1 /* $OpenBSD: serverloop.c,v 1.153 2008/06/30 12:15:39 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * Server main loop for handling the interactive session. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 * 14 * SSH2 support by Markus Friedl. 15 * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38 #include "includes.h" 39 40 #include <sys/types.h> 41 #include <sys/param.h> 42 #include <sys/wait.h> 43 #include <sys/socket.h> 44 #ifdef HAVE_SYS_TIME_H 45 # include <sys/time.h> 46 #endif 47 48 #include <netinet/in.h> 49 50 #include <errno.h> 51 #include <fcntl.h> 52 #include <pwd.h> 53 #include <signal.h> 54 #include <string.h> 55 #include <termios.h> 56 #include <unistd.h> 57 #include <stdarg.h> 58 59 #include "openbsd-compat/sys-queue.h" 60 #include "xmalloc.h" 61 #include "packet.h" 62 #include "buffer.h" 63 #include "log.h" 64 #include "servconf.h" 65 #include "canohost.h" 66 #include "sshpty.h" 67 #include "channels.h" 68 #include "compat.h" 69 #include "ssh1.h" 70 #include "ssh2.h" 71 #include "key.h" 72 #include "cipher.h" 73 #include "kex.h" 74 #include "hostfile.h" 75 #include "auth.h" 76 #include "session.h" 77 #include "dispatch.h" 78 #include "auth-options.h" 79 #include "serverloop.h" 80 #include "misc.h" 81 82 extern ServerOptions options; 83 84 /* XXX */ 85 extern Kex *xxx_kex; 86 extern Authctxt *the_authctxt; 87 extern int use_privsep; 88 89 static Buffer stdin_buffer; /* Buffer for stdin data. */ 90 static Buffer stdout_buffer; /* Buffer for stdout data. */ 91 static Buffer stderr_buffer; /* Buffer for stderr data. */ 92 static int fdin; /* Descriptor for stdin (for writing) */ 93 static int fdout; /* Descriptor for stdout (for reading); 94 May be same number as fdin. */ 95 static int fderr; /* Descriptor for stderr. May be -1. */ 96 static long stdin_bytes = 0; /* Number of bytes written to stdin. */ 97 static long stdout_bytes = 0; /* Number of stdout bytes sent to client. */ 98 static long stderr_bytes = 0; /* Number of stderr bytes sent to client. */ 99 static long fdout_bytes = 0; /* Number of stdout bytes read from program. */ 100 static int stdin_eof = 0; /* EOF message received from client. */ 101 static int fdout_eof = 0; /* EOF encountered reading from fdout. */ 102 static int fderr_eof = 0; /* EOF encountered readung from fderr. */ 103 static int fdin_is_tty = 0; /* fdin points to a tty. */ 104 static int connection_in; /* Connection to client (input). */ 105 static int connection_out; /* Connection to client (output). */ 106 static int connection_closed = 0; /* Connection to client closed. */ 107 static u_int buffer_high; /* "Soft" max buffer size. */ 108 static int no_more_sessions = 0; /* Disallow further sessions. */ 109 110 /* 111 * This SIGCHLD kludge is used to detect when the child exits. The server 112 * will exit after that, as soon as forwarded connections have terminated. 113 */ 114 115 static volatile sig_atomic_t child_terminated = 0; /* The child has terminated. */ 116 117 /* Cleanup on signals (!use_privsep case only) */ 118 static volatile sig_atomic_t received_sigterm = 0; 119 120 /* prototypes */ 121 static void server_init_dispatch(void); 122 123 /* 124 * we write to this pipe if a SIGCHLD is caught in order to avoid 125 * the race between select() and child_terminated 126 */ 127 static int notify_pipe[2]; 128 static void 129 notify_setup(void) 130 { 131 if (pipe(notify_pipe) < 0) { 132 error("pipe(notify_pipe) failed %s", strerror(errno)); 133 } else if ((fcntl(notify_pipe[0], F_SETFD, 1) == -1) || 134 (fcntl(notify_pipe[1], F_SETFD, 1) == -1)) { 135 error("fcntl(notify_pipe, F_SETFD) failed %s", strerror(errno)); 136 close(notify_pipe[0]); 137 close(notify_pipe[1]); 138 } else { 139 set_nonblock(notify_pipe[0]); 140 set_nonblock(notify_pipe[1]); 141 return; 142 } 143 notify_pipe[0] = -1; /* read end */ 144 notify_pipe[1] = -1; /* write end */ 145 } 146 static void 147 notify_parent(void) 148 { 149 if (notify_pipe[1] != -1) 150 write(notify_pipe[1], "", 1); 151 } 152 static void 153 notify_prepare(fd_set *readset) 154 { 155 if (notify_pipe[0] != -1) 156 FD_SET(notify_pipe[0], readset); 157 } 158 static void 159 notify_done(fd_set *readset) 160 { 161 char c; 162 163 if (notify_pipe[0] != -1 && FD_ISSET(notify_pipe[0], readset)) 164 while (read(notify_pipe[0], &c, 1) != -1) 165 debug2("notify_done: reading"); 166 } 167 168 /*ARGSUSED*/ 169 static void 170 sigchld_handler(int sig) 171 { 172 int save_errno = errno; 173 child_terminated = 1; 174 #ifndef _UNICOS 175 mysignal(SIGCHLD, sigchld_handler); 176 #endif 177 notify_parent(); 178 errno = save_errno; 179 } 180 181 /*ARGSUSED*/ 182 static void 183 sigterm_handler(int sig) 184 { 185 received_sigterm = sig; 186 } 187 188 /* 189 * Make packets from buffered stderr data, and buffer it for sending 190 * to the client. 