1 /* 2 * 3 * channels.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Fri Mar 24 16:35:24 1995 ylo 11 * 12 * This file contains functions for generic socket connection forwarding. 13 * There is also code for initiating connection forwarding for X11 connections, 14 * arbitrary tcp/ip connections, and the authentication agent connection. 15 * 16 * SSH2 support added by Markus Friedl. 17 */ 18 19 #include "includes.h" 20 RCSID("$Id: channels.c,v 1.59 2000/05/30 17:23:36 markus Exp $"); 21 22 #include "ssh.h" 23 #include "packet.h" 24 #include "xmalloc.h" 25 #include "buffer.h" 26 #include "authfd.h" 27 #include "uidswap.h" 28 #include "readconf.h" 29 #include "servconf.h" 30 31 #include "channels.h" 32 #include "nchan.h" 33 #include "compat.h" 34 35 #include "ssh2.h" 36 37 /* Maximum number of fake X11 displays to try. */ 38 #define MAX_DISPLAYS 1000 39 40 /* Max len of agent socket */ 41 #define MAX_SOCKET_NAME 100 42 43 /* default window/packet sizes for tcp/x11-fwd-channel */ 44 #define CHAN_TCP_WINDOW_DEFAULT (8*1024) 45 #define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2) 46 #define CHAN_X11_WINDOW_DEFAULT (4*1024) 47 #define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2) 48 49 /* 50 * Pointer to an array containing all allocated channels. The array is 51 * dynamically extended as needed. 52 */ 53 static Channel *channels = NULL; 54 55 /* 56 * Size of the channel array. All slots of the array must always be 57 * initialized (at least the type field); unused slots are marked with type 58 * SSH_CHANNEL_FREE. 59 */ 60 static int channels_alloc = 0; 61 62 /* 63 * Maximum file descriptor value used in any of the channels. This is 64 * updated in channel_allocate. 65 */ 66 static int channel_max_fd_value = 0; 67 68 /* Name and directory of socket for authentication agent forwarding. */ 69 static char *channel_forwarded_auth_socket_name = NULL; 70 static char *channel_forwarded_auth_socket_dir = NULL; 71 72 /* Saved X11 authentication protocol name. */ 73 char *x11_saved_proto = NULL; 74 75 /* Saved X11 authentication data. This is the real data. */ 76 char *x11_saved_data = NULL; 77 unsigned int x11_saved_data_len = 0; 78 79 /* 80 * Fake X11 authentication data. This is what the server will be sending us; 81 * we should replace any occurrences of this by the real data. 82 */ 83 char *x11_fake_data = NULL; 84 unsigned int x11_fake_data_len; 85 86 /* 87 * Data structure for storing which hosts are permitted for forward requests. 88 * The local sides of any remote forwards are stored in this array to prevent 89 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 90 * network (which might be behind a firewall). 91 */ 92 typedef struct { 93 char *host_to_connect; /* Connect to 'host'. */ 94 u_short port_to_connect; /* Connect to 'port'. */ 95 u_short listen_port; /* Remote side should listen port number. */ 96 } ForwardPermission; 97 98 /* List of all permitted host/port pairs to connect. */ 99 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 100 /* Number of permitted host/port pairs in the array. */ 101 static int num_permitted_opens = 0; 102 /* 103 * If this is true, all opens are permitted. This is the case on the server 104 * on which we have to trust the client anyway, and the user could do 105 * anything after logging in anyway. 106 */ 107 static int all_opens_permitted = 0; 108 109 /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */ 110 static int have_hostname_in_open = 0; 111 112 /* Sets specific protocol options. */ 113 114 void 115 channel_set_options(int hostname_in_open) 116 { 117 have_hostname_in_open = hostname_in_open; 118 } 119 120 /* 121 * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually 122 * called by the server, because the user could connect to any port anyway, 123 * and the server has no way to know but to trust the client anyway. 124 */ 125 126 void 127 channel_permit_all_opens() 128 { 129 all_opens_permitted = 1; 130 } 131 132 /* lookup channel by id */ 133 134 Channel * 135 channel_lookup(int id) 136 { 137 Channel *c; 138 if (id < 0 && id > channels_alloc) { 139 log("channel_lookup: %d: bad id", id); 140 return NULL; 141 } 142 c = &channels[id]; 143 if (c->type == SSH_CHANNEL_FREE) { 144 log("channel_lookup: %d: bad id: channel free", id); 145 return NULL; 146 } 147 return c; 148 } 149 150 /* 151 * Register filedescriptors for a channel, used when allocating a channel or 152 * when the channel consumer/producer is ready, e.g. shell exec'd 153 */ 154 155 void 156 channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage) 157 { 158 /* Update the maximum file descriptor value. */ 159 if (rfd > channel_max_fd_value) 160 channel_max_fd_value = rfd; 161 if (wfd > channel_max_fd_value) 162 channel_max_fd_value = wfd; 163 if (efd > channel_max_fd_value) 164 channel_max_fd_value = efd; 165 /* XXX set close-on-exec -markus */ 166 167 c->rfd = rfd; 168 c->wfd = wfd; 169 c->sock = (rfd == wfd) ? rfd : -1; 170 c->efd = efd; 171 c->extended_usage = extusage; 172 if (rfd != -1) 173 set_nonblock(rfd); 174 if (wfd != -1) 175 set_nonblock(wfd); 176 if (efd != -1) 177 set_nonblock(efd); 178 } 179 180 /* 181 * Allocate a new channel object and set its type and socket. This will cause 182 * remote_name to be freed. 183 */ 184 185 int 186 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 187 int window, int maxpack, int extusage, char *remote_name) 188 { 189 int i, found; 190 Channel *c; 191 192 /* Do initial allocation if this is the first call. */ 193 if (channels_alloc == 0) { 194 chan_init(); 195 channels_alloc = 10; 196 channels = xmalloc(channels_alloc * sizeof(Channel)); 197 for (i = 0; i < channels_alloc; i++) 198 channels[i].type = SSH_CHANNEL_FREE; 199 /* 200 * Kludge: arrange a call to channel_stop_listening if we 201 * terminate with fatal(). 202 */ 203 fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL); 204 } 205 /* Try to find a free slot where to put the new channel. */ 206 for (found = -1, i = 0; i < channels_alloc; i++) 207 if (channels[i].type == SSH_CHANNEL_FREE) { 208 /* Found a free slot. */ 209 found = i; 210 break; 211 } 212 if (found == -1) { 213 /* There are no free slots. Take last+1 slot and expand the array. */ 214 found = channels_alloc; 215 channels_alloc += 10; 216 debug("channel: expanding %d", channels_alloc); 217 channels = xrealloc(channels, channels_alloc * sizeof(Channel)); 218 for (i = found; i < channels_alloc; i++) 219 channels[i].type = SSH_CHANNEL_FREE; 220 } 221 /* Initialize and return new channel number. */ 222 c = &channels[found]; 223 buffer_init(&c->input); 224 buffer_init(&c->output); 225 buffer_init(&c->extended); 226 chan_init_iostates(c); 227 channel_register_fds(c, rfd, wfd, efd, extusage); 228 c->self = found; 229 c->type = type; 230 c->ctype = ctype; 231 c->local_window = window; 232 c->local_window_max = window; 233 c->local_consumed = 0; 234 c->local_maxpacket = maxpack; 235 c->remote_id = -1; 236 c->remote_name = remote_name; 237 c->remote_window = 0; 238 c->remote_maxpacket = 0; 239 c->cb_fn = NULL; 240 c->cb_arg = NULL; 241 c->cb_event = 0; 242 c->dettach_user = NULL; 243 debug("channel %d: new [%s]", found, remote_name); 244 return found; 245 } 246 /* old interface XXX */ 247 int 248 channel_allocate(int type, int sock, char *remote_name) 249 { 250 return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name); 251 } 252 253 254 /* Close all channel fd/socket. */ 255 256 void 257 channel_close_fds(Channel *c) 258 { 259 if (c->sock != -1) { 260 close(c->sock); 261 c->sock = -1; 262 } 263 if (c->rfd != -1) { 264 close(c->rfd); 265 c->rfd = -1; 266 } 267 if (c->wfd != -1) { 268 close(c->wfd); 269 c->wfd = -1; 270 } 271 if (c->efd != -1) { 272 close(c->efd); 273 c->efd = -1; 274 } 275 } 276 277 /* Free the channel and close its fd/socket. */ 278 279 void 280 channel_free(int id) 281 { 282 Channel *c = channel_lookup(id); 283 if (c == NULL) 284 packet_disconnect("channel free: bad local channel %d", id); 285 debug("channel_free: channel %d: status: %s", id, channel_open_message()); 286 if (c->dettach_user != NULL) { 287 debug("channel_free: channel %d: dettaching channel user", id); 288 c->dettach_user(c->self, NULL); 289 } 290 if (c->sock != -1) 291 shutdown(c->sock, SHUT_RDWR); 292 channel_close_fds(c); 293 buffer_free(&c->input); 294 buffer_free(&c->output); 295 buffer_free(&c->extended); 296 c->type = SSH_CHANNEL_FREE; 297 if (c->remote_name) { 298 xfree(c->remote_name); 299 c->remote_name = NULL; 300 } 301 } 302 303 /* 304 * 'channel_pre*' are called just before select() to add any bits relevant to 305 * channels in the select bitmasks. 