEL_AUTH_SOCKET: 461 case SSH_CHANNEL_PORT_LISTENER: 462 case SSH_CHANNEL_RPORT_LISTENER: 463 case SSH_CHANNEL_X11_LISTENER: 464 channel_close_fd(&c->sock); 465 channel_free(c); 466 break; 467 } 468 } 469 } 470 } 471 472 /* 473 * Returns true if no channel has too much buffered data, and false if one or 474 * more channel is overfull. 475 */ 476 int 477 channel_not_very_much_buffered_data(void) 478 { 479 u_int i; 480 Channel *c; 481 482 for (i = 0; i < channels_alloc; i++) { 483 c = channels[i]; 484 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 485 #if 0 486 if (!compat20 && 487 buffer_len(&c->input) > packet_get_maxsize()) { 488 debug2("channel %d: big input buffer %d", 489 c->self, buffer_len(&c->input)); 490 return 0; 491 } 492 #endif 493 if (buffer_len(&c->output) > packet_get_maxsize()) { 494 debug2("channel %d: big output buffer %u > %u", 495 c->self, buffer_len(&c->output), 496 packet_get_maxsize()); 497 return 0; 498 } 499 } 500 } 501 return 1; 502 } 503 504 /* Returns true if any channel is still open. */ 505 int 506 channel_still_open(void) 507 { 508 u_int i; 509 Channel *c; 510 511 for (i = 0; i < channels_alloc; i++) { 512 c = channels[i]; 513 if (c == NULL) 514 continue; 515 switch (c->type) { 516 case SSH_CHANNEL_X11_LISTENER: 517 case SSH_CHANNEL_PORT_LISTENER: 518 case SSH_CHANNEL_RPORT_LISTENER: 519 case SSH_CHANNEL_CLOSED: 520 case SSH_CHANNEL_AUTH_SOCKET: 521 case SSH_CHANNEL_DYNAMIC: 522 case SSH_CHANNEL_CONNECTING: 523 case SSH_CHANNEL_ZOMBIE: 524 continue; 525 case SSH_CHANNEL_LARVAL: 526 if (!compat20) 527 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 528 continue; 529 case SSH_CHANNEL_OPENING: 530 case SSH_CHANNEL_OPEN: 531 case SSH_CHANNEL_X11_OPEN: 532 return 1; 533 case SSH_CHANNEL_INPUT_DRAINING: 534 case SSH_CHANNEL_OUTPUT_DRAINING: 535 if (!compat13) 536 fatal("cannot happen: OUT_DRAIN"); 537 return 1; 538 default: 539 fatal("channel_still_open: bad channel type %d", c->type); 540 /* NOTREACHED */ 541 } 542 } 543 return 0; 544 } 545 546 /* Returns the id of an open channel suitable for keepaliving */ 547 int 548 channel_find_open(void) 549 { 550 u_int i; 551 Channel *c; 552 553 for (i = 0; i < channels_alloc; i++) { 554 c = channels[i]; 555 if (c == NULL || c->remote_id < 0) 556 continue; 557 switch (c->type) { 558 case SSH_CHANNEL_CLOSED: 559 case SSH_CHANNEL_DYNAMIC: 560 case SSH_CHANNEL_X11_LISTENER: 561 case SSH_CHANNEL_PORT_LISTENER: 562 case SSH_CHANNEL_RPORT_LISTENER: 563 case SSH_CHANNEL_OPENING: 564 case SSH_CHANNEL_CONNECTING: 565 case SSH_CHANNEL_ZOMBIE: 566 continue; 567 case SSH_CHANNEL_LARVAL: 568 case SSH_CHANNEL_AUTH_SOCKET: 569 case SSH_CHANNEL_OPEN: 570 case SSH_CHANNEL_X11_OPEN: 571 return i; 572 case SSH_CHANNEL_INPUT_DRAINING: 573 case SSH_CHANNEL_OUTPUT_DRAINING: 574 if (!compat13) 575 fatal("cannot happen: OUT_DRAIN"); 576 return i; 577 default: 578 fatal("channel_find_open: bad channel type %d", c->type); 579 /* NOTREACHED */ 580 } 581 } 582 return -1; 583 } 584 585 586 /* 587 * Returns a message describing the currently open forwarded connections, 588 * suitable for sending to the client. The message contains crlf pairs for 589 * newlines. 590 */ 591 char * 592 channel_open_message(void) 593 { 594 Buffer buffer; 595 Channel *c; 596 char buf[1024], *cp; 597 u_int i; 598 599 buffer_init(&buffer); 600 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 601 buffer_append(&buffer, buf, strlen(buf)); 602 for (i = 0; i < channels_alloc; i++) { 603 c = channels[i]; 604 if (c == NULL) 605 continue; 606 switch (c->type) { 607 case SSH_CHANNEL_X11_LISTENER: 608 case SSH_CHANNEL_PORT_LISTENER: 609 case SSH_CHANNEL_RPORT_LISTENER: 610 case SSH_CHANNEL_CLOSED: 611 case SSH_CHANNEL_AUTH_SOCKET: 612 case SSH_CHANNEL_ZOMBIE: 613 continue; 614 case SSH_CHANNEL_LARVAL: 615 case SSH_CHANNEL_OPENING: 616 case SSH_CHANNEL_CONNECTING: 617 case SSH_CHANNEL_DYNAMIC: 618 case SSH_CHANNEL_OPEN: 619 case SSH_CHANNEL_X11_OPEN: 620 case SSH_CHANNEL_INPUT_DRAINING: 621 case SSH_CHANNEL_OUTPUT_DRAINING: 622 snprintf(buf, sizeof buf, 623 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cfd %d)\r\n", 624 c->self, c->remote_name, 625 c->type, c->remote_id, 626 c->istate, buffer_len(&c->input), 627 c->ostate, buffer_len(&c->output), 628 c->rfd, c->wfd, c->ctl_fd); 629 buffer_append(&buffer, buf, strlen(buf)); 630 continue; 631 default: 632 fatal("channel_open_message: bad channel type %d", c->type); 633 /* NOTREACHED */ 634 } 635 } 636 buffer_append(&buffer, "\0", 1); 637 cp = xstrdup(buffer_ptr(&buffer)); 638 buffer_free(&buffer); 639 return cp; 640 } 641 642 void 643 channel_send_open(int id) 644 { 645 Channel *c = channel_lookup(id); 646 647 if (c == NULL) { 648 logit("channel_send_open: %d: bad id", id); 649 return; 650 } 651 debug2("channel %d: send open", id); 652 packet_start(SSH2_MSG_CHANNEL_OPEN); 653 packet_put_cstring(c->ctype); 654 packet_put_int(c->self); 655 packet_put_int(c->local_window); 656 packet_put_int(c->local_maxpacket); 657 packet_send(); 658 } 659 660 void 661 channel_request_start(int id, char *service, int wantconfirm) 662 { 663 Channel *c = channel_lookup(id); 664 665 if (c == NULL) { 666 logit("channel_request_start: %d: unknown channel id", id); 667 return; 668 } 669 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 670 packet_start(SSH2_MSG_CHANNEL_REQUEST); 671 packet_put_int(c->remote_id); 672 packet_put_cstring(service); 673 packet_put_char(wantconfirm); 674 } 675 676 void 677 channel_register_status_confirm(int id, channel_confirm_cb *cb, 678 channel_confirm_abandon_cb *abandon_cb, void *ctx) 679 { 680 struct channel_confirm *cc; 681 Channel *c; 682 683 if ((c = channel_lookup(id)) == NULL) 684 fatal("channel_register_expect: %d: bad id", id); 685 686 cc = xmalloc(sizeof(*cc)); 687 cc->cb = cb; 688 cc->abandon_cb = abandon_cb; 689 cc->ctx = ctx; 690 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 691 } 692 693 void 694 channel_register_open_confirm(int id, channel_callback_fn *fn, void *ctx) 695 { 696 Channel *c = channel_lookup(id); 697 698 if (c == NULL) { 699 logit("channel_register_open_confirm: %d: bad id", id); 700 return; 701 } 702 c->open_confirm = fn; 703 c->open_confirm_ctx = ctx; 704 } 705 706 void 707 channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 708 { 709 Channel *c = channel_by_id(id); 710 711 if (c == NULL) { 712 logit("channel_register_cleanup: %d: bad id", id); 713 return; 714 } 715 c->detach_user = fn; 716 c->detach_close = do_close; 717 } 718 719 void 720 channel_cancel_cleanup(int id) 721 { 722 Channel *c = channel_by_id(id); 723 724 if (c == NULL) { 725 logit("channel_cancel_cleanup: %d: bad id", id); 726 return; 727 } 728 c->detach_user = NULL; 729 c->detach_close = 0; 730 } 731 732 void 733 channel_register_filter(int id, channel_infilter_fn *ifn, 734 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 735 { 736 Channel *c = channel_lookup(id); 737 738 if (c == NULL) { 739 logit("channel_register_filter: %d: bad id", id); 740 return; 741 } 742 c->input_filter = ifn; 743 c->output_filter = ofn; 744 c->filter_ctx = ctx; 745 c->filter_cleanup = cfn; 746 } 747 748 void 749 channel_set_fds(int id, int rfd, int wfd, int efd, 750 int extusage, int nonblock, int is_tty, u_int window_max) 751 { 752 Channel *c = channel_lookup(id); 753 754 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 755 fatal("channel_activate for non-larval channel %d.", id); 756 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); 757 c->type = SSH_CHANNEL_OPEN; 758 c->local_window = c->local_window_max = window_max; 759 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 760 packet_put_int(c->remote_id); 761 packet_put_int(c->local_window); 762 packet_send(); 763 } 764 765 /* 766 * 'channel_pre*' are called just before select() to add any bits relevant to 767 * channels in the select bitmasks. 768 */ 769 /* 770 * 'channel_post*': perform any appropriate operations for channels which 771 * have events pending. 772 */ 773 typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 774 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 775 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 776 777 /* ARGSUSED */ 778 static void 779 channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 780 { 781 FD_SET(c->sock, readset); 782 } 783 784 /* ARGSUSED */ 785 static void 786 channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 787 { 788 debug3("channel %d: waiting for connection", c->self); 789 FD_SET(c->sock, writeset); 790 } 791 792 static void 793 channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 794 { 795 if (buffer_len(&c->input) < packet_get_maxsize()) 796 FD_SET(c->sock, readset); 797 if (buffer_len(&c->output) > 0) 798 FD_SET(c->sock, writeset); 799 } 800 801 static void 802 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 803 { 804 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 805 806 if (c->istate == CHAN_INPUT_OPEN && 807 limit > 0 && 808 buffer_len(&c->input) < limit && 809 buffer_check_alloc(&c->input, CHAN_RBUF)) 810 FD_SET(c->rfd, readset); 811 if (c->ostate == CHAN_OUTPUT_OPEN || 812 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 813 if (buffer_len(&c->output) > 0) { 814 FD_SET(c->wfd, writeset); 815 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 816 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 817 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 818 c->self, c->efd, buffer_len(&c->extended)); 819 else 820 chan_obuf_empty(c); 821 } 822 } 823 /** XXX check close conditions, too */ 824 if (compat20 && c->efd != -1 && 825 !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) { 826 if (c->extended_usage == CHAN_EXTENDED_WRITE && 827 buffer_len(&c->extended) > 0) 828 FD_SET(c->efd, writeset); 829 else if (!