1 /* $OpenBSD: channels.c,v 1.266 2006/08/29 10:40:18 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 44 #include <sys/types.h> 45 #include <sys/ioctl.h> 46 #include <sys/un.h> 47 #include <sys/socket.h> 48 #ifdef HAVE_SYS_TIME_H 49 # include <sys/time.h> 50 #endif 51 52 #include <netinet/in.h> 53 #include <arpa/inet.h> 54 55 #include <errno.h> 56 #include <netdb.h> 57 #include <stdio.h> 58 #include <stdlib.h> 59 #include <string.h> 60 #include <termios.h> 61 #include <unistd.h> 62 #include <stdarg.h> 63 64 #include "xmalloc.h" 65 #include "ssh.h" 66 #include "ssh1.h" 67 #include "ssh2.h" 68 #include "packet.h" 69 #include "log.h" 70 #include "misc.h" 71 #include "buffer.h" 72 #include "channels.h" 73 #include "compat.h" 74 #include "canohost.h" 75 #include "key.h" 76 #include "authfd.h" 77 #include "pathnames.h" 78 79 /* -- channel core */ 80 81 /* 82 * Pointer to an array containing all allocated channels. The array is 83 * dynamically extended as needed. 84 */ 85 static Channel **channels = NULL; 86 87 /* 88 * Size of the channel array. All slots of the array must always be 89 * initialized (at least the type field); unused slots set to NULL 90 */ 91 static u_int channels_alloc = 0; 92 93 /* 94 * Maximum file descriptor value used in any of the channels. This is 95 * updated in channel_new. 96 */ 97 static int channel_max_fd = 0; 98 99 100 /* -- tcp forwarding */ 101 102 /* 103 * Data structure for storing which hosts are permitted for forward requests. 104 * The local sides of any remote forwards are stored in this array to prevent 105 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 106 * network (which might be behind a firewall). 107 */ 108 typedef struct { 109 char *host_to_connect; /* Connect to 'host'. */ 110 u_short port_to_connect; /* Connect to 'port'. */ 111 u_short listen_port; /* Remote side should listen port number. */ 112 } ForwardPermission; 113 114 /* List of all permitted host/port pairs to connect by the user. */ 115 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 116 117 /* List of all permitted host/port pairs to connect by the admin. */ 118 static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 119 120 /* Number of permitted host/port pairs in the array permitted by the user. */ 121 static int num_permitted_opens = 0; 122 123 /* Number of permitted host/port pair in the array permitted by the admin. */ 124 static int num_adm_permitted_opens = 0; 125 126 /* 127 * If this is true, all opens are permitted. This is the case on the server 128 * on which we have to trust the client anyway, and the user could do 129 * anything after logging in anyway. 130 */ 131 static int all_opens_permitted = 0; 132 133 134 /* -- X11 forwarding */ 135 136 /* Maximum number of fake X11 displays to try. */ 137 #define MAX_DISPLAYS 1000 138 139 /* Saved X11 local (client) display. */ 140 static char *x11_saved_display = NULL; 141 142 /* Saved X11 authentication protocol name. */ 143 static char *x11_saved_proto = NULL; 144 145 /* Saved X11 authentication data. This is the real data. */ 146 static char *x11_saved_data = NULL; 147 static u_int x11_saved_data_len = 0; 148 149 /* 150 * Fake X11 authentication data. This is what the server will be sending us; 151 * we should replace any occurrences of this by the real data. 152 */ 153 static u_char *x11_fake_data = NULL; 154 static u_int x11_fake_data_len; 155 156 157 /* -- agent forwarding */ 158 159 #define NUM_SOCKS 10 160 161 /* AF_UNSPEC or AF_INET or AF_INET6 */ 162 static int IPv4or6 = AF_UNSPEC; 163 164 /* helper */ 165 static void port_open_helper(Channel *c, char *rtype); 166 167 /* -- channel core */ 168 169 Channel * 170 channel_by_id(int id) 171 { 172 Channel *c; 173 174 if (id < 0 || (u_int)id >= channels_alloc) { 175 logit("channel_by_id: %d: bad id", id); 176 return NULL; 177 } 178 c = channels[id]; 179 if (c == NULL) { 180 logit("channel_by_id: %d: bad id: channel free", id); 181 return NULL; 182 } 183 return c; 184 } 185 186 /* 187 * Returns the channel if it is allowed to receive protocol messages. 188 * Private channels, like listening sockets, may not receive messages. 189 */ 190 Channel * 191 channel_lookup(int id) 192 { 193 Channel *c; 194 195 if ((c = channel_by_id(id)) == NULL) 196 return (NULL); 197 198 switch (c->type) { 199 case SSH_CHANNEL_X11_OPEN: 200 case SSH_CHANNEL_LARVAL: 201 case SSH_CHANNEL_CONNECTING: 202 case SSH_CHANNEL_DYNAMIC: 203 case SSH_CHANNEL_OPENING: 204 case SSH_CHANNEL_OPEN: 205 case SSH_CHANNEL_INPUT_DRAINING: 206 case SSH_CHANNEL_OUTPUT_DRAINING: 207 return (c); 208 } 209 logit("Non-public channel %d, type %d.", id, c->type); 210 return (NULL); 211 } 212 213 /* 214 * Register filedescriptors for a channel, used when allocating a channel or 215 * when the channel consumer/producer is ready, e.g. shell exec'd 216 */ 217 static void 218 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 219 int extusage, int nonblock) 220 { 221 /* Update the maximum file descriptor value. */ 222 channel_max_fd = MAX(channel_max_fd, rfd); 223 channel_max_fd = MAX(channel_max_fd, wfd); 224 channel_max_fd = MAX(channel_max_fd, efd); 225 226 /* XXX set close-on-exec -markus */ 227 228 c->rfd = rfd; 229 c->wfd = wfd; 230 c->sock = (rfd == wfd) ? rfd : -1; 231 c->ctl_fd = -1; /* XXX: set elsewhere */ 232 c->efd = efd; 233 c->extended_usage = extusage; 234 235 /* XXX ugly hack: nonblock is only set by the server */ 236 if (nonblock && isatty(c->rfd)) { 237 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 238 c->isatty = 1; 239 if (!isatty(c->wfd)) { 240 error("channel %d: wfd %d is not a tty?", 241 c->self, c->wfd); 242 } 243 } else { 244 c->isatty = 0; 245 } 246 c->wfd_isatty = isatty(c->wfd); 247 248 /* enable nonblocking mode */ 249 if (nonblock) { 250 if (rfd != -1) 251 set_nonblock(rfd); 252 if (wfd != -1) 253 set_nonblock(wfd); 254 if (efd != -1) 255 set_nonblock(efd); 256 } 257 } 258 259 /* 260 * Allocate a new channel object and set its type and socket. This will cause 261 * remote_name to be freed. 262 */ 263 Channel * 264 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 265 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 266 { 267 int found; 268 u_int i; 269 Channel *c; 270 271 /* Do initial allocation if this is the first call. */ 272 if (channels_alloc == 0) { 273 channels_alloc = 10; 274 channels = xcalloc(channels_alloc, sizeof(Channel *)); 275 for (i = 0; i < channels_alloc; i++) 276 channels[i] = NULL; 277 } 278 /* Try to find a free slot where to put the new channel. */ 279 for (found = -1, i = 0; i < channels_alloc; i++) 280 if (channels[i] == NULL) { 281 /* Found a free slot. */ 282 found = (int)i; 283 break; 284 } 285 if (found < 0) { 286 /* There are no free slots. Take last+1 slot and expand the array. */ 287 found = channels_alloc; 288 if (channels_alloc > 10000) 289 fatal("channel_new: internal error: channels_alloc %d " 290 "too big.", channels_alloc); 291 channels = xrealloc(channels, channels_alloc + 10, 292 sizeof(Channel *)); 293 channels_alloc += 10; 294 debug2("channel: expanding %d", channels_alloc); 295 for (i = found; i < channels_alloc; i++) 296 channels[i] = NULL; 297 } 298 /* Initialize and return new channel. */ 299 c = channels[found] = xcalloc(1, sizeof(Channel)); 300 buffer_init(&c->input); 301 buffer_init(&c->output); 302 buffer_init(&c->extended); 303 c->ostate = CHAN_OUTPUT_OPEN; 304 c->istate = CHAN_INPUT_OPEN; 305 c->flags = 0; 306 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 307 c->self = found; 308 c->type = type; 309 c->ctype = ctype; 310 c->local_window = window; 311 c->local_window_max = window; 312 c->local_consumed = 0; 313 c->local_maxpacket = maxpack; 314 c->remote_id = -1; 315 c->remote_name = xstrdup(remote_name); 316 c->remote_window = 0; 317 c->remote_maxpacket = 0; 318 c->force_drain = 0; 319 c->single_connection = 0; 320 c->detach_user = NULL; 321 c->detach_close = 0; 322 c->confirm = NULL; 323 c->confirm_ctx = NULL; 324 c->input_filter = NULL; 325 c->output_filter = NULL; 326 debug("channel %d: new [%s]", found, remote_name); 327 return c; 328 } 329 330 static int 331 channel_find_maxfd(void) 332 { 333 u_int i; 334 int max = 0; 335 Channel *c; 336 337 for (i = 0; i < channels_alloc; i++) { 338 c = channels[i]; 339 if (c != NULL) { 340 max = MAX(max, c->rfd); 341 max = MAX(max, c->wfd); 342 max = MAX(max, c->efd); 343 } 344 } 345 return max; 346 } 347 348 int 349 channel_close_fd(int *fdp) 350 { 351 int ret = 0, fd = *fdp; 352 353 if (fd != -1) { 354 ret = close(fd); 355 *fdp = -1; 356 if (fd == channel_max_fd) 357 channel_max_fd = channel_find_maxfd(); 358 } 359 return ret; 360 } 361 362 /* Close all channel fd/socket. */ 363 static void 364 channel_close_fds(Channel *c) 365 { 366 debug3("channel %d: close_fds r %d w %d e %d c %d", 367 c->self, c->rfd, c->wfd, c->efd, c->ctl_fd); 368 369 channel_close_fd(&c->sock); 370 channel_close_fd(&c->ctl_fd); 371 channel_close_fd(&c->rfd); 372 channel_close_fd(&c->wfd); 373 channel_close_fd(&c->efd); 374 } 375 376 /* Free the channel and close its fd/socket. */ 377 void 378 channel_free(Channel *c) 379 { 380 char *s; 381 u_int i, n; 382 383 for (n = 0, i = 0; i < channels_alloc; i++) 384 if (channels[i]) 385 n++; 386 debug("channel %d: free: %s, nchannels %u", c->self, 387 c->remote_name ? c->remote_name : "???", n); 388 389 s = channel_open_message(); 390 debug3("channel %d: status: %s", c->self, s); 391 xfree(s); 392 393 if (c->sock != -1) 394 shutdown(c->sock, SHUT_RDWR); 395 if (c->ctl_fd != -1) 396 shutdown(c->ctl_fd, SHUT_RDWR); 397 channel_close_fds(c); 398 buffer_free(&c->input); 399 buffer_free(&c->output); 400 buffer_free(&c->extended); 401 if (c->remote_name) { 402 xfree(c->remote_name); 403 c->remote_name = NULL; 404 } 405 channels[c->self] = NULL; 406 xfree(c); 407 } 408 409 void 410 channel_free_all(void) 411 { 412 u_int i; 413 414 for (i = 0; i < channels_alloc; i++) 415 if (channels[i] != NULL) 416 channel_free(channels[i]); 417 } 418 419 /* 420 * Closes the sockets/fds of all channels. This is used to close extra file 421 * descriptors after a fork. 422 */ 423 void 424 channel_close_all(void) 425 { 426 u_int i; 427 428 for (i = 0; i < channels_alloc; i++) 429 if (channels[i] != NULL) 430 channel_close_fds(channels[i]); 431 } 432 433 /* 434 * Stop listening to channels. 435 */ 436 void 437 channel_stop_listening(void) 438 { 439 u_int i; 440 Channel *c; 441 442 for (i = 0; i < channels_alloc; i++) { 443 c = channels[i]; 444 if (c != NULL) { 445 switch (c->type) { 446 case SSH_CHANNEL_AUTH_SOCKET: 447 case SSH_CHANNEL_PORT_LISTENER: 448 case SSH_CHANNEL_RPORT_LISTENER: 449 case SSH_CHANNEL_X11_LISTENER: 450 channel_close_fd(&c->sock); 451 channel_free(c); 452 break; 453 } 454 } 455 } 456 } 457 458 /* 459 * Returns true if no channel has too much buffered data, and false if one or 460 * more channel is overfull. 