channels.c revision 294693
1/* $OpenBSD: channels.c,v 1.331 2014/02/26 20:29:29 djm Exp $ */ 2/* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42#include "includes.h" 43 44#include <sys/types.h> 45#include <sys/ioctl.h> 46#include <sys/un.h> 47#include <sys/socket.h> 48#ifdef HAVE_SYS_TIME_H 49# include <sys/time.h> 50#endif 51 52#include <netinet/in.h> 53#include <arpa/inet.h> 54 55#include <errno.h> 56#include <fcntl.h> 57#include <netdb.h> 58#include <stdio.h> 59#include <stdlib.h> 60#include <string.h> 61#include <termios.h> 62#include <unistd.h> 63#include <stdarg.h> 64 65#include "openbsd-compat/sys-queue.h" 66#include "xmalloc.h" 67#include "ssh.h" 68#include "ssh1.h" 69#include "ssh2.h" 70#include "packet.h" 71#include "log.h" 72#include "misc.h" 73#include "buffer.h" 74#include "channels.h" 75#include "compat.h" 76#include "canohost.h" 77#include "key.h" 78#include "authfd.h" 79#include "pathnames.h" 80 81/* -- channel core */ 82 83/* 84 * Pointer to an array containing all allocated channels. The array is 85 * dynamically extended as needed. 86 */ 87static Channel **channels = NULL; 88 89/* 90 * Size of the channel array. All slots of the array must always be 91 * initialized (at least the type field); unused slots set to NULL 92 */ 93static u_int channels_alloc = 0; 94 95/* 96 * Maximum file descriptor value used in any of the channels. This is 97 * updated in channel_new. 98 */ 99static int channel_max_fd = 0; 100 101 102/* -- tcp forwarding */ 103 104/* 105 * Data structure for storing which hosts are permitted for forward requests. 106 * The local sides of any remote forwards are stored in this array to prevent 107 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 108 * network (which might be behind a firewall). 109 */ 110typedef struct { 111 char *host_to_connect; /* Connect to 'host'. */ 112 u_short port_to_connect; /* Connect to 'port'. */ 113 u_short listen_port; /* Remote side should listen port number. */ 114} ForwardPermission; 115 116/* List of all permitted host/port pairs to connect by the user. */ 117static ForwardPermission *permitted_opens = NULL; 118 119/* List of all permitted host/port pairs to connect by the admin. */ 120static ForwardPermission *permitted_adm_opens = NULL; 121 122/* Number of permitted host/port pairs in the array permitted by the user. */ 123static int num_permitted_opens = 0; 124 125/* Number of permitted host/port pair in the array permitted by the admin. */ 126static int num_adm_permitted_opens = 0; 127 128/* special-case port number meaning allow any port */ 129#define FWD_PERMIT_ANY_PORT 0 130 131/* 132 * If this is true, all opens are permitted. This is the case on the server 133 * on which we have to trust the client anyway, and the user could do 134 * anything after logging in anyway. 135 */ 136static int all_opens_permitted = 0; 137 138 139/* -- X11 forwarding */ 140 141/* Maximum number of fake X11 displays to try. */ 142#define MAX_DISPLAYS 1000 143 144/* Saved X11 local (client) display. */ 145static char *x11_saved_display = NULL; 146 147/* Saved X11 authentication protocol name. */ 148static char *x11_saved_proto = NULL; 149 150/* Saved X11 authentication data. This is the real data. */ 151static char *x11_saved_data = NULL; 152static u_int x11_saved_data_len = 0; 153 154/* 155 * Fake X11 authentication data. This is what the server will be sending us; 156 * we should replace any occurrences of this by the real data. 157 */ 158static u_char *x11_fake_data = NULL; 159static u_int x11_fake_data_len; 160 161 162/* -- agent forwarding */ 163 164#define NUM_SOCKS 10 165 166/* AF_UNSPEC or AF_INET or AF_INET6 */ 167static int IPv4or6 = AF_UNSPEC; 168 169/* helper */ 170static void port_open_helper(Channel *c, char *rtype); 171 172/* non-blocking connect helpers */ 173static int connect_next(struct channel_connect *); 174static void channel_connect_ctx_free(struct channel_connect *); 175 176/* -- channel core */ 177 178Channel * 179channel_by_id(int id) 180{ 181 Channel *c; 182 183 if (id < 0 || (u_int)id >= channels_alloc) { 184 logit("channel_by_id: %d: bad id", id); 185 return NULL; 186 } 187 c = channels[id]; 188 if (c == NULL) { 189 logit("channel_by_id: %d: bad id: channel free", id); 190 return NULL; 191 } 192 return c; 193} 194 195/* 196 * Returns the channel if it is allowed to receive protocol messages. 197 * Private channels, like listening sockets, may not receive messages. 198 */ 199Channel * 200channel_lookup(int id) 201{ 202 Channel *c; 203 204 if ((c = channel_by_id(id)) == NULL) 205 return (NULL); 206 207 switch (c->type) { 208 case SSH_CHANNEL_X11_OPEN: 209 case SSH_CHANNEL_LARVAL: 210 case SSH_CHANNEL_CONNECTING: 211 case SSH_CHANNEL_DYNAMIC: 212 case SSH_CHANNEL_OPENING: 213 case SSH_CHANNEL_OPEN: 214 case SSH_CHANNEL_INPUT_DRAINING: 215 case SSH_CHANNEL_OUTPUT_DRAINING: 216 case SSH_CHANNEL_ABANDONED: 217 return (c); 218 } 219 logit("Non-public channel %d, type %d.", id, c->type); 220 return (NULL); 221} 222 223/* 224 * Register filedescriptors for a channel, used when allocating a channel or 225 * when the channel consumer/producer is ready, e.g. shell exec'd 226 */ 227static void 228channel_register_fds(Channel *c, int rfd, int wfd, int efd, 229 int extusage, int nonblock, int is_tty) 230{ 231 /* Update the maximum file descriptor value. */ 232 channel_max_fd = MAX(channel_max_fd, rfd); 233 channel_max_fd = MAX(channel_max_fd, wfd); 234 channel_max_fd = MAX(channel_max_fd, efd); 235 236 if (rfd != -1) 237 fcntl(rfd, F_SETFD, FD_CLOEXEC); 238 if (wfd != -1 && wfd != rfd) 239 fcntl(wfd, F_SETFD, FD_CLOEXEC); 240 if (efd != -1 && efd != rfd && efd != wfd) 241 fcntl(efd, F_SETFD, FD_CLOEXEC); 242 243 c->rfd = rfd; 244 c->wfd = wfd; 245 c->sock = (rfd == wfd) ? rfd : -1; 246 c->efd = efd; 247 c->extended_usage = extusage; 248 249 if ((c->isatty = is_tty) != 0) 250 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 251#ifdef _AIX 252 /* XXX: Later AIX versions can't push as much data to tty */ 253 c->wfd_isatty = is_tty || isatty(c->wfd); 254#endif 255 256 /* enable nonblocking mode */ 257 if (nonblock) { 258 if (rfd != -1) 259 set_nonblock(rfd); 260 if (wfd != -1) 261 set_nonblock(wfd); 262 if (efd != -1) 263 set_nonblock(efd); 264 } 265} 266 267/* 268 * Allocate a new channel object and set its type and socket. This will cause 269 * remote_name to be freed. 270 */ 271Channel * 272channel_new(char *ctype, int type, int rfd, int wfd, int efd, 273 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 274{ 275 int found; 276 u_int i; 277 Channel *c; 278 279 /* Do initial allocation if this is the first call. */ 280 if (channels_alloc == 0) { 281 channels_alloc = 10; 282 channels = xcalloc(channels_alloc, sizeof(Channel *)); 283 for (i = 0; i < channels_alloc; i++) 284 channels[i] = NULL; 285 } 286 /* Try to find a free slot where to put the new channel. */ 287 for (found = -1, i = 0; i < channels_alloc; i++) 288 if (channels[i] == NULL) { 289 /* Found a free slot. */ 290 found = (int)i; 291 break; 292 } 293 if (found < 0) { 294 /* There are no free slots. Take last+1 slot and expand the array. */ 295 found = channels_alloc; 296 if (channels_alloc > 10000) 297 fatal("channel_new: internal error: channels_alloc %d " 298 "too big.", channels_alloc); 299 channels = xrealloc(channels, channels_alloc + 10, 300 sizeof(Channel *)); 301 channels_alloc += 10; 302 debug2("channel: expanding %d", channels_alloc); 303 for (i = found; i < channels_alloc; i++) 304 channels[i] = NULL; 305 } 306 /* Initialize and return new channel. */ 307 c = channels[found] = xcalloc(1, sizeof(Channel)); 308 buffer_init(&c->input); 309 buffer_init(&c->output); 310 buffer_init(&c->extended); 311 c->path = NULL; 312 c->listening_addr = NULL; 313 c->listening_port = 0; 314 c->ostate = CHAN_OUTPUT_OPEN; 315 c->istate = CHAN_INPUT_OPEN; 316 c->flags = 0; 317 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0); 318 c->notbefore = 0; 319 c->self = found; 320 c->type = type; 321 c->ctype = ctype; 322 c->local_window = window; 323 c->local_window_max = window; 324 c->local_consumed = 0; 325 c->local_maxpacket = maxpack; 326 c->remote_id = -1; 327 c->remote_name = xstrdup(remote_name); 328 c->remote_window = 0; 329 c->remote_maxpacket = 0; 330 c->force_drain = 0; 331 c->single_connection = 0; 332 c->detach_user = NULL; 333 c->detach_close = 0; 334 c->open_confirm = NULL; 335 c->open_confirm_ctx = NULL; 336 c->input_filter = NULL; 337 c->output_filter = NULL; 338 c->filter_ctx = NULL; 339 c->filter_cleanup = NULL; 340 c->ctl_chan = -1; 341 c->mux_rcb = NULL; 342 c->mux_ctx = NULL; 343 c->mux_pause = 0; 344 c->delayed = 1; /* prevent call to channel_post handler */ 345 TAILQ_INIT(&c->status_confirms); 346 debug("channel %d: new [%s]", found, remote_name); 347 return c; 348} 349 350static int 351channel_find_maxfd(void) 352{ 353 u_int i; 354 int max = 0; 355 Channel *c; 356 357 for (i = 0; i < channels_alloc; i++) { 358 c = channels[i]; 359 if (c != NULL) { 360 max = MAX(max, c->rfd); 361 max = MAX(max, c->wfd); 362 max = MAX(max, c->efd); 363 } 364 } 365 return max; 366} 367 368int 369channel_close_fd(int *fdp) 370{ 371 int ret = 0, fd = *fdp; 372 373 if (fd != -1) { 374 ret = close(fd); 375 *fdp = -1; 376 if (fd == channel_max_fd) 377 channel_max_fd = channel_find_maxfd(); 378 } 379 return ret; 380} 381 382/* Close all channel fd/socket. */ 383static void 384channel_close_fds(Channel *c) 385{ 386 channel_close_fd(&c->sock); 387 channel_close_fd(&c->rfd); 388 channel_close_fd(&c->wfd); 389 channel_close_fd(&c->efd); 390} 391 392/* Free the channel and close its fd/socket. */ 393void 394channel_free(Channel *c) 395{ 396 char *s; 397 u_int i, n; 398 struct channel_confirm *cc; 399 400 for (n = 0, i = 0; i < channels_alloc; i++) 401 if (channels[i]) 402 n++; 403 debug("channel %d: free: %s, nchannels %u", c->self, 404 c->remote_name ? c->remote_name : "???", n); 405 406 s = channel_open_message(); 407 debug3("channel %d: status: %s", c->self, s); 408 free(s); 409 410 if (c->sock != -1) 411 shutdown(c->sock, SHUT_RDWR); 412 channel_close_fds(c); 413 buffer_free(&c->input); 414 buffer_free(&c->output); 415 buffer_free(&c->extended); 416 free(c->remote_name); 417 c->remote_name = NULL; 418 free(c->path); 419 c->path = NULL; 420 free(c->listening_addr); 421 c->listening_addr = NULL; 422 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 423 if (cc->abandon_cb != NULL) 424 cc->abandon_cb(c, cc->ctx); 425 TAILQ_REMOVE(&c->status_confirms, cc, entry); 426 explicit_bzero(cc, sizeof(*cc)); 427 free(cc); 428 } 429 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 430 c->filter_cleanup(c->self, c->filter_ctx); 431 channels[c->self] = NULL; 432 free(c); 433} 434 435void 436channel_free_all(void) 437{ 438 u_int i; 439 440 for (i = 0; i < channels_alloc; i++) 441 if (channels[i] != NULL) 442 channel_free(channels[i]); 443} 444 445/* 446 * Closes the sockets/fds of all channels. This is used to close extra file 447 * descriptors after a fork. 448 */ 449void 450channel_close_all(void) 451{ 452 u_int i; 453 454 for (i = 0; i < channels_alloc; i++) 455 if (channels[i] != NULL) 456 channel_close_fds(channels[i]); 457} 458 459/* 460 * Stop listening to channels. 461 */ 462void 463channel_stop_listening(void) 464{ 465 u_int i; 466 Channel *c; 467 468 for (i = 0; i < channels_alloc; i++) { 469 c = channels[i]; 470 if (c != NULL) { 471 switch (c->type) { 472 case SSH_CHANNEL_AUTH_SOCKET: 473 case SSH_CHANNEL_PORT_LISTENER: 474 case SSH_CHANNEL_RPORT_LISTENER: 475 case SSH_CHANNEL_X11_LISTENER: 476 channel_close_fd(&c->sock); 477 channel_free(c); 478 break; 479 } 480 } 481 } 482} 483 484/* 485 * Returns true if no channel has too much buffered data, and false if one or 486 * more channel is overfull. 487 */ 488int 489channel_not_very_much_buffered_data(void) 490{ 491 u_int i; 492 Channel *c; 493 494 for (i = 0; i < channels_alloc; i++) { 495 c = channels[i]; 496 if (c != NULL && c->type == SSH_CHANNEL_OPEN) { 497#if 0 498 if (!compat20 && 499 buffer_len(&c->input) > packet_get_maxsize()) { 500 debug2("channel %d: big input buffer %d", 501 c->self, buffer_len(&c->input)); 502 return 0; 503 } 504#endif 505 if (buffer_len(&c->output) > packet_get_maxsize()) { 506 debug2("channel %d: big output buffer %u > %u", 507 c->self, buffer_len(&c->output), 508 packet_get_maxsize()); 509 return 0; 510 } 511 } 512 } 513 return 1; 514} 515 516/* Returns true if any channel is still open. */ 517int 518channel_still_open(void) 519{ 520 u_int i; 521 Channel *c; 522 523 for (i = 0; i < channels_alloc; i++) { 524 c = channels[i]; 525 if (c == NULL) 526 continue; 527 switch (c->type) { 528 case SSH_CHANNEL_X11_LISTENER: 529 case SSH_CHANNEL_PORT_LISTENER: 530 case SSH_CHANNEL_RPORT_LISTENER: 531 case SSH_CHANNEL_MUX_LISTENER: 532 case SSH_CHANNEL_CLOSED: 533 case SSH_CHANNEL_AUTH_SOCKET: 534 case SSH_CHANNEL_DYNAMIC: 535 case SSH_CHANNEL_CONNECTING: 536 case SSH_CHANNEL_ZOMBIE: 537 case SSH_CHANNEL_ABANDONED: 538 continue; 539 case SSH_CHANNEL_LARVAL: 540 if (!compat20) 541 fatal("cannot happen: SSH_CHANNEL_LARVAL"); 542 continue; 543 case SSH_CHANNEL_OPENING: 544 case SSH_CHANNEL_OPEN: 545 case SSH_CHANNEL_X11_OPEN: 546 case SSH_CHANNEL_MUX_CLIENT: 547 return 1; 548 case SSH_CHANNEL_INPUT_DRAINING: 549 case SSH_CHANNEL_OUTPUT_DRAINING: 550 if (!compat13) 551 fatal("cannot happen: OUT_DRAIN"); 552 return 1; 553 default: 554 fatal("channel_still_open: bad channel type %d", c->type); 555 /* NOTREACHED */ 556 } 557 } 558 return 0; 559} 560 561/* Returns the id of an open channel suitable for keepaliving */ 562int 563channel_find_open(void) 564{ 565 u_int i; 566 Channel *c; 567 568 for (i = 0; i < channels_alloc; i++) { 569 c = channels[i]; 570 if (c == NULL || c->remote_id < 0) 571 continue; 572 switch (c->type) { 573 case SSH_CHANNEL_CLOSED: 574 case SSH_CHANNEL_DYNAMIC: 575 case SSH_CHANNEL_X11_LISTENER: 576 case SSH_CHANNEL_PORT_LISTENER: 577 case SSH_CHANNEL_RPORT_LISTENER: 578 case SSH_CHANNEL_MUX_LISTENER: 579 case SSH_CHANNEL_MUX_CLIENT: 580 case SSH_CHANNEL_OPENING: 581 case SSH_CHANNEL_CONNECTING: 582 case SSH_CHANNEL_ZOMBIE: 583 case SSH_CHANNEL_ABANDONED: 584 continue; 585 case SSH_CHANNEL_LARVAL: 586 case SSH_CHANNEL_AUTH_SOCKET: 587 case SSH_CHANNEL_OPEN: 588 case SSH_CHANNEL_X11_OPEN: 589 return i; 590 case SSH_CHANNEL_INPUT_DRAINING: 591 case SSH_CHANNEL_OUTPUT_DRAINING: 592 if (!compat13) 593 fatal("cannot happen: OUT_DRAIN"); 594 return i; 595 default: 596 fatal("channel_find_open: bad channel type %d", c->type); 597 /* NOTREACHED */ 598 } 599 } 600 return -1; 601} 602 603 604/* 605 * Returns a message describing the currently open forwarded connections, 606 * suitable for sending to the client. The message contains crlf pairs for 607 * newlines. 