1 /* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */
2 /*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * All rights reserved
6 * This file contains functions for generic socket connection forwarding.
7 * There is also code for initiating connection forwarding for X11 connections,
8 * arbitrary tcp/ip connections, and the authentication agent connection.
9 *
10 * As far as I am concerned, the code I have written for this software
11 * can be used freely for any purpose. Any derived versions of this
12 * software must be clearly marked as such, and if the derived work is
13 * incompatible with the protocol description in the RFC file, it must be
14 * called by a name other than "ssh" or "Secure Shell".
15 *
16 * SSH2 support added by Markus Friedl.
17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
18 * Copyright (c) 1999 Dug Song. All rights reserved.
19 * Copyright (c) 1999 Theo de Raadt. All rights reserved.
20 *
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
23 * are met:
24 * 1. Redistributions of source code must retain the above copyright
25 * notice, this list of conditions and the following disclaimer.
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in the
28 * documentation and/or other materials provided with the distribution.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40 */
41
42 #include "includes.h"
43
44 #include <sys/types.h>
45 #include <sys/stat.h>
46 #include <sys/ioctl.h>
47 #include <sys/un.h>
48 #include <sys/socket.h>
49 #ifdef HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 #endif
52
53 #include <netinet/in.h>
54 #include <arpa/inet.h>
55
56 #include <errno.h>
57 #include <fcntl.h>
58 #include <limits.h>
59 #include <netdb.h>
60 #ifdef HAVE_POLL_H
61 #include <poll.h>
62 #endif
63 #include <stdarg.h>
64 #ifdef HAVE_STDINT_H
65 # include <stdint.h>
66 #endif
67 #include <stdio.h>
68 #include <stdlib.h>
69 #include <string.h>
70 #include <termios.h>
71 #include <unistd.h>
72
73 #include "openbsd-compat/sys-queue.h"
74 #include "xmalloc.h"
75 #include "ssh.h"
76 #include "ssh2.h"
77 #include "ssherr.h"
78 #include "sshbuf.h"
79 #include "packet.h"
80 #include "log.h"
81 #include "misc.h"
82 #include "channels.h"
83 #include "compat.h"
84 #include "canohost.h"
85 #include "sshkey.h"
86 #include "authfd.h"
87 #include "pathnames.h"
88 #include "match.h"
89
90 /* XXX remove once we're satisfied there's no lurking bugs */
91 /* #define DEBUG_CHANNEL_POLL 1 */
92
93 /* -- agent forwarding */
94 #define NUM_SOCKS 10
95
96 /* -- tcp forwarding */
97 /* special-case port number meaning allow any port */
98 #define FWD_PERMIT_ANY_PORT 0
99
100 /* special-case wildcard meaning allow any host */
101 #define FWD_PERMIT_ANY_HOST "*"
102
103 /* -- X11 forwarding */
104 /* Maximum number of fake X11 displays to try. */
105 #define MAX_DISPLAYS 1000
106
107 /* Per-channel callback for pre/post IO actions */
108 typedef void chan_fn(struct ssh *, Channel *c);
109
110 /*
111 * Data structure for storing which hosts are permitted for forward requests.
112 * The local sides of any remote forwards are stored in this array to prevent
113 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
114 * network (which might be behind a firewall).
115 */
116 /* XXX: streamlocal wants a path instead of host:port */
117 /* Overload host_to_connect; we could just make this match Forward */
118 /* XXX - can we use listen_host instead of listen_path? */
119 struct permission {
120 char *host_to_connect; /* Connect to 'host'. */
121 int port_to_connect; /* Connect to 'port'. */
122 char *listen_host; /* Remote side should listen address. */
123 char *listen_path; /* Remote side should listen path. */
124 int listen_port; /* Remote side should listen port. */
125 Channel *downstream; /* Downstream mux*/
126 };
127
128 /*
129 * Stores the forwarding permission state for a single direction (local or
130 * remote).
131 */
132 struct permission_set {
133 /*
134 * List of all local permitted host/port pairs to allow for the
135 * user.
136 */
137 u_int num_permitted_user;
138 struct permission *permitted_user;
139
140 /*
141 * List of all permitted host/port pairs to allow for the admin.
142 */
143 u_int num_permitted_admin;
144 struct permission *permitted_admin;
145
146 /*
147 * If this is true, all opens/listens are permitted. This is the
148 * case on the server on which we have to trust the client anyway,
149 * and the user could do anything after logging in.
150 */
151 int all_permitted;
152 };
153
154 /* Master structure for channels state */
155 struct ssh_channels {
156 /*
157 * Pointer to an array containing all allocated channels. The array
158 * is dynamically extended as needed.
159 */
160 Channel **channels;
161
162 /*
163 * Size of the channel array. All slots of the array must always be
164 * initialized (at least the type field); unused slots set to NULL
165 */
166 u_int channels_alloc;
167
168 /*
169 * 'channel_pre*' are called just before IO to add any bits
170 * relevant to channels in the c->io_want bitmasks.
171 *
172 * 'channel_post*': perform any appropriate operations for
173 * channels which have c->io_ready events pending.
174 */
175 chan_fn **channel_pre;
176 chan_fn **channel_post;
177
178 /* -- tcp forwarding */
179 struct permission_set local_perms;
180 struct permission_set remote_perms;
181
182 /* -- X11 forwarding */
183
184 /* Saved X11 local (client) display. */
185 char *x11_saved_display;
186
187 /* Saved X11 authentication protocol name. */
188 char *x11_saved_proto;
189
190 /* Saved X11 authentication data. This is the real data. */
191 char *x11_saved_data;
192 u_int x11_saved_data_len;
193
194 /* Deadline after which all X11 connections are refused */
195 u_int x11_refuse_time;
196
197 /*
198 * Fake X11 authentication data. This is what the server will be
199 * sending us; we should replace any occurrences of this by the
200 * real data.
201 */
202 u_char *x11_fake_data;
203 u_int x11_fake_data_len;
204
205 /* AF_UNSPEC or AF_INET or AF_INET6 */
206 int IPv4or6;
207 };
208
209 /* helper */
210 static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype);
211 static const char *channel_rfwd_bind_host(const char *listen_host);
212
213 /* non-blocking connect helpers */
214 static int connect_next(struct channel_connect *);
215 static void channel_connect_ctx_free(struct channel_connect *);
216 static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *);
217 static int rdynamic_connect_finish(struct ssh *, Channel *);
218
219 /* Setup helper */
220 static void channel_handler_init(struct ssh_channels *sc);
221
222 /* -- channel core */
223
224 void
channel_init_channels(struct ssh * ssh)225 channel_init_channels(struct ssh *ssh)
226 {
227 struct ssh_channels *sc;
228
229 if ((sc = calloc(1, sizeof(*sc))) == NULL)
230 fatal_f("allocation failed");
231 sc->channels_alloc = 10;
232 sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
233 sc->IPv4or6 = AF_UNSPEC;
234 channel_handler_init(sc);
235
236 ssh->chanctxt = sc;
237 }
238
239 Channel *
channel_by_id(struct ssh * ssh,int id)240 channel_by_id(struct ssh *ssh, int id)
241 {
242 Channel *c;
243
244 if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) {
245 logit_f("%d: bad id", id);
246 return NULL;
247 }
248 c = ssh->chanctxt->channels[id];
249 if (c == NULL) {
250 logit_f("%d: bad id: channel free", id);
251 return NULL;
252 }
253 return c;
254 }
255
256 Channel *
channel_by_remote_id(struct ssh * ssh,u_int remote_id)257 channel_by_remote_id(struct ssh *ssh, u_int remote_id)
258 {
259 Channel *c;
260 u_int i;
261
262 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
263 c = ssh->chanctxt->channels[i];
264 if (c != NULL && c->have_remote_id && c->remote_id == remote_id)
265 return c;
266 }
267 return NULL;
268 }
269
270 /*
271 * Returns the channel if it is allowed to receive protocol messages.
272 * Private channels, like listening sockets, may not receive messages.
273 */
274 Channel *
channel_lookup(struct ssh * ssh,int id)275 channel_lookup(struct ssh *ssh, int id)
276 {
277 Channel *c;
278
279 if ((c = channel_by_id(ssh, id)) == NULL)
280 return NULL;
281
282 switch (c->type) {
283 case SSH_CHANNEL_X11_OPEN:
284 case SSH_CHANNEL_LARVAL:
285 case SSH_CHANNEL_CONNECTING:
286 case SSH_CHANNEL_DYNAMIC:
287 case SSH_CHANNEL_RDYNAMIC_OPEN:
288 case SSH_CHANNEL_RDYNAMIC_FINISH:
289 case SSH_CHANNEL_OPENING:
290 case SSH_CHANNEL_OPEN:
291 case SSH_CHANNEL_ABANDONED:
292 case SSH_CHANNEL_MUX_PROXY:
293 return c;
294 }
295 logit("Non-public channel %d, type %d.", id, c->type);
296 return NULL;
297 }
298
299 /*
300 * Register filedescriptors for a channel, used when allocating a channel or
301 * when the channel consumer/producer is ready, e.g. shell exec'd
302 */
303 static void
channel_register_fds(struct ssh * ssh,Channel * c,int rfd,int wfd,int efd,int extusage,int nonblock,int is_tty)304 channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
305 int extusage, int nonblock, int is_tty)
306 {
307 int val;
308
309 if (rfd != -1)
310 fcntl(rfd, F_SETFD, FD_CLOEXEC);
311 if (wfd != -1 && wfd != rfd)
312 fcntl(wfd, F_SETFD, FD_CLOEXEC);
313 if (efd != -1 && efd != rfd && efd != wfd)
314 fcntl(efd, F_SETFD, FD_CLOEXEC);
315
316 c->rfd = rfd;
317 c->wfd = wfd;
318 c->sock = (rfd == wfd) ? rfd : -1;
319 c->efd = efd;
320 c->extended_usage = extusage;
321
322 if ((c->isatty = is_tty) != 0)
323 debug2("channel %d: rfd %d isatty", c->self, c->rfd);
324 #ifdef _AIX
325 /* XXX: Later AIX versions can't push as much data to tty */
326 c->wfd_isatty = is_tty || isatty(c->wfd);
327 #endif
328
329 /* enable nonblocking mode */
330 c->restore_block = 0;
331 if (nonblock == CHANNEL_NONBLOCK_STDIO) {
332 /*
333 * Special handling for stdio file descriptors: do not set
334 * non-blocking mode if they are TTYs. Otherwise prepare to
335 * restore their blocking state on exit to avoid interfering
336 * with other programs that follow.
337 */
338 if (rfd != -1 && !isatty(rfd) &&
339 (val = fcntl(rfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
340 c->restore_block |= CHANNEL_RESTORE_RFD;
341 set_nonblock(rfd);
342 }
343 if (wfd != -1 && !isatty(wfd) &&
344 (val = fcntl(wfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
345 c->restore_block |= CHANNEL_RESTORE_WFD;
346 set_nonblock(wfd);
347 }
348 if (efd != -1 && !isatty(efd) &&
349 (val = fcntl(efd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
350 c->restore_block |= CHANNEL_RESTORE_EFD;
351 set_nonblock(efd);
352 }
353 } else if (nonblock) {
354 if (rfd != -1)
355 set_nonblock(rfd);
356 if (wfd != -1)
357 set_nonblock(wfd);
358 if (efd != -1)
359 set_nonblock(efd);
360 }
361 }
362
363 /*
364 * Allocate a new channel object and set its type and socket.
365 */
366 Channel *
channel_new(struct ssh * ssh,char * ctype,int type,int rfd,int wfd,int efd,u_int window,u_int maxpack,int extusage,const char * remote_name,int nonblock)367 channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
368 u_int window, u_int maxpack, int extusage, const char *remote_name,
369 int nonblock)
370 {
371 struct ssh_channels *sc = ssh->chanctxt;
372 u_int i, found = 0;
373 Channel *c;
374 int r;
375
376 /* Try to find a free slot where to put the new channel. */
377 for (i = 0; i < sc->channels_alloc; i++) {
378 if (sc->channels[i] == NULL) {
379 /* Found a free slot. */
380 found = i;
381 break;
382 }
383 }
384 if (i >= sc->channels_alloc) {
385 /*
386 * There are no free slots. Take last+1 slot and expand
387 * the array.
388 */
389 found = sc->channels_alloc;
390 if (sc->channels_alloc > CHANNELS_MAX_CHANNELS)
391 fatal_f("internal error: channels_alloc %d too big",
392 sc->channels_alloc);
393 sc->channels = xrecallocarray(sc->channels, sc->channels_alloc,
394 sc->channels_alloc + 10, sizeof(*sc->channels));
395 sc->channels_alloc += 10;
396 debug2("channel: expanding %d", sc->channels_alloc);
397 }
398 /* Initialize and return new channel. */
399 c = sc->channels[found] = xcalloc(1, sizeof(Channel));
400 if ((c->input = sshbuf_new()) == NULL ||
401 (c->output = sshbuf_new()) == NULL ||
402 (c->extended = sshbuf_new()) == NULL)
403 fatal_f("sshbuf_new failed");
404 if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
405 fatal_fr(r, "sshbuf_set_max_size");
406 c->ostate = CHAN_OUTPUT_OPEN;
407 c->istate = CHAN_INPUT_OPEN;
408 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
409 c->self = found;
410 c->type = type;
411 c->ctype = ctype;
412 c->local_window = window;
413 c->local_window_max = window;
414 c->local_maxpacket = maxpack;
415 c->remote_name = xstrdup(remote_name);
416 c->ctl_chan = -1;
417 c->delayed = 1; /* prevent call to channel_post handler */
418 TAILQ_INIT(&c->status_confirms);
419 debug("channel %d: new [%s]", found, remote_name);
420 return c;
421 }
422
423 int
channel_close_fd(struct ssh * ssh,Channel * c,int * fdp)424 channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
425 {
426 int ret, fd = *fdp;
427
428 if (fd == -1)
429 return 0;
430
431 if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
432 (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
433 (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
434 (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
435
436 if (*fdp == c->rfd) {
437 c->io_want &= ~SSH_CHAN_IO_RFD;
438 c->io_ready &= ~SSH_CHAN_IO_RFD;
439 c->rfd = -1;
440 c->pfds[0] = -1;
441 }
442 if (*fdp == c->wfd) {
443 c->io_want &= ~SSH_CHAN_IO_WFD;
444 c->io_ready &= ~SSH_CHAN_IO_WFD;
445 c->wfd = -1;
446 c->pfds[1] = -1;
447 }
448 if (*fdp == c->efd) {
449 c->io_want &= ~SSH_CHAN_IO_EFD;
450 c->io_ready &= ~SSH_CHAN_IO_EFD;
451 c->efd = -1;
452 c->pfds[2] = -1;
453 }
454 if (*fdp == c->sock) {
455 c->io_want &= ~SSH_CHAN_IO_SOCK;
456 c->io_ready &= ~SSH_CHAN_IO_SOCK;
457 c->sock = -1;
458 c->pfds[3] = -1;
459 }
460
461 ret = close(fd);
462 *fdp = -1; /* probably redundant */
463 return ret;
464 }
465
466 /* Close all channel fd/socket. */
467 static void
channel_close_fds(struct ssh * ssh,Channel * c)468 channel_close_fds(struct ssh *ssh, Channel *c)
469 {
470 int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
471
472 channel_close_fd(ssh, c, &c->sock);
473 if (rfd != sock)
474 channel_close_fd(ssh, c, &c->rfd);
475 if (wfd != sock && wfd != rfd)
476 channel_close_fd(ssh, c, &c->wfd);
477 if (efd != sock && efd != rfd && efd != wfd)
478 channel_close_fd(ssh, c, &c->efd);
479 }
480
481 static void
fwd_perm_clear(struct permission * perm)482 fwd_perm_clear(struct permission *perm)
483 {
484 free(perm->host_to_connect);
485 free(perm->listen_host);
486 free(perm->listen_path);
487 memset(perm, 0, sizeof(*perm));
488 }
489
490 /* Returns an printable name for the specified forwarding permission list */
491 static const char *
fwd_ident(int who,int where)492 fwd_ident(int who, int where)
493 {
494 if (who == FORWARD_ADM) {
495 if (where == FORWARD_LOCAL)
496 return "admin local";
497 else if (where == FORWARD_REMOTE)
498 return "admin remote";
499 } else if (who == FORWARD_USER) {
500 if (where == FORWARD_LOCAL)
501 return "user local";
502 else if (where == FORWARD_REMOTE)
503 return "user remote";
504 }
505 fatal("Unknown forward permission list %d/%d", who, where);
506 }
507
508 /* Returns the forwarding permission list for the specified direction */
509 static struct permission_set *
permission_set_get(struct ssh * ssh,int where)510 permission_set_get(struct ssh *ssh, int where)
511 {
512 struct ssh_channels *sc = ssh->chanctxt;
513
514 switch (where) {
515 case FORWARD_LOCAL:
516 return &sc->local_perms;
517 break;
518 case FORWARD_REMOTE:
519 return &sc->remote_perms;
520 break;
521 default:
522 fatal_f("invalid forwarding direction %d", where);
523 }
524 }
525
526 /* Returns pointers to the specified forwarding list and its element count */
527 static void
permission_set_get_array(struct ssh * ssh,int who,int where,struct permission *** permpp,u_int ** npermpp)528 permission_set_get_array(struct ssh *ssh, int who, int where,
529 struct permission ***permpp, u_int **npermpp)
530 {
531 struct permission_set *pset = permission_set_get(ssh, where);
532
533 switch (who) {
534 case FORWARD_USER:
535 *permpp = &pset->permitted_user;
536 *npermpp = &pset->num_permitted_user;
537 break;
538 case FORWARD_ADM:
539 *permpp = &pset->permitted_admin;
540 *npermpp = &pset->num_permitted_admin;
541 break;
542 default:
543 fatal_f("invalid forwarding client %d", who);
544 }
545 }
546
547 /* Adds an entry to the specified forwarding list */
548 static int
permission_set_add(struct ssh * ssh,int who,int where,const char * host_to_connect,int port_to_connect,const char * listen_host,const char * listen_path,int listen_port,Channel * downstream)549 permission_set_add(struct ssh *ssh, int who, int where,
550 const char *host_to_connect, int port_to_connect,
551 const char *listen_host, const char *listen_path, int listen_port,
552 Channel *downstream)
553 {
554 struct permission **permp;
555 u_int n, *npermp;
556
557 permission_set_get_array(ssh, who, where, &permp, &npermp);
558
559 if (*npermp >= INT_MAX)
560 fatal_f("%s overflow", fwd_ident(who, where));
561
562 *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp));
563 n = (*npermp)++;
564 #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s))
565 (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect);
566 (*permp)[n].port_to_connect = port_to_connect;
567 (*permp)[n].listen_host = MAYBE_DUP(listen_host);
568 (*permp)[n].listen_path = MAYBE_DUP(listen_path);
569 (*permp)[n].listen_port = listen_port;
570 (*permp)[n].downstream = downstream;
571 #undef MAYBE_DUP
572 return (int)n;
573 }
574
575 static void
mux_remove_remote_forwardings(struct ssh * ssh,Channel * c)576 mux_remove_remote_forwardings(struct ssh *ssh, Channel *c)
577 {
578 struct ssh_channels *sc = ssh->chanctxt;
579 struct permission_set *pset = &sc->local_perms;
580 struct permission *perm;
581 int r;
582 u_int i;
583
584 for (i = 0; i < pset->num_permitted_user; i++) {
585 perm = &pset->permitted_user[i];
586 if (perm->downstream != c)
587 continue;
588
589 /* cancel on the server, since mux client is gone */
590 debug("channel %d: cleanup remote forward for %s:%u",
591 c->self, perm->listen_host, perm->listen_port);
592 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
593 (r = sshpkt_put_cstring(ssh,
594 "cancel-tcpip-forward")) != 0 ||
595 (r = sshpkt_put_u8(ssh, 0)) != 0 ||
596 (r = sshpkt_put_cstring(ssh,
597 channel_rfwd_bind_host(perm->listen_host))) != 0 ||
598 (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 ||
599 (r = sshpkt_send(ssh)) != 0) {
600 fatal_fr(r, "channel %i", c->self);
601 }
602 fwd_perm_clear(perm); /* unregister */
603 }
604 }
605
606 /* Free the channel and close its fd/socket. */
607 void
channel_free(struct ssh * ssh,Channel * c)608 channel_free(struct ssh *ssh, Channel *c)
609 {
610 struct ssh_channels *sc = ssh->chanctxt;
611 char *s;
612 u_int i, n;
613 Channel *other;
614 struct channel_confirm *cc;
615
616 for (n = 0, i = 0; i < sc->channels_alloc; i++) {
617 if ((other = sc->channels[i]) == NULL)
618 continue;
619 n++;
620 /* detach from mux client and prepare for closing */
621 if (c->type == SSH_CHANNEL_MUX_CLIENT &&
622 other->type == SSH_CHANNEL_MUX_PROXY &&
623 other->mux_ctx == c) {
624 other->mux_ctx = NULL;
625 other->type = SSH_CHANNEL_OPEN;
626 other->istate = CHAN_INPUT_CLOSED;
627 other->ostate = CHAN_OUTPUT_CLOSED;
628 }
629 }
630 debug("channel %d: free: %s, nchannels %u", c->self,
631 c->remote_name ? c->remote_name : "???", n);
632
633 if (c->type == SSH_CHANNEL_MUX_CLIENT) {
634 mux_remove_remote_forwardings(ssh, c);
635 free(c->mux_ctx);
636 c->mux_ctx = NULL;
637 } else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
638 free(c->mux_ctx);
639 c->mux_ctx = NULL;
640 }
641
642 if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) {
643 s = channel_open_message(ssh);
644 debug3("channel %d: status: %s", c->self, s);
645 free(s);
646 }
647
648 channel_close_fds(ssh, c);
649 sshbuf_free(c->input);
650 sshbuf_free(c->output);
651 sshbuf_free(c->extended);
652 c->input = c->output = c->extended = NULL;
653 free(c->remote_name);
654 c->remote_name = NULL;
655 free(c->path);
656 c->path = NULL;
657 free(c->listening_addr);
658 c->listening_addr = NULL;
659 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
660 if (cc->abandon_cb != NULL)
661 cc->abandon_cb(ssh, c, cc->ctx);
662 TAILQ_REMOVE(&c->status_confirms, cc, entry);
663 freezero(cc, sizeof(*cc));
664 }
665 if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
666 c->filter_cleanup(ssh, c->self, c->filter_ctx);
667 sc->channels[c->self] = NULL;
668 freezero(c, sizeof(*c));
669 }
670
671 void
channel_free_all(struct ssh * ssh)672 channel_free_all(struct ssh *ssh)
673 {
674 u_int i;
675 struct ssh_channels *sc = ssh->chanctxt;
676
677 for (i = 0; i < sc->channels_alloc; i++)
678 if (sc->channels[i] != NULL)
679 channel_free(ssh, sc->channels[i]);
680
681 free(sc->channels);
682 sc->channels = NULL;
683 sc->channels_alloc = 0;
684
685 free(sc->x11_saved_display);
686 sc->x11_saved_display = NULL;
687
688 free(sc->x11_saved_proto);
689 sc->x11_saved_proto = NULL;
690
691 free(sc->x11_saved_data);
692 sc->x11_saved_data = NULL;
693 sc->x11_saved_data_len = 0;
694
695 free(sc->x11_fake_data);
696 sc->x11_fake_data = NULL;
697 sc->x11_fake_data_len = 0;
698 }
699
700 /*
701 * Closes the sockets/fds of all channels. This is used to close extra file
702 * descriptors after a fork.
