1 /* 2 * 3 * channels.c 4 * 5 * Author: Tatu Ylonen <ylo@cs.hut.fi> 6 * 7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 8 * All rights reserved 9 * 10 * Created: Fri Mar 24 16:35:24 1995 ylo 11 * 12 * This file contains functions for generic socket connection forwarding. 13 * There is also code for initiating connection forwarding for X11 connections, 14 * arbitrary tcp/ip connections, and the authentication agent connection. 15 * 16 */ 17 18 #include "includes.h" 19 RCSID("$Id: channels.c,v 1.38 2000/01/24 20:37:29 markus Exp $"); 20 21 #include "ssh.h" 22 #include "packet.h" 23 #include "xmalloc.h" 24 #include "buffer.h" 25 #include "authfd.h" 26 #include "uidswap.h" 27 #include "readconf.h" 28 #include "servconf.h" 29 30 #include "channels.h" 31 #include "nchan.h" 32 #include "compat.h" 33 34 /* Maximum number of fake X11 displays to try. */ 35 #define MAX_DISPLAYS 1000 36 37 /* Max len of agent socket */ 38 #define MAX_SOCKET_NAME 100 39 40 /* 41 * Pointer to an array containing all allocated channels. The array is 42 * dynamically extended as needed. 43 */ 44 static Channel *channels = NULL; 45 46 /* 47 * Size of the channel array. All slots of the array must always be 48 * initialized (at least the type field); unused slots are marked with type 49 * SSH_CHANNEL_FREE. 50 */ 51 static int channels_alloc = 0; 52 53 /* 54 * Maximum file descriptor value used in any of the channels. This is 55 * updated in channel_allocate. 56 */ 57 static int channel_max_fd_value = 0; 58 59 /* Name and directory of socket for authentication agent forwarding. */ 60 static char *channel_forwarded_auth_socket_name = NULL; 61 static char *channel_forwarded_auth_socket_dir = NULL; 62 63 /* Saved X11 authentication protocol name. */ 64 char *x11_saved_proto = NULL; 65 66 /* Saved X11 authentication data. This is the real data. */ 67 char *x11_saved_data = NULL; 68 unsigned int x11_saved_data_len = 0; 69 70 /* 71 * Fake X11 authentication data. This is what the server will be sending us; 72 * we should replace any occurrences of this by the real data. 73 */ 74 char *x11_fake_data = NULL; 75 unsigned int x11_fake_data_len; 76 77 /* 78 * Data structure for storing which hosts are permitted for forward requests. 79 * The local sides of any remote forwards are stored in this array to prevent 80 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 81 * network (which might be behind a firewall). 82 */ 83 typedef struct { 84 char *host; /* Host name. */ 85 u_short port; /* Port number. */ 86 } ForwardPermission; 87 88 /* List of all permitted host/port pairs to connect. */ 89 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; 90 /* Number of permitted host/port pairs in the array. */ 91 static int num_permitted_opens = 0; 92 /* 93 * If this is true, all opens are permitted. This is the case on the server 94 * on which we have to trust the client anyway, and the user could do 95 * anything after logging in anyway. 96 */ 97 static int all_opens_permitted = 0; 98 99 /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */ 100 static int have_hostname_in_open = 0; 101 102 /* Sets specific protocol options. */ 103 104 void 105 channel_set_options(int hostname_in_open) 106 { 107 have_hostname_in_open = hostname_in_open; 108 } 109 110 /* 111 * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually 112 * called by the server, because the user could connect to any port anyway, 113 * and the server has no way to know but to trust the client anyway. 114 */ 115 116 void 117 channel_permit_all_opens() 118 { 119 all_opens_permitted = 1; 120 } 121 122 /* 123 * Allocate a new channel object and set its type and socket. This will cause 124 * remote_name to be freed. 125 */ 126 127 int 128 channel_allocate(int type, int sock, char *remote_name) 129 { 130 int i, found; 131 Channel *c; 132 133 /* Update the maximum file descriptor value. */ 134 if (sock > channel_max_fd_value) 135 channel_max_fd_value = sock; 136 /* XXX set close-on-exec -markus */ 137 138 /* Do initial allocation if this is the first call. */ 139 if (channels_alloc == 0) { 140 channels_alloc = 10; 141 channels = xmalloc(channels_alloc * sizeof(Channel)); 142 for (i = 0; i < channels_alloc; i++) 143 channels[i].type = SSH_CHANNEL_FREE; 144 /* 145 * Kludge: arrange a call to channel_stop_listening if we 146 * terminate with fatal(). 147 */ 148 fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL); 149 } 150 /* Try to find a free slot where to put the new channel. */ 151 for (found = -1, i = 0; i < channels_alloc; i++) 152 if (channels[i].type == SSH_CHANNEL_FREE) { 153 /* Found a free slot. */ 154 found = i; 155 break; 156 } 157 if (found == -1) { 158 /* There are no free slots. Take last+1 slot and expand the array. */ 159 found = channels_alloc; 160 channels_alloc += 10; 161 debug("channel: expanding %d", channels_alloc); 162 channels = xrealloc(channels, channels_alloc * sizeof(Channel)); 163 for (i = found; i < channels_alloc; i++) 164 channels[i].type = SSH_CHANNEL_FREE; 165 } 166 /* Initialize and return new channel number. */ 167 c = &channels[found]; 168 buffer_init(&c->input); 169 buffer_init(&c->output); 170 chan_init_iostates(c); 171 c->self = found; 172 c->type = type; 173 c->sock = sock; 174 c->remote_id = -1; 175 c->remote_name = remote_name; 176 debug("channel %d: new [%s]", found, remote_name); 177 return found; 178 } 179 180 /* Free the channel and close its socket. */ 181 182 void 183 channel_free(int channel) 184 { 185 if (channel < 0 || channel >= channels_alloc || 186 channels[channel].type == SSH_CHANNEL_FREE) 187 packet_disconnect("channel free: bad local channel %d", channel); 188 189 if (compat13) 190 shutdown(channels[channel].sock, SHUT_RDWR); 191 close(channels[channel].sock); 192 buffer_free(&channels[channel].input); 193 buffer_free(&channels[channel].output); 194 channels[channel].type = SSH_CHANNEL_FREE; 195 if (channels[channel].remote_name) { 196 xfree(channels[channel].remote_name); 197 channels[channel].remote_name = NULL; 198 } 199 } 200 201 /* 202 * This is called just before select() to add any bits relevant to channels 203 * in the select bitmasks. 