(c->flags & CHAN_EOF_SENT) && 830 c->extended_usage == CHAN_EXTENDED_READ && 831 buffer_len(&c->extended) < c->remote_window) 832 FD_SET(c->efd, readset); 833 } 834 /* XXX: What about efd? races? */ 835 if (compat20 && c->ctl_fd != -1 && 836 c->istate == CHAN_INPUT_OPEN && c->ostate == CHAN_OUTPUT_OPEN) 837 FD_SET(c->ctl_fd, readset); 838 } 839 840 /* ARGSUSED */ 841 static void 842 channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 843 { 844 if (buffer_len(&c->input) == 0) { 845 packet_start(SSH_MSG_CHANNEL_CLOSE); 846 packet_put_int(c->remote_id); 847 packet_send(); 848 c->type = SSH_CHANNEL_CLOSED; 849 debug2("channel %d: closing after input drain.", c->self); 850 } 851 } 852 853 /* ARGSUSED */ 854 static void 855 channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 856 { 857 if (buffer_len(&c->output) == 0) 858 chan_mark_dead(c); 859 else 860 FD_SET(c->sock, writeset); 861 } 862 863 /* 864 * This is a special state for X11 authentication spoofing. An opened X11 865 * connection (when authentication spoofing is being done) remains in this 866 * state until the first packet has been completely read. The authentication 867 * data in that packet is then substituted by the real data if it matches the 868 * fake data, and the channel is put into normal mode. 869 * XXX All this happens at the client side. 870 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 871 */ 872 static int 873 x11_open_helper(Buffer *b) 874 { 875 u_char *ucp; 876 u_int proto_len, data_len; 877 878 /* Check if the fixed size part of the packet is in buffer. */ 879 if (buffer_len(b) < 12) 880 return 0; 881 882 /* Parse the lengths of variable-length fields. */ 883 ucp = buffer_ptr(b); 884 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 885 proto_len = 256 * ucp[6] + ucp[7]; 886 data_len = 256 * ucp[8] + ucp[9]; 887 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 888 proto_len = ucp[6] + 256 * ucp[7]; 889 data_len = ucp[8] + 256 * ucp[9]; 890 } else { 891 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 892 ucp[0]); 893 return -1; 894 } 895 896 /* Check if the whole packet is in buffer. */ 897 if (buffer_len(b) < 898 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 899 return 0; 900 901 /* Check if authentication protocol matches. */ 902 if (proto_len != strlen(x11_saved_proto) || 903 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 904 debug2("X11 connection uses different authentication protocol."); 905 return -1; 906 } 907 /* Check if authentication data matches our fake data. */ 908 if (data_len != x11_fake_data_len || 909 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 910 x11_fake_data, x11_fake_data_len) != 0) { 911 debug2("X11 auth data does not match fake data."); 912 return -1; 913 } 914 /* Check fake data length */ 915 if (x11_fake_data_len != x11_saved_data_len) { 916 error("X11 fake_data_len %d != saved_data_len %d", 917 x11_fake_data_len, x11_saved_data_len); 918 return -1; 919 } 920 /* 921 * Received authentication protocol and data match 922 * our fake data. Substitute the fake data with real 923 * data. 924 */ 925 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 926 x11_saved_data, x11_saved_data_len); 927 return 1; 928 } 929 930 static void 931 channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 932 { 933 int ret = x11_open_helper(&c->output); 934 935 if (ret == 1) { 936 /* Start normal processing for the channel. */ 937 c->type = SSH_CHANNEL_OPEN; 938 channel_pre_open_13(c, readset, writeset); 939 } else if (ret == -1) { 940 /* 941 * We have received an X11 connection that has bad 942 * authentication information. 943 */ 944 logit("X11 connection rejected because of wrong authentication."); 945 buffer_clear(&c->input); 946 buffer_clear(&c->output); 947 channel_close_fd(&c->sock); 948 c->sock = -1; 949 c->type = SSH_CHANNEL_CLOSED; 950 packet_start(SSH_MSG_CHANNEL_CLOSE); 951 packet_put_int(c->remote_id); 952 packet_send(); 953 } 954 } 955 956 static void 957 channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 958 { 959 int ret = x11_open_helper(&c->output); 960 961 /* c->force_drain = 1; */ 962 963 if (ret == 1) { 964 c->type = SSH_CHANNEL_OPEN; 965 channel_pre_open(c, readset, writeset); 966 } else if (ret == -1) { 967 logit("X11 connection rejected because of wrong authentication."); 968 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 969 chan_read_failed(c); 970 buffer_clear(&c->input); 971 chan_ibuf_empty(c); 972 buffer_clear(&c->output); 973 /* for proto v1, the peer will send an IEOF */ 974 if (compat20) 975 chan_write_failed(c); 976 else 977 c->type = SSH_CHANNEL_OPEN; 978 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 979 } 980 } 981 982 /* try to decode a socks4 header */ 983 /* ARGSUSED */ 984 static int 985 channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 986 { 987 char *p, *host; 988 u_int len, have, i, found, need; 989 char username[256]; 990 struct { 991 u_int8_t version; 992 u_int8_t command; 993 u_int16_t dest_port; 994 struct in_addr dest_addr; 995 } s4_req, s4_rsp; 996 997 debug2("channel %d: decode socks4", c->self); 998 999 have = buffer_len(&c->input); 1000 len = sizeof(s4_req); 1001 if (have < len) 1002 return 0; 1003 p = buffer_ptr(&c->input); 1004 1005 need = 1; 1006 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1007 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1008 debug2("channel %d: socks4a request", c->self); 1009 /* ... and needs an extra string (the hostname) */ 1010 need = 2; 1011 } 1012 /* Check for terminating NUL on the string(s) */ 1013 for (found = 0, i = len; i < have; i++) { 1014 if (p[i] == '\0') { 1015 found++; 1016 if (found == need) 1017 break; 1018 } 1019 if (i > 1024) { 1020 /* the peer is probably sending garbage */ 1021 debug("channel %d: decode socks4: too long", 1022 c->self); 1023 return -1; 1024 } 1025 } 1026 if (found < need) 1027 return 0; 1028 buffer_get(&c->input, (char *)&s4_req.version, 1); 1029 buffer_get(&c->input, (char *)&s4_req.command, 1); 1030 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 1031 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 1032 have = buffer_len(&c->input); 1033 p = buffer_ptr(&c->input); 1034 len = strlen(p); 1035 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1036 len++; /* trailing '\0' */ 1037 if (len > have) 1038 fatal("channel %d: decode socks4: len %d > have %d", 1039 c->self, len, have); 1040 strlcpy(username, p, sizeof(username)); 1041 buffer_consume(&c->input, len); 1042 1043 if (c->path != NULL) { 1044 xfree(c->path); 1045 c->path = NULL; 1046 } 1047 if (need == 1) { /* SOCKS4: one string */ 1048 host = inet_ntoa(s4_req.dest_addr); 1049 c->path = xstrdup(host); 1050 } else { /* SOCKS4A: two strings */ 1051 have = buffer_len(&c->input); 1052 p = buffer_ptr(&c->input); 1053 len = strlen(p); 1054 debug2("channel %d: decode socks4a: host %s/%d", 1055 c->self, p, len); 1056 len++; /* trailing '\0' */ 1057 if (len > have) 1058 fatal("channel %d: decode socks4a: len %d > have %d", 1059 c->self, len, have); 1060 if (len > NI_MAXHOST) { 1061 error("channel %d: hostname \"%.100s\" too long", 1062 c->self, p); 1063 return -1; 1064 } 1065 c->path = xstrdup(p); 1066 buffer_consume(&c->input, len); 1067 } 1068 c->host_port = ntohs(s4_req.dest_port); 1069 1070 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1071 c->self, c->path, c->host_port, s4_req.command); 1072 1073 if (s4_req.command != 1) { 1074 debug("channel %d: cannot handle: %s cn %d", 1075 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1076 return -1; 1077 } 1078 s4_rsp.version = 0; /* vn: 0 for reply */ 1079 s4_rsp.command = 90; /* cd: req granted */ 1080 s4_rsp.dest_port = 0; /* ignored */ 1081 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1082 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1083 return 1; 1084 } 1085 1086 /* try to decode a socks5 header */ 1087 #define SSH_SOCKS5_AUTHDONE 0x1000 1088 #define SSH_SOCKS5_NOAUTH 0x00 1089 #define SSH_SOCKS5_IPV4 0x01 1090 #define SSH_SOCKS5_DOMAIN 0x03 1091 #define SSH_SOCKS5_IPV6 0x04 1092 #define SSH_SOCKS5_CONNECT 0x01 1093 #define SSH_SOCKS5_SUCCESS 0x00 1094 1095 /* ARGSUSED */ 1096 static int 1097 channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1098 { 1099 struct { 1100 u_int8_t version; 1101 u_int8_t command; 1102 u_int8_t reserved; 1103 u_int8_t atyp; 1104 } s5_req, s5_rsp; 1105 u_int16_t dest_port; 1106 u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1107 u_int have, need, i, found, nmethods, addrlen, af; 1108 1109 debug2("channel %d: decode socks5", c->self); 1110 p = buffer_ptr(&c->input); 1111 if (p[0] != 0x05) 1112 return -1; 1113 have = buffer_len(&c->input); 1114 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1115 /* format: ver | nmethods | methods */ 1116 if (have < 2) 1117 return 0; 1118 nmethods = p[1]; 1119 if (have < nmethods + 2) 1120 return 0; 1121 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1122 for (found = 0, i = 2; i < nmethods + 2; i++) { 1123 if (p[i] == SSH_SOCKS5_NOAUTH) { 1124 found = 1; 1125 break; 1126 } 1127 } 1128 if (!found) { 1129 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1130 c->self); 1131 return -1; 1132 } 1133 buffer_consume(&c->input, nmethods + 2); 1134 buffer_put_char(&c->output, 0x05); /* version */ 1135 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1136 FD_SET(c->sock, writeset); 1137 c->flags |= SSH_SOCKS5_AUTHDONE; 1138 debug2("channel %d: socks5 auth done", c->self); 1139 return 0; /* need more */ 1140 } 1141 debug2("channel %d: socks5 post auth", c->self); 1142 if (have < sizeof(s5_req)+1) 1143 return 0; /* need more */ 1144 memcpy(&s5_req, p, sizeof(s5_req)); 1145 if (s5_req.version != 0x05 || 1146 s5_req.command != SSH_SOCKS5_CONNECT || 1147 s5_req.reserved != 0x00) { 1148 debug2("channel %d: only socks5 connect supported", c->self); 1149 return -1; 1150 } 1151 switch (s5_req.atyp){ 1152 case SSH_SOCKS5_IPV4: 1153 addrlen = 4; 1154 af = AF_INET; 1155 break; 1156 case SSH_SOCKS5_DOMAIN: 1157 addrlen = p[sizeof(s5_req)]; 1158 af = -1; 1159 break; 1160 case SSH_SOCKS5_IPV6: 1161 addrlen = 16; 1162 af = AF_INET6; 1163 break; 1164 default: 1165 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1166 return -1; 1167 } 1168 need = sizeof(s5_req) + addrlen + 2; 1169 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1170 need++; 1171 if (have < need) 1172 return 0; 1173 buffer_consume(&c->input, sizeof(s5_req)); 1174 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1175 buffer_consume(&c->input, 1); /* host string length */ 1176 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1177 buffer_get(&c->input, (char *)&dest_port, 2); 1178 dest_addr[addrlen] = '\0'; 1179 if (c->path != NULL) { 1180 xfree(c->path); 1181 c->path = NULL; 1182 } 1183 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1184 if (addrlen >= NI_MAXHOST) { 1185 error("channel %d: dynamic request: socks5 hostname " 1186 "\"%.100s\" too long", c->self, dest_addr); 1187 return -1; 1188 } 1189 c->path = xstrdup(dest_addr); 1190 } else { 1191 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1192 return -1; 1193 c->path = xstrdup(ntop); 1194 } 1195 c->host_port = ntohs(dest_port); 1196 1197 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1198 c->self, c->path, c->host_port, s5_req.command); 1199 1200 s5_rsp.version = 0x05; 1201 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1202 s5_rsp.reserved = 0; /* ignored */ 1203 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1204 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; 1205 dest_port = 0; /* ignored */ 1206 1207 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1208 buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); 1209 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1210 return 1; 1211 } 1212 1213 /* dynamic port forwarding */ 1214 static void 1215 channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1216 { 1217 u_char *p; 1218 u_int have; 1219 int ret; 1220 1221 have = buffer_len(&c->input); 1222 c->delayed = 0; 1223 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1224 /* buffer_dump(&c->input); */ 1225 /* check if the fixed size part of the packet is in buffer. */ 1226 if (have < 3) { 1227 /* need more */ 1228 