461 */ 462 int 463 channel_not_very_much_buffered_data(void) 464 { 465 u_int i; 466 Channel *c; 467 468 for (i = 0; i < channels_alloc; i++) { 469 c = channels[i]; 470 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 471 #if 0 472 if (!compat20 && 473 buffer_len(&c->input) > packet_get_maxsize()) { 474 debug2("channel %d: big input buffer %d", 475 c->self, buffer_len(&c->input)); 476 return 0; 477 } 478 #endif 479 if (buffer_len(&c->output) > packet_get_maxsize()) { 480 debug2("channel %d: big output buffer %u > %u", 481 c->self, buffer_len(&c->output), 482 packet_get_maxsize()); 483 return 0; 484 } 485 } 486 } 487 return 1; 488 } 489 490 /* Returns true if any channel is still open. */ 491 int 492 channel_still_open(void) 493 { 494 u_int i; 495 Channel *c; 496 497 for (i = 0; i < channels_alloc; i++) { 498 c = channels[i]; 499 if (c == NULL) 500 continue; 501 switch (c->type) { 502 case SSH_CHANNEL_X11_LISTENER: 503 case SSH_CHANNEL_PORT_LISTENER: 504 case SSH_CHANNEL_RPORT_LISTENER: 505 case SSH_CHANNEL_CLOSED: 506 case SSH_CHANNEL_AUTH_SOCKET: 507 case SSH_CHANNEL_DYNAMIC: 508 case SSH_CHANNEL_CONNECTING: 509 case SSH_CHANNEL_ZOMBIE: 510 continue; 511 case SSH_CHANNEL_LARVAL: 512 if (!compat20) 513 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 514 continue; 515 case SSH_CHANNEL_OPENING: 516 case SSH_CHANNEL_OPEN: 517 case SSH_CHANNEL_X11_OPEN: 518 return 1; 519 case SSH_CHANNEL_INPUT_DRAINING: 520 case SSH_CHANNEL_OUTPUT_DRAINING: 521 if (!compat13) 522 fatal("cannot happen: OUT_DRAIN"); 523 return 1; 524 default: 525 fatal("channel_still_open: bad channel type %d", c->type); 526 /* NOTREACHED */ 527 } 528 } 529 return 0; 530 } 531 532 /* Returns the id of an open channel suitable for keepaliving */ 533 int 534 channel_find_open(void) 535 { 536 u_int i; 537 Channel *c; 538 539 for (i = 0; i < channels_alloc; i++) { 540 c = channels[i]; 541 if (c == NULL || c->remote_id < 0) 542 continue; 543 switch (c->type) { 544 case SSH_CHANNEL_CLOSED: 545 case SSH_CHANNEL_DYNAMIC: 546 case SSH_CHANNEL_X11_LISTENER: 547 case SSH_CHANNEL_PORT_LISTENER: 548 case SSH_CHANNEL_RPORT_LISTENER: 549 case SSH_CHANNEL_OPENING: 550 case SSH_CHANNEL_CONNECTING: 551 case SSH_CHANNEL_ZOMBIE: 552 continue; 553 case SSH_CHANNEL_LARVAL: 554 case SSH_CHANNEL_AUTH_SOCKET: 555 case SSH_CHANNEL_OPEN: 556 case SSH_CHANNEL_X11_OPEN: 557 return i; 558 case SSH_CHANNEL_INPUT_DRAINING: 559 case SSH_CHANNEL_OUTPUT_DRAINING: 560 if (!compat13) 561 fatal("cannot happen: OUT_DRAIN"); 562 return i; 563 default: 564 fatal("channel_find_open: bad channel type %d", c->type); 565 /* NOTREACHED */ 566 } 567 } 568 return -1; 569 } 570 571 572 /* 573 * Returns a message describing the currently open forwarded connections, 574 * suitable for sending to the client. The message contains crlf pairs for 575 * newlines. 576 */ 577 char * 578 channel_open_message(void) 579 { 580 Buffer buffer; 581 Channel *c; 582 char buf[1024], *cp; 583 u_int i; 584 585 buffer_init(&buffer); 586 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 587 buffer_append(&buffer, buf, strlen(buf)); 588 for (i = 0; i < channels_alloc; i++) { 589 c = channels[i]; 590 if (c == NULL) 591 continue; 592 switch (c->type) { 593 case SSH_CHANNEL_X11_LISTENER: 594 case SSH_CHANNEL_PORT_LISTENER: 595 case SSH_CHANNEL_RPORT_LISTENER: 596 case SSH_CHANNEL_CLOSED: 597 case SSH_CHANNEL_AUTH_SOCKET: 598 case SSH_CHANNEL_ZOMBIE: 599 continue; 600 case SSH_CHANNEL_LARVAL: 601 case SSH_CHANNEL_OPENING: 602 case SSH_CHANNEL_CONNECTING: 603 case SSH_CHANNEL_DYNAMIC: 604 case SSH_CHANNEL_OPEN: 605 case SSH_CHANNEL_X11_OPEN: 606 case SSH_CHANNEL_INPUT_DRAINING: 607 case SSH_CHANNEL_OUTPUT_DRAINING: 608 snprintf(buf, sizeof buf, 609 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cfd %d)\r\n", 610 c->self, c->remote_name, 611 c->type, c->remote_id, 612 c->istate, buffer_len(&c->input), 613 c->ostate, buffer_len(&c->output), 614 c->rfd, c->wfd, c->ctl_fd); 615 buffer_append(&buffer, buf, strlen(buf)); 616 continue; 617 default: 618 fatal("channel_open_message: bad channel type %d", c->type); 619 /* NOTREACHED */ 620 } 621 } 622 buffer_append(&buffer, "\0", 1); 623 cp = xstrdup(buffer_ptr(&buffer)); 624 buffer_free(&buffer); 625 return cp; 626 } 627 628 void 629 channel_send_open(int id) 630 { 631 Channel *c = channel_lookup(id); 632 633 if (c == NULL) { 634 logit("channel_send_open: %d: bad id", id); 635 return; 636 } 637 debug2("channel %d: send open", id); 638 packet_start(SSH2_MSG_CHANNEL_OPEN); 639 packet_put_cstring(c->ctype); 640 packet_put_int(c->self); 641 packet_put_int(c->local_window); 642 packet_put_int(c->local_maxpacket); 643 packet_send(); 644 } 645 646 void 647 channel_request_start(int id, char *service, int wantconfirm) 648 { 649 Channel *c = channel_lookup(id); 650 651 if (c == NULL) { 652 logit("channel_request_start: %d: unknown channel id", id); 653 return; 654 } 655 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 656 packet_start(SSH2_MSG_CHANNEL_REQUEST); 657 packet_put_int(c->remote_id); 658 packet_put_cstring(service); 659 packet_put_char(wantconfirm); 660 } 661 662 void 663 channel_register_confirm(int id, channel_callback_fn *fn, void *ctx) 664 { 665 Channel *c = channel_lookup(id); 666 667 if (c == NULL) { 668 logit("channel_register_comfirm: %d: bad id", id); 669 return; 670 } 671 c->confirm = fn; 672 c->confirm_ctx = ctx; 673 } 674 675 void 676 channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 677 { 678 Channel *c = channel_by_id(id); 679 680 if (c == NULL) { 681 logit("channel_register_cleanup: %d: bad id", id); 682 return; 683 } 684 c->detach_user = fn; 685 c->detach_close = do_close; 686 } 687 688 void 689 channel_cancel_cleanup(int id) 690 { 691 Channel *c = channel_by_id(id); 692 693 if (c == NULL) { 694 logit("channel_cancel_cleanup: %d: bad id", id); 695 return; 696 } 697 c->detach_user = NULL; 698 c->detach_close = 0; 699 } 700 701 void 702 channel_register_filter(int id, channel_infilter_fn *ifn, 703 channel_outfilter_fn *ofn) 704 { 705 Channel *c = channel_lookup(id); 706 707 if (c == NULL) { 708 logit("channel_register_filter: %d: bad id", id); 709 return; 710 } 711 c->input_filter = ifn; 712 c->output_filter = ofn; 713 } 714 715 void 716 channel_set_fds(int id, int rfd, int wfd, int efd, 717 int extusage, int nonblock, u_int window_max) 718 { 719 Channel *c = channel_lookup(id); 720 721 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 722 fatal("channel_activate for non-larval channel %d.", id); 723 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock); 724 c->type = SSH_CHANNEL_OPEN; 725 c->local_window = c->local_window_max = window_max; 726 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 727 packet_put_int(c->remote_id); 728 packet_put_int(c->local_window); 729 packet_send(); 730 } 731 732 /* 733 * 'channel_pre*' are called just before select() to add any bits relevant to 734 * channels in the select bitmasks. 735 */ 736 /* 737 * 'channel_post*': perform any appropriate operations for channels which 738 * have events pending. 739 */ 740 typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 741 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 742 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 743 744 /* ARGSUSED */ 745 static void 746 channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 747 { 748 FD_SET(c->sock, readset); 749 } 750 751 /* ARGSUSED */ 752 static void 753 channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 754 { 755 debug3("channel %d: waiting for connection", c->self); 756 FD_SET(c->sock, writeset); 757 } 758 759 static void 760 channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 761 { 762 if (buffer_len(&c->input) < packet_get_maxsize()) 763 FD_SET(c->sock, readset); 764 if (buffer_len(&c->output) > 0) 765 FD_SET(c->sock, writeset); 766 } 767 768 static void 769 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 770 { 771 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 772 773 if (c->istate == CHAN_INPUT_OPEN && 774 limit > 0 && 775 buffer_len(&c->input) < limit && 776 buffer_check_alloc(&c->input, CHAN_RBUF)) 777 FD_SET(c->rfd, readset); 778 if (c->ostate == CHAN_OUTPUT_OPEN || 779 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 780 if (buffer_len(&c->output) > 0) { 781 FD_SET(c->wfd, writeset); 782 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 783 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 784 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 785 c->self, c->efd, buffer_len(&c->extended)); 786 else 787 chan_obuf_empty(c); 788 } 789 } 790 /** XXX check close conditions, too */ 791 if (compat20 && c->efd != -1) { 792 if (c->extended_usage == CHAN_EXTENDED_WRITE && 793 buffer_len(&c->extended) > 0) 794 FD_SET(c->efd, writeset); 795 else if (!(c->flags & CHAN_EOF_SENT) && 796 c->extended_usage == CHAN_EXTENDED_READ && 797 buffer_len(&c->extended) < c->remote_window) 798 FD_SET(c->efd, readset); 799 } 800 /* XXX: What about efd? races? */ 801 if (compat20 && c->ctl_fd != -1 && 802 c->istate == CHAN_INPUT_OPEN && c->ostate == CHAN_OUTPUT_OPEN) 803 FD_SET(c->ctl_fd, readset); 804 } 805 806 /* ARGSUSED */ 807 static void 808 channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 809 { 810 if (buffer_len(&c->input) == 0) { 811 packet_start(SSH_MSG_CHANNEL_CLOSE); 812 packet_put_int(c->remote_id); 813 packet_send(); 814 c->type = SSH_CHANNEL_CLOSED; 815 debug2("channel %d: closing after input drain.", c->self); 816 } 817 } 818 819 /* ARGSUSED */ 820 static void 821 channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 822 { 823 if (buffer_len(&c->output) == 0) 824 chan_mark_dead(c); 825 else 826 FD_SET(c->sock, writeset); 827 } 828 829 /* 830 * This is a special state for X11 authentication spoofing. An opened X11 831 * connection (when authentication spoofing is being done) remains in this 832 * state until the first packet has been completely read. The authentication 833 * data in that packet is then substituted by the real data if it matches the 834 * fake data, and the channel is put into normal mode. 835 * XXX All this happens at the client side. 836 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 837 */ 838 static int 839 x11_open_helper(Buffer *b) 840 { 841 u_char *ucp; 842 u_int proto_len, data_len; 843 844 /* Check if the fixed size part of the packet is in buffer. */ 845 if (buffer_len(b) < 12) 846 return 0; 847 848 /* Parse the lengths of variable-length fields. */ 849 ucp = buffer_ptr(b); 850 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 851 proto_len = 256 * ucp[6] + ucp[7]; 852 data_len = 256 * ucp[8] + ucp[9]; 853 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 854 proto_len = ucp[6] + 256 * ucp[7]; 855 data_len = ucp[8] + 256 * ucp[9]; 856 } else { 857 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 858 ucp[0]); 859 return -1; 860 } 861 862 /* Check if the whole packet is in buffer. */ 863 if (buffer_len(b) < 864 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 865 return 0; 866 867 /* Check if authentication protocol matches. */ 868 if (proto_len != strlen(x11_saved_proto) || 869 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 870 debug2("X11 connection uses different authentication protocol."); 871 return -1; 872 } 873 /* Check if authentication data matches our fake data. */ 874 if (data_len != x11_fake_data_len || 875 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 876 x11_fake_data, x11_fake_data_len) != 0) { 877 debug2("X11 auth data does not match fake data."); 878 return -1; 879 } 880 /* Check fake data length */ 881 if (x11_fake_data_len != x11_saved_data_len) { 882 error("X11 fake_data_len %d != saved_data_len %d", 883 x11_fake_data_len, x11_saved_data_len); 884 return -1; 885 } 886 /* 887 * Received authentication protocol and data match 888 * our fake data. Substitute the fake data with real 889 * data. 890 */ 891 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 892 x11_saved_data, x11_saved_data_len); 893 return 1; 894 } 895 896 static void 897 channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 898 { 899 int ret = x11_open_helper(&c->output); 900 901 if (ret == 1) { 902 /* Start normal processing for the channel. */ 903 c->type = SSH_CHANNEL_OPEN; 904 channel_pre_open_13(c, readset, writeset); 905 } else if (ret == -1) { 906 /* 907 * We have received an X11 connection that has bad 908 * authentication information. 