1 /* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This file contains functions for generic socket connection forwarding. 6 * There is also code for initiating connection forwarding for X11 connections, 7 * arbitrary tcp/ip connections, and the authentication agent connection. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * SSH2 support added by Markus Friedl. 16 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 17 * Copyright (c) 1999 Dug Song. All rights reserved. 18 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 30 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 31 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 32 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 33 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 34 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 35 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 36 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 37 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 38 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 */ 40 41 #include "includes.h" 42 RCSID("$OpenBSD: channels.c,v 1.200 2004/01/19 09:24:21 markus Exp $"); 43 44 #include "ssh.h" 45 #include "ssh1.h" 46 #include "ssh2.h" 47 #include "packet.h" 48 #include "xmalloc.h" 49 #include "log.h" 50 #include "misc.h" 51 #include "channels.h" 52 #include "compat.h" 53 #include "canohost.h" 54 #include "key.h" 55 #include "authfd.h" 56 #include "pathnames.h" 57 #include "bufaux.h" 58 59 /* -- channel core */ 60 61 /* 62 * Pointer to an array containing all allocated channels. The array is 63 * dynamically extended as needed. 64 */ 65 static Channel **channels = NULL; 66 67 /* 68 * Size of the channel array. All slots of the array must always be 69 * initialized (at least the type field); unused slots set to NULL 70 */ 71 static int channels_alloc = 0; 72 73 /* 74 * Maximum file descriptor value used in any of the channels. This is 75 * updated in channel_new. 76 */ 77 static int channel_max_fd = 0; 78 79 80 /* -- tcp forwarding */ 81 82 /* 83 * Data structure for storing which hosts are permitted for forward requests. 84 * The local sides of any remote forwards are stored in this array to prevent 85 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 86 * network (which might be behind a firewall). 87 */ 88 typedef struct { 89 char *host_to_connect; /* Connect to 'host'. */ 90 u_short port_to_connect; /* Connect to 'port'. */ 91 u_short listen_port; /* Remote side should listen port number. */ 92 } ForwardPermission; 93 94 /* List of all permitted host/port pairs to connect. */ 95 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 96 97 /* Number of permitted host/port pairs in the array. */ 98 static int num_permitted_opens = 0; 99 /* 100 * If this is true, all opens are permitted. This is the case on the server 101 * on which we have to trust the client anyway, and the user could do 102 * anything after logging in anyway. 103 */ 104 static int all_opens_permitted = 0; 105 106 107 /* -- X11 forwarding */ 108 109 /* Maximum number of fake X11 displays to try. */ 110 #define MAX_DISPLAYS 1000 111 112 /* Saved X11 authentication protocol name. */ 113 static char *x11_saved_proto = NULL; 114 115 /* Saved X11 authentication data. This is the real data. */ 116 static char *x11_saved_data = NULL; 117 static u_int x11_saved_data_len = 0; 118 119 /* 120 * Fake X11 authentication data. This is what the server will be sending us; 121 * we should replace any occurrences of this by the real data. 122 */ 123 static char *x11_fake_data = NULL; 124 static u_int x11_fake_data_len; 125 126 127 /* -- agent forwarding */ 128 129 #define NUM_SOCKS 10 130 131 /* AF_UNSPEC or AF_INET or AF_INET6 */ 132 static int IPv4or6 = AF_UNSPEC; 133 134 /* helper */ 135 static void port_open_helper(Channel *c, char *rtype); 136 137 /* -- channel core */ 138 139 Channel * 140 channel_lookup(int id) 141 { 142 Channel *c; 143 144 if (id < 0 || id >= channels_alloc) { 145 logit("channel_lookup: %d: bad id", id); 146 return NULL; 147 } 148 c = channels[id]; 149 if (c == NULL) { 150 logit("channel_lookup: %d: bad id: channel free", id); 151 return NULL; 152 } 153 return c; 154 } 155 156 /* 157 * Register filedescriptors for a channel, used when allocating a channel or 158 * when the channel consumer/producer is ready, e.g. shell exec'd 159 */ 160 161 static void 162 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 163 int extusage, int nonblock) 164 { 165 /* Update the maximum file descriptor value. */ 166 channel_max_fd = MAX(channel_max_fd, rfd); 167 channel_max_fd = MAX(channel_max_fd, wfd); 168 channel_max_fd = MAX(channel_max_fd, efd); 169 170 /* XXX set close-on-exec -markus */ 171 172 c->rfd = rfd; 173 c->wfd = wfd; 174 c->sock = (rfd == wfd) ? rfd : -1; 175 c->efd = efd; 176 c->extended_usage = extusage; 177 178 /* XXX ugly hack: nonblock is only set by the server */ 179 if (nonblock && isatty(c->rfd)) { 180 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 181 c->isatty = 1; 182 if (!isatty(c->wfd)) { 183 error("channel %d: wfd %d is not a tty?", 184 c->self, c->wfd); 185 } 186 } else { 187 c->isatty = 0; 188 } 189 c->wfd_isatty = isatty(c->wfd); 190 191 /* enable nonblocking mode */ 192 if (nonblock) { 193 if (rfd != -1) 194 set_nonblock(rfd); 195 if (wfd != -1) 196 set_nonblock(wfd); 197 if (efd != -1) 198 set_nonblock(efd); 199 } 200 } 201 202 /* 203 * Allocate a new channel object and set its type and socket. This will cause 204 * remote_name to be freed. 205 */ 206 207 Channel * 208 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 209 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 210 { 211 int i, found; 212 Channel *c; 213 214 /* Do initial allocation if this is the first call. */ 215 if (channels_alloc == 0) { 216 channels_alloc = 10; 217 channels = xmalloc(channels_alloc * sizeof(Channel *)); 218 for (i = 0; i < channels_alloc; i++) 219 channels[i] = NULL; 220 } 221 /* Try to find a free slot where to put the new channel. */ 222 for (found = -1, i = 0; i < channels_alloc; i++) 223 if (channels[i] == NULL) { 224 /* Found a free slot. */ 225 found = i; 226 break; 227 } 228 if (found == -1) { 229 /* There are no free slots. Take last+1 slot and expand the array. */ 230 found = channels_alloc; 231 if (channels_alloc > 10000) 232 fatal("channel_new: internal error: channels_alloc %d " 233 "too big.", channels_alloc); 234 channels = xrealloc(channels, 235 (channels_alloc + 10) * sizeof(Channel *)); 236 channels_alloc += 10; 237 debug2("channel: expanding %d", channels_alloc); 238 for (i = found; i < channels_alloc; i++) 239 channels[i] = NULL; 240 } 241 /* Initialize and return new channel. */ 242 c = channels[found] = xmalloc(sizeof(Channel)); 243 memset(c, 0, sizeof(Channel)); 244 buffer_init(&c->input); 245 buffer_init(&c->output); 246 buffer_init(&c->extended); 247 c->ostate = CHAN_OUTPUT_OPEN; 248 c->istate = CHAN_INPUT_OPEN; 249 c->flags = 0; 250 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 251 c->self = found; 252 c->type = type; 253 c->ctype = ctype; 254 c->local_window = window; 255 c->local_window_max = window; 256 c->local_consumed = 0; 257 c->local_maxpacket = maxpack; 258 c->remote_id = -1; 259 c->remote_name = xstrdup(remote_name); 260 c->remote_window = 0; 261 c->remote_maxpacket = 0; 262 c->force_drain = 0; 263 c->single_connection = 0; 264 c->detach_user = NULL; 265 c->confirm = NULL; 266 c->input_filter = NULL; 267 debug("channel %d: new [%s]", found, remote_name); 268 return c; 269 } 270 271 static int 272 channel_find_maxfd(void) 273 { 274 int i, max = 0; 275 Channel *c; 276 277 for (i = 0; i < channels_alloc; i++) { 278 c = channels[i]; 279 if (c != NULL) { 280 max = MAX(max, c->rfd); 281 max = MAX(max, c->wfd); 282 max = MAX(max, c->efd); 283 } 284 } 285 return max; 286 } 287 288 int 289 channel_close_fd(int *fdp) 290 { 291 int ret = 0, fd = *fdp; 292 293 if (fd != -1) { 294 ret = close(fd); 295 *fdp = -1; 296 if (fd == channel_max_fd) 297 channel_max_fd = channel_find_maxfd(); 298 } 299 return ret; 300 } 301 302 /* Close all channel fd/socket. */ 303 304 static void 305 channel_close_fds(Channel *c) 306 { 307 debug3("channel %d: close_fds r %d w %d e %d", 308 c->self, c->rfd, c->wfd, c->efd); 309 310 channel_close_fd(&c->sock); 311 channel_close_fd(&c->rfd); 312 channel_close_fd(&c->wfd); 313 channel_close_fd(&c->efd); 314 } 315 316 /* Free the channel and close its fd/socket. */ 317 318 void 319 channel_free(Channel *c) 320 { 321 char *s; 322 int i, n; 323 324 for (n = 0, i = 0; i < channels_alloc; i++) 325 if (channels[i]) 326 n++; 327 debug("channel %d: free: %s, nchannels %d", c->self, 328 c->remote_name ? c->remote_name : "???", n); 329 330 s = channel_open_message(); 331 debug3("channel %d: status: %s", c->self, s); 332 xfree(s); 333 334 if (c->sock != -1) 335 shutdown(c->sock, SHUT_RDWR); 336 channel_close_fds(c); 337 buffer_free(&c->input); 338 buffer_free(&c->output); 339 buffer_free(&c->extended); 340 if (c->remote_name) { 341 xfree(c->remote_name); 342 c->remote_name = NULL; 343 } 344 channels[c->self] = NULL; 345 xfree(c); 346 } 347 348 void 349 channel_free_all(void) 350 { 351 int i; 352 353 for (i = 0; i < channels_alloc; i++) 354 if (channels[i] != NULL) 355 channel_free(channels[i]); 356 } 357 358 /* 359 * Closes the sockets/fds of all channels. This is used to close extra file 360 * descriptors after a fork. 361 */ 362 363 void 364 channel_close_all(void) 365 { 366 int i; 367 368 for (i = 0; i < channels_alloc; i++) 369 if (channels[i] != NULL) 370 channel_close_fds(channels[i]); 371 } 372 373 /* 374 * Stop listening to channels. 375 */ 376 377 void 378 channel_stop_listening(void) 379 { 380 int i; 381 Channel *c; 382 383 for (i = 0; i < channels_alloc; i++) { 384 c = channels[i]; 385 if (c != NULL) { 386 switch (c->type) { 387 case SSH_CHANNEL_AUTH_SOCKET: 388 case SSH_CHANNEL_PORT_LISTENER: 389 case SSH_CHANNEL_RPORT_LISTENER: 390 case SSH_CHANNEL_X11_LISTENER: 391 channel_close_fd(&c->sock); 392 channel_free(c); 393 break; 394 } 395 } 396 } 397 } 398 399 /* 400 * Returns true if no channel has too much buffered data, and false if one or 401 * more channel is overfull. 