FD_SET(c->sock, readset); 1229 return; 1230 } 1231 /* try to guess the protocol */ 1232 p = buffer_ptr(&c->input); 1233 switch (p[0]) { 1234 case 0x04: 1235 ret = channel_decode_socks4(c, readset, writeset); 1236 break; 1237 case 0x05: 1238 ret = channel_decode_socks5(c, readset, writeset); 1239 break; 1240 default: 1241 ret = -1; 1242 break; 1243 } 1244 if (ret < 0) { 1245 chan_mark_dead(c); 1246 } else if (ret == 0) { 1247 debug2("channel %d: pre_dynamic: need more", c->self); 1248 /* need more */ 1249 FD_SET(c->sock, readset); 1250 } else { 1251 /* switch to the next state */ 1252 c->type = SSH_CHANNEL_OPENING; 1253 port_open_helper(c, "direct-tcpip"); 1254 } 1255 } 1256 1257 /* This is our fake X11 server socket. */ 1258 /* ARGSUSED */ 1259 static void 1260 channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1261 { 1262 Channel *nc; 1263 struct sockaddr_storage addr; 1264 int newsock; 1265 socklen_t addrlen; 1266 char buf[16384], *remote_ipaddr; 1267 int remote_port; 1268 1269 if (FD_ISSET(c->sock, readset)) { 1270 debug("X11 connection requested."); 1271 addrlen = sizeof(addr); 1272 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1273 if (c->single_connection) { 1274 debug2("single_connection: closing X11 listener."); 1275 channel_close_fd(&c->sock); 1276 chan_mark_dead(c); 1277 } 1278 if (newsock < 0) { 1279 error("accept: %.100s", strerror(errno)); 1280 return; 1281 } 1282 set_nodelay(newsock); 1283 remote_ipaddr = get_peer_ipaddr(newsock); 1284 remote_port = get_peer_port(newsock); 1285 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1286 remote_ipaddr, remote_port); 1287 1288 nc = channel_new("accepted x11 socket", 1289 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1290 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1291 if (compat20) { 1292 packet_start(SSH2_MSG_CHANNEL_OPEN); 1293 packet_put_cstring("x11"); 1294 packet_put_int(nc->self); 1295 packet_put_int(nc->local_window_max); 1296 packet_put_int(nc->local_maxpacket); 1297 /* originator ipaddr and port */ 1298 packet_put_cstring(remote_ipaddr); 1299 if (datafellows & SSH_BUG_X11FWD) { 1300 debug2("ssh2 x11 bug compat mode"); 1301 } else { 1302 packet_put_int(remote_port); 1303 } 1304 packet_send(); 1305 } else { 1306 packet_start(SSH_SMSG_X11_OPEN); 1307 packet_put_int(nc->self); 1308 if (packet_get_protocol_flags() & 1309 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1310 packet_put_cstring(buf); 1311 packet_send(); 1312 } 1313 xfree(remote_ipaddr); 1314 } 1315 } 1316 1317 static void 1318 port_open_helper(Channel *c, char *rtype) 1319 { 1320 int direct; 1321 char buf[1024]; 1322 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1323 int remote_port = get_peer_port(c->sock); 1324 1325 direct = (strcmp(rtype, "direct-tcpip") == 0); 1326 1327 snprintf(buf, sizeof buf, 1328 "%s: listening port %d for %.100s port %d, " 1329 "connect from %.200s port %d", 1330 rtype, c->listening_port, c->path, c->host_port, 1331 remote_ipaddr, remote_port); 1332 1333 xfree(c->remote_name); 1334 c->remote_name = xstrdup(buf); 1335 1336 if (compat20) { 1337 packet_start(SSH2_MSG_CHANNEL_OPEN); 1338 packet_put_cstring(rtype); 1339 packet_put_int(c->self); 1340 packet_put_int(c->local_window_max); 1341 packet_put_int(c->local_maxpacket); 1342 if (direct) { 1343 /* target host, port */ 1344 packet_put_cstring(c->path); 1345 packet_put_int(c->host_port); 1346 } else { 1347 /* listen address, port */ 1348 packet_put_cstring(c->path); 1349 packet_put_int(c->listening_port); 1350 } 1351 /* originator host and port */ 1352 packet_put_cstring(remote_ipaddr); 1353 packet_put_int((u_int)remote_port); 1354 packet_send(); 1355 } else { 1356 packet_start(SSH_MSG_PORT_OPEN); 1357 packet_put_int(c->self); 1358 packet_put_cstring(c->path); 1359 packet_put_int(c->host_port); 1360 if (packet_get_protocol_flags() & 1361 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1362 packet_put_cstring(c->remote_name); 1363 packet_send(); 1364 } 1365 xfree(remote_ipaddr); 1366 } 1367 1368 static void 1369 channel_set_reuseaddr(int fd) 1370 { 1371 int on = 1; 1372 1373 /* 1374 * Set socket options. 1375 * Allow local port reuse in TIME_WAIT. 1376 */ 1377 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1378 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1379 } 1380 1381 /* 1382 * This socket is listening for connections to a forwarded TCP/IP port. 1383 */ 1384 /* ARGSUSED */ 1385 static void 1386 channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1387 { 1388 Channel *nc; 1389 struct sockaddr_storage addr; 1390 int newsock, nextstate; 1391 socklen_t addrlen; 1392 char *rtype; 1393 1394 if (FD_ISSET(c->sock, readset)) { 1395 debug("Connection to port %d forwarding " 1396 "to %.100s port %d requested.", 1397 c->listening_port, c->path, c->host_port); 1398 1399 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1400 nextstate = SSH_CHANNEL_OPENING; 1401 rtype = "forwarded-tcpip"; 1402 } else { 1403 if (c->host_port == 0) { 1404 nextstate = SSH_CHANNEL_DYNAMIC; 1405 rtype = "dynamic-tcpip"; 1406 } else { 1407 nextstate = SSH_CHANNEL_OPENING; 1408 rtype = "direct-tcpip"; 1409 } 1410 } 1411 1412 addrlen = sizeof(addr); 1413 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1414 if (newsock < 0) { 1415 error("accept: %.100s", strerror(errno)); 1416 return; 1417 } 1418 set_nodelay(newsock); 1419 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1420 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1421 nc->listening_port = c->listening_port; 1422 nc->host_port = c->host_port; 1423 if (c->path != NULL) 1424 nc->path = xstrdup(c->path); 1425 1426 if (nextstate == SSH_CHANNEL_DYNAMIC) { 1427 /* 1428 * do not call the channel_post handler until 1429 * this flag has been reset by a pre-handler. 1430 * otherwise the FD_ISSET calls might overflow 1431 */ 1432 nc->delayed = 1; 1433 } else { 1434 port_open_helper(nc, rtype); 1435 } 1436 } 1437 } 1438 1439 /* 1440 * This is the authentication agent socket listening for connections from 1441 * clients. 1442 */ 1443 /* ARGSUSED */ 1444 static void 1445 channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1446 { 1447 Channel *nc; 1448 int newsock; 1449 struct sockaddr_storage addr; 1450 socklen_t addrlen; 1451 1452 if (FD_ISSET(c->sock, readset)) { 1453 addrlen = sizeof(addr); 1454 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1455 if (newsock < 0) { 1456 error("accept from auth socket: %.100s", strerror(errno)); 1457 return; 1458 } 1459 nc = channel_new("accepted auth socket", 1460 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1461 c->local_window_max, c->local_maxpacket, 1462 0, "accepted auth socket", 1); 1463 if (compat20) { 1464 packet_start(SSH2_MSG_CHANNEL_OPEN); 1465 packet_put_cstring("auth-agent@openssh.com"); 1466 packet_put_int(nc->self); 1467 packet_put_int(c->local_window_max); 1468 packet_put_int(c->local_maxpacket); 1469 } else { 1470 packet_start(SSH_SMSG_AGENT_OPEN); 1471 packet_put_int(nc->self); 1472 } 1473 packet_send(); 1474 } 1475 } 1476 1477 /* ARGSUSED */ 1478 static void 1479 channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1480 { 1481 int err = 0, sock; 1482 socklen_t sz = sizeof(err); 1483 1484 if (FD_ISSET(c->sock, writeset)) { 1485 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1486 err = errno; 1487 error("getsockopt SO_ERROR failed"); 1488 } 1489 if (err == 0) { 1490 debug("channel %d: connected to %s port %d", 1491 c->self, c->connect_ctx.host, c->connect_ctx.port); 1492 channel_connect_ctx_free(&c->connect_ctx); 1493 c->type = SSH_CHANNEL_OPEN; 1494 if (compat20) { 1495 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1496 packet_put_int(c->remote_id); 1497 packet_put_int(c->self); 1498 packet_put_int(c->local_window); 1499 packet_put_int(c->local_maxpacket); 1500 } else { 1501 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1502 packet_put_int(c->remote_id); 1503 packet_put_int(c->self); 1504 } 1505 } else { 1506 debug("channel %d: connection failed: %s", 1507 c->self, strerror(err)); 1508 /* Try next address, if any */ 1509 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1510 close(c->sock); 1511 c->sock = c->rfd = c->wfd = sock; 1512 channel_max_fd = channel_find_maxfd(); 1513 return; 1514 } 1515 /* Exhausted all addresses */ 1516 error("connect_to %.100s port %d: failed.", 1517 c->connect_ctx.host, c->connect_ctx.port); 1518 channel_connect_ctx_free(&c->connect_ctx); 1519 if (compat20) { 1520 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1521 packet_put_int(c->remote_id); 1522 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1523 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1524 packet_put_cstring(strerror(err)); 1525 packet_put_cstring(""); 1526 } 1527 } else { 1528 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1529 packet_put_int(c->remote_id); 1530 } 1531 chan_mark_dead(c); 1532 } 1533 packet_send(); 1534 } 1535 } 1536 1537 /* ARGSUSED */ 1538 static int 1539 channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1540 { 1541 char buf[CHAN_RBUF]; 1542 int len, force; 1543 1544 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1545 if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) { 1546 errno = 0; 1547 len = read(c->rfd, buf, sizeof(buf)); 1548 if (len < 0 && (errno == EINTR || 1549 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1550 return 1; 1551 #ifndef PTY_ZEROREAD 1552 if (len <= 0) { 1553 #else 1554 if ((!c->isatty && len <= 0) || 1555 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1556 #endif 1557 debug2("channel %d: read<=0 rfd %d len %d", 1558 c->self, c->rfd, len); 1559 if (c->type != SSH_CHANNEL_OPEN) { 1560 debug2("channel %d: not open", c->self); 1561 chan_mark_dead(c); 1562 return -1; 1563 } else if (compat13) { 1564 buffer_clear(&c->output); 1565 c->type = SSH_CHANNEL_INPUT_DRAINING; 1566 debug2("channel %d: input draining.", c->self); 1567 } else { 1568 chan_read_failed(c); 1569 } 1570 return -1; 1571 } 1572 if (c->input_filter != NULL) { 1573 if (c->input_filter(c, buf, len) == -1) { 1574 debug2("channel %d: filter stops", c->self); 1575 chan_read_failed(c); 1576 } 1577 } else if (c->datagram) { 1578 buffer_put_string(&c->input, buf, len); 1579 } else { 1580 buffer_append(&c->input, buf, len); 1581 } 1582 } 1583 return 1; 1584 } 1585 1586 /* ARGSUSED */ 1587 static int 1588 channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1589 { 1590 struct termios tio; 1591 u_char *data = NULL, *buf; 1592 u_int dlen; 1593 int len; 1594 1595 /* Send buffered output data to the socket. */ 1596 if (c->wfd != -1 && 1597 FD_ISSET(c->wfd, writeset) && 1598 buffer_len(&c->output) > 0) { 1599 if (c->output_filter != NULL) { 1600 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1601 debug2("channel %d: filter stops", c->self); 1602 if (c->type != SSH_CHANNEL_OPEN) 1603 chan_mark_dead(c); 1604 else 1605 chan_write_failed(c); 1606 return -1; 1607 } 1608 } else if (c->datagram) { 1609 buf = data = buffer_get_string(&c->output, &dlen); 1610 } else { 1611 buf = data = buffer_ptr(&c->output); 1612 dlen = buffer_len(&c->output); 1613 } 1614 1615 if (c->datagram) { 1616 /* ignore truncated writes, datagrams might get lost */ 1617 c->local_consumed += dlen + 4; 1618 len = write(c->wfd, buf, dlen); 1619 xfree(data); 1620 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1621 errno == EWOULDBLOCK)) 1622 return 1; 1623 if (len <= 0) { 1624 if (c->type != SSH_CHANNEL_OPEN) 1625 chan_mark_dead(c); 1626 else 1627 chan_write_failed(c); 1628 return -1; 1629 } 1630 return 1; 1631 } 1632 #ifdef _AIX 1633 /* XXX: Later AIX versions can't push as much data to tty */ 1634 if (compat20 && c->wfd_isatty) 1635 dlen = MIN(dlen, 8*1024); 1636 #endif 1637 1638 len = write(c->wfd, buf, dlen); 1639 if (len < 0 && 1640 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1641 return 1; 1642 if (len <= 0) { 1643 if (c->type != SSH_CHANNEL_OPEN) { 1644 debug2("channel %d: not open", c->self); 1645 chan_mark_dead(c); 1646 return -1; 1647 } else if (compat13) { 1648 buffer_clear(&c->output); 1649 debug2("channel %d: input draining.", c->self); 1650 c->type = SSH_CHANNEL_INPUT_DRAINING; 1651 } else { 1652 chan_write_failed(c); 1653 } 1654 return -1; 1655 } 1656 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1657 if (tcgetattr(c->wfd, &tio) == 0 && 1658 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1659 /* 1660 * Simulate echo to reduce the impact of 1661 * traffic analysis. We need to match the 1662 * size of a SSH2_MSG_CHANNEL_DATA message 1663 * (4 byte channel id + buf) 1664 */ 1665 packet_send_ignore(4 + len); 1666 packet_send(); 1667 } 1668 } 1669 buffer_consume(&c->output, len); 1670 if (compat20 && len > 0) { 1671 c->local_consumed += len; 1672 } 1673 } 1674 return 1; 1675 } 1676 1677 static int 1678 channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1679 { 1680 char buf[CHAN_RBUF]; 1681 int len; 1682 1683 /** XXX handle drain efd, too */ 1684 if (c->efd != -1) { 1685 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1686 FD_ISSET(c->efd, writeset) && 1687 buffer_len(&c->extended) > 0) { 1688 len = write(c->efd, buffer_ptr(&c->extended), 1689 buffer_len(&c->extended)); 1690 debug2("channel %d: written %d to efd %d", 1691 c->self, len, c->efd); 1692 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1693 errno == EWOULDBLOCK)) 1694 return 1; 1695 if (len <= 0) { 1696 debug2("channel %d: closing write-efd %d", 1697 c->self, c->efd); 1698 channel_close_fd(&c->efd); 1699 } else { 1700 buffer_consume(&c->extended, len); 1701 c->local_consumed += len; 1702 } 1703 } else if (c->extended_usage == CHAN_EXTENDED_READ && 1704 (c->detach_close || FD_ISSET(c->efd, readset))) { 1705 len = read(c->efd, buf, sizeof(buf)); 1706 debug2("channel %d: read %d from efd %d", 1707 c->self, len, c->efd); 1708 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 1709 errno == EWOULDBLOCK) && !c->detach_close))) 1710 return 1; 1711 if (len <= 0) { 1712 debug2("channel %d: closing read-efd %d", 1713 c->self, c->efd); 1714 channel_close_fd(&c->efd); 1715 } else { 1716 buffer_append(&c->extended, buf, len); 1717 } 1718 } 1719 } 1720 return 1; 1721 } 1722 1723 /* ARGSUSED */ 1724 static int 1725 channel_handle_ctl(Channel *c, fd_set *readset, fd_set *writeset) 1726 { 1727 char buf[16]; 1728 int len; 1729 1730 /* Monitor control fd to detect if the slave client exits */ 1731 if (c->ctl_fd != -1 && FD_ISSET(c->ctl_fd, readset)) { 1732 len = read(c->ctl_fd, buf, sizeof(buf)); 1733 if (len < 0 && 1734 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1735 return 1; 1736 if (len <= 0) { 1737 debug2("channel %d: ctl read<=0", c->self); 1738 if (c->type != SSH_CHANNEL_OPEN) { 1739 debug2("channel %d: not open", c->self); 1740 chan_mark_dead(c); 1741 return -1; 1742 } else { 1743 chan_read_failed(c); 1744 chan_write_failed(c); 1745 } 1746 return -1; 1747 } else 1748 fatal("%s: unexpected data on ctl fd", __func__); 1749 } 1750 return 1; 1751 } 1752 1753 static int 1754 channel_check_window(Channel *c) 1755 { 1756 if (c->type == SSH_CHANNEL_OPEN && 1757 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1758 ((c->local_window_max - c->local_window > 1759 c->local_maxpacket*3) || 1760 c->local_window < c->local_window_max/2) && 1761 c->local_consumed > 0) { 1762 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1763 packet_put_int(c->remote_id); 1764 packet_put_int(c->local_consumed); 1765 packet_send(); 1766 debug2("channel %d: window %d sent adjust %d", 1767 c->self, c->local_window, 1768 c->local_consumed); 1769 c->local_window += c->local_consumed; 1770 c->local_consumed = 0; 1771 } 1772 return 1; 1773 } 1774 1775 static void 1776 channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1777 { 1778 if (c->delayed) 1779 return; 1780 channel_handle_rfd(c, readset, writeset); 1781 channel_handle_wfd(c, readset, writeset); 1782 if (!compat20) 1783 return; 1784 channel_handle_efd(c, readset, writeset); 1785 channel_handle_ctl(c, readset, writeset); 1786 channel_check_window(c); 1787 } 1788 1789 /* ARGSUSED */ 1790 static void 1791 channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 1792 { 1793 int len; 1794 1795 /* Send buffered output data to the socket. */ 1796 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1797 len = write(c->sock, buffer_ptr(&c->output), 1798 buffer_len(&c->output)); 1799 if (len <= 0) 1800 buffer_clear(&c->output); 1801 else 1802 buffer_consume(&c->output, len); 1803 } 1804 } 1805 1806 static void 1807 channel_handler_init_20(void) 1808 { 1809 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1810 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1811 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1812 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1813 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1814 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1815 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1816 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1817 1818 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1819 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1820 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1821 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1822 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1823 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1824 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1825 } 1826 1827 static void 1828 channel_handler_init_13(void) 1829 { 1830 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1831 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1832 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1833 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1834 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1835 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1836 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1837 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1838 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1839 1840 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1841 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1842 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1843 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1844 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 1845 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1846 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1847 } 1848 1849 static void 1850 channel_handler_init_15(void) 1851 { 1852 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1853 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1854 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1855 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1856 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1857 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1858 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1859 1860 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1861 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1862 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1863 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1864 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1865 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1866 } 1867 1868 static void 1869 channel_handler_init(void) 1870 { 1871 int i; 1872 1873 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 1874 channel_pre[i] = NULL; 1875 channel_post[i] = NULL; 1876 } 1877 if (compat20) 1878 channel_handler_init_20(); 1879 else if (compat13) 1880 channel_handler_init_13(); 1881 else 1882 channel_handler_init_15(); 1883 } 1884 1885 /* gc dead channels */ 1886 static void 1887 channel_garbage_collect(Channel *c) 1888 { 1889 if (c == NULL) 1890 return; 1891 if (c->detach_user != NULL) { 1892 if (!chan_is_dead(c, c->detach_close)) 1893 return; 1894 debug2("channel %d: gc: notify user", c->self); 1895 c->detach_user(c->self, NULL); 1896 /* if we still have a callback */ 1897 if (c->detach_user != NULL) 1898 return; 1899 debug2("channel %d: gc: user detached", c->self); 1900 } 1901 if (!chan_is_dead(c, 1)) 1902 return; 1903 debug2("channel %d: garbage collecting", c->self); 1904 channel_free(c); 1905 } 1906 1907 static void 1908 channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) 1909 { 1910 static int did_init = 0; 1911 u_int i; 1912 Channel *c; 1913 1914 if (!did_init) { 1915 channel_handler_init(); 1916 did_init = 1; 1917 } 1918 for (i = 0; i < channels_alloc; i++) { 1919 c = channels[i]; 1920 if (c == NULL) 1921 continue; 1922 if (ftab[c->type] != NULL) 1923 (*ftab[c->type])(c, readset, writeset); 1924 channel_garbage_collect(c); 1925 } 1926 } 1927 1928 /* 1929 * Allocate/update select bitmasks and add any bits relevant to channels in 1930 * select bitmasks. 1931 */ 1932 void 1933 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 1934 u_int *nallocp, int rekeying) 1935 { 1936 u_int n, sz, nfdset; 1937 1938 n = MAX(*maxfdp, channel_max_fd); 1939 1940 nfdset = howmany(n+1, NFDBITS); 1941 /* Explicitly test here, because xrealloc isn't always called */ 1942 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) 1943 fatal("channel_prepare_select: max_fd (%d) is too large", n); 1944 sz = nfdset * sizeof(fd_mask); 1945 1946 /* perhaps check sz < nalloc/2 and shrink? */ 1947 if (*readsetp == NULL || sz > *nallocp) { 1948 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); 1949 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); 1950 *nallocp = sz; 1951 } 1952 *maxfdp = n; 1953 memset(*readsetp, 0, sz); 1954 memset(*writesetp, 0, sz); 1955 1956 if (!rekeying) 1957 channel_handler(channel_pre, *readsetp, *writesetp); 1958 } 1959 1960 /* 1961 * After select, perform any appropriate operations for channels which have 1962 * events pending. 