1/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */ 2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42#include "includes.h" 43 44#include <sys/types.h> 45#include <sys/ioctl.h> 46#include <sys/un.h> 47#include <sys/socket.h> 48#ifdef HAVE_SYS_TIME_H 49# include <sys/time.h> 50#endif 51 52#include <netinet/in.h> 53#include <arpa/inet.h> 54 55#include <errno.h> 56#include <fcntl.h> 57#include <netdb.h> 58#include <stdio.h> 59#include <stdlib.h> 60#include <string.h> 61#include <termios.h> 62#include <unistd.h> 63#include <stdarg.h> 64 65#include "openbsd-compat/sys-queue.h" 66#include "xmalloc.h" 67#include "ssh.h" 68#include "ssh1.h" 69#include "ssh2.h" 70#include "packet.h" 71#include "log.h" 72#include "misc.h" 73#include "buffer.h" 74#include "channels.h" 75#include "compat.h" 76#include "canohost.h" 77#include "key.h" 78#include "authfd.h" 79#include "pathnames.h" 80 81/* -- channel core */ 82 83/* 84 * Pointer to an array containing all allocated channels. The array is 85 * dynamically extended as needed. 86 */ 87static Channel **channels = NULL; 88 89/* 90 * Size of the channel array. All slots of the array must always be 91 * initialized (at least the type field); unused slots set to NULL 92 */ 93static u_int channels_alloc = 0; 94 95/* 96 * Maximum file descriptor value used in any of the channels. This is 97 * updated in channel_new. 98 */ 99static int channel_max_fd = 0; 100 101 102/* -- tcp forwarding */ 103 104/* 105 * Data structure for storing which hosts are permitted for forward requests. 106 * The local sides of any remote forwards are stored in this array to prevent 107 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 108 * network (which might be behind a firewall). 109 */ 110typedef struct { 111 char *host_to_connect; /* Connect to 'host'. */ 112 u_short port_to_connect; /* Connect to 'port'. */ 113 u_short listen_port; /* Remote side should listen port number. */ 114} ForwardPermission; 115 116/* List of all permitted host/port pairs to connect by the user. */ 117static ForwardPermission *permitted_opens = NULL; 118 119/* List of all permitted host/port pairs to connect by the admin. */ 120static ForwardPermission *permitted_adm_opens = NULL; 121 122/* Number of permitted host/port pairs in the array permitted by the user. */ 123static int num_permitted_opens = 0; 124 125/* Number of permitted host/port pair in the array permitted by the admin. */ 126static int num_adm_permitted_opens = 0; 127 128/* 129 * If this is true, all opens are permitted. This is the case on the server 130 * on which we have to trust the client anyway, and the user could do 131 * anything after logging in anyway. 132 */ 133static int all_opens_permitted = 0; 134 135 136/* -- X11 forwarding */ 137 138/* Maximum number of fake X11 displays to try. */ 139#define MAX_DISPLAYS 1000 140 141/* Saved X11 local (client) display. */ 142static char *x11_saved_display = NULL; 143 144/* Saved X11 authentication protocol name. */ 145static char *x11_saved_proto = NULL; 146 147/* Saved X11 authentication data. This is the real data. */ 148static char *x11_saved_data = NULL; 149static u_int x11_saved_data_len = 0; 150 151/* 152 * Fake X11 authentication data. This is what the server will be sending us; 153 * we should replace any occurrences of this by the real data. 154 */ 155static u_char *x11_fake_data = NULL; 156static u_int x11_fake_data_len; 157 158 159/* -- agent forwarding */ 160 161#define NUM_SOCKS 10 162 163/* AF_UNSPEC or AF_INET or AF_INET6 */ 164static int IPv4or6 = AF_UNSPEC; 165 166/* helper */ 167static void port_open_helper(Channel *c, char *rtype); 168 169/* non-blocking connect helpers */ 170static int connect_next(struct channel_connect *); 171static void channel_connect_ctx_free(struct channel_connect *); 172 173/* -- channel core */ 174 175Channel * 176channel_by_id(int id) 177{ 178 Channel *c; 179 180 if (id < 0 || (u_int)id >= channels_alloc) { 181 logit("channel_by_id: %d: bad id", id); 182 return NULL; 183 } 184 c = channels[id]; 185 if (c == NULL) { 186 logit("channel_by_id: %d: bad id: channel free", id); 187 return NULL; 188 } 189 return c; 190} 191 192/* 193 * Returns the channel if it is allowed to receive protocol messages. 194 * Private channels, like listening sockets, may not receive messages. 195 */ 196Channel * 197channel_lookup(int id) 198{ 199 Channel *c; 200 201 if ((c = channel_by_id(id)) == NULL) 202 return (NULL); 203 204 switch (c->type) { 205 case SSH_CHANNEL_X11_OPEN: 206 case SSH_CHANNEL_LARVAL: 207 case SSH_CHANNEL_CONNECTING: 208 case SSH_CHANNEL_DYNAMIC: 209 case SSH_CHANNEL_OPENING: 210 case SSH_CHANNEL_OPEN: 211 case SSH_CHANNEL_INPUT_DRAINING: 212 case SSH_CHANNEL_OUTPUT_DRAINING: 213 return (c); 214 } 215 logit("Non-public channel %d, type %d.", id, c->type); 216 return (NULL); 217} 218 219/* 220 * Register filedescriptors for a channel, used when allocating a channel or 221 * when the channel consumer/producer is ready, e.g. shell exec'd 222 */ 223static void 224channel_register_fds(Channel *c, int rfd, int wfd, int efd, 225 int extusage, int nonblock, int is_tty) 226{ 227 /* Update the maximum file descriptor value. */ 228 channel_max_fd = MAX(channel_max_fd, rfd); 229 channel_max_fd = MAX(channel_max_fd, wfd); 230 channel_max_fd = MAX(channel_max_fd, efd); 231 232 if (rfd != -1) 233 fcntl(rfd, F_SETFD, FD_CLOEXEC); 234 if (wfd != -1 && wfd != rfd) 235 fcntl(wfd, F_SETFD, FD_CLOEXEC); 236 if (efd != -1 && efd != rfd && efd != wfd) 237 fcntl(efd, F_SETFD, FD_CLOEXEC); 238 239 c->rfd = rfd; 240 c->wfd = wfd; 241 c->sock = (rfd == wfd) ? rfd : -1; 242 c->efd = efd; 243 c->extended_usage = extusage; 244 245 if ((c->isatty = is_tty) != 0) 246 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 247 c->wfd_isatty = is_tty || isatty(c->wfd); 248 249 /* enable nonblocking mode */ 250 if (nonblock) { 251 if (rfd != -1) 252 set_nonblock(rfd); 253 if (wfd != -1) 254 set_nonblock(wfd); 255 if (efd != -1) 256 set_nonblock(efd); 257 } 258} 259 260/* 261 * Allocate a new channel object and set its type and socket. This will cause 262 * remote_name to be freed. 263 */ 264Channel * 265channel_new(char *ctype, int type, int rfd, int wfd, int efd, 266 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 267{ 268 int found; 269 u_int i; 270 Channel *c; 271 272 /* Do initial allocation if this is the first call. */ 273 if (channels_alloc == 0) { 274 channels_alloc = 10; 275 channels = xcalloc(channels_alloc, sizeof(Channel *)); 276 for (i = 0; i < channels_alloc; i++) 277 channels[i] = NULL; 278 } 279 /* Try to find a free slot where to put the new channel. */ 280 for (found = -1, i = 0; i < channels_alloc; i++) 281 if (channels[i] == NULL) { 282 /* Found a free slot. */ 283 found = (int)i; 284 break; 285 } 286 if (found < 0) { 287 /* There are no free slots. Take last+1 slot and expand the array. */ 288 found = channels_alloc; 289 if (channels_alloc > 10000) 290 fatal("channel_new: internal error: channels_alloc %d " 291 "too big.", channels_alloc); 292 channels = xrealloc(channels, channels_alloc + 10, 293 sizeof(Channel *)); 294 channels_alloc += 10; 295 debug2("channel: expanding %d", channels_alloc); 296 for (i = found; i < channels_alloc; i++) 297 channels[i] = NULL; 298 } 299 /* Initialize and return new channel. */ 300 c = channels[found] = xcalloc(1, sizeof(Channel)); 301 buffer_init(&c->input); 302 buffer_init(&c->output); 303 buffer_init(&c->extended); 304 c->path = NULL; 305 c->ostate = CHAN_OUTPUT_OPEN; 306 c->istate = CHAN_INPUT_OPEN; 307 c->flags = 0; 308 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); 309 c->self = found; 310 c->type = type; 311 c->ctype = ctype; 312 c->local_window = window; 313 c->local_window_max = window; 314 c->local_consumed = 0; 315 c->local_maxpacket = maxpack; 316 c->remote_id = -1; 317 c->remote_name = xstrdup(remote_name); 318 c->remote_window = 0; 319 c->remote_maxpacket = 0; 320 c->force_drain = 0; 321 c->single_connection = 0; 322 c->detach_user = NULL; 323 c->detach_close = 0; 324 c->open_confirm = NULL; 325 c->open_confirm_ctx = NULL; 326 c->input_filter = NULL; 327 c->output_filter = NULL; 328 c->filter_ctx = NULL; 329 c->filter_cleanup = NULL; 330 c->ctl_chan = -1; 331 c->mux_rcb = NULL; 332 c->mux_ctx = NULL; 333 c->mux_pause = 0; 334 c->delayed = 1; /* prevent call to channel_post handler */ 335 TAILQ_INIT(&c->status_confirms); 336 debug("channel %d: new [%s]", found, remote_name); 337 return c; 338} 339 340static int 341channel_find_maxfd(void) 342{ 343 u_int i; 344 int max = 0; 345 Channel *c; 346 347 for (i = 0; i < channels_alloc; i++) { 348 c = channels[i]; 349 if (c != NULL) { 350 max = MAX(max, c->rfd); 351 max = MAX(max, c->wfd); 352 max = MAX(max, c->efd); 353 } 354 } 355 return max; 356} 357 358int 359channel_close_fd(int *fdp) 360{ 361 int ret = 0, fd = *fdp; 362 363 if (fd != -1) { 364 ret = close(fd); 365 *fdp = -1; 366 if (fd == channel_max_fd) 367 channel_max_fd = channel_find_maxfd(); 368 } 369 return ret; 370} 371 372/* Close all channel fd/socket. */ 373static void 374channel_close_fds(Channel *c) 375{ 376 channel_close_fd(&c->sock); 377 channel_close_fd(&c->rfd); 378 channel_close_fd(&c->wfd); 379 channel_close_fd(&c->efd); 380} 381 382/* Free the channel and close its fd/socket. */ 383void 384channel_free(Channel *c) 385{ 386 char *s; 387 u_int i, n; 388 struct channel_confirm *cc; 389 390 for (n = 0, i = 0; i < channels_alloc; i++) 391 if (channels[i]) 392 n++; 393 debug("channel %d: free: %s, nchannels %u", c->self, 394 c->remote_name ? c->remote_name : "???", n); 395 396 s = channel_open_message(); 397 debug3("channel %d: status: %s", c->self, s); 398 xfree(s); 399 400 if (c->sock != -1) 401 shutdown(c->sock, SHUT_RDWR); 402 channel_close_fds(c); 403 buffer_free(&c->input); 404 buffer_free(&c->output); 405 buffer_free(&c->extended); 406 if (c->remote_name) { 407 xfree(c->remote_name); 408 c->remote_name = NULL; 409 } 410 if (c->path) { 411 xfree(c->path); 412 c->path = NULL; 413 } 414 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 415 if (cc->abandon_cb != NULL) 416 cc->abandon_cb(c, cc->ctx); 417 TAILQ_REMOVE(&c->status_confirms, cc, entry); 418 bzero(cc, sizeof(*cc)); 419 xfree(cc); 420 } 421 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 422 c->filter_cleanup(c->self, c->filter_ctx); 423 channels[c->self] = NULL; 424 xfree(c); 425} 426 427void 428channel_free_all(void) 429{ 430 u_int i; 431 432 for (i = 0; i < channels_alloc; i++) 433 if (channels[i] != NULL) 434 channel_free(channels[i]); 435} 436 437/* 438 * Closes the sockets/fds of all channels. This is used to close extra file 439 * descriptors after a fork. 440 */ 441void 442channel_close_all(void) 443{ 444 u_int i; 445 446 for (i = 0; i < channels_alloc; i++) 447 if (channels[i] != NULL) 448 channel_close_fds(channels[i]); 449} 450 451/* 452 * Stop listening to channels. 453 */ 454void 455channel_stop_listening(void) 456{ 457 u_int i; 458 Channel *c; 459 460 for (i = 0; i < channels_alloc; i++) { 461 c = channels[i]; 462 if (c != NULL) { 463 switch (c->type) { 464 case SSH_CHANNEL_AUTH_SOCKET: 465 case SSH_CHANNEL_PORT_LISTENER: 466 case SSH_CHANNEL_RPORT_LISTENER: 467 case SSH_CHANNEL_X11_LISTENER: 468 channel_close_fd(&c->sock); 469 channel_free(c); 470 break; 471 } 472 } 473 } 474} 475 476/* 477 * Returns true if no channel has too much buffered data, and false if one or 478 * more channel is overfull. 479 */ 480int 481channel_not_very_much_buffered_data(void) 482{ 483 u_int i; 484 Channel *c; 485 486 for (i = 0; i < channels_alloc; i++) { 487 c = channels[i]; 488 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 489#if 0 490 if (!compat20 && 491 buffer_len(&c->input) > packet_get_maxsize()) { 492 debug2("channel %d: big input buffer %d", 493 c->self, buffer_len(&c->input)); 494 return 0; 495 } 496#endif 497 if (buffer_len(&c->output) > packet_get_maxsize()) { 498 debug2("channel %d: big output buffer %u > %u", 499 c->self, buffer_len(&c->output), 500 packet_get_maxsize()); 501 return 0; 502 } 503 } 504 } 505 return 1; 506} 507 508/* Returns true if any channel is still open. */ 509int 510channel_still_open(void) 511{ 512 u_int i; 513 Channel *c; 514 515 for (i = 0; i < channels_alloc; i++) { 516 c = channels[i]; 517 if (c == NULL) 518 continue; 519 switch (c->type) { 520 case SSH_CHANNEL_X11_LISTENER: 521 case SSH_CHANNEL_PORT_LISTENER: 522 case SSH_CHANNEL_RPORT_LISTENER: 523 case SSH_CHANNEL_MUX_LISTENER: 524 case SSH_CHANNEL_CLOSED: 525 case SSH_CHANNEL_AUTH_SOCKET: 526 case SSH_CHANNEL_DYNAMIC: 527 case SSH_CHANNEL_CONNECTING: 528 case SSH_CHANNEL_ZOMBIE: 529 continue; 530 case SSH_CHANNEL_LARVAL: 531 if (!compat20) 532 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 533 continue; 534 case SSH_CHANNEL_OPENING: 535 case SSH_CHANNEL_OPEN: 536 case SSH_CHANNEL_X11_OPEN: 537 case SSH_CHANNEL_MUX_CLIENT: 538 return 1; 539 case SSH_CHANNEL_INPUT_DRAINING: 540 case SSH_CHANNEL_OUTPUT_DRAINING: 541 if (!compat13) 542 fatal("cannot happen: OUT_DRAIN"); 543 return 1; 544 default: 545 fatal("channel_still_open: bad channel type %d", c->type); 546 /* NOTREACHED */ 547 } 548 } 549 return 0; 550} 551 552/* Returns the id of an open channel suitable for keepaliving */ 553int 554channel_find_open(void) 555{ 556 u_int i; 557 Channel *c; 558 559 for (i = 0; i < channels_alloc; i++) { 560 c = channels[i]; 561 if (c == NULL || c->remote_id < 0) 562 continue; 563 switch (c->type) { 564 case SSH_CHANNEL_CLOSED: 565 case SSH_CHANNEL_DYNAMIC: 566 case SSH_CHANNEL_X11_LISTENER: 567 case SSH_CHANNEL_PORT_LISTENER: 568 case SSH_CHANNEL_RPORT_LISTENER: 569 case SSH_CHANNEL_MUX_LISTENER: 570 case SSH_CHANNEL_MUX_CLIENT: 571 case SSH_CHANNEL_OPENING: 572 case SSH_CHANNEL_CONNECTING: 573 case SSH_CHANNEL_ZOMBIE: 574 continue; 575 case SSH_CHANNEL_LARVAL: 576 case SSH_CHANNEL_AUTH_SOCKET: 577 case SSH_CHANNEL_OPEN: 578 case SSH_CHANNEL_X11_OPEN: 579 return i; 580 case SSH_CHANNEL_INPUT_DRAINING: 581 case SSH_CHANNEL_OUTPUT_DRAINING: 582 if (!compat13) 583 fatal("cannot happen: OUT_DRAIN"); 584 return i; 585 default: 586 fatal("channel_find_open: bad channel type %d", c->type); 587 /* NOTREACHED */ 588 } 589 } 590 return -1; 591} 592 593 594/* 595 * Returns a message describing the currently open forwarded connections, 596 * suitable for sending to the client. The message contains crlf pairs for 597 * newlines. 