1 /* $OpenBSD: channels.c,v 1.286 2008/07/16 11:52:19 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 44 #include <sys/types.h> 45 #include <sys/ioctl.h> 46 #include <sys/un.h> 47 #include <sys/socket.h> 48 #ifdef HAVE_SYS_TIME_H 49 # include <sys/time.h> 50 #endif 51 52 #include <netinet/in.h> 53 #include <arpa/inet.h> 54 55 #include <errno.h> 56 #include <netdb.h> 57 #include <stdio.h> 58 #include <stdlib.h> 59 #include <string.h> 60 #include <termios.h> 61 #include <unistd.h> 62 #include <stdarg.h> 63 64 #include "openbsd-compat/sys-queue.h" 65 #include "xmalloc.h" 66 #include "ssh.h" 67 #include "ssh1.h" 68 #include "ssh2.h" 69 #include "packet.h" 70 #include "log.h" 71 #include "misc.h" 72 #include "buffer.h" 73 #include "channels.h" 74 #include "compat.h" 75 #include "canohost.h" 76 #include "key.h" 77 #include "authfd.h" 78 #include "pathnames.h" 79 80 /* -- channel core */ 81 82 /* 83 * Pointer to an array containing all allocated channels. The array is 84 * dynamically extended as needed. 85 */ 86 static Channel **channels = NULL; 87 88 /* 89 * Size of the channel array. All slots of the array must always be 90 * initialized (at least the type field); unused slots set to NULL 91 */ 92 static u_int channels_alloc = 0; 93 94 /* 95 * Maximum file descriptor value used in any of the channels. This is 96 * updated in channel_new. 97 */ 98 static int channel_max_fd = 0; 99 100 101 /* -- tcp forwarding */ 102 103 /* 104 * Data structure for storing which hosts are permitted for forward requests. 105 * The local sides of any remote forwards are stored in this array to prevent 106 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 107 * network (which might be behind a firewall). 108 */ 109 typedef struct { 110 char *host_to_connect; /* Connect to 'host'. */ 111 u_short port_to_connect; /* Connect to 'port'. */ 112 u_short listen_port; /* Remote side should listen port number. */ 113 } ForwardPermission; 114 115 /* List of all permitted host/port pairs to connect by the user. */ 116 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 117 118 /* List of all permitted host/port pairs to connect by the admin. */ 119 static ForwardPermission permitted_adm_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 120 121 /* Number of permitted host/port pairs in the array permitted by the user. */ 122 static int num_permitted_opens = 0; 123 124 /* Number of permitted host/port pair in the array permitted by the admin. */ 125 static int num_adm_permitted_opens = 0; 126 127 /* 128 * If this is true, all opens are permitted. This is the case on the server 129 * on which we have to trust the client anyway, and the user could do 130 * anything after logging in anyway. 131 */ 132 static int all_opens_permitted = 0; 133 134 135 /* -- X11 forwarding */ 136 137 /* Maximum number of fake X11 displays to try. */ 138 #define MAX_DISPLAYS 1000 139 140 /* Saved X11 local (client) display. */ 141 static char *x11_saved_display = NULL; 142 143 /* Saved X11 authentication protocol name. */ 144 static char *x11_saved_proto = NULL; 145 146 /* Saved X11 authentication data. This is the real data. */ 147 static char *x11_saved_data = NULL; 148 static u_int x11_saved_data_len = 0; 149 150 /* 151 * Fake X11 authentication data. This is what the server will be sending us; 152 * we should replace any occurrences of this by the real data. 153 */ 154 static u_char *x11_fake_data = NULL; 155 static u_int x11_fake_data_len; 156 157 158 /* -- agent forwarding */ 159 160 #define NUM_SOCKS 10 161 162 /* AF_UNSPEC or AF_INET or AF_INET6 */ 163 static int IPv4or6 = AF_UNSPEC; 164 165 /* helper */ 166 static void port_open_helper(Channel *c, char *rtype); 167 168 /* non-blocking connect helpers */ 169 static int connect_next(struct channel_connect *); 170 static void channel_connect_ctx_free(struct channel_connect *); 171 172 /* -- channel core */ 173 174 Channel * 175 channel_by_id(int id) 176 { 177 Channel *c; 178 179 if (id < 0 || (u_int)id >= channels_alloc) { 180 logit("channel_by_id: %d: bad id", id); 181 return NULL; 182 } 183 c = channels[id]; 184 if (c == NULL) { 185 logit("channel_by_id: %d: bad id: channel free", id); 186 return NULL; 187 } 188 return c; 189 } 190 191 /* 192 * Returns the channel if it is allowed to receive protocol messages. 193 * Private channels, like listening sockets, may not receive messages. 194 */ 195 Channel * 196 channel_lookup(int id) 197 { 198 Channel *c; 199 200 if ((c = channel_by_id(id)) == NULL) 201 return (NULL); 202 203 switch (c->type) { 204 case SSH_CHANNEL_X11_OPEN: 205 case SSH_CHANNEL_LARVAL: 206 case SSH_CHANNEL_CONNECTING: 207 case SSH_CHANNEL_DYNAMIC: 208 case SSH_CHANNEL_OPENING: 209 case SSH_CHANNEL_OPEN: 210 case SSH_CHANNEL_INPUT_DRAINING: 211 case SSH_CHANNEL_OUTPUT_DRAINING: 212 return (c); 213 } 214 logit("Non-public channel %d, type %d.", id, c->type); 215 return (NULL); 216 } 217 218 /* 219 * Register filedescriptors for a channel, used when allocating a channel or 220 * when the channel consumer/producer is ready, e.g. shell exec'd 221 */ 222 static void 223 channel_register_fds(Channel *c, int rfd, int wfd, int efd, 224 int extusage, int nonblock, int is_tty) 225 { 226 /* Update the maximum file descriptor value. */ 227 channel_max_fd = MAX(channel_max_fd, rfd); 228 channel_max_fd = MAX(channel_max_fd, wfd); 229 channel_max_fd = MAX(channel_max_fd, efd); 230 231 /* XXX set close-on-exec -markus */ 232 233 c->rfd = rfd; 234 c->wfd = wfd; 235 c->sock = (rfd == wfd) ? rfd : -1; 236 c->ctl_fd = -1; /* XXX: set elsewhere */ 237 c->efd = efd; 238 c->extended_usage = extusage; 239 240 if ((c->isatty = is_tty) != 0) 241 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 242 c->wfd_isatty = is_tty || isatty(c->wfd); 243 244 /* enable nonblocking mode */ 245 if (nonblock) { 246 if (rfd != -1) 247 set_nonblock(rfd); 248 if (wfd != -1) 249 set_nonblock(wfd); 250 if (efd != -1) 251 set_nonblock(efd); 252 } 253 } 254 255 /* 256 * Allocate a new channel object and set its type and socket. This will cause 257 * remote_name to be freed. 258 */ 259 Channel * 260 channel_new(char *ctype, int type, int rfd, int wfd, int efd, 261 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 262 { 263 int found; 264 u_int i; 265 Channel *c; 266 267 /* Do initial allocation if this is the first call. */ 268 if (channels_alloc == 0) { 269 channels_alloc = 10; 270 channels = xcalloc(channels_alloc, sizeof(Channel *)); 271 for (i = 0; i < channels_alloc; i++) 272 channels[i] = NULL; 273 } 274 /* Try to find a free slot where to put the new channel. */ 275 for (found = -1, i = 0; i < channels_alloc; i++) 276 if (channels[i] == NULL) { 277 /* Found a free slot. */ 278 found = (int)i; 279 break; 280 } 281 if (found < 0) { 282 /* There are no free slots. Take last+1 slot and expand the array. */ 283 found = channels_alloc; 284 if (channels_alloc > 10000) 285 fatal("channel_new: internal error: channels_alloc %d " 286 "too big.", channels_alloc); 287 channels = xrealloc(channels, channels_alloc + 10, 288 sizeof(Channel *)); 289 channels_alloc += 10; 290 debug2("channel: expanding %d", channels_alloc); 291 for (i = found; i < channels_alloc; i++) 292 channels[i] = NULL; 293 } 294 /* Initialize and return new channel. */ 295 c = channels[found] = xcalloc(1, sizeof(Channel)); 296 buffer_init(&c->input); 297 buffer_init(&c->output); 298 buffer_init(&c->extended); 299 c->ostate = CHAN_OUTPUT_OPEN; 300 c->istate = CHAN_INPUT_OPEN; 301 c->flags = 0; 302 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); 303 c->self = found; 304 c->type = type; 305 c->ctype = ctype; 306 c->local_window = window; 307 c->local_window_max = window; 308 c->local_consumed = 0; 309 c->local_maxpacket = maxpack; 310 c->remote_id = -1; 311 c->remote_name = xstrdup(remote_name); 312 c->remote_window = 0; 313 c->remote_maxpacket = 0; 314 c->force_drain = 0; 315 c->single_connection = 0; 316 c->detach_user = NULL; 317 c->detach_close = 0; 318 c->open_confirm = NULL; 319 c->open_confirm_ctx = NULL; 320 c->input_filter = NULL; 321 c->output_filter = NULL; 322 c->filter_ctx = NULL; 323 c->filter_cleanup = NULL; 324 TAILQ_INIT(&c->status_confirms); 325 debug("channel %d: new [%s]", found, remote_name); 326 return c; 327 } 328 329 static int 330 channel_find_maxfd(void) 331 { 332 u_int i; 333 int max = 0; 334 Channel *c; 335 336 for (i = 0; i < channels_alloc; i++) { 337 c = channels[i]; 338 if (c != NULL) { 339 max = MAX(max, c->rfd); 340 max = MAX(max, c->wfd); 341 max = MAX(max, c->efd); 342 } 343 } 344 return max; 345 } 346 347 int 348 channel_close_fd(int *fdp) 349 { 350 int ret = 0, fd = *fdp; 351 352 if (fd != -1) { 353 ret = close(fd); 354 *fdp = -1; 355 if (fd == channel_max_fd) 356 channel_max_fd = channel_find_maxfd(); 357 } 358 return ret; 359 } 360 361 /* Close all channel fd/socket. */ 362 static void 363 channel_close_fds(Channel *c) 364 { 365 debug3("channel %d: close_fds r %d w %d e %d c %d", 366 c->self, c->rfd, c->wfd, c->efd, c->ctl_fd); 367 368 channel_close_fd(&c->sock); 369 channel_close_fd(&c->ctl_fd); 370 channel_close_fd(&c->rfd); 371 channel_close_fd(&c->wfd); 372 channel_close_fd(&c->efd); 373 } 374 375 /* Free the channel and close its fd/socket. */ 376 void 377 channel_free(Channel *c) 378 { 379 char *s; 380 u_int i, n; 381 struct channel_confirm *cc; 382 383 for (n = 0, i = 0; i < channels_alloc; i++) 384 if (channels[i]) 385 n++; 386 debug("channel %d: free: %s, nchannels %u", c->self, 387 c->remote_name ? c->remote_name : "???", n); 388 389 s = channel_open_message(); 390 debug3("channel %d: status: %s", c->self, s); 391 xfree(s); 392 393 if (c->sock != -1) 394 shutdown(c->sock, SHUT_RDWR); 395 if (c->ctl_fd != -1) 396 shutdown(c->ctl_fd, SHUT_RDWR); 397 channel_close_fds(c); 398 buffer_free(&c->input); 399 buffer_free(&c->output); 400 buffer_free(&c->extended); 401 if (c->remote_name) { 402 xfree(c->remote_name); 403 c->remote_name = NULL; 404 } 405 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 406 if (cc->abandon_cb != NULL) 407 cc->abandon_cb(c, cc->ctx); 408 TAILQ_REMOVE(&c->status_confirms, cc, entry); 409 bzero(cc, sizeof(*cc)); 410 xfree(cc); 411 } 412 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 413 c->filter_cleanup(c->self, c->filter_ctx); 414 channels[c->self] = NULL; 415 xfree(c); 416 } 417 418 void 419 channel_free_all(void) 420 { 421 u_int i; 422 423 for (i = 0; i < channels_alloc; i++) 424 if (channels[i] != NULL) 425 channel_free(channels[i]); 426 } 427 428 /* 429 * Closes the sockets/fds of all channels. This is used to close extra file 430 * descriptors after a fork. 431 */ 432 void 433 channel_close_all(void) 434 { 435 u_int i; 436 437 for (i = 0; i < channels_alloc; i++) 438 if (channels[i] != NULL) 439 channel_close_fds(channels[i]); 440 } 441 442 /* 443 * Stop listening to channels. 444 */ 445 void 446 channel_stop_listening(void) 447 { 448 u_int i; 449 Channel *c; 450 451 for (i = 0; i < channels_alloc; i++) { 452 c = channels[i]; 453 if (c != NULL) { 454 switch (c->type) { 455 case SSH_CHANNEL_AUTH_SOCKET: 456 case SSH_CHANNEL_PORT_LISTENER: 457 case SSH_CHANNEL_RPORT_LISTENER: 458 case SSH_CHANNEL_X11_LISTENER: 459 channel_close_fd(&c->sock); 460 channel_free(c); 461 break; 462 } 463 } 464 } 465 } 466 467 /* 468 * Returns true if no channel has too much buffered data, and false if one or 469 * more channel is overfull. 