306 */ 307 /* 308 * 'channel_post*': perform any appropriate operations for channels which 309 * have events pending. 310 */ 311 typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset); 312 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 313 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 314 315 void 316 channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset) 317 { 318 FD_SET(c->sock, readset); 319 } 320 321 void 322 channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset) 323 { 324 if (buffer_len(&c->input) < packet_get_maxsize()) 325 FD_SET(c->sock, readset); 326 if (buffer_len(&c->output) > 0) 327 FD_SET(c->sock, writeset); 328 } 329 330 void 331 channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset) 332 { 333 /* test whether sockets are 'alive' for read/write */ 334 if (c->istate == CHAN_INPUT_OPEN) 335 if (buffer_len(&c->input) < packet_get_maxsize()) 336 FD_SET(c->sock, readset); 337 if (c->ostate == CHAN_OUTPUT_OPEN || 338 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 339 if (buffer_len(&c->output) > 0) { 340 FD_SET(c->sock, writeset); 341 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 342 chan_obuf_empty(c); 343 } 344 } 345 } 346 347 void 348 channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset) 349 { 350 if (c->istate == CHAN_INPUT_OPEN && 351 c->remote_window > 0 && 352 buffer_len(&c->input) < c->remote_window) 353 FD_SET(c->rfd, readset); 354 if (c->ostate == CHAN_OUTPUT_OPEN || 355 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 356 if (buffer_len(&c->output) > 0) { 357 FD_SET(c->wfd, writeset); 358 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 359 chan_obuf_empty(c); 360 } 361 } 362 /** XXX check close conditions, too */ 363 if (c->efd != -1) { 364 if (c->extended_usage == CHAN_EXTENDED_WRITE && 365 buffer_len(&c->extended) > 0) 366 FD_SET(c->efd, writeset); 367 else if (c->extended_usage == CHAN_EXTENDED_READ && 368 buffer_len(&c->extended) < c->remote_window) 369 FD_SET(c->efd, readset); 370 } 371 } 372 373 void 374 channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset) 375 { 376 if (buffer_len(&c->input) == 0) { 377 packet_start(SSH_MSG_CHANNEL_CLOSE); 378 packet_put_int(c->remote_id); 379 packet_send(); 380 c->type = SSH_CHANNEL_CLOSED; 381 debug("Closing channel %d after input drain.", c->self); 382 } 383 } 384 385 void 386 channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset) 387 { 388 if (buffer_len(&c->output) == 0) 389 channel_free(c->self); 390 else 391 FD_SET(c->sock, writeset); 392 } 393 394 /* 395 * This is a special state for X11 authentication spoofing. An opened X11 396 * connection (when authentication spoofing is being done) remains in this 397 * state until the first packet has been completely read. The authentication 398 * data in that packet is then substituted by the real data if it matches the 399 * fake data, and the channel is put into normal mode. 400 * XXX All this happens at the client side. 401 */ 402 int 403 x11_open_helper(Channel *c) 404 { 405 unsigned char *ucp; 406 unsigned int proto_len, data_len; 407 408 /* Check if the fixed size part of the packet is in buffer. */ 409 if (buffer_len(&c->output) < 12) 410 return 0; 411 412 /* Parse the lengths of variable-length fields. */ 413 ucp = (unsigned char *) buffer_ptr(&c->output); 414 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 415 proto_len = 256 * ucp[6] + ucp[7]; 416 data_len = 256 * ucp[8] + ucp[9]; 417 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 418 proto_len = ucp[6] + 256 * ucp[7]; 419 data_len = ucp[8] + 256 * ucp[9]; 420 } else { 421 debug("Initial X11 packet contains bad byte order byte: 0x%x", 422 ucp[0]); 423 return -1; 424 } 425 426 /* Check if the whole packet is in buffer. */ 427 if (buffer_len(&c->output) < 428 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 429 return 0; 430 431 /* Check if authentication protocol matches. */ 432 if (proto_len != strlen(x11_saved_proto) || 433 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 434 debug("X11 connection uses different authentication protocol."); 435 return -1; 436 } 437 /* Check if authentication data matches our fake data. */ 438 if (data_len != x11_fake_data_len || 439 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 440 x11_fake_data, x11_fake_data_len) != 0) { 441 debug("X11 auth data does not match fake data."); 442 return -1; 443 } 444 /* Check fake data length */ 445 if (x11_fake_data_len != x11_saved_data_len) { 446 error("X11 fake_data_len %d != saved_data_len %d", 447 x11_fake_data_len, x11_saved_data_len); 448 return -1; 449 } 450 /* 451 * Received authentication protocol and data match 452 * our fake data. Substitute the fake data with real 453 * data. 454 */ 455 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 456 x11_saved_data, x11_saved_data_len); 457 return 1; 458 } 459 460 void 461 channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset) 462 { 463 int ret = x11_open_helper(c); 464 if (ret == 1) { 465 /* Start normal processing for the channel. */ 466 c->type = SSH_CHANNEL_OPEN; 467 channel_pre_open_13(c, readset, writeset); 468 } else if (ret == -1) { 469 /* 470 * We have received an X11 connection that has bad 471 * authentication information. 472 */ 473 log("X11 connection rejected because of wrong authentication.\r\n"); 474 buffer_clear(&c->input); 475 buffer_clear(&c->output); 476 close(c->sock); 477 c->sock = -1; 478 c->type = SSH_CHANNEL_CLOSED; 479 packet_start(SSH_MSG_CHANNEL_CLOSE); 480 packet_put_int(c->remote_id); 481 packet_send(); 482 } 483 } 484 485 void 486 channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset) 487 { 488 int ret = x11_open_helper(c); 489 if (ret == 1) { 490 c->type = SSH_CHANNEL_OPEN; 491 if (compat20) 492 channel_pre_open_20(c, readset, writeset); 493 else 494 channel_pre_open_15(c, readset, writeset); 495 } else if (ret == -1) { 496 debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 497 chan_read_failed(c); /** force close? */ 498 chan_write_failed(c); 499 debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 500 } 501 } 502 503 /* This is our fake X11 server socket. */ 504 void 505 channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset) 506 { 507 struct sockaddr addr; 508 int newsock, newch; 509 socklen_t addrlen; 510 char buf[16384], *remote_hostname; 511 int remote_port; 512 513 if (FD_ISSET(c->sock, readset)) { 514 debug("X11 connection requested."); 515 addrlen = sizeof(addr); 516 newsock = accept(c->sock, &addr, &addrlen); 517 if (newsock < 0) { 518 error("accept: %.100s", strerror(errno)); 519 return; 520 } 521 remote_hostname = get_remote_hostname(newsock); 522 remote_port = get_peer_port(newsock); 523 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 524 remote_hostname, remote_port); 525 526 newch = channel_new("x11", 527 SSH_CHANNEL_OPENING, newsock, newsock, -1, 528 c->local_window_max, c->local_maxpacket, 529 0, xstrdup(buf)); 530 if (compat20) { 531 packet_start(SSH2_MSG_CHANNEL_OPEN); 532 packet_put_cstring("x11"); 533 packet_put_int(newch); 534 packet_put_int(c->local_window_max); 535 packet_put_int(c->local_maxpacket); 536 /* originator host and port */ 537 packet_put_cstring(remote_hostname); 538 if (datafellows & SSH_BUG_X11FWD) { 539 debug("ssh2 x11 bug compat mode"); 540 } else { 541 packet_put_int(remote_port); 542 } 543 packet_send(); 544 } else { 545 packet_start(SSH_SMSG_X11_OPEN); 546 packet_put_int(newch); 547 if (have_hostname_in_open) 548 packet_put_string(buf, strlen(buf)); 549 packet_send(); 550 } 551 xfree(remote_hostname); 552 } 553 } 554 555 /* 556 * This socket is listening for connections to a forwarded TCP/IP port. 557 */ 558 void 559 channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset) 560 { 561 struct sockaddr addr; 562 int newsock, newch; 563 socklen_t addrlen; 564 char buf[1024], *remote_hostname; 565 int remote_port; 566 567 if (FD_ISSET(c->sock, readset)) { 568 debug("Connection to port %d forwarding " 569 "to %.100s port %d requested.", 570 c->listening_port, c->path, c->host_port); 571 addrlen = sizeof(addr); 572 newsock = accept(c->sock, &addr, &addrlen); 573 if (newsock < 0) { 574 error("accept: %.100s", strerror(errno)); 575 return; 576 } 577 remote_hostname = get_remote_hostname(newsock); 578 remote_port = get_peer_port(newsock); 579 snprintf(buf, sizeof buf, 580 "listen port %d for %.100s port %d, " 581 "connect from %.200s port %d", 582 c->listening_port, c->path, c->host_port, 583 remote_hostname, remote_port); 584 newch = channel_new("direct-tcpip", 585 SSH_CHANNEL_OPENING, newsock, newsock, -1, 586 c->local_window_max, c->local_maxpacket, 587 0, xstrdup(buf)); 588 if (compat20) { 589 packet_start(SSH2_MSG_CHANNEL_OPEN); 590 packet_put_cstring("direct-tcpip"); 591 packet_put_int(newch); 592 packet_put_int(c->local_window_max); 593 packet_put_int(c->local_maxpacket); 594 /* target host and port */ 595 packet_put_string(c->path, strlen(c->path)); 596 packet_put_int(c->host_port); 597 /* originator host and port */ 598 packet_put_cstring(remote_hostname); 599 packet_put_int(remote_port); 600 packet_send(); 601 } else { 602 packet_start(SSH_MSG_PORT_OPEN); 603 packet_put_int(newch); 604 packet_put_string(c->path, strlen(c->path)); 605 packet_put_int(c->host_port); 606 if (have_hostname_in_open) { 607 packet_put_string(buf, strlen(buf)); 608 } 609 packet_send(); 610 } 611 xfree(remote_hostname); 612 } 613 } 614 615 /* 616 * This is the authentication agent socket listening for connections from 617 * clients. 618 */ 619 void 620 channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset) 621 { 622 struct sockaddr addr; 623 int newsock, newch; 624 socklen_t addrlen; 625 626 if (FD_ISSET(c->sock, readset)) { 627 addrlen = sizeof(addr); 628 newsock = accept(c->sock, &addr, &addrlen); 629 if (newsock < 0) { 630 error("accept from auth socket: %.100s", strerror(errno)); 631 return; 632 } 633 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, 634 xstrdup("accepted auth socket")); 635 packet_start(SSH_SMSG_AGENT_OPEN); 636 packet_put_int(newch); 637 packet_send(); 638 } 639 } 640 641 int 642 channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) 643 { 644 char buf[16*1024]; 645 int len; 646 647 if (c->rfd != -1 && 648 FD_ISSET(c->rfd, readset)) { 649 len = read(c->rfd, buf, sizeof(buf)); 650 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 651 return 1; 652 if (len <= 0) { 653 debug("channel %d: read<=0 rfd %d len %d", 654 c->self, c->rfd, len); 655 if (compat13) { 656 buffer_consume(&c->output, buffer_len(&c->output)); 657 c->type = SSH_CHANNEL_INPUT_DRAINING; 658 debug("Channel %d status set to input draining.", c->self); 659 } else { 660 chan_read_failed(c); 661 } 662 return -1; 663 } 664 buffer_append(&c->input, buf, len); 665 } 666 return 1; 667 } 668 int 669 channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) 670 { 671 int len; 672 673 /* Send buffered output data to the socket. */ 674 if (c->wfd != -1 && 675 FD_ISSET(c->wfd, writeset) && 676 buffer_len(&c->output) > 0) { 677 len = write(c->wfd, buffer_ptr(&c->output), 678 buffer_len(&c->output)); 679 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 680 return 1; 681 if (len <= 0) { 682 if (compat13) { 683 buffer_consume(&c->output, buffer_len(&c->output)); 684 debug("Channel %d status set to input draining.", c->self); 685 c->type = SSH_CHANNEL_INPUT_DRAINING; 686 } else { 687 chan_write_failed(c); 688 } 689 return -1; 690 } 691 buffer_consume(&c->output, len); 692 if (compat20 && len > 0) { 693 c->local_consumed += len; 694 } 695 } 696 return 1; 697 } 698 int 699 channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset) 700 { 701 char buf[16*1024]; 702 int len; 703 704 /** XXX handle drain efd, too */ 705 if (c->efd != -1) { 706 if (c->extended_usage == CHAN_EXTENDED_WRITE && 707 FD_ISSET(c->efd, writeset) && 708 buffer_len(&c->extended) > 0) { 709 len = write(c->efd, buffer_ptr(&c->extended), 710 buffer_len(&c->extended)); 711 debug("channel %d: written %d to efd %d", 712 c->self, len, c->efd); 713 if (len > 0) { 714 buffer_consume(&c->extended, len); 715 c->local_consumed += len; 716 } 717 } else if (c->extended_usage == CHAN_EXTENDED_READ && 718 FD_ISSET(c->efd, readset)) { 719 len = read(c->efd, buf, sizeof(buf)); 720 debug("channel %d: read %d from efd %d", 721 c->self, len, c->efd); 722 if (len == 0) { 723 debug("channel %d: closing efd %d", 724 c->self, c->efd); 725 close(c->efd); 726 c->efd = -1; 727 } else if (len > 0) 728 buffer_append(&c->extended, buf, len); 729 } 730 } 731 return 1; 732 } 733 int 734 channel_check_window(Channel *c, fd_set * readset, fd_set * writeset) 735 { 736 if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 737 c->local_window < c->local_window_max/2 && 738 c->local_consumed > 0) { 739 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 740 packet_put_int(c->remote_id); 741 packet_put_int(c->local_consumed); 742 packet_send(); 743 debug("channel %d: window %d sent adjust %d", 744 c->self, c->local_window, 745 c->local_consumed); 746 c->local_window += c->local_consumed; 747 c->local_consumed = 0; 748 } 749 return 1; 750 } 751 752 void 753 channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset) 754 { 755 channel_handle_rfd(c, readset, writeset); 756 channel_handle_wfd(c, readset, writeset); 757 } 758 759 void 760 channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset) 761 { 762 channel_handle_rfd(c, readset, writeset); 763 channel_handle_wfd(c, readset, writeset); 764 channel_handle_efd(c, readset, writeset); 765 channel_check_window(c, readset, writeset); 766 } 767 768 void 769 channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset) 770 { 771 int len; 772 /* Send buffered output data to the socket. */ 773 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 774 len = write(c->sock, buffer_ptr(&c->output), 775 buffer_len(&c->output)); 776 if (len <= 0) 777 buffer_consume(&c->output, buffer_len(&c->output)); 778 else 779 buffer_consume(&c->output, len); 780 } 781 } 782 783 void 784 channel_handler_init_20(void) 785 { 786 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20; 787 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 788 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 789 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 790 791 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2; 792 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 793 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 794 } 795 796 void 797 channel_handler_init_13(void) 798 { 799 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 800 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 801 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 802 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 803 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 804 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 805 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 806 807 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; 808 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 809 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 810 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 811 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 812 } 813 814 void 815 channel_handler_init_15(void) 816 { 817 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15; 818 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 819 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 820 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 821 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 822 823 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 824 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 825 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 826 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1; 827 } 828 829 void 830 channel_handler_init(void) 831 { 832 int i; 833 for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 834 channel_pre[i] = NULL; 835 channel_post[i] = NULL; 836 } 837 if (compat20) 838 channel_handler_init_20(); 839 else if (compat13) 840 channel_handler_init_13(); 841 else 842 channel_handler_init_15(); 843 } 844 845 void 846 channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset) 847 { 848 static int did_init = 0; 849 int i; 850 Channel *c; 851 852 if (!did_init) { 853 channel_handler_init(); 854 did_init = 1; 855 } 856 for (i = 0; i < channels_alloc; i++) { 