598 */ 599char * 600channel_open_message(void) 601{ 602 Buffer buffer; 603 Channel *c; 604 char buf[1024], *cp; 605 u_int i; 606 607 buffer_init(&buffer); 608 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 609 buffer_append(&buffer, buf, strlen(buf)); 610 for (i = 0; i < channels_alloc; i++) { 611 c = channels[i]; 612 if (c == NULL) 613 continue; 614 switch (c->type) { 615 case SSH_CHANNEL_X11_LISTENER: 616 case SSH_CHANNEL_PORT_LISTENER: 617 case SSH_CHANNEL_RPORT_LISTENER: 618 case SSH_CHANNEL_CLOSED: 619 case SSH_CHANNEL_AUTH_SOCKET: 620 case SSH_CHANNEL_ZOMBIE: 621 case SSH_CHANNEL_MUX_CLIENT: 622 case SSH_CHANNEL_MUX_LISTENER: 623 continue; 624 case SSH_CHANNEL_LARVAL: 625 case SSH_CHANNEL_OPENING: 626 case SSH_CHANNEL_CONNECTING: 627 case SSH_CHANNEL_DYNAMIC: 628 case SSH_CHANNEL_OPEN: 629 case SSH_CHANNEL_X11_OPEN: 630 case SSH_CHANNEL_INPUT_DRAINING: 631 case SSH_CHANNEL_OUTPUT_DRAINING: 632 snprintf(buf, sizeof buf, 633 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n", 634 c->self, c->remote_name, 635 c->type, c->remote_id, 636 c->istate, buffer_len(&c->input), 637 c->ostate, buffer_len(&c->output), 638 c->rfd, c->wfd, c->ctl_chan); 639 buffer_append(&buffer, buf, strlen(buf)); 640 continue; 641 default: 642 fatal("channel_open_message: bad channel type %d", c->type); 643 /* NOTREACHED */ 644 } 645 } 646 buffer_append(&buffer, "\0", 1); 647 cp = xstrdup(buffer_ptr(&buffer)); 648 buffer_free(&buffer); 649 return cp; 650} 651 652void 653channel_send_open(int id) 654{ 655 Channel *c = channel_lookup(id); 656 657 if (c == NULL) { 658 logit("channel_send_open: %d: bad id", id); 659 return; 660 } 661 debug2("channel %d: send open", id); 662 packet_start(SSH2_MSG_CHANNEL_OPEN); 663 packet_put_cstring(c->ctype); 664 packet_put_int(c->self); 665 packet_put_int(c->local_window); 666 packet_put_int(c->local_maxpacket); 667 packet_send(); 668} 669 670void 671channel_request_start(int id, char *service, int wantconfirm) 672{ 673 Channel *c = channel_lookup(id); 674 675 if (c == NULL) { 676 logit("channel_request_start: %d: unknown channel id", id); 677 return; 678 } 679 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 680 packet_start(SSH2_MSG_CHANNEL_REQUEST); 681 packet_put_int(c->remote_id); 682 packet_put_cstring(service); 683 packet_put_char(wantconfirm); 684} 685 686void 687channel_register_status_confirm(int id, channel_confirm_cb *cb, 688 channel_confirm_abandon_cb *abandon_cb, void *ctx) 689{ 690 struct channel_confirm *cc; 691 Channel *c; 692 693 if ((c = channel_lookup(id)) == NULL) 694 fatal("channel_register_expect: %d: bad id", id); 695 696 cc = xmalloc(sizeof(*cc)); 697 cc->cb = cb; 698 cc->abandon_cb = abandon_cb; 699 cc->ctx = ctx; 700 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 701} 702 703void 704channel_register_open_confirm(int id, channel_open_fn *fn, void *ctx) 705{ 706 Channel *c = channel_lookup(id); 707 708 if (c == NULL) { 709 logit("channel_register_open_confirm: %d: bad id", id); 710 return; 711 } 712 c->open_confirm = fn; 713 c->open_confirm_ctx = ctx; 714} 715 716void 717channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 718{ 719 Channel *c = channel_by_id(id); 720 721 if (c == NULL) { 722 logit("channel_register_cleanup: %d: bad id", id); 723 return; 724 } 725 c->detach_user = fn; 726 c->detach_close = do_close; 727} 728 729void 730channel_cancel_cleanup(int id) 731{ 732 Channel *c = channel_by_id(id); 733 734 if (c == NULL) { 735 logit("channel_cancel_cleanup: %d: bad id", id); 736 return; 737 } 738 c->detach_user = NULL; 739 c->detach_close = 0; 740} 741 742void 743channel_register_filter(int id, channel_infilter_fn *ifn, 744 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 745{ 746 Channel *c = channel_lookup(id); 747 748 if (c == NULL) { 749 logit("channel_register_filter: %d: bad id", id); 750 return; 751 } 752 c->input_filter = ifn; 753 c->output_filter = ofn; 754 c->filter_ctx = ctx; 755 c->filter_cleanup = cfn; 756} 757 758void 759channel_set_fds(int id, int rfd, int wfd, int efd, 760 int extusage, int nonblock, int is_tty, u_int window_max) 761{ 762 Channel *c = channel_lookup(id); 763 764 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 765 fatal("channel_activate for non-larval channel %d.", id); 766 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); 767 c->type = SSH_CHANNEL_OPEN; 768 c->local_window = c->local_window_max = window_max; 769 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 770 packet_put_int(c->remote_id); 771 packet_put_int(c->local_window); 772 packet_send(); 773} 774 775/* 776 * 'channel_pre*' are called just before select() to add any bits relevant to 777 * channels in the select bitmasks. 778 */ 779/* 780 * 'channel_post*': perform any appropriate operations for channels which 781 * have events pending. 782 */ 783typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 784chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 785chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 786 787/* ARGSUSED */ 788static void 789channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 790{ 791 FD_SET(c->sock, readset); 792} 793 794/* ARGSUSED */ 795static void 796channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 797{ 798 debug3("channel %d: waiting for connection", c->self); 799 FD_SET(c->sock, writeset); 800} 801 802static void 803channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 804{ 805 if (buffer_len(&c->input) < packet_get_maxsize()) 806 FD_SET(c->sock, readset); 807 if (buffer_len(&c->output) > 0) 808 FD_SET(c->sock, writeset); 809} 810 811static void 812channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 813{ 814 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 815 816 if (c->istate == CHAN_INPUT_OPEN && 817 limit > 0 && 818 buffer_len(&c->input) < limit && 819 buffer_check_alloc(&c->input, CHAN_RBUF)) 820 FD_SET(c->rfd, readset); 821 if (c->ostate == CHAN_OUTPUT_OPEN || 822 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 823 if (buffer_len(&c->output) > 0) { 824 FD_SET(c->wfd, writeset); 825 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 826 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 827 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 828 c->self, c->efd, buffer_len(&c->extended)); 829 else 830 chan_obuf_empty(c); 831 } 832 } 833 /** XXX check close conditions, too */ 834 if (compat20 && c->efd != -1 && 835 !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) { 836 if (c->extended_usage == CHAN_EXTENDED_WRITE && 837 buffer_len(&c->extended) > 0) 838 FD_SET(c->efd, writeset); 839 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 840 (c->extended_usage == CHAN_EXTENDED_READ || 841 c->extended_usage == CHAN_EXTENDED_IGNORE) && 842 buffer_len(&c->extended) < c->remote_window) 843 FD_SET(c->efd, readset); 844 } 845 /* XXX: What about efd? races? */ 846} 847 848/* ARGSUSED */ 849static void 850channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 851{ 852 if (buffer_len(&c->input) == 0) { 853 packet_start(SSH_MSG_CHANNEL_CLOSE); 854 packet_put_int(c->remote_id); 855 packet_send(); 856 c->type = SSH_CHANNEL_CLOSED; 857 debug2("channel %d: closing after input drain.", c->self); 858 } 859} 860 861/* ARGSUSED */ 862static void 863channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 864{ 865 if (buffer_len(&c->output) == 0) 866 chan_mark_dead(c); 867 else 868 FD_SET(c->sock, writeset); 869} 870 871/* 872 * This is a special state for X11 authentication spoofing. An opened X11 873 * connection (when authentication spoofing is being done) remains in this 874 * state until the first packet has been completely read. The authentication 875 * data in that packet is then substituted by the real data if it matches the 876 * fake data, and the channel is put into normal mode. 877 * XXX All this happens at the client side. 878 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 879 */ 880static int 881x11_open_helper(Buffer *b) 882{ 883 u_char *ucp; 884 u_int proto_len, data_len; 885 886 /* Check if the fixed size part of the packet is in buffer. */ 887 if (buffer_len(b) < 12) 888 return 0; 889 890 /* Parse the lengths of variable-length fields. */ 891 ucp = buffer_ptr(b); 892 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 893 proto_len = 256 * ucp[6] + ucp[7]; 894 data_len = 256 * ucp[8] + ucp[9]; 895 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 896 proto_len = ucp[6] + 256 * ucp[7]; 897 data_len = ucp[8] + 256 * ucp[9]; 898 } else { 899 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 900 ucp[0]); 901 return -1; 902 } 903 904 /* Check if the whole packet is in buffer. */ 905 if (buffer_len(b) < 906 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 907 return 0; 908 909 /* Check if authentication protocol matches. */ 910 if (proto_len != strlen(x11_saved_proto) || 911 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 912 debug2("X11 connection uses different authentication protocol."); 913 return -1; 914 } 915 /* Check if authentication data matches our fake data. */ 916 if (data_len != x11_fake_data_len || 917 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 918 x11_fake_data, x11_fake_data_len) != 0) { 919 debug2("X11 auth data does not match fake data."); 920 return -1; 921 } 922 /* Check fake data length */ 923 if (x11_fake_data_len != x11_saved_data_len) { 924 error("X11 fake_data_len %d != saved_data_len %d", 925 x11_fake_data_len, x11_saved_data_len); 926 return -1; 927 } 928 /* 929 * Received authentication protocol and data match 930 * our fake data. Substitute the fake data with real 931 * data. 932 */ 933 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 934 x11_saved_data, x11_saved_data_len); 935 return 1; 936} 937 938static void 939channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 940{ 941 int ret = x11_open_helper(&c->output); 942 943 if (ret == 1) { 944 /* Start normal processing for the channel. */ 945 c->type = SSH_CHANNEL_OPEN; 946 channel_pre_open_13(c, readset, writeset); 947 } else if (ret == -1) { 948 /* 949 * We have received an X11 connection that has bad 950 * authentication information. 