470 */ 471 int 472 channel_not_very_much_buffered_data(void) 473 { 474 u_int i; 475 Channel *c; 476 477 for (i = 0; i < channels_alloc; i++) { 478 c = channels[i]; 479 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 480 #if 0 481 if (!compat20 && 482 buffer_len(&c->input) > packet_get_maxsize()) { 483 debug2("channel %d: big input buffer %d", 484 c->self, buffer_len(&c->input)); 485 return 0; 486 } 487 #endif 488 if (buffer_len(&c->output) > packet_get_maxsize()) { 489 debug2("channel %d: big output buffer %u > %u", 490 c->self, buffer_len(&c->output), 491 packet_get_maxsize()); 492 return 0; 493 } 494 } 495 } 496 return 1; 497 } 498 499 /* Returns true if any channel is still open. */ 500 int 501 channel_still_open(void) 502 { 503 u_int i; 504 Channel *c; 505 506 for (i = 0; i < channels_alloc; i++) { 507 c = channels[i]; 508 if (c == NULL) 509 continue; 510 switch (c->type) { 511 case SSH_CHANNEL_X11_LISTENER: 512 case SSH_CHANNEL_PORT_LISTENER: 513 case SSH_CHANNEL_RPORT_LISTENER: 514 case SSH_CHANNEL_CLOSED: 515 case SSH_CHANNEL_AUTH_SOCKET: 516 case SSH_CHANNEL_DYNAMIC: 517 case SSH_CHANNEL_CONNECTING: 518 case SSH_CHANNEL_ZOMBIE: 519 continue; 520 case SSH_CHANNEL_LARVAL: 521 if (!compat20) 522 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 523 continue; 524 case SSH_CHANNEL_OPENING: 525 case SSH_CHANNEL_OPEN: 526 case SSH_CHANNEL_X11_OPEN: 527 return 1; 528 case SSH_CHANNEL_INPUT_DRAINING: 529 case SSH_CHANNEL_OUTPUT_DRAINING: 530 if (!compat13) 531 fatal("cannot happen: OUT_DRAIN"); 532 return 1; 533 default: 534 fatal("channel_still_open: bad channel type %d", c->type); 535 /* NOTREACHED */ 536 } 537 } 538 return 0; 539 } 540 541 /* Returns the id of an open channel suitable for keepaliving */ 542 int 543 channel_find_open(void) 544 { 545 u_int i; 546 Channel *c; 547 548 for (i = 0; i < channels_alloc; i++) { 549 c = channels[i]; 550 if (c == NULL || c->remote_id < 0) 551 continue; 552 switch (c->type) { 553 case SSH_CHANNEL_CLOSED: 554 case SSH_CHANNEL_DYNAMIC: 555 case SSH_CHANNEL_X11_LISTENER: 556 case SSH_CHANNEL_PORT_LISTENER: 557 case SSH_CHANNEL_RPORT_LISTENER: 558 case SSH_CHANNEL_OPENING: 559 case SSH_CHANNEL_CONNECTING: 560 case SSH_CHANNEL_ZOMBIE: 561 continue; 562 case SSH_CHANNEL_LARVAL: 563 case SSH_CHANNEL_AUTH_SOCKET: 564 case SSH_CHANNEL_OPEN: 565 case SSH_CHANNEL_X11_OPEN: 566 return i; 567 case SSH_CHANNEL_INPUT_DRAINING: 568 case SSH_CHANNEL_OUTPUT_DRAINING: 569 if (!compat13) 570 fatal("cannot happen: OUT_DRAIN"); 571 return i; 572 default: 573 fatal("channel_find_open: bad channel type %d", c->type); 574 /* NOTREACHED */ 575 } 576 } 577 return -1; 578 } 579 580 581 /* 582 * Returns a message describing the currently open forwarded connections, 583 * suitable for sending to the client. The message contains crlf pairs for 584 * newlines. 585 */ 586 char * 587 channel_open_message(void) 588 { 589 Buffer buffer; 590 Channel *c; 591 char buf[1024], *cp; 592 u_int i; 593 594 buffer_init(&buffer); 595 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 596 buffer_append(&buffer, buf, strlen(buf)); 597 for (i = 0; i < channels_alloc; i++) { 598 c = channels[i]; 599 if (c == NULL) 600 continue; 601 switch (c->type) { 602 case SSH_CHANNEL_X11_LISTENER: 603 case SSH_CHANNEL_PORT_LISTENER: 604 case SSH_CHANNEL_RPORT_LISTENER: 605 case SSH_CHANNEL_CLOSED: 606 case SSH_CHANNEL_AUTH_SOCKET: 607 case SSH_CHANNEL_ZOMBIE: 608 continue; 609 case SSH_CHANNEL_LARVAL: 610 case SSH_CHANNEL_OPENING: 611 case SSH_CHANNEL_CONNECTING: 612 case SSH_CHANNEL_DYNAMIC: 613 case SSH_CHANNEL_OPEN: 614 case SSH_CHANNEL_X11_OPEN: 615 case SSH_CHANNEL_INPUT_DRAINING: 616 case SSH_CHANNEL_OUTPUT_DRAINING: 617 snprintf(buf, sizeof buf, 618 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cfd %d)\r\n", 619 c->self, c->remote_name, 620 c->type, c->remote_id, 621 c->istate, buffer_len(&c->input), 622 c->ostate, buffer_len(&c->output), 623 c->rfd, c->wfd, c->ctl_fd); 624 buffer_append(&buffer, buf, strlen(buf)); 625 continue; 626 default: 627 fatal("channel_open_message: bad channel type %d", c->type); 628 /* NOTREACHED */ 629 } 630 } 631 buffer_append(&buffer, "\0", 1); 632 cp = xstrdup(buffer_ptr(&buffer)); 633 buffer_free(&buffer); 634 return cp; 635 } 636 637 void 638 channel_send_open(int id) 639 { 640 Channel *c = channel_lookup(id); 641 642 if (c == NULL) { 643 logit("channel_send_open: %d: bad id", id); 644 return; 645 } 646 debug2("channel %d: send open", id); 647 packet_start(SSH2_MSG_CHANNEL_OPEN); 648 packet_put_cstring(c->ctype); 649 packet_put_int(c->self); 650 packet_put_int(c->local_window); 651 packet_put_int(c->local_maxpacket); 652 packet_send(); 653 } 654 655 void 656 channel_request_start(int id, char *service, int wantconfirm) 657 { 658 Channel *c = channel_lookup(id); 659 660 if (c == NULL) { 661 logit("channel_request_start: %d: unknown channel id", id); 662 return; 663 } 664 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 665 packet_start(SSH2_MSG_CHANNEL_REQUEST); 666 packet_put_int(c->remote_id); 667 packet_put_cstring(service); 668 packet_put_char(wantconfirm); 669 } 670 671 void 672 channel_register_status_confirm(int id, channel_confirm_cb *cb, 673 channel_confirm_abandon_cb *abandon_cb, void *ctx) 674 { 675 struct channel_confirm *cc; 676 Channel *c; 677 678 if ((c = channel_lookup(id)) == NULL) 679 fatal("channel_register_expect: %d: bad id", id); 680 681 cc = xmalloc(sizeof(*cc)); 682 cc->cb = cb; 683 cc->abandon_cb = abandon_cb; 684 cc->ctx = ctx; 685 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 686 } 687 688 void 689 channel_register_open_confirm(int id, channel_callback_fn *fn, void *ctx) 690 { 691 Channel *c = channel_lookup(id); 692 693 if (c == NULL) { 694 logit("channel_register_open_comfirm: %d: bad id", id); 695 return; 696 } 697 c->open_confirm = fn; 698 c->open_confirm_ctx = ctx; 699 } 700 701 void 702 channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 703 { 704 Channel *c = channel_by_id(id); 705 706 if (c == NULL) { 707 logit("channel_register_cleanup: %d: bad id", id); 708 return; 709 } 710 c->detach_user = fn; 711 c->detach_close = do_close; 712 } 713 714 void 715 channel_cancel_cleanup(int id) 716 { 717 Channel *c = channel_by_id(id); 718 719 if (c == NULL) { 720 logit("channel_cancel_cleanup: %d: bad id", id); 721 return; 722 } 723 c->detach_user = NULL; 724 c->detach_close = 0; 725 } 726 727 void 728 channel_register_filter(int id, channel_infilter_fn *ifn, 729 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 730 { 731 Channel *c = channel_lookup(id); 732 733 if (c == NULL) { 734 logit("channel_register_filter: %d: bad id", id); 735 return; 736 } 737 c->input_filter = ifn; 738 c->output_filter = ofn; 739 c->filter_ctx = ctx; 740 c->filter_cleanup = cfn; 741 } 742 743 void 744 channel_set_fds(int id, int rfd, int wfd, int efd, 745 int extusage, int nonblock, int is_tty, u_int window_max) 746 { 747 Channel *c = channel_lookup(id); 748 749 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 750 fatal("channel_activate for non-larval channel %d.", id); 751 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); 752 c->type = SSH_CHANNEL_OPEN; 753 c->local_window = c->local_window_max = window_max; 754 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 755 packet_put_int(c->remote_id); 756 packet_put_int(c->local_window); 757 packet_send(); 758 } 759 760 /* 761 * 'channel_pre*' are called just before select() to add any bits relevant to 762 * channels in the select bitmasks. 763 */ 764 /* 765 * 'channel_post*': perform any appropriate operations for channels which 766 * have events pending. 767 */ 768 typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 769 chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 770 chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 771 772 /* ARGSUSED */ 773 static void 774 channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 775 { 776 FD_SET(c->sock, readset); 777 } 778 779 /* ARGSUSED */ 780 static void 781 channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 782 { 783 debug3("channel %d: waiting for connection", c->self); 784 FD_SET(c->sock, writeset); 785 } 786 787 static void 788 channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 789 { 790 if (buffer_len(&c->input) < packet_get_maxsize()) 791 FD_SET(c->sock, readset); 792 if (buffer_len(&c->output) > 0) 793 FD_SET(c->sock, writeset); 794 } 795 796 static void 797 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 798 { 799 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 800 801 if (c->istate == CHAN_INPUT_OPEN && 802 limit > 0 && 803 buffer_len(&c->input) < limit && 804 buffer_check_alloc(&c->input, CHAN_RBUF)) 805 FD_SET(c->rfd, readset); 806 if (c->ostate == CHAN_OUTPUT_OPEN || 807 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 808 if (buffer_len(&c->output) > 0) { 809 FD_SET(c->wfd, writeset); 810 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 811 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 812 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 813 c->self, c->efd, buffer_len(&c->extended)); 814 else 815 chan_obuf_empty(c); 816 } 817 } 818 /** XXX check close conditions, too */ 819 if (compat20 && c->efd != -1 && 820 !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) { 821 if (c->extended_usage == CHAN_EXTENDED_WRITE && 822 buffer_len(&c->extended) > 0) 823 FD_SET(c->efd, writeset); 824 else if (!(c->flags & CHAN_EOF_SENT) && 825 c->extended_usage == CHAN_EXTENDED_READ && 826 buffer_len(&c->extended) < c->remote_window) 827 FD_SET(c->efd, readset); 828 } 829 /* XXX: What about efd? races? */ 830 if (compat20 && c->ctl_fd != -1 && 831 c->istate == CHAN_INPUT_OPEN && c->ostate == CHAN_OUTPUT_OPEN) 832 FD_SET(c->ctl_fd, readset); 833 } 834 835 /* ARGSUSED */ 836 static void 837 channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 838 { 839 if (buffer_len(&c->input) == 0) { 840 packet_start(SSH_MSG_CHANNEL_CLOSE); 841 packet_put_int(c->remote_id); 842 packet_send(); 843 c->type = SSH_CHANNEL_CLOSED; 844 debug2("channel %d: closing after input drain.", c->self); 845 } 846 } 847 848 /* ARGSUSED */ 849 static void 850 channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 851 { 852 if (buffer_len(&c->output) == 0) 853 chan_mark_dead(c); 854 else 855 FD_SET(c->sock, writeset); 856 } 857 858 /* 859 * This is a special state for X11 authentication spoofing. An opened X11 860 * connection (when authentication spoofing is being done) remains in this 861 * state until the first packet has been completely read. The authentication 862 * data in that packet is then substituted by the real data if it matches the 863 * fake data, and the channel is put into normal mode. 864 * XXX All this happens at the client side. 865 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 866 */ 867 static int 868 x11_open_helper(Buffer *b) 869 { 870 u_char *ucp; 871 u_int proto_len, data_len; 872 873 /* Check if the fixed size part of the packet is in buffer. */ 874 if (buffer_len(b) < 12) 875 return 0; 876 877 /* Parse the lengths of variable-length fields. */ 878 ucp = buffer_ptr(b); 879 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 880 proto_len = 256 * ucp[6] + ucp[7]; 881 data_len = 256 * ucp[8] + ucp[9]; 882 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 883 proto_len = ucp[6] + 256 * ucp[7]; 884 data_len = ucp[8] + 256 * ucp[9]; 885 } else { 886 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 887 ucp[0]); 888 return -1; 889 } 890 891 /* Check if the whole packet is in buffer. */ 892 if (buffer_len(b) < 893 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 894 return 0; 895 896 /* Check if authentication protocol matches. */ 897 if (proto_len != strlen(x11_saved_proto) || 898 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 899 debug2("X11 connection uses different authentication protocol."); 900 return -1; 901 } 902 /* Check if authentication data matches our fake data. */ 903 if (data_len != x11_fake_data_len || 904 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 905 x11_fake_data, x11_fake_data_len) != 0) { 906 debug2("X11 auth data does not match fake data."); 907 return -1; 908 } 909 /* Check fake data length */ 910 if (x11_fake_data_len != x11_saved_data_len) { 911 error("X11 fake_data_len %d != saved_data_len %d", 912 x11_fake_data_len, x11_saved_data_len); 913 return -1; 914 } 915 /* 916 * Received authentication protocol and data match 917 * our fake data. Substitute the fake data with real 918 * data. 919 */ 920 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 921 x11_saved_data, x11_saved_data_len); 922 return 1; 923 } 924 925 static void 926 channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 927 { 928 int ret = x11_open_helper(&c->output); 929 930 if (ret == 1) { 931 /* Start normal processing for the channel. */ 932 c->type = SSH_CHANNEL_OPEN; 933 channel_pre_open_13(c, readset, writeset); 934 } else if (ret == -1) { 935 /* 936 * We have received an X11 connection that has bad 937 * authentication information. 