204 */ 205 206 void 207 channel_prepare_select(fd_set * readset, fd_set * writeset) 208 { 209 int i; 210 Channel *ch; 211 unsigned char *ucp; 212 unsigned int proto_len, data_len; 213 214 for (i = 0; i < channels_alloc; i++) { 215 ch = &channels[i]; 216 redo: 217 switch (ch->type) { 218 case SSH_CHANNEL_X11_LISTENER: 219 case SSH_CHANNEL_PORT_LISTENER: 220 case SSH_CHANNEL_AUTH_SOCKET: 221 FD_SET(ch->sock, readset); 222 break; 223 224 case SSH_CHANNEL_OPEN: 225 if (compat13) { 226 if (buffer_len(&ch->input) < packet_get_maxsize()) 227 FD_SET(ch->sock, readset); 228 if (buffer_len(&ch->output) > 0) 229 FD_SET(ch->sock, writeset); 230 break; 231 } 232 /* test whether sockets are 'alive' for read/write */ 233 if (ch->istate == CHAN_INPUT_OPEN) 234 if (buffer_len(&ch->input) < packet_get_maxsize()) 235 FD_SET(ch->sock, readset); 236 if (ch->ostate == CHAN_OUTPUT_OPEN || 237 ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 238 if (buffer_len(&ch->output) > 0) { 239 FD_SET(ch->sock, writeset); 240 } else if (ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 241 chan_obuf_empty(ch); 242 } 243 } 244 break; 245 246 case SSH_CHANNEL_INPUT_DRAINING: 247 if (!compat13) 248 fatal("cannot happen: IN_DRAIN"); 249 if (buffer_len(&ch->input) == 0) { 250 packet_start(SSH_MSG_CHANNEL_CLOSE); 251 packet_put_int(ch->remote_id); 252 packet_send(); 253 ch->type = SSH_CHANNEL_CLOSED; 254 debug("Closing channel %d after input drain.", ch->self); 255 break; 256 } 257 break; 258 259 case SSH_CHANNEL_OUTPUT_DRAINING: 260 if (!compat13) 261 fatal("cannot happen: OUT_DRAIN"); 262 if (buffer_len(&ch->output) == 0) { 263 channel_free(i); 264 break; 265 } 266 FD_SET(ch->sock, writeset); 267 break; 268 269 case SSH_CHANNEL_X11_OPEN: 270 /* 271 * This is a special state for X11 authentication 272 * spoofing. An opened X11 connection (when 273 * authentication spoofing is being done) remains in 274 * this state until the first packet has been 275 * completely read. The authentication data in that 276 * packet is then substituted by the real data if it 277 * matches the fake data, and the channel is put into 278 * normal mode. 279 */ 280 /* Check if the fixed size part of the packet is in buffer. */ 281 if (buffer_len(&ch->output) < 12) 282 break; 283 284 /* Parse the lengths of variable-length fields. */ 285 ucp = (unsigned char *) buffer_ptr(&ch->output); 286 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 287 proto_len = 256 * ucp[6] + ucp[7]; 288 data_len = 256 * ucp[8] + ucp[9]; 289 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 290 proto_len = ucp[6] + 256 * ucp[7]; 291 data_len = ucp[8] + 256 * ucp[9]; 292 } else { 293 debug("Initial X11 packet contains bad byte order byte: 0x%x", 294 ucp[0]); 295 ch->type = SSH_CHANNEL_OPEN; 296 goto reject; 297 } 298 299 /* Check if the whole packet is in buffer. */ 300 if (buffer_len(&ch->output) < 301 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 302 break; 303 304 /* Check if authentication protocol matches. */ 305 if (proto_len != strlen(x11_saved_proto) || 306 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 307 debug("X11 connection uses different authentication protocol."); 308 ch->type = SSH_CHANNEL_OPEN; 309 goto reject; 310 } 311 /* Check if authentication data matches our fake data. */ 312 if (data_len != x11_fake_data_len || 313 memcmp(ucp + 12 + ((proto_len + 3) & ~3), 314 x11_fake_data, x11_fake_data_len) != 0) { 315 debug("X11 auth data does not match fake data."); 316 ch->type = SSH_CHANNEL_OPEN; 317 goto reject; 318 } 319 /* Check fake data length */ 320 if (x11_fake_data_len != x11_saved_data_len) { 321 error("X11 fake_data_len %d != saved_data_len %d", 322 x11_fake_data_len, x11_saved_data_len); 323 ch->type = SSH_CHANNEL_OPEN; 324 goto reject; 325 } 326 /* 327 * Received authentication protocol and data match 328 * our fake data. Substitute the fake data with real 329 * data. 330 */ 331 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 332 x11_saved_data, x11_saved_data_len); 333 334 /* Start normal processing for the channel. */ 335 ch->type = SSH_CHANNEL_OPEN; 336 goto redo; 337 338 reject: 339 /* 340 * We have received an X11 connection that has bad 341 * authentication information. 342 */ 343 log("X11 connection rejected because of wrong authentication.\r\n"); 344 buffer_clear(&ch->input); 345 buffer_clear(&ch->output); 346 if (compat13) { 347 close(ch->sock); 348 ch->sock = -1; 349 ch->type = SSH_CHANNEL_CLOSED; 350 packet_start(SSH_MSG_CHANNEL_CLOSE); 351 packet_put_int(ch->remote_id); 352 packet_send(); 353 } else { 354 debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate); 355 chan_read_failed(ch); 356 chan_write_failed(ch); 357 debug("X11 rejected %d i%d/o%d", ch->self, ch->istate, ch->ostate); 358 } 359 break; 360 361 case SSH_CHANNEL_FREE: 362 default: 363 continue; 364 } 365 } 366 } 367 368 /* 369 * After select, perform any appropriate operations for channels which have 370 * events pending. 371 */ 372 373 void 374 channel_after_select(fd_set * readset, fd_set * writeset) 375 { 376 struct sockaddr addr; 377 int newsock, i, newch, len; 378 socklen_t addrlen; 379 Channel *ch; 380 char buf[16384], *remote_hostname; 381 382 /* Loop over all channels... */ 383 for (i = 0; i < channels_alloc; i++) { 384 ch = &channels[i]; 385 switch (ch->type) { 386 case SSH_CHANNEL_X11_LISTENER: 387 /* This is our fake X11 server socket. */ 388 if (FD_ISSET(ch->sock, readset)) { 389 debug("X11 connection requested."); 390 addrlen = sizeof(addr); 391 newsock = accept(ch->sock, &addr, &addrlen); 392 if (newsock < 0) { 393 error("accept: %.100s", strerror(errno)); 394 break; 395 } 396 remote_hostname = get_remote_hostname(newsock); 397 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 398 remote_hostname, get_peer_port(newsock)); 399 xfree(remote_hostname); 400 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, 401 xstrdup(buf)); 402 