608 */ 609char * 610channel_open_message(void) 611{ 612 Buffer buffer; 613 Channel *c; 614 char buf[1024], *cp; 615 u_int i; 616 617 buffer_init(&buffer); 618 snprintf(buf, sizeof buf, "The following connections are open:\r\n"); 619 buffer_append(&buffer, buf, strlen(buf)); 620 for (i = 0; i < channels_alloc; i++) { 621 c = channels[i]; 622 if (c == NULL) 623 continue; 624 switch (c->type) { 625 case SSH_CHANNEL_X11_LISTENER: 626 case SSH_CHANNEL_PORT_LISTENER: 627 case SSH_CHANNEL_RPORT_LISTENER: 628 case SSH_CHANNEL_CLOSED: 629 case SSH_CHANNEL_AUTH_SOCKET: 630 case SSH_CHANNEL_ZOMBIE: 631 case SSH_CHANNEL_ABANDONED: 632 case SSH_CHANNEL_MUX_CLIENT: 633 case SSH_CHANNEL_MUX_LISTENER: 634 continue; 635 case SSH_CHANNEL_LARVAL: 636 case SSH_CHANNEL_OPENING: 637 case SSH_CHANNEL_CONNECTING: 638 case SSH_CHANNEL_DYNAMIC: 639 case SSH_CHANNEL_OPEN: 640 case SSH_CHANNEL_X11_OPEN: 641 case SSH_CHANNEL_INPUT_DRAINING: 642 case SSH_CHANNEL_OUTPUT_DRAINING: 643 snprintf(buf, sizeof buf, 644 " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n", 645 c->self, c->remote_name, 646 c->type, c->remote_id, 647 c->istate, buffer_len(&c->input), 648 c->ostate, buffer_len(&c->output), 649 c->rfd, c->wfd, c->ctl_chan); 650 buffer_append(&buffer, buf, strlen(buf)); 651 continue; 652 default: 653 fatal("channel_open_message: bad channel type %d", c->type); 654 /* NOTREACHED */ 655 } 656 } 657 buffer_append(&buffer, "\0", 1); 658 cp = xstrdup(buffer_ptr(&buffer)); 659 buffer_free(&buffer); 660 return cp; 661} 662 663void 664channel_send_open(int id) 665{ 666 Channel *c = channel_lookup(id); 667 668 if (c == NULL) { 669 logit("channel_send_open: %d: bad id", id); 670 return; 671 } 672 debug2("channel %d: send open", id); 673 packet_start(SSH2_MSG_CHANNEL_OPEN); 674 packet_put_cstring(c->ctype); 675 packet_put_int(c->self); 676 packet_put_int(c->local_window); 677 packet_put_int(c->local_maxpacket); 678 packet_send(); 679} 680 681void 682channel_request_start(int id, char *service, int wantconfirm) 683{ 684 Channel *c = channel_lookup(id); 685 686 if (c == NULL) { 687 logit("channel_request_start: %d: unknown channel id", id); 688 return; 689 } 690 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 691 packet_start(SSH2_MSG_CHANNEL_REQUEST); 692 packet_put_int(c->remote_id); 693 packet_put_cstring(service); 694 packet_put_char(wantconfirm); 695} 696 697void 698channel_register_status_confirm(int id, channel_confirm_cb *cb, 699 channel_confirm_abandon_cb *abandon_cb, void *ctx) 700{ 701 struct channel_confirm *cc; 702 Channel *c; 703 704 if ((c = channel_lookup(id)) == NULL) 705 fatal("channel_register_expect: %d: bad id", id); 706 707 cc = xcalloc(1, sizeof(*cc)); 708 cc->cb = cb; 709 cc->abandon_cb = abandon_cb; 710 cc->ctx = ctx; 711 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 712} 713 714void 715channel_register_open_confirm(int id, channel_open_fn *fn, void *ctx) 716{ 717 Channel *c = channel_lookup(id); 718 719 if (c == NULL) { 720 logit("channel_register_open_confirm: %d: bad id", id); 721 return; 722 } 723 c->open_confirm = fn; 724 c->open_confirm_ctx = ctx; 725} 726 727void 728channel_register_cleanup(int id, channel_callback_fn *fn, int do_close) 729{ 730 Channel *c = channel_by_id(id); 731 732 if (c == NULL) { 733 logit("channel_register_cleanup: %d: bad id", id); 734 return; 735 } 736 c->detach_user = fn; 737 c->detach_close = do_close; 738} 739 740void 741channel_cancel_cleanup(int id) 742{ 743 Channel *c = channel_by_id(id); 744 745 if (c == NULL) { 746 logit("channel_cancel_cleanup: %d: bad id", id); 747 return; 748 } 749 c->detach_user = NULL; 750 c->detach_close = 0; 751} 752 753void 754channel_register_filter(int id, channel_infilter_fn *ifn, 755 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 756{ 757 Channel *c = channel_lookup(id); 758 759 if (c == NULL) { 760 logit("channel_register_filter: %d: bad id", id); 761 return; 762 } 763 c->input_filter = ifn; 764 c->output_filter = ofn; 765 c->filter_ctx = ctx; 766 c->filter_cleanup = cfn; 767} 768 769void 770channel_set_fds(int id, int rfd, int wfd, int efd, 771 int extusage, int nonblock, int is_tty, u_int window_max) 772{ 773 Channel *c = channel_lookup(id); 774 775 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 776 fatal("channel_activate for non-larval channel %d.", id); 777 channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty); 778 c->type = SSH_CHANNEL_OPEN; 779 c->local_window = c->local_window_max = window_max; 780 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 781 packet_put_int(c->remote_id); 782 packet_put_int(c->local_window); 783 packet_send(); 784} 785 786/* 787 * 'channel_pre*' are called just before select() to add any bits relevant to 788 * channels in the select bitmasks. 789 */ 790/* 791 * 'channel_post*': perform any appropriate operations for channels which 792 * have events pending. 793 */ 794typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset); 795chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE]; 796chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE]; 797 798/* ARGSUSED */ 799static void 800channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset) 801{ 802 FD_SET(c->sock, readset); 803} 804 805/* ARGSUSED */ 806static void 807channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset) 808{ 809 debug3("channel %d: waiting for connection", c->self); 810 FD_SET(c->sock, writeset); 811} 812 813static void 814channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset) 815{ 816 if (buffer_len(&c->input) < packet_get_maxsize()) 817 FD_SET(c->sock, readset); 818 if (buffer_len(&c->output) > 0) 819 FD_SET(c->sock, writeset); 820} 821 822static void 823channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset) 824{ 825 u_int limit = compat20 ? c->remote_window : packet_get_maxsize(); 826 827 if (c->istate == CHAN_INPUT_OPEN && 828 limit > 0 && 829 buffer_len(&c->input) < limit && 830 buffer_check_alloc(&c->input, CHAN_RBUF)) 831 FD_SET(c->rfd, readset); 832 if (c->ostate == CHAN_OUTPUT_OPEN || 833 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 834 if (buffer_len(&c->output) > 0) { 835 FD_SET(c->wfd, writeset); 836 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 837 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 838 debug2("channel %d: obuf_empty delayed efd %d/(%d)", 839 c->self, c->efd, buffer_len(&c->extended)); 840 else 841 chan_obuf_empty(c); 842 } 843 } 844 /** XXX check close conditions, too */ 845 if (compat20 && c->efd != -1 && 846 !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) { 847 if (c->extended_usage == CHAN_EXTENDED_WRITE && 848 buffer_len(&c->extended) > 0) 849 FD_SET(c->efd, writeset); 850 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 851 (c->extended_usage == CHAN_EXTENDED_READ || 852 c->extended_usage == CHAN_EXTENDED_IGNORE) && 853 buffer_len(&c->extended) < c->remote_window) 854 FD_SET(c->efd, readset); 855 } 856 /* XXX: What about efd? races? */ 857} 858 859/* ARGSUSED */ 860static void 861channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset) 862{ 863 if (buffer_len(&c->input) == 0) { 864 packet_start(SSH_MSG_CHANNEL_CLOSE); 865 packet_put_int(c->remote_id); 866 packet_send(); 867 c->type = SSH_CHANNEL_CLOSED; 868 debug2("channel %d: closing after input drain.", c->self); 869 } 870} 871 872/* ARGSUSED */ 873static void 874channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset) 875{ 876 if (buffer_len(&c->output) == 0) 877 chan_mark_dead(c); 878 else 879 FD_SET(c->sock, writeset); 880} 881 882/* 883 * This is a special state for X11 authentication spoofing. An opened X11 884 * connection (when authentication spoofing is being done) remains in this 885 * state until the first packet has been completely read. The authentication 886 * data in that packet is then substituted by the real data if it matches the 887 * fake data, and the channel is put into normal mode. 888 * XXX All this happens at the client side. 889 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 890 */ 891static int 892x11_open_helper(Buffer *b) 893{ 894 u_char *ucp; 895 u_int proto_len, data_len; 896 897 /* Check if the fixed size part of the packet is in buffer. */ 898 if (buffer_len(b) < 12) 899 return 0; 900 901 /* Parse the lengths of variable-length fields. */ 902 ucp = buffer_ptr(b); 903 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 904 proto_len = 256 * ucp[6] + ucp[7]; 905 data_len = 256 * ucp[8] + ucp[9]; 906 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 907 proto_len = ucp[6] + 256 * ucp[7]; 908 data_len = ucp[8] + 256 * ucp[9]; 909 } else { 910 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 911 ucp[0]); 912 return -1; 913 } 914 915 /* Check if the whole packet is in buffer. */ 916 if (buffer_len(b) < 917 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 918 return 0; 919 920 /* Check if authentication protocol matches. */ 921 if (proto_len != strlen(x11_saved_proto) || 922 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) { 923 debug2("X11 connection uses different authentication protocol."); 924 return -1; 925 } 926 /* Check if authentication data matches our fake data. */ 927 if (data_len != x11_fake_data_len || 928 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 929 x11_fake_data, x11_fake_data_len) != 0) { 930 debug2("X11 auth data does not match fake data."); 931 return -1; 932 } 933 /* Check fake data length */ 934 if (x11_fake_data_len != x11_saved_data_len) { 935 error("X11 fake_data_len %d != saved_data_len %d", 936 x11_fake_data_len, x11_saved_data_len); 937 return -1; 938 } 939 /* 940 * Received authentication protocol and data match 941 * our fake data. Substitute the fake data with real 942 * data. 943 */ 944 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 945 x11_saved_data, x11_saved_data_len); 946 return 1; 947} 948 949static void 950channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset) 951{ 952 int ret = x11_open_helper(&c->output); 953 954 if (ret == 1) { 955 /* Start normal processing for the channel. */ 956 c->type = SSH_CHANNEL_OPEN; 957 channel_pre_open_13(c, readset, writeset); 958 } else if (ret == -1) { 959 /* 960 * We have received an X11 connection that has bad 961 * authentication information. 962 */ 963 logit("X11 connection rejected because of wrong authentication."); 964 buffer_clear(&c->input); 965 buffer_clear(&c->output); 966 channel_close_fd(&c->sock); 967 c->sock = -1; 968 c->type = SSH_CHANNEL_CLOSED; 969 packet_start(SSH_MSG_CHANNEL_CLOSE); 970 packet_put_int(c->remote_id); 971 packet_send(); 972 } 973} 974 975static void 976channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset) 977{ 978 int ret = x11_open_helper(&c->output); 979 980 /* c->force_drain = 1; */ 981 982 if (ret == 1) { 983 c->type = SSH_CHANNEL_OPEN; 984 channel_pre_open(c, readset, writeset); 985 } else if (ret == -1) { 986 logit("X11 connection rejected because of wrong authentication."); 987 debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate); 988 chan_read_failed(c); 989 buffer_clear(&c->input); 990 chan_ibuf_empty(c); 991 buffer_clear(&c->output); 992 /* for proto v1, the peer will send an IEOF */ 993 if (compat20) 994 chan_write_failed(c); 995 else 996 c->type = SSH_CHANNEL_OPEN; 997 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 998 } 999} 1000 1001static void 1002channel_pre_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1003{ 1004 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 1005 buffer_check_alloc(&c->input, CHAN_RBUF)) 1006 FD_SET(c->rfd, readset); 1007 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1008 /* clear buffer immediately (discard any partial packet) */ 1009 buffer_clear(&c->input); 1010 chan_ibuf_empty(c); 1011 /* Start output drain. XXX just kill chan? */ 1012 chan_rcvd_oclose(c); 1013 } 1014 if (c->ostate == CHAN_OUTPUT_OPEN || 1015 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1016 if (buffer_len(&c->output) > 0) 1017 FD_SET(c->wfd, writeset); 1018 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1019 chan_obuf_empty(c); 1020 } 1021} 1022 1023/* try to decode a socks4 header */ 1024/* ARGSUSED */ 1025static int 1026channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset) 1027{ 1028 char *p, *host; 1029 u_int len, have, i, found, need; 1030 char username[256]; 1031 struct { 1032 u_int8_t version; 1033 u_int8_t command; 1034 u_int16_t dest_port; 1035 struct in_addr dest_addr; 1036 } s4_req, s4_rsp; 1037 1038 debug2("channel %d: decode socks4", c->self); 1039 1040 have = buffer_len(&c->input); 1041 len = sizeof(s4_req); 1042 if (have < len) 1043 return 0; 1044 p = buffer_ptr(&c->input); 1045 1046 need = 1; 1047 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1048 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1049 debug2("channel %d: socks4a request", c->self); 1050 /* ... and needs an extra string (the hostname) */ 1051 need = 2; 1052 } 1053 /* Check for terminating NUL on the string(s) */ 1054 for (found = 0, i = len; i < have; i++) { 1055 if (p[i] == '\0') { 1056 found++; 1057 if (found == need) 1058 break; 1059 } 1060 if (i > 1024) { 1061 /* the peer is probably sending garbage */ 1062 debug("channel %d: decode socks4: too long", 1063 c->self); 1064 return -1; 1065 } 1066 } 1067 if (found < need) 1068 return 0; 1069 buffer_get(&c->input, (char *)&s4_req.version, 1); 1070 buffer_get(&c->input, (char *)&s4_req.command, 1); 1071 buffer_get(&c->input, (char *)&s4_req.dest_port, 2); 1072 buffer_get(&c->input, (char *)&s4_req.dest_addr, 4); 1073 have = buffer_len(&c->input); 1074 p = buffer_ptr(&c->input); 1075 if (memchr(p, '\0', have) == NULL) 1076 fatal("channel %d: decode socks4: user not nul terminated", 1077 c->self); 1078 len = strlen(p); 1079 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1080 len++; /* trailing '\0' */ 1081 if (len > have) 1082 fatal("channel %d: decode socks4: len %d > have %d", 1083 c->self, len, have); 1084 strlcpy(username, p, sizeof(username)); 1085 buffer_consume(&c->input, len); 1086 1087 free(c->path); 1088 c->path = NULL; 1089 if (need == 1) { /* SOCKS4: one string */ 1090 host = inet_ntoa(s4_req.dest_addr); 1091 c->path = xstrdup(host); 1092 } else { /* SOCKS4A: two strings */ 1093 have = buffer_len(&c->input); 1094 p = buffer_ptr(&c->input); 1095 len = strlen(p); 1096 debug2("channel %d: decode socks4a: host %s/%d", 1097 c->self, p, len); 1098 len++; /* trailing '\0' */ 1099 if (len > have) 1100 fatal("channel %d: decode socks4a: len %d > have %d", 1101 c->self, len, have); 1102 if (len > NI_MAXHOST) { 1103 error("channel %d: hostname \"%.100s\" too long", 1104 c->self, p); 1105 return -1; 1106 } 1107 c->path = xstrdup(p); 1108 buffer_consume(&c->input, len); 1109 } 1110 c->host_port = ntohs(s4_req.dest_port); 1111 1112 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1113 c->self, c->path, c->host_port, s4_req.command); 1114 1115 if (s4_req.command != 1) { 1116 debug("channel %d: cannot handle: %s cn %d", 1117 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1118 return -1; 1119 } 1120 s4_rsp.version = 0; /* vn: 0 for reply */ 1121 s4_rsp.command = 90; /* cd: req granted */ 1122 s4_rsp.dest_port = 0; /* ignored */ 1123 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1124 buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp)); 1125 return 1; 1126} 1127 1128/* try to decode a socks5 header */ 1129#define SSH_SOCKS5_AUTHDONE 0x1000 1130#define SSH_SOCKS5_NOAUTH 0x00 1131#define SSH_SOCKS5_IPV4 0x01 1132#define SSH_SOCKS5_DOMAIN 0x03 1133#define SSH_SOCKS5_IPV6 0x04 1134#define SSH_SOCKS5_CONNECT 0x01 1135#define SSH_SOCKS5_SUCCESS 0x00 1136 1137/* ARGSUSED */ 1138static int 1139channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset) 1140{ 1141 struct { 1142 u_int8_t version; 1143 u_int8_t command; 1144 u_int8_t reserved; 1145 u_int8_t atyp; 1146 } s5_req, s5_rsp; 1147 u_int16_t dest_port; 1148 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1149 u_char *p; 1150 u_int have, need, i, found, nmethods, addrlen, af; 1151 1152 debug2("channel %d: decode socks5", c->self); 1153 p = buffer_ptr(&c->input); 1154 if (p[0] != 0x05) 1155 return -1; 1156 have = buffer_len(&c->input); 1157 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1158 /* format: ver | nmethods | methods */ 1159 if (have < 2) 1160 return 0; 1161 nmethods = p[1]; 1162 if (have < nmethods + 2) 1163 return 0; 1164 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1165 for (found = 0, i = 2; i < nmethods + 2; i++) { 1166 if (p[i] == SSH_SOCKS5_NOAUTH) { 1167 found = 1; 1168 break; 1169 } 1170 } 1171 if (!found) { 1172 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1173 c->self); 1174 return -1; 1175 } 1176 buffer_consume(&c->input, nmethods + 2); 1177 buffer_put_char(&c->output, 0x05); /* version */ 1178 buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */ 1179 FD_SET(c->sock, writeset); 1180 c->flags |= SSH_SOCKS5_AUTHDONE; 1181 debug2("channel %d: socks5 auth done", c->self); 1182 return 0; /* need more */ 1183 } 1184 debug2("channel %d: socks5 post auth", c->self); 1185 if (have < sizeof(s5_req)+1) 1186 return 0; /* need more */ 1187 memcpy(&s5_req, p, sizeof(s5_req)); 1188 if (s5_req.version != 0x05 || 1189 s5_req.command != SSH_SOCKS5_CONNECT || 1190 s5_req.reserved != 0x00) { 1191 debug2("channel %d: only socks5 connect supported", c->self); 1192 return -1; 1193 } 1194 switch (s5_req.atyp){ 1195 case SSH_SOCKS5_IPV4: 1196 addrlen = 4; 1197 af = AF_INET; 1198 break; 1199 case SSH_SOCKS5_DOMAIN: 1200 addrlen = p[sizeof(s5_req)]; 1201 af = -1; 1202 break; 1203 case SSH_SOCKS5_IPV6: 1204 addrlen = 16; 1205 af = AF_INET6; 1206 break; 1207 default: 1208 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1209 return -1; 1210 } 1211 need = sizeof(s5_req) + addrlen + 2; 1212 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1213 need++; 1214 if (have < need) 1215 return 0; 1216 buffer_consume(&c->input, sizeof(s5_req)); 1217 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1218 buffer_consume(&c->input, 1); /* host string length */ 1219 buffer_get(&c->input, &dest_addr, addrlen); 1220 buffer_get(&c->input, (char *)&dest_port, 2); 1221 dest_addr[addrlen] = '\0'; 1222 free(c->path); 1223 c->path = NULL; 1224 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1225 if (addrlen >= NI_MAXHOST) { 1226 error("channel %d: dynamic request: socks5 hostname " 1227 "\"%.100s\" too long", c->self, dest_addr); 1228 return -1; 1229 } 1230 c->path = xstrdup(dest_addr); 1231 } else { 1232 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1233 return -1; 1234 c->path = xstrdup(ntop); 1235 } 1236 c->host_port = ntohs(dest_port); 1237 1238 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1239 c->self, c->path, c->host_port, s5_req.command); 1240 1241 s5_rsp.version = 0x05; 1242 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1243 s5_rsp.reserved = 0; /* ignored */ 1244 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1245 dest_port = 0; /* ignored */ 1246 1247 buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp)); 1248 buffer_put_int(&c->output, ntohl(INADDR_ANY)); /* bind address */ 1249 buffer_append(&c->output, &dest_port, sizeof(dest_port)); 1250 return 1; 1251} 1252 1253Channel * 1254channel_connect_stdio_fwd(const char *host_to_connect, u_short port_to_connect, 1255 int in, int out) 1256{ 1257 Channel *c; 1258 1259 debug("channel_connect_stdio_fwd %s:%d", host_to_connect, 1260 port_to_connect); 1261 1262 c = channel_new("stdio-forward", SSH_CHANNEL_OPENING, in, out, 1263 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1264 0, "stdio-forward", /*nonblock*/0); 1265 1266 c->path = xstrdup(host_to_connect); 1267 c->host_port = port_to_connect; 1268 c->listening_port = 0; 1269 c->force_drain = 1; 1270 1271 channel_register_fds(c, in, out, -1, 0, 1, 0); 1272 port_open_helper(c, "direct-tcpip"); 1273 1274 return c; 1275} 1276 1277/* dynamic port forwarding */ 1278static void 1279channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset) 1280{ 1281 u_char *p; 1282 u_int have; 1283 int ret; 1284 1285 have = buffer_len(&c->input); 1286 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1287 /* buffer_dump(&c->input); */ 1288 /* check if the fixed size part of the packet is in buffer. */ 1289 if (have < 3) { 1290 /* need more */ 1291 FD_SET(c->sock, readset); 1292 return; 1293 } 1294 /* try to guess the protocol */ 1295 p = buffer_ptr(&c->input); 1296 switch (p[0]) { 1297 case 0x04: 1298 ret = channel_decode_socks4(c, readset, writeset); 1299 break; 1300 case 0x05: 1301 ret = channel_decode_socks5(c, readset, writeset); 1302 break; 1303 default: 1304 ret = -1; 1305 break; 1306 } 1307 if (ret < 0) { 1308 chan_mark_dead(c); 1309 } else if (ret == 0) { 1310 debug2("channel %d: pre_dynamic: need more", c->self); 1311 /* need more */ 1312 FD_SET(c->sock, readset); 1313 } else { 1314 /* switch to the next state */ 1315 c->type = SSH_CHANNEL_OPENING; 1316 port_open_helper(c, "direct-tcpip"); 1317 } 1318} 1319 1320/* This is our fake X11 server socket. */ 1321/* ARGSUSED */ 1322static void 1323channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset) 1324{ 1325 Channel *nc; 1326 struct sockaddr_storage addr; 1327 int newsock, oerrno; 1328 socklen_t addrlen; 1329 char buf[16384], *remote_ipaddr; 1330 int remote_port; 1331 1332 if (FD_ISSET(c->sock, readset)) { 1333 debug("X11 connection requested."); 1334 addrlen = sizeof(addr); 1335 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1336 if (c->single_connection) { 1337 oerrno = errno; 1338 debug2("single_connection: closing X11 listener."); 1339 channel_close_fd(&c->sock); 1340 chan_mark_dead(c); 1341 errno = oerrno; 1342 } 1343 if (newsock < 0) { 1344 if (errno != EINTR && errno != EWOULDBLOCK && 1345 errno != ECONNABORTED) 1346 error("accept: %.100s", strerror(errno)); 1347 if (errno == EMFILE || errno == ENFILE) 1348 c->notbefore = monotime() + 1; 1349 return; 1350 } 1351 set_nodelay(newsock); 1352 remote_ipaddr = get_peer_ipaddr(newsock); 1353 remote_port = get_peer_port(newsock); 1354 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1355 remote_ipaddr, remote_port); 1356 1357 nc = channel_new("accepted x11 socket", 1358 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1359 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1360 if (compat20) { 1361 packet_start(SSH2_MSG_CHANNEL_OPEN); 1362 packet_put_cstring("x11"); 1363 packet_put_int(nc->self); 1364 packet_put_int(nc->local_window_max); 1365 packet_put_int(nc->local_maxpacket); 1366 /* originator ipaddr and port */ 1367 packet_put_cstring(remote_ipaddr); 1368 if (datafellows & SSH_BUG_X11FWD) { 1369 debug2("ssh2 x11 bug compat mode"); 1370 } else { 1371 packet_put_int(remote_port); 1372 } 1373 packet_send(); 1374 } else { 1375 packet_start(SSH_SMSG_X11_OPEN); 1376 packet_put_int(nc->self); 1377 if (packet_get_protocol_flags() & 1378 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1379 packet_put_cstring(buf); 1380 packet_send(); 1381 } 1382 free(remote_ipaddr); 1383 } 1384} 1385 1386static void 1387port_open_helper(Channel *c, char *rtype) 1388{ 1389 int direct; 1390 char buf[1024]; 1391 char *local_ipaddr = get_local_ipaddr(c->sock); 1392 int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1); 1393 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1394 int remote_port = get_peer_port(c->sock); 1395 1396 if (remote_port == -1) { 1397 /* Fake addr/port to appease peers that validate it (Tectia) */ 1398 free(remote_ipaddr); 1399 remote_ipaddr = xstrdup("127.0.0.1"); 1400 remote_port = 65535; 1401 } 1402 1403 direct = (strcmp(rtype, "direct-tcpip") == 0); 1404 1405 snprintf(buf, sizeof buf, 1406 "%s: listening port %d for %.100s port %d, " 1407 "connect from %.200s port %d to %.100s port %d", 1408 rtype, c->listening_port, c->path, c->host_port, 1409 remote_ipaddr, remote_port, local_ipaddr, local_port); 1410 1411 free(c->remote_name); 1412 c->remote_name = xstrdup(buf); 1413 1414 if (compat20) { 1415 packet_start(SSH2_MSG_CHANNEL_OPEN); 1416 packet_put_cstring(rtype); 1417 packet_put_int(c->self); 1418 packet_put_int(c->local_window_max); 1419 packet_put_int(c->local_maxpacket); 1420 if (direct) { 1421 /* target host, port */ 1422 packet_put_cstring(c->path); 1423 packet_put_int(c->host_port); 1424 } else { 1425 /* listen address, port */ 1426 packet_put_cstring(c->path); 1427 packet_put_int(local_port); 1428 } 1429 /* originator host and port */ 1430 packet_put_cstring(remote_ipaddr); 1431 packet_put_int((u_int)remote_port); 1432 packet_send(); 1433 } else { 1434 packet_start(SSH_MSG_PORT_OPEN); 1435 packet_put_int(c->self); 1436 packet_put_cstring(c->path); 1437 packet_put_int(c->host_port); 1438 if (packet_get_protocol_flags() & 1439 SSH_PROTOFLAG_HOST_IN_FWD_OPEN) 1440 packet_put_cstring(c->remote_name); 1441 packet_send(); 1442 } 1443 free(remote_ipaddr); 1444 free(local_ipaddr); 1445} 1446 1447static void 1448channel_set_reuseaddr(int fd) 1449{ 1450 int on = 1; 1451 1452 /* 1453 * Set socket options. 1454 * Allow local port reuse in TIME_WAIT. 1455 */ 1456 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) 1457 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1458} 1459 1460/* 1461 * This socket is listening for connections to a forwarded TCP/IP port. 1462 */ 1463/* ARGSUSED */ 1464static void 1465channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset) 1466{ 1467 Channel *nc; 1468 struct sockaddr_storage addr; 1469 int newsock, nextstate; 1470 socklen_t addrlen; 1471 char *rtype; 1472 1473 if (FD_ISSET(c->sock, readset)) { 1474 debug("Connection to port %d forwarding " 1475 "to %.100s port %d requested.", 1476 c->listening_port, c->path, c->host_port); 1477 1478 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1479 nextstate = SSH_CHANNEL_OPENING; 1480 rtype = "forwarded-tcpip"; 1481 } else { 1482 if (c->host_port == 0) { 1483 nextstate = SSH_CHANNEL_DYNAMIC; 1484 rtype = "dynamic-tcpip"; 1485 } else { 1486 nextstate = SSH_CHANNEL_OPENING; 1487 rtype = "direct-tcpip"; 1488 } 1489 } 1490 1491 addrlen = sizeof(addr); 1492 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1493 if (newsock < 0) { 1494 if (errno != EINTR && errno != EWOULDBLOCK && 1495 errno != ECONNABORTED) 1496 error("accept: %.100s", strerror(errno)); 1497 if (errno == EMFILE || errno == ENFILE) 1498 c->notbefore = monotime() + 1; 1499 return; 1500 } 1501 set_nodelay(newsock); 1502 nc = channel_new(rtype, nextstate, newsock, newsock, -1, 1503 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1504 nc->listening_port = c->listening_port; 1505 nc->host_port = c->host_port; 1506 if (c->path != NULL) 1507 nc->path = xstrdup(c->path); 1508 1509 if (nextstate != SSH_CHANNEL_DYNAMIC) 1510 port_open_helper(nc, rtype); 1511 } 1512} 1513 1514/* 1515 * This is the authentication agent socket listening for connections from 1516 * clients. 