1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This file contains functions for generic socket connection forwarding. 6 * There is also code for initiating connection forwarding for X11 connections, 7 * arbitrary tcp/ip connections, and the authentication agent connection. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * SSH2 support added by Markus Friedl. 16 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 17 * Copyright (c) 1999 Dug Song. All rights reserved. 18 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 30 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 31 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 32 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 33 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 34 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 35 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 36 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 37 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 38 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 */ 40 41 #include "includes.h" 42 RCSID("$OpenBSD: channels.c,v 1.223 2005/07/17 07:17:54 djm Exp $"); 43 44 #include "ssh.h" 45 #include "ssh1.h" 46 #include "ssh2.h" 47 #include "packet.h" 48 #include "xmalloc.h" 49 #include "log.h" 50 #include "misc.h" 51 #include "channels.h" 52 #include "compat.h" 53 #include "canohost.h" 54 #include "key.h" 55 #include "authfd.h" 56 #include "pathnames.h" 57 #include "bufaux.h" 58 59 /* -- channel core */ 60 61 #define CHAN_RBUF 16*1024 62 63 /* 64 * Pointer to an array containing all allocated channels. The array is 65 * dynamically extended as needed. 66 */ 67 static Channel **channels = NULL; 68 69 /* 70 * Size of the channel array. All slots of the array must always be 71 * initialized (at least the type field); unused slots set to NULL 72 */ 73 static u_int channels_alloc = 0; 74 75 /* 76 * Maximum file descriptor value used in any of the channels. This is 77 * updated in channel_new. 78 */ 79 static int channel_max_fd = 0; 80 81 82 /* -- tcp forwarding */ 83 84 /* 85 * Data structure for storing which hosts are permitted for forward requests. 86 * The local sides of any remote forwards are stored in this array to prevent 87 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 88 * network (which might be behind a firewall). 89 */ 90 typedef struct { 91 char *host_to_connect; /* Connect to 'host'. */ 92 u_short port_to_connect; /* Connect to 'port'. */ 93 u_short listen_port; /* Remote side should listen port number. */ 94 } ForwardPermission; 95 96 /* List of all permitted host/port pairs to connect. */ 97 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 98 99 /* Number of permitted host/port pairs in the array. */ 100 static int num_permitted_opens = 0; 101 /* 102 * If this is true, all opens are permitted. This is the case on the server 103 * on which we have to trust the client anyway, and the user could do 104 * anything after logging in anyway. 105 */ 106 static int all_opens_permitted = 0; 107 108 109 /* -- X11 forwarding */ 110 111 /* Maximum number of fake X11 displays to try. */ 112 #define MAX_DISPLAYS 1000 113 114 /* Saved X11 local (client) display. */ 115 static char *x11_saved_display = NULL; 116 117 /* Saved X11 authentication protocol name. */ 118 static char *x11_saved_proto = NULL; 119 120 /* Saved X11 authentication data. This is the real data. */ 121 static char *x11_saved_data = NULL; 122 static u_int x11_saved_data_len = 0; 123 124 /* 125 * Fake X11 authentication data. This is what the server will be sending us; 126 * we should replace any occurrences of this by the real data. 127 */ 128 static char *x11_fake_data = NULL; 129 static u_int x11_fake_data_len; 130 131 132 /* -- agent forwarding */ 133 134 #define NUM_SOCKS 10 135 136 /* AF_UNSPEC or AF_INET or AF_INET6 */ 137 static int IPv4or6 = AF_UNSPEC; 138 139 /* helper */ 140 static void port_open_helper(Channel *c, char *rtype); 141 142 /* -- channel core */ 143 144 Channel * 145 channel_lookup(int id) 146 { 147 Channel *c; 148 149 if (id < 0 || (u_int)id >= channels_alloc) { 150 logit("channel_lookup: %d: bad id", id); 151 return NULL; 152 } 153 c = channels[id]; 154 if (c == NULL) { 155 logit("channel_lookup: %d: bad id: channel free", id); 156 return NULL; 157 } 158 return c; 159 } 160 161 /* 162 * Register filedescriptors for a channel, used when allocating a channel or 163 * when the channel consumer/producer is ready, e.g. shell exec'd 164 */ 165 166 static void 167 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 168 int extusage, int nonblock) 169 { 170 /* Update the maximum file descriptor value. */ 171 channel_max_fd = MAX(channel_max_fd, rfd); 172 channel_max_fd = MAX(channel_max_fd, wfd); 173 channel_max_fd = MAX(channel_max_fd, efd); 174 175 /* XXX set close-on-exec -markus */ 176 177 c->rfd = rfd; 178 c->wfd = wfd; 179 c->sock = (rfd == wfd) ? rfd : -1; 180 c->ctl_fd = -1; /* XXX: set elsewhere */ 181 c->efd = efd; 182 c->extended_usage = extusage; 183 184 /* XXX ugly hack: nonblock is only set by the server */ 185 if (nonblock && isatty(c->rfd)) { 186 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 187 c->isatty = 1; 188 if (!isatty(c->wfd)) { 189 error("channel %d: wfd %d is not a tty?", 190 c->self, c->wfd); 191 } 192 } else { 193 c->isatty = 0; 194 } 195 c->wfd_isatty = isatty(c->wfd); 196 197 /* enable nonblocking mode */ 198 if (nonblock) { 199 if (rfd != -1) 200 set_nonblock(rfd); 201 if (wfd != -1) 202 set_nonblock(wfd); 203 if (efd != -1) 204 set_nonblock(efd); 205 } 206 } 207 208 /* 209 * Allocate a new channel object and set its type and socket. This will cause 210 * remote_name to be freed. 211 */ 212 213 Channel * 214 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 215 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 216 { 217 int found; 218 u_int i; 219 Channel *c; 220 221 /* Do initial allocation if this is the first call. */ 222 if (channels_alloc == 0) { 223 channels_alloc = 10; 224 channels = xmalloc(channels_alloc * sizeof(Channel *)); 225 for (i = 0; i < channels_alloc; i++) 226 channels[i] = NULL; 227 } 228 /* Try to find a free slot where to put the new channel. */ 229 for (found = -1, i = 0; i < channels_alloc; i++) 230 if (channels[i] == NULL) { 231 /* Found a free slot. */ 232 found = (int)i; 233 break; 234 } 235 if (found < 0) { 236 /* There are no free slots. Take last+1 slot and expand the array. */ 237 found = channels_alloc; 238 if (channels_alloc > 10000) 239 fatal("channel_new: internal error: channels_alloc %d " 240 "too big.", channels_alloc); 241 channels = xrealloc(channels, 242 (channels_alloc + 10) * sizeof(Channel *)); 243 channels_alloc += 10; 244 debug2("channel: expanding %d", channels_alloc); 245 for (i = found; i < channels_alloc; i++) 246 channels[i] = NULL; 247 } 248 /* Initialize and return new channel. */ 249 c = channels[found] = xmalloc(sizeof(Channel)); 250 memset(c, 0, sizeof(Channel)); 251 buffer_init(&c->input); 252 buffer_init(&c->output); 253 buffer_init(&c->extended); 254 c->ostate = CHAN_OUTPUT_OPEN; 255 c->istate = CHAN_INPUT_OPEN; 256 c->flags = 0; 257 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 258 c->self = found; 259 c->type = type; 260 c->ctype = ctype; 261 c->local_window = window; 262 c->local_window_max = window; 263 c->local_consumed = 0; 264 c->local_maxpacket = maxpack; 265 c->remote_id = -1; 266 c->remote_name = xstrdup(remote_name); 267 c->remote_window = 0; 268 c->remote_maxpacket = 0; 269 c->force_drain = 0; 270 c->single_connection = 0; 271 c->detach_user = NULL; 272 c->confirm = NULL; 273 c->confirm_ctx = NULL; 274 c->input_filter = NULL; 275 debug("channel %d: new [%s]", found, remote_name); 276 return c; 277 } 278 279 static int 280 channel_find_maxfd(void) 281 { 282 u_int i; 283 int max = 0; 284 Channel *c; 285 286 for (i = 0; i < channels_alloc; i++) { 287 c = channels[i]; 288 if (c != NULL) { 289 max = MAX(max, c->rfd); 290 max = MAX(max, c->wfd); 291 max = MAX(max, c->efd); 292 } 293 } 294 return max; 295 } 296 297 int 298 channel_close_fd(int *fdp) 299 { 300 int ret = 0, fd = *fdp; 301 302 if (fd != -1) { 303 ret = close(fd); 304 *fdp = -1; 305 if (fd == channel_max_fd) 306 channel_max_fd = channel_find_maxfd(); 307 } 308 return ret; 309 } 310 311 /* Close all channel fd/socket. */ 312 313 static void 314 channel_close_fds(Channel *c) 315 { 316 debug3("channel %d: close_fds r %d w %d e %d c %d", 317 c->self, c->rfd, c->wfd, c->efd, c->ctl_fd); 318 319 channel_close_fd(&c->sock); 320 channel_close_fd(&c->ctl_fd); 321 channel_close_fd(&c->rfd); 322 channel_close_fd(&c->wfd); 323 channel_close_fd(&c->efd); 324 } 325 326 /* Free the channel and close its fd/socket. */ 327 328 void 329 channel_free(Channel *c) 330 { 331 char *s; 332 u_int i, n; 333 334 for (n = 0, i = 0; i < channels_alloc; i++) 335 if (channels[i]) 336 n++; 337 debug("channel %d: free: %s, nchannels %u", c->self, 338 c->remote_name ? c->remote_name : "???", n); 339 340 s = channel_open_message(); 341 debug3("channel %d: status: %s", c->self, s); 342 xfree(s); 343 344 if (c->sock != -1) 345 shutdown(c->sock, SHUT_RDWR); 346 if (c->ctl_fd != -1) 347 shutdown(c->ctl_fd, SHUT_RDWR); 348 channel_close_fds(c); 349 buffer_free(&c->input); 350 buffer_free(&c->output); 351 buffer_free(&c->extended); 352 if (c->remote_name) { 353 xfree(c->remote_name); 354 c->remote_name = NULL; 355 } 356 channels[c->self] = NULL; 357 xfree(c); 358 } 359 360 void 361 channel_free_all(void) 362 { 363 u_int i; 364 365 for (i = 0; i < channels_alloc; i++) 366 if (channels[i] != NULL) 367 channel_free(channels[i]); 368 } 369 370 /* 371 * Closes the sockets/fds of all channels. This is used to close extra file 372 * descriptors after a fork. 373 */ 374 375 void 376 channel_close_all(void) 377 { 378 u_int i; 379 380 for (i = 0; i < channels_alloc; i++) 381 if (channels[i] != NULL) 382 channel_close_fds(channels[i]); 383 } 384 385 /* 386 * Stop listening to channels. 387 */ 388 389 void 390 channel_stop_listening(void) 391 { 392 u_int i; 393 Channel *c; 394 395 for (i = 0; i < channels_alloc; i++) { 396 c = channels[i]; 397 if (c != NULL) { 398 switch (c->type) { 399 case SSH_CHANNEL_AUTH_SOCKET: 400 case SSH_CHANNEL_PORT_LISTENER: 401 case SSH_CHANNEL_RPORT_LISTENER: 402 case SSH_CHANNEL_X11_LISTENER: 403 channel_close_fd(&c->sock); 404 channel_free(c); 405 break; 406 } 407 } 408 } 409 } 410 411 /* 412 * Returns true if no channel has too much buffered data, and false if one or 413 * more channel is overfull. 