summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--channels.c18
-rw-r--r--channels.h3
-rw-r--r--clientloop.c29
3 files changed, 40 insertions, 10 deletions
diff --git a/channels.c b/channels.c
index 3fe836aad..a84b487e5 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.c,v 1.346 2015/06/30 05:25:07 djm Exp $ */ 1/* $OpenBSD: channels.c,v 1.347 2015/07/01 02:26:31 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -161,6 +161,9 @@ static char *x11_saved_proto = NULL;
161static char *x11_saved_data = NULL; 161static char *x11_saved_data = NULL;
162static u_int x11_saved_data_len = 0; 162static u_int x11_saved_data_len = 0;
163 163
164/* Deadline after which all X11 connections are refused */
165static u_int x11_refuse_time;
166
164/* 167/*
165 * Fake X11 authentication data. This is what the server will be sending us; 168 * Fake X11 authentication data. This is what the server will be sending us;
166 * we should replace any occurrences of this by the real data. 169 * we should replace any occurrences of this by the real data.
@@ -912,6 +915,13 @@ x11_open_helper(Buffer *b)
912 u_char *ucp; 915 u_char *ucp;
913 u_int proto_len, data_len; 916 u_int proto_len, data_len;
914 917
918 /* Is this being called after the refusal deadline? */
919 if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
920 verbose("Rejected X11 connection after ForwardX11Timeout "
921 "expired");
922 return -1;
923 }
924
915 /* Check if the fixed size part of the packet is in buffer. */ 925 /* Check if the fixed size part of the packet is in buffer. */
916 if (buffer_len(b) < 12) 926 if (buffer_len(b) < 12)
917 return 0; 927 return 0;
@@ -1483,6 +1493,12 @@ channel_set_reuseaddr(int fd)
1483 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno)); 1493 error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
1484} 1494}
1485 1495
1496void
1497channel_set_x11_refuse_time(u_int refuse_time)
1498{
1499 x11_refuse_time = refuse_time;
1500}
1501
1486/* 1502/*
1487 * This socket is listening for connections to a forwarded TCP/IP port. 1503 * This socket is listening for connections to a forwarded TCP/IP port.
1488 */ 1504 */
diff --git a/channels.h b/channels.h
index b9b486027..9d76c9d2a 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: channels.h,v 1.117 2015/05/08 06:45:13 djm Exp $ */ 1/* $OpenBSD: channels.h,v 1.118 2015/07/01 02:26:31 djm Exp $ */
2 2
3/* 3/*
4 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -284,6 +284,7 @@ int permitopen_port(const char *);
284 284
285/* x11 forwarding */ 285/* x11 forwarding */
286 286
287void channel_set_x11_refuse_time(u_int);
287int x11_connect_display(void); 288int x11_connect_display(void);
288int x11_create_display_inet(int, int, int, u_int *, int **); 289int x11_create_display_inet(int, int, int, u_int *, int **);
289int x11_input_open(int, u_int32_t, void *); 290int x11_input_open(int, u_int32_t, void *);
diff --git a/clientloop.c b/clientloop.c
index 040deb992..dc0e557ad 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: clientloop.c,v 1.273 2015/05/04 06:10:48 djm Exp $ */ 1/* $OpenBSD: clientloop.c,v 1.274 2015/07/01 02:26:31 djm Exp $ */
2/* 2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -163,7 +163,7 @@ static int connection_in; /* Connection to server (input). */
163static int connection_out; /* Connection to server (output). */ 163static int connection_out; /* Connection to server (output). */
164static int need_rekeying; /* Set to non-zero if rekeying is requested. */ 164static int need_rekeying; /* Set to non-zero if rekeying is requested. */
165static int session_closed; /* In SSH2: login session closed. */ 165static int session_closed; /* In SSH2: login session closed. */