402 */ 403 404 int 405 channel_not_very_much_buffered_data(void) 406 { 407 u_int i; 408 Channel *c; 409 410 for (i = 0; i < channels_alloc; i++) { 411 c = channels[i]; 412 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 413 #if 0 414 if (!compat20 && 415 buffer_len(&c->input) > packet_get_maxsize()) { 416 debug2("channel %d: big input buffer %d", 417 c->self, buffer_len(&c->input)); 418 return 0; 419 } 420 #endif 421 if (buffer_len(&c->output) > packet_get_maxsize()) { 422 debug2("channel %d: big output buffer %u > %u", 423 c->self, buffer_len(&c->output), 424 packet_get_maxsize()); 425 return 0; 426 } 427 } 428 } 429 return 1; 430 } 431 432 /* Returns true if any channel is still open. */ 433 434 int 435 channel_still_open(void) 436 { 437 int i; 438 Channel *c; 439 440 for (i = 0; i < channels_alloc; i++) { 441 c = channels[i]; 442 if (c == NULL) 443 continue; 444 switch (c->type) { 445 case SSH_CHANNEL_X11_LISTENER: 446 case SSH_CHANNEL_PORT_LISTENER: 447 case SSH_CHANNEL_RPORT_LISTENER: 448 case SSH_CHANNEL_CLOSED: 449 case SSH_CHANNEL_AUTH_SOCKET: 450 case SSH_CHANNEL_DYNAMIC: 451 case SSH_CHANNEL_CONNECTING: 452 case SSH_CHANNEL_ZOMBIE: 453 continue; 454 case SSH_CHANNEL_LARVAL: 455 if (!compat20) 456 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 457 continue; 458 case SSH_CHANNEL_OPENING: 459 case SSH_CHANNEL_OPEN: 460 case SSH_CHANNEL_X11_OPEN: 461 return 1; 462 case SSH_CHANNEL_INPUT_DRAINING: 463 case SSH_CHANNEL_OUTPUT_DRAINING: 464 if (!compat13) 465 fatal("cannot happen: OUT_DRAIN"); 466 return 1; 467 default: 468 fatal("channel_still_open: bad channel type %d", c->type); 469 /* NOTREACHED */ 470 } 471 } 472 return 0; 473 } 474 475 /* Returns the id of an open channel suitable for keepaliving */ 476 477 int 478 channel_find_open(void) 479 { 480 int i; 481 Channel *c; 482 483 for (i = 0; i < channels_alloc; i++) { 484 c = channels[i]; 485 if (c == NULL) 486 continue; 487 switch (c->type) { 488 case SSH_CHANNEL_CLOSED: 489 case SSH_CHANNEL_DYNAMIC: 490 case SSH_CHANNEL_X11_LISTENER: 491 case SSH_CHANNEL_PORT_LISTENER: 492 case SSH_CHANNEL_RPORT_LISTENER: 493 case SSH_CHANNEL_OPENING: 494 case SSH_CHANNEL_CONNECTING: 495 case SSH_CHANNEL_ZOMBIE: 496 continue; 497 case SSH_CHANNEL_LARVAL: 498 case SSH_CHANNEL_AUTH_SOCKET: 499 case SSH_CHANNEL_OPEN: 500 case SSH_CHANNEL_X11_OPEN: 501 return i; 502 case SSH_CHANNEL_INPUT_DRAINING: 503 case SSH_CHANNEL_OUTPUT_DRAINING: 504 if (!compat13) 505 fatal("cannot happen: OUT_DRAIN"); 506 return i; 507 default: 508 fatal("channel_find_open: bad channel type %d", c->type); 509 /* NOTREACHED */ 510 } 511 } 512 return -1; 513 } 514 515 516 /* 517 * Returns a message describing the currently open forwarded connections, 518 * suitable for sending to the client. The message contains crlf pairs for 519 * newlines. 520 */ 521 522 char * 523 channel_open_message(void) 524 { 525 Buffer buffer; 526 Channel *c; 527 char buf[1024], *cp; 528 int i; 529 530 buffer_init(&buffer); 531 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 532 buffer_append(&buffer, buf, strlen(buf)); 533 for (i = 0; i < channels_alloc; i++) { 534 c = channels[i]; 535 if (c == NULL) 536 continue; 537 switch (c->type) { 538 case SSH_CHANNEL_X11_LISTENER: 539 case SSH_CHANNEL_PORT_LISTENER: 540 case SSH_CHANNEL_RPORT_LISTENER: 541 case SSH_CHANNEL_CLOSED: 542 case SSH_CHANNEL_AUTH_SOCKET: 543 case SSH_CHANNEL_ZOMBIE: 544 continue; 545 case SSH_CHANNEL_LARVAL: 546 case SSH_CHANNEL_OPENING: 547 case SSH_CHANNEL_CONNECTING: 548 case SSH_CHANNEL_DYNAMIC: 549 case SSH_CHANNEL_OPEN: 550 case SSH_CHANNEL_X11_OPEN: 551 case SSH_CHANNEL_INPUT_DRAINING: 552 case SSH_CHANNEL_OUTPUT_DRAINING: 553 snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n", 554 c->self, c->remote_name, 555 c->type, c->remote_id, 556 c->istate, buffer_len(&c->input), 557 c->ostate, buffer_len(&c->output), 558 c->rfd, c->wfd); 559 buffer_append(&buffer, buf, strlen(buf)); 560 continue; 561 default: 562 fatal("channel_open_message: bad channel type %d", c->type); 563 /* NOTREACHED */ 564 } 565 } 566 buffer_append(&buffer, "\0", 1); 567 cp = xstrdup(buffer_ptr(&buffer)); 568 buffer_free(&buffer); 569 return cp; 570 } 571 572 void 573 channel_send_open(int id) 574 { 575 Channel *c = channel_lookup(id); 576 577 if (c == NULL) { 578 logit("channel_send_open: %d: bad id", id); 579 return; 580 } 581 debug2("channel %d: send open", id); 582 packet_start(SSH2_MSG_CHANNEL_OPEN); 583 packet_put_cstring(c->ctype); 584 packet_put_int(c->self); 585 packet_put_int(c->local_window); 586 packet_put_int(c->local_maxpacket); 587 packet_send(); 588 } 589 590 void 591 channel_request_start(int id, char *service, int wantconfirm) 592 { 593 Channel *c = channel_lookup(id); 594 595 if (c == NULL) { 596 logit("channel_request_start: %d: unknown channel id", id); 597 return; 598 } 599 debug2("channel %d: request %s", id, service) ; 600 packet_start(SSH2_MSG_CHANNEL_REQUEST); 601 packet_put_int(c->remote_id); 602 packet_put_cstring(service); 603 packet_put_char(wantconfirm); 604 } 605 void 606 channel_register_confirm(int id, channel_callback_fn *fn) 607 { 608 Channel *c = channel_lookup(id); 609 610 if (c == NULL) { 611 logit("channel_register_comfirm: %d: bad id", id); 612 return; 613 } 614 c->confirm = fn; 615 } 616 void 617 channel_register_cleanup(int id, channel_callback_fn *fn) 618 { 619 Channel *c = channel_lookup(id); 620 621 if (c == NULL) { 622 logit("channel_register_cleanup: %d: bad id", id); 623 return; 624 } 625 c->detach_user = fn; 626 } 627 void 628 channel_cancel_cleanup(int id) 629 { 630 Channel *c = channel_lookup(id); 631 632 if (c == NULL) { 633 logit("channel_cancel_cleanup: %d: bad id", id); 634 return; 635 } 636 c->detach_user = NULL; 637 } 638 void 639 channel_register_filter(int id, channel_filter_fn *fn) 640 { 641 Channel *c = channel_lookup(id); 642 643 if (c == NULL) { 644 logit("channel_register_filter: %d: bad id", id); 645 return; 646 } 647 c->input_filter = fn; 648 } 649 650 void 651 channel_set_fds(int id, int rfd, int wfd, int efd, 652 int extusage, int nonblock, u_int window_max) 653 { 654 Channel *c = channel_lookup(id); 655 656 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 657 fatal("channel_activate for non-larval channel %d.", id); 658 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 659 c->type = SSH_CHANNEL_OPEN; 660 c->local_window = c->local_window_max = window_max; 661 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 662 packet_put_int(c->remote_id); 663 packet_put_int(c->local_window); 664 packet_send(); 665 } 666 667 /* 668 * 'channel_pre*' are called just before select() to add any bits relevant to 669 * channels in the select bitmasks. 670 */ 671 /* 672 * 'channel_post*': perform any appropriate operations for channels which 673 * have events pending. 674 */ 675 typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset); 676 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 677 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 678 679 static void 680 channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset) 681 { 682 FD_SET(c->sock, readset); 683 } 684 685 static void 686 channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset) 687 { 688 debug3("channel %d: waiting for connection", c->self); 689 FD_SET(c->sock, writeset); 690 } 691 692 static void 693 channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset) 694 { 695 if (buffer_len(&c->input) < packet_get_maxsize()) 696 FD_SET(c->sock, readset); 697 if (buffer_len(&c->output) > 0) 698 FD_SET(c->sock, writeset); 699 } 700 701 static void 702 channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset) 703 { 704 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 705 706 if (c->istate == CHAN_INPUT_OPEN && 707 limit > 0 && 708 buffer_len(&c->input) < limit) 709 FD_SET(c->rfd, readset); 710 if (c->ostate == CHAN_OUTPUT_OPEN || 711 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 712 if (buffer_len(&c->output) > 0) { 713 FD_SET(c->wfd, writeset); 714 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 715 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 716 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 717 c->self, c->efd, buffer_len(&c->extended)); 718 else 719 chan_obuf_empty(c); 720 } 721 } 722 /** XXX check close conditions, too */ 723 if (compat20 && c->efd != -1) { 724 if (c->extended_usage == CHAN_EXTENDED_WRITE && 725 buffer_len(&c->extended) > 0) 726 FD_SET(c->efd, writeset); 727 else if (!(c->flags & CHAN_EOF_SENT) && 728 c->extended_usage == CHAN_EXTENDED_READ && 729 buffer_len(&c->extended) < c->remote_window) 730 FD_SET(c->efd, readset); 731 } 732 } 733 734 static void 735 channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset) 736 { 737 if (buffer_len(&c->input) == 0) { 738 packet_start(SSH_MSG_CHANNEL_CLOSE); 739 packet_put_int(c->remote_id); 740 packet_send(); 741 c->type = SSH_CHANNEL_CLOSED; 742 debug2("channel %d: closing after input drain.", c->self); 743 } 744 } 745 746 static void 747 channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset) 748 { 749 if (buffer_len(&c->output) == 0) 750 chan_mark_dead(c); 751 else 752 FD_SET(c->sock, writeset); 753 } 754 755 /* 756 * This is a special state for X11 authentication spoofing. An opened X11 757 * connection (when authentication spoofing is being done) remains in this 758 * state until the first packet has been completely read. The authentication 759 * data in that packet is then substituted by the real data if it matches the 760 * fake data, and the channel is put into normal mode. 761 * XXX All this happens at the client side. 762 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 763 */ 764 static int 765 x11_open_helper(Buffer *b) 766 { 767 u_char *ucp; 768 u_int proto_len, data_len; 769 770 /* Check if the fixed size part of the packet is in buffer. */ 771 if (buffer_len(b) < 12) 772 return 0; 773 774 /* Parse the lengths of variable-length fields. */ 775 ucp = buffer_ptr(b); 776 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 777 proto_len = 256 * ucp[6] + ucp[7]; 778 data_len = 256 * ucp[8] + ucp[9]; 779 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 780 proto_len = ucp[6] + 256 * ucp[7]; 781 data_len = ucp[8] + 256 * ucp[9]; 782 } else { 783 