938 */ 939 logit("X11 connection rejected because of wrong authentication."); 940 buffer_clear(&c->input); 941 buffer_clear(&c->output); 942 channel_close_fd(&c->sock); 943 c->sock = -1; 944 c->type = SSH_CHANNEL_CLOSED; 945 packet_start(SSH_MSG_CHANNEL_CLOSE); 946 packet_put_int(c->remote_id); 947 packet_send(); 948 } 949 } 950 951 static void 952 channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 953 { 954 int ret = x11_open_helper(&c->output); 955 956 /* c->force_drain = 1; */ 957 958 if (ret == 1) { 959 c->type = SSH_CHANNEL_OPEN; 960 channel_pre_open(c, readset, writeset); 961 } else if (ret == -1) { 962 logit("X11 connection rejected because of wrong authentication."); 963 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 964 chan_read_failed(c); 965 buffer_clear(&c->input); 966 chan_ibuf_empty(c); 967 buffer_clear(&c->output); 968 /* for proto v1, the peer will send an IEOF */ 969 if (compat20) 970 chan_write_failed(c); 971 else 972 c->type = SSH_CHANNEL_OPEN; 973 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 974 } 975 } 976 977 /* try to decode a socks4 header */ 978 /* ARGSUSED */ 979 static int 980 channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 981 { 982 char *p, *host; 983 u_int len, have, i, found; 984 char username[256]; 985 struct { 986 u_int8_t version; 987 u_int8_t command; 988 u_int16_t dest_port; 989 struct in_addr dest_addr; 990 } s4_req, s4_rsp; 991 992 debug2("channel %d: decode socks4", c->self); 993 994 have = buffer_len(&c->input); 995 len = sizeof(s4_req); 996 if (have < len) 997 return 0; 998 p = buffer_ptr(&c->input); 999 for (found = 0, i = len; i < have; i++) { 1000 if (p[i] == '\0') { 1001 found = 1; 1002 break; 1003 } 1004 if (i > 1024) { 1005 /* the peer is probably sending garbage */ 1006 debug("channel %d: decode socks4: too long", 1007 c->self); 1008 return -1; 1009 } 1010 } 1011 if (!found) 1012 return 0; 1013 buffer_get(&c->input, (char *)&s4_req.version, 1); 1014 buffer_get(&c->input, (char *)&s4_req.command, 1); 1015 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 1016 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 1017 have = buffer_len(&c->input); 1018 p = buffer_ptr(&c->input); 1019 len = strlen(p); 1020 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1021 if (len > have) 1022 fatal("channel %d: decode socks4: len %d > have %d", 1023 c->self, len, have); 1024 strlcpy(username, p, sizeof(username)); 1025 buffer_consume(&c->input, len); 1026 buffer_consume(&c->input, 1); /* trailing '\0' */ 1027 1028 host = inet_ntoa(s4_req.dest_addr); 1029 strlcpy(c->path, host, sizeof(c->path)); 1030 c->host_port = ntohs(s4_req.dest_port); 1031 1032 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1033 c->self, host, c->host_port, s4_req.command); 1034 1035 if (s4_req.command != 1) { 1036 debug("channel %d: cannot handle: socks4 cn %d", 1037 c->self, s4_req.command); 1038 return -1; 1039 } 1040 s4_rsp.version = 0; /* vn: 0 for reply */ 1041 s4_rsp.command = 90; /* cd: req granted */ 1042 s4_rsp.dest_port = 0; /* ignored */ 1043 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1044 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1045 return 1; 1046 } 1047 1048 /* try to decode a socks5 header */ 1049 #define SSH_SOCKS5_AUTHDONE 0x1000 1050 #define SSH_SOCKS5_NOAUTH 0x00 1051 #define SSH_SOCKS5_IPV4 0x01 1052 #define SSH_SOCKS5_DOMAIN 0x03 1053 #define SSH_SOCKS5_IPV6 0x04 1054 #define SSH_SOCKS5_CONNECT 0x01 1055 #define SSH_SOCKS5_SUCCESS 0x00 1056 1057 /* ARGSUSED */ 1058 static int 1059 channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1060 { 1061 struct { 1062 u_int8_t version; 1063 u_int8_t command; 1064 u_int8_t reserved; 1065 u_int8_t atyp; 1066 } s5_req, s5_rsp; 1067 u_int16_t dest_port; 1068 u_char *p, dest_addr[255+1]; 1069 u_int have, need, i, found, nmethods, addrlen, af; 1070 1071 debug2("channel %d: decode socks5", c->self); 1072 p = buffer_ptr(&c->input); 1073 if (p[0] != 0x05) 1074 return -1; 1075 have = buffer_len(&c->input); 1076 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1077 /* format: ver | nmethods | methods */ 1078 if (have < 2) 1079 return 0; 1080 nmethods = p[1]; 1081 if (have < nmethods + 2) 1082 return 0; 1083 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1084 for (found = 0, i = 2; i < nmethods + 2; i++) { 1085 if (p[i] == SSH_SOCKS5_NOAUTH) { 1086 found = 1; 1087 break; 1088 } 1089 } 1090 if (!found) { 1091 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1092 c->self); 1093 return -1; 1094 } 1095 buffer_consume(&c->input, nmethods + 2); 1096 buffer_put_char(&c->output, 0x05); /* version */ 1097 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1098 FD_SET(c->sock, writeset); 1099 c->flags |= SSH_SOCKS5_AUTHDONE; 1100 debug2("channel %d: socks5 auth done", c->self); 1101 return 0; /* need more */ 1102 } 1103 debug2("channel %d: socks5 post auth", c->self); 1104 if (have < sizeof(s5_req)+1) 1105 return 0; /* need more */ 1106 memcpy(&s5_req, p, sizeof(s5_req)); 1107 if (s5_req.version != 0x05 || 1108 s5_req.command != SSH_SOCKS5_CONNECT || 1109 s5_req.reserved != 0x00) { 1110 debug2("channel %d: only socks5 connect supported", c->self); 1111 return -1; 1112 } 1113 switch (s5_req.atyp){ 1114 case SSH_SOCKS5_IPV4: 1115 addrlen = 4; 1116 af = AF_INET; 1117 break; 1118 case SSH_SOCKS5_DOMAIN: 1119 addrlen = p[sizeof(s5_req)]; 1120 af = -1; 1121 break; 1122 case SSH_SOCKS5_IPV6: 1123 addrlen = 16; 1124 af = AF_INET6; 1125 break; 1126 default: 1127 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1128 return -1; 1129 } 1130 need = sizeof(s5_req) + addrlen + 2; 1131 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1132 need++; 1133 if (have < need) 1134 return 0; 1135 buffer_consume(&c->input, sizeof(s5_req)); 1136 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1137 buffer_consume(&c->input, 1); /* host string length */ 1138 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1139 buffer_get(&c->input, (char *)&dest_port, 2); 1140 dest_addr[addrlen] = '\0'; 1141 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1142 strlcpy(c->path, (char *)dest_addr, sizeof(c->path)); 1143 else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL) 1144 return -1; 1145 c->host_port = ntohs(dest_port); 1146 1147 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1148 c->self, c->path, c->host_port, s5_req.command); 1149 1150 s5_rsp.version = 0x05; 1151 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1152 s5_rsp.reserved = 0; /* ignored */ 1153 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1154 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; 1155 dest_port = 0; /* ignored */ 1156 1157 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1158 buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); 1159 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1160 return 1; 1161 } 1162 1163 /* dynamic port forwarding */ 1164 static void 1165 channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1166 { 1167 u_char *p; 1168 u_int have; 1169 int ret; 1170 1171 have = buffer_len(&c->input); 1172 c->delayed = 0; 1173 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1174 /* buffer_dump(&c->input); */ 1175 /* check if the fixed size part of the packet is in buffer. */ 1176 if (have < 3) { 1177 /* need more */ 1178 FD_SET(c->sock, readset); 1179 return; 1180 } 1181 /* try to guess the protocol */ 1182 p = buffer_ptr(&c->input); 1183 switch (p[0]) { 1184 case 0x04: 1185 ret = channel_decode_socks4(c, readset, writeset); 1186 break; 1187 case 0x05: 1188 ret = channel_decode_socks5(c, readset, writeset); 1189 break; 1190 default: 1191 ret = -1; 1192 break; 1193 } 1194 if (ret < 0) { 1195 chan_mark_dead(c); 1196 } else if (ret == 0) { 1197 debug2("channel %d: pre_dynamic: need more", c->self); 1198 /* need more */ 1199 FD_SET(c->sock, readset); 1200 } else { 1201 /* switch to the next state */ 1202 c->type = SSH_CHANNEL_OPENING; 1203 port_open_helper(c, "direct-tcpip"); 1204 } 1205 } 1206 1207 /* This is our fake X11 server socket. */ 1208 /* ARGSUSED */ 1209 static void 1210 channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1211 { 1212 Channel *nc; 1213 struct sockaddr_storage addr; 1214 int newsock; 1215 socklen_t addrlen; 1216 char buf[16384], *remote_ipaddr; 1217 int remote_port; 1218 1219 if (FD_ISSET(c->sock, readset)) { 1220 debug("X11 connection requested."); 1221 addrlen = sizeof(addr); 1222 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1223 if (c->single_connection) { 1224 debug2("single_connection: closing X11 listener."); 1225 channel_close_fd(&c->sock); 1226 chan_mark_dead(c); 1227 } 1228 if (newsock < 0) { 1229 error("accept: %.100s", strerror(errno)); 1230 return; 1231 } 1232 set_nodelay(newsock); 1233 remote_ipaddr = get_peer_ipaddr(newsock); 1234 remote_port = get_peer_port(newsock); 1235 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1236 remote_ipaddr, remote_port); 1237 1238 nc = channel_new("accepted x11 socket", 1239 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1240 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1241 if (compat20) { 1242 packet_start(SSH2_MSG_CHANNEL_OPEN); 1243 packet_put_cstring("x11"); 1244 packet_put_int(nc->self); 1245 packet_put_int(nc->local_window_max); 1246 packet_put_int(nc->local_maxpacket); 1247 /* originator ipaddr and port */ 1248 packet_put_cstring(remote_ipaddr); 1249 if (datafellows & SSH_BUG_X11FWD) { 1250 debug2("ssh2 x11 bug compat mode"); 1251 } else { 1252 packet_put_int(remote_port); 1253 } 1254 packet_send(); 1255 } else { 1256 packet_start(SSH_SMSG_X11_OPEN); 1257 packet_put_int(nc->self); 1258 if (packet_get_protocol_flags() & 1259 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1260 packet_put_cstring(buf); 1261 packet_send(); 1262 } 1263 xfree(remote_ipaddr); 1264 } 1265 } 1266 1267 static void 1268 port_open_helper(Channel *c, char *rtype) 1269 { 1270 int direct; 1271 char buf[1024]; 1272 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1273 int remote_port = get_peer_port(c->sock); 1274 1275 direct = (strcmp(rtype, "direct-tcpip") == 0); 1276 1277 snprintf(buf, sizeof buf, 1278 "%s: listening port %d for %.100s port %d, " 1279 "connect from %.200s port %d", 1280 rtype, c->listening_port, c->path, c->host_port, 1281 remote_ipaddr, remote_port); 1282 1283 xfree(c->remote_name); 1284 c->remote_name = xstrdup(buf); 1285 1286 if (compat20) { 1287 packet_start(SSH2_MSG_CHANNEL_OPEN); 1288 packet_put_cstring(rtype); 1289 packet_put_int(c->self); 1290 packet_put_int(c->local_window_max); 1291 packet_put_int(c->local_maxpacket); 1292 if (direct) { 1293 /* target host, port */ 1294 packet_put_cstring(c->path); 1295 packet_put_int(c->host_port); 1296 } else { 1297 /* listen address, port */ 1298 packet_put_cstring(c->path); 1299 packet_put_int(c->listening_port); 1300 } 1301 /* originator host and port */ 1302 packet_put_cstring(remote_ipaddr); 1303 packet_put_int((u_int)remote_port); 1304 packet_send(); 1305 } else { 1306 packet_start(SSH_MSG_PORT_OPEN); 1307 packet_put_int(c->self); 1308 packet_put_cstring(c->path); 1309 packet_put_int(c->host_port); 1310 if (packet_get_protocol_flags() & 1311 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1312 packet_put_cstring(c->remote_name); 1313 packet_send(); 1314 } 1315 xfree(remote_ipaddr); 1316 } 1317 1318 static void 1319 channel_set_reuseaddr(int fd) 1320 { 1321 int on = 1; 1322 1323 /* 1324 * Set socket options. 