166static int x11_refuse_time; /* If >0, refuse x11 opens after this time. */ 166static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
167 167
168static void client_init_dispatch(void); 168static void client_init_dispatch(void);
169int session_ident = -1; 169int session_ident = -1;
@@ -298,7 +298,8 @@ client_x11_display_valid(const char *display)
298 return 1; 298 return 1;
299} 299}
300 300
301#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" 301#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
302#define X11_TIMEOUT_SLACK 60
302void 303void
303client_x11_get_proto(const char *display, const char *xauth_path, 304client_x11_get_proto(const char *display, const char *xauth_path,
304 u_int trusted, u_int timeout, char **_proto, char **_data) 305 u_int trusted, u_int timeout, char **_proto, char **_data)
@@ -311,7 +312,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
311 int got_data = 0, generated = 0, do_unlink = 0, i; 312 int got_data = 0, generated = 0, do_unlink = 0, i;
312 char *xauthdir, *xauthfile; 313 char *xauthdir, *xauthfile;
313 struct stat st; 314 struct stat st;
314 u_int now; 315 u_int now, x11_timeout_real;
315 316
316 xauthdir = xauthfile = NULL; 317 xauthdir = xauthfile = NULL;
317 *_proto = proto; 318 *_proto = proto;
@@ -344,6 +345,15 @@ client_x11_get_proto(const char *display, const char *xauth_path,
344 xauthdir = xmalloc(PATH_MAX); 345 xauthdir = xmalloc(PATH_MAX);
345 xauthfile = xmalloc(PATH_MAX); 346 xauthfile = xmalloc(PATH_MAX);
346 mktemp_proto(xauthdir, PATH_MAX); 347 mktemp_proto(xauthdir, PATH_MAX);
348 /*
349 * The authentication cookie should briefly outlive
350 * ssh's willingness to forward X11 connections to
351 * avoid nasty fail-open behaviour in the X server.
352 */
353 if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
354 x11_timeout_real = UINT_MAX;
355 else
356 x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
347 if (mkdtemp(xauthdir) != NULL) { 357 if (mkdtemp(xauthdir) != NULL) {
348 do_unlink = 1; 358 do_unlink = 1;
349 snprintf(xauthfile, PATH_MAX, "%s/xauthfile", 359 snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
@@ -351,17 +361,20 @@ client_x11_get_proto(const char *display, const char *xauth_path,
351 snprintf(cmd, sizeof(cmd), 361 snprintf(cmd, sizeof(cmd),
352 "%s -f %s generate %s " SSH_X11_PROTO 362 "%s -f %s generate %s " SSH_X11_PROTO
353 " untrusted timeout %u 2>" _PATH_DEVNULL, 363 " untrusted timeout %u 2>" _PATH_DEVNULL,
354 xauth_path, xauthfile, display, timeout); 364 xauth_path, xauthfile, display,
365 x11_timeout_real);
355 debug2("x11_get_proto: %s", cmd); 366 debug2("x11_get_proto: %s", cmd);
356 if (system(cmd) == 0)
357 generated = 1;
358 if (x11_refuse_time == 0) { 367 if (x11_refuse_time == 0) {
359 now = monotime() + 1; 368 now = monotime() + 1;
360 if (UINT_MAX - timeout < now) 369 if (UINT_MAX - timeout < now)
361 x11_refuse_time = UINT_MAX; 370 x11_refuse_time = UINT_MAX;
362 else 371 else
363 x11_refuse_time = now + timeout; 372 x11_refuse_time = now + timeout;
373 channel_set_x11_refuse_time(
374 x11_refuse_time);
364 } 375 }
376 if (system(cmd) == 0)
377 generated = 1;
365 } 378 }
366 } 379 }
367 380
@@ -1889,7 +1902,7 @@ client_request_x11(const char *request_type, int rchan)
1889 "malicious server."); 1902 "malicious server.");
1890 return NULL; 1903 return NULL;
1891 } 1904 }
1892 if (x11_refuse_time != 0 && monotime() >= x11_refuse_time) { 1905 if (x11_refuse_time != 0 && (u_int)monotime() >= x11_refuse_time) {
1893 verbose("Rejected X11 connection after ForwardX11Timeout " 1906 verbose("Rejected X11 connection after ForwardX11Timeout "
1894 "expired"); 1907 "expired");
1895 return NULL; 1908 return NULL;