703 */
704 void
channel_close_all(struct ssh * ssh)705 channel_close_all(struct ssh *ssh)
706 {
707 u_int i;
708
709 for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
710 if (ssh->chanctxt->channels[i] != NULL)
711 channel_close_fds(ssh, ssh->chanctxt->channels[i]);
712 }
713
714 /*
715 * Stop listening to channels.
716 */
717 void
channel_stop_listening(struct ssh * ssh)718 channel_stop_listening(struct ssh *ssh)
719 {
720 u_int i;
721 Channel *c;
722
723 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
724 c = ssh->chanctxt->channels[i];
725 if (c != NULL) {
726 switch (c->type) {
727 case SSH_CHANNEL_AUTH_SOCKET:
728 case SSH_CHANNEL_PORT_LISTENER:
729 case SSH_CHANNEL_RPORT_LISTENER:
730 case SSH_CHANNEL_X11_LISTENER:
731 case SSH_CHANNEL_UNIX_LISTENER:
732 case SSH_CHANNEL_RUNIX_LISTENER:
733 channel_close_fd(ssh, c, &c->sock);
734 channel_free(ssh, c);
735 break;
736 }
737 }
738 }
739 }
740
741 /*
742 * Returns true if no channel has too much buffered data, and false if one or
743 * more channel is overfull.
744 */
745 int
channel_not_very_much_buffered_data(struct ssh * ssh)746 channel_not_very_much_buffered_data(struct ssh *ssh)
747 {
748 u_int i;
749 u_int maxsize = ssh_packet_get_maxsize(ssh);
750 Channel *c;
751
752 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
753 c = ssh->chanctxt->channels[i];
754 if (c == NULL || c->type != SSH_CHANNEL_OPEN)
755 continue;
756 if (sshbuf_len(c->output) > maxsize) {
757 debug2("channel %d: big output buffer %zu > %u",
758 c->self, sshbuf_len(c->output), maxsize);
759 return 0;
760 }
761 }
762 return 1;
763 }
764
765 /* Returns true if any channel is still open. */
766 int
channel_still_open(struct ssh * ssh)767 channel_still_open(struct ssh *ssh)
768 {
769 u_int i;
770 Channel *c;
771
772 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
773 c = ssh->chanctxt->channels[i];
774 if (c == NULL)
775 continue;
776 switch (c->type) {
777 case SSH_CHANNEL_X11_LISTENER:
778 case SSH_CHANNEL_PORT_LISTENER:
779 case SSH_CHANNEL_RPORT_LISTENER:
780 case SSH_CHANNEL_MUX_LISTENER:
781 case SSH_CHANNEL_CLOSED:
782 case SSH_CHANNEL_AUTH_SOCKET:
783 case SSH_CHANNEL_DYNAMIC:
784 case SSH_CHANNEL_RDYNAMIC_OPEN:
785 case SSH_CHANNEL_CONNECTING:
786 case SSH_CHANNEL_ZOMBIE:
787 case SSH_CHANNEL_ABANDONED:
788 case SSH_CHANNEL_UNIX_LISTENER:
789 case SSH_CHANNEL_RUNIX_LISTENER:
790 continue;
791 case SSH_CHANNEL_LARVAL:
792 continue;
793 case SSH_CHANNEL_OPENING:
794 case SSH_CHANNEL_OPEN:
795 case SSH_CHANNEL_RDYNAMIC_FINISH:
796 case SSH_CHANNEL_X11_OPEN:
797 case SSH_CHANNEL_MUX_CLIENT:
798 case SSH_CHANNEL_MUX_PROXY:
799 return 1;
800 default:
801 fatal_f("bad channel type %d", c->type);
802 /* NOTREACHED */
803 }
804 }
805 return 0;
806 }
807
808 /* Returns the id of an open channel suitable for keepaliving */
809 int
channel_find_open(struct ssh * ssh)810 channel_find_open(struct ssh *ssh)
811 {
812 u_int i;
813 Channel *c;
814
815 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
816 c = ssh->chanctxt->channels[i];
817 if (c == NULL || !c->have_remote_id)
818 continue;
819 switch (c->type) {
820 case SSH_CHANNEL_CLOSED:
821 case SSH_CHANNEL_DYNAMIC:
822 case SSH_CHANNEL_RDYNAMIC_OPEN:
823 case SSH_CHANNEL_RDYNAMIC_FINISH:
824 case SSH_CHANNEL_X11_LISTENER:
825 case SSH_CHANNEL_PORT_LISTENER:
826 case SSH_CHANNEL_RPORT_LISTENER:
827 case SSH_CHANNEL_MUX_LISTENER:
828 case SSH_CHANNEL_MUX_CLIENT:
829 case SSH_CHANNEL_MUX_PROXY:
830 case SSH_CHANNEL_OPENING:
831 case SSH_CHANNEL_CONNECTING:
832 case SSH_CHANNEL_ZOMBIE:
833 case SSH_CHANNEL_ABANDONED:
834 case SSH_CHANNEL_UNIX_LISTENER:
835 case SSH_CHANNEL_RUNIX_LISTENER:
836 continue;
837 case SSH_CHANNEL_LARVAL:
838 case SSH_CHANNEL_AUTH_SOCKET:
839 case SSH_CHANNEL_OPEN:
840 case SSH_CHANNEL_X11_OPEN:
841 return i;
842 default:
843 fatal_f("bad channel type %d", c->type);
844 /* NOTREACHED */
845 }
846 }
847 return -1;
848 }
849
850 /* Returns the state of the channel's extended usage flag */
851 const char *
channel_format_extended_usage(const Channel * c)852 channel_format_extended_usage(const Channel *c)
853 {
854 if (c->efd == -1)
855 return "closed";
856
857 switch (c->extended_usage) {
858 case CHAN_EXTENDED_WRITE:
859 return "write";
860 case CHAN_EXTENDED_READ:
861 return "read";
862 case CHAN_EXTENDED_IGNORE:
863 return "ignore";
864 default:
865 return "UNKNOWN";
866 }
867 }
868
869 static char *
channel_format_status(const Channel * c)870 channel_format_status(const Channel *c)
871 {
872 char *ret = NULL;
873
874 xasprintf(&ret, "t%d %s%u i%u/%zu o%u/%zu e[%s]/%zu "
875 "fd %d/%d/%d sock %d cc %d io 0x%02x/0x%02x",
876 c->type,
877 c->have_remote_id ? "r" : "nr", c->remote_id,
878 c->istate, sshbuf_len(c->input),
879 c->ostate, sshbuf_len(c->output),
880 channel_format_extended_usage(c), sshbuf_len(c->extended),
881 c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan,
882 c->io_want, c->io_ready);
883 return ret;
884 }
885
886 /*
887 * Returns a message describing the currently open forwarded connections,
888 * suitable for sending to the client. The message contains crlf pairs for
889 * newlines.
890 */
891 char *
channel_open_message(struct ssh * ssh)892 channel_open_message(struct ssh *ssh)
893 {
894 struct sshbuf *buf;
895 Channel *c;
896 u_int i;
897 int r;
898 char *cp, *ret;
899
900 if ((buf = sshbuf_new()) == NULL)
901 fatal_f("sshbuf_new");
902 if ((r = sshbuf_putf(buf,
903 "The following connections are open:\r\n")) != 0)
904 fatal_fr(r, "sshbuf_putf");
905 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
906 c = ssh->chanctxt->channels[i];
907 if (c == NULL)
908 continue;
909 switch (c->type) {
910 case SSH_CHANNEL_X11_LISTENER:
911 case SSH_CHANNEL_PORT_LISTENER:
912 case SSH_CHANNEL_RPORT_LISTENER:
913 case SSH_CHANNEL_CLOSED:
914 case SSH_CHANNEL_AUTH_SOCKET:
915 case SSH_CHANNEL_ZOMBIE:
916 case SSH_CHANNEL_ABANDONED:
917 case SSH_CHANNEL_MUX_LISTENER:
918 case SSH_CHANNEL_UNIX_LISTENER:
919 case SSH_CHANNEL_RUNIX_LISTENER:
920 continue;
921 case SSH_CHANNEL_LARVAL:
922 case SSH_CHANNEL_OPENING:
923 case SSH_CHANNEL_CONNECTING:
924 case SSH_CHANNEL_DYNAMIC:
925 case SSH_CHANNEL_RDYNAMIC_OPEN:
926 case SSH_CHANNEL_RDYNAMIC_FINISH:
927 case SSH_CHANNEL_OPEN:
928 case SSH_CHANNEL_X11_OPEN:
929 case SSH_CHANNEL_MUX_PROXY:
930 case SSH_CHANNEL_MUX_CLIENT:
931 cp = channel_format_status(c);
932 if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n",
933 c->self, c->remote_name, cp)) != 0) {
934 free(cp);
935 fatal_fr(r, "sshbuf_putf");
936 }
937 free(cp);
938 continue;
939 default:
940 fatal_f("bad channel type %d", c->type);
941 /* NOTREACHED */
942 }
943 }
944 if ((ret = sshbuf_dup_string(buf)) == NULL)
945 fatal_f("sshbuf_dup_string");
946 sshbuf_free(buf);
947 return ret;
948 }
949
950 static void
open_preamble(struct ssh * ssh,const char * where,Channel * c,const char * type)951 open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type)
952 {
953 int r;
954
955 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
956 (r = sshpkt_put_cstring(ssh, type)) != 0 ||
957 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
958 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
959 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
960 fatal_r(r, "%s: channel %i: open", where, c->self);
961 }
962 }
963
964 void
channel_send_open(struct ssh * ssh,int id)965 channel_send_open(struct ssh *ssh, int id)
966 {
967 Channel *c = channel_lookup(ssh, id);
968 int r;
969
970 if (c == NULL) {
971 logit("channel_send_open: %d: bad id", id);
972 return;
973 }
974 debug2("channel %d: send open", id);
975 open_preamble(ssh, __func__, c, c->ctype);
976 if ((r = sshpkt_send(ssh)) != 0)
977 fatal_fr(r, "channel %i", c->self);
978 }
979
980 void
channel_request_start(struct ssh * ssh,int id,char * service,int wantconfirm)981 channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
982 {
983 Channel *c = channel_lookup(ssh, id);
984 int r;
985
986 if (c == NULL) {
987 logit_f("%d: unknown channel id", id);
988 return;
989 }
990 if (!c->have_remote_id)
991 fatal_f("channel %d: no remote id", c->self);
992
993 debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
994 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 ||
995 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
996 (r = sshpkt_put_cstring(ssh, service)) != 0 ||
997 (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) {
998 fatal_fr(r, "channel %i", c->self);
999 }
1000 }
1001
1002 void
channel_register_status_confirm(struct ssh * ssh,int id,channel_confirm_cb * cb,channel_confirm_abandon_cb * abandon_cb,void * ctx)1003 channel_register_status_confirm(struct ssh *ssh, int id,
1004 channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx)
1005 {
1006 struct channel_confirm *cc;
1007 Channel *c;
1008
1009 if ((c = channel_lookup(ssh, id)) == NULL)
1010 fatal_f("%d: bad id", id);
1011
1012 cc = xcalloc(1, sizeof(*cc));
1013 cc->cb = cb;
1014 cc->abandon_cb = abandon_cb;
1015 cc->ctx = ctx;
1016 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
1017 }
1018
1019 void
channel_register_open_confirm(struct ssh * ssh,int id,channel_open_fn * fn,void * ctx)1020 channel_register_open_confirm(struct ssh *ssh, int id,
1021 channel_open_fn *fn, void *ctx)
1022 {
1023 Channel *c = channel_lookup(ssh, id);
1024
1025 if (c == NULL) {
1026 logit_f("%d: bad id", id);
1027 return;
1028 }
1029 c->open_confirm = fn;
1030 c->open_confirm_ctx = ctx;
1031 }
1032
1033 void
channel_register_cleanup(struct ssh * ssh,int id,channel_callback_fn * fn,int do_close)1034 channel_register_cleanup(struct ssh *ssh, int id,
1035 channel_callback_fn *fn, int do_close)
1036 {
1037 Channel *c = channel_by_id(ssh, id);
1038
1039 if (c == NULL) {
1040 logit_f("%d: bad id", id);
1041 return;
1042 }
1043 c->detach_user = fn;
1044 c->detach_close = do_close;
1045 }
1046
1047 void
channel_cancel_cleanup(struct ssh * ssh,int id)1048 channel_cancel_cleanup(struct ssh *ssh, int id)
1049 {
1050 Channel *c = channel_by_id(ssh, id);
1051
1052 if (c == NULL) {
1053 logit_f("%d: bad id", id);
1054 return;
1055 }
1056 c->detach_user = NULL;
1057 c->detach_close = 0;
1058 }
1059
1060 void
channel_register_filter(struct ssh * ssh,int id,channel_infilter_fn * ifn,channel_outfilter_fn * ofn,channel_filter_cleanup_fn * cfn,void * ctx)1061 channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn,
1062 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
1063 {
1064 Channel *c = channel_lookup(ssh, id);
1065
1066 if (c == NULL) {
1067 logit_f("%d: bad id", id);
1068 return;
1069 }
1070 c->input_filter = ifn;
1071 c->output_filter = ofn;
1072 c->filter_ctx = ctx;
1073 c->filter_cleanup = cfn;
1074 }
1075
1076 void
channel_set_fds(struct ssh * ssh,int id,int rfd,int wfd,int efd,int extusage,int nonblock,int is_tty,u_int window_max)1077 channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
1078 int extusage, int nonblock, int is_tty, u_int window_max)
1079 {
1080 Channel *c = channel_lookup(ssh, id);
1081 int r;
1082
1083 if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
1084 fatal("channel_activate for non-larval channel %d.", id);
1085 if (!c->have_remote_id)
1086 fatal_f("channel %d: no remote id", c->self);
1087
1088 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
1089 c->type = SSH_CHANNEL_OPEN;
1090 c->local_window = c->local_window_max = window_max;
1091
1092 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
1093 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1094 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1095 (r = sshpkt_send(ssh)) != 0)
1096 fatal_fr(r, "channel %i", c->self);
1097 }
1098
1099 static void
channel_pre_listener(struct ssh * ssh,Channel * c)1100 channel_pre_listener(struct ssh *ssh, Channel *c)
1101 {
1102 c->io_want = SSH_CHAN_IO_SOCK_R;
1103 }
1104
1105 static void
channel_pre_connecting(struct ssh * ssh,Channel * c)1106 channel_pre_connecting(struct ssh *ssh, Channel *c)
1107 {
1108 debug3("channel %d: waiting for connection", c->self);
1109 c->io_want = SSH_CHAN_IO_SOCK_W;
1110 }
1111
1112 static void
channel_pre_open(struct ssh * ssh,Channel * c)1113 channel_pre_open(struct ssh *ssh, Channel *c)
1114 {
1115 c->io_want = 0;
1116 if (c->istate == CHAN_INPUT_OPEN &&
1117 c->remote_window > 0 &&
1118 sshbuf_len(c->input) < c->remote_window &&
1119 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1120 c->io_want |= SSH_CHAN_IO_RFD;
1121 if (c->ostate == CHAN_OUTPUT_OPEN ||
1122 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1123 if (sshbuf_len(c->output) > 0) {
1124 c->io_want |= SSH_CHAN_IO_WFD;
1125 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1126 if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
1127 debug2("channel %d: "
1128 "obuf_empty delayed efd %d/(%zu)", c->self,
1129 c->efd, sshbuf_len(c->extended));
1130 else
1131 chan_obuf_empty(ssh, c);
1132 }
1133 }
1134 /** XXX check close conditions, too */
1135 if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED &&
1136 c->ostate == CHAN_OUTPUT_CLOSED)) {
1137 if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1138 sshbuf_len(c->extended) > 0)
1139 c->io_want |= SSH_CHAN_IO_EFD_W;
1140 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
1141 (c->extended_usage == CHAN_EXTENDED_READ ||
1142 c->extended_usage == CHAN_EXTENDED_IGNORE) &&
1143 sshbuf_len(c->extended) < c->remote_window)
1144 c->io_want |= SSH_CHAN_IO_EFD_R;
1145 }
1146 /* XXX: What about efd? races? */
1147 }
1148
1149 /*
1150 * This is a special state for X11 authentication spoofing. An opened X11
1151 * connection (when authentication spoofing is being done) remains in this
1152 * state until the first packet has been completely read. The authentication
1153 * data in that packet is then substituted by the real data if it matches the
1154 * fake data, and the channel is put into normal mode.
1155 * XXX All this happens at the client side.
1156 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1157 */
1158 static int
x11_open_helper(struct ssh * ssh,struct sshbuf * b)1159 x11_open_helper(struct ssh *ssh, struct sshbuf *b)
1160 {
1161 struct ssh_channels *sc = ssh->chanctxt;
1162 u_char *ucp;
1163 u_int proto_len, data_len;
1164
1165 /* Is this being called after the refusal deadline? */
1166 if (sc->x11_refuse_time != 0 &&
1167 (u_int)monotime() >= sc->x11_refuse_time) {
1168 verbose("Rejected X11 connection after ForwardX11Timeout "
1169 "expired");
1170 return -1;
1171 }
1172
1173 /* Check if the fixed size part of the packet is in buffer. */
1174 if (sshbuf_len(b) < 12)
1175 return 0;
1176
1177 /* Parse the lengths of variable-length fields. */
1178 ucp = sshbuf_mutable_ptr(b);
1179 if (ucp[0] == 0x42) { /* Byte order MSB first. */
1180 proto_len = 256 * ucp[6] + ucp[7];
1181 data_len = 256 * ucp[8] + ucp[9];
1182 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
1183 proto_len = ucp[6] + 256 * ucp[7];
1184 data_len = ucp[8] + 256 * ucp[9];
1185 } else {
1186 debug2("Initial X11 packet contains bad byte order byte: 0x%x",
1187 ucp[0]);
1188 return -1;
1189 }
1190
1191 /* Check if the whole packet is in buffer. */
1192 if (sshbuf_len(b) <
1193 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
1194 return 0;
1195
1196 /* Check if authentication protocol matches. */
1197 if (proto_len != strlen(sc->x11_saved_proto) ||
1198 memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) {
1199 debug2("X11 connection uses different authentication protocol.");
1200 return -1;
1201 }
1202 /* Check if authentication data matches our fake data. */
1203 if (data_len != sc->x11_fake_data_len ||
1204 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
1205 sc->x11_fake_data, sc->x11_fake_data_len) != 0) {
1206 debug2("X11 auth data does not match fake data.");
1207 return -1;
1208 }
1209 /* Check fake data length */
1210 if (sc->x11_fake_data_len != sc->x11_saved_data_len) {
1211 error("X11 fake_data_len %d != saved_data_len %d",
1212 sc->x11_fake_data_len, sc->x11_saved_data_len);
1213 return -1;
1214 }
1215 /*
1216 * Received authentication protocol and data match
1217 * our fake data. Substitute the fake data with real
1218 * data.