951 */ 952 logit("X11 connection rejected because of wrong authentication."); 953 buffer_clear(&c->input); 954 buffer_clear(&c->output); 955 channel_close_fd(&c->sock); 956 c->sock = -1; 957 c->type = SSH_CHANNEL_CLOSED; 958 packet_start(SSH_MSG_CHANNEL_CLOSE); 959 packet_put_int(c->remote_id); 960 packet_send(); 961 } 962} 963 964static void 965channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 966{ 967 int ret = x11_open_helper(&c->output); 968 969 /* c->force_drain = 1; */ 970 971 if (ret == 1) { 972 c->type = SSH_CHANNEL_OPEN; 973 channel_pre_open(c, readset, writeset); 974 } else if (ret == -1) { 975 logit("X11 connection rejected because of wrong authentication."); 976 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 977 chan_read_failed(c); 978 buffer_clear(&c->input); 979 chan_ibuf_empty(c); 980 buffer_clear(&c->output); 981 /* for proto v1, the peer will send an IEOF */ 982 if (compat20) 983 chan_write_failed(c); 984 else 985 c->type = SSH_CHANNEL_OPEN; 986 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 987 } 988} 989 990static void 991channel_pre_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 992{ 993 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 994 buffer_check_alloc(&c->input, CHAN_RBUF)) 995 FD_SET(c->rfd, readset); 996 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 997 /* clear buffer immediately (discard any partial packet) */ 998 buffer_clear(&c->input); 999 chan_ibuf_empty(c); 1000 /* Start output drain. XXX just kill chan? */ 1001 chan_rcvd_oclose(c); 1002 } 1003 if (c->ostate == CHAN_OUTPUT_OPEN || 1004 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1005 if (buffer_len(&c->output) > 0) 1006 FD_SET(c->wfd, writeset); 1007 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1008 chan_obuf_empty(c); 1009 } 1010} 1011 1012/* try to decode a socks4 header */ 1013/* ARGSUSED */ 1014static int 1015channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 1016{ 1017 char *p, *host; 1018 u_int len, have, i, found, need; 1019 char username[256]; 1020 struct { 1021 u_int8_t version; 1022 u_int8_t command; 1023 u_int16_t dest_port; 1024 struct in_addr dest_addr; 1025 } s4_req, s4_rsp; 1026 1027 debug2("channel %d: decode socks4", c->self); 1028 1029 have = buffer_len(&c->input); 1030 len = sizeof(s4_req); 1031 if (have < len) 1032 return 0; 1033 p = buffer_ptr(&c->input); 1034 1035 need = 1; 1036 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1037 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1038 debug2("channel %d: socks4a request", c->self); 1039 /* ... and needs an extra string (the hostname) */ 1040 need = 2; 1041 } 1042 /* Check for terminating NUL on the string(s) */ 1043 for (found = 0, i = len; i < have; i++) { 1044 if (p[i] == '\0') { 1045 found++; 1046 if (found == need) 1047 break; 1048 } 1049 if (i > 1024) { 1050 /* the peer is probably sending garbage */ 1051 debug("channel %d: decode socks4: too long", 1052 c->self); 1053 return -1; 1054 } 1055 } 1056 if (found < need) 1057 return 0; 1058 buffer_get(&c->input, (char *)&s4_req.version, 1); 1059 buffer_get(&c->input, (char *)&s4_req.command, 1); 1060 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 1061 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 1062 have = buffer_len(&c->input); 1063 p = buffer_ptr(&c->input); 1064 len = strlen(p); 1065 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1066 len++; /* trailing '\0' */ 1067 if (len > have) 1068 fatal("channel %d: decode socks4: len %d > have %d", 1069 c->self, len, have); 1070 strlcpy(username, p, sizeof(username)); 1071 buffer_consume(&c->input, len); 1072 1073 if (c->path != NULL) { 1074 xfree(c->path); 1075 c->path = NULL; 1076 } 1077 if (need == 1) { /* SOCKS4: one string */ 1078 host = inet_ntoa(s4_req.dest_addr); 1079 c->path = xstrdup(host); 1080 } else { /* SOCKS4A: two strings */ 1081 have = buffer_len(&c->input); 1082 p = buffer_ptr(&c->input); 1083 len = strlen(p); 1084 debug2("channel %d: decode socks4a: host %s/%d", 1085 c->self, p, len); 1086 len++; /* trailing '\0' */ 1087 if (len > have) 1088 fatal("channel %d: decode socks4a: len %d > have %d", 1089 c->self, len, have); 1090 if (len > NI_MAXHOST) { 1091 error("channel %d: hostname \"%.100s\" too long", 1092 c->self, p); 1093 return -1; 1094 } 1095 c->path = xstrdup(p); 1096 buffer_consume(&c->input, len); 1097 } 1098 c->host_port = ntohs(s4_req.dest_port); 1099 1100 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1101 c->self, c->path, c->host_port, s4_req.command); 1102 1103 if (s4_req.command != 1) { 1104 debug("channel %d: cannot handle: %s cn %d", 1105 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1106 return -1; 1107 } 1108 s4_rsp.version = 0; /* vn: 0 for reply */ 1109 s4_rsp.command = 90; /* cd: req granted */ 1110 s4_rsp.dest_port = 0; /* ignored */ 1111 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1112 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1113 return 1; 1114} 1115 1116/* try to decode a socks5 header */ 1117#define SSH_SOCKS5_AUTHDONE 0x1000 1118#define SSH_SOCKS5_NOAUTH 0x00 1119#define SSH_SOCKS5_IPV4 0x01 1120#define SSH_SOCKS5_DOMAIN 0x03 1121#define SSH_SOCKS5_IPV6 0x04 1122#define SSH_SOCKS5_CONNECT 0x01 1123#define SSH_SOCKS5_SUCCESS 0x00 1124 1125/* ARGSUSED */ 1126static int 1127channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1128{ 1129 struct { 1130 u_int8_t version; 1131 u_int8_t command; 1132 u_int8_t reserved; 1133 u_int8_t atyp; 1134 } s5_req, s5_rsp; 1135 u_int16_t dest_port; 1136 u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1137 u_int have, need, i, found, nmethods, addrlen, af; 1138 1139 debug2("channel %d: decode socks5", c->self); 1140 p = buffer_ptr(&c->input); 1141 if (p[0] != 0x05) 1142 return -1; 1143 have = buffer_len(&c->input); 1144 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1145 /* format: ver | nmethods | methods */ 1146 if (have < 2) 1147 return 0; 1148 nmethods = p[1]; 1149 if (have < nmethods + 2) 1150 return 0; 1151 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1152 for (found = 0, i = 2; i < nmethods + 2; i++) { 1153 if (p[i] == SSH_SOCKS5_NOAUTH) { 1154 found = 1; 1155 break; 1156 } 1157 } 1158 if (!found) { 1159 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1160 c->self); 1161 return -1; 1162 } 1163 buffer_consume(&c->input, nmethods + 2); 1164 buffer_put_char(&c->output, 0x05); /* version */ 1165 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1166 FD_SET(c->sock, writeset); 1167 c->flags |= SSH_SOCKS5_AUTHDONE; 1168 debug2("channel %d: socks5 auth done", c->self); 1169 return 0; /* need more */ 1170 } 1171 debug2("channel %d: socks5 post auth", c->self); 1172 if (have < sizeof(s5_req)+1) 1173 return 0; /* need more */ 1174 memcpy(&s5_req, p, sizeof(s5_req)); 1175 if (s5_req.version != 0x05 || 1176 s5_req.command != SSH_SOCKS5_CONNECT || 1177 s5_req.reserved != 0x00) { 1178 debug2("channel %d: only socks5 connect supported", c->self); 1179 return -1; 1180 } 1181 switch (s5_req.atyp){ 1182 case SSH_SOCKS5_IPV4: 1183 addrlen = 4; 1184 af = AF_INET; 1185 break; 1186 case SSH_SOCKS5_DOMAIN: 1187 addrlen = p[sizeof(s5_req)]; 1188 af = -1; 1189 break; 1190 case SSH_SOCKS5_IPV6: 1191 addrlen = 16; 1192 af = AF_INET6; 1193 break; 1194 default: 1195 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1196 return -1; 1197 } 1198 need = sizeof(s5_req) + addrlen + 2; 1199 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1200 need++; 1201 if (have < need) 1202 return 0; 1203 buffer_consume(&c->input, sizeof(s5_req)); 1204 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1205 buffer_consume(&c->input, 1); /* host string length */ 1206 buffer_get(&c->input, (char *)&dest_addr, addrlen); 1207 buffer_get(&c->input, (char *)&dest_port, 2); 1208 dest_addr[addrlen] = '\0'; 1209 if (c->path != NULL) { 1210 xfree(c->path); 1211 c->path = NULL; 1212 } 1213 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1214 if (addrlen >= NI_MAXHOST) { 1215 error("channel %d: dynamic request: socks5 hostname " 1216 "\"%.100s\" too long", c->self, dest_addr); 1217 return -1; 1218 } 1219 c->path = xstrdup(dest_addr); 1220 } else { 1221 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1222 return -1; 1223 c->path = xstrdup(ntop); 1224 } 1225 c->host_port = ntohs(dest_port); 1226 1227 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1228 c->self, c->path, c->host_port, s5_req.command); 1229 1230 s5_rsp.version = 0x05; 1231 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1232 s5_rsp.reserved = 0; /* ignored */ 1233 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1234 ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY; 1235 dest_port = 0; /* ignored */ 1236 1237 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1238 buffer_append(&c->output, &dest_addr, sizeof(struct in_addr)); 1239 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1240 return 1; 1241} 1242 1243Channel * 1244channel_connect_stdio_fwd(const char *host_to_connect, u_short port_to_connect, 1245 int in, int out) 1246{ 1247 Channel *c; 1248 1249 debug("channel_connect_stdio_fwd %s:%d", host_to_connect, 1250 port_to_connect); 1251 1252 c = channel_new("stdio-forward", SSH_CHANNEL_OPENING, in, out, 1253 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1254 0, "stdio-forward", /*nonblock*/0); 1255 1256 c->path = xstrdup(host_to_connect); 1257 c->host_port = port_to_connect; 1258 c->listening_port = 0; 1259 c->force_drain = 1; 1260 1261 channel_register_fds(c, in, out, -1, 0, 1, 0); 1262 port_open_helper(c, "direct-tcpip"); 1263 1264 return c; 1265} 1266 1267/* dynamic port forwarding */ 1268static void 1269channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1270{ 1271 u_char *p; 1272 u_int have; 1273 int ret; 1274 1275 have = buffer_len(&c->input); 1276 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1277 /* buffer_dump(&c->input); */ 1278 /* check if the fixed size part of the packet is in buffer. */ 1279 if (have < 3) { 1280 /* need more */ 1281 FD_SET(c->sock, readset); 1282 return; 1283 } 1284 /* try to guess the protocol */ 1285 p = buffer_ptr(&c->input); 1286 switch (p[0]) { 1287 case 0x04: 1288 ret = channel_decode_socks4(c, readset, writeset); 1289 break; 1290 case 0x05: 1291 ret = channel_decode_socks5(c, readset, writeset); 1292 break; 1293 default: 1294 ret = -1; 1295 break; 1296 } 1297 if (ret < 0) { 1298 chan_mark_dead(c); 1299 } else if (ret == 0) { 1300 debug2("channel %d: pre_dynamic: need more", c->self); 1301 /* need more */ 1302 FD_SET(c->sock, readset); 1303 } else { 1304 /* switch to the next state */ 1305 c->type = SSH_CHANNEL_OPENING; 1306 port_open_helper(c, "direct-tcpip"); 1307 } 1308} 1309 1310/* This is our fake X11 server socket. */ 1311/* ARGSUSED */ 1312static void 1313channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1314{ 1315 Channel *nc; 1316 struct sockaddr_storage addr; 1317 int newsock; 1318 socklen_t addrlen; 1319 char buf[16384], *remote_ipaddr; 1320 int remote_port; 1321 1322 if (FD_ISSET(c->sock, readset)) { 1323 debug("X11 connection requested."); 1324 addrlen = sizeof(addr); 1325 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1326 if (c->single_connection) { 1327 debug2("single_connection: closing X11 listener."); 1328 channel_close_fd(&c->sock); 1329 chan_mark_dead(c); 1330 } 1331 if (newsock < 0) { 1332 error("accept: %.100s", strerror(errno)); 1333 return; 1334 } 1335 set_nodelay(newsock); 1336 remote_ipaddr = get_peer_ipaddr(newsock); 1337 remote_port = get_peer_port(newsock); 1338 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1339 remote_ipaddr, remote_port); 1340 1341 nc = channel_new("accepted x11 socket", 1342 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1343 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1344 if (compat20) { 1345 packet_start(SSH2_MSG_CHANNEL_OPEN); 1346 packet_put_cstring("x11"); 1347 packet_put_int(nc->self); 1348 packet_put_int(nc->local_window_max); 1349 packet_put_int(nc->local_maxpacket); 1350 /* originator ipaddr and port */ 1351 packet_put_cstring(remote_ipaddr); 1352 if (datafellows & SSH_BUG_X11FWD) { 1353 debug2("ssh2 x11 bug compat mode"); 1354 } else { 1355 packet_put_int(remote_port); 1356 } 1357 packet_send(); 1358 } else { 1359 packet_start(SSH_SMSG_X11_OPEN); 1360 packet_put_int(nc->self); 1361 if (packet_get_protocol_flags() & 1362 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1363 packet_put_cstring(buf); 1364 packet_send(); 1365 } 1366 xfree(remote_ipaddr); 1367 } 1368} 1369 1370static void 1371port_open_helper(Channel *c, char *rtype) 1372{ 1373 int direct; 1374 char buf[1024]; 1375 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1376 int remote_port = get_peer_port(c->sock); 1377 1378 if (remote_port == -1) { 1379 /* Fake addr/port to appease peers that validate it (Tectia) */ 1380 xfree(remote_ipaddr); 1381 remote_ipaddr = xstrdup("127.0.0.1"); 1382 remote_port = 65535; 1383 } 1384 1385 direct = (strcmp(rtype, "direct-tcpip") == 0); 1386 1387 snprintf(buf, sizeof buf, 1388 "%s: listening port %d for %.100s port %d, " 1389 "connect from %.200s port %d", 1390 rtype, c->listening_port, c->path, c->host_port, 1391 remote_ipaddr, remote_port); 1392 1393 xfree(c->remote_name); 1394 c->remote_name = xstrdup(buf); 1395 1396 if (compat20) { 1397 packet_start(SSH2_MSG_CHANNEL_OPEN); 1398 packet_put_cstring(rtype); 1399 packet_put_int(c->self); 1400 packet_put_int(c->local_window_max); 1401 packet_put_int(c->local_maxpacket); 1402 if (direct) { 1403 /* target host, port */ 1404 packet_put_cstring(c->path); 1405 packet_put_int(c->host_port); 1406 } else { 1407 /* listen address, port */ 1408 packet_put_cstring(c->path); 1409 packet_put_int(c->listening_port); 1410 } 1411 /* originator host and port */ 1412 packet_put_cstring(remote_ipaddr); 1413 packet_put_int((u_int)remote_port); 1414 packet_send(); 1415 } else { 1416 packet_start(SSH_MSG_PORT_OPEN); 1417 packet_put_int(c->self); 1418 packet_put_cstring(c->path); 1419 packet_put_int(c->host_port); 1420 if (packet_get_protocol_flags() & 1421 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1422 packet_put_cstring(c->remote_name); 1423 packet_send(); 1424 } 1425 xfree(remote_ipaddr); 1426} 1427 1428static void 1429channel_set_reuseaddr(int fd) 1430{ 1431 int on = 1; 1432 1433 /* 1434 * Set socket options. 