1 /* $OpenBSD: channels.c,v 1.336 2014/07/15 15:54:14 millert Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 __RCSID("$FreeBSD$"); 44 45 #include <sys/types.h> 46 #include <sys/stat.h> 47 #include <sys/ioctl.h> 48 #include <sys/un.h> 49 #include <sys/socket.h> 50 #ifdef HAVE_SYS_TIME_H 51 # include <sys/time.h> 52 #endif 53 54 #include <netinet/in.h> 55 #include <arpa/inet.h> 56 57 #include <errno.h> 58 #include <fcntl.h> 59 #include <netdb.h> 60 #include <stdio.h> 61 #include <stdlib.h> 62 #include <string.h> 63 #include <termios.h> 64 #include <unistd.h> 65 #include <stdarg.h> 66 67 #include "openbsd-compat/sys-queue.h" 68 #include "xmalloc.h" 69 #include "ssh.h" 70 #include "ssh1.h" 71 #include "ssh2.h" 72 #include "packet.h" 73 #include "log.h" 74 #include "misc.h" 75 #include "buffer.h" 76 #include "channels.h" 77 #include "compat.h" 78 #include "canohost.h" 79 #include "key.h" 80 #include "authfd.h" 81 #include "pathnames.h" 82 83 /* -- channel core */ 84 85 /* 86 * Pointer to an array containing all allocated channels. The array is 87 * dynamically extended as needed. 88 */ 89 static Channel **channels = NULL; 90 91 /* 92 * Size of the channel array. All slots of the array must always be 93 * initialized (at least the type field); unused slots set to NULL 94 */ 95 static u_int channels_alloc = 0; 96 97 /* 98 * Maximum file descriptor value used in any of the channels. This is 99 * updated in channel_new. 100 */ 101 static int channel_max_fd = 0; 102 103 104 /* -- tcp forwarding */ 105 106 /* 107 * Data structure for storing which hosts are permitted for forward requests. 108 * The local sides of any remote forwards are stored in this array to prevent 109 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 110 * network (which might be behind a firewall). 111 */ 112 /* XXX: streamlocal wants a path instead of host:port */ 113 /* Overload host_to_connect; we could just make this match Forward */ 114 /* XXX - can we use listen_host instead of listen_path? */ 115 typedef struct { 116 char *host_to_connect; /* Connect to 'host'. */ 117 int port_to_connect; /* Connect to 'port'. */ 118 char *listen_host; /* Remote side should listen address. */ 119 char *listen_path; /* Remote side should listen path. */ 120 int listen_port; /* Remote side should listen port. */ 121 } ForwardPermission; 122 123 /* List of all permitted host/port pairs to connect by the user. */ 124 static ForwardPermission *permitted_opens = NULL; 125 126 /* List of all permitted host/port pairs to connect by the admin. */ 127 static ForwardPermission *permitted_adm_opens = NULL; 128 129 /* Number of permitted host/port pairs in the array permitted by the user. */ 130 static int num_permitted_opens = 0; 131 132 /* Number of permitted host/port pair in the array permitted by the admin. */ 133 static int num_adm_permitted_opens = 0; 134 135 /* special-case port number meaning allow any port */ 136 #define FWD_PERMIT_ANY_PORT 0 137 138 /* 139 * If this is true, all opens are permitted. This is the case on the server 140 * on which we have to trust the client anyway, and the user could do 141 * anything after logging in anyway. 142 */ 143 static int all_opens_permitted = 0; 144 145 146 /* -- X11 forwarding */ 147 148 /* Maximum number of fake X11 displays to try. */ 149 #define MAX_DISPLAYS 1000 150 151 /* Saved X11 local (client) display. */ 152 static char *x11_saved_display = NULL; 153 154 /* Saved X11 authentication protocol name. */ 155 static char *x11_saved_proto = NULL; 156 157 /* Saved X11 authentication data. This is the real data. */ 158 static char *x11_saved_data = NULL; 159 static u_int x11_saved_data_len = 0; 160 161 /* 162 * Fake X11 authentication data. This is what the server will be sending us; 163 * we should replace any occurrences of this by the real data. 164 */ 165 static u_char *x11_fake_data = NULL; 166 static u_int x11_fake_data_len; 167 168 169 /* -- agent forwarding */ 170 171 #define NUM_SOCKS 10 172 173 /* AF_UNSPEC or AF_INET or AF_INET6 */ 174 static int IPv4or6 = AF_UNSPEC; 175 176 /* helper */ 177 static void port_open_helper(Channel *c, char *rtype); 178 179 /* non-blocking connect helpers */ 180 static int connect_next(struct channel_connect *); 181 static void channel_connect_ctx_free(struct channel_connect *); 182 183 /* -- channel core */ 184 185 Channel * 186 channel_by_id(int id) 187 { 188 Channel *c; 189 190 if (id < 0 || (u_int)id >= channels_alloc) { 191 logit("channel_by_id: %d: bad id", id); 192 return NULL; 193 } 194 c = channels[id]; 195 if (c == NULL) { 196 logit("channel_by_id: %d: bad id: channel free", id); 197 return NULL; 198 } 199 return c; 200 } 201 202 /* 203 * Returns the channel if it is allowed to receive protocol messages. 204 * Private channels, like listening sockets, may not receive messages. 205 */ 206 Channel * 207 channel_lookup(int id) 208 { 209 Channel *c; 210 211 if ((c = channel_by_id(id)) == NULL) 212 return (NULL); 213 214 switch (c->type) { 215 case SSH_CHANNEL_X11_OPEN: 216 case SSH_CHANNEL_LARVAL: 217 case SSH_CHANNEL_CONNECTING: 218 case SSH_CHANNEL_DYNAMIC: 219 case SSH_CHANNEL_OPENING: 220 case SSH_CHANNEL_OPEN: 221 case SSH_CHANNEL_INPUT_DRAINING: 222 case SSH_CHANNEL_OUTPUT_DRAINING: 223 case SSH_CHANNEL_ABANDONED: 224 return (c); 225 } 226 logit("Non-public channel %d, type %d.", id, c->type); 227 return (NULL); 228 } 229 230 /* 231 * Register filedescriptors for a channel, used when allocating a channel or 232 * when the channel consumer/producer is ready, e.g. shell exec'd 233 */ 234 static void 235 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 236 int extusage, int nonblock, int is_tty) 237 { 238 /* Update the maximum file descriptor value. */ 239 channel_max_fd = MAX(channel_max_fd, rfd); 240 channel_max_fd = MAX(channel_max_fd, wfd); 241 channel_max_fd = MAX(channel_max_fd, efd); 242 243 if (rfd != -1) 244 fcntl(rfd, F_SETFD, FD_CLOEXEC); 245 if (wfd != -1 && wfd != rfd) 246 fcntl(wfd, F_SETFD, FD_CLOEXEC); 247 if (efd != -1 && efd != rfd && efd != wfd) 248 fcntl(efd, F_SETFD, FD_CLOEXEC); 249 250 c->rfd = rfd; 251 c->wfd = wfd; 252 c->sock = (rfd == wfd) ? rfd : -1; 253 c->efd = efd; 254 c->extended_usage = extusage; 255 256 if ((c->isatty = is_tty) != 0) 257 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 258 #ifdef _AIX 259 /* XXX: Later AIX versions can't push as much data to tty */ 260 c->wfd_isatty = is_tty || isatty(c->wfd); 261 #endif 262 263 /* enable nonblocking mode */ 264 if (nonblock) { 265 if (rfd != -1) 266 set_nonblock(rfd); 267 if (wfd != -1) 268 set_nonblock(wfd); 269 if (efd != -1) 270 set_nonblock(efd); 271 } 272 } 273 274 /* 275 * Allocate a new channel object and set its type and socket. This will cause 276 * remote_name to be freed. 277 */ 278 Channel * 279 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 280 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 281 { 282 int found; 283 u_int i; 284 Channel *c; 285 286 /* Do initial allocation if this is the first call. */ 287 if (channels_alloc == 0) { 288 channels_alloc = 10; 289 channels = xcalloc(channels_alloc, sizeof(Channel *)); 290 for (i = 0; i < channels_alloc; i++) 291 channels[i] = NULL; 292 } 293 /* Try to find a free slot where to put the new channel. */ 294 for (found = -1, i = 0; i < channels_alloc; i++) 295 if (channels[i] == NULL) { 296 /* Found a free slot. */ 297 found = (int)i; 298 break; 299 } 300 if (found < 0) { 301 /* There are no free slots. Take last+1 slot and expand the array. */ 302 found = channels_alloc; 303 if (channels_alloc > 10000) 304 fatal("channel_new: internal error: channels_alloc %d " 305 "too big.", channels_alloc); 306 channels = xrealloc(channels, channels_alloc + 10, 307 sizeof(Channel *)); 308 channels_alloc += 10; 309 debug2("channel: expanding %d", channels_alloc); 310 for (i = found; i < channels_alloc; i++) 311 channels[i] = NULL; 312 } 313 /* Initialize and return new channel. */ 314 c = channels[found] = xcalloc(1, sizeof(Channel)); 315 buffer_init(&c->input); 316 buffer_init(&c->output); 317 buffer_init(&c->extended); 318 c->path = NULL; 319 c->listening_addr = NULL; 320 c->listening_port = 0; 321 c->ostate = CHAN_OUTPUT_OPEN; 322 c->istate = CHAN_INPUT_OPEN; 323 c->flags = 0; 324 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); 325 c->notbefore = 0; 326 c->self = found; 327 c->type = type; 328 c->ctype = ctype; 329 c->local_window = window; 330 c->local_window_max = window; 331 c->local_consumed = 0; 332 c->local_maxpacket = maxpack; 333 c->remote_id = -1; 334 c->remote_name = xstrdup(remote_name); 335 c->remote_window = 0; 336 c->remote_maxpacket = 0; 337 c->force_drain = 0; 338 c->single_connection = 0; 339 c->detach_user = NULL; 340 c->detach_close = 0; 341 c->open_confirm = NULL; 342 c->open_confirm_ctx = NULL; 343 c->input_filter = NULL; 344 c->output_filter = NULL; 345 c->filter_ctx = NULL; 346 c->filter_cleanup = NULL; 347 c->ctl_chan = -1; 348 c->mux_rcb = NULL; 349 c->mux_ctx = NULL; 350 c->mux_pause = 0; 351 c->delayed = 1; /* prevent call to channel_post handler */ 352 TAILQ_INIT(&c->status_confirms); 353 debug("channel %d: new [%s]", found, remote_name); 354 return c; 355 } 356 357 static int 358 channel_find_maxfd(void) 359 { 360 u_int i; 361 int max = 0; 362 Channel *c; 363 364 for (i = 0; i < channels_alloc; i++) { 365 c = channels[i]; 366 if (c != NULL) { 367 max = MAX(max, c->rfd); 368 max = MAX(max, c->wfd); 369 max = MAX(max, c->efd); 370 } 371 } 372 return max; 373 } 374 375 int 376 channel_close_fd(int *fdp) 377 { 378 int ret = 0, fd = *fdp; 379 380 if (fd != -1) { 381 ret = close(fd); 382 *fdp = -1; 383 if (fd == channel_max_fd) 384 channel_max_fd = channel_find_maxfd(); 385 } 386 return ret; 387 } 388 389 /* Close all channel fd/socket. */ 390 static void 391 channel_close_fds(Channel *c) 392 { 393 channel_close_fd(&c->sock); 394 channel_close_fd(&c->rfd); 395 channel_close_fd(&c->wfd); 396 channel_close_fd(&c->efd); 397 } 398 399 /* Free the channel and close its fd/socket. */ 400 void 401 channel_free(Channel *c) 402 { 403 char *s; 404 u_int i, n; 405 struct channel_confirm *cc; 406 407 for (n = 0, i = 0; i < channels_alloc; i++) 408 if (channels[i]) 409 n++; 410 debug("channel %d: free: %s, nchannels %u", c->self, 411 c->remote_name ? c->remote_name : "???", n); 412 413 s = channel_open_message(); 414 debug3("channel %d: status: %s", c->self, s); 415 free(s); 416 417 if (c->sock != -1) 418 shutdown(c->sock, SHUT_RDWR); 419 channel_close_fds(c); 420 buffer_free(&c->input); 421 buffer_free(&c->output); 422 buffer_free(&c->extended); 423 free(c->remote_name); 424 c->remote_name = NULL; 425 free(c->path); 426 c->path = NULL; 427 free(c->listening_addr); 428 c->listening_addr = NULL; 429 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 430 if (cc->abandon_cb != NULL) 431 cc->abandon_cb(c, cc->ctx); 432 TAILQ_REMOVE(&c->status_confirms, cc, entry); 433 explicit_bzero(cc, sizeof(*cc)); 434 free(cc); 435 } 436 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 437 c->filter_cleanup(c->self, c->filter_ctx); 438 channels[c->self] = NULL; 439 free(c); 440 } 441 442 void 443 channel_free_all(void) 444 { 445 u_int i; 446 447 for (i = 0; i < channels_alloc; i++) 448 if (channels[i] != NULL) 449 channel_free(channels[i]); 450 } 451 452 /* 453 * Closes the sockets/fds of all channels. This is used to close extra file 454 * descriptors after a fork. 455 */ 456 void 457 channel_close_all(void) 458 { 459 u_int i; 460 461 for (i = 0; i < channels_alloc; i++) 462 if (channels[i] != NULL) 463 channel_close_fds(channels[i]); 464 } 465 466 /* 467 * Stop listening to channels. 468 */ 469 void 470 channel_stop_listening(void) 471 { 472 u_int i; 473 Channel *c; 474 475 for (i = 0; i < channels_alloc; i++) { 476 c = channels[i]; 477 if (c != NULL) { 478 switch (c->type) { 479 case SSH_CHANNEL_AUTH_SOCKET: 480 case SSH_CHANNEL_PORT_LISTENER: 481 case SSH_CHANNEL_RPORT_LISTENER: 482 case SSH_CHANNEL_X11_LISTENER: 483 case SSH_CHANNEL_UNIX_LISTENER: 484 case SSH_CHANNEL_RUNIX_LISTENER: 485 channel_close_fd(&c->sock); 486 channel_free(c); 487 break; 488 } 489 } 490 } 491 } 492 493 /* 494 * Returns true if no channel has too much buffered data, and false if one or 495 * more channel is overfull. 496 */ 497 int 498 channel_not_very_much_buffered_data(void) 499 { 500 u_int i; 501 Channel *c; 502 503 for (i = 0; i < channels_alloc; i++) { 504 c = channels[i]; 505 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 506 #if 0 507 if (!compat20 && 508 buffer_len(&c->input) > packet_get_maxsize()) { 509 debug2("channel %d: big input buffer %d", 510 c->self, buffer_len(&c->input)); 511 return 0; 512 } 513 #endif 514 if (buffer_len(&c->output) > packet_get_maxsize()) { 515 debug2("channel %d: big output buffer %u > %u", 516 c->self, buffer_len(&c->output), 517 packet_get_maxsize()); 518 return 0; 519 } 520 } 521 } 522 return 1; 523 } 524 525 /* Returns true if any channel is still open. */ 526 int 527 channel_still_open(void) 528 { 529 u_int i; 530 Channel *c; 531 532 for (i = 0; i < channels_alloc; i++) { 533 c = channels[i]; 534 if (c == NULL) 535 continue; 536 switch (c->type) { 537 case SSH_CHANNEL_X11_LISTENER: 538 case SSH_CHANNEL_PORT_LISTENER: 539 case SSH_CHANNEL_RPORT_LISTENER: 540 case SSH_CHANNEL_MUX_LISTENER: 541 case SSH_CHANNEL_CLOSED: 542 case SSH_CHANNEL_AUTH_SOCKET: 543 case SSH_CHANNEL_DYNAMIC: 544 case SSH_CHANNEL_CONNECTING: 545 case SSH_CHANNEL_ZOMBIE: 546 case SSH_CHANNEL_ABANDONED: 547 case SSH_CHANNEL_UNIX_LISTENER: 548 case SSH_CHANNEL_RUNIX_LISTENER: 549 continue; 550 case SSH_CHANNEL_LARVAL: 551 if (!compat20) 552 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 553 continue; 554 case SSH_CHANNEL_OPENING: 555 case SSH_CHANNEL_OPEN: 556 case SSH_CHANNEL_X11_OPEN: 557 case SSH_CHANNEL_MUX_CLIENT: 558 return 1; 559 case SSH_CHANNEL_INPUT_DRAINING: 560 case SSH_CHANNEL_OUTPUT_DRAINING: 561 if (!compat13) 562 fatal("cannot happen: OUT_DRAIN"); 563 return 1; 564 default: 565 fatal("channel_still_open: bad channel type %d", c->type); 566 /* NOTREACHED */ 567 } 568 } 569 return 0; 570 } 571 572 /* Returns the id of an open channel suitable for keepaliving */ 573 int 574 channel_find_open(void) 575 { 576 u_int i; 577 Channel *c; 578 579 for (i = 0; i < channels_alloc; i++) { 580 c = channels[i]; 581 if (c == NULL || c->remote_id < 0) 582 continue; 583 switch (c->type) { 584 case SSH_CHANNEL_CLOSED: 585 case SSH_CHANNEL_DYNAMIC: 586 case SSH_CHANNEL_X11_LISTENER: 587 case SSH_CHANNEL_PORT_LISTENER: 588 case SSH_CHANNEL_RPORT_LISTENER: 589 case SSH_CHANNEL_MUX_LISTENER: 590 case SSH_CHANNEL_MUX_CLIENT: 591 case SSH_CHANNEL_OPENING: 592 case SSH_CHANNEL_CONNECTING: 593 case SSH_CHANNEL_ZOMBIE: 594 case SSH_CHANNEL_ABANDONED: 595 case SSH_CHANNEL_UNIX_LISTENER: 596 case SSH_CHANNEL_RUNIX_LISTENER: 597 continue; 598 case SSH_CHANNEL_LARVAL: 599 case SSH_CHANNEL_AUTH_SOCKET: 600 case SSH_CHANNEL_OPEN: 601 case SSH_CHANNEL_X11_OPEN: 602 return i; 603 case SSH_CHANNEL_INPUT_DRAINING: 604 case SSH_CHANNEL_OUTPUT_DRAINING: 605 if (!compat13) 606 fatal("cannot happen: OUT_DRAIN"); 607 return i; 608 default: 609 fatal("channel_find_open: bad channel type %d", c->type); 610 /* NOTREACHED */ 611 } 612 } 613 return -1; 614 } 615 616 617 /* 618 * Returns a message describing the currently open forwarded connections, 619 * suitable for sending to the client. The message contains crlf pairs for 620 * newlines. 