414 */ 415 416 int 417 channel_not_very_much_buffered_data(void) 418 { 419 u_int i; 420 Channel *c; 421 422 for (i = 0; i < channels_alloc; i++) { 423 c = channels[i]; 424 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 425 #if 0 426 if (!compat20 && 427 buffer_len(&c->input) > packet_get_maxsize()) { 428 debug2("channel %d: big input buffer %d", 429 c->self, buffer_len(&c->input)); 430 return 0; 431 } 432 #endif 433 if (buffer_len(&c->output) > packet_get_maxsize()) { 434 debug2("channel %d: big output buffer %u > %u", 435 c->self, buffer_len(&c->output), 436 packet_get_maxsize()); 437 return 0; 438 } 439 } 440 } 441 return 1; 442 } 443 444 /* Returns true if any channel is still open. */ 445 446 int 447 channel_still_open(void) 448 { 449 u_int i; 450 Channel *c; 451 452 for (i = 0; i < channels_alloc; i++) { 453 c = channels[i]; 454 if (c == NULL) 455 continue; 456 switch (c->type) { 457 case SSH_CHANNEL_X11_LISTENER: 458 case SSH_CHANNEL_PORT_LISTENER: 459 case SSH_CHANNEL_RPORT_LISTENER: 460 case SSH_CHANNEL_CLOSED: 461 case SSH_CHANNEL_AUTH_SOCKET: 462 case SSH_CHANNEL_DYNAMIC: 463 case SSH_CHANNEL_CONNECTING: 464 case SSH_CHANNEL_ZOMBIE: 465 continue; 466 case SSH_CHANNEL_LARVAL: 467 if (!compat20) 468 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 469 continue; 470 case SSH_CHANNEL_OPENING: 471 case SSH_CHANNEL_OPEN: 472 case SSH_CHANNEL_X11_OPEN: 473 return 1; 474 case SSH_CHANNEL_INPUT_DRAINING: 475 case SSH_CHANNEL_OUTPUT_DRAINING: 476 if (!compat13) 477 fatal("cannot happen: OUT_DRAIN"); 478 return 1; 479 default: 480 fatal("channel_still_open: bad channel type %d", c->type); 481 /* NOTREACHED */ 482 } 483 } 484 return 0; 485 } 486 487 /* Returns the id of an open channel suitable for keepaliving */ 488 489 int 490 channel_find_open(void) 491 { 492 u_int i; 493 Channel *c; 494 495 for (i = 0; i < channels_alloc; i++) { 496 c = channels[i]; 497 if (c == NULL || c->remote_id < 0) 498 continue; 499 switch (c->type) { 500 case SSH_CHANNEL_CLOSED: 501 case SSH_CHANNEL_DYNAMIC: 502 case SSH_CHANNEL_X11_LISTENER: 503 case SSH_CHANNEL_PORT_LISTENER: 504 case SSH_CHANNEL_RPORT_LISTENER: 505 case SSH_CHANNEL_OPENING: 506 case SSH_CHANNEL_CONNECTING: 507 case SSH_CHANNEL_ZOMBIE: 508 continue; 509 case SSH_CHANNEL_LARVAL: 510 case SSH_CHANNEL_AUTH_SOCKET: 511 case SSH_CHANNEL_OPEN: 512 case SSH_CHANNEL_X11_OPEN: 513 return i; 514 case SSH_CHANNEL_INPUT_DRAINING: 515 case SSH_CHANNEL_OUTPUT_DRAINING: 516 if (!compat13) 517 fatal("cannot happen: OUT_DRAIN"); 518 return i; 519 default: 520 fatal("channel_find_open: bad channel type %d", c->type); 521 /* NOTREACHED */ 522 } 523 } 524 return -1; 525 } 526 527 528 /* 529 * Returns a message describing the currently open forwarded connections, 530 * suitable for sending to the client. The message contains crlf pairs for 531 * newlines. 532 */ 533 534 char * 535 channel_open_message(void) 536 { 537 Buffer buffer; 538 Channel *c; 539 char buf[1024], *cp; 540 u_int i; 541 542 buffer_init(&buffer); 543 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 544 buffer_append(&buffer, buf, strlen(buf)); 545 for (i = 0; i < channels_alloc; i++) { 546 c = channels[i]; 547 if (c == NULL) 548 continue; 549 switch (c->type) { 550 case SSH_CHANNEL_X11_LISTENER: 551 case SSH_CHANNEL_PORT_LISTENER: 552 case SSH_CHANNEL_RPORT_LISTENER: 553 case SSH_CHANNEL_CLOSED: 554 case SSH_CHANNEL_AUTH_SOCKET: 555 case SSH_CHANNEL_ZOMBIE: 556 continue; 557 case SSH_CHANNEL_LARVAL: 558 case SSH_CHANNEL_OPENING: 559 case SSH_CHANNEL_CONNECTING: 560 case SSH_CHANNEL_DYNAMIC: 561 case SSH_CHANNEL_OPEN: 562 case SSH_CHANNEL_X11_OPEN: 563 case SSH_CHANNEL_INPUT_DRAINING: 564 case SSH_CHANNEL_OUTPUT_DRAINING: 565 snprintf(buf, sizeof buf, 566 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cfd %d)\r\n", 567 c->self, c->remote_name, 568 c->type, c->remote_id, 569 c->istate, buffer_len(&c->input), 570 c->ostate, buffer_len(&c->output), 571 c->rfd, c->wfd, c->ctl_fd); 572 buffer_append(&buffer, buf, strlen(buf)); 573 continue; 574 default: 575 fatal("channel_open_message: bad channel type %d", c->type); 576 /* NOTREACHED */ 577 } 578 } 579 buffer_append(&buffer, "\0", 1); 580 cp = xstrdup(buffer_ptr(&buffer)); 581 buffer_free(&buffer); 582 return cp; 583 } 584 585 void 586 channel_send_open(int id) 587 { 588 Channel *c = channel_lookup(id); 589 590 if (c == NULL) { 591 logit("channel_send_open: %d: bad id", id); 592 return; 593 } 594 debug2("channel %d: send open", id); 595 packet_start(SSH2_MSG_CHANNEL_OPEN); 596 packet_put_cstring(c->ctype); 597 packet_put_int(c->self); 598 packet_put_int(c->local_window); 599 packet_put_int(c->local_maxpacket); 600 packet_send(); 601 } 602 603 void 604 channel_request_start(int id, char *service, int wantconfirm) 605 { 606 Channel *c = channel_lookup(id); 607 608 if (c == NULL) { 609 logit("channel_request_start: %d: unknown channel id", id); 610 return; 611 } 612 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 613 packet_start(SSH2_MSG_CHANNEL_REQUEST); 614 packet_put_int(c->remote_id); 615 packet_put_cstring(service); 616 packet_put_char(wantconfirm); 617 } 618 void 619 channel_register_confirm(int id, channel_callback_fn *fn, void *ctx) 620 { 621 Channel *c = channel_lookup(id); 622 623 if (c == NULL) { 624 logit("channel_register_comfirm: %d: bad id", id); 625 return; 626 } 627 c->confirm = fn; 628 c->confirm_ctx = ctx; 629 } 630 void 631 channel_register_cleanup(int id, channel_callback_fn *fn) 632 { 633 Channel *c = channel_lookup(id); 634 635 if (c == NULL) { 636 logit("channel_register_cleanup: %d: bad id", id); 637 return; 638 } 639 c->detach_user = fn; 640 } 641 void 642 channel_cancel_cleanup(int id) 643 { 644 Channel *c = channel_lookup(id); 645 646 if (c == NULL) { 647 logit("channel_cancel_cleanup: %d: bad id", id); 648 return; 649 } 650 c->detach_user = NULL; 651 } 652 void 653 channel_register_filter(int id, channel_filter_fn *fn) 654 { 655 Channel *c = channel_lookup(id); 656 657 if (c == NULL) { 658 logit("channel_register_filter: %d: bad id", id); 659 return; 660 } 661 c->input_filter = fn; 662 } 663 664 void 665 channel_set_fds(int id, int rfd, int wfd, int efd, 666 int extusage, int nonblock, u_int window_max) 667 { 668 Channel *c = channel_lookup(id); 669 670 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 671 fatal("channel_activate for non-larval channel %d.", id); 672 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 673 c->type = SSH_CHANNEL_OPEN; 674 c->local_window = c->local_window_max = window_max; 675 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 676 packet_put_int(c->remote_id); 677 packet_put_int(c->local_window); 678 packet_send(); 679 } 680 681 /* 682 * 'channel_pre*' are called just before select() to add any bits relevant to 683 * channels in the select bitmasks. 684 */ 685 /* 686 * 'channel_post*': perform any appropriate operations for channels which 687 * have events pending. 688 */ 689 typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset); 690 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 691 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 692 693 static void 694 channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset) 695 { 696 FD_SET(c->sock, readset); 697 } 698 699 static void 700 channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset) 701 { 702 debug3("channel %d: waiting for connection", c->self); 703 FD_SET(c->sock, writeset); 704 } 705 706 static void 707 channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset) 708 { 709 if (buffer_len(&c->input) < packet_get_maxsize()) 710 FD_SET(c->sock, readset); 711 if (buffer_len(&c->output) > 0) 712 FD_SET(c->sock, writeset); 713 } 714 715 static void 716 channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset) 717 { 718 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 719 720 /* check buffer limits */ 721 limit = MIN(limit, (BUFFER_MAX_LEN - BUFFER_MAX_CHUNK - CHAN_RBUF)); 722 723 if (c->istate == CHAN_INPUT_OPEN && 724 limit > 0 && 725 buffer_len(&c->input) < limit) 726 FD_SET(c->rfd, readset); 727 if (c->ostate == CHAN_OUTPUT_OPEN || 728 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 729 if (buffer_len(&c->output) > 0) { 730 FD_SET(c->wfd, writeset); 731 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 732 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 733 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 734 c->self, c->efd, buffer_len(&c->extended)); 735 else 736 chan_obuf_empty(c); 737 } 738 } 739 /** XXX check close conditions, too */ 740 if (compat20 && c->efd != -1) { 741 if (c->extended_usage == CHAN_EXTENDED_WRITE && 742 buffer_len(&c->extended) > 0) 743 FD_SET(c->efd, writeset); 744 else if (!(c->flags & CHAN_EOF_SENT) && 745 c->extended_usage == CHAN_EXTENDED_READ && 746 buffer_len(&c->extended) < c->remote_window) 747 FD_SET(c->efd, readset); 748 } 749 /* XXX: What about efd? races? */ 750 if (compat20 && c->ctl_fd != -1 && 751 c->istate == CHAN_INPUT_OPEN && c->ostate == CHAN_OUTPUT_OPEN) 752 FD_SET(c->ctl_fd, readset); 753 } 754 755 static void 756 channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset) 757 { 758 if (buffer_len(&c->input) == 0) { 759 packet_start(SSH_MSG_CHANNEL_CLOSE); 760 packet_put_int(c->remote_id); 761 packet_send(); 762 c->type = SSH_CHANNEL_CLOSED; 763 debug2("channel %d: closing after input drain.", c->self); 764 } 765 } 766 767 static void 768 channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset) 769 { 770 if (buffer_len(&c->output) == 0) 771 chan_mark_dead(c); 772 else 773 FD_SET(c->sock, writeset); 774 } 775 776 /* 777 * This is a special state for X11 authentication spoofing. An opened X11 778 * connection (when authentication spoofing is being done) remains in this 779 * state until the first packet has been completely read. The authentication 780 * data in that packet is then substituted by the real data if it matches the 781 * fake data, and the channel is put into normal mode. 782 * XXX All this happens at the client side. 783 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 784 */ 785 static int 786 x11_open_helper(Buffer *b) 787 { 788 u_char *ucp; 789 u_int proto_len, data_len; 790 791 /* Check if the fixed size part of the packet is in buffer. */ 792 if (buffer_len(b) < 12) 793 return 0; 794 795 /* Parse the lengths of variable-length fields. */ 796 ucp = buffer_ptr(b); 797 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 798 proto_len = 256 * ucp[6] + ucp[7]; 799 data_len = 256 * ucp[8] + ucp[9]; 800 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 801 proto_len = ucp[6] + 256 * ucp[7]; 802 data_len = ucp[8] + 256 * ucp[9]; 803 } else { 804 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 805 ucp[0]); 806 return -1; 807 } 808 809 /* Check if the whole packet is in buffer. */ 810 if (buffer_len(b) < 811 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 812 return 0; 813 814 /* Check if authentication protocol matches. */ 815 if (proto_len != strlen(x11_saved_proto) || 816 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 817 debug2("X11 connection uses different authentication protocol."); 818 return -1; 819 } 820 /* Check if authentication data matches our fake data. */ 821 if (data_len != x11_fake_data_len || 822 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 823 x11_fake_data, x11_fake_data_len) != 0) { 824 debug2("X11 auth data does not match fake data."); 825 return -1; 826 } 827 /* Check fake data length */ 828 if (x11_fake_data_len != x11_saved_data_len) { 829 error("X11 fake_data_len %d != saved_data_len %d", 830 x11_fake_data_len, x11_saved_data_len); 831 return -1; 832 } 833 /* 834 * Received authentication protocol and data match 835 * our fake data. Substitute the fake data with real 836 * data. 837 */ 838 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 839 x11_saved_data, x11_saved_data_len); 840 return 1; 841 } 842 843 static void 844 channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset) 845 { 846 int ret = x11_open_helper(&c->output); 847 848 if (ret == 1) { 849 /* Start normal processing for the channel. */ 850 c->type = SSH_CHANNEL_OPEN; 851 channel_pre_open_13(c, readset, writeset); 852 } else if (ret == -1) { 853 /* 854 * We have received an X11 connection that has bad 855 * authentication information. 