packet_start(SSH_SMSG_X11_OPEN); 403 packet_put_int(newch); 404 if (have_hostname_in_open) 405 packet_put_string(buf, strlen(buf)); 406 packet_send(); 407 } 408 break; 409 410 case SSH_CHANNEL_PORT_LISTENER: 411 /* 412 * This socket is listening for connections to a 413 * forwarded TCP/IP port. 414 */ 415 if (FD_ISSET(ch->sock, readset)) { 416 debug("Connection to port %d forwarding to %.100s port %d requested.", 417 ch->listening_port, ch->path, ch->host_port); 418 addrlen = sizeof(addr); 419 newsock = accept(ch->sock, &addr, &addrlen); 420 if (newsock < 0) { 421 error("accept: %.100s", strerror(errno)); 422 break; 423 } 424 remote_hostname = get_remote_hostname(newsock); 425 snprintf(buf, sizeof buf, "listen port %d for %.100s port %d, connect from %.200s port %d", 426 ch->listening_port, ch->path, ch->host_port, 427 remote_hostname, get_peer_port(newsock)); 428 xfree(remote_hostname); 429 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, 430 xstrdup(buf)); 431 packet_start(SSH_MSG_PORT_OPEN); 432 packet_put_int(newch); 433 packet_put_string(ch->path, strlen(ch->path)); 434 packet_put_int(ch->host_port); 435 if (have_hostname_in_open) 436 packet_put_string(buf, strlen(buf)); 437 packet_send(); 438 } 439 break; 440 441 case SSH_CHANNEL_AUTH_SOCKET: 442 /* 443 * This is the authentication agent socket listening 444 * for connections from clients. 445 */ 446 if (FD_ISSET(ch->sock, readset)) { 447 addrlen = sizeof(addr); 448 newsock = accept(ch->sock, &addr, &addrlen); 449 if (newsock < 0) { 450 error("accept from auth socket: %.100s", strerror(errno)); 451 break; 452 } 453 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, 454 xstrdup("accepted auth socket")); 455 packet_start(SSH_SMSG_AGENT_OPEN); 456 packet_put_int(newch); 457 packet_send(); 458 } 459 break; 460 461 case SSH_CHANNEL_OPEN: 462 /* 463 * This is an open two-way communication channel. It 464 * is not of interest to us at this point what kind 465 * of data is being transmitted. 466 */ 467 468 /* 469 * Read available incoming data and append it to 470 * buffer; shutdown socket, if read or write failes 471 */ 472 if (FD_ISSET(ch->sock, readset)) { 473 len = read(ch->sock, buf, sizeof(buf)); 474 if (len <= 0) { 475 if (compat13) { 476 buffer_consume(&ch->output, buffer_len(&ch->output)); 477 ch->type = SSH_CHANNEL_INPUT_DRAINING; 478 debug("Channel %d status set to input draining.", i); 479 } else { 480 chan_read_failed(ch); 481 } 482 break; 483 } 484 buffer_append(&ch->input, buf, len); 485 } 486 /* Send buffered output data to the socket. */ 487 if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) { 488 len = write(ch->sock, buffer_ptr(&ch->output), 489 buffer_len(&ch->output)); 490 if (len <= 0) { 491 if (compat13) { 492 buffer_consume(&ch->output, buffer_len(&ch->output)); 493 debug("Channel %d status set to input draining.", i); 494 ch->type = SSH_CHANNEL_INPUT_DRAINING; 495 } else { 496 chan_write_failed(ch); 497 } 498 break; 499 } 500 buffer_consume(&ch->output, len); 501 } 502 break; 503 504 case SSH_CHANNEL_OUTPUT_DRAINING: 505 if (!compat13) 506 fatal("cannot happen: OUT_DRAIN"); 507 /* Send buffered output data to the socket. */ 508 if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) { 509 len = write(ch->sock, buffer_ptr(&ch->output), 510 buffer_len(&ch->output)); 511 if (len <= 0) 512 buffer_consume(&ch->output, buffer_len(&ch->output)); 513 else 514 buffer_consume(&ch->output, len); 515 } 516 break; 517 518 case SSH_CHANNEL_X11_OPEN: 519 case SSH_CHANNEL_FREE: 520 default: 521 continue; 522 } 523 } 524 } 525 526 /* If there is data to send to the connection, send some of it now. */ 527 528 void 529 channel_output_poll() 530 { 531 int len, i; 532 Channel *ch; 533 534 for (i = 0; i < channels_alloc; i++) { 535 ch = &channels[i]; 536 537 /* We are only interested in channels that can have buffered incoming data. */ 538 if (compat13) { 539 if (ch->type != SSH_CHANNEL_OPEN && 540 ch->type != SSH_CHANNEL_INPUT_DRAINING) 541 continue; 542 } else { 543 if (ch->type != SSH_CHANNEL_OPEN) 544 continue; 545 if (ch->istate != CHAN_INPUT_OPEN && 546 ch->istate != CHAN_INPUT_WAIT_DRAIN) 547 continue; 548 } 549 550 /* Get the amount of buffered data for this channel. */ 551 len = buffer_len(&ch->input); 552 if (len > 0) { 553 /* Send some data for the other side over the secure connection. */ 554 if (packet_is_interactive()) { 555 if (len > 1024) 556 len = 512; 557 } else { 558 /* Keep the packets at reasonable size. */ 559 if (len > packet_get_maxsize()/2) 560 len = packet_get_maxsize()/2; 561 } 562 packet_start(SSH_MSG_CHANNEL_DATA); 563 packet_put_int(ch->remote_id); 564 packet_put_string(buffer_ptr(&ch->input), len); 565 packet_send(); 566 buffer_consume(&ch->input, len); 567 } else if (ch->istate == CHAN_INPUT_WAIT_DRAIN) { 568 if (compat13) 569 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 570 /* 571 * input-buffer is empty and read-socket shutdown: 572 * tell peer, that we will not send more data: send IEOF 573 */ 574 chan_ibuf_empty(ch); 575 } 576 } 577 } 578 579 /* 580 * This is called when a packet of type CHANNEL_DATA has just been received. 581 * The message type has already been consumed, but channel number and data is 582 * still there. 583 */ 584 585 void 586 channel_input_data(int payload_len) 587 { 588 int id; 589 char *data; 590 unsigned int data_len; 591 Channel *ch; 592 593 /* Get the channel number and verify it. */ 594 id = packet_get_int(); 595 if (id < 0 || id >= channels_alloc) 596 packet_disconnect("Received data for nonexistent channel %d.", id); 597 ch = &channels[id]; 598 599 if (ch->type == SSH_CHANNEL_FREE) 600 packet_disconnect("Received data for free channel %d.", ch->self); 601 602 /* Ignore any data for non-open channels (might happen on close) */ 603 if (ch->type != SSH_CHANNEL_OPEN && 604 ch->type != SSH_CHANNEL_X11_OPEN) 605 return; 606 607 /* same for protocol 1.5 if output end is no longer open */ 608 if (!compat13 && ch->ostate != CHAN_OUTPUT_OPEN) 609 return; 610 611 /* Get the data. */ 612 data = packet_get_string(&data_len); 613 packet_integrity_check(payload_len, 4 + 4 + data_len, SSH_MSG_CHANNEL_DATA); 614 buffer_append(&ch->output, data, data_len); 615 xfree(data); 616 } 617 618 /* 619 * Returns true if no channel has too much buffered data, and false if one or 620 * more channel is overfull. 