909 */ 910 logit("X11 connection rejected because of wrong authentication."); 911 buffer_clear(&c->input); 912 buffer_clear(&c->output); 913 channel_close_fd(&c->sock); 914 c->sock = -1; 915 c->type = SSH_CHANNEL_CLOSED; 916 packet_start(SSH_MSG_CHANNEL_CLOSE); 917 packet_put_int(c->remote_id); 918 packet_send(); 919 } 920 } 921 922 static void 923 channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 924 { 925 int ret = x11_open_helper(&c->output); 926 927 /* c->force_drain = 1; */ 928 929 if (ret == 1) { 930 c->type = SSH_CHANNEL_OPEN; 931 channel_pre_open(c, readset, writeset); 932 } else if (ret == -1) { 933 logit("X11 connection rejected because of wrong authentication."); 934 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 935 chan_read_failed(c); 936 buffer_clear(&c->input); 937 chan_ibuf_empty(c); 938 buffer_clear(&c->output); 939 /* for proto v1, the peer will send an IEOF */ 940 if (compat20) 941 chan_write_failed(c); 942 else 943 c->type = SSH_CHANNEL_OPEN; 944 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 945 } 946 } 947 948 /* try to decode a socks4 header */ 949 /* ARGSUSED */ 950 static int 951 channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 952 { 953 char *p, *host; 954 u_int len, have, i, found; 955 char username[256]; 956 struct { 957 u_int8_t version; 958 u_int8_t command; 959 u_int16_t dest_port; 960 struct in_addr dest_addr; 961 } s4_req, s4_rsp; 962 963 debug2("channel %d: decode socks4", c->self); 964 965 have = buffer_len(&c->input); 966 len = sizeof(s4_req); 967 if (have < len) 968 return 0; 969 p = buffer_ptr(&c->input); 970 for (found = 0, i = len; i < have; i++) { 971 if (p[i] == '\0') { 972 found = 1; 973 break; 974 } 975 if (i > 1024) { 976 /* the peer is probably sending garbage */ 977 debug("channel %d: decode socks4: too long", 978 c->self); 979 return -1; 980 } 981 } 982 if (!found) 983 return 0; 984 buffer_get(&c->input, (char *)&s4_req.version, 1); 985 buffer_get(&c->input, (char *)&s4_req.command, 1); 986 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 987 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 988 have = buffer_len(&c->input); 989 p = buffer_ptr(&c->input); 990 len = strlen(p); 991 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 992 if (len > have) 993 fatal("channel %d: decode socks4: len %d > have %d", 994 c->self, len, have); 995 strlcpy(username, p, sizeof(username)); 996 buffer_consume(&c->input, len); 997 buffer_consume(&c->input, 1); /* trailing '\0' */ 998 999 host = inet_ntoa(s4_req.dest_addr); 1000 strlcpy(c->path, host, sizeof(c->path)); 1001 c->host_port = ntohs(s4_req.dest_port); 1002 1003 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1004 c->self, host, c->host_port, s4_req.command); 1005 1006 if (s4_req.command != 1) { 1007 debug("channel %d: cannot handle: socks4 cn %d", 1008 c->self, s4_req.command); 1009 return -1; 1010 } 1011 s4_rsp.version = 0; /* vn: 0 for reply */ 1012 s4_rsp.command = 90; /* cd: req granted */ 1013 s4_rsp.dest_port = 0; /* ignored */ 1014 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1015 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1016 return 1; 1017 } 1018 1019 /* try to decode a socks5 header */ 1020 #define SSH_SOCKS5_AUTHDONE 0x1000 1021 #define SSH_SOCKS5_NOAUTH 0x00 1022 #define SSH_SOCKS5_IPV4 0x01 1023 #define SSH_SOCKS5_DOMAIN 0x03 1024 #define SSH_SOCKS5_IPV6 0x04 1025 #define SSH_SOCKS5_CONNECT 0x01 1026 #define SSH_SOCKS5_SUCCESS 0x00 1027 1028 /* ARGSUSED */ 1029 static int 1030 channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1031 { 1032 struct { 1033 u_int8_t version; 1034 u_int8_t command; 1035 u_int8_t reserved; 1036 u_int8_t atyp; 1037 } s5_req, s5_rsp; 1038 u_int16_t dest_port; 1039 u_char *p, dest_addr[255+1]; 1040 u_int have, need, i, found, nmethods, addrlen, af; 1041 1042 debug2("channel %d: decode socks5", c->self); 1043 p = buffer_ptr(&c->input); 1044 if (p[0] != 0x05) 1045 return -1; 1046 have = buffer_len(&c->input); 1047 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1048 /* format: ver | nmethods | methods */ 1049 if (have < 2) 1050 return 0; 1051 nmethods = p[1]; 1052 if (have < nmethods + 2) 1053 return 0; 1054 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1055 for (found = 0, i = 2 ; i < nmethods + 2; i++) { 1056 if (p[i] == SSH_SOCKS5_NOAUTH) { 1057 found = 1; 1058 break; 1059 } 1060 } 1061 if (!found) { 1062 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1063 c->self); 1064 return -1; 1065 } 1066 buffer_consume(&c->input, nmethods + 2); 1067 buffer_put_char(&c->output, 0x05); /* version */ 1068 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1069 FD_SET(c->sock, writeset); 1070 c->flags |= SSH_SOCKS5_AUTHDONE; 1071 debug2("channel %d: socks5 auth done", c->self); 1072 return 0; /* need more */ 1073 } 1074 debug2("channel %d: socks5 post auth", c->self); 1075 if (have < sizeof(s5_req)+1) 1076 return 0; /* need more */ 1077 memcpy(&s5_req, p, sizeof(s5_req)); 1078 if (s5_req.version != 0x05 || 1079 s5_req.command != SSH_SOCKS5_CONNECT || 1080 s5_req.reserved != 0x00) { 1081 debug2("channel %d: only socks5 connect supported", c->self); 1082 return -1; 1083 } 1084 switch (s5_req.atyp){ 1085 case SSH_SOCKS5_IPV4: 1086 addrlen = 4; 1087 af = AF_INET; 1088 break; 1089 case SSH_SOCKS5_DOMAIN: 1090 addrlen = p[sizeof(s5_req)]; 1091 af = -1; 1092 break; 1093 case SSH_SOCKS5_IPV6: 1094 addrlen = 16; 1095 af = AF_INET6; 1096 break; 1097 default: 1098 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1099 return -1; 1100 } 1101 need = sizeof(s5_req) + addrlen + 2; 1102 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1103 need++; 1104 if (have < need) 1105 return 0; 1106 buffer_consume(&c->input, sizeof(s5_req)); 1107 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1108 buffer_consume(&c->input, 1); /* host string length */ 1109 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1110 buffer_get(&c->input, (char *)&dest_port, 2); 1111 dest_addr[addrlen] = '\0'; 1112 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1113 strlcpy(c->path, (char *)dest_addr, sizeof(c->path)); 1114 else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL) 1115 return -1; 1116 c->host_port = ntohs(dest_port); 1117 1118 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1119 c->self, c->path, c->host_port, s5_req.command); 1120 1121 s5_rsp.version = 0x05; 1122 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1123 s5_rsp.reserved = 0; /* ignored */ 1124 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1125 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; 1126 dest_port = 0; /* ignored */ 1127 1128 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1129 buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); 1130 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1131 return 1; 1132 } 1133 1134 /* dynamic port forwarding */ 1135 static void 1136 channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1137 { 1138 u_char *p; 1139 u_int have; 1140 int ret; 1141 1142 have = buffer_len(&c->input); 1143 c->delayed = 0; 1144 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1145 /* buffer_dump(&c->input); */ 1146 /* check if the fixed size part of the packet is in buffer. */ 1147 if (have < 3) { 1148 /* need more */ 1149 FD_SET(c->sock, readset); 1150 return; 1151 } 1152 /* try to guess the protocol */ 1153 p = buffer_ptr(&c->input); 1154 switch (p[0]) { 1155 case 0x04: 1156 ret = channel_decode_socks4(c, readset, writeset); 1157 break; 1158 case 0x05: 1159 ret = channel_decode_socks5(c, readset, writeset); 1160 break; 1161 default: 1162 ret = -1; 1163 break; 1164 } 1165 if (ret < 0) { 1166 chan_mark_dead(c); 1167 } else if (ret == 0) { 1168 debug2("channel %d: pre_dynamic: need more", c->self); 1169 /* need more */ 1170 FD_SET(c->sock, readset); 1171 } else { 1172 /* switch to the next state */ 1173 c->type = SSH_CHANNEL_OPENING; 1174 port_open_helper(c, "direct-tcpip"); 1175 } 1176 } 1177 1178 /* This is our fake X11 server socket. */ 1179 /* ARGSUSED */ 1180 static void 1181 channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1182 { 1183 Channel *nc; 1184 struct sockaddr addr; 1185 int newsock; 1186 socklen_t addrlen; 1187 char buf[16384], *remote_ipaddr; 1188 int remote_port; 1189 1190 if (FD_ISSET(c->sock, readset)) { 1191 debug("X11 connection requested."); 1192 addrlen = sizeof(addr); 1193 newsock = accept(c->sock, &addr, &addrlen); 1194 if (c->single_connection) { 1195 debug2("single_connection: closing X11 listener."); 1196 channel_close_fd(&c->sock); 1197 chan_mark_dead(c); 1198 } 1199 if (newsock < 0) { 1200 error("accept: %.100s", strerror(errno)); 1201 return; 1202 } 1203 set_nodelay(newsock); 1204 remote_ipaddr = get_peer_ipaddr(newsock); 1205 remote_port = get_peer_port(newsock); 1206 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1207 remote_ipaddr, remote_port); 1208 1209 nc = channel_new("accepted x11 socket", 1210 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1211 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1212 if (compat20) { 1213 packet_start(SSH2_MSG_CHANNEL_OPEN); 1214 packet_put_cstring("x11"); 1215 packet_put_int(nc->self); 1216 packet_put_int(nc->local_window_max); 1217 packet_put_int(nc->local_maxpacket); 1218 /* originator ipaddr and port */ 1219 packet_put_cstring(remote_ipaddr); 1220 if (datafellows & SSH_BUG_X11FWD) { 1221 debug2("ssh2 x11 bug compat mode"); 1222 } else { 1223 packet_put_int(remote_port); 1224 } 1225 packet_send(); 1226 } else { 1227 packet_start(SSH_SMSG_X11_OPEN); 1228 packet_put_int(nc->self); 1229 if (packet_get_protocol_flags() & 1230 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1231 packet_put_cstring(buf); 1232 packet_send(); 1233 } 1234 xfree(remote_ipaddr); 1235 } 1236 } 1237 1238 static void 1239 port_open_helper(Channel *c, char *rtype) 1240 { 1241 int direct; 1242 char buf[1024]; 1243 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1244 int remote_port = get_peer_port(c->sock); 1245 1246 direct = (strcmp(rtype, "direct-tcpip") == 0); 1247 1248 snprintf(buf, sizeof buf, 1249 "%s: listening port %d for %.100s port %d, " 1250 "connect from %.200s port %d", 1251 rtype, c->listening_port, c->path, c->host_port, 1252 remote_ipaddr, remote_port); 1253 1254 xfree(c->remote_name); 1255 c->remote_name = xstrdup(buf); 1256 1257 if (compat20) { 1258 packet_start(SSH2_MSG_CHANNEL_OPEN); 1259 packet_put_cstring(rtype); 1260 packet_put_int(c->self); 1261 packet_put_int(c->local_window_max); 1262 packet_put_int(c->local_maxpacket); 1263 if (direct) { 1264 /* target host, port */ 1265 packet_put_cstring(c->path); 1266 packet_put_int(c->host_port); 1267 } else { 1268 /* listen address, port */ 1269 packet_put_cstring(c->path); 1270 packet_put_int(c->listening_port); 1271 } 1272 /* originator host and port */ 1273 packet_put_cstring(remote_ipaddr); 1274 packet_put_int((u_int)remote_port); 1275 packet_send(); 1276 } else { 1277 packet_start(SSH_MSG_PORT_OPEN); 1278 packet_put_int(c->self); 1279 packet_put_cstring(c->path); 1280 packet_put_int(c->host_port); 1281 if (packet_get_protocol_flags() & 1282 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1283 packet_put_cstring(c->remote_name); 1284 packet_send(); 1285 } 1286 xfree(remote_ipaddr); 1287 } 1288 1289 static void 1290 channel_set_reuseaddr(int fd) 1291 { 1292 int on = 1; 1293 1294 /* 1295 * Set socket options. 