856 */ 857 logit("X11 connection rejected because of wrong authentication."); 858 buffer_clear(&c->input); 859 buffer_clear(&c->output); 860 channel_close_fd(&c->sock); 861 c->sock = -1; 862 c->type = SSH_CHANNEL_CLOSED; 863 packet_start(SSH_MSG_CHANNEL_CLOSE); 864 packet_put_int(c->remote_id); 865 packet_send(); 866 } 867 } 868 869 static void 870 channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset) 871 { 872 int ret = x11_open_helper(&c->output); 873 874 /* c->force_drain = 1; */ 875 876 if (ret == 1) { 877 c->type = SSH_CHANNEL_OPEN; 878 channel_pre_open(c, readset, writeset); 879 } else if (ret == -1) { 880 logit("X11 connection rejected because of wrong authentication."); 881 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 882 chan_read_failed(c); 883 buffer_clear(&c->input); 884 chan_ibuf_empty(c); 885 buffer_clear(&c->output); 886 /* for proto v1, the peer will send an IEOF */ 887 if (compat20) 888 chan_write_failed(c); 889 else 890 c->type = SSH_CHANNEL_OPEN; 891 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 892 } 893 } 894 895 /* try to decode a socks4 header */ 896 static int 897 channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) 898 { 899 char *p, *host; 900 u_int len, have, i, found; 901 char username[256]; 902 struct { 903 u_int8_t version; 904 u_int8_t command; 905 u_int16_t dest_port; 906 struct in_addr dest_addr; 907 } s4_req, s4_rsp; 908 909 debug2("channel %d: decode socks4", c->self); 910 911 have = buffer_len(&c->input); 912 len = sizeof(s4_req); 913 if (have < len) 914 return 0; 915 p = buffer_ptr(&c->input); 916 for (found = 0, i = len; i < have; i++) { 917 if (p[i] == '\0') { 918 found = 1; 919 break; 920 } 921 if (i > 1024) { 922 /* the peer is probably sending garbage */ 923 debug("channel %d: decode socks4: too long", 924 c->self); 925 return -1; 926 } 927 } 928 if (!found) 929 return 0; 930 buffer_get(&c->input, (char *)&s4_req.version, 1); 931 buffer_get(&c->input, (char *)&s4_req.command, 1); 932 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 933 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 934 have = buffer_len(&c->input); 935 p = buffer_ptr(&c->input); 936 len = strlen(p); 937 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 938 if (len > have) 939 fatal("channel %d: decode socks4: len %d > have %d", 940 c->self, len, have); 941 strlcpy(username, p, sizeof(username)); 942 buffer_consume(&c->input, len); 943 buffer_consume(&c->input, 1); /* trailing '\0' */ 944 945 host = inet_ntoa(s4_req.dest_addr); 946 strlcpy(c->path, host, sizeof(c->path)); 947 c->host_port = ntohs(s4_req.dest_port); 948 949 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 950 c->self, host, c->host_port, s4_req.command); 951 952 if (s4_req.command != 1) { 953 debug("channel %d: cannot handle: socks4 cn %d", 954 c->self, s4_req.command); 955 return -1; 956 } 957 s4_rsp.version = 0; /* vn: 0 for reply */ 958 s4_rsp.command = 90; /* cd: req granted */ 959 s4_rsp.dest_port = 0; /* ignored */ 960 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 961 buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp)); 962 return 1; 963 } 964 965 /* try to decode a socks5 header */ 966 #define SSH_SOCKS5_AUTHDONE 0x1000 967 #define SSH_SOCKS5_NOAUTH 0x00 968 #define SSH_SOCKS5_IPV4 0x01 969 #define SSH_SOCKS5_DOMAIN 0x03 970 #define SSH_SOCKS5_IPV6 0x04 971 #define SSH_SOCKS5_CONNECT 0x01 972 #define SSH_SOCKS5_SUCCESS 0x00 973 974 static int 975 channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset) 976 { 977 struct { 978 u_int8_t version; 979 u_int8_t command; 980 u_int8_t reserved; 981 u_int8_t atyp; 982 } s5_req, s5_rsp; 983 u_int16_t dest_port; 984 u_char *p, dest_addr[255+1]; 985 u_int have, i, found, nmethods, addrlen, af; 986 987 debug2("channel %d: decode socks5", c->self); 988 p = buffer_ptr(&c->input); 989 if (p[0] != 0x05) 990 return -1; 991 have = buffer_len(&c->input); 992 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 993 /* format: ver | nmethods | methods */ 994 if (have < 2) 995 return 0; 996 nmethods = p[1]; 997 if (have < nmethods + 2) 998 return 0; 999 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1000 for (found = 0, i = 2 ; i < nmethods + 2; i++) { 1001 if (p[i] == SSH_SOCKS5_NOAUTH ) { 1002 found = 1; 1003 break; 1004 } 1005 } 1006 if (!found) { 1007 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1008 c->self); 1009 return -1; 1010 } 1011 buffer_consume(&c->input, nmethods + 2); 1012 buffer_put_char(&c->output, 0x05); /* version */ 1013 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1014 FD_SET(c->sock, writeset); 1015 c->flags |= SSH_SOCKS5_AUTHDONE; 1016 debug2("channel %d: socks5 auth done", c->self); 1017 return 0; /* need more */ 1018 } 1019 debug2("channel %d: socks5 post auth", c->self); 1020 if (have < sizeof(s5_req)+1) 1021 return 0; /* need more */ 1022 memcpy((char *)&s5_req, p, sizeof(s5_req)); 1023 if (s5_req.version != 0x05 || 1024 s5_req.command != SSH_SOCKS5_CONNECT || 1025 s5_req.reserved != 0x00) { 1026 debug2("channel %d: only socks5 connect supported", c->self); 1027 return -1; 1028 } 1029 switch (s5_req.atyp){ 1030 case SSH_SOCKS5_IPV4: 1031 addrlen = 4; 1032 af = AF_INET; 1033 break; 1034 case SSH_SOCKS5_DOMAIN: 1035 addrlen = p[sizeof(s5_req)]; 1036 af = -1; 1037 break; 1038 case SSH_SOCKS5_IPV6: 1039 addrlen = 16; 1040 af = AF_INET6; 1041 break; 1042 default: 1043 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1044 return -1; 1045 } 1046 if (have < 4 + addrlen + 2) 1047 return 0; 1048 buffer_consume(&c->input, sizeof(s5_req)); 1049 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1050 buffer_consume(&c->input, 1); /* host string length */ 1051 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1052 buffer_get(&c->input, (char *)&dest_port, 2); 1053 dest_addr[addrlen] = '\0'; 1054 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1055 strlcpy(c->path, (char *)dest_addr, sizeof(c->path)); 1056 else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL) 1057 return -1; 1058 c->host_port = ntohs(dest_port); 1059 1060 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1061 c->self, c->path, c->host_port, s5_req.command); 1062 1063 s5_rsp.version = 0x05; 1064 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1065 s5_rsp.reserved = 0; /* ignored */ 1066 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1067 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; 1068 dest_port = 0; /* ignored */ 1069 1070 buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp)); 1071 buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr)); 1072 buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port)); 1073 return 1; 1074 } 1075 1076 /* dynamic port forwarding */ 1077 static void 1078 channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) 1079 { 1080 u_char *p; 1081 u_int have; 1082 int ret; 1083 1084 have = buffer_len(&c->input); 1085 c->delayed = 0; 1086 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1087 /* buffer_dump(&c->input); */ 1088 /* check if the fixed size part of the packet is in buffer. */ 1089 if (have < 3) { 1090 /* need more */ 1091 FD_SET(c->sock, readset); 1092 return; 1093 } 1094 /* try to guess the protocol */ 1095 p = buffer_ptr(&c->input); 1096 switch (p[0]) { 1097 case 0x04: 1098 ret = channel_decode_socks4(c, readset, writeset); 1099 break; 1100 case 0x05: 1101 ret = channel_decode_socks5(c, readset, writeset); 1102 break; 1103 default: 1104 ret = -1; 1105 break; 1106 } 1107 if (ret < 0) { 1108 chan_mark_dead(c); 1109 } else if (ret == 0) { 1110 debug2("channel %d: pre_dynamic: need more", c->self); 1111 /* need more */ 1112 FD_SET(c->sock, readset); 1113 } else { 1114 /* switch to the next state */ 1115 c->type = SSH_CHANNEL_OPENING; 1116 port_open_helper(c, "direct-tcpip"); 1117 } 1118 } 1119 1120 /* This is our fake X11 server socket. */ 1121 static void 1122 channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset) 1123 { 1124 Channel *nc; 1125 struct sockaddr addr; 1126 int newsock; 1127 socklen_t addrlen; 1128 char buf[16384], *remote_ipaddr; 1129 int remote_port; 1130 1131 if (FD_ISSET(c->sock, readset)) { 1132 debug("X11 connection requested."); 1133 addrlen = sizeof(addr); 1134 newsock = accept(c->sock, &addr, &addrlen); 1135 if (c->single_connection) { 1136 debug2("single_connection: closing X11 listener."); 1137 channel_close_fd(&c->sock); 1138 chan_mark_dead(c); 1139 } 1140 if (newsock < 0) { 1141 error("accept: %.100s", strerror(errno)); 1142 return; 1143 } 1144 set_nodelay(newsock); 1145 remote_ipaddr = get_peer_ipaddr(newsock); 1146 remote_port = get_peer_port(newsock); 1147 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1148 remote_ipaddr, remote_port); 1149 1150 nc = channel_new("accepted x11 socket", 1151 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1152 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1153 if (compat20) { 1154 packet_start(SSH2_MSG_CHANNEL_OPEN); 1155 packet_put_cstring("x11"); 1156 packet_put_int(nc->self); 1157 packet_put_int(nc->local_window_max); 1158 packet_put_int(nc->local_maxpacket); 1159 /* originator ipaddr and port */ 1160 packet_put_cstring(remote_ipaddr); 1161 if (datafellows & SSH_BUG_X11FWD) { 1162 debug2("ssh2 x11 bug compat mode"); 1163 } else { 1164 packet_put_int(remote_port); 1165 } 1166 packet_send(); 1167 } else { 1168 packet_start(SSH_SMSG_X11_OPEN); 1169 packet_put_int(nc->self); 1170 if (packet_get_protocol_flags() & 1171 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1172 packet_put_cstring(buf); 1173 packet_send(); 1174 } 1175 xfree(remote_ipaddr); 1176 } 1177 } 1178 1179 static void 1180 port_open_helper(Channel *c, char *rtype) 1181 { 1182 int direct; 1183 char buf[1024]; 1184 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1185 int remote_port = get_peer_port(c->sock); 1186 1187 direct = (strcmp(rtype, "direct-tcpip") == 0); 1188 1189 snprintf(buf, sizeof buf, 1190 "%s: listening port %d for %.100s port %d, " 1191 "connect from %.200s port %d", 1192 rtype, c->listening_port, c->path, c->host_port, 1193 remote_ipaddr, remote_port); 