857 c = &channels[i]; 858 if (c->type == SSH_CHANNEL_FREE) 859 continue; 860 if (ftab[c->type] == NULL) 861 continue; 862 (*ftab[c->type])(c, readset, writeset); 863 chan_delete_if_full_closed(c); 864 } 865 } 866 867 void 868 channel_prepare_select(fd_set * readset, fd_set * writeset) 869 { 870 channel_handler(channel_pre, readset, writeset); 871 } 872 873 void 874 channel_after_select(fd_set * readset, fd_set * writeset) 875 { 876 channel_handler(channel_post, readset, writeset); 877 } 878 879 /* If there is data to send to the connection, send some of it now. */ 880 881 void 882 channel_output_poll() 883 { 884 int len, i; 885 Channel *c; 886 887 for (i = 0; i < channels_alloc; i++) { 888 c = &channels[i]; 889 890 /* We are only interested in channels that can have buffered incoming data. */ 891 if (compat13) { 892 if (c->type != SSH_CHANNEL_OPEN && 893 c->type != SSH_CHANNEL_INPUT_DRAINING) 894 continue; 895 } else { 896 if (c->type != SSH_CHANNEL_OPEN) 897 continue; 898 if (c->istate != CHAN_INPUT_OPEN && 899 c->istate != CHAN_INPUT_WAIT_DRAIN) 900 continue; 901 } 902 if (compat20 && 903 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 904 debug("channel: %d: no data after CLOSE", c->self); 905 continue; 906 } 907 908 /* Get the amount of buffered data for this channel. */ 909 len = buffer_len(&c->input); 910 if (len > 0) { 911 /* Send some data for the other side over the secure connection. */ 912 if (compat20) { 913 if (len > c->remote_window) 914 len = c->remote_window; 915 if (len > c->remote_maxpacket) 916 len = c->remote_maxpacket; 917 } else { 918 if (packet_is_interactive()) { 919 if (len > 1024) 920 len = 512; 921 } else { 922 /* Keep the packets at reasonable size. */ 923 if (len > packet_get_maxsize()/2) 924 len = packet_get_maxsize()/2; 925 } 926 } 927 if (len > 0) { 928 packet_start(compat20 ? 929 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 930 packet_put_int(c->remote_id); 931 packet_put_string(buffer_ptr(&c->input), len); 932 packet_send(); 933 buffer_consume(&c->input, len); 934 c->remote_window -= len; 935 debug("channel %d: send data len %d", c->self, len); 936 } 937 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 938 if (compat13) 939 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 940 /* 941 * input-buffer is empty and read-socket shutdown: 942 * tell peer, that we will not send more data: send IEOF 943 */ 944 chan_ibuf_empty(c); 945 } 946 /* Send extended data, i.e. stderr */ 947 if (compat20 && 948 c->remote_window > 0 && 949 (len = buffer_len(&c->extended)) > 0 && 950 c->extended_usage == CHAN_EXTENDED_READ) { 951 if (len > c->remote_window) 952 len = c->remote_window; 953 if (len > c->remote_maxpacket) 954 len = c->remote_maxpacket; 955 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 956 packet_put_int(c->remote_id); 957 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 958 packet_put_string(buffer_ptr(&c->extended), len); 959 packet_send(); 960 buffer_consume(&c->extended, len); 961 c->remote_window -= len; 962 } 963 } 964 } 965 966 /* 967 * This is called when a packet of type CHANNEL_DATA has just been received. 968 * The message type has already been consumed, but channel number and data is 969 * still there. 970 */ 971 972 void 973 channel_input_data(int type, int plen) 974 { 975 int id; 976 char *data; 977 unsigned int data_len; 978 Channel *c; 979 980 /* Get the channel number and verify it. */ 981 id = packet_get_int(); 982 c = channel_lookup(id); 983 if (c == NULL) 984 packet_disconnect("Received data for nonexistent channel %d.", id); 985 986 /* Ignore any data for non-open channels (might happen on close) */ 987 if (c->type != SSH_CHANNEL_OPEN && 988 c->type != SSH_CHANNEL_X11_OPEN) 989 return; 990 991 /* same for protocol 1.5 if output end is no longer open */ 992 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) 993 return; 994 995 /* Get the data. */ 996 data = packet_get_string(&data_len); 997 packet_done(); 998 999 if (compat20){ 1000 if (data_len > c->local_maxpacket) { 1001 log("channel %d: rcvd big packet %d, maxpack %d", 1002 c->self, data_len, c->local_maxpacket); 1003 } 1004 if (data_len > c->local_window) { 1005 log("channel %d: rcvd too much data %d, win %d", 1006 c->self, data_len, c->local_window); 1007 xfree(data); 1008 return; 1009 } 1010 c->local_window -= data_len; 1011 }else{ 1012 packet_integrity_check(plen, 4 + 4 + data_len, type); 1013 } 1014 buffer_append(&c->output, data, data_len); 1015 xfree(data); 1016 } 1017 void 1018 channel_input_extended_data(int type, int plen) 1019 { 1020 int id; 1021 int tcode; 1022 char *data; 1023 unsigned int data_len; 1024 Channel *c; 1025 1026 /* Get the channel number and verify it. */ 1027 id = packet_get_int(); 1028 c = channel_lookup(id); 1029 1030 if (c == NULL) 1031 packet_disconnect("Received extended_data for bad channel %d.", id); 1032 if (c->type != SSH_CHANNEL_OPEN) { 1033 log("channel %d: ext data for non open", id); 1034 return; 1035 } 1036 tcode = packet_get_int(); 1037 if (c->efd == -1 || 1038 c->extended_usage != CHAN_EXTENDED_WRITE || 1039 tcode != SSH2_EXTENDED_DATA_STDERR) { 1040 log("channel %d: bad ext data", c->self); 1041 return; 1042 } 1043 data = packet_get_string(&data_len); 1044 packet_done(); 1045 if (data_len > c->local_window) { 1046 log("channel %d: rcvd too much extended_data %d, win %d", 1047 c->self, data_len, c->local_window); 1048 xfree(data); 1049 return; 1050 } 1051 debug("channel %d: rcvd ext data %d", c->self, data_len); 1052 c->local_window -= data_len; 1053 buffer_append(&c->extended, data, data_len); 1054 xfree(data); 1055 } 1056 1057 1058 /* 1059 * Returns true if no channel has too much buffered data, and false if one or 1060 * more channel is overfull. 1061 */ 1062 1063 int 1064 channel_not_very_much_buffered_data() 1065 { 1066 unsigned int i; 1067 Channel *c; 1068 1069 for (i = 0; i < channels_alloc; i++) { 1070 c = &channels[i]; 1071 if (c->type == SSH_CHANNEL_OPEN) { 1072 if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) { 1073 debug("channel %d: big input buffer %d", 1074 c->self, buffer_len(&c->input)); 1075 return 0; 1076 } 1077 if (buffer_len(&c->output) > packet_get_maxsize()) { 1078 debug("channel %d: big output buffer %d", 1079 c->self, buffer_len(&c->output)); 1080 return 0; 1081 } 1082 } 1083 } 1084 return 1; 1085 } 1086 1087 void 1088 channel_input_ieof(int type, int plen) 1089 { 1090 int id; 1091 Channel *c; 1092 1093 packet_integrity_check(plen, 4, type); 1094 1095 id = packet_get_int(); 1096 c = channel_lookup(id); 1097 if (c == NULL) 1098 packet_disconnect("Received ieof for nonexistent channel %d.", id); 1099 chan_rcvd_ieof(c); 1100 } 1101 1102 void 1103 channel_input_close(int type, int plen) 1104 { 1105 int id; 1106 Channel *c; 1107 1108 packet_integrity_check(plen, 4, type); 1109 1110 id = packet_get_int(); 1111 c = channel_lookup(id); 1112 if (c == NULL) 1113 packet_disconnect("Received close for nonexistent channel %d.", id); 1114 1115 /* 1116 * Send a confirmation that we have closed the channel and no more 1117 * data is coming for it. 1118 */ 1119 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 1120 packet_put_int(c->remote_id); 1121 packet_send(); 1122 1123 /* 1124 * If the channel is in closed state, we have sent a close request, 1125 * and the other side will eventually respond with a confirmation. 1126 * Thus, we cannot free the channel here, because then there would be 1127 * no-one to receive the confirmation. The channel gets freed when 1128 * the confirmation arrives. 1129 */ 1130 if (c->type != SSH_CHANNEL_CLOSED) { 1131 /* 1132 * Not a closed channel - mark it as draining, which will 1133 * cause it to be freed later. 