1517 */ 1518/* ARGSUSED */ 1519static void 1520channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset) 1521{ 1522 Channel *nc; 1523 int newsock; 1524 struct sockaddr_storage addr; 1525 socklen_t addrlen; 1526 1527 if (FD_ISSET(c->sock, readset)) { 1528 addrlen = sizeof(addr); 1529 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1530 if (newsock < 0) { 1531 error("accept from auth socket: %.100s", 1532 strerror(errno)); 1533 if (errno == EMFILE || errno == ENFILE) 1534 c->notbefore = monotime() + 1; 1535 return; 1536 } 1537 nc = channel_new("accepted auth socket", 1538 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1539 c->local_window_max, c->local_maxpacket, 1540 0, "accepted auth socket", 1); 1541 if (compat20) { 1542 packet_start(SSH2_MSG_CHANNEL_OPEN); 1543 packet_put_cstring("auth-agent@openssh.com"); 1544 packet_put_int(nc->self); 1545 packet_put_int(c->local_window_max); 1546 packet_put_int(c->local_maxpacket); 1547 } else { 1548 packet_start(SSH_SMSG_AGENT_OPEN); 1549 packet_put_int(nc->self); 1550 } 1551 packet_send(); 1552 } 1553} 1554 1555/* ARGSUSED */ 1556static void 1557channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset) 1558{ 1559 int err = 0, sock; 1560 socklen_t sz = sizeof(err); 1561 1562 if (FD_ISSET(c->sock, writeset)) { 1563 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1564 err = errno; 1565 error("getsockopt SO_ERROR failed"); 1566 } 1567 if (err == 0) { 1568 debug("channel %d: connected to %s port %d", 1569 c->self, c->connect_ctx.host, c->connect_ctx.port); 1570 channel_connect_ctx_free(&c->connect_ctx); 1571 c->type = SSH_CHANNEL_OPEN; 1572 if (compat20) { 1573 packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION); 1574 packet_put_int(c->remote_id); 1575 packet_put_int(c->self); 1576 packet_put_int(c->local_window); 1577 packet_put_int(c->local_maxpacket); 1578 } else { 1579 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 1580 packet_put_int(c->remote_id); 1581 packet_put_int(c->self); 1582 } 1583 } else { 1584 debug("channel %d: connection failed: %s", 1585 c->self, strerror(err)); 1586 /* Try next address, if any */ 1587 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1588 close(c->sock); 1589 c->sock = c->rfd = c->wfd = sock; 1590 channel_max_fd = channel_find_maxfd(); 1591 return; 1592 } 1593 /* Exhausted all addresses */ 1594 error("connect_to %.100s port %d: failed.", 1595 c->connect_ctx.host, c->connect_ctx.port); 1596 channel_connect_ctx_free(&c->connect_ctx); 1597 if (compat20) { 1598 packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); 1599 packet_put_int(c->remote_id); 1600 packet_put_int(SSH2_OPEN_CONNECT_FAILED); 1601 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 1602 packet_put_cstring(strerror(err)); 1603 packet_put_cstring(""); 1604 } 1605 } else { 1606 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 1607 packet_put_int(c->remote_id); 1608 } 1609 chan_mark_dead(c); 1610 } 1611 packet_send(); 1612 } 1613} 1614 1615/* ARGSUSED */ 1616static int 1617channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset) 1618{ 1619 char buf[CHAN_RBUF]; 1620 int len, force; 1621 1622 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1623 if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) { 1624 errno = 0; 1625 len = read(c->rfd, buf, sizeof(buf)); 1626 if (len < 0 && (errno == EINTR || 1627 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1628 return 1; 1629#ifndef PTY_ZEROREAD 1630 if (len <= 0) { 1631#else 1632 if ((!c->isatty && len <= 0) || 1633 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1634#endif 1635 debug2("channel %d: read<=0 rfd %d len %d", 1636 c->self, c->rfd, len); 1637 if (c->type != SSH_CHANNEL_OPEN) { 1638 debug2("channel %d: not open", c->self); 1639 chan_mark_dead(c); 1640 return -1; 1641 } else if (compat13) { 1642 buffer_clear(&c->output); 1643 c->type = SSH_CHANNEL_INPUT_DRAINING; 1644 debug2("channel %d: input draining.", c->self); 1645 } else { 1646 chan_read_failed(c); 1647 } 1648 return -1; 1649 } 1650 if (c->input_filter != NULL) { 1651 if (c->input_filter(c, buf, len) == -1) { 1652 debug2("channel %d: filter stops", c->self); 1653 chan_read_failed(c); 1654 } 1655 } else if (c->datagram) { 1656 buffer_put_string(&c->input, buf, len); 1657 } else { 1658 buffer_append(&c->input, buf, len); 1659 } 1660 } 1661 return 1; 1662} 1663 1664/* ARGSUSED */ 1665static int 1666channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset) 1667{ 1668 struct termios tio; 1669 u_char *data = NULL, *buf; 1670 u_int dlen, olen = 0; 1671 int len; 1672 1673 /* Send buffered output data to the socket. */ 1674 if (c->wfd != -1 && 1675 FD_ISSET(c->wfd, writeset) && 1676 buffer_len(&c->output) > 0) { 1677 olen = buffer_len(&c->output); 1678 if (c->output_filter != NULL) { 1679 if ((buf = c->output_filter(c, &data, &dlen)) == NULL) { 1680 debug2("channel %d: filter stops", c->self); 1681 if (c->type != SSH_CHANNEL_OPEN) 1682 chan_mark_dead(c); 1683 else 1684 chan_write_failed(c); 1685 return -1; 1686 } 1687 } else if (c->datagram) { 1688 buf = data = buffer_get_string(&c->output, &dlen); 1689 } else { 1690 buf = data = buffer_ptr(&c->output); 1691 dlen = buffer_len(&c->output); 1692 } 1693 1694 if (c->datagram) { 1695 /* ignore truncated writes, datagrams might get lost */ 1696 len = write(c->wfd, buf, dlen); 1697 free(data); 1698 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1699 errno == EWOULDBLOCK)) 1700 return 1; 1701 if (len <= 0) { 1702 if (c->type != SSH_CHANNEL_OPEN) 1703 chan_mark_dead(c); 1704 else 1705 chan_write_failed(c); 1706 return -1; 1707 } 1708 goto out; 1709 } 1710#ifdef _AIX 1711 /* XXX: Later AIX versions can't push as much data to tty */ 1712 if (compat20 && c->wfd_isatty) 1713 dlen = MIN(dlen, 8*1024); 1714#endif 1715 1716 len = write(c->wfd, buf, dlen); 1717 if (len < 0 && 1718 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 1719 return 1; 1720 if (len <= 0) { 1721 if (c->type != SSH_CHANNEL_OPEN) { 1722 debug2("channel %d: not open", c->self); 1723 chan_mark_dead(c); 1724 return -1; 1725 } else if (compat13) { 1726 buffer_clear(&c->output); 1727 debug2("channel %d: input draining.", c->self); 1728 c->type = SSH_CHANNEL_INPUT_DRAINING; 1729 } else { 1730 chan_write_failed(c); 1731 } 1732 return -1; 1733 } 1734#ifndef BROKEN_TCGETATTR_ICANON 1735 if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') { 1736 if (tcgetattr(c->wfd, &tio) == 0 && 1737 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 1738 /* 1739 * Simulate echo to reduce the impact of 1740 * traffic analysis. We need to match the 1741 * size of a SSH2_MSG_CHANNEL_DATA message 1742 * (4 byte channel id + buf) 1743 */ 1744 packet_send_ignore(4 + len); 1745 packet_send(); 1746 } 1747 } 1748#endif 1749 buffer_consume(&c->output, len); 1750 } 1751 out: 1752 if (compat20 && olen > 0) 1753 c->local_consumed += olen - buffer_len(&c->output); 1754 return 1; 1755} 1756 1757static int 1758channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset) 1759{ 1760 char buf[CHAN_RBUF]; 1761 int len; 1762 1763/** XXX handle drain efd, too */ 1764 if (c->efd != -1) { 1765 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1766 FD_ISSET(c->efd, writeset) && 1767 buffer_len(&c->extended) > 0) { 1768 len = write(c->efd, buffer_ptr(&c->extended), 1769 buffer_len(&c->extended)); 1770 debug2("channel %d: written %d to efd %d", 1771 c->self, len, c->efd); 1772 if (len < 0 && (errno == EINTR || errno == EAGAIN || 1773 errno == EWOULDBLOCK)) 1774 return 1; 1775 if (len <= 0) { 1776 debug2("channel %d: closing write-efd %d", 1777 c->self, c->efd); 1778 channel_close_fd(&c->efd); 1779 } else { 1780 buffer_consume(&c->extended, len); 1781 c->local_consumed += len; 1782 } 1783 } else if (c->efd != -1 && 1784 (c->extended_usage == CHAN_EXTENDED_READ || 1785 c->extended_usage == CHAN_EXTENDED_IGNORE) && 1786 (c->detach_close || FD_ISSET(c->efd, readset))) { 1787 len = read(c->efd, buf, sizeof(buf)); 1788 debug2("channel %d: read %d from efd %d", 1789 c->self, len, c->efd); 1790 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 1791 errno == EWOULDBLOCK) && !c->detach_close))) 1792 return 1; 1793 if (len <= 0) { 1794 debug2("channel %d: closing read-efd %d", 1795 c->self, c->efd); 1796 channel_close_fd(&c->efd); 1797 } else { 1798 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 1799 debug3("channel %d: discard efd", 1800 c->self); 1801 } else 1802 buffer_append(&c->extended, buf, len); 1803 } 1804 } 1805 } 1806 return 1; 1807} 1808 1809static int 1810channel_check_window(Channel *c) 1811{ 1812 if (c->type == SSH_CHANNEL_OPEN && 1813 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 1814 ((c->local_window_max - c->local_window > 1815 c->local_maxpacket*3) || 1816 c->local_window < c->local_window_max/2) && 1817 c->local_consumed > 0) { 1818 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST); 1819 packet_put_int(c->remote_id); 1820 packet_put_int(c->local_consumed); 1821 packet_send(); 1822 debug2("channel %d: window %d sent adjust %d", 1823 c->self, c->local_window, 1824 c->local_consumed); 1825 c->local_window += c->local_consumed; 1826 c->local_consumed = 0; 1827 } 1828 return 1; 1829} 1830 1831static void 1832channel_post_open(Channel *c, fd_set *readset, fd_set *writeset) 1833{ 1834 channel_handle_rfd(c, readset, writeset); 1835 channel_handle_wfd(c, readset, writeset); 1836 if (!compat20) 1837 return; 1838 channel_handle_efd(c, readset, writeset); 1839 channel_check_window(c); 1840} 1841 1842static u_int 1843read_mux(Channel *c, u_int need) 1844{ 1845 char buf[CHAN_RBUF]; 1846 int len; 1847 u_int rlen; 1848 1849 if (buffer_len(&c->input) < need) { 1850 rlen = need - buffer_len(&c->input); 1851 len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF)); 1852 if (len <= 0) { 1853 if (errno != EINTR && errno != EAGAIN) { 1854 debug2("channel %d: ctl read<=0 rfd %d len %d", 1855 c->self, c->rfd, len); 1856 chan_read_failed(c); 1857 return 0; 1858 } 1859 } else 1860 buffer_append(&c->input, buf, len); 1861 } 1862 return buffer_len(&c->input); 1863} 1864 1865static void 1866channel_post_mux_client(Channel *c, fd_set *readset, fd_set *writeset) 1867{ 1868 u_int need; 1869 ssize_t len; 1870 1871 if (!compat20) 1872 fatal("%s: entered with !compat20", __func__); 1873 1874 if (c->rfd != -1 && !c->mux_pause && FD_ISSET(c->rfd, readset) && 1875 (c->istate == CHAN_INPUT_OPEN || 1876 c->istate == CHAN_INPUT_WAIT_DRAIN)) { 1877 /* 1878 * Don't not read past the precise end of packets to 1879 * avoid disrupting fd passing. 1880 */ 1881 if (read_mux(c, 4) < 4) /* read header */ 1882 return; 1883 need = get_u32(buffer_ptr(&c->input)); 1884#define CHANNEL_MUX_MAX_PACKET (256 * 1024) 1885 if (need > CHANNEL_MUX_MAX_PACKET) { 1886 debug2("channel %d: packet too big %u > %u", 1887 c->self, CHANNEL_MUX_MAX_PACKET, need); 1888 chan_rcvd_oclose(c); 1889 return; 1890 } 1891 if (read_mux(c, need + 4) < need + 4) /* read body */ 1892 return; 1893 if (c->mux_rcb(c) != 0) { 1894 debug("channel %d: mux_rcb failed", c->self); 1895 chan_mark_dead(c); 1896 return; 1897 } 1898 } 1899 1900 if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) && 1901 buffer_len(&c->output) > 0) { 1902 len = write(c->wfd, buffer_ptr(&c->output), 1903 buffer_len(&c->output)); 1904 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 1905 return; 1906 if (len <= 0) { 1907 chan_mark_dead(c); 1908 return; 1909 } 1910 buffer_consume(&c->output, len); 1911 } 1912} 1913 1914static void 1915channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset) 1916{ 1917 Channel *nc; 1918 struct sockaddr_storage addr; 1919 socklen_t addrlen; 1920 int newsock; 1921 uid_t euid; 1922 gid_t egid; 1923 1924 if (!FD_ISSET(c->sock, readset)) 1925 return; 1926 1927 debug("multiplexing control connection"); 1928 1929 /* 1930 * Accept connection on control socket 1931 */ 1932 memset(&addr, 0, sizeof(addr)); 1933 addrlen = sizeof(addr); 1934 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 1935 &addrlen)) == -1) { 1936 error("%s accept: %s", __func__, strerror(errno)); 1937 if (errno == EMFILE || errno == ENFILE) 1938 c->notbefore = monotime() + 1; 1939 return; 1940 } 1941 1942 if (getpeereid(newsock, &euid, &egid) < 0) { 1943 error("%s getpeereid failed: %s", __func__, 1944 strerror(errno)); 1945 close(newsock); 1946 return; 1947 } 1948 if ((euid != 0) && (getuid() != euid)) { 1949 error("multiplex uid mismatch: peer euid %u != uid %u", 1950 (u_int)euid, (u_int)getuid()); 1951 close(newsock); 1952 return; 1953 } 1954 nc = channel_new("multiplex client", SSH_CHANNEL_MUX_CLIENT, 1955 newsock, newsock, -1, c->local_window_max, 1956 c->local_maxpacket, 0, "mux-control", 1); 1957 nc->mux_rcb = c->mux_rcb; 1958 debug3("%s: new mux channel %d fd %d", __func__, 1959 nc->self, nc->sock); 1960 /* establish state */ 1961 nc->mux_rcb(nc); 1962 /* mux state transitions must not elicit protocol messages */ 1963 nc->flags |= CHAN_LOCAL; 1964} 1965 1966/* ARGSUSED */ 1967static void 1968channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset) 1969{ 1970 int len; 1971 1972 /* Send buffered output data to the socket. */ 1973 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) { 1974 len = write(c->sock, buffer_ptr(&c->output), 1975 buffer_len(&c->output)); 1976 if (len <= 0) 1977 buffer_clear(&c->output); 1978 else 1979 buffer_consume(&c->output, len); 1980 } 1981} 1982 1983static void 1984channel_handler_init_20(void) 1985{ 1986 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 1987 