1194 1195 xfree(c->remote_name); 1196 c->remote_name = xstrdup(buf); 1197 1198 if (compat20) { 1199 packet_start(SSH2_MSG_CHANNEL_OPEN); 1200 packet_put_cstring(rtype); 1201 packet_put_int(c->self); 1202 packet_put_int(c->local_window_max); 1203 packet_put_int(c->local_maxpacket); 1204 if (direct) { 1205 /* target host, port */ 1206 packet_put_cstring(c->path); 1207 packet_put_int(c->host_port); 1208 } else { 1209 /* listen address, port */ 1210 packet_put_cstring(c->path); 1211 packet_put_int(c->listening_port); 1212 } 1213 /* originator host and port */ 1214 packet_put_cstring(remote_ipaddr); 1215 packet_put_int((u_int)remote_port); 1216 packet_send(); 1217 } else { 1218 packet_start(SSH_MSG_PORT_OPEN); 1219 packet_put_int(c->self); 1220 packet_put_cstring(c->path); 1221 packet_put_int(c->host_port); 1222 if (packet_get_protocol_flags() & 1223 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1224 packet_put_cstring(c->remote_name); 1225 packet_send(); 1226 } 1227 xfree(remote_ipaddr); 1228 } 1229 1230 /* 1231 * This socket is listening for connections to a forwarded TCP/IP port. 1232 */ 1233 static void 1234 channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) 1235 { 1236 Channel *nc; 1237 struct sockaddr addr; 1238 int newsock, nextstate; 1239 socklen_t addrlen; 1240 char *rtype; 1241 1242 if (FD_ISSET(c->sock, readset)) { 1243 debug("Connection to port %d forwarding " 1244 "to %.100s port %d requested.", 1245 c->listening_port, c->path, c->host_port); 1246 1247 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1248 nextstate = SSH_CHANNEL_OPENING; 1249 rtype = "forwarded-tcpip"; 1250 } else { 1251 if (c->host_port == 0) { 1252 nextstate = SSH_CHANNEL_DYNAMIC; 1253 rtype = "dynamic-tcpip"; 1254 } else { 1255 nextstate = SSH_CHANNEL_OPENING; 1256 rtype = "direct-tcpip"; 1257 } 1258 } 1259 1260 addrlen = sizeof(addr); 1261 newsock = accept(c->sock, &addr, &addrlen); 1262 if (newsock < 0) { 1263 error("accept: %.100s", strerror(errno)); 1264 return; 1265 } 1266 set_nodelay(newsock); 1267 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1268 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1269 nc->listening_port = c->listening_port; 1270 nc->host_port = c->host_port; 1271 strlcpy(nc->path, c->path, sizeof(nc->path)); 1272 1273 if (nextstate == SSH_CHANNEL_DYNAMIC) { 1274 /* 1275 * do not call the channel_post handler until 1276 * this flag has been reset by a pre-handler. 1277 * otherwise the FD_ISSET calls might overflow 1278 */ 1279 nc->delayed = 1; 1280 } else { 1281 port_open_helper(nc, rtype); 1282 } 1283 } 1284 } 1285 1286 /* 1287 * This is the authentication agent socket listening for connections from 1288 * clients. 1289 */ 1290 static void 1291 channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset) 1292 { 1293 Channel *nc; 1294 int newsock; 1295 struct sockaddr addr; 1296 socklen_t addrlen; 1297 1298 if (FD_ISSET(c->sock, readset)) { 1299 addrlen = sizeof(addr); 1300 newsock = accept(c->sock, &addr, &addrlen); 1301 if (newsock < 0) { 1302 error("accept from auth socket: %.100s", strerror(errno)); 1303 return; 1304 } 1305 nc = channel_new("accepted auth socket", 1306 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1307 c->local_window_max, c->local_maxpacket, 1308 0, "accepted auth socket", 1); 1309 if (compat20) { 1310 packet_start(SSH2_MSG_CHANNEL_OPEN); 1311 packet_put_cstring("auth-agent@openssh.com"); 1312 packet_put_int(nc->self); 1313 packet_put_int(c->local_window_max); 1314 packet_put_int(c->local_maxpacket); 1315 } else { 1316 packet_start(SSH_SMSG_AGENT_OPEN); 1317 packet_put_int(nc->self); 1318 } 1319 packet_send(); 1320 } 1321 } 1322 1323 static void 1324 channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset) 1325 { 1326 int err = 0; 1327 socklen_t sz = sizeof(err); 1328 1329 if (FD_ISSET(c->sock, writeset)) { 1330 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1331 err = errno; 1332 error("getsockopt SO_ERROR failed"); 1333 } 1334 if (err == 0) { 1335 debug("channel %d: connected", c->self); 1336 c->type = SSH_CHANNEL_OPEN; 1337 if (compat20) { 1338 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1339 packet_put_int(c->remote_id); 1340 packet_put_int(c->self); 1341 packet_put_int(c->local_window); 1342 packet_put_int(c->local_maxpacket); 1343 } else { 1344 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1345 packet_put_int(c->remote_id); 1346 packet_put_int(c->self); 1347 } 1348 } else { 1349 debug("channel %d: not connected: %s", 1350 c->self, strerror(err)); 1351 if (compat20) { 1352 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1353 packet_put_int(c->remote_id); 1354 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1355 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1356 packet_put_cstring(strerror(err)); 1357 packet_put_cstring(""); 1358 } 1359 } else { 1360 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1361 packet_put_int(c->remote_id); 1362 } 1363 chan_mark_dead(c); 1364 } 1365 packet_send(); 1366 } 1367 } 1368 1369 static int 1370 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) 1371 { 1372 char buf[CHAN_RBUF]; 1373 int len; 1374 1375 if (c->rfd != -1 && 1376 FD_ISSET(c->rfd, readset)) { 1377 len = read(c->rfd, buf, sizeof(buf)); 1378 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1379 return 1; 1380 if (len <= 0) { 1381 debug2("channel %d: read<=0 rfd %d len %d", 1382 c->self, c->rfd, len); 1383 if (c->type != SSH_CHANNEL_OPEN) { 1384 debug2("channel %d: not open", c->self); 1385 chan_mark_dead(c); 1386 return -1; 1387 } else if (compat13) { 1388 buffer_clear(&c->output); 1389 c->type = SSH_CHANNEL_INPUT_DRAINING; 1390 debug2("channel %d: input draining.", c->self); 1391 } else { 1392 chan_read_failed(c); 1393 } 1394 return -1; 1395 } 1396 if (c->input_filter != NULL) { 1397 if (c->input_filter(c, buf, len) == -1) { 1398 debug2("channel %d: filter stops", c->self); 1399 chan_read_failed(c); 1400 } 1401 } else { 1402 buffer_append(&c->input, buf, len); 1403 } 1404 } 1405 return 1; 1406 } 1407 static int 1408 channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) 1409 { 1410 struct termios tio; 1411 u_char *data; 1412 u_int dlen; 1413 int len; 1414 1415 /* Send buffered output data to the socket. */ 1416 if (c->wfd != -1 && 1417 FD_ISSET(c->wfd, writeset) && 1418 buffer_len(&c->output) > 0) { 1419 data = buffer_ptr(&c->output); 1420 dlen = buffer_len(&c->output); 1421 #ifdef _AIX 1422 /* XXX: Later AIX versions can't push as much data to tty */ 1423 if (compat20 && c->wfd_isatty) 1424 dlen = MIN(dlen, 8*1024); 1425 #endif 1426 len = write(c->wfd, data, dlen); 1427 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1428 return 1; 1429 if (len <= 0) { 1430 if (c->type != SSH_CHANNEL_OPEN) { 1431 debug2("channel %d: not open", c->self); 1432 chan_mark_dead(c); 1433 return -1; 1434 } else if (compat13) { 1435 buffer_clear(&c->output); 1436 debug2("channel %d: input draining.", c->self); 1437 c->type = SSH_CHANNEL_INPUT_DRAINING; 1438 } else { 1439 chan_write_failed(c); 1440 } 1441 return -1; 1442 } 1443 if (compat20 && c->isatty && dlen >= 1 && data[0] != '\r') { 1444 if (tcgetattr(c->wfd, &tio) == 0 && 1445 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1446 /* 1447 * Simulate echo to reduce the impact of 1448 * traffic analysis. We need to match the 1449 * size of a SSH2_MSG_CHANNEL_DATA message 1450 * (4 byte channel id + data) 1451 */ 1452 packet_send_ignore(4 + len); 1453 packet_send(); 1454 } 1455 } 1456 buffer_consume(&c->output, len); 1457 if (compat20 && len > 0) { 1458 c->local_consumed += len; 1459 } 1460 } 1461 return 1; 1462 } 1463 static int 1464 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) 1465 { 1466 char buf[CHAN_RBUF]; 1467 int len; 1468 1469 /** XXX handle drain efd, too */ 1470 if (c->efd != -1) { 1471 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1472 FD_ISSET(c->efd, writeset) && 1473 buffer_len(&c->extended) > 0) { 1474 len = write(c->efd, buffer_ptr(&c->extended), 1475 buffer_len(&c->extended)); 1476 debug2("channel %d: written %d to efd %d", 1477 c->self, len, c->efd); 1478 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1479 return 1; 1480 if (len <= 0) { 1481 debug2("channel %d: closing write-efd %d", 1482 c->self, c->efd); 1483 channel_close_fd(&c->efd); 1484 } else { 1485 buffer_consume(&c->extended, len); 1486 c->local_consumed += len; 1487 } 1488 } else if (c->extended_usage == CHAN_EXTENDED_READ && 1489 FD_ISSET(c->efd, readset)) { 1490 len = read(c->efd, buf, sizeof(buf)); 1491 debug2("channel %d: read %d from efd %d", 1492 c->self, len, c->efd); 1493 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1494 return 1; 1495 if (len <= 0) { 1496 debug2("channel %d: closing read-efd %d", 1497 c->self, c->efd); 1498 channel_close_fd(&c->efd); 1499 } else { 1500 buffer_append(&c->extended, buf, len); 1501 } 1502 } 1503 } 1504 return 1; 1505 } 1506 static int 1507 channel_handle_ctl(Channel *c, fd_set * readset, fd_set * writeset) 1508 { 1509 char buf[16]; 1510 int len; 1511 1512 /* Monitor control fd to detect if the slave client exits */ 1513 if (c->ctl_fd != -1 && FD_ISSET(c->ctl_fd, readset)) { 1514 len = read(c->ctl_fd, buf, sizeof(buf)); 1515 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1516 return 1; 1517 if (len <= 0) { 1518 debug2("channel %d: ctl read<=0", c->self); 1519 if (c->type != SSH_CHANNEL_OPEN) { 1520 debug2("channel %d: not open", c->self); 1521 chan_mark_dead(c); 1522 return -1; 1523 } else { 1524 chan_read_failed(c); 1525 chan_write_failed(c); 1526 } 1527 return -1; 1528 } else 1529 fatal("%s: unexpected data on ctl fd", __func__); 1530 } 1531 return 1; 1532 } 1533 static int 1534 channel_check_window(Channel *c) 1535 { 1536 if (c->type == SSH_CHANNEL_OPEN && 1537 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1538 c->local_window < c->local_window_max/2 && 1539 c->local_consumed > 0) { 1540 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1541 packet_put_int(c->remote_id); 1542 packet_put_int(c->local_consumed); 1543 packet_send(); 1544 debug2("channel %d: window %d sent adjust %d", 1545 c->self, c->local_window, 1546 c->local_consumed); 1547 c->local_window += c->local_consumed; 1548 c->local_consumed = 0; 1549 } 1550 return 1; 1551 } 1552 1553 static void 1554 channel_post_open(Channel *c, fd_set * readset, fd_set * writeset) 1555 { 1556 if (c->delayed) 1557 return; 1558 channel_handle_rfd(c, readset, writeset); 1559 channel_handle_wfd(c, readset, writeset); 1560 if (!compat20) 1561 return; 1562 channel_handle_efd(c, readset, writeset); 1563 channel_handle_ctl(c, readset, writeset); 1564 channel_check_window(c); 1565 } 1566 1567 static void 1568 channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset) 1569 { 1570 int len; 1571 1572 /* Send buffered output data to the socket. */ 1573 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1574 len = write(c->sock, buffer_ptr(&c->output), 1575 buffer_len(&c->output)); 1576 if (len <= 0) 1577 