1296 * Allow local port reuse in TIME_WAIT. 1297 */ 1298 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1299 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1300 } 1301 1302 /* 1303 * This socket is listening for connections to a forwarded TCP/IP port. 1304 */ 1305 /* ARGSUSED */ 1306 static void 1307 channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1308 { 1309 Channel *nc; 1310 struct sockaddr addr; 1311 int newsock, nextstate; 1312 socklen_t addrlen; 1313 char *rtype; 1314 1315 if (FD_ISSET(c->sock, readset)) { 1316 debug("Connection to port %d forwarding " 1317 "to %.100s port %d requested.", 1318 c->listening_port, c->path, c->host_port); 1319 1320 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1321 nextstate = SSH_CHANNEL_OPENING; 1322 rtype = "forwarded-tcpip"; 1323 } else { 1324 if (c->host_port == 0) { 1325 nextstate = SSH_CHANNEL_DYNAMIC; 1326 rtype = "dynamic-tcpip"; 1327 } else { 1328 nextstate = SSH_CHANNEL_OPENING; 1329 rtype = "direct-tcpip"; 1330 } 1331 } 1332 1333 addrlen = sizeof(addr); 1334 newsock = accept(c->sock, &addr, &addrlen); 1335 if (newsock < 0) { 1336 error("accept: %.100s", strerror(errno)); 1337 return; 1338 } 1339 set_nodelay(newsock); 1340 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1341 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1342 nc->listening_port = c->listening_port; 1343 nc->host_port = c->host_port; 1344 strlcpy(nc->path, c->path, sizeof(nc->path)); 1345 1346 if (nextstate == SSH_CHANNEL_DYNAMIC) { 1347 /* 1348 * do not call the channel_post handler until 1349 * this flag has been reset by a pre-handler. 1350 * otherwise the FD_ISSET calls might overflow 1351 */ 1352 nc->delayed = 1; 1353 } else { 1354 port_open_helper(nc, rtype); 1355 } 1356 } 1357 } 1358 1359 /* 1360 * This is the authentication agent socket listening for connections from 1361 * clients. 1362 */ 1363 /* ARGSUSED */ 1364 static void 1365 channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1366 { 1367 Channel *nc; 1368 int newsock; 1369 struct sockaddr addr; 1370 socklen_t addrlen; 1371 1372 if (FD_ISSET(c->sock, readset)) { 1373 addrlen = sizeof(addr); 1374 newsock = accept(c->sock, &addr, &addrlen); 1375 if (newsock < 0) { 1376 error("accept from auth socket: %.100s", strerror(errno)); 1377 return; 1378 } 1379 nc = channel_new("accepted auth socket", 1380 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1381 c->local_window_max, c->local_maxpacket, 1382 0, "accepted auth socket", 1); 1383 if (compat20) { 1384 packet_start(SSH2_MSG_CHANNEL_OPEN); 1385 packet_put_cstring("auth-agent@openssh.com"); 1386 packet_put_int(nc->self); 1387 packet_put_int(c->local_window_max); 1388 packet_put_int(c->local_maxpacket); 1389 } else { 1390 packet_start(SSH_SMSG_AGENT_OPEN); 1391 packet_put_int(nc->self); 1392 } 1393 packet_send(); 1394 } 1395 } 1396 1397 /* ARGSUSED */ 1398 static void 1399 channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1400 { 1401 int err = 0; 1402 socklen_t sz = sizeof(err); 1403 1404 if (FD_ISSET(c->sock, writeset)) { 1405 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1406 err = errno; 1407 error("getsockopt SO_ERROR failed"); 1408 } 1409 if (err == 0) { 1410 debug("channel %d: connected", c->self); 1411 c->type = SSH_CHANNEL_OPEN; 1412 if (compat20) { 1413 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1414 packet_put_int(c->remote_id); 1415 packet_put_int(c->self); 1416 packet_put_int(c->local_window); 1417 packet_put_int(c->local_maxpacket); 1418 } else { 1419 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1420 packet_put_int(c->remote_id); 1421 packet_put_int(c->self); 1422 } 1423 } else { 1424 debug("channel %d: not connected: %s", 1425 c->self, strerror(err)); 1426 if (compat20) { 1427 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1428 packet_put_int(c->remote_id); 1429 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1430 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1431 packet_put_cstring(strerror(err)); 1432 packet_put_cstring(""); 1433 } 1434 } else { 1435 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1436 packet_put_int(c->remote_id); 1437 } 1438 chan_mark_dead(c); 1439 } 1440 packet_send(); 1441 } 1442 } 1443 1444 /* ARGSUSED */ 1445 static int 1446 channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1447 { 1448 char buf[CHAN_RBUF]; 1449 int len; 1450 1451 if (c->rfd != -1 && 1452 FD_ISSET(c->rfd, readset)) { 1453 errno = 0; 1454 len = read(c->rfd, buf, sizeof(buf)); 1455 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1456 return 1; 1457 #ifndef PTY_ZEROREAD 1458 if (len <= 0) { 1459 #else 1460 if ((!c->isatty && len <= 0) || 1461 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1462 #endif 1463 debug2("channel %d: read<=0 rfd %d len %d", 1464 c->self, c->rfd, len); 1465 if (c->type != SSH_CHANNEL_OPEN) { 1466 debug2("channel %d: not open", c->self); 1467 chan_mark_dead(c); 1468 return -1; 1469 } else if (compat13) { 1470 buffer_clear(&c->output); 1471 c->type = SSH_CHANNEL_INPUT_DRAINING; 1472 debug2("channel %d: input draining.", c->self); 1473 } else { 1474 chan_read_failed(c); 1475 } 1476 return -1; 1477 } 1478 if (c->input_filter != NULL) { 1479 if (c->input_filter(c, buf, len) == -1) { 1480 debug2("channel %d: filter stops", c->self); 1481 chan_read_failed(c); 1482 } 1483 } else if (c->datagram) { 1484 buffer_put_string(&c->input, buf, len); 1485 } else { 1486 buffer_append(&c->input, buf, len); 1487 } 1488 } 1489 return 1; 1490 } 1491 1492 /* ARGSUSED */ 1493 static int 1494 channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1495 { 1496 struct termios tio; 1497 u_char *data = NULL, *buf; 1498 u_int dlen; 1499 int len; 1500 1501 /* Send buffered output data to the socket. */ 1502 if (c->wfd != -1 && 1503 FD_ISSET(c->wfd, writeset) && 1504 buffer_len(&c->output) > 0) { 1505 if (c->output_filter != NULL) { 1506 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1507 debug2("channel %d: filter stops", c->self); 1508 if (c->type != SSH_CHANNEL_OPEN) 1509 chan_mark_dead(c); 1510 else 1511 chan_write_failed(c); 1512 return -1; 1513 } 1514 } else if (c->datagram) { 1515 buf = data = buffer_get_string(&c->output, &dlen); 1516 } else { 1517 buf = data = buffer_ptr(&c->output); 1518 dlen = buffer_len(&c->output); 1519 } 1520 1521 if (c->datagram) { 1522 /* ignore truncated writes, datagrams might get lost */ 1523 c->local_consumed += dlen + 4; 1524 len = write(c->wfd, buf, dlen); 1525 xfree(data); 1526 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1527 return 1; 1528 if (len <= 0) { 1529 if (c->type != SSH_CHANNEL_OPEN) 1530 chan_mark_dead(c); 1531 else 1532 chan_write_failed(c); 1533 return -1; 1534 } 1535 return 1; 1536 } 1537 #ifdef _AIX 1538 /* XXX: Later AIX versions can't push as much data to tty */ 1539 if (compat20 && c->wfd_isatty) 1540 dlen = MIN(dlen, 8*1024); 1541 #endif 1542 1543 len = write(c->wfd, buf, dlen); 1544 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1545 return 1; 1546 if (len <= 0) { 1547 if (c->type != SSH_CHANNEL_OPEN) { 1548 debug2("channel %d: not open", c->self); 1549 chan_mark_dead(c); 1550 return -1; 1551 } else if (compat13) { 1552 buffer_clear(&c->output); 1553 debug2("channel %d: input draining.", c->self); 1554 c->type = SSH_CHANNEL_INPUT_DRAINING; 1555 } else { 1556 chan_write_failed(c); 1557 } 1558 return -1; 1559 } 1560 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1561 if (tcgetattr(c->wfd, &tio) == 0 && 1562 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1563 /* 1564 * Simulate echo to reduce the impact of 1565 * traffic analysis. We need to match the 1566 * size of a SSH2_MSG_CHANNEL_DATA message 1567 * (4 byte channel id + buf) 1568 */ 1569 packet_send_ignore(4 + len); 1570 packet_send(); 1571 } 1572 } 1573 buffer_consume(&c->output, len); 1574 if (compat20 && len > 0) { 1575 c->local_consumed += len; 1576 } 1577 } 1578 return 1; 1579 } 1580 1581 static int 1582 channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1583 { 1584 char buf[CHAN_RBUF]; 1585 int len; 1586 1587 /** XXX handle drain efd, too */ 1588 if (c->efd != -1) { 1589 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1590 FD_ISSET(c->efd, writeset) && 1591 buffer_len(&c->extended) > 0) { 1592 len = write(c->efd, buffer_ptr(&c->extended), 1593 buffer_len(&c->extended)); 1594 debug2("channel %d: written %d to efd %d", 1595 c->self, len, c->efd); 1596 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1597 return 1; 1598 if (len <= 0) { 1599 debug2("channel %d: closing write-efd %d", 1600 c->self, c->efd); 1601 channel_close_fd(&c->efd); 1602 } else { 1603 buffer_consume(&c->extended, len); 1604 c->local_consumed += len; 1605 } 1606 } else if (c->extended_usage == CHAN_EXTENDED_READ && 1607 FD_ISSET(c->efd, readset)) { 1608 len = read(c->efd, buf, sizeof(buf)); 1609 debug2("channel %d: read %d from efd %d", 1610 c->self, len, c->efd); 1611 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1612 return 1; 1613 if (len <= 0) { 1614 debug2("channel %d: closing read-efd %d", 1615 c->self, c->efd); 1616 channel_close_fd(&c->efd); 1617 } else { 1618 buffer_append(&c->extended, buf, len); 1619 } 1620 } 1621 } 1622 return 1; 1623 } 1624 1625 /* ARGSUSED */ 1626 static int 1627 channel_handle_ctl(Channel *c, fd_set *readset, fd_set *writeset) 1628 { 1629 char buf[16]; 1630 int len; 1631 1632 /* Monitor control fd to detect if the slave client exits */ 1633 if (c->ctl_fd != -1 && FD_ISSET(c->ctl_fd, readset)) { 1634 len = read(c->ctl_fd, buf, sizeof(buf)); 1635 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1636 return 1; 1637 if (len <= 0) { 1638 debug2("channel %d: ctl read<=0", c->self); 1639 if (c->type != SSH_CHANNEL_OPEN) { 1640 debug2("channel %d: not open", c->self); 1641 chan_mark_dead(c); 1642 return -1; 1643 } else { 1644 chan_read_failed(c); 1645 chan_write_failed(c); 1646 } 1647 return -1; 1648 } else 1649 fatal("%s: unexpected data on ctl fd", __func__); 1650 } 1651 return 1; 1652 } 1653 1654 static int 1655 channel_check_window(Channel *c) 1656 { 1657 if (c->type == SSH_CHANNEL_OPEN && 1658 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1659 c->local_window < c->local_window_max/2 && 1660 c->local_consumed > 0) { 1661 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1662 packet_put_int(c->remote_id); 1663 packet_put_int(c->local_consumed); 1664 packet_send(); 1665 debug2("channel %d: window %d sent adjust %d", 1666 c->self, c->local_window, 1667 c->local_consumed); 1668 c->local_window += c->local_consumed; 1669 c->local_consumed = 0; 1670 } 1671 return 1; 1672 } 1673 1674 static void 1675 channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1676 { 1677 if (c->delayed) 1678 return; 1679 channel_handle_rfd(c, readset, writeset); 1680 channel_handle_wfd(c, readset, writeset); 1681 if (!compat20) 1682 return; 1683 channel_handle_efd(c, readset, writeset); 1684 channel_handle_ctl(c, readset, writeset); 1685 channel_check_window(c); 1686 } 1687 1688 /* ARGSUSED */ 1689 static void 1690 channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 1691 { 1692 int len; 1693 1694 /* Send buffered output data to the socket. */ 1695 