1325 * Allow local port reuse in TIME_WAIT. 1326 */ 1327 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1328 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1329 } 1330 1331 /* 1332 * This socket is listening for connections to a forwarded TCP/IP port. 1333 */ 1334 /* ARGSUSED */ 1335 static void 1336 channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1337 { 1338 Channel *nc; 1339 struct sockaddr_storage addr; 1340 int newsock, nextstate; 1341 socklen_t addrlen; 1342 char *rtype; 1343 1344 if (FD_ISSET(c->sock, readset)) { 1345 debug("Connection to port %d forwarding " 1346 "to %.100s port %d requested.", 1347 c->listening_port, c->path, c->host_port); 1348 1349 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1350 nextstate = SSH_CHANNEL_OPENING; 1351 rtype = "forwarded-tcpip"; 1352 } else { 1353 if (c->host_port == 0) { 1354 nextstate = SSH_CHANNEL_DYNAMIC; 1355 rtype = "dynamic-tcpip"; 1356 } else { 1357 nextstate = SSH_CHANNEL_OPENING; 1358 rtype = "direct-tcpip"; 1359 } 1360 } 1361 1362 addrlen = sizeof(addr); 1363 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1364 if (newsock < 0) { 1365 error("accept: %.100s", strerror(errno)); 1366 return; 1367 } 1368 set_nodelay(newsock); 1369 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1370 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1371 nc->listening_port = c->listening_port; 1372 nc->host_port = c->host_port; 1373 strlcpy(nc->path, c->path, sizeof(nc->path)); 1374 1375 if (nextstate == SSH_CHANNEL_DYNAMIC) { 1376 /* 1377 * do not call the channel_post handler until 1378 * this flag has been reset by a pre-handler. 1379 * otherwise the FD_ISSET calls might overflow 1380 */ 1381 nc->delayed = 1; 1382 } else { 1383 port_open_helper(nc, rtype); 1384 } 1385 } 1386 } 1387 1388 /* 1389 * This is the authentication agent socket listening for connections from 1390 * clients. 1391 */ 1392 /* ARGSUSED */ 1393 static void 1394 channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1395 { 1396 Channel *nc; 1397 int newsock; 1398 struct sockaddr_storage addr; 1399 socklen_t addrlen; 1400 1401 if (FD_ISSET(c->sock, readset)) { 1402 addrlen = sizeof(addr); 1403 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1404 if (newsock < 0) { 1405 error("accept from auth socket: %.100s", strerror(errno)); 1406 return; 1407 } 1408 nc = channel_new("accepted auth socket", 1409 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1410 c->local_window_max, c->local_maxpacket, 1411 0, "accepted auth socket", 1); 1412 if (compat20) { 1413 packet_start(SSH2_MSG_CHANNEL_OPEN); 1414 packet_put_cstring("auth-agent@openssh.com"); 1415 packet_put_int(nc->self); 1416 packet_put_int(c->local_window_max); 1417 packet_put_int(c->local_maxpacket); 1418 } else { 1419 packet_start(SSH_SMSG_AGENT_OPEN); 1420 packet_put_int(nc->self); 1421 } 1422 packet_send(); 1423 } 1424 } 1425 1426 /* ARGSUSED */ 1427 static void 1428 channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1429 { 1430 int err = 0, sock; 1431 socklen_t sz = sizeof(err); 1432 1433 if (FD_ISSET(c->sock, writeset)) { 1434 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1435 err = errno; 1436 error("getsockopt SO_ERROR failed"); 1437 } 1438 if (err == 0) { 1439 debug("channel %d: connected to %s port %d", 1440 c->self, c->connect_ctx.host, c->connect_ctx.port); 1441 channel_connect_ctx_free(&c->connect_ctx); 1442 c->type = SSH_CHANNEL_OPEN; 1443 if (compat20) { 1444 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1445 packet_put_int(c->remote_id); 1446 packet_put_int(c->self); 1447 packet_put_int(c->local_window); 1448 packet_put_int(c->local_maxpacket); 1449 } else { 1450 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1451 packet_put_int(c->remote_id); 1452 packet_put_int(c->self); 1453 } 1454 } else { 1455 debug("channel %d: connection failed: %s", 1456 c->self, strerror(err)); 1457 /* Try next address, if any */ 1458 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1459 close(c->sock); 1460 c->sock = c->rfd = c->wfd = sock; 1461 channel_max_fd = channel_find_maxfd(); 1462 return; 1463 } 1464 /* Exhausted all addresses */ 1465 error("connect_to %.100s port %d: failed.", 1466 c->connect_ctx.host, c->connect_ctx.port); 1467 channel_connect_ctx_free(&c->connect_ctx); 1468 if (compat20) { 1469 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1470 packet_put_int(c->remote_id); 1471 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1472 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1473 packet_put_cstring(strerror(err)); 1474 packet_put_cstring(""); 1475 } 1476 } else { 1477 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1478 packet_put_int(c->remote_id); 1479 } 1480 chan_mark_dead(c); 1481 } 1482 packet_send(); 1483 } 1484 } 1485 1486 /* ARGSUSED */ 1487 static int 1488 channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1489 { 1490 char buf[CHAN_RBUF]; 1491 int len, force; 1492 1493 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1494 if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) { 1495 errno = 0; 1496 len = read(c->rfd, buf, sizeof(buf)); 1497 if (len < 0 && (errno == EINTR || 1498 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1499 return 1; 1500 #ifndef PTY_ZEROREAD 1501 if (len <= 0) { 1502 #else 1503 if ((!c->isatty && len <= 0) || 1504 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1505 #endif 1506 debug2("channel %d: read<=0 rfd %d len %d", 1507 c->self, c->rfd, len); 1508 if (c->type != SSH_CHANNEL_OPEN) { 1509 debug2("channel %d: not open", c->self); 1510 chan_mark_dead(c); 1511 return -1; 1512 } else if (compat13) { 1513 buffer_clear(&c->output); 1514 c->type = SSH_CHANNEL_INPUT_DRAINING; 1515 debug2("channel %d: input draining.", c->self); 1516 } else { 1517 chan_read_failed(c); 1518 } 1519 return -1; 1520 } 1521 if (c->input_filter != NULL) { 1522 if (c->input_filter(c, buf, len) == -1) { 1523 debug2("channel %d: filter stops", c->self); 1524 chan_read_failed(c); 1525 } 1526 } else if (c->datagram) { 1527 buffer_put_string(&c->input, buf, len); 1528 } else { 1529 buffer_append(&c->input, buf, len); 1530 } 1531 } 1532 return 1; 1533 } 1534 1535 /* ARGSUSED */ 1536 static int 1537 channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1538 { 1539 struct termios tio; 1540 u_char *data = NULL, *buf; 1541 u_int dlen; 1542 int len; 1543 1544 /* Send buffered output data to the socket. */ 1545 if (c->wfd != -1 && 1546 FD_ISSET(c->wfd, writeset) && 1547 buffer_len(&c->output) > 0) { 1548 if (c->output_filter != NULL) { 1549 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1550 debug2("channel %d: filter stops", c->self); 1551 if (c->type != SSH_CHANNEL_OPEN) 1552 chan_mark_dead(c); 1553 else 1554 chan_write_failed(c); 1555 return -1; 1556 } 1557 } else if (c->datagram) { 1558 buf = data = buffer_get_string(&c->output, &dlen); 1559 } else { 1560 buf = data = buffer_ptr(&c->output); 1561 dlen = buffer_len(&c->output); 1562 } 1563 1564 if (c->datagram) { 1565 /* ignore truncated writes, datagrams might get lost */ 1566 c->local_consumed += dlen + 4; 1567 len = write(c->wfd, buf, dlen); 1568 xfree(data); 1569 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1570 errno == EWOULDBLOCK)) 1571 return 1; 1572 if (len <= 0) { 1573 if (c->type != SSH_CHANNEL_OPEN) 1574 chan_mark_dead(c); 1575 else 1576 chan_write_failed(c); 1577 return -1; 1578 } 1579 return 1; 1580 } 1581 #ifdef _AIX 1582 /* XXX: Later AIX versions can't push as much data to tty */ 1583 if (compat20 && c->wfd_isatty) 1584 dlen = MIN(dlen, 8*1024); 1585 #endif 1586 1587 len = write(c->wfd, buf, dlen); 1588 if (len < 0 && 1589 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1590 return 1; 1591 if (len <= 0) { 1592 if (c->type != SSH_CHANNEL_OPEN) { 1593 debug2("channel %d: not open", c->self); 1594 chan_mark_dead(c); 1595 return -1; 1596 } else if (compat13) { 1597 buffer_clear(&c->output); 1598 debug2("channel %d: input draining.", c->self); 1599 c->type = SSH_CHANNEL_INPUT_DRAINING; 1600 } else { 1601 chan_write_failed(c); 1602 } 1603 return -1; 1604 } 1605 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1606 if (tcgetattr(c->wfd, &tio) == 0 && 1607 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1608 /* 1609 * Simulate echo to reduce the impact of 1610 * traffic analysis. We need to match the 1611 * size of a SSH2_MSG_CHANNEL_DATA message 1612 * (4 byte channel id + buf) 1613 */ 1614 packet_send_ignore(4 + len); 1615 packet_send(); 1616 } 1617 } 1618 buffer_consume(&c->output, len); 1619 if (compat20 && len > 0) { 1620 c->local_consumed += len; 1621 } 1622 } 1623 return 1; 1624 } 1625 1626 static int 1627 channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1628 { 1629 char buf[CHAN_RBUF]; 1630 int len; 1631 1632 /** XXX handle drain efd, too */ 1633 if (c->efd != -1) { 1634 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1635 FD_ISSET(c->efd, writeset) && 1636 buffer_len(&c->extended) > 0) { 1637 len = write(c->efd, buffer_ptr(&c->extended), 1638 buffer_len(&c->extended)); 1639 debug2("channel %d: written %d to efd %d", 1640 c->self, len, c->efd); 1641 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1642 errno == EWOULDBLOCK)) 1643 return 1; 1644 if (len <= 0) { 1645 debug2("channel %d: closing write-efd %d", 1646 c->self, c->efd); 1647 channel_close_fd(&c->efd); 1648 } else { 1649 buffer_consume(&c->extended, len); 1650 c->local_consumed += len; 1651 } 1652 } else if (c->extended_usage == CHAN_EXTENDED_READ && 1653 (c->detach_close || FD_ISSET(c->efd, readset))) { 1654 len = read(c->efd, buf, sizeof(buf)); 1655 debug2("channel %d: read %d from efd %d", 1656 c->self, len, c->efd); 1657 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 1658 errno == EWOULDBLOCK) && !c->detach_close))) 1659 return 1; 1660 if (len <= 0) { 1661 debug2("channel %d: closing read-efd %d", 1662 c->self, c->efd); 1663 channel_close_fd(&c->efd); 1664 } else { 1665 buffer_append(&c->extended, buf, len); 1666 } 1667 } 1668 } 1669 return 1; 1670 } 1671 1672 /* ARGSUSED */ 1673 static int 1674 channel_handle_ctl(Channel *c, fd_set *readset, fd_set *writeset) 1675 { 1676 char buf[16]; 1677 int len; 1678 1679 /* Monitor control fd to detect if the slave client exits */ 1680 if (c->ctl_fd != -1 && FD_ISSET(c->ctl_fd, readset)) { 1681 len = read(c->ctl_fd, buf, sizeof(buf)); 1682 if (len < 0 && 1683 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1684 return 1; 1685 if (len <= 0) { 1686 debug2("channel %d: ctl read<=0", c->self); 1687 if (c->type != SSH_CHANNEL_OPEN) { 1688 debug2("channel %d: not open", c->self); 1689 chan_mark_dead(c); 1690 return -1; 1691 } else { 1692 chan_read_failed(c); 1693 chan_write_failed(c); 1694 } 1695 return -1; 1696 } else 1697 fatal("%s: unexpected data on ctl fd", __func__); 1698 } 1699 return 1; 1700 } 1701 1702 static int 1703 channel_check_window(Channel *c) 1704 { 1705 if (c->type == SSH_CHANNEL_OPEN && 1706 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1707 ((c->local_window_max - c->local_window > 1708 c->local_maxpacket*3) || 1709 c->local_window < c->local_window_max/2) && 1710 c->local_consumed > 0) { 1711 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1712 packet_put_int(c->remote_id); 1713 packet_put_int(c->local_consumed); 1714 packet_send(); 1715 debug2("channel %d: window %d sent adjust %d", 1716 c->self, c->local_window, 1717 c->local_consumed); 1718 c->local_window += c->local_consumed; 1719 c->local_consumed = 0; 1720 } 1721 return 1; 1722 } 1723 1724 static void 1725 channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1726 { 1727 if (c->delayed) 1728 return; 1729 channel_handle_rfd(c, readset, writeset); 1730 channel_handle_wfd(c, readset, writeset); 1731 if (!compat20) 1732 return; 1733 channel_handle_efd(c, readset, writeset); 1734 channel_handle_ctl(c, readset, writeset); 1735 channel_check_window(c); 1736 } 1737 1738 /* ARGSUSED */ 1739 static void 1740 channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 1741 { 1742 int len; 1743 1744 /* Send buffered output data to the socket. */ 1745 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1746 len = write(c->sock, buffer_ptr(&c->output), 1747 buffer_len(&c->output)); 1748 