buffer_clear(&c->output); 1578 else 1579 buffer_consume(&c->output, len); 1580 } 1581 } 1582 1583 static void 1584 channel_handler_init_20(void) 1585 { 1586 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1587 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1588 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1589 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1590 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1591 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1592 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1593 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1594 1595 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1596 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1597 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1598 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1599 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1600 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1601 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1602 } 1603 1604 static void 1605 channel_handler_init_13(void) 1606 { 1607 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1608 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1609 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1610 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1611 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1612 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1613 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1614 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1615 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1616 1617 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1618 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1619 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1620 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1621 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 1622 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1623 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1624 } 1625 1626 static void 1627 channel_handler_init_15(void) 1628 { 1629 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1630 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1631 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1632 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1633 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1634 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1635 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1636 1637 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1638 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1639 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1640 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1641 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1642 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1643 } 1644 1645 static void 1646 channel_handler_init(void) 1647 { 1648 int i; 1649 1650 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 1651 channel_pre[i] = NULL; 1652 channel_post[i] = NULL; 1653 } 1654 if (compat20) 1655 channel_handler_init_20(); 1656 else if (compat13) 1657 channel_handler_init_13(); 1658 else 1659 channel_handler_init_15(); 1660 } 1661 1662 /* gc dead channels */ 1663 static void 1664 channel_garbage_collect(Channel *c) 1665 { 1666 if (c == NULL) 1667 return; 1668 if (c->detach_user != NULL) { 1669 if (!chan_is_dead(c, 0)) 1670 return; 1671 debug2("channel %d: gc: notify user", c->self); 1672 c->detach_user(c->self, NULL); 1673 /* if we still have a callback */ 1674 if (c->detach_user != NULL) 1675 return; 1676 debug2("channel %d: gc: user detached", c->self); 1677 } 1678 if (!chan_is_dead(c, 1)) 1679 return; 1680 debug2("channel %d: garbage collecting", c->self); 1681 channel_free(c); 1682 } 1683 1684 static void 1685 channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) 1686 { 1687 static int did_init = 0; 1688 u_int i; 1689 Channel *c; 1690 1691 if (!did_init) { 1692 channel_handler_init(); 1693 did_init = 1; 1694 } 1695 for (i = 0; i < channels_alloc; i++) { 1696 c = channels[i]; 1697 if (c == NULL) 1698 continue; 1699 if (ftab[c->type] != NULL) 1700 (*ftab[c->type])(c, readset, writeset); 1701 channel_garbage_collect(c); 1702 } 1703 } 1704 1705 /* 1706 * Allocate/update select bitmasks and add any bits relevant to channels in 1707 * select bitmasks. 1708 */ 1709 void 1710 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 1711 u_int *nallocp, int rekeying) 1712 { 1713 u_int n, sz; 1714 1715 n = MAX(*maxfdp, channel_max_fd); 1716 1717 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); 1718 /* perhaps check sz < nalloc/2 and shrink? */ 1719 if (*readsetp == NULL || sz > *nallocp) { 1720 *readsetp = xrealloc(*readsetp, sz); 1721 *writesetp = xrealloc(*writesetp, sz); 1722 *nallocp = sz; 1723 } 1724 *maxfdp = n; 1725 memset(*readsetp, 0, sz); 1726 memset(*writesetp, 0, sz); 1727 1728 if (!rekeying) 1729 channel_handler(channel_pre, *readsetp, *writesetp); 1730 } 1731 1732 /* 1733 * After select, perform any appropriate operations for channels which have 1734 * events pending. 1735 */ 1736 void 1737 channel_after_select(fd_set * readset, fd_set * writeset) 1738 { 1739 channel_handler(channel_post, readset, writeset); 1740 } 1741 1742 1743 /* If there is data to send to the connection, enqueue some of it now. */ 1744 1745 void 1746 channel_output_poll(void) 1747 { 1748 Channel *c; 1749 u_int i, len; 1750 1751 for (i = 0; i < channels_alloc; i++) { 1752 c = channels[i]; 1753 if (c == NULL) 1754 continue; 1755 1756 /* 1757 * We are only interested in channels that can have buffered 1758 * incoming data. 1759 */ 1760 if (compat13) { 1761 if (c->type != SSH_CHANNEL_OPEN && 1762 c->type != SSH_CHANNEL_INPUT_DRAINING) 1763 continue; 1764 } else { 1765 if (c->type != SSH_CHANNEL_OPEN) 1766 continue; 1767 } 1768 if (compat20 && 1769 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 1770 /* XXX is this true? */ 1771 debug3("channel %d: will not send data after close", c->self); 1772 continue; 1773 } 1774 1775 /* Get the amount of buffered data for this channel. */ 1776 if ((c->istate == CHAN_INPUT_OPEN || 1777 c->istate == CHAN_INPUT_WAIT_DRAIN) && 1778 (len = buffer_len(&c->input)) > 0) { 1779 /* 1780 * Send some data for the other side over the secure 1781 * connection. 1782 */ 1783 if (compat20) { 1784 if (len > c->remote_window) 1785 len = c->remote_window; 1786 if (len > c->remote_maxpacket) 1787 len = c->remote_maxpacket; 1788 } else { 1789 if (packet_is_interactive()) { 1790 if (len > 1024) 1791 len = 512; 1792 } else { 1793 /* Keep the packets at reasonable size. */ 1794 if (len > packet_get_maxsize()/2) 1795 len = packet_get_maxsize()/2; 1796 } 1797 } 1798 if (len > 0) { 1799 packet_start(compat20 ? 1800 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 1801 packet_put_int(c->remote_id); 1802 packet_put_string(buffer_ptr(&c->input), len); 1803 packet_send(); 1804 buffer_consume(&c->input, len); 1805 c->remote_window -= len; 1806 } 1807 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1808 if (compat13) 1809 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 1810 /* 1811 * input-buffer is empty and read-socket shutdown: 1812 * tell peer, that we will not send more data: send IEOF. 1813 * hack for extended data: delay EOF if EFD still in use. 1814 */ 1815 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 1816 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 1817 c->self, c->efd, buffer_len(&c->extended)); 1818 else 1819 chan_ibuf_empty(c); 1820 } 1821 /* Send extended data, i.e. stderr */ 1822 if (compat20 && 1823 !(c->flags & CHAN_EOF_SENT) && 1824 c->remote_window > 0 && 1825 (len = buffer_len(&c->extended)) > 0 && 1826 c->extended_usage == CHAN_EXTENDED_READ) { 1827 debug2("channel %d: rwin %u elen %u euse %d", 1828 c->self, c->remote_window, buffer_len(&c->extended), 1829 c->extended_usage); 1830 if (len > c->remote_window) 1831 len = c->remote_window; 1832 if (len > c->remote_maxpacket) 1833 len = c->remote_maxpacket; 1834 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 1835 packet_put_int(c->remote_id); 1836 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 1837 packet_put_string(buffer_ptr(&c->extended), len); 1838 packet_send(); 1839 buffer_consume(&c->extended, len); 1840 c->remote_window -= len; 1841 debug2("channel %d: sent ext data %d", c->self, len); 1842 } 1843 } 1844 } 1845 1846 1847 /* -- protocol input */ 1848 1849 void 1850 channel_input_data(int type, u_int32_t seq, void *ctxt) 1851 { 1852 int id; 1853 char *data; 1854 u_int data_len; 1855 Channel *c; 1856 1857 /* Get the channel number and verify it. */ 1858 id = packet_get_int(); 1859 c = channel_lookup(id); 1860 if (c == NULL) 1861 packet_disconnect("Received data for nonexistent channel %d.", id); 1862 1863 /* Ignore any data for non-open channels (might happen on close) */ 1864 if (c->type != SSH_CHANNEL_OPEN && 1865 c->type != SSH_CHANNEL_X11_OPEN) 1866 return; 1867 1868 /* Get the data. */ 1869 data = packet_get_string(&data_len); 1870 1871 /* 1872 * Ignore data for protocol > 1.3 if output end is no longer open. 1873 * For protocol 2 the sending side is reducing its window as it sends 1874 * data, so we must 'fake' consumption of the data in order to ensure 1875 * that window updates are sent back. Otherwise the connection might 1876 * deadlock. 