1*856ea928SPeter Avalos /* $OpenBSD: canohost.c,v 1.66 2010/01/13 01:20:20 dtucker Exp $ */ 218de8d7fSPeter Avalos /* 318de8d7fSPeter Avalos * Author: Tatu Ylonen <ylo@cs.hut.fi> 418de8d7fSPeter Avalos * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 518de8d7fSPeter Avalos * All rights reserved 618de8d7fSPeter Avalos * Functions for returning the canonical host name of the remote site. 718de8d7fSPeter Avalos * 818de8d7fSPeter Avalos * As far as I am concerned, the code I have written for this software 918de8d7fSPeter Avalos * can be used freely for any purpose. Any derived versions of this 1018de8d7fSPeter Avalos * software must be clearly marked as such, and if the derived work is 1118de8d7fSPeter Avalos * incompatible with the protocol description in the RFC file, it must be 1218de8d7fSPeter Avalos * called by a name other than "ssh" or "Secure Shell". 1318de8d7fSPeter Avalos */ 1418de8d7fSPeter Avalos 1518de8d7fSPeter Avalos #include "includes.h" 1618de8d7fSPeter Avalos 1718de8d7fSPeter Avalos #include <sys/types.h> 1818de8d7fSPeter Avalos #include <sys/socket.h> 1918de8d7fSPeter Avalos 2018de8d7fSPeter Avalos #include <netinet/in.h> 2118de8d7fSPeter Avalos #include <arpa/inet.h> 2218de8d7fSPeter Avalos 2318de8d7fSPeter Avalos #include <ctype.h> 2418de8d7fSPeter Avalos #include <errno.h> 2518de8d7fSPeter Avalos #include <netdb.h> 2618de8d7fSPeter Avalos #include <stdio.h> 2718de8d7fSPeter Avalos #include <stdlib.h> 2818de8d7fSPeter Avalos #include <string.h> 2918de8d7fSPeter Avalos #include <stdarg.h> 30*856ea928SPeter Avalos #include <unistd.h> 3118de8d7fSPeter Avalos 3218de8d7fSPeter Avalos #include "xmalloc.h" 3318de8d7fSPeter Avalos #include "packet.h" 3418de8d7fSPeter Avalos #include "log.h" 3518de8d7fSPeter Avalos #include "canohost.h" 3618de8d7fSPeter Avalos #include "misc.h" 3718de8d7fSPeter Avalos 3818de8d7fSPeter Avalos static void check_ip_options(int, char *); 3940c002afSPeter Avalos static char *canonical_host_ip = NULL; 4040c002afSPeter Avalos static int cached_port = -1; 4118de8d7fSPeter Avalos 4218de8d7fSPeter Avalos /* 4318de8d7fSPeter Avalos * Return the canonical name of the host at the other end of the socket. The 4418de8d7fSPeter Avalos * caller should free the returned string with xfree. 4518de8d7fSPeter Avalos */ 4618de8d7fSPeter Avalos 4718de8d7fSPeter Avalos static char * 4818de8d7fSPeter Avalos get_remote_hostname(int sock, int use_dns) 4918de8d7fSPeter Avalos { 5018de8d7fSPeter Avalos struct sockaddr_storage from; 5118de8d7fSPeter Avalos int i; 5218de8d7fSPeter Avalos socklen_t fromlen; 5318de8d7fSPeter Avalos struct addrinfo hints, *ai, *aitop; 5418de8d7fSPeter Avalos char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST]; 5518de8d7fSPeter Avalos 5618de8d7fSPeter Avalos /* Get IP address of client. */ 5718de8d7fSPeter Avalos fromlen = sizeof(from); 5818de8d7fSPeter Avalos memset(&from, 0, sizeof(from)); 5918de8d7fSPeter Avalos if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 6018de8d7fSPeter Avalos debug("getpeername failed: %.100s", strerror(errno)); 6118de8d7fSPeter Avalos