1219 */
1220 memcpy(ucp + 12 + ((proto_len + 3) & ~3),
1221 sc->x11_saved_data, sc->x11_saved_data_len);
1222 return 1;
1223 }
1224
1225 static void
channel_pre_x11_open(struct ssh * ssh,Channel * c)1226 channel_pre_x11_open(struct ssh *ssh, Channel *c)
1227 {
1228 int ret = x11_open_helper(ssh, c->output);
1229
1230 /* c->force_drain = 1; */
1231
1232 if (ret == 1) {
1233 c->type = SSH_CHANNEL_OPEN;
1234 channel_pre_open(ssh, c);
1235 } else if (ret == -1) {
1236 logit("X11 connection rejected because of wrong authentication.");
1237 debug2("X11 rejected %d i%d/o%d",
1238 c->self, c->istate, c->ostate);
1239 chan_read_failed(ssh, c);
1240 sshbuf_reset(c->input);
1241 chan_ibuf_empty(ssh, c);
1242 sshbuf_reset(c->output);
1243 chan_write_failed(ssh, c);
1244 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
1245 }
1246 }
1247
1248 static void
channel_pre_mux_client(struct ssh * ssh,Channel * c)1249 channel_pre_mux_client(struct ssh *ssh, Channel *c)
1250 {
1251 c->io_want = 0;
1252 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause &&
1253 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1254 c->io_want |= SSH_CHAN_IO_RFD;
1255 if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1256 /* clear buffer immediately (discard any partial packet) */
1257 sshbuf_reset(c->input);
1258 chan_ibuf_empty(ssh, c);
1259 /* Start output drain. XXX just kill chan? */
1260 chan_rcvd_oclose(ssh, c);
1261 }
1262 if (c->ostate == CHAN_OUTPUT_OPEN ||
1263 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1264 if (sshbuf_len(c->output) > 0)
1265 c->io_want |= SSH_CHAN_IO_WFD;
1266 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN)
1267 chan_obuf_empty(ssh, c);
1268 }
1269 }
1270
1271 /* try to decode a socks4 header */
1272 static int
channel_decode_socks4(Channel * c,struct sshbuf * input,struct sshbuf * output)1273 channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output)
1274 {
1275 const u_char *p;
1276 char *host;
1277 u_int len, have, i, found, need;
1278 char username[256];
1279 struct {
1280 u_int8_t version;
1281 u_int8_t command;
1282 u_int16_t dest_port;
1283 struct in_addr dest_addr;
1284 } s4_req, s4_rsp;
1285 int r;
1286
1287 debug2("channel %d: decode socks4", c->self);
1288
1289 have = sshbuf_len(input);
1290 len = sizeof(s4_req);
1291 if (have < len)
1292 return 0;
1293 p = sshbuf_ptr(input);
1294
1295 need = 1;
1296 /* SOCKS4A uses an invalid IP address 0.0.0.x */
1297 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1298 debug2("channel %d: socks4a request", c->self);
1299 /* ... and needs an extra string (the hostname) */
1300 need = 2;
1301 }
1302 /* Check for terminating NUL on the string(s) */
1303 for (found = 0, i = len; i < have; i++) {
1304 if (p[i] == '\0') {
1305 found++;
1306 if (found == need)
1307 break;
1308 }
1309 if (i > 1024) {
1310 /* the peer is probably sending garbage */
1311 debug("channel %d: decode socks4: too long",
1312 c->self);
1313 return -1;
1314 }
1315 }
1316 if (found < need)
1317 return 0;
1318 if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 ||
1319 (r = sshbuf_get(input, &s4_req.command, 1)) != 0 ||
1320 (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 ||
1321 (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) {
1322 debug_r(r, "channels %d: decode socks4", c->self);
1323 return -1;
1324 }
1325 have = sshbuf_len(input);
1326 p = sshbuf_ptr(input);
1327 if (memchr(p, '\0', have) == NULL) {
1328 error("channel %d: decode socks4: unterminated user", c->self);
1329 return -1;
1330 }
1331 len = strlen(p);
1332 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1333 len++; /* trailing '\0' */
1334 strlcpy(username, p, sizeof(username));
1335 if ((r = sshbuf_consume(input, len)) != 0)
1336 fatal_fr(r, "channel %d: consume", c->self);
1337 free(c->path);
1338 c->path = NULL;
1339 if (need == 1) { /* SOCKS4: one string */
1340 host = inet_ntoa(s4_req.dest_addr);
1341 c->path = xstrdup(host);
1342 } else { /* SOCKS4A: two strings */
1343 have = sshbuf_len(input);
1344 p = sshbuf_ptr(input);
1345 if (memchr(p, '\0', have) == NULL) {
1346 error("channel %d: decode socks4a: host not nul "
1347 "terminated", c->self);
1348 return -1;
1349 }
1350 len = strlen(p);
1351 debug2("channel %d: decode socks4a: host %s/%d",
1352 c->self, p, len);
1353 len++; /* trailing '\0' */
1354 if (len > NI_MAXHOST) {
1355 error("channel %d: hostname \"%.100s\" too long",
1356 c->self, p);
1357 return -1;
1358 }
1359 c->path = xstrdup(p);
1360 if ((r = sshbuf_consume(input, len)) != 0)
1361 fatal_fr(r, "channel %d: consume", c->self);
1362 }
1363 c->host_port = ntohs(s4_req.dest_port);
1364
1365 debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
1366 c->self, c->path, c->host_port, s4_req.command);
1367
1368 if (s4_req.command != 1) {
1369 debug("channel %d: cannot handle: %s cn %d",
1370 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command);
1371 return -1;
1372 }
1373 s4_rsp.version = 0; /* vn: 0 for reply */
1374 s4_rsp.command = 90; /* cd: req granted */
1375 s4_rsp.dest_port = 0; /* ignored */
1376 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */
1377 if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0)
1378 fatal_fr(r, "channel %d: append reply", c->self);
1379 return 1;
1380 }
1381
1382 /* try to decode a socks5 header */
1383 #define SSH_SOCKS5_AUTHDONE 0x1000
1384 #define SSH_SOCKS5_NOAUTH 0x00
1385 #define SSH_SOCKS5_IPV4 0x01
1386 #define SSH_SOCKS5_DOMAIN 0x03
1387 #define SSH_SOCKS5_IPV6 0x04
1388 #define SSH_SOCKS5_CONNECT 0x01
1389 #define SSH_SOCKS5_SUCCESS 0x00
1390
1391 static int
channel_decode_socks5(Channel * c,struct sshbuf * input,struct sshbuf * output)1392 channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
1393 {
1394 /* XXX use get/put_u8 instead of trusting struct padding */
1395 struct {
1396 u_int8_t version;
1397 u_int8_t command;
1398 u_int8_t reserved;
1399 u_int8_t atyp;
1400 } s5_req, s5_rsp;
1401 u_int16_t dest_port;
1402 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1403 const u_char *p;
1404 u_int have, need, i, found, nmethods, addrlen, af;
1405 int r;
1406
1407 debug2("channel %d: decode socks5", c->self);
1408 p = sshbuf_ptr(input);
1409 if (p[0] != 0x05)
1410 return -1;
1411 have = sshbuf_len(input);
1412 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
1413 /* format: ver | nmethods | methods */
1414 if (have < 2)
1415 return 0;
1416 nmethods = p[1];
1417 if (have < nmethods + 2)
1418 return 0;
1419 /* look for method: "NO AUTHENTICATION REQUIRED" */
1420 for (found = 0, i = 2; i < nmethods + 2; i++) {
1421 if (p[i] == SSH_SOCKS5_NOAUTH) {
1422 found = 1;
1423 break;
1424 }
1425 }
1426 if (!found) {
1427 debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
1428 c->self);
1429 return -1;
1430 }
1431 if ((r = sshbuf_consume(input, nmethods + 2)) != 0)
1432 fatal_fr(r, "channel %d: consume", c->self);
1433 /* version, method */
1434 if ((r = sshbuf_put_u8(output, 0x05)) != 0 ||
1435 (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0)
1436 fatal_fr(r, "channel %d: append reply", c->self);
1437 c->flags |= SSH_SOCKS5_AUTHDONE;
1438 debug2("channel %d: socks5 auth done", c->self);
1439 return 0; /* need more */
1440 }
1441 debug2("channel %d: socks5 post auth", c->self);
1442 if (have < sizeof(s5_req)+1)
1443 return 0; /* need more */
1444 memcpy(&s5_req, p, sizeof(s5_req));
1445 if (s5_req.version != 0x05 ||
1446 s5_req.command != SSH_SOCKS5_CONNECT ||
1447 s5_req.reserved != 0x00) {
1448 debug2("channel %d: only socks5 connect supported", c->self);
1449 return -1;
1450 }
1451 switch (s5_req.atyp){
1452 case SSH_SOCKS5_IPV4:
1453 addrlen = 4;
1454 af = AF_INET;
1455 break;
1456 case SSH_SOCKS5_DOMAIN:
1457 addrlen = p[sizeof(s5_req)];
1458 af = -1;
1459 break;
1460 case SSH_SOCKS5_IPV6:
1461 addrlen = 16;
1462 af = AF_INET6;
1463 break;
1464 default:
1465 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
1466 return -1;
1467 }
1468 need = sizeof(s5_req) + addrlen + 2;
1469 if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1470 need++;
1471 if (have < need)
1472 return 0;
1473 if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0)
1474 fatal_fr(r, "channel %d: consume", c->self);
1475 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1476 /* host string length */
1477 if ((r = sshbuf_consume(input, 1)) != 0)
1478 fatal_fr(r, "channel %d: consume", c->self);
1479 }
1480 if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 ||
1481 (r = sshbuf_get(input, &dest_port, 2)) != 0) {
1482 debug_r(r, "channel %d: parse addr/port", c->self);
1483 return -1;
1484 }
1485 dest_addr[addrlen] = '\0';
1486 free(c->path);
1487 c->path = NULL;
1488 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1489 if (addrlen >= NI_MAXHOST) {
1490 error("channel %d: dynamic request: socks5 hostname "
1491 "\"%.100s\" too long", c->self, dest_addr);
1492 return -1;
1493 }
1494 c->path = xstrdup(dest_addr);
1495 } else {
1496 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
1497 return -1;
1498 c->path = xstrdup(ntop);
1499 }
1500 c->host_port = ntohs(dest_port);
1501
1502 debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
1503 c->self, c->path, c->host_port, s5_req.command);
1504
1505 s5_rsp.version = 0x05;
1506 s5_rsp.command = SSH_SOCKS5_SUCCESS;
1507 s5_rsp.reserved = 0; /* ignored */
1508 s5_rsp.atyp = SSH_SOCKS5_IPV4;
1509 dest_port = 0; /* ignored */
1510
1511 if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 ||
1512 (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 ||
1513 (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0)
1514 fatal_fr(r, "channel %d: append reply", c->self);
1515 return 1;
1516 }
1517
1518 Channel *
channel_connect_stdio_fwd(struct ssh * ssh,const char * host_to_connect,u_short port_to_connect,int in,int out,int nonblock)1519 channel_connect_stdio_fwd(struct ssh *ssh,
1520 const char *host_to_connect, u_short port_to_connect,
1521 int in, int out, int nonblock)
1522 {
1523 Channel *c;
1524
1525 debug_f("%s:%d", host_to_connect, port_to_connect);
1526
1527 c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
1528 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1529 0, "stdio-forward", nonblock);
1530
1531 c->path = xstrdup(host_to_connect);
1532 c->host_port = port_to_connect;
1533 c->listening_port = 0;
1534 c->force_drain = 1;
1535
1536 channel_register_fds(ssh, c, in, out, -1, 0, 1, 0);
1537 port_open_helper(ssh, c, "direct-tcpip");
1538
1539 return c;
1540 }
1541
1542 /* dynamic port forwarding */
1543 static void
channel_pre_dynamic(struct ssh * ssh,Channel * c)1544 channel_pre_dynamic(struct ssh *ssh, Channel *c)
1545 {
1546 const u_char *p;
1547 u_int have;
1548 int ret;
1549
1550 c->io_want = 0;
1551 have = sshbuf_len(c->input);
1552 debug2("channel %d: pre_dynamic: have %d", c->self, have);
1553 /* sshbuf_dump(c->input, stderr); */
1554 /* check if the fixed size part of the packet is in buffer. */
1555 if (have < 3) {
1556 /* need more */
1557 c->io_want |= SSH_CHAN_IO_RFD;
1558 return;
1559 }
1560 /* try to guess the protocol */
1561 p = sshbuf_ptr(c->input);
1562 /* XXX sshbuf_peek_u8? */
1563 switch (p[0]) {
1564 case 0x04:
1565 ret = channel_decode_socks4(c, c->input, c->output);
1566 break;
1567 case 0x05:
1568 ret = channel_decode_socks5(c, c->input, c->output);
1569 break;
1570 default:
1571 ret = -1;
1572 break;
1573 }
1574 if (ret < 0) {
1575 chan_mark_dead(ssh, c);
1576 } else if (ret == 0) {
1577 debug2("channel %d: pre_dynamic: need more", c->self);
1578 /* need more */
1579 c->io_want |= SSH_CHAN_IO_RFD;
1580 if (sshbuf_len(c->output))
1581 c->io_want |= SSH_CHAN_IO_WFD;
1582 } else {
1583 /* switch to the next state */
1584 c->type = SSH_CHANNEL_OPENING;
1585 port_open_helper(ssh, c, "direct-tcpip");
1586 }
1587 }
1588
1589 /* simulate read-error */
1590 static void
rdynamic_close(struct ssh * ssh,Channel * c)1591 rdynamic_close(struct ssh *ssh, Channel *c)
1592 {
1593 c->type = SSH_CHANNEL_OPEN;
1594 chan_read_failed(ssh, c);
1595 sshbuf_reset(c->input);
1596 chan_ibuf_empty(ssh, c);
1597 sshbuf_reset(c->output);
1598 chan_write_failed(ssh, c);
1599 }
1600
1601 /* reverse dynamic port forwarding */
1602 static void
channel_before_prepare_io_rdynamic(struct ssh * ssh,Channel * c)1603 channel_before_prepare_io_rdynamic(struct ssh *ssh, Channel *c)
1604 {
1605 const u_char *p;
1606 u_int have, len;
1607 int r, ret;
1608
1609 have = sshbuf_len(c->output);
1610 debug2("channel %d: pre_rdynamic: have %d", c->self, have);
1611 /* sshbuf_dump(c->output, stderr); */
1612 /* EOF received */
1613 if (c->flags & CHAN_EOF_RCVD) {
1614 if ((r = sshbuf_consume(c->output, have)) != 0)
1615 fatal_fr(r, "channel %d: consume", c->self);
1616 rdynamic_close(ssh, c);
1617 return;
1618 }
1619 /* check if the fixed size part of the packet is in buffer. */
1620 if (have < 3)
1621 return;
1622 /* try to guess the protocol */
1623 p = sshbuf_ptr(c->output);
1624 switch (p[0]) {
1625 case 0x04:
1626 /* switch input/output for reverse forwarding */
1627 ret = channel_decode_socks4(c, c->output, c->input);
1628 break;
1629 case 0x05:
1630 ret = channel_decode_socks5(c, c->output, c->input);
1631 break;
1632 default:
1633 ret = -1;
1634 break;
1635 }
1636 if (ret < 0) {
1637 rdynamic_close(ssh, c);
1638 } else if (ret == 0) {
1639 debug2("channel %d: pre_rdynamic: need more", c->self);
1640 /* send socks request to peer */
1641 len = sshbuf_len(c->input);
1642 if (len > 0 && len < c->remote_window) {
1643 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
1644 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1645 (r = sshpkt_put_stringb(ssh, c->input)) != 0 ||
1646 (r = sshpkt_send(ssh)) != 0) {
1647 fatal_fr(r, "channel %i: rdynamic", c->self);
1648 }
1649 if ((r = sshbuf_consume(c->input, len)) != 0)
1650 fatal_fr(r, "channel %d: consume", c->self);
1651 c->remote_window -= len;
1652 }
1653 } else if (rdynamic_connect_finish(ssh, c) < 0) {
1654 /* the connect failed */
1655 rdynamic_close(ssh, c);
1656 }
1657 }
1658
1659 /* This is our fake X11 server socket. */
1660 static void
channel_post_x11_listener(struct ssh * ssh,Channel * c)1661 channel_post_x11_listener(struct ssh *ssh, Channel *c)
1662 {
1663 Channel *nc;
1664 struct sockaddr_storage addr;
1665 int r, newsock, oerrno, remote_port;
1666 socklen_t addrlen;
1667 char buf[16384], *remote_ipaddr;
1668
1669 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1670 return;
1671
1672 debug("X11 connection requested.");
1673 addrlen = sizeof(addr);
1674 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1675 if (c->single_connection) {
1676 oerrno = errno;
1677 debug2("single_connection: closing X11 listener.");
1678 channel_close_fd(ssh, c, &c->sock);
1679 chan_mark_dead(ssh, c);
1680 errno = oerrno;
1681 }
1682 if (newsock == -1) {
1683 if (errno != EINTR && errno != EWOULDBLOCK &&
1684 errno != ECONNABORTED)
1685 error("accept: %.100s", strerror(errno));
1686 if (errno == EMFILE || errno == ENFILE)
1687 c->notbefore = monotime() + 1;
1688 return;
1689 }
1690 set_nodelay(newsock);
1691 remote_ipaddr = get_peer_ipaddr(newsock);
1692 remote_port = get_peer_port(newsock);
1693 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1694 remote_ipaddr, remote_port);
1695
1696 nc = channel_new(ssh, "accepted x11 socket",
1697 SSH_CHANNEL_OPENING, newsock, newsock, -1,
1698 c->local_window_max, c->local_maxpacket, 0, buf, 1);
1699 open_preamble(ssh, __func__, nc, "x11");
1700 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1701 (r = sshpkt_put_u32(ssh, remote_port)) != 0) {
1702 fatal_fr(r, "channel %i: reply", c->self);
1703 }
1704 if ((r = sshpkt_send(ssh)) != 0)
1705 fatal_fr(r, "channel %i: send", c->self);
1706 free(remote_ipaddr);
1707 }
1708
1709 static void
port_open_helper(struct ssh * ssh,Channel * c,char * rtype)1710 port_open_helper(struct ssh *ssh, Channel *c, char *rtype)
1711 {
1712 char *local_ipaddr = get_local_ipaddr(c->sock);
1713 int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
1714 char *remote_ipaddr = get_peer_ipaddr(c->sock);
1715 int remote_port = get_peer_port(c->sock);
1716 int r;
1717
1718 if (remote_port == -1) {
1719 /* Fake addr/port to appease peers that validate it (Tectia) */
1720 free(remote_ipaddr);
1721 remote_ipaddr = xstrdup("127.0.0.1");
1722 remote_port = 65535;
1723 }
1724
1725 free(c->remote_name);
1726 xasprintf(&c->remote_name,
1727 "%s: listening port %d for %.100s port %d, "
1728 "connect from %.200s port %d to %.100s port %d",
1729 rtype, c->listening_port, c->path, c->host_port,
1730 remote_ipaddr, remote_port, local_ipaddr, local_port);
1731
1732 open_preamble(ssh, __func__, c, rtype);
1733 if (strcmp(rtype, "direct-tcpip") == 0) {
1734 /* target host, port */
1735 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1736 (r = sshpkt_put_u32(ssh, c->host_port)) != 0)
1737 fatal_fr(r, "channel %i: reply", c->self);
1738 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
1739 /* target path */
1740 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1741 fatal_fr(r, "channel %i: reply", c->self);
1742 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1743 /* listen path */
1744 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1745 fatal_fr(r, "channel %i: reply", c->self);
1746 } else {
1747 /* listen address, port */
1748 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1749 (r = sshpkt_put_u32(ssh, local_port)) != 0)
1750 fatal_fr(r, "channel %i: reply", c->self);
1751 }
1752 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1753 /* reserved for future owner/mode info */
1754 if ((r = sshpkt_put_cstring(ssh, "")) != 0)
1755 fatal_fr(r, "channel %i: reply", c->self);
1756 } else {
1757 /* originator host and port */
1758 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1759 (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0)
1760 fatal_fr(r, "channel %i: reply", c->self);
1761 }
1762 if ((r = sshpkt_send(ssh)) != 0)
1763 fatal_fr(r, "channel %i: send", c->self);
1764 free(remote_ipaddr);
1765 free(local_ipaddr);
1766 }
1767
1768 void
channel_set_x11_refuse_time(struct ssh * ssh,u_int refuse_time)1769 channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time)
1770 {
1771 ssh->chanctxt->x11_refuse_time = refuse_time;
1772 }
1773
1774 /*
1775 * This socket is listening for connections to a forwarded TCP/IP port.
1776 */
1777 static void
channel_post_port_listener(struct ssh * ssh,Channel * c)1778 channel_post_port_listener(struct ssh *ssh, Channel *c)
1779 {
1780 Channel *nc;
1781 struct sockaddr_storage addr;
1782 int newsock, nextstate;
1783 socklen_t addrlen;
1784 char *rtype;
1785
1786 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1787 return;
1788
1789 debug("Connection to port %d forwarding to %.100s port %d requested.",
1790 c->listening_port, c->path, c->host_port);
1791
1792 if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1793 nextstate = SSH_CHANNEL_OPENING;
1794 rtype = "forwarded-tcpip";
1795 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) {
1796 nextstate = SSH_CHANNEL_OPENING;
1797 rtype = "forwarded-streamlocal@openssh.com";
1798 } else if (c->host_port == PORT_STREAMLOCAL) {
1799 nextstate = SSH_CHANNEL_OPENING;
1800 rtype = "direct-streamlocal@openssh.com";
1801 } else if (c->host_port == 0) {
1802 nextstate = SSH_CHANNEL_DYNAMIC;
1803 rtype = "dynamic-tcpip";
1804 } else {
1805 nextstate = SSH_CHANNEL_OPENING;
1806 rtype = "direct-tcpip";
1807 }
1808
1809 addrlen = sizeof(addr);
1810 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1811 if (newsock == -1) {
1812 if (errno != EINTR && errno != EWOULDBLOCK &&
1813 errno != ECONNABORTED)
1814 error("accept: %.100s", strerror(errno));
1815 if (errno == EMFILE || errno == ENFILE)
1816 c->notbefore = monotime() + 1;
1817 return;
1818 }
1819 if (c->host_port != PORT_STREAMLOCAL)
1820 set_nodelay(newsock);
1821 nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1,
1822 c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1823 nc->listening_port = c->listening_port;
1824 nc->host_port = c->host_port;
1825 if (c->path != NULL)
1826 nc->path = xstrdup(c->path);
1827
1828 if (nextstate != SSH_CHANNEL_DYNAMIC)
1829 port_open_helper(ssh, nc, rtype);
1830 }
1831
1832 /*
1833 * This is the authentication agent socket listening for connections from
1834 * clients.
1835 */
1836 static void
channel_post_auth_listener(struct ssh * ssh,Channel * c)1837 channel_post_auth_listener(struct ssh *ssh, Channel *c)
1838 {
1839 Channel *nc;
1840 int r, newsock;
1841 struct sockaddr_storage addr;
1842 socklen_t addrlen;
1843
1844 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1845 return;
1846
1847 addrlen = sizeof(addr);
1848 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1849 if (newsock == -1) {
1850 error("accept from auth socket: %.100s", strerror(errno));
1851 if (errno == EMFILE || errno == ENFILE)
1852 c->notbefore = monotime() + 1;
1853 return;
1854 }
1855 nc = channel_new(ssh, "accepted auth socket",
1856 SSH_CHANNEL_OPENING, newsock, newsock, -1,
1857 c->local_window_max, c->local_maxpacket,
1858 0, "accepted auth socket", 1);
1859 open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
1860 if ((r = sshpkt_send(ssh)) != 0)
1861 fatal_fr(r, "channel %i", c->self);
1862 }
1863
1864 static void
channel_post_connecting(struct ssh * ssh,Channel * c)1865 channel_post_connecting(struct ssh *ssh, Channel *c)
1866 {
1867 int err = 0, sock, isopen, r;
1868 socklen_t sz = sizeof(err);
1869
1870 if ((c->io_ready & SSH_CHAN_IO_SOCK_W) == 0)
1871 return;
1872 if (!c->have_remote_id)
1873 fatal_f("channel %d: no remote id", c->self);
1874 /* for rdynamic the OPEN_CONFIRMATION has been sent already */
1875 isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH);
1876 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) == -1) {
1877 err = errno;
1878 error("getsockopt SO_ERROR failed");
1879 }
1880 if (err == 0) {
1881 debug("channel %d: connected to %s port %d",
1882 c->self, c->connect_ctx.host, c->connect_ctx.port);
1883 channel_connect_ctx_free(&c->connect_ctx);
1884 c->type = SSH_CHANNEL_OPEN;
1885 if (isopen) {
1886 /* no message necessary */
1887 } else {
1888 if ((r = sshpkt_start(ssh,
1889 SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
1890 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1891 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
1892 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1893 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 ||
1894 (r = sshpkt_send(ssh)) != 0)
1895 fatal_fr(r, "channel %i open confirm", c->self);
1896 }
1897 } else {
1898 debug("channel %d: connection failed: %s",
1899 c->self, strerror(err));
1900 /* Try next address, if any */
1901 if ((sock = connect_next(&c->connect_ctx)) > 0) {
1902 close(c->sock);
1903 c->sock = c->rfd = c->wfd = sock;
1904 return;
1905 }
1906 /* Exhausted all addresses */
1907 error("connect_to %.100s port %d: failed.",
1908 c->connect_ctx.host, c->connect_ctx.port);
1909 channel_connect_ctx_free(&c->connect_ctx);
1910 if (isopen) {
1911 rdynamic_close(ssh, c);
1912 } else {
1913 if ((r = sshpkt_start(ssh,
1914 SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
1915 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1916 (r = sshpkt_put_u32(ssh,
1917 SSH2_OPEN_CONNECT_FAILED)) != 0 ||
1918 (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
1919 (r = sshpkt_put_cstring(ssh, "")) != 0 ||
1920 (r = sshpkt_send(ssh)) != 0)
1921 fatal_fr(r, "channel %i: failure", c->self);
1922 chan_mark_dead(ssh, c);
1923 }
1924 }
1925 }
1926
1927 static int
channel_handle_rfd(struct ssh * ssh,Channel * c)1928 channel_handle_rfd(struct ssh *ssh, Channel *c)
1929 {
1930 char buf[CHAN_RBUF];
1931 ssize_t len;
1932 int r, force;
1933 size_t have, avail, maxlen = CHANNEL_MAX_READ;
1934 int pty_zeroread = 0;
1935
1936 #ifdef PTY_ZEROREAD
1937 /* Bug on AIX: read(1) can return 0 for a non-closed fd */
1938 pty_zeroread = c->isatty;
1939 #endif
1940
1941 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
1942
1943 if (!force && (c->io_ready & SSH_CHAN_IO_RFD) == 0)
1944 return 1;
1945 if ((avail = sshbuf_avail(c->input)) == 0)
1946 return 1; /* Shouldn't happen */
1947
1948 /*
1949 * For "simple" channels (i.e. not datagram or filtered), we can
1950 * read directly to the channel buffer.