1134 */ 1135 buffer_consume(&c->input, buffer_len(&c->input)); 1136 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 1137 } 1138 } 1139 1140 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 1141 void 1142 channel_input_oclose(int type, int plen) 1143 { 1144 int id = packet_get_int(); 1145 Channel *c = channel_lookup(id); 1146 packet_integrity_check(plen, 4, type); 1147 if (c == NULL) 1148 packet_disconnect("Received oclose for nonexistent channel %d.", id); 1149 chan_rcvd_oclose(c); 1150 } 1151 1152 void 1153 channel_input_close_confirmation(int type, int plen) 1154 { 1155 int id = packet_get_int(); 1156 Channel *c = channel_lookup(id); 1157 1158 packet_done(); 1159 if (c == NULL) 1160 packet_disconnect("Received close confirmation for " 1161 "out-of-range channel %d.", id); 1162 if (c->type != SSH_CHANNEL_CLOSED) 1163 packet_disconnect("Received close confirmation for " 1164 "non-closed channel %d (type %d).", id, c->type); 1165 channel_free(c->self); 1166 } 1167 1168 void 1169 channel_input_open_confirmation(int type, int plen) 1170 { 1171 int id, remote_id; 1172 Channel *c; 1173 1174 if (!compat20) 1175 packet_integrity_check(plen, 4 + 4, type); 1176 1177 id = packet_get_int(); 1178 c = channel_lookup(id); 1179 1180 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 1181 packet_disconnect("Received open confirmation for " 1182 "non-opening channel %d.", id); 1183 remote_id = packet_get_int(); 1184 /* Record the remote channel number and mark that the channel is now open. */ 1185 c->remote_id = remote_id; 1186 c->type = SSH_CHANNEL_OPEN; 1187 1188 if (compat20) { 1189 c->remote_window = packet_get_int(); 1190 c->remote_maxpacket = packet_get_int(); 1191 packet_done(); 1192 if (c->cb_fn != NULL && c->cb_event == type) { 1193 debug("callback start"); 1194 c->cb_fn(c->self, c->cb_arg); 1195 debug("callback done"); 1196 } 1197 debug("channel %d: open confirm rwindow %d rmax %d", c->self, 1198 c->remote_window, c->remote_maxpacket); 1199 } 1200 } 1201 1202 void 1203 channel_input_open_failure(int type, int plen) 1204 { 1205 int id; 1206 Channel *c; 1207 1208 if (!compat20) 1209 packet_integrity_check(plen, 4, type); 1210 1211 id = packet_get_int(); 1212 c = channel_lookup(id); 1213 1214 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 1215 packet_disconnect("Received open failure for " 1216 "non-opening channel %d.", id); 1217 if (compat20) { 1218 int reason = packet_get_int(); 1219 char *msg = packet_get_string(NULL); 1220 char *lang = packet_get_string(NULL); 1221 log("channel_open_failure: %d: reason %d: %s", id, reason, msg); 1222 packet_done(); 1223 xfree(msg); 1224 xfree(lang); 1225 } 1226 /* Free the channel. This will also close the socket. */ 1227 channel_free(id); 1228 } 1229 1230 void 1231 channel_input_channel_request(int type, int plen) 1232 { 1233 int id; 1234 Channel *c; 1235 1236 id = packet_get_int(); 1237 c = channel_lookup(id); 1238 1239 if (c == NULL || 1240 (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL)) 1241 packet_disconnect("Received request for " 1242 "non-open channel %d.", id); 1243 if (c->cb_fn != NULL && c->cb_event == type) { 1244 debug("callback start"); 1245 c->cb_fn(c->self, c->cb_arg); 1246 debug("callback done"); 1247 } else { 1248 char *service = packet_get_string(NULL); 1249 debug("channel: %d rcvd request for %s", c->self, service); 1250 debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event); 1251 xfree(service); 1252 } 1253 } 1254 1255 void 1256 channel_input_window_adjust(int type, int plen) 1257 { 1258 Channel *c; 1259 int id, adjust; 1260 1261 if (!compat20) 1262 return; 1263 1264 /* Get the channel number and verify it. */ 1265 id = packet_get_int(); 1266 c = channel_lookup(id); 1267 1268 if (c == NULL || c->type != SSH_CHANNEL_OPEN) { 1269 log("Received window adjust for " 1270 "non-open channel %d.", id); 1271 return; 1272 } 1273 adjust = packet_get_int(); 1274 packet_done(); 1275 debug("channel %d: rcvd adjust %d", id, adjust); 1276 c->remote_window += adjust; 1277 } 1278 1279 /* 1280 * Stops listening for channels, and removes any unix domain sockets that we 1281 * might have. 1282 */ 1283 1284 void 1285 channel_stop_listening() 1286 { 1287 int i; 1288 for (i = 0; i < channels_alloc; i++) { 1289 switch (channels[i].type) { 1290 case SSH_CHANNEL_AUTH_SOCKET: 1291 close(channels[i].sock); 1292 remove(channels[i].path); 1293 channel_free(i); 1294 break; 1295 case SSH_CHANNEL_PORT_LISTENER: 1296 case SSH_CHANNEL_X11_LISTENER: 1297 close(channels[i].sock); 1298 channel_free(i); 1299 break; 1300 default: 1301 break; 1302 } 1303 } 1304 } 1305 1306 /* 1307 * Closes the sockets/fds of all channels. This is used to close extra file 1308 * descriptors after a fork. 1309 */ 1310 1311 void 1312 channel_close_all() 1313 { 1314 int i; 1315 for (i = 0; i < channels_alloc; i++) 1316 if (channels[i].type != SSH_CHANNEL_FREE) 1317 channel_close_fds(&channels[i]); 1318 } 1319 1320 /* Returns the maximum file descriptor number used by the channels. */ 1321 1322 int 1323 channel_max_fd() 1324 { 1325 return channel_max_fd_value; 1326 } 1327 1328 /* Returns true if any channel is still open. */ 1329 1330 int 1331 channel_still_open() 1332 { 1333 unsigned int i; 1334 for (i = 0; i < channels_alloc; i++) 1335 switch (channels[i].type) { 1336 case SSH_CHANNEL_FREE: 1337 case SSH_CHANNEL_X11_LISTENER: 1338 case SSH_CHANNEL_PORT_LISTENER: 1339 case SSH_CHANNEL_CLOSED: 1340 case SSH_CHANNEL_AUTH_SOCKET: 1341 continue; 1342 case SSH_CHANNEL_LARVAL: 1343 if (!compat20) 1344 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 1345 continue; 1346 case SSH_CHANNEL_OPENING: 1347 case SSH_CHANNEL_OPEN: 1348 case SSH_CHANNEL_X11_OPEN: 1349 return 1; 1350 case SSH_CHANNEL_INPUT_DRAINING: 1351 case SSH_CHANNEL_OUTPUT_DRAINING: 1352 if (!compat13) 1353 fatal("cannot happen: OUT_DRAIN"); 1354 return 1; 1355 default: 1356 fatal("channel_still_open: bad channel type %d", channels[i].type); 1357 /* NOTREACHED */ 1358 } 1359 return 0; 1360 } 1361 1362 /* 1363 * Returns a message describing the currently open forwarded connections, 1364 * suitable for sending to the client. The message contains crlf pairs for 1365 * newlines. 1366 */ 1367 1368 char * 1369 channel_open_message() 1370 { 1371 Buffer buffer; 1372 int i; 1373 char buf[512], *cp; 1374 1375 buffer_init(&buffer); 1376 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 1377 buffer_append(&buffer, buf, strlen(buf)); 1378 for (i = 0; i < channels_alloc; i++) { 1379 Channel *c = &channels[i]; 1380 switch (c->type) { 1381 case SSH_CHANNEL_FREE: 1382 case SSH_CHANNEL_X11_LISTENER: 1383 case SSH_CHANNEL_PORT_LISTENER: 1384 case SSH_CHANNEL_CLOSED: 1385 case SSH_CHANNEL_AUTH_SOCKET: 1386 continue; 1387 case SSH_CHANNEL_LARVAL: 1388 case SSH_CHANNEL_OPENING: 1389 case SSH_CHANNEL_OPEN: 1390 case SSH_CHANNEL_X11_OPEN: 1391 case SSH_CHANNEL_INPUT_DRAINING: 1392 case SSH_CHANNEL_OUTPUT_DRAINING: 1393 snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n", 1394 c->self, c->remote_name, 1395 c->type, c->remote_id, 1396 c->istate, buffer_len(&c->input), 1397 c->ostate, buffer_len(&c->output), 1398 c->rfd, c->wfd); 1399 buffer_append(&buffer, buf, strlen(buf)); 1400 continue; 1401 default: 1402 fatal("channel_open_message: bad channel type %d", c->type); 1403 /* NOTREACHED */ 1404 } 1405 } 1406 buffer_append(&buffer, "\0", 1); 1407 cp = xstrdup(buffer_ptr(&buffer)); 1408 buffer_free(&buffer); 1409 return cp; 1410 } 1411 1412 /* 1413 * Initiate forwarding of connections to local port "port" through the secure 1414 * channel to host:port from remote side. 1415 */ 1416 1417 void 1418 channel_request_local_forwarding(u_short port, const char *host, 1419 u_short host_port, int gateway_ports) 1420 { 1421 int success, ch, sock, on = 1; 1422 struct addrinfo hints, *ai, *aitop; 1423 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 1424 struct linger linger; 1425 1426 if (strlen(host) > sizeof(channels[0].path) - 1) 1427 packet_disconnect("Forward host name too long."); 1428 1429 /* 1430 * getaddrinfo returns a loopback address if the hostname is 1431 * set to NULL and hints.ai_flags is not AI_PASSIVE 1432 */ 1433 memset(&hints, 0, sizeof(hints)); 1434 hints.ai_family = IPv4or6; 1435 hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; 1436 hints.ai_socktype = SOCK_STREAM; 1437 snprintf(strport, sizeof strport, "%d", port); 1438 if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) 1439 packet_disconnect("getaddrinfo: fatal error"); 1440 1441 success = 0; 1442 for (ai = aitop; ai; ai = ai->ai_next) { 1443 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1444 continue; 1445 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 1446 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 1447 error("channel_request_local_forwarding: getnameinfo failed"); 1448 continue; 1449 } 1450 /* Create a port to listen for the host. */ 1451 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1452 if (sock < 0) { 1453 /* this is no error since kernel may not support ipv6 */ 1454 verbose("socket: %.100s", strerror(errno)); 1455 continue; 1456 } 1457 /* 1458 * Set socket options. We would like the socket to disappear 1459 * as soon as it has been closed for whatever reason. 