cleanup_exit(255); 6218de8d7fSPeter Avalos } 6318de8d7fSPeter Avalos 6418de8d7fSPeter Avalos if (from.ss_family == AF_INET) 6518de8d7fSPeter Avalos check_ip_options(sock, ntop); 6618de8d7fSPeter Avalos 6718de8d7fSPeter Avalos ipv64_normalise_mapped(&from, &fromlen); 6818de8d7fSPeter Avalos 6918de8d7fSPeter Avalos if (from.ss_family == AF_INET6) 7018de8d7fSPeter Avalos fromlen = sizeof(struct sockaddr_in6); 7118de8d7fSPeter Avalos 7218de8d7fSPeter Avalos if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop), 7318de8d7fSPeter Avalos NULL, 0, NI_NUMERICHOST) != 0) 7418de8d7fSPeter Avalos fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed"); 7518de8d7fSPeter Avalos 7618de8d7fSPeter Avalos if (!use_dns) 7718de8d7fSPeter Avalos return xstrdup(ntop); 7818de8d7fSPeter Avalos 7918de8d7fSPeter Avalos debug3("Trying to reverse map address %.100s.", ntop); 8018de8d7fSPeter Avalos /* Map the IP address to a host name. */ 8118de8d7fSPeter Avalos if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), 8218de8d7fSPeter Avalos NULL, 0, NI_NAMEREQD) != 0) { 8318de8d7fSPeter Avalos /* Host name not found. Use ip address. */ 8418de8d7fSPeter Avalos return xstrdup(ntop); 8518de8d7fSPeter Avalos } 8618de8d7fSPeter Avalos 8718de8d7fSPeter Avalos /* 8818de8d7fSPeter Avalos * if reverse lookup result looks like a numeric hostname, 8918de8d7fSPeter Avalos * someone is trying to trick us by PTR record like following: 9018de8d7fSPeter Avalos * 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5 9118de8d7fSPeter Avalos */ 9218de8d7fSPeter Avalos memset(&hints, 0, sizeof(hints)); 9318de8d7fSPeter Avalos hints.ai_socktype = SOCK_DGRAM; /*dummy*/ 9418de8d7fSPeter Avalos hints.ai_flags = AI_NUMERICHOST; 9518de8d7fSPeter Avalos if (getaddrinfo(name, NULL, &hints, &ai) == 0) { 9618de8d7fSPeter Avalos logit("Nasty PTR record \"%s\" is set up for %s, ignoring", 9718de8d7fSPeter Avalos name, ntop); 9818de8d7fSPeter Avalos freeaddrinfo(ai); 9918de8d7fSPeter Avalos return xstrdup(ntop); 10018de8d7fSPeter Avalos } 10118de8d7fSPeter Avalos 10218de8d7fSPeter Avalos /* 10318de8d7fSPeter Avalos * Convert it to all lowercase (which is expected by the rest 10418de8d7fSPeter Avalos * of this software). 10518de8d7fSPeter Avalos */ 10618de8d7fSPeter Avalos for (i = 0; name[i]; i++) 10718de8d7fSPeter Avalos if (isupper(name[i])) 10818de8d7fSPeter Avalos name[i] = (char)tolower(name[i]); 10918de8d7fSPeter Avalos /* 11018de8d7fSPeter Avalos * Map it back to an IP address and check that the given 11118de8d7fSPeter Avalos * address actually is an address of this host. This is 11218de8d7fSPeter Avalos * necessary because anyone with access to a name server can 11318de8d7fSPeter Avalos * define arbitrary names for an IP address. Mapping from 11418de8d7fSPeter Avalos * name to IP address can be trusted better (but can still be 11518de8d7fSPeter Avalos * fooled if the intruder has access to the name server of 11618de8d7fSPeter Avalos * the domain). 