621 */ 622 char * 623 channel_open_message(void) 624 { 625 Buffer buffer; 626 Channel *c; 627 char buf[1024], *cp; 628 u_int i; 629 630 buffer_init(&buffer); 631 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 632 buffer_append(&buffer, buf, strlen(buf)); 633 for (i = 0; i < channels_alloc; i++) { 634 c = channels[i]; 635 if (c == NULL) 636 continue; 637 switch (c->type) { 638 case SSH_CHANNEL_X11_LISTENER: 639 case SSH_CHANNEL_PORT_LISTENER: 640 case SSH_CHANNEL_RPORT_LISTENER: 641 case SSH_CHANNEL_CLOSED: 642 case SSH_CHANNEL_AUTH_SOCKET: 643 case SSH_CHANNEL_ZOMBIE: 644 case SSH_CHANNEL_ABANDONED: 645 case SSH_CHANNEL_MUX_CLIENT: 646 case SSH_CHANNEL_MUX_LISTENER: 647 case SSH_CHANNEL_UNIX_LISTENER: 648 case SSH_CHANNEL_RUNIX_LISTENER: 649 continue; 650 case SSH_CHANNEL_LARVAL: 651 case SSH_CHANNEL_OPENING: 652 case SSH_CHANNEL_CONNECTING: 653 case SSH_CHANNEL_DYNAMIC: 654 case SSH_CHANNEL_OPEN: 655 case SSH_CHANNEL_X11_OPEN: 656 case SSH_CHANNEL_INPUT_DRAINING: 657 case SSH_CHANNEL_OUTPUT_DRAINING: 658 snprintf(buf, sizeof buf, 659 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n", 660 c->self, c->remote_name, 661 c->type, c->remote_id, 662 c->istate, buffer_len(&c->input), 663 c->ostate, buffer_len(&c->output), 664 c->rfd, c->wfd, c->ctl_chan); 665 buffer_append(&buffer, buf, strlen(buf)); 666 continue; 667 default: 668 fatal("channel_open_message: bad channel type %d", c->type); 669 /* NOTREACHED */ 670 } 671 } 672 buffer_append(&buffer, "\0", 1); 673 cp = xstrdup(buffer_ptr(&buffer)); 674 buffer_free(&buffer); 675 return cp; 676 } 677 678 void 679 channel_send_open(int id) 680 { 681 Channel *c = channel_lookup(id); 682 683 if (c == NULL) { 684 logit("channel_send_open: %d: bad id", id); 685 return; 686 } 687 debug2("channel %d: send open", id); 688 packet_start(SSH2_MSG_CHANNEL_OPEN); 689 packet_put_cstring(c->ctype); 690 packet_put_int(c->self); 691 packet_put_int(c->local_window); 692 packet_put_int(c->local_maxpacket); 693 packet_send(); 694 } 695 696 void 697 channel_request_start(int id, char *service, int wantconfirm) 698 { 699 Channel *c = channel_lookup(id); 700 701 if (c == NULL) { 702 logit("channel_request_start: %d: unknown channel id", id); 703 return; 704 } 705 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 706 packet_start(SSH2_MSG_CHANNEL_REQUEST); 707 packet_put_int(c->remote_id); 708 packet_put_cstring(service); 709 packet_put_char(wantconfirm); 710 } 711 712 void 713 channel_register_status_confirm(int id, channel_confirm_cb *cb, 714 channel_confirm_abandon_cb *abandon_cb, void *ctx) 715 { 716 struct channel_confirm *cc; 717 Channel *c; 718 719 if ((c = channel_lookup(id)) == NULL) 720 fatal("channel_register_expect: %d: bad id", id); 721 722 cc = xcalloc(1, sizeof(*cc)); 723 cc->cb = cb; 724 cc->abandon_cb = abandon_cb; 725 cc->ctx = ctx; 726 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 727 } 728 729 void 730 channel_register_open_confirm(int id, channel_open_fn *fn, void *ctx) 731 { 732 Channel *c = channel_lookup(id); 733 734 if (c == NULL) { 735 logit("channel_register_open_confirm: %d: bad id", id); 736 return; 737 } 738 c->open_confirm = fn; 739 c->open_confirm_ctx = ctx; 740 } 741 742 void 743 channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 744 { 745 Channel *c = channel_by_id(id); 746 747 if (c == NULL) { 748 logit("channel_register_cleanup: %d: bad id", id); 749 return; 750 } 751 c->detach_user = fn; 752 c->detach_close = do_close; 753 } 754 755 void 756 channel_cancel_cleanup(int id) 757 { 758 Channel *c = channel_by_id(id); 759 760 if (c == NULL) { 761 logit("channel_cancel_cleanup: %d: bad id", id); 762 return; 763 } 764 c->detach_user = NULL; 765 c->detach_close = 0; 766 } 767 768 void 769 channel_register_filter(int id, channel_infilter_fn *ifn, 770 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 771 { 772 Channel *c = channel_lookup(id); 773 774 if (c == NULL) { 775 logit("channel_register_filter: %d: bad id", id); 776 return; 777 } 778 c->input_filter = ifn; 779 c->output_filter = ofn; 780 c->filter_ctx = ctx; 781 c->filter_cleanup = cfn; 782 } 783 784 void 785 channel_set_fds(int id, int rfd, int wfd, int efd, 786 int extusage, int nonblock, int is_tty, u_int window_max) 787 { 788 Channel *c = channel_lookup(id); 789 790 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 791 fatal("channel_activate for non-larval channel %d.", id); 792 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); 793 c->type = SSH_CHANNEL_OPEN; 794 c->local_window = c->local_window_max = window_max; 795 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 796 packet_put_int(c->remote_id); 797 packet_put_int(c->local_window); 798 packet_send(); 799 } 800 801 /* 802 * 'channel_pre*' are called just before select() to add any bits relevant to 803 * channels in the select bitmasks. 804 */ 805 /* 806 * 'channel_post*': perform any appropriate operations for channels which 807 * have events pending. 808 */ 809 typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 810 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 811 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 812 813 /* ARGSUSED */ 814 static void 815 channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 816 { 817 FD_SET(c->sock, readset); 818 } 819 820 /* ARGSUSED */ 821 static void 822 channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 823 { 824 debug3("channel %d: waiting for connection", c->self); 825 FD_SET(c->sock, writeset); 826 } 827 828 static void 829 channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 830 { 831 if (buffer_len(&c->input) < packet_get_maxsize()) 832 FD_SET(c->sock, readset); 833 if (buffer_len(&c->output) > 0) 834 FD_SET(c->sock, writeset); 835 } 836 837 static void 838 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 839 { 840 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 841 842 if (c->istate == CHAN_INPUT_OPEN && 843 limit > 0 && 844 buffer_len(&c->input) < limit && 845 buffer_check_alloc(&c->input, CHAN_RBUF)) 846 FD_SET(c->rfd, readset); 847 if (c->ostate == CHAN_OUTPUT_OPEN || 848 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 849 if (buffer_len(&c->output) > 0) { 850 FD_SET(c->wfd, writeset); 851 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 852 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 853 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 854 c->self, c->efd, buffer_len(&c->extended)); 855 else 856 chan_obuf_empty(c); 857 } 858 } 859 /** XXX check close conditions, too */ 860 if (compat20 && c->efd != -1 && 861 !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) { 862 if (c->extended_usage == CHAN_EXTENDED_WRITE && 863 buffer_len(&c->extended) > 0) 864 FD_SET(c->efd, writeset); 865 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 866 (c->extended_usage == CHAN_EXTENDED_READ || 867 c->extended_usage == CHAN_EXTENDED_IGNORE) && 868 buffer_len(&c->extended) < c->remote_window) 869 FD_SET(c->efd, readset); 870 } 871 /* XXX: What about efd? races? */ 872 } 873 874 /* ARGSUSED */ 875 static void 876 channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 877 { 878 if (buffer_len(&c->input) == 0) { 879 packet_start(SSH_MSG_CHANNEL_CLOSE); 880 packet_put_int(c->remote_id); 881 packet_send(); 882 c->type = SSH_CHANNEL_CLOSED; 883 debug2("channel %d: closing after input drain.", c->self); 884 } 885 } 886 887 /* ARGSUSED */ 888 static void 889 channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 890 { 891 if (buffer_len(&c->output) == 0) 892 chan_mark_dead(c); 893 else 894 FD_SET(c->sock, writeset); 895 } 896 897 /* 898 * This is a special state for X11 authentication spoofing. An opened X11 899 * connection (when authentication spoofing is being done) remains in this 900 * state until the first packet has been completely read. The authentication 901 * data in that packet is then substituted by the real data if it matches the 902 * fake data, and the channel is put into normal mode. 903 * XXX All this happens at the client side. 904 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 905 */ 906 static int 907 x11_open_helper(Buffer *b) 908 { 909 u_char *ucp; 910 u_int proto_len, data_len; 911 912 /* Check if the fixed size part of the packet is in buffer. */ 913 if (buffer_len(b) < 12) 914 return 0; 915 916 /* Parse the lengths of variable-length fields. */ 917 ucp = buffer_ptr(b); 918 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 919 proto_len = 256 * ucp[6] + ucp[7]; 920 data_len = 256 * ucp[8] + ucp[9]; 921 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 922 proto_len = ucp[6] + 256 * ucp[7]; 923 data_len = ucp[8] + 256 * ucp[9]; 924 } else { 925 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 926 ucp[0]); 927 return -1; 928 } 929 930 /* Check if the whole packet is in buffer. */ 931 if (buffer_len(b) < 932 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 933 return 0; 934 935 /* Check if authentication protocol matches. */ 936 if (proto_len != strlen(x11_saved_proto) || 937 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 938 debug2("X11 connection uses different authentication protocol."); 939 return -1; 940 } 941 /* Check if authentication data matches our fake data. */ 942 if (data_len != x11_fake_data_len || 943 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 944 x11_fake_data, x11_fake_data_len) != 0) { 945 debug2("X11 auth data does not match fake data."); 946 return -1; 947 } 948 /* Check fake data length */ 949 if (x11_fake_data_len != x11_saved_data_len) { 950 error("X11 fake_data_len %d != saved_data_len %d", 951 x11_fake_data_len, x11_saved_data_len); 952 return -1; 953 } 954 /* 955 * Received authentication protocol and data match 956 * our fake data. Substitute the fake data with real 957 * data. 958 */ 959 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 960 x11_saved_data, x11_saved_data_len); 961 return 1; 962 } 963 964 static void 965 channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 966 { 967 int ret = x11_open_helper(&c->output); 968 969 if (ret == 1) { 970 /* Start normal processing for the channel. */ 971 c->type = SSH_CHANNEL_OPEN; 972 channel_pre_open_13(c, readset, writeset); 973 } else if (ret == -1) { 974 /* 975 * We have received an X11 connection that has bad 976 * authentication information. 977 */ 978 logit("X11 connection rejected because of wrong authentication."); 979 buffer_clear(&c->input); 980 buffer_clear(&c->output); 981 channel_close_fd(&c->sock); 982 c->sock = -1; 983 c->type = SSH_CHANNEL_CLOSED; 984 packet_start(SSH_MSG_CHANNEL_CLOSE); 985 packet_put_int(c->remote_id); 986 packet_send(); 987 } 988 } 989 990 static void 991 channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 992 { 993 int ret = x11_open_helper(&c->output); 994 995 /* c->force_drain = 1; */ 996 997 if (ret == 1) { 998 c->type = SSH_CHANNEL_OPEN; 999 channel_pre_open(c, readset, writeset); 1000 } else if (ret == -1) { 1001 logit("X11 connection rejected because of wrong authentication."); 1002 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 1003 chan_read_failed(c); 1004 buffer_clear(&c->input); 1005 chan_ibuf_empty(c); 1006 buffer_clear(&c->output); 1007 /* for proto v1, the peer will send an IEOF */ 1008 if (compat20) 1009 chan_write_failed(c); 1010 else 1011 c->type = SSH_CHANNEL_OPEN; 1012 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 1013 } 1014 } 1015 1016 static void 1017 channel_pre_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1018 { 1019 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 1020 buffer_check_alloc(&c->input, CHAN_RBUF)) 1021 FD_SET(c->rfd, readset); 1022 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1023 /* clear buffer immediately (discard any partial packet) */ 1024 buffer_clear(&c->input); 1025 chan_ibuf_empty(c); 1026 /* Start output drain. XXX just kill chan? */ 1027 chan_rcvd_oclose(c); 1028 } 1029 if (c->ostate == CHAN_OUTPUT_OPEN || 1030 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1031 if (buffer_len(&c->output) > 0) 1032 FD_SET(c->wfd, writeset); 1033 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1034 chan_obuf_empty(c); 1035 } 1036 } 1037 1038 /* try to decode a socks4 header */ 1039 /* ARGSUSED */ 1040 static int 1041 channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 1042 { 1043 char *p, *host; 1044 u_int len, have, i, found, need; 1045 char username[256]; 1046 struct { 1047 u_int8_t version; 1048 u_int8_t command; 1049 u_int16_t dest_port; 1050 struct in_addr dest_addr; 1051 } s4_req, s4_rsp; 1052 1053 debug2("channel %d: decode socks4", c->self); 1054 1055 have = buffer_len(&c->input); 1056 len = sizeof(s4_req); 1057 if (have < len) 1058 return 0; 1059 p = buffer_ptr(&c->input); 1060 1061 need = 1; 1062 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1063 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1064 debug2("channel %d: socks4a request", c->self); 1065 /* ... and needs an extra string (the hostname) */ 1066 need = 2; 1067 } 1068 /* Check for terminating NUL on the string(s) */ 1069 for (found = 0, i = len; i < have; i++) { 1070 if (p[i] == '\0') { 1071 found++; 1072 if (found == need) 1073 break; 1074 } 1075 if (i > 1024) { 1076 /* the peer is probably sending garbage */ 1077 debug("channel %d: decode socks4: too long", 1078 c->self); 1079 return -1; 1080 } 1081 } 1082 if (found < need) 1083 return 0; 1084 buffer_get(&c->input, (char *)&s4_req.version, 1); 1085 buffer_get(&c->input, (char *)&s4_req.command, 1); 1086 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 1087 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 1088 have = buffer_len(&c->input); 1089 p = buffer_ptr(&c->input); 1090 if (memchr(p, '\0', have) == NULL) 1091 fatal("channel %d: decode socks4: user not nul terminated", 1092 c->self); 1093 len = strlen(p); 1094 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1095 len++; /* trailing '\0' */ 1096 if (len > have) 1097 fatal("channel %d: decode socks4: len %d > have %d", 1098 c->self, len, have); 1099 strlcpy(username, p, sizeof(username)); 1100 buffer_consume(&c->input, len); 1101 1102 free(c->path); 1103 c->path = NULL; 1104 if (need == 1) { /* SOCKS4: one string */ 1105 host = inet_ntoa(s4_req.dest_addr); 1106 c->path = xstrdup(host); 1107 } else { /* SOCKS4A: two strings */ 1108 have = buffer_len(&c->input); 1109 p = buffer_ptr(&c->input); 1110 len = strlen(p); 1111 debug2("channel %d: decode socks4a: host %s/%d", 1112 c->self, p, len); 1113 len++; /* trailing '\0' */ 1114 if (len > have) 1115 fatal("channel %d: decode socks4a: len %d > have %d", 1116 c->self, len, have); 1117 if (len > NI_MAXHOST) { 1118 error("channel %d: hostname \"%.100s\" too long", 1119 c->self, p); 1120 return -1; 1121 } 1122 c->path = xstrdup(p); 1123 buffer_consume(&c->input, len); 1124 } 1125 c->host_port = ntohs(s4_req.dest_port); 1126 1127 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1128 c->self, c->path, c->host_port, s4_req.command); 1129 1130 if (s4_req.command != 1) { 1131 debug("channel %d: cannot handle: %s cn %d", 1132 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1133 return -1; 1134 } 1135 s4_rsp.version = 0; /* vn: 0 for reply */ 1136 s4_rsp.command = 90; /* cd: req granted */ 1137 s4_rsp.dest_port = 0; /* ignored */ 1138 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1139 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1140 return 1; 1141 } 1142 1143 /* try to decode a socks5 header */ 1144 #define SSH_SOCKS5_AUTHDONE 0x1000 1145 #define SSH_SOCKS5_NOAUTH 0x00 1146 #define SSH_SOCKS5_IPV4 0x01 