diff options
author | Damien Miller <djm@mindrot.org> | 1999-10-27 13:42:43 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 1999-10-27 13:42:43 +1000 |
commit | d4a8b7e34dd619a4debf9a206c81db26d1402ea6 (patch) | |
tree | a47d770a2f790f40d18b0982d4e55fa7cfb1fa3b /channels.c |
Initial revision
Diffstat (limited to 'channels.c')
-rw-r--r-- | channels.c | 1500 |
1 files changed, 1500 insertions, 0 deletions
diff --git a/channels.c b/channels.c new file mode 100644 index 000000000..38a65a07f --- /dev/null +++ b/channels.c | |||
@@ -0,0 +1,1500 @@ | |||
1 | /* | ||
2 | |||
3 | channels.c | ||
4 | |||
5 | Author: Tatu Ylonen <ylo@cs.hut.fi> | ||
6 | |||
7 | Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
8 | All rights reserved | ||
9 | |||
10 | Created: Fri Mar 24 16:35:24 1995 ylo | ||
11 | |||
12 | This file contains functions for generic socket connection forwarding. | ||
13 | There is also code for initiating connection forwarding for X11 connections, | ||
14 | arbitrary tcp/ip connections, and the authentication agent connection. | ||
15 | |||
16 | */ | ||
17 | |||
18 | #include "includes.h" | ||
19 | RCSID("$Id: channels.c,v 1.1 1999/10/27 03:42:44 damien Exp $"); | ||
20 | |||
21 | #include "ssh.h" | ||
22 | #include "packet.h" | ||
23 | #include "xmalloc.h" | ||
24 | #include "buffer.h" | ||
25 | #include "authfd.h" | ||
26 | #include "uidswap.h" | ||
27 | #include "servconf.h" | ||
28 | |||
29 | #include "channels.h" | ||
30 | #include "nchan.h" | ||
31 | #include "compat.h" | ||
32 | |||
33 | /* Maximum number of fake X11 displays to try. */ | ||
34 | #define MAX_DISPLAYS 1000 | ||
35 | |||
36 | /* Max len of agent socket */ | ||
37 | #define MAX_SOCKET_NAME 100 | ||
38 | |||
39 | /* Pointer to an array containing all allocated channels. The array is | ||
40 | dynamically extended as needed. */ | ||
41 | static Channel *channels = NULL; | ||
42 | |||
43 | /* Size of the channel array. All slots of the array must always be | ||
44 | initialized (at least the type field); unused slots are marked with | ||
45 | type SSH_CHANNEL_FREE. */ | ||
46 | static int channels_alloc = 0; | ||
47 | |||
48 | /* Maximum file descriptor value used in any of the channels. This is updated | ||
49 | in channel_allocate. */ | ||
50 | static int channel_max_fd_value = 0; | ||
51 | |||
52 | /* Name and directory of socket for authentication agent forwarding. */ | ||
53 | static char *channel_forwarded_auth_socket_name = NULL; | ||
54 | static char *channel_forwarded_auth_socket_dir = NULL; | ||
55 | |||
56 | /* Saved X11 authentication protocol name. */ | ||
57 | char *x11_saved_proto = NULL; | ||
58 | |||
59 | /* Saved X11 authentication data. This is the real data. */ | ||
60 | char *x11_saved_data = NULL; | ||
61 | unsigned int x11_saved_data_len = 0; | ||
62 | |||
63 | /* Fake X11 authentication data. This is what the server will be sending | ||
64 | us; we should replace any occurrences of this by the real data. */ | ||
65 | char *x11_fake_data = NULL; | ||
66 | unsigned int x11_fake_data_len; | ||
67 | |||
68 | /* Data structure for storing which hosts are permitted for forward requests. | ||
69 | The local sides of any remote forwards are stored in this array to prevent | ||
70 | a corrupt remote server from accessing arbitrary TCP/IP ports on our | ||
71 | local network (which might be behind a firewall). */ | ||
72 | typedef struct | ||
73 | { | ||
74 | char *host; /* Host name. */ | ||
75 | int port; /* Port number. */ | ||
76 | } ForwardPermission; | ||
77 | |||
78 | /* List of all permitted host/port pairs to connect. */ | ||
79 | static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION]; | ||
80 | /* Number of permitted host/port pairs in the array. */ | ||
81 | static int num_permitted_opens = 0; | ||
82 | /* If this is true, all opens are permitted. This is the case on the | ||
83 | server on which we have to trust the client anyway, and the user could | ||
84 | do anything after logging in anyway. */ | ||
85 | static int all_opens_permitted = 0; | ||
86 | |||
87 | /* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */ | ||
88 | static int have_hostname_in_open = 0; | ||
89 | |||
90 | /* Sets specific protocol options. */ | ||
91 | |||
92 | void channel_set_options(int hostname_in_open) | ||
93 | { | ||
94 | have_hostname_in_open = hostname_in_open; | ||
95 | } | ||
96 | |||
97 | /* Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually | ||
98 | called by the server, because the user could connect to any port anyway, | ||
99 | and the server has no way to know but to trust the client anyway. */ | ||
100 | |||
101 | void channel_permit_all_opens() | ||
102 | { | ||
103 | all_opens_permitted = 1; | ||
104 | } | ||
105 | |||
106 | /* Allocate a new channel object and set its type and socket. | ||
107 | This will cause remote_name to be freed. */ | ||
108 | |||
109 | int channel_allocate(int type, int sock, char *remote_name) | ||
110 | { | ||
111 | int i, old_channels; | ||
112 | |||
113 | /* Update the maximum file descriptor value. */ | ||
114 | if (sock > channel_max_fd_value) | ||
115 | channel_max_fd_value = sock; | ||
116 | |||
117 | /* Do initial allocation if this is the first call. */ | ||
118 | if (channels_alloc == 0) | ||
119 | { | ||
120 | channels_alloc = 10; | ||
121 | channels = xmalloc(channels_alloc * sizeof(Channel)); | ||
122 | for (i = 0; i < channels_alloc; i++) | ||
123 | channels[i].type = SSH_CHANNEL_FREE; | ||
124 | |||
125 | /* Kludge: arrange a call to channel_stop_listening if we terminate | ||
126 | with fatal(). */ | ||
127 | fatal_add_cleanup((void (*)(void *))channel_stop_listening, NULL); | ||
128 | } | ||
129 | |||
130 | /* Try to find a free slot where to put the new channel. */ | ||
131 | for (i = 0; i < channels_alloc; i++) | ||
132 | if (channels[i].type == SSH_CHANNEL_FREE) | ||
133 | { | ||
134 | /* Found a free slot. Initialize the fields and return its number. */ | ||
135 | buffer_init(&channels[i].input); | ||
136 | buffer_init(&channels[i].output); | ||
137 | channels[i].self = i; | ||
138 | channels[i].type = type; | ||
139 | channels[i].x11 = 0; | ||
140 | channels[i].sock = sock; | ||
141 | channels[i].remote_id = -1; | ||
142 | channels[i].remote_name = remote_name; | ||
143 | chan_init_iostates(&channels[i]); | ||
144 | return i; | ||
145 | } | ||
146 | |||
147 | /* There are no free slots. Must expand the array. */ | ||
148 | old_channels = channels_alloc; | ||
149 | channels_alloc += 10; | ||
150 | channels = xrealloc(channels, channels_alloc * sizeof(Channel)); | ||
151 | for (i = old_channels; i < channels_alloc; i++) | ||
152 | channels[i].type = SSH_CHANNEL_FREE; | ||
153 | |||
154 | /* We know that the next one after the old maximum channel number is now | ||
155 | available. Initialize and return its number. */ | ||
156 | buffer_init(&channels[old_channels].input); | ||
157 | buffer_init(&channels[old_channels].output); | ||
158 | channels[old_channels].self = old_channels; | ||
159 | channels[old_channels].type = type; | ||
160 | channels[old_channels].x11 = 0; | ||