11718de8d7fSPeter Avalos */ 11818de8d7fSPeter Avalos memset(&hints, 0, sizeof(hints)); 11918de8d7fSPeter Avalos hints.ai_family = from.ss_family; 12018de8d7fSPeter Avalos hints.ai_socktype = SOCK_STREAM; 12118de8d7fSPeter Avalos if (getaddrinfo(name, NULL, &hints, &aitop) != 0) { 12218de8d7fSPeter Avalos logit("reverse mapping checking getaddrinfo for %.700s " 12318de8d7fSPeter Avalos "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop); 12418de8d7fSPeter Avalos return xstrdup(ntop); 12518de8d7fSPeter Avalos } 12618de8d7fSPeter Avalos /* Look for the address from the list of addresses. */ 12718de8d7fSPeter Avalos for (ai = aitop; ai; ai = ai->ai_next) { 12818de8d7fSPeter Avalos if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2, 12918de8d7fSPeter Avalos sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 && 13018de8d7fSPeter Avalos (strcmp(ntop, ntop2) == 0)) 13118de8d7fSPeter Avalos break; 13218de8d7fSPeter Avalos } 13318de8d7fSPeter Avalos freeaddrinfo(aitop); 13418de8d7fSPeter Avalos /* If we reached the end of the list, the address was not there. */ 13518de8d7fSPeter Avalos if (!ai) { 13618de8d7fSPeter Avalos /* Address not found for the host name. */ 13718de8d7fSPeter Avalos logit("Address %.100s maps to %.600s, but this does not " 13818de8d7fSPeter Avalos "map back to the address - POSSIBLE BREAK-IN ATTEMPT!", 13918de8d7fSPeter Avalos ntop, name); 14018de8d7fSPeter Avalos return xstrdup(ntop); 14118de8d7fSPeter Avalos } 14218de8d7fSPeter Avalos return xstrdup(name); 14318de8d7fSPeter Avalos } 14418de8d7fSPeter Avalos 14518de8d7fSPeter Avalos /* 14618de8d7fSPeter Avalos * If IP options are supported, make sure there are none (log and 14718de8d7fSPeter Avalos * disconnect them if any are found). Basically we are worried about 14818de8d7fSPeter Avalos * source routing; it can be used to pretend you are somebody 14918de8d7fSPeter Avalos * (ip-address) you are not. That itself may be "almost acceptable" 15018de8d7fSPeter Avalos * under certain circumstances, but rhosts autentication is useless 15118de8d7fSPeter Avalos * if source routing is accepted. Notice also that if we just dropped 15218de8d7fSPeter Avalos * source routing here, the other side could use IP spoofing to do 15318de8d7fSPeter Avalos * rest of the interaction and could still bypass security. So we 15418de8d7fSPeter Avalos * exit here if we detect any IP options. 15518de8d7fSPeter Avalos */ 15618de8d7fSPeter Avalos /* IPv4 only */ 15718de8d7fSPeter Avalos static void 15818de8d7fSPeter Avalos check_ip_options(int sock, char *ipaddr) 15918de8d7fSPeter Avalos { 16018de8d7fSPeter Avalos #ifdef IP_OPTIONS 16118de8d7fSPeter Avalos u_char options[200]; 16218de8d7fSPeter Avalos char text[sizeof(options) * 3 + 1]; 16318de8d7fSPeter Avalos socklen_t option_size; 16418de8d7fSPeter Avalos u_int i; 16518de8d7fSPeter Avalos int ipproto; 16618de8d7fSPeter Avalos struct protoent *ip; 16718de8d7fSPeter Avalos 16818de8d7fSPeter Avalos if ((ip = getprotobyname("ip")) != NULL) 16918de8d7fSPeter Avalos ipproto = ip->p_proto; 17018de8d7fSPeter Avalos else 17118de8d7fSPeter Avalos ipproto = IPPROTO_IP; 17218de8d7fSPeter Avalos option_size = sizeof(options); 17318de8d7fSPeter Avalos if (getsockopt(sock, ipproto, IP_OPTIONS, options, 