1460 */ 1461 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); 1462 linger.l_onoff = 1; 1463 linger.l_linger = 5; 1464 setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); 1465 debug("Local forwarding listening on %s port %s.", ntop, strport); 1466 1467 /* Bind the socket to the address. */ 1468 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1469 /* address can be in use ipv6 address is already bound */ 1470 verbose("bind: %.100s", strerror(errno)); 1471 close(sock); 1472 continue; 1473 } 1474 /* Start listening for connections on the socket. */ 1475 if (listen(sock, 5) < 0) { 1476 error("listen: %.100s", strerror(errno)); 1477 close(sock); 1478 continue; 1479 } 1480 /* Allocate a channel number for the socket. */ 1481 ch = channel_new( 1482 "port listener", SSH_CHANNEL_PORT_LISTENER, 1483 sock, sock, -1, 1484 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1485 0, xstrdup("port listener")); 1486 strlcpy(channels[ch].path, host, sizeof(channels[ch].path)); 1487 channels[ch].host_port = host_port; 1488 channels[ch].listening_port = port; 1489 success = 1; 1490 } 1491 if (success == 0) 1492 packet_disconnect("cannot listen port: %d", port); 1493 freeaddrinfo(aitop); 1494 } 1495 1496 /* 1497 * Initiate forwarding of connections to port "port" on remote host through 1498 * the secure channel to host:port from local side. 1499 */ 1500 1501 void 1502 channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect, 1503 u_short port_to_connect) 1504 { 1505 int payload_len; 1506 /* Record locally that connection to this host/port is permitted. */ 1507 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 1508 fatal("channel_request_remote_forwarding: too many forwards"); 1509 1510 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 1511 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 1512 permitted_opens[num_permitted_opens].listen_port = listen_port; 1513 num_permitted_opens++; 1514 1515 /* Send the forward request to the remote side. */ 1516 if (compat20) { 1517 const char *address_to_bind = "0.0.0.0"; 1518 packet_start(SSH2_MSG_GLOBAL_REQUEST); 1519 packet_put_cstring("tcpip-forward"); 1520 packet_put_char(0); /* boolean: want reply */ 1521 packet_put_cstring(address_to_bind); 1522 packet_put_int(listen_port); 1523 } else { 1524 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 1525 packet_put_int(listen_port); 1526 packet_put_cstring(host_to_connect); 1527 packet_put_int(port_to_connect); 1528 packet_send(); 1529 packet_write_wait(); 1530 /* 1531 * Wait for response from the remote side. It will send a disconnect 1532 * message on failure, and we will never see it here. 1533 */ 1534 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); 1535 } 1536 } 1537 1538 /* 1539 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 1540 * listening for the port, and sends back a success reply (or disconnect 1541 * message if there was an error). This never returns if there was an error. 1542 */ 1543 1544 void 1545 channel_input_port_forward_request(int is_root, int gateway_ports) 1546 { 1547 u_short port, host_port; 1548 char *hostname; 1549 1550 /* Get arguments from the packet. */ 1551 port = packet_get_int(); 1552 hostname = packet_get_string(NULL); 1553 host_port = packet_get_int(); 1554 1555 /* 1556 * Check that an unprivileged user is not trying to forward a 1557 * privileged port. 1558 */ 1559 if (port < IPPORT_RESERVED && !is_root) 1560 packet_disconnect("Requested forwarding of port %d but user is not root.", 1561 port); 1562 /* 1563 * Initiate forwarding, 1564 */ 1565 channel_request_local_forwarding(port, hostname, host_port, gateway_ports); 1566 1567 /* Free the argument string. */ 1568 xfree(hostname); 1569 } 1570 1571 /* XXX move to aux.c */ 1572 int 1573 channel_connect_to(const char *host, u_short host_port) 1574 { 1575 struct addrinfo hints, *ai, *aitop; 1576 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 1577 int gaierr; 1578 int sock = -1; 1579 1580 memset(&hints, 0, sizeof(hints)); 1581 hints.ai_family = IPv4or6; 1582 hints.ai_socktype = SOCK_STREAM; 1583 snprintf(strport, sizeof strport, "%d", host_port); 1584 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { 1585 error("%.100s: unknown host (%s)", host, gai_strerror(gaierr)); 1586 return -1; 1587 } 1588 for (ai = aitop; ai; ai = ai->ai_next) { 1589 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1590 continue; 1591 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 1592 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 1593 error("channel_connect_to: getnameinfo failed"); 1594 continue; 1595 } 1596 /* Create the socket. */ 1597 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1598 if (sock < 0) { 1599 error("socket: %.100s", strerror(errno)); 1600 continue; 1601 } 1602 /* Connect to the host/port. */ 1603 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1604 error("connect %.100s port %s: %.100s", ntop, strport, 1605 strerror(errno)); 1606 close(sock); 1607 continue; /* fail -- try next */ 1608 } 1609 break; /* success */ 1610 1611 } 1612 freeaddrinfo(aitop); 1613 if (!ai) { 1614 error("connect %.100s port %d: failed.", host, host_port); 1615 return -1; 1616 } 1617 /* success */ 1618 return sock; 1619 } 1620 /* 1621 * This is called after receiving PORT_OPEN message. This attempts to 1622 * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION 1623 * or CHANNEL_OPEN_FAILURE. 1624 */ 1625 1626 void 1627 channel_input_port_open(int type, int plen) 1628 { 1629 u_short host_port; 1630 char *host, *originator_string; 1631 int remote_channel, sock = -1, newch, i, denied; 1632 unsigned int host_len, originator_len; 1633 1634 /* Get remote channel number. */ 1635 remote_channel = packet_get_int(); 1636 1637 /* Get host name to connect to. */ 1638 host = packet_get_string(&host_len); 1639 1640 /* Get port to connect to. */ 1641 host_port = packet_get_int(); 1642 1643 /* Get remote originator name. */ 1644 if (have_hostname_in_open) { 1645 originator_string = packet_get_string(&originator_len); 1646 originator_len += 4; /* size of packet_int */ 1647 } else { 1648 originator_string = xstrdup("unknown (remote did not supply name)"); 1649 originator_len = 0; /* no originator supplied */ 1650 } 1651 1652 packet_integrity_check(plen, 1653 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN); 1654 1655 /* Check if opening that port is permitted. */ 1656 denied = 0; 1657 if (!all_opens_permitted) { 1658 /* Go trough all permitted ports. */ 1659 for (i = 0; i < num_permitted_opens; i++) 1660 if (permitted_opens[i].port_to_connect == host_port && 1661 strcmp(permitted_opens[i].host_to_connect, host) == 0) 1662 break; 1663 1664 /* Check if we found the requested port among those permitted. */ 1665 if (i >= num_permitted_opens) { 1666 /* The port is not permitted. */ 1667 log("Received request to connect to %.100s:%d, but the request was denied.", 1668 host, host_port); 1669 denied = 1; 1670 } 1671 } 1672 sock = denied ? -1 : channel_connect_to(host, host_port); 1673 if (sock > 0) { 1674 /* Allocate a channel for this connection. */ 1675 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string); 1676 channels[newch].remote_id = remote_channel; 1677 1678 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1679 packet_put_int(remote_channel); 1680 packet_put_int(newch); 1681 packet_send(); 1682 } else { 1683 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1684 packet_put_int(remote_channel); 1685 packet_send(); 1686 } 1687 xfree(host); 1688 } 1689 1690 /* 1691 * Creates an internet domain socket for listening for X11 connections. 1692 * Returns a suitable value for the DISPLAY variable, or NULL if an error 1693 * occurs. 