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1696 len = write(c->sock, buffer_ptr(&c->output), 1697 buffer_len(&c->output)); 1698 if (len <= 0) 1699 buffer_clear(&c->output); 1700 else 1701 buffer_consume(&c->output, len); 1702 } 1703 } 1704 1705 static void 1706 channel_handler_init_20(void) 1707 { 1708 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1709 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1710 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1711 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1712 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1713 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1714 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1715 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1716 1717 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1718 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1719 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1720 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1721 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1722 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1723 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1724 } 1725 1726 static void 1727 channel_handler_init_13(void) 1728 { 1729 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1730 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1731 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1732 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1733 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1734 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1735 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1736 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1737 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1738 1739 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1740 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1741 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1742 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1743 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 1744 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1745 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1746 } 1747 1748 static void 1749 channel_handler_init_15(void) 1750 { 1751 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1752 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1753 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1754 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1755 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1756 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1757 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1758 1759 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1760 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1761 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1762 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1763 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1764 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1765 } 1766 1767 static void 1768 channel_handler_init(void) 1769 { 1770 int i; 1771 1772 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 1773 channel_pre[i] = NULL; 1774 channel_post[i] = NULL; 1775 } 1776 if (compat20) 1777 channel_handler_init_20(); 1778 else if (compat13) 1779 channel_handler_init_13(); 1780 else 1781 channel_handler_init_15(); 1782 } 1783 1784 /* gc dead channels */ 1785 static void 1786 channel_garbage_collect(Channel *c) 1787 { 1788 if (c == NULL) 1789 return; 1790 if (c->detach_user != NULL) { 1791 if (!chan_is_dead(c, c->detach_close)) 1792 return; 1793 debug2("channel %d: gc: notify user", c->self); 1794 c->detach_user(c->self, NULL); 1795 /* if we still have a callback */ 1796 if (c->detach_user != NULL) 1797 return; 1798 debug2("channel %d: gc: user detached", c->self); 1799 } 1800 if (!chan_is_dead(c, 1)) 1801 return; 1802 debug2("channel %d: garbage collecting", c->self); 1803 channel_free(c); 1804 } 1805 1806 static void 1807 channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) 1808 { 1809 static int did_init = 0; 1810 u_int i; 1811 Channel *c; 1812 1813 if (!did_init) { 1814 channel_handler_init(); 1815 did_init = 1; 1816 } 1817 for (i = 0; i < channels_alloc; i++) { 1818 c = channels[i]; 1819 if (c == NULL) 1820 continue; 1821 if (ftab[c->type] != NULL) 1822 (*ftab[c->type])(c, readset, writeset); 1823 channel_garbage_collect(c); 1824 } 1825 } 1826 1827 /* 1828 * Allocate/update select bitmasks and add any bits relevant to channels in 1829 * select bitmasks. 1830 */ 1831 void 1832 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 1833 u_int *nallocp, int rekeying) 1834 { 1835 u_int n, sz, nfdset; 1836 1837 n = MAX(*maxfdp, channel_max_fd); 1838 1839 nfdset = howmany(n+1, NFDBITS); 1840 /* Explicitly test here, because xrealloc isn't always called */ 1841 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) 1842 fatal("channel_prepare_select: max_fd (%d) is too large", n); 1843 sz = nfdset * sizeof(fd_mask); 1844 1845 /* perhaps check sz < nalloc/2 and shrink? */ 1846 if (*readsetp == NULL || sz > *nallocp) { 1847 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); 1848 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); 1849 *nallocp = sz; 1850 } 1851 *maxfdp = n; 1852 memset(*readsetp, 0, sz); 1853 memset(*writesetp, 0, sz); 1854 1855 if (!rekeying) 1856 channel_handler(channel_pre, *readsetp, *writesetp); 1857 } 1858 1859 /* 1860 * After select, perform any appropriate operations for channels which have 1861 * events pending. 1862 */ 1863 void 1864 channel_after_select(fd_set *readset, fd_set *writeset) 1865 { 1866 channel_handler(channel_post, readset, writeset); 1867 } 1868 1869 1870 /* If there is data to send to the connection, enqueue some of it now. */ 1871 void 1872 channel_output_poll(void) 1873 { 1874 Channel *c; 1875 u_int i, len; 1876 1877 for (i = 0; i < channels_alloc; i++) { 1878 c = channels[i]; 1879 if (c == NULL) 1880 continue; 1881 1882 /* 1883 * We are only interested in channels that can have buffered 1884 * incoming data. 1885 */ 1886 if (compat13) { 1887 if (c->type != SSH_CHANNEL_OPEN && 1888 c->type != SSH_CHANNEL_INPUT_DRAINING) 1889 continue; 1890 } else { 1891 if (c->type != SSH_CHANNEL_OPEN) 1892 continue; 1893 } 1894 if (compat20 && 1895 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 1896 /* XXX is this true? */ 1897 debug3("channel %d: will not send data after close", c->self); 1898 continue; 1899 } 1900 1901 /* Get the amount of buffered data for this channel. */ 1902 if ((c->istate == CHAN_INPUT_OPEN || 1903 c->istate == CHAN_INPUT_WAIT_DRAIN) && 1904 (len = buffer_len(&c->input)) > 0) { 1905 if (c->datagram) { 1906 if (len > 0) { 1907 u_char *data; 1908 u_int dlen; 1909 1910 data = buffer_get_string(&c->input, 1911 &dlen); 1912 packet_start(SSH2_MSG_CHANNEL_DATA); 1913 packet_put_int(c->remote_id); 1914 packet_put_string(data, dlen); 1915 packet_send(); 1916 c->remote_window -= dlen + 4; 1917 xfree(data); 1918 } 1919 continue; 1920 } 1921 /* 1922 * Send some data for the other side over the secure 1923 * connection. 1924 */ 1925 if (compat20) { 1926 if (len > c->remote_window) 1927 len = c->remote_window; 1928 if (len > c->remote_maxpacket) 1929 len = c->remote_maxpacket; 1930 } else { 1931 if (packet_is_interactive()) { 1932 if (len > 1024) 1933 len = 512; 1934 } else { 1935 /* Keep the packets at reasonable size. */ 1936 if (len > packet_get_maxsize()/2) 1937 len = packet_get_maxsize()/2; 1938 } 1939 } 1940 if (len > 0) { 1941 packet_start(compat20 ? 1942 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 1943 packet_put_int(c->remote_id); 1944 packet_put_string(buffer_ptr(&c->input), len); 1945 packet_send(); 1946 buffer_consume(&c->input, len); 1947 c->remote_window -= len; 1948 } 1949 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1950 if (compat13) 1951 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 1952 /* 1953 * input-buffer is empty and read-socket shutdown: 1954 * tell peer, that we will not send more data: send IEOF. 1955 * hack for extended data: delay EOF if EFD still in use. 1956 */ 1957 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 1958 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 1959 c->self, c->efd, buffer_len(&c->extended)); 1960 else 1961 chan_ibuf_empty(c); 1962 } 1963 /* Send extended data, i.e. stderr */ 1964 if (compat20 && 1965 !(c->flags & CHAN_EOF_SENT) && 1966 c->remote_window > 0 && 1967 (len = buffer_len(&c->extended)) > 0 && 1968 c->extended_usage == CHAN_EXTENDED_READ) { 1969 debug2("channel %d: rwin %u elen %u euse %d", 1970 c->self, c->remote_window, buffer_len(&c->extended), 1971 c->extended_usage); 1972 if (len > c->remote_window) 1973 len = c->remote_window; 1974 if (len > c->remote_maxpacket) 1975 len = c->remote_maxpacket; 1976 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 1977 packet_put_int(c->remote_id); 1978 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 1979 packet_put_string(buffer_ptr(&c->extended), len); 1980 packet_send(); 1981 buffer_consume(&c->extended, len); 1982 c->remote_window -= len; 1983 debug2("channel %d: sent ext data %d", c->self, len); 1984 } 1985 } 1986 } 1987 1988 1989 /* -- protocol input */ 1990 1991 /* ARGSUSED */ 1992 void 1993 channel_input_data(int type, u_int32_t seq, void *ctxt) 1994 { 1995 int id; 1996 char *data; 1997 u_int data_len; 1998 Channel *c; 1999 2000 /* Get the channel number and verify it. */ 2001 id = packet_get_int(); 2002 c = channel_lookup(id); 2003 if (c == NULL) 2004 packet_disconnect("Received data for nonexistent channel %d.", id); 2005 2006 /* Ignore any data for non-open channels (might happen on close) */ 2007 if (c->type != SSH_CHANNEL_OPEN && 2008 c->type != SSH_CHANNEL_X11_OPEN) 2009 return; 2010 2011 /* Get the data. */ 2012 data = packet_get_string(&data_len); 2013 2014 /* 2015 * Ignore data for protocol > 1.3 if output end is no longer open. 2016 * For protocol 2 the sending side is reducing its window as it sends 2017 * data, so we must 'fake' consumption of the data in order to ensure 2018 * that window updates are sent back. Otherwise the connection might 2019 * deadlock. 