1877 */ 1878 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 1879 if (compat20) { 1880 c->local_window -= data_len; 1881 c->local_consumed += data_len; 1882 } 1883 xfree(data); 1884 return; 1885 } 1886 1887 if (compat20) { 1888 if (data_len > c->local_maxpacket) { 1889 logit("channel %d: rcvd big packet %d, maxpack %d", 1890 c->self, data_len, c->local_maxpacket); 1891 } 1892 if (data_len > c->local_window) { 1893 logit("channel %d: rcvd too much data %d, win %d", 1894 c->self, data_len, c->local_window); 1895 xfree(data); 1896 return; 1897 } 1898 c->local_window -= data_len; 1899 } 1900 packet_check_eom(); 1901 buffer_append(&c->output, data, data_len); 1902 xfree(data); 1903 } 1904 1905 void 1906 channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 1907 { 1908 int id; 1909 char *data; 1910 u_int data_len, tcode; 1911 Channel *c; 1912 1913 /* Get the channel number and verify it. */ 1914 id = packet_get_int(); 1915 c = channel_lookup(id); 1916 1917 if (c == NULL) 1918 packet_disconnect("Received extended_data for bad channel %d.", id); 1919 if (c->type != SSH_CHANNEL_OPEN) { 1920 logit("channel %d: ext data for non open", id); 1921 return; 1922 } 1923 if (c->flags & CHAN_EOF_RCVD) { 1924 if (datafellows & SSH_BUG_EXTEOF) 1925 debug("channel %d: accepting ext data after eof", id); 1926 else 1927 packet_disconnect("Received extended_data after EOF " 1928 "on channel %d.", id); 1929 } 1930 tcode = packet_get_int(); 1931 if (c->efd == -1 || 1932 c->extended_usage != CHAN_EXTENDED_WRITE || 1933 tcode != SSH2_EXTENDED_DATA_STDERR) { 1934 logit("channel %d: bad ext data", c->self); 1935 return; 1936 } 1937 data = packet_get_string(&data_len); 1938 packet_check_eom(); 1939 if (data_len > c->local_window) { 1940 logit("channel %d: rcvd too much extended_data %d, win %d", 1941 c->self, data_len, c->local_window); 1942 xfree(data); 1943 return; 1944 } 1945 debug2("channel %d: rcvd ext data %d", c->self, data_len); 1946 c->local_window -= data_len; 1947 buffer_append(&c->extended, data, data_len); 1948 xfree(data); 1949 } 1950 1951 void 1952 channel_input_ieof(int type, u_int32_t seq, void *ctxt) 1953 { 1954 int id; 1955 Channel *c; 1956 1957 id = packet_get_int(); 1958 packet_check_eom(); 1959 c = channel_lookup(id); 1960 if (c == NULL) 1961 packet_disconnect("Received ieof for nonexistent channel %d.", id); 1962 chan_rcvd_ieof(c); 1963 1964 /* XXX force input close */ 1965 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 1966 debug("channel %d: FORCE input drain", c->self); 1967 c->istate = CHAN_INPUT_WAIT_DRAIN; 1968 if (buffer_len(&c->input) == 0) 1969 chan_ibuf_empty(c); 1970 } 1971 1972 } 1973 1974 void 1975 channel_input_close(int type, u_int32_t seq, void *ctxt) 1976 { 1977 int id; 1978 Channel *c; 1979 1980 id = packet_get_int(); 1981 packet_check_eom(); 1982 c = channel_lookup(id); 1983 if (c == NULL) 1984 packet_disconnect("Received close for nonexistent channel %d.", id); 1985 1986 /* 1987 * Send a confirmation that we have closed the channel and no more 1988 * data is coming for it. 1989 */ 1990 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 1991 packet_put_int(c->remote_id); 1992 packet_send(); 1993 1994 /* 1995 * If the channel is in closed state, we have sent a close request, 1996 * and the other side will eventually respond with a confirmation. 1997 * Thus, we cannot free the channel here, because then there would be 1998 * no-one to receive the confirmation. The channel gets freed when 1999 * the confirmation arrives. 2000 */ 2001 if (c->type != SSH_CHANNEL_CLOSED) { 2002 /* 2003 * Not a closed channel - mark it as draining, which will 2004 * cause it to be freed later. 2005 */ 2006 buffer_clear(&c->input); 2007 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2008 } 2009 } 2010 2011 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2012 void 2013 channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2014 { 2015 int id = packet_get_int(); 2016 Channel *c = channel_lookup(id); 2017 2018 packet_check_eom(); 2019 if (c == NULL) 2020 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2021 chan_rcvd_oclose(c); 2022 } 2023 2024 void 2025 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2026 { 2027 int id = packet_get_int(); 2028 Channel *c = channel_lookup(id); 2029 2030 packet_check_eom(); 2031 if (c == NULL) 2032 packet_disconnect("Received close confirmation for " 2033 "out-of-range channel %d.", id); 2034 if (c->type != SSH_CHANNEL_CLOSED) 2035 packet_disconnect("Received close confirmation for " 2036 "non-closed channel %d (type %d).", id, c->type); 2037 channel_free(c); 2038 } 2039 2040 void 2041 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2042 { 2043 int id, remote_id; 2044 Channel *c; 2045 2046 id = packet_get_int(); 2047 c = channel_lookup(id); 2048 2049 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2050 packet_disconnect("Received open confirmation for " 2051 "non-opening channel %d.", id); 2052 remote_id = packet_get_int(); 2053 /* Record the remote channel number and mark that the channel is now open. */ 2054 c->remote_id = remote_id; 2055 c->type = SSH_CHANNEL_OPEN; 2056 2057 if (compat20) { 2058 c->remote_window = packet_get_int(); 2059 c->remote_maxpacket = packet_get_int(); 2060 if (c->confirm) { 2061 debug2("callback start"); 2062 c->confirm(c->self, c->confirm_ctx); 2063 debug2("callback done"); 2064 } 2065 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2066 c->remote_window, c->remote_maxpacket); 2067 } 2068 packet_check_eom(); 2069 } 2070 2071 static char * 2072 reason2txt(int reason) 2073 { 2074 switch (reason) { 2075 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2076 return "administratively prohibited"; 2077 case SSH2_OPEN_CONNECT_FAILED: 2078 return "connect failed"; 2079 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2080 return "unknown channel type"; 2081 case SSH2_OPEN_RESOURCE_SHORTAGE: 2082 return "resource shortage"; 2083 } 2084 return "unknown reason"; 2085 } 2086 2087 void 2088 channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2089 { 2090 int id, reason; 2091 char *msg = NULL, *lang = NULL; 2092 Channel *c; 2093 2094 id = packet_get_int(); 2095 c = channel_lookup(id); 2096 2097 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2098 packet_disconnect("Received open failure for " 2099 "non-opening channel %d.", id); 2100 if (compat20) { 2101 reason = packet_get_int(); 2102 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2103 msg = packet_get_string(NULL); 2104 lang = packet_get_string(NULL); 2105 } 2106 logit("channel %d: open failed: %s%s%s", id, 2107 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2108 if (msg != NULL) 2109 xfree(msg); 2110 if (lang != NULL) 2111 xfree(lang); 2112 } 2113 packet_check_eom(); 2114 /* Free the channel. This will also close the socket. */ 2115 channel_free(c); 2116 } 2117 2118 void 2119 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2120 { 2121 Channel *c; 2122 int id; 2123 u_int adjust; 2124 2125 if (!compat20) 2126 return; 2127 2128 /* Get the channel number and verify it. */ 2129 id = packet_get_int(); 2130 c = channel_lookup(id); 2131 2132 if (c == NULL || c->type != SSH_CHANNEL_OPEN) { 2133 logit("Received window adjust for " 2134 "non-open channel %d.", id); 2135 return; 2136 } 2137 adjust = packet_get_int(); 2138 packet_check_eom(); 2139 debug2("channel %d: rcvd adjust %u", id, adjust); 2140 c->remote_window += adjust; 2141 } 2142 2143 void 2144 channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2145 { 2146 Channel *c = NULL; 2147 u_short host_port; 2148 char *host, *originator_string; 2149 int remote_id, sock = -1; 2150 2151 remote_id = packet_get_int(); 2152 host = packet_get_string(NULL); 2153 host_port = packet_get_int(); 2154 2155 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2156 originator_string = packet_get_string(NULL); 2157 } else { 2158 originator_string = xstrdup("unknown (remote did not supply name)"); 2159 } 2160 packet_check_eom(); 2161 sock = channel_connect_to(host, host_port); 2162 if (sock != -1) { 2163 c = channel_new("connected socket", 2164 SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, 2165 originator_string, 1); 2166 c->remote_id = remote_id; 2167 } 2168 xfree(originator_string); 2169 if (c == NULL) { 2170 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2171 packet_put_int(remote_id); 2172 packet_send(); 2173 } 2174 xfree(host); 2175 } 2176 2177 2178 /* -- tcp forwarding */ 2179 2180 void 2181 channel_set_af(int af) 2182 { 2183 IPv4or6 = af; 2184 } 2185 2186 static int 2187 channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_port, 2188 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2189 { 2190 Channel *c; 2191 int sock, r, success = 0, on = 1, wildcard = 0, is_client; 2192 struct addrinfo hints, *ai, *aitop; 2193 const char *host, *addr; 2194 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2195 2196 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2197 listen_addr : host_to_connect; 2198 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2199 2200 if (host == NULL) { 2201 error("No forward host name."); 2202 return 0; 2203 } 2204 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) { 2205 error("Forward host name too long."); 2206 return 0; 2207 } 2208 2209 /* 2210 * Determine whether or not a port forward listens to loopback, 2211 * specified address or wildcard. On the client, a specified bind 2212 * address will always override gateway_ports. On the server, a 2213 * gateway_ports of 1 (``yes'') will override the client's 2214 * specification and force a wildcard bind, whereas a value of 2 2215 * (``clientspecified'') will bind to whatever address the client 2216 * asked for. 2217 * 2218 * Special-case listen_addrs are: 2219 * 2220 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2221 * "" (empty string), "*" -> wildcard v4/v6 2222 * "localhost" -> loopback v4/v6 2223 */ 2224 addr = NULL; 2225 if (listen_addr == NULL) { 2226 /* No address specified: default to gateway_ports setting */ 2227 if (gateway_ports) 2228 wildcard = 1; 2229 } else if (gateway_ports || is_client) { 2230 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2231 strcmp(listen_addr, "0.0.0.0") == 0) || 2232 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2233 (!is_client && gateway_ports == 1)) 2234 wildcard = 1; 2235 else if (strcmp(listen_addr, "localhost") != 0) 2236 addr = listen_addr; 2237 } 2238 2239 debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s", 2240 type, wildcard, (addr == NULL) ? "NULL" : addr); 2241 2242 /* 2243 * getaddrinfo returns a loopback address if the hostname is 2244 * set to NULL and hints.ai_flags is not AI_PASSIVE 2245 */ 2246 memset(&hints, 0, sizeof(hints)); 2247 hints.ai_family = IPv4or6; 2248 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2249 hints.ai_socktype = SOCK_STREAM; 2250 snprintf(strport, sizeof strport, "%d", listen_port); 2251 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2252 if (addr == NULL) { 2253 /* This really shouldn't happen */ 2254 packet_disconnect("getaddrinfo: fatal error: %s", 2255 gai_strerror(r)); 2256 } else { 2257 error("channel_setup_fwd_listener: " 2258 "getaddrinfo(%.64s): %s", addr, gai_strerror(r)); 2259 } 2260 return 0; 2261 } 2262 2263 for (ai = aitop; ai; ai = ai->ai_next) { 2264 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2265 continue; 2266 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2267 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2268 error("channel_setup_fwd_listener: getnameinfo failed"); 2269 continue; 2270 } 2271 /* Create a port to listen for the host. */ 2272 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2273 if (sock < 0) { 2274 /* this is no error since kernel may not support ipv6 */ 2275 verbose("socket: %.100s", strerror(errno)); 2276 continue; 2277 } 2278 /* 2279 * Set socket options. 