1 /* $OpenBSD: channels.c,v 1.398 2020/04/25 06:59:36 dtucker Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 44 #include <sys/types.h> 45 #include <sys/stat.h> 46 #include <sys/ioctl.h> 47 #include <sys/un.h> 48 #include <sys/socket.h> 49 #ifdef HAVE_SYS_TIME_H 50 # include <sys/time.h> 51 #endif 52 53 #include <netinet/in.h> 54 #include <arpa/inet.h> 55 56 #include <errno.h> 57 #include <fcntl.h> 58 #include <limits.h> 59 #include <netdb.h> 60 #include <stdarg.h> 61 #ifdef HAVE_STDINT_H 62 # include <stdint.h> 63 #endif 64 #include <stdio.h> 65 #include <stdlib.h> 66 #include <string.h> 67 #include <termios.h> 68 #include <unistd.h> 69 70 #include "openbsd-compat/sys-queue.h" 71 #include "