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 784 ucp[0]); 785 return -1; 786 } 787 788 /* Check if the whole packet is in buffer. */ 789 if (buffer_len(b) < 790 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 791 return 0; 792 793 /* Check if authentication protocol matches. */ 794 if (proto_len != strlen(x11_saved_proto) || 795 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 796 debug2("X11 connection uses different authentication protocol."); 797 return -1; 798 } 799 /* Check if authentication data matches our fake data. */ 800 if (data_len != x11_fake_data_len || 801 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 802 x11_fake_data, x11_fake_data_len) != 0) { 803 debug2("X11 auth data does not match fake data."); 804 return -1; 805 } 806 /* Check fake data length */ 807 if (x11_fake_data_len != x11_saved_data_len) { 808 error("X11 fake_data_len %d != saved_data_len %d", 809 x11_fake_data_len, x11_saved_data_len); 810 return -1; 811 } 812 /* 813 * Received authentication protocol and data match 814 * our fake data. Substitute the fake data with real 815 * data. 816 */ 817 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 818 x11_saved_data, x11_saved_data_len); 819 return 1; 820 } 821 822 static void 823 channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset) 824 { 825 int ret = x11_open_helper(&c->output); 826 827 if (ret == 1) { 828 /* Start normal processing for the channel. */ 829 c->type = SSH_CHANNEL_OPEN; 830 channel_pre_open_13(c, readset, writeset); 831 } else if (ret == -1) { 832 /* 833 * We have received an X11 connection that has bad 834 * authentication information. 835 */ 836 logit("X11 connection rejected because of wrong authentication."); 837 buffer_clear(&c->input); 838 buffer_clear(&c->output); 839 channel_close_fd(&c->sock); 840 c->sock = -1; 841 c->type = SSH_CHANNEL_CLOSED; 842 packet_start(SSH_MSG_CHANNEL_CLOSE); 843 packet_put_int(c->remote_id); 844 packet_send(); 845 } 846 } 847 848 static void 849 channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset) 850 { 851 int ret = x11_open_helper(&c->output); 852 853 /* c->force_drain = 1; */ 854 855 if (ret == 1) { 856 c->type = SSH_CHANNEL_OPEN; 857 channel_pre_open(c, readset, writeset); 858 } else if (ret == -1) { 859 logit("X11 connection rejected because of wrong authentication."); 860 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 861 chan_read_failed(c); 862 buffer_clear(&c->input); 863 chan_ibuf_empty(c); 864 buffer_clear(&c->output); 865 /* for proto v1, the peer will send an IEOF */ 866 if (compat20) 867 chan_write_failed(c); 868 else 869 c->type = SSH_CHANNEL_OPEN; 870 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 871 } 872 } 873 874 /* try to decode a socks4 header */ 875 static int 876 channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset) 877 { 878 char *p, *host; 879 int len, have, i, found; 880 char username[256]; 881 struct { 882 u_int8_t version; 883 u_int8_t command; 884 u_int16_t dest_port; 885 struct in_addr dest_addr; 886 } s4_req, s4_rsp; 887 888 debug2("channel %d: decode socks4", c->self); 889 890 have = buffer_len(&c->input); 891 len = sizeof(s4_req); 892 if (have < len) 893 return 0; 894 p = buffer_ptr(&c->input); 895 for (found = 0, i = len; i < have; i++) { 896 if (p[i] == '\0') { 897 found = 1; 898 break; 899 } 900 if (i > 1024) { 901 /* the peer is probably sending garbage */ 902 debug("channel %d: decode socks4: too long", 903 c->self); 904 return -1; 905 } 906 } 907 if (!found) 908 return 0; 909 buffer_get(&c->input, (char *)&s4_req.version, 1); 910 buffer_get(&c->input, (char *)&s4_req.command, 1); 911 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 912 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 913 have = buffer_len(&c->input); 914 p = buffer_ptr(&c->input); 915 len = strlen(p); 916 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 917 if (len > have) 918 fatal("channel %d: decode socks4: len %d > have %d", 919 c->self, len, have); 920 strlcpy(username, p, sizeof(username)); 921 buffer_consume(&c->input, len); 922 buffer_consume(&c->input, 1); /* trailing '\0' */ 923 924 host = inet_ntoa(s4_req.dest_addr); 925 strlcpy(c->path, host, sizeof(c->path)); 926 c->host_port = ntohs(s4_req.dest_port); 927 928 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 929 c->self, host, c->host_port, s4_req.command); 930 931 if (s4_req.command != 1) { 932 debug("channel %d: cannot handle: socks4 cn %d", 933 c->self, s4_req.command); 934 return -1; 935 } 936 s4_rsp.version = 0; /* vn: 0 for reply */ 937 s4_rsp.command = 90; /* cd: req granted */ 938 s4_rsp.dest_port = 0; /* ignored */ 939 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 940 buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp)); 941 return 1; 942 } 943 944 /* try to decode a socks5 header */ 945 #define SSH_SOCKS5_AUTHDONE 0x1000 946 #define SSH_SOCKS5_NOAUTH 0x00 947 #define SSH_SOCKS5_IPV4 0x01 948 #define SSH_SOCKS5_DOMAIN 0x03 949 #define SSH_SOCKS5_IPV6 0x04 950 #define SSH_SOCKS5_CONNECT 0x01 951 #define SSH_SOCKS5_SUCCESS 0x00 952 953 static int 954 channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset) 955 { 956 struct { 957 u_int8_t version; 958 u_int8_t command; 959 u_int8_t reserved; 960 u_int8_t atyp; 961 } s5_req, s5_rsp; 962 u_int16_t dest_port; 963 u_char *p, dest_addr[255+1]; 964 int i, have, found, nmethods, addrlen, af; 965 966 debug2("channel %d: decode socks5", c->self); 967 p = buffer_ptr(&c->input); 968 if (p[0] != 0x05) 969 return -1; 970 have = buffer_len(&c->input); 971 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 972 /* format: ver | nmethods | methods */ 973 if (have < 2) 974 return 0; 975 nmethods = p[1]; 976 if (have < nmethods + 2) 977 return 0; 978 /* look for method: "NO AUTHENTICATION REQUIRED" */ 979 for (found = 0, i = 2 ; i < nmethods + 2; i++) { 980 if (p[i] == SSH_SOCKS5_NOAUTH ) { 981 found = 1; 982 break; 983 } 984 } 985 if (!found) { 986 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 987 c->self); 988 return -1; 989 } 990 buffer_consume(&c->input, nmethods + 2); 991 buffer_put_char(&c->output, 0x05); /* version */ 992 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 993 FD_SET(c->sock, writeset); 994 c->flags |= SSH_SOCKS5_AUTHDONE; 995 debug2("channel %d: socks5 auth done", c->self); 996 return 0; /* need more */ 997 } 998 debug2("channel %d: socks5 post auth", c->self); 999 if (have < sizeof(s5_req)+1) 1000 return 0; /* need more */ 1001 memcpy((char *)&s5_req, p, sizeof(s5_req)); 1002 if (s5_req.version != 0x05 || 1003 s5_req.command != SSH_SOCKS5_CONNECT || 1004 s5_req.reserved != 0x00) { 1005 debug2("channel %d: only socks5 connect supported", c->self); 1006 return -1; 1007 } 1008 switch(s5_req.atyp){ 1009 case SSH_SOCKS5_IPV4: 1010 addrlen = 4; 1011 af = AF_INET; 1012 break; 1013 case SSH_SOCKS5_DOMAIN: 1014 addrlen = p[sizeof(s5_req)]; 1015 af = -1; 1016 break; 1017 case SSH_SOCKS5_IPV6: 1018 addrlen = 16; 1019 af = AF_INET6; 1020 break; 1021 default: 1022 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1023 return -1; 1024 } 1025 if (have < 4 + addrlen + 2) 1026 return 0; 1027 buffer_consume(&c->input, sizeof(s5_req)); 1028 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1029 buffer_consume(&c->input, 1); /* host string length */ 1030 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1031 buffer_get(&c->input, (char *)&dest_port, 2); 1032 dest_addr[addrlen] = '\0'; 1033 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1034 strlcpy(c->path, dest_addr, sizeof(c->path)); 1035 else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL) 1036 return -1; 1037 c->host_port = ntohs(dest_port); 1038 1039 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1040 c->self, c->path, c->host_port, s5_req.command); 1041 1042 s5_rsp.version = 0x05; 1043 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1044 s5_rsp.reserved = 0; /* ignored */ 1045 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1046 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; 1047 dest_port = 0; /* ignored */ 1048 1049 buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp)); 1050 buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr)); 1051 buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port)); 1052 return 1; 1053 } 1054 1055 /* dynamic port forwarding */ 1056 static void 1057 channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset) 1058 { 1059 u_char *p; 1060 int have, ret; 1061 1062 have = buffer_len(&c->input); 1063 c->delayed = 0; 1064 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1065 /* buffer_dump(&c->input); */ 1066 /* check if the fixed size part of the packet is in buffer. */ 1067 if (have < 3) { 1068 /* need more */ 1069 FD_SET(c->sock, readset); 1070 return; 1071 } 1072 /* try to guess the protocol */ 1073 p = buffer_ptr(&c->input); 1074 switch (p[0]) { 1075 case 0x04: 1076 ret = channel_decode_socks4(c, readset, writeset); 1077 break; 1078 case 0x05: 1079 ret = channel_decode_socks5(c, readset, writeset); 1080 break; 1081 default: 1082 ret = -1; 1083 break; 1084 } 1085 if (ret < 0) { 1086 chan_mark_dead(c); 1087 } else if (ret == 0) { 1088 debug2("channel %d: pre_dynamic: need more", c->self); 1089 /* need more */ 1090 FD_SET(c->sock, readset); 1091 } else { 1092 /* switch to the next state */ 1093 c->type = SSH_CHANNEL_OPENING; 1094 port_open_helper(c, "direct-tcpip"); 1095 } 1096 } 1097 1098 /* This is our fake X11 server socket. */ 1099 static void 1100 channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset) 1101 { 1102 Channel *nc; 1103 struct sockaddr addr; 1104 int newsock; 1105 socklen_t addrlen; 1106 char buf[16384], *remote_ipaddr; 1107 int remote_port; 1108 1109 if (FD_ISSET(c->sock, readset)) { 1110 debug("X11 connection requested."); 1111 addrlen = sizeof(addr); 1112 newsock = accept(c->sock, &addr, &addrlen); 1113 if (c->single_connection) { 1114 debug2("single_connection: closing X11 listener."); 1115 channel_close_fd(&c->sock); 1116 chan_mark_dead(c); 1117 } 1118 if (newsock < 0) { 1119 error("accept: %.100s", strerror(errno)); 1120 return; 1121 } 1122 set_nodelay(newsock); 1123 remote_ipaddr = get_peer_ipaddr(newsock); 1124 remote_port = get_peer_port(newsock); 1125 