161 | channels[old_channels].sock = sock; | ||
162 | channels[old_channels].remote_id = -1; | ||
163 | channels[old_channels].remote_name = remote_name; | ||
164 | chan_init_iostates(&channels[old_channels]); | ||
165 | return old_channels; | ||
166 | } | ||
167 | |||
168 | /* Free the channel and close its socket. */ | ||
169 | |||
170 | void channel_free(int channel) | ||
171 | { | ||
172 | assert(channel >= 0 && channel < channels_alloc && | ||
173 | channels[channel].type != SSH_CHANNEL_FREE); | ||
174 | if(compat13) | ||
175 | shutdown(channels[channel].sock, SHUT_RDWR); | ||
176 | close(channels[channel].sock); | ||
177 | buffer_free(&channels[channel].input); | ||
178 | buffer_free(&channels[channel].output); | ||
179 | channels[channel].type = SSH_CHANNEL_FREE; | ||
180 | if (channels[channel].remote_name) | ||
181 | { | ||
182 | xfree(channels[channel].remote_name); | ||
183 | channels[channel].remote_name = NULL; | ||
184 | } | ||
185 | } | ||
186 | |||
187 | /* This is called just before select() to add any bits relevant to | ||
188 | channels in the select bitmasks. */ | ||
189 | |||
190 | void channel_prepare_select(fd_set *readset, fd_set *writeset) | ||
191 | { | ||
192 | int i; | ||
193 | Channel *ch; | ||
194 | unsigned char *ucp; | ||
195 | unsigned int proto_len, data_len; | ||
196 | |||
197 | for (i = 0; i < channels_alloc; i++) | ||
198 | { | ||
199 | ch = &channels[i]; | ||
200 | redo: | ||
201 | switch (ch->type) | ||
202 | { | ||
203 | case SSH_CHANNEL_X11_LISTENER: | ||
204 | case SSH_CHANNEL_PORT_LISTENER: | ||
205 | case SSH_CHANNEL_AUTH_SOCKET: | ||
206 | FD_SET(ch->sock, readset); | ||
207 | break; | ||
208 | |||
209 | case SSH_CHANNEL_OPEN: | ||
210 | if(compat13){ | ||
211 | if (buffer_len(&ch->input) < 32768) | ||
212 | FD_SET(ch->sock, readset); | ||
213 | if (buffer_len(&ch->output) > 0) | ||
214 | FD_SET(ch->sock, writeset); | ||
215 | break; | ||
216 | } | ||
217 | /* test whether sockets are 'alive' for read/write */ | ||
218 | if (ch->istate == CHAN_INPUT_OPEN) | ||
219 | if (buffer_len(&ch->input) < 32768) | ||
220 | FD_SET(ch->sock, readset); | ||
221 | if (ch->ostate == CHAN_OUTPUT_OPEN || ch->ostate == CHAN_OUTPUT_WAIT_DRAIN){ | ||
222 | if (buffer_len(&ch->output) > 0){ | ||
223 | FD_SET(ch->sock, writeset); | ||
224 | }else if(ch->ostate == CHAN_OUTPUT_WAIT_DRAIN) { | ||
225 | chan_obuf_empty(ch); | ||
226 | } | ||
227 | } | ||
228 | break; | ||
229 | |||
230 | case SSH_CHANNEL_INPUT_DRAINING: | ||
231 | if (!compat13) | ||
232 | fatal("cannot happen: IN_DRAIN"); | ||
233 | if (buffer_len(&ch->input) == 0) | ||
234 | { | ||
235 | packet_start(SSH_MSG_CHANNEL_CLOSE); | ||
236 | packet_put_int(ch->remote_id); | ||
237 | packet_send(); | ||
238 | ch->type = SSH_CHANNEL_CLOSED; | ||
239 | debug("Closing channel %d after input drain.", i); | ||
240 | break; | ||
241 | } | ||
242 | break; | ||
243 | |||
244 | case SSH_CHANNEL_OUTPUT_DRAINING: | ||
245 | if (!compat13) | ||
246 | fatal("cannot happen: OUT_DRAIN"); | ||
247 | if (buffer_len(&ch->output) == 0) | ||
248 | { | ||
249 | /* debug("Freeing channel %d after output drain.", i); */ | ||
250 | channel_free(i); | ||
251 | break; | ||
252 | } | ||
253 | FD_SET(ch->sock, writeset); | ||
254 | break; | ||
255 | |||
256 | case SSH_CHANNEL_X11_OPEN: | ||
257 | /* This is a special state for X11 authentication spoofing. An | ||
258 | opened X11 connection (when authentication spoofing is being | ||
259 | done) remains in this state until the first packet has been | ||
260 | completely read. The authentication data in that packet is | ||
261 | then substituted by the real data if it matches the fake data, | ||
262 | and the channel is put into normal mode. */ | ||
263 | |||
264 | /* Check if the fixed size part of the packet is in buffer. */ | ||
265 | if (buffer_len(&ch->output) < 12) | ||
266 | break; | ||
267 | |||
268 | /* Parse the lengths of variable-length fields. */ | ||
269 | ucp = (unsigned char *)buffer_ptr(&ch->output); | ||
270 | if (ucp[0] == 0x42) | ||
271 | { /* Byte order MSB first. */ | ||
272 | proto_len = 256 * ucp[6] + ucp[7]; | ||
273 | data_len = 256 * ucp[8] + ucp[9]; | ||
274 | } | ||
275 | else | ||
276 | if (ucp[0] == 0x6c) | ||
277 | { /* Byte order LSB first. */ | ||
278 | proto_len = ucp[6] + 256 * ucp[7]; | ||
279 | data_len = ucp[8] + 256 * ucp[9]; | ||
280 | } | ||
281 | else | ||
282 | { | ||
283 | debug("Initial X11 packet contains bad byte order byte: 0x%x", | ||
284 | ucp[0]); | ||
285 | ch->type = SSH_CHANNEL_OPEN; | ||
286 | goto reject; | ||
287 | } | ||
288 | |||
289 | /* Check if the whole packet is in buffer. */ | ||
290 | if (buffer_len(&ch->output) < | ||
291 | 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) | ||
292 | break; | ||
293 | |||
294 | /* Check if authentication protocol matches. */ | ||
295 | if (proto_len != strlen(x11_saved_proto) || | ||
296 | memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) | ||
297 | { | ||
298 | debug("X11 connection uses different authentication protocol."); | ||
299 | ch->type = SSH_CHANNEL_OPEN; | ||
300 | goto reject; | ||
301 | } | ||
302 | |||
303 | /* Check if authentication data matches our fake data. */ | ||
304 | if (data_len != x11_fake_data_len || | ||
305 | memcmp(ucp + 12 + ((proto_len + 3) & ~3), | ||
306 | x11_fake_data, x11_fake_data_len) != 0) | ||
307 | { | ||
308 | debug("X11 auth data does not match fake data."); | ||
309 | ch->type = SSH_CHANNEL_OPEN; | ||
310 | goto reject; | ||
311 | } | ||
312 | |||
313 | /* Received authentication protocol and data match our fake data. | ||
314 | Substitute the fake data with real data. */ | ||
315 | assert(x11_fake_data_len == x11_saved_data_len); | ||
316 | memcpy(ucp + 12 + ((proto_len + 3) & ~3), | ||
317 | x11_saved_data, x11_saved_data_len); | ||
318 | |||
319 | /* Start normal processing for the channel. */ | ||
320 | ch->type = SSH_CHANNEL_OPEN; | ||
321 | /* Enable X11 Problem FIX */ | ||
322 | ch->x11 = 1; | ||
323 | goto redo; | ||
324 | |||
325 | reject: | ||
326 | /* We have received an X11 connection that has bad authentication | ||
327 | information. */ | ||
328 | log("X11 connection rejected because of wrong authentication.\r\n"); | ||
329 | buffer_clear(&ch->input); | ||
330 | buffer_clear(&ch->output); | ||
331 | if (compat13) { | ||
332 | close(ch->sock); | ||
333 | ch->sock = -1; | ||
334 | ch->type = SSH_CHANNEL_CLOSED; | ||
335 | packet_start(SSH_MSG_CHANNEL_CLOSE); | ||
336 | packet_put_int(ch->remote_id); | ||
337 | packet_send(); | ||
338 | }else{ | ||
339 | debug("X11 rejected %d 0x%x 0x%x", ch->self, ch->istate, ch->ostate); | ||
340 | chan_read_failed(ch); | ||
341 | chan_write_failed(ch); | ||
342 | debug("X11 rejected %d 0x%x 0x%x", ch->self, ch->istate, ch->ostate); | ||
343 | } | ||
344 | break; | ||
345 | |||
346 | case SSH_CHANNEL_FREE: | ||
347 | default: | ||
348 | continue; | ||
349 | } | ||
350 | } | ||
351 | } | ||
352 | |||
353 | /* After select, perform any appropriate operations for channels which | ||
354 | have events pending. */ | ||
355 | |||