1951 */
1952 if (!pty_zeroread && c->input_filter == NULL && !c->datagram) {
1953 /* Only OPEN channels have valid rwin */
1954 if (c->type == SSH_CHANNEL_OPEN) {
1955 if ((have = sshbuf_len(c->input)) >= c->remote_window)
1956 return 1; /* shouldn't happen */
1957 if (maxlen > c->remote_window - have)
1958 maxlen = c->remote_window - have;
1959 }
1960 if (maxlen > avail)
1961 maxlen = avail;
1962 if ((r = sshbuf_read(c->rfd, c->input, maxlen, NULL)) != 0) {
1963 if (errno == EINTR || (!force &&
1964 (errno == EAGAIN || errno == EWOULDBLOCK)))
1965 return 1;
1966 debug2("channel %d: read failed rfd %d maxlen %zu: %s",
1967 c->self, c->rfd, maxlen, ssh_err(r));
1968 goto rfail;
1969 }
1970 return 1;
1971 }
1972
1973 errno = 0;
1974 len = read(c->rfd, buf, sizeof(buf));
1975 /* fixup AIX zero-length read with errno set to look more like errors */
1976 if (pty_zeroread && len == 0 && errno != 0)
1977 len = -1;
1978 if (len == -1 && (errno == EINTR ||
1979 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force)))
1980 return 1;
1981 if (len < 0 || (!pty_zeroread && len == 0)) {
1982 debug2("channel %d: read<=0 rfd %d len %zd: %s",
1983 c->self, c->rfd, len,
1984 len == 0 ? "closed" : strerror(errno));
1985 rfail:
1986 if (c->type != SSH_CHANNEL_OPEN) {
1987 debug2("channel %d: not open", c->self);
1988 chan_mark_dead(ssh, c);
1989 return -1;
1990 } else {
1991 chan_read_failed(ssh, c);
1992 }
1993 return -1;
1994 }
1995 if (c->input_filter != NULL) {
1996 if (c->input_filter(ssh, c, buf, len) == -1) {
1997 debug2("channel %d: filter stops", c->self);
1998 chan_read_failed(ssh, c);
1999 }
2000 } else if (c->datagram) {
2001 if ((r = sshbuf_put_string(c->input, buf, len)) != 0)
2002 fatal_fr(r, "channel %i: put datagram", c->self);
2003 } else if ((r = sshbuf_put(c->input, buf, len)) != 0)
2004 fatal_fr(r, "channel %i: put data", c->self);
2005
2006 return 1;
2007 }
2008
2009 static int
channel_handle_wfd(struct ssh * ssh,Channel * c)2010 channel_handle_wfd(struct ssh *ssh, Channel *c)
2011 {
2012 struct termios tio;
2013 u_char *data = NULL, *buf; /* XXX const; need filter API change */
2014 size_t dlen, olen = 0;
2015 int r, len;
2016
2017 if ((c->io_ready & SSH_CHAN_IO_WFD) == 0)
2018 return 1;
2019 if (sshbuf_len(c->output) == 0)
2020 return 1;
2021
2022 /* Send buffered output data to the socket. */
2023 olen = sshbuf_len(c->output);
2024 if (c->output_filter != NULL) {
2025 if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) {
2026 debug2("channel %d: filter stops", c->self);
2027 if (c->type != SSH_CHANNEL_OPEN)
2028 chan_mark_dead(ssh, c);
2029 else
2030 chan_write_failed(ssh, c);
2031 return -1;
2032 }
2033 } else if (c->datagram) {
2034 if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0)
2035 fatal_fr(r, "channel %i: get datagram", c->self);
2036 buf = data;
2037 } else {
2038 buf = data = sshbuf_mutable_ptr(c->output);
2039 dlen = sshbuf_len(c->output);
2040 }
2041
2042 if (c->datagram) {
2043 /* ignore truncated writes, datagrams might get lost */
2044 len = write(c->wfd, buf, dlen);
2045 free(data);
2046 if (len == -1 && (errno == EINTR || errno == EAGAIN ||
2047 errno == EWOULDBLOCK))
2048 return 1;
2049 if (len <= 0)
2050 goto write_fail;
2051 goto out;
2052 }
2053
2054 #ifdef _AIX
2055 /* XXX: Later AIX versions can't push as much data to tty */
2056 if (c->wfd_isatty)
2057 dlen = MINIMUM(dlen, 8*1024);
2058 #endif
2059
2060 len = write(c->wfd, buf, dlen);
2061 if (len == -1 &&
2062 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK))
2063 return 1;
2064 if (len <= 0) {
2065 write_fail:
2066 if (c->type != SSH_CHANNEL_OPEN) {
2067 debug2("channel %d: not open", c->self);
2068 chan_mark_dead(ssh, c);
2069 return -1;
2070 } else {
2071 chan_write_failed(ssh, c);
2072 }
2073 return -1;
2074 }
2075 #ifndef BROKEN_TCGETATTR_ICANON
2076 if (c->isatty && dlen >= 1 && buf[0] != '\r') {
2077 if (tcgetattr(c->wfd, &tio) == 0 &&
2078 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
2079 /*
2080 * Simulate echo to reduce the impact of
2081 * traffic analysis. We need to match the
2082 * size of a SSH2_MSG_CHANNEL_DATA message
2083 * (4 byte channel id + buf)
2084 */
2085 if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 ||
2086 (r = sshpkt_send(ssh)) != 0)
2087 fatal_fr(r, "channel %i: ignore", c->self);
2088 }
2089 }
2090 #endif /* BROKEN_TCGETATTR_ICANON */
2091 if ((r = sshbuf_consume(c->output, len)) != 0)
2092 fatal_fr(r, "channel %i: consume", c->self);
2093 out:
2094 c->local_consumed += olen - sshbuf_len(c->output);
2095
2096 return 1;
2097 }
2098
2099 static int
channel_handle_efd_write(struct ssh * ssh,Channel * c)2100 channel_handle_efd_write(struct ssh *ssh, Channel *c)
2101 {
2102 int r;
2103 ssize_t len;
2104
2105 if ((c->io_ready & SSH_CHAN_IO_EFD_W) == 0)
2106 return 1;
2107 if (sshbuf_len(c->extended) == 0)
2108 return 1;
2109
2110 len = write(c->efd, sshbuf_ptr(c->extended),
2111 sshbuf_len(c->extended));
2112 debug2("channel %d: written %zd to efd %d", c->self, len, c->efd);
2113 if (len == -1 && (errno == EINTR || errno == EAGAIN ||
2114 errno == EWOULDBLOCK))
2115 return 1;
2116 if (len <= 0) {
2117 debug2("channel %d: closing write-efd %d", c->self, c->efd);
2118 channel_close_fd(ssh, c, &c->efd);
2119 } else {
2120 if ((r = sshbuf_consume(c->extended, len)) != 0)
2121 fatal_fr(r, "channel %i: consume", c->self);
2122 c->local_consumed += len;
2123 }
2124 return 1;
2125 }
2126
2127 static int
channel_handle_efd_read(struct ssh * ssh,Channel * c)2128 channel_handle_efd_read(struct ssh *ssh, Channel *c)
2129 {
2130 char buf[CHAN_RBUF];
2131 ssize_t len;
2132 int r, force;
2133
2134 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
2135
2136 if (!force && (c->io_ready & SSH_CHAN_IO_EFD_R) == 0)
2137 return 1;
2138
2139 len = read(c->efd, buf, sizeof(buf));
2140 debug2("channel %d: read %zd from efd %d", c->self, len, c->efd);
2141 if (len == -1 && (errno == EINTR || ((errno == EAGAIN ||
2142 errno == EWOULDBLOCK) && !force)))
2143 return 1;
2144 if (len <= 0) {
2145 debug2("channel %d: closing read-efd %d", c->self, c->efd);
2146 channel_close_fd(ssh, c, &c->efd);
2147 } else if (c->extended_usage == CHAN_EXTENDED_IGNORE)
2148 debug3("channel %d: discard efd", c->self);
2149 else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
2150 fatal_fr(r, "channel %i: append", c->self);
2151 return 1;
2152 }
2153
2154 static int
channel_handle_efd(struct ssh * ssh,Channel * c)2155 channel_handle_efd(struct ssh *ssh, Channel *c)
2156 {
2157 if (c->efd == -1)
2158 return 1;
2159
2160 /** XXX handle drain efd, too */
2161
2162 if (c->extended_usage == CHAN_EXTENDED_WRITE)
2163 return channel_handle_efd_write(ssh, c);
2164 else if (c->extended_usage == CHAN_EXTENDED_READ ||
2165 c->extended_usage == CHAN_EXTENDED_IGNORE)
2166 return channel_handle_efd_read(ssh, c);
2167
2168 return 1;
2169 }
2170
2171 static int
channel_check_window(struct ssh * ssh,Channel * c)2172 channel_check_window(struct ssh *ssh, Channel *c)
2173 {
2174 int r;
2175
2176 if (c->type == SSH_CHANNEL_OPEN &&
2177 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
2178 ((c->local_window_max - c->local_window >
2179 c->local_maxpacket*3) ||
2180 c->local_window < c->local_window_max/2) &&
2181 c->local_consumed > 0) {
2182 if (!c->have_remote_id)
2183 fatal_f("channel %d: no remote id", c->self);
2184 if ((r = sshpkt_start(ssh,
2185 SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
2186 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2187 (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
2188 (r = sshpkt_send(ssh)) != 0) {
2189 fatal_fr(r, "channel %i", c->self);
2190 }
2191 debug2("channel %d: window %d sent adjust %d", c->self,
2192 c->local_window, c->local_consumed);
2193 c->local_window += c->local_consumed;
2194 c->local_consumed = 0;
2195 }
2196 return 1;
2197 }
2198
2199 static void
channel_post_open(struct ssh * ssh,Channel * c)2200 channel_post_open(struct ssh *ssh, Channel *c)
2201 {
2202 channel_handle_rfd(ssh, c);
2203 channel_handle_wfd(ssh, c);
2204 channel_handle_efd(ssh, c);
2205 channel_check_window(ssh, c);
2206 }
2207
2208 static u_int
read_mux(struct ssh * ssh,Channel * c,u_int need)2209 read_mux(struct ssh *ssh, Channel *c, u_int need)
2210 {
2211 char buf[CHAN_RBUF];
2212 ssize_t len;
2213 u_int rlen;
2214 int r;
2215
2216 if (sshbuf_len(c->input) < need) {
2217 rlen = need - sshbuf_len(c->input);
2218 len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF));
2219 if (len == -1 && (errno == EINTR || errno == EAGAIN))
2220 return sshbuf_len(c->input);
2221 if (len <= 0) {
2222 debug2("channel %d: ctl read<=0 rfd %d len %zd",
2223 c->self, c->rfd, len);
2224 chan_read_failed(ssh, c);
2225 return 0;
2226 } else if ((r = sshbuf_put(c->input, buf, len)) != 0)
2227 fatal_fr(r, "channel %i: append", c->self);
2228 }
2229 return sshbuf_len(c->input);
2230 }
2231
2232 static void
channel_post_mux_client_read(struct ssh * ssh,Channel * c)2233 channel_post_mux_client_read(struct ssh *ssh, Channel *c)
2234 {
2235 u_int need;
2236
2237 if ((c->io_ready & SSH_CHAN_IO_RFD) == 0)
2238 return;
2239 if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN)
2240 return;
2241 if (c->mux_pause)
2242 return;
2243
2244 /*
2245 * Don't not read past the precise end of packets to
2246 * avoid disrupting fd passing.
2247 */
2248 if (read_mux(ssh, c, 4) < 4) /* read header */
2249 return;
2250 /* XXX sshbuf_peek_u32 */
2251 need = PEEK_U32(sshbuf_ptr(c->input));
2252 #define CHANNEL_MUX_MAX_PACKET (256 * 1024)
2253 if (need > CHANNEL_MUX_MAX_PACKET) {
2254 debug2("channel %d: packet too big %u > %u",
2255 c->self, CHANNEL_MUX_MAX_PACKET, need);
2256 chan_rcvd_oclose(ssh, c);
2257 return;
2258 }
2259 if (read_mux(ssh, c, need + 4) < need + 4) /* read body */
2260 return;
2261 if (c->mux_rcb(ssh, c) != 0) {
2262 debug("channel %d: mux_rcb failed", c->self);
2263 chan_mark_dead(ssh, c);
2264 return;
2265 }
2266 }
2267
2268 static void
channel_post_mux_client_write(struct ssh * ssh,Channel * c)2269 channel_post_mux_client_write(struct ssh *ssh, Channel *c)
2270 {
2271 ssize_t len;
2272 int r;
2273
2274 if ((c->io_ready & SSH_CHAN_IO_WFD) == 0)
2275 return;
2276 if (sshbuf_len(c->output) == 0)
2277 return;
2278
2279 len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output));
2280 if (len == -1 && (errno == EINTR || errno == EAGAIN))
2281 return;
2282 if (len <= 0) {
2283 chan_mark_dead(ssh, c);
2284 return;
2285 }
2286 if ((r = sshbuf_consume(c->output, len)) != 0)
2287 fatal_fr(r, "channel %i: consume", c->self);
2288 }
2289
2290 static void
channel_post_mux_client(struct ssh * ssh,Channel * c)2291 channel_post_mux_client(struct ssh *ssh, Channel *c)
2292 {
2293 channel_post_mux_client_read(ssh, c);
2294 channel_post_mux_client_write(ssh, c);
2295 }
2296
2297 static void
channel_post_mux_listener(struct ssh * ssh,Channel * c)2298 channel_post_mux_listener(struct ssh *ssh, Channel *c)
2299 {
2300 Channel *nc;
2301 struct sockaddr_storage addr;
2302 socklen_t addrlen;
2303 int newsock;
2304 uid_t euid;
2305 gid_t egid;
2306
2307 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
2308 return;
2309
2310 debug("multiplexing control connection");
2311
2312 /*
2313 * Accept connection on control socket
2314 */
2315 memset(&addr, 0, sizeof(addr));
2316 addrlen = sizeof(addr);
2317 if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
2318 &addrlen)) == -1) {
2319 error_f("accept: %s", strerror(errno));
2320 if (errno == EMFILE || errno == ENFILE)
2321 c->notbefore = monotime() + 1;
2322 return;
2323 }
2324
2325 if (getpeereid(newsock, &euid, &egid) == -1) {
2326 error_f("getpeereid failed: %s", strerror(errno));
2327 close(newsock);
2328 return;
2329 }
2330 if ((euid != 0) && (getuid() != euid)) {
2331 error("multiplex uid mismatch: peer euid %u != uid %u",
2332 (u_int)euid, (u_int)getuid());
2333 close(newsock);
2334 return;
2335 }
2336 nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT,
2337 newsock, newsock, -1, c->local_window_max,
2338 c->local_maxpacket, 0, "mux-control", 1);
2339 nc->mux_rcb = c->mux_rcb;
2340 debug3_f("new mux channel %d fd %d", nc->self, nc->sock);
2341 /* establish state */
2342 nc->mux_rcb(ssh, nc);
2343 /* mux state transitions must not elicit protocol messages */
2344 nc->flags |= CHAN_LOCAL;
2345 }
2346
2347 static void
channel_handler_init(struct ssh_channels * sc)2348 channel_handler_init(struct ssh_channels *sc)
2349 {
2350 chan_fn **pre, **post;
2351
2352 if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL ||
2353 (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL)
2354 fatal_f("allocation failed");
2355
2356 pre[SSH_CHANNEL_OPEN] = &channel_pre_open;
2357 pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
2358 pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
2359 pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
2360 pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener;
2361 pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener;
2362 pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
2363 pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
2364 pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
2365 pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
2366 pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting;
2367 pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener;
2368 pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client;
2369
2370 post[SSH_CHANNEL_OPEN] = &channel_post_open;
2371 post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
2372 post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
2373 post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener;
2374 post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener;
2375 post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
2376 post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
2377 post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
2378 post[SSH_CHANNEL_DYNAMIC] = &channel_post_open;
2379 post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting;
2380 post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener;
2381 post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client;
2382
2383 sc->channel_pre = pre;
2384 sc->channel_post = post;
2385 }
2386
2387 /* gc dead channels */
2388 static void
channel_garbage_collect(struct ssh * ssh,Channel * c)2389 channel_garbage_collect(struct ssh *ssh, Channel *c)
2390 {
2391 if (c == NULL)
2392 return;
2393 if (c->detach_user != NULL) {
2394 if (!chan_is_dead(ssh, c, c->detach_close))
2395 return;
2396
2397 debug2("channel %d: gc: notify user", c->self);
2398 c->detach_user(ssh, c->self, NULL);
2399 /* if we still have a callback */
2400 if (c->detach_user != NULL)
2401 return;
2402 debug2("channel %d: gc: user detached", c->self);
2403 }
2404 if (!chan_is_dead(ssh, c, 1))
2405 return;
2406 debug2("channel %d: garbage collecting", c->self);
2407 channel_free(ssh, c);
2408 }
2409
2410 enum channel_table { CHAN_PRE, CHAN_POST };
2411
2412 static void
channel_handler(struct ssh * ssh,int table,time_t * unpause_secs)2413 channel_handler(struct ssh *ssh, int table, time_t *unpause_secs)
2414 {
2415 struct ssh_channels *sc = ssh->chanctxt;
2416 chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post;
2417 u_int i, oalloc;
2418 Channel *c;
2419 time_t now;
2420
2421 now = monotime();
2422 if (unpause_secs != NULL)
2423 *unpause_secs = 0;
2424 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2425 c = sc->channels[i];
2426 if (c == NULL)
2427 continue;
2428 /* Try to keep IO going while rekeying */
2429 if (ssh_packet_is_rekeying(ssh) && c->type != SSH_CHANNEL_OPEN)
2430 continue;
2431 if (c->delayed) {
2432 if (table == CHAN_PRE)
2433 c->delayed = 0;
2434 else
2435 continue;
2436 }
2437 if (ftab[c->type] != NULL) {
2438 /*
2439 * Run handlers that are not paused.
2440 */
2441 if (c->notbefore <= now)
2442 (*ftab[c->type])(ssh, c);
2443 else if (unpause_secs != NULL) {
2444 /*
2445 * Collect the time that the earliest
2446 * channel comes off pause.
2447 */
2448 debug3_f("chan %d: skip for %d more "
2449 "seconds", c->self,
2450 (int)(c->notbefore - now));
2451 if (*unpause_secs == 0 ||
2452 (c->notbefore - now) < *unpause_secs)
2453 *unpause_secs = c->notbefore - now;
2454 }
2455 }
2456 channel_garbage_collect(ssh, c);
2457 }
2458 if (unpause_secs != NULL && *unpause_secs != 0)
2459 debug3_f("first channel unpauses in %d seconds",
2460 (int)*unpause_secs);
2461 }
2462
2463 /*
2464 * Create sockets before preparing IO.
2465 * This is necessary for things that need to happen after reading
2466 * the network-input but need to be completed before IO event setup, e.g.
2467 * because they may create new channels.
2468 */
2469 static void
channel_before_prepare_io(struct ssh * ssh)2470 channel_before_prepare_io(struct ssh *ssh)
2471 {
2472 struct ssh_channels *sc = ssh->chanctxt;
2473 Channel *c;
2474 u_int i, oalloc;
2475
2476 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2477 c = sc->channels[i];
2478 if (c == NULL)
2479 continue;
2480 if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN)
2481 channel_before_prepare_io_rdynamic(ssh, c);
2482 }
2483 }
2484
2485 static void
dump_channel_poll(const char * func,const char * what,Channel * c,u_int pollfd_offset,struct pollfd * pfd)2486 dump_channel_poll(const char *func, const char *what, Channel *c,
2487 u_int pollfd_offset, struct pollfd *pfd)
2488 {
2489 #ifdef DEBUG_CHANNEL_POLL
2490 debug3("%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] "
2491 "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d "
2492 "pfd.ev 0x%02x pfd.rev 0x%02x", func, c->self, what,
2493 c->rfd, c->wfd, c->efd, c->sock,
2494 c->pfds[0], c->pfds[1], c->pfds[2], c->pfds[3],
2495 c->io_want, c->io_ready,
2496 pollfd_offset, pfd->fd, pfd->events, pfd->revents);
2497 #endif
2498 }
2499
2500 /* Prepare pollfd entries for a single channel */
2501 static void
channel_prepare_pollfd(Channel * c,u_int * next_pollfd,struct pollfd * pfd,u_int npfd)2502 channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
2503 struct pollfd *pfd, u_int npfd)
2504 {
2505 u_int ev, p = *next_pollfd;
2506
2507 if (c == NULL)
2508 return;
2509 if (p + 4 > npfd) {
2510 /* Shouldn't happen */
2511 fatal_f("channel %d: bad pfd offset %u (max %u)",
2512 c->self, p, npfd);
2513 }
2514 c->pfds[0] = c->pfds[1] = c->pfds[2] = c->pfds[3] = -1;
2515 /*
2516 * prepare c->rfd
2517 *
2518 * This is a special case, since c->rfd might be the same as
2519 * c->wfd, c->efd and/or c->sock. Handle those here if they want
2520 * IO too.