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1126 remote_ipaddr, remote_port); 1127 1128 nc = channel_new("accepted x11 socket", 1129 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1130 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1131 if (compat20) { 1132 packet_start(SSH2_MSG_CHANNEL_OPEN); 1133 packet_put_cstring("x11"); 1134 packet_put_int(nc->self); 1135 packet_put_int(nc->local_window_max); 1136 packet_put_int(nc->local_maxpacket); 1137 /* originator ipaddr and port */ 1138 packet_put_cstring(remote_ipaddr); 1139 if (datafellows & SSH_BUG_X11FWD) { 1140 debug2("ssh2 x11 bug compat mode"); 1141 } else { 1142 packet_put_int(remote_port); 1143 } 1144 packet_send(); 1145 } else { 1146 packet_start(SSH_SMSG_X11_OPEN); 1147 packet_put_int(nc->self); 1148 if (packet_get_protocol_flags() & 1149 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1150 packet_put_cstring(buf); 1151 packet_send(); 1152 } 1153 xfree(remote_ipaddr); 1154 } 1155 } 1156 1157 static void 1158 port_open_helper(Channel *c, char *rtype) 1159 { 1160 int direct; 1161 char buf[1024]; 1162 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1163 u_short remote_port = get_peer_port(c->sock); 1164 1165 direct = (strcmp(rtype, "direct-tcpip") == 0); 1166 1167 snprintf(buf, sizeof buf, 1168 "%s: listening port %d for %.100s port %d, " 1169 "connect from %.200s port %d", 1170 rtype, c->listening_port, c->path, c->host_port, 1171 remote_ipaddr, remote_port); 1172 1173 xfree(c->remote_name); 1174 c->remote_name = xstrdup(buf); 1175 1176 if (compat20) { 1177 packet_start(SSH2_MSG_CHANNEL_OPEN); 1178 packet_put_cstring(rtype); 1179 packet_put_int(c->self); 1180 packet_put_int(c->local_window_max); 1181 packet_put_int(c->local_maxpacket); 1182 if (direct) { 1183 /* target host, port */ 1184 packet_put_cstring(c->path); 1185 packet_put_int(c->host_port); 1186 } else { 1187 /* listen address, port */ 1188 packet_put_cstring(c->path); 1189 packet_put_int(c->listening_port); 1190 } 1191 /* originator host and port */ 1192 packet_put_cstring(remote_ipaddr); 1193 packet_put_int(remote_port); 1194 packet_send(); 1195 } else { 1196 packet_start(SSH_MSG_PORT_OPEN); 1197 packet_put_int(c->self); 1198 packet_put_cstring(c->path); 1199 packet_put_int(c->host_port); 1200 if (packet_get_protocol_flags() & 1201 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1202 packet_put_cstring(c->remote_name); 1203 packet_send(); 1204 } 1205 xfree(remote_ipaddr); 1206 } 1207 1208 /* 1209 * This socket is listening for connections to a forwarded TCP/IP port. 1210 */ 1211 static void 1212 channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) 1213 { 1214 Channel *nc; 1215 struct sockaddr addr; 1216 int newsock, nextstate; 1217 socklen_t addrlen; 1218 char *rtype; 1219 1220 if (FD_ISSET(c->sock, readset)) { 1221 debug("Connection to port %d forwarding " 1222 "to %.100s port %d requested.", 1223 c->listening_port, c->path, c->host_port); 1224 1225 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1226 nextstate = SSH_CHANNEL_OPENING; 1227 rtype = "forwarded-tcpip"; 1228 } else { 1229 if (c->host_port == 0) { 1230 nextstate = SSH_CHANNEL_DYNAMIC; 1231 rtype = "dynamic-tcpip"; 1232 } else { 1233 nextstate = SSH_CHANNEL_OPENING; 1234 rtype = "direct-tcpip"; 1235 } 1236 } 1237 1238 addrlen = sizeof(addr); 1239 newsock = accept(c->sock, &addr, &addrlen); 1240 if (newsock < 0) { 1241 error("accept: %.100s", strerror(errno)); 1242 return; 1243 } 1244 set_nodelay(newsock); 1245 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1246 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1247 nc->listening_port = c->listening_port; 1248 nc->host_port = c->host_port; 1249 strlcpy(nc->path, c->path, sizeof(nc->path)); 1250 1251 if (nextstate == SSH_CHANNEL_DYNAMIC) { 1252 /* 1253 * do not call the channel_post handler until 1254 * this flag has been reset by a pre-handler. 1255 * otherwise the FD_ISSET calls might overflow 1256 */ 1257 nc->delayed = 1; 1258 } else { 1259 port_open_helper(nc, rtype); 1260 } 1261 } 1262 } 1263 1264 /* 1265 * This is the authentication agent socket listening for connections from 1266 * clients. 1267 */ 1268 static void 1269 channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset) 1270 { 1271 Channel *nc; 1272 int newsock; 1273 struct sockaddr addr; 1274 socklen_t addrlen; 1275 1276 if (FD_ISSET(c->sock, readset)) { 1277 addrlen = sizeof(addr); 1278 newsock = accept(c->sock, &addr, &addrlen); 1279 if (newsock < 0) { 1280 error("accept from auth socket: %.100s", strerror(errno)); 1281 return; 1282 } 1283 nc = channel_new("accepted auth socket", 1284 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1285 c->local_window_max, c->local_maxpacket, 1286 0, "accepted auth socket", 1); 1287 if (compat20) { 1288 packet_start(SSH2_MSG_CHANNEL_OPEN); 1289 packet_put_cstring("auth-agent@openssh.com"); 1290 packet_put_int(nc->self); 1291 packet_put_int(c->local_window_max); 1292 packet_put_int(c->local_maxpacket); 1293 } else { 1294 packet_start(SSH_SMSG_AGENT_OPEN); 1295 packet_put_int(nc->self); 1296 } 1297 packet_send(); 1298 } 1299 } 1300 1301 static void 1302 channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset) 1303 { 1304 int err = 0; 1305 socklen_t sz = sizeof(err); 1306 1307 if (FD_ISSET(c->sock, writeset)) { 1308 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1309 err = errno; 1310 error("getsockopt SO_ERROR failed"); 1311 } 1312 if (err == 0) { 1313 debug("channel %d: connected", c->self); 1314 c->type = SSH_CHANNEL_OPEN; 1315 if (compat20) { 1316 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1317 packet_put_int(c->remote_id); 1318 packet_put_int(c->self); 1319 packet_put_int(c->local_window); 1320 packet_put_int(c->local_maxpacket); 1321 } else { 1322 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1323 packet_put_int(c->remote_id); 1324 packet_put_int(c->self); 1325 } 1326 } else { 1327 debug("channel %d: not connected: %s", 1328 c->self, strerror(err)); 1329 if (compat20) { 1330 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1331 packet_put_int(c->remote_id); 1332 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1333 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1334 packet_put_cstring(strerror(err)); 1335 packet_put_cstring(""); 1336 } 1337 } else { 1338 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1339 packet_put_int(c->remote_id); 1340 } 1341 chan_mark_dead(c); 1342 } 1343 packet_send(); 1344 } 1345 } 1346 1347 static int 1348 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) 1349 { 1350 char buf[16*1024]; 1351 int len; 1352 1353 if (c->rfd != -1 && 1354 FD_ISSET(c->rfd, readset)) { 1355 len = read(c->rfd, buf, sizeof(buf)); 1356 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1357 return 1; 1358 if (len <= 0) { 1359 debug2("channel %d: read<=0 rfd %d len %d", 1360 c->self, c->rfd, len); 1361 if (c->type != SSH_CHANNEL_OPEN) { 1362 debug2("channel %d: not open", c->self); 1363 chan_mark_dead(c); 1364 return -1; 1365 } else if (compat13) { 1366 buffer_clear(&c->output); 1367 c->type = SSH_CHANNEL_INPUT_DRAINING; 1368 debug2("channel %d: input draining.", c->self); 1369 } else { 1370 chan_read_failed(c); 1371 } 1372 return -1; 1373 } 1374 if (c->input_filter != NULL) { 1375 if (c->input_filter(c, buf, len) == -1) { 1376 debug2("channel %d: filter stops", c->self); 1377 chan_read_failed(c); 1378 } 1379 } else { 1380 buffer_append(&c->input, buf, len); 1381 } 1382 } 1383 return 1; 1384 } 1385 static int 1386 channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) 1387 { 1388 struct termios tio; 1389 u_char *data; 1390 u_int dlen; 1391 int len; 1392 1393 /* Send buffered output data to the socket. */ 1394 if (c->wfd != -1 && 1395 FD_ISSET(c->wfd, writeset) && 1396 buffer_len(&c->output) > 0) { 1397 data = buffer_ptr(&c->output); 1398 dlen = buffer_len(&c->output); 1399 #ifdef _AIX 1400 /* XXX: Later AIX versions can't push as much data to tty */ 1401 if (compat20 && c->wfd_isatty) 1402 dlen = MIN(dlen, 8*1024); 1403 #endif 1404 len = write(c->wfd, data, dlen); 1405 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1406 return 1; 1407 if (len <= 0) { 1408 if (c->type != SSH_CHANNEL_OPEN) { 1409 debug2("channel %d: not open", c->self); 1410 chan_mark_dead(c); 1411 return -1; 1412 } else if (compat13) { 1413 buffer_clear(&c->output); 1414 debug2("channel %d: input draining.", c->self); 1415 c->type = SSH_CHANNEL_INPUT_DRAINING; 1416 } else { 1417 chan_write_failed(c); 1418 } 1419 return -1; 1420 } 1421 if (compat20 && c->isatty && dlen >= 1 && data[0] != '\r') { 1422 if (tcgetattr(c->wfd, &tio) == 0 && 1423 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1424 /* 1425 * Simulate echo to reduce the impact of 1426 * traffic analysis. We need to match the 1427 * size of a SSH2_MSG_CHANNEL_DATA message 1428 * (4 byte channel id + data) 1429 */ 1430 packet_send_ignore(4 + len); 1431 packet_send(); 1432 } 1433 } 1434 buffer_consume(&c->output, len); 1435 if (compat20 && len > 0) { 1436 c->local_consumed += len; 1437 } 1438 } 1439 return 1; 1440 } 1441 static int 1442 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) 1443 { 1444 char buf[16*1024]; 1445 int len; 1446 1447 /** XXX handle drain efd, too */ 1448 if (c->efd != -1) { 1449 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1450 FD_ISSET(c->efd, writeset) && 1451 buffer_len(&c->extended) > 0) { 1452 len = write(c->efd, buffer_ptr(&c->extended), 1453 buffer_len(&c->extended)); 1454 debug2("channel %d: written %d to efd %d", 1455 c->self, len, c->efd); 1456 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1457 return 1; 1458 if (len <= 0) { 1459 debug2("channel %d: closing write-efd %d", 1460 c->self, c->efd); 1461 channel_close_fd(&c->efd); 1462 } else { 1463 buffer_consume(&c->extended, len); 1464 c->local_consumed += len; 1465 } 1466 } else if (c->extended_usage == CHAN_EXTENDED_READ && 1467 FD_ISSET(c->efd, readset)) { 1468 len = read(c->efd, buf, sizeof(buf)); 1469 debug2("channel %d: read %d from efd %d", 1470 c->self, len, c->efd); 1471 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1472 return 1; 1473 if (len <= 0) { 1474 debug2("channel %d: closing read-efd %d", 1475 c->self, c->efd); 1476 channel_close_fd(&c->efd); 1477 } else { 