356 | void channel_after_select(fd_set *readset, fd_set *writeset) | ||
357 | { | ||
358 | struct sockaddr addr; | ||
359 | int addrlen, newsock, i, newch, len; | ||
360 | Channel *ch; | ||
361 | char buf[16384], *remote_hostname; | ||
362 | |||
363 | /* Loop over all channels... */ | ||
364 | for (i = 0; i < channels_alloc; i++) | ||
365 | { | ||
366 | ch = &channels[i]; | ||
367 | switch (ch->type) | ||
368 | { | ||
369 | case SSH_CHANNEL_X11_LISTENER: | ||
370 | /* This is our fake X11 server socket. */ | ||
371 | if (FD_ISSET(ch->sock, readset)) | ||
372 | { | ||
373 | debug("X11 connection requested."); | ||
374 | addrlen = sizeof(addr); | ||
375 | newsock = accept(ch->sock, &addr, &addrlen); | ||
376 | if (newsock < 0) | ||
377 | { | ||
378 | error("accept: %.100s", strerror(errno)); | ||
379 | break; | ||
380 | } | ||
381 | remote_hostname = get_remote_hostname(newsock); | ||
382 | snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", | ||
383 | remote_hostname, get_peer_port(newsock)); | ||
384 | xfree(remote_hostname); | ||
385 | newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, | ||
386 | xstrdup(buf)); | ||
387 | packet_start(SSH_SMSG_X11_OPEN); | ||
388 | packet_put_int(newch); | ||
389 | if (have_hostname_in_open) | ||
390 | packet_put_string(buf, strlen(buf)); | ||
391 | packet_send(); | ||
392 | } | ||
393 | break; | ||
394 | |||
395 | case SSH_CHANNEL_PORT_LISTENER: | ||
396 | /* This socket is listening for connections to a forwarded TCP/IP | ||
397 | port. */ | ||
398 | if (FD_ISSET(ch->sock, readset)) | ||
399 | { | ||
400 | debug("Connection to port %d forwarding to %.100s:%d requested.", | ||
401 | ch->listening_port, ch->path, ch->host_port); | ||
402 | addrlen = sizeof(addr); | ||
403 | newsock = accept(ch->sock, &addr, &addrlen); | ||
404 | if (newsock < 0) | ||
405 | { | ||
406 | error("accept: %.100s", strerror(errno)); | ||
407 | break; | ||
408 | } | ||
409 | remote_hostname = get_remote_hostname(newsock); | ||
410 | snprintf(buf, sizeof buf, "port %d, connection from %.200s port %d", | ||
411 | ch->listening_port, remote_hostname, | ||
412 | get_peer_port(newsock)); | ||
413 | xfree(remote_hostname); | ||
414 | newch = channel_allocate(SSH_CHANNEL_OPENING, newsock, | ||
415 | xstrdup(buf)); | ||
416 | packet_start(SSH_MSG_PORT_OPEN); | ||
417 | packet_put_int(newch); | ||
418 | packet_put_string(ch->path, strlen(ch->path)); | ||
419 | packet_put_int(ch->host_port); | ||
420 | if (have_hostname_in_open) | ||
421 | packet_put_string(buf, strlen(buf)); | ||
422 | packet_send(); | ||
423 | } | ||
424 | break; | ||
425 | |||
426 | case SSH_CHANNEL_AUTH_SOCKET: | ||
427 | /* This is the authentication agent socket listening for connections | ||
428 | from clients. */ | ||
429 | if (FD_ISSET(ch->sock, readset)) | ||
430 | { | ||
431 | int nchan; | ||
432 | len = sizeof(addr); | ||
433 | newsock = accept(ch->sock, &addr, &len); | ||
434 | if (newsock < 0) | ||
435 | { | ||
436 | error("accept from auth socket: %.100s", strerror(errno)); | ||
437 | break; | ||
438 | } | ||
439 | |||
440 | nchan = channel_allocate(SSH_CHANNEL_OPENING, newsock, | ||
441 | xstrdup("accepted auth socket")); | ||
442 | packet_start(SSH_SMSG_AGENT_OPEN); | ||
443 | packet_put_int(nchan); | ||
444 | packet_send(); | ||
445 | } | ||
446 | break; | ||
447 | |||
448 | case SSH_CHANNEL_OPEN: | ||
449 | /* This is an open two-way communication channel. It is not of | ||
450 | interest to us at this point what kind of data is being | ||
451 | transmitted. */ | ||
452 | |||
453 | /* Read available incoming data and append it to buffer; | ||
454 | shutdown socket, if read or write failes */ | ||
455 | if (FD_ISSET(ch->sock, readset)) | ||
456 | { | ||
457 | len = read(ch->sock, buf, sizeof(buf)); | ||
458 | if (len <= 0) | ||
459 | { | ||
460 | if (compat13) { | ||
461 | buffer_consume(&ch->output, buffer_len(&ch->output)); | ||
462 | ch->type = SSH_CHANNEL_INPUT_DRAINING; | ||
463 | debug("Channel %d status set to input draining.", i); | ||
464 | }else{ | ||
465 | chan_read_failed(ch); | ||
466 | } | ||
467 | break; | ||
468 | } | ||
469 | buffer_append(&ch->input, buf, len); | ||
470 | } | ||
471 | /* Send buffered output data to the socket. */ | ||
472 | if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) | ||
473 | { | ||
474 | len = write(ch->sock, buffer_ptr(&ch->output), | ||
475 | buffer_len(&ch->output)); | ||
476 | if (len <= 0) | ||
477 | { | ||
478 | if (compat13) { | ||
479 | buffer_consume(&ch->output, buffer_len(&ch->output)); | ||
480 | debug("Channel %d status set to input draining.", i); | ||
481 | ch->type = SSH_CHANNEL_INPUT_DRAINING; | ||
482 | }else{ | ||
483 | chan_write_failed(ch); | ||
484 | } | ||
485 | break; | ||
486 | } | ||
487 | buffer_consume(&ch->output, len); | ||
488 | } | ||
489 | break; | ||
490 | |||
491 | case SSH_CHANNEL_OUTPUT_DRAINING: | ||
492 | if (!compat13) | ||
493 | fatal("cannot happen: OUT_DRAIN"); | ||
494 | /* Send buffered output data to the socket. */ | ||
495 | if (FD_ISSET(ch->sock, writeset) && buffer_len(&ch->output) > 0) | ||
496 | { | ||
497 | len = write(ch->sock, buffer_ptr(&ch->output), | ||
498 | buffer_len(&ch->output)); | ||
499 | if (len <= 0) | ||
500 | buffer_consume(&ch->output, buffer_len(&ch->output)); | ||
501 | else | ||
502 | buffer_consume(&ch->output, len); | ||
503 | } | ||
504 | break; | ||
505 | |||
506 | case SSH_CHANNEL_X11_OPEN: | ||
507 | case SSH_CHANNEL_FREE: | ||
508 | default: | ||
509 | continue; | ||
510 | } | ||
511 | } | ||
512 | } | ||
513 | |||
514 | /* If there is data to send to the connection, send some of it now. */ | ||
515 | |||
516 | void channel_output_poll() | ||
517 | { | ||
518 | int len, i; | ||
519 | Channel *ch; | ||
520 | |||
521 | for (i = 0; i < channels_alloc; i++) | ||
522 | { | ||
523 | ch = &channels[i]; | ||
524 | /* We are only interested in channels that can have buffered incoming | ||
525 | data. */ | ||
526 | if (ch->type != SSH_CHANNEL_OPEN && | ||
527 | ch->type != SSH_CHANNEL_INPUT_DRAINING) | ||
528 | continue; | ||
529 | |||
530 | /* Get the amount of buffered data for this channel. */ | ||
531 | len = buffer_len(&ch->input); | ||
532 | if (len > 0) | ||
533 | { | ||
534 | /* Send some data for the other side over the secure connection. */ | ||
535 | if (packet_is_interactive()) | ||
536 | { | ||
537 | if (len > 1024) | ||
538 | len = 512; | ||
539 | } | ||
540 | else | ||
541 | { | ||
542 | if (len > 16384) | ||
543 | len = 16384; /* Keep the packets at reasonable size. */ | ||
544 | } | ||
545 | packet_start(SSH_MSG_CHANNEL_DATA); | ||
546 | packet_put_int(ch->remote_id); | ||
547 | packet_put_string(buffer_ptr(&ch->input), len); | ||
548 | packet_send(); | ||
549 | buffer_consume(&ch->input, len); | ||
550 | } | ||
551 | else if(ch->istate == CHAN_INPUT_WAIT_DRAIN) | ||
552 | { | ||
553 | if (compat13) | ||
554 | fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3"); | ||
555 | /* input-buffer is empty and read-socket shutdown: | ||
556 | tell peer, that we will not send more data: send IEOF */ | ||