2521 */
2522 if (c->rfd != -1) {
2523 ev = 0;
2524 if ((c->io_want & SSH_CHAN_IO_RFD) != 0)
2525 ev |= POLLIN;
2526 /* rfd == wfd */
2527 if (c->wfd == c->rfd) {
2528 if ((c->io_want & SSH_CHAN_IO_WFD) != 0)
2529 ev |= POLLOUT;
2530 }
2531 /* rfd == efd */
2532 if (c->efd == c->rfd) {
2533 if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
2534 ev |= POLLIN;
2535 if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
2536 ev |= POLLOUT;
2537 }
2538 /* rfd == sock */
2539 if (c->sock == c->rfd) {
2540 if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
2541 ev |= POLLIN;
2542 if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
2543 ev |= POLLOUT;
2544 }
2545 /* Pack a pfd entry if any event armed for this fd */
2546 if (ev != 0) {
2547 c->pfds[0] = p;
2548 pfd[p].fd = c->rfd;
2549 pfd[p].events = ev;
2550 dump_channel_poll(__func__, "rfd", c, p, &pfd[p]);
2551 p++;
2552 }
2553 }
2554 /* prepare c->wfd if wanting IO and not already handled above */
2555 if (c->wfd != -1 && c->rfd != c->wfd) {
2556 ev = 0;
2557 if ((c->io_want & SSH_CHAN_IO_WFD))
2558 ev |= POLLOUT;
2559 /* Pack a pfd entry if any event armed for this fd */
2560 if (ev != 0) {
2561 c->pfds[1] = p;
2562 pfd[p].fd = c->wfd;
2563 pfd[p].events = ev;
2564 dump_channel_poll(__func__, "wfd", c, p, &pfd[p]);
2565 p++;
2566 }
2567 }
2568 /* prepare c->efd if wanting IO and not already handled above */
2569 if (c->efd != -1 && c->rfd != c->efd) {
2570 ev = 0;
2571 if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
2572 ev |= POLLIN;
2573 if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
2574 ev |= POLLOUT;
2575 /* Pack a pfd entry if any event armed for this fd */
2576 if (ev != 0) {
2577 c->pfds[2] = p;
2578 pfd[p].fd = c->efd;
2579 pfd[p].events = ev;
2580 dump_channel_poll(__func__, "efd", c, p, &pfd[p]);
2581 p++;
2582 }
2583 }
2584 /* prepare c->sock if wanting IO and not already handled above */
2585 if (c->sock != -1 && c->rfd != c->sock) {
2586 ev = 0;
2587 if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
2588 ev |= POLLIN;
2589 if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
2590 ev |= POLLOUT;
2591 /* Pack a pfd entry if any event armed for this fd */
2592 if (ev != 0) {
2593 c->pfds[3] = p;
2594 pfd[p].fd = c->sock;
2595 pfd[p].events = 0;
2596 dump_channel_poll(__func__, "sock", c, p, &pfd[p]);
2597 p++;
2598 }
2599 }
2600 *next_pollfd = p;
2601 }
2602
2603 /* * Allocate/prepare poll structure */
2604 void
channel_prepare_poll(struct ssh * ssh,struct pollfd ** pfdp,u_int * npfd_allocp,u_int * npfd_activep,u_int npfd_reserved,time_t * minwait_secs)2605 channel_prepare_poll(struct ssh *ssh, struct pollfd **pfdp, u_int *npfd_allocp,
2606 u_int *npfd_activep, u_int npfd_reserved, time_t *minwait_secs)
2607 {
2608 struct ssh_channels *sc = ssh->chanctxt;
2609 u_int i, oalloc, p, npfd = npfd_reserved;
2610
2611 channel_before_prepare_io(ssh); /* might create a new channel */
2612 /* clear out I/O flags from last poll */
2613 for (i = 0; i < sc->channels_alloc; i++) {
2614 if (sc->channels[i] == NULL)
2615 continue;
2616 sc->channels[i]->io_want = sc->channels[i]->io_ready = 0;
2617 }
2618 /* Allocate 4x pollfd for each channel (rfd, wfd, efd, sock) */
2619 if (sc->channels_alloc >= (INT_MAX / 4) - npfd_reserved)
2620 fatal_f("too many channels"); /* shouldn't happen */
2621 npfd += sc->channels_alloc * 4;
2622 if (npfd > *npfd_allocp) {
2623 *pfdp = xrecallocarray(*pfdp, *npfd_allocp,
2624 npfd, sizeof(**pfdp));
2625 *npfd_allocp = npfd;
2626 }
2627 *npfd_activep = npfd_reserved;
2628 oalloc = sc->channels_alloc;
2629
2630 channel_handler(ssh, CHAN_PRE, minwait_secs);
2631
2632 if (oalloc != sc->channels_alloc) {
2633 /* shouldn't happen */
2634 fatal_f("channels_alloc changed during CHAN_PRE "
2635 "(was %u, now %u)", oalloc, sc->channels_alloc);
2636 }
2637
2638 /* Prepare pollfd */
2639 p = npfd_reserved;
2640 for (i = 0; i < sc->channels_alloc; i++)
2641 channel_prepare_pollfd(sc->channels[i], &p, *pfdp, npfd);
2642 *npfd_activep = p;
2643 }
2644
2645 static void
fd_ready(Channel * c,int p,struct pollfd * pfds,u_int npfd,int fd,const char * what,u_int revents_mask,u_int ready)2646 fd_ready(Channel *c, int p, struct pollfd *pfds, u_int npfd, int fd,
2647 const char *what, u_int revents_mask, u_int ready)
2648 {
2649 struct pollfd *pfd = &pfds[p];
2650
2651 if (fd == -1)
2652 return;
2653 if (p == -1 || (u_int)p >= npfd)
2654 fatal_f("channel %d: bad pfd %d (max %u)", c->self, p, npfd);
2655 dump_channel_poll(__func__, what, c, p, pfd);
2656 if (pfd->fd != fd) {
2657 fatal("channel %d: inconsistent %s fd=%d pollfd[%u].fd %d "
2658 "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd,
2659 c->rfd, c->wfd, c->efd, c->sock);
2660 }
2661 if ((pfd->revents & POLLNVAL) != 0) {
2662 fatal("channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d",
2663 c->self, what, p, pfd->fd, c->rfd, c->wfd, c->efd, c->sock);
2664 }
2665 if ((pfd->revents & (revents_mask|POLLHUP|POLLERR)) != 0)
2666 c->io_ready |= ready & c->io_want;
2667 }
2668
2669 /*
2670 * After poll, perform any appropriate operations for channels which have
2671 * events pending.
2672 */
2673 void
channel_after_poll(struct ssh * ssh,struct pollfd * pfd,u_int npfd)2674 channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
2675 {
2676 struct ssh_channels *sc = ssh->chanctxt;
2677 u_int i;
2678 int p;
2679 Channel *c;
2680
2681 #ifdef DEBUG_CHANNEL_POLL
2682 for (p = 0; p < (int)npfd; p++) {
2683 if (pfd[p].revents == 0)
2684 continue;
2685 debug_f("pfd[%u].fd %d rev 0x%04x",
2686 p, pfd[p].fd, pfd[p].revents);
2687 }
2688 #endif
2689
2690 /* Convert pollfd into c->io_ready */
2691 for (i = 0; i < sc->channels_alloc; i++) {
2692 c = sc->channels[i];
2693 if (c == NULL)
2694 continue;
2695 /* if rfd is shared with efd/sock then wfd should be too */
2696 if (c->rfd != -1 && c->wfd != -1 && c->rfd != c->wfd &&
2697 (c->rfd == c->efd || c->rfd == c->sock)) {
2698 /* Shouldn't happen */
2699 fatal_f("channel %d: unexpected fds r%d w%d e%d s%d",
2700 c->self, c->rfd, c->wfd, c->efd, c->sock);
2701 }
2702 c->io_ready = 0;
2703 /* rfd, potentially shared with wfd, efd and sock */
2704 if (c->rfd != -1 && (p = c->pfds[0]) != -1) {
2705 fd_ready(c, p, pfd, npfd, c->rfd,
2706 "rfd", POLLIN, SSH_CHAN_IO_RFD);
2707 if (c->rfd == c->wfd) {
2708 fd_ready(c, p, pfd, npfd, c->wfd,
2709 "wfd/r", POLLOUT, SSH_CHAN_IO_WFD);
2710 }
2711 if (c->rfd == c->efd) {
2712 fd_ready(c, p, pfd, npfd, c->efd,
2713 "efdr/r", POLLIN, SSH_CHAN_IO_EFD_R);
2714 fd_ready(c, p, pfd, npfd, c->efd,
2715 "efdw/r", POLLOUT, SSH_CHAN_IO_EFD_W);
2716 }
2717 if (c->rfd == c->sock) {
2718 fd_ready(c, p, pfd, npfd, c->sock,
2719 "sockr/r", POLLIN, SSH_CHAN_IO_SOCK_R);
2720 fd_ready(c, p, pfd, npfd, c->sock,
2721 "sockw/r", POLLOUT, SSH_CHAN_IO_SOCK_W);
2722 }
2723 dump_channel_poll(__func__, "rfd", c, p, pfd);
2724 }
2725 /* wfd */
2726 if (c->wfd != -1 && c->wfd != c->rfd &&
2727 (p = c->pfds[1]) != -1) {
2728 fd_ready(c, p, pfd, npfd, c->wfd,
2729 "wfd", POLLOUT, SSH_CHAN_IO_WFD);
2730 dump_channel_poll(__func__, "wfd", c, p, pfd);
2731 }
2732 /* efd */
2733 if (c->efd != -1 && c->efd != c->rfd &&
2734 (p = c->pfds[2]) != -1) {
2735 fd_ready(c, p, pfd, npfd, c->efd,
2736 "efdr", POLLIN, SSH_CHAN_IO_EFD_R);
2737 fd_ready(c, p, pfd, npfd, c->efd,
2738 "efdw", POLLOUT, SSH_CHAN_IO_EFD_W);
2739 dump_channel_poll(__func__, "efd", c, p, pfd);
2740 }
2741 /* sock */
2742 if (c->sock != -1 && c->sock != c->rfd &&
2743 (p = c->pfds[3]) != -1) {
2744 fd_ready(c, p, pfd, npfd, c->sock,
2745 "sockr", POLLIN, SSH_CHAN_IO_SOCK_R);
2746 fd_ready(c, p, pfd, npfd, c->sock,
2747 "sockw", POLLOUT, SSH_CHAN_IO_SOCK_W);
2748 dump_channel_poll(__func__, "sock", c, p, pfd);
2749 }
2750 }
2751 channel_handler(ssh, CHAN_POST, NULL);
2752 }
2753
2754 /*
2755 * Enqueue data for channels with open or draining c->input.
2756 */
2757 static void
channel_output_poll_input_open(struct ssh * ssh,Channel * c)2758 channel_output_poll_input_open(struct ssh *ssh, Channel *c)
2759 {
2760 size_t len, plen;
2761 const u_char *pkt;
2762 int r;
2763
2764 if ((len = sshbuf_len(c->input)) == 0) {
2765 if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
2766 /*
2767 * input-buffer is empty and read-socket shutdown:
2768 * tell peer, that we will not send more data:
2769 * send IEOF.
2770 * hack for extended data: delay EOF if EFD still
2771 * in use.
2772 */
2773 if (CHANNEL_EFD_INPUT_ACTIVE(c))
2774 debug2("channel %d: "
2775 "ibuf_empty delayed efd %d/(%zu)",
2776 c->self, c->efd, sshbuf_len(c->extended));
2777 else
2778 chan_ibuf_empty(ssh, c);
2779 }
2780 return;
2781 }
2782
2783 if (!c->have_remote_id)
2784 fatal_f("channel %d: no remote id", c->self);
2785
2786 if (c->datagram) {
2787 /* Check datagram will fit; drop if not */
2788 if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0)
2789 fatal_fr(r, "channel %i: get datagram", c->self);
2790 /*
2791 * XXX this does tail-drop on the datagram queue which is
2792 * usually suboptimal compared to head-drop. Better to have
2793 * backpressure at read time? (i.e. read + discard)
2794 */
2795 if (plen > c->remote_window || plen > c->remote_maxpacket) {
2796 debug("channel %d: datagram too big", c->self);
2797 return;
2798 }
2799 /* Enqueue it */
2800 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2801 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2802 (r = sshpkt_put_string(ssh, pkt, plen)) != 0 ||
2803 (r = sshpkt_send(ssh)) != 0)
2804 fatal_fr(r, "channel %i: send datagram", c->self);
2805 c->remote_window -= plen;
2806 return;
2807 }
2808
2809 /* Enqueue packet for buffered data. */
2810 if (len > c->remote_window)
2811 len = c->remote_window;
2812 if (len > c->remote_maxpacket)
2813 len = c->remote_maxpacket;
2814 if (len == 0)
2815 return;
2816 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2817 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2818 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 ||
2819 (r = sshpkt_send(ssh)) != 0)
2820 fatal_fr(r, "channel %i: send data", c->self);
2821 if ((r = sshbuf_consume(c->input, len)) != 0)
2822 fatal_fr(r, "channel %i: consume", c->self);
2823 c->remote_window -= len;
2824 }
2825
2826 /*
2827 * Enqueue data for channels with open c->extended in read mode.
2828 */
2829 static void
channel_output_poll_extended_read(struct ssh * ssh,Channel * c)2830 channel_output_poll_extended_read(struct ssh *ssh, Channel *c)
2831 {
2832 size_t len;
2833 int r;
2834
2835 if ((len = sshbuf_len(c->extended)) == 0)
2836 return;
2837
2838 debug2("channel %d: rwin %u elen %zu euse %d", c->self,
2839 c->remote_window, sshbuf_len(c->extended), c->extended_usage);
2840 if (len > c->remote_window)
2841 len = c->remote_window;
2842 if (len > c->remote_maxpacket)
2843 len = c->remote_maxpacket;
2844 if (len == 0)
2845 return;
2846 if (!c->have_remote_id)
2847 fatal_f("channel %d: no remote id", c->self);
2848 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 ||
2849 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2850 (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 ||
2851 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 ||
2852 (r = sshpkt_send(ssh)) != 0)
2853 fatal_fr(r, "channel %i: data", c->self);
2854 if ((r = sshbuf_consume(c->extended, len)) != 0)
2855 fatal_fr(r, "channel %i: consume", c->self);
2856 c->remote_window -= len;
2857 debug2("channel %d: sent ext data %zu", c->self, len);
2858 }
2859
2860 /* If there is data to send to the connection, enqueue some of it now. */
2861 void
channel_output_poll(struct ssh * ssh)2862 channel_output_poll(struct ssh *ssh)
2863 {
2864 struct ssh_channels *sc = ssh->chanctxt;
2865 Channel *c;
2866 u_int i;
2867
2868 for (i = 0; i < sc->channels_alloc; i++) {
2869 c = sc->channels[i];
2870 if (c == NULL)
2871 continue;
2872
2873 /*
2874 * We are only interested in channels that can have buffered
2875 * incoming data.
2876 */
2877 if (c->type != SSH_CHANNEL_OPEN)
2878 continue;
2879 if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
2880 /* XXX is this true? */
2881 debug3("channel %d: will not send data after close",
2882 c->self);
2883 continue;
2884 }
2885
2886 /* Get the amount of buffered data for this channel. */
2887 if (c->istate == CHAN_INPUT_OPEN ||
2888 c->istate == CHAN_INPUT_WAIT_DRAIN)
2889 channel_output_poll_input_open(ssh, c);
2890 /* Send extended data, i.e. stderr */
2891 if (!(c->flags & CHAN_EOF_SENT) &&
2892 c->extended_usage == CHAN_EXTENDED_READ)
2893 channel_output_poll_extended_read(ssh, c);
2894 }
2895 }
2896
2897 /* -- mux proxy support */
2898
2899 /*
2900 * When multiplexing channel messages for mux clients we have to deal
2901 * with downstream messages from the mux client and upstream messages
2902 * from the ssh server:
2903 * 1) Handling downstream messages is straightforward and happens
2904 * in channel_proxy_downstream():
2905 * - We forward all messages (mostly) unmodified to the server.
2906 * - However, in order to route messages from upstream to the correct
2907 * downstream client, we have to replace the channel IDs used by the
2908 * mux clients with a unique channel ID because the mux clients might
2909 * use conflicting channel IDs.
2910 * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
2911 * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
2912 * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
2913 * with the newly allocated channel ID.
2914 * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
2915 * channels and processed by channel_proxy_upstream(). The local channel ID
2916 * is then translated back to the original mux client ID.
2917 * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
2918 * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
2919 * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
2920 * downstream mux client are removed.
2921 * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
2922 * requires more work, because they are not addressed to a specific
2923 * channel. E.g. client_request_forwarded_tcpip() needs to figure
2924 * out whether the request is addressed to the local client or a
2925 * specific downstream client based on the listen-address/port.
2926 * 6) Agent and X11-Forwarding have a similar problem and are currently
2927 * not supported as the matching session/channel cannot be identified
2928 * easily.
2929 */
2930
2931 /*
2932 * receive packets from downstream mux clients:
2933 * channel callback fired on read from mux client, creates
2934 * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
2935 * on channel creation.
2936 */
2937 int
channel_proxy_downstream(struct ssh * ssh,Channel * downstream)2938 channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
2939 {
2940 Channel *c = NULL;
2941 struct sshbuf *original = NULL, *modified = NULL;
2942 const u_char *cp;
2943 char *ctype = NULL, *listen_host = NULL;
2944 u_char type;
2945 size_t have;
2946 int ret = -1, r;
2947 u_int id, remote_id, listen_port;
2948
2949 /* sshbuf_dump(downstream->input, stderr); */
2950 if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have))
2951 != 0) {
2952 error_fr(r, "parse");
2953 return -1;
2954 }
2955 if (have < 2) {
2956 error_f("short message");
2957 return -1;
2958 }
2959 type = cp[1];
2960 /* skip padlen + type */
2961 cp += 2;
2962 have -= 2;
2963 if (ssh_packet_log_type(type))
2964 debug3_f("channel %u: down->up: type %u",
2965 downstream->self, type);
2966
2967 switch (type) {
2968 case SSH2_MSG_CHANNEL_OPEN:
2969 if ((original = sshbuf_from(cp, have)) == NULL ||
2970 (modified = sshbuf_new()) == NULL) {
2971 error_f("alloc");
2972 goto out;
2973 }
2974 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 ||
2975 (r = sshbuf_get_u32(original, &id)) != 0) {
2976 error_fr(r, "parse");
2977 goto out;
2978 }
2979 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
2980 -1, -1, -1, 0, 0, 0, ctype, 1);
2981 c->mux_ctx = downstream; /* point to mux client */
2982 c->mux_downstream_id = id; /* original downstream id */
2983 if ((r = sshbuf_put_cstring(modified, ctype)) != 0 ||
2984 (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2985 (r = sshbuf_putb(modified, original)) != 0) {
2986 error_fr(r, "compose");
2987 channel_free(ssh, c);
2988 goto out;
2989 }
2990 break;
2991 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2992 /*
2993 * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
2994 * need to parse 'remote_id' instead of 'ctype'.
2995 */
2996 if ((original = sshbuf_from(cp, have)) == NULL ||
2997 (modified = sshbuf_new()) == NULL) {
2998 error_f("alloc");
2999 goto out;
3000 }
3001 if ((r = sshbuf_get_u32(original, &remote_id)) != 0 ||
3002 (r = sshbuf_get_u32(original, &id)) != 0) {
3003 error_fr(r, "parse");
3004 goto out;
3005 }
3006 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
3007 -1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
3008 c->mux_ctx = downstream; /* point to mux client */
3009 c->mux_downstream_id = id;
3010 c->remote_id = remote_id;
3011 c->have_remote_id = 1;
3012 if ((r = sshbuf_put_u32(modified, remote_id)) != 0 ||
3013 (r = sshbuf_put_u32(modified, c->self)) != 0 ||
3014 (r = sshbuf_putb(modified, original)) != 0) {
3015 error_fr(r, "compose");
3016 channel_free(ssh, c);
3017 goto out;
3018 }
3019 break;
3020 case SSH2_MSG_GLOBAL_REQUEST:
3021 if ((original = sshbuf_from(cp, have)) == NULL) {
3022 error_f("alloc");
3023 goto out;
3024 }
3025 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) {
3026 error_fr(r, "parse");
3027 goto out;
3028 }
3029 if (strcmp(ctype, "tcpip-forward") != 0) {
3030 error_f("unsupported request %s", ctype);
3031 goto out;
3032 }
3033 if ((r = sshbuf_get_u8(original, NULL)) != 0 ||
3034 (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 ||
3035 (r = sshbuf_get_u32(original, &listen_port)) != 0) {
3036 error_fr(r, "parse");
3037 goto out;
3038 }
3039 if (listen_port > 65535) {
3040 error_f("tcpip-forward for %s: bad port %u",
3041 listen_host, listen_port);
3042 goto out;
3043 }
3044 /* Record that connection to this host/port is permitted. */
3045 permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
3046 listen_host, NULL, (int)listen_port, downstream);
3047 listen_host = NULL;
3048 break;
3049 case SSH2_MSG_CHANNEL_CLOSE:
3050 if (have < 4)
3051 break;
3052 remote_id = PEEK_U32(cp);
3053 if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) {
3054 if (c->flags & CHAN_CLOSE_RCVD)
3055 channel_free(ssh, c);
3056 else
3057 c->flags |= CHAN_CLOSE_SENT;
3058 }
3059 break;
3060 }
3061 if (modified) {
3062 if ((r = sshpkt_start(ssh, type)) != 0 ||
3063 (r = sshpkt_putb(ssh, modified)) != 0 ||
3064 (r = sshpkt_send(ssh)) != 0) {
3065 error_fr(r, "send");
3066 goto out;
3067 }
3068 } else {
3069 if ((r = sshpkt_start(ssh, type)) != 0 ||
3070 (r = sshpkt_put(ssh, cp, have)) != 0 ||
3071 (r = sshpkt_send(ssh)) != 0) {
3072 error_fr(r, "send");
3073 goto out;
3074 }
3075 }
3076 ret = 0;
3077 out:
3078 free(ctype);
3079 free(listen_host);
3080 sshbuf_free(original);
3081 sshbuf_free(modified);
3082 return ret;
3083 }
3084
3085 /*
3086 * receive packets from upstream server and de-multiplex packets
3087 * to correct downstream:
3088 * implemented as a helper for channel input handlers,
3089 * replaces local (proxy) channel ID with downstream channel ID.
3090 */
3091 int
channel_proxy_upstream(Channel * c,int type,u_int32_t seq,struct ssh * ssh)3092 channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh)
3093 {
3094 struct sshbuf *b = NULL;
3095 Channel *downstream;
3096 const u_char *cp = NULL;
3097 size_t len;
3098 int r;
3099
3100 /*
3101 * When receiving packets from the peer we need to check whether we
3102 * need to forward the packets to the mux client. In this case we
3103 * restore the original channel id and keep track of CLOSE messages,
3104 * so we can cleanup the channel.