1478 buffer_append(&c->extended, buf, len); 1479 } 1480 } 1481 } 1482 return 1; 1483 } 1484 static int 1485 channel_check_window(Channel *c) 1486 { 1487 if (c->type == SSH_CHANNEL_OPEN && 1488 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1489 c->local_window < c->local_window_max/2 && 1490 c->local_consumed > 0) { 1491 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1492 packet_put_int(c->remote_id); 1493 packet_put_int(c->local_consumed); 1494 packet_send(); 1495 debug2("channel %d: window %d sent adjust %d", 1496 c->self, c->local_window, 1497 c->local_consumed); 1498 c->local_window += c->local_consumed; 1499 c->local_consumed = 0; 1500 } 1501 return 1; 1502 } 1503 1504 static void 1505 channel_post_open(Channel *c, fd_set * readset, fd_set * writeset) 1506 { 1507 if (c->delayed) 1508 return; 1509 channel_handle_rfd(c, readset, writeset); 1510 channel_handle_wfd(c, readset, writeset); 1511 if (!compat20) 1512 return; 1513 channel_handle_efd(c, readset, writeset); 1514 channel_check_window(c); 1515 } 1516 1517 static void 1518 channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset) 1519 { 1520 int len; 1521 1522 /* Send buffered output data to the socket. */ 1523 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1524 len = write(c->sock, buffer_ptr(&c->output), 1525 buffer_len(&c->output)); 1526 if (len <= 0) 1527 buffer_clear(&c->output); 1528 else 1529 buffer_consume(&c->output, len); 1530 } 1531 } 1532 1533 static void 1534 channel_handler_init_20(void) 1535 { 1536 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1537 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1538 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1539 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1540 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1541 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1542 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1543 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1544 1545 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1546 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1547 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1548 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1549 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1550 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1551 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1552 } 1553 1554 static void 1555 channel_handler_init_13(void) 1556 { 1557 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1558 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1559 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1560 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1561 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1562 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1563 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1564 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1565 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1566 1567 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1568 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1569 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1570 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1571 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 1572 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1573 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1574 } 1575 1576 static void 1577 channel_handler_init_15(void) 1578 { 1579 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1580 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1581 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1582 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1583 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1584 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1585 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1586 1587 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1588 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1589 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1590 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1591 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1592 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1593 } 1594 1595 static void 1596 channel_handler_init(void) 1597 { 1598 int i; 1599 1600 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 1601 channel_pre[i] = NULL; 1602 channel_post[i] = NULL; 1603 } 1604 if (compat20) 1605 channel_handler_init_20(); 1606 else if (compat13) 1607 channel_handler_init_13(); 1608 else 1609 channel_handler_init_15(); 1610 } 1611 1612 /* gc dead channels */ 1613 static void 1614 channel_garbage_collect(Channel *c) 1615 { 1616 if (c == NULL) 1617 return; 1618 if (c->detach_user != NULL) { 1619 if (!chan_is_dead(c, 0)) 1620 return; 1621 debug2("channel %d: gc: notify user", c->self); 1622 c->detach_user(c->self, NULL); 1623 /* if we still have a callback */ 1624 if (c->detach_user != NULL) 1625 return; 1626 debug2("channel %d: gc: user detached", c->self); 1627 } 1628 if (!chan_is_dead(c, 1)) 1629 return; 1630 debug2("channel %d: garbage collecting", c->self); 1631 channel_free(c); 1632 } 1633 1634 static void 1635 channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) 1636 { 1637 static int did_init = 0; 1638 int i; 1639 Channel *c; 1640 1641 if (!did_init) { 1642 channel_handler_init(); 1643 did_init = 1; 1644 } 1645 for (i = 0; i < channels_alloc; i++) { 1646 c = channels[i]; 1647 if (c == NULL) 1648 continue; 1649 if (ftab[c->type] != NULL) 1650 (*ftab[c->type])(c, readset, writeset); 1651 channel_garbage_collect(c); 1652 } 1653 } 1654 1655 /* 1656 * Allocate/update select bitmasks and add any bits relevant to channels in 1657 * select bitmasks. 1658 */ 1659 void 1660 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 1661 int *nallocp, int rekeying) 1662 { 1663 int n; 1664 u_int sz; 1665 1666 n = MAX(*maxfdp, channel_max_fd); 1667 1668 sz = howmany(n+1, NFDBITS) * sizeof(fd_mask); 1669 /* perhaps check sz < nalloc/2 and shrink? */ 1670 if (*readsetp == NULL || sz > *nallocp) { 1671 *readsetp = xrealloc(*readsetp, sz); 1672 *writesetp = xrealloc(*writesetp, sz); 1673 *nallocp = sz; 1674 } 1675 *maxfdp = n; 1676 memset(*readsetp, 0, sz); 1677 memset(*writesetp, 0, sz); 1678 1679 if (!rekeying) 1680 channel_handler(channel_pre, *readsetp, *writesetp); 1681 } 1682 1683 /* 1684 * After select, perform any appropriate operations for channels which have 1685 * events pending. 1686 */ 1687 void 1688 channel_after_select(fd_set * readset, fd_set * writeset) 1689 { 1690 channel_handler(channel_post, readset, writeset); 1691 } 1692 1693 1694 /* If there is data to send to the connection, enqueue some of it now. */ 1695 1696 void 1697 channel_output_poll(void) 1698 { 1699 Channel *c; 1700 int i; 1701 u_int len; 1702 1703 for (i = 0; i < channels_alloc; i++) { 1704 c = channels[i]; 1705 if (c == NULL) 1706 continue; 1707 1708 /* 1709 * We are only interested in channels that can have buffered 1710 * incoming data. 1711 */ 1712 if (compat13) { 1713 if (c->type != SSH_CHANNEL_OPEN && 1714 c->type != SSH_CHANNEL_INPUT_DRAINING) 1715 continue; 1716 } else { 1717 if (c->type != SSH_CHANNEL_OPEN) 1718 continue; 1719 } 1720 if (compat20 && 1721 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 1722 /* XXX is this true? */ 1723 debug3("channel %d: will not send data after close", c->self); 1724 continue; 1725 } 1726 1727 /* Get the amount of buffered data for this channel. */ 1728 if ((c->istate == CHAN_INPUT_OPEN || 1729 c->istate == CHAN_INPUT_WAIT_DRAIN) && 1730 (len = buffer_len(&c->input)) > 0) { 1731 /* 1732 * Send some data for the other side over the secure 1733 * connection. 1734 */ 1735 if (compat20) { 1736 if (len > c->remote_window) 1737 len = c->remote_window; 1738 if (len > c->remote_maxpacket) 1739 len = c->remote_maxpacket; 1740 } else { 1741 if (packet_is_interactive()) { 1742 if (len > 1024) 1743 len = 512; 1744 } else { 1745 /* Keep the packets at reasonable size. */ 1746 if (len > packet_get_maxsize()/2) 1747 len = packet_get_maxsize()/2; 1748 } 1749 } 1750 if (len > 0) { 1751 packet_start(compat20 ? 1752 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 1753 packet_put_int(c->remote_id); 1754 packet_put_string(buffer_ptr(&c->input), len); 1755 packet_send(); 1756 buffer_consume(&c->input, len); 1757 c->remote_window -= len; 1758 } 1759 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1760 if (compat13) 1761 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 1762 /* 1763 * input-buffer is empty and read-socket shutdown: 1764 * tell peer, that we will not send more data: send IEOF. 1765 * hack for extended data: delay EOF if EFD still in use. 1766 */ 1767 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 1768 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 1769 c->self, c->efd, buffer_len(&c->extended)); 1770 else 1771 chan_ibuf_empty(c); 1772 } 1773 /* Send extended data, i.e. stderr */ 1774 if (compat20 && 1775 !(c->flags & CHAN_EOF_SENT) && 1776 c->remote_window > 0 && 1777 (len = buffer_len(&c->extended)) > 0 && 1778 c->extended_usage == CHAN_EXTENDED_READ) { 1779 debug2("channel %d: rwin %u elen %u euse %d", 1780 c->self, c->remote_window, buffer_len(&c->extended), 1781 c->extended_usage); 1782 if (len > c->remote_window) 1783 len = c->remote_window; 1784 if (len > c->remote_maxpacket) 1785 len = c->remote_maxpacket; 1786 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 1787 packet_put_int(c->remote_id); 1788 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 1789 packet_put_string(buffer_ptr(&c->extended), len); 1790 packet_send(); 1791 buffer_consume(&c->extended, len); 1792 c->remote_window -= len; 1793 debug2("channel %d: sent ext data %d", c->self, len); 1794 } 1795 } 1796 } 1797 1798 1799 /* -- protocol input */ 1800 1801 void 1802 channel_input_data(int type, u_int32_t seq, void *ctxt) 1803 { 1804 int id; 1805 char *data; 1806 u_int data_len; 1807 Channel *c; 1808 1809 /* Get the channel number and verify it. */ 1810 id = packet_get_int(); 1811 c = channel_lookup(id); 1812 if (c == NULL) 1813 packet_disconnect("Received data for nonexistent channel %d.", id); 1814 1815 /* Ignore any data for non-open channels (might happen on close) */ 1816 if (c->type != SSH_CHANNEL_OPEN && 1817 c->type != SSH_CHANNEL_X11_OPEN) 1818 return; 1819 1820 /* Get the data. */ 1821 data = packet_get_string(&data_len); 1822 1823 /* 1824 * Ignore data for protocol > 1.3 if output end is no longer open. 1825 * For protocol 2 the sending side is reducing its window as it sends 1826 * data, so we must 'fake' consumption of the data in order to ensure 1827 * that window updates are sent back. Otherwise the connection might 1828 * deadlock. 