1147 #define SSH_SOCKS5_DOMAIN 0x03 1148 #define SSH_SOCKS5_IPV6 0x04 1149 #define SSH_SOCKS5_CONNECT 0x01 1150 #define SSH_SOCKS5_SUCCESS 0x00 1151 1152 /* ARGSUSED */ 1153 static int 1154 channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1155 { 1156 struct { 1157 u_int8_t version; 1158 u_int8_t command; 1159 u_int8_t reserved; 1160 u_int8_t atyp; 1161 } s5_req, s5_rsp; 1162 u_int16_t dest_port; 1163 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1164 u_char *p; 1165 u_int have, need, i, found, nmethods, addrlen, af; 1166 1167 debug2("channel %d: decode socks5", c->self); 1168 p = buffer_ptr(&c->input); 1169 if (p[0] != 0x05) 1170 return -1; 1171 have = buffer_len(&c->input); 1172 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1173 /* format: ver | nmethods | methods */ 1174 if (have < 2) 1175 return 0; 1176 nmethods = p[1]; 1177 if (have < nmethods + 2) 1178 return 0; 1179 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1180 for (found = 0, i = 2; i < nmethods + 2; i++) { 1181 if (p[i] == SSH_SOCKS5_NOAUTH) { 1182 found = 1; 1183 break; 1184 } 1185 } 1186 if (!found) { 1187 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1188 c->self); 1189 return -1; 1190 } 1191 buffer_consume(&c->input, nmethods + 2); 1192 buffer_put_char(&c->output, 0x05); /* version */ 1193 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1194 FD_SET(c->sock, writeset); 1195 c->flags |= SSH_SOCKS5_AUTHDONE; 1196 debug2("channel %d: socks5 auth done", c->self); 1197 return 0; /* need more */ 1198 } 1199 debug2("channel %d: socks5 post auth", c->self); 1200 if (have < sizeof(s5_req)+1) 1201 return 0; /* need more */ 1202 memcpy(&s5_req, p, sizeof(s5_req)); 1203 if (s5_req.version != 0x05 || 1204 s5_req.command != SSH_SOCKS5_CONNECT || 1205 s5_req.reserved != 0x00) { 1206 debug2("channel %d: only socks5 connect supported", c->self); 1207 return -1; 1208 } 1209 switch (s5_req.atyp){ 1210 case SSH_SOCKS5_IPV4: 1211 addrlen = 4; 1212 af = AF_INET; 1213 break; 1214 case SSH_SOCKS5_DOMAIN: 1215 addrlen = p[sizeof(s5_req)]; 1216 af = -1; 1217 break; 1218 case SSH_SOCKS5_IPV6: 1219 addrlen = 16; 1220 af = AF_INET6; 1221 break; 1222 default: 1223 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1224 return -1; 1225 } 1226 need = sizeof(s5_req) + addrlen + 2; 1227 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1228 need++; 1229 if (have < need) 1230 return 0; 1231 buffer_consume(&c->input, sizeof(s5_req)); 1232 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1233 buffer_consume(&c->input, 1); /* host string length */ 1234 buffer_get(&c->input, &dest_addr, addrlen); 1235 buffer_get(&c->input, (char *)&dest_port, 2); 1236 dest_addr[addrlen] = '\0'; 1237 free(c->path); 1238 c->path = NULL; 1239 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1240 if (addrlen >= NI_MAXHOST) { 1241 error("channel %d: dynamic request: socks5 hostname " 1242 "\"%.100s\" too long", c->self, dest_addr); 1243 return -1; 1244 } 1245 c->path = xstrdup(dest_addr); 1246 } else { 1247 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1248 return -1; 1249 c->path = xstrdup(ntop); 1250 } 1251 c->host_port = ntohs(dest_port); 1252 1253 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1254 c->self, c->path, c->host_port, s5_req.command); 1255 1256 s5_rsp.version = 0x05; 1257 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1258 s5_rsp.reserved = 0; /* ignored */ 1259 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1260 dest_port = 0; /* ignored */ 1261 1262 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1263 buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */ 1264 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1265 return 1; 1266 } 1267 1268 Channel * 1269 channel_connect_stdio_fwd(const char *host_to_connect, u_short port_to_connect, 1270 int in, int out) 1271 { 1272 Channel *c; 1273 1274 debug("channel_connect_stdio_fwd %s:%d", host_to_connect, 1275 port_to_connect); 1276 1277 c = channel_new("stdio-forward", SSH_CHANNEL_OPENING, in, out, 1278 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1279 0, "stdio-forward", /*nonblock*/0); 1280 1281 c->path = xstrdup(host_to_connect); 1282 c->host_port = port_to_connect; 1283 c->listening_port = 0; 1284 c->force_drain = 1; 1285 1286 channel_register_fds(c, in, out, -1, 0, 1, 0); 1287 port_open_helper(c, "direct-tcpip"); 1288 1289 return c; 1290 } 1291 1292 /* dynamic port forwarding */ 1293 static void 1294 channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1295 { 1296 u_char *p; 1297 u_int have; 1298 int ret; 1299 1300 have = buffer_len(&c->input); 1301 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1302 /* buffer_dump(&c->input); */ 1303 /* check if the fixed size part of the packet is in buffer. */ 1304 if (have < 3) { 1305 /* need more */ 1306 FD_SET(c->sock, readset); 1307 return; 1308 } 1309 /* try to guess the protocol */ 1310 p = buffer_ptr(&c->input); 1311 switch (p[0]) { 1312 case 0x04: 1313 ret = channel_decode_socks4(c, readset, writeset); 1314 break; 1315 case 0x05: 1316 ret = channel_decode_socks5(c, readset, writeset); 1317 break; 1318 default: 1319 ret = -1; 1320 break; 1321 } 1322 if (ret < 0) { 1323 chan_mark_dead(c); 1324 } else if (ret == 0) { 1325 debug2("channel %d: pre_dynamic: need more", c->self); 1326 /* need more */ 1327 FD_SET(c->sock, readset); 1328 } else { 1329 /* switch to the next state */ 1330 c->type = SSH_CHANNEL_OPENING; 1331 port_open_helper(c, "direct-tcpip"); 1332 } 1333 } 1334 1335 /* This is our fake X11 server socket. */ 1336 /* ARGSUSED */ 1337 static void 1338 channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1339 { 1340 Channel *nc; 1341 struct sockaddr_storage addr; 1342 int newsock, oerrno; 1343 socklen_t addrlen; 1344 char buf[16384], *remote_ipaddr; 1345 int remote_port; 1346 1347 if (FD_ISSET(c->sock, readset)) { 1348 debug("X11 connection requested."); 1349 addrlen = sizeof(addr); 1350 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1351 if (c->single_connection) { 1352 oerrno = errno; 1353 debug2("single_connection: closing X11 listener."); 1354 channel_close_fd(&c->sock); 1355 chan_mark_dead(c); 1356 errno = oerrno; 1357 } 1358 if (newsock < 0) { 1359 if (errno != EINTR && errno != EWOULDBLOCK && 1360 errno != ECONNABORTED) 1361 error("accept: %.100s", strerror(errno)); 1362 if (errno == EMFILE || errno == ENFILE) 1363 c->notbefore = monotime() + 1; 1364 return; 1365 } 1366 set_nodelay(newsock); 1367 remote_ipaddr = get_peer_ipaddr(newsock); 1368 remote_port = get_peer_port(newsock); 1369 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1370 remote_ipaddr, remote_port); 1371 1372 nc = channel_new("accepted x11 socket", 1373 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1374 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1375 if (compat20) { 1376 packet_start(SSH2_MSG_CHANNEL_OPEN); 1377 packet_put_cstring("x11"); 1378 packet_put_int(nc->self); 1379 packet_put_int(nc->local_window_max); 1380 packet_put_int(nc->local_maxpacket); 1381 /* originator ipaddr and port */ 1382 packet_put_cstring(remote_ipaddr); 1383 if (datafellows & SSH_BUG_X11FWD) { 1384 debug2("ssh2 x11 bug compat mode"); 1385 } else { 1386 packet_put_int(remote_port); 1387 } 1388 packet_send(); 1389 } else { 1390 packet_start(SSH_SMSG_X11_OPEN); 1391 packet_put_int(nc->self); 1392 if (packet_get_protocol_flags() & 1393 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1394 packet_put_cstring(buf); 1395 packet_send(); 1396 } 1397 free(remote_ipaddr); 1398 } 1399 } 1400 1401 static void 1402 port_open_helper(Channel *c, char *rtype) 1403 { 1404 char buf[1024]; 1405 char *local_ipaddr = get_local_ipaddr(c->sock); 1406 int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1); 1407 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1408 int remote_port = get_peer_port(c->sock); 1409 1410 if (remote_port == -1) { 1411 /* Fake addr/port to appease peers that validate it (Tectia) */ 1412 free(remote_ipaddr); 1413 remote_ipaddr = xstrdup("127.0.0.1"); 1414 remote_port = 65535; 1415 } 1416 1417 snprintf(buf, sizeof buf, 1418 "%s: listening port %d for %.100s port %d, " 1419 "connect from %.200s port %d to %.100s port %d", 1420 rtype, c->listening_port, c->path, c->host_port, 1421 remote_ipaddr, remote_port, local_ipaddr, local_port); 1422 1423 free(c->remote_name); 1424 c->remote_name = xstrdup(buf); 1425 1426 if (compat20) { 1427 packet_start(SSH2_MSG_CHANNEL_OPEN); 1428 packet_put_cstring(rtype); 1429 packet_put_int(c->self); 1430 packet_put_int(c->local_window_max); 1431 packet_put_int(c->local_maxpacket); 1432 if (strcmp(rtype, "direct-tcpip") == 0) { 1433 /* target host, port */ 1434 packet_put_cstring(c->path); 1435 packet_put_int(c->host_port); 1436 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) { 1437 /* target path */ 1438 packet_put_cstring(c->path); 1439 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1440 /* listen path */ 1441 packet_put_cstring(c->path); 1442 } else { 1443 /* listen address, port */ 1444 packet_put_cstring(c->path); 1445 packet_put_int(local_port); 1446 } 1447 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1448 /* reserved for future owner/mode info */ 1449 packet_put_cstring(""); 1450 } else { 1451 /* originator host and port */ 1452 packet_put_cstring(remote_ipaddr); 1453 packet_put_int((u_int)remote_port); 1454 } 1455 packet_send(); 1456 } else { 1457 packet_start(SSH_MSG_PORT_OPEN); 1458 packet_put_int(c->self); 1459 packet_put_cstring(c->path); 1460 packet_put_int(c->host_port); 1461 if (packet_get_protocol_flags() & 1462 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1463 packet_put_cstring(c->remote_name); 1464 packet_send(); 1465 } 1466 free(remote_ipaddr); 1467 free(local_ipaddr); 1468 } 1469 1470 static void 1471 channel_set_reuseaddr(int fd) 1472 { 1473 int on = 1; 1474 1475 /* 1476 * Set socket options. 1477 * Allow local port reuse in TIME_WAIT. 1478 */ 1479 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1480 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1481 } 1482 1483 /* 1484 * This socket is listening for connections to a forwarded TCP/IP port. 1485 */ 1486 /* ARGSUSED */ 1487 static void 1488 channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1489 { 1490 Channel *nc; 1491 struct sockaddr_storage addr; 1492 int newsock, nextstate; 1493 socklen_t addrlen; 1494 char *rtype; 1495 1496 if (FD_ISSET(c->sock, readset)) { 1497 debug("Connection to port %d forwarding " 1498 "to %.100s port %d requested.", 1499 c->listening_port, c->path, c->host_port); 1500 1501 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1502 nextstate = SSH_CHANNEL_OPENING; 1503 rtype = "forwarded-tcpip"; 1504 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) { 1505 nextstate = SSH_CHANNEL_OPENING; 1506 rtype = "forwarded-streamlocal@openssh.com"; 1507 } else if (c->host_port == PORT_STREAMLOCAL) { 1508 nextstate = SSH_CHANNEL_OPENING; 1509 rtype = "direct-streamlocal@openssh.com"; 1510 } else if (c->host_port == 0) { 1511 nextstate = SSH_CHANNEL_DYNAMIC; 1512 rtype = "dynamic-tcpip"; 1513 } else { 1514 nextstate = SSH_CHANNEL_OPENING; 1515 rtype = "direct-tcpip"; 1516 } 1517 1518 addrlen = sizeof(addr); 1519 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1520 if (newsock < 0) { 1521 if (errno != EINTR && errno != EWOULDBLOCK && 1522 errno != ECONNABORTED) 1523 error("accept: %.100s", strerror(errno)); 1524 if (errno == EMFILE || errno == ENFILE) 1525 c->notbefore = monotime() + 1; 1526 return; 1527 } 1528 if (c->host_port != PORT_STREAMLOCAL) 1529 set_nodelay(newsock); 1530 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1531 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1532 nc->listening_port = c->listening_port; 1533 nc->host_port = c->host_port; 1534 if (c->path != NULL) 1535 nc->path = xstrdup(c->path); 1536 1537 if (nextstate != SSH_CHANNEL_DYNAMIC) 1538 port_open_helper(nc, rtype); 1539 } 1540 } 1541 1542 /* 1543 * This is the authentication agent socket listening for connections from 1544 * clients. 1545 */ 1546 /* ARGSUSED */ 1547 static void 1548 channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1549 { 1550 Channel *nc; 1551 int newsock; 1552 struct sockaddr_storage addr; 1553 socklen_t addrlen; 1554 1555 if (FD_ISSET(c->sock, readset)) { 1556 addrlen = sizeof(addr); 1557 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1558 if (newsock < 0) { 1559 error("accept from auth socket: %.100s", 1560 strerror(errno)); 1561 if (errno == EMFILE || errno == ENFILE) 1562 c->notbefore = monotime() + 1; 1563 return; 1564 } 1565 nc = channel_new("accepted auth socket", 1566 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1567 c->local_window_max, c->local_maxpacket, 1568 0, "accepted auth socket", 1); 1569 if (compat20) { 1570 packet_start(SSH2_MSG_CHANNEL_OPEN); 1571 packet_put_cstring("auth-agent@openssh.com"); 1572 packet_put_int(nc->self); 1573 packet_put_int(c->local_window_max); 1574 packet_put_int(c->local_maxpacket); 1575 } else { 1576 packet_start(SSH_SMSG_AGENT_OPEN); 1577 packet_put_int(nc->self); 1578 } 1579 packet_send(); 1580 } 1581 } 1582 1583 /* ARGSUSED */ 1584 static void 1585 channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1586 { 1587 int err = 0, sock; 1588 socklen_t sz = sizeof(err); 1589 1590 if (FD_ISSET(c->sock, writeset)) { 1591 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1592 err = errno; 1593 error("getsockopt SO_ERROR failed"); 1594 } 1595 if (err == 0) { 1596 debug("channel %d: connected to %s port %d", 1597 c->self, c->connect_ctx.host, c->connect_ctx.port); 1598 channel_connect_ctx_free(&c->connect_ctx); 1599 c->type = SSH_CHANNEL_OPEN; 1600 if (compat20) { 1601 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1602 packet_put_int(c->remote_id); 1603 packet_put_int(c->self); 1604 packet_put_int(c->local_window); 1605 packet_put_int(c->local_maxpacket); 1606 } else { 1607 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1608 packet_put_int(c->remote_id); 1609 packet_put_int(c->self); 1610 } 1611 } else { 1612 debug("channel %d: connection failed: %s", 1613 c->self, strerror(err)); 1614 /* Try next address, if any */ 1615 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1616 close(c->sock); 1617 c->sock = c->rfd = c->wfd = sock; 1618 channel_max_fd = channel_find_maxfd(); 1619 return; 1620 } 1621 /* Exhausted all addresses */ 1622 error("connect_to %.100s port %d: failed.", 1623 c->connect_ctx.host, c->connect_ctx.port); 1624 channel_connect_ctx_free(&c->connect_ctx); 1625 if (compat20) { 1626 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1627 packet_put_int(c->remote_id); 1628 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1629 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1630 packet_put_cstring(strerror(err)); 1631 packet_put_cstring(""); 1632 } 1633 } else { 1634 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1635 packet_put_int(c->remote_id); 1636 } 1637 chan_mark_dead(c); 1638 } 1639 packet_send(); 1640 } 1641 } 1642 1643 /* ARGSUSED */ 1644 static int 1645 channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1646 { 1647 char buf[CHAN_RBUF]; 1648 int len, force; 1649 1650 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1651 if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) { 1652 errno = 0; 1653 len = read(c->rfd, buf, sizeof(buf)); 1654 if (len < 0 && (errno == EINTR || 1655 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1656 return 1; 1657 #ifndef PTY_ZEROREAD 