1963 */ 1964 void 1965 channel_after_select(fd_set *readset, fd_set *writeset) 1966 { 1967 channel_handler(channel_post, readset, writeset); 1968 } 1969 1970 1971 /* If there is data to send to the connection, enqueue some of it now. */ 1972 void 1973 channel_output_poll(void) 1974 { 1975 Channel *c; 1976 u_int i, len; 1977 1978 for (i = 0; i < channels_alloc; i++) { 1979 c = channels[i]; 1980 if (c == NULL) 1981 continue; 1982 1983 /* 1984 * We are only interested in channels that can have buffered 1985 * incoming data. 1986 */ 1987 if (compat13) { 1988 if (c->type != SSH_CHANNEL_OPEN && 1989 c->type != SSH_CHANNEL_INPUT_DRAINING) 1990 continue; 1991 } else { 1992 if (c->type != SSH_CHANNEL_OPEN) 1993 continue; 1994 } 1995 if (compat20 && 1996 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 1997 /* XXX is this true? */ 1998 debug3("channel %d: will not send data after close", c->self); 1999 continue; 2000 } 2001 2002 /* Get the amount of buffered data for this channel. */ 2003 if ((c->istate == CHAN_INPUT_OPEN || 2004 c->istate == CHAN_INPUT_WAIT_DRAIN) && 2005 (len = buffer_len(&c->input)) > 0) { 2006 if (c->datagram) { 2007 if (len > 0) { 2008 u_char *data; 2009 u_int dlen; 2010 2011 data = buffer_get_string(&c->input, 2012 &dlen); 2013 packet_start(SSH2_MSG_CHANNEL_DATA); 2014 packet_put_int(c->remote_id); 2015 packet_put_string(data, dlen); 2016 packet_send(); 2017 c->remote_window -= dlen + 4; 2018 xfree(data); 2019 } 2020 continue; 2021 } 2022 /* 2023 * Send some data for the other side over the secure 2024 * connection. 2025 */ 2026 if (compat20) { 2027 if (len > c->remote_window) 2028 len = c->remote_window; 2029 if (len > c->remote_maxpacket) 2030 len = c->remote_maxpacket; 2031 } else { 2032 if (packet_is_interactive()) { 2033 if (len > 1024) 2034 len = 512; 2035 } else { 2036 /* Keep the packets at reasonable size. */ 2037 if (len > packet_get_maxsize()/2) 2038 len = packet_get_maxsize()/2; 2039 } 2040 } 2041 if (len > 0) { 2042 packet_start(compat20 ? 2043 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 2044 packet_put_int(c->remote_id); 2045 packet_put_string(buffer_ptr(&c->input), len); 2046 packet_send(); 2047 buffer_consume(&c->input, len); 2048 c->remote_window -= len; 2049 } 2050 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2051 if (compat13) 2052 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 2053 /* 2054 * input-buffer is empty and read-socket shutdown: 2055 * tell peer, that we will not send more data: send IEOF. 2056 * hack for extended data: delay EOF if EFD still in use. 2057 */ 2058 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2059 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 2060 c->self, c->efd, buffer_len(&c->extended)); 2061 else 2062 chan_ibuf_empty(c); 2063 } 2064 /* Send extended data, i.e. stderr */ 2065 if (compat20 && 2066 !(c->flags & CHAN_EOF_SENT) && 2067 c->remote_window > 0 && 2068 (len = buffer_len(&c->extended)) > 0 && 2069 c->extended_usage == CHAN_EXTENDED_READ) { 2070 debug2("channel %d: rwin %u elen %u euse %d", 2071 c->self, c->remote_window, buffer_len(&c->extended), 2072 c->extended_usage); 2073 if (len > c->remote_window) 2074 len = c->remote_window; 2075 if (len > c->remote_maxpacket) 2076 len = c->remote_maxpacket; 2077 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 2078 packet_put_int(c->remote_id); 2079 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 2080 packet_put_string(buffer_ptr(&c->extended), len); 2081 packet_send(); 2082 buffer_consume(&c->extended, len); 2083 c->remote_window -= len; 2084 debug2("channel %d: sent ext data %d", c->self, len); 2085 } 2086 } 2087 } 2088 2089 2090 /* -- protocol input */ 2091 2092 /* ARGSUSED */ 2093 void 2094 channel_input_data(int type, u_int32_t seq, void *ctxt) 2095 { 2096 int id; 2097 char *data; 2098 u_int data_len; 2099 Channel *c; 2100 2101 /* Get the channel number and verify it. */ 2102 id = packet_get_int(); 2103 c = channel_lookup(id); 2104 if (c == NULL) 2105 packet_disconnect("Received data for nonexistent channel %d.", id); 2106 2107 /* Ignore any data for non-open channels (might happen on close) */ 2108 if (c->type != SSH_CHANNEL_OPEN && 2109 c->type != SSH_CHANNEL_X11_OPEN) 2110 return; 2111 2112 /* Get the data. */ 2113 data = packet_get_string_ptr(&data_len); 2114 2115 /* 2116 * Ignore data for protocol > 1.3 if output end is no longer open. 2117 * For protocol 2 the sending side is reducing its window as it sends 2118 * data, so we must 'fake' consumption of the data in order to ensure 2119 * that window updates are sent back. Otherwise the connection might 2120 * deadlock. 2121 */ 2122 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2123 if (compat20) { 2124 c->local_window -= data_len; 2125 c->local_consumed += data_len; 2126 } 2127 return; 2128 } 2129 2130 if (compat20) { 2131 if (data_len > c->local_maxpacket) { 2132 logit("channel %d: rcvd big packet %d, maxpack %d", 2133 c->self, data_len, c->local_maxpacket); 2134 } 2135 if (data_len > c->local_window) { 2136 logit("channel %d: rcvd too much data %d, win %d", 2137 c->self, data_len, c->local_window); 2138 return; 2139 } 2140 c->local_window -= data_len; 2141 } 2142 if (c->datagram) 2143 buffer_put_string(&c->output, data, data_len); 2144 else 2145 buffer_append(&c->output, data, data_len); 2146 packet_check_eom(); 2147 } 2148 2149 /* ARGSUSED */ 2150 void 2151 channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2152 { 2153 int id; 2154 char *data; 2155 u_int data_len, tcode; 2156 Channel *c; 2157 2158 /* Get the channel number and verify it. */ 2159 id = packet_get_int(); 2160 c = channel_lookup(id); 2161 2162 if (c == NULL) 2163 packet_disconnect("Received extended_data for bad channel %d.", id); 2164 if (c->type != SSH_CHANNEL_OPEN) { 2165 logit("channel %d: ext data for non open", id); 2166 return; 2167 } 2168 if (c->flags & CHAN_EOF_RCVD) { 2169 if (datafellows & SSH_BUG_EXTEOF) 2170 debug("channel %d: accepting ext data after eof", id); 2171 else 2172 packet_disconnect("Received extended_data after EOF " 2173 "on channel %d.", id); 2174 } 2175 tcode = packet_get_int(); 2176 if (c->efd == -1 || 2177 c->extended_usage != CHAN_EXTENDED_WRITE || 2178 tcode != SSH2_EXTENDED_DATA_STDERR) { 2179 logit("channel %d: bad ext data", c->self); 2180 return; 2181 } 2182 data = packet_get_string(&data_len); 2183 packet_check_eom(); 2184 if (data_len > c->local_window) { 2185 logit("channel %d: rcvd too much extended_data %d, win %d", 2186 c->self, data_len, c->local_window); 2187 xfree(data); 2188 return; 2189 } 2190 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2191 c->local_window -= data_len; 2192 buffer_append(&c->extended, data, data_len); 2193 xfree(data); 2194 } 2195 2196 /* ARGSUSED */ 2197 void 2198 channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2199 { 2200 int id; 2201 Channel *c; 2202 2203 id = packet_get_int(); 2204 packet_check_eom(); 2205 c = channel_lookup(id); 2206 if (c == NULL) 2207 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2208 chan_rcvd_ieof(c); 2209 2210 /* XXX force input close */ 2211 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2212 debug("channel %d: FORCE input drain", c->self); 2213 c->istate = CHAN_INPUT_WAIT_DRAIN; 2214 if (buffer_len(&c->input) == 0) 2215 chan_ibuf_empty(c); 2216 } 2217 2218 } 2219 2220 /* ARGSUSED */ 2221 void 2222 channel_input_close(int type, u_int32_t seq, void *ctxt) 2223 { 2224 int id; 2225 Channel *c; 2226 2227 id = packet_get_int(); 2228 packet_check_eom(); 2229 c = channel_lookup(id); 2230 if (c == NULL) 2231 packet_disconnect("Received close for nonexistent channel %d.", id); 2232 2233 /* 2234 * Send a confirmation that we have closed the channel and no more 2235 * data is coming for it. 2236 */ 2237 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2238 packet_put_int(c->remote_id); 2239 packet_send(); 2240 2241 /* 2242 * If the channel is in closed state, we have sent a close request, 2243 * and the other side will eventually respond with a confirmation. 2244 * Thus, we cannot free the channel here, because then there would be 2245 * no-one to receive the confirmation. The channel gets freed when 2246 * the confirmation arrives. 2247 */ 2248 if (c->type != SSH_CHANNEL_CLOSED) { 2249 /* 2250 * Not a closed channel - mark it as draining, which will 2251 * cause it to be freed later. 2252 */ 2253 buffer_clear(&c->input); 2254 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2255 } 2256 } 2257 2258 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2259 /* ARGSUSED */ 2260 void 2261 channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2262 { 2263 int id = packet_get_int(); 2264 Channel *c = channel_lookup(id); 2265 2266 packet_check_eom(); 2267 if (c == NULL) 2268 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2269 chan_rcvd_oclose(c); 2270 } 2271 2272 /* ARGSUSED */ 2273 void 2274 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2275 { 2276 int id = packet_get_int(); 2277 Channel *c = channel_lookup(id); 2278 2279 packet_check_eom(); 2280 if (c == NULL) 2281 packet_disconnect("Received close confirmation for " 2282 "out-of-range channel %d.", id); 2283 if (c->type != SSH_CHANNEL_CLOSED) 2284 packet_disconnect("Received close confirmation for " 2285 "non-closed channel %d (type %d).", id, c->type); 2286 channel_free(c); 2287 } 2288 2289 /* ARGSUSED */ 2290 void 2291 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2292 { 2293 int id, remote_id; 2294 Channel *c; 2295 2296 id = packet_get_int(); 2297 c = channel_lookup(id); 2298 2299 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2300 packet_disconnect("Received open confirmation for " 2301 "non-opening channel %d.", id); 2302 remote_id = packet_get_int(); 2303 /* Record the remote channel number and mark that the channel is now open. */ 2304 c->remote_id = remote_id; 2305 c->type = SSH_CHANNEL_OPEN; 2306 2307 if (compat20) { 2308 c->remote_window = packet_get_int(); 2309 c->remote_maxpacket = packet_get_int(); 2310 if (c->open_confirm) { 2311 debug2("callback start"); 2312 c->open_confirm(c->self, c->open_confirm_ctx); 2313 debug2("callback done"); 2314 } 2315 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2316 c->remote_window, c->remote_maxpacket); 2317 } 2318 packet_check_eom(); 2319 } 2320 2321 static char * 2322 reason2txt(int reason) 2323 { 2324 switch (reason) { 2325 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2326 return "administratively prohibited"; 2327 case SSH2_OPEN_CONNECT_FAILED: 2328 return "connect failed"; 2329 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2330 return "unknown channel type"; 2331 case SSH2_OPEN_RESOURCE_SHORTAGE: 2332 return "resource shortage"; 2333 } 2334 return "unknown reason"; 2335 } 2336 2337 /* ARGSUSED */ 2338 void 2339 channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2340 { 2341 int id, reason; 2342 char *msg = NULL, *lang = NULL; 2343 Channel *c; 2344 2345 id = packet_get_int(); 2346 c = channel_lookup(id); 2347 2348 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2349 packet_disconnect("Received open failure for " 2350 "non-opening channel %d.", id); 2351 if (compat20) { 2352 reason = packet_get_int(); 2353 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2354 