if (len <= 0) 1749 buffer_clear(&c->output); 1750 else 1751 buffer_consume(&c->output, len); 1752 } 1753 } 1754 1755 static void 1756 channel_handler_init_20(void) 1757 { 1758 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1759 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1760 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1761 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1762 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1763 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1764 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1765 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1766 1767 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1768 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1769 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1770 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1771 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1772 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1773 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1774 } 1775 1776 static void 1777 channel_handler_init_13(void) 1778 { 1779 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1780 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1781 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1782 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1783 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1784 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1785 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1786 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1787 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1788 1789 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1790 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1791 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1792 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1793 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 1794 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1795 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1796 } 1797 1798 static void 1799 channel_handler_init_15(void) 1800 { 1801 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1802 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1803 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1804 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1805 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1806 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1807 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1808 1809 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1810 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1811 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1812 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1813 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1814 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1815 } 1816 1817 static void 1818 channel_handler_init(void) 1819 { 1820 int i; 1821 1822 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 1823 channel_pre[i] = NULL; 1824 channel_post[i] = NULL; 1825 } 1826 if (compat20) 1827 channel_handler_init_20(); 1828 else if (compat13) 1829 channel_handler_init_13(); 1830 else 1831 channel_handler_init_15(); 1832 } 1833 1834 /* gc dead channels */ 1835 static void 1836 channel_garbage_collect(Channel *c) 1837 { 1838 if (c == NULL) 1839 return; 1840 if (c->detach_user != NULL) { 1841 if (!chan_is_dead(c, c->detach_close)) 1842 return; 1843 debug2("channel %d: gc: notify user", c->self); 1844 c->detach_user(c->self, NULL); 1845 /* if we still have a callback */ 1846 if (c->detach_user != NULL) 1847 return; 1848 debug2("channel %d: gc: user detached", c->self); 1849 } 1850 if (!chan_is_dead(c, 1)) 1851 return; 1852 debug2("channel %d: garbage collecting", c->self); 1853 channel_free(c); 1854 } 1855 1856 static void 1857 channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) 1858 { 1859 static int did_init = 0; 1860 u_int i; 1861 Channel *c; 1862 1863 if (!did_init) { 1864 channel_handler_init(); 1865 did_init = 1; 1866 } 1867 for (i = 0; i < channels_alloc; i++) { 1868 c = channels[i]; 1869 if (c == NULL) 1870 continue; 1871 if (ftab[c->type] != NULL) 1872 (*ftab[c->type])(c, readset, writeset); 1873 channel_garbage_collect(c); 1874 } 1875 } 1876 1877 /* 1878 * Allocate/update select bitmasks and add any bits relevant to channels in 1879 * select bitmasks. 1880 */ 1881 void 1882 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 1883 u_int *nallocp, int rekeying) 1884 { 1885 u_int n, sz, nfdset; 1886 1887 n = MAX(*maxfdp, channel_max_fd); 1888 1889 nfdset = howmany(n+1, NFDBITS); 1890 /* Explicitly test here, because xrealloc isn't always called */ 1891 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) 1892 fatal("channel_prepare_select: max_fd (%d) is too large", n); 1893 sz = nfdset * sizeof(fd_mask); 1894 1895 /* perhaps check sz < nalloc/2 and shrink? */ 1896 if (*readsetp == NULL || sz > *nallocp) { 1897 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); 1898 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); 1899 *nallocp = sz; 1900 } 1901 *maxfdp = n; 1902 memset(*readsetp, 0, sz); 1903 memset(*writesetp, 0, sz); 1904 1905 if (!rekeying) 1906 channel_handler(channel_pre, *readsetp, *writesetp); 1907 } 1908 1909 /* 1910 * After select, perform any appropriate operations for channels which have 1911 * events pending. 1912 */ 1913 void 1914 channel_after_select(fd_set *readset, fd_set *writeset) 1915 { 1916 channel_handler(channel_post, readset, writeset); 1917 } 1918 1919 1920 /* If there is data to send to the connection, enqueue some of it now. */ 1921 void 1922 channel_output_poll(void) 1923 { 1924 Channel *c; 1925 u_int i, len; 1926 1927 for (i = 0; i < channels_alloc; i++) { 1928 c = channels[i]; 1929 if (c == NULL) 1930 continue; 1931 1932 /* 1933 * We are only interested in channels that can have buffered 1934 * incoming data. 1935 */ 1936 if (compat13) { 1937 if (c->type != SSH_CHANNEL_OPEN && 1938 c->type != SSH_CHANNEL_INPUT_DRAINING) 1939 continue; 1940 } else { 1941 if (c->type != SSH_CHANNEL_OPEN) 1942 continue; 1943 } 1944 if (compat20 && 1945 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 1946 /* XXX is this true? */ 1947 debug3("channel %d: will not send data after close", c->self); 1948 continue; 1949 } 1950 1951 /* Get the amount of buffered data for this channel. */ 1952 if ((c->istate == CHAN_INPUT_OPEN || 1953 c->istate == CHAN_INPUT_WAIT_DRAIN) && 1954 (len = buffer_len(&c->input)) > 0) { 1955 if (c->datagram) { 1956 if (len > 0) { 1957 u_char *data; 1958 u_int dlen; 1959 1960 data = buffer_get_string(&c->input, 1961 &dlen); 1962 packet_start(SSH2_MSG_CHANNEL_DATA); 1963 packet_put_int(c->remote_id); 1964 packet_put_string(data, dlen); 1965 packet_send(); 1966 c->remote_window -= dlen + 4; 1967 xfree(data); 1968 } 1969 continue; 1970 } 1971 /* 1972 * Send some data for the other side over the secure 1973 * connection. 1974 */ 1975 if (compat20) { 1976 if (len > c->remote_window) 1977 len = c->remote_window; 1978 if (len > c->remote_maxpacket) 1979 len = c->remote_maxpacket; 1980 } else { 1981 if (packet_is_interactive()) { 1982 if (len > 1024) 1983 len = 512; 1984 } else { 1985 /* Keep the packets at reasonable size. */ 1986 if (len > packet_get_maxsize()/2) 1987 len = packet_get_maxsize()/2; 1988 } 1989 } 1990 if (len > 0) { 1991 packet_start(compat20 ? 1992 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 1993 packet_put_int(c->remote_id); 1994 packet_put_string(buffer_ptr(&c->input), len); 1995 packet_send(); 1996 buffer_consume(&c->input, len); 1997 c->remote_window -= len; 1998 } 1999 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2000 if (compat13) 2001 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 2002 /* 2003 * input-buffer is empty and read-socket shutdown: 2004 * tell peer, that we will not send more data: send IEOF. 2005 * hack for extended data: delay EOF if EFD still in use. 2006 */ 2007 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2008 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 2009 c->self, c->efd, buffer_len(&c->extended)); 2010 else 2011 chan_ibuf_empty(c); 2012 } 2013 /* Send extended data, i.e. stderr */ 2014 if (compat20 && 2015 !(c->flags & CHAN_EOF_SENT) && 2016 c->remote_window > 0 && 2017 (len = buffer_len(&c->extended)) > 0 && 2018 c->extended_usage == CHAN_EXTENDED_READ) { 2019 debug2("channel %d: rwin %u elen %u euse %d", 2020 c->self, c->remote_window, buffer_len(&c->extended), 2021 c->extended_usage); 2022 if (len > c->remote_window) 2023 len = c->remote_window; 2024 if (len > c->remote_maxpacket) 2025 len = c->remote_maxpacket; 2026 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 2027 packet_put_int(c->remote_id); 2028 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 2029 packet_put_string(buffer_ptr(&c->extended), len); 2030 packet_send(); 2031 buffer_consume(&c->extended, len); 2032 c->remote_window -= len; 2033 debug2("channel %d: sent ext data %d", c->self, len); 2034 } 2035 } 2036 } 2037 2038 2039 /* -- protocol input */ 2040 2041 /* ARGSUSED */ 2042 void 2043 channel_input_data(int type, u_int32_t seq, void *ctxt) 2044 { 2045 int id; 2046 char *data; 2047 u_int data_len; 2048 Channel *c; 2049 2050 /* Get the channel number and verify it. */ 2051 id = packet_get_int(); 2052 c = channel_lookup(id); 2053 if (c == NULL) 2054 packet_disconnect("Received data for nonexistent channel %d.", id); 2055 2056 /* Ignore any data for non-open channels (might happen on close) */ 2057 if (c->type != SSH_CHANNEL_OPEN && 2058 c->type != SSH_CHANNEL_X11_OPEN) 2059 return; 2060 2061 /* Get the data. */ 2062 data = packet_get_string_ptr(&data_len); 2063 2064 /* 2065 * Ignore data for protocol > 1.3 if output end is no longer open. 2066 * For protocol 2 the sending side is reducing its window as it sends 2067 * data, so we must 'fake' consumption of the data in order to ensure 2068 * that window updates are sent back. Otherwise the connection might 2069 * deadlock. 2070 */ 2071 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2072 if (compat20) { 2073 c->local_window -= data_len; 2074 c->local_consumed += data_len; 2075 } 2076 return; 2077 } 2078 2079 if (compat20) { 2080 if (data_len > c->local_maxpacket) { 2081 logit("channel %d: rcvd big packet %d, maxpack %d", 2082 c->self, data_len, c->local_maxpacket); 2083 } 2084 if (data_len > c->local_window) { 2085 logit("channel %d: rcvd too much data %d, win %d", 2086 c->self, data_len, c->local_window); 2087 return; 2088 } 2089 c->local_window -= data_len; 2090 } 2091 if (c->datagram) 2092 buffer_put_string(&c->output, data, data_len); 2093 else 2094 buffer_append(&c->output, data, data_len); 2095 packet_check_eom(); 2096 } 2097 2098 /* ARGSUSED */ 2099 void 2100 channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2101 { 2102 int id; 2103 char *data; 2104 u_int data_len, tcode; 2105 Channel *c; 2106 2107 /* Get the channel number and verify it. */ 2108 id = packet_get_int(); 2109 c = channel_lookup(id); 2110 2111 if (c == NULL) 2112 packet_disconnect("Received extended_data for bad channel %d.", id); 2113 if (c->type != SSH_CHANNEL_OPEN) { 2114 logit("channel %d: ext data for non open", id); 2115 return; 2116 } 2117 if (c->flags & CHAN_EOF_RCVD) { 2118 if (datafellows & SSH_BUG_EXTEOF) 2119 debug("channel %d: accepting ext data after eof", id); 2120 else 2121 packet_disconnect("Received extended_data after EOF " 2122 "on channel %d.", id); 2123 } 2124 tcode = packet_get_int(); 2125 if (c->efd == -1 || 2126 c->extended_usage != CHAN_EXTENDED_WRITE || 2127 tcode != SSH2_EXTENDED_DATA_STDERR) { 2128 logit("channel %d: bad ext data", c->self); 2129 return; 2130 } 2131 data = packet_get_string(&data_len); 2132 packet_check_eom(); 2133 if (data_len > c->local_window) { 2134 logit("channel %d: rcvd too much extended_data %d, win %d", 2135 c->self, data_len, c->local_window); 2136 xfree(data); 2137 return; 2138 } 2139 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2140 c->local_window -= data_len; 2141 buffer_append(&c->extended, data, data_len); 2142 xfree(data); 2143 } 2144 2145 /* ARGSUSED */ 2146 void 2147 channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2148 { 2149 int id; 2150 Channel *c; 2151 2152 id = packet_get_int(); 2153 packet_check_eom(); 2154 c = channel_lookup(id); 2155 if (c == NULL) 2156 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2157 chan_rcvd_ieof(c); 2158 2159 /* XXX force input close */ 2160 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2161 debug("channel %d: FORCE input drain", c->self); 2162 c->istate = CHAN_INPUT_WAIT_DRAIN; 2163 if (buffer_len(&c->input) == 0) 2164 chan_ibuf_empty(c); 2165 } 2166 2167 } 2168 2169 /* ARGSUSED */ 2170 void 2171 channel_input_close(int type, u_int32_t seq, void *ctxt) 2172 { 2173 int id; 2174 Channel *c; 2175 2176 id = packet_get_int(); 2177 packet_check_eom(); 2178 c = channel_lookup(id); 2179 if (c == NULL) 2180 packet_disconnect("Received close for nonexistent channel %d.", id); 2181 2182 /* 2183 * Send a confirmation that we have closed the channel and no more 2184 * data is coming for it. 2185 */ 2186 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2187 packet_put_int(c->remote_id); 2188 packet_send(); 2189 2190 /* 2191 * If the channel is in closed state, we have sent a close request, 2192 * and the other side will eventually respond with a confirmation. 