1435 * Allow local port reuse in TIME_WAIT. 1436 */ 1437 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1438 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1439} 1440 1441/* 1442 * This socket is listening for connections to a forwarded TCP/IP port. 1443 */ 1444/* ARGSUSED */ 1445static void 1446channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1447{ 1448 Channel *nc; 1449 struct sockaddr_storage addr; 1450 int newsock, nextstate; 1451 socklen_t addrlen; 1452 char *rtype; 1453 1454 if (FD_ISSET(c->sock, readset)) { 1455 debug("Connection to port %d forwarding " 1456 "to %.100s port %d requested.", 1457 c->listening_port, c->path, c->host_port); 1458 1459 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1460 nextstate = SSH_CHANNEL_OPENING; 1461 rtype = "forwarded-tcpip"; 1462 } else { 1463 if (c->host_port == 0) { 1464 nextstate = SSH_CHANNEL_DYNAMIC; 1465 rtype = "dynamic-tcpip"; 1466 } else { 1467 nextstate = SSH_CHANNEL_OPENING; 1468 rtype = "direct-tcpip"; 1469 } 1470 } 1471 1472 addrlen = sizeof(addr); 1473 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1474 if (newsock < 0) { 1475 error("accept: %.100s", strerror(errno)); 1476 return; 1477 } 1478 set_nodelay(newsock); 1479 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1480 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1481 nc->listening_port = c->listening_port; 1482 nc->host_port = c->host_port; 1483 if (c->path != NULL) 1484 nc->path = xstrdup(c->path); 1485 1486 if (nextstate != SSH_CHANNEL_DYNAMIC) 1487 port_open_helper(nc, rtype); 1488 } 1489} 1490 1491/* 1492 * This is the authentication agent socket listening for connections from 1493 * clients. 1494 */ 1495/* ARGSUSED */ 1496static void 1497channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1498{ 1499 Channel *nc; 1500 int newsock; 1501 struct sockaddr_storage addr; 1502 socklen_t addrlen; 1503 1504 if (FD_ISSET(c->sock, readset)) { 1505 addrlen = sizeof(addr); 1506 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1507 if (newsock < 0) { 1508 error("accept from auth socket: %.100s", strerror(errno)); 1509 return; 1510 } 1511 nc = channel_new("accepted auth socket", 1512 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1513 c->local_window_max, c->local_maxpacket, 1514 0, "accepted auth socket", 1); 1515 if (compat20) { 1516 packet_start(SSH2_MSG_CHANNEL_OPEN); 1517 packet_put_cstring("auth-agent@openssh.com"); 1518 packet_put_int(nc->self); 1519 packet_put_int(c->local_window_max); 1520 packet_put_int(c->local_maxpacket); 1521 } else { 1522 packet_start(SSH_SMSG_AGENT_OPEN); 1523 packet_put_int(nc->self); 1524 } 1525 packet_send(); 1526 } 1527} 1528 1529/* ARGSUSED */ 1530static void 1531channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1532{ 1533 int err = 0, sock; 1534 socklen_t sz = sizeof(err); 1535 1536 if (FD_ISSET(c->sock, writeset)) { 1537 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1538 err = errno; 1539 error("getsockopt SO_ERROR failed"); 1540 } 1541 if (err == 0) { 1542 debug("channel %d: connected to %s port %d", 1543 c->self, c->connect_ctx.host, c->connect_ctx.port); 1544 channel_connect_ctx_free(&c->connect_ctx); 1545 c->type = SSH_CHANNEL_OPEN; 1546 if (compat20) { 1547 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1548 packet_put_int(c->remote_id); 1549 packet_put_int(c->self); 1550 packet_put_int(c->local_window); 1551 packet_put_int(c->local_maxpacket); 1552 } else { 1553 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1554 packet_put_int(c->remote_id); 1555 packet_put_int(c->self); 1556 } 1557 } else { 1558 debug("channel %d: connection failed: %s", 1559 c->self, strerror(err)); 1560 /* Try next address, if any */ 1561 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1562 close(c->sock); 1563 c->sock = c->rfd = c->wfd = sock; 1564 channel_max_fd = channel_find_maxfd(); 1565 return; 1566 } 1567 /* Exhausted all addresses */ 1568 error("connect_to %.100s port %d: failed.", 1569 c->connect_ctx.host, c->connect_ctx.port); 1570 channel_connect_ctx_free(&c->connect_ctx); 1571 if (compat20) { 1572 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1573 packet_put_int(c->remote_id); 1574 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1575 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1576 packet_put_cstring(strerror(err)); 1577 packet_put_cstring(""); 1578 } 1579 } else { 1580 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1581 packet_put_int(c->remote_id); 1582 } 1583 chan_mark_dead(c); 1584 } 1585 packet_send(); 1586 } 1587} 1588 1589/* ARGSUSED */ 1590static int 1591channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1592{ 1593 char buf[CHAN_RBUF]; 1594 int len, force; 1595 1596 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1597 if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) { 1598 errno = 0; 1599 len = read(c->rfd, buf, sizeof(buf)); 1600 if (len < 0 && (errno == EINTR || 1601 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1602 return 1; 1603#ifndef PTY_ZEROREAD 1604 if (len <= 0) { 1605#else 1606 if ((!c->isatty && len <= 0) || 1607 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1608#endif 1609 debug2("channel %d: read<=0 rfd %d len %d", 1610 c->self, c->rfd, len); 1611 if (c->type != SSH_CHANNEL_OPEN) { 1612 debug2("channel %d: not open", c->self); 1613 chan_mark_dead(c); 1614 return -1; 1615 } else if (compat13) { 1616 buffer_clear(&c->output); 1617 c->type = SSH_CHANNEL_INPUT_DRAINING; 1618 debug2("channel %d: input draining.", c->self); 1619 } else { 1620 chan_read_failed(c); 1621 } 1622 return -1; 1623 } 1624 if (c->input_filter != NULL) { 1625 if (c->input_filter(c, buf, len) == -1) { 1626 debug2("channel %d: filter stops", c->self); 1627 chan_read_failed(c); 1628 } 1629 } else if (c->datagram) { 1630 buffer_put_string(&c->input, buf, len); 1631 } else { 1632 buffer_append(&c->input, buf, len); 1633 } 1634 } 1635 return 1; 1636} 1637 1638/* ARGSUSED */ 1639static int 1640channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1641{ 1642 struct termios tio; 1643 u_char *data = NULL, *buf; 1644 u_int dlen, olen = 0; 1645 int len; 1646 1647 /* Send buffered output data to the socket. */ 1648 if (c->wfd != -1 && 1649 FD_ISSET(c->wfd, writeset) && 1650 buffer_len(&c->output) > 0) { 1651 olen = buffer_len(&c->output); 1652 if (c->output_filter != NULL) { 1653 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1654 debug2("channel %d: filter stops", c->self); 1655 if (c->type != SSH_CHANNEL_OPEN) 1656 chan_mark_dead(c); 1657 else 1658 chan_write_failed(c); 1659 return -1; 1660 } 1661 } else if (c->datagram) { 1662 buf = data = buffer_get_string(&c->output, &dlen); 1663 } else { 1664 buf = data = buffer_ptr(&c->output); 1665 dlen = buffer_len(&c->output); 1666 } 1667 1668 if (c->datagram) { 1669 /* ignore truncated writes, datagrams might get lost */ 1670 len = write(c->wfd, buf, dlen); 1671 xfree(data); 1672 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1673 errno == EWOULDBLOCK)) 1674 return 1; 1675 if (len <= 0) { 1676 if (c->type != SSH_CHANNEL_OPEN) 1677 chan_mark_dead(c); 1678 else 1679 chan_write_failed(c); 1680 return -1; 1681 } 1682 goto out; 1683 } 1684#ifdef _AIX 1685 /* XXX: Later AIX versions can't push as much data to tty */ 1686 if (compat20 && c->wfd_isatty) 1687 dlen = MIN(dlen, 8*1024); 1688#endif 1689 1690 len = write(c->wfd, buf, dlen); 1691 if (len < 0 && 1692 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1693 return 1; 1694 if (len <= 0) { 1695 if (c->type != SSH_CHANNEL_OPEN) { 1696 debug2("channel %d: not open", c->self); 1697 chan_mark_dead(c); 1698 return -1; 1699 } else if (compat13) { 1700 buffer_clear(&c->output); 1701 debug2("channel %d: input draining.", c->self); 1702 c->type = SSH_CHANNEL_INPUT_DRAINING; 1703 } else { 1704 chan_write_failed(c); 1705 } 1706 return -1; 1707 } 1708#ifndef BROKEN_TCGETATTR_ICANON 1709 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1710 if (tcgetattr(c->wfd, &tio) == 0 && 1711 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1712 /* 1713 * Simulate echo to reduce the impact of 1714 * traffic analysis. We need to match the 1715 * size of a SSH2_MSG_CHANNEL_DATA message 1716 * (4 byte channel id + buf) 1717 */ 1718 packet_send_ignore(4 + len); 1719 packet_send(); 1720 } 1721 } 1722#endif 1723 buffer_consume(&c->output, len); 1724 } 1725 out: 1726 if (compat20 && olen > 0) 1727 c->local_consumed += olen - buffer_len(&c->output); 1728 return 1; 1729} 1730 1731static int 1732channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1733{ 1734 char buf[CHAN_RBUF]; 1735 int len; 1736 1737/** XXX handle drain efd, too */ 1738 if (c->efd != -1) { 1739 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1740 FD_ISSET(c->efd, writeset) && 1741 buffer_len(&c->extended) > 0) { 1742 len = write(c->efd, buffer_ptr(&c->extended), 1743 buffer_len(&c->extended)); 1744 debug2("channel %d: written %d to efd %d", 1745 c->self, len, c->efd); 1746 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1747 errno == EWOULDBLOCK)) 1748 return 1; 1749 if (len <= 0) { 1750 debug2("channel %d: closing write-efd %d", 1751 c->self, c->efd); 1752 channel_close_fd(&c->efd); 1753 } else { 1754 buffer_consume(&c->extended, len); 1755 c->local_consumed += len; 1756 } 1757 } else if (c->efd != -1 && 1758 (c->extended_usage == CHAN_EXTENDED_READ || 1759 c->extended_usage == CHAN_EXTENDED_IGNORE) && 1760 (c->detach_close || FD_ISSET(c->efd, readset))) { 1761 len = read(c->efd, buf, sizeof(buf)); 1762 debug2("channel %d: read %d from efd %d", 1763 c->self, len, c->efd); 1764 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 1765 errno == EWOULDBLOCK) && !c->detach_close))) 1766 return 1; 1767 if (len <= 0) { 1768 debug2("channel %d: closing read-efd %d", 1769 c->self, c->efd); 1770 channel_close_fd(&c->efd); 1771 } else { 1772 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 1773 debug3("channel %d: discard efd", 1774 c->self); 1775 } else 1776 buffer_append(&c->extended, buf, len); 1777 } 1778 } 1779 } 1780 return 1; 1781} 1782 1783static int 1784channel_check_window(Channel *c) 1785{ 1786 if (c->type == SSH_CHANNEL_OPEN && 1787 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1788 ((c->local_window_max - c->local_window > 1789 c->local_maxpacket*3) || 1790 c->local_window < c->local_window_max/2) && 1791 c->local_consumed > 0) { 1792 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1793 packet_put_int(c->remote_id); 1794 packet_put_int(c->local_consumed); 1795 packet_send(); 1796 debug2("channel %d: window %d sent adjust %d", 1797 c->self, c->local_window, 1798 c->local_consumed); 1799 c->local_window += c->local_consumed; 1800 c->local_consumed = 0; 1801 } 1802 return 1; 1803} 1804 1805static void 1806channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1807{ 1808 channel_handle_rfd(c, readset, writeset); 1809 channel_handle_wfd(c, readset, writeset); 1810 if (!compat20) 1811 return; 1812 channel_handle_efd(c, readset, writeset); 1813 channel_check_window(c); 1814} 1815 1816static u_int 1817read_mux(Channel *c, u_int need) 1818{ 1819 char buf[CHAN_RBUF]; 1820 int len; 1821 u_int rlen; 1822 1823 if (buffer_len(&c->input) < need) { 1824 rlen = need - buffer_len(&c->input); 1825 len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF)); 1826 if (len <= 0) { 1827 if (errno != EINTR && errno != EAGAIN) { 1828 debug2("channel %d: ctl read<=0 rfd %d len %d", 1829 c->self, c->rfd, len); 1830 chan_read_failed(c); 1831 return 0; 1832 } 1833 } else 1834 buffer_append(&c->input, buf, len); 1835 } 1836 return buffer_len(&c->input); 1837} 1838 1839static void 1840channel_post_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1841{ 1842 u_int need; 1843 ssize_t len; 1844 1845 if (!compat20) 1846 fatal("%s: entered with !compat20", __func__); 1847 1848 if (c->rfd != -1 && !c->mux_pause && FD_ISSET(c->rfd, readset) && 1849 (c->istate == CHAN_INPUT_OPEN || 1850 c->istate == CHAN_INPUT_WAIT_DRAIN)) { 1851 /* 1852 * Don't not read past the precise end of packets to 1853 * avoid disrupting fd passing. 