3105 */
3106 if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY)
3107 return 0;
3108 if ((downstream = c->mux_ctx) == NULL)
3109 return 0;
3110 switch (type) {
3111 case SSH2_MSG_CHANNEL_CLOSE:
3112 case SSH2_MSG_CHANNEL_DATA:
3113 case SSH2_MSG_CHANNEL_EOF:
3114 case SSH2_MSG_CHANNEL_EXTENDED_DATA:
3115 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
3116 case SSH2_MSG_CHANNEL_OPEN_FAILURE:
3117 case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
3118 case SSH2_MSG_CHANNEL_SUCCESS:
3119 case SSH2_MSG_CHANNEL_FAILURE:
3120 case SSH2_MSG_CHANNEL_REQUEST:
3121 break;
3122 default:
3123 debug2_f("channel %u: unsupported type %u", c->self, type);
3124 return 0;
3125 }
3126 if ((b = sshbuf_new()) == NULL) {
3127 error_f("alloc reply");
3128 goto out;
3129 }
3130 /* get remaining payload (after id) */
3131 cp = sshpkt_ptr(ssh, &len);
3132 if (cp == NULL) {
3133 error_f("no packet");
3134 goto out;
3135 }
3136 /* translate id and send to muxclient */
3137 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */
3138 (r = sshbuf_put_u8(b, type)) != 0 ||
3139 (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 ||
3140 (r = sshbuf_put(b, cp, len)) != 0 ||
3141 (r = sshbuf_put_stringb(downstream->output, b)) != 0) {
3142 error_fr(r, "compose muxclient");
3143 goto out;
3144 }
3145 /* sshbuf_dump(b, stderr); */
3146 if (ssh_packet_log_type(type))
3147 debug3_f("channel %u: up->down: type %u", c->self, type);
3148 out:
3149 /* update state */
3150 switch (type) {
3151 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
3152 /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
3153 if (cp && len > 4) {
3154 c->remote_id = PEEK_U32(cp);
3155 c->have_remote_id = 1;
3156 }
3157 break;
3158 case SSH2_MSG_CHANNEL_CLOSE:
3159 if (c->flags & CHAN_CLOSE_SENT)
3160 channel_free(ssh, c);
3161 else
3162 c->flags |= CHAN_CLOSE_RCVD;
3163 break;
3164 }
3165 sshbuf_free(b);
3166 return 1;
3167 }
3168
3169 /* -- protocol input */
3170
3171 /* Parse a channel ID from the current packet */
3172 static int
channel_parse_id(struct ssh * ssh,const char * where,const char * what)3173 channel_parse_id(struct ssh *ssh, const char *where, const char *what)
3174 {
3175 u_int32_t id;
3176 int r;
3177
3178 if ((r = sshpkt_get_u32(ssh, &id)) != 0) {
3179 error_r(r, "%s: parse id", where);
3180 ssh_packet_disconnect(ssh, "Invalid %s message", what);
3181 }
3182 if (id > INT_MAX) {
3183 error_r(r, "%s: bad channel id %u", where, id);
3184 ssh_packet_disconnect(ssh, "Invalid %s channel id", what);
3185 }
3186 return (int)id;
3187 }
3188
3189 /* Lookup a channel from an ID in the current packet */
3190 static Channel *
channel_from_packet_id(struct ssh * ssh,const char * where,const char * what)3191 channel_from_packet_id(struct ssh *ssh, const char *where, const char *what)
3192 {
3193 int id = channel_parse_id(ssh, where, what);
3194 Channel *c;
3195
3196 if ((c = channel_lookup(ssh, id)) == NULL) {
3197 ssh_packet_disconnect(ssh,
3198 "%s packet referred to nonexistent channel %d", what, id);
3199 }
3200 return c;
3201 }
3202
3203 int
channel_input_data(int type,u_int32_t seq,struct ssh * ssh)3204 channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
3205 {
3206 const u_char *data;
3207 size_t data_len, win_len;
3208 Channel *c = channel_from_packet_id(ssh, __func__, "data");
3209 int r;
3210
3211 if (channel_proxy_upstream(c, type, seq, ssh))
3212 return 0;
3213
3214 /* Ignore any data for non-open channels (might happen on close) */
3215 if (c->type != SSH_CHANNEL_OPEN &&
3216 c->type != SSH_CHANNEL_RDYNAMIC_OPEN &&
3217 c->type != SSH_CHANNEL_RDYNAMIC_FINISH &&
3218 c->type != SSH_CHANNEL_X11_OPEN)
3219 return 0;
3220
3221 /* Get the data. */
3222 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
3223 (r = sshpkt_get_end(ssh)) != 0)
3224 fatal_fr(r, "channel %i: get data", c->self);
3225
3226 win_len = data_len;
3227 if (c->datagram)
3228 win_len += 4; /* string length header */
3229
3230 /*
3231 * The sending side reduces its window as it sends data, so we
3232 * must 'fake' consumption of the data in order to ensure that window
3233 * updates are sent back. Otherwise the connection might deadlock.
3234 */
3235 if (c->ostate != CHAN_OUTPUT_OPEN) {
3236 c->local_window -= win_len;
3237 c->local_consumed += win_len;
3238 return 0;
3239 }
3240
3241 if (win_len > c->local_maxpacket) {
3242 logit("channel %d: rcvd big packet %zu, maxpack %u",
3243 c->self, win_len, c->local_maxpacket);
3244 return 0;
3245 }
3246 if (win_len > c->local_window) {
3247 logit("channel %d: rcvd too much data %zu, win %u",
3248 c->self, win_len, c->local_window);
3249 return 0;
3250 }
3251 c->local_window -= win_len;
3252
3253 if (c->datagram) {
3254 if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
3255 fatal_fr(r, "channel %i: append datagram", c->self);
3256 } else if ((r = sshbuf_put(c->output, data, data_len)) != 0)
3257 fatal_fr(r, "channel %i: append data", c->self);
3258
3259 return 0;
3260 }
3261
3262 int
channel_input_extended_data(int type,u_int32_t seq,struct ssh * ssh)3263 channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
3264 {
3265 const u_char *data;
3266 size_t data_len;
3267 u_int32_t tcode;
3268 Channel *c = channel_from_packet_id(ssh, __func__, "extended data");
3269 int r;
3270
3271 if (channel_proxy_upstream(c, type, seq, ssh))
3272 return 0;
3273 if (c->type != SSH_CHANNEL_OPEN) {
3274 logit("channel %d: ext data for non open", c->self);
3275 return 0;
3276 }
3277 if (c->flags & CHAN_EOF_RCVD) {
3278 if (ssh->compat & SSH_BUG_EXTEOF)
3279 debug("channel %d: accepting ext data after eof",
3280 c->self);
3281 else
3282 ssh_packet_disconnect(ssh, "Received extended_data "
3283 "after EOF on channel %d.", c->self);
3284 }
3285
3286 if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) {
3287 error_fr(r, "parse tcode");
3288 ssh_packet_disconnect(ssh, "Invalid extended_data message");
3289 }
3290 if (c->efd == -1 ||
3291 c->extended_usage != CHAN_EXTENDED_WRITE ||
3292 tcode != SSH2_EXTENDED_DATA_STDERR) {
3293 logit("channel %d: bad ext data", c->self);
3294 return 0;
3295 }
3296 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
3297 (r = sshpkt_get_end(ssh)) != 0) {
3298 error_fr(r, "parse data");
3299 ssh_packet_disconnect(ssh, "Invalid extended_data message");
3300 }
3301
3302 if (data_len > c->local_window) {
3303 logit("channel %d: rcvd too much extended_data %zu, win %u",
3304 c->self, data_len, c->local_window);
3305 return 0;
3306 }
3307 debug2("channel %d: rcvd ext data %zu", c->self, data_len);
3308 /* XXX sshpkt_getb? */
3309 if ((r = sshbuf_put(c->extended, data, data_len)) != 0)
3310 error_fr(r, "append");
3311 c->local_window -= data_len;
3312 return 0;
3313 }
3314
3315 int
channel_input_ieof(int type,u_int32_t seq,struct ssh * ssh)3316 channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
3317 {
3318 Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
3319 int r;
3320
3321 if ((r = sshpkt_get_end(ssh)) != 0) {
3322 error_fr(r, "parse data");
3323 ssh_packet_disconnect(ssh, "Invalid ieof message");
3324 }
3325
3326 if (channel_proxy_upstream(c, type, seq, ssh))
3327 return 0;
3328 chan_rcvd_ieof(ssh, c);
3329
3330 /* XXX force input close */
3331 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
3332 debug("channel %d: FORCE input drain", c->self);
3333 c->istate = CHAN_INPUT_WAIT_DRAIN;
3334 if (sshbuf_len(c->input) == 0)
3335 chan_ibuf_empty(ssh, c);
3336 }
3337 return 0;
3338 }
3339
3340 int
channel_input_oclose(int type,u_int32_t seq,struct ssh * ssh)3341 channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
3342 {
3343 Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
3344 int r;
3345
3346 if (channel_proxy_upstream(c, type, seq, ssh))
3347 return 0;
3348 if ((r = sshpkt_get_end(ssh)) != 0) {
3349 error_fr(r, "parse data");
3350 ssh_packet_disconnect(ssh, "Invalid oclose message");
3351 }
3352 chan_rcvd_oclose(ssh, c);
3353 return 0;
3354 }
3355
3356 int
channel_input_open_confirmation(int type,u_int32_t seq,struct ssh * ssh)3357 channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
3358 {
3359 Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation");
3360 u_int32_t remote_window, remote_maxpacket;
3361 int r;
3362
3363 if (channel_proxy_upstream(c, type, seq, ssh))
3364 return 0;
3365 if (c->type != SSH_CHANNEL_OPENING)
3366 ssh_packet_disconnect(ssh, "Received open confirmation for "
3367 "non-opening channel %d.", c->self);
3368 /*
3369 * Record the remote channel number and mark that the channel
3370 * is now open.
3371 */
3372 if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 ||
3373 (r = sshpkt_get_u32(ssh, &remote_window)) != 0 ||
3374 (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 ||
3375 (r = sshpkt_get_end(ssh)) != 0) {
3376 error_fr(r, "window/maxpacket");
3377 ssh_packet_disconnect(ssh, "Invalid open confirmation message");
3378 }
3379
3380 c->have_remote_id = 1;
3381 c->remote_window = remote_window;
3382 c->remote_maxpacket = remote_maxpacket;
3383 c->type = SSH_CHANNEL_OPEN;
3384 if (c->open_confirm) {
3385 debug2_f("channel %d: callback start", c->self);
3386 c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
3387 debug2_f("channel %d: callback done", c->self);
3388 }
3389 debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
3390 c->remote_window, c->remote_maxpacket);
3391 return 0;
3392 }
3393
3394 static char *
reason2txt(int reason)3395 reason2txt(int reason)
3396 {
3397 switch (reason) {
3398 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
3399 return "administratively prohibited";
3400 case SSH2_OPEN_CONNECT_FAILED:
3401 return "connect failed";
3402 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
3403 return "unknown channel type";
3404 case SSH2_OPEN_RESOURCE_SHORTAGE:
3405 return "resource shortage";
3406 }
3407 return "unknown reason";
3408 }
3409
3410 int
channel_input_open_failure(int type,u_int32_t seq,struct ssh * ssh)3411 channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
3412 {
3413 Channel *c = channel_from_packet_id(ssh, __func__, "open failure");
3414 u_int32_t reason;
3415 char *msg = NULL;
3416 int r;
3417
3418 if (channel_proxy_upstream(c, type, seq, ssh))
3419 return 0;
3420 if (c->type != SSH_CHANNEL_OPENING)
3421 ssh_packet_disconnect(ssh, "Received open failure for "
3422 "non-opening channel %d.", c->self);
3423 if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
3424 error_fr(r, "parse reason");
3425 ssh_packet_disconnect(ssh, "Invalid open failure message");
3426 }
3427 /* skip language */
3428 if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
3429 (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0 ||
3430 (r = sshpkt_get_end(ssh)) != 0) {
3431 error_fr(r, "parse msg/lang");
3432 ssh_packet_disconnect(ssh, "Invalid open failure message");
3433 }
3434 logit("channel %d: open failed: %s%s%s", c->self,
3435 reason2txt(reason), msg ? ": ": "", msg ? msg : "");
3436 free(msg);
3437 if (c->open_confirm) {
3438 debug2_f("channel %d: callback start", c->self);
3439 c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx);
3440 debug2_f("channel %d: callback done", c->self);
3441 }
3442 /* Schedule the channel for cleanup/deletion. */
3443 chan_mark_dead(ssh, c);
3444 return 0;
3445 }
3446
3447 int
channel_input_window_adjust(int type,u_int32_t seq,struct ssh * ssh)3448 channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
3449 {
3450 int id = channel_parse_id(ssh, __func__, "window adjust");
3451 Channel *c;
3452 u_int32_t adjust;
3453 u_int new_rwin;
3454 int r;
3455
3456 if ((c = channel_lookup(ssh, id)) == NULL) {
3457 logit("Received window adjust for non-open channel %d.", id);
3458 return 0;
3459 }
3460
3461 if (channel_proxy_upstream(c, type, seq, ssh))
3462 return 0;
3463 if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 ||
3464 (r = sshpkt_get_end(ssh)) != 0) {
3465 error_fr(r, "parse adjust");
3466 ssh_packet_disconnect(ssh, "Invalid window adjust message");
3467 }
3468 debug2("channel %d: rcvd adjust %u", c->self, adjust);
3469 if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
3470 fatal("channel %d: adjust %u overflows remote window %u",
3471 c->self, adjust, c->remote_window);
3472 }
3473 c->remote_window = new_rwin;
3474 return 0;
3475 }
3476
3477 int
channel_input_status_confirm(int type,u_int32_t seq,struct ssh * ssh)3478 channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
3479 {
3480 int id = channel_parse_id(ssh, __func__, "status confirm");
3481 Channel *c;
3482 struct channel_confirm *cc;
3483
3484 /* Reset keepalive timeout */
3485 ssh_packet_set_alive_timeouts(ssh, 0);
3486
3487 debug2_f("type %d id %d", type, id);
3488
3489 if ((c = channel_lookup(ssh, id)) == NULL) {
3490 logit_f("%d: unknown", id);
3491 return 0;
3492 }
3493 if (channel_proxy_upstream(c, type, seq, ssh))
3494 return 0;
3495 if (sshpkt_get_end(ssh) != 0)
3496 ssh_packet_disconnect(ssh, "Invalid status confirm message");
3497 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
3498 return 0;
3499 cc->cb(ssh, type, c, cc->ctx);
3500 TAILQ_REMOVE(&c->status_confirms, cc, entry);
3501 freezero(cc, sizeof(*cc));
3502 return 0;
3503 }
3504
3505 /* -- tcp forwarding */
3506
3507 void
channel_set_af(struct ssh * ssh,int af)3508 channel_set_af(struct ssh *ssh, int af)
3509 {
3510 ssh->chanctxt->IPv4or6 = af;
3511 }
3512
3513
3514 /*
3515 * Determine whether or not a port forward listens to loopback, the
3516 * specified address or wildcard. On the client, a specified bind
3517 * address will always override gateway_ports. On the server, a
3518 * gateway_ports of 1 (``yes'') will override the client's specification
3519 * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
3520 * will bind to whatever address the client asked for.
3521 *
3522 * Special-case listen_addrs are:
3523 *
3524 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
3525 * "" (empty string), "*" -> wildcard v4/v6
3526 * "localhost" -> loopback v4/v6
3527 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set
3528 */
3529 static const char *
channel_fwd_bind_addr(struct ssh * ssh,const char * listen_addr,int * wildcardp,int is_client,struct ForwardOptions * fwd_opts)3530 channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp,
3531 int is_client, struct ForwardOptions *fwd_opts)
3532 {
3533 const char *addr = NULL;
3534 int wildcard = 0;
3535
3536 if (listen_addr == NULL) {
3537 /* No address specified: default to gateway_ports setting */
3538 if (fwd_opts->gateway_ports)
3539 wildcard = 1;
3540 } else if (fwd_opts->gateway_ports || is_client) {
3541 if (((ssh->compat & SSH_OLD_FORWARD_ADDR) &&
3542 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
3543 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
3544 (!is_client && fwd_opts->gateway_ports == 1)) {
3545 wildcard = 1;
3546 /*
3547 * Notify client if they requested a specific listen
3548 * address and it was overridden.
3549 */
3550 if (*listen_addr != '\0' &&
3551 strcmp(listen_addr, "0.0.0.0") != 0 &&
3552 strcmp(listen_addr, "*") != 0) {
3553 ssh_packet_send_debug(ssh,
3554 "Forwarding listen address "
3555 "\"%s\" overridden by server "
3556 "GatewayPorts", listen_addr);
3557 }
3558 } else if (strcmp(listen_addr, "localhost") != 0 ||
3559 strcmp(listen_addr, "127.0.0.1") == 0 ||
3560 strcmp(listen_addr, "::1") == 0) {
3561 /*
3562 * Accept explicit localhost address when
3563 * GatewayPorts=yes. The "localhost" hostname is
3564 * deliberately skipped here so it will listen on all
3565 * available local address families.
3566 */
3567 addr = listen_addr;
3568 }
3569 } else if (strcmp(listen_addr, "127.0.0.1") == 0 ||
3570 strcmp(listen_addr, "::1") == 0) {
3571 /*
3572 * If a specific IPv4/IPv6 localhost address has been
3573 * requested then accept it even if gateway_ports is in
3574 * effect. This allows the client to prefer IPv4 or IPv6.
3575 */
3576 addr = listen_addr;
3577 }
3578 if (wildcardp != NULL)
3579 *wildcardp = wildcard;
3580 return addr;
3581 }
3582
3583 static int
channel_setup_fwd_listener_tcpip(struct ssh * ssh,int type,struct Forward * fwd,int * allocated_listen_port,struct ForwardOptions * fwd_opts)3584 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
3585 struct Forward *fwd, int *allocated_listen_port,
3586 struct ForwardOptions *fwd_opts)
3587 {
3588 Channel *c;
3589 int sock, r, success = 0, wildcard = 0, is_client;
3590 struct addrinfo hints, *ai, *aitop;
3591 const char *host, *addr;
3592 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
3593 in_port_t *lport_p;
3594
3595 is_client = (type == SSH_CHANNEL_PORT_LISTENER);
3596
3597 if (is_client && fwd->connect_path != NULL) {
3598 host = fwd->connect_path;
3599 } else {
3600 host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
3601 fwd->listen_host : fwd->connect_host;
3602 if (host == NULL) {
3603 error("No forward host name.");
3604 return 0;
3605 }
3606 if (strlen(host) >= NI_MAXHOST) {
3607 error("Forward host name too long.");
3608 return 0;
3609 }
3610 }
3611
3612 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
3613 addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard,
3614 is_client, fwd_opts);
3615 debug3_f("type %d wildcard %d addr %s", type, wildcard,
3616 (addr == NULL) ? "NULL" : addr);
3617
3618 /*
3619 * getaddrinfo returns a loopback address if the hostname is
3620 * set to NULL and hints.ai_flags is not AI_PASSIVE
3621 */
3622 memset(&hints, 0, sizeof(hints));
3623 hints.ai_family = ssh->chanctxt->IPv4or6;
3624 hints.ai_flags = wildcard ? AI_PASSIVE : 0;
3625 hints.ai_socktype = SOCK_STREAM;
3626 snprintf(strport, sizeof strport, "%d", fwd->listen_port);
3627 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
3628 if (addr == NULL) {
3629 /* This really shouldn't happen */
3630 ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s",
3631 ssh_gai_strerror(r));
3632 } else {
3633 error_f("getaddrinfo(%.64s): %s", addr,
3634 ssh_gai_strerror(r));
3635 }
3636 return 0;
3637 }
3638 if (allocated_listen_port != NULL)
3639 *allocated_listen_port = 0;
3640 for (ai = aitop; ai; ai = ai->ai_next) {
3641 switch (ai->ai_family) {
3642 case AF_INET:
3643 lport_p = &((struct sockaddr_in *)ai->ai_addr)->
3644 sin_port;
3645 break;
3646 case AF_INET6:
3647 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
3648 sin6_port;
3649 break;
3650 default:
3651 continue;
3652 }
3653 /*
3654 * If allocating a port for -R forwards, then use the
3655 * same port for all address families.
3656 */
3657 if (type == SSH_CHANNEL_RPORT_LISTENER &&
3658 fwd->listen_port == 0 && allocated_listen_port != NULL &&
3659 *allocated_listen_port > 0)
3660 *lport_p = htons(*allocated_listen_port);
3661
3662 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
3663 strport, sizeof(strport),
3664 NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
3665 error_f("getnameinfo failed");
3666 continue;
3667 }
3668 /* Create a port to listen for the host. */
3669 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3670 if (sock == -1) {
3671 /* this is no error since kernel may not support ipv6 */
3672 verbose("socket [%s]:%s: %.100s", ntop, strport,
3673 strerror(errno));
3674 continue;
3675 }
3676
3677 set_reuseaddr(sock);
3678 if (ai->ai_family == AF_INET6)
3679 sock_set_v6only(sock);
3680
3681 debug("Local forwarding listening on %s port %s.",
3682 ntop, strport);
3683
3684 /* Bind the socket to the address. */
3685 if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
3686 /*
3687 * address can be in if use ipv6 address is
3688 * already bound
3689 */
3690 if (!ai->ai_next)
3691 error("bind [%s]:%s: %.100s",
3692 ntop, strport, strerror(errno));
3693 else
3694 verbose("bind [%s]:%s: %.100s",
3695 ntop, strport, strerror(errno));
3696
3697 close(sock);
3698 continue;
3699 }
3700 /* Start listening for connections on the socket. */
3701 if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
3702 error("listen [%s]:%s: %.100s", ntop, strport,
3703 strerror(errno));
3704 close(sock);
3705 continue;
3706 }
3707
3708 /*
3709 * fwd->listen_port == 0 requests a dynamically allocated port -
3710 * record what we got.