2193 * Thus, we cannot free the channel here, because then there would be 2194 * no-one to receive the confirmation. The channel gets freed when 2195 * the confirmation arrives. 2196 */ 2197 if (c->type != SSH_CHANNEL_CLOSED) { 2198 /* 2199 * Not a closed channel - mark it as draining, which will 2200 * cause it to be freed later. 2201 */ 2202 buffer_clear(&c->input); 2203 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2204 } 2205 } 2206 2207 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2208 /* ARGSUSED */ 2209 void 2210 channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2211 { 2212 int id = packet_get_int(); 2213 Channel *c = channel_lookup(id); 2214 2215 packet_check_eom(); 2216 if (c == NULL) 2217 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2218 chan_rcvd_oclose(c); 2219 } 2220 2221 /* ARGSUSED */ 2222 void 2223 channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2224 { 2225 int id = packet_get_int(); 2226 Channel *c = channel_lookup(id); 2227 2228 packet_check_eom(); 2229 if (c == NULL) 2230 packet_disconnect("Received close confirmation for " 2231 "out-of-range channel %d.", id); 2232 if (c->type != SSH_CHANNEL_CLOSED) 2233 packet_disconnect("Received close confirmation for " 2234 "non-closed channel %d (type %d).", id, c->type); 2235 channel_free(c); 2236 } 2237 2238 /* ARGSUSED */ 2239 void 2240 channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2241 { 2242 int id, remote_id; 2243 Channel *c; 2244 2245 id = packet_get_int(); 2246 c = channel_lookup(id); 2247 2248 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2249 packet_disconnect("Received open confirmation for " 2250 "non-opening channel %d.", id); 2251 remote_id = packet_get_int(); 2252 /* Record the remote channel number and mark that the channel is now open. */ 2253 c->remote_id = remote_id; 2254 c->type = SSH_CHANNEL_OPEN; 2255 2256 if (compat20) { 2257 c->remote_window = packet_get_int(); 2258 c->remote_maxpacket = packet_get_int(); 2259 if (c->open_confirm) { 2260 debug2("callback start"); 2261 c->open_confirm(c->self, c->open_confirm_ctx); 2262 debug2("callback done"); 2263 } 2264 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2265 c->remote_window, c->remote_maxpacket); 2266 } 2267 packet_check_eom(); 2268 } 2269 2270 static char * 2271 reason2txt(int reason) 2272 { 2273 switch (reason) { 2274 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2275 return "administratively prohibited"; 2276 case SSH2_OPEN_CONNECT_FAILED: 2277 return "connect failed"; 2278 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2279 return "unknown channel type"; 2280 case SSH2_OPEN_RESOURCE_SHORTAGE: 2281 return "resource shortage"; 2282 } 2283 return "unknown reason"; 2284 } 2285 2286 /* ARGSUSED */ 2287 void 2288 channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2289 { 2290 int id, reason; 2291 char *msg = NULL, *lang = NULL; 2292 Channel *c; 2293 2294 id = packet_get_int(); 2295 c = channel_lookup(id); 2296 2297 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2298 packet_disconnect("Received open failure for " 2299 "non-opening channel %d.", id); 2300 if (compat20) { 2301 reason = packet_get_int(); 2302 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2303 msg = packet_get_string(NULL); 2304 lang = packet_get_string(NULL); 2305 } 2306 logit("channel %d: open failed: %s%s%s", id, 2307 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2308 if (msg != NULL) 2309 xfree(msg); 2310 if (lang != NULL) 2311 xfree(lang); 2312 } 2313 packet_check_eom(); 2314 /* Free the channel. This will also close the socket. */ 2315 channel_free(c); 2316 } 2317 2318 /* ARGSUSED */ 2319 void 2320 channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2321 { 2322 Channel *c; 2323 int id; 2324 u_int adjust; 2325 2326 if (!compat20) 2327 return; 2328 2329 /* Get the channel number and verify it. */ 2330 id = packet_get_int(); 2331 c = channel_lookup(id); 2332 2333 if (c == NULL) { 2334 logit("Received window adjust for non-open channel %d.", id); 2335 return; 2336 } 2337 adjust = packet_get_int(); 2338 packet_check_eom(); 2339 debug2("channel %d: rcvd adjust %u", id, adjust); 2340 c->remote_window += adjust; 2341 } 2342 2343 /* ARGSUSED */ 2344 void 2345 channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2346 { 2347 Channel *c = NULL; 2348 u_short host_port; 2349 char *host, *originator_string; 2350 int remote_id; 2351 2352 remote_id = packet_get_int(); 2353 host = packet_get_string(NULL); 2354 host_port = packet_get_int(); 2355 2356 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2357 originator_string = packet_get_string(NULL); 2358 } else { 2359 originator_string = xstrdup("unknown (remote did not supply name)"); 2360 } 2361 packet_check_eom(); 2362 c = channel_connect_to(host, host_port, 2363 "connected socket", originator_string); 2364 xfree(originator_string); 2365 xfree(host); 2366 if (c == NULL) { 2367 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2368 packet_put_int(remote_id); 2369 packet_send(); 2370 } else 2371 c->remote_id = remote_id; 2372 } 2373 2374 /* ARGSUSED */ 2375 void 2376 channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) 2377 { 2378 Channel *c; 2379 struct channel_confirm *cc; 2380 int remote_id; 2381 2382 /* Reset keepalive timeout */ 2383 keep_alive_timeouts = 0; 2384 2385 remote_id = packet_get_int(); 2386 packet_check_eom(); 2387 2388 debug2("channel_input_confirm: type %d id %d", type, remote_id); 2389 2390 if ((c = channel_lookup(remote_id)) == NULL) { 2391 logit("channel_input_success_failure: %d: unknown", remote_id); 2392 return; 2393 } 2394 ; 2395 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 2396 return; 2397 cc->cb(type, c, cc->ctx); 2398 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2399 bzero(cc, sizeof(*cc)); 2400 xfree(cc); 2401 } 2402 2403 /* -- tcp forwarding */ 2404 2405 void 2406 channel_set_af(int af) 2407 { 2408 IPv4or6 = af; 2409 } 2410 2411 static int 2412 channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_port, 2413 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2414 { 2415 Channel *c; 2416 int sock, r, success = 0, wildcard = 0, is_client; 2417 struct addrinfo hints, *ai, *aitop; 2418 const char *host, *addr; 2419 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2420 2421 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2422 listen_addr : host_to_connect; 2423 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2424 2425 if (host == NULL) { 2426 error("No forward host name."); 2427 return 0; 2428 } 2429 if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) { 2430 error("Forward host name too long."); 2431 return 0; 2432 } 2433 2434 /* 2435 * Determine whether or not a port forward listens to loopback, 2436 * specified address or wildcard. On the client, a specified bind 2437 * address will always override gateway_ports. On the server, a 2438 * gateway_ports of 1 (``yes'') will override the client's 2439 * specification and force a wildcard bind, whereas a value of 2 2440 * (``clientspecified'') will bind to whatever address the client 2441 * asked for. 2442 * 2443 * Special-case listen_addrs are: 2444 * 2445 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2446 * "" (empty string), "*" -> wildcard v4/v6 2447 * "localhost" -> loopback v4/v6 2448 */ 2449 addr = NULL; 2450 if (listen_addr == NULL) { 2451 /* No address specified: default to gateway_ports setting */ 2452 if (gateway_ports) 2453 wildcard = 1; 2454 } else if (gateway_ports || is_client) { 2455 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2456 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 2457 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2458 (!is_client && gateway_ports == 1)) 2459 wildcard = 1; 2460 else if (strcmp(listen_addr, "localhost") != 0) 2461 addr = listen_addr; 2462 } 2463 2464 debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s", 2465 type, wildcard, (addr == NULL) ? "NULL" : addr); 2466 2467 /* 2468 * getaddrinfo returns a loopback address if the hostname is 2469 * set to NULL and hints.ai_flags is not AI_PASSIVE 2470 */ 2471 memset(&hints, 0, sizeof(hints)); 2472 hints.ai_family = IPv4or6; 2473 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2474 hints.ai_socktype = SOCK_STREAM; 2475 snprintf(strport, sizeof strport, "%d", listen_port); 2476 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2477 if (addr == NULL) { 2478 /* This really shouldn't happen */ 2479 packet_disconnect("getaddrinfo: fatal error: %s", 2480 ssh_gai_strerror(r)); 2481 } else { 2482 error("channel_setup_fwd_listener: " 2483 "getaddrinfo(%.64s): %s", addr, 2484 ssh_gai_strerror(r)); 2485 } 2486 return 0; 2487 } 2488 2489 for (ai = aitop; ai; ai = ai->ai_next) { 2490 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 2491 continue; 2492 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2493 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2494 error("channel_setup_fwd_listener: getnameinfo failed"); 2495 continue; 2496 } 2497 /* Create a port to listen for the host. */ 2498 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2499 if (sock < 0) { 2500 /* this is no error since kernel may not support ipv6 */ 2501 verbose("socket: %.100s", strerror(errno)); 2502 continue; 2503 } 2504 2505 channel_set_reuseaddr(sock); 2506 2507 debug("Local forwarding listening on %s port %s.", ntop, strport); 2508 2509 /* Bind the socket to the address. */ 2510 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2511 /* address can be in use ipv6 address is already bound */ 2512 if (!ai->ai_next) 2513 error("bind: %.100s", strerror(errno)); 2514 else 2515 verbose("bind: %.100s", strerror(errno)); 2516 2517 close(sock); 2518 continue; 2519 } 2520 /* Start listening for connections on the socket. */ 2521 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2522 error("listen: %.100s", strerror(errno)); 2523 close(sock); 2524 continue; 2525 } 2526 /* Allocate a channel number for the socket. */ 2527 c = channel_new("port listener", type, sock, sock, -1, 2528 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2529 0, "port listener", 1); 2530 strlcpy(c->path, host, sizeof(c->path)); 2531 c->host_port = port_to_connect; 2532 c->listening_port = listen_port; 2533 success = 1; 2534 } 2535 if (success == 0) 2536 error("channel_setup_fwd_listener: cannot listen to port: %d", 2537 listen_port); 2538 freeaddrinfo(aitop); 2539 return success; 2540 } 2541 2542 int 2543 channel_cancel_rport_listener(const char *host, u_short port) 2544 { 2545 u_int i; 2546 int found = 0; 2547 2548 for (i = 0; i < channels_alloc; i++) { 2549 Channel *c = channels[i]; 2550 2551 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER && 2552 strncmp(c->path, host, sizeof(c->path)) == 0 && 2553 c->listening_port == port) { 2554 debug2("%s: close channel %d", __func__, i); 2555 channel_free(c); 2556 found = 1; 2557 } 2558 } 2559 2560 return (found); 2561 } 2562 2563 /* protocol local port fwd, used by ssh (and sshd in v1) */ 2564 int 2565 channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, 2566 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2567 { 2568 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2569 listen_host, listen_port, host_to_connect, port_to_connect, 2570 gateway_ports); 2571 } 2572 2573 /* protocol v2 remote port fwd, used by sshd */ 2574 int 2575 channel_setup_remote_fwd_listener(const char *listen_address, 2576 u_short listen_port, int gateway_ports) 2577 { 2578 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2579 listen_address, listen_port, NULL, 0, gateway_ports); 2580 } 2581 2582 /* 2583 * Initiate forwarding of connections to port "port" on remote host through 2584 * the secure channel to host:port from local side. 2585 */ 2586 2587 int 2588 channel_request_remote_forwarding(const char *listen_host, u_short listen_port, 2589 const char *host_to_connect, u_short port_to_connect) 2590 { 2591 int type, success = 0; 2592 2593 /* Record locally that connection to this host/port is permitted. */ 2594 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2595 fatal("channel_request_remote_forwarding: too many forwards"); 2596 2597 /* Send the forward request to the remote side. */ 2598 if (compat20) { 2599 const char *address_to_bind; 2600 if (listen_host == NULL) { 2601 if (datafellows & SSH_BUG_RFWD_ADDR) 2602 address_to_bind = "127.0.0.1"; 2603 else 2604 address_to_bind = "localhost"; 2605 } else if (*listen_host == '\0' || 2606 strcmp(listen_host, "*") == 0) { 2607 if (datafellows & SSH_BUG_RFWD_ADDR) 2608 address_to_bind = "0.0.0.0"; 2609 else 2610 address_to_bind = ""; 2611 } else 2612 address_to_bind = listen_host; 2613 2614 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2615 packet_put_cstring("tcpip-forward"); 2616 packet_put_char(1); /* boolean: want reply */ 2617 packet_put_cstring(address_to_bind); 2618 packet_put_int(listen_port); 2619 packet_send(); 2620 packet_write_wait(); 2621 /* Assume that server accepts the request */ 2622 success = 1; 2623 } else { 2624 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2625 packet_put_int(listen_port); 2626 packet_put_cstring(host_to_connect); 2627 packet_put_int(port_to_connect); 2628 packet_send(); 2629 packet_write_wait(); 2630 2631 /* Wait for response from the remote side. */ 2632 type = packet_read(); 2633 switch (type) { 2634 case SSH_SMSG_SUCCESS: 2635 success = 1; 2636 break; 2637 case SSH_SMSG_FAILURE: 2638 break; 2639 default: 2640 /* Unknown packet */ 2641 packet_disconnect("Protocol error for port forward request:" 2642 "received packet type %d.", type); 2643 } 2644 } 2645 if (success) { 2646 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2647 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2648 permitted_opens[num_permitted_opens].listen_port = listen_port; 2649 num_permitted_opens++; 2650 } 2651 return (success ? 0 : -1); 2652 } 2653 2654 /* 2655 * Request cancellation of remote forwarding of connection host:port from 2656 * local side. 2657 */ 2658 void 2659 channel_request_rforward_cancel(const char *host, u_short port) 2660 { 2661 int i; 2662 2663 if (!compat20) 2664 return; 2665 2666 for (i = 0; i < num_permitted_opens; i++) { 2667 if (permitted_opens[i].host_to_connect != NULL && 2668 permitted_opens[i].listen_port == port) 2669 break; 2670 } 2671 if (i >= num_permitted_opens) { 2672 debug("%s: requested forward not found", __func__); 2673 return; 2674 } 2675 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2676 packet_put_cstring("cancel-tcpip-forward"); 2677 packet_put_char(0); 2678 packet_put_cstring(host == NULL ? "" : host); 2679 packet_put_int(port); 2680 packet_send(); 2681 2682 permitted_opens[i].listen_port = 0; 2683 permitted_opens[i].port_to_connect = 0; 2684 xfree(permitted_opens[i].host_to_connect); 2685 permitted_opens[i].host_to_connect = NULL; 2686 } 2687 2688 /* 2689 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2690 * listening for the port, and sends back a success reply (or disconnect 2691 * message if there was an error). 2692 */ 2693 int 2694 channel_input_port_forward_request(int is_root, int gateway_ports) 2695 { 2696 u_short port, host_port; 2697 int success = 0; 2698 char *hostname; 2699 2700 /* Get arguments from the packet. */ 2701 port = packet_get_int(); 2702 hostname = packet_get_string(NULL); 2703 host_port = packet_get_int(); 2704 2705 #ifndef HAVE_CYGWIN 2706 /* 2707 * Check that an unprivileged user is not trying to forward a 2708 * privileged port. 2709 */ 2710 if (port < IPPORT_RESERVED && !is_root) 2711 packet_disconnect( 2712 "Requested forwarding of port %d but user is not root.", 2713 port); 2714 if (host_port == 0) 2715 packet_disconnect("Dynamic forwarding denied."); 2716 #endif 2717 2718 /* Initiate forwarding */ 2719 success = channel_setup_local_fwd_listener(NULL, port, hostname, 2720 host_port, gateway_ports); 2721 2722 /* Free the argument string. */ 2723 xfree(hostname); 2724 2725 return (success ? 0 : -1); 2726 } 2727 2728 /* 2729 * Permits opening to any host/port if permitted_opens[] is empty. This is 2730 * usually called by the server, because the user could connect to any port 2731 * anyway, and the server has no way to know but to trust the client anyway. 2732 */ 2733 void 2734 channel_permit_all_opens(void) 2735 { 2736 if (num_permitted_opens == 0) 2737 all_opens_permitted = 1; 2738 } 2739 2740 void 2741 channel_add_permitted_opens(char *host, int port) 2742 { 2743 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2744 fatal("channel_add_permitted_opens: too many forwards"); 2745 debug("allow port forwarding to host %s port %d", host, port); 2746 2747 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 2748 permitted_opens[num_permitted_opens].port_to_connect = port; 2749 num_permitted_opens++; 2750 2751 all_opens_permitted = 0; 2752 } 2753 2754 int 2755 channel_add_adm_permitted_opens(char *host, int port) 2756 { 2757 if (num_adm_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 2758 fatal("channel_add_adm_permitted_opens: too many forwards"); 2759 debug("config allows port forwarding to host %s port %d", host, port); 2760 2761 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 2762 = xstrdup(host); 2763 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 2764 return ++num_adm_permitted_opens; 2765 } 2766 2767 void 2768 channel_clear_permitted_opens(void) 2769 { 2770 int i; 2771 2772 for (i = 0; i < num_permitted_opens; i++) 2773 if (permitted_opens[i].host_to_connect != NULL) 2774 xfree(permitted_opens[i].host_to_connect); 2775 num_permitted_opens = 0; 2776 } 2777 2778 void 2779 channel_clear_adm_permitted_opens(void) 2780 { 2781 int i; 2782 2783 for (i = 0; i < num_adm_permitted_opens; i++) 2784 if (permitted_adm_opens[i].host_to_connect != NULL) 2785 xfree(permitted_adm_opens[i].host_to_connect); 2786 num_adm_permitted_opens = 0; 2787 } 2788 2789 void 2790 channel_print_adm_permitted_opens(void) 2791 { 2792 int i; 2793 2794 for (i = 0; i < num_adm_permitted_opens; i++) 2795 if (permitted_adm_opens[i].host_to_connect != NULL) 2796 printf(" %s:%d", permitted_adm_opens[i].host_to_connect, 2797 permitted_adm_opens[i].port_to_connect); 2798 } 2799 2800 /* Try to start non-blocking connect to next host in cctx list */ 2801 static int 2802 connect_next(struct channel_connect *cctx) 2803 { 2804 int sock, saved_errno; 2805 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2806 2807 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 2808 if (cctx->ai->ai_family != AF_INET && 2809 cctx->ai->ai_family != AF_INET6) 2810 continue; 2811 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 2812 ntop, sizeof(ntop), strport, sizeof(strport), 2813 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2814 error("connect_next: getnameinfo failed"); 2815 continue; 2816 } 2817 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 2818 cctx->ai->ai_protocol)) == -1) { 2819 if (cctx->ai->ai_next == NULL) 2820 error("socket: %.100s", strerror(errno)); 2821 else 2822 verbose("socket: %.100s", strerror(errno)); 2823 continue; 2824 } 2825 if (set_nonblock(sock) == -1) 2826 fatal("%s: set_nonblock(%d)", __func__, sock); 2827 if (connect(sock, cctx->ai->ai_addr, 2828 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 2829 debug("connect_next: host %.100s ([%.100s]:%s): " 2830 "%.100s", cctx->host, ntop, strport, 2831 strerror(errno)); 2832 saved_errno = errno; 2833 close(sock); 2834 errno = saved_errno; 2835 continue; /* fail -- try next */ 2836 } 2837 debug("connect_next: host %.100s ([%.100s]:%s) " 2838 "in progress, fd=%d", cctx->host, ntop, strport, sock); 2839 cctx->ai = cctx->ai->ai_next; 2840 set_nodelay(sock); 2841 return sock; 2842 } 2843 return -1; 2844 } 2845 2846 static void 2847 channel_connect_ctx_free(struct channel_connect *cctx) 2848 { 2849 xfree(cctx->host); 2850 if (cctx->aitop) 2851 freeaddrinfo(cctx->aitop); 2852 bzero(cctx, sizeof(*cctx)); 2853 cctx->host = NULL; 2854 cctx->ai = cctx->aitop = NULL; 2855 } 2856 2857 /* Return CONNECTING channel to remote host, port */ 2858 static Channel * 2859 connect_to(const char *host, u_short port, char *ctype, char *rname) 2860 { 2861 struct addrinfo hints; 2862 int gaierr; 2863 int sock = -1; 2864 char strport[NI_MAXSERV]; 2865 struct channel_connect cctx; 2866 Channel *c; 2867 2868 memset(&cctx, 0, sizeof(cctx)); 2869 memset(&hints, 0, sizeof(hints)); 2870 hints.ai_family = IPv4or6; 2871 hints.ai_socktype = SOCK_STREAM; 2872 snprintf(strport, sizeof strport, "%d", port); 2873 if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) { 2874 error("connect_to %.100s: unknown host (%s)", host, 2875 ssh_gai_strerror(gaierr)); 2876 return NULL; 2877 } 2878 2879 cctx.host = xstrdup(host); 2880 cctx.port = port; 2881 cctx.ai = cctx.aitop; 2882 2883 if ((sock = connect_next(&cctx)) == -1) { 2884 error("connect to %.100s port %d failed: %s", 2885 host, port, strerror(errno)); 2886 channel_connect_ctx_free(&cctx); 2887 return NULL; 2888 } 2889 c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 2890 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 2891 c->connect_ctx = cctx; 2892 return c; 2893 } 2894 2895 Channel * 2896 channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) 2897 { 2898 int i; 2899 2900 for (i = 0; i < num_permitted_opens; i++) { 2901 if (permitted_opens[i].host_to_connect != NULL && 2902 permitted_opens[i].listen_port == listen_port) { 2903 return connect_to( 2904 permitted_opens[i].host_to_connect, 2905 permitted_opens[i].port_to_connect, ctype, rname); 2906 } 2907 } 2908 error("WARNING: Server requests forwarding for unknown listen_port %d", 2909 listen_port); 2910 return NULL; 2911 } 2912 2913 /* Check if connecting to that port is permitted and connect. */ 2914 Channel * 2915 channel_connect_to(const char *host, u_short port, char *ctype, char *rname) 2916 { 2917 int i, permit, permit_adm = 1; 2918 2919 permit = all_opens_permitted; 2920 if (!permit) { 2921 for (i = 0; i < num_permitted_opens; i++) 2922 if (permitted_opens[i].host_to_connect != NULL && 2923 permitted_opens[i].port_to_connect == port && 2924 strcmp(permitted_opens[i].host_to_connect, host) == 0) 2925 permit = 1; 2926 } 2927 2928 if (num_adm_permitted_opens > 0) { 2929 permit_adm = 0; 2930 for (i = 0; i < num_adm_permitted_opens; i++) 2931 if (permitted_adm_opens[i].host_to_connect != NULL && 2932 permitted_adm_opens[i].port_to_connect == port && 2933 strcmp(permitted_adm_opens[i].host_to_connect, host) 2934 == 0) 2935 permit_adm = 1; 2936 } 2937 2938 if (!permit || !permit_adm) { 2939 logit("Received request to connect to host %.100s port %d, " 2940 "but the request was denied.", host, port); 2941 return NULL; 2942 } 2943 return connect_to(host, port, ctype, rname); 2944 } 2945 2946 void 2947 channel_send_window_changes(void) 2948 { 2949 u_int i; 2950 struct winsize ws; 2951 2952 for (i = 0; i < channels_alloc; i++) { 2953 if (channels[i] == NULL || !channels[i]->client_tty || 2954 channels[i]->type != SSH_CHANNEL_OPEN) 2955 continue; 2956 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 2957 continue; 2958 channel_request_start(i, "window-change", 0); 2959 packet_put_int((u_int)ws.ws_col); 2960 packet_put_int((u_int)ws.ws_row); 2961 packet_put_int((u_int)ws.ws_xpixel); 2962 packet_put_int((u_int)ws.ws_ypixel); 2963 packet_send(); 2964 } 2965 } 2966 2967 /* -- X11 forwarding */ 2968 2969 /* 2970 * Creates an internet domain socket for listening for X11 connections. 