1658 if (len <= 0) { 1659 #else 1660 if ((!c->isatty && len <= 0) || 1661 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1662 #endif 1663 debug2("channel %d: read<=0 rfd %d len %d", 1664 c->self, c->rfd, len); 1665 if (c->type != SSH_CHANNEL_OPEN) { 1666 debug2("channel %d: not open", c->self); 1667 chan_mark_dead(c); 1668 return -1; 1669 } else if (compat13) { 1670 buffer_clear(&c->output); 1671 c->type = SSH_CHANNEL_INPUT_DRAINING; 1672 debug2("channel %d: input draining.", c->self); 1673 } else { 1674 chan_read_failed(c); 1675 } 1676 return -1; 1677 } 1678 if (c->input_filter != NULL) { 1679 if (c->input_filter(c, buf, len) == -1) { 1680 debug2("channel %d: filter stops", c->self); 1681 chan_read_failed(c); 1682 } 1683 } else if (c->datagram) { 1684 buffer_put_string(&c->input, buf, len); 1685 } else { 1686 buffer_append(&c->input, buf, len); 1687 } 1688 } 1689 return 1; 1690 } 1691 1692 /* ARGSUSED */ 1693 static int 1694 channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1695 { 1696 struct termios tio; 1697 u_char *data = NULL, *buf; 1698 u_int dlen, olen = 0; 1699 int len; 1700 1701 /* Send buffered output data to the socket. */ 1702 if (c->wfd != -1 && 1703 FD_ISSET(c->wfd, writeset) && 1704 buffer_len(&c->output) > 0) { 1705 olen = buffer_len(&c->output); 1706 if (c->output_filter != NULL) { 1707 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1708 debug2("channel %d: filter stops", c->self); 1709 if (c->type != SSH_CHANNEL_OPEN) 1710 chan_mark_dead(c); 1711 else 1712 chan_write_failed(c); 1713 return -1; 1714 } 1715 } else if (c->datagram) { 1716 buf = data = buffer_get_string(&c->output, &dlen); 1717 } else { 1718 buf = data = buffer_ptr(&c->output); 1719 dlen = buffer_len(&c->output); 1720 } 1721 1722 if (c->datagram) { 1723 /* ignore truncated writes, datagrams might get lost */ 1724 len = write(c->wfd, buf, dlen); 1725 free(data); 1726 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1727 errno == EWOULDBLOCK)) 1728 return 1; 1729 if (len <= 0) { 1730 if (c->type != SSH_CHANNEL_OPEN) 1731 chan_mark_dead(c); 1732 else 1733 chan_write_failed(c); 1734 return -1; 1735 } 1736 goto out; 1737 } 1738 #ifdef _AIX 1739 /* XXX: Later AIX versions can't push as much data to tty */ 1740 if (compat20 && c->wfd_isatty) 1741 dlen = MIN(dlen, 8*1024); 1742 #endif 1743 1744 len = write(c->wfd, buf, dlen); 1745 if (len < 0 && 1746 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1747 return 1; 1748 if (len <= 0) { 1749 if (c->type != SSH_CHANNEL_OPEN) { 1750 debug2("channel %d: not open", c->self); 1751 chan_mark_dead(c); 1752 return -1; 1753 } else if (compat13) { 1754 buffer_clear(&c->output); 1755 debug2("channel %d: input draining.", c->self); 1756 c->type = SSH_CHANNEL_INPUT_DRAINING; 1757 } else { 1758 chan_write_failed(c); 1759 } 1760 return -1; 1761 } 1762 #ifndef BROKEN_TCGETATTR_ICANON 1763 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1764 if (tcgetattr(c->wfd, &tio) == 0 && 1765 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1766 /* 1767 * Simulate echo to reduce the impact of 1768 * traffic analysis. We need to match the 1769 * size of a SSH2_MSG_CHANNEL_DATA message 1770 * (4 byte channel id + buf) 1771 */ 1772 packet_send_ignore(4 + len); 1773 packet_send(); 1774 } 1775 } 1776 #endif 1777 buffer_consume(&c->output, len); 1778 } 1779 out: 1780 if (compat20 && olen > 0) 1781 c->local_consumed += olen - buffer_len(&c->output); 1782 return 1; 1783 } 1784 1785 static int 1786 channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1787 { 1788 char buf[CHAN_RBUF]; 1789 int len; 1790 1791 /** XXX handle drain efd, too */ 1792 if (c->efd != -1) { 1793 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1794 FD_ISSET(c->efd, writeset) && 1795 buffer_len(&c->extended) > 0) { 1796 len = write(c->efd, buffer_ptr(&c->extended), 1797 buffer_len(&c->extended)); 1798 debug2("channel %d: written %d to efd %d", 1799 c->self, len, c->efd); 1800 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1801 errno == EWOULDBLOCK)) 1802 return 1; 1803 if (len <= 0) { 1804 debug2("channel %d: closing write-efd %d", 1805 c->self, c->efd); 1806 channel_close_fd(&c->efd); 1807 } else { 1808 buffer_consume(&c->extended, len); 1809 c->local_consumed += len; 1810 } 1811 } else if (c->efd != -1 && 1812 (c->extended_usage == CHAN_EXTENDED_READ || 1813 c->extended_usage == CHAN_EXTENDED_IGNORE) && 1814 (c->detach_close || FD_ISSET(c->efd, readset))) { 1815 len = read(c->efd, buf, sizeof(buf)); 1816 debug2("channel %d: read %d from efd %d", 1817 c->self, len, c->efd); 1818 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 1819 errno == EWOULDBLOCK) && !c->detach_close))) 1820 return 1; 1821 if (len <= 0) { 1822 debug2("channel %d: closing read-efd %d", 1823 c->self, c->efd); 1824 channel_close_fd(&c->efd); 1825 } else { 1826 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 1827 debug3("channel %d: discard efd", 1828 c->self); 1829 } else 1830 buffer_append(&c->extended, buf, len); 1831 } 1832 } 1833 } 1834 return 1; 1835 } 1836 1837 static int 1838 channel_check_window(Channel *c) 1839 { 1840 if (c->type == SSH_CHANNEL_OPEN && 1841 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1842 ((c->local_window_max - c->local_window > 1843 c->local_maxpacket*3) || 1844 c->local_window < c->local_window_max/2) && 1845 c->local_consumed > 0) { 1846 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1847 packet_put_int(c->remote_id); 1848 packet_put_int(c->local_consumed); 1849 packet_send(); 1850 debug2("channel %d: window %d sent adjust %d", 1851 c->self, c->local_window, 1852 c->local_consumed); 1853 c->local_window += c->local_consumed; 1854 c->local_consumed = 0; 1855 } 1856 return 1; 1857 } 1858 1859 static void 1860 channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1861 { 1862 channel_handle_rfd(c, readset, writeset); 1863 channel_handle_wfd(c, readset, writeset); 1864 if (!compat20) 1865 return; 1866 channel_handle_efd(c, readset, writeset); 1867 channel_check_window(c); 1868 } 1869 1870 static u_int 1871 read_mux(Channel *c, u_int need) 1872 { 1873 char buf[CHAN_RBUF]; 1874 int len; 1875 u_int rlen; 1876 1877 if (buffer_len(&c->input) < need) { 1878 rlen = need - buffer_len(&c->input); 1879 len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF)); 1880 if (len <= 0) { 1881 if (errno != EINTR && errno != EAGAIN) { 1882 debug2("channel %d: ctl read<=0 rfd %d len %d", 1883 c->self, c->rfd, len); 1884 chan_read_failed(c); 1885 return 0; 1886 } 1887 } else 1888 buffer_append(&c->input, buf, len); 1889 } 1890 return buffer_len(&c->input); 1891 } 1892 1893 static void 1894 channel_post_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1895 { 1896 u_int need; 1897 ssize_t len; 1898 1899 if (!compat20) 1900 fatal("%s: entered with !compat20", __func__); 1901 1902 if (c->rfd != -1 && !c->mux_pause && FD_ISSET(c->rfd, readset) && 1903 (c->istate == CHAN_INPUT_OPEN || 1904 c->istate == CHAN_INPUT_WAIT_DRAIN)) { 1905 /* 1906 * Don't not read past the precise end of packets to 1907 * avoid disrupting fd passing. 1908 */ 1909 if (read_mux(c, 4) < 4) /* read header */ 1910 return; 1911 need = get_u32(buffer_ptr(&c->input)); 1912 #define CHANNEL_MUX_MAX_PACKET (256 * 1024) 1913 if (need > CHANNEL_MUX_MAX_PACKET) { 1914 debug2("channel %d: packet too big %u > %u", 1915 c->self, CHANNEL_MUX_MAX_PACKET, need); 1916 chan_rcvd_oclose(c); 1917 return; 1918 } 1919 if (read_mux(c, need + 4) < need + 4) /* read body */ 1920 return; 1921 if (c->mux_rcb(c) != 0) { 1922 debug("channel %d: mux_rcb failed", c->self); 1923 chan_mark_dead(c); 1924 return; 1925 } 1926 } 1927 1928 if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && 1929 buffer_len(&c->output) > 0) { 1930 len = write(c->wfd, buffer_ptr(&c->output), 1931 buffer_len(&c->output)); 1932 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1933 return; 1934 if (len <= 0) { 1935 chan_mark_dead(c); 1936 return; 1937 } 1938 buffer_consume(&c->output, len); 1939 } 1940 } 1941 1942 static void 1943 channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) 1944 { 1945 Channel *nc; 1946 struct sockaddr_storage addr; 1947 socklen_t addrlen; 1948 int newsock; 1949 uid_t euid; 1950 gid_t egid; 1951 1952 if (!FD_ISSET(c->sock, readset)) 1953 return; 1954 1955 debug("multiplexing control connection"); 1956 1957 /* 1958 * Accept connection on control socket 1959 */ 1960 memset(&addr, 0, sizeof(addr)); 1961 addrlen = sizeof(addr); 1962 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 1963 &addrlen)) == -1) { 1964 error("%s accept: %s", __func__, strerror(errno)); 1965 if (errno == EMFILE || errno == ENFILE) 1966 c->notbefore = monotime() + 1; 1967 return; 1968 } 1969 1970 if (getpeereid(newsock, &euid, &egid) < 0) { 1971 error("%s getpeereid failed: %s", __func__, 1972 strerror(errno)); 1973 close(newsock); 1974 return; 1975 } 1976 if ((euid != 0) && (getuid() != euid)) { 1977 error("multiplex uid mismatch: peer euid %u != uid %u", 1978 (u_int)euid, (u_int)getuid()); 1979 close(newsock); 1980 return; 1981 } 1982 nc = channel_new("multiplex client", SSH_CHANNEL_MUX_CLIENT, 1983 newsock, newsock, -1, c->local_window_max, 1984 c->local_maxpacket, 0, "mux-control", 1); 1985 nc->mux_rcb = c->mux_rcb; 1986 debug3("%s: new mux channel %d fd %d", __func__, 1987 nc->self, nc->sock); 1988 /* establish state */ 1989 nc->mux_rcb(nc); 1990 /* mux state transitions must not elicit protocol messages */ 1991 nc->flags |= CHAN_LOCAL; 1992 } 1993 1994 /* ARGSUSED */ 1995 static void 1996 channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 1997 { 1998 int len; 1999 2000 /* Send buffered output data to the socket. */ 2001 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 2002 len = write(c->sock, buffer_ptr(&c->output), 2003 buffer_len(&c->output)); 2004 if (len <= 0) 2005 buffer_clear(&c->output); 2006 else 2007 buffer_consume(&c->output, len); 2008 } 2009 } 2010 2011 static void 2012 channel_handler_init_20(void) 2013 { 2014 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2015 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2016 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2017 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 2018 channel_pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener; 2019 channel_pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener; 2020 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2021 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2022 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2023 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2024 channel_pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 2025 channel_pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 2026 2027 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2028 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2029 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 2030 channel_post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener; 2031 channel_post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener; 2032 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2033 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2034 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2035 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2036 channel_post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 2037 channel_post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 2038 } 2039 2040 static void 2041 channel_handler_init_13(void) 2042 { 2043 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 2044 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 2045 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2046 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2047 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2048 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 2049 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 2050 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2051 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2052 2053 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2054 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2055 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2056 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2057 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 2058 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2059 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2060 } 2061 2062 static void 2063 channel_handler_init_15(void) 2064 { 2065 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2066 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2067 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2068 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2069 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2070 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2071 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2072 2073 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2074 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2075 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2076 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2077 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2078 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2079 } 2080 2081 static void 2082 channel_handler_init(void) 2083 { 2084 int i; 2085 2086 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 2087 channel_pre[i] = NULL; 2088 channel_post[i] = NULL; 2089 } 2090 if (compat20) 2091 channel_handler_init_20(); 2092 else if (compat13) 2093 channel_handler_init_13(); 2094 else 2095 channel_handler_init_15(); 2096 } 2097 2098 /* gc dead channels */ 2099 static void 2100 channel_garbage_collect(Channel *c) 2101 { 2102 if (c == NULL) 2103 return; 2104 if (c->detach_user != NULL) { 2105 if (!chan_is_dead(c, c->detach_close)) 2106 return; 2107 debug2("channel %d: gc: notify user", c->self); 2108 c->detach_user(c->self, NULL); 2109 /* if we still have a callback */ 2110 if (c->detach_user != NULL) 2111 return; 2112 debug2("channel %d: gc: user detached", c->self); 2113 } 2114 if (!chan_is_dead(c, 1)) 2115 return; 2116 debug2("channel %d: garbage collecting", c->self); 2117 channel_free(c); 2118 } 2119 2120 static void 2121 channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, 2122 time_t *unpause_secs) 2123 { 2124 static int did_init = 0; 2125 u_int i, oalloc; 2126 Channel *c; 2127 time_t now; 2128 2129 if (!did_init) { 2130 channel_handler_init(); 2131 did_init = 1; 2132 } 2133 now = monotime(); 2134 if (unpause_secs != NULL) 2135 *unpause_secs = 0; 2136 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { 2137 c = channels[i]; 2138 if (c == NULL) 2139 continue; 2140 if (c->delayed) { 2141 if (ftab == channel_pre) 2142 c->delayed = 0; 2143 else 2144 continue; 2145 } 2146 if (ftab[c->type] != NULL) { 2147 /* 2148 * Run handlers that are not paused. 2149 */ 2150 if (c->notbefore <= now) 2151 (*ftab[c->type])(c, readset, writeset); 2152 else if (unpause_secs != NULL) { 2153 /* 2154 * Collect the time that the earliest 2155 * channel comes off pause. 2156 */ 2157 debug3("%s: chan %d: skip for %d more seconds", 2158 __func__, c->self, 2159 (int)(c->notbefore - now)); 2160 if (*unpause_secs == 0 || 2161 (c->notbefore - now) < *unpause_secs) 2162 *unpause_secs = c->notbefore - now; 2163 } 2164 } 2165 channel_garbage_collect(c); 2166 } 2167 if (unpause_secs != NULL && *unpause_secs != 0) 2168 debug3("%s: first channel unpauses in %d seconds", 2169 __func__, (int)*unpause_secs); 2170 } 2171 2172 /* 2173 * Allocate/update select bitmasks and add any bits relevant to channels in 2174 * select bitmasks. 