17418de8d7fSPeter Avalos &option_size) >= 0 && option_size != 0) { 17518de8d7fSPeter Avalos text[0] = '\0'; 17618de8d7fSPeter Avalos for (i = 0; i < option_size; i++) 17718de8d7fSPeter Avalos snprintf(text + i*3, sizeof(text) - i*3, 17818de8d7fSPeter Avalos " %2.2x", options[i]); 17918de8d7fSPeter Avalos fatal("Connection from %.100s with IP options:%.800s", 18018de8d7fSPeter Avalos ipaddr, text); 18118de8d7fSPeter Avalos } 18218de8d7fSPeter Avalos #endif /* IP_OPTIONS */ 18318de8d7fSPeter Avalos } 18418de8d7fSPeter Avalos 18518de8d7fSPeter Avalos void 18618de8d7fSPeter Avalos ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) 18718de8d7fSPeter Avalos { 18818de8d7fSPeter Avalos struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; 18918de8d7fSPeter Avalos struct sockaddr_in *a4 = (struct sockaddr_in *)addr; 19018de8d7fSPeter Avalos struct in_addr inaddr; 19118de8d7fSPeter Avalos u_int16_t port; 19218de8d7fSPeter Avalos 19318de8d7fSPeter Avalos if (addr->ss_family != AF_INET6 || 19418de8d7fSPeter Avalos !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) 19518de8d7fSPeter Avalos return; 19618de8d7fSPeter Avalos 19718de8d7fSPeter Avalos debug3("Normalising mapped IPv4 in IPv6 address"); 19818de8d7fSPeter Avalos 19918de8d7fSPeter Avalos memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); 20018de8d7fSPeter Avalos port = a6->sin6_port; 20118de8d7fSPeter Avalos 20218de8d7fSPeter Avalos memset(addr, 0, sizeof(*a4)); 20318de8d7fSPeter Avalos 20418de8d7fSPeter Avalos a4->sin_family = AF_INET; 20518de8d7fSPeter Avalos *len = sizeof(*a4); 20618de8d7fSPeter Avalos memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); 20718de8d7fSPeter Avalos a4->sin_port = port; 20818de8d7fSPeter Avalos } 20918de8d7fSPeter Avalos 21018de8d7fSPeter Avalos /* 21118de8d7fSPeter Avalos * Return the canonical name of the host in the other side of the current 21218de8d7fSPeter Avalos * connection. The host name is cached, so it is efficient to call this 21318de8d7fSPeter Avalos * several times. 21418de8d7fSPeter Avalos */ 21518de8d7fSPeter Avalos 21618de8d7fSPeter Avalos const char * 21718de8d7fSPeter Avalos get_canonical_hostname(int use_dns) 21818de8d7fSPeter Avalos { 21918de8d7fSPeter Avalos char *host; 22018de8d7fSPeter Avalos static char *canonical_host_name = NULL; 22118de8d7fSPeter Avalos static char *remote_ip = NULL; 22218de8d7fSPeter Avalos 22318de8d7fSPeter Avalos /* Check if we have previously retrieved name with same option. */ 22418de8d7fSPeter Avalos if (use_dns && canonical_host_name != NULL) 22518de8d7fSPeter Avalos return canonical_host_name; 22618de8d7fSPeter Avalos if (!use_dns && remote_ip != NULL) 22718de8d7fSPeter Avalos return remote_ip; 22818de8d7fSPeter Avalos 22918de8d7fSPeter Avalos /* Get the real hostname if socket; otherwise return UNKNOWN. */ 23018de8d7fSPeter Avalos if (packet_connection_is_on_socket()) 23118de8d7fSPeter Avalos host = get_remote_hostname(packet_get_connection_in(), use_dns); 23218de8d7fSPeter Avalos else 23318de8d7fSPeter Avalos host = "UNKNOWN"; 23418de8d7fSPeter Avalos 23518de8d7fSPeter Avalos if (use_dns) 23618de8d7fSPeter Avalos canonical_host_name = host; 23718de8d7fSPeter Avalos else 23818de8d7fSPeter Avalos remote_ip = host; 23918de8d7fSPeter Avalos return host; 24018de8d7fSPeter Avalos } 24118de8d7fSPeter Avalos 24218de8d7fSPeter Avalos /* 24318de8d7fSPeter Avalos * Returns the local/remote IP-address/hostname of socket as a string. 