557 | chan_ibuf_empty(ch); | ||
558 | } | ||
559 | } | ||
560 | } | ||
561 | |||
562 | /* This is called when a packet of type CHANNEL_DATA has just been received. | ||
563 | The message type has already been consumed, but channel number and data | ||
564 | is still there. */ | ||
565 | |||
566 | void channel_input_data(int payload_len) | ||
567 | { | ||
568 | int channel; | ||
569 | char *data; | ||
570 | unsigned int data_len; | ||
571 | |||
572 | /* Get the channel number and verify it. */ | ||
573 | channel = packet_get_int(); | ||
574 | if (channel < 0 || channel >= channels_alloc || | ||
575 | channels[channel].type == SSH_CHANNEL_FREE) | ||
576 | packet_disconnect("Received data for nonexistent channel %d.", channel); | ||
577 | |||
578 | /* Ignore any data for non-open channels (might happen on close) */ | ||
579 | if (channels[channel].type != SSH_CHANNEL_OPEN && | ||
580 | channels[channel].type != SSH_CHANNEL_X11_OPEN) | ||
581 | return; | ||
582 | |||
583 | /* Get the data. */ | ||
584 | data = packet_get_string(&data_len); | ||
585 | packet_integrity_check(payload_len, 4 + 4+data_len, SSH_MSG_CHANNEL_DATA); | ||
586 | buffer_append(&channels[channel].output, data, data_len); | ||
587 | xfree(data); | ||
588 | } | ||
589 | |||
590 | /* Returns true if no channel has too much buffered data, and false if | ||
591 | one or more channel is overfull. */ | ||
592 | |||
593 | int channel_not_very_much_buffered_data() | ||
594 | { | ||
595 | unsigned int i; | ||
596 | Channel *ch; | ||
597 | |||
598 | for (i = 0; i < channels_alloc; i++) | ||
599 | { | ||
600 | ch = &channels[i]; | ||
601 | switch (ch->type) | ||
602 | { | ||
603 | case SSH_CHANNEL_X11_LISTENER: | ||
604 | case SSH_CHANNEL_PORT_LISTENER: | ||
605 | case SSH_CHANNEL_AUTH_SOCKET: | ||
606 | continue; | ||
607 | case SSH_CHANNEL_OPEN: | ||
608 | if (buffer_len(&ch->input) > 32768) | ||
609 | return 0; | ||
610 | if (buffer_len(&ch->output) > 32768) | ||
611 | return 0; | ||
612 | continue; | ||
613 | case SSH_CHANNEL_INPUT_DRAINING: | ||
614 | case SSH_CHANNEL_OUTPUT_DRAINING: | ||
615 | case SSH_CHANNEL_X11_OPEN: | ||
616 | case SSH_CHANNEL_FREE: | ||
617 | default: | ||
618 | continue; | ||
619 | } | ||
620 | } | ||
621 | return 1; | ||
622 | } | ||
623 | |||
624 | /* This is called after receiving CHANNEL_CLOSE/IEOF. */ | ||
625 | |||
626 | void channel_input_close() | ||
627 | { | ||
628 | int channel; | ||
629 | |||
630 | /* Get the channel number and verify it. */ | ||
631 | channel = packet_get_int(); | ||
632 | if (channel < 0 || channel >= channels_alloc || | ||
633 | channels[channel].type == SSH_CHANNEL_FREE) | ||
634 | packet_disconnect("Received data for nonexistent channel %d.", channel); | ||
635 | |||
636 | if(!compat13){ | ||
637 | /* proto version 1.5 overloads CLOSE with IEOF */ | ||
638 | chan_rcvd_ieof(&channels[channel]); | ||
639 | return; | ||
640 | } | ||
641 | |||
642 | /* Send a confirmation that we have closed the channel and no more data is | ||
643 | coming for it. */ | ||
644 | packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION); | ||
645 | packet_put_int(channels[channel].remote_id); | ||
646 | packet_send(); | ||
647 | |||
648 | /* If the channel is in closed state, we have sent a close request, and | ||
649 | the other side will eventually respond with a confirmation. Thus, | ||
650 | we cannot free the channel here, because then there would be no-one to | ||
651 | receive the confirmation. The channel gets freed when the confirmation | ||
652 | arrives. */ | ||
653 | if (channels[channel].type != SSH_CHANNEL_CLOSED) | ||
654 | { | ||
655 | /* Not a closed channel - mark it as draining, which will cause it to | ||
656 | be freed later. */ | ||
657 | buffer_consume(&channels[channel].input, | ||
658 | buffer_len(&channels[channel].input)); | ||
659 | channels[channel].type = SSH_CHANNEL_OUTPUT_DRAINING; | ||
660 | /* debug("Setting status to output draining; output len = %d", | ||
661 | buffer_len(&channels[channel].output)); */ | ||
662 | } | ||
663 | } | ||
664 | |||
665 | /* This is called after receiving CHANNEL_CLOSE_CONFIRMATION/OCLOSE. */ | ||
666 | |||
667 | void channel_input_close_confirmation() | ||
668 | { | ||
669 | int channel; | ||
670 | |||
671 | /* Get the channel number and verify it. */ | ||
672 | channel = packet_get_int(); | ||
673 | if (channel < 0 || channel >= channels_alloc) | ||
674 | packet_disconnect("Received close confirmation for out-of-range channel %d.", | ||
675 | channel); | ||
676 | |||
677 | if(!compat13){ | ||
678 | /* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */ | ||
679 | chan_rcvd_oclose(&channels[channel]); | ||
680 | return; | ||
681 | } | ||
682 | |||
683 | if (channels[channel].type != SSH_CHANNEL_CLOSED) | ||
684 | packet_disconnect("Received close confirmation for non-closed channel %d (type %d).", | ||
685 | channel, channels[channel].type); | ||
686 | |||
687 | /* Free the channel. */ | ||
688 | channel_free(channel); | ||
689 | } | ||
690 | |||
691 | /* This is called after receiving CHANNEL_OPEN_CONFIRMATION. */ | ||
692 | |||
693 | void channel_input_open_confirmation() | ||
694 | { | ||
695 | int channel, remote_channel; | ||
696 | |||
697 | /* Get the channel number and verify it. */ | ||
698 | channel = packet_get_int(); | ||
699 | if (channel < 0 || channel >= channels_alloc || | ||
700 | channels[channel].type != SSH_CHANNEL_OPENING) | ||
701 | packet_disconnect("Received open confirmation for non-opening channel %d.", | ||
702 | channel); | ||
703 | |||
704 | /* Get remote side's id for this channel. */ | ||
705 | remote_channel = packet_get_int(); | ||
706 | |||
707 | /* Record the remote channel number and mark that the channel is now open. */ | ||
708 | channels[channel].remote_id = remote_channel; | ||
709 | channels[channel].type = SSH_CHANNEL_OPEN; | ||
710 | } | ||
711 | |||
712 | /* This is called after receiving CHANNEL_OPEN_FAILURE from the other side. */ | ||
713 | |||
714 | void channel_input_open_failure() | ||
715 | { | ||
716 | int channel; | ||
717 | |||
718 | /* Get the channel number and verify it. */ | ||
719 | channel = packet_get_int(); | ||
720 | if (channel < 0 || channel >= channels_alloc || | ||
721 | channels[channel].type != SSH_CHANNEL_OPENING) | ||
722 | packet_disconnect("Received open failure for non-opening channel %d.", | ||
723 | channel); | ||
724 | |||
725 | /* Free the channel. This will also close the socket. */ | ||
726 | channel_free(channel); | ||
727 | } | ||
728 | |||
729 | /* Stops listening for channels, and removes any unix domain sockets that | ||
730 | we might have. */ | ||
731 | |||
732 | void channel_stop_listening() | ||
733 | { | ||
734 | int i; | ||
735 | for (i = 0; i < channels_alloc; i++) | ||
736 | { | ||
737 | switch (channels[i].type) | ||
738 | { | ||
739 | case SSH_CHANNEL_AUTH_SOCKET: | ||
740 | close(channels[i].sock); | ||
741 | remove(channels[i].path); | ||
742 | channel_free(i); | ||
743 | break; | ||
744 | case SSH_CHANNEL_PORT_LISTENER: | ||
745 | case SSH_CHANNEL_X11_LISTENER: | ||