2175 */ 2176 void 2177 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 2178 u_int *nallocp, time_t *minwait_secs, int rekeying) 2179 { 2180 u_int n, sz, nfdset; 2181 2182 n = MAX(*maxfdp, channel_max_fd); 2183 2184 nfdset = howmany(n+1, NFDBITS); 2185 /* Explicitly test here, because xrealloc isn't always called */ 2186 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) 2187 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2188 sz = nfdset * sizeof(fd_mask); 2189 2190 /* perhaps check sz < nalloc/2 and shrink? */ 2191 if (*readsetp == NULL || sz > *nallocp) { 2192 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); 2193 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); 2194 *nallocp = sz; 2195 } 2196 *maxfdp = n; 2197 memset(*readsetp, 0, sz); 2198 memset(*writesetp, 0, sz); 2199 2200 if (!rekeying) 2201 channel_handler(channel_pre, *readsetp, *writesetp, 2202 minwait_secs); 2203 } 2204 2205 /* 2206 * After select, perform any appropriate operations for channels which have 2207 * events pending. 2208 */ 2209 void 2210 channel_after_select(fd_set *readset, fd_set *writeset) 2211 { 2212 channel_handler(channel_post, readset, writeset, NULL); 2213 } 2214 2215 2216 /* If there is data to send to the connection, enqueue some of it now. */ 2217 void 2218 channel_output_poll(void) 2219 { 2220 Channel *c; 2221 u_int i, len; 2222 2223 for (i = 0; i < channels_alloc; i++) { 2224 c = channels[i]; 2225 if (c == NULL) 2226 continue; 2227 2228 /* 2229 * We are only interested in channels that can have buffered 2230 * incoming data. 2231 */ 2232 if (compat13) { 2233 if (c->type != SSH_CHANNEL_OPEN && 2234 c->type != SSH_CHANNEL_INPUT_DRAINING) 2235 continue; 2236 } else { 2237 if (c->type != SSH_CHANNEL_OPEN) 2238 continue; 2239 } 2240 if (compat20 && 2241 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2242 /* XXX is this true? */ 2243 debug3("channel %d: will not send data after close", c->self); 2244 continue; 2245 } 2246 2247 /* Get the amount of buffered data for this channel. */ 2248 if ((c->istate == CHAN_INPUT_OPEN || 2249 c->istate == CHAN_INPUT_WAIT_DRAIN) && 2250 (len = buffer_len(&c->input)) > 0) { 2251 if (c->datagram) { 2252 if (len > 0) { 2253 u_char *data; 2254 u_int dlen; 2255 2256 data = buffer_get_string(&c->input, 2257 &dlen); 2258 if (dlen > c->remote_window || 2259 dlen > c->remote_maxpacket) { 2260 debug("channel %d: datagram " 2261 "too big for channel", 2262 c->self); 2263 free(data); 2264 continue; 2265 } 2266 packet_start(SSH2_MSG_CHANNEL_DATA); 2267 packet_put_int(c->remote_id); 2268 packet_put_string(data, dlen); 2269 packet_send(); 2270 c->remote_window -= dlen + 4; 2271 free(data); 2272 } 2273 continue; 2274 } 2275 /* 2276 * Send some data for the other side over the secure 2277 * connection. 2278 */ 2279 if (compat20) { 2280 if (len > c->remote_window) 2281 len = c->remote_window; 2282 if (len > c->remote_maxpacket) 2283 len = c->remote_maxpacket; 2284 } else { 2285 if (packet_is_interactive()) { 2286 if (len > 1024) 2287 len = 512; 2288 } else { 2289 /* Keep the packets at reasonable size. */ 2290 if (len > packet_get_maxsize()/2) 2291 len = packet_get_maxsize()/2; 2292 } 2293 } 2294 if (len > 0) { 2295 packet_start(compat20 ? 2296 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 2297 packet_put_int(c->remote_id); 2298 packet_put_string(buffer_ptr(&c->input), len); 2299 packet_send(); 2300 buffer_consume(&c->input, len); 2301 c->remote_window -= len; 2302 } 2303 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2304 if (compat13) 2305 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 2306 /* 2307 * input-buffer is empty and read-socket shutdown: 2308 * tell peer, that we will not send more data: send IEOF. 2309 * hack for extended data: delay EOF if EFD still in use. 2310 */ 2311 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2312 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 2313 c->self, c->efd, buffer_len(&c->extended)); 2314 else 2315 chan_ibuf_empty(c); 2316 } 2317 /* Send extended data, i.e. stderr */ 2318 if (compat20 && 2319 !(c->flags & CHAN_EOF_SENT) && 2320 c->remote_window > 0 && 2321 (len = buffer_len(&c->extended)) > 0 && 2322 c->extended_usage == CHAN_EXTENDED_READ) { 2323 debug2("channel %d: rwin %u elen %u euse %d", 2324 c->self, c->remote_window, buffer_len(&c->extended), 2325 c->extended_usage); 2326 if (len > c->remote_window) 2327 len = c->remote_window; 2328 if (len > c->remote_maxpacket) 2329 len = c->remote_maxpacket; 2330 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 2331 packet_put_int(c->remote_id); 2332 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 2333 packet_put_string(buffer_ptr(&c->extended), len); 2334 packet_send(); 2335 buffer_consume(&c->extended, len); 2336 c->remote_window -= len; 2337 debug2("channel %d: sent ext data %d", c->self, len); 2338 } 2339 } 2340 } 2341 2342 2343 /* -- protocol input */ 2344 2345 /* ARGSUSED */ 2346 void 2347 channel_input_data(int type, u_int32_t seq, void *ctxt) 2348 { 2349 int id; 2350 const u_char *data; 2351 u_int data_len, win_len; 2352 Channel *c; 2353 2354 /* Get the channel number and verify it. */ 2355 id = packet_get_int(); 2356 c = channel_lookup(id); 2357 if (c == NULL) 2358 packet_disconnect("Received data for nonexistent channel %d.", id); 2359 2360 /* Ignore any data for non-open channels (might happen on close) */ 2361 if (c->type != SSH_CHANNEL_OPEN && 2362 c->type != SSH_CHANNEL_X11_OPEN) 2363 return; 2364 2365 /* Get the data. */ 2366 data = packet_get_string_ptr(&data_len); 2367 win_len = data_len; 2368 if (c->datagram) 2369 win_len += 4; /* string length header */ 2370 2371 /* 2372 * Ignore data for protocol > 1.3 if output end is no longer open. 2373 * For protocol 2 the sending side is reducing its window as it sends 2374 * data, so we must 'fake' consumption of the data in order to ensure 2375 * that window updates are sent back. Otherwise the connection might 2376 * deadlock. 2377 */ 2378 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2379 if (compat20) { 2380 c->local_window -= win_len; 2381 c->local_consumed += win_len; 2382 } 2383 return; 2384 } 2385 2386 if (compat20) { 2387 if (win_len > c->local_maxpacket) { 2388 logit("channel %d: rcvd big packet %d, maxpack %d", 2389 c->self, win_len, c->local_maxpacket); 2390 } 2391 if (win_len > c->local_window) { 2392 logit("channel %d: rcvd too much data %d, win %d", 2393 c->self, win_len, c->local_window); 2394 return; 2395 } 2396 c->local_window -= win_len; 2397 } 2398 if (c->datagram) 2399 buffer_put_string(&c->output, data, data_len); 2400 else 2401 buffer_append(&c->output, data, data_len); 2402 packet_check_eom(); 2403 } 2404 2405 /* ARGSUSED */ 2406 void 2407 channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2408 { 2409 int id; 2410 char *data; 2411 u_int data_len, tcode; 2412 Channel *c; 2413 2414 /* Get the channel number and verify it. */ 2415 id = packet_get_int(); 2416 c = channel_lookup(id); 2417 2418 if (c == NULL) 2419 packet_disconnect("Received extended_data for bad channel %d.", id); 2420 if (c->type != SSH_CHANNEL_OPEN) { 2421 logit("channel %d: ext data for non open", id); 2422 return; 2423 } 2424 if (c->flags & CHAN_EOF_RCVD) { 2425 if (datafellows & SSH_BUG_EXTEOF) 2426 debug("channel %d: accepting ext data after eof", id); 2427 else 2428 packet_disconnect("Received extended_data after EOF " 2429 "on channel %d.", id); 2430 } 2431 tcode = packet_get_int(); 2432 if (c->efd == -1 || 2433 c->extended_usage != CHAN_EXTENDED_WRITE || 2434 tcode != SSH2_EXTENDED_DATA_STDERR) { 2435 logit("channel %d: bad ext data", c->self); 2436 return; 2437 } 2438 data = packet_get_string(&data_len); 2439 packet_check_eom(); 2440 if (data_len > c->local_window) { 2441 logit("channel %d: rcvd too much extended_data %d, win %d", 2442 c->self, data_len, c->local_window); 2443 free(data); 2444 return; 2445 } 2446 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2447 c->local_window -= data_len; 2448 buffer_append(&c->extended, data, data_len); 2449 free(data); 2450 } 2451 2452 /* ARGSUSED */ 2453 void 2454 channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2455 { 2456 int id; 2457 Channel *c; 2458 2459 id = packet_get_int(); 2460 packet_check_eom(); 2461 c = channel_lookup(id); 2462 if (c == NULL) 2463 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2464 chan_rcvd_ieof(c); 2465 2466 /* XXX force input close */ 2467 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2468 debug("channel %d: FORCE input drain", c->self); 2469 c->istate = CHAN_INPUT_WAIT_DRAIN; 2470 if (buffer_len(&c->input) == 0) 2471 chan_ibuf_empty(c); 2472 } 2473 2474 } 2475 2476 /* ARGSUSED */ 2477 void 2478 channel_input_close(int type, u_int32_t seq, void *ctxt) 2479 { 2480 int id; 2481 Channel *c; 2482 2483 id = packet_get_int(); 2484 packet_check_eom(); 2485 c = channel_lookup(id); 2486 if (c == NULL) 2487 packet_disconnect("Received close for nonexistent channel %d.", id); 2488 2489 /* 2490 * Send a confirmation that we have closed the channel and no more 2491 * data is coming for it. 2492 */ 2493 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2494 packet_put_int(c->remote_id); 2495 packet_send(); 2496 2497 /* 2498 * If the channel is in closed state, we have sent a close request, 2499 * and the other side will eventually respond with a confirmation. 2500 * Thus, we cannot free the channel here, because then there would be 2501 * no-one to receive the confirmation. The channel gets freed when 2502 * the confirmation arrives. 2503 */ 2504 if (c->type != SSH_CHANNEL_CLOSED) { 2505 /* 2506 * Not a closed channel - mark it as draining, which will 2507 * cause it to be freed later. 2508 */ 2509 buffer_clear(&c->input); 2510 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2511 } 2512 } 2513 2514 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2515 /* ARGSUSED */ 2516 void 2517 channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2518 { 2519 int id = packet_get_int(); 2520 Channel *c = channel_lookup(id); 2521 2522 packet_check_eom(); 2523 if (c == NULL) 2524 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2525 chan_rcvd_oclose(c); 2526 } 2527 2528 /* ARGSUSED */ 2529 void 2530 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2531 { 2532 int id = packet_get_int(); 2533 Channel *c = channel_lookup(id); 2534 2535 packet_check_eom(); 2536 if (c == NULL) 2537 packet_disconnect("Received close confirmation for " 2538 "out-of-range channel %d.", id); 2539 if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED) 2540 packet_disconnect("Received close confirmation for " 2541 "non-closed channel %d (type %d).", id, c->type); 2542 channel_free(c); 2543 } 2544 2545 /* ARGSUSED */ 2546 void 2547 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2548 { 2549 int id, remote_id; 2550 Channel *c; 2551 2552 id = packet_get_int(); 2553 c = channel_lookup(id); 2554 2555 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2556 packet_disconnect("Received open confirmation for " 2557 "non-opening channel %d.", id); 2558 remote_id = packet_get_int(); 2559 /* Record the remote channel number and mark that the channel is now open. */ 2560 c->remote_id = remote_id; 2561 c->type = SSH_CHANNEL_OPEN; 2562 2563 if (compat20) { 2564 c->remote_window = packet_get_int(); 2565 c->remote_maxpacket = packet_get_int(); 2566 if (c->open_confirm) { 2567 debug2("callback start"); 2568 c->open_confirm(c->self, 1, c->open_confirm_ctx); 2569 debug2("callback done"); 2570 } 2571 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2572 c->remote_window, c->remote_maxpacket); 2573 } 2574 packet_check_eom(); 2575 } 2576 2577 static char * 2578 reason2txt(int reason) 2579 { 2580 switch (reason) { 2581 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2582 return "administratively prohibited"; 2583 case SSH2_OPEN_CONNECT_FAILED: 2584 return "connect failed"; 2585 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2586 return "unknown channel type"; 2587 case SSH2_OPEN_RESOURCE_SHORTAGE: 2588 return "resource shortage"; 2589 } 2590 return "unknown reason"; 2591 } 2592 2593 /* ARGSUSED */ 2594 void 2595 channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2596 { 2597 int id, reason; 2598 char *msg = NULL, *lang = NULL; 2599 Channel *c; 2600 2601 id = packet_get_int(); 2602 c = channel_lookup(id); 2603 2604 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2605 packet_disconnect("Received open failure for " 2606 "non-opening channel %d.", id); 2607 if (compat20) { 2608 reason = packet_get_int(); 2609 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2610 msg = packet_get_string(NULL); 2611 lang = packet_get_string(NULL); 2612 } 2613 logit("channel %d: open failed: %s%s%s", id, 2614 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2615 free(msg); 2616 free(lang); 2617 if (c->open_confirm) { 2618 debug2("callback start"); 2619 c->open_confirm(c->self, 0, c->open_confirm_ctx); 2620 debug2("callback done"); 2621 } 2622 } 2623 packet_check_eom(); 2624 /* Schedule the channel for cleanup/deletion. */ 2625 chan_mark_dead(c); 2626 } 2627 2628 /* ARGSUSED */ 2629 void 2630 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2631 { 2632 Channel *c; 2633 int id; 2634 u_int adjust; 2635 2636 if (!compat20) 2637 return; 2638 2639 /* Get the channel number and verify it. */ 2640 id = packet_get_int(); 2641 c = channel_lookup(id); 2642 2643 if (c == NULL) { 2644 logit("Received window adjust for non-open channel %d.", id); 2645 return; 2646 } 2647 adjust = packet_get_int(); 2648 packet_check_eom(); 2649 debug2("channel %d: rcvd adjust %u", id, adjust); 2650 c->remote_window += adjust; 2651 } 2652 2653 /* ARGSUSED */ 2654 void 2655 channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2656 { 2657 Channel *c = NULL; 2658 u_short host_port; 2659 char *host, *originator_string; 2660 int remote_id; 2661 2662 remote_id = packet_get_int(); 2663 host = packet_get_string(NULL); 2664 host_port = packet_get_int(); 2665 2666 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2667 originator_string = packet_get_string(NULL); 2668 } else { 2669 originator_string = xstrdup("unknown (remote did not supply name)"); 2670 } 2671 packet_check_eom(); 2672 c = channel_connect_to_port(host, host_port, 2673 "connected socket", originator_string); 2674 free(originator_string); 2675 free(host); 2676 if (c == NULL) { 2677 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2678 packet_put_int(remote_id); 2679 packet_send(); 2680 } else 2681 c->remote_id = remote_id; 2682 } 2683 2684 /* ARGSUSED */ 2685 void 2686 channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) 2687 { 2688 Channel *c; 2689 struct channel_confirm *cc; 2690 int id; 2691 2692 /* Reset keepalive timeout */ 2693 packet_set_alive_timeouts(0); 2694 2695 id = packet_get_int(); 2696 packet_check_eom(); 2697 2698 debug2("channel_input_status_confirm: type %d id %d", type, id); 2699 2700 if ((c = channel_lookup(id)) == NULL) { 2701 logit("channel_input_status_confirm: %d: unknown", id); 2702 return; 2703 } 2704 ; 2705 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 2706 return; 2707 cc->cb(type, c, cc->ctx); 2708 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2709 explicit_bzero(cc, sizeof(*cc)); 2710 free(cc); 2711 } 2712 2713 /* -- tcp forwarding */ 2714 2715 void 2716 channel_set_af(int af) 2717 { 2718 IPv4or6 = af; 2719 } 2720 2721 2722 /* 2723 * Determine whether or not a port forward listens to loopback, the 2724 * specified address or wildcard. On the client, a specified bind 2725 * address will always override gateway_ports. On the server, a 2726 * gateway_ports of 1 (``yes'') will override the client's specification 2727 * and force a wildcard bind, whereas a value of 2 (``clientspecified'') 2728 * will bind to whatever address the client asked for. 2729 * 2730 * Special-case listen_addrs are: 2731 * 2732 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2733 * "" (empty string), "*" -> wildcard v4/v6 2734 * "localhost" -> loopback v4/v6 2735 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set 2736 */ 2737 static const char * 2738 channel_fwd_bind_addr(const char *listen_addr, int *wildcardp, 2739 int is_client, struct ForwardOptions *fwd_opts) 2740 { 2741 const char *addr = NULL; 2742 int wildcard = 0; 2743 2744 if (listen_addr == NULL) { 2745 /* No address specified: default to gateway_ports setting */ 2746 if (fwd_opts->gateway_ports) 2747 wildcard = 1; 2748 } else if (fwd_opts->gateway_ports || is_client) { 2749 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2750 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 2751 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2752 (!is_client && fwd_opts->gateway_ports == 1)) { 2753 wildcard = 1; 2754 /* 2755 * Notify client if they requested a specific listen 2756 * address and it was overridden. 