2971 * Returns 0 and a suitable display number for the DISPLAY variable 2972 * stored in display_numberp , or -1 if an error occurs. 2973 */ 2974 int 2975 x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 2976 int single_connection, u_int *display_numberp, int **chanids) 2977 { 2978 Channel *nc = NULL; 2979 int display_number, sock; 2980 u_short port; 2981 struct addrinfo hints, *ai, *aitop; 2982 char strport[NI_MAXSERV]; 2983 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 2984 2985 if (chanids == NULL) 2986 return -1; 2987 2988 for (display_number = x11_display_offset; 2989 display_number < MAX_DISPLAYS; 2990 display_number++) { 2991 port = 6000 + display_number; 2992 memset(&hints, 0, sizeof(hints)); 2993 hints.ai_family = IPv4or6; 2994 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 2995 hints.ai_socktype = SOCK_STREAM; 2996 snprintf(strport, sizeof strport, "%d", port); 2997 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 2998 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 2999 return -1; 3000 } 3001 for (ai = aitop; ai; ai = ai->ai_next) { 3002 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 3003 continue; 3004 sock = socket(ai->ai_family, ai->ai_socktype, 3005 ai->ai_protocol); 3006 if (sock < 0) { 3007 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { 3008 error("socket: %.100s", strerror(errno)); 3009 freeaddrinfo(aitop); 3010 return -1; 3011 } else { 3012 debug("x11_create_display_inet: Socket family %d not supported", 3013 ai->ai_family); 3014 continue; 3015 } 3016 } 3017 #ifdef IPV6_V6ONLY 3018 if (ai->ai_family == AF_INET6) { 3019 int on = 1; 3020 if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) 3021 error("setsockopt IPV6_V6ONLY: %.100s", strerror(errno)); 3022 } 3023 #endif 3024 if (x11_use_localhost) 3025 channel_set_reuseaddr(sock); 3026 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3027 debug2("bind port %d: %.100s", port, strerror(errno)); 3028 close(sock); 3029 3030 for (n = 0; n < num_socks; n++) { 3031 close(socks[n]); 3032 } 3033 num_socks = 0; 3034 break; 3035 } 3036 socks[num_socks++] = sock; 3037 if (num_socks == NUM_SOCKS) 3038 break; 3039 } 3040 freeaddrinfo(aitop); 3041 if (num_socks > 0) 3042 break; 3043 } 3044 if (display_number >= MAX_DISPLAYS) { 3045 error("Failed to allocate internet-domain X11 display socket."); 3046 return -1; 3047 } 3048 /* Start listening for connections on the socket. */ 3049 for (n = 0; n < num_socks; n++) { 3050 sock = socks[n]; 3051 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3052 error("listen: %.100s", strerror(errno)); 3053 close(sock); 3054 return -1; 3055 } 3056 } 3057 3058 /* Allocate a channel for each socket. */ 3059 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 3060 for (n = 0; n < num_socks; n++) { 3061 sock = socks[n]; 3062 nc = channel_new("x11 listener", 3063 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 3064 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 3065 0, "X11 inet listener", 1); 3066 nc->single_connection = single_connection; 3067 (*chanids)[n] = nc->self; 3068 } 3069 (*chanids)[n] = -1; 3070 3071 /* Return the display number for the DISPLAY environment variable. */ 3072 *display_numberp = display_number; 3073 return (0); 3074 } 3075 3076 static int 3077 connect_local_xsocket(u_int dnr) 3078 { 3079 int sock; 3080 struct sockaddr_un addr; 3081 3082 sock = socket(AF_UNIX, SOCK_STREAM, 0); 3083 if (sock < 0) 3084 error("socket: %.100s", strerror(errno)); 3085 memset(&addr, 0, sizeof(addr)); 3086 addr.sun_family = AF_UNIX; 3087 snprintf(addr.sun_path, sizeof addr.sun_path, _PATH_UNIX_X, dnr); 3088 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 3089 return sock; 3090 close(sock); 3091 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 3092 return -1; 3093 } 3094 3095 int 3096 x11_connect_display(void) 3097 { 3098 u_int display_number; 3099 const char *display; 3100 char buf[1024], *cp; 3101 struct addrinfo hints, *ai, *aitop; 3102 char strport[NI_MAXSERV]; 3103 int gaierr, sock = 0; 3104 3105 /* Try to open a socket for the local X server. */ 3106 display = getenv("DISPLAY"); 3107 if (!display) { 3108 error("DISPLAY not set."); 3109 return -1; 3110 } 3111 /* 3112 * Now we decode the value of the DISPLAY variable and make a 3113 * connection to the real X server. 3114 */ 3115 3116 /* 3117 * Check if it is a unix domain socket. Unix domain displays are in 3118 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 3119 */ 3120 if (strncmp(display, "unix:", 5) == 0 || 3121 display[0] == ':') { 3122 /* Connect to the unix domain socket. */ 3123 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 3124 error("Could not parse display number from DISPLAY: %.100s", 3125 display); 3126 return -1; 3127 } 3128 /* Create a socket. */ 3129 sock = connect_local_xsocket(display_number); 3130 if (sock < 0) 3131 return -1; 3132 3133 /* OK, we now have a connection to the display. */ 3134 return sock; 3135 } 3136 /* 3137 * Connect to an inet socket. The DISPLAY value is supposedly 3138 * hostname:d[.s], where hostname may also be numeric IP address. 3139 */ 3140 strlcpy(buf, display, sizeof(buf)); 3141 cp = strchr(buf, ':'); 3142 if (!cp) { 3143 error("Could not find ':' in DISPLAY: %.100s", display); 3144 return -1; 3145 } 3146 *cp = 0; 3147 /* buf now contains the host name. But first we parse the display number. */ 3148 if (sscanf(cp + 1, "%u", &display_number) != 1) { 3149 error("Could not parse display number from DISPLAY: %.100s", 3150 display); 3151 return -1; 3152 } 3153 3154 /* Look up the host address */ 3155 memset(&hints, 0, sizeof(hints)); 3156 hints.ai_family = IPv4or6; 3157 hints.ai_socktype = SOCK_STREAM; 3158 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 3159 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 3160 error("%.100s: unknown host. (%s)", buf, 3161 ssh_gai_strerror(gaierr)); 3162 return -1; 3163 } 3164 for (ai = aitop; ai; ai = ai->ai_next) { 3165 /* Create a socket. */ 3166 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3167 if (sock < 0) { 3168 debug2("socket: %.100s", strerror(errno)); 3169 continue; 3170 } 3171 /* Connect it to the display. */ 3172 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3173 debug2("connect %.100s port %u: %.100s", buf, 3174 6000 + display_number, strerror(errno)); 3175 close(sock); 3176 continue; 3177 } 3178 /* Success */ 3179 break; 3180 } 3181 freeaddrinfo(aitop); 3182 if (!ai) { 3183 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 3184 strerror(errno)); 3185 return -1; 3186 } 3187 set_nodelay(sock); 3188 return sock; 3189 } 3190 3191 /* 3192 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 3193 * the remote channel number. We should do whatever we want, and respond 3194 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 3195 */ 3196 3197 /* ARGSUSED */ 3198 void 3199 x11_input_open(int type, u_int32_t seq, void *ctxt) 3200 { 3201 Channel *c = NULL; 3202 int remote_id, sock = 0; 3203 char *remote_host; 3204 3205 debug("Received X11 open request."); 3206 3207 remote_id = packet_get_int(); 3208 3209 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 3210 remote_host = packet_get_string(NULL); 3211 } else { 3212 remote_host = xstrdup("unknown (remote did not supply name)"); 3213 } 3214 packet_check_eom(); 3215 3216 /* Obtain a connection to the real X display. */ 3217 sock = x11_connect_display(); 3218 if (sock != -1) { 3219 /* Allocate a channel for this connection. */ 3220 c = channel_new("connected x11 socket", 3221 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 3222 remote_host, 1); 3223 c->remote_id = remote_id; 3224 c->force_drain = 1; 3225 } 3226 xfree(remote_host); 3227 if (c == NULL) { 3228 /* Send refusal to the remote host. */ 3229 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3230 packet_put_int(remote_id); 3231 } else { 3232 /* Send a confirmation to the remote host. */ 3233 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 3234 packet_put_int(remote_id); 3235 packet_put_int(c->self); 3236 } 3237 packet_send(); 3238 } 3239 3240 /* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 3241 /* ARGSUSED */ 3242 void 3243 deny_input_open(int type, u_int32_t seq, void *ctxt) 3244 { 3245 int rchan = packet_get_int(); 3246 3247 switch (type) { 3248 case SSH_SMSG_AGENT_OPEN: 3249 error("Warning: ssh server tried agent forwarding."); 3250 break; 3251 case SSH_SMSG_X11_OPEN: 3252 error("Warning: ssh server tried X11 forwarding."); 3253 break; 3254 default: 3255 error("deny_input_open: type %d", type); 3256 break; 3257 } 3258 error("Warning: this is probably a break-in attempt by a malicious server."); 3259 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3260 packet_put_int(rchan); 3261 packet_send(); 3262 } 3263 3264 /* 3265 * Requests forwarding of X11 connections, generates fake authentication 3266 * data, and enables authentication spoofing. 3267 * This should be called in the client only. 3268 */ 3269 void 3270 x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 3271 const char *proto, const char *data) 3272 { 3273 u_int data_len = (u_int) strlen(data) / 2; 3274 u_int i, value; 3275 char *new_data; 3276 int screen_number; 3277 const char *cp; 3278 u_int32_t rnd = 0; 3279 3280 if (x11_saved_display == NULL) 3281 x11_saved_display = xstrdup(disp); 3282 else if (strcmp(disp, x11_saved_display) != 0) { 3283 error("x11_request_forwarding_with_spoofing: different " 3284 "$DISPLAY already forwarded"); 3285 return; 3286 } 3287 3288 cp = strchr(disp, ':'); 3289 if (cp) 3290 cp = strchr(cp, '.'); 3291 if (cp) 3292 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 3293 else 3294 screen_number = 0; 3295 3296 if (x11_saved_proto == NULL) { 3297 /* Save protocol name. */ 3298 x11_saved_proto = xstrdup(proto); 3299 /* 3300 * Extract real authentication data and generate fake data 3301 * of the same length. 3302 */ 3303 x11_saved_data = xmalloc(data_len); 3304 x11_fake_data = xmalloc(data_len); 3305 for (i = 0; i < data_len; i++) { 3306 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3307 fatal("x11_request_forwarding: bad " 3308 "authentication data: %.100s", data); 3309 if (i % 4 == 0) 3310 rnd = arc4random(); 3311 x11_saved_data[i] = value; 3312 x11_fake_data[i] = rnd & 0xff; 3313 rnd >>= 8; 3314 } 3315 x11_saved_data_len = data_len; 3316 x11_fake_data_len = data_len; 3317 } 3318 3319 /* Convert the fake data into hex. */ 3320 new_data = tohex(x11_fake_data, data_len); 3321 3322 /* Send the request packet. */ 3323 if (compat20) { 3324 channel_request_start(client_session_id, "x11-req", 0); 3325 packet_put_char(0); /* XXX bool single connection */ 3326 } else { 3327 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 3328 } 3329 packet_put_cstring(proto); 3330 packet_put_cstring(new_data); 3331 packet_put_int(screen_number); 3332 packet_send(); 3333 packet_write_wait(); 3334 xfree(new_data); 3335 } 3336 3337 3338 /* -- agent forwarding */ 3339 3340 /* Sends a message to the server to request authentication fd forwarding. */ 3341 3342 void 3343 auth_request_forwarding(void) 3344 { 3345 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 3346 packet_send(); 3347 packet_write_wait(); 3348 } 3349