746 | close(channels[i].sock); | ||
747 | channel_free(i); | ||
748 | break; | ||
749 | default: | ||
750 | break; | ||
751 | } | ||
752 | } | ||
753 | } | ||
754 | |||
755 | /* Closes the sockets of all channels. This is used to close extra file | ||
756 | descriptors after a fork. */ | ||
757 | |||
758 | void channel_close_all() | ||
759 | { | ||
760 | int i; | ||
761 | for (i = 0; i < channels_alloc; i++) | ||
762 | { | ||
763 | if (channels[i].type != SSH_CHANNEL_FREE) | ||
764 | close(channels[i].sock); | ||
765 | } | ||
766 | } | ||
767 | |||
768 | /* Returns the maximum file descriptor number used by the channels. */ | ||
769 | |||
770 | int channel_max_fd() | ||
771 | { | ||
772 | return channel_max_fd_value; | ||
773 | } | ||
774 | |||
775 | /* Returns true if any channel is still open. */ | ||
776 | |||
777 | int channel_still_open() | ||
778 | { | ||
779 | unsigned int i; | ||
780 | for (i = 0; i < channels_alloc; i++) | ||
781 | switch (channels[i].type) | ||
782 | { | ||
783 | case SSH_CHANNEL_FREE: | ||
784 | case SSH_CHANNEL_X11_LISTENER: | ||
785 | case SSH_CHANNEL_PORT_LISTENER: | ||
786 | case SSH_CHANNEL_CLOSED: | ||
787 | case SSH_CHANNEL_AUTH_SOCKET: | ||
788 | continue; | ||
789 | case SSH_CHANNEL_OPENING: | ||
790 | case SSH_CHANNEL_OPEN: | ||
791 | case SSH_CHANNEL_X11_OPEN: | ||
792 | return 1; | ||
793 | case SSH_CHANNEL_INPUT_DRAINING: | ||
794 | case SSH_CHANNEL_OUTPUT_DRAINING: | ||
795 | if (!compat13) | ||
796 | fatal("cannot happen: OUT_DRAIN"); | ||
797 | return 1; | ||
798 | default: | ||
799 | fatal("channel_still_open: bad channel type %d", channels[i].type); | ||
800 | /*NOTREACHED*/ | ||
801 | } | ||
802 | return 0; | ||
803 | } | ||
804 | |||
805 | /* Returns a message describing the currently open forwarded | ||
806 | connections, suitable for sending to the client. The message | ||
807 | contains crlf pairs for newlines. */ | ||
808 | |||
809 | char *channel_open_message() | ||
810 | { | ||
811 | Buffer buffer; | ||
812 | int i; | ||
813 | char buf[512], *cp; | ||
814 | |||
815 | buffer_init(&buffer); | ||
816 | snprintf(buf, sizeof buf, "The following connections are open:\r\n"); | ||
817 | buffer_append(&buffer, buf, strlen(buf)); | ||
818 | for (i = 0; i < channels_alloc; i++){ | ||
819 | Channel *c=&channels[i]; | ||
820 | switch (c->type) | ||
821 | { | ||
822 | case SSH_CHANNEL_FREE: | ||
823 | case SSH_CHANNEL_X11_LISTENER: | ||
824 | case SSH_CHANNEL_PORT_LISTENER: | ||
825 | case SSH_CHANNEL_CLOSED: | ||
826 | case SSH_CHANNEL_AUTH_SOCKET: | ||
827 | continue; | ||
828 | case SSH_CHANNEL_OPENING: | ||
829 | case SSH_CHANNEL_OPEN: | ||
830 | case SSH_CHANNEL_X11_OPEN: | ||
831 | case SSH_CHANNEL_INPUT_DRAINING: | ||
832 | case SSH_CHANNEL_OUTPUT_DRAINING: | ||
833 | snprintf(buf, sizeof buf, " #%d/%d %.300s\r\n", | ||
834 | c->self,c->type,c->remote_name); | ||
835 | buffer_append(&buffer, buf, strlen(buf)); | ||
836 | continue; | ||
837 | default: | ||
838 | fatal("channel_still_open: bad channel type %d", c->type); | ||
839 | /*NOTREACHED*/ | ||
840 | } | ||
841 | } | ||
842 | buffer_append(&buffer, "\0", 1); | ||
843 | cp = xstrdup(buffer_ptr(&buffer)); | ||
844 | buffer_free(&buffer); | ||
845 | return cp; | ||
846 | } | ||
847 | |||
848 | /* Initiate forwarding of connections to local port "port" through the secure | ||
849 | channel to host:port from remote side. */ | ||
850 | |||
851 | void channel_request_local_forwarding(int port, const char *host, | ||
852 | int host_port) | ||
853 | { | ||
854 | int ch, sock; | ||
855 | struct sockaddr_in sin; | ||
856 | extern Options options; | ||
857 | |||
858 | if (strlen(host) > sizeof(channels[0].path) - 1) | ||
859 | packet_disconnect("Forward host name too long."); | ||
860 | |||
861 | /* Create a port to listen for the host. */ | ||
862 | sock = socket(AF_INET, SOCK_STREAM, 0); | ||
863 | if (sock < 0) | ||
864 | packet_disconnect("socket: %.100s", strerror(errno)); | ||
865 | |||
866 | /* Initialize socket address. */ | ||
867 | memset(&sin, 0, sizeof(sin)); | ||
868 | sin.sin_family = AF_INET; | ||
869 | if (options.gateway_ports == 1) | ||
870 | sin.sin_addr.s_addr = htonl(INADDR_ANY); | ||
871 | else | ||
872 | sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); | ||
873 | sin.sin_port = htons(port); | ||
874 | |||
875 | /* Bind the socket to the address. */ | ||
876 | if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) | ||
877 | packet_disconnect("bind: %.100s", strerror(errno)); | ||
878 | |||
879 | /* Start listening for connections on the socket. */ | ||
880 | if (listen(sock, 5) < 0) | ||
881 | packet_disconnect("listen: %.100s", strerror(errno)); | ||
882 | |||
883 | /* Allocate a channel number for the socket. */ | ||
884 | ch = channel_allocate(SSH_CHANNEL_PORT_LISTENER, sock, | ||
885 | xstrdup("port listener")); | ||
886 | strcpy(channels[ch].path, host); /* note: host name stored here */ | ||
887 | channels[ch].host_port = host_port; /* port on host to connect to */ | ||
888 | channels[ch].listening_port = port; /* port being listened */ | ||
889 | } | ||
890 | |||
891 | /* Initiate forwarding of connections to port "port" on remote host through | ||
892 | the secure channel to host:port from local side. */ | ||
893 | |||
894 | void channel_request_remote_forwarding(int port, const char *host, | ||
895 | int remote_port) | ||
896 | { | ||
897 | int payload_len; | ||
898 | /* Record locally that connection to this host/port is permitted. */ | ||
899 | if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) | ||
900 | fatal("channel_request_remote_forwarding: too many forwards"); | ||
901 | permitted_opens[num_permitted_opens].host = xstrdup(host); | ||
902 | permitted_opens[num_permitted_opens].port = remote_port; | ||
903 | num_permitted_opens++; | ||
904 | |||
905 | /* Send the forward request to the remote side. */ | ||
906 | packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); | ||
907 | packet_put_int(port); | ||
908 | packet_put_string(host, strlen(host)); | ||
909 | packet_put_int(remote_port); | ||
910 | packet_send(); | ||
911 | packet_write_wait(); | ||
912 | |||
913 | /* Wait for response from the remote side. It will send a disconnect | ||
914 | message on failure, and we will never see it here. */ | ||
915 | packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); | ||
916 | } | ||
917 | |||
918 | /* This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates | ||
919 | listening for the port, and sends back a success reply (or disconnect | ||
920 | message if there was an error). This never returns if there was an | ||
921 | error. */ | ||
922 | |||
923 | void channel_input_port_forward_request(int is_root) | ||
924 | { | ||
925 | int port, host_port; | ||
926 | char *hostname; | ||
927 | |||
928 | /* Get arguments from the packet. */ | ||
929 | port = packet_get_int(); | ||
930 | hostname = packet_get_string(NULL); | ||
931 | host_port = packet_get_int(); | ||
932 | |||
933 | /* Port numbers are 16 bit quantities. */ | ||
934 | if ((port & 0xffff) != port) | ||