1829 */ 1830 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 1831 if (compat20) { 1832 c->local_window -= data_len; 1833 c->local_consumed += data_len; 1834 } 1835 xfree(data); 1836 return; 1837 } 1838 1839 if (compat20) { 1840 if (data_len > c->local_maxpacket) { 1841 logit("channel %d: rcvd big packet %d, maxpack %d", 1842 c->self, data_len, c->local_maxpacket); 1843 } 1844 if (data_len > c->local_window) { 1845 logit("channel %d: rcvd too much data %d, win %d", 1846 c->self, data_len, c->local_window); 1847 xfree(data); 1848 return; 1849 } 1850 c->local_window -= data_len; 1851 } 1852 packet_check_eom(); 1853 buffer_append(&c->output, data, data_len); 1854 xfree(data); 1855 } 1856 1857 void 1858 channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 1859 { 1860 int id; 1861 char *data; 1862 u_int data_len, tcode; 1863 Channel *c; 1864 1865 /* Get the channel number and verify it. */ 1866 id = packet_get_int(); 1867 c = channel_lookup(id); 1868 1869 if (c == NULL) 1870 packet_disconnect("Received extended_data for bad channel %d.", id); 1871 if (c->type != SSH_CHANNEL_OPEN) { 1872 logit("channel %d: ext data for non open", id); 1873 return; 1874 } 1875 if (c->flags & CHAN_EOF_RCVD) { 1876 if (datafellows & SSH_BUG_EXTEOF) 1877 debug("channel %d: accepting ext data after eof", id); 1878 else 1879 packet_disconnect("Received extended_data after EOF " 1880 "on channel %d.", id); 1881 } 1882 tcode = packet_get_int(); 1883 if (c->efd == -1 || 1884 c->extended_usage != CHAN_EXTENDED_WRITE || 1885 tcode != SSH2_EXTENDED_DATA_STDERR) { 1886 logit("channel %d: bad ext data", c->self); 1887 return; 1888 } 1889 data = packet_get_string(&data_len); 1890 packet_check_eom(); 1891 if (data_len > c->local_window) { 1892 logit("channel %d: rcvd too much extended_data %d, win %d", 1893 c->self, data_len, c->local_window); 1894 xfree(data); 1895 return; 1896 } 1897 debug2("channel %d: rcvd ext data %d", c->self, data_len); 1898 c->local_window -= data_len; 1899 buffer_append(&c->extended, data, data_len); 1900 xfree(data); 1901 } 1902 1903 void 1904 channel_input_ieof(int type, u_int32_t seq, void *ctxt) 1905 { 1906 int id; 1907 Channel *c; 1908 1909 id = packet_get_int(); 1910 packet_check_eom(); 1911 c = channel_lookup(id); 1912 if (c == NULL) 1913 packet_disconnect("Received ieof for nonexistent channel %d.", id); 1914 chan_rcvd_ieof(c); 1915 1916 /* XXX force input close */ 1917 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 1918 debug("channel %d: FORCE input drain", c->self); 1919 c->istate = CHAN_INPUT_WAIT_DRAIN; 1920 if (buffer_len(&c->input) == 0) 1921 chan_ibuf_empty(c); 1922 } 1923 1924 } 1925 1926 void 1927 channel_input_close(int type, u_int32_t seq, void *ctxt) 1928 { 1929 int id; 1930 Channel *c; 1931 1932 id = packet_get_int(); 1933 packet_check_eom(); 1934 c = channel_lookup(id); 1935 if (c == NULL) 1936 packet_disconnect("Received close for nonexistent channel %d.", id); 1937 1938 /* 1939 * Send a confirmation that we have closed the channel and no more 1940 * data is coming for it. 1941 */ 1942 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 1943 packet_put_int(c->remote_id); 1944 packet_send(); 1945 1946 /* 1947 * If the channel is in closed state, we have sent a close request, 1948 * and the other side will eventually respond with a confirmation. 1949 * Thus, we cannot free the channel here, because then there would be 1950 * no-one to receive the confirmation. The channel gets freed when 1951 * the confirmation arrives. 1952 */ 1953 if (c->type != SSH_CHANNEL_CLOSED) { 1954 /* 1955 * Not a closed channel - mark it as draining, which will 1956 * cause it to be freed later. 1957 */ 1958 buffer_clear(&c->input); 1959 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 1960 } 1961 } 1962 1963 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 1964 void 1965 channel_input_oclose(int type, u_int32_t seq, void *ctxt) 1966 { 1967 int id = packet_get_int(); 1968 Channel *c = channel_lookup(id); 1969 1970 packet_check_eom(); 1971 if (c == NULL) 1972 packet_disconnect("Received oclose for nonexistent channel %d.", id); 1973 chan_rcvd_oclose(c); 1974 } 1975 1976 void 1977 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 1978 { 1979 int id = packet_get_int(); 1980 Channel *c = channel_lookup(id); 1981 1982 packet_check_eom(); 1983 if (c == NULL) 1984 packet_disconnect("Received close confirmation for " 1985 "out-of-range channel %d.", id); 1986 if (c->type != SSH_CHANNEL_CLOSED) 1987 packet_disconnect("Received close confirmation for " 1988 "non-closed channel %d (type %d).", id, c->type); 1989 channel_free(c); 1990 } 1991 1992 void 1993 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 1994 { 1995 int id, remote_id; 1996 Channel *c; 1997 1998 id = packet_get_int(); 1999 c = channel_lookup(id); 2000 2001 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2002 packet_disconnect("Received open confirmation for " 2003 "non-opening channel %d.", id); 2004 remote_id = packet_get_int(); 2005 /* Record the remote channel number and mark that the channel is now open. */ 2006 c->remote_id = remote_id; 2007 c->type = SSH_CHANNEL_OPEN; 2008 2009 if (compat20) { 2010 c->remote_window = packet_get_int(); 2011 c->remote_maxpacket = packet_get_int(); 2012 if (c->confirm) { 2013 debug2("callback start"); 2014 c->confirm(c->self, NULL); 2015 debug2("callback done"); 2016 } 2017 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2018 c->remote_window, c->remote_maxpacket); 2019 } 2020 packet_check_eom(); 2021 } 2022 2023 static char * 2024 reason2txt(int reason) 2025 { 2026 switch (reason) { 2027 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2028 return "administratively prohibited"; 2029 case SSH2_OPEN_CONNECT_FAILED: 2030 return "connect failed"; 2031 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2032 return "unknown channel type"; 2033 case SSH2_OPEN_RESOURCE_SHORTAGE: 2034 return "resource shortage"; 2035 } 2036 return "unknown reason"; 2037 } 2038 2039 void 2040 channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2041 { 2042 int id, reason; 2043 char *msg = NULL, *lang = NULL; 2044 Channel *c; 2045 2046 id = packet_get_int(); 2047 c = channel_lookup(id); 2048 2049 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2050 packet_disconnect("Received open failure for " 2051 "non-opening channel %d.", id); 2052 if (compat20) { 2053 reason = packet_get_int(); 2054 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2055 msg = packet_get_string(NULL); 2056 lang = packet_get_string(NULL); 2057 } 2058 logit("channel %d: open failed: %s%s%s", id, 2059 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2060 if (msg != NULL) 2061 xfree(msg); 2062 if (lang != NULL) 2063 xfree(lang); 2064 } 2065 packet_check_eom(); 2066 /* Free the channel. This will also close the socket. */ 2067 channel_free(c); 2068 } 2069 2070 void 2071 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2072 { 2073 Channel *c; 2074 int id; 2075 u_int adjust; 2076 2077 if (!compat20) 2078 return; 2079 2080 /* Get the channel number and verify it. */ 2081 id = packet_get_int(); 2082 c = channel_lookup(id); 2083 2084 if (c == NULL || c->type != SSH_CHANNEL_OPEN) { 2085 logit("Received window adjust for " 2086 "non-open channel %d.", id); 2087 return; 2088 } 2089 adjust = packet_get_int(); 2090 packet_check_eom(); 2091 debug2("channel %d: rcvd adjust %u", id, adjust); 2092 c->remote_window += adjust; 2093 } 2094 2095 void 2096 channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2097 { 2098 Channel *c = NULL; 2099 u_short host_port; 2100 char *host, *originator_string; 2101 int remote_id, sock = -1; 2102 2103 remote_id = packet_get_int(); 2104 host = packet_get_string(NULL); 2105 host_port = packet_get_int(); 2106 2107 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2108 originator_string = packet_get_string(NULL); 2109 } else { 2110 originator_string = xstrdup("unknown (remote did not supply name)"); 2111 } 2112 packet_check_eom(); 2113 sock = channel_connect_to(host, host_port); 2114 if (sock != -1) { 2115 c = channel_new("connected socket", 2116 SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, 2117 originator_string, 1); 2118 c->remote_id = remote_id; 2119 } 2120 xfree(originator_string); 2121 if (c == NULL) { 2122 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2123 packet_put_int(remote_id); 2124 packet_send(); 2125 } 2126 xfree(host); 2127 } 2128 2129 2130 /* -- tcp forwarding */ 2131 2132 void 2133 channel_set_af(int af) 2134 { 2135 IPv4or6 = af; 2136 } 2137 2138 static int 2139 channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_port, 2140 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2141 { 2142 Channel *c; 2143 int success, sock, on = 1; 2144 struct addrinfo hints, *ai, *aitop; 2145 const char *host; 2146 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2147 2148 success = 0; 2149 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2150 listen_addr : host_to_connect; 2151 2152 if (host == NULL) { 2153 error("No forward host name."); 2154 return success; 2155 } 2156 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) { 2157 error("Forward host name too long."); 2158 return success; 2159 } 2160 2161 /* 2162 * getaddrinfo returns a loopback address if the hostname is 2163 * set to NULL and hints.ai_flags is not AI_PASSIVE 2164 */ 2165 memset(&hints, 0, sizeof(hints)); 2166 hints.ai_family = IPv4or6; 2167 hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; 2168 hints.ai_socktype = SOCK_STREAM; 2169 snprintf(strport, sizeof strport, "%d", listen_port); 2170 if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) 2171 packet_disconnect("getaddrinfo: fatal error"); 2172 2173 for (ai = aitop; ai; ai = ai->ai_next) { 2174 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2175 continue; 2176 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2177 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2178 error("channel_setup_fwd_listener: getnameinfo failed"); 2179 continue; 2180 } 2181 /* Create a port to listen for the host. */ 2182 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2183 if (sock < 0) { 2184 /* this is no error since kernel may not support ipv6 */ 2185 verbose("socket: %.100s", strerror(errno)); 2186 continue; 2187 } 2188 /* 2189 * Set socket options. 