3711 */
3712 if (type == SSH_CHANNEL_RPORT_LISTENER &&
3713 fwd->listen_port == 0 &&
3714 allocated_listen_port != NULL &&
3715 *allocated_listen_port == 0) {
3716 *allocated_listen_port = get_local_port(sock);
3717 debug("Allocated listen port %d",
3718 *allocated_listen_port);
3719 }
3720
3721 /* Allocate a channel number for the socket. */
3722 c = channel_new(ssh, "port listener", type, sock, sock, -1,
3723 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3724 0, "port listener", 1);
3725 c->path = xstrdup(host);
3726 c->host_port = fwd->connect_port;
3727 c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
3728 if (fwd->listen_port == 0 && allocated_listen_port != NULL &&
3729 !(ssh->compat & SSH_BUG_DYNAMIC_RPORT))
3730 c->listening_port = *allocated_listen_port;
3731 else
3732 c->listening_port = fwd->listen_port;
3733 success = 1;
3734 }
3735 if (success == 0)
3736 error_f("cannot listen to port: %d", fwd->listen_port);
3737 freeaddrinfo(aitop);
3738 return success;
3739 }
3740
3741 static int
channel_setup_fwd_listener_streamlocal(struct ssh * ssh,int type,struct Forward * fwd,struct ForwardOptions * fwd_opts)3742 channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type,
3743 struct Forward *fwd, struct ForwardOptions *fwd_opts)
3744 {
3745 struct sockaddr_un sunaddr;
3746 const char *path;
3747 Channel *c;
3748 int port, sock;
3749 mode_t omask;
3750
3751 switch (type) {
3752 case SSH_CHANNEL_UNIX_LISTENER:
3753 if (fwd->connect_path != NULL) {
3754 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
3755 error("Local connecting path too long: %s",
3756 fwd->connect_path);
3757 return 0;
3758 }
3759 path = fwd->connect_path;
3760 port = PORT_STREAMLOCAL;
3761 } else {
3762 if (fwd->connect_host == NULL) {
3763 error("No forward host name.");
3764 return 0;
3765 }
3766 if (strlen(fwd->connect_host) >= NI_MAXHOST) {
3767 error("Forward host name too long.");
3768 return 0;
3769 }
3770 path = fwd->connect_host;
3771 port = fwd->connect_port;
3772 }
3773 break;
3774 case SSH_CHANNEL_RUNIX_LISTENER:
3775 path = fwd->listen_path;
3776 port = PORT_STREAMLOCAL;
3777 break;
3778 default:
3779 error_f("unexpected channel type %d", type);
3780 return 0;
3781 }
3782
3783 if (fwd->listen_path == NULL) {
3784 error("No forward path name.");
3785 return 0;
3786 }
3787 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
3788 error("Local listening path too long: %s", fwd->listen_path);
3789 return 0;
3790 }
3791
3792 debug3_f("type %d path %s", type, fwd->listen_path);
3793
3794 /* Start a Unix domain listener. */
3795 omask = umask(fwd_opts->streamlocal_bind_mask);
3796 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
3797 fwd_opts->streamlocal_bind_unlink);
3798 umask(omask);
3799 if (sock < 0)
3800 return 0;
3801
3802 debug("Local forwarding listening on path %s.", fwd->listen_path);
3803
3804 /* Allocate a channel number for the socket. */
3805 c = channel_new(ssh, "unix listener", type, sock, sock, -1,
3806 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3807 0, "unix listener", 1);
3808 c->path = xstrdup(path);
3809 c->host_port = port;
3810 c->listening_port = PORT_STREAMLOCAL;
3811 c->listening_addr = xstrdup(fwd->listen_path);
3812 return 1;
3813 }
3814
3815 static int
channel_cancel_rport_listener_tcpip(struct ssh * ssh,const char * host,u_short port)3816 channel_cancel_rport_listener_tcpip(struct ssh *ssh,
3817 const char *host, u_short port)
3818 {
3819 u_int i;
3820 int found = 0;
3821
3822 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3823 Channel *c = ssh->chanctxt->channels[i];
3824 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
3825 continue;
3826 if (strcmp(c->path, host) == 0 && c->listening_port == port) {
3827 debug2_f("close channel %d", i);
3828 channel_free(ssh, c);
3829 found = 1;
3830 }
3831 }
3832
3833 return found;
3834 }
3835
3836 static int
channel_cancel_rport_listener_streamlocal(struct ssh * ssh,const char * path)3837 channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path)
3838 {
3839 u_int i;
3840 int found = 0;
3841
3842 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3843 Channel *c = ssh->chanctxt->channels[i];
3844 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER)
3845 continue;
3846 if (c->path == NULL)
3847 continue;
3848 if (strcmp(c->path, path) == 0) {
3849 debug2_f("close channel %d", i);
3850 channel_free(ssh, c);
3851 found = 1;
3852 }
3853 }
3854
3855 return found;
3856 }
3857
3858 int
channel_cancel_rport_listener(struct ssh * ssh,struct Forward * fwd)3859 channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd)
3860 {
3861 if (fwd->listen_path != NULL) {
3862 return channel_cancel_rport_listener_streamlocal(ssh,
3863 fwd->listen_path);
3864 } else {
3865 return channel_cancel_rport_listener_tcpip(ssh,
3866 fwd->listen_host, fwd->listen_port);
3867 }
3868 }
3869
3870 static int
channel_cancel_lport_listener_tcpip(struct ssh * ssh,const char * lhost,u_short lport,int cport,struct ForwardOptions * fwd_opts)3871 channel_cancel_lport_listener_tcpip(struct ssh *ssh,
3872 const char *lhost, u_short lport, int cport,
3873 struct ForwardOptions *fwd_opts)
3874 {
3875 u_int i;
3876 int found = 0;
3877 const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL, 1, fwd_opts);
3878
3879 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3880 Channel *c = ssh->chanctxt->channels[i];
3881 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
3882 continue;
3883 if (c->listening_port != lport)
3884 continue;
3885 if (cport == CHANNEL_CANCEL_PORT_STATIC) {
3886 /* skip dynamic forwardings */
3887 if (c->host_port == 0)
3888 continue;
3889 } else {
3890 if (c->host_port != cport)
3891 continue;
3892 }
3893 if ((c->listening_addr == NULL && addr != NULL) ||
3894 (c->listening_addr != NULL && addr == NULL))
3895 continue;
3896 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
3897 debug2_f("close channel %d", i);
3898 channel_free(ssh, c);
3899 found = 1;
3900 }
3901 }
3902
3903 return found;
3904 }
3905
3906 static int
channel_cancel_lport_listener_streamlocal(struct ssh * ssh,const char * path)3907 channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path)
3908 {
3909 u_int i;
3910 int found = 0;
3911
3912 if (path == NULL) {
3913 error_f("no path specified.");
3914 return 0;
3915 }
3916
3917 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3918 Channel *c = ssh->chanctxt->channels[i];
3919 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER)
3920 continue;
3921 if (c->listening_addr == NULL)
3922 continue;
3923 if (strcmp(c->listening_addr, path) == 0) {
3924 debug2_f("close channel %d", i);
3925 channel_free(ssh, c);
3926 found = 1;
3927 }
3928 }
3929
3930 return found;
3931 }
3932
3933 int
channel_cancel_lport_listener(struct ssh * ssh,struct Forward * fwd,int cport,struct ForwardOptions * fwd_opts)3934 channel_cancel_lport_listener(struct ssh *ssh,
3935 struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts)
3936 {
3937 if (fwd->listen_path != NULL) {
3938 return channel_cancel_lport_listener_streamlocal(ssh,
3939 fwd->listen_path);
3940 } else {
3941 return channel_cancel_lport_listener_tcpip(ssh,
3942 fwd->listen_host, fwd->listen_port, cport, fwd_opts);
3943 }
3944 }
3945
3946 /* protocol local port fwd, used by ssh */
3947 int
channel_setup_local_fwd_listener(struct ssh * ssh,struct Forward * fwd,struct ForwardOptions * fwd_opts)3948 channel_setup_local_fwd_listener(struct ssh *ssh,
3949 struct Forward *fwd, struct ForwardOptions *fwd_opts)
3950 {
3951 if (fwd->listen_path != NULL) {
3952 return channel_setup_fwd_listener_streamlocal(ssh,
3953 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts);
3954 } else {
3955 return channel_setup_fwd_listener_tcpip(ssh,
3956 SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts);
3957 }
3958 }
3959
3960 /* Matches a remote forwarding permission against a requested forwarding */
3961 static int
remote_open_match(struct permission * allowed_open,struct Forward * fwd)3962 remote_open_match(struct permission *allowed_open, struct Forward *fwd)
3963 {
3964 int ret;
3965 char *lhost;
3966
3967 /* XXX add ACLs for streamlocal */
3968 if (fwd->listen_path != NULL)
3969 return 1;
3970
3971 if (fwd->listen_host == NULL || allowed_open->listen_host == NULL)
3972 return 0;
3973
3974 if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT &&
3975 allowed_open->listen_port != fwd->listen_port)
3976 return 0;
3977
3978 /* Match hostnames case-insensitively */
3979 lhost = xstrdup(fwd->listen_host);
3980 lowercase(lhost);
3981 ret = match_pattern(lhost, allowed_open->listen_host);
3982 free(lhost);
3983
3984 return ret;
3985 }
3986
3987 /* Checks whether a requested remote forwarding is permitted */
3988 static int
check_rfwd_permission(struct ssh * ssh,struct Forward * fwd)3989 check_rfwd_permission(struct ssh *ssh, struct Forward *fwd)
3990 {
3991 struct ssh_channels *sc = ssh->chanctxt;
3992 struct permission_set *pset = &sc->remote_perms;
3993 u_int i, permit, permit_adm = 1;
3994 struct permission *perm;
3995
3996 /* XXX apply GatewayPorts override before checking? */
3997
3998 permit = pset->all_permitted;
3999 if (!permit) {
4000 for (i = 0; i < pset->num_permitted_user; i++) {
4001 perm = &pset->permitted_user[i];
4002 if (remote_open_match(perm, fwd)) {
4003 permit = 1;
4004 break;
4005 }
4006 }
4007 }
4008
4009 if (pset->num_permitted_admin > 0) {
4010 permit_adm = 0;
4011 for (i = 0; i < pset->num_permitted_admin; i++) {
4012 perm = &pset->permitted_admin[i];
4013 if (remote_open_match(perm, fwd)) {
4014 permit_adm = 1;
4015 break;
4016 }
4017 }
4018 }
4019
4020 return permit && permit_adm;
4021 }
4022
4023 /* protocol v2 remote port fwd, used by sshd */
4024 int
channel_setup_remote_fwd_listener(struct ssh * ssh,struct Forward * fwd,int * allocated_listen_port,struct ForwardOptions * fwd_opts)4025 channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
4026 int *allocated_listen_port, struct ForwardOptions *fwd_opts)
4027 {
4028 if (!check_rfwd_permission(ssh, fwd)) {
4029 ssh_packet_send_debug(ssh, "port forwarding refused");
4030 if (fwd->listen_path != NULL)
4031 /* XXX always allowed, see remote_open_match() */
4032 logit("Received request from %.100s port %d to "
4033 "remote forward to path \"%.100s\", "
4034 "but the request was denied.",
4035 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
4036 fwd->listen_path);
4037 else if(fwd->listen_host != NULL)
4038 logit("Received request from %.100s port %d to "
4039 "remote forward to host %.100s port %d, "
4040 "but the request was denied.",
4041 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
4042 fwd->listen_host, fwd->listen_port );
4043 else
4044 logit("Received request from %.100s port %d to remote "
4045 "forward, but the request was denied.",
4046 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
4047 return 0;
4048 }
4049 if (fwd->listen_path != NULL) {
4050 return channel_setup_fwd_listener_streamlocal(ssh,
4051 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);
4052 } else {
4053 return channel_setup_fwd_listener_tcpip(ssh,
4054 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,
4055 fwd_opts);
4056 }
4057 }
4058
4059 /*
4060 * Translate the requested rfwd listen host to something usable for
4061 * this server.
4062 */
4063 static const char *
channel_rfwd_bind_host(const char * listen_host)4064 channel_rfwd_bind_host(const char *listen_host)
4065 {
4066 if (listen_host == NULL) {
4067 return "localhost";
4068 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
4069 return "";
4070 } else
4071 return listen_host;
4072 }
4073
4074 /*
4075 * Initiate forwarding of connections to port "port" on remote host through
4076 * the secure channel to host:port from local side.
4077 * Returns handle (index) for updating the dynamic listen port with
4078 * channel_update_permission().
4079 */
4080 int
channel_request_remote_forwarding(struct ssh * ssh,struct Forward * fwd)4081 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
4082 {
4083 int r, success = 0, idx = -1;
4084 char *host_to_connect, *listen_host, *listen_path;
4085 int port_to_connect, listen_port;
4086
4087 /* Send the forward request to the remote side. */
4088 if (fwd->listen_path != NULL) {
4089 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4090 (r = sshpkt_put_cstring(ssh,
4091 "streamlocal-forward@openssh.com")) != 0 ||
4092 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
4093 (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 ||
4094 (r = sshpkt_send(ssh)) != 0 ||
4095 (r = ssh_packet_write_wait(ssh)) != 0)
4096 fatal_fr(r, "request streamlocal");
4097 } else {
4098 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4099 (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 ||
4100 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
4101 (r = sshpkt_put_cstring(ssh,
4102 channel_rfwd_bind_host(fwd->listen_host))) != 0 ||
4103 (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 ||
4104 (r = sshpkt_send(ssh)) != 0 ||
4105 (r = ssh_packet_write_wait(ssh)) != 0)
4106 fatal_fr(r, "request tcpip-forward");
4107 }
4108 /* Assume that server accepts the request */
4109 success = 1;
4110 if (success) {
4111 /* Record that connection to this host/port is permitted. */
4112 host_to_connect = listen_host = listen_path = NULL;
4113 port_to_connect = listen_port = 0;
4114 if (fwd->connect_path != NULL) {
4115 host_to_connect = xstrdup(fwd->connect_path);
4116 port_to_connect = PORT_STREAMLOCAL;
4117 } else {
4118 host_to_connect = xstrdup(fwd->connect_host);
4119 port_to_connect = fwd->connect_port;
4120 }
4121 if (fwd->listen_path != NULL) {
4122 listen_path = xstrdup(fwd->listen_path);
4123 listen_port = PORT_STREAMLOCAL;
4124 } else {
4125 if (fwd->listen_host != NULL)
4126 listen_host = xstrdup(fwd->listen_host);
4127 listen_port = fwd->listen_port;
4128 }
4129 idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL,
4130 host_to_connect, port_to_connect,
4131 listen_host, listen_path, listen_port, NULL);
4132 }
4133 return idx;
4134 }
4135
4136 static int
open_match(struct permission * allowed_open,const char * requestedhost,int requestedport)4137 open_match(struct permission *allowed_open, const char *requestedhost,
4138 int requestedport)
4139 {
4140 if (allowed_open->host_to_connect == NULL)
4141 return 0;
4142 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
4143 allowed_open->port_to_connect != requestedport)
4144 return 0;
4145 if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
4146 strcmp(allowed_open->host_to_connect, requestedhost) != 0)
4147 return 0;
4148 return 1;
4149 }
4150
4151 /*
4152 * Note that in the listen host/port case
4153 * we don't support FWD_PERMIT_ANY_PORT and
4154 * need to translate between the configured-host (listen_host)
4155 * and what we've sent to the remote server (channel_rfwd_bind_host)
4156 */
4157 static int
open_listen_match_tcpip(struct permission * allowed_open,const char * requestedhost,u_short requestedport,int translate)4158 open_listen_match_tcpip(struct permission *allowed_open,
4159 const char *requestedhost, u_short requestedport, int translate)
4160 {
4161 const char *allowed_host;
4162
4163 if (allowed_open->host_to_connect == NULL)
4164 return 0;
4165 if (allowed_open->listen_port != requestedport)
4166 return 0;
4167 if (!translate && allowed_open->listen_host == NULL &&
4168 requestedhost == NULL)
4169 return 1;
4170 allowed_host = translate ?
4171 channel_rfwd_bind_host(allowed_open->listen_host) :
4172 allowed_open->listen_host;
4173 if (allowed_host == NULL || requestedhost == NULL ||
4174 strcmp(allowed_host, requestedhost) != 0)
4175 return 0;
4176 return 1;
4177 }
4178
4179 static int
open_listen_match_streamlocal(struct permission * allowed_open,const char * requestedpath)4180 open_listen_match_streamlocal(struct permission *allowed_open,
4181 const char *requestedpath)
4182 {
4183 if (allowed_open->host_to_connect == NULL)
4184 return 0;
4185 if (allowed_open->listen_port != PORT_STREAMLOCAL)
4186 return 0;
4187 if (allowed_open->listen_path == NULL ||
4188 strcmp(allowed_open->listen_path, requestedpath) != 0)
4189 return 0;
4190 return 1;
4191 }
4192
4193 /*
4194 * Request cancellation of remote forwarding of connection host:port from
4195 * local side.
4196 */
4197 static int
channel_request_rforward_cancel_tcpip(struct ssh * ssh,const char * host,u_short port)4198 channel_request_rforward_cancel_tcpip(struct ssh *ssh,
4199 const char *host, u_short port)
4200 {
4201 struct ssh_channels *sc = ssh->chanctxt;
4202 struct permission_set *pset = &sc->local_perms;
4203 int r;
4204 u_int i;
4205 struct permission *perm = NULL;
4206
4207 for (i = 0; i < pset->num_permitted_user; i++) {
4208 perm = &pset->permitted_user[i];
4209 if (open_listen_match_tcpip(perm, host, port, 0))
4210 break;
4211 perm = NULL;
4212 }
4213 if (perm == NULL) {
4214 debug_f("requested forward not found");
4215 return -1;
4216 }
4217 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4218 (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 ||
4219 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
4220 (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 ||
4221 (r = sshpkt_put_u32(ssh, port)) != 0 ||
4222 (r = sshpkt_send(ssh)) != 0)
4223 fatal_fr(r, "send cancel");
4224
4225 fwd_perm_clear(perm); /* unregister */
4226
4227 return 0;
4228 }
4229
4230 /*
4231 * Request cancellation of remote forwarding of Unix domain socket
4232 * path from local side.
4233 */
4234 static int
channel_request_rforward_cancel_streamlocal(struct ssh * ssh,const char * path)4235 channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path)
4236 {
4237 struct ssh_channels *sc = ssh->chanctxt;
4238 struct permission_set *pset = &sc->local_perms;
4239 int r;
4240 u_int i;
4241 struct permission *perm = NULL;
4242
4243 for (i = 0; i < pset->num_permitted_user; i++) {
4244 perm = &pset->permitted_user[i];
4245 if (open_listen_match_streamlocal(perm, path))
4246 break;
4247 perm = NULL;
4248 }
4249 if (perm == NULL) {
4250 debug_f("requested forward not found");
4251 return -1;
4252 }
4253 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4254 (r = sshpkt_put_cstring(ssh,
4255 "cancel-streamlocal-forward@openssh.com")) != 0 ||
4256 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
4257 (r = sshpkt_put_cstring(ssh, path)) != 0 ||
4258 (r = sshpkt_send(ssh)) != 0)
4259 fatal_fr(r, "send cancel");
4260
4261 fwd_perm_clear(perm); /* unregister */
4262
4263 return 0;
4264 }
4265
4266 /*
4267 * Request cancellation of remote forwarding of a connection from local side.
4268 */
4269 int
channel_request_rforward_cancel(struct ssh * ssh,struct Forward * fwd)4270 channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd)
4271 {
4272 if (fwd->listen_path != NULL) {
4273 return channel_request_rforward_cancel_streamlocal(ssh,
4274 fwd->listen_path);
4275 } else {
4276 return channel_request_rforward_cancel_tcpip(ssh,
4277 fwd->listen_host,
4278 fwd->listen_port ? fwd->listen_port : fwd->allocated_port);
4279 }
4280 }
4281
4282 /*
4283 * Permits opening to any host/port if permitted_user[] is empty. This is
4284 * usually called by the server, because the user could connect to any port
4285 * anyway, and the server has no way to know but to trust the client anyway.
4286 */
4287 void
channel_permit_all(struct ssh * ssh,int where)4288 channel_permit_all(struct ssh *ssh, int where)
4289 {
4290 struct permission_set *pset = permission_set_get(ssh, where);
4291
4292 if (pset->num_permitted_user == 0)
4293 pset->all_permitted = 1;
4294 }
4295
4296 /*
4297 * Permit the specified host/port for forwarding.
4298 */
4299 void
channel_add_permission(struct ssh * ssh,int who,int where,char * host,int port)4300 channel_add_permission(struct ssh *ssh, int who, int where,
4301 char *host, int port)
4302 {
4303 int local = where == FORWARD_LOCAL;
4304 struct permission_set *pset = permission_set_get(ssh, where);
4305
4306 debug("allow %s forwarding to host %s port %d",
4307 fwd_ident(who, where), host, port);
4308 /*
4309 * Remote forwards set listen_host/port, local forwards set
4310 * host/port_to_connect.
4311 */
4312 permission_set_add(ssh, who, where,
4313 local ? host : 0, local ? port : 0,
4314 local ? NULL : host, NULL, local ? 0 : port, NULL);
4315 pset->all_permitted = 0;
4316 }
4317
4318 /*
4319 * Administratively disable forwarding.
4320 */
4321 void
channel_disable_admin(struct ssh * ssh,int where)4322 channel_disable_admin(struct ssh *ssh, int where)
4323 {
4324 channel_clear_permission(ssh, FORWARD_ADM, where);
4325 permission_set_add(ssh, FORWARD_ADM, where,
4326 NULL, 0, NULL, NULL, 0, NULL);
4327 }
4328
4329 /*
4330 * Clear a list of permitted opens.
4331 */
4332 void
channel_clear_permission(struct ssh * ssh,int who,int where)4333 channel_clear_permission(struct ssh *ssh, int who, int where)
4334 {
4335 struct permission **permp;
4336 u_int *npermp;
4337
4338 permission_set_get_array(ssh, who, where, &permp, &npermp);
4339 *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp));
4340 *npermp = 0;
4341 }
4342
4343 /*
4344 * Update the listen port for a dynamic remote forward, after
4345 * the actual 'newport' has been allocated. If 'newport' < 0 is
4346 * passed then they entry will be invalidated.
4347 */
4348 void
channel_update_permission(struct ssh * ssh,int idx,int newport)4349 channel_update_permission(struct ssh *ssh, int idx, int newport)
4350 {
4351 struct permission_set *pset = &ssh->chanctxt->local_perms;
4352
4353 if (idx < 0 || (u_int)idx >= pset->num_permitted_user) {
4354 debug_f("index out of range: %d num_permitted_user %d",
4355 idx, pset->num_permitted_user);
4356 return;
4357 }
4358 debug("%s allowed port %d for forwarding to host %s port %d",
4359 newport > 0 ? "Updating" : "Removing",
4360 newport,
4361 pset->permitted_user[idx].host_to_connect,
4362 pset->permitted_user[idx].port_to_connect);
4363 if (newport <= 0)
4364 fwd_perm_clear(&pset->permitted_user[idx]);
4365 else {
4366 pset->permitted_user[idx].listen_port =
4367 (ssh->compat & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
4368 }
4369 }
4370
4371 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
4372 int
permitopen_port(const char * p)4373 permitopen_port(const char *p)
4374 {
4375 int port;
4376
4377 if (strcmp(p, "*") == 0)
4378 return FWD_PERMIT_ANY_PORT;
4379 if ((port = a2port(p)) > 0)
4380 return port;
4381 return -1;
4382 }
4383
4384 /* Try to start non-blocking connect to next host in cctx list */
4385 static int
connect_next(struct channel_connect * cctx)4386 connect_next(struct channel_connect *cctx)
4387 {
4388 int sock, saved_errno;
4389 struct sockaddr_un *sunaddr;
4390 char ntop[NI_MAXHOST];
4391 char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))];
4392
4393 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
4394 switch (cctx->ai->ai_family) {
4395 case AF_UNIX:
4396 /* unix:pathname instead of host:port */
4397 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
4398 strlcpy(ntop, "unix", sizeof(ntop));
4399 strlcpy(strport, sunaddr->sun_path, sizeof(strport));
4400 break;
4401 case AF_INET:
4402 case AF_INET6:
4403 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
4404 ntop, sizeof(ntop), strport, sizeof(strport),
4405 NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
4406 error_f("getnameinfo failed");
4407 continue;
4408 }
4409 break;
4410 default:
4411 continue;
4412 }
4413 debug_f("start for host %.100s ([%.100s]:%s)",
4414 cctx->host, ntop, strport);
4415 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
4416 cctx->ai->ai_protocol)) == -1) {
4417 if (cctx->ai->ai_next == NULL)
4418 error("socket: %.100s", strerror(errno));
4419 else
4420 verbose("socket: %.100s", strerror(errno));
4421 continue;
4422 }
4423 if (set_nonblock(sock) == -1)
4424 fatal_f("set_nonblock(%d)", sock);
4425 if (connect(sock, cctx->ai->ai_addr,
4426 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
4427 debug_f("host %.100s ([%.100s]:%s): %.100s",
4428 cctx->host, ntop, strport, strerror(errno));
4429 saved_errno = errno;
4430 close(sock);
4431 errno = saved_errno;
4432 continue; /* fail -- try next */
4433 }
4434 if (cctx->ai->ai_family != AF_UNIX)
4435 set_nodelay(sock);
4436 debug_f("connect host %.100s ([%.100s]:%s) in progress, fd=%d",
4437 cctx->host, ntop, strport, sock);
4438 cctx->ai = cctx->ai->ai_next;
4439 return sock;
4440 }
4441 return -1;
4442 }
4443
4444 static void
channel_connect_ctx_free(struct channel_connect * cctx)4445 channel_connect_ctx_free(struct channel_connect *cctx)
4446 {
4447 free(cctx->host);
4448 if (cctx->aitop) {
4449 if (cctx->aitop->ai_family == AF_UNIX)
4450 free(cctx->aitop);
4451 else
4452 freeaddrinfo(cctx->aitop);
4453 }
4454 memset(cctx, 0, sizeof(*cctx));
4455 }
4456
4457 /*
4458 * Return connecting socket to remote host:port or local socket path,
4459 * passing back the failure reason if appropriate.