msg = packet_get_string(NULL); 2355 lang = packet_get_string(NULL); 2356 } 2357 logit("channel %d: open failed: %s%s%s", id, 2358 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2359 if (msg != NULL) 2360 xfree(msg); 2361 if (lang != NULL) 2362 xfree(lang); 2363 } 2364 packet_check_eom(); 2365 /* Schedule the channel for cleanup/deletion. */ 2366 chan_mark_dead(c); 2367 } 2368 2369 /* ARGSUSED */ 2370 void 2371 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2372 { 2373 Channel *c; 2374 int id; 2375 u_int adjust; 2376 2377 if (!compat20) 2378 return; 2379 2380 /* Get the channel number and verify it. */ 2381 id = packet_get_int(); 2382 c = channel_lookup(id); 2383 2384 if (c == NULL) { 2385 logit("Received window adjust for non-open channel %d.", id); 2386 return; 2387 } 2388 adjust = packet_get_int(); 2389 packet_check_eom(); 2390 debug2("channel %d: rcvd adjust %u", id, adjust); 2391 c->remote_window += adjust; 2392 } 2393 2394 /* ARGSUSED */ 2395 void 2396 channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2397 { 2398 Channel *c = NULL; 2399 u_short host_port; 2400 char *host, *originator_string; 2401 int remote_id; 2402 2403 remote_id = packet_get_int(); 2404 host = packet_get_string(NULL); 2405 host_port = packet_get_int(); 2406 2407 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2408 originator_string = packet_get_string(NULL); 2409 } else { 2410 originator_string = xstrdup("unknown (remote did not supply name)"); 2411 } 2412 packet_check_eom(); 2413 c = channel_connect_to(host, host_port, 2414 "connected socket", originator_string); 2415 xfree(originator_string); 2416 xfree(host); 2417 if (c == NULL) { 2418 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2419 packet_put_int(remote_id); 2420 packet_send(); 2421 } else 2422 c->remote_id = remote_id; 2423 } 2424 2425 /* ARGSUSED */ 2426 void 2427 channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) 2428 { 2429 Channel *c; 2430 struct channel_confirm *cc; 2431 int id; 2432 2433 /* Reset keepalive timeout */ 2434 keep_alive_timeouts = 0; 2435 2436 id = packet_get_int(); 2437 packet_check_eom(); 2438 2439 debug2("channel_input_status_confirm: type %d id %d", type, id); 2440 2441 if ((c = channel_lookup(id)) == NULL) { 2442 logit("channel_input_status_confirm: %d: unknown", id); 2443 return; 2444 } 2445 ; 2446 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 2447 return; 2448 cc->cb(type, c, cc->ctx); 2449 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2450 bzero(cc, sizeof(*cc)); 2451 xfree(cc); 2452 } 2453 2454 /* -- tcp forwarding */ 2455 2456 void 2457 channel_set_af(int af) 2458 { 2459 IPv4or6 = af; 2460 } 2461 2462 static int 2463 channel_setup_fwd_listener(int type, const char *listen_addr, 2464 u_short listen_port, int *allocated_listen_port, 2465 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2466 { 2467 Channel *c; 2468 int sock, r, success = 0, wildcard = 0, is_client; 2469 struct addrinfo hints, *ai, *aitop; 2470 const char *host, *addr; 2471 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2472 in_port_t *lport_p; 2473 2474 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2475 listen_addr : host_to_connect; 2476 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2477 2478 if (host == NULL) { 2479 error("No forward host name."); 2480 return 0; 2481 } 2482 if (strlen(host) >= NI_MAXHOST) { 2483 error("Forward host name too long."); 2484 return 0; 2485 } 2486 2487 /* 2488 * Determine whether or not a port forward listens to loopback, 2489 * specified address or wildcard. On the client, a specified bind 2490 * address will always override gateway_ports. On the server, a 2491 * gateway_ports of 1 (``yes'') will override the client's 2492 * specification and force a wildcard bind, whereas a value of 2 2493 * (``clientspecified'') will bind to whatever address the client 2494 * asked for. 2495 * 2496 * Special-case listen_addrs are: 2497 * 2498 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2499 * "" (empty string), "*" -> wildcard v4/v6 2500 * "localhost" -> loopback v4/v6 2501 */ 2502 addr = NULL; 2503 if (listen_addr == NULL) { 2504 /* No address specified: default to gateway_ports setting */ 2505 if (gateway_ports) 2506 wildcard = 1; 2507 } else if (gateway_ports || is_client) { 2508 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2509 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 2510 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2511 (!is_client && gateway_ports == 1)) 2512 wildcard = 1; 2513 else if (strcmp(listen_addr, "localhost") != 0) 2514 addr = listen_addr; 2515 } 2516 2517 debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s", 2518 type, wildcard, (addr == NULL) ? "NULL" : addr); 2519 2520 /* 2521 * getaddrinfo returns a loopback address if the hostname is 2522 * set to NULL and hints.ai_flags is not AI_PASSIVE 2523 */ 2524 memset(&hints, 0, sizeof(hints)); 2525 hints.ai_family = IPv4or6; 2526 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2527 hints.ai_socktype = SOCK_STREAM; 2528 snprintf(strport, sizeof strport, "%d", listen_port); 2529 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2530 if (addr == NULL) { 2531 /* This really shouldn't happen */ 2532 packet_disconnect("getaddrinfo: fatal error: %s", 2533 ssh_gai_strerror(r)); 2534 } else { 2535 error("channel_setup_fwd_listener: " 2536 "getaddrinfo(%.64s): %s", addr, 2537 ssh_gai_strerror(r)); 2538 } 2539 return 0; 2540 } 2541 if (allocated_listen_port != NULL) 2542 *allocated_listen_port = 0; 2543 for (ai = aitop; ai; ai = ai->ai_next) { 2544 switch (ai->ai_family) { 2545 case AF_INET: 2546 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 2547 sin_port; 2548 break; 2549 case AF_INET6: 2550 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 2551 sin6_port; 2552 break; 2553 default: 2554 continue; 2555 } 2556 /* 2557 * If allocating a port for -R forwards, then use the 2558 * same port for all address families. 2559 */ 2560 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2561 allocated_listen_port != NULL && *allocated_listen_port > 0) 2562 *lport_p = htons(*allocated_listen_port); 2563 2564 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2565 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2566 error("channel_setup_fwd_listener: getnameinfo failed"); 2567 continue; 2568 } 2569 /* Create a port to listen for the host. */ 2570 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2571 if (sock < 0) { 2572 /* this is no error since kernel may not support ipv6 */ 2573 verbose("socket: %.100s", strerror(errno)); 2574 continue; 2575 } 2576 2577 channel_set_reuseaddr(sock); 2578 2579 debug("Local forwarding listening on %s port %s.", 2580 ntop, strport); 2581 2582 /* Bind the socket to the address. */ 2583 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2584 /* address can be in use ipv6 address is already bound */ 2585 if (!ai->ai_next) 2586 error("bind: %.100s", strerror(errno)); 2587 else 2588 verbose("bind: %.100s", strerror(errno)); 2589 2590 close(sock); 2591 continue; 2592 } 2593 /* Start listening for connections on the socket. */ 2594 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2595 error("listen: %.100s", strerror(errno)); 2596 close(sock); 2597 continue; 2598 } 2599 2600 /* 2601 * listen_port == 0 requests a dynamically allocated port - 2602 * record what we got. 2603 */ 2604 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2605 allocated_listen_port != NULL && 2606 *allocated_listen_port == 0) { 2607 *allocated_listen_port = get_sock_port(sock, 1); 2608 debug("Allocated listen port %d", 2609 *allocated_listen_port); 2610 } 2611 2612 /* Allocate a channel number for the socket. */ 2613 c = channel_new("port listener", type, sock, sock, -1, 2614 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2615 0, "port listener", 1); 2616 c->path = xstrdup(host); 2617 c->host_port = port_to_connect; 2618 c->listening_port = listen_port; 2619 success = 1; 2620 } 2621 if (success == 0) 2622 error("channel_setup_fwd_listener: cannot listen to port: %d", 2623 listen_port); 2624 freeaddrinfo(aitop); 2625 return success; 2626 } 2627 2628 int 2629 channel_cancel_rport_listener(const char *host, u_short port) 2630 { 2631 u_int i; 2632 int found = 0; 2633 2634 for (i = 0; i < channels_alloc; i++) { 2635 Channel *c = channels[i]; 2636 2637 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER && 2638 strcmp(c->path, host) == 0 && c->listening_port == port) { 2639 debug2("%s: close channel %d", __func__, i); 2640 channel_free(c); 2641 found = 1; 2642 } 2643 } 2644 2645 return (found); 2646 } 2647 2648 /* protocol local port fwd, used by ssh (and sshd in v1) */ 2649 int 2650 channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, 2651 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2652 { 2653 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2654 listen_host, listen_port, NULL, host_to_connect, port_to_connect, 2655 gateway_ports); 2656 } 2657 2658 /* protocol v2 remote port fwd, used by sshd */ 2659 int 2660 channel_setup_remote_fwd_listener(const char *listen_address, 2661 u_short listen_port, int *allocated_listen_port, int gateway_ports) 2662 { 2663 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2664 listen_address, listen_port, allocated_listen_port, 2665 NULL, 0, gateway_ports); 2666 } 2667 2668 /* 2669 * Initiate forwarding of connections to port "port" on remote host through 2670 * the secure channel to host:port from local side. 2671 */ 2672 2673 int 2674 channel_request_remote_forwarding(const char *listen_host, u_short listen_port, 2675 const char *host_to_connect, u_short port_to_connect) 2676 { 2677 int type, success = 0; 2678 2679 /* Record locally that connection to this host/port is permitted. */ 2680 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2681 fatal("channel_request_remote_forwarding: too many forwards"); 2682 2683 /* Send the forward request to the remote side. */ 2684 if (compat20) { 2685 const char *address_to_bind; 2686 if (listen_host == NULL) { 2687 if (datafellows & SSH_BUG_RFWD_ADDR) 2688 address_to_bind = "127.0.0.1"; 2689 else 2690 address_to_bind = "localhost"; 2691 } else if (*listen_host == '\0' || 2692 strcmp(listen_host, "*") == 0) { 2693 if (datafellows & SSH_BUG_RFWD_ADDR) 2694 address_to_bind = "0.0.0.0"; 2695 else 2696 address_to_bind = ""; 2697 } else 2698 address_to_bind = listen_host; 2699 2700 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2701 packet_put_cstring("tcpip-forward"); 2702 packet_put_char(1); /* boolean: want reply */ 2703 packet_put_cstring(address_to_bind); 2704 packet_put_int(listen_port); 2705 packet_send(); 2706 packet_write_wait(); 2707 /* Assume that server accepts the request */ 2708 success = 1; 2709 } else { 2710 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2711 packet_put_int(listen_port); 2712 packet_put_cstring(host_to_connect); 2713 packet_put_int(port_to_connect); 2714 packet_send(); 2715 packet_write_wait(); 2716 2717 /* Wait for response from the remote side. */ 2718 type = packet_read(); 2719 switch (type) { 2720 case SSH_SMSG_SUCCESS: 2721 success = 1; 2722 break; 2723 case SSH_SMSG_FAILURE: 2724 break; 2725 default: 2726 /* Unknown packet */ 2727 packet_disconnect("Protocol error for port forward request:" 2728 "received packet type %d.", type); 2729 } 2730 } 2731 if (success) { 2732 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2733 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2734 permitted_opens[num_permitted_opens].listen_port = listen_port; 2735 num_permitted_opens++; 2736 } 2737 return (success ? 