2280 * Allow local port reuse in TIME_WAIT. 2281 */ 2282 if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, 2283 sizeof(on)) == -1) 2284 error("setsockopt SO_REUSEADDR: %s", strerror(errno)); 2285 2286 debug("Local forwarding listening on %s port %s.", ntop, strport); 2287 2288 /* Bind the socket to the address. */ 2289 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2290 /* address can be in use ipv6 address is already bound */ 2291 if (!ai->ai_next) 2292 error("bind: %.100s", strerror(errno)); 2293 else 2294 verbose("bind: %.100s", strerror(errno)); 2295 2296 close(sock); 2297 continue; 2298 } 2299 /* Start listening for connections on the socket. */ 2300 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2301 error("listen: %.100s", strerror(errno)); 2302 close(sock); 2303 continue; 2304 } 2305 /* Allocate a channel number for the socket. */ 2306 c = channel_new("port listener", type, sock, sock, -1, 2307 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2308 0, "port listener", 1); 2309 strlcpy(c->path, host, sizeof(c->path)); 2310 c->host_port = port_to_connect; 2311 c->listening_port = listen_port; 2312 success = 1; 2313 } 2314 if (success == 0) 2315 error("channel_setup_fwd_listener: cannot listen to port: %d", 2316 listen_port); 2317 freeaddrinfo(aitop); 2318 return success; 2319 } 2320 2321 int 2322 channel_cancel_rport_listener(const char *host, u_short port) 2323 { 2324 u_int i; 2325 int found = 0; 2326 2327 for (i = 0; i < channels_alloc; i++) { 2328 Channel *c = channels[i]; 2329 2330 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER && 2331 strncmp(c->path, host, sizeof(c->path)) == 0 && 2332 c->listening_port == port) { 2333 debug2("%s: close channel %d", __func__, i); 2334 channel_free(c); 2335 found = 1; 2336 } 2337 } 2338 2339 return (found); 2340 } 2341 2342 /* protocol local port fwd, used by ssh (and sshd in v1) */ 2343 int 2344 channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, 2345 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2346 { 2347 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2348 listen_host, listen_port, host_to_connect, port_to_connect, 2349 gateway_ports); 2350 } 2351 2352 /* protocol v2 remote port fwd, used by sshd */ 2353 int 2354 channel_setup_remote_fwd_listener(const char *listen_address, 2355 u_short listen_port, int gateway_ports) 2356 { 2357 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2358 listen_address, listen_port, NULL, 0, gateway_ports); 2359 } 2360 2361 /* 2362 * Initiate forwarding of connections to port "port" on remote host through 2363 * the secure channel to host:port from local side. 2364 */ 2365 2366 void 2367 channel_request_remote_forwarding(const char *listen_host, u_short listen_port, 2368 const char *host_to_connect, u_short port_to_connect) 2369 { 2370 int type, success = 0; 2371 2372 /* Record locally that connection to this host/port is permitted. */ 2373 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2374 fatal("channel_request_remote_forwarding: too many forwards"); 2375 2376 /* Send the forward request to the remote side. */ 2377 if (compat20) { 2378 const char *address_to_bind; 2379 if (listen_host == NULL) 2380 address_to_bind = "localhost"; 2381 else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) 2382 address_to_bind = ""; 2383 else 2384 address_to_bind = listen_host; 2385 2386 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2387 packet_put_cstring("tcpip-forward"); 2388 packet_put_char(1); /* boolean: want reply */ 2389 packet_put_cstring(address_to_bind); 2390 packet_put_int(listen_port); 2391 packet_send(); 2392 packet_write_wait(); 2393 /* Assume that server accepts the request */ 2394 success = 1; 2395 } else { 2396 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2397 packet_put_int(listen_port); 2398 packet_put_cstring(host_to_connect); 2399 packet_put_int(port_to_connect); 2400 packet_send(); 2401 packet_write_wait(); 2402 2403 /* Wait for response from the remote side. */ 2404 type = packet_read(); 2405 switch (type) { 2406 case SSH_SMSG_SUCCESS: 2407 success = 1; 2408 break; 2409 case SSH_SMSG_FAILURE: 2410 logit("Warning: Server denied remote port forwarding."); 2411 break; 2412 default: 2413 /* Unknown packet */ 2414 packet_disconnect("Protocol error for port forward request:" 2415 "received packet type %d.", type); 2416 } 2417 } 2418 if (success) { 2419 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2420 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2421 permitted_opens[num_permitted_opens].listen_port = listen_port; 2422 num_permitted_opens++; 2423 } 2424 } 2425 2426 /* 2427 * Request cancellation of remote forwarding of connection host:port from 2428 * local side. 2429 */ 2430 void 2431 channel_request_rforward_cancel(const char *host, u_short port) 2432 { 2433 int i; 2434 2435 if (!compat20) 2436 return; 2437 2438 for (i = 0; i < num_permitted_opens; i++) { 2439 if (permitted_opens[i].host_to_connect != NULL && 2440 permitted_opens[i].listen_port == port) 2441 break; 2442 } 2443 if (i >= num_permitted_opens) { 2444 debug("%s: requested forward not found", __func__); 2445 return; 2446 } 2447 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2448 packet_put_cstring("cancel-tcpip-forward"); 2449 packet_put_char(0); 2450 packet_put_cstring(host == NULL ? "" : host); 2451 packet_put_int(port); 2452 packet_send(); 2453 2454 permitted_opens[i].listen_port = 0; 2455 permitted_opens[i].port_to_connect = 0; 2456 free(permitted_opens[i].host_to_connect); 2457 permitted_opens[i].host_to_connect = NULL; 2458 } 2459 2460 /* 2461 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2462 * listening for the port, and sends back a success reply (or disconnect 2463 * message if there was an error). This never returns if there was an error. 2464 */ 2465 2466 void 2467 channel_input_port_forward_request(int is_root, int gateway_ports) 2468 { 2469 u_short port, host_port; 2470 char *hostname; 2471 2472 /* Get arguments from the packet. */ 2473 port = packet_get_int(); 2474 hostname = packet_get_string(NULL); 2475 host_port = packet_get_int(); 2476 2477 #ifndef HAVE_CYGWIN 2478 /* 2479 * Check that an unprivileged user is not trying to forward a 2480 * privileged port. 2481 */ 2482 if (port < IPPORT_RESERVED && !is_root) 2483 packet_disconnect( 2484 "Requested forwarding of port %d but user is not root.", 2485 port); 2486 if (host_port == 0) 2487 packet_disconnect("Dynamic forwarding denied."); 2488 #endif 2489 2490 /* Initiate forwarding */ 2491 channel_setup_local_fwd_listener(NULL, port, hostname, 2492 host_port, gateway_ports); 2493 2494 /* Free the argument string. */ 2495 xfree(hostname); 2496 } 2497 2498 /* 2499 * Permits opening to any host/port if permitted_opens[] is empty. This is 2500 * usually called by the server, because the user could connect to any port 2501 * anyway, and the server has no way to know but to trust the client anyway. 2502 */ 2503 void 2504 channel_permit_all_opens(void) 2505 { 2506 if (num_permitted_opens == 0) 2507 all_opens_permitted = 1; 2508 } 2509 2510 void 2511 channel_add_permitted_opens(char *host, int port) 2512 { 2513 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2514 fatal("channel_request_remote_forwarding: too many forwards"); 2515 debug("allow port forwarding to host %s port %d", host, port); 2516 2517 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 2518 permitted_opens[num_permitted_opens].port_to_connect = port; 2519 num_permitted_opens++; 2520 2521 all_opens_permitted = 0; 2522 } 2523 2524 void 2525 channel_clear_permitted_opens(void) 2526 { 2527 int i; 2528 2529 for (i = 0; i < num_permitted_opens; i++) 2530 if (permitted_opens[i].host_to_connect != NULL) 2531 xfree(permitted_opens[i].host_to_connect); 2532 num_permitted_opens = 0; 2533 2534 } 2535 2536 2537 /* return socket to remote host, port */ 2538 static int 2539 connect_to(const char *host, u_short port) 2540 { 2541 struct addrinfo hints, *ai, *aitop; 2542 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2543 int gaierr; 2544 int sock = -1; 2545 2546 memset(&hints, 0, sizeof(hints)); 2547 hints.ai_family = IPv4or6; 2548 hints.ai_socktype = SOCK_STREAM; 2549 snprintf(strport, sizeof strport, "%d", port); 2550 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { 2551 error("connect_to %.100s: unknown host (%s)", host, 2552 gai_strerror(gaierr)); 2553 return -1; 2554 } 2555 for (ai = aitop; ai; ai = ai->ai_next) { 2556 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2557 continue; 2558 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2559 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2560 error("connect_to: getnameinfo failed"); 2561 continue; 2562 } 2563 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2564 if (sock < 0) { 2565 if (ai->ai_next == NULL) 2566 error("socket: %.100s", strerror(errno)); 2567 else 2568 verbose("socket: %.100s", strerror(errno)); 2569 continue; 2570 } 2571 if (set_nonblock(sock) == -1) 2572 fatal("%s: set_nonblock(%d)", __func__, sock); 2573 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && 2574 errno != EINPROGRESS) { 2575 error("connect_to %.100s port %s: %.100s", ntop, strport, 2576 strerror(errno)); 2577 close(sock); 2578 continue; /* fail -- try next */ 2579 } 2580 break; /* success */ 2581 2582 } 2583 freeaddrinfo(aitop); 2584 if (!ai) { 2585 error("connect_to %.100s port %d: failed.", host, port); 2586 return -1; 2587 } 2588 /* success */ 2589 set_nodelay(sock); 2590 return sock; 2591 } 2592 2593 int 2594 channel_connect_by_listen_address(u_short listen_port) 2595 { 2596 int i; 2597 2598 for (i = 0; i < num_permitted_opens; i++) 2599 if (permitted_opens[i].host_to_connect != NULL && 2600 permitted_opens[i].listen_port == listen_port) 2601 return connect_to( 2602 permitted_opens[i].host_to_connect, 2603 permitted_opens[i].port_to_connect); 2604 error("WARNING: Server requests forwarding for unknown listen_port %d", 2605 listen_port); 2606 return -1; 2607 } 2608 2609 /* Check if connecting to that port is permitted and connect. */ 2610 int 2611 channel_connect_to(const char *host, u_short port) 2612 { 2613 int i, permit; 2614 2615 permit = all_opens_permitted; 2616 if (!permit) { 2617 for (i = 0; i < num_permitted_opens; i++) 2618 if (permitted_opens[i].host_to_connect != NULL && 2619 permitted_opens[i].port_to_connect == port && 2620 strcmp(permitted_opens[i].host_to_connect, host) == 0) 2621 permit = 1; 2622 2623 } 2624 if (!permit) { 2625 logit("Received request to connect to host %.100s port %d, " 2626 "but the request was denied.", host, port); 2627 return -1; 2628 } 2629 return connect_to(host, port); 2630 } 2631 2632 void 2633 channel_send_window_changes(void) 2634 { 2635 u_int i; 2636 struct winsize ws; 2637 2638 for (i = 0; i < channels_alloc; i++) { 2639 if (channels[i] == NULL || !channels[i]->client_tty || 2640 channels[i]->type != SSH_CHANNEL_OPEN) 2641 continue; 2642 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 2643 continue; 2644 channel_request_start(i, "window-change", 0); 2645 packet_put_int(ws.ws_col); 2646 packet_put_int(ws.ws_row); 2647 packet_put_int(ws.ws_xpixel); 2648 packet_put_int(ws.ws_ypixel); 2649 packet_send(); 2650 } 2651 } 2652 2653 /* -- X11 forwarding */ 2654 2655 /* 2656 * Creates an internet domain socket for listening for X11 connections. 2657 * Returns 0 and a suitable display number for the DISPLAY variable 2658 * stored in display_numberp , or -1 if an error occurs. 