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 1988 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 1989 channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 1990 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 1991 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 1992 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 1993 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 1994 channel_pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 1995 channel_pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 1996 1997 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 1998 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 1999 channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 2000 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2001 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2002 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2003 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2004 channel_post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 2005 channel_post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 2006} 2007 2008static void 2009channel_handler_init_13(void) 2010{ 2011 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13; 2012 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13; 2013 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2014 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2015 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2016 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining; 2017 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining; 2018 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2019 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2020 2021 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2022 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2023 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2024 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2025 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13; 2026 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2027 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2028} 2029 2030static void 2031channel_handler_init_15(void) 2032{ 2033 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2034 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2035 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2036 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2037 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2038 channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2039 channel_pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2040 2041 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2042 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2043 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2044 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open; 2045 channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2046 channel_post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2047} 2048 2049static void 2050channel_handler_init(void) 2051{ 2052 int i; 2053 2054 for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) { 2055 channel_pre[i] = NULL; 2056 channel_post[i] = NULL; 2057 } 2058 if (compat20) 2059 channel_handler_init_20(); 2060 else if (compat13) 2061 channel_handler_init_13(); 2062 else 2063 channel_handler_init_15(); 2064} 2065 2066/* gc dead channels */ 2067static void 2068channel_garbage_collect(Channel *c) 2069{ 2070 if (c == NULL) 2071 return; 2072 if (c->detach_user != NULL) { 2073 if (!chan_is_dead(c, c->detach_close)) 2074 return; 2075 debug2("channel %d: gc: notify user", c->self); 2076 c->detach_user(c->self, NULL); 2077 /* if we still have a callback */ 2078 if (c->detach_user != NULL) 2079 return; 2080 debug2("channel %d: gc: user detached", c->self); 2081 } 2082 if (!chan_is_dead(c, 1)) 2083 return; 2084 debug2("channel %d: garbage collecting", c->self); 2085 channel_free(c); 2086} 2087 2088static void 2089channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset, 2090 time_t *unpause_secs) 2091{ 2092 static int did_init = 0; 2093 u_int i, oalloc; 2094 Channel *c; 2095 time_t now; 2096 2097 if (!did_init) { 2098 channel_handler_init(); 2099 did_init = 1; 2100 } 2101 now = monotime(); 2102 if (unpause_secs != NULL) 2103 *unpause_secs = 0; 2104 for (i = 0, oalloc = channels_alloc; i < oalloc; i++) { 2105 c = channels[i]; 2106 if (c == NULL) 2107 continue; 2108 if (c->delayed) { 2109 if (ftab == channel_pre) 2110 c->delayed = 0; 2111 else 2112 continue; 2113 } 2114 if (ftab[c->type] != NULL) { 2115 /* 2116 * Run handlers that are not paused. 2117 */ 2118 if (c->notbefore <= now) 2119 (*ftab[c->type])(c, readset, writeset); 2120 else if (unpause_secs != NULL) { 2121 /* 2122 * Collect the time that the earliest 2123 * channel comes off pause. 2124 */ 2125 debug3("%s: chan %d: skip for %d more seconds", 2126 __func__, c->self, 2127 (int)(c->notbefore - now)); 2128 if (*unpause_secs == 0 || 2129 (c->notbefore - now) < *unpause_secs) 2130 *unpause_secs = c->notbefore - now; 2131 } 2132 } 2133 channel_garbage_collect(c); 2134 } 2135 if (unpause_secs != NULL && *unpause_secs != 0) 2136 debug3("%s: first channel unpauses in %d seconds", 2137 __func__, (int)*unpause_secs); 2138} 2139 2140/* 2141 * Allocate/update select bitmasks and add any bits relevant to channels in 2142 * select bitmasks. 2143 */ 2144void 2145channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp, 2146 u_int *nallocp, time_t *minwait_secs, int rekeying) 2147{ 2148 u_int n, sz, nfdset; 2149 2150 n = MAX(*maxfdp, channel_max_fd); 2151 2152 nfdset = howmany(n+1, NFDBITS); 2153 /* Explicitly test here, because xrealloc isn't always called */ 2154 if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask)) 2155 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2156 sz = nfdset * sizeof(fd_mask); 2157 2158 /* perhaps check sz < nalloc/2 and shrink? */ 2159 if (*readsetp == NULL || sz > *nallocp) { 2160 *readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask)); 2161 *writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask)); 2162 *nallocp = sz; 2163 } 2164 *maxfdp = n; 2165 memset(*readsetp, 0, sz); 2166 memset(*writesetp, 0, sz); 2167 2168 if (!rekeying) 2169 channel_handler(channel_pre, *readsetp, *writesetp, 2170 minwait_secs); 2171} 2172 2173/* 2174 * After select, perform any appropriate operations for channels which have 2175 * events pending. 2176 */ 2177void 2178channel_after_select(fd_set *readset, fd_set *writeset) 2179{ 2180 channel_handler(channel_post, readset, writeset, NULL); 2181} 2182 2183 2184/* If there is data to send to the connection, enqueue some of it now. */ 2185void 2186channel_output_poll(void) 2187{ 2188 Channel *c; 2189 u_int i, len; 2190 2191 for (i = 0; i < channels_alloc; i++) { 2192 c = channels[i]; 2193 if (c == NULL) 2194 continue; 2195 2196 /* 2197 * We are only interested in channels that can have buffered 2198 * incoming data. 2199 */ 2200 if (compat13) { 2201 if (c->type != SSH_CHANNEL_OPEN && 2202 c->type != SSH_CHANNEL_INPUT_DRAINING) 2203 continue; 2204 } else { 2205 if (c->type != SSH_CHANNEL_OPEN) 2206 continue; 2207 } 2208 if (compat20 && 2209 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2210 /* XXX is this true? */ 2211 debug3("channel %d: will not send data after close", c->self); 2212 continue; 2213 } 2214 2215 /* Get the amount of buffered data for this channel. */ 2216 if ((c->istate == CHAN_INPUT_OPEN || 2217 c->istate == CHAN_INPUT_WAIT_DRAIN) && 2218 (len = buffer_len(&c->input)) > 0) { 2219 if (c->datagram) { 2220 if (len > 0) { 2221 u_char *data; 2222 u_int dlen; 2223 2224 data = buffer_get_string(&c->input, 2225 &dlen); 2226 if (dlen > c->remote_window || 2227 dlen > c->remote_maxpacket) { 2228 debug("channel %d: datagram " 2229 "too big for channel", 2230 c->self); 2231 free(data); 2232 continue; 2233 } 2234 packet_start(SSH2_MSG_CHANNEL_DATA); 2235 packet_put_int(c->remote_id); 2236 packet_put_string(data, dlen); 2237 packet_send(); 2238 c->remote_window -= dlen + 4; 2239 free(data); 2240 } 2241 continue; 2242 } 2243 /* 2244 * Send some data for the other side over the secure 2245 * connection. 2246 */ 2247 if (compat20) { 2248 if (len > c->remote_window) 2249 len = c->remote_window; 2250 if (len > c->remote_maxpacket) 2251 len = c->remote_maxpacket; 2252 } else { 2253 if (packet_is_interactive()) { 2254 if (len > 1024) 2255 len = 512; 2256 } else { 2257 /* Keep the packets at reasonable size. */ 2258 if (len > packet_get_maxsize()/2) 2259 len = packet_get_maxsize()/2; 2260 } 2261 } 2262 if (len > 0) { 2263 packet_start(compat20 ? 2264 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA); 2265 packet_put_int(c->remote_id); 2266 packet_put_string(buffer_ptr(&c->input), len); 2267 packet_send(); 2268 buffer_consume(&c->input, len); 2269 c->remote_window -= len; 2270 } 2271 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2272 if (compat13) 2273 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); 2274 /* 2275 * input-buffer is empty and read-socket shutdown: 2276 * tell peer, that we will not send more data: send IEOF. 2277 * hack for extended data: delay EOF if EFD still in use. 2278 */ 2279 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2280 debug2("channel %d: ibuf_empty delayed efd %d/(%d)", 2281 c->self, c->efd, buffer_len(&c->extended)); 2282 else 2283 chan_ibuf_empty(c); 2284 } 2285 /* Send extended data, i.e. stderr */ 2286 if (compat20 && 2287 !(c->flags & CHAN_EOF_SENT) && 2288 c->remote_window > 0 && 2289 (len = buffer_len(&c->extended)) > 0 && 2290 c->extended_usage == CHAN_EXTENDED_READ) { 2291 debug2("channel %d: rwin %u elen %u euse %d", 2292 c->self, c->remote_window, buffer_len(&c->extended), 2293 c->extended_usage); 2294 if (len > c->remote_window) 2295 len = c->remote_window; 2296 if (len > c->remote_maxpacket) 2297 len = c->remote_maxpacket; 2298 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA); 2299 packet_put_int(c->remote_id); 2300 packet_put_int(SSH2_EXTENDED_DATA_STDERR); 2301 packet_put_string(buffer_ptr(&c->extended), len); 2302 packet_send(); 2303 buffer_consume(&c->extended, len); 2304 c->remote_window -= len; 2305 debug2("channel %d: sent ext data %d", c->self, len); 2306 } 2307 } 2308} 2309 2310 2311/* -- protocol input */ 2312 2313/* ARGSUSED */ 2314void 2315channel_input_data(int type, u_int32_t seq, void *ctxt) 2316{ 2317 int id; 2318 char *data; 2319 u_int data_len, win_len; 2320 Channel *c; 2321 2322 /* Get the channel number and verify it. */ 2323 id = packet_get_int(); 2324 c = channel_lookup(id); 2325 if (c == NULL) 2326 packet_disconnect("Received data for nonexistent channel %d.", id); 2327 2328 /* Ignore any data for non-open channels (might happen on close) */ 2329 if (c->type != SSH_CHANNEL_OPEN && 2330 c->type != SSH_CHANNEL_X11_OPEN) 2331 return; 2332 2333 /* Get the data. */ 2334 data = packet_get_string_ptr(&data_len); 2335 win_len = data_len; 2336 if (c->datagram) 2337 win_len += 4; /* string length header */ 2338 2339 /* 2340 * Ignore data for protocol > 1.3 if output end is no longer open. 2341 * For protocol 2 the sending side is reducing its window as it sends 2342 * data, so we must 'fake' consumption of the data in order to ensure 2343 * that window updates are sent back. Otherwise the connection might 2344 * deadlock. 2345 */ 2346 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { 2347 if (compat20) { 2348 c->local_window -= win_len; 2349 c->local_consumed += win_len; 2350 } 2351 return; 2352 } 2353 2354 if (compat20) { 2355 if (win_len > c->local_maxpacket) { 2356 logit("channel %d: rcvd big packet %d, maxpack %d", 2357 c->self, win_len, c->local_maxpacket); 2358 } 2359 if (win_len > c->local_window) { 2360 logit("channel %d: rcvd too much data %d, win %d", 2361 c->self, win_len, c->local_window); 2362 return; 2363 } 2364 c->local_window -= win_len; 2365 } 2366 if (c->datagram) 2367 buffer_put_string(&c->output, data, data_len); 2368 else 2369 buffer_append(&c->output, data, data_len); 2370 packet_check_eom(); 2371} 2372 2373/* ARGSUSED */ 2374void 2375channel_input_extended_data(int type, u_int32_t seq, void *ctxt) 2376{ 2377 int id; 2378 char *data; 2379 u_int data_len, tcode; 2380 Channel *c; 2381 2382 /* Get the channel number and verify it. */ 2383 id = packet_get_int(); 2384 c = channel_lookup(id); 2385 2386 if (c == NULL) 2387 packet_disconnect("Received extended_data for bad channel %d.", id); 2388 if (c->type != SSH_CHANNEL_OPEN) { 2389 logit("channel %d: ext data for non open", id); 2390 return; 2391 } 2392 if (c->flags & CHAN_EOF_RCVD) { 2393 if (datafellows & SSH_BUG_EXTEOF) 2394 debug("channel %d: accepting ext data after eof", id); 2395 else 2396 packet_disconnect("Received extended_data after EOF " 2397 "on channel %d.", id); 2398 } 2399 tcode = packet_get_int(); 2400 if (c->efd == -1 || 2401 c->extended_usage != CHAN_EXTENDED_WRITE || 2402 tcode != SSH2_EXTENDED_DATA_STDERR) { 2403 logit("channel %d: bad ext data", c->self); 2404 return; 2405 } 2406 data = packet_get_string(&data_len); 2407 packet_check_eom(); 2408 if (data_len > c->local_window) { 2409 logit("channel %d: rcvd too much extended_data %d, win %d", 2410 c->self, data_len, c->local_window); 2411 free(data); 2412 return; 2413 } 2414 debug2("channel %d: rcvd ext data %d", c->self, data_len); 2415 c->local_window -= data_len; 2416 buffer_append(&c->extended, data, data_len); 2417 free(data); 2418} 2419 2420/* ARGSUSED */ 2421void 2422channel_input_ieof(int type, u_int32_t seq, void *ctxt) 2423{ 2424 int id; 2425 Channel *c; 2426 2427 id = packet_get_int(); 2428 packet_check_eom(); 2429 c = channel_lookup(id); 2430 if (c == NULL) 2431 packet_disconnect("Received ieof for nonexistent channel %d.", id); 2432 chan_rcvd_ieof(c); 2433 2434 /* XXX force input close */ 2435 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 2436 debug("channel %d: FORCE input drain", c->self); 2437 c->istate = CHAN_INPUT_WAIT_DRAIN; 2438 if (buffer_len(&c->input) == 0) 2439 chan_ibuf_empty(c); 2440 } 2441 2442} 2443 2444/* ARGSUSED */ 2445void 2446channel_input_close(int type, u_int32_t seq, void *ctxt) 2447{ 2448 int id; 2449 Channel *c; 2450 2451 id = packet_get_int(); 2452 packet_check_eom(); 2453 c = channel_lookup(id); 2454 if (c == NULL) 2455 packet_disconnect("Received close for nonexistent channel %d.", id); 2456 2457 /* 2458 * Send a confirmation that we have closed the channel and no more 2459 * data is coming for it. 2460 */ 2461 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); 2462 packet_put_int(c->remote_id); 2463 packet_send(); 2464 2465 /* 2466 * If the channel is in closed state, we have sent a close request, 2467 * and the other side will eventually respond with a confirmation. 