191 */ 192 static void 193 make_packets_from_stderr_data(void) 194 { 195 u_int len; 196 197 /* Send buffered stderr data to the client. */ 198 while (buffer_len(&stderr_buffer) > 0 && 199 packet_not_very_much_data_to_write()) { 200 len = buffer_len(&stderr_buffer); 201 if (packet_is_interactive()) { 202 if (len > 512) 203 len = 512; 204 } else { 205 /* Keep the packets at reasonable size. */ 206 if (len > packet_get_maxsize()) 207 len = packet_get_maxsize(); 208 } 209 packet_start(SSH_SMSG_STDERR_DATA); 210 packet_put_string(buffer_ptr(&stderr_buffer), len); 211 packet_send(); 212 buffer_consume(&stderr_buffer, len); 213 stderr_bytes += len; 214 } 215 } 216 217 /* 218 * Make packets from buffered stdout data, and buffer it for sending to the 219 * client. 220 */ 221 static void 222 make_packets_from_stdout_data(void) 223 { 224 u_int len; 225 226 /* Send buffered stdout data to the client. */ 227 while (buffer_len(&stdout_buffer) > 0 && 228 packet_not_very_much_data_to_write()) { 229 len = buffer_len(&stdout_buffer); 230 if (packet_is_interactive()) { 231 if (len > 512) 232 len = 512; 233 } else { 234 /* Keep the packets at reasonable size. */ 235 if (len > packet_get_maxsize()) 236 len = packet_get_maxsize(); 237 } 238 packet_start(SSH_SMSG_STDOUT_DATA); 239 packet_put_string(buffer_ptr(&stdout_buffer), len); 240 packet_send(); 241 buffer_consume(&stdout_buffer, len); 242 stdout_bytes += len; 243 } 244 } 245 246 static void 247 client_alive_check(void) 248 { 249 int channel_id; 250 251 /* timeout, check to see how many we have had */ 252 if (++keep_alive_timeouts > options.client_alive_count_max) { 253 logit("Timeout, client not responding."); 254 cleanup_exit(255); 255 } 256 257 /* 258 * send a bogus global/channel request with "wantreply", 259 * we should get back a failure 260 */ 261 if ((channel_id = channel_find_open()) == -1) { 262 packet_start(SSH2_MSG_GLOBAL_REQUEST); 263 packet_put_cstring("keepalive@openssh.com"); 264 packet_put_char(1); /* boolean: want reply */ 265 } else { 266 channel_request_start(channel_id, "keepalive@openssh.com", 1); 267 } 268 packet_send(); 269 } 270 271 /* 272 * Sleep in select() until we can do something. This will initialize the 273 * select masks. Upon return, the masks will indicate which descriptors 274 * have data or can accept data. Optionally, a maximum time can be specified 275 * for the duration of the wait (0 = infinite). 276 */ 277 static void 278 wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 279 u_int *nallocp, u_int max_time_milliseconds) 280 { 281 struct timeval tv, *tvp; 282 int ret; 283 int client_alive_scheduled = 0; 284 int program_alive_scheduled = 0; 285 286 /* 287 * if using client_alive, set the max timeout accordingly, 288 * and indicate that this particular timeout was for client 289 * alive by setting the client_alive_scheduled flag. 290 * 291 * this could be randomized somewhat to make traffic 292 * analysis more difficult, but we're not doing it yet. 293 */ 294 if (compat20 && 295 max_time_milliseconds == 0 && options.client_alive_interval) { 296 client_alive_scheduled = 1; 297 max_time_milliseconds = options.client_alive_interval * 1000; 298 } 299 300 /* Allocate and update select() masks for channel descriptors. */ 301 channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, 0); 302 303 if (compat20) { 304 #if 0 305 /* wrong: bad condition XXX */ 306 if (channel_not_very_much_buffered_data()) 307 #endif 308 FD_SET(connection_in, *readsetp); 309 } else { 310 /* 311 * Read packets from the client unless we have too much 312 * buffered stdin or channel data. 313 */ 314 if (buffer_len(&stdin_buffer) < buffer_high && 315 channel_not_very_much_buffered_data()) 316 FD_SET(connection_in, *readsetp); 317 /* 318 * If there is not too much data already buffered going to 319 * the client, try to get some more data from the program. 320 */ 321 if (packet_not_very_much_data_to_write()) { 322 program_alive_scheduled = child_terminated; 323 if (!fdout_eof) 324 FD_SET(fdout, *readsetp); 325 if (!fderr_eof) 326 FD_SET(fderr, *readsetp); 327 } 328 /* 329 * If we have buffered data, try to write some of that data 330 * to the program. 331 */ 332 if (fdin != -1 && buffer_len(&stdin_buffer) > 0) 333 FD_SET(fdin, *writesetp); 334 } 335 notify_prepare(*readsetp); 336 337 /* 338 * If we have buffered packet data going to the client, mark that 339 * descriptor. 