621 */ 622 623 int 624 channel_not_very_much_buffered_data() 625 { 626 unsigned int i; 627 Channel *ch; 628 629 for (i = 0; i < channels_alloc; i++) { 630 ch = &channels[i]; 631 if (ch->type == SSH_CHANNEL_OPEN) { 632 if (buffer_len(&ch->input) > packet_get_maxsize()) 633 return 0; 634 if (buffer_len(&ch->output) > packet_get_maxsize()) 635 return 0; 636 } 637 } 638 return 1; 639 } 640 641 /* This is called after receiving CHANNEL_CLOSE/IEOF. */ 642 643 void 644 channel_input_close() 645 { 646 int channel; 647 648 /* Get the channel number and verify it. */ 649 channel = packet_get_int(); 650 if (channel < 0 || channel >= channels_alloc || 651 channels[channel].type == SSH_CHANNEL_FREE) 652 packet_disconnect("Received data for nonexistent channel %d.", channel); 653 654 if (!compat13) { 655 /* proto version 1.5 overloads CLOSE with IEOF */ 656 chan_rcvd_ieof(&channels[channel]); 657 return; 658 } 659 660 /* 661 * Send a confirmation that we have closed the channel and no more 662 * data is coming for it. 663 */ 664 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 665 packet_put_int(channels[channel].remote_id); 666 packet_send(); 667 668 /* 669 * If the channel is in closed state, we have sent a close request, 670 * and the other side will eventually respond with a confirmation. 671 * Thus, we cannot free the channel here, because then there would be 672 * no-one to receive the confirmation. The channel gets freed when 673 * the confirmation arrives. 674 */ 675 if (channels[channel].type != SSH_CHANNEL_CLOSED) { 676 /* 677 * Not a closed channel - mark it as draining, which will 678 * cause it to be freed later. 679 */ 680 buffer_consume(&channels[channel].input, 681 buffer_len(&channels[channel].input)); 682 channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING; 683 } 684 } 685 686 /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */ 687 688 void 689 channel_input_close_confirmation() 690 { 691 int channel; 692 693 /* Get the channel number and verify it. */ 694 channel = packet_get_int(); 695 if (channel < 0 || channel >= channels_alloc) 696 packet_disconnect("Received close confirmation for out-of-range channel %d.", 697 channel); 698 699 if (!compat13) { 700 /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 701 chan_rcvd_oclose(&channels[channel]); 702 return; 703 } 704 if (channels[channel].type != SSH_CHANNEL_CLOSED) 705 packet_disconnect("Received close confirmation for non-closed channel %d (type %d).", 706 channel, channels[channel].type); 707 708 /* Free the channel. */ 709 channel_free(channel); 710 } 711 712 /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */ 713 714 void 715 channel_input_open_confirmation() 716 { 717 int channel, remote_channel; 718 719 /* Get the channel number and verify it. */ 720 channel = packet_get_int(); 721 if (channel < 0 || channel >= channels_alloc || 722 channels[channel].type != SSH_CHANNEL_OPENING) 723 packet_disconnect("Received open confirmation for non-opening channel %d.", 724 channel); 725 726 /* Get remote side's id for this channel. */ 727 remote_channel = packet_get_int(); 728 729 /* Record the remote channel number and mark that the channel is now open. */ 730 channels[channel].remote_id = remote_channel; 731 channels[channel].type = SSH_CHANNEL_OPEN; 732 } 733 734 /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */ 735 736 void 737 channel_input_open_failure() 738 { 739 int channel; 740 741 /* Get the channel number and verify it. */ 742 channel = packet_get_int(); 743 if (channel < 0 || channel >= channels_alloc || 744 channels[channel].type != SSH_CHANNEL_OPENING) 745 packet_disconnect("Received open failure for non-opening channel %d.", 746 channel); 747 748 /* Free the channel. This will also close the socket. */ 749 channel_free(channel); 750 } 751 752 /* 753 * Stops listening for channels, and removes any unix domain sockets that we 754 * might have. 755 */ 756 757 void 758 channel_stop_listening() 759 { 760 int i; 761 for (i = 0; i < channels_alloc; i++) { 762 switch (channels[i].type) { 763 case SSH_CHANNEL_AUTH_SOCKET: 764 close(channels[i].sock); 765 remove(channels[i].path); 766 channel_free(i); 767 break; 768 case SSH_CHANNEL_PORT_LISTENER: 769 case SSH_CHANNEL_X11_LISTENER: 770 close(channels[i].sock); 771 channel_free(i); 772 break; 773 default: 774 break; 775 } 776 } 777 } 778 779 /* 780 * Closes the sockets of all channels. This is used to close extra file 781 * descriptors after a fork. 782 */ 783 784 void 785 channel_close_all() 786 { 787 int i; 788 for (i = 0; i < channels_alloc; i++) { 789 if (channels[i].type != SSH_CHANNEL_FREE) 790 close(channels[i].sock); 791 } 792 } 793 794 /* Returns the maximum file descriptor number used by the channels. */ 795 796 int 797 channel_max_fd() 798 { 799 return channel_max_fd_value; 800 } 801 802 /* Returns true if any channel is still open. */ 803 804 int 805 channel_still_open() 806 { 807 unsigned int i; 808 for (i = 0; i < channels_alloc; i++) 809 switch (channels[i].type) { 810 case SSH_CHANNEL_FREE: 811 case SSH_CHANNEL_X11_LISTENER: 812 case SSH_CHANNEL_PORT_LISTENER: 813 case SSH_CHANNEL_CLOSED: 814 case SSH_CHANNEL_AUTH_SOCKET: 815 continue; 816 case SSH_CHANNEL_OPENING: 817 case SSH_CHANNEL_OPEN: 818 case SSH_CHANNEL_X11_OPEN: 819 return 1; 820 case SSH_CHANNEL_INPUT_DRAINING: 821 case SSH_CHANNEL_OUTPUT_DRAINING: 822 if (!compat13) 823 fatal("cannot happen: OUT_DRAIN"); 824 return 1; 825 default: 826 fatal("channel_still_open: bad channel type %d", channels[i].type); 827 /* NOTREACHED */ 828 } 829 return 0; 830 } 831 832 /* 833 * Returns a message describing the currently open forwarded connections, 834 * suitable for sending to the client. The message contains crlf pairs for 835 * newlines. 