2468 * Thus, we cannot free the channel here, because then there would be 2469 * no-one to receive the confirmation. The channel gets freed when 2470 * the confirmation arrives. 2471 */ 2472 if (c->type != SSH_CHANNEL_CLOSED) { 2473 /* 2474 * Not a closed channel - mark it as draining, which will 2475 * cause it to be freed later. 2476 */ 2477 buffer_clear(&c->input); 2478 c->type = SSH_CHANNEL_OUTPUT_DRAINING; 2479 } 2480} 2481 2482/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ 2483/* ARGSUSED */ 2484void 2485channel_input_oclose(int type, u_int32_t seq, void *ctxt) 2486{ 2487 int id = packet_get_int(); 2488 Channel *c = channel_lookup(id); 2489 2490 packet_check_eom(); 2491 if (c == NULL) 2492 packet_disconnect("Received oclose for nonexistent channel %d.", id); 2493 chan_rcvd_oclose(c); 2494} 2495 2496/* ARGSUSED */ 2497void 2498channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt) 2499{ 2500 int id = packet_get_int(); 2501 Channel *c = channel_lookup(id); 2502 2503 packet_check_eom(); 2504 if (c == NULL) 2505 packet_disconnect("Received close confirmation for " 2506 "out-of-range channel %d.", id); 2507 if (c->type != SSH_CHANNEL_CLOSED && c->type != SSH_CHANNEL_ABANDONED) 2508 packet_disconnect("Received close confirmation for " 2509 "non-closed channel %d (type %d).", id, c->type); 2510 channel_free(c); 2511} 2512 2513/* ARGSUSED */ 2514void 2515channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt) 2516{ 2517 int id, remote_id; 2518 Channel *c; 2519 2520 id = packet_get_int(); 2521 c = channel_lookup(id); 2522 2523 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2524 packet_disconnect("Received open confirmation for " 2525 "non-opening channel %d.", id); 2526 remote_id = packet_get_int(); 2527 /* Record the remote channel number and mark that the channel is now open. */ 2528 c->remote_id = remote_id; 2529 c->type = SSH_CHANNEL_OPEN; 2530 2531 if (compat20) { 2532 c->remote_window = packet_get_int(); 2533 c->remote_maxpacket = packet_get_int(); 2534 if (c->open_confirm) { 2535 debug2("callback start"); 2536 c->open_confirm(c->self, 1, c->open_confirm_ctx); 2537 debug2("callback done"); 2538 } 2539 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 2540 c->remote_window, c->remote_maxpacket); 2541 } 2542 packet_check_eom(); 2543} 2544 2545static char * 2546reason2txt(int reason) 2547{ 2548 switch (reason) { 2549 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 2550 return "administratively prohibited"; 2551 case SSH2_OPEN_CONNECT_FAILED: 2552 return "connect failed"; 2553 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 2554 return "unknown channel type"; 2555 case SSH2_OPEN_RESOURCE_SHORTAGE: 2556 return "resource shortage"; 2557 } 2558 return "unknown reason"; 2559} 2560 2561/* ARGSUSED */ 2562void 2563channel_input_open_failure(int type, u_int32_t seq, void *ctxt) 2564{ 2565 int id, reason; 2566 char *msg = NULL, *lang = NULL; 2567 Channel *c; 2568 2569 id = packet_get_int(); 2570 c = channel_lookup(id); 2571 2572 if (c==NULL || c->type != SSH_CHANNEL_OPENING) 2573 packet_disconnect("Received open failure for " 2574 "non-opening channel %d.", id); 2575 if (compat20) { 2576 reason = packet_get_int(); 2577 if (!(datafellows & SSH_BUG_OPENFAILURE)) { 2578 msg = packet_get_string(NULL); 2579 lang = packet_get_string(NULL); 2580 } 2581 logit("channel %d: open failed: %s%s%s", id, 2582 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 2583 free(msg); 2584 free(lang); 2585 if (c->open_confirm) { 2586 debug2("callback start"); 2587 c->open_confirm(c->self, 0, c->open_confirm_ctx); 2588 debug2("callback done"); 2589 } 2590 } 2591 packet_check_eom(); 2592 /* Schedule the channel for cleanup/deletion. */ 2593 chan_mark_dead(c); 2594} 2595 2596/* ARGSUSED */ 2597void 2598channel_input_window_adjust(int type, u_int32_t seq, void *ctxt) 2599{ 2600 Channel *c; 2601 int id; 2602 u_int adjust; 2603 2604 if (!compat20) 2605 return; 2606 2607 /* Get the channel number and verify it. */ 2608 id = packet_get_int(); 2609 c = channel_lookup(id); 2610 2611 if (c == NULL) { 2612 logit("Received window adjust for non-open channel %d.", id); 2613 return; 2614 } 2615 adjust = packet_get_int(); 2616 packet_check_eom(); 2617 debug2("channel %d: rcvd adjust %u", id, adjust); 2618 c->remote_window += adjust; 2619} 2620 2621/* ARGSUSED */ 2622void 2623channel_input_port_open(int type, u_int32_t seq, void *ctxt) 2624{ 2625 Channel *c = NULL; 2626 u_short host_port; 2627 char *host, *originator_string; 2628 int remote_id; 2629 2630 remote_id = packet_get_int(); 2631 host = packet_get_string(NULL); 2632 host_port = packet_get_int(); 2633 2634 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 2635 originator_string = packet_get_string(NULL); 2636 } else { 2637 originator_string = xstrdup("unknown (remote did not supply name)"); 2638 } 2639 packet_check_eom(); 2640 c = channel_connect_to(host, host_port, 2641 "connected socket", originator_string); 2642 free(originator_string); 2643 free(host); 2644 if (c == NULL) { 2645 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 2646 packet_put_int(remote_id); 2647 packet_send(); 2648 } else 2649 c->remote_id = remote_id; 2650} 2651 2652/* ARGSUSED */ 2653void 2654channel_input_status_confirm(int type, u_int32_t seq, void *ctxt) 2655{ 2656 Channel *c; 2657 struct channel_confirm *cc; 2658 int id; 2659 2660 /* Reset keepalive timeout */ 2661 packet_set_alive_timeouts(0); 2662 2663 id = packet_get_int(); 2664 packet_check_eom(); 2665 2666 debug2("channel_input_status_confirm: type %d id %d", type, id); 2667 2668 if ((c = channel_lookup(id)) == NULL) { 2669 logit("channel_input_status_confirm: %d: unknown", id); 2670 return; 2671 } 2672 ; 2673 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 2674 return; 2675 cc->cb(type, c, cc->ctx); 2676 TAILQ_REMOVE(&c->status_confirms, cc, entry); 2677 explicit_bzero(cc, sizeof(*cc)); 2678 free(cc); 2679} 2680 2681/* -- tcp forwarding */ 2682 2683void 2684channel_set_af(int af) 2685{ 2686 IPv4or6 = af; 2687} 2688 2689 2690/* 2691 * Determine whether or not a port forward listens to loopback, the 2692 * specified address or wildcard. On the client, a specified bind 2693 * address will always override gateway_ports. On the server, a 2694 * gateway_ports of 1 (``yes'') will override the client's specification 2695 * and force a wildcard bind, whereas a value of 2 (``clientspecified'') 2696 * will bind to whatever address the client asked for. 2697 * 2698 * Special-case listen_addrs are: 2699 * 2700 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 2701 * "" (empty string), "*" -> wildcard v4/v6 2702 * "localhost" -> loopback v4/v6 2703 */ 2704static const char * 2705channel_fwd_bind_addr(const char *listen_addr, int *wildcardp, 2706 int is_client, int gateway_ports) 2707{ 2708 const char *addr = NULL; 2709 int wildcard = 0; 2710 2711 if (listen_addr == NULL) { 2712 /* No address specified: default to gateway_ports setting */ 2713 if (gateway_ports) 2714 wildcard = 1; 2715 } else if (gateway_ports || is_client) { 2716 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 2717 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 2718 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 2719 (!is_client && gateway_ports == 1)) { 2720 wildcard = 1; 2721 /* 2722 * Notify client if they requested a specific listen 2723 * address and it was overridden. 2724 */ 2725 if (*listen_addr != '\0' && 2726 strcmp(listen_addr, "0.0.0.0") != 0 && 2727 strcmp(listen_addr, "*") != 0) { 2728 packet_send_debug("Forwarding listen address " 2729 "\"%s\" overridden by server " 2730 "GatewayPorts", listen_addr); 2731 } 2732 } 2733 else if (strcmp(listen_addr, "localhost") != 0) 2734 addr = listen_addr; 2735 } 2736 if (wildcardp != NULL) 2737 *wildcardp = wildcard; 2738 return addr; 2739} 2740 2741static int 2742channel_setup_fwd_listener(int type, const char *listen_addr, 2743 u_short listen_port, int *allocated_listen_port, 2744 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2745{ 2746 Channel *c; 2747 int sock, r, success = 0, wildcard = 0, is_client; 2748 struct addrinfo hints, *ai, *aitop; 2749 const char *host, *addr; 2750 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 2751 in_port_t *lport_p; 2752 2753 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 2754 listen_addr : host_to_connect; 2755 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 2756 2757 if (host == NULL) { 2758 error("No forward host name."); 2759 return 0; 2760 } 2761 if (strlen(host) >= NI_MAXHOST) { 2762 error("Forward host name too long."); 2763 return 0; 2764 } 2765 2766 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ 2767 addr = channel_fwd_bind_addr(listen_addr, &wildcard, 2768 is_client, gateway_ports); 2769 debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s", 2770 type, wildcard, (addr == NULL) ? "NULL" : addr); 2771 2772 /* 2773 * getaddrinfo returns a loopback address if the hostname is 2774 * set to NULL and hints.ai_flags is not AI_PASSIVE 2775 */ 2776 memset(&hints, 0, sizeof(hints)); 2777 hints.ai_family = IPv4or6; 2778 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 2779 hints.ai_socktype = SOCK_STREAM; 2780 snprintf(strport, sizeof strport, "%d", listen_port); 2781 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 2782 if (addr == NULL) { 2783 /* This really shouldn't happen */ 2784 packet_disconnect("getaddrinfo: fatal error: %s", 2785 ssh_gai_strerror(r)); 2786 } else { 2787 error("channel_setup_fwd_listener: " 2788 "getaddrinfo(%.64s): %s", addr, 2789 ssh_gai_strerror(r)); 2790 } 2791 return 0; 2792 } 2793 if (allocated_listen_port != NULL) 2794 *allocated_listen_port = 0; 2795 for (ai = aitop; ai; ai = ai->ai_next) { 2796 switch (ai->ai_family) { 2797 case AF_INET: 2798 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 2799 sin_port; 2800 break; 2801 case AF_INET6: 2802 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 2803 sin6_port; 2804 break; 2805 default: 2806 continue; 2807 } 2808 /* 2809 * If allocating a port for -R forwards, then use the 2810 * same port for all address families. 2811 */ 2812 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2813 allocated_listen_port != NULL && *allocated_listen_port > 0) 2814 *lport_p = htons(*allocated_listen_port); 2815 2816 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 2817 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 2818 error("channel_setup_fwd_listener: getnameinfo failed"); 2819 continue; 2820 } 2821 /* Create a port to listen for the host. */ 2822 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 2823 if (sock < 0) { 2824 /* this is no error since kernel may not support ipv6 */ 2825 verbose("socket: %.100s", strerror(errno)); 2826 continue; 2827 } 2828 2829 channel_set_reuseaddr(sock); 2830 if (ai->ai_family == AF_INET6) 2831 sock_set_v6only(sock); 2832 2833 debug("Local forwarding listening on %s port %s.", 2834 ntop, strport); 2835 2836 /* Bind the socket to the address. */ 2837 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 2838 /* address can be in use ipv6 address is already bound */ 2839 if (!ai->ai_next) 2840 error("bind: %.100s", strerror(errno)); 2841 else 2842 verbose("bind: %.100s", strerror(errno)); 2843 2844 close(sock); 2845 continue; 2846 } 2847 /* Start listening for connections on the socket. */ 2848 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 2849 error("listen: %.100s", strerror(errno)); 2850 close(sock); 2851 continue; 2852 } 2853 2854 /* 2855 * listen_port == 0 requests a dynamically allocated port - 2856 * record what we got. 2857 */ 2858 if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 && 2859 allocated_listen_port != NULL && 2860 *allocated_listen_port == 0) { 2861 *allocated_listen_port = get_sock_port(sock, 1); 2862 debug("Allocated listen port %d", 2863 *allocated_listen_port); 2864 } 2865 2866 /* Allocate a channel number for the socket. */ 2867 c = channel_new("port listener", type, sock, sock, -1, 2868 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 2869 0, "port listener", 1); 2870 c->path = xstrdup(host); 2871 c->host_port = port_to_connect; 2872 c->listening_addr = addr == NULL ? NULL : xstrdup(addr); 2873 if (listen_port == 0 && allocated_listen_port != NULL && 2874 !