1694 */ 1695 1696 #define NUM_SOCKS 10 1697 1698 char * 1699 x11_create_display_inet(int screen_number, int x11_display_offset) 1700 { 1701 int display_number, sock; 1702 u_short port; 1703 struct addrinfo hints, *ai, *aitop; 1704 char strport[NI_MAXSERV]; 1705 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 1706 char display[512]; 1707 char hostname[MAXHOSTNAMELEN]; 1708 1709 for (display_number = x11_display_offset; 1710 display_number < MAX_DISPLAYS; 1711 display_number++) { 1712 port = 6000 + display_number; 1713 memset(&hints, 0, sizeof(hints)); 1714 hints.ai_family = IPv4or6; 1715 hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */ 1716 hints.ai_socktype = SOCK_STREAM; 1717 snprintf(strport, sizeof strport, "%d", port); 1718 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 1719 error("getaddrinfo: %.100s", gai_strerror(gaierr)); 1720 return NULL; 1721 } 1722 for (ai = aitop; ai; ai = ai->ai_next) { 1723 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1724 continue; 1725 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1726 if (sock < 0) { 1727 error("socket: %.100s", strerror(errno)); 1728 return NULL; 1729 } 1730 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1731 debug("bind port %d: %.100s", port, strerror(errno)); 1732 shutdown(sock, SHUT_RDWR); 1733 close(sock); 1734 for (n = 0; n < num_socks; n++) { 1735 shutdown(socks[n], SHUT_RDWR); 1736 close(socks[n]); 1737 } 1738 num_socks = 0; 1739 break; 1740 } 1741 socks[num_socks++] = sock; 1742 if (num_socks == NUM_SOCKS) 1743 break; 1744 } 1745 if (num_socks > 0) 1746 break; 1747 } 1748 if (display_number >= MAX_DISPLAYS) { 1749 error("Failed to allocate internet-domain X11 display socket."); 1750 return NULL; 1751 } 1752 /* Start listening for connections on the socket. */ 1753 for (n = 0; n < num_socks; n++) { 1754 sock = socks[n]; 1755 if (listen(sock, 5) < 0) { 1756 error("listen: %.100s", strerror(errno)); 1757 shutdown(sock, SHUT_RDWR); 1758 close(sock); 1759 return NULL; 1760 } 1761 } 1762 1763 /* Set up a suitable value for the DISPLAY variable. */ 1764 if (gethostname(hostname, sizeof(hostname)) < 0) 1765 fatal("gethostname: %.100s", strerror(errno)); 1766 snprintf(display, sizeof display, "%.400s:%d.%d", hostname, 1767 display_number, screen_number); 1768 1769 /* Allocate a channel for each socket. */ 1770 for (n = 0; n < num_socks; n++) { 1771 sock = socks[n]; 1772 (void) channel_new("x11 listener", 1773 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 1774 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 1775 0, xstrdup("X11 inet listener")); 1776 } 1777 1778 /* Return a suitable value for the DISPLAY environment variable. */ 1779 return xstrdup(display); 1780 } 1781 1782 #ifndef X_UNIX_PATH 1783 #define X_UNIX_PATH "/tmp/.X11-unix/X" 1784 #endif 1785 1786 static 1787 int 1788 connect_local_xsocket(unsigned int dnr) 1789 { 1790 static const char *const x_sockets[] = { 1791 X_UNIX_PATH "%u", 1792 "/var/X/.X11-unix/X" "%u", 1793 "/usr/spool/sockets/X11/" "%u", 1794 NULL 1795 }; 1796 int sock; 1797 struct sockaddr_un addr; 1798 const char *const * path; 1799 1800 for (path = x_sockets; *path; ++path) { 1801 sock = socket(AF_UNIX, SOCK_STREAM, 0); 1802 if (sock < 0) 1803 error("socket: %.100s", strerror(errno)); 1804 memset(&addr, 0, sizeof(addr)); 1805 addr.sun_family = AF_UNIX; 1806 snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr); 1807 if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0) 1808 return sock; 1809 close(sock); 1810 } 1811 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 1812 return -1; 1813 } 1814 1815 int 1816 x11_connect_display(void) 1817 { 1818 int display_number, sock = 0; 1819 const char *display; 1820 char buf[1024], *cp; 1821 struct addrinfo hints, *ai, *aitop; 1822 char strport[NI_MAXSERV]; 1823 int gaierr; 1824 1825 /* Try to open a socket for the local X server. */ 1826 display = getenv("DISPLAY"); 1827 if (!display) { 1828 error("DISPLAY not set."); 1829 return -1; 1830 } 1831 /* 1832 * Now we decode the value of the DISPLAY variable and make a 1833 * connection to the real X server. 1834 */ 1835 1836 /* 1837 * Check if it is a unix domain socket. Unix domain displays are in 1838 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 1839 */ 1840 if (strncmp(display, "unix:", 5) == 0 || 1841 display[0] == ':') { 1842 /* Connect to the unix domain socket. */ 1843 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) { 1844 error("Could not parse display number from DISPLAY: %.100s", 1845 display); 1846 return -1; 1847 } 1848 /* Create a socket. */ 1849 sock = connect_local_xsocket(display_number); 1850 if (sock < 0) 1851 return -1; 1852 1853 /* OK, we now have a connection to the display. */ 1854 return sock; 1855 } 1856 /* 1857 * Connect to an inet socket. The DISPLAY value is supposedly 1858 * hostname:d[.s], where hostname may also be numeric IP address. 1859 */ 1860 strncpy(buf, display, sizeof(buf)); 1861 buf[sizeof(buf) - 1] = 0; 1862 cp = strchr(buf, ':'); 1863 if (!cp) { 1864 error("Could not find ':' in DISPLAY: %.100s", display); 1865 return -1; 1866 } 1867 *cp = 0; 1868 /* buf now contains the host name. But first we parse the display number. */ 1869 if (sscanf(cp + 1, "%d", &display_number) != 1) { 1870 error("Could not parse display number from DISPLAY: %.100s", 1871 display); 1872 return -1; 1873 } 1874 1875 /* Look up the host address */ 1876 memset(&hints, 0, sizeof(hints)); 1877 hints.ai_family = IPv4or6; 1878 hints.ai_socktype = SOCK_STREAM; 1879 snprintf(strport, sizeof strport, "%d", 6000 + display_number); 1880 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 1881 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); 1882 return -1; 1883 } 1884 for (ai = aitop; ai; ai = ai->ai_next) { 1885 /* Create a socket. */ 1886 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1887 if (sock < 0) { 1888 debug("socket: %.100s", strerror(errno)); 1889 continue; 1890 } 1891 /* Connect it to the display. */ 1892 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1893 debug("connect %.100s port %d: %.100s", buf, 1894 6000 + display_number, strerror(errno)); 1895 close(sock); 1896 continue; 1897 } 1898 /* Success */ 1899 break; 1900 } 1901 freeaddrinfo(aitop); 1902 if (!ai) { 1903 error("connect %.100s port %d: %.100s", buf, 6000 + display_number, 1904 strerror(errno)); 1905 return -1; 1906 } 1907 return sock; 1908 } 1909 1910 /* 1911 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 1912 * the remote channel number. We should do whatever we want, and respond 1913 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 1914 */ 1915 1916 void 1917 x11_input_open(int type, int plen) 1918 { 1919 int remote_channel, sock = 0, newch; 1920 char *remote_host; 1921 unsigned int remote_len; 1922 1923 /* Get remote channel number. */ 1924 remote_channel = packet_get_int(); 1925 1926 /* Get remote originator name. */ 1927 if (have_hostname_in_open) { 1928 remote_host = packet_get_string(&remote_len); 1929 remote_len += 4; 1930 } else { 1931 remote_host = xstrdup("unknown (remote did not supply name)"); 1932 remote_len = 0; 1933 } 1934 1935 debug("Received X11 open request."); 1936 packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN); 1937 1938 /* Obtain a connection to the real X display. */ 1939 sock = x11_connect_display(); 1940 if (sock == -1) { 1941 /* Send refusal to the remote host. */ 1942 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1943 packet_put_int(remote_channel); 1944 packet_send(); 1945 } else { 1946 /* Allocate a channel for this connection. */ 1947 newch = channel_allocate( 1948 (x11_saved_proto == NULL) ? 1949 SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN, 1950 sock, remote_host); 1951 channels[newch].remote_id = remote_channel; 1952 1953 /* Send a confirmation to the remote host. */ 1954 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1955 packet_put_int(remote_channel); 1956 packet_put_int(newch); 1957 packet_send(); 1958 } 1959 } 1960 1961 /* 1962 * Requests forwarding of X11 connections, generates fake authentication 1963 * data, and enables authentication spoofing. 1964 */ 1965 1966 void 1967 x11_request_forwarding_with_spoofing(int client_session_id, 1968 const char *proto, const char *data) 1969 { 1970 unsigned int data_len = (unsigned int) strlen(data) / 2; 1971 unsigned int i, value; 1972 char *new_data; 1973 int screen_number; 1974 const char *cp; 1975 u_int32_t rand = 0; 1976 1977 cp = getenv("DISPLAY"); 1978 if (cp) 1979 cp = strchr(cp, ':'); 1980 if (cp) 1981 cp = strchr(cp, '.'); 1982 if (cp) 1983 screen_number = atoi(cp + 1); 1984 else 1985 screen_number = 0; 1986 1987 /* Save protocol name. */ 1988 x11_saved_proto = xstrdup(proto); 1989 1990 /* 1991 * Extract real authentication data and generate fake data of the 1992 * same length. 