340 */ 341 if (packet_have_data_to_write()) 342 FD_SET(connection_out, *writesetp); 343 344 /* 345 * If child has terminated and there is enough buffer space to read 346 * from it, then read as much as is available and exit. 347 */ 348 if (child_terminated && packet_not_very_much_data_to_write()) 349 if (max_time_milliseconds == 0 || client_alive_scheduled) 350 max_time_milliseconds = 100; 351 352 if (max_time_milliseconds == 0) 353 tvp = NULL; 354 else { 355 tv.tv_sec = max_time_milliseconds / 1000; 356 tv.tv_usec = 1000 * (max_time_milliseconds % 1000); 357 tvp = &tv; 358 } 359 360 /* Wait for something to happen, or the timeout to expire. */ 361 ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); 362 363 if (ret == -1) { 364 memset(*readsetp, 0, *nallocp); 365 memset(*writesetp, 0, *nallocp); 366 if (errno != EINTR) 367 error("select: %.100s", strerror(errno)); 368 } else { 369 if (ret == 0 && client_alive_scheduled) 370 client_alive_check(); 371 if (!compat20 && program_alive_scheduled && fdin_is_tty) { 372 if (!fdout_eof) 373 FD_SET(fdout, *readsetp); 374 if (!fderr_eof) 375 FD_SET(fderr, *readsetp); 376 } 377 } 378 379 notify_done(*readsetp); 380 } 381 382 /* 383 * Processes input from the client and the program. Input data is stored 384 * in buffers and processed later. 385 */ 386 static void 387 process_input(fd_set *readset) 388 { 389 int len; 390 char buf[16384]; 391 392 /* Read and buffer any input data from the client. */ 393 if (FD_ISSET(connection_in, readset)) { 394 len = read(connection_in, buf, sizeof(buf)); 395 if (len == 0) { 396 verbose("Connection closed by %.100s", 397 get_remote_ipaddr()); 398 connection_closed = 1; 399 if (compat20) 400 return; 401 cleanup_exit(255); 402 } else if (len < 0) { 403 if (errno != EINTR && errno != EAGAIN && 404 errno != EWOULDBLOCK) { 405 verbose("Read error from remote host " 406 "%.100s: %.100s", 407 get_remote_ipaddr(), strerror(errno)); 408 cleanup_exit(255); 409 } 410 } else { 411 /* Buffer any received data. */ 412 packet_process_incoming(buf, len); 413 } 414 } 415 if (compat20) 416 return; 417 418 /* Read and buffer any available stdout data from the program. */ 419 if (!fdout_eof && FD_ISSET(fdout, readset)) { 420 errno = 0; 421 len = read(fdout, buf, sizeof(buf)); 422 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 423 errno == EWOULDBLOCK) && !child_terminated))) { 424 /* do nothing */ 425 #ifndef PTY_ZEROREAD 426 } else if (len <= 0) { 427 #else 428 } else if ((!isatty(fdout) && len <= 0) || 429 (isatty(fdout) && (len < 0 || (len == 0 && errno != 0)))) { 430 #endif 431 fdout_eof = 1; 432 } else { 433 buffer_append(&stdout_buffer, buf, len); 434 fdout_bytes += len; 435 } 436 } 437 /* Read and buffer any available stderr data from the program. */ 438 if (!fderr_eof && FD_ISSET(fderr, readset)) { 439 errno = 0; 440 len = read(fderr, buf, sizeof(buf)); 441 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 442 errno == EWOULDBLOCK) && !child_terminated))) { 443 /* do nothing */ 444 #ifndef PTY_ZEROREAD 445 } else if (len <= 0) { 446 #else 447 } else if ((!isatty(fderr) && len <= 0) || 448 (isatty(fderr) && (len < 0 || (len == 0 && errno != 0)))) { 449 #endif 450 fderr_eof = 1; 451 } else { 452 buffer_append(&stderr_buffer, buf, len); 453 } 454 } 455 } 456 457 /* 458 * Sends data from internal buffers to client program stdin. 459 */ 460 static void 461 process_output(fd_set *writeset) 462 { 463 struct termios tio; 464 u_char *data; 465 u_int dlen; 466 int len; 467 468 /* Write buffered data to program stdin. */ 469 if (!compat20 && fdin != -1 && FD_ISSET(fdin, writeset)) { 470 data = buffer_ptr(&stdin_buffer); 471 dlen = buffer_len(&stdin_buffer); 472 len = write(fdin, data, dlen); 473 if (len < 0 && 474 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) { 475 /* do nothing */ 476 } else if (len <= 0) { 477 if (fdin != fdout) 478 close(fdin); 479 else 480 shutdown(fdin, SHUT_WR); /* We will no longer send. */ 481 fdin = -1; 482 } else { 483 /* Successful write. */ 484 if (fdin_is_tty && dlen >= 1 && data[0] != '\r' && 485 tcgetattr(fdin, &tio) == 0 && 486 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 487 /* 488 * Simulate echo to reduce the impact of 489 * traffic analysis 490 */ 491 packet_send_ignore(len); 492 packet_send(); 493 } 494 /* Consume the data from the buffer. */ 495 buffer_consume(&stdin_buffer, len); 496 /* Update the count of bytes written to the program. */ 497 stdin_bytes += len; 498 } 499 } 500 /* Send any buffered packet data to the client. */ 501 if (FD_ISSET(connection_out, writeset)) 502 packet_write_poll(); 503 } 504 505 /* 506 * Wait until all buffered output has been sent to the client. 