935 | packet_disconnect("Requested forwarding of nonexistent port %d.", port); | ||
936 | |||
937 | /* Check that an unprivileged user is not trying to forward a privileged | ||
938 | port. */ | ||
939 | if (port < IPPORT_RESERVED && !is_root) | ||
940 | packet_disconnect("Requested forwarding of port %d but user is not root.", | ||
941 | port); | ||
942 | |||
943 | /* Initiate forwarding. */ | ||
944 | channel_request_local_forwarding(port, hostname, host_port); | ||
945 | |||
946 | /* Free the argument string. */ | ||
947 | xfree(hostname); | ||
948 | } | ||
949 | |||
950 | /* This is called after receiving PORT_OPEN message. This attempts to connect | ||
951 | to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION or | ||
952 | CHANNEL_OPEN_FAILURE. */ | ||
953 | |||
954 | void channel_input_port_open(int payload_len) | ||
955 | { | ||
956 | int remote_channel, sock, newch, host_port, i; | ||
957 | struct sockaddr_in sin; | ||
958 | char *host, *originator_string; | ||
959 | struct hostent *hp; | ||
960 | int host_len, originator_len; | ||
961 | |||
962 | /* Get remote channel number. */ | ||
963 | remote_channel = packet_get_int(); | ||
964 | |||
965 | /* Get host name to connect to. */ | ||
966 | host = packet_get_string(&host_len); | ||
967 | |||
968 | /* Get port to connect to. */ | ||
969 | host_port = packet_get_int(); | ||
970 | |||
971 | /* Get remote originator name. */ | ||
972 | if (have_hostname_in_open) | ||
973 | originator_string = packet_get_string(&originator_len); | ||
974 | else | ||
975 | originator_string = xstrdup("unknown (remote did not supply name)"); | ||
976 | |||
977 | packet_integrity_check(payload_len, | ||
978 | 4 + 4 + host_len + 4 + 4 + originator_len, | ||
979 | SSH_MSG_PORT_OPEN); | ||
980 | |||
981 | /* Check if opening that port is permitted. */ | ||
982 | if (!all_opens_permitted) | ||
983 | { | ||
984 | /* Go trough all permitted ports. */ | ||
985 | for (i = 0; i < num_permitted_opens; i++) | ||
986 | if (permitted_opens[i].port == host_port && | ||
987 | strcmp(permitted_opens[i].host, host) == 0) | ||
988 | break; | ||
989 | |||
990 | /* Check if we found the requested port among those permitted. */ | ||
991 | if (i >= num_permitted_opens) | ||
992 | { | ||
993 | /* The port is not permitted. */ | ||
994 | log("Received request to connect to %.100s:%d, but the request was denied.", | ||
995 | host, host_port); | ||
996 | packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); | ||
997 | packet_put_int(remote_channel); | ||
998 | packet_send(); | ||
999 | } | ||
1000 | } | ||
1001 | |||
1002 | memset(&sin, 0, sizeof(sin)); | ||
1003 | sin.sin_addr.s_addr = inet_addr(host); | ||
1004 | if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) | ||
1005 | { | ||
1006 | /* It was a valid numeric host address. */ | ||
1007 | sin.sin_family = AF_INET; | ||
1008 | } | ||
1009 | else | ||
1010 | { | ||
1011 | /* Look up the host address from the name servers. */ | ||
1012 | hp = gethostbyname(host); | ||
1013 | if (!hp) | ||
1014 | { | ||
1015 | error("%.100s: unknown host.", host); | ||
1016 | goto fail; | ||
1017 | } | ||
1018 | if (!hp->h_addr_list[0]) | ||
1019 | { | ||
1020 | error("%.100s: host has no IP address.", host); | ||
1021 | goto fail; | ||
1022 | } | ||
1023 | sin.sin_family = hp->h_addrtype; | ||
1024 | memcpy(&sin.sin_addr, hp->h_addr_list[0], | ||
1025 | sizeof(sin.sin_addr)); | ||
1026 | } | ||
1027 | sin.sin_port = htons(host_port); | ||
1028 | |||
1029 | /* Create the socket. */ | ||
1030 | sock = socket(sin.sin_family, SOCK_STREAM, 0); | ||
1031 | if (sock < 0) | ||
1032 | { | ||
1033 | error("socket: %.100s", strerror(errno)); | ||
1034 | goto fail; | ||
1035 | } | ||
1036 | |||
1037 | /* Connect to the host/port. */ | ||
1038 | if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) | ||
1039 | { | ||
1040 | error("connect %.100s:%d: %.100s", host, host_port, | ||
1041 | strerror(errno)); | ||
1042 | close(sock); | ||
1043 | goto fail; | ||
1044 | } | ||
1045 | |||
1046 | /* Successful connection. */ | ||
1047 | |||
1048 | /* Allocate a channel for this connection. */ | ||
1049 | newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string); | ||
1050 | channels[newch].remote_id = remote_channel; | ||
1051 | |||
1052 | /* Send a confirmation to the remote host. */ | ||
1053 | packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); | ||
1054 | packet_put_int(remote_channel); | ||
1055 | packet_put_int(newch); | ||
1056 | packet_send(); | ||
1057 | |||
1058 | /* Free the argument string. */ | ||
1059 | xfree(host); | ||
1060 | |||
1061 | return; | ||
1062 | |||
1063 | fail: | ||
1064 | /* Free the argument string. */ | ||
1065 | xfree(host); | ||
1066 | |||
1067 | /* Send refusal to the remote host. */ | ||
1068 | packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); | ||
1069 | packet_put_int(remote_channel); | ||
1070 | packet_send(); | ||
1071 | } | ||
1072 | |||
1073 | /* Creates an internet domain socket for listening for X11 connections. | ||
1074 | Returns a suitable value for the DISPLAY variable, or NULL if an error | ||
1075 | occurs. */ | ||
1076 | |||
1077 | char *x11_create_display_inet(int screen_number) | ||
1078 | { | ||
1079 | extern ServerOptions options; | ||
1080 | int display_number, port, sock; | ||
1081 | struct sockaddr_in sin; | ||
1082 | char buf[512]; | ||
1083 | char hostname[MAXHOSTNAMELEN]; | ||
1084 | |||
1085 | for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++) | ||
1086 | { | ||
1087 | port = 6000 + display_number; | ||
1088 | memset(&sin, 0, sizeof(sin)); | ||
1089 | sin.sin_family = AF_INET; | ||
1090 | sin.sin_addr.s_addr = htonl(INADDR_ANY); | ||
1091 | sin.sin_port = htons(port); | ||
1092 | |||
1093 | sock = socket(AF_INET, SOCK_STREAM, 0); | ||
1094 | if (sock < 0) | ||
1095 | { | ||
1096 | error("socket: %.100s", strerror(errno)); | ||
1097 | return NULL; | ||
1098 | } | ||
1099 | |||
1100 | if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) | ||
1101 | { | ||
1102 | debug("bind port %d: %.100s", port, strerror(errno)); | ||
1103 | shutdown(sock, SHUT_RDWR); | ||
1104 | close(sock); | ||
1105 | continue; | ||
1106 | } | ||
1107 | break; | ||
1108 | } | ||
1109 | if (display_number >= MAX_DISPLAYS) | ||
1110 | { | ||
1111 | error("Failed to allocate internet-domain X11 display socket."); | ||
1112 | return NULL; | ||
1113 | } | ||
1114 | |||
1115 | /* Start listening for connections on the socket. */ | ||
1116 | if (listen(sock, 5) < 0) | ||
1117 | { | ||
1118 | error("listen: %.100s", strerror(errno)); | ||
1119 | shutdown(sock, SHUT_RDWR); | ||
1120 | close(sock); | ||
1121 | return NULL; | ||
1122 | } | ||
1123 | |||
1124 | /* Set up a suitable value for the DISPLAY variable. */ | ||
1125 | if (gethostname(hostname, sizeof(hostname)) < 0) | ||
1126 | fatal("gethostname: %.100s", strerror(errno)); | ||
1127 | snprintf(buf, sizeof buf, "%.400s:%d.%d", hostname, | ||
1128 | display_number, screen_number); | ||
1129 | |||
1130 | /* Allocate a channel for the socket. */ | ||
1131 | (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock, | ||