2020 */ 2021 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2022 if (compat20) { 2023 c->local_window -= data_len; 2024 c->local_consumed += data_len; 2025 } 2026 xfree(data); 2027 return; 2028 } 2029 2030 if (compat20) { 2031 if (data_len > c->local_maxpacket) { 2032 logit("channel %d: rcvd big packet %d, maxpack %d", 2033 c->self, data_len, c->local_maxpacket); 2034 } 2035 if (data_len > c->local_window) { 2036 logit("channel %d: rcvd too much data %d, win %d", 2037 c->self, data_len, c->local_window); 2038 xfree(data); 2039 return; 2040 } 2041 c->local_window -= data_len; 2042 } 2043 packet_check_eom(); 2044 if (c->datagram) 2045 buffer_put_string(&c->output, data, data_len); 2046 else 2047 buffer_append(&c->output, data, data_len); 2048 xfree(data); 2049 } 2050 2051 /* ARGSUSED */ 2052 void 2053 channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2054 { 2055 int id; 2056 char *data; 2057 u_int data_len, tcode; 2058 Channel *c; 2059 2060 /* Get the channel number and verify it. */ 2061 id = packet_get_int(); 2062 c = channel_lookup(id); 2063 2064 if (c == NULL) 2065 packet_disconnect("Received extended_data for bad channel %d.", id); 2066 if (c->type != SSH_CHANNEL_OPEN) { 2067 logit("channel %d: ext data for non open", id); 2068 return; 2069 } 2070 if (c->flags & CHAN_EOF_RCVD) { 2071 if (datafellows & SSH_BUG_EXTEOF) 2072 debug("channel %d: accepting ext data after eof", id); 2073 else 2074 packet_disconnect("Received extended_data after EOF " 2075 "on channel %d.", id); 2076 } 2077 tcode = packet_get_int(); 2078 if (c->efd == -1 || 2079 c->extended_usage != CHAN_EXTENDED_WRITE || 2080 tcode != SSH2_EXTENDED_DATA_STDERR) { 2081 logit("channel %d: bad ext data", c->self); 2082 return; 2083 } 2084 data = packet_get_string(&data_len); 2085 packet_check_eom(); 2086 if (data_len > c->local_window) { 2087 logit("channel %d: rcvd too much extended_data %d, win %d", 2088 c->self, data_len, c->local_window); 2089 xfree(data); 2090 return; 2091 } 2092 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2093 c->local_window -= data_len; 2094 buffer_append(&c->extended, data, data_len); 2095 xfree(data); 2096 } 2097 2098 /* ARGSUSED */ 2099 void 2100 channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2101 { 2102 int id; 2103 Channel *c; 2104 2105 id = packet_get_int(); 2106 packet_check_eom(); 2107 c = channel_lookup(id); 2108 if (c == NULL) 2109 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2110 chan_rcvd_ieof(c); 2111 2112 /* XXX force input close */ 2113 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2114 debug("channel %d: FORCE input drain", c->self); 2115 c->istate = CHAN_INPUT_WAIT_DRAIN; 2116 if (buffer_len(&c->input) == 0) 2117 chan_ibuf_empty(c); 2118 } 2119 2120 } 2121 2122 /* ARGSUSED */ 2123 void 2124 channel_input_close(int type, u_int32_t seq, void *ctxt) 2125 { 2126 int id; 2127 Channel *c; 2128 2129 id = packet_get_int(); 2130 packet_check_eom(); 2131 c = channel_lookup(id); 2132 if (c == NULL) 2133 packet_disconnect("Received close for nonexistent channel %d.", id); 2134 2135 /* 2136 * Send a confirmation that we have closed the channel and no more 2137 * data is coming for it. 2138 */ 2139 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2140 packet_put_int(c->remote_id); 2141 packet_send(); 2142 2143 /* 2144 * If the channel is in closed state, we have sent a close request, 2145 * and the other side will eventually respond with a confirmation. 2146 * Thus, we cannot free the channel here, because then there would be 2147 * no-one to receive the confirmation. The channel gets freed when 2148 * the confirmation arrives. 2149 */ 2150 if (c->type != SSH_CHANNEL_CLOSED) { 2151 /* 2152 * Not a closed channel - mark it as draining, which will 2153 * cause it to be freed later. 2154 */ 2155 buffer_clear(&c->input); 2156 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2157 } 2158 } 2159 2160 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2161 /* ARGSUSED */ 2162 void 2163 channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2164 { 2165 int id = packet_get_int(); 2166 Channel *c = channel_lookup(id); 2167 2168 packet_check_eom(); 2169 if (c == NULL) 2170 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2171 chan_rcvd_oclose(c); 2172 } 2173 2174 /* ARGSUSED */ 2175 void 2176 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2177 { 2178 int id = packet_get_int(); 2179 Channel *c = channel_lookup(id); 2180 2181 packet_check_eom(); 2182 if (c == NULL) 2183 packet_disconnect("Received close confirmation for " 2184 "out-of-range channel %d.", id); 2185 if (c->type != SSH_CHANNEL_CLOSED) 2186 packet_disconnect("Received close confirmation for " 2187 "non-closed channel %d (type %d).", id, c->type); 2188 channel_free(c); 2189 } 2190 2191 /* ARGSUSED */ 2192 void 2193 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2194 { 2195 int id, remote_id; 2196 Channel *c; 2197 2198 id = packet_get_int(); 2199 c = channel_lookup(id); 2200 2201 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2202 packet_disconnect("Received open confirmation for " 2203 "non-opening channel %d.", id); 2204 remote_id = packet_get_int(); 2205 /* Record the remote channel number and mark that the channel is now open. */ 2206 c->remote_id = remote_id; 2207 c->type = SSH_CHANNEL_OPEN; 2208 2209 if (compat20) { 2210 c->remote_window = packet_get_int(); 2211 c->remote_maxpacket = packet_get_int(); 2212 if (c->confirm) { 2213 debug2("callback start"); 2214 c->confirm(c->self, c->confirm_ctx); 2215 debug2("callback done"); 2216 } 2217 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2218 c->remote_window, c->remote_maxpacket); 2219 } 2220 packet_check_eom(); 2221 } 2222 2223 static char * 2224 reason2txt(int reason) 2225 { 2226 switch (reason) { 2227 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2228 return "administratively prohibited"; 2229 case SSH2_OPEN_CONNECT_FAILED: 2230 return "connect failed"; 2231 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2232 return "unknown channel type"; 2233 case SSH2_OPEN_RESOURCE_SHORTAGE: 2234 return "resource shortage"; 2235 } 2236 return "unknown reason"; 2237 } 2238 2239 /* ARGSUSED */ 2240 void 2241 channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2242 { 2243 int id, reason; 2244 char *msg = NULL, *lang = NULL; 2245 Channel *c; 2246 2247 id = packet_get_int(); 2248 c = channel_lookup(id); 2249 2250 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2251 packet_disconnect("Received open failure for " 2252 "non-opening channel %d.", id); 2253 if (compat20) { 2254 reason = packet_get_int(); 2255 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2256 msg = packet_get_string(NULL); 2257 lang = packet_get_string(NULL); 2258 } 2259 logit("channel %d: open failed: %s%s%s", id, 2260 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2261 if (msg != NULL) 2262 xfree(msg); 2263 if (lang != NULL) 2264 xfree(lang); 2265 } 2266 packet_check_eom(); 2267 /* Free the channel. This will also close the socket. */ 2268 channel_free(c); 2269 } 2270 2271 /* ARGSUSED */ 2272 void 2273 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2274 { 2275 Channel *c; 2276 int id; 2277 u_int adjust; 2278 2279 if (!compat20) 2280 return; 2281 2282 /* Get the channel number and verify it. */ 2283 id = packet_get_int(); 2284 c = channel_lookup(id); 2285 2286 if (c == NULL) { 2287 logit("Received window adjust for non-open channel %d.", id); 2288 return; 2289 } 2290 adjust = packet_get_int(); 2291 packet_check_eom(); 2292 debug2("channel %d: rcvd adjust %u", id, adjust); 2293 c->remote_window += adjust; 2294 } 2295 2296 /* ARGSUSED */ 2297 void 2298 channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2299 { 2300 Channel *c = NULL; 2301 u_short host_port; 2302 char *host, *originator_string; 2303 int remote_id, sock = -1; 2304 2305 remote_id = packet_get_int(); 2306 host = packet_get_string(NULL); 2307 host_port = packet_get_int(); 2308 2309 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2310 originator_string = packet_get_string(NULL); 2311 } else { 2312 originator_string = xstrdup("unknown (remote did not supply name)"); 2313 } 2314 packet_check_eom(); 2315 sock = channel_connect_to(host, host_port); 2316 if (sock != -1) { 2317 c = channel_new("connected socket", 2318 SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0, 2319 originator_string, 1); 2320 c->remote_id = remote_id; 2321 } 2322 xfree(originator_string); 2323 if (c == NULL) { 2324 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2325 packet_put_int(remote_id); 2326 packet_send(); 2327 } 2328 xfree(host); 2329 } 2330 2331 2332 /* -- tcp forwarding */ 2333 2334 void 2335 channel_set_af(int af) 2336 { 2337 IPv4or6 = af; 2338 } 2339 2340 static int 2341 channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_port, 2342 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2343 { 2344 Channel *c; 2345 int sock, r, success = 0, wildcard = 0, is_client; 2346 struct addrinfo hints, *ai, *aitop; 2347 const char *host, *addr; 2348 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2349 2350 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2351 listen_addr : host_to_connect; 2352 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2353 2354 if (host == NULL) { 2355 error("No forward host name."); 2356 return 0; 2357 } 2358 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) { 2359 error("Forward host name too long."); 2360 return 0; 2361 } 2362 2363 /* 2364 * Determine whether or not a port forward listens to loopback, 2365 * specified address or wildcard. On the client, a specified bind 2366 * address will always override gateway_ports. On the server, a 2367 * gateway_ports of 1 (``yes'') will override the client's 2368 * specification and force a wildcard bind, whereas a value of 2 2369 * (``clientspecified'') will bind to whatever address the client 2370 * asked for. 2371 * 2372 * Special-case listen_addrs are: 2373 * 2374 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2375 * "" (empty string), "*" -> wildcard v4/v6 2376 * "localhost" -> loopback v4/v6 2377 */ 2378 addr = NULL; 2379 if (listen_addr == NULL) { 2380 /* No address specified: default to gateway_ports setting */ 2381 if (gateway_ports) 2382 wildcard = 1; 2383 } else if (gateway_ports || is_client) { 2384 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2385 strcmp(listen_addr, "0.0.0.0") == 0) || 2386 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2387 (!is_client && gateway_ports == 1)) 2388 wildcard = 1; 2389 else if (strcmp(listen_addr, "localhost") != 0) 2390 addr = listen_addr; 2391 } 2392 2393 debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s", 2394 type, wildcard, (addr == NULL) ? "NULL" : addr); 2395 2396 /* 2397 * getaddrinfo returns a loopback address if the hostname is 2398 * set to NULL and hints.ai_flags is not AI_PASSIVE 2399 */ 2400 memset(&hints, 0, sizeof(hints)); 2401 hints.ai_family = IPv4or6; 2402 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2403 hints.ai_socktype = SOCK_STREAM; 2404 snprintf(strport, sizeof strport, "%d", listen_port); 2405 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2406 if (addr == NULL) { 2407 /* This really shouldn't happen */ 2408 packet_disconnect("getaddrinfo: fatal error: %s", 2409 gai_strerror(r)); 2410 } else { 2411 error("channel_setup_fwd_listener: " 2412 "getaddrinfo(%.64s): %s", addr, gai_strerror(r)); 2413 } 2414 return 0; 2415 } 2416 2417 for (ai = aitop; ai; ai = ai->ai_next) { 2418 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2419 continue; 2420 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2421 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2422 error("channel_setup_fwd_listener: getnameinfo failed"); 2423 continue; 2424 } 2425 /* Create a port to listen for the host. */ 2426 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2427 if (sock < 0) { 2428 /* this is no error since kernel may not support ipv6 */ 2429 verbose("socket: %.100s", strerror(errno)); 2430 continue; 2431 } 2432 2433 channel_set_reuseaddr(sock); 2434 2435 debug("Local forwarding listening on %s port %s.", ntop, strport); 2436 2437 /* Bind the socket to the address. */ 2438 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2439 /* address can be in use ipv6 address is already bound */ 2440 if (!ai->ai_next) 2441 error("bind: %.100s", strerror(errno)); 2442 else 2443 verbose("bind: %.100s", strerror(errno)); 2444 2445 close(sock); 2446 continue; 2447 } 2448 /* Start listening for connections on the socket. */ 2449 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2450 error("listen: %.100s", strerror(errno)); 2451 close(sock); 2452 continue; 2453 } 2454 /* Allocate a channel number for the socket. */ 