0 : -1); 2738 } 2739 2740 /* 2741 * Request cancellation of remote forwarding of connection host:port from 2742 * local side. 2743 */ 2744 void 2745 channel_request_rforward_cancel(const char *host, u_short port) 2746 { 2747 int i; 2748 2749 if (!compat20) 2750 return; 2751 2752 for (i = 0; i < num_permitted_opens; i++) { 2753 if (permitted_opens[i].host_to_connect != NULL && 2754 permitted_opens[i].listen_port == port) 2755 break; 2756 } 2757 if (i >= num_permitted_opens) { 2758 debug("%s: requested forward not found", __func__); 2759 return; 2760 } 2761 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2762 packet_put_cstring("cancel-tcpip-forward"); 2763 packet_put_char(0); 2764 packet_put_cstring(host == NULL ? "" : host); 2765 packet_put_int(port); 2766 packet_send(); 2767 2768 permitted_opens[i].listen_port = 0; 2769 permitted_opens[i].port_to_connect = 0; 2770 xfree(permitted_opens[i].host_to_connect); 2771 permitted_opens[i].host_to_connect = NULL; 2772 } 2773 2774 /* 2775 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2776 * listening for the port, and sends back a success reply (or disconnect 2777 * message if there was an error). 2778 */ 2779 int 2780 channel_input_port_forward_request(int is_root, int gateway_ports) 2781 { 2782 u_short port, host_port; 2783 int success = 0; 2784 char *hostname; 2785 2786 /* Get arguments from the packet. */ 2787 port = packet_get_int(); 2788 hostname = packet_get_string(NULL); 2789 host_port = packet_get_int(); 2790 2791 #ifndef HAVE_CYGWIN 2792 /* 2793 * Check that an unprivileged user is not trying to forward a 2794 * privileged port. 2795 */ 2796 if (port < IPPORT_RESERVED && !is_root) 2797 packet_disconnect( 2798 "Requested forwarding of port %d but user is not root.", 2799 port); 2800 if (host_port == 0) 2801 packet_disconnect("Dynamic forwarding denied."); 2802 #endif 2803 2804 /* Initiate forwarding */ 2805 success = channel_setup_local_fwd_listener(NULL, port, hostname, 2806 host_port, gateway_ports); 2807 2808 /* Free the argument string. */ 2809 xfree(hostname); 2810 2811 return (success ? 0 : -1); 2812 } 2813 2814 /* 2815 * Permits opening to any host/port if permitted_opens[] is empty. This is 2816 * usually called by the server, because the user could connect to any port 2817 * anyway, and the server has no way to know but to trust the client anyway. 2818 */ 2819 void 2820 channel_permit_all_opens(void) 2821 { 2822 if (num_permitted_opens == 0) 2823 all_opens_permitted = 1; 2824 } 2825 2826 void 2827 channel_add_permitted_opens(char *host, int port) 2828 { 2829 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2830 fatal("channel_add_permitted_opens: too many forwards"); 2831 debug("allow port forwarding to host %s port %d", host, port); 2832 2833 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 2834 permitted_opens[num_permitted_opens].port_to_connect = port; 2835 num_permitted_opens++; 2836 2837 all_opens_permitted = 0; 2838 } 2839 2840 int 2841 channel_add_adm_permitted_opens(char *host, int port) 2842 { 2843 if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2844 fatal("channel_add_adm_permitted_opens: too many forwards"); 2845 debug("config allows port forwarding to host %s port %d", host, port); 2846 2847 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 2848 = xstrdup(host); 2849 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 2850 return ++num_adm_permitted_opens; 2851 } 2852 2853 void 2854 channel_clear_permitted_opens(void) 2855 { 2856 int i; 2857 2858 for (i = 0; i < num_permitted_opens; i++) 2859 if (permitted_opens[i].host_to_connect != NULL) 2860 xfree(permitted_opens[i].host_to_connect); 2861 num_permitted_opens = 0; 2862 } 2863 2864 void 2865 channel_clear_adm_permitted_opens(void) 2866 { 2867 int i; 2868 2869 for (i = 0; i < num_adm_permitted_opens; i++) 2870 if (permitted_adm_opens[i].host_to_connect != NULL) 2871 xfree(permitted_adm_opens[i].host_to_connect); 2872 num_adm_permitted_opens = 0; 2873 } 2874 2875 void 2876 channel_print_adm_permitted_opens(void) 2877 { 2878 int i; 2879 2880 printf("permitopen"); 2881 if (num_adm_permitted_opens == 0) { 2882 printf(" any\n"); 2883 return; 2884 } 2885 for (i = 0; i < num_adm_permitted_opens; i++) 2886 if (permitted_adm_opens[i].host_to_connect != NULL) 2887 printf(" %s:%d", permitted_adm_opens[i].host_to_connect, 2888 permitted_adm_opens[i].port_to_connect); 2889 printf("\n"); 2890 } 2891 2892 /* Try to start non-blocking connect to next host in cctx list */ 2893 static int 2894 connect_next(struct channel_connect *cctx) 2895 { 2896 int sock, saved_errno; 2897 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2898 2899 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 2900 if (cctx->ai->ai_family != AF_INET && 2901 cctx->ai->ai_family != AF_INET6) 2902 continue; 2903 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 2904 ntop, sizeof(ntop), strport, sizeof(strport), 2905 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2906 error("connect_next: getnameinfo failed"); 2907 continue; 2908 } 2909 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 2910 cctx->ai->ai_protocol)) == -1) { 2911 if (cctx->ai->ai_next == NULL) 2912 error("socket: %.100s", strerror(errno)); 2913 else 2914 verbose("socket: %.100s", strerror(errno)); 2915 continue; 2916 } 2917 if (set_nonblock(sock) == -1) 2918 fatal("%s: set_nonblock(%d)", __func__, sock); 2919 if (connect(sock, cctx->ai->ai_addr, 2920 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 2921 debug("connect_next: host %.100s ([%.100s]:%s): " 2922 "%.100s", cctx->host, ntop, strport, 2923 strerror(errno)); 2924 saved_errno = errno; 2925 close(sock); 2926 errno = saved_errno; 2927 continue; /* fail -- try next */ 2928 } 2929 debug("connect_next: host %.100s ([%.100s]:%s) " 2930 "in progress, fd=%d", cctx->host, ntop, strport, sock); 2931 cctx->ai = cctx->ai->ai_next; 2932 set_nodelay(sock); 2933 return sock; 2934 } 2935 return -1; 2936 } 2937 2938 static void 2939 channel_connect_ctx_free(struct channel_connect *cctx) 2940 { 2941 xfree(cctx->host); 2942 if (cctx->aitop) 2943 freeaddrinfo(cctx->aitop); 2944 bzero(cctx, sizeof(*cctx)); 2945 cctx->host = NULL; 2946 cctx->ai = cctx->aitop = NULL; 2947 } 2948 2949 /* Return CONNECTING channel to remote host, port */ 2950 static Channel * 2951 connect_to(const char *host, u_short port, char *ctype, char *rname) 2952 { 2953 struct addrinfo hints; 2954 int gaierr; 2955 int sock = -1; 2956 char strport[NI_MAXSERV]; 2957 struct channel_connect cctx; 2958 Channel *c; 2959 2960 memset(&cctx, 0, sizeof(cctx)); 2961 memset(&hints, 0, sizeof(hints)); 2962 hints.ai_family = IPv4or6; 2963 hints.ai_socktype = SOCK_STREAM; 2964 snprintf(strport, sizeof strport, "%d", port); 2965 if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) { 2966 error("connect_to %.100s: unknown host (%s)", host, 2967 ssh_gai_strerror(gaierr)); 2968 return NULL; 2969 } 2970 2971 cctx.host = xstrdup(host); 2972 cctx.port = port; 2973 cctx.ai = cctx.aitop; 2974 2975 if ((sock = connect_next(&cctx)) == -1) { 2976 error("connect to %.100s port %d failed: %s", 2977 host, port, strerror(errno)); 2978 channel_connect_ctx_free(&cctx); 2979 return NULL; 2980 } 2981 c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 2982 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 2983 c->connect_ctx = cctx; 2984 return c; 2985 } 2986 2987 Channel * 2988 channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) 2989 { 2990 int i; 2991 2992 for (i = 0; i < num_permitted_opens; i++) { 2993 if (permitted_opens[i].host_to_connect != NULL && 2994 permitted_opens[i].listen_port == listen_port) { 2995 return connect_to( 2996 permitted_opens[i].host_to_connect, 2997 permitted_opens[i].port_to_connect, ctype, rname); 2998 } 2999 } 3000 error("WARNING: Server requests forwarding for unknown listen_port %d", 3001 listen_port); 3002 return NULL; 3003 } 3004 3005 /* Check if connecting to that port is permitted and connect. */ 3006 Channel * 3007 channel_connect_to(const char *host, u_short port, char *ctype, char *rname) 3008 { 3009 int i, permit, permit_adm = 1; 3010 3011 permit = all_opens_permitted; 3012 if (!permit) { 3013 for (i = 0; i < num_permitted_opens; i++) 3014 if (permitted_opens[i].host_to_connect != NULL && 3015 permitted_opens[i].port_to_connect == port && 3016 strcmp(permitted_opens[i].host_to_connect, host) == 0) 3017 permit = 1; 3018 } 3019 3020 if (num_adm_permitted_opens > 0) { 3021 permit_adm = 0; 3022 for (i = 0; i < num_adm_permitted_opens; i++) 3023 if (permitted_adm_opens[i].host_to_connect != NULL && 3024 permitted_adm_opens[i].port_to_connect == port && 3025 strcmp(permitted_adm_opens[i].host_to_connect, host) 3026 == 0) 3027 permit_adm = 1; 3028 } 3029 3030 if (!permit || !permit_adm) { 3031 logit("Received request to connect to host %.100s port %d, " 3032 "but the request was denied.", host, port); 3033 return NULL; 3034 } 3035 return connect_to(host, port, ctype, rname); 3036 } 3037 3038 void 3039 channel_send_window_changes(void) 3040 { 3041 u_int i; 3042 struct winsize ws; 3043 3044 for (i = 0; i < channels_alloc; i++) { 3045 if (channels[i] == NULL || !channels[i]->client_tty || 3046 channels[i]->type != SSH_CHANNEL_OPEN) 3047 continue; 3048 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 3049 continue; 3050 channel_request_start(i, "window-change", 0); 3051 packet_put_int((u_int)ws.ws_col); 3052 packet_put_int((u_int)ws.ws_row); 3053 packet_put_int((u_int)ws.ws_xpixel); 3054 packet_put_int((u_int)ws.ws_ypixel); 3055 packet_send(); 3056 } 3057 } 3058 3059 /* -- X11 forwarding */ 3060 3061 /* 3062 * Creates an internet domain socket for listening for X11 connections. 3063 * Returns 0 and a suitable display number for the DISPLAY variable 3064 * stored in display_numberp , or -1 if an error occurs. 