1132 | xstrdup("X11 inet listener")); | ||
1133 | |||
1134 | /* Return a suitable value for the DISPLAY environment variable. */ | ||
1135 | return xstrdup(buf); | ||
1136 | } | ||
1137 | |||
1138 | #ifndef X_UNIX_PATH | ||
1139 | #define X_UNIX_PATH "/tmp/.X11-unix/X" | ||
1140 | #endif | ||
1141 | |||
1142 | static | ||
1143 | int | ||
1144 | connect_local_xsocket(unsigned dnr) | ||
1145 | { | ||
1146 | static const char *const x_sockets[] = { | ||
1147 | X_UNIX_PATH "%u", | ||
1148 | "/var/X/.X11-unix/X" "%u", | ||
1149 | "/usr/spool/sockets/X11/" "%u", | ||
1150 | NULL | ||
1151 | }; | ||
1152 | int sock; | ||
1153 | struct sockaddr_un addr; | ||
1154 | const char *const *path; | ||
1155 | |||
1156 | for (path = x_sockets; *path; ++path) | ||
1157 | { | ||
1158 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | ||
1159 | if (sock < 0) | ||
1160 | error("socket: %.100s", strerror(errno)); | ||
1161 | memset(&addr, 0, sizeof(addr)); | ||
1162 | addr.sun_family = AF_UNIX; | ||
1163 | snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr); | ||
1164 | if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) | ||
1165 | return sock; | ||
1166 | close(sock); | ||
1167 | } | ||
1168 | error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); | ||
1169 | return -1; | ||
1170 | } | ||
1171 | |||
1172 | |||
1173 | /* This is called when SSH_SMSG_X11_OPEN is received. The packet contains | ||
1174 | the remote channel number. We should do whatever we want, and respond | ||
1175 | with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE. */ | ||
1176 | |||
1177 | void x11_input_open(int payload_len) | ||
1178 | { | ||
1179 | int remote_channel, display_number, sock, newch; | ||
1180 | const char *display; | ||
1181 | struct sockaddr_in sin; | ||
1182 | char buf[1024], *cp, *remote_host; | ||
1183 | struct hostent *hp; | ||
1184 | int remote_len; | ||
1185 | |||
1186 | /* Get remote channel number. */ | ||
1187 | remote_channel = packet_get_int(); | ||
1188 | |||
1189 | /* Get remote originator name. */ | ||
1190 | if (have_hostname_in_open) | ||
1191 | remote_host = packet_get_string(&remote_len); | ||
1192 | else | ||
1193 | remote_host = xstrdup("unknown (remote did not supply name)"); | ||
1194 | |||
1195 | debug("Received X11 open request."); | ||
1196 | packet_integrity_check(payload_len, 4 + 4+remote_len, SSH_SMSG_X11_OPEN); | ||
1197 | |||
1198 | /* Try to open a socket for the local X server. */ | ||
1199 | display = getenv("DISPLAY"); | ||
1200 | if (!display) | ||
1201 | { | ||
1202 | error("DISPLAY not set."); | ||
1203 | goto fail; | ||
1204 | } | ||
1205 | |||
1206 | /* Now we decode the value of the DISPLAY variable and make a connection | ||
1207 | to the real X server. */ | ||
1208 | |||
1209 | /* Check if it is a unix domain socket. Unix domain displays are in one | ||
1210 | of the following formats: unix:d[.s], :d[.s], ::d[.s] */ | ||
1211 | if (strncmp(display, "unix:", 5) == 0 || | ||
1212 | display[0] == ':') | ||
1213 | { | ||
1214 | /* Connect to the unix domain socket. */ | ||
1215 | if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) | ||
1216 | { | ||
1217 | error("Could not parse display number from DISPLAY: %.100s", | ||
1218 | display); | ||
1219 | goto fail; | ||
1220 | } | ||
1221 | /* Create a socket. */ | ||
1222 | sock = connect_local_xsocket(display_number); | ||
1223 | if (sock < 0) | ||
1224 | goto fail; | ||
1225 | |||
1226 | /* OK, we now have a connection to the display. */ | ||
1227 | goto success; | ||
1228 | } | ||
1229 | |||
1230 | /* Connect to an inet socket. The DISPLAY value is supposedly | ||
1231 | hostname:d[.s], where hostname may also be numeric IP address. */ | ||
1232 | strncpy(buf, display, sizeof(buf)); | ||
1233 | buf[sizeof(buf) - 1] = 0; | ||
1234 | cp = strchr(buf, ':'); | ||
1235 | if (!cp) | ||
1236 | { | ||
1237 | error("Could not find ':' in DISPLAY: %.100s", display); | ||
1238 | goto fail; | ||
1239 | } | ||
1240 | *cp = 0; | ||
1241 | /* buf now contains the host name. But first we parse the display number. */ | ||
1242 | if (sscanf(cp + 1, "%d", &display_number) != 1) | ||
1243 | { | ||
1244 | error("Could not parse display number from DISPLAY: %.100s", | ||
1245 | display); | ||
1246 | goto fail; | ||
1247 | } | ||
1248 | |||
1249 | /* Try to parse the host name as a numeric IP address. */ | ||
1250 | memset(&sin, 0, sizeof(sin)); | ||
1251 | sin.sin_addr.s_addr = inet_addr(buf); | ||
1252 | if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) | ||
1253 | { | ||
1254 | /* It was a valid numeric host address. */ | ||
1255 | sin.sin_family = AF_INET; | ||
1256 | } | ||
1257 | else | ||
1258 | { | ||
1259 | /* Not a numeric IP address. */ | ||
1260 | /* Look up the host address from the name servers. */ | ||
1261 | hp = gethostbyname(buf); | ||
1262 | if (!hp) | ||
1263 | { | ||
1264 | error("%.100s: unknown host.", buf); | ||
1265 | goto fail; | ||
1266 | } | ||
1267 | if (!hp->h_addr_list[0]) | ||
1268 | { | ||
1269 | error("%.100s: host has no IP address.", buf); | ||
1270 | goto fail; | ||
1271 | } | ||
1272 | sin.sin_family = hp->h_addrtype; | ||
1273 | memcpy(&sin.sin_addr, hp->h_addr_list[0], | ||
1274 | sizeof(sin.sin_addr)); | ||
1275 | } | ||
1276 | /* Set port number. */ | ||
1277 | sin.sin_port = htons(6000 + display_number); | ||
1278 | |||
1279 | /* Create a socket. */ | ||
1280 | sock = socket(sin.sin_family, SOCK_STREAM, 0); | ||
1281 | if (sock < 0) | ||
1282 | { | ||
1283 | error("socket: %.100s", strerror(errno)); | ||
1284 | goto fail; | ||
1285 | } | ||
1286 | /* Connect it to the display. */ | ||
1287 | if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) | ||
1288 | { | ||
1289 | error("connect %.100s:%d: %.100s", buf, 6000 + display_number, | ||
1290 | strerror(errno)); | ||
1291 | close(sock); | ||
1292 | goto fail; | ||
1293 | } | ||
1294 | |||
1295 | success: | ||
1296 | /* We have successfully obtained a connection to the real X display. */ | ||
1297 | |||
1298 | /* Allocate a channel for this connection. */ | ||
1299 | if (x11_saved_proto == NULL) | ||
1300 | newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host); | ||
1301 | else | ||
1302 | newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host); | ||
1303 | channels[newch].remote_id = remote_channel; | ||
1304 | |||
1305 | /* Send a confirmation to the remote host. */ | ||
1306 | packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); | ||
1307 | packet_put_int(remote_channel); | ||
1308 | packet_put_int(newch); | ||
1309 | packet_send(); | ||
1310 | |||
1311 | return; | ||
1312 | |||
1313 | fail: | ||
1314 | /* Send refusal to the remote host. */ | ||
1315 | packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); | ||
1316 | packet_put_int(remote_channel); | ||
1317 | packet_send(); | ||
1318 | } | ||
1319 | |||
1320 | /* Requests forwarding of X11 connections, generates fake authentication | ||
1321 | data, and enables authentication spoofing. */ | ||
1322 | |||
1323 | void x11_request_forwarding_with_spoofing(const char *proto, const char *data) | ||