(datafellows & SSH_BUG_DYNAMIC_RPORT)) 2875 c->listening_port = *allocated_listen_port; 2876 else 2877 c->listening_port = listen_port; 2878 success = 1; 2879 } 2880 if (success == 0) 2881 error("channel_setup_fwd_listener: cannot listen to port: %d", 2882 listen_port); 2883 freeaddrinfo(aitop); 2884 return success; 2885} 2886 2887int 2888channel_cancel_rport_listener(const char *host, u_short port) 2889{ 2890 u_int i; 2891 int found = 0; 2892 2893 for (i = 0; i < channels_alloc; i++) { 2894 Channel *c = channels[i]; 2895 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER) 2896 continue; 2897 if (strcmp(c->path, host) == 0 && c->listening_port == port) { 2898 debug2("%s: close channel %d", __func__, i); 2899 channel_free(c); 2900 found = 1; 2901 } 2902 } 2903 2904 return (found); 2905} 2906 2907int 2908channel_cancel_lport_listener(const char *lhost, u_short lport, 2909 int cport, int gateway_ports) 2910{ 2911 u_int i; 2912 int found = 0; 2913 const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, gateway_ports); 2914 2915 for (i = 0; i < channels_alloc; i++) { 2916 Channel *c = channels[i]; 2917 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER) 2918 continue; 2919 if (c->listening_port != lport) 2920 continue; 2921 if (cport == CHANNEL_CANCEL_PORT_STATIC) { 2922 /* skip dynamic forwardings */ 2923 if (c->host_port == 0) 2924 continue; 2925 } else { 2926 if (c->host_port != cport) 2927 continue; 2928 } 2929 if ((c->listening_addr == NULL && addr != NULL) || 2930 (c->listening_addr != NULL && addr == NULL)) 2931 continue; 2932 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) { 2933 debug2("%s: close channel %d", __func__, i); 2934 channel_free(c); 2935 found = 1; 2936 } 2937 } 2938 2939 return (found); 2940} 2941 2942/* protocol local port fwd, used by ssh (and sshd in v1) */ 2943int 2944channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port, 2945 const char *host_to_connect, u_short port_to_connect, int gateway_ports) 2946{ 2947 return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER, 2948 listen_host, listen_port, NULL, host_to_connect, port_to_connect, 2949 gateway_ports); 2950} 2951 2952/* protocol v2 remote port fwd, used by sshd */ 2953int 2954channel_setup_remote_fwd_listener(const char *listen_address, 2955 u_short listen_port, int *allocated_listen_port, int gateway_ports) 2956{ 2957 return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER, 2958 listen_address, listen_port, allocated_listen_port, 2959 NULL, 0, gateway_ports); 2960} 2961 2962/* 2963 * Translate the requested rfwd listen host to something usable for 2964 * this server. 2965 */ 2966static const char * 2967channel_rfwd_bind_host(const char *listen_host) 2968{ 2969 if (listen_host == NULL) { 2970 if (datafellows & SSH_BUG_RFWD_ADDR) 2971 return "127.0.0.1"; 2972 else 2973 return "localhost"; 2974 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { 2975 if (datafellows & SSH_BUG_RFWD_ADDR) 2976 return "0.0.0.0"; 2977 else 2978 return ""; 2979 } else 2980 return listen_host; 2981} 2982 2983/* 2984 * Initiate forwarding of connections to port "port" on remote host through 2985 * the secure channel to host:port from local side. 2986 * Returns handle (index) for updating the dynamic listen port with 2987 * channel_update_permitted_opens(). 2988 */ 2989int 2990channel_request_remote_forwarding(const char *listen_host, u_short listen_port, 2991 const char *host_to_connect, u_short port_to_connect) 2992{ 2993 int type, success = 0, idx = -1; 2994 2995 /* Send the forward request to the remote side. */ 2996 if (compat20) { 2997 packet_start(SSH2_MSG_GLOBAL_REQUEST); 2998 packet_put_cstring("tcpip-forward"); 2999 packet_put_char(1); /* boolean: want reply */ 3000 packet_put_cstring(channel_rfwd_bind_host(listen_host)); 3001 packet_put_int(listen_port); 3002 packet_send(); 3003 packet_write_wait(); 3004 /* Assume that server accepts the request */ 3005 success = 1; 3006 } else { 3007 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); 3008 packet_put_int(listen_port); 3009 packet_put_cstring(host_to_connect); 3010 packet_put_int(port_to_connect); 3011 packet_send(); 3012 packet_write_wait(); 3013 3014 /* Wait for response from the remote side. */ 3015 type = packet_read(); 3016 switch (type) { 3017 case SSH_SMSG_SUCCESS: 3018 success = 1; 3019 break; 3020 case SSH_SMSG_FAILURE: 3021 break; 3022 default: 3023 /* Unknown packet */ 3024 packet_disconnect("Protocol error for port forward request:" 3025 "received packet type %d.", type); 3026 } 3027 } 3028 if (success) { 3029 /* Record that connection to this host/port is permitted. */ 3030 permitted_opens = xrealloc(permitted_opens, 3031 num_permitted_opens + 1, sizeof(*permitted_opens)); 3032 idx = num_permitted_opens++; 3033 permitted_opens[idx].host_to_connect = xstrdup(host_to_connect); 3034 permitted_opens[idx].port_to_connect = port_to_connect; 3035 permitted_opens[idx].listen_port = listen_port; 3036 } 3037 return (idx); 3038} 3039 3040/* 3041 * Request cancellation of remote forwarding of connection host:port from 3042 * local side. 3043 */ 3044int 3045channel_request_rforward_cancel(const char *host, u_short port) 3046{ 3047 int i; 3048 3049 if (!compat20) 3050 return -1; 3051 3052 for (i = 0; i < num_permitted_opens; i++) { 3053 if (permitted_opens[i].host_to_connect != NULL && 3054 permitted_opens[i].listen_port == port) 3055 break; 3056 } 3057 if (i >= num_permitted_opens) { 3058 debug("%s: requested forward not found", __func__); 3059 return -1; 3060 } 3061 packet_start(SSH2_MSG_GLOBAL_REQUEST); 3062 packet_put_cstring("cancel-tcpip-forward"); 3063 packet_put_char(0); 3064 packet_put_cstring(channel_rfwd_bind_host(host)); 3065 packet_put_int(port); 3066 packet_send(); 3067 3068 permitted_opens[i].listen_port = 0; 3069 permitted_opens[i].port_to_connect = 0; 3070 free(permitted_opens[i].host_to_connect); 3071 permitted_opens[i].host_to_connect = NULL; 3072 3073 return 0; 3074} 3075 3076/* 3077 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates 3078 * listening for the port, and sends back a success reply (or disconnect 3079 * message if there was an error). 3080 */ 3081int 3082channel_input_port_forward_request(int is_root, int gateway_ports) 3083{ 3084 u_short port, host_port; 3085 int success = 0; 3086 char *hostname; 3087 3088 /* Get arguments from the packet. */ 3089 port = packet_get_int(); 3090 hostname = packet_get_string(NULL); 3091 host_port = packet_get_int(); 3092 3093#ifndef HAVE_CYGWIN 3094 /* 3095 * Check that an unprivileged user is not trying to forward a 3096 * privileged port. 3097 */ 3098 if (port < IPPORT_RESERVED && !is_root) 3099 packet_disconnect( 3100 "Requested forwarding of port %d but user is not root.", 3101 port); 3102 if (host_port == 0) 3103 packet_disconnect("Dynamic forwarding denied."); 3104#endif 3105 3106 /* Initiate forwarding */ 3107 success = channel_setup_local_fwd_listener(NULL, port, hostname, 3108 host_port, gateway_ports); 3109 3110 /* Free the argument string. */ 3111 free(hostname); 3112 3113 return (success ? 0 : -1); 3114} 3115 3116/* 3117 * Permits opening to any host/port if permitted_opens[] is empty. This is 3118 * usually called by the server, because the user could connect to any port 3119 * anyway, and the server has no way to know but to trust the client anyway. 3120 */ 3121void 3122channel_permit_all_opens(void) 3123{ 3124 if (num_permitted_opens == 0) 3125 all_opens_permitted = 1; 3126} 3127 3128void 3129channel_add_permitted_opens(char *host, int port) 3130{ 3131 debug("allow port forwarding to host %s port %d", host, port); 3132 3133 permitted_opens = xrealloc(permitted_opens, 3134 num_permitted_opens + 1, sizeof(*permitted_opens)); 3135 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host); 3136 permitted_opens[num_permitted_opens].port_to_connect = port; 3137 num_permitted_opens++; 3138 3139 all_opens_permitted = 0; 3140} 3141 3142/* 3143 * Update the listen port for a dynamic remote forward, after 3144 * the actual 'newport' has been allocated. If 'newport' < 0 is 3145 * passed then they entry will be invalidated. 3146 */ 3147void 3148channel_update_permitted_opens(int idx, int newport) 3149{ 3150 if (idx < 0 || idx >= num_permitted_opens) { 3151 debug("channel_update_permitted_opens: index out of range:" 3152 " %d num_permitted_opens %d", idx, num_permitted_opens); 3153 return; 3154 } 3155 debug("%s allowed port %d for forwarding to host %s port %d", 3156 newport > 0 ? "Updating" : "Removing", 3157 newport, 3158 permitted_opens[idx].host_to_connect, 3159 permitted_opens[idx].port_to_connect); 3160 if (newport >= 0) { 3161 permitted_opens[idx].listen_port = 3162 (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport; 3163 } else { 3164 permitted_opens[idx].listen_port = 0; 3165 permitted_opens[idx].port_to_connect = 0; 3166 free(permitted_opens[idx].host_to_connect); 3167 permitted_opens[idx].host_to_connect = NULL; 3168 } 3169} 3170 3171int 3172channel_add_adm_permitted_opens(char *host, int port) 3173{ 3174 debug("config allows port forwarding to host %s port %d", host, port); 3175 3176 permitted_adm_opens = xrealloc(permitted_adm_opens, 3177 num_adm_permitted_opens + 1, sizeof(*permitted_adm_opens)); 3178 permitted_adm_opens[num_adm_permitted_opens].host_to_connect 3179 = xstrdup(host); 3180 permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port; 3181 return ++num_adm_permitted_opens; 3182} 3183 3184void 3185channel_disable_adm_local_opens(void) 3186{ 3187 channel_clear_adm_permitted_opens(); 3188 permitted_adm_opens = xmalloc(sizeof(*permitted_adm_opens)); 3189 permitted_adm_opens[num_adm_permitted_opens].host_to_connect = NULL; 3190 num_adm_permitted_opens = 1; 3191} 3192 3193void 3194channel_clear_permitted_opens(void) 3195{ 3196 int i; 3197 3198 for (i = 0; i < num_permitted_opens; i++) 3199 free(permitted_opens[i].host_to_connect); 3200 free(permitted_opens); 3201 permitted_opens = NULL; 3202 num_permitted_opens = 0; 3203} 3204 3205void 3206channel_clear_adm_permitted_opens(void) 3207{ 3208 int i; 3209 3210 for (i = 0; i < num_adm_permitted_opens; i++) 3211 free(permitted_adm_opens[i].host_to_connect); 3212 free(permitted_adm_opens); 3213 permitted_adm_opens = NULL; 3214 num_adm_permitted_opens = 0; 3215} 3216 3217void 3218channel_print_adm_permitted_opens(void) 3219{ 3220 int i; 3221 3222 printf("permitopen"); 3223 if (num_adm_permitted_opens == 0) { 3224 printf(" any\n"); 3225 return; 3226 } 3227 for (i = 0; i < num_adm_permitted_opens; i++) 3228 if (permitted_adm_opens[i].host_to_connect == NULL) 3229 printf(" none"); 3230 else 3231 printf(" %s:%d", permitted_adm_opens[i].host_to_connect, 3232 permitted_adm_opens[i].port_to_connect); 3233 printf("\n"); 3234} 3235 3236/* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ 3237int 3238permitopen_port(const char *p) 3239{ 3240 int port; 3241 3242 if (strcmp(p, "*") == 0) 3243 return FWD_PERMIT_ANY_PORT; 3244 if ((port = a2port(p)) > 0) 3245 return port; 3246 return -1; 3247} 3248 3249static int 3250port_match(u_short allowedport, u_short requestedport) 3251{ 3252 if (allowedport == FWD_PERMIT_ANY_PORT || 3253 allowedport == requestedport) 3254 return 1; 3255 return 0; 3256} 3257 3258/* Try to start non-blocking connect to next host in cctx list */ 3259static int 3260connect_next(struct channel_connect *cctx) 3261{ 3262 int sock, saved_errno; 3263 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 3264 3265 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 3266 if (cctx->ai->ai_family != AF_INET && 3267 cctx->ai->ai_family != AF_INET6) 3268 continue; 3269 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 3270 ntop, sizeof(ntop), strport, sizeof(strport), 3271 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3272 error("connect_next: getnameinfo failed"); 3273 continue; 3274 } 3275 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 3276 cctx->ai->ai_protocol)) == -1) { 3277 if (cctx->ai->ai_next == NULL) 3278 error("socket: %.100s", strerror(errno)); 3279 else 3280 verbose("socket: %.100s", strerror(errno)); 3281 continue; 3282 } 3283 if (set_nonblock(sock) == -1) 3284 fatal("%s: set_nonblock(%d)", __func__, sock); 3285 if (connect(sock, cctx->ai->ai_addr, 3286 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 3287 debug("connect_next: host %.100s ([%.100s]:%s): " 3288 "%.100s", cctx->host, ntop, strport, 3289 strerror(errno)); 3290 saved_errno = errno; 3291 close(sock); 3292 errno = saved_errno; 3293 continue; /* fail -- try next */ 3294 } 3295 debug("connect_next: host %.100s ([%.100s]:%s) " 3296 "in progress, fd=%d", cctx->host, ntop, strport, sock); 3297 cctx->ai = cctx->ai->ai_next; 3298 set_nodelay(sock); 3299 return sock; 3300 } 3301 return -1; 3302} 3303 3304static void 3305channel_connect_ctx_free(struct channel_connect *cctx) 3306{ 3307 free(cctx->host); 3308 if (cctx->aitop) 3309 freeaddrinfo(cctx->aitop); 3310 memset(cctx, 0, sizeof(*cctx)); 3311} 3312 3313/* Return CONNECTING channel to remote host, port */ 3314static Channel * 3315connect_to(const char *host, u_short port, char *ctype, char *rname) 3316{ 3317 struct addrinfo hints; 3318 int gaierr; 3319 int sock = -1; 3320 char strport[NI_MAXSERV]; 3321 struct channel_connect cctx; 3322 Channel *c; 3323 3324 memset(&cctx, 0, sizeof(cctx)); 3325 memset(&hints, 0, sizeof(hints)); 3326 hints.ai_family = IPv4or6; 3327 hints.ai_socktype = SOCK_STREAM; 3328 snprintf(strport, sizeof strport, "%d", port); 3329 if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) { 3330 error("connect_to %.100s: unknown host (%s)", host, 3331 ssh_gai_strerror(gaierr)); 3332 return NULL; 3333 } 3334 3335 cctx.host = xstrdup(host); 3336 cctx.port = port; 3337 cctx.ai = cctx.aitop; 3338 3339 if ((sock = connect_next(&cctx)) == -1) { 3340 error("connect to %.100s port %d failed: %s", 3341 host, port, strerror(errno)); 3342 channel_connect_ctx_free(&cctx); 3343 return NULL; 3344 } 3345 c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 3346 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 3347 c->connect_ctx = cctx; 3348 return c; 3349} 3350 3351Channel * 3352channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname) 3353{ 3354 int i; 3355 3356 for (i = 0; i < num_permitted_opens; i++) { 3357 if (permitted_opens[i].host_to_connect != NULL && 3358 