2190 * Allow local port reuse in TIME_WAIT. 2191 */ 2192 if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, 2193 sizeof(on)) == -1) 2194 error("setsockopt SO_REUSEADDR: %s", strerror(errno)); 2195 2196 debug("Local forwarding listening on %s port %s.", ntop, strport); 2197 2198 /* Bind the socket to the address. */ 2199 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2200 /* address can be in use ipv6 address is already bound */ 2201 if (!ai->ai_next) 2202 error("bind: %.100s", strerror(errno)); 2203 else 2204 verbose("bind: %.100s", strerror(errno)); 2205 2206 close(sock); 2207 continue; 2208 } 2209 /* Start listening for connections on the socket. */ 2210 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2211 error("listen: %.100s", strerror(errno)); 2212 close(sock); 2213 continue; 2214 } 2215 /* Allocate a channel number for the socket. */ 2216 c = channel_new("port listener", type, sock, sock, -1, 2217 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2218 0, "port listener", 1); 2219 strlcpy(c->path, host, sizeof(c->path)); 2220 c->host_port = port_to_connect; 2221 c->listening_port = listen_port; 2222 success = 1; 2223 } 2224 if (success == 0) 2225 error("channel_setup_fwd_listener: cannot listen to port: %d", 2226 listen_port); 2227 freeaddrinfo(aitop); 2228 return success; 2229 } 2230 2231 /* protocol local port fwd, used by ssh (and sshd in v1) */ 2232 int 2233 channel_setup_local_fwd_listener(u_short listen_port, 2234 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2235 { 2236 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2237 NULL, listen_port, host_to_connect, port_to_connect, gateway_ports); 2238 } 2239 2240 /* protocol v2 remote port fwd, used by sshd */ 2241 int 2242 channel_setup_remote_fwd_listener(const char *listen_address, 2243 u_short listen_port, int gateway_ports) 2244 { 2245 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2246 listen_address, listen_port, NULL, 0, gateway_ports); 2247 } 2248 2249 /* 2250 * Initiate forwarding of connections to port "port" on remote host through 2251 * the secure channel to host:port from local side. 2252 */ 2253 2254 void 2255 channel_request_remote_forwarding(u_short listen_port, 2256 const char *host_to_connect, u_short port_to_connect) 2257 { 2258 int type, success = 0; 2259 2260 /* Record locally that connection to this host/port is permitted. */ 2261 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2262 fatal("channel_request_remote_forwarding: too many forwards"); 2263 2264 /* Send the forward request to the remote side. */ 2265 if (compat20) { 2266 const char *address_to_bind = "0.0.0.0"; 2267 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2268 packet_put_cstring("tcpip-forward"); 2269 packet_put_char(1); /* boolean: want reply */ 2270 packet_put_cstring(address_to_bind); 2271 packet_put_int(listen_port); 2272 packet_send(); 2273 packet_write_wait(); 2274 /* Assume that server accepts the request */ 2275 success = 1; 2276 } else { 2277 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2278 packet_put_int(listen_port); 2279 packet_put_cstring(host_to_connect); 2280 packet_put_int(port_to_connect); 2281 packet_send(); 2282 packet_write_wait(); 2283 2284 /* Wait for response from the remote side. */ 2285 type = packet_read(); 2286 switch (type) { 2287 case SSH_SMSG_SUCCESS: 2288 success = 1; 2289 break; 2290 case SSH_SMSG_FAILURE: 2291 logit("Warning: Server denied remote port forwarding."); 2292 break; 2293 default: 2294 /* Unknown packet */ 2295 packet_disconnect("Protocol error for port forward request:" 2296 "received packet type %d.", type); 2297 } 2298 } 2299 if (success) { 2300 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2301 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2302 permitted_opens[num_permitted_opens].listen_port = listen_port; 2303 num_permitted_opens++; 2304 } 2305 } 2306 2307 /* 2308 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2309 * listening for the port, and sends back a success reply (or disconnect 2310 * message if there was an error). This never returns if there was an error. 2311 */ 2312 2313 void 2314 channel_input_port_forward_request(int is_root, int gateway_ports) 2315 { 2316 u_short port, host_port; 2317 char *hostname; 2318 2319 /* Get arguments from the packet. */ 2320 port = packet_get_int(); 2321 hostname = packet_get_string(NULL); 2322 host_port = packet_get_int(); 2323 2324 #ifndef HAVE_CYGWIN 2325 /* 2326 * Check that an unprivileged user is not trying to forward a 2327 * privileged port. 2328 */ 2329 if (port < IPPORT_RESERVED && !is_root) 2330 packet_disconnect( 2331 "Requested forwarding of port %d but user is not root.", 2332 port); 2333 if (host_port == 0) 2334 packet_disconnect("Dynamic forwarding denied."); 2335 #endif 2336 2337 /* Initiate forwarding */ 2338 channel_setup_local_fwd_listener(port, hostname, host_port, gateway_ports); 2339 2340 /* Free the argument string. */ 2341 xfree(hostname); 2342 } 2343 2344 /* 2345 * Permits opening to any host/port if permitted_opens[] is empty. This is 2346 * usually called by the server, because the user could connect to any port 2347 * anyway, and the server has no way to know but to trust the client anyway. 2348 */ 2349 void 2350 channel_permit_all_opens(void) 2351 { 2352 if (num_permitted_opens == 0) 2353 all_opens_permitted = 1; 2354 } 2355 2356 void 2357 channel_add_permitted_opens(char *host, int port) 2358 { 2359 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2360 fatal("channel_request_remote_forwarding: too many forwards"); 2361 debug("allow port forwarding to host %s port %d", host, port); 2362 2363 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 2364 permitted_opens[num_permitted_opens].port_to_connect = port; 2365 num_permitted_opens++; 2366 2367 all_opens_permitted = 0; 2368 } 2369 2370 void 2371 channel_clear_permitted_opens(void) 2372 { 2373 int i; 2374 2375 for (i = 0; i < num_permitted_opens; i++) 2376 xfree(permitted_opens[i].host_to_connect); 2377 num_permitted_opens = 0; 2378 2379 } 2380 2381 2382 /* return socket to remote host, port */ 2383 static int 2384 connect_to(const char *host, u_short port) 2385 { 2386 struct addrinfo hints, *ai, *aitop; 2387 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2388 int gaierr; 2389 int sock = -1; 2390 2391 memset(&hints, 0, sizeof(hints)); 2392 hints.ai_family = IPv4or6; 2393 hints.ai_socktype = SOCK_STREAM; 2394 snprintf(strport, sizeof strport, "%d", port); 2395 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { 2396 error("connect_to %.100s: unknown host (%s)", host, 2397 gai_strerror(gaierr)); 2398 return -1; 2399 } 2400 for (ai = aitop; ai; ai = ai->ai_next) { 2401 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2402 continue; 2403 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2404 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2405 error("connect_to: getnameinfo failed"); 2406 continue; 2407 } 2408 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2409 if (sock < 0) { 2410 if (ai->ai_next == NULL) 2411 error("socket: %.100s", strerror(errno)); 2412 else 2413 verbose("socket: %.100s", strerror(errno)); 2414 continue; 2415 } 2416 if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0) 2417 fatal("connect_to: F_SETFL: %s", strerror(errno)); 2418 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && 2419 errno != EINPROGRESS) { 2420 error("connect_to %.100s port %s: %.100s", ntop, strport, 2421 strerror(errno)); 2422 close(sock); 2423 continue; /* fail -- try next */ 2424 } 2425 break; /* success */ 2426 2427 } 2428 freeaddrinfo(aitop); 2429 if (!ai) { 2430 error("connect_to %.100s port %d: failed.", host, port); 2431 return -1; 2432 } 2433 /* success */ 2434 set_nodelay(sock); 2435 return sock; 2436 } 2437 2438 int 2439 channel_connect_by_listen_address(u_short listen_port) 2440 { 2441 int i; 2442 2443 for (i = 0; i < num_permitted_opens; i++) 2444 if (permitted_opens[i].listen_port == listen_port) 2445 return connect_to( 2446 permitted_opens[i].host_to_connect, 2447 permitted_opens[i].port_to_connect); 2448 error("WARNING: Server requests forwarding for unknown listen_port %d", 2449 listen_port); 2450 return -1; 2451 } 2452 2453 /* Check if connecting to that port is permitted and connect. */ 2454 int 2455 channel_connect_to(const char *host, u_short port) 2456 { 2457 int i, permit; 2458 2459 permit = all_opens_permitted; 2460 if (!permit) { 2461 for (i = 0; i < num_permitted_opens; i++) 2462 if (permitted_opens[i].port_to_connect == port && 2463 strcmp(permitted_opens[i].host_to_connect, host) == 0) 2464 permit = 1; 2465 2466 } 2467 if (!permit) { 2468 logit("Received request to connect to host %.100s port %d, " 2469 "but the request was denied.", host, port); 2470 return -1; 2471 } 2472 return connect_to(host, port); 2473 } 2474 2475 /* -- X11 forwarding */ 2476 2477 /* 2478 * Creates an internet domain socket for listening for X11 connections. 2479 * Returns 0 and a suitable display number for the DISPLAY variable 2480 * stored in display_numberp , or -1 if an error occurs. 