836 */ 837 838 char * 839 channel_open_message() 840 { 841 Buffer buffer; 842 int i; 843 char buf[512], *cp; 844 845 buffer_init(&buffer); 846 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 847 buffer_append(&buffer, buf, strlen(buf)); 848 for (i = 0; i < channels_alloc; i++) { 849 Channel *c = &channels[i]; 850 switch (c->type) { 851 case SSH_CHANNEL_FREE: 852 case SSH_CHANNEL_X11_LISTENER: 853 case SSH_CHANNEL_PORT_LISTENER: 854 case SSH_CHANNEL_CLOSED: 855 case SSH_CHANNEL_AUTH_SOCKET: 856 continue; 857 case SSH_CHANNEL_OPENING: 858 case SSH_CHANNEL_OPEN: 859 case SSH_CHANNEL_X11_OPEN: 860 case SSH_CHANNEL_INPUT_DRAINING: 861 case SSH_CHANNEL_OUTPUT_DRAINING: 862 snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d)\r\n", 863 c->self, c->remote_name, 864 c->type, c->remote_id, 865 c->istate, buffer_len(&c->input), 866 c->ostate, buffer_len(&c->output)); 867 buffer_append(&buffer, buf, strlen(buf)); 868 continue; 869 default: 870 fatal("channel_still_open: bad channel type %d", c->type); 871 /* NOTREACHED */ 872 } 873 } 874 buffer_append(&buffer, "\0", 1); 875 cp = xstrdup(buffer_ptr(&buffer)); 876 buffer_free(&buffer); 877 return cp; 878 } 879 880 /* 881 * Initiate forwarding of connections to local port "port" through the secure 882 * channel to host:port from remote side. 883 */ 884 885 void 886 channel_request_local_forwarding(u_short port, const char *host, 887 u_short host_port, int gateway_ports) 888 { 889 int success, ch, sock, on = 1; 890 struct addrinfo hints, *ai, *aitop; 891 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 892 struct linger linger; 893 894 if (strlen(host) > sizeof(channels[0].path) - 1) 895 packet_disconnect("Forward host name too long."); 896 897 /* 898 * getaddrinfo returns a loopback address if the hostname is 899 * set to NULL and hints.ai_flags is not AI_PASSIVE 900 */ 901 memset(&hints, 0, sizeof(hints)); 902 hints.ai_family = IPv4or6; 903 hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; 904 hints.ai_socktype = SOCK_STREAM; 905 snprintf(strport, sizeof strport, "%d", port); 906 if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) 907 packet_disconnect("getaddrinfo: fatal error"); 908 909 success = 0; 910 for (ai = aitop; ai; ai = ai->ai_next) { 911 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 912 continue; 913 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 914 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 915 error("channel_request_local_forwarding: getnameinfo failed"); 916 continue; 917 } 918 /* Create a port to listen for the host. */ 919 sock = socket(ai->ai_family, SOCK_STREAM, 0); 920 if (sock < 0) { 921 /* this is no error since kernel may not support ipv6 */ 922 verbose("socket: %.100s", strerror(errno)); 923 continue; 924 } 925 /* 926 * Set socket options. We would like the socket to disappear 927 * as soon as it has been closed for whatever reason. 928 */ 929 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on)); 930 linger.l_onoff = 1; 931 linger.l_linger = 5; 932 setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger)); 933 debug("Local forwarding listening on %s port %s.", ntop, strport); 934 935 /* Bind the socket to the address. */ 936 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 937 /* address can be in use ipv6 address is already bound */ 938 verbose("bind: %.100s", strerror(errno)); 939 close(sock); 940 continue; 941 } 942 /* Start listening for connections on the socket. */ 943 if (listen(sock, 5) < 0) { 944 error("listen: %.100s", strerror(errno)); 945 close(sock); 946 continue; 947 } 948 /* Allocate a channel number for the socket. */ 949 ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock, 950 xstrdup("port listener")); 951 strlcpy(channels[ch].path, host, sizeof(channels[ch].path)); 952 channels[ch].host_port = host_port; 953 channels[ch].listening_port = port; 954 success = 1; 955 } 956 if (success == 0) 957 packet_disconnect("cannot listen port: %d", port); 958 freeaddrinfo(aitop); 959 } 960 961 /* 962 * Initiate forwarding of connections to port "port" on remote host through 963 * the secure channel to host:port from local side. 964 */ 965 966 void 967 channel_request_remote_forwarding(u_short port, const char *host, 968 u_short remote_port) 969 { 970 int payload_len; 971 /* Record locally that connection to this host/port is permitted. */ 972 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) 973 fatal("channel_request_remote_forwarding: too many forwards"); 974 975 permitted_opens[num_permitted_opens].host = xstrdup(host); 976 permitted_opens[num_permitted_opens].port = remote_port; 977 num_permitted_opens++; 978 979 /* Send the forward request to the remote side. */ 980 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 981 packet_put_int(port); 982 packet_put_string(host, strlen(host)); 983 packet_put_int(remote_port); 984 packet_send(); 985 packet_write_wait(); 986 987 /* 988 * Wait for response from the remote side. It will send a disconnect 989 * message on failure, and we will never see it here. 990 */ 991 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); 992 } 993 994 /* 995 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 996 * listening for the port, and sends back a success reply (or disconnect 997 * message if there was an error). This never returns if there was an error. 998 */ 999 1000 void 1001 channel_input_port_forward_request(int is_root) 1002 { 1003 u_short port, host_port; 1004 char *hostname; 1005 1006 /* Get arguments from the packet. */ 1007 port = packet_get_int(); 1008 hostname = packet_get_string(NULL); 1009 host_port = packet_get_int(); 1010 1011 /* 1012 * Check that an unprivileged user is not trying to forward a 1013 * privileged port. 1014 */ 1015 if (port < IPPORT_RESERVED && !is_root) 1016 packet_disconnect("Requested forwarding of port %d but user is not root.", 1017 port); 1018 /* 1019 * Initiate forwarding, 1020 * bind port to localhost only (gateway ports == 0). 