507 * This is used when the program terminates. 508 */ 509 static void 510 drain_output(void) 511 { 512 /* Send any buffered stdout data to the client. */ 513 if (buffer_len(&stdout_buffer) > 0) { 514 packet_start(SSH_SMSG_STDOUT_DATA); 515 packet_put_string(buffer_ptr(&stdout_buffer), 516 buffer_len(&stdout_buffer)); 517 packet_send(); 518 /* Update the count of sent bytes. */ 519 stdout_bytes += buffer_len(&stdout_buffer); 520 } 521 /* Send any buffered stderr data to the client. */ 522 if (buffer_len(&stderr_buffer) > 0) { 523 packet_start(SSH_SMSG_STDERR_DATA); 524 packet_put_string(buffer_ptr(&stderr_buffer), 525 buffer_len(&stderr_buffer)); 526 packet_send(); 527 /* Update the count of sent bytes. */ 528 stderr_bytes += buffer_len(&stderr_buffer); 529 } 530 /* Wait until all buffered data has been written to the client. */ 531 packet_write_wait(); 532 } 533 534 static void 535 process_buffered_input_packets(void) 536 { 537 dispatch_run(DISPATCH_NONBLOCK, NULL, compat20 ? xxx_kex : NULL); 538 } 539 540 /* 541 * Performs the interactive session. This handles data transmission between 542 * the client and the program. Note that the notion of stdin, stdout, and 543 * stderr in this function is sort of reversed: this function writes to 544 * stdin (of the child program), and reads from stdout and stderr (of the 545 * child program). 546 */ 547 void 548 server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg) 549 { 550 fd_set *readset = NULL, *writeset = NULL; 551 int max_fd = 0; 552 u_int nalloc = 0; 553 int wait_status; /* Status returned by wait(). */ 554 pid_t wait_pid; /* pid returned by wait(). */ 555 int waiting_termination = 0; /* Have displayed waiting close message. */ 556 u_int max_time_milliseconds; 557 u_int previous_stdout_buffer_bytes; 558 u_int stdout_buffer_bytes; 559 int type; 560 561 debug("Entering interactive session."); 562 563 /* Initialize the SIGCHLD kludge. */ 564 child_terminated = 0; 565 mysignal(SIGCHLD, sigchld_handler); 566 567 if (!use_privsep) { 568 signal(SIGTERM, sigterm_handler); 569 signal(SIGINT, sigterm_handler); 570 signal(SIGQUIT, sigterm_handler); 571 } 572 573 /* Initialize our global variables. */ 574 fdin = fdin_arg; 575 fdout = fdout_arg; 576 fderr = fderr_arg; 577 578 /* nonblocking IO */ 579 set_nonblock(fdin); 580 set_nonblock(fdout); 581 /* we don't have stderr for interactive terminal sessions, see below */ 582 if (fderr != -1) 583 set_nonblock(fderr); 584 585 if (!(datafellows & SSH_BUG_IGNOREMSG) && isatty(fdin)) 586 fdin_is_tty = 1; 587 588 connection_in = packet_get_connection_in(); 589 connection_out = packet_get_connection_out(); 590 591 notify_setup(); 592 593 previous_stdout_buffer_bytes = 0; 594 595 /* Set approximate I/O buffer size. */ 596 if (packet_is_interactive()) 597 buffer_high = 4096; 598 else 599 buffer_high = 64 * 1024; 600 601 #if 0 602 /* Initialize max_fd to the maximum of the known file descriptors. */ 603 max_fd = MAX(connection_in, connection_out); 604 max_fd = MAX(max_fd, fdin); 605 max_fd = MAX(max_fd, fdout); 606 if (fderr != -1) 607 max_fd = MAX(max_fd, fderr); 608 #endif 609 610 /* Initialize Initialize buffers. */ 611 buffer_init(&stdin_buffer); 612 buffer_init(&stdout_buffer); 613 buffer_init(&stderr_buffer); 614 615 /* 616 * If we have no separate fderr (which is the case when we have a pty 617 * - there we cannot make difference between data sent to stdout and 618 * stderr), indicate that we have seen an EOF from stderr. This way 619 * we don't need to check the descriptor everywhere. 620 */ 621 if (fderr == -1) 622 fderr_eof = 1; 623 624 server_init_dispatch(); 625 626 /* Main loop of the server for the interactive session mode. */ 627 for (;;) { 628 629 /* Process buffered packets from the client. */ 630 process_buffered_input_packets(); 631 632 /* 633 * If we have received eof, and there is no more pending 634 * input data, cause a real eof by closing fdin. 635 */ 636 if (stdin_eof && fdin != -1 && buffer_len(&stdin_buffer) == 0) { 637 if (fdin != fdout) 638 close(fdin); 639 else 640 shutdown(fdin, SHUT_WR); /* We will no longer send. */ 641 fdin = -1; 642 } 643 /* Make packets from buffered stderr data to send to the client. */ 644 make_packets_from_stderr_data(); 645 646 /* 647 * Make packets from buffered stdout data to send to the 648 * client. If there is very little to send, this arranges to 649 * not send them now, but to wait a short while to see if we 650 * are getting more data. This is necessary, as some systems 651 * wake up readers from a pty after each separate character. 