1854 */ 1855 if (read_mux(c, 4) < 4) /* read header */ 1856 return; 1857 need = get_u32(buffer_ptr(&c->input)); 1858#define CHANNEL_MUX_MAX_PACKET (256 * 1024) 1859 if (need > CHANNEL_MUX_MAX_PACKET) { 1860 debug2("channel %d: packet too big %u > %u", 1861 c->self, CHANNEL_MUX_MAX_PACKET, need); 1862 chan_rcvd_oclose(c); 1863 return; 1864 } 1865 if (read_mux(c, need + 4) < need + 4) /* read body */ 1866 return; 1867 if (c->mux_rcb(c) != 0) { 1868 debug("channel %d: mux_rcb failed", c->self); 1869 chan_mark_dead(c); 1870 return; 1871 } 1872 } 1873 1874 if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && 1875 buffer_len(&c->output) > 0) { 1876 len = write(c->wfd, buffer_ptr(&c->output), 1877 buffer_len(&c->output)); 1878 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1879 return; 1880 if (len <= 0) { 1881 chan_mark_dead(c); 1882 return; 1883 } 1884 buffer_consume(&c->output, len); 1885 } 1886} 1887 1888static void 1889channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) 1890{ 1891 Channel *nc; 1892 struct sockaddr_storage addr; 1893 socklen_t addrlen; 1894 int newsock; 1895 uid_t euid; 1896 gid_t egid; 1897 1898 if (!FD_ISSET(c->sock, readset)) 1899 return; 1900 1901 debug("multiplexing control connection"); 1902 1903 /* 1904 * Accept connection on control socket 1905 */ 1906 memset(&addr, 0, sizeof(addr)); 1907 addrlen = sizeof(addr); 1908 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 1909 &addrlen)) == -1) { 1910 error("%s accept: %s", __func__, strerror(errno)); 1911 return; 1912 } 1913 1914 if (getpeereid(newsock, &euid, &egid) < 0) { 1915 error("%s getpeereid failed: %s", __func__, 1916 strerror(errno)); 1917 close(newsock); 1918 return; 1919 } 1920 if ((euid != 0) && (getuid() != euid)) { 1921 error("multiplex uid mismatch: peer euid %u != uid %u", 1922 (u_int)euid, (u_int)getuid()); 1923 close(newsock); 1924 return; 1925 } 1926 nc = channel_new("multiplex client", SSH_CHANNEL_MUX_CLIENT, 1927 newsock, newsock, -1, c->local_window_max, 1928 c->local_maxpacket, 0, "mux-control", 1); 1929 nc->mux_rcb = c->mux_rcb; 1930 debug3("%s: new mux channel %d fd %d", __func__, 1931 nc->self, nc->sock); 1932 /* establish state */ 1933 nc->mux_rcb(nc); 1934 /* mux state transitions must not elicit protocol messages */ 1935 nc->flags |= CHAN_LOCAL; 1936} 1937 1938/* ARGSUSED */ 1939static void 1940channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 1941{ 1942 int len; 1943 1944 /* Send buffered output data to the socket. */ 1945 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1946 len = write(c->sock, buffer_ptr(&c->output), 1947 buffer_len(&c->output)); 1948 if (len <= 0) 1949 buffer_clear(&c->output); 1950 else 1951 buffer_consume(&c->output, len); 1952 } 1953} 1954 1955static void 1956channel_handler_init_20(void) 1957{ 1958 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1959 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1960 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1961 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1962 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1963 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1964 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1965 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1966 channel_pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 1967 channel_pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 1968 1969 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1970 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1971 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 1972 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1973 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1974 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1975 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 1976 channel_post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 1977 channel_post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 1978} 1979 1980static void 1981channel_handler_init_13(void) 1982{ 1983 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 1984 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 1985 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1986 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1987 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1988 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 1989 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 1990 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1991 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1992 1993 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1994 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 1995 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1996 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 1997 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 1998 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 1999 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2000} 2001 2002static void 2003channel_handler_init_15(void) 2004{ 2005 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2006 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2007 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2008 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2009 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2010 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2011 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2012 2013 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2014 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2015 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2016 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2017 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2018 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2019} 2020 2021static void 2022channel_handler_init(void) 2023{ 2024 int i; 2025 2026 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 2027 channel_pre[i] = NULL; 2028 channel_post[i] = NULL; 2029 } 2030 if (compat20) 2031 channel_handler_init_20(); 2032 else if (compat13) 2033 channel_handler_init_13(); 2034 else 2035 channel_handler_init_15(); 2036} 2037 2038/* gc dead channels */ 2039static void 2040channel_garbage_collect(Channel *c) 2041{ 2042 if (c == NULL) 2043 return; 2044 if (c->detach_user != NULL) { 2045 if (!chan_is_dead(c, c->detach_close)) 2046 return; 2047 debug2("channel %d: gc: notify user", c->self); 2048 c->detach_user(c->self, NULL); 2049 /* if we still have a callback */ 2050 if (c->detach_user != NULL) 2051 return; 2052 debug2("channel %d: gc: user detached", c->self); 2053 } 2054 if (!chan_is_dead(c, 1)) 2055 return; 2056 debug2("channel %d: garbage collecting", c->self); 2057 channel_free(c); 2058} 2059 2060static void 2061channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset) 2062{ 2063 static int did_init = 0; 2064 u_int i, oalloc; 2065 Channel *c; 2066 2067 if (!did_init) { 2068 channel_handler_init(); 2069 did_init = 1; 2070 } 2071 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { 2072 c = channels[i]; 2073 if (c == NULL) 2074 continue; 2075 if (c->delayed) { 2076 if (ftab == channel_pre) 2077 c->delayed = 0; 2078 else 2079 continue; 2080 } 2081 if (ftab[c->type] != NULL) 2082 (*ftab[c->type])(c, readset, writeset); 2083 channel_garbage_collect(c); 2084 } 2085} 2086 2087/* 2088 * Allocate/update select bitmasks and add any bits relevant to channels in 2089 * select bitmasks. 2090 */ 2091void 2092channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 2093 u_int *nallocp, int rekeying) 2094{ 2095 u_int n, sz, nfdset; 2096 2097 n = MAX(*maxfdp, channel_max_fd); 2098 2099 nfdset = howmany(n+1, NFDBITS); 2100 /* Explicitly test here, because xrealloc isn't always called */ 2101 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) 2102 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2103 sz = nfdset * sizeof(fd_mask); 2104 2105 /* perhaps check sz < nalloc/2 and shrink? */ 2106 if (*readsetp == NULL || sz > *nallocp) { 2107 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); 2108 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); 2109 *nallocp = sz; 2110 } 2111 *maxfdp = n; 2112 memset(*readsetp, 0, sz); 2113 memset(*writesetp, 0, sz); 2114 2115 if (!rekeying) 2116 channel_handler(channel_pre, *readsetp, *writesetp); 2117} 2118 2119/* 2120 * After select, perform any appropriate operations for channels which have 2121 * events pending. 2122 */ 2123void 2124channel_after_select(fd_set *readset, fd_set *writeset) 2125{ 2126 channel_handler(channel_post, readset, writeset); 2127} 2128 2129 2130/* If there is data to send to the connection, enqueue some of it now. */ 2131void 2132channel_output_poll(void) 2133{ 2134 Channel *c; 2135 u_int i, len; 2136 2137 for (i = 0; i < channels_alloc; i++) { 2138 c = channels[i]; 2139 if (c == NULL) 2140 continue; 2141 2142 /* 2143 * We are only interested in channels that can have buffered 2144 * incoming data. 2145 */ 2146 if (compat13) { 2147 if (c->type != SSH_CHANNEL_OPEN && 2148 c->type != SSH_CHANNEL_INPUT_DRAINING) 2149 continue; 2150 } else { 2151 if (c->type != SSH_CHANNEL_OPEN) 2152 continue; 2153 } 2154 if (compat20 && 2155 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2156 /* XXX is this true? */ 2157 debug3("channel %d: will not send data after close", c->self); 2158 continue; 2159 } 2160 2161 /* Get the amount of buffered data for this channel. */ 2162 if ((c->istate == CHAN_INPUT_OPEN || 2163 c->istate == CHAN_INPUT_WAIT_DRAIN) && 2164 (len = buffer_len(&c->input)) > 0) { 2165 if (c->datagram) { 2166 if (len > 0) { 2167 u_char *data; 2168 u_int dlen; 2169 2170 data = buffer_get_string(&c->input, 2171 &dlen); 2172 if (dlen > c->remote_window || 2173 dlen > c->remote_maxpacket) { 2174 debug("channel %d: datagram " 2175 "too big for channel", 2176 c->self); 2177 xfree(data); 2178 continue; 2179 } 2180 packet_start(SSH2_MSG_CHANNEL_DATA); 2181 packet_put_int(c->remote_id); 2182 packet_put_string(data, dlen); 2183 packet_send(); 2184 c->remote_window -= dlen + 4; 2185 xfree(data); 2186 } 2187 continue; 2188 } 2189 /* 2190 * Send some data for the other side over the secure 2191 * connection. 2192 */ 2193 if (compat20) { 2194 if (len > c->remote_window) 2195 len = c->remote_window; 2196 if (len > c->remote_maxpacket) 2197 len = c->remote_maxpacket; 2198 } else { 2199 if (packet_is_interactive()) { 2200 if (len > 1024) 2201 len = 512; 2202 } else { 2203 /* Keep the packets at reasonable size. */ 2204 if (len > packet_get_maxsize()/2) 2205 len = packet_get_maxsize()/2; 2206 } 2207 } 2208 if (len > 0) { 2209 packet_start(compat20 ? 2210 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 2211 packet_put_int(c->remote_id); 2212 packet_put_string(buffer_ptr(&c->input), len); 2213 packet_send(); 2214 buffer_consume(&c->input, len); 2215 c->remote_window -= len; 2216 } 2217 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2218 if (compat13) 2219 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 2220 /* 2221 * input-buffer is empty and read-socket shutdown: 2222 * tell peer, that we will not send more data: send IEOF. 2223 * hack for extended data: delay EOF if EFD still in use. 2224 */ 2225 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2226 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 2227 c->self, c->efd, buffer_len(&c->extended)); 2228 else 2229 chan_ibuf_empty(c); 2230 } 2231 /* Send extended data, i.e. stderr */ 2232 if (compat20 && 2233 !(c->flags & CHAN_EOF_SENT) && 2234 c->remote_window > 0 && 2235 (len = buffer_len(&c->extended)) > 0 && 2236 c->extended_usage == CHAN_EXTENDED_READ) { 2237 debug2("channel %d: rwin %u elen %u euse %d", 2238 c->self, c->remote_window, buffer_len(&c->extended), 2239 c->extended_usage); 2240 if (len > c->remote_window) 2241 len = c->remote_window; 2242 if (len > c->remote_maxpacket) 2243 len = c->remote_maxpacket; 2244 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 2245 packet_put_int(c->remote_id); 2246 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 2247 packet_put_string(buffer_ptr(&c->extended), len); 2248 packet_send(); 2249 buffer_consume(&c->extended, len); 2250 c->remote_window -= len; 2251 debug2("channel %d: sent ext data %d", c->self, len); 2252 } 2253 } 2254} 2255 2256 2257/* -- protocol input */ 2258 2259/* ARGSUSED */ 2260void 2261channel_input_data(int type, u_int32_t seq, void *ctxt) 2262{ 2263 int id; 2264 char *data; 2265 u_int data_len, win_len; 2266 Channel *c; 2267 2268 /* Get the channel number and verify it. */ 2269 id = packet_get_int(); 2270 c = channel_lookup(id); 2271 if (c == NULL) 2272 packet_disconnect("Received data for nonexistent channel %d.", id); 2273 2274 /* Ignore any data for non-open channels (might happen on close) */ 2275 if (c->type != SSH_CHANNEL_OPEN && 2276 c->type != SSH_CHANNEL_X11_OPEN) 2277 return; 2278 2279 /* Get the data. */ 2280 data = packet_get_string_ptr(&data_len); 2281 win_len = data_len; 2282 if (c->datagram) 2283 win_len += 4; /* string length header */ 2284 2285 /* 2286 * Ignore data for protocol > 1.3 if output end is no longer open. 2287 * For protocol 2 the sending side is reducing its window as it sends 2288 * data, so we must 'fake' consumption of the data in order to ensure 2289 * that window updates are sent back. Otherwise the connection might 2290 * deadlock. 