1021 */ 1022 channel_request_local_forwarding(port, hostname, host_port, 0); 1023 1024 /* Free the argument string. */ 1025 xfree(hostname); 1026 } 1027 1028 /* 1029 * This is called after receiving PORT_OPEN message. This attempts to 1030 * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION 1031 * or CHANNEL_OPEN_FAILURE. 1032 */ 1033 1034 void 1035 channel_input_port_open(int payload_len) 1036 { 1037 int remote_channel, sock = 0, newch, i; 1038 u_short host_port; 1039 char *host, *originator_string; 1040 int host_len, originator_len; 1041 struct addrinfo hints, *ai, *aitop; 1042 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 1043 int gaierr; 1044 1045 /* Get remote channel number. */ 1046 remote_channel = packet_get_int(); 1047 1048 /* Get host name to connect to. */ 1049 host = packet_get_string(&host_len); 1050 1051 /* Get port to connect to. */ 1052 host_port = packet_get_int(); 1053 1054 /* Get remote originator name. */ 1055 if (have_hostname_in_open) { 1056 originator_string = packet_get_string(&originator_len); 1057 originator_len += 4; /* size of packet_int */ 1058 } else { 1059 originator_string = xstrdup("unknown (remote did not supply name)"); 1060 originator_len = 0; /* no originator supplied */ 1061 } 1062 1063 packet_integrity_check(payload_len, 1064 4 + 4 + host_len + 4 + originator_len, 1065 SSH_MSG_PORT_OPEN); 1066 1067 /* Check if opening that port is permitted. */ 1068 if (!all_opens_permitted) { 1069 /* Go trough all permitted ports. */ 1070 for (i = 0; i < num_permitted_opens; i++) 1071 if (permitted_opens[i].port == host_port && 1072 strcmp(permitted_opens[i].host, host) == 0) 1073 break; 1074 1075 /* Check if we found the requested port among those permitted. */ 1076 if (i >= num_permitted_opens) { 1077 /* The port is not permitted. */ 1078 log("Received request to connect to %.100s:%d, but the request was denied.", 1079 host, host_port); 1080 goto fail; 1081 } 1082 } 1083 1084 memset(&hints, 0, sizeof(hints)); 1085 hints.ai_family = IPv4or6; 1086 hints.ai_socktype = SOCK_STREAM; 1087 snprintf(strport, sizeof strport, "%d", host_port); 1088 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) { 1089 error("%.100s: unknown host (%s)", host, gai_strerror(gaierr)); 1090 goto fail; 1091 } 1092 1093 for (ai = aitop; ai; ai = ai->ai_next) { 1094 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1095 continue; 1096 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 1097 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 1098 error("channel_input_port_open: getnameinfo failed"); 1099 continue; 1100 } 1101 /* Create the socket. */ 1102 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1103 if (sock < 0) { 1104 error("socket: %.100s", strerror(errno)); 1105 continue; 1106 } 1107 /* Connect to the host/port. */ 1108 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1109 error("connect %.100s port %s: %.100s", ntop, strport, 1110 strerror(errno)); 1111 close(sock); 1112 continue; /* fail -- try next */ 1113 } 1114 break; /* success */ 1115 1116 } 1117 freeaddrinfo(aitop); 1118 1119 if (!ai) { 1120 error("connect %.100s port %d: failed.", host, host_port); 1121 goto fail; 1122 } 1123 1124 /* Successful connection. */ 1125 1126 /* Allocate a channel for this connection. */ 1127 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string); 1128 channels[newch].remote_id = remote_channel; 1129 1130 /* Send a confirmation to the remote host. */ 1131 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1132 packet_put_int(remote_channel); 1133 packet_put_int(newch); 1134 packet_send(); 1135 1136 /* Free the argument string. */ 1137 xfree(host); 1138 1139 return; 1140 1141 fail: 1142 /* Free the argument string. */ 1143 xfree(host); 1144 1145 /* Send refusal to the remote host. */ 1146 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1147 packet_put_int(remote_channel); 1148 packet_send(); 1149 } 1150 1151 /* 1152 * Creates an internet domain socket for listening for X11 connections. 1153 * Returns a suitable value for the DISPLAY variable, or NULL if an error 1154 * occurs. 1155 */ 1156 1157 #define NUM_SOCKS 10 1158 1159 char * 1160 x11_create_display_inet(int screen_number, int x11_display_offset) 1161 { 1162 int display_number, sock; 1163 u_short port; 1164 struct addrinfo hints, *ai, *aitop; 1165 char strport[NI_MAXSERV]; 1166 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 1167 char display[512]; 1168 char hostname[MAXHOSTNAMELEN]; 1169 1170 for (display_number = x11_display_offset; 1171 display_number < MAX_DISPLAYS; 1172 display_number++) { 1173 port = 6000 + display_number; 1174 memset(&hints, 0, sizeof(hints)); 1175 hints.ai_family = IPv4or6; 1176 hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */ 1177 hints.ai_socktype = SOCK_STREAM; 1178 snprintf(strport, sizeof strport, "%d", port); 1179 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 1180 error("getaddrinfo: %.100s", gai_strerror(gaierr)); 1181 return NULL; 1182 } 1183 for (ai = aitop; ai; ai = ai->ai_next) { 1184 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 1185 continue; 1186 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1187 if (sock < 0) { 1188 error("socket: %.100s", strerror(errno)); 1189 return NULL; 1190 } 1191 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1192 debug("bind port %d: %.100s", port, strerror(errno)); 1193 shutdown(sock, SHUT_RDWR); 1194 close(sock); 1195 for (n = 0; n < num_socks; n++) { 1196 shutdown(socks[n], SHUT_RDWR); 1197 close(socks[n]); 1198 } 1199 num_socks = 0; 1200 break; 1201 } 1202 socks[num_socks++] = sock; 1203 if (num_socks == NUM_SOCKS) 1204 break; 1205 } 1206 if (num_socks > 0) 1207 break; 1208 } 1209 if (display_number >= MAX_DISPLAYS) { 1210 error("Failed to allocate internet-domain X11 display socket."); 1211 return NULL; 1212 } 1213 /* Start listening for connections on the socket. */ 1214 for (n = 0; n < num_socks; n++) { 1215 sock = socks[n]; 1216 if (listen(sock, 5) < 0) { 1217 error("listen: %.100s", strerror(errno)); 1218 shutdown(sock, SHUT_RDWR); 1219 close(sock); 1220 return NULL; 1221 } 1222 } 1223 1224 /* Set up a suitable value for the DISPLAY variable. */ 1225 if (gethostname(hostname, sizeof(hostname)) < 0) 1226 fatal("gethostname: %.100s", strerror(errno)); 1227 snprintf(display, sizeof display, "%.400s:%d.