24418de8d7fSPeter Avalos * The returned string must be freed. 24518de8d7fSPeter Avalos */ 24618de8d7fSPeter Avalos static char * 24718de8d7fSPeter Avalos get_socket_address(int sock, int remote, int flags) 24818de8d7fSPeter Avalos { 24918de8d7fSPeter Avalos struct sockaddr_storage addr; 25018de8d7fSPeter Avalos socklen_t addrlen; 25118de8d7fSPeter Avalos char ntop[NI_MAXHOST]; 25218de8d7fSPeter Avalos int r; 25318de8d7fSPeter Avalos 25418de8d7fSPeter Avalos /* Get IP address of client. */ 25518de8d7fSPeter Avalos addrlen = sizeof(addr); 25618de8d7fSPeter Avalos memset(&addr, 0, sizeof(addr)); 25718de8d7fSPeter Avalos 25818de8d7fSPeter Avalos if (remote) { 25918de8d7fSPeter Avalos if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) 26018de8d7fSPeter Avalos < 0) 26118de8d7fSPeter Avalos return NULL; 26218de8d7fSPeter Avalos } else { 26318de8d7fSPeter Avalos if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) 26418de8d7fSPeter Avalos < 0) 26518de8d7fSPeter Avalos return NULL; 26618de8d7fSPeter Avalos } 26718de8d7fSPeter Avalos 26818de8d7fSPeter Avalos /* Work around Linux IPv6 weirdness */ 26918de8d7fSPeter Avalos if (addr.ss_family == AF_INET6) 27018de8d7fSPeter Avalos addrlen = sizeof(struct sockaddr_in6); 27118de8d7fSPeter Avalos 27218de8d7fSPeter Avalos ipv64_normalise_mapped(&addr, &addrlen); 27318de8d7fSPeter Avalos 27418de8d7fSPeter Avalos /* Get the address in ascii. */ 27518de8d7fSPeter Avalos if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop, 27618de8d7fSPeter Avalos sizeof(ntop), NULL, 0, flags)) != 0) { 27718de8d7fSPeter Avalos error("get_socket_address: getnameinfo %d failed: %s", flags, 27818de8d7fSPeter Avalos ssh_gai_strerror(r)); 27918de8d7fSPeter Avalos return NULL; 28018de8d7fSPeter Avalos } 28118de8d7fSPeter Avalos return xstrdup(ntop); 28218de8d7fSPeter Avalos } 28318de8d7fSPeter Avalos 28418de8d7fSPeter Avalos char * 28518de8d7fSPeter Avalos get_peer_ipaddr(int sock) 28618de8d7fSPeter Avalos { 28718de8d7fSPeter Avalos char *p; 28818de8d7fSPeter Avalos 28918de8d7fSPeter Avalos if ((p = get_socket_address(sock, 1, NI_NUMERICHOST)) != NULL) 29018de8d7fSPeter Avalos return p; 29118de8d7fSPeter Avalos return xstrdup("UNKNOWN"); 29218de8d7fSPeter Avalos } 29318de8d7fSPeter Avalos 29418de8d7fSPeter Avalos char * 29518de8d7fSPeter Avalos get_local_ipaddr(int sock) 29618de8d7fSPeter Avalos { 29718de8d7fSPeter Avalos char *p; 29818de8d7fSPeter Avalos 29918de8d7fSPeter Avalos if ((p = get_socket_address(sock, 0, NI_NUMERICHOST)) != NULL) 30018de8d7fSPeter Avalos return p; 30118de8d7fSPeter Avalos return xstrdup("UNKNOWN"); 30218de8d7fSPeter Avalos } 30318de8d7fSPeter Avalos 30418de8d7fSPeter Avalos char * 305*856ea928SPeter Avalos get_local_name(int