2757 */ 2758 if (*listen_addr != '\0' && 2759 strcmp(listen_addr, "0.0.0.0") != 0 && 2760 strcmp(listen_addr, "*") != 0) { 2761 packet_send_debug("Forwarding listen address " 2762 "\"%s\" overridden by server " 2763 "GatewayPorts", listen_addr); 2764 } 2765 } else if (strcmp(listen_addr, "localhost") != 0 || 2766 strcmp(listen_addr, "127.0.0.1") == 0 || 2767 strcmp(listen_addr, "::1") == 0) { 2768 /* Accept localhost address when GatewayPorts=yes */ 2769 addr = listen_addr; 2770 } 2771 } else if (strcmp(listen_addr, "127.0.0.1") == 0 || 2772 strcmp(listen_addr, "::1") == 0) { 2773 /* 2774 * If a specific IPv4/IPv6 localhost address has been 2775 * requested then accept it even if gateway_ports is in 2776 * effect. This allows the client to prefer IPv4 or IPv6. 2777 */ 2778 addr = listen_addr; 2779 } 2780 if (wildcardp != NULL) 2781 *wildcardp = wildcard; 2782 return addr; 2783 } 2784 2785 static int 2786 channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd, 2787 int *allocated_listen_port, struct ForwardOptions *fwd_opts) 2788 { 2789 Channel *c; 2790 int sock, r, success = 0, wildcard = 0, is_client; 2791 struct addrinfo hints, *ai, *aitop; 2792 const char *host, *addr; 2793 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2794 in_port_t *lport_p; 2795 2796 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2797 fwd->listen_host : fwd->connect_host; 2798 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2799 2800 if (host == NULL) { 2801 error("No forward host name."); 2802 return 0; 2803 } 2804 if (strlen(host) >= NI_MAXHOST) { 2805 error("Forward host name too long."); 2806 return 0; 2807 } 2808 2809 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ 2810 addr = channel_fwd_bind_addr(fwd->listen_host, &wildcard, 2811 is_client, fwd_opts); 2812 debug3("%s: type %d wildcard %d addr %s", __func__, 2813 type, wildcard, (addr == NULL) ? "NULL" : addr); 2814 2815 /* 2816 * getaddrinfo returns a loopback address if the hostname is 2817 * set to NULL and hints.ai_flags is not AI_PASSIVE 2818 */ 2819 memset(&hints, 0, sizeof(hints)); 2820 hints.ai_family = IPv4or6; 2821 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2822 hints.ai_socktype = SOCK_STREAM; 2823 snprintf(strport, sizeof strport, "%d", fwd->listen_port); 2824 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2825 if (addr == NULL) { 2826 /* This really shouldn't happen */ 2827 packet_disconnect("getaddrinfo: fatal error: %s", 2828 ssh_gai_strerror(r)); 2829 } else { 2830 error("%s: getaddrinfo(%.64s): %s", __func__, addr, 2831 ssh_gai_strerror(r)); 2832 } 2833 return 0; 2834 } 2835 if (allocated_listen_port != NULL) 2836 *allocated_listen_port = 0; 2837 for (ai = aitop; ai; ai = ai->ai_next) { 2838 switch (ai->ai_family) { 2839 case AF_INET: 2840 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 2841 sin_port; 2842 break; 2843 case AF_INET6: 2844 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 2845 sin6_port; 2846 break; 2847 default: 2848 continue; 2849 } 2850 /* 2851 * If allocating a port for -R forwards, then use the 2852 * same port for all address families. 2853 */ 2854 if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 && 2855 allocated_listen_port != NULL && *allocated_listen_port > 0) 2856 *lport_p = htons(*allocated_listen_port); 2857 2858 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2859 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2860 error("%s: getnameinfo failed", __func__); 2861 continue; 2862 } 2863 /* Create a port to listen for the host. */ 2864 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2865 if (sock < 0) { 2866 /* this is no error since kernel may not support ipv6 */ 2867 verbose("socket: %.100s", strerror(errno)); 2868 continue; 2869 } 2870 2871 channel_set_reuseaddr(sock); 2872 if (ai->ai_family == AF_INET6) 2873 sock_set_v6only(sock); 2874 2875 debug("Local forwarding listening on %s port %s.", 2876 ntop, strport); 2877 2878 /* Bind the socket to the address. */ 2879 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2880 /* address can be in use ipv6 address is already bound */ 2881 if (!ai->ai_next) 2882 error("bind: %.100s", strerror(errno)); 2883 else 2884 verbose("bind: %.100s", strerror(errno)); 2885 2886 close(sock); 2887 continue; 2888 } 2889 /* Start listening for connections on the socket. */ 2890 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2891 error("listen: %.100s", strerror(errno)); 2892 close(sock); 2893 continue; 2894 } 2895 2896 /* 2897 * fwd->listen_port == 0 requests a dynamically allocated port - 2898 * record what we got. 2899 */ 2900 if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 && 2901 allocated_listen_port != NULL && 2902 *allocated_listen_port == 0) { 2903 *allocated_listen_port = get_sock_port(sock, 1); 2904 debug("Allocated listen port %d", 2905 *allocated_listen_port); 2906 } 2907 2908 /* Allocate a channel number for the socket. */ 2909 c = channel_new("port listener", type, sock, sock, -1, 2910 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2911 0, "port listener", 1); 2912 c->path = xstrdup(host); 2913 c->host_port = fwd->connect_port; 2914 c->listening_addr = addr == NULL ? NULL : xstrdup(addr); 2915 if (fwd->listen_port == 0 && allocated_listen_port != NULL && 2916 !(datafellows & SSH_BUG_DYNAMIC_RPORT)) 2917 c->listening_port = *allocated_listen_port; 2918 else 2919 c->listening_port = fwd->listen_port; 2920 success = 1; 2921 } 2922 if (success == 0) 2923 error("%s: cannot listen to port: %d", __func__, 2924 fwd->listen_port); 2925 freeaddrinfo(aitop); 2926 return success; 2927 } 2928 2929 static int 2930 channel_setup_fwd_listener_streamlocal(int type, struct Forward *fwd, 2931 struct ForwardOptions *fwd_opts) 2932 { 2933 struct sockaddr_un sunaddr; 2934 const char *path; 2935 Channel *c; 2936 int port, sock; 2937 mode_t omask; 2938 2939 switch (type) { 2940 case SSH_CHANNEL_UNIX_LISTENER: 2941 if (fwd->connect_path != NULL) { 2942 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) { 2943 error("Local connecting path too long: %s", 2944 fwd->connect_path); 2945 return 0; 2946 } 2947 path = fwd->connect_path; 2948 port = PORT_STREAMLOCAL; 2949 } else { 2950 if (fwd->connect_host == NULL) { 2951 error("No forward host name."); 2952 return 0; 2953 } 2954 if (strlen(fwd->connect_host) >= NI_MAXHOST) { 2955 error("Forward host name too long."); 2956 return 0; 2957 } 2958 path = fwd->connect_host; 2959 port = fwd->connect_port; 2960 } 2961 break; 2962 case SSH_CHANNEL_RUNIX_LISTENER: 2963 path = fwd->listen_path; 2964 port = PORT_STREAMLOCAL; 2965 break; 2966 default: 2967 error("%s: unexpected channel type %d", __func__, type); 2968 return 0; 2969 } 2970 2971 if (fwd->listen_path == NULL) { 2972 error("No forward path name."); 2973 return 0; 2974 } 2975 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) { 2976 error("Local listening path too long: %s", fwd->listen_path); 2977 return 0; 2978 } 2979 2980 debug3("%s: type %d path %s", __func__, type, fwd->listen_path); 2981 2982 /* Start a Unix domain listener. */ 2983 omask = umask(fwd_opts->streamlocal_bind_mask); 2984 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG, 2985 fwd_opts->streamlocal_bind_unlink); 2986 umask(omask); 2987 if (sock < 0) 2988 return 0; 2989 2990 debug("Local forwarding listening on path %s.", fwd->listen_path); 2991 2992 /* Allocate a channel number for the socket. */ 2993 c = channel_new("unix listener", type, sock, sock, -1, 2994 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2995 0, "unix listener", 1); 2996 c->path = xstrdup(path); 2997 c->host_port = port; 2998 c->listening_port = PORT_STREAMLOCAL; 2999 c->listening_addr = xstrdup(fwd->listen_path); 3000 return 1; 3001 } 3002 3003 static int 3004 channel_cancel_rport_listener_tcpip(const char *host, u_short port) 3005 { 3006 u_int i; 3007 int found = 0; 3008 3009 for (i = 0; i < channels_alloc; i++) { 3010 Channel *c = channels[i]; 3011 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER) 3012 continue; 3013 if (strcmp(c->path, host) == 0 && c->listening_port == port) { 3014 debug2("%s: close channel %d", __func__, i); 3015 channel_free(c); 3016 found = 1; 3017 } 3018 } 3019 3020 return (found); 3021 } 3022 3023 static int 3024 channel_cancel_rport_listener_streamlocal(const char *path) 3025 { 3026 u_int i; 3027 int found = 0; 3028 3029 for (i = 0; i < channels_alloc; i++) { 3030 Channel *c = channels[i]; 3031 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER) 3032 continue; 3033 if (c->path == NULL) 3034 continue; 3035 if (strcmp(c->path, path) == 0) { 3036 debug2("%s: close channel %d", __func__, i); 3037 channel_free(c); 3038 found = 1; 3039 } 3040 } 3041 3042 return (found); 3043 } 3044 3045 int 3046 channel_cancel_rport_listener(struct Forward *fwd) 3047 { 3048 if (fwd->listen_path != NULL) 3049 return channel_cancel_rport_listener_streamlocal(fwd->listen_path); 3050 else 3051 return channel_cancel_rport_listener_tcpip(fwd->listen_host, fwd->listen_port); 3052 } 3053 3054 static int 3055 channel_cancel_lport_listener_tcpip(const char *lhost, u_short lport, 3056 int cport, struct ForwardOptions *fwd_opts) 3057 { 3058 u_int i; 3059 int found = 0; 3060 const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, fwd_opts); 3061 3062 for (i = 0; i < channels_alloc; i++) { 3063 Channel *c = channels[i]; 3064 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER) 3065 continue; 3066 if (c->listening_port != lport) 3067 continue; 3068 if (cport == CHANNEL_CANCEL_PORT_STATIC) { 3069 /* skip dynamic forwardings */ 3070 if (c->host_port == 0) 3071 continue; 3072 } else { 3073 if (c->host_port != cport) 3074 continue; 3075 } 3076 if ((c->listening_addr == NULL && addr != NULL) || 3077 (c->listening_addr != NULL && addr == NULL)) 3078 continue; 3079 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) { 3080 debug2("%s: close channel %d", __func__, i); 3081 channel_free(c); 3082 found = 1; 3083 } 3084 } 3085 3086 return (found); 3087 } 3088 3089 static int 3090 channel_cancel_lport_listener_streamlocal(const char *path) 3091 { 3092 u_int i; 3093 int found = 0; 3094 3095 if (path == NULL) { 3096 error("%s: no path specified.", __func__); 3097 return 0; 3098 } 3099 3100 for (i = 0; i < channels_alloc; i++) { 3101 Channel *c = channels[i]; 3102 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER) 3103 continue; 3104 if (c->listening_addr == NULL) 3105 continue; 3106 if (strcmp(c->listening_addr, path) == 0) { 3107 debug2("%s: close channel %d", __func__, i); 3108 channel_free(c); 3109 found = 1; 3110 } 3111 } 3112 3113 return (found); 3114 } 3115 3116 int 3117 channel_cancel_lport_listener(struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts) 3118 { 3119 if (fwd->listen_path != NULL) 3120 return channel_cancel_lport_listener_streamlocal(fwd->listen_path); 3121 else 3122 return channel_cancel_lport_listener_tcpip(fwd->listen_host, fwd->listen_port, cport, fwd_opts); 3123 } 3124 3125 /* protocol local port fwd, used by ssh (and sshd in v1) */ 3126 int 3127 channel_setup_local_fwd_listener(struct Forward *fwd, struct ForwardOptions *fwd_opts) 3128 { 3129 if (fwd->listen_path != NULL) { 3130 return channel_setup_fwd_listener_streamlocal( 3131 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts); 3132 } else { 3133 return channel_setup_fwd_listener_tcpip(SSH_CHANNEL_PORT_LISTENER, 3134 fwd, NULL, fwd_opts); 3135 } 3136 } 3137 3138 /* protocol v2 remote port fwd, used by sshd */ 3139 int 3140 channel_setup_remote_fwd_listener(struct Forward *fwd, 3141 int *allocated_listen_port, struct ForwardOptions *fwd_opts) 3142 { 3143 if (fwd->listen_path != NULL) { 3144 return channel_setup_fwd_listener_streamlocal( 3145 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts); 3146 } else { 3147 return channel_setup_fwd_listener_tcpip( 3148 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port, 3149 fwd_opts); 3150 } 3151 } 3152 3153 /* 3154 * Translate the requested rfwd listen host to something usable for 3155 * this server. 3156 */ 3157 static const char * 3158 channel_rfwd_bind_host(const char *listen_host) 3159 { 3160 if (listen_host == NULL) { 3161 if (datafellows & SSH_BUG_RFWD_ADDR) 3162 return "127.0.0.1"; 3163 else 3164 return "localhost"; 3165 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { 3166 if (datafellows & SSH_BUG_RFWD_ADDR) 3167 return "0.0.0.0"; 3168 else 3169 return ""; 3170 } else 3171 return listen_host; 3172 } 3173 3174 /* 3175 * Initiate forwarding of connections to port "port" on remote host through 3176 * the secure channel to host:port from local side. 3177 * Returns handle (index) for updating the dynamic listen port with 3178 * channel_update_permitted_opens(). 