%d", hostname, 1228 display_number, screen_number); 1229 1230 /* Allocate a channel for each socket. */ 1231 for (n = 0; n < num_socks; n++) { 1232 sock = socks[n]; 1233 (void) channel_allocate(SSH_CHANNEL_X11_LISTENER, sock, 1234 xstrdup("X11 inet listener")); 1235 } 1236 1237 /* Return a suitable value for the DISPLAY environment variable. */ 1238 return xstrdup(display); 1239 } 1240 1241 #ifndef X_UNIX_PATH 1242 #define X_UNIX_PATH "/tmp/.X11-unix/X" 1243 #endif 1244 1245 static 1246 int 1247 connect_local_xsocket(unsigned int dnr) 1248 { 1249 static const char *const x_sockets[] = { 1250 X_UNIX_PATH "%u", 1251 "/var/X/.X11-unix/X" "%u", 1252 "/usr/spool/sockets/X11/" "%u", 1253 NULL 1254 }; 1255 int sock; 1256 struct sockaddr_un addr; 1257 const char *const * path; 1258 1259 for (path = x_sockets; *path; ++path) { 1260 sock = socket(AF_UNIX, SOCK_STREAM, 0); 1261 if (sock < 0) 1262 error("socket: %.100s", strerror(errno)); 1263 memset(&addr, 0, sizeof(addr)); 1264 addr.sun_family = AF_UNIX; 1265 snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr); 1266 if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0) 1267 return sock; 1268 close(sock); 1269 } 1270 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 1271 return -1; 1272 } 1273 1274 1275 /* 1276 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 1277 * the remote channel number. We should do whatever we want, and respond 1278 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 1279 */ 1280 1281 void 1282 x11_input_open(int payload_len) 1283 { 1284 int remote_channel, display_number, sock = 0, newch; 1285 const char *display; 1286 char buf[1024], *cp, *remote_host; 1287 int remote_len; 1288 struct addrinfo hints, *ai, *aitop; 1289 char strport[NI_MAXSERV]; 1290 int gaierr; 1291 1292 /* Get remote channel number. */ 1293 remote_channel = packet_get_int(); 1294 1295 /* Get remote originator name. */ 1296 if (have_hostname_in_open) { 1297 remote_host = packet_get_string(&remote_len); 1298 remote_len += 4; 1299 } else { 1300 remote_host = xstrdup("unknown (remote did not supply name)"); 1301 remote_len = 0; 1302 } 1303 1304 debug("Received X11 open request."); 1305 packet_integrity_check(payload_len, 4 + remote_len, SSH_SMSG_X11_OPEN); 1306 1307 /* Try to open a socket for the local X server. */ 1308 display = getenv("DISPLAY"); 1309 if (!display) { 1310 error("DISPLAY not set."); 1311 goto fail; 1312 } 1313 /* 1314 * Now we decode the value of the DISPLAY variable and make a 1315 * connection to the real X server. 1316 */ 1317 1318 /* 1319 * Check if it is a unix domain socket. Unix domain displays are in 1320 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 1321 */ 1322 if (strncmp(display, "unix:", 5) == 0 || 1323 display[0] == ':') { 1324 /* Connect to the unix domain socket. */ 1325 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) { 1326 error("Could not parse display number from DISPLAY: %.100s", 1327 display); 1328 goto fail; 1329 } 1330 /* Create a socket. */ 1331 sock = connect_local_xsocket(display_number); 1332 if (sock < 0) 1333 goto fail; 1334 1335 /* OK, we now have a connection to the display. */ 1336 goto success; 1337 } 1338 /* 1339 * Connect to an inet socket. The DISPLAY value is supposedly 1340 * hostname:d[.s], where hostname may also be numeric IP address. 1341 */ 1342 strncpy(buf, display, sizeof(buf)); 1343 buf[sizeof(buf) - 1] = 0; 1344 cp = strchr(buf, ':'); 1345 if (!cp) { 1346 error("Could not find ':' in DISPLAY: %.100s", display); 1347 goto fail; 1348 } 1349 *cp = 0; 1350 /* buf now contains the host name. But first we parse the display number. */ 1351 if (sscanf(cp + 1, "%d", &display_number) != 1) { 1352 error("Could not parse display number from DISPLAY: %.100s", 1353 display); 1354 goto fail; 1355 } 1356 1357 /* Look up the host address */ 1358 memset(&hints, 0, sizeof(hints)); 1359 hints.ai_family = IPv4or6; 1360 hints.ai_socktype = SOCK_STREAM; 1361 snprintf(strport, sizeof strport, "%d", 6000 + display_number); 1362 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 1363 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); 1364 goto fail; 1365 } 1366 for (ai = aitop; ai; ai = ai->ai_next) { 1367 /* Create a socket. */ 1368 sock = socket(ai->ai_family, SOCK_STREAM, 0); 1369 if (sock < 0) { 1370 debug("socket: %.100s", strerror(errno)); 1371 continue; 1372 } 1373 /* Connect it to the display. */ 1374 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 1375 debug("connect %.100s port %d: %.100s", buf, 6000 + display_number, 1376 strerror(errno)); 1377 close(sock); 1378 continue; 1379 } 1380 /* Success */ 1381 break; 1382 1383 } /* (ai = aitop, ai; ai = ai->ai_next) */ 1384 freeaddrinfo(aitop); 1385 if (!ai) { 1386 error("connect %.100s port %d: %.100s", buf, 6000 + display_number, 1387 strerror(errno)); 1388 goto fail; 1389 } 1390 success: 1391 /* We have successfully obtained a connection to the real X display. */ 1392 1393 /* Allocate a channel for this connection. */ 1394 if (x11_saved_proto == NULL) 1395 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host); 1396 else 1397 newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host); 1398 channels[newch].remote_id = remote_channel; 1399 1400 /* Send a confirmation to the remote host. */ 1401 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1402 packet_put_int(remote_channel); 1403 packet_put_int(newch); 1404 packet_send(); 1405 1406 return; 1407 1408 fail: 1409 /* Send refusal to the remote host. */ 1410 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1411 packet_put_int(remote_channel); 1412 packet_send(); 1413 } 1414 1415 /* 1416 * Requests forwarding of X11 connections, generates fake authentication 1417 * data, and enables authentication spoofing. 