2455 c = channel_new("port listener", type, sock, sock, -1, 2456 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2457 0, "port listener", 1); 2458 strlcpy(c->path, host, sizeof(c->path)); 2459 c->host_port = port_to_connect; 2460 c->listening_port = listen_port; 2461 success = 1; 2462 } 2463 if (success == 0) 2464 error("channel_setup_fwd_listener: cannot listen to port: %d", 2465 listen_port); 2466 freeaddrinfo(aitop); 2467 return success; 2468 } 2469 2470 int 2471 channel_cancel_rport_listener(const char *host, u_short port) 2472 { 2473 u_int i; 2474 int found = 0; 2475 2476 for (i = 0; i < channels_alloc; i++) { 2477 Channel *c = channels[i]; 2478 2479 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER && 2480 strncmp(c->path, host, sizeof(c->path)) == 0 && 2481 c->listening_port == port) { 2482 debug2("%s: close channel %d", __func__, i); 2483 channel_free(c); 2484 found = 1; 2485 } 2486 } 2487 2488 return (found); 2489 } 2490 2491 /* protocol local port fwd, used by ssh (and sshd in v1) */ 2492 int 2493 channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, 2494 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2495 { 2496 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2497 listen_host, listen_port, host_to_connect, port_to_connect, 2498 gateway_ports); 2499 } 2500 2501 /* protocol v2 remote port fwd, used by sshd */ 2502 int 2503 channel_setup_remote_fwd_listener(const char *listen_address, 2504 u_short listen_port, int gateway_ports) 2505 { 2506 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2507 listen_address, listen_port, NULL, 0, gateway_ports); 2508 } 2509 2510 /* 2511 * Initiate forwarding of connections to port "port" on remote host through 2512 * the secure channel to host:port from local side. 2513 */ 2514 2515 int 2516 channel_request_remote_forwarding(const char *listen_host, u_short listen_port, 2517 const char *host_to_connect, u_short port_to_connect) 2518 { 2519 int type, success = 0; 2520 2521 /* Record locally that connection to this host/port is permitted. */ 2522 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2523 fatal("channel_request_remote_forwarding: too many forwards"); 2524 2525 /* Send the forward request to the remote side. */ 2526 if (compat20) { 2527 const char *address_to_bind; 2528 if (listen_host == NULL) 2529 address_to_bind = "localhost"; 2530 else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) 2531 address_to_bind = ""; 2532 else 2533 address_to_bind = listen_host; 2534 2535 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2536 packet_put_cstring("tcpip-forward"); 2537 packet_put_char(1); /* boolean: want reply */ 2538 packet_put_cstring(address_to_bind); 2539 packet_put_int(listen_port); 2540 packet_send(); 2541 packet_write_wait(); 2542 /* Assume that server accepts the request */ 2543 success = 1; 2544 } else { 2545 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2546 packet_put_int(listen_port); 2547 packet_put_cstring(host_to_connect); 2548 packet_put_int(port_to_connect); 2549 packet_send(); 2550 packet_write_wait(); 2551 2552 /* Wait for response from the remote side. */ 2553 type = packet_read(); 2554 switch (type) { 2555 case SSH_SMSG_SUCCESS: 2556 success = 1; 2557 break; 2558 case SSH_SMSG_FAILURE: 2559 break; 2560 default: 2561 /* Unknown packet */ 2562 packet_disconnect("Protocol error for port forward request:" 2563 "received packet type %d.", type); 2564 } 2565 } 2566 if (success) { 2567 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2568 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2569 permitted_opens[num_permitted_opens].listen_port = listen_port; 2570 num_permitted_opens++; 2571 } 2572 return (success ? 0 : -1); 2573 } 2574 2575 /* 2576 * Request cancellation of remote forwarding of connection host:port from 2577 * local side. 2578 */ 2579 void 2580 channel_request_rforward_cancel(const char *host, u_short port) 2581 { 2582 int i; 2583 2584 if (!compat20) 2585 return; 2586 2587 for (i = 0; i < num_permitted_opens; i++) { 2588 if (permitted_opens[i].host_to_connect != NULL && 2589 permitted_opens[i].listen_port == port) 2590 break; 2591 } 2592 if (i >= num_permitted_opens) { 2593 debug("%s: requested forward not found", __func__); 2594 return; 2595 } 2596 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2597 packet_put_cstring("cancel-tcpip-forward"); 2598 packet_put_char(0); 2599 packet_put_cstring(host == NULL ? "" : host); 2600 packet_put_int(port); 2601 packet_send(); 2602 2603 permitted_opens[i].listen_port = 0; 2604 permitted_opens[i].port_to_connect = 0; 2605 xfree(permitted_opens[i].host_to_connect); 2606 permitted_opens[i].host_to_connect = NULL; 2607 } 2608 2609 /* 2610 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2611 * listening for the port, and sends back a success reply (or disconnect 2612 * message if there was an error). 2613 */ 2614 int 2615 channel_input_port_forward_request(int is_root, int gateway_ports) 2616 { 2617 u_short port, host_port; 2618 int success = 0; 2619 char *hostname; 2620 2621 /* Get arguments from the packet. */ 2622 port = packet_get_int(); 2623 hostname = packet_get_string(NULL); 2624 host_port = packet_get_int(); 2625 2626 #ifndef HAVE_CYGWIN 2627 /* 2628 * Check that an unprivileged user is not trying to forward a 2629 * privileged port. 2630 */ 2631 if (port < IPPORT_RESERVED && !is_root) 2632 packet_disconnect( 2633 "Requested forwarding of port %d but user is not root.", 2634 port); 2635 if (host_port == 0) 2636 packet_disconnect("Dynamic forwarding denied."); 2637 #endif 2638 2639 /* Initiate forwarding */ 2640 success = channel_setup_local_fwd_listener(NULL, port, hostname, 2641 host_port, gateway_ports); 2642 2643 /* Free the argument string. */ 2644 xfree(hostname); 2645 2646 return (success ? 0 : -1); 2647 } 2648 2649 /* 2650 * Permits opening to any host/port if permitted_opens[] is empty. This is 2651 * usually called by the server, because the user could connect to any port 2652 * anyway, and the server has no way to know but to trust the client anyway. 2653 */ 2654 void 2655 channel_permit_all_opens(void) 2656 { 2657 if (num_permitted_opens == 0) 2658 all_opens_permitted = 1; 2659 } 2660 2661 void 2662 channel_add_permitted_opens(char *host, int port) 2663 { 2664 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2665 fatal("channel_add_permitted_opens: too many forwards"); 2666 debug("allow port forwarding to host %s port %d", host, port); 2667 2668 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 2669 permitted_opens[num_permitted_opens].port_to_connect = port; 2670 num_permitted_opens++; 2671 2672 all_opens_permitted = 0; 2673 } 2674 2675 int 2676 channel_add_adm_permitted_opens(char *host, int port) 2677 { 2678 if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2679 fatal("channel_add_adm_permitted_opens: too many forwards"); 2680 debug("config allows port forwarding to host %s port %d", host, port); 2681 2682 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 2683 = xstrdup(host); 2684 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 2685 return ++num_adm_permitted_opens; 2686 } 2687 2688 void 2689 channel_clear_permitted_opens(void) 2690 { 2691 int i; 2692 2693 for (i = 0; i < num_permitted_opens; i++) 2694 if (permitted_opens[i].host_to_connect != NULL) 2695 xfree(permitted_opens[i].host_to_connect); 2696 num_permitted_opens = 0; 2697 } 2698 2699 void 2700 channel_clear_adm_permitted_opens(void) 2701 { 2702 int i; 2703 2704 for (i = 0; i < num_adm_permitted_opens; i++) 2705 if (permitted_adm_opens[i].host_to_connect != NULL) 2706 xfree(permitted_adm_opens[i].host_to_connect); 2707 num_adm_permitted_opens = 0; 2708 } 2709 2710 /* return socket to remote host, port */ 2711 static int 2712 connect_to(const char *host, u_short port) 2713 { 2714 struct addrinfo hints, *ai, *aitop; 2715 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2716 int gaierr; 2717 int sock = -1; 2718 2719 memset(&hints, 0, sizeof(hints)); 2720 hints.ai_family = IPv4or6; 2721 hints.ai_socktype = SOCK_STREAM; 2722 snprintf(strport, sizeof strport, "%d", port); 2723 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { 2724 error("connect_to %.100s: unknown host (%s)", host, 2725 gai_strerror(gaierr)); 2726 return -1; 2727 } 2728 for (ai = aitop; ai; ai = ai->ai_next) { 2729 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2730 continue; 2731 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2732 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2733 error("connect_to: getnameinfo failed"); 2734 continue; 2735 } 2736 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2737 if (sock < 0) { 2738 if (ai->ai_next == NULL) 2739 error("socket: %.100s", strerror(errno)); 2740 else 2741 verbose("socket: %.100s", strerror(errno)); 2742 continue; 2743 } 2744 if (set_nonblock(sock) == -1) 2745 fatal("%s: set_nonblock(%d)", __func__, sock); 2746 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 && 2747 errno != EINPROGRESS) { 2748 error("connect_to %.100s port %s: %.100s", ntop, strport, 2749 strerror(errno)); 2750 close(sock); 2751 continue; /* fail -- try next */ 2752 } 2753 break; /* success */ 2754 2755 } 2756 freeaddrinfo(aitop); 2757 if (!ai) { 2758 error("connect_to %.100s port %d: failed.", host, port); 2759 return -1; 2760 } 2761 /* success */ 2762 set_nodelay(sock); 2763 return sock; 2764 } 2765 2766 int 2767 channel_connect_by_listen_address(u_short listen_port) 2768 { 2769 int i; 2770 2771 for (i = 0; i < num_permitted_opens; i++) 2772 if (permitted_opens[i].host_to_connect != NULL && 2773 permitted_opens[i].listen_port == listen_port) 2774 return connect_to( 2775 permitted_opens[i].host_to_connect, 2776 permitted_opens[i].port_to_connect); 2777 error("WARNING: Server requests forwarding for unknown listen_port %d", 2778 listen_port); 2779 return -1; 2780 } 2781 2782 /* Check if connecting to that port is permitted and connect. */ 2783 int 2784 channel_connect_to(const char *host, u_short port) 2785 { 2786 int i, permit, permit_adm = 1; 2787 2788 permit = all_opens_permitted; 2789 if (!permit) { 2790 for (i = 0; i < num_permitted_opens; i++) 2791 if (permitted_opens[i].host_to_connect != NULL && 2792 permitted_opens[i].port_to_connect == port && 2793 strcmp(permitted_opens[i].host_to_connect, host) == 0) 2794 permit = 1; 2795 } 2796 2797 if (num_adm_permitted_opens > 0) { 2798 permit_adm = 0; 2799 for (i = 0; i < num_adm_permitted_opens; i++) 2800 if (permitted_adm_opens[i].host_to_connect != NULL && 2801 permitted_adm_opens[i].port_to_connect == port && 2802 strcmp(permitted_adm_opens[i].host_to_connect, host) 2803 == 0) 2804 permit_adm = 1; 2805 } 2806 2807 if (!permit || !permit_adm) { 2808 logit("Received request to connect to host %.100s port %d, " 2809 "but the request was denied.", host, port); 2810 return -1; 2811 } 2812 return connect_to(host, port); 2813 } 2814 2815 void 2816 channel_send_window_changes(void) 2817 { 2818 u_int i; 2819 struct winsize ws; 2820 2821 for (i = 0; i < channels_alloc; i++) { 2822 if (channels[i] == NULL || !channels[i]->client_tty || 2823 channels[i]->type != SSH_CHANNEL_OPEN) 2824 continue; 2825 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 2826 continue; 2827 channel_request_start(i, "window-change", 0); 2828 packet_put_int((u_int)ws.ws_col); 2829 packet_put_int((u_int)ws.ws_row); 2830 packet_put_int((u_int)ws.ws_xpixel); 2831 packet_put_int((u_int)ws.ws_ypixel); 2832 packet_send(); 2833 } 2834 } 2835 2836 /* -- X11 forwarding */ 2837 2838 /* 2839 * Creates an internet domain socket for listening for X11 connections. 