1324 | { | ||
1325 | unsigned int data_len = (unsigned int)strlen(data) / 2; | ||
1326 | unsigned int i, value; | ||
1327 | char *new_data; | ||
1328 | int screen_number; | ||
1329 | const char *cp; | ||
1330 | u_int32_t rand = 0; | ||
1331 | |||
1332 | cp = getenv("DISPLAY"); | ||
1333 | if (cp) | ||
1334 | cp = strchr(cp, ':'); | ||
1335 | if (cp) | ||
1336 | cp = strchr(cp, '.'); | ||
1337 | if (cp) | ||
1338 | screen_number = atoi(cp + 1); | ||
1339 | else | ||
1340 | screen_number = 0; | ||
1341 | |||
1342 | /* Save protocol name. */ | ||
1343 | x11_saved_proto = xstrdup(proto); | ||
1344 | |||
1345 | /* Extract real authentication data and generate fake data of the same | ||
1346 | length. */ | ||
1347 | x11_saved_data = xmalloc(data_len); | ||
1348 | x11_fake_data = xmalloc(data_len); | ||
1349 | for (i = 0; i < data_len; i++) | ||
1350 | { | ||
1351 | if (sscanf(data + 2 * i, "%2x", &value) != 1) | ||
1352 | fatal("x11_request_forwarding: bad authentication data: %.100s", data); | ||
1353 | if (i % 4 == 0) | ||
1354 | rand = arc4random(); | ||
1355 | x11_saved_data[i] = value; | ||
1356 | x11_fake_data[i] = rand & 0xff; | ||
1357 | rand >>= 8; | ||
1358 | } | ||
1359 | x11_saved_data_len = data_len; | ||
1360 | x11_fake_data_len = data_len; | ||
1361 | |||
1362 | /* Convert the fake data into hex. */ | ||
1363 | new_data = xmalloc(2 * data_len + 1); | ||
1364 | for (i = 0; i < data_len; i++) | ||
1365 | sprintf(new_data + 2 * i, "%02x", (unsigned char)x11_fake_data[i]); | ||
1366 | |||
1367 | /* Send the request packet. */ | ||
1368 | packet_start(SSH_CMSG_X11_REQUEST_FORWARDING); | ||
1369 | packet_put_string(proto, strlen(proto)); | ||
1370 | packet_put_string(new_data, strlen(new_data)); | ||
1371 | packet_put_int(screen_number); | ||
1372 | packet_send(); | ||
1373 | packet_write_wait(); | ||
1374 | xfree(new_data); | ||
1375 | } | ||
1376 | |||
1377 | /* Sends a message to the server to request authentication fd forwarding. */ | ||
1378 | |||
1379 | void auth_request_forwarding() | ||
1380 | { | ||
1381 | packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING); | ||
1382 | packet_send(); | ||
1383 | packet_write_wait(); | ||
1384 | } | ||
1385 | |||
1386 | /* Returns the name of the forwarded authentication socket. Returns NULL | ||
1387 | if there is no forwarded authentication socket. The returned value | ||
1388 | points to a static buffer. */ | ||
1389 | |||
1390 | char *auth_get_socket_name() | ||
1391 | { | ||
1392 | return channel_forwarded_auth_socket_name; | ||
1393 | } | ||
1394 | |||
1395 | /* removes the agent forwarding socket */ | ||
1396 | |||
1397 | void cleanup_socket(void) { | ||
1398 | remove(channel_forwarded_auth_socket_name); | ||
1399 | rmdir(channel_forwarded_auth_socket_dir); | ||
1400 | } | ||
1401 | |||
1402 | /* This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. | ||
1403 | This starts forwarding authentication requests. */ | ||
1404 | |||
1405 | void auth_input_request_forwarding(struct passwd *pw) | ||
1406 | { | ||
1407 | int sock, newch; | ||
1408 | struct sockaddr_un sunaddr; | ||
1409 | |||
1410 | if (auth_get_socket_name() != NULL) | ||
1411 | fatal("Protocol error: authentication forwarding requested twice."); | ||
1412 | |||
1413 | /* Temporarily drop privileged uid for mkdir/bind. */ | ||
1414 | temporarily_use_uid(pw->pw_uid); | ||
1415 | |||
1416 | /* Allocate a buffer for the socket name, and format the name. */ | ||
1417 | channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME); | ||
1418 | channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME); | ||
1419 | strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME); | ||
1420 | |||
1421 | /* Create private directory for socket */ | ||
1422 | if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) | ||
1423 | packet_disconnect("mkdtemp: %.100s", strerror(errno)); | ||
1424 | snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, | ||
1425 | "%s/agent.%d", channel_forwarded_auth_socket_dir, (int)getpid()); | ||
1426 | |||
1427 | if (atexit(cleanup_socket) < 0) { | ||
1428 | int saved=errno; | ||
1429 | cleanup_socket(); | ||
1430 | packet_disconnect("socket: %.100s", strerror(saved)); | ||
1431 | } | ||
1432 | |||
1433 | /* Create the socket. */ | ||
1434 | sock = socket(AF_UNIX, SOCK_STREAM, 0); | ||
1435 | if (sock < 0) | ||
1436 | packet_disconnect("socket: %.100s", strerror(errno)); | ||
1437 | |||
1438 | /* Bind it to the name. */ | ||
1439 | memset(&sunaddr, 0, sizeof(sunaddr)); | ||
1440 | sunaddr.sun_family = AF_UNIX; | ||
1441 | strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name, | ||
1442 | sizeof(sunaddr.sun_path)); | ||
1443 | |||
1444 | if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) | ||
1445 | packet_disconnect("bind: %.100s", strerror(errno)); | ||
1446 | |||
1447 | /* Restore the privileged uid. */ | ||
1448 | restore_uid(); | ||
1449 | |||
1450 | /* Start listening on the socket. */ | ||
1451 | if (listen(sock, 5) < 0) | ||
1452 | packet_disconnect("listen: %.100s", strerror(errno)); | ||
1453 | |||
1454 | /* Allocate a channel for the authentication agent socket. */ | ||
1455 | newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock, | ||
1456 | xstrdup("auth socket")); | ||
1457 | strcpy(channels[newch].path, channel_forwarded_auth_socket_name); | ||
1458 | } | ||
1459 | |||
1460 | /* This is called to process an SSH_SMSG_AGENT_OPEN message. */ | ||
1461 | |||
1462 | void auth_input_open_request() | ||
1463 | { | ||
1464 | int remch, sock, newch; | ||
1465 | char *dummyname; | ||
1466 | |||
1467 | /* Read the remote channel number from the message. */ | ||
1468 | remch = packet_get_int(); | ||
1469 | |||
1470 | /* Get a connection to the local authentication agent (this may again get | ||
1471 | forwarded). */ | ||
1472 | sock = ssh_get_authentication_socket(); | ||
1473 | |||
1474 | /* If we could not connect the agent, send an error message back to | ||
1475 | the server. This should never happen unless the agent | ||
1476 | dies, because authentication forwarding is only enabled if we have an | ||
1477 | agent. */ | ||
1478 | if (sock < 0){ | ||
1479 | packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); | ||
1480 | packet_put_int(remch); | ||
1481 | packet_send(); | ||
1482 | return; | ||
1483 | } | ||
1484 | |||
1485 | debug("Forwarding authentication connection."); | ||
1486 | |||
1487 | /* Dummy host name. This will be freed when the channel is freed; it will | ||
1488 | still be valid in the packet_put_string below since the channel cannot | ||
1489 | yet be freed at that point. */ | ||
1490 | dummyname = xstrdup("authentication agent connection"); | ||
1491 | |||
1492 | newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname); | ||
1493 | channels[newch].remote_id = remch; | ||
1494 | |||
1495 | /* Send a confirmation to the remote host. */ | ||
1496 | packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); | ||
1497 | packet_put_int(remch); | ||
1498 | packet_put_int(newch); | ||
1499 | packet_send(); | ||
1500 | } | ||