1418 */ 1419 1420 void 1421 x11_request_forwarding_with_spoofing(const char *proto, const char *data) 1422 { 1423 unsigned int data_len = (unsigned int) strlen(data) / 2; 1424 unsigned int i, value; 1425 char *new_data; 1426 int screen_number; 1427 const char *cp; 1428 u_int32_t rand = 0; 1429 1430 cp = getenv("DISPLAY"); 1431 if (cp) 1432 cp = strchr(cp, ':'); 1433 if (cp) 1434 cp = strchr(cp, '.'); 1435 if (cp) 1436 screen_number = atoi(cp + 1); 1437 else 1438 screen_number = 0; 1439 1440 /* Save protocol name. */ 1441 x11_saved_proto = xstrdup(proto); 1442 1443 /* 1444 * Extract real authentication data and generate fake data of the 1445 * same length. 1446 */ 1447 x11_saved_data = xmalloc(data_len); 1448 x11_fake_data = xmalloc(data_len); 1449 for (i = 0; i < data_len; i++) { 1450 if (sscanf(data + 2 * i, "%2x", &value) != 1) 1451 fatal("x11_request_forwarding: bad authentication data: %.100s", data); 1452 if (i % 4 == 0) 1453 rand = arc4random(); 1454 x11_saved_data[i] = value; 1455 x11_fake_data[i] = rand & 0xff; 1456 rand >>= 8; 1457 } 1458 x11_saved_data_len = data_len; 1459 x11_fake_data_len = data_len; 1460 1461 /* Convert the fake data into hex. */ 1462 new_data = xmalloc(2 * data_len + 1); 1463 for (i = 0; i < data_len; i++) 1464 sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]); 1465 1466 /* Send the request packet. */ 1467 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 1468 packet_put_string(proto, strlen(proto)); 1469 packet_put_string(new_data, strlen(new_data)); 1470 packet_put_int(screen_number); 1471 packet_send(); 1472 packet_write_wait(); 1473 xfree(new_data); 1474 } 1475 1476 /* Sends a message to the server to request authentication fd forwarding. */ 1477 1478 void 1479 auth_request_forwarding() 1480 { 1481 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 1482 packet_send(); 1483 packet_write_wait(); 1484 } 1485 1486 /* 1487 * Returns the name of the forwarded authentication socket. Returns NULL if 1488 * there is no forwarded authentication socket. The returned value points to 1489 * a static buffer. 1490 */ 1491 1492 char * 1493 auth_get_socket_name() 1494 { 1495 return channel_forwarded_auth_socket_name; 1496 } 1497 1498 /* removes the agent forwarding socket */ 1499 1500 void 1501 cleanup_socket(void) 1502 { 1503 remove(channel_forwarded_auth_socket_name); 1504 rmdir(channel_forwarded_auth_socket_dir); 1505 } 1506 1507 /* 1508 * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. 1509 * This starts forwarding authentication requests. 1510 */ 1511 1512 void 1513 auth_input_request_forwarding(struct passwd * pw) 1514 { 1515 int sock, newch; 1516 struct sockaddr_un sunaddr; 1517 1518 if (auth_get_socket_name() != NULL) 1519 fatal("Protocol error: authentication forwarding requested twice."); 1520 1521 /* Temporarily drop privileged uid for mkdir/bind. */ 1522 temporarily_use_uid(pw->pw_uid); 1523 1524 /* Allocate a buffer for the socket name, and format the name. */ 1525 channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME); 1526 channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME); 1527 strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); 1528 1529 /* Create private directory for socket */ 1530 if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) 1531 packet_disconnect("mkdtemp: %.100s", strerror(errno)); 1532 snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", 1533 channel_forwarded_auth_socket_dir, (int) getpid()); 1534 1535 if (atexit(cleanup_socket) < 0) { 1536 int saved = errno; 1537 cleanup_socket(); 1538 packet_disconnect("socket: %.100s", strerror(saved)); 1539 } 1540 /* Create the socket. */ 1541 sock = socket(AF_UNIX, SOCK_STREAM, 0); 1542 if (sock < 0) 1543 packet_disconnect("socket: %.100s", strerror(errno)); 1544 1545 /* Bind it to the name. */ 1546 memset(&sunaddr, 0, sizeof(sunaddr)); 1547 sunaddr.sun_family = AF_UNIX; 1548 strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name, 1549 sizeof(sunaddr.sun_path)); 1550 1551 if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0) 1552 packet_disconnect("bind: %.100s", strerror(errno)); 1553 1554 /* Restore the privileged uid. */ 1555 restore_uid(); 1556 1557 /* Start listening on the socket. */ 1558 if (listen(sock, 5) < 0) 1559 packet_disconnect("listen: %.100s", strerror(errno)); 1560 1561 /* Allocate a channel for the authentication agent socket. */ 1562 newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock, 1563 xstrdup("auth socket")); 1564 strlcpy(channels[newch].path, channel_forwarded_auth_socket_name, 1565 sizeof(channels[newch].path)); 1566 } 1567 1568 /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ 1569 1570 void 1571 auth_input_open_request() 1572 { 1573 int remch, sock, newch; 1574 char *dummyname; 1575 1576 /* Read the remote channel number from the message. */ 1577 remch = packet_get_int(); 1578 1579 /* 1580 * Get a connection to the local authentication agent (this may again 1581 * get forwarded). 1582 */ 1583 sock = ssh_get_authentication_socket(); 1584 1585 /* 1586 * If we could not connect the agent, send an error message back to 1587 * the server. This should never happen unless the agent dies, 1588 * because authentication forwarding is only enabled if we have an 1589 * agent. 1590 */ 1591 if (sock < 0) { 1592 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1593 packet_put_int(remch); 1594 packet_send(); 1595 return; 1596 } 1597 debug("Forwarding authentication connection."); 1598 1599 /* 1600 * Dummy host name. This will be freed when the channel is freed; it 1601 * will still be valid in the packet_put_string below since the 1602 * channel cannot yet be freed at that point. 1603 */ 1604 dummyname = xstrdup("authentication agent connection"); 1605 1606 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname); 1607 channels[newch].remote_id = remch; 1608 1609 /* Send a confirmation to the remote host. */ 1610 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1611 packet_put_int(remch); 1612 packet_put_int(newch); 1613 packet_send(); 1614 } 1615