652 */ 653 max_time_milliseconds = 0; 654 stdout_buffer_bytes = buffer_len(&stdout_buffer); 655 if (stdout_buffer_bytes != 0 && stdout_buffer_bytes < 256 && 656 stdout_buffer_bytes != previous_stdout_buffer_bytes) { 657 /* try again after a while */ 658 max_time_milliseconds = 10; 659 } else { 660 /* Send it now. */ 661 make_packets_from_stdout_data(); 662 } 663 previous_stdout_buffer_bytes = buffer_len(&stdout_buffer); 664 665 /* Send channel data to the client. */ 666 if (packet_not_very_much_data_to_write()) 667 channel_output_poll(); 668 669 /* 670 * Bail out of the loop if the program has closed its output 671 * descriptors, and we have no more data to send to the 672 * client, and there is no pending buffered data. 673 */ 674 if (fdout_eof && fderr_eof && !packet_have_data_to_write() && 675 buffer_len(&stdout_buffer) == 0 && buffer_len(&stderr_buffer) == 0) { 676 if (!channel_still_open()) 677 break; 678 if (!waiting_termination) { 679 const char *s = "Waiting for forwarded connections to terminate...\r\n"; 680 char *cp; 681 waiting_termination = 1; 682 buffer_append(&stderr_buffer, s, strlen(s)); 683 684 /* Display list of open channels. */ 685 cp = channel_open_message(); 686 buffer_append(&stderr_buffer, cp, strlen(cp)); 687 xfree(cp); 688 } 689 } 690 max_fd = MAX(connection_in, connection_out); 691 max_fd = MAX(max_fd, fdin); 692 max_fd = MAX(max_fd, fdout); 693 max_fd = MAX(max_fd, fderr); 694 max_fd = MAX(max_fd, notify_pipe[0]); 695 696 /* Sleep in select() until we can do something. */ 697 wait_until_can_do_something(&readset, &writeset, &max_fd, 698 &nalloc, max_time_milliseconds); 699 700 if (received_sigterm) { 701 logit("Exiting on signal %d", received_sigterm); 702 /* Clean up sessions, utmp, etc. */ 703 cleanup_exit(255); 704 } 705 706 /* Process any channel events. */ 707 channel_after_select(readset, writeset); 708 709 /* Process input from the client and from program stdout/stderr. */ 710 process_input(readset); 711 712 /* Process output to the client and to program stdin. */ 713 process_output(writeset); 714 } 715 if (readset) 716 xfree(readset); 717 if (writeset) 718 xfree(writeset); 719 720 /* Cleanup and termination code. */ 721 722 /* Wait until all output has been sent to the client. */ 723 drain_output(); 724 725 debug("End of interactive session; stdin %ld, stdout (read %ld, sent %ld), stderr %ld bytes.", 726 stdin_bytes, fdout_bytes, stdout_bytes, stderr_bytes); 727 728 /* Free and clear the buffers. */ 729 buffer_free(&stdin_buffer); 730 buffer_free(&stdout_buffer); 731 buffer_free(&stderr_buffer); 732 733 /* Close the file descriptors. */ 734 if (fdout != -1) 735 close(fdout); 736 fdout = -1; 737 fdout_eof = 1; 738 if (fderr != -1) 739 close(fderr); 740 fderr = -1; 741 fderr_eof = 1; 742 if (fdin != -1) 743 close(fdin); 744 fdin = -1; 745 746 channel_free_all(); 747 748 /* We no longer want our SIGCHLD handler to be called. */ 749 mysignal(SIGCHLD, SIG_DFL); 750 751 while ((wait_pid = waitpid(-1, &wait_status, 0)) < 0) 752 if (errno != EINTR) 753 packet_disconnect("wait: %.100s", strerror(errno)); 754 if (wait_pid != pid) 755 error("Strange, wait returned pid %ld, expected %ld", 756 (long)wait_pid, (long)pid); 757 758 /* Check if it exited normally. */ 759 if (WIFEXITED(wait_status)) { 760 /* Yes, normal exit. Get exit status and send it to the client. */ 761 debug("Command exited with status %d.", WEXITSTATUS(wait_status)); 762 packet_start(SSH_SMSG_EXITSTATUS); 763 packet_put_int(WEXITSTATUS(wait_status)); 764 packet_send(); 765 packet_write_wait(); 766 767 /* 768 * Wait for exit confirmation. Note that there might be 769 * other packets coming before it; however, the program has 770 * already died so we just ignore them. The client is 771 * supposed to respond with the confirmation when it receives 772 * the exit status. 