2291 */ 2292 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2293 if (compat20) { 2294 c->local_window -= win_len; 2295 c->local_consumed += win_len; 2296 } 2297 return; 2298 } 2299 2300 if (compat20) { 2301 if (win_len > c->local_maxpacket) { 2302 logit("channel %d: rcvd big packet %d, maxpack %d", 2303 c->self, win_len, c->local_maxpacket); 2304 } 2305 if (win_len > c->local_window) { 2306 logit("channel %d: rcvd too much data %d, win %d", 2307 c->self, win_len, c->local_window); 2308 return; 2309 } 2310 c->local_window -= win_len; 2311 } 2312 if (c->datagram) 2313 buffer_put_string(&c->output, data, data_len); 2314 else 2315 buffer_append(&c->output, data, data_len); 2316 packet_check_eom(); 2317} 2318 2319/* ARGSUSED */ 2320void 2321channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2322{ 2323 int id; 2324 char *data; 2325 u_int data_len, tcode; 2326 Channel *c; 2327 2328 /* Get the channel number and verify it. */ 2329 id = packet_get_int(); 2330 c = channel_lookup(id); 2331 2332 if (c == NULL) 2333 packet_disconnect("Received extended_data for bad channel %d.", id); 2334 if (c->type != SSH_CHANNEL_OPEN) { 2335 logit("channel %d: ext data for non open", id); 2336 return; 2337 } 2338 if (c->flags & CHAN_EOF_RCVD) { 2339 if (datafellows & SSH_BUG_EXTEOF) 2340 debug("channel %d: accepting ext data after eof", id); 2341 else 2342 packet_disconnect("Received extended_data after EOF " 2343 "on channel %d.", id); 2344 } 2345 tcode = packet_get_int(); 2346 if (c->efd == -1 || 2347 c->extended_usage != CHAN_EXTENDED_WRITE || 2348 tcode != SSH2_EXTENDED_DATA_STDERR) { 2349 logit("channel %d: bad ext data", c->self); 2350 return; 2351 } 2352 data = packet_get_string(&data_len); 2353 packet_check_eom(); 2354 if (data_len > c->local_window) { 2355 logit("channel %d: rcvd too much extended_data %d, win %d", 2356 c->self, data_len, c->local_window); 2357 xfree(data); 2358 return; 2359 } 2360 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2361 c->local_window -= data_len; 2362 buffer_append(&c->extended, data, data_len); 2363 xfree(data); 2364} 2365 2366/* ARGSUSED */ 2367void 2368channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2369{ 2370 int id; 2371 Channel *c; 2372 2373 id = packet_get_int(); 2374 packet_check_eom(); 2375 c = channel_lookup(id); 2376 if (c == NULL) 2377 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2378 chan_rcvd_ieof(c); 2379 2380 /* XXX force input close */ 2381 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2382 debug("channel %d: FORCE input drain", c->self); 2383 c->istate = CHAN_INPUT_WAIT_DRAIN; 2384 if (buffer_len(&c->input) == 0) 2385 chan_ibuf_empty(c); 2386 } 2387 2388} 2389 2390/* ARGSUSED */ 2391void 2392channel_input_close(int type, u_int32_t seq, void *ctxt) 2393{ 2394 int id; 2395 Channel *c; 2396 2397 id = packet_get_int(); 2398 packet_check_eom(); 2399 c = channel_lookup(id); 2400 if (c == NULL) 2401 packet_disconnect("Received close for nonexistent channel %d.", id); 2402 2403 /* 2404 * Send a confirmation that we have closed the channel and no more 2405 * data is coming for it. 2406 */ 2407 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2408 packet_put_int(c->remote_id); 2409 packet_send(); 2410 2411 /* 2412 * If the channel is in closed state, we have sent a close request, 2413 * and the other side will eventually respond with a confirmation. 2414 * Thus, we cannot free the channel here, because then there would be 2415 * no-one to receive the confirmation. The channel gets freed when 2416 * the confirmation arrives. 2417 */ 2418 if (c->type != SSH_CHANNEL_CLOSED) { 2419 /* 2420 * Not a closed channel - mark it as draining, which will 2421 * cause it to be freed later. 2422 */ 2423 buffer_clear(&c->input); 2424 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2425 } 2426} 2427 2428/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2429/* ARGSUSED */ 2430void 2431channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2432{ 2433 int id = packet_get_int(); 2434 Channel *c = channel_lookup(id); 2435 2436 packet_check_eom(); 2437 if (c == NULL) 2438 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2439 chan_rcvd_oclose(c); 2440} 2441 2442/* ARGSUSED */ 2443void 2444channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2445{ 2446 int id = packet_get_int(); 2447 Channel *c = channel_lookup(id); 2448 2449 packet_check_eom(); 2450 if (c == NULL) 2451 packet_disconnect("Received close confirmation for " 2452 "out-of-range channel %d.", id); 2453 if (c->type != SSH_CHANNEL_CLOSED) 2454 packet_disconnect("Received close confirmation for " 2455 "non-closed channel %d (type %d).", id, c->type); 2456 channel_free(c); 2457} 2458 2459/* ARGSUSED */ 2460void 2461channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2462{ 2463 int id, remote_id; 2464 Channel *c; 2465 2466 id = packet_get_int(); 2467 c = channel_lookup(id); 2468 2469 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2470 packet_disconnect("Received open confirmation for " 2471 "non-opening channel %d.", id); 2472 remote_id = packet_get_int(); 2473 /* Record the remote channel number and mark that the channel is now open. */ 2474 c->remote_id = remote_id; 2475 c->type = SSH_CHANNEL_OPEN; 2476 2477 if (compat20) { 2478 c->remote_window = packet_get_int(); 2479 c->remote_maxpacket = packet_get_int(); 2480 if (c->open_confirm) { 2481 debug2("callback start"); 2482 c->open_confirm(c->self, 1, c->open_confirm_ctx); 2483 debug2("callback done"); 2484 } 2485 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2486 c->remote_window, c->remote_maxpacket); 2487 } 2488 packet_check_eom(); 2489} 2490 2491static char * 2492reason2txt(int reason) 2493{ 2494 switch (reason) { 2495 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2496 return "administratively prohibited"; 2497 case SSH2_OPEN_CONNECT_FAILED: 2498 return "connect failed"; 2499 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2500 return "unknown channel type"; 2501 case SSH2_OPEN_RESOURCE_SHORTAGE: 2502 return "resource shortage"; 2503 } 2504 return "unknown reason"; 2505} 2506 2507/* ARGSUSED */ 2508void 2509channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2510{ 2511 int id, reason; 2512 char *msg = NULL, *lang = NULL; 2513 Channel *c; 2514 2515 id = packet_get_int(); 2516 c = channel_lookup(id); 2517 2518 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2519 packet_disconnect("Received open failure for " 2520 "non-opening channel %d.", id); 2521 if (compat20) { 2522 reason = packet_get_int(); 2523 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2524 msg = packet_get_string(NULL); 2525 lang = packet_get_string(NULL); 2526 } 2527 logit("channel %d: open failed: %s%s%s", id, 2528 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2529 if (msg != NULL) 2530 xfree(msg); 2531 if (lang != NULL) 2532 xfree(lang); 2533 if (c->open_confirm) { 2534 debug2("callback start"); 2535 c->open_confirm(c->self, 0, c->open_confirm_ctx); 2536 debug2("callback done"); 2537 } 2538 } 2539 packet_check_eom(); 2540 /* Schedule the channel for cleanup/deletion. */ 2541 chan_mark_dead(c); 2542} 2543 2544/* ARGSUSED */ 2545void 2546channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2547{ 2548 Channel *c; 2549 int id; 2550 u_int adjust; 2551 2552 if (!compat20) 2553 return; 2554 2555 /* Get the channel number and verify it. */ 2556 id = packet_get_int(); 2557 c = channel_lookup(id); 2558 2559 if (c == NULL) { 2560 logit("Received window adjust for non-open channel %d.", id); 2561 return; 2562 } 2563 adjust = packet_get_int(); 2564 packet_check_eom(); 2565 debug2("channel %d: rcvd adjust %u", id, adjust); 2566 c->remote_window += adjust; 2567} 2568 2569/* ARGSUSED */ 2570void 2571channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2572{ 2573 Channel *c = NULL; 2574 u_short host_port; 2575 char *host, *originator_string; 2576 int remote_id; 2577 2578 remote_id = packet_get_int(); 2579 host = packet_get_string(NULL); 2580 host_port = packet_get_int(); 2581 2582 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2583 originator_string = packet_get_string(NULL); 2584 } else { 2585 originator_string = xstrdup("unknown (remote did not supply name)"); 2586 } 2587 packet_check_eom(); 2588 c = channel_connect_to(host, host_port, 2589 "connected socket", originator_string); 2590 xfree(originator_string); 2591 xfree(host); 2592 if (c == NULL) { 2593 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2594 packet_put_int(remote_id); 2595 packet_send(); 2596 } else 2597 c->remote_id = remote_id; 2598} 2599 2600/* ARGSUSED */ 2601void 2602channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) 2603{ 2604 Channel *c; 2605 struct channel_confirm *cc; 2606 int id; 2607 2608 /* Reset keepalive timeout */ 2609 packet_set_alive_timeouts(0); 2610 2611 id = packet_get_int(); 2612 packet_check_eom(); 2613 2614 debug2("channel_input_status_confirm: type %d id %d", type, id); 2615 2616 if ((c = channel_lookup(id)) == NULL) { 2617 logit("channel_input_status_confirm: %d: unknown", id); 2618 return; 2619 } 2620 ; 2621 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 2622 return; 2623 cc->cb(type, c, cc->ctx); 2624 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2625 bzero(cc, sizeof(*cc)); 2626 xfree(cc); 2627} 2628 2629/* -- tcp forwarding */ 2630 2631void 2632channel_set_af(int af) 2633{ 2634 IPv4or6 = af; 2635} 2636 2637static int 2638channel_setup_fwd_listener(int type, const char *listen_addr, 2639 u_short listen_port, int *allocated_listen_port, 2640 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2641{ 2642 Channel *c; 2643 int sock, r, success = 0, wildcard = 0, is_client; 2644 struct addrinfo hints, *ai, *aitop; 2645 const char *host, *addr; 2646 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2647 in_port_t *lport_p; 2648 2649 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2650 listen_addr : host_to_connect; 2651 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2652 2653 if (host == NULL) { 2654 error("No forward host name."); 2655 return 0; 2656 } 2657 if (strlen(host) >= NI_MAXHOST) { 2658 error("Forward host name too long."); 2659 return 0; 2660 } 2661 2662 /* 2663 * Determine whether or not a port forward listens to loopback, 2664 * specified address or wildcard. On the client, a specified bind 2665 * address will always override gateway_ports. On the server, a 2666 * gateway_ports of 1 (``yes'') will override the client's 2667 * specification and force a wildcard bind, whereas a value of 2 2668 * (``clientspecified'') will bind to whatever address the client 2669 * asked for. 2670 * 2671 * Special-case listen_addrs are: 2672 * 2673 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2674 * "" (empty string), "*" -> wildcard v4/v6 2675 * "localhost" -> loopback v4/v6 2676 */ 2677 addr = NULL; 2678 if (listen_addr == NULL) { 2679 /* No address specified: default to gateway_ports setting */ 2680 if (gateway_ports) 2681 wildcard = 1; 2682 } else if (gateway_ports || is_client) { 2683 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2684 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 2685 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2686 (!is_client && gateway_ports == 1)) 2687 wildcard = 1; 2688 else if (strcmp(listen_addr, "localhost") != 0) 2689 addr = listen_addr; 2690 } 2691 2692 debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s", 2693 type, wildcard, (addr == NULL) ? "NULL" : addr); 2694 2695 /* 2696 * getaddrinfo returns a loopback address if the hostname is 2697 * set to NULL and hints.ai_flags is not AI_PASSIVE 2698 */ 2699 memset(&hints, 0, sizeof(hints)); 2700 hints.ai_family = IPv4or6; 2701 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2702 hints.ai_socktype = SOCK_STREAM; 2703 snprintf(strport, sizeof strport, "%d", listen_port); 2704 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2705 if (addr == NULL) { 2706 /* This really shouldn't happen */ 2707 packet_disconnect("getaddrinfo: fatal error: %s", 2708 ssh_gai_strerror(r)); 2709 } else { 2710 error("channel_setup_fwd_listener: " 2711 "getaddrinfo(%.64s): %s", addr, 2712 ssh_gai_strerror(r)); 2713 } 2714 return 0; 2715 } 2716 if (allocated_listen_port != NULL) 2717 *allocated_listen_port = 0; 2718 for (ai = aitop; ai; ai = ai->ai_next) { 2719 switch (ai->ai_family) { 2720 case AF_INET: 2721 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 2722 sin_port; 2723 break; 2724 case AF_INET6: 2725 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 2726 sin6_port; 2727 break; 2728 default: 2729 continue; 2730 } 2731 /* 2732 * If allocating a port for -R forwards, then use the 2733 * same port for all address families. 