1993 */ 1994 x11_saved_data = xmalloc(data_len); 1995 x11_fake_data = xmalloc(data_len); 1996 for (i = 0; i < data_len; i++) { 1997 if (sscanf(data + 2 * i, "%2x", &value) != 1) 1998 fatal("x11_request_forwarding: bad authentication data: %.100s", data); 1999 if (i % 4 == 0) 2000 rand = arc4random(); 2001 x11_saved_data[i] = value; 2002 x11_fake_data[i] = rand & 0xff; 2003 rand >>= 8; 2004 } 2005 x11_saved_data_len = data_len; 2006 x11_fake_data_len = data_len; 2007 2008 /* Convert the fake data into hex. */ 2009 new_data = xmalloc(2 * data_len + 1); 2010 for (i = 0; i < data_len; i++) 2011 sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]); 2012 2013 /* Send the request packet. */ 2014 if (compat20) { 2015 channel_request_start(client_session_id, "x11-req", 0); 2016 packet_put_char(0); /* XXX bool single connection */ 2017 } else { 2018 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 2019 } 2020 packet_put_cstring(proto); 2021 packet_put_cstring(new_data); 2022 packet_put_int(screen_number); 2023 packet_send(); 2024 packet_write_wait(); 2025 xfree(new_data); 2026 } 2027 2028 /* Sends a message to the server to request authentication fd forwarding. */ 2029 2030 void 2031 auth_request_forwarding() 2032 { 2033 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 2034 packet_send(); 2035 packet_write_wait(); 2036 } 2037 2038 /* 2039 * Returns the name of the forwarded authentication socket. Returns NULL if 2040 * there is no forwarded authentication socket. The returned value points to 2041 * a static buffer. 2042 */ 2043 2044 char * 2045 auth_get_socket_name() 2046 { 2047 return channel_forwarded_auth_socket_name; 2048 } 2049 2050 /* removes the agent forwarding socket */ 2051 2052 void 2053 cleanup_socket(void) 2054 { 2055 remove(channel_forwarded_auth_socket_name); 2056 rmdir(channel_forwarded_auth_socket_dir); 2057 } 2058 2059 /* 2060 * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. 2061 * This starts forwarding authentication requests. 2062 */ 2063 2064 int 2065 auth_input_request_forwarding(struct passwd * pw) 2066 { 2067 int sock, newch; 2068 struct sockaddr_un sunaddr; 2069 2070 if (auth_get_socket_name() != NULL) 2071 fatal("Protocol error: authentication forwarding requested twice."); 2072 2073 /* Temporarily drop privileged uid for mkdir/bind. */ 2074 temporarily_use_uid(pw->pw_uid); 2075 2076 /* Allocate a buffer for the socket name, and format the name. */ 2077 channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME); 2078 channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME); 2079 strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); 2080 2081 /* Create private directory for socket */ 2082 if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) { 2083 packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s", 2084 strerror(errno)); 2085 restore_uid(); 2086 xfree(channel_forwarded_auth_socket_name); 2087 xfree(channel_forwarded_auth_socket_dir); 2088 channel_forwarded_auth_socket_name = NULL; 2089 channel_forwarded_auth_socket_dir = NULL; 2090 return 0; 2091 } 2092 snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", 2093 channel_forwarded_auth_socket_dir, (int) getpid()); 2094 2095 if (atexit(cleanup_socket) < 0) { 2096 int saved = errno; 2097 cleanup_socket(); 2098 packet_disconnect("socket: %.100s", strerror(saved)); 2099 } 2100 /* Create the socket. */ 2101 sock = socket(AF_UNIX, SOCK_STREAM, 0); 2102 if (sock < 0) 2103 packet_disconnect("socket: %.100s", strerror(errno)); 2104 2105 /* Bind it to the name. */ 2106 memset(&sunaddr, 0, sizeof(sunaddr)); 2107 sunaddr.sun_family = AF_UNIX; 2108 strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name, 2109 sizeof(sunaddr.sun_path)); 2110 2111 if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) 2112 packet_disconnect("bind: %.100s", strerror(errno)); 2113 2114 /* Restore the privileged uid. */ 2115 restore_uid(); 2116 2117 /* Start listening on the socket. */ 2118 if (listen(sock, 5) < 0) 2119 packet_disconnect("listen: %.100s", strerror(errno)); 2120 2121 /* Allocate a channel for the authentication agent socket. */ 2122 newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock, 2123 xstrdup("auth socket")); 2124 strlcpy(channels[newch].path, channel_forwarded_auth_socket_name, 2125 sizeof(channels[newch].path)); 2126 return 1; 2127 } 2128 2129 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ 2130 2131 void 2132 auth_input_open_request(int type, int plen) 2133 { 2134 int remch, sock, newch; 2135 char *dummyname; 2136 2137 packet_integrity_check(plen, 4, type); 2138 2139 /* Read the remote channel number from the message. */ 2140 remch = packet_get_int(); 2141 2142 /* 2143 * Get a connection to the local authentication agent (this may again 2144 * get forwarded). 2145 */ 2146 sock = ssh_get_authentication_socket(); 2147 2148 /* 2149 * If we could not connect the agent, send an error message back to 2150 * the server. This should never happen unless the agent dies, 2151 * because authentication forwarding is only enabled if we have an 2152 * agent. 2153 */ 2154 if (sock < 0) { 2155 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2156 packet_put_int(remch); 2157 packet_send(); 2158 return; 2159 } 2160 debug("Forwarding authentication connection."); 2161 2162 /* 2163 * Dummy host name. This will be freed when the channel is freed; it 2164 * will still be valid in the packet_put_string below since the 2165 * channel cannot yet be freed at that point. 2166 */ 2167 dummyname = xstrdup("authentication agent connection"); 2168 2169 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname); 2170 channels[newch].remote_id = remch; 2171 2172 /* Send a confirmation to the remote host. */ 2173 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 2174 packet_put_int(remch); 2175 packet_put_int(newch); 2176 packet_send(); 2177 } 2178 2179 void 2180 channel_start_open(int id) 2181 { 2182 Channel *c = channel_lookup(id); 2183 if (c == NULL) { 2184 log("channel_open: %d: bad id", id); 2185 return; 2186 } 2187 debug("send channel open %d", id); 2188 packet_start(SSH2_MSG_CHANNEL_OPEN); 2189 packet_put_cstring(c->ctype); 2190 packet_put_int(c->self); 2191 packet_put_int(c->local_window); 2192 packet_put_int(c->local_maxpacket); 2193 } 2194 void 2195 channel_open(int id) 2196 { 2197 /* XXX REMOVE ME */ 2198 channel_start_open(id); 2199 packet_send(); 2200 } 2201 void 2202 channel_request(int id, char *service, int wantconfirm) 2203 { 2204 channel_request_start(id, service, wantconfirm); 2205 packet_send(); 2206 debug("channel request %d: %s", id, service) ; 2207 } 2208 void 2209 channel_request_start(int id, char *service, int wantconfirm) 2210 { 2211 Channel *c = channel_lookup(id); 2212 if (c == NULL) { 2213 log("channel_request: %d: bad id", id); 2214 return; 2215 } 2216 packet_start(SSH2_MSG_CHANNEL_REQUEST); 2217 packet_put_int(c->remote_id); 2218 packet_put_cstring(service); 2219 packet_put_char(wantconfirm); 2220 } 2221 void 2222 channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg) 2223 { 2224 Channel *c = channel_lookup(id); 2225 if (c == NULL) { 2226 log("channel_register_callback: %d: bad id", id); 2227 return; 2228 } 2229 c->cb_event = mtype; 2230 c->cb_fn = fn; 2231 c->cb_arg = arg; 2232 } 2233 void 2234 channel_register_cleanup(int id, channel_callback_fn *fn) 2235 { 2236 Channel *c = channel_lookup(id); 2237 if (c == NULL) { 2238 log("channel_register_cleanup: %d: bad id", id); 2239 return; 2240 } 2241 c->dettach_user = fn; 2242 } 2243 void 2244 channel_cancel_cleanup(int id) 2245 { 2246 Channel *c = channel_lookup(id); 2247 if (c == NULL) { 2248 log("channel_cancel_cleanup: %d: bad id", id); 2249 return; 2250 } 2251 c->dettach_user = NULL; 2252 } 2253 2254 void 2255 channel_set_fds(int id, int rfd, int wfd, int efd, int extusage) 2256 { 2257 Channel *c = channel_lookup(id); 2258 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 2259 fatal("channel_activate for non-larval channel %d.", id); 2260 2261 channel_register_fds(c, rfd, wfd, efd, extusage); 2262 c->type = SSH_CHANNEL_OPEN; 2263 /* XXX window size? */ 2264 c->local_window = c->local_window_max = c->local_maxpacket/2; 2265 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 2266 packet_put_int(c->remote_id); 2267 packet_put_int(c->local_window); 2268 packet_send(); 2269 } 2270