4460 */
4461 static int
connect_to_helper(struct ssh * ssh,const char * name,int port,int socktype,char * ctype,char * rname,struct channel_connect * cctx,int * reason,const char ** errmsg)4462 connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
4463 char *ctype, char *rname, struct channel_connect *cctx,
4464 int *reason, const char **errmsg)
4465 {
4466 struct addrinfo hints;
4467 int gaierr;
4468 int sock = -1;
4469 char strport[NI_MAXSERV];
4470
4471 if (port == PORT_STREAMLOCAL) {
4472 struct sockaddr_un *sunaddr;
4473 struct addrinfo *ai;
4474
4475 if (strlen(name) > sizeof(sunaddr->sun_path)) {
4476 error("%.100s: %.100s", name, strerror(ENAMETOOLONG));
4477 return -1;
4478 }
4479
4480 /*
4481 * Fake up a struct addrinfo for AF_UNIX connections.
4482 * channel_connect_ctx_free() must check ai_family
4483 * and use free() not freeaddirinfo() for AF_UNIX.
4484 */
4485 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr));
4486 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr));
4487 ai->ai_addr = (struct sockaddr *)(ai + 1);
4488 ai->ai_addrlen = sizeof(*sunaddr);
4489 ai->ai_family = AF_UNIX;
4490 ai->ai_socktype = socktype;
4491 ai->ai_protocol = PF_UNSPEC;
4492 sunaddr = (struct sockaddr_un *)ai->ai_addr;
4493 sunaddr->sun_family = AF_UNIX;
4494 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
4495 cctx->aitop = ai;
4496 } else {
4497 memset(&hints, 0, sizeof(hints));
4498 hints.ai_family = ssh->chanctxt->IPv4or6;
4499 hints.ai_socktype = socktype;
4500 snprintf(strport, sizeof strport, "%d", port);
4501 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop))
4502 != 0) {
4503 if (errmsg != NULL)
4504 *errmsg = ssh_gai_strerror(gaierr);
4505 if (reason != NULL)
4506 *reason = SSH2_OPEN_CONNECT_FAILED;
4507 error("connect_to %.100s: unknown host (%s)", name,
4508 ssh_gai_strerror(gaierr));
4509 return -1;
4510 }
4511 }
4512
4513 cctx->host = xstrdup(name);
4514 cctx->port = port;
4515 cctx->ai = cctx->aitop;
4516
4517 if ((sock = connect_next(cctx)) == -1) {
4518 error("connect to %.100s port %d failed: %s",
4519 name, port, strerror(errno));
4520 return -1;
4521 }
4522
4523 return sock;
4524 }
4525
4526 /* Return CONNECTING channel to remote host:port or local socket path */
4527 static Channel *
connect_to(struct ssh * ssh,const char * host,int port,char * ctype,char * rname)4528 connect_to(struct ssh *ssh, const char *host, int port,
4529 char *ctype, char *rname)
4530 {
4531 struct channel_connect cctx;
4532 Channel *c;
4533 int sock;
4534
4535 memset(&cctx, 0, sizeof(cctx));
4536 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4537 &cctx, NULL, NULL);
4538 if (sock == -1) {
4539 channel_connect_ctx_free(&cctx);
4540 return NULL;
4541 }
4542 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4543 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4544 c->host_port = port;
4545 c->path = xstrdup(host);
4546 c->connect_ctx = cctx;
4547
4548 return c;
4549 }
4550
4551 /*
4552 * returns either the newly connected channel or the downstream channel
4553 * that needs to deal with this connection.
4554 */
4555 Channel *
channel_connect_by_listen_address(struct ssh * ssh,const char * listen_host,u_short listen_port,char * ctype,char * rname)4556 channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host,
4557 u_short listen_port, char *ctype, char *rname)
4558 {
4559 struct ssh_channels *sc = ssh->chanctxt;
4560 struct permission_set *pset = &sc->local_perms;
4561 u_int i;
4562 struct permission *perm;
4563
4564 for (i = 0; i < pset->num_permitted_user; i++) {
4565 perm = &pset->permitted_user[i];
4566 if (open_listen_match_tcpip(perm,
4567 listen_host, listen_port, 1)) {
4568 if (perm->downstream)
4569 return perm->downstream;
4570 if (perm->port_to_connect == 0)
4571 return rdynamic_connect_prepare(ssh,
4572 ctype, rname);
4573 return connect_to(ssh,
4574 perm->host_to_connect, perm->port_to_connect,
4575 ctype, rname);
4576 }
4577 }
4578 error("WARNING: Server requests forwarding for unknown listen_port %d",
4579 listen_port);
4580 return NULL;
4581 }
4582
4583 Channel *
channel_connect_by_listen_path(struct ssh * ssh,const char * path,char * ctype,char * rname)4584 channel_connect_by_listen_path(struct ssh *ssh, const char *path,
4585 char *ctype, char *rname)
4586 {
4587 struct ssh_channels *sc = ssh->chanctxt;
4588 struct permission_set *pset = &sc->local_perms;
4589 u_int i;
4590 struct permission *perm;
4591
4592 for (i = 0; i < pset->num_permitted_user; i++) {
4593 perm = &pset->permitted_user[i];
4594 if (open_listen_match_streamlocal(perm, path)) {
4595 return connect_to(ssh,
4596 perm->host_to_connect, perm->port_to_connect,
4597 ctype, rname);
4598 }
4599 }
4600 error("WARNING: Server requests forwarding for unknown path %.100s",
4601 path);
4602 return NULL;
4603 }
4604
4605 /* Check if connecting to that port is permitted and connect. */
4606 Channel *
channel_connect_to_port(struct ssh * ssh,const char * host,u_short port,char * ctype,char * rname,int * reason,const char ** errmsg)4607 channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
4608 char *ctype, char *rname, int *reason, const char **errmsg)
4609 {
4610 struct ssh_channels *sc = ssh->chanctxt;
4611 struct permission_set *pset = &sc->local_perms;
4612 struct channel_connect cctx;
4613 Channel *c;
4614 u_int i, permit, permit_adm = 1;
4615 int sock;
4616 struct permission *perm;
4617
4618 permit = pset->all_permitted;
4619 if (!permit) {
4620 for (i = 0; i < pset->num_permitted_user; i++) {
4621 perm = &pset->permitted_user[i];
4622 if (open_match(perm, host, port)) {
4623 permit = 1;
4624 break;
4625 }
4626 }
4627 }
4628
4629 if (pset->num_permitted_admin > 0) {
4630 permit_adm = 0;
4631 for (i = 0; i < pset->num_permitted_admin; i++) {
4632 perm = &pset->permitted_admin[i];
4633 if (open_match(perm, host, port)) {
4634 permit_adm = 1;
4635 break;
4636 }
4637 }
4638 }
4639
4640 if (!permit || !permit_adm) {
4641 logit("Received request from %.100s port %d to connect to "
4642 "host %.100s port %d, but the request was denied.",
4643 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port);
4644 if (reason != NULL)
4645 *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
4646 return NULL;
4647 }
4648
4649 memset(&cctx, 0, sizeof(cctx));
4650 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4651 &cctx, reason, errmsg);
4652 if (sock == -1) {
4653 channel_connect_ctx_free(&cctx);
4654 return NULL;
4655 }
4656
4657 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4658 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4659 c->host_port = port;
4660 c->path = xstrdup(host);
4661 c->connect_ctx = cctx;
4662
4663 return c;
4664 }
4665
4666 /* Check if connecting to that path is permitted and connect. */
4667 Channel *
channel_connect_to_path(struct ssh * ssh,const char * path,char * ctype,char * rname)4668 channel_connect_to_path(struct ssh *ssh, const char *path,
4669 char *ctype, char *rname)
4670 {
4671 struct ssh_channels *sc = ssh->chanctxt;
4672 struct permission_set *pset = &sc->local_perms;
4673 u_int i, permit, permit_adm = 1;
4674 struct permission *perm;
4675
4676 permit = pset->all_permitted;
4677 if (!permit) {
4678 for (i = 0; i < pset->num_permitted_user; i++) {
4679 perm = &pset->permitted_user[i];
4680 if (open_match(perm, path, PORT_STREAMLOCAL)) {
4681 permit = 1;
4682 break;
4683 }
4684 }
4685 }
4686
4687 if (pset->num_permitted_admin > 0) {
4688 permit_adm = 0;
4689 for (i = 0; i < pset->num_permitted_admin; i++) {
4690 perm = &pset->permitted_admin[i];
4691 if (open_match(perm, path, PORT_STREAMLOCAL)) {
4692 permit_adm = 1;
4693 break;
4694 }
4695 }
4696 }
4697
4698 if (!permit || !permit_adm) {
4699 logit("Received request to connect to path %.100s, "
4700 "but the request was denied.", path);
4701 return NULL;
4702 }
4703 return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname);
4704 }
4705
4706 void
channel_send_window_changes(struct ssh * ssh)4707 channel_send_window_changes(struct ssh *ssh)
4708 {
4709 struct ssh_channels *sc = ssh->chanctxt;
4710 struct winsize ws;
4711 int r;
4712 u_int i;
4713
4714 for (i = 0; i < sc->channels_alloc; i++) {
4715 if (sc->channels[i] == NULL || !sc->channels[i]->client_tty ||
4716 sc->channels[i]->type != SSH_CHANNEL_OPEN)
4717 continue;
4718 if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) == -1)
4719 continue;
4720 channel_request_start(ssh, i, "window-change", 0);
4721 if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 ||
4722 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
4723 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
4724 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 ||
4725 (r = sshpkt_send(ssh)) != 0)
4726 fatal_fr(r, "channel %u; send window-change", i);
4727 }
4728 }
4729
4730 /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */
4731 static Channel *
rdynamic_connect_prepare(struct ssh * ssh,char * ctype,char * rname)4732 rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname)
4733 {
4734 Channel *c;
4735 int r;
4736
4737 c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1,
4738 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4739 c->host_port = 0;
4740 c->path = NULL;
4741
4742 /*
4743 * We need to open the channel before we have a FD,
4744 * so that we can get SOCKS header from peer.
4745 */
4746 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
4747 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
4748 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
4749 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
4750 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0)
4751 fatal_fr(r, "channel %i; confirm", c->self);
4752 return c;
4753 }
4754
4755 /* Return CONNECTING socket to remote host:port or local socket path */
4756 static int
rdynamic_connect_finish(struct ssh * ssh,Channel * c)4757 rdynamic_connect_finish(struct ssh *ssh, Channel *c)
4758 {
4759 struct ssh_channels *sc = ssh->chanctxt;
4760 struct permission_set *pset = &sc->local_perms;
4761 struct permission *perm;
4762 struct channel_connect cctx;
4763 u_int i, permit_adm = 1;
4764 int sock;
4765
4766 if (pset->num_permitted_admin > 0) {
4767 permit_adm = 0;
4768 for (i = 0; i < pset->num_permitted_admin; i++) {
4769 perm = &pset->permitted_admin[i];
4770 if (open_match(perm, c->path, c->host_port)) {
4771 permit_adm = 1;
4772 break;
4773 }
4774 }
4775 }
4776 if (!permit_adm) {
4777 debug_f("requested forward not permitted");
4778 return -1;
4779 }
4780
4781 memset(&cctx, 0, sizeof(cctx));
4782 sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL,
4783 NULL, &cctx, NULL, NULL);
4784 if (sock == -1)
4785 channel_connect_ctx_free(&cctx);
4786 else {
4787 /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */
4788 c->type = SSH_CHANNEL_RDYNAMIC_FINISH;
4789 c->connect_ctx = cctx;
4790 channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0);
4791 }
4792 return sock;
4793 }
4794
4795 /* -- X11 forwarding */
4796
4797 /*
4798 * Creates an internet domain socket for listening for X11 connections.
4799 * Returns 0 and a suitable display number for the DISPLAY variable
4800 * stored in display_numberp , or -1 if an error occurs.
4801 */
4802 int
x11_create_display_inet(struct ssh * ssh,int x11_display_offset,int x11_use_localhost,int single_connection,u_int * display_numberp,int ** chanids)4803 x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
4804 int x11_use_localhost, int single_connection,
4805 u_int *display_numberp, int **chanids)
4806 {
4807 Channel *nc = NULL;
4808 int display_number, sock;
4809 u_short port;
4810 struct addrinfo hints, *ai, *aitop;
4811 char strport[NI_MAXSERV];
4812 int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
4813
4814 if (chanids == NULL)
4815 return -1;
4816
4817 for (display_number = x11_display_offset;
4818 display_number < MAX_DISPLAYS;
4819 display_number++) {
4820 port = 6000 + display_number;
4821 memset(&hints, 0, sizeof(hints));
4822 hints.ai_family = ssh->chanctxt->IPv4or6;
4823 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
4824 hints.ai_socktype = SOCK_STREAM;
4825 snprintf(strport, sizeof strport, "%d", port);
4826 if ((gaierr = getaddrinfo(NULL, strport,
4827 &hints, &aitop)) != 0) {
4828 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
4829 return -1;
4830 }
4831 for (ai = aitop; ai; ai = ai->ai_next) {
4832 if (ai->ai_family != AF_INET &&
4833 ai->ai_family != AF_INET6)
4834 continue;
4835 sock = socket(ai->ai_family, ai->ai_socktype,
4836 ai->ai_protocol);
4837 if (sock == -1) {
4838 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
4839 #ifdef EPFNOSUPPORT
4840 && (errno != EPFNOSUPPORT)
4841 #endif
4842 ) {
4843 error("socket: %.100s", strerror(errno));
4844 freeaddrinfo(aitop);
4845 return -1;
4846 } else {
4847 debug("x11_create_display_inet: Socket family %d not supported",
4848 ai->ai_family);
4849 continue;
4850 }
4851 }
4852 if (ai->ai_family == AF_INET6)
4853 sock_set_v6only(sock);
4854 if (x11_use_localhost)
4855 set_reuseaddr(sock);
4856 if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
4857 debug2_f("bind port %d: %.100s", port,
4858 strerror(errno));
4859 close(sock);
4860 for (n = 0; n < num_socks; n++)
4861 close(socks[n]);
4862 num_socks = 0;
4863 break;
4864 }
4865 socks[num_socks++] = sock;
4866 if (num_socks == NUM_SOCKS)
4867 break;
4868 }
4869 freeaddrinfo(aitop);
4870 if (num_socks > 0)
4871 break;
4872 }
4873 if (display_number >= MAX_DISPLAYS) {
4874 error("Failed to allocate internet-domain X11 display socket.");
4875 return -1;
4876 }
4877 /* Start listening for connections on the socket. */
4878 for (n = 0; n < num_socks; n++) {
4879 sock = socks[n];
4880 if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
4881 error("listen: %.100s", strerror(errno));
4882 close(sock);
4883 return -1;
4884 }
4885 }
4886
4887 /* Allocate a channel for each socket. */
4888 *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
4889 for (n = 0; n < num_socks; n++) {
4890 sock = socks[n];
4891 nc = channel_new(ssh, "x11 listener",
4892 SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
4893 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
4894 0, "X11 inet listener", 1);
4895 nc->single_connection = single_connection;
4896 (*chanids)[n] = nc->self;
4897 }
4898 (*chanids)[n] = -1;
4899
4900 /* Return the display number for the DISPLAY environment variable. */
4901 *display_numberp = display_number;
4902 return 0;
4903 }
4904
4905 static int
connect_local_xsocket_path(const char * pathname)4906 connect_local_xsocket_path(const char *pathname)
4907 {
4908 int sock;
4909 struct sockaddr_un addr;
4910
4911 sock = socket(AF_UNIX, SOCK_STREAM, 0);
4912 if (sock == -1)
4913 error("socket: %.100s", strerror(errno));
4914 memset(&addr, 0, sizeof(addr));
4915 addr.sun_family = AF_UNIX;
4916 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
4917 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
4918 return sock;
4919 close(sock);
4920 error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
4921 return -1;
4922 }
4923
4924 static int
connect_local_xsocket(u_int dnr)4925 connect_local_xsocket(u_int dnr)
4926 {
4927 char buf[1024];
4928 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
4929 return connect_local_xsocket_path(buf);
4930 }
4931
4932 #ifdef __APPLE__
4933 static int
is_path_to_xsocket(const char * display,char * path,size_t pathlen)4934 is_path_to_xsocket(const char *display, char *path, size_t pathlen)
4935 {
4936 struct stat sbuf;
4937
4938 if (strlcpy(path, display, pathlen) >= pathlen) {
4939 error("%s: display path too long", __func__);
4940 return 0;
4941 }
4942 if (display[0] != '/')
4943 return 0;
4944 if (stat(path, &sbuf) == 0) {
4945 return 1;
4946 } else {
4947 char *dot = strrchr(path, '.');
4948 if (dot != NULL) {
4949 *dot = '\0';
4950 if (stat(path, &sbuf) == 0) {
4951 return 1;
4952 }
4953 }
4954 }
4955 return 0;
4956 }
4957 #endif
4958
4959 int
x11_connect_display(struct ssh * ssh)4960 x11_connect_display(struct ssh *ssh)
4961 {
4962 u_int display_number;
4963 const char *display;
4964 char buf[1024], *cp;
4965 struct addrinfo hints, *ai, *aitop;
4966 char strport[NI_MAXSERV];
4967 int gaierr, sock = 0;
4968
4969 /* Try to open a socket for the local X server. */
4970 display = getenv("DISPLAY");
4971 if (!display) {
4972 error("DISPLAY not set.");
4973 return -1;
4974 }
4975 /*
4976 * Now we decode the value of the DISPLAY variable and make a
4977 * connection to the real X server.
4978 */
4979
4980 #ifdef __APPLE__
4981 /* Check if display is a path to a socket (as set by launchd). */
4982 {
4983 char path[PATH_MAX];
4984
4985 if (is_path_to_xsocket(display, path, sizeof(path))) {
4986 debug("x11_connect_display: $DISPLAY is launchd");
4987
4988 /* Create a socket. */
4989 sock = connect_local_xsocket_path(path);
4990 if (sock < 0)
4991 return -1;
4992
4993 /* OK, we now have a connection to the display. */
4994 return sock;
4995 }
4996 }
4997 #endif
4998 /*
4999 * Check if it is a unix domain socket. Unix domain displays are in
5000 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
5001 */
5002 if (strncmp(display, "unix:", 5) == 0 ||
5003 display[0] == ':') {
5004 /* Connect to the unix domain socket. */
5005 if (sscanf(strrchr(display, ':') + 1, "%u",
5006 &display_number) != 1) {
5007 error("Could not parse display number from DISPLAY: "
5008 "%.100s", display);
5009 return -1;
5010 }
5011 /* Create a socket. */
5012 sock = connect_local_xsocket(display_number);
5013 if (sock < 0)
5014 return -1;
5015
5016 /* OK, we now have a connection to the display. */
5017 return sock;
5018 }
5019 /*
5020 * Connect to an inet socket. The DISPLAY value is supposedly
5021 * hostname:d[.s], where hostname may also be numeric IP address.
5022 */
5023 strlcpy(buf, display, sizeof(buf));
5024 cp = strchr(buf, ':');
5025 if (!cp) {
5026 error("Could not find ':' in DISPLAY: %.100s", display);
5027 return -1;
5028 }
5029 *cp = 0;
5030 /*
5031 * buf now contains the host name. But first we parse the
5032 * display number.
5033 */
5034 if (sscanf(cp + 1, "%u", &display_number) != 1) {
5035 error("Could not parse display number from DISPLAY: %.100s",
5036 display);
5037 return -1;
5038 }
5039
5040 /* Look up the host address */
5041 memset(&hints, 0, sizeof(hints));
5042 hints.ai_family = ssh->chanctxt->IPv4or6;
5043 hints.ai_socktype = SOCK_STREAM;
5044 snprintf(strport, sizeof strport, "%u", 6000 + display_number);
5045 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
5046 error("%.100s: unknown host. (%s)", buf,
5047 ssh_gai_strerror(gaierr));
5048 return -1;
5049 }
5050 for (ai = aitop; ai; ai = ai->ai_next) {
5051 /* Create a socket. */
5052 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
5053 if (sock == -1) {
5054 debug2("socket: %.100s", strerror(errno));
5055 continue;
5056 }
5057 /* Connect it to the display. */
5058 if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
5059 debug2("connect %.100s port %u: %.100s", buf,
5060 6000 + display_number, strerror(errno));
5061 close(sock);
5062 continue;
5063 }
5064 /* Success */
5065 break;
5066 }
5067 freeaddrinfo(aitop);
5068 if (!ai) {
5069 error("connect %.100s port %u: %.100s", buf,
5070 6000 + display_number, strerror(errno));
5071 return -1;
5072 }
5073 set_nodelay(sock);
5074 return sock;
5075 }
5076
5077 /*
5078 * Requests forwarding of X11 connections, generates fake authentication
5079 * data, and enables authentication spoofing.
5080 * This should be called in the client only.
5081 */
5082 void
x11_request_forwarding_with_spoofing(struct ssh * ssh,int client_session_id,const char * disp,const char * proto,const char * data,int want_reply)5083 x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
5084 const char *disp, const char *proto, const char *data, int want_reply)
5085 {
5086 struct ssh_channels *sc = ssh->chanctxt;
5087 u_int data_len = (u_int) strlen(data) / 2;
5088 u_int i, value;
5089 const char *cp;
5090 char *new_data;
5091 int r, screen_number;
5092
5093 if (sc->x11_saved_display == NULL)
5094 sc->x11_saved_display = xstrdup(disp);
5095 else if (strcmp(disp, sc->x11_saved_display) != 0) {
5096 error("x11_request_forwarding_with_spoofing: different "
5097 "$DISPLAY already forwarded");
5098 return;
5099 }
5100
5101 cp = strchr(disp, ':');
5102 if (cp)
5103 cp = strchr(cp, '.');
5104 if (cp)
5105 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
5106 else
5107 screen_number = 0;
5108
5109 if (sc->x11_saved_proto == NULL) {
5110 /* Save protocol name. */
5111 sc->x11_saved_proto = xstrdup(proto);
5112
5113 /* Extract real authentication data. */
5114 sc->x11_saved_data = xmalloc(data_len);
5115 for (i = 0; i < data_len; i++) {
5116 if (sscanf(data + 2 * i, "%2x", &value) != 1) {
5117 fatal("x11_request_forwarding: bad "
5118 "authentication data: %.100s", data);
5119 }
5120 sc->x11_saved_data[i] = value;
5121 }
5122 sc->x11_saved_data_len = data_len;
5123
5124 /* Generate fake data of the same length. */
5125 sc->x11_fake_data = xmalloc(data_len);
5126 arc4random_buf(sc->x11_fake_data, data_len);
5127 sc->x11_fake_data_len = data_len;
5128 }
5129
5130 /* Convert the fake data into hex. */
5131 new_data = tohex(sc->x11_fake_data, data_len);
5132
5133 /* Send the request packet. */
5134 channel_request_start(ssh, client_session_id, "x11-req", want_reply);
5135 if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */
5136 (r = sshpkt_put_cstring(ssh, proto)) != 0 ||
5137 (r = sshpkt_put_cstring(ssh, new_data)) != 0 ||
5138 (r = sshpkt_put_u32(ssh, screen_number)) != 0 ||
5139 (r = sshpkt_send(ssh)) != 0 ||
5140 (r = ssh_packet_write_wait(ssh)) != 0)
5141 fatal_fr(r, "send x11-req");
5142 free(new_data);
5143 }
5144