fd) 30618de8d7fSPeter Avalos { 307*856ea928SPeter Avalos char *host, myname[NI_MAXHOST]; 308*856ea928SPeter Avalos 309*856ea928SPeter Avalos /* Assume we were passed a socket */ 310*856ea928SPeter Avalos if ((host = get_socket_address(fd, 0, NI_NAMEREQD)) != NULL) 311*856ea928SPeter Avalos return host; 312*856ea928SPeter Avalos 313*856ea928SPeter Avalos /* Handle the case where we were passed a pipe */ 314*856ea928SPeter Avalos if (gethostname(myname, sizeof(myname)) == -1) { 315*856ea928SPeter Avalos verbose("get_local_name: gethostname: %s", strerror(errno)); 316*856ea928SPeter Avalos } else { 317*856ea928SPeter Avalos host = xstrdup(myname); 318*856ea928SPeter Avalos } 319*856ea928SPeter Avalos 320*856ea928SPeter Avalos return host; 32118de8d7fSPeter Avalos } 32218de8d7fSPeter Avalos 32340c002afSPeter Avalos void 32440c002afSPeter Avalos clear_cached_addr(void) 32540c002afSPeter Avalos { 32640c002afSPeter Avalos if (canonical_host_ip != NULL) { 32740c002afSPeter Avalos xfree(canonical_host_ip); 32840c002afSPeter Avalos canonical_host_ip = NULL; 32940c002afSPeter Avalos } 33040c002afSPeter Avalos cached_port = -1; 33140c002afSPeter Avalos } 33240c002afSPeter Avalos 33318de8d7fSPeter Avalos /* 33418de8d7fSPeter Avalos * Returns the IP-address of the remote host as a string. The returned 33518de8d7fSPeter Avalos * string must not be freed. 33618de8d7fSPeter Avalos */ 33718de8d7fSPeter Avalos 33818de8d7fSPeter Avalos const char * 33918de8d7fSPeter Avalos get_remote_ipaddr(void) 34018de8d7fSPeter Avalos { 34118de8d7fSPeter Avalos /* Check whether we have cached the ipaddr. */ 34218de8d7fSPeter Avalos if (canonical_host_ip == NULL) { 34318de8d7fSPeter Avalos if (packet_connection_is_on_socket()) { 34418de8d7fSPeter Avalos canonical_host_ip = 34518de8d7fSPeter Avalos get_peer_ipaddr(packet_get_connection_in()); 34618de8d7fSPeter Avalos if (canonical_host_ip == NULL) 34718de8d7fSPeter Avalos cleanup_exit(255); 34818de8d7fSPeter Avalos } else { 34918de8d7fSPeter Avalos /* If not on socket, return UNKNOWN. */ 35018de8d7fSPeter Avalos canonical_host_ip = xstrdup("UNKNOWN"); 35118de8d7fSPeter Avalos } 35218de8d7fSPeter Avalos } 35318de8d7fSPeter Avalos return canonical_host_ip; 35418de8d7fSPeter Avalos } 35518de8d7fSPeter Avalos 35618de8d7fSPeter Avalos const char * 35718de8d7fSPeter Avalos get_remote_name_or_ip(u_int utmp_len, int use_dns) 35818de8d7fSPeter Avalos { 35918de8d7fSPeter Avalos static const char *remote = ""; 36018de8d7fSPeter Avalos if (utmp_len > 0) 36118de8d7fSPeter Avalos remote = get_canonical_hostname(use_dns); 36218de8d7fSPeter Avalos if (utmp_len == 0 || strlen(remote) > utmp_len) 36318de8d7fSPeter Avalos remote = get_remote_ipaddr(); 36418de8d7fSPeter Avalos return remote; 36518de8d7fSPeter Avalos } 36618de8d7fSPeter Avalos 36718de8d7fSPeter Avalos /* Returns the local/remote port for the socket. */ 36818de8d7fSPeter Avalos 369cb5eb4f1SPeter Avalos int 37018de8d7fSPeter Avalos get_sock_port(int sock, int local) 37118de8d7fSPeter Avalos { 37218de8d7fSPeter Avalos struct sockaddr_storage from; 37318de8d7fSPeter