2734 */ 2735 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2736 allocated_listen_port != NULL && *allocated_listen_port > 0) 2737 *lport_p = htons(*allocated_listen_port); 2738 2739 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2740 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2741 error("channel_setup_fwd_listener: getnameinfo failed"); 2742 continue; 2743 } 2744 /* Create a port to listen for the host. */ 2745 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2746 if (sock < 0) { 2747 /* this is no error since kernel may not support ipv6 */ 2748 verbose("socket: %.100s", strerror(errno)); 2749 continue; 2750 } 2751 2752 channel_set_reuseaddr(sock); 2753 if (ai->ai_family == AF_INET6) 2754 sock_set_v6only(sock); 2755 2756 debug("Local forwarding listening on %s port %s.", 2757 ntop, strport); 2758 2759 /* Bind the socket to the address. */ 2760 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2761 /* address can be in use ipv6 address is already bound */ 2762 if (!ai->ai_next) 2763 error("bind: %.100s", strerror(errno)); 2764 else 2765 verbose("bind: %.100s", strerror(errno)); 2766 2767 close(sock); 2768 continue; 2769 } 2770 /* Start listening for connections on the socket. */ 2771 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2772 error("listen: %.100s", strerror(errno)); 2773 close(sock); 2774 continue; 2775 } 2776 2777 /* 2778 * listen_port == 0 requests a dynamically allocated port - 2779 * record what we got. 2780 */ 2781 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2782 allocated_listen_port != NULL && 2783 *allocated_listen_port == 0) { 2784 *allocated_listen_port = get_sock_port(sock, 1); 2785 debug("Allocated listen port %d", 2786 *allocated_listen_port); 2787 } 2788 2789 /* Allocate a channel number for the socket. */ 2790 c = channel_new("port listener", type, sock, sock, -1, 2791 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2792 0, "port listener", 1); 2793 c->path = xstrdup(host); 2794 c->host_port = port_to_connect; 2795 c->listening_port = listen_port; 2796 success = 1; 2797 } 2798 if (success == 0) 2799 error("channel_setup_fwd_listener: cannot listen to port: %d", 2800 listen_port); 2801 freeaddrinfo(aitop); 2802 return success; 2803} 2804 2805int 2806channel_cancel_rport_listener(const char *host, u_short port) 2807{ 2808 u_int i; 2809 int found = 0; 2810 2811 for (i = 0; i < channels_alloc; i++) { 2812 Channel *c = channels[i]; 2813 2814 if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER && 2815 strcmp(c->path, host) == 0 && c->listening_port == port) { 2816 debug2("%s: close channel %d", __func__, i); 2817 channel_free(c); 2818 found = 1; 2819 } 2820 } 2821 2822 return (found); 2823} 2824 2825/* protocol local port fwd, used by ssh (and sshd in v1) */ 2826int 2827channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, 2828 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2829{ 2830 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2831 listen_host, listen_port, NULL, host_to_connect, port_to_connect, 2832 gateway_ports); 2833} 2834 2835/* protocol v2 remote port fwd, used by sshd */ 2836int 2837channel_setup_remote_fwd_listener(const char *listen_address, 2838 u_short listen_port, int *allocated_listen_port, int gateway_ports) 2839{ 2840 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2841 listen_address, listen_port, allocated_listen_port, 2842 NULL, 0, gateway_ports); 2843} 2844 2845/* 2846 * Initiate forwarding of connections to port "port" on remote host through 2847 * the secure channel to host:port from local side. 2848 */ 2849 2850int 2851channel_request_remote_forwarding(const char *listen_host, u_short listen_port, 2852 const char *host_to_connect, u_short port_to_connect) 2853{ 2854 int type, success = 0; 2855 2856 /* Send the forward request to the remote side. */ 2857 if (compat20) { 2858 const char *address_to_bind; 2859 if (listen_host == NULL) { 2860 if (datafellows & SSH_BUG_RFWD_ADDR) 2861 address_to_bind = "127.0.0.1"; 2862 else 2863 address_to_bind = "localhost"; 2864 } else if (*listen_host == '\0' || 2865 strcmp(listen_host, "*") == 0) { 2866 if (datafellows & SSH_BUG_RFWD_ADDR) 2867 address_to_bind = "0.0.0.0"; 2868 else 2869 address_to_bind = ""; 2870 } else 2871 address_to_bind = listen_host; 2872 2873 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2874 packet_put_cstring("tcpip-forward"); 2875 packet_put_char(1); /* boolean: want reply */ 2876 packet_put_cstring(address_to_bind); 2877 packet_put_int(listen_port); 2878 packet_send(); 2879 packet_write_wait(); 2880 /* Assume that server accepts the request */ 2881 success = 1; 2882 } else { 2883 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 2884 packet_put_int(listen_port); 2885 packet_put_cstring(host_to_connect); 2886 packet_put_int(port_to_connect); 2887 packet_send(); 2888 packet_write_wait(); 2889 2890 /* Wait for response from the remote side. */ 2891 type = packet_read(); 2892 switch (type) { 2893 case SSH_SMSG_SUCCESS: 2894 success = 1; 2895 break; 2896 case SSH_SMSG_FAILURE: 2897 break; 2898 default: 2899 /* Unknown packet */ 2900 packet_disconnect("Protocol error for port forward request:" 2901 "received packet type %d.", type); 2902 } 2903 } 2904 if (success) { 2905 /* Record that connection to this host/port is permitted. */ 2906 permitted_opens = xrealloc(permitted_opens, 2907 num_permitted_opens + 1, sizeof(*permitted_opens)); 2908 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); 2909 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; 2910 permitted_opens[num_permitted_opens].listen_port = listen_port; 2911 num_permitted_opens++; 2912 } 2913 return (success ? 0 : -1); 2914} 2915 2916/* 2917 * Request cancellation of remote forwarding of connection host:port from 2918 * local side. 2919 */ 2920void 2921channel_request_rforward_cancel(const char *host, u_short port) 2922{ 2923 int i; 2924 2925 if (!compat20) 2926 return; 2927 2928 for (i = 0; i < num_permitted_opens; i++) { 2929 if (permitted_opens[i].host_to_connect != NULL && 2930 permitted_opens[i].listen_port == port) 2931 break; 2932 } 2933 if (i >= num_permitted_opens) { 2934 debug("%s: requested forward not found", __func__); 2935 return; 2936 } 2937 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2938 packet_put_cstring("cancel-tcpip-forward"); 2939 packet_put_char(0); 2940 packet_put_cstring(host == NULL ? "" : host); 2941 packet_put_int(port); 2942 packet_send(); 2943 2944 permitted_opens[i].listen_port = 0; 2945 permitted_opens[i].port_to_connect = 0; 2946 xfree(permitted_opens[i].host_to_connect); 2947 permitted_opens[i].host_to_connect = NULL; 2948} 2949 2950/* 2951 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 2952 * listening for the port, and sends back a success reply (or disconnect 2953 * message if there was an error). 2954 */ 2955int 2956channel_input_port_forward_request(int is_root, int gateway_ports) 2957{ 2958 u_short port, host_port; 2959 int success = 0; 2960 char *hostname; 2961 2962 /* Get arguments from the packet. */ 2963 port = packet_get_int(); 2964 hostname = packet_get_string(NULL); 2965 host_port = packet_get_int(); 2966 2967#ifndef HAVE_CYGWIN 2968 /* 2969 * Check that an unprivileged user is not trying to forward a 2970 * privileged port. 2971 */ 2972 if (port < IPPORT_RESERVED && !is_root) 2973 packet_disconnect( 2974 "Requested forwarding of port %d but user is not root.", 2975 port); 2976 if (host_port == 0) 2977 packet_disconnect("Dynamic forwarding denied."); 2978#endif 2979 2980 /* Initiate forwarding */ 2981 success = channel_setup_local_fwd_listener(NULL, port, hostname, 2982 host_port, gateway_ports); 2983 2984 /* Free the argument string. */ 2985 xfree(hostname); 2986 2987 return (success ? 0 : -1); 2988} 2989 2990/* 2991 * Permits opening to any host/port if permitted_opens[] is empty. This is 2992 * usually called by the server, because the user could connect to any port 2993 * anyway, and the server has no way to know but to trust the client anyway. 2994 */ 2995void 2996channel_permit_all_opens(void) 2997{ 2998 if (num_permitted_opens == 0) 2999 all_opens_permitted = 1; 3000} 3001 3002void 3003channel_add_permitted_opens(char *host, int port) 3004{ 3005 debug("allow port forwarding to host %s port %d", host, port); 3006 3007 permitted_opens = xrealloc(permitted_opens, 3008 num_permitted_opens + 1, sizeof(*permitted_opens)); 3009 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 3010 permitted_opens[num_permitted_opens].port_to_connect = port; 3011 num_permitted_opens++; 3012 3013 all_opens_permitted = 0; 3014} 3015 3016int 3017channel_add_adm_permitted_opens(char *host, int port) 3018{ 3019 debug("config allows port forwarding to host %s port %d", host, port); 3020 3021 permitted_adm_opens = xrealloc(permitted_adm_opens, 3022 num_adm_permitted_opens + 1, sizeof(*permitted_adm_opens)); 3023 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 3024 = xstrdup(host); 3025 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 3026 return ++num_adm_permitted_opens; 3027} 3028 3029void 3030channel_clear_permitted_opens(void) 3031{ 3032 int i; 3033 3034 for (i = 0; i < num_permitted_opens; i++) 3035 if (permitted_opens[i].host_to_connect != NULL) 3036 xfree(permitted_opens[i].host_to_connect); 3037 if (num_permitted_opens > 0) { 3038 xfree(permitted_opens); 3039 permitted_opens = NULL; 3040 } 3041 num_permitted_opens = 0; 3042} 3043 3044void 3045channel_clear_adm_permitted_opens(void) 3046{ 3047 int i; 3048 3049 for (i = 0; i < num_adm_permitted_opens; i++) 3050 if (permitted_adm_opens[i].host_to_connect != NULL) 3051 xfree(permitted_adm_opens[i].host_to_connect); 3052 if (num_adm_permitted_opens > 0) { 3053 xfree(permitted_adm_opens); 3054 permitted_adm_opens = NULL; 3055 } 3056 num_adm_permitted_opens = 0; 3057} 3058 3059void 3060channel_print_adm_permitted_opens(void) 3061{ 3062 int i; 3063 3064 printf("permitopen"); 3065 if (num_adm_permitted_opens == 0) { 3066 printf(" any\n"); 3067 return; 3068 } 3069 for (i = 0; i < num_adm_permitted_opens; i++) 3070 if (permitted_adm_opens[i].host_to_connect != NULL) 3071 printf(" %s:%d", permitted_adm_opens[i].host_to_connect, 3072 permitted_adm_opens[i].port_to_connect); 3073 printf("\n"); 3074} 3075 3076/* Try to start non-blocking connect to next host in cctx list */ 3077static int 3078connect_next(struct channel_connect *cctx) 3079{ 3080 int sock, saved_errno; 3081 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 3082 3083 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 3084 if (cctx->ai->ai_family != AF_INET && 3085 cctx->ai->ai_family != AF_INET6) 3086 continue; 3087 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 3088 ntop, sizeof(ntop), strport, sizeof(strport), 3089 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3090 error("connect_next: getnameinfo failed"); 3091 continue; 3092 } 3093 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 3094 cctx->ai->ai_protocol)) == -1) { 3095 if (cctx->ai->ai_next == NULL) 3096 error("socket: %.100s", strerror(errno)); 3097 else 3098 verbose("socket: %.100s", strerror(errno)); 3099 continue; 3100 } 3101 if (set_nonblock(sock) == -1) 3102 fatal("%s: set_nonblock(%d)", __func__, sock); 3103 if (connect(sock, cctx->ai->ai_addr, 3104 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 3105 debug("connect_next: host %.100s ([%.100s]:%s): " 3106 "%.100s", cctx->host, ntop, strport, 3107 strerror(errno)); 3108 saved_errno = errno; 3109 close(sock); 3110 errno = saved_errno; 3111 continue; /* fail -- try next */ 3112 } 3113 debug("connect_next: host %.100s ([%.100s]:%s) " 3114 "in progress, fd=%d", cctx->host, ntop, strport, sock); 3115 cctx->ai = cctx->ai->ai_next; 3116 set_nodelay(sock); 3117 return sock; 3118 } 3119 return -1; 3120} 3121 3122static void 3123channel_connect_ctx_free(struct channel_connect *cctx) 3124{ 3125 xfree(cctx->host); 3126 if (cctx->aitop) 3127 freeaddrinfo(cctx->aitop); 3128 bzero(cctx, sizeof(*cctx)); 3129 cctx->host = NULL; 3130 cctx->ai = cctx->aitop = NULL; 3131} 3132 3133/* Return CONNECTING channel to remote host, port */ 3134static Channel * 3135connect_to(const char *host, u_short port, char *ctype, char *rname) 3136{ 3137 struct addrinfo hints; 3138 int gaierr; 3139 int sock = -1; 3140 char strport[NI_MAXSERV]; 3141 struct channel_connect cctx; 3142 Channel *c; 3143 3144 memset(&cctx, 0, sizeof(cctx)); 3145 memset(&hints, 0, sizeof(hints)); 3146 hints.ai_family = IPv4or6; 3147 hints.ai_socktype = SOCK_STREAM; 3148 snprintf(strport, sizeof strport, "%d", port); 3149 if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) { 3150 error("connect_to %.100s: unknown host (%s)", host, 3151 ssh_gai_strerror(gaierr)); 3152 return NULL; 3153 } 3154 3155 cctx.host = xstrdup(host); 3156 cctx.port = port; 3157 cctx.ai = cctx.aitop; 3158 3159 if ((sock = connect_next(&cctx)) == -1) { 3160 error("connect to %.100s port %d failed: %s", 3161 host, port, strerror(errno)); 3162 channel_connect_ctx_free(&cctx); 3163 return NULL; 3164 } 3165 c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 3166 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 3167 c->connect_ctx = cctx; 3168 return c; 3169} 3170 3171Channel * 3172channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) 3173{ 3174 int i; 3175 3176 for (i = 0; i < num_permitted_opens; i++) { 3177 if (permitted_opens[i].host_to_connect != NULL && 3178 permitted_opens[i].listen_port == listen_port) { 3179 return connect_to( 3180 permitted_opens[i].host_to_connect, 3181 permitted_opens[i].port_to_connect, ctype, rname); 3182 } 3183 } 3184 error("WARNING: Server requests forwarding for unknown listen_port %d", 3185 listen_port); 3186 return NULL; 3187} 3188 3189/* Check if connecting to that port is permitted and connect. */ 3190Channel * 3191channel_connect_to(const char *host, u_short port, char *ctype, char *rname) 3192{ 3193 int i, permit, permit_adm = 1; 3194 3195 permit = all_opens_permitted; 3196 if (!permit) { 3197 for (i = 0; i < num_permitted_opens; i++) 3198 if (permitted_opens[i].host_to_connect != NULL && 3199 permitted_opens[i].port_to_connect == port && 3200 strcmp(permitted_opens[i].host_to_connect, host) == 0) 3201 permit = 1; 3202 } 3203 3204 if (num_adm_permitted_opens > 0) { 3205 permit_adm = 0; 3206 for (i = 0; i < num_adm_permitted_opens; i++) 3207 if (permitted_adm_opens[i].host_to_connect != NULL && 3208 permitted_adm_opens[i].port_to_connect == port && 3209 strcmp(permitted_adm_opens[i].host_to_connect, host) 3210 == 0) 3211 permit_adm = 1; 3212 } 3213 3214 if (!permit || !permit_adm) { 3215 logit("Received request to connect to host %.100s port %d, " 3216 "but the request was denied.", host, port); 3217 return NULL; 3218 } 3219 return connect_to(host, port, ctype, rname); 3220} 3221 3222void 3223channel_send_window_changes(void) 3224{ 3225 u_int i; 3226 struct winsize ws; 3227 3228 for (i = 0; i < channels_alloc; i++) { 3229 if (channels[i] == NULL || !channels[i]->client_tty || 3230 channels[i]->type != SSH_CHANNEL_OPEN) 3231 continue; 3232 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 3233 continue; 3234 channel_request_start(i, "window-change", 0); 3235 packet_put_int((u_int)ws.ws_col); 3236 packet_put_int((u_int)ws.ws_row); 3237 packet_put_int((u_int)ws.ws_xpixel); 3238 packet_put_int((u_int)ws.ws_ypixel); 3239 packet_send(); 3240 } 3241} 3242 3243/* -- X11 forwarding */ 3244 3245/* 3246 * Creates an internet domain socket for listening for X11 connections. 