3065 */ 3066 int 3067 x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 3068 int single_connection, u_int *display_numberp, int **chanids) 3069 { 3070 Channel *nc = NULL; 3071 int display_number, sock; 3072 u_short port; 3073 struct addrinfo hints, *ai, *aitop; 3074 char strport[NI_MAXSERV]; 3075 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 3076 3077 if (chanids == NULL) 3078 return -1; 3079 3080 for (display_number = x11_display_offset; 3081 display_number < MAX_DISPLAYS; 3082 display_number++) { 3083 port = 6000 + display_number; 3084 memset(&hints, 0, sizeof(hints)); 3085 hints.ai_family = IPv4or6; 3086 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 3087 hints.ai_socktype = SOCK_STREAM; 3088 snprintf(strport, sizeof strport, "%d", port); 3089 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 3090 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 3091 return -1; 3092 } 3093 for (ai = aitop; ai; ai = ai->ai_next) { 3094 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 3095 continue; 3096 sock = socket(ai->ai_family, ai->ai_socktype, 3097 ai->ai_protocol); 3098 if (sock < 0) { 3099 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { 3100 error("socket: %.100s", strerror(errno)); 3101 freeaddrinfo(aitop); 3102 return -1; 3103 } else { 3104 debug("x11_create_display_inet: Socket family %d not supported", 3105 ai->ai_family); 3106 continue; 3107 } 3108 } 3109 #ifdef IPV6_V6ONLY 3110 if (ai->ai_family == AF_INET6) { 3111 int on = 1; 3112 if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) 3113 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); 3114 } 3115 #endif 3116 if (x11_use_localhost) 3117 channel_set_reuseaddr(sock); 3118 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3119 debug2("bind port %d: %.100s", port, strerror(errno)); 3120 close(sock); 3121 3122 for (n = 0; n < num_socks; n++) { 3123 close(socks[n]); 3124 } 3125 num_socks = 0; 3126 break; 3127 } 3128 socks[num_socks++] = sock; 3129 if (num_socks == NUM_SOCKS) 3130 break; 3131 } 3132 freeaddrinfo(aitop); 3133 if (num_socks > 0) 3134 break; 3135 } 3136 if (display_number >= MAX_DISPLAYS) { 3137 error("Failed to allocate internet-domain X11 display socket."); 3138 return -1; 3139 } 3140 /* Start listening for connections on the socket. */ 3141 for (n = 0; n < num_socks; n++) { 3142 sock = socks[n]; 3143 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3144 error("listen: %.100s", strerror(errno)); 3145 close(sock); 3146 return -1; 3147 } 3148 } 3149 3150 /* Allocate a channel for each socket. */ 3151 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 3152 for (n = 0; n < num_socks; n++) { 3153 sock = socks[n]; 3154 nc = channel_new("x11 listener", 3155 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 3156 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 3157 0, "X11 inet listener", 1); 3158 nc->single_connection = single_connection; 3159 (*chanids)[n] = nc->self; 3160 } 3161 (*chanids)[n] = -1; 3162 3163 /* Return the display number for the DISPLAY environment variable. */ 3164 *display_numberp = display_number; 3165 return (0); 3166 } 3167 3168 static int 3169 connect_local_xsocket_path(const char *pathname) 3170 { 3171 int sock; 3172 struct sockaddr_un addr; 3173 3174 sock = socket(AF_UNIX, SOCK_STREAM, 0); 3175 if (sock < 0) 3176 error("socket: %.100s", strerror(errno)); 3177 memset(&addr, 0, sizeof(addr)); 3178 addr.sun_family = AF_UNIX; 3179 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 3180 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 3181 return sock; 3182 close(sock); 3183 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 3184 return -1; 3185 } 3186 3187 static int 3188 connect_local_xsocket(u_int dnr) 3189 { 3190 char buf[1024]; 3191 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 3192 return connect_local_xsocket_path(buf); 3193 } 3194 3195 int 3196 x11_connect_display(void) 3197 { 3198 u_int display_number; 3199 const char *display; 3200 char buf[1024], *cp; 3201 struct addrinfo hints, *ai, *aitop; 3202 char strport[NI_MAXSERV]; 3203 int gaierr, sock = 0; 3204 3205 /* Try to open a socket for the local X server. */ 3206 display = getenv("DISPLAY"); 3207 if (!display) { 3208 error("DISPLAY not set."); 3209 return -1; 3210 } 3211 /* 3212 * Now we decode the value of the DISPLAY variable and make a 3213 * connection to the real X server. 3214 */ 3215 3216 /* Check if the display is from launchd. */ 3217 #ifdef __APPLE__ 3218 if (strncmp(display, "/tmp/launch", 11) == 0) { 3219 sock = connect_local_xsocket_path(display); 3220 if (sock < 0) 3221 return -1; 3222 3223 /* OK, we now have a connection to the display. */ 3224 return sock; 3225 } 3226 #endif 3227 /* 3228 * Check if it is a unix domain socket. Unix domain displays are in 3229 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 3230 */ 3231 if (strncmp(display, "unix:", 5) == 0 || 3232 display[0] == ':') { 3233 /* Connect to the unix domain socket. */ 3234 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 3235 error("Could not parse display number from DISPLAY: %.100s", 3236 display); 3237 return -1; 3238 } 3239 /* Create a socket. */ 3240 sock = connect_local_xsocket(display_number); 3241 if (sock < 0) 3242 return -1; 3243 3244 /* OK, we now have a connection to the display. */ 3245 return sock; 3246 } 3247 /* 3248 * Connect to an inet socket. The DISPLAY value is supposedly 3249 * hostname:d[.s], where hostname may also be numeric IP address. 3250 */ 3251 strlcpy(buf, display, sizeof(buf)); 3252 cp = strchr(buf, ':'); 3253 if (!cp) { 3254 error("Could not find ':' in DISPLAY: %.100s", display); 3255 return -1; 3256 } 3257 *cp = 0; 3258 /* buf now contains the host name. But first we parse the display number. */ 3259 if (sscanf(cp + 1, "%u", &display_number) != 1) { 3260 error("Could not parse display number from DISPLAY: %.100s", 3261 display); 3262 return -1; 3263 } 3264 3265 /* Look up the host address */ 3266 memset(&hints, 0, sizeof(hints)); 3267 hints.ai_family = IPv4or6; 3268 hints.ai_socktype = SOCK_STREAM; 3269 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 3270 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 3271 error("%.100s: unknown host. (%s)", buf, 3272 ssh_gai_strerror(gaierr)); 3273 return -1; 3274 } 3275 for (ai = aitop; ai; ai = ai->ai_next) { 3276 /* Create a socket. */ 3277 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3278 if (sock < 0) { 3279 debug2("socket: %.100s", strerror(errno)); 3280 continue; 3281 } 3282 /* Connect it to the display. */ 3283 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3284 debug2("connect %.100s port %u: %.100s", buf, 3285 6000 + display_number, strerror(errno)); 3286 close(sock); 3287 continue; 3288 } 3289 /* Success */ 3290 break; 3291 } 3292 freeaddrinfo(aitop); 3293 if (!ai) { 3294 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 3295 strerror(errno)); 3296 return -1; 3297 } 3298 set_nodelay(sock); 3299 return sock; 3300 } 3301 3302 /* 3303 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 3304 * the remote channel number. We should do whatever we want, and respond 3305 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 3306 */ 3307 3308 /* ARGSUSED */ 3309 void 3310 x11_input_open(int type, u_int32_t seq, void *ctxt) 3311 { 3312 Channel *c = NULL; 3313 int remote_id, sock = 0; 3314 char *remote_host; 3315 3316 debug("Received X11 open request."); 3317 3318 remote_id = packet_get_int(); 3319 3320 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 3321 remote_host = packet_get_string(NULL); 3322 } else { 3323 remote_host = xstrdup("unknown (remote did not supply name)"); 3324 } 3325 packet_check_eom(); 3326 3327 /* Obtain a connection to the real X display. */ 3328 sock = x11_connect_display(); 3329 if (sock != -1) { 3330 /* Allocate a channel for this connection. */ 3331 c = channel_new("connected x11 socket", 3332 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 3333 remote_host, 1); 3334 c->remote_id = remote_id; 3335 c->force_drain = 1; 3336 } 3337 xfree(remote_host); 3338 if (c == NULL) { 3339 /* Send refusal to the remote host. */ 3340 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3341 packet_put_int(remote_id); 3342 } else { 3343 /* Send a confirmation to the remote host. */ 3344 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 3345 packet_put_int(remote_id); 3346 packet_put_int(c->self); 3347 } 3348 packet_send(); 3349 } 3350 3351 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 3352 /* ARGSUSED */ 3353 void 3354 deny_input_open(int type, u_int32_t seq, void *ctxt) 3355 { 3356 int rchan = packet_get_int(); 3357 3358 switch (type) { 3359 case SSH_SMSG_AGENT_OPEN: 3360 error("Warning: ssh server tried agent forwarding."); 3361 break; 3362 case SSH_SMSG_X11_OPEN: 3363 error("Warning: ssh server tried X11 forwarding."); 3364 break; 3365 default: 3366 error("deny_input_open: type %d", type); 3367 break; 3368 } 3369 error("Warning: this is probably a break-in attempt by a malicious server."); 3370 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3371 packet_put_int(rchan); 3372 packet_send(); 3373 } 3374 3375 /* 3376 * Requests forwarding of X11 connections, generates fake authentication 3377 * data, and enables authentication spoofing. 3378 * This should be called in the client only. 3379 */ 3380 void 3381 x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 3382 const char *proto, const char *data) 3383 { 3384 u_int data_len = (u_int) strlen(data) / 2; 3385 u_int i, value; 3386 char *new_data; 3387 int screen_number; 3388 const char *cp; 3389 u_int32_t rnd = 0; 3390 3391 if (x11_saved_display == NULL) 3392 x11_saved_display = xstrdup(disp); 3393 else if (strcmp(disp, x11_saved_display) != 0) { 3394 error("x11_request_forwarding_with_spoofing: different " 3395 "$DISPLAY already forwarded"); 3396 return; 3397 } 3398 3399 cp = strchr(disp, ':'); 3400 if (cp) 3401 cp = strchr(cp, '.'); 3402 if (cp) 3403 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 3404 else 3405 screen_number = 0; 3406 3407 if (x11_saved_proto == NULL) { 3408 /* Save protocol name. */ 3409 x11_saved_proto = xstrdup(proto); 3410 /* 3411 * Extract real authentication data and generate fake data 3412 * of the same length. 3413 */ 3414 x11_saved_data = xmalloc(data_len); 3415 x11_fake_data = xmalloc(data_len); 3416 for (i = 0; i < data_len; i++) { 3417 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3418 fatal("x11_request_forwarding: bad " 3419 "authentication data: %.100s", data); 3420 if (i % 4 == 0) 3421 rnd = arc4random(); 3422 x11_saved_data[i] = value; 3423 x11_fake_data[i] = rnd & 0xff; 3424 rnd >>= 8; 3425 } 3426 x11_saved_data_len = data_len; 3427 x11_fake_data_len = data_len; 3428 } 3429 3430 /* Convert the fake data into hex. */ 3431 new_data = tohex(x11_fake_data, data_len); 3432 3433 /* Send the request packet. */ 3434 if (compat20) { 3435 channel_request_start(client_session_id, "x11-req", 0); 3436 packet_put_char(0); /* XXX bool single connection */ 3437 } else { 3438 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 3439 } 3440 packet_put_cstring(proto); 3441 packet_put_cstring(new_data); 3442 packet_put_int(screen_number); 3443 packet_send(); 3444 packet_write_wait(); 3445 xfree(new_data); 3446 } 3447 3448 3449 /* -- agent forwarding */ 3450 3451 /* Sends a message to the server to request authentication fd forwarding. */ 3452 3453 void 3454 auth_request_forwarding(void) 3455 { 3456 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 3457 packet_send(); 3458 packet_write_wait(); 3459 } 3460