Avalos socklen_t fromlen; 37418de8d7fSPeter Avalos char strport[NI_MAXSERV]; 37518de8d7fSPeter Avalos int r; 37618de8d7fSPeter Avalos 37718de8d7fSPeter Avalos /* Get IP address of client. */ 37818de8d7fSPeter Avalos fromlen = sizeof(from); 37918de8d7fSPeter Avalos memset(&from, 0, sizeof(from)); 38018de8d7fSPeter Avalos if (local) { 38118de8d7fSPeter Avalos if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { 38218de8d7fSPeter Avalos error("getsockname failed: %.100s", strerror(errno)); 38318de8d7fSPeter Avalos return 0; 38418de8d7fSPeter Avalos } 38518de8d7fSPeter Avalos } else { 38618de8d7fSPeter Avalos if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { 38718de8d7fSPeter Avalos debug("getpeername failed: %.100s", strerror(errno)); 38818de8d7fSPeter Avalos return -1; 38918de8d7fSPeter Avalos } 39018de8d7fSPeter Avalos } 39118de8d7fSPeter Avalos 39218de8d7fSPeter Avalos /* Work around Linux IPv6 weirdness */ 39318de8d7fSPeter Avalos if (from.ss_family == AF_INET6) 39418de8d7fSPeter Avalos fromlen = sizeof(struct sockaddr_in6); 39518de8d7fSPeter Avalos 39618de8d7fSPeter Avalos /* Return port number. */ 39718de8d7fSPeter Avalos if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, 39818de8d7fSPeter Avalos strport, sizeof(strport), NI_NUMERICSERV)) != 0) 39918de8d7fSPeter Avalos fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s", 40018de8d7fSPeter Avalos ssh_gai_strerror(r)); 40118de8d7fSPeter Avalos return atoi(strport); 40218de8d7fSPeter Avalos } 40318de8d7fSPeter Avalos 40418de8d7fSPeter Avalos /* Returns remote/local port number for the current connection. */ 40518de8d7fSPeter Avalos 40618de8d7fSPeter Avalos static int 40718de8d7fSPeter Avalos get_port(int local) 40818de8d7fSPeter Avalos { 40918de8d7fSPeter Avalos /* 41018de8d7fSPeter Avalos * If the connection is not a socket, return 65535. This is 41118de8d7fSPeter Avalos * intentionally chosen to be an unprivileged port number. 41218de8d7fSPeter Avalos */ 41318de8d7fSPeter Avalos if (!packet_connection_is_on_socket()) 41418de8d7fSPeter Avalos return 65535; 41518de8d7fSPeter Avalos 41618de8d7fSPeter Avalos /* Get socket and return the port number. */ 41718de8d7fSPeter Avalos return get_sock_port(packet_get_connection_in(), local); 41818de8d7fSPeter Avalos } 41918de8d7fSPeter Avalos 42018de8d7fSPeter Avalos int 42118de8d7fSPeter Avalos get_peer_port(int sock) 42218de8d7fSPeter Avalos { 42318de8d7fSPeter Avalos return get_sock_port(sock, 0); 42418de8d7fSPeter Avalos } 42518de8d7fSPeter Avalos 42618de8d7fSPeter Avalos int 42718de8d7fSPeter Avalos get_remote_port(void) 42818de8d7fSPeter Avalos { 42918de8d7fSPeter Avalos /* Cache to avoid getpeername() on a dead connection */ 43040c002afSPeter Avalos if (cached_port == -1) 43140c002afSPeter Avalos cached_port = get_port(0); 43218de8d7fSPeter Avalos 43340c002afSPeter Avalos return cached_port; 43418de8d7fSPeter Avalos } 43518de8d7fSPeter Avalos 43618de8d7fSPeter Avalos int 43718de8d7fSPeter Avalos get_local_port(void) 43818de8d7fSPeter Avalos { 43918de8d7fSPeter Avalos return get_port(1); 44018de8d7fSPeter Avalos } 441