773 */ 774 do { 775 type = packet_read(); 776 } 777 while (type != SSH_CMSG_EXIT_CONFIRMATION); 778 779 debug("Received exit confirmation."); 780 return; 781 } 782 /* Check if the program terminated due to a signal. */ 783 if (WIFSIGNALED(wait_status)) 784 packet_disconnect("Command terminated on signal %d.", 785 WTERMSIG(wait_status)); 786 787 /* Some weird exit cause. Just exit. */ 788 packet_disconnect("wait returned status %04x.", wait_status); 789 /* NOTREACHED */ 790 } 791 792 static void 793 collect_children(void) 794 { 795 pid_t pid; 796 sigset_t oset, nset; 797 int status; 798 799 /* block SIGCHLD while we check for dead children */ 800 sigemptyset(&nset); 801 sigaddset(&nset, SIGCHLD); 802 sigprocmask(SIG_BLOCK, &nset, &oset); 803 if (child_terminated) { 804 debug("Received SIGCHLD."); 805 while ((pid = waitpid(-1, &status, WNOHANG)) > 0 || 806 (pid < 0 && errno == EINTR)) 807 if (pid > 0) 808 session_close_by_pid(pid, status); 809 child_terminated = 0; 810 } 811 sigprocmask(SIG_SETMASK, &oset, NULL); 812 } 813 814 void 815 server_loop2(Authctxt *authctxt) 816 { 817 fd_set *readset = NULL, *writeset = NULL; 818 int rekeying = 0, max_fd, nalloc = 0; 819 820 debug("Entering interactive session for SSH2."); 821 822 mysignal(SIGCHLD, sigchld_handler); 823 child_terminated = 0; 824 connection_in = packet_get_connection_in(); 825 connection_out = packet_get_connection_out(); 826 827 if (!use_privsep) { 828 signal(SIGTERM, sigterm_handler); 829 signal(SIGINT, sigterm_handler); 830 signal(SIGQUIT, sigterm_handler); 831 } 832 833 notify_setup(); 834 835 max_fd = MAX(connection_in, connection_out); 836 max_fd = MAX(max_fd, notify_pipe[0]); 837 838 server_init_dispatch(); 839 840 for (;;) { 841 process_buffered_input_packets(); 842 843 rekeying = (xxx_kex != NULL && !xxx_kex->done); 844 845 if (!rekeying && packet_not_very_much_data_to_write()) 846 channel_output_poll(); 847 wait_until_can_do_something(&readset, &writeset, &max_fd, 848 &nalloc, 0); 849 850 if (received_sigterm) { 851 logit("Exiting on signal %d", received_sigterm); 852 /* Clean up sessions, utmp, etc. */ 853 cleanup_exit(255); 854 } 855 856 collect_children(); 857 if (!rekeying) { 858 channel_after_select(readset, writeset); 859 if (packet_need_rekeying()) { 860 debug("need rekeying"); 861 xxx_kex->done = 0; 862 kex_send_kexinit(xxx_kex); 863 } 864 } 865 process_input(readset); 866 if (connection_closed) 867 break; 868 process_output(writeset); 869 } 870 collect_children(); 871 872 if (readset) 873 xfree(readset); 874 if (writeset) 875 xfree(writeset); 876 877 /* free all channels, no more reads and writes */ 878 channel_free_all(); 879 880 /* free remaining sessions, e.g. remove wtmp entries */ 881 session_destroy_all(NULL); 882 } 883 884 static void 885 server_input_keep_alive(int type, u_int32_t seq, void *ctxt) 886 { 887 debug("Got %d/%u for keepalive", type, seq); 888 /* 889 * reset timeout, since we got a sane answer from the client. 890 * even if this was generated by something other than 891 * the bogus CHANNEL_REQUEST we send for keepalives. 892 */ 893 keep_alive_timeouts = 0; 894 } 895 896 static void 897 server_input_stdin_data(int type, u_int32_t seq, void *ctxt) 898 { 899 char *data; 900 u_int data_len; 901 902 /* Stdin data from the client. Append it to the buffer. */ 903 /* Ignore any data if the client has closed stdin. */ 904 if (fdin == -1) 905 return; 906 data = packet_get_string(&data_len); 907 packet_check_eom(); 908 buffer_append(&stdin_buffer, data, data_len); 909 memset(data, 0, data_len); 910 xfree(data); 911 } 912 913 static void 914 server_input_eof(int type, u_int32_t seq, void *ctxt) 915 { 916 /* 917 * Eof from the client. The stdin descriptor to the 918 * program will be closed when all buffered data has 919 * drained. 920 */ 921 debug("EOF received for stdin."); 922 packet_check_eom(); 923 stdin_eof = 1; 924 } 925 926 static void 927 server_input_window_size(int type, u_int32_t seq, void *ctxt) 928 { 929 u_int row = packet_get_int(); 930 u_int col = packet_get_int(); 931 u_int xpixel = packet_get_int(); 932 u_int ypixel = packet_get_int(); 933 934 debug("Window change received."); 935 packet_check_eom(); 936 if (fdin != -1) 937 pty_change_window_size(fdin, row, col, xpixel, ypixel); 938 } 939 940 static Channel * 941 server_request_direct_tcpip(void) 942 { 943 Channel *c; 944 char *target, *originator; 945 int target_port, originator_port; 946 947 target = packet_get_string(NULL); 948 target_port = packet_get_int(); 949 originator = packet_get_string(NULL); 950 originator_port = packet_get_int(); 951 packet_check_eom(); 952 953 debug("server_request_direct_tcpip: originator %s port %d, target %s " 954 "port %d", originator, originator_port, target, target_port); 955 956 /* XXX check permission */ 957 c = channel_connect_to(target, target_port, 958 "direct-tcpip", "direct-tcpip"); 959 960 xfree(originator); 961 xfree(target); 962 963 return c; 964 } 965 966 static Channel * 967 server_request_tun(void) 968 { 969 Channel *c = NULL; 