port_match(permitted_opens[i].listen_port, listen_port)) { 3359 return connect_to( 3360 permitted_opens[i].host_to_connect, 3361 permitted_opens[i].port_to_connect, ctype, rname); 3362 } 3363 } 3364 error("WARNING: Server requests forwarding for unknown listen_port %d", 3365 listen_port); 3366 return NULL; 3367} 3368 3369/* Check if connecting to that port is permitted and connect. */ 3370Channel * 3371channel_connect_to(const char *host, u_short port, char *ctype, char *rname) 3372{ 3373 int i, permit, permit_adm = 1; 3374 3375 permit = all_opens_permitted; 3376 if (!permit) { 3377 for (i = 0; i < num_permitted_opens; i++) 3378 if (permitted_opens[i].host_to_connect != NULL && 3379 port_match(permitted_opens[i].port_to_connect, port) && 3380 strcmp(permitted_opens[i].host_to_connect, host) == 0) 3381 permit = 1; 3382 } 3383 3384 if (num_adm_permitted_opens > 0) { 3385 permit_adm = 0; 3386 for (i = 0; i < num_adm_permitted_opens; i++) 3387 if (permitted_adm_opens[i].host_to_connect != NULL && 3388 port_match(permitted_adm_opens[i].port_to_connect, port) && 3389 strcmp(permitted_adm_opens[i].host_to_connect, host) 3390 == 0) 3391 permit_adm = 1; 3392 } 3393 3394 if (!permit || !permit_adm) { 3395 logit("Received request to connect to host %.100s port %d, " 3396 "but the request was denied.", host, port); 3397 return NULL; 3398 } 3399 return connect_to(host, port, ctype, rname); 3400} 3401 3402void 3403channel_send_window_changes(void) 3404{ 3405 u_int i; 3406 struct winsize ws; 3407 3408 for (i = 0; i < channels_alloc; i++) { 3409 if (channels[i] == NULL || !channels[i]->client_tty || 3410 channels[i]->type != SSH_CHANNEL_OPEN) 3411 continue; 3412 if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 3413 continue; 3414 channel_request_start(i, "window-change", 0); 3415 packet_put_int((u_int)ws.ws_col); 3416 packet_put_int((u_int)ws.ws_row); 3417 packet_put_int((u_int)ws.ws_xpixel); 3418 packet_put_int((u_int)ws.ws_ypixel); 3419 packet_send(); 3420 } 3421} 3422 3423/* -- X11 forwarding */ 3424 3425/* 3426 * Creates an internet domain socket for listening for X11 connections. 3427 * Returns 0 and a suitable display number for the DISPLAY variable 3428 * stored in display_numberp , or -1 if an error occurs. 3429 */ 3430int 3431x11_create_display_inet(int x11_display_offset, int x11_use_localhost, 3432 int single_connection, u_int *display_numberp, int **chanids) 3433{ 3434 Channel *nc = NULL; 3435 int display_number, sock; 3436 u_short port; 3437 struct addrinfo hints, *ai, *aitop; 3438 char strport[NI_MAXSERV]; 3439 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 3440 3441 if (chanids == NULL) 3442 return -1; 3443 3444 for (display_number = x11_display_offset; 3445 display_number < MAX_DISPLAYS; 3446 display_number++) { 3447 port = 6000 + display_number; 3448 memset(&hints, 0, sizeof(hints)); 3449 hints.ai_family = IPv4or6; 3450 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 3451 hints.ai_socktype = SOCK_STREAM; 3452 snprintf(strport, sizeof strport, "%d", port); 3453 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) { 3454 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 3455 return -1; 3456 } 3457 for (ai = aitop; ai; ai = ai->ai_next) { 3458 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) 3459 continue; 3460 sock = socket(ai->ai_family, ai->ai_socktype, 3461 ai->ai_protocol); 3462 if (sock < 0) { 3463 if ((errno != EINVAL) && (errno != EAFNOSUPPORT) 3464#ifdef EPFNOSUPPORT 3465 && (errno != EPFNOSUPPORT) 3466#endif 3467 ) { 3468 error("socket: %.100s", strerror(errno)); 3469 freeaddrinfo(aitop); 3470 return -1; 3471 } else { 3472 debug("x11_create_display_inet: Socket family %d not supported", 3473 ai->ai_family); 3474 continue; 3475 } 3476 } 3477 if (ai->ai_family == AF_INET6) 3478 sock_set_v6only(sock); 3479 if (x11_use_localhost) 3480 channel_set_reuseaddr(sock); 3481 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3482 debug2("bind port %d: %.100s", port, strerror(errno)); 3483 close(sock); 3484 3485 for (n = 0; n < num_socks; n++) { 3486 close(socks[n]); 3487 } 3488 num_socks = 0; 3489 break; 3490 } 3491 socks[num_socks++] = sock; 3492 if (num_socks == NUM_SOCKS) 3493 break; 3494 } 3495 freeaddrinfo(aitop); 3496 if (num_socks > 0) 3497 break; 3498 } 3499 if (display_number >= MAX_DISPLAYS) { 3500 error("Failed to allocate internet-domain X11 display socket."); 3501 return -1; 3502 } 3503 /* Start listening for connections on the socket. */ 3504 for (n = 0; n < num_socks; n++) { 3505 sock = socks[n]; 3506 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3507 error("listen: %.100s", strerror(errno)); 3508 close(sock); 3509 return -1; 3510 } 3511 } 3512 3513 /* Allocate a channel for each socket. */ 3514 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 3515 for (n = 0; n < num_socks; n++) { 3516 sock = socks[n]; 3517 nc = channel_new("x11 listener", 3518 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 3519 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 3520 0, "X11 inet listener", 1); 3521 nc->single_connection = single_connection; 3522 (*chanids)[n] = nc->self; 3523 } 3524 (*chanids)[n] = -1; 3525 3526 /* Return the display number for the DISPLAY environment variable. */ 3527 *display_numberp = display_number; 3528 return (0); 3529} 3530 3531static int 3532connect_local_xsocket_path(const char *pathname) 3533{ 3534 int sock; 3535 struct sockaddr_un addr; 3536 3537 sock = socket(AF_UNIX, SOCK_STREAM, 0); 3538 if (sock < 0) 3539 error("socket: %.100s", strerror(errno)); 3540 memset(&addr, 0, sizeof(addr)); 3541 addr.sun_family = AF_UNIX; 3542 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 3543 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 3544 return sock; 3545 close(sock); 3546 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 3547 return -1; 3548} 3549 3550static int 3551connect_local_xsocket(u_int dnr) 3552{ 3553 char buf[1024]; 3554 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 3555 return connect_local_xsocket_path(buf); 3556} 3557 3558int 3559x11_connect_display(void) 3560{ 3561 u_int display_number; 3562 const char *display; 3563 char buf[1024], *cp; 3564 struct addrinfo hints, *ai, *aitop; 3565 char strport[NI_MAXSERV]; 3566 int gaierr, sock = 0; 3567 3568 /* Try to open a socket for the local X server. */ 3569 display = getenv("DISPLAY"); 3570 if (!display) { 3571 error("DISPLAY not set."); 3572 return -1; 3573 } 3574 /* 3575 * Now we decode the value of the DISPLAY variable and make a 3576 * connection to the real X server. 3577 */ 3578 3579 /* Check if the display is from launchd. */ 3580#ifdef __APPLE__ 3581 if (strncmp(display, "/tmp/launch", 11) == 0) { 3582 sock = connect_local_xsocket_path(display); 3583 if (sock < 0) 3584 return -1; 3585 3586 /* OK, we now have a connection to the display. */ 3587 return sock; 3588 } 3589#endif 3590 /* 3591 * Check if it is a unix domain socket. Unix domain displays are in 3592 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 3593 */ 3594 if (strncmp(display, "unix:", 5) == 0 || 3595 display[0] == ':') { 3596 /* Connect to the unix domain socket. */ 3597 if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) { 3598 error("Could not parse display number from DISPLAY: %.100s", 3599 display); 3600 return -1; 3601 } 3602 /* Create a socket. */ 3603 sock = connect_local_xsocket(display_number); 3604 if (sock < 0) 3605 return -1; 3606 3607 /* OK, we now have a connection to the display. */ 3608 return sock; 3609 } 3610 /* 3611 * Connect to an inet socket. The DISPLAY value is supposedly 3612 * hostname:d[.s], where hostname may also be numeric IP address. 3613 */ 3614 strlcpy(buf, display, sizeof(buf)); 3615 cp = strchr(buf, ':'); 3616 if (!cp) { 3617 error("Could not find ':' in DISPLAY: %.100s", display); 3618 return -1; 3619 } 3620 *cp = 0; 3621 /* buf now contains the host name. But first we parse the display number. */ 3622 if (sscanf(cp + 1, "%u", &display_number) != 1) { 3623 error("Could not parse display number from DISPLAY: %.100s", 3624 display); 3625 return -1; 3626 } 3627 3628 /* Look up the host address */ 3629 memset(&hints, 0, sizeof(hints)); 3630 hints.ai_family = IPv4or6; 3631 hints.ai_socktype = SOCK_STREAM; 3632 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 3633 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 3634 error("%.100s: unknown host. (%s)", buf, 3635 ssh_gai_strerror(gaierr)); 3636 return -1; 3637 } 3638 for (ai = aitop; ai; ai = ai->ai_next) { 3639 /* Create a socket. */ 3640 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3641 if (sock < 0) { 3642 debug2("socket: %.100s", strerror(errno)); 3643 continue; 3644 } 3645 /* Connect it to the display. */ 3646 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3647 debug2("connect %.100s port %u: %.100s", buf, 3648 6000 + display_number, strerror(errno)); 3649 close(sock); 3650 continue; 3651 } 3652 /* Success */ 3653 break; 3654 } 3655 freeaddrinfo(aitop); 3656 if (!ai) { 3657 error("connect %.100s port %u: %.100s", buf, 6000 + display_number, 3658 strerror(errno)); 3659 return -1; 3660 } 3661 set_nodelay(sock); 3662 return sock; 3663} 3664 3665/* 3666 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains 3667 * the remote channel number. We should do whatever we want, and respond 3668 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. 3669 */ 3670 3671/* ARGSUSED */ 3672void 3673x11_input_open(int type, u_int32_t seq, void *ctxt) 3674{ 3675 Channel *c = NULL; 3676 int remote_id, sock = 0; 3677 char *remote_host; 3678 3679 debug("Received X11 open request."); 3680 3681 remote_id = packet_get_int(); 3682 3683 if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) { 3684 remote_host = packet_get_string(NULL); 3685 } else { 3686 remote_host = xstrdup("unknown (remote did not supply name)"); 3687 } 3688 packet_check_eom(); 3689 3690 /* Obtain a connection to the real X display. */ 3691 sock = x11_connect_display(); 3692 if (sock != -1) { 3693 /* Allocate a channel for this connection. */ 3694 c = channel_new("connected x11 socket", 3695 SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0, 3696 remote_host, 1); 3697 c->remote_id = remote_id; 3698 c->force_drain = 1; 3699 } 3700 free(remote_host); 3701 if (c == NULL) { 3702 /* Send refusal to the remote host. */ 3703 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3704 packet_put_int(remote_id); 3705 } else { 3706 /* Send a confirmation to the remote host. */ 3707 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); 3708 packet_put_int(remote_id); 3709 packet_put_int(c->self); 3710 } 3711 packet_send(); 3712} 3713 3714/* dummy protocol handler that denies SSH-1 requests (agent/x11) */ 3715/* ARGSUSED */ 3716void 3717deny_input_open(int type, u_int32_t seq, void *ctxt) 3718{ 3719 int rchan = packet_get_int(); 3720 3721 switch (type) { 3722 case SSH_SMSG_AGENT_OPEN: 3723 error("Warning: ssh server tried agent forwarding."); 3724 break; 3725 case SSH_SMSG_X11_OPEN: 3726 error("Warning: ssh server tried X11 forwarding."); 3727 break; 3728 default: 3729 error("deny_input_open: type %d", type); 3730 break; 3731 } 3732 error("Warning: this is probably a break-in attempt by a malicious server."); 3733 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); 3734 packet_put_int(rchan); 3735 packet_send(); 3736} 3737 3738/* 3739 * Requests forwarding of X11 connections, generates fake authentication 3740 * data, and enables authentication spoofing. 3741 * This should be called in the client only. 3742 */ 3743void 3744x11_request_forwarding_with_spoofing(int client_session_id, const char *disp, 3745 const char *proto, const char *data, int want_reply) 3746{ 3747 u_int data_len = (u_int) strlen(data) / 2; 3748 u_int i, value; 3749 char *new_data; 3750 int screen_number; 3751 const char *cp; 3752 u_int32_t rnd = 0; 3753 3754 if (x11_saved_display == NULL) 3755 x11_saved_display = xstrdup(disp); 3756 else if (strcmp(disp, x11_saved_display) != 0) { 3757 error("x11_request_forwarding_with_spoofing: different " 3758 "$DISPLAY already forwarded"); 3759 return; 3760 } 3761 3762 cp = strchr(disp, ':'); 3763 if (cp) 3764 cp = strchr(cp, '.'); 3765 if (cp) 3766 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 3767 else 3768 screen_number = 0; 3769 3770 if (x11_saved_proto == NULL) { 3771 /* Save protocol name. */ 3772 x11_saved_proto = xstrdup(proto); 3773 /* 3774 * Extract real authentication data and generate fake data 3775 * of the same length. 3776 */ 3777 x11_saved_data = xmalloc(data_len); 3778 x11_fake_data = xmalloc(data_len); 3779 for (i = 0; i < data_len; i++) { 3780 if (sscanf(data + 2 * i, "%2x", &value) != 1) 3781 fatal("x11_request_forwarding: bad " 3782 "authentication data: %.100s", data); 3783 if (i % 4 == 0) 3784 rnd = arc4random(); 3785 x11_saved_data[i] = value; 3786 x11_fake_data[i] = rnd & 0xff; 3787 rnd >>= 8; 3788 } 3789 x11_saved_data_len = data_len; 3790 x11_fake_data_len = data_len; 3791 } 3792 3793 /* Convert the fake data into hex. */ 3794 new_data = tohex(x11_fake_data, data_len); 3795 3796 /* Send the request packet. */ 3797 if (compat20) { 3798 channel_request_start(client_session_id, "x11-req", want_reply); 3799 packet_put_char(0); /* XXX bool single connection */ 3800 } else { 3801 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); 3802 } 3803 packet_put_cstring(proto); 3804 packet_put_cstring(new_data); 3805 packet_put_int(screen_number); 3806 packet_send(); 3807 packet_write_wait(); 3808 free(new_data); 3809} 3810 3811 3812/* -- agent forwarding */ 3813 3814/* Sends a message to the server to request authentication fd forwarding. */ 3815 3816void 3817auth_request_forwarding(void) 3818{ 3819 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); 3820 packet_send(); 3821 packet_write_wait(); 3822} 3823