3179 */ 3180 int 3181 channel_request_remote_forwarding(struct Forward *fwd) 3182 { 3183 int type, success = 0, idx = -1; 3184 3185 /* Send the forward request to the remote side. */ 3186 if (compat20) { 3187 packet_start(SSH2_MSG_GLOBAL_REQUEST); 3188 if (fwd->listen_path != NULL) { 3189 packet_put_cstring("streamlocal-forward@openssh.com"); 3190 packet_put_char(1); /* boolean: want reply */ 3191 packet_put_cstring(fwd->listen_path); 3192 } else { 3193 packet_put_cstring("tcpip-forward"); 3194 packet_put_char(1); /* boolean: want reply */ 3195 packet_put_cstring(channel_rfwd_bind_host(fwd->listen_host)); 3196 packet_put_int(fwd->listen_port); 3197 } 3198 packet_send(); 3199 packet_write_wait(); 3200 /* Assume that server accepts the request */ 3201 success = 1; 3202 } else if (fwd->listen_path == NULL) { 3203 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 3204 packet_put_int(fwd->listen_port); 3205 packet_put_cstring(fwd->connect_host); 3206 packet_put_int(fwd->connect_port); 3207 packet_send(); 3208 packet_write_wait(); 3209 3210 /* Wait for response from the remote side. */ 3211 type = packet_read(); 3212 switch (type) { 3213 case SSH_SMSG_SUCCESS: 3214 success = 1; 3215 break; 3216 case SSH_SMSG_FAILURE: 3217 break; 3218 default: 3219 /* Unknown packet */ 3220 packet_disconnect("Protocol error for port forward request:" 3221 "received packet type %d.", type); 3222 } 3223 } else { 3224 logit("Warning: Server does not support remote stream local forwarding."); 3225 } 3226 if (success) { 3227 /* Record that connection to this host/port is permitted. */ 3228 permitted_opens = xrealloc(permitted_opens, 3229 num_permitted_opens + 1, sizeof(*permitted_opens)); 3230 idx = num_permitted_opens++; 3231 if (fwd->connect_path != NULL) { 3232 permitted_opens[idx].host_to_connect = 3233 xstrdup(fwd->connect_path); 3234 permitted_opens[idx].port_to_connect = 3235 PORT_STREAMLOCAL; 3236 } else { 3237 permitted_opens[idx].host_to_connect = 3238 xstrdup(fwd->connect_host); 3239 permitted_opens[idx].port_to_connect = 3240 fwd->connect_port; 3241 } 3242 if (fwd->listen_path != NULL) { 3243 permitted_opens[idx].listen_host = NULL; 3244 permitted_opens[idx].listen_path = 3245 xstrdup(fwd->listen_path); 3246 permitted_opens[idx].listen_port = PORT_STREAMLOCAL; 3247 } else { 3248 permitted_opens[idx].listen_host = 3249 fwd->listen_host ? xstrdup(fwd->listen_host) : NULL; 3250 permitted_opens[idx].listen_path = NULL; 3251 permitted_opens[idx].listen_port = fwd->listen_port; 3252 } 3253 } 3254 return (idx); 3255 } 3256 3257 static int 3258 open_match(ForwardPermission *allowed_open, const char *requestedhost, 3259 int requestedport) 3260 { 3261 if (allowed_open->host_to_connect == NULL) 3262 return 0; 3263 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT && 3264 allowed_open->port_to_connect != requestedport) 3265 return 0; 3266 if (strcmp(allowed_open->host_to_connect, requestedhost) != 0) 3267 return 0; 3268 return 1; 3269 } 3270 3271 /* 3272 * Note that in the listen host/port case 3273 * we don't support FWD_PERMIT_ANY_PORT and 3274 * need to translate between the configured-host (listen_host) 3275 * and what we've sent to the remote server (channel_rfwd_bind_host) 3276 */ 3277 static int 3278 open_listen_match_tcpip(ForwardPermission *allowed_open, 3279 const char *requestedhost, u_short requestedport, int translate) 3280 { 3281 const char *allowed_host; 3282 3283 if (allowed_open->host_to_connect == NULL) 3284 return 0; 3285 if (allowed_open->listen_port != requestedport) 3286 return 0; 3287 if (!translate && allowed_open->listen_host == NULL && 3288 requestedhost == NULL) 3289 return 1; 3290 allowed_host = translate ? 3291 channel_rfwd_bind_host(allowed_open->listen_host) : 3292 allowed_open->listen_host; 3293 if (allowed_host == NULL || 3294 strcmp(allowed_host, requestedhost) != 0) 3295 return 0; 3296 return 1; 3297 } 3298 3299 static int 3300 open_listen_match_streamlocal(ForwardPermission *allowed_open, 3301 const char *requestedpath) 3302 { 3303 if (allowed_open->host_to_connect == NULL) 3304 return 0; 3305 if (allowed_open->listen_port != PORT_STREAMLOCAL) 3306 return 0; 3307 if (allowed_open->listen_path == NULL || 3308 strcmp(allowed_open->listen_path, requestedpath) != 0) 3309 return 0; 3310 return 1; 3311 } 3312 3313 /* 3314 * Request cancellation of remote forwarding of connection host:port from 3315 * local side. 3316 */ 3317 static int 3318 channel_request_rforward_cancel_tcpip(const char *host, u_short port) 3319 { 3320 int i; 3321 3322 if (!compat20) 3323 return -1; 3324 3325 for (i = 0; i < num_permitted_opens; i++) { 3326 if (open_listen_match_tcpip(&permitted_opens[i], host, port, 0)) 3327 break; 3328 } 3329 if (i >= num_permitted_opens) { 3330 debug("%s: requested forward not found", __func__); 3331 return -1; 3332 } 3333 packet_start(SSH2_MSG_GLOBAL_REQUEST); 3334 packet_put_cstring("cancel-tcpip-forward"); 3335 packet_put_char(0); 3336 packet_put_cstring(channel_rfwd_bind_host(host)); 3337 packet_put_int(port); 3338 packet_send(); 3339 3340 permitted_opens[i].listen_port = 0; 3341 permitted_opens[i].port_to_connect = 0; 3342 free(permitted_opens[i].host_to_connect); 3343 permitted_opens[i].host_to_connect = NULL; 3344 free(permitted_opens[i].listen_host); 3345 permitted_opens[i].listen_host = NULL; 3346 permitted_opens[i].listen_path = NULL; 3347 3348 return 0; 3349 } 3350 3351 /* 3352 * Request cancellation of remote forwarding of Unix domain socket 3353 * path from local side. 3354 */ 3355 static int 3356 channel_request_rforward_cancel_streamlocal(const char *path) 3357 { 3358 int i; 3359 3360 if (!compat20) 3361 return -1; 3362 3363 for (i = 0; i < num_permitted_opens; i++) { 3364 if (open_listen_match_streamlocal(&permitted_opens[i], path)) 3365 break; 3366 } 3367 if (i >= num_permitted_opens) { 3368 debug("%s: requested forward not found", __func__); 3369 return -1; 3370 } 3371 packet_start(SSH2_MSG_GLOBAL_REQUEST); 3372 packet_put_cstring("cancel-streamlocal-forward@openssh.com"); 3373 packet_put_char(0); 3374 packet_put_cstring(path); 3375 packet_send(); 3376 3377 permitted_opens[i].listen_port = 0; 3378 permitted_opens[i].port_to_connect = 0; 3379 free(permitted_opens[i].host_to_connect); 3380 permitted_opens[i].host_to_connect = NULL; 3381 permitted_opens[i].listen_host = NULL; 3382 free(permitted_opens[i].listen_path); 3383 permitted_opens[i].listen_path = NULL; 3384 3385 return 0; 3386 } 3387 3388 /* 3389 * Request cancellation of remote forwarding of a connection from local side. 3390 */ 3391 int 3392 channel_request_rforward_cancel(struct Forward *fwd) 3393 { 3394 if (fwd->listen_path != NULL) { 3395 return (channel_request_rforward_cancel_streamlocal( 3396 fwd->listen_path)); 3397 } else { 3398 return (channel_request_rforward_cancel_tcpip(fwd->listen_host, 3399 fwd->listen_port ? fwd->listen_port : fwd->allocated_port)); 3400 } 3401 } 3402 3403 /* 3404 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 3405 * listening for the port, and sends back a success reply (or disconnect 3406 * message if there was an error). 3407 */ 3408 int 3409 channel_input_port_forward_request(int is_root, struct ForwardOptions *fwd_opts) 3410 { 3411 int success = 0; 3412 struct Forward fwd; 3413 3414 /* Get arguments from the packet. */ 3415 memset(&fwd, 0, sizeof(fwd)); 3416 fwd.listen_port = packet_get_int(); 3417 fwd.connect_host = packet_get_string(NULL); 3418 fwd.connect_port = packet_get_int(); 3419 3420 #ifndef HAVE_CYGWIN 3421 /* 3422 * Check that an unprivileged user is not trying to forward a 3423 * privileged port. 3424 */ 3425 if (fwd.listen_port < IPPORT_RESERVED && !is_root) 3426 packet_disconnect( 3427 "Requested forwarding of port %d but user is not root.", 3428 fwd.listen_port); 3429 if (fwd.connect_port == 0) 3430 packet_disconnect("Dynamic forwarding denied."); 3431 #endif 3432 3433 /* Initiate forwarding */ 3434 success = channel_setup_local_fwd_listener(&fwd, fwd_opts); 3435 3436 /* Free the argument string. */ 3437 free(fwd.connect_host); 3438 3439 return (success ? 0 : -1); 3440 } 3441 3442 /* 3443 * Permits opening to any host/port if permitted_opens[] is empty. This is 3444 * usually called by the server, because the user could connect to any port 3445 * anyway, and the server has no way to know but to trust the client anyway. 3446 */ 3447 void 3448 channel_permit_all_opens(void) 3449 { 3450 if (num_permitted_opens == 0) 3451 all_opens_permitted = 1; 3452 } 3453 3454 void 3455 channel_add_permitted_opens(char *host, int port) 3456 { 3457 debug("allow port forwarding to host %s port %d", host, port); 3458 3459 permitted_opens = xrealloc(permitted_opens, 3460 num_permitted_opens + 1, sizeof(*permitted_opens)); 3461 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 3462 permitted_opens[num_permitted_opens].port_to_connect = port; 3463 permitted_opens[num_permitted_opens].listen_host = NULL; 3464 permitted_opens[num_permitted_opens].listen_path = NULL; 3465 permitted_opens[num_permitted_opens].listen_port = 0; 3466 num_permitted_opens++; 3467 3468 all_opens_permitted = 0; 3469 } 3470 3471 /* 3472 * Update the listen port for a dynamic remote forward, after 3473 * the actual 'newport' has been allocated. If 'newport' < 0 is 3474 * passed then they entry will be invalidated. 3475 */ 3476 void 3477 channel_update_permitted_opens(int idx, int newport) 3478 { 3479 if (idx < 0 || idx >= num_permitted_opens) { 3480 debug("channel_update_permitted_opens: index out of range:" 3481 " %d num_permitted_opens %d", idx, num_permitted_opens); 3482 return; 3483 } 3484 debug("%s allowed port %d for forwarding to host %s port %d", 3485 newport > 0 ? "Updating" : "Removing", 3486 newport, 3487 permitted_opens[idx].host_to_connect, 3488 permitted_opens[idx].port_to_connect); 3489 if (newport >= 0) { 3490 permitted_opens[idx].listen_port = 3491 (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport; 3492 } else { 3493 permitted_opens[idx].listen_port = 0; 3494 permitted_opens[idx].port_to_connect = 0; 3495 free(permitted_opens[idx].host_to_connect); 3496 permitted_opens[idx].host_to_connect = NULL; 3497 free(permitted_opens[idx].listen_host); 3498 permitted_opens[idx].listen_host = NULL; 3499 free(permitted_opens[idx].listen_path); 3500 permitted_opens[idx].listen_path = NULL; 3501 } 3502 } 3503 3504 int 3505 channel_add_adm_permitted_opens(char *host, int port) 3506 { 3507 debug("config allows port forwarding to host %s port %d", host, port); 3508 3509 permitted_adm_opens = xrealloc(permitted_adm_opens, 3510 num_adm_permitted_opens + 1, sizeof(*permitted_adm_opens)); 3511 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 3512 = xstrdup(host); 3513 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 3514 permitted_adm_opens[num_adm_permitted_opens].listen_host = NULL; 3515 permitted_adm_opens[num_adm_permitted_opens].listen_path = NULL; 3516 permitted_adm_opens[num_adm_permitted_opens].listen_port = 0; 3517 return ++num_adm_permitted_opens; 3518 } 3519 3520 void 3521 channel_disable_adm_local_opens(void) 3522 { 3523 channel_clear_adm_permitted_opens(); 3524 permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); 3525 permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL; 3526 num_adm_permitted_opens = 1; 3527 } 3528 3529 void 3530 channel_clear_permitted_opens(void) 3531 { 3532 int i; 3533 3534 for (i = 0; i < num_permitted_opens; i++) { 3535 free(permitted_opens[i].host_to_connect); 3536 free(permitted_opens[i].listen_host); 3537 free(permitted_opens[i].listen_path); 3538 } 3539 free(permitted_opens); 3540 permitted_opens = NULL; 3541 num_permitted_opens = 0; 3542 } 3543 3544 void 3545 channel_clear_adm_permitted_opens(void) 3546 { 3547 int i; 3548 3549 for (i = 0; i < num_adm_permitted_opens; i++) { 3550 free(permitted_adm_opens[i].host_to_connect); 3551 free(permitted_adm_opens[i].listen_host); 3552 free(permitted_adm_opens[i].listen_path); 3553 } 3554 free(permitted_adm_opens); 3555 permitted_adm_opens = NULL; 3556 num_adm_permitted_opens = 0; 3557 } 3558 3559 void 3560 channel_print_adm_permitted_opens(void) 3561 { 3562 int i; 3563 3564 printf("permitopen"); 3565 if (num_adm_permitted_opens == 0) { 3566 printf(" any\n"); 3567 return; 3568 } 3569 for (i = 0; i < num_adm_permitted_opens; i++) 3570 if (permitted_adm_opens[i].host_to_connect == NULL) 3571 printf(" none"); 3572 else 3573 printf(" %s:%d", permitted_adm_opens[i].host_to_connect, 3574 permitted_adm_opens[i].port_to_connect); 3575 printf("\n"); 3576 } 3577 3578 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ 3579 int 3580 permitopen_port(const char *p) 3581 { 3582 int port; 3583 3584 if (strcmp(p, "*") == 0) 3585 return FWD_PERMIT_ANY_PORT; 3586 if ((port = a2port(p)) > 0) 3587 return port; 3588 return -1; 3589 } 3590 3591 /* Try to start non-blocking connect to next host in cctx list */ 3592 static int 3593 connect_next(struct channel_connect *cctx) 3594 { 3595 int sock, saved_errno; 3596 struct sockaddr_un *sunaddr; 3597 char ntop[NI_MAXHOST], strport[MAX(NI_MAXSERV,sizeof(sunaddr->sun_path))]; 3598 3599 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 3600 switch (cctx->ai->ai_family) { 3601 case AF_UNIX: 3602 /* unix:pathname instead of host:port */ 3603 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr; 3604 strlcpy(ntop, "unix", sizeof(ntop)); 3605 strlcpy(strport, sunaddr->sun_path, sizeof(strport)); 3606 break; 3607 case AF_INET: 3608 case AF_INET6: 3609 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 3610 ntop, sizeof(ntop), strport, sizeof(strport), 3611 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3612 error("connect_next: getnameinfo failed"); 3613 continue; 3614 } 3615 break; 3616 default: 3617 continue; 3618 } 3619 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 3620 cctx->ai->ai_protocol)) == -1) { 3621 if (cctx->ai->ai_next == NULL) 3622 error("socket: %.100s", strerror(errno)); 3623 else 3624 verbose("socket: %.100s", strerror(errno)); 3625 continue; 3626 } 3627 if (set_nonblock(sock) == -1) 3628 fatal("%s: set_nonblock(%d)", __func__, sock); 3629 if (connect(sock, cctx->ai->ai_addr, 3630 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 3631 debug("connect_next: host %.100s ([%.100s]:%s): " 3632 "%.100s", cctx->host, ntop, strport, 3633 strerror(errno)); 3634 saved_errno = errno; 3635 close(sock); 3636 errno = saved_errno; 3637 continue; /* fail -- try next */ 3638 } 3639 if (cctx->ai->ai_family != AF_UNIX) 3640 set_nodelay(sock); 3641 debug("connect_next: host %.100s ([%.100s]:%s) " 3642 "in progress, fd=%d", cctx->host, ntop, strport, sock); 3643 cctx->ai = cctx->ai->ai_next; 3644 return sock; 3645 } 3646 return -1; 3647 } 3648 3649 static void 3650 channel_connect_ctx_free(struct channel_connect *cctx) 3651 { 3652 free(cctx->host); 3653 if (cctx->aitop) { 3654 if (cctx->aitop->ai_family == AF_UNIX) 3655 free(cctx->aitop); 3656 else 3657 freeaddrinfo(cctx->aitop); 3658 } 3659 memset(cctx, 0, sizeof(*cctx)); 3660 } 3661 3662 /* Return CONNECTING channel to remote host:port or local socket path */ 3663 static Channel * 3664 connect_to(const char *name, int port, char *ctype, char *rname) 3665 { 3666 struct addrinfo hints; 3667 int gaierr; 3668 int sock = -1; 3669 char strport[NI_MAXSERV]; 3670 struct channel_connect cctx; 3671 Channel *c; 3672 3673 memset(&cctx, 0, sizeof(cctx)); 3674 3675 if (port == PORT_STREAMLOCAL) { 3676 struct sockaddr_un *sunaddr; 3677 struct addrinfo *ai; 3678 3679 if (strlen(name) > sizeof(sunaddr->sun_path)) { 3680 error("%.100s: %.100s", name, strerror(ENAMETOOLONG)); 3681 return (NULL); 3682 } 3683 3684 /* 3685 * Fake up a struct addrinfo for AF_UNIX connections. 