2840 * Returns 0 and a suitable display number for the DISPLAY variable 2841 * stored in display_numberp , or -1 if an error occurs. 2842 */ 2843 int 2844 x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 2845 int single_connection, u_int *display_numberp, int **chanids) 2846 { 2847 Channel *nc = NULL; 2848 int display_number, sock; 2849 u_short port; 2850 struct addrinfo hints, *ai, *aitop; 2851 char strport[NI_MAXSERV]; 2852 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 2853 2854 if (chanids == NULL) 2855 return -1; 2856 2857 for (display_number = x11_display_offset; 2858 display_number < MAX_DISPLAYS; 2859 display_number++) { 2860 port = 6000 + display_number; 2861 memset(&hints, 0, sizeof(hints)); 2862 hints.ai_family = IPv4or6; 2863 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 2864 hints.ai_socktype = SOCK_STREAM; 2865 snprintf(strport, sizeof strport, "%d", port); 2866 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 2867 error("getaddrinfo: %.100s", gai_strerror(gaierr)); 2868 return -1; 2869 } 2870 for (ai = aitop; ai; ai = ai->ai_next) { 2871 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2872 continue; 2873 sock = socket(ai->ai_family, ai->ai_socktype, 2874 ai->ai_protocol); 2875 if (sock < 0) { 2876 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { 2877 error("socket: %.100s", strerror(errno)); 2878 freeaddrinfo(aitop); 2879 return -1; 2880 } else { 2881 debug("x11_create_display_inet: Socket family %d not supported", 2882 ai->ai_family); 2883 continue; 2884 } 2885 } 2886 #ifdef IPV6_V6ONLY 2887 if (ai->ai_family == AF_INET6) { 2888 int on = 1; 2889 if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) 2890 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); 2891 } 2892 #endif 2893 channel_set_reuseaddr(sock); 2894 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2895 debug2("bind port %d: %.100s", port, strerror(errno)); 2896 close(sock); 2897 2898 if (ai->ai_next) 2899 continue; 2900 2901 for (n = 0; n < num_socks; n++) { 2902 close(socks[n]); 2903 } 2904 num_socks = 0; 2905 break; 2906 } 2907 socks[num_socks++] = sock; 2908 #ifndef DONT_TRY_OTHER_AF 2909 if (num_socks == NUM_SOCKS) 2910 break; 2911 #else 2912 if (x11_use_localhost) { 2913 if (num_socks == NUM_SOCKS) 2914 break; 2915 } else { 2916 break; 2917 } 2918 #endif 2919 } 2920 freeaddrinfo(aitop); 2921 if (num_socks > 0) 2922 break; 2923 } 2924 if (display_number >= MAX_DISPLAYS) { 2925 error("Failed to allocate internet-domain X11 display socket."); 2926 return -1; 2927 } 2928 /* Start listening for connections on the socket. */ 2929 for (n = 0; n < num_socks; n++) { 2930 sock = socks[n]; 2931 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2932 error("listen: %.100s", strerror(errno)); 2933 close(sock); 2934 return -1; 2935 } 2936 } 2937 2938 /* Allocate a channel for each socket. */ 2939 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 2940 for (n = 0; n < num_socks; n++) { 2941 sock = socks[n]; 2942 nc = channel_new("x11 listener", 2943 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 2944 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 2945 0, "X11 inet listener", 1); 2946 nc->single_connection = single_connection; 2947 (*chanids)[n] = nc->self; 2948 } 2949 (*chanids)[n] = -1; 2950 2951 /* Return the display number for the DISPLAY environment variable. */ 2952 *display_numberp = display_number; 2953 return (0); 2954 } 2955 2956 static int 2957 connect_local_xsocket(u_int dnr) 2958 { 2959 int sock; 2960 struct sockaddr_un addr; 2961 2962 sock = socket(AF_UNIX, SOCK_STREAM, 0); 2963 if (sock < 0) 2964 error("socket: %.100s", strerror(errno)); 2965 memset(&addr, 0, sizeof(addr)); 2966 addr.sun_family = AF_UNIX; 2967 snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr); 2968 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 2969 return sock; 2970 close(sock); 2971 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 2972 return -1; 2973 } 2974 2975 int 2976 x11_connect_display(void) 2977 { 2978 u_int display_number; 2979 const char *display; 2980 char buf[1024], *cp; 2981 struct addrinfo hints, *ai, *aitop; 2982 char strport[NI_MAXSERV]; 2983 int gaierr, sock = 0; 2984 2985 /* Try to open a socket for the local X server. */ 2986 display = getenv("DISPLAY"); 2987 if (!display) { 2988 error("DISPLAY not set."); 2989 return -1; 2990 } 2991 /* 2992 * Now we decode the value of the DISPLAY variable and make a 2993 * connection to the real X server. 2994 */ 2995 2996 /* 2997 * Check if it is a unix domain socket. Unix domain displays are in 2998 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 2999 */ 3000 if (strncmp(display, "unix:", 5) == 0 || 3001 display[0] == ':') { 3002 /* Connect to the unix domain socket. */ 3003 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 3004 error("Could not parse display number from DISPLAY: %.100s", 3005 display); 3006 return -1; 3007 } 3008 /* Create a socket. */ 3009 sock = connect_local_xsocket(display_number); 3010 if (sock < 0) 3011 return -1; 3012 3013 /* OK, we now have a connection to the display. */ 3014 return sock; 3015 } 3016 /* 3017 * Connect to an inet socket. The DISPLAY value is supposedly 3018 * hostname:d[.s], where hostname may also be numeric IP address. 3019 */ 3020 strlcpy(buf, display, sizeof(buf)); 3021 cp = strchr(buf, ':'); 3022 if (!cp) { 3023 error("Could not find ':' in DISPLAY: %.100s", display); 3024 return -1; 3025 } 3026 *cp = 0; 3027 /* buf now contains the host name. But first we parse the display number. */ 3028 if (sscanf(cp + 1, "%u", &display_number) != 1) { 3029 error("Could not parse display number from DISPLAY: %.100s", 3030 display); 3031 return -1; 3032 } 3033 3034 /* Look up the host address */ 3035 memset(&hints, 0, sizeof(hints)); 3036 hints.ai_family = IPv4or6; 3037 hints.ai_socktype = SOCK_STREAM; 3038 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 3039 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 3040 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); 3041 return -1; 3042 } 3043 for (ai = aitop; ai; ai = ai->ai_next) { 3044 /* Create a socket. */ 3045 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3046 if (sock < 0) { 3047 debug2("socket: %.100s", strerror(errno)); 3048 continue; 3049 } 3050 /* Connect it to the display. */ 3051 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3052 debug2("connect %.100s port %u: %.100s", buf, 3053 6000 + display_number, strerror(errno)); 3054 close(sock); 3055 continue; 3056 } 3057 /* Success */ 3058 break; 3059 } 3060 freeaddrinfo(aitop); 3061 if (!ai) { 3062 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 3063 strerror(errno)); 3064 return -1; 3065 } 3066 set_nodelay(sock); 3067 return sock; 3068 } 3069 3070 /* 3071 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 3072 * the remote channel number. We should do whatever we want, and respond 3073 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 3074 */ 3075 3076 /* ARGSUSED */ 3077 void 3078 x11_input_open(int type, u_int32_t seq, void *ctxt) 3079 { 3080 Channel *c = NULL; 3081 int remote_id, sock = 0; 3082 char *remote_host; 3083 3084 debug("Received X11 open request."); 3085 3086 remote_id = packet_get_int(); 3087 3088 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 3089 remote_host = packet_get_string(NULL); 3090 } else { 3091 remote_host = xstrdup("unknown (remote did not supply name)"); 3092 } 3093 packet_check_eom(); 3094 3095 /* Obtain a connection to the real X display. */ 3096 sock = x11_connect_display(); 3097 if (sock != -1) { 3098 /* Allocate a channel for this connection. */ 3099 c = channel_new("connected x11 socket", 3100 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 3101 remote_host, 1); 3102 c->remote_id = remote_id; 3103 c->force_drain = 1; 3104 } 3105 xfree(remote_host); 3106 if (c == NULL) { 3107 /* Send refusal to the remote host. */ 3108 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3109 packet_put_int(remote_id); 3110 } else { 3111 /* Send a confirmation to the remote host. */ 3112 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 3113 packet_put_int(remote_id); 3114 packet_put_int(c->self); 3115 } 3116 packet_send(); 3117 } 3118 3119 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 3120 /* ARGSUSED */ 3121 void 3122 deny_input_open(int type, u_int32_t seq, void *ctxt) 3123 { 3124 int rchan = packet_get_int(); 3125 3126 switch (type) { 3127 case SSH_SMSG_AGENT_OPEN: 3128 error("Warning: ssh server tried agent forwarding."); 3129 break; 3130 case SSH_SMSG_X11_OPEN: 3131 error("Warning: ssh server tried X11 forwarding."); 3132 break; 3133 default: 3134 error("deny_input_open: type %d", type); 3135 break; 3136 } 3137 error("Warning: this is probably a break-in attempt by a malicious server."); 3138 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3139 packet_put_int(rchan); 3140 packet_send(); 3141 } 3142 3143 /* 3144 * Requests forwarding of X11 connections, generates fake authentication 3145 * data, and enables authentication spoofing. 3146 * This should be called in the client only. 3147 */ 3148 void 3149 x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 3150 const char *proto, const char *data) 3151 { 3152 u_int data_len = (u_int) strlen(data) / 2; 3153 u_int i, value; 3154 char *new_data; 3155 int screen_number; 3156 const char *cp; 3157 u_int32_t rnd = 0; 3158 3159 if (x11_saved_display == NULL) 3160 x11_saved_display = xstrdup(disp); 3161 else if (strcmp(disp, x11_saved_display) != 0) { 3162 error("x11_request_forwarding_with_spoofing: different " 3163 "$DISPLAY already forwarded"); 3164 return; 3165 } 3166 3167 cp = strchr(disp, ':'); 3168 if (cp) 3169 cp = strchr(cp, '.'); 3170 if (cp) 3171 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 3172 else 3173 screen_number = 0; 3174 3175 if (x11_saved_proto == NULL) { 3176 /* Save protocol name. */ 3177 x11_saved_proto = xstrdup(proto); 3178 /* 3179 * Extract real authentication data and generate fake data 3180 * of the same length. 3181 */ 3182 x11_saved_data = xmalloc(data_len); 3183 x11_fake_data = xmalloc(data_len); 3184 for (i = 0; i < data_len; i++) { 3185 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3186 fatal("x11_request_forwarding: bad " 3187 "authentication data: %.100s", data); 3188 if (i % 4 == 0) 3189 rnd = arc4random(); 3190 x11_saved_data[i] = value; 3191 x11_fake_data[i] = rnd & 0xff; 3192 rnd >>= 8; 3193 } 3194 x11_saved_data_len = data_len; 3195 x11_fake_data_len = data_len; 3196 } 3197 3198 /* Convert the fake data into hex. */ 3199 new_data = tohex(x11_fake_data, data_len); 3200 3201 /* Send the request packet. */ 3202 if (compat20) { 3203 channel_request_start(client_session_id, "x11-req", 0); 3204 packet_put_char(0); /* XXX bool single connection */ 3205 } else { 3206 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 3207 } 3208 packet_put_cstring(proto); 3209 packet_put_cstring(new_data); 3210 packet_put_int(screen_number); 3211 packet_send(); 3212 packet_write_wait(); 3213 xfree(new_data); 3214 } 3215 3216 3217 /* -- agent forwarding */ 3218 3219 /* Sends a message to the server to request authentication fd forwarding. */ 3220 3221 void 3222 auth_request_forwarding(void) 3223 { 3224 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 3225 packet_send(); 3226 packet_write_wait(); 3227 } 3228