3247 * Returns 0 and a suitable display number for the DISPLAY variable 3248 * stored in display_numberp , or -1 if an error occurs. 3249 */ 3250int 3251x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 3252 int single_connection, u_int *display_numberp, int **chanids) 3253{ 3254 Channel *nc = NULL; 3255 int display_number, sock; 3256 u_short port; 3257 struct addrinfo hints, *ai, *aitop; 3258 char strport[NI_MAXSERV]; 3259 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 3260 3261 if (chanids == NULL) 3262 return -1; 3263 3264 for (display_number = x11_display_offset; 3265 display_number < MAX_DISPLAYS; 3266 display_number++) { 3267 port = 6000 + display_number; 3268 memset(&hints, 0, sizeof(hints)); 3269 hints.ai_family = IPv4or6; 3270 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 3271 hints.ai_socktype = SOCK_STREAM; 3272 snprintf(strport, sizeof strport, "%d", port); 3273 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 3274 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 3275 return -1; 3276 } 3277 for (ai = aitop; ai; ai = ai->ai_next) { 3278 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 3279 continue; 3280 sock = socket(ai->ai_family, ai->ai_socktype, 3281 ai->ai_protocol); 3282 if (sock < 0) { 3283 if ((errno != EINVAL) && (errno != EAFNOSUPPORT) 3284#ifdef EPFNOSUPPORT 3285 && (errno != EPFNOSUPPORT) 3286#endif 3287 ) { 3288 error("socket: %.100s", strerror(errno)); 3289 freeaddrinfo(aitop); 3290 return -1; 3291 } else { 3292 debug("x11_create_display_inet: Socket family %d not supported", 3293 ai->ai_family); 3294 continue; 3295 } 3296 } 3297 if (ai->ai_family == AF_INET6) 3298 sock_set_v6only(sock); 3299 if (x11_use_localhost) 3300 channel_set_reuseaddr(sock); 3301 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3302 debug2("bind port %d: %.100s", port, strerror(errno)); 3303 close(sock); 3304 3305 for (n = 0; n < num_socks; n++) { 3306 close(socks[n]); 3307 } 3308 num_socks = 0; 3309 break; 3310 } 3311 socks[num_socks++] = sock; 3312 if (num_socks == NUM_SOCKS) 3313 break; 3314 } 3315 freeaddrinfo(aitop); 3316 if (num_socks > 0) 3317 break; 3318 } 3319 if (display_number >= MAX_DISPLAYS) { 3320 error("Failed to allocate internet-domain X11 display socket."); 3321 return -1; 3322 } 3323 /* Start listening for connections on the socket. */ 3324 for (n = 0; n < num_socks; n++) { 3325 sock = socks[n]; 3326 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3327 error("listen: %.100s", strerror(errno)); 3328 close(sock); 3329 return -1; 3330 } 3331 } 3332 3333 /* Allocate a channel for each socket. */ 3334 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 3335 for (n = 0; n < num_socks; n++) { 3336 sock = socks[n]; 3337 nc = channel_new("x11 listener", 3338 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 3339 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 3340 0, "X11 inet listener", 1); 3341 nc->single_connection = single_connection; 3342 (*chanids)[n] = nc->self; 3343 } 3344 (*chanids)[n] = -1; 3345 3346 /* Return the display number for the DISPLAY environment variable. */ 3347 *display_numberp = display_number; 3348 return (0); 3349} 3350 3351static int 3352connect_local_xsocket_path(const char *pathname) 3353{ 3354 int sock; 3355 struct sockaddr_un addr; 3356 3357 sock = socket(AF_UNIX, SOCK_STREAM, 0); 3358 if (sock < 0) 3359 error("socket: %.100s", strerror(errno)); 3360 memset(&addr, 0, sizeof(addr)); 3361 addr.sun_family = AF_UNIX; 3362 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 3363 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 3364 return sock; 3365 close(sock); 3366 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 3367 return -1; 3368} 3369 3370static int 3371connect_local_xsocket(u_int dnr) 3372{ 3373 char buf[1024]; 3374 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 3375 return connect_local_xsocket_path(buf); 3376} 3377 3378int 3379x11_connect_display(void) 3380{ 3381 u_int display_number; 3382 const char *display; 3383 char buf[1024], *cp; 3384 struct addrinfo hints, *ai, *aitop; 3385 char strport[NI_MAXSERV]; 3386 int gaierr, sock = 0; 3387 3388 /* Try to open a socket for the local X server. */ 3389 display = getenv("DISPLAY"); 3390 if (!display) { 3391 error("DISPLAY not set."); 3392 return -1; 3393 } 3394 /* 3395 * Now we decode the value of the DISPLAY variable and make a 3396 * connection to the real X server. 3397 */ 3398 3399 /* Check if the display is from launchd. */ 3400#ifdef __APPLE__ 3401 if (strncmp(display, "/tmp/launch", 11) == 0) { 3402 sock = connect_local_xsocket_path(display); 3403 if (sock < 0) 3404 return -1; 3405 3406 /* OK, we now have a connection to the display. */ 3407 return sock; 3408 } 3409#endif 3410 /* 3411 * Check if it is a unix domain socket. Unix domain displays are in 3412 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 3413 */ 3414 if (strncmp(display, "unix:", 5) == 0 || 3415 display[0] == ':') { 3416 /* Connect to the unix domain socket. */ 3417 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 3418 error("Could not parse display number from DISPLAY: %.100s", 3419 display); 3420 return -1; 3421 } 3422 /* Create a socket. */ 3423 sock = connect_local_xsocket(display_number); 3424 if (sock < 0) 3425 return -1; 3426 3427 /* OK, we now have a connection to the display. */ 3428 return sock; 3429 } 3430 /* 3431 * Connect to an inet socket. The DISPLAY value is supposedly 3432 * hostname:d[.s], where hostname may also be numeric IP address. 3433 */ 3434 strlcpy(buf, display, sizeof(buf)); 3435 cp = strchr(buf, ':'); 3436 if (!cp) { 3437 error("Could not find ':' in DISPLAY: %.100s", display); 3438 return -1; 3439 } 3440 *cp = 0; 3441 /* buf now contains the host name. But first we parse the display number. */ 3442 if (sscanf(cp + 1, "%u", &display_number) != 1) { 3443 error("Could not parse display number from DISPLAY: %.100s", 3444 display); 3445 return -1; 3446 } 3447 3448 /* Look up the host address */ 3449 memset(&hints, 0, sizeof(hints)); 3450 hints.ai_family = IPv4or6; 3451 hints.ai_socktype = SOCK_STREAM; 3452 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 3453 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 3454 error("%.100s: unknown host. (%s)", buf, 3455 ssh_gai_strerror(gaierr)); 3456 return -1; 3457 } 3458 for (ai = aitop; ai; ai = ai->ai_next) { 3459 /* Create a socket. */ 3460 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3461 if (sock < 0) { 3462 debug2("socket: %.100s", strerror(errno)); 3463 continue; 3464 } 3465 /* Connect it to the display. */ 3466 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3467 debug2("connect %.100s port %u: %.100s", buf, 3468 6000 + display_number, strerror(errno)); 3469 close(sock); 3470 continue; 3471 } 3472 /* Success */ 3473 break; 3474 } 3475 freeaddrinfo(aitop); 3476 if (!ai) { 3477 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 3478 strerror(errno)); 3479 return -1; 3480 } 3481 set_nodelay(sock); 3482 return sock; 3483} 3484 3485/* 3486 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 3487 * the remote channel number. We should do whatever we want, and respond 3488 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 3489 */ 3490 3491/* ARGSUSED */ 3492void 3493x11_input_open(int type, u_int32_t seq, void *ctxt) 3494{ 3495 Channel *c = NULL; 3496 int remote_id, sock = 0; 3497 char *remote_host; 3498 3499 debug("Received X11 open request."); 3500 3501 remote_id = packet_get_int(); 3502 3503 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 3504 remote_host = packet_get_string(NULL); 3505 } else { 3506 remote_host = xstrdup("unknown (remote did not supply name)"); 3507 } 3508 packet_check_eom(); 3509 3510 /* Obtain a connection to the real X display. */ 3511 sock = x11_connect_display(); 3512 if (sock != -1) { 3513 /* Allocate a channel for this connection. */ 3514 c = channel_new("connected x11 socket", 3515 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 3516 remote_host, 1); 3517 c->remote_id = remote_id; 3518 c->force_drain = 1; 3519 } 3520 xfree(remote_host); 3521 if (c == NULL) { 3522 /* Send refusal to the remote host. */ 3523 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3524 packet_put_int(remote_id); 3525 } else { 3526 /* Send a confirmation to the remote host. */ 3527 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 3528 packet_put_int(remote_id); 3529 packet_put_int(c->self); 3530 } 3531 packet_send(); 3532} 3533 3534/* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 3535/* ARGSUSED */ 3536void 3537deny_input_open(int type, u_int32_t seq, void *ctxt) 3538{ 3539 int rchan = packet_get_int(); 3540 3541 switch (type) { 3542 case SSH_SMSG_AGENT_OPEN: 3543 error("Warning: ssh server tried agent forwarding."); 3544 break; 3545 case SSH_SMSG_X11_OPEN: 3546 error("Warning: ssh server tried X11 forwarding."); 3547 break; 3548 default: 3549 error("deny_input_open: type %d", type); 3550 break; 3551 } 3552 error("Warning: this is probably a break-in attempt by a malicious server."); 3553 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3554 packet_put_int(rchan); 3555 packet_send(); 3556} 3557 3558/* 3559 * Requests forwarding of X11 connections, generates fake authentication 3560 * data, and enables authentication spoofing. 3561 * This should be called in the client only. 3562 */ 3563void 3564x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 3565 const char *proto, const char *data, int want_reply) 3566{ 3567 u_int data_len = (u_int) strlen(data) / 2; 3568 u_int i, value; 3569 char *new_data; 3570 int screen_number; 3571 const char *cp; 3572 u_int32_t rnd = 0; 3573 3574 if (x11_saved_display == NULL) 3575 x11_saved_display = xstrdup(disp); 3576 else if (strcmp(disp, x11_saved_display) != 0) { 3577 error("x11_request_forwarding_with_spoofing: different " 3578 "$DISPLAY already forwarded"); 3579 return; 3580 } 3581 3582 cp = strchr(disp, ':'); 3583 if (cp) 3584 cp = strchr(cp, '.'); 3585 if (cp) 3586 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 3587 else 3588 screen_number = 0; 3589 3590 if (x11_saved_proto == NULL) { 3591 /* Save protocol name. */ 3592 x11_saved_proto = xstrdup(proto); 3593 /* 3594 * Extract real authentication data and generate fake data 3595 * of the same length. 3596 */ 3597 x11_saved_data = xmalloc(data_len); 3598 x11_fake_data = xmalloc(data_len); 3599 for (i = 0; i < data_len; i++) { 3600 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3601 fatal("x11_request_forwarding: bad " 3602 "authentication data: %.100s", data); 3603 if (i % 4 == 0) 3604 rnd = arc4random(); 3605 x11_saved_data[i] = value; 3606 x11_fake_data[i] = rnd & 0xff; 3607 rnd >>= 8; 3608 } 3609 x11_saved_data_len = data_len; 3610 x11_fake_data_len = data_len; 3611 } 3612 3613 /* Convert the fake data into hex. */ 3614 new_data = tohex(x11_fake_data, data_len); 3615 3616 /* Send the request packet. */ 3617 if (compat20) { 3618 channel_request_start(client_session_id, "x11-req", want_reply); 3619 packet_put_char(0); /* XXX bool single connection */ 3620 } else { 3621 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 3622 } 3623 packet_put_cstring(proto); 3624 packet_put_cstring(new_data); 3625 packet_put_int(screen_number); 3626 packet_send(); 3627 packet_write_wait(); 3628 xfree(new_data); 3629} 3630 3631 3632/* -- agent forwarding */ 3633 3634/* Sends a message to the server to request authentication fd forwarding. */ 3635 3636void 3637auth_request_forwarding(void) 3638{ 3639 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 3640 packet_send(); 3641 packet_write_wait(); 3642} 3643