2659 */ 2660 int 2661 x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 2662 int single_connection, u_int *display_numberp, int **chanids) 2663 { 2664 Channel *nc = NULL; 2665 int display_number, sock; 2666 u_short port; 2667 struct addrinfo hints, *ai, *aitop; 2668 char strport[NI_MAXSERV]; 2669 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 2670 2671 for (display_number = x11_display_offset; 2672 display_number < MAX_DISPLAYS; 2673 display_number++) { 2674 port = 6000 + display_number; 2675 memset(&hints, 0, sizeof(hints)); 2676 hints.ai_family = IPv4or6; 2677 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 2678 hints.ai_socktype = SOCK_STREAM; 2679 snprintf(strport, sizeof strport, "%d", port); 2680 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 2681 error("getaddrinfo: %.100s", gai_strerror(gaierr)); 2682 return -1; 2683 } 2684 for (ai = aitop; ai; ai = ai->ai_next) { 2685 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2686 continue; 2687 sock = socket(ai->ai_family, ai->ai_socktype, 2688 ai->ai_protocol); 2689 if (sock < 0) { 2690 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { 2691 error("socket: %.100s", strerror(errno)); 2692 freeaddrinfo(aitop); 2693 return -1; 2694 } else { 2695 debug("x11_create_display_inet: Socket family %d not supported", 2696 ai->ai_family); 2697 continue; 2698 } 2699 } 2700 #ifdef IPV6_V6ONLY 2701 if (ai->ai_family == AF_INET6) { 2702 int on = 1; 2703 if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) 2704 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); 2705 } 2706 #endif 2707 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2708 debug2("bind port %d: %.100s", port, strerror(errno)); 2709 close(sock); 2710 2711 if (ai->ai_next) 2712 continue; 2713 2714 for (n = 0; n < num_socks; n++) { 2715 close(socks[n]); 2716 } 2717 num_socks = 0; 2718 break; 2719 } 2720 socks[num_socks++] = sock; 2721 #ifndef DONT_TRY_OTHER_AF 2722 if (num_socks == NUM_SOCKS) 2723 break; 2724 #else 2725 if (x11_use_localhost) { 2726 if (num_socks == NUM_SOCKS) 2727 break; 2728 } else { 2729 break; 2730 } 2731 #endif 2732 } 2733 freeaddrinfo(aitop); 2734 if (num_socks > 0) 2735 break; 2736 } 2737 if (display_number >= MAX_DISPLAYS) { 2738 error("Failed to allocate internet-domain X11 display socket."); 2739 return -1; 2740 } 2741 /* Start listening for connections on the socket. */ 2742 for (n = 0; n < num_socks; n++) { 2743 sock = socks[n]; 2744 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2745 error("listen: %.100s", strerror(errno)); 2746 close(sock); 2747 return -1; 2748 } 2749 } 2750 2751 /* Allocate a channel for each socket. */ 2752 if (chanids != NULL) 2753 *chanids = xmalloc(sizeof(**chanids) * (num_socks + 1)); 2754 for (n = 0; n < num_socks; n++) { 2755 sock = socks[n]; 2756 nc = channel_new("x11 listener", 2757 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 2758 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2759 0, "X11 inet listener", 1); 2760 nc->single_connection = single_connection; 2761 if (*chanids != NULL) 2762 (*chanids)[n] = nc->self; 2763 } 2764 if (*chanids != NULL) 2765 (*chanids)[n] = -1; 2766 2767 /* Return the display number for the DISPLAY environment variable. */ 2768 *display_numberp = display_number; 2769 return (0); 2770 } 2771 2772 static int 2773 connect_local_xsocket(u_int dnr) 2774 { 2775 int sock; 2776 struct sockaddr_un addr; 2777 2778 sock = socket(AF_UNIX, SOCK_STREAM, 0); 2779 if (sock < 0) 2780 error("socket: %.100s", strerror(errno)); 2781 memset(&addr, 0, sizeof(addr)); 2782 addr.sun_family = AF_UNIX; 2783 snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr); 2784 if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0) 2785 return sock; 2786 close(sock); 2787 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 2788 return -1; 2789 } 2790 2791 int 2792 x11_connect_display(void) 2793 { 2794 int display_number, sock = 0; 2795 const char *display; 2796 char buf[1024], *cp; 2797 struct addrinfo hints, *ai, *aitop; 2798 char strport[NI_MAXSERV]; 2799 int gaierr; 2800 2801 /* Try to open a socket for the local X server. */ 2802 display = getenv("DISPLAY"); 2803 if (!display) { 2804 error("DISPLAY not set."); 2805 return -1; 2806 } 2807 /* 2808 * Now we decode the value of the DISPLAY variable and make a 2809 * connection to the real X server. 2810 */ 2811 2812 /* 2813 * Check if it is a unix domain socket. Unix domain displays are in 2814 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 2815 */ 2816 if (strncmp(display, "unix:", 5) == 0 || 2817 display[0] == ':') { 2818 /* Connect to the unix domain socket. */ 2819 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) { 2820 error("Could not parse display number from DISPLAY: %.100s", 2821 display); 2822 return -1; 2823 } 2824 /* Create a socket. */ 2825 sock = connect_local_xsocket(display_number); 2826 if (sock < 0) 2827 return -1; 2828 2829 /* OK, we now have a connection to the display. */ 2830 return sock; 2831 } 2832 /* 2833 * Connect to an inet socket. The DISPLAY value is supposedly 2834 * hostname:d[.s], where hostname may also be numeric IP address. 2835 */ 2836 strlcpy(buf, display, sizeof(buf)); 2837 cp = strchr(buf, ':'); 2838 if (!cp) { 2839 error("Could not find ':' in DISPLAY: %.100s", display); 2840 return -1; 2841 } 2842 *cp = 0; 2843 /* buf now contains the host name. But first we parse the display number. */ 2844 if (sscanf(cp + 1, "%d", &display_number) != 1) { 2845 error("Could not parse display number from DISPLAY: %.100s", 2846 display); 2847 return -1; 2848 } 2849 2850 /* Look up the host address */ 2851 memset(&hints, 0, sizeof(hints)); 2852 hints.ai_family = IPv4or6; 2853 hints.ai_socktype = SOCK_STREAM; 2854 snprintf(strport, sizeof strport, "%d", 6000 + display_number); 2855 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 2856 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); 2857 return -1; 2858 } 2859 for (ai = aitop; ai; ai = ai->ai_next) { 2860 /* Create a socket. */ 2861 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2862 if (sock < 0) { 2863 debug2("socket: %.100s", strerror(errno)); 2864 continue; 2865 } 2866 /* Connect it to the display. */ 2867 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2868 debug2("connect %.100s port %d: %.100s", buf, 2869 6000 + display_number, strerror(errno)); 2870 close(sock); 2871 continue; 2872 } 2873 /* Success */ 2874 break; 2875 } 2876 freeaddrinfo(aitop); 2877 if (!ai) { 2878 error("connect %.100s port %d: %.100s", buf, 6000 + display_number, 2879 strerror(errno)); 2880 return -1; 2881 } 2882 set_nodelay(sock); 2883 return sock; 2884 } 2885 2886 /* 2887 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 2888 * the remote channel number. We should do whatever we want, and respond 2889 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 2890 */ 2891 2892 void 2893 x11_input_open(int type, u_int32_t seq, void *ctxt) 2894 { 2895 Channel *c = NULL; 2896 int remote_id, sock = 0; 2897 char *remote_host; 2898 2899 debug("Received X11 open request."); 2900 2901 remote_id = packet_get_int(); 2902 2903 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2904 remote_host = packet_get_string(NULL); 2905 } else { 2906 remote_host = xstrdup("unknown (remote did not supply name)"); 2907 } 2908 packet_check_eom(); 2909 2910 /* Obtain a connection to the real X display. */ 2911 sock = x11_connect_display(); 2912 if (sock != -1) { 2913 /* Allocate a channel for this connection. */ 2914 c = channel_new("connected x11 socket", 2915 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 2916 remote_host, 1); 2917 c->remote_id = remote_id; 2918 c->force_drain = 1; 2919 } 2920 xfree(remote_host); 2921 if (c == NULL) { 2922 /* Send refusal to the remote host. */ 2923 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2924 packet_put_int(remote_id); 2925 } else { 2926 /* Send a confirmation to the remote host. */ 2927 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 2928 packet_put_int(remote_id); 2929 packet_put_int(c->self); 2930 } 2931 packet_send(); 2932 } 2933 2934 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 2935 void 2936 deny_input_open(int type, u_int32_t seq, void *ctxt) 2937 { 2938 int rchan = packet_get_int(); 2939 2940 switch (type) { 2941 case SSH_SMSG_AGENT_OPEN: 2942 error("Warning: ssh server tried agent forwarding."); 2943 break; 2944 case SSH_SMSG_X11_OPEN: 2945 error("Warning: ssh server tried X11 forwarding."); 2946 break; 2947 default: 2948 error("deny_input_open: type %d", type); 2949 break; 2950 } 2951 error("Warning: this is probably a break in attempt by a malicious server."); 2952 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2953 packet_put_int(rchan); 2954 packet_send(); 2955 } 2956 2957 /* 2958 * Requests forwarding of X11 connections, generates fake authentication 2959 * data, and enables authentication spoofing. 2960 * This should be called in the client only. 2961 */ 2962 void 2963 x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 2964 const char *proto, const char *data) 2965 { 2966 u_int data_len = (u_int) strlen(data) / 2; 2967 u_int i, value; 2968 char *new_data; 2969 int screen_number; 2970 const char *cp; 2971 u_int32_t rnd = 0; 2972 2973 if (x11_saved_display == NULL) 2974 x11_saved_display = xstrdup(disp); 2975 else if (strcmp(disp, x11_saved_display) != 0) { 2976 error("x11_request_forwarding_with_spoofing: different " 2977 "$DISPLAY already forwarded"); 2978 return; 2979 } 2980 2981 cp = disp; 2982 if (disp) 2983 cp = strchr(disp, ':'); 2984 if (cp) 2985 cp = strchr(cp, '.'); 2986 if (cp) 2987 screen_number = atoi(cp + 1); 2988 else 2989 screen_number = 0; 2990 2991 if (x11_saved_proto == NULL) { 2992 /* Save protocol name. */ 2993 x11_saved_proto = xstrdup(proto); 2994 /* 2995 * Extract real authentication data and generate fake data 2996 * of the same length. 2997 */ 2998 x11_saved_data = xmalloc(data_len); 2999 x11_fake_data = xmalloc(data_len); 3000 for (i = 0; i < data_len; i++) { 3001 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3002 fatal("x11_request_forwarding: bad " 3003 "authentication data: %.100s", data); 3004 if (i % 4 == 0) 3005 rnd = arc4random(); 3006 x11_saved_data[i] = value; 3007 x11_fake_data[i] = rnd & 0xff; 3008 rnd >>= 8; 3009 } 3010 x11_saved_data_len = data_len; 3011 x11_fake_data_len = data_len; 3012 } 3013 3014 /* Convert the fake data into hex. */ 3015 new_data = tohex(x11_fake_data, data_len); 3016 3017 /* Send the request packet. */ 3018 if (compat20) { 3019 channel_request_start(client_session_id, "x11-req", 0); 3020 packet_put_char(0); /* XXX bool single connection */ 3021 } else { 3022 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 3023 } 3024 packet_put_cstring(proto); 3025 packet_put_cstring(new_data); 3026 packet_put_int(screen_number); 3027 packet_send(); 3028 packet_write_wait(); 3029 xfree(new_data); 3030 } 3031 3032 3033 /* -- agent forwarding */ 3034 3035 /* Sends a message to the server to request authentication fd forwarding. */ 3036 3037 void 3038 auth_request_forwarding(void) 3039 { 3040 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 3041 packet_send(); 3042 packet_write_wait(); 3043 } 3044