970 int mode, tun; 971 int sock; 972 973 mode = packet_get_int(); 974 switch (mode) { 975 case SSH_TUNMODE_POINTOPOINT: 976 case SSH_TUNMODE_ETHERNET: 977 break; 978 default: 979 packet_send_debug("Unsupported tunnel device mode."); 980 return NULL; 981 } 982 if ((options.permit_tun & mode) == 0) { 983 packet_send_debug("Server has rejected tunnel device " 984 "forwarding"); 985 return NULL; 986 } 987 988 tun = packet_get_int(); 989 if (forced_tun_device != -1) { 990 if (tun != SSH_TUNID_ANY && forced_tun_device != tun) 991 goto done; 992 tun = forced_tun_device; 993 } 994 sock = tun_open(tun, mode); 995 if (sock < 0) 996 goto done; 997 c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1, 998 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1); 999 c->datagram = 1; 1000 #if defined(SSH_TUN_FILTER) 1001 if (mode == SSH_TUNMODE_POINTOPOINT) 1002 channel_register_filter(c->self, sys_tun_infilter, 1003 sys_tun_outfilter, NULL, NULL); 1004 #endif 1005 1006 done: 1007 if (c == NULL) 1008 packet_send_debug("Failed to open the tunnel device."); 1009 return c; 1010 } 1011 1012 static Channel * 1013 server_request_session(void) 1014 { 1015 Channel *c; 1016 1017 debug("input_session_request"); 1018 packet_check_eom(); 1019 1020 if (no_more_sessions) { 1021 packet_disconnect("Possible attack: attempt to open a session " 1022 "after additional sessions disabled"); 1023 } 1024 1025 /* 1026 * A server session has no fd to read or write until a 1027 * CHANNEL_REQUEST for a shell is made, so we set the type to 1028 * SSH_CHANNEL_LARVAL. Additionally, a callback for handling all 1029 * CHANNEL_REQUEST messages is registered. 1030 */ 1031 c = channel_new("session", SSH_CHANNEL_LARVAL, 1032 -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 1033 0, "server-session", 1); 1034 if (session_open(the_authctxt, c->self) != 1) { 1035 debug("session open failed, free channel %d", c->self); 1036 channel_free(c); 1037 return NULL; 1038 } 1039 channel_register_cleanup(c->self, session_close_by_channel, 0); 1040 return c; 1041 } 1042 1043 static void 1044 server_input_channel_open(int type, u_int32_t seq, void *ctxt) 1045 { 1046 Channel *c = NULL; 1047 char *ctype; 1048 int rchan; 1049 u_int rmaxpack, rwindow, len; 1050 1051 ctype = packet_get_string(&len); 1052 rchan = packet_get_int(); 1053 rwindow = packet_get_int(); 1054 rmaxpack = packet_get_int(); 1055 1056 debug("server_input_channel_open: ctype %s rchan %d win %d max %d", 1057 ctype, rchan, rwindow, rmaxpack); 1058 1059 if (strcmp(ctype, "session") == 0) { 1060 c = server_request_session(); 1061 } else if (strcmp(ctype, "direct-tcpip") == 0) { 1062 c = server_request_direct_tcpip(); 1063 } else if (strcmp(ctype, "tun@openssh.com") == 0) { 1064 c = server_request_tun(); 1065 } 1066 if (c != NULL) { 1067 debug("server_input_channel_open: confirm %s", ctype); 1068 c->remote_id = rchan; 1069 c->remote_window = rwindow; 1070 c->remote_maxpacket = rmaxpack; 1071 if (c->type != SSH_CHANNEL_CONNECTING) { 1072 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1073 packet_put_int(c->remote_id); 1074 packet_put_int(c->self); 1075 packet_put_int(c->local_window); 1076 packet_put_int(c->local_maxpacket); 1077 packet_send(); 1078 } 1079 } else { 1080 debug("server_input_channel_open: failure %s", ctype); 1081 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1082 packet_put_int(rchan); 1083 packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); 1084 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1085 packet_put_cstring("open failed"); 1086 packet_put_cstring(""); 1087 } 1088 packet_send(); 1089 } 1090 xfree(ctype); 1091 } 1092 1093 static void 1094 server_input_global_request(int type, u_int32_t seq, void *ctxt) 1095 { 1096 char *rtype; 1097 int want_reply; 1098 int success = 0; 1099 1100 rtype = packet_get_string(NULL); 1101 want_reply = packet_get_char(); 1102 debug("server_input_global_request: rtype %s want_reply %d", rtype, want_reply); 1103 1104 /* -R style forwarding */ 1105 if (strcmp(rtype, "tcpip-forward") == 0) { 1106 struct passwd *pw; 1107 char *listen_address; 1108 u_short listen_port; 1109 1110 pw = the_authctxt->pw; 1111 if (pw == NULL || !the_authctxt->valid) 1112 fatal("server_input_global_request: no/invalid user"); 1113 listen_address = packet_get_string(NULL); 1114 listen_port = (u_short)packet_get_int(); 1115 debug("server_input_global_request: tcpip-forward listen %s port %d", 1116 listen_address, listen_port); 1117 1118 /* check permissions */ 1119 if (!options.allow_tcp_forwarding || 1120 