3686 * channel_connect_ctx_free() must check ai_family 3687 * and use free() not freeaddirinfo() for AF_UNIX. 3688 */ 3689 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr)); 3690 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr)); 3691 ai->ai_addr = (struct sockaddr *)(ai + 1); 3692 ai->ai_addrlen = sizeof(*sunaddr); 3693 ai->ai_family = AF_UNIX; 3694 ai->ai_socktype = SOCK_STREAM; 3695 ai->ai_protocol = PF_UNSPEC; 3696 sunaddr = (struct sockaddr_un *)ai->ai_addr; 3697 sunaddr->sun_family = AF_UNIX; 3698 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); 3699 cctx.aitop = ai; 3700 } else { 3701 memset(&hints, 0, sizeof(hints)); 3702 hints.ai_family = IPv4or6; 3703 hints.ai_socktype = SOCK_STREAM; 3704 snprintf(strport, sizeof strport, "%d", port); 3705 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) { 3706 error("connect_to %.100s: unknown host (%s)", name, 3707 ssh_gai_strerror(gaierr)); 3708 return NULL; 3709 } 3710 } 3711 3712 cctx.host = xstrdup(name); 3713 cctx.port = port; 3714 cctx.ai = cctx.aitop; 3715 3716 if ((sock = connect_next(&cctx)) == -1) { 3717 error("connect to %.100s port %d failed: %s", 3718 name, port, strerror(errno)); 3719 channel_connect_ctx_free(&cctx); 3720 return NULL; 3721 } 3722 c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 3723 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 3724 c->connect_ctx = cctx; 3725 return c; 3726 } 3727 3728 Channel * 3729 channel_connect_by_listen_address(const char *listen_host, 3730 u_short listen_port, char *ctype, char *rname) 3731 { 3732 int i; 3733 3734 for (i = 0; i < num_permitted_opens; i++) { 3735 if (open_listen_match_tcpip(&permitted_opens[i], listen_host, 3736 listen_port, 1)) { 3737 return connect_to( 3738 permitted_opens[i].host_to_connect, 3739 permitted_opens[i].port_to_connect, ctype, rname); 3740 } 3741 } 3742 error("WARNING: Server requests forwarding for unknown listen_port %d", 3743 listen_port); 3744 return NULL; 3745 } 3746 3747 Channel * 3748 channel_connect_by_listen_path(const char *path, char *ctype, char *rname) 3749 { 3750 int i; 3751 3752 for (i = 0; i < num_permitted_opens; i++) { 3753 if (open_listen_match_streamlocal(&permitted_opens[i], path)) { 3754 return connect_to( 3755 permitted_opens[i].host_to_connect, 3756 permitted_opens[i].port_to_connect, ctype, rname); 3757 } 3758 } 3759 error("WARNING: Server requests forwarding for unknown path %.100s", 3760 path); 3761 return NULL; 3762 } 3763 3764 /* Check if connecting to that port is permitted and connect. */ 3765 Channel * 3766 channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname) 3767 { 3768 int i, permit, permit_adm = 1; 3769 3770 permit = all_opens_permitted; 3771 if (!permit) { 3772 for (i = 0; i < num_permitted_opens; i++) 3773 if (open_match(&permitted_opens[i], host, port)) { 3774 permit = 1; 3775 break; 3776 } 3777 } 3778 3779 if (num_adm_permitted_opens > 0) { 3780 permit_adm = 0; 3781 for (i = 0; i < num_adm_permitted_opens; i++) 3782 if (open_match(&permitted_adm_opens[i], host, port)) { 3783 permit_adm = 1; 3784 break; 3785 } 3786 } 3787 3788 if (!permit || !permit_adm) { 3789 logit("Received request to connect to host %.100s port %d, " 3790 "but the request was denied.", host, port); 3791 return NULL; 3792 } 3793 return connect_to(host, port, ctype, rname); 3794 } 3795 3796 /* Check if connecting to that path is permitted and connect. */ 3797 Channel * 3798 channel_connect_to_path(const char *path, char *ctype, char *rname) 3799 { 3800 int i, permit, permit_adm = 1; 3801 3802 permit = all_opens_permitted; 3803 if (!permit) { 3804 for (i = 0; i < num_permitted_opens; i++) 3805 if (open_match(&permitted_opens[i], path, PORT_STREAMLOCAL)) { 3806 permit = 1; 3807 break; 3808 } 3809 } 3810 3811 if (num_adm_permitted_opens > 0) { 3812 permit_adm = 0; 3813 for (i = 0; i < num_adm_permitted_opens; i++) 3814 if (open_match(&permitted_adm_opens[i], path, PORT_STREAMLOCAL)) { 3815 permit_adm = 1; 3816 break; 3817 } 3818 } 3819 3820 if (!permit || !permit_adm) { 3821 logit("Received request to connect to path %.100s, " 3822 "but the request was denied.", path); 3823 return NULL; 3824 } 3825 return connect_to(path, PORT_STREAMLOCAL, ctype, rname); 3826 } 3827 3828 void 3829 channel_send_window_changes(void) 3830 { 3831 u_int i; 3832 struct winsize ws; 3833 3834 for (i = 0; i < channels_alloc; i++) { 3835 if (channels[i] == NULL || !channels[i]->client_tty || 3836 channels[i]->type != SSH_CHANNEL_OPEN) 3837 continue; 3838 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 3839 continue; 3840 channel_request_start(i, "window-change", 0); 3841 packet_put_int((u_int)ws.ws_col); 3842 packet_put_int((u_int)ws.ws_row); 3843 packet_put_int((u_int)ws.ws_xpixel); 3844 packet_put_int((u_int)ws.ws_ypixel); 3845 packet_send(); 3846 } 3847 } 3848 3849 /* -- X11 forwarding */ 3850 3851 /* 3852 * Creates an internet domain socket for listening for X11 connections. 3853 * Returns 0 and a suitable display number for the DISPLAY variable 3854 * stored in display_numberp , or -1 if an error occurs. 3855 */ 3856 int 3857 x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 3858 int single_connection, u_int *display_numberp, int **chanids) 3859 { 3860 Channel *nc = NULL; 3861 int display_number, sock; 3862 u_short port; 3863 struct addrinfo hints, *ai, *aitop; 3864 char strport[NI_MAXSERV]; 3865 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 3866 3867 if (chanids == NULL) 3868 return -1; 3869 3870 for (display_number = x11_display_offset; 3871 display_number < MAX_DISPLAYS; 3872 display_number++) { 3873 port = 6000 + display_number; 3874 memset(&hints, 0, sizeof(hints)); 3875 hints.ai_family = IPv4or6; 3876 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 3877 hints.ai_socktype = SOCK_STREAM; 3878 snprintf(strport, sizeof strport, "%d", port); 3879 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 3880 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 3881 return -1; 3882 } 3883 for (ai = aitop; ai; ai = ai->ai_next) { 3884 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 3885 continue; 3886 sock = socket(ai->ai_family, ai->ai_socktype, 3887 ai->ai_protocol); 3888 if (sock < 0) { 3889 if ((errno != EINVAL) && (errno != EAFNOSUPPORT) 3890 #ifdef EPFNOSUPPORT 3891 && (errno != EPFNOSUPPORT) 3892 #endif 3893 ) { 3894 error("socket: %.100s", strerror(errno)); 3895 freeaddrinfo(aitop); 3896 return -1; 3897 } else { 3898 debug("x11_create_display_inet: Socket family %d not supported", 3899 ai->ai_family); 3900 continue; 3901 } 3902 } 3903 if (ai->ai_family == AF_INET6) 3904 sock_set_v6only(sock); 3905 if (x11_use_localhost) 3906 channel_set_reuseaddr(sock); 3907 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3908 debug2("bind port %d: %.100s", port, strerror(errno)); 3909 close(sock); 3910 3911 for (n = 0; n < num_socks; n++) { 3912 close(socks[n]); 3913 } 3914 num_socks = 0; 3915 break; 3916 } 3917 socks[num_socks++] = sock; 3918 if (num_socks == NUM_SOCKS) 3919 break; 3920 } 3921 freeaddrinfo(aitop); 3922 if (num_socks > 0) 3923 break; 3924 } 3925 if (display_number >= MAX_DISPLAYS) { 3926 error("Failed to allocate internet-domain X11 display socket."); 3927 return -1; 3928 } 3929 /* Start listening for connections on the socket. */ 3930 for (n = 0; n < num_socks; n++) { 3931 sock = socks[n]; 3932 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3933 error("listen: %.100s", strerror(errno)); 3934 close(sock); 3935 return -1; 3936 } 3937 } 3938 3939 /* Allocate a channel for each socket. */ 3940 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 3941 for (n = 0; n < num_socks; n++) { 3942 sock = socks[n]; 3943 nc = channel_new("x11 listener", 3944 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 3945 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 3946 0, "X11 inet listener", 1); 3947 nc->single_connection = single_connection; 3948 (*chanids)[n] = nc->self; 3949 } 3950 (*chanids)[n] = -1; 3951 3952 /* Return the display number for the DISPLAY environment variable. */ 3953 *display_numberp = display_number; 3954 return (0); 3955 } 3956 3957 static int 3958 connect_local_xsocket_path(const char *pathname) 3959 { 3960 int sock; 3961 struct sockaddr_un addr; 3962 3963 sock = socket(AF_UNIX, SOCK_STREAM, 0); 3964 if (sock < 0) 3965 error("socket: %.100s", strerror(errno)); 3966 memset(&addr, 0, sizeof(addr)); 3967 addr.sun_family = AF_UNIX; 3968 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 3969 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 3970 return sock; 3971 close(sock); 3972 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 3973 return -1; 3974 } 3975 3976 static int 3977 connect_local_xsocket(u_int dnr) 3978 { 3979 char buf[1024]; 3980 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 3981 return connect_local_xsocket_path(buf); 3982 } 3983 3984 int 3985 x11_connect_display(void) 3986 { 3987 u_int display_number; 3988 const char *display; 3989 char buf[1024], *cp; 3990 struct addrinfo hints, *ai, *aitop; 3991 char strport[NI_MAXSERV]; 3992 int gaierr, sock = 0; 3993 3994 /* Try to open a socket for the local X server. */ 3995 display = getenv("DISPLAY"); 3996 if (!display) { 3997 error("DISPLAY not set."); 3998 return -1; 3999 } 4000 /* 4001 * Now we decode the value of the DISPLAY variable and make a 4002 * connection to the real X server. 4003 */ 4004 4005 /* Check if the display is from launchd. */ 4006 #ifdef __APPLE__ 4007 if (strncmp(display, "/tmp/launch", 11) == 0) { 4008 sock = connect_local_xsocket_path(display); 4009 if (sock < 0) 4010 return -1; 4011 4012 /* OK, we now have a connection to the display. */ 4013 return sock; 4014 } 4015 #endif 4016 /* 4017 * Check if it is a unix domain socket. Unix domain displays are in 4018 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 4019 */ 4020 if (strncmp(display, "unix:", 5) == 0 || 4021 display[0] == ':') { 4022 /* Connect to the unix domain socket. */ 4023 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 4024 error("Could not parse display number from DISPLAY: %.100s", 4025 display); 4026 return -1; 4027 } 4028 /* Create a socket. */ 4029 sock = connect_local_xsocket(display_number); 4030 if (sock < 0) 4031 return -1; 4032 4033 /* OK, we now have a connection to the display. */ 4034 return sock; 4035 } 4036 /* 4037 * Connect to an inet socket. The DISPLAY value is supposedly 4038 * hostname:d[.s], where hostname may also be numeric IP address. 4039 */ 4040 strlcpy(buf, display, sizeof(buf)); 4041 cp = strchr(buf, ':'); 4042 if (!cp) { 4043 error("Could not find ':' in DISPLAY: %.100s", display); 4044 return -1; 4045 } 4046 *cp = 0; 4047 /* buf now contains the host name. But first we parse the display number. */ 4048 if (sscanf(cp + 1, "%u", &display_number) != 1) { 4049 error("Could not parse display number from DISPLAY: %.100s", 4050 display); 4051 return -1; 4052 } 4053 4054 /* Look up the host address */ 4055 memset(&hints, 0, sizeof(hints)); 4056 hints.ai_family = IPv4or6; 4057 hints.ai_socktype = SOCK_STREAM; 4058 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 4059 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 4060 error("%.100s: unknown host. (%s)", buf, 4061 ssh_gai_strerror(gaierr)); 4062 return -1; 4063 } 4064 for (ai = aitop; ai; ai = ai->ai_next) { 4065 /* Create a socket. */ 4066 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 4067 if (sock < 0) { 4068 debug2("socket: %.100s", strerror(errno)); 4069 continue; 4070 } 4071 /* Connect it to the display. */ 4072 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 4073 debug2("connect %.100s port %u: %.100s", buf, 4074 6000 + display_number, strerror(errno)); 4075 close(sock); 4076 continue; 4077 } 4078 /* Success */ 4079 break; 4080 } 4081 freeaddrinfo(aitop); 4082 if (!ai) { 4083 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 4084 strerror(errno)); 4085 return -1; 4086 } 4087 set_nodelay(sock); 4088 return sock; 4089 } 4090 4091 /* 4092 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 4093 * the remote channel number. We should do whatever we want, and respond 4094 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 4095 */ 4096 4097 /* ARGSUSED */ 4098 void 4099 x11_input_open(int type, u_int32_t seq, void *ctxt) 4100 { 4101 Channel *c = NULL; 4102 int remote_id, sock = 0; 4103 char *remote_host; 4104 4105 debug("Received X11 open request."); 4106 4107 remote_id = packet_get_int(); 4108 4109 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 4110 remote_host = packet_get_string(NULL); 4111 } else { 4112 remote_host = xstrdup("unknown (remote did not supply name)"); 4113 } 4114 packet_check_eom(); 4115 4116 /* Obtain a connection to the real X display. */ 4117 sock = x11_connect_display(); 4118 if (sock != -1) { 4119 /* Allocate a channel for this connection. */ 4120 c = channel_new("connected x11 socket", 4121 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 4122 remote_host, 1); 4123 c->remote_id = remote_id; 4124 c->force_drain = 1; 4125 } 4126 free(remote_host); 4127 if (c == NULL) { 4128 /* Send refusal to the remote host. */ 4129 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 4130 packet_put_int(remote_id); 4131 } else { 4132 /* Send a confirmation to the remote host. */ 4133 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 4134 packet_put_int(remote_id); 4135 packet_put_int(c->self); 4136 } 4137 packet_send(); 4138 } 4139 4140 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 4141 /* ARGSUSED */ 4142 void 4143 deny_input_open(int type, u_int32_t seq, void *ctxt) 4144 { 4145 int rchan = packet_get_int(); 4146 4147 switch (type) { 4148 case SSH_SMSG_AGENT_OPEN: 4149 error("Warning: ssh server tried agent forwarding."); 4150 break; 4151 case SSH_SMSG_X11_OPEN: 4152 error("Warning: ssh server tried X11 forwarding."); 4153 break; 4154 default: 4155 error("deny_input_open: type %d", type); 4156 break; 4157 } 4158 error("Warning: this is probably a break-in attempt by a malicious server."); 4159 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 4160 packet_put_int(rchan); 4161 packet_send(); 4162 } 4163 4164 /* 4165 * Requests forwarding of X11 connections, generates fake authentication 4166 * data, and enables authentication spoofing. 4167 * This should be called in the client only. 4168 */ 4169 void 4170 x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 4171 const char *proto, const char *data, int want_reply) 4172 { 4173 u_int data_len = (u_int) strlen(data) / 2; 4174 u_int i, value; 4175 char *new_data; 4176 int screen_number; 4177 const char *cp; 4178 u_int32_t rnd = 0; 4179 4180 if (x11_saved_display == NULL) 4181 x11_saved_display = xstrdup(disp); 4182 else if (strcmp(disp, x11_saved_display) != 0) { 4183 error("x11_request_forwarding_with_spoofing: different " 4184 "$DISPLAY already forwarded"); 4185 return; 4186 } 4187 4188 cp = strchr(disp, ':'); 4189 if (cp) 4190 cp = strchr(cp, '.'); 4191 if (cp) 4192 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 4193 else 4194 screen_number = 0; 4195 4196 if (x11_saved_proto == NULL) { 4197 /* Save protocol name. */ 4198 x11_saved_proto = xstrdup(proto); 4199 /* 4200 * Extract real authentication data and generate fake data 4201 * of the same length. 4202 */ 4203 x11_saved_data = xmalloc(data_len); 4204 x11_fake_data = xmalloc(data_len); 4205 for (i = 0; i < data_len; i++) { 4206 if (sscanf(data + 2 * i, "%2x", &value) != 1) 4207 fatal("x11_request_forwarding: bad " 4208 "authentication data: %.100s", data); 4209 if (i % 4 == 0) 4210 rnd = arc4random(); 4211 x11_saved_data[i] = value; 4212 x11_fake_data[i] = rnd & 0xff; 4213 rnd >>= 8; 4214 } 4215 x11_saved_data_len = data_len; 4216 x11_fake_data_len = data_len; 4217 } 4218 4219 /* Convert the fake data into hex. */ 4220 new_data = tohex(x11_fake_data, data_len); 4221 4222 /* Send the request packet. */ 4223 if (compat20) { 4224 channel_request_start(client_session_id, "x11-req", want_reply); 4225 packet_put_char(0); /* XXX bool single connection */ 4226 } else { 4227 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 4228 } 4229 packet_put_cstring(proto); 4230 packet_put_cstring(new_data); 4231 packet_put_int(screen_number); 4232 packet_send(); 4233 packet_write_wait(); 4234 free(new_data); 4235 } 4236 4237 4238 /* -- agent forwarding */ 4239 4240 /* Sends a message to the server to request authentication fd forwarding. */ 4241 4242 void 4243 auth_request_forwarding(void) 4244 { 4245 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 4246 packet_send(); 4247 packet_write_wait(); 4248 } 4249