2481 */ 2482 int 2483 x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 2484 int single_connection, u_int *display_numberp) 2485 { 2486 Channel *nc = NULL; 2487 int display_number, sock; 2488 u_short port; 2489 struct addrinfo hints, *ai, *aitop; 2490 char strport[NI_MAXSERV]; 2491 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 2492 2493 for (display_number = x11_display_offset; 2494 display_number < MAX_DISPLAYS; 2495 display_number++) { 2496 port = 6000 + display_number; 2497 memset(&hints, 0, sizeof(hints)); 2498 hints.ai_family = IPv4or6; 2499 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 2500 hints.ai_socktype = SOCK_STREAM; 2501 snprintf(strport, sizeof strport, "%d", port); 2502 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 2503 error("getaddrinfo: %.100s", gai_strerror(gaierr)); 2504 return -1; 2505 } 2506 for (ai = aitop; ai; ai = ai->ai_next) { 2507 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2508 continue; 2509 sock = socket(ai->ai_family, ai->ai_socktype, 2510 ai->ai_protocol); 2511 if (sock < 0) { 2512 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { 2513 error("socket: %.100s", strerror(errno)); 2514 return -1; 2515 } else { 2516 debug("x11_create_display_inet: Socket family %d not supported", 2517 ai->ai_family); 2518 continue; 2519 } 2520 } 2521 #ifdef IPV6_V6ONLY 2522 if (ai->ai_family == AF_INET6) { 2523 int on = 1; 2524 if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) 2525 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); 2526 } 2527 #endif 2528 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2529 debug2("bind port %d: %.100s", port, strerror(errno)); 2530 close(sock); 2531 2532 if (ai->ai_next) 2533 continue; 2534 2535 for (n = 0; n < num_socks; n++) { 2536 close(socks[n]); 2537 } 2538 num_socks = 0; 2539 break; 2540 } 2541 socks[num_socks++] = sock; 2542 #ifndef DONT_TRY_OTHER_AF 2543 if (num_socks == NUM_SOCKS) 2544 break; 2545 #else 2546 if (x11_use_localhost) { 2547 if (num_socks == NUM_SOCKS) 2548 break; 2549 } else { 2550 break; 2551 } 2552 #endif 2553 } 2554 freeaddrinfo(aitop); 2555 if (num_socks > 0) 2556 break; 2557 } 2558 if (display_number >= MAX_DISPLAYS) { 2559 error("Failed to allocate internet-domain X11 display socket."); 2560 return -1; 2561 } 2562 /* Start listening for connections on the socket. */ 2563 for (n = 0; n < num_socks; n++) { 2564 sock = socks[n]; 2565 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2566 error("listen: %.100s", strerror(errno)); 2567 close(sock); 2568 return -1; 2569 } 2570 } 2571 2572 /* Allocate a channel for each socket. */ 2573 for (n = 0; n < num_socks; n++) { 2574 sock = socks[n]; 2575 nc = channel_new("x11 listener", 2576 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 2577 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2578 0, "X11 inet listener", 1); 2579 nc->single_connection = single_connection; 2580 } 2581 2582 /* Return the display number for the DISPLAY environment variable. */ 2583 *display_numberp = display_number; 2584 return (0); 2585 } 2586 2587 static int 2588 connect_local_xsocket(u_int dnr) 2589 { 2590 int sock; 2591 struct sockaddr_un addr; 2592 2593 sock = socket(AF_UNIX, SOCK_STREAM, 0); 2594 if (sock < 0) 2595 error("socket: %.100s", strerror(errno)); 2596 memset(&addr, 0, sizeof(addr)); 2597 addr.sun_family = AF_UNIX; 2598 snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr); 2599 if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0) 2600 return sock; 2601 close(sock); 2602 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 2603 return -1; 2604 } 2605 2606 int 2607 x11_connect_display(void) 2608 { 2609 int display_number, sock = 0; 2610 const char *display; 2611 char buf[1024], *cp; 2612 struct addrinfo hints, *ai, *aitop; 2613 char strport[NI_MAXSERV]; 2614 int gaierr; 2615 2616 /* Try to open a socket for the local X server. */ 2617 display = getenv("DISPLAY"); 2618 if (!display) { 2619 error("DISPLAY not set."); 2620 return -1; 2621 } 2622 /* 2623 * Now we decode the value of the DISPLAY variable and make a 2624 * connection to the real X server. 2625 */ 2626 2627 /* 2628 * Check if it is a unix domain socket. Unix domain displays are in 2629 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 2630 */ 2631 if (strncmp(display, "unix:", 5) == 0 || 2632 display[0] == ':') { 2633 /* Connect to the unix domain socket. */ 2634 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) { 2635 error("Could not parse display number from DISPLAY: %.100s", 2636 display); 2637 return -1; 2638 } 2639 /* Create a socket. */ 2640 sock = connect_local_xsocket(display_number); 2641 if (sock < 0) 2642 return -1; 2643 2644 /* OK, we now have a connection to the display. */ 2645 return sock; 2646 } 2647 /* 2648 * Connect to an inet socket. The DISPLAY value is supposedly 2649 * hostname:d[.s], where hostname may also be numeric IP address. 2650 */ 2651 strlcpy(buf, display, sizeof(buf)); 2652 cp = strchr(buf, ':'); 2653 if (!cp) { 2654 error("Could not find ':' in DISPLAY: %.100s", display); 2655 return -1; 2656 } 2657 *cp = 0; 2658 /* buf now contains the host name. But first we parse the display number. */ 2659 if (sscanf(cp + 1, "%d", &display_number) != 1) { 2660 error("Could not parse display number from DISPLAY: %.100s", 2661 display); 2662 return -1; 2663 } 2664 2665 /* Look up the host address */ 2666 memset(&hints, 0, sizeof(hints)); 2667 hints.ai_family = IPv4or6; 2668 hints.ai_socktype = SOCK_STREAM; 2669 snprintf(strport, sizeof strport, "%d", 6000 + display_number); 2670 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 2671 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); 2672 return -1; 2673 } 2674 for (ai = aitop; ai; ai = ai->ai_next) { 2675 /* Create a socket. */ 2676 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2677 if (sock < 0) { 2678 debug2("socket: %.100s", strerror(errno)); 2679 continue; 2680 } 2681 /* Connect it to the display. */ 2682 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2683 debug2("connect %.100s port %d: %.100s", buf, 2684 6000 + display_number, strerror(errno)); 2685 close(sock); 2686 continue; 2687 } 2688 /* Success */ 2689 break; 2690 } 2691 freeaddrinfo(aitop); 2692 if (!ai) { 2693 error("connect %.100s port %d: %.100s", buf, 6000 + display_number, 2694 strerror(errno)); 2695 return -1; 2696 } 2697 set_nodelay(sock); 2698 return sock; 2699 } 2700 2701 /* 2702 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 2703 * the remote channel number. We should do whatever we want, and respond 2704 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 2705 */ 2706 2707 void 2708 x11_input_open(int type, u_int32_t seq, void *ctxt) 2709 { 2710 Channel *c = NULL; 2711 int remote_id, sock = 0; 2712 char *remote_host; 2713 2714 debug("Received X11 open request."); 2715 2716 remote_id = packet_get_int(); 2717 2718 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2719 remote_host = packet_get_string(NULL); 2720 } else { 2721 remote_host = xstrdup("unknown (remote did not supply name)"); 2722 } 2723 packet_check_eom(); 2724 2725 /* Obtain a connection to the real X display. */ 2726 sock = x11_connect_display(); 2727 if (sock != -1) { 2728 /* Allocate a channel for this connection. */ 2729 c = channel_new("connected x11 socket", 2730 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 2731 remote_host, 1); 2732 c->remote_id = remote_id; 2733 c->force_drain = 1; 2734 } 2735 xfree(remote_host); 2736 if (c == NULL) { 2737 /* Send refusal to the remote host. */ 2738 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2739 packet_put_int(remote_id); 2740 } else { 2741 /* Send a confirmation to the remote host. */ 2742 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 2743 packet_put_int(remote_id); 2744 packet_put_int(c->self); 2745 } 2746 packet_send(); 2747 } 2748 2749 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 2750 void 2751 deny_input_open(int type, u_int32_t seq, void *ctxt) 2752 { 2753 int rchan = packet_get_int(); 2754 2755 switch (type) { 2756 case SSH_SMSG_AGENT_OPEN: 2757 error("Warning: ssh server tried agent forwarding."); 2758 break; 2759 case SSH_SMSG_X11_OPEN: 2760 error("Warning: ssh server tried X11 forwarding."); 2761 break; 2762 default: 2763 error("deny_input_open: type %d", type); 2764 break; 2765 } 2766 error("Warning: this is probably a break in attempt by a malicious server."); 2767 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2768 packet_put_int(rchan); 2769 packet_send(); 2770 } 2771 2772 /* 2773 * Requests forwarding of X11 connections, generates fake authentication 2774 * data, and enables authentication spoofing. 2775 * This should be called in the client only. 2776 */ 2777 void 2778 x11_request_forwarding_with_spoofing(int client_session_id, 2779 const char *proto, const char *data) 2780 { 2781 u_int data_len = (u_int) strlen(data) / 2; 2782 u_int i, value, len; 2783 char *new_data; 2784 int screen_number; 2785 const char *cp; 2786 u_int32_t rand = 0; 2787 2788 cp = getenv("DISPLAY"); 2789 if (cp) 2790 cp = strchr(cp, ':'); 2791 if (cp) 2792 cp = strchr(cp, '.'); 2793 if (cp) 2794 screen_number = atoi(cp + 1); 2795 else 2796 screen_number = 0; 2797 2798 /* Save protocol name. */ 2799 x11_saved_proto = xstrdup(proto); 2800 2801 /* 2802 * Extract real authentication data and generate fake data of the 2803 * same length. 2804 */ 2805 x11_saved_data = xmalloc(data_len); 2806 x11_fake_data = xmalloc(data_len); 2807 for (i = 0; i < data_len; i++) { 2808 if (sscanf(data + 2 * i, "%2x", &value) != 1) 2809 fatal("x11_request_forwarding: bad authentication data: %.100s", data); 2810 if (i % 4 == 0) 2811 rand = arc4random(); 2812 x11_saved_data[i] = value; 2813 x11_fake_data[i] = rand & 0xff; 2814 rand >>= 8; 2815 } 2816 x11_saved_data_len = data_len; 2817 x11_fake_data_len = data_len; 2818 2819 /* Convert the fake data into hex. */ 2820 len = 2 * data_len + 1; 2821 new_data = xmalloc(len); 2822 for (i = 0; i < data_len; i++) 2823 snprintf(new_data + 2 * i, len - 2 * i, 2824 "%02x", (u_char) x11_fake_data[i]); 2825 2826 /* Send the request packet. */ 2827 if (compat20) { 2828 channel_request_start(client_session_id, "x11-req", 0); 2829 packet_put_char(0); /* XXX bool single connection */ 2830 } else { 2831 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 2832 } 2833 packet_put_cstring(proto); 2834 packet_put_cstring(new_data); 2835 packet_put_int(screen_number); 2836 packet_send(); 2837 packet_write_wait(); 2838 xfree(new_data); 2839 } 2840 2841 2842 /* -- agent forwarding */ 2843 2844 /* Sends a message to the server to request authentication fd forwarding. */ 2845 2846 void 2847 auth_request_forwarding(void) 2848 { 2849 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 2850 packet_send(); 2851 packet_write_wait(); 2852 } 2853