no_port_forwarding_flag 1121 #ifndef NO_IPPORT_RESERVED_CONCEPT 1122 || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) 1123 #endif 1124 ) { 1125 success = 0; 1126 packet_send_debug("Server has disabled port forwarding."); 1127 } else { 1128 /* Start listening on the port */ 1129 success = channel_setup_remote_fwd_listener( 1130 listen_address, listen_port, options.gateway_ports); 1131 } 1132 xfree(listen_address); 1133 } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) { 1134 char *cancel_address; 1135 u_short cancel_port; 1136 1137 cancel_address = packet_get_string(NULL); 1138 cancel_port = (u_short)packet_get_int(); 1139 debug("%s: cancel-tcpip-forward addr %s port %d", __func__, 1140 cancel_address, cancel_port); 1141 1142 success = channel_cancel_rport_listener(cancel_address, 1143 cancel_port); 1144 xfree(cancel_address); 1145 } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) { 1146 no_more_sessions = 1; 1147 success = 1; 1148 } 1149 if (want_reply) { 1150 packet_start(success ? 1151 SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); 1152 packet_send(); 1153 packet_write_wait(); 1154 } 1155 xfree(rtype); 1156 } 1157 1158 static void 1159 server_input_channel_req(int type, u_int32_t seq, void *ctxt) 1160 { 1161 Channel *c; 1162 int id, reply, success = 0; 1163 char *rtype; 1164 1165 id = packet_get_int(); 1166 rtype = packet_get_string(NULL); 1167 reply = packet_get_char(); 1168 1169 debug("server_input_channel_req: channel %d request %s reply %d", 1170 id, rtype, reply); 1171 1172 if ((c = channel_lookup(id)) == NULL) 1173 packet_disconnect("server_input_channel_req: " 1174 "unknown channel %d", id); 1175 if (!strcmp(rtype, "eow@openssh.com")) { 1176 packet_check_eom(); 1177 chan_rcvd_eow(c); 1178 } else if ((c->type == SSH_CHANNEL_LARVAL || 1179 c->type == SSH_CHANNEL_OPEN) && strcmp(c->ctype, "session") == 0) 1180 success = session_input_channel_req(c, rtype); 1181 if (reply) { 1182 packet_start(success ? 1183 SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE); 1184 packet_put_int(c->remote_id); 1185 packet_send(); 1186 } 1187 xfree(rtype); 1188 } 1189 1190 static void 1191 server_init_dispatch_20(void) 1192 { 1193 debug("server_init_dispatch_20"); 1194 dispatch_init(&dispatch_protocol_error); 1195 dispatch_set(SSH2_MSG_CHANNEL_CLOSE, &channel_input_oclose); 1196 dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data); 1197 dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof); 1198 dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data); 1199 dispatch_set(SSH2_MSG_CHANNEL_OPEN, &server_input_channel_open); 1200 dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1201 dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1202 dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &server_input_channel_req); 1203 dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); 1204 dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); 1205 dispatch_set(SSH2_MSG_CHANNEL_SUCCESS, &channel_input_status_confirm); 1206 dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &channel_input_status_confirm); 1207 /* client_alive */ 1208 dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &server_input_keep_alive); 1209 dispatch_set(SSH2_MSG_REQUEST_FAILURE, &server_input_keep_alive); 1210 /* rekeying */ 1211 dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); 1212 } 1213 static void 1214 server_init_dispatch_13(void) 1215 { 1216 debug("server_init_dispatch_13"); 1217 dispatch_init(NULL); 1218 dispatch_set(SSH_CMSG_EOF, &server_input_eof); 1219 dispatch_set(SSH_CMSG_STDIN_DATA, &server_input_stdin_data); 1220 dispatch_set(SSH_CMSG_WINDOW_SIZE, &server_input_window_size); 1221 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close); 1222 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation); 1223 dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data); 1224 dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); 1225 dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); 1226 dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); 1227 } 1228 static void 1229 server_init_dispatch_15(void) 1230 { 1231 server_init_dispatch_13(); 1232 debug("server_init_dispatch_15"); 1233 dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_ieof); 1234 dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_oclose); 1235 } 1236 static void 1237 server_init_dispatch(void) 1238 { 1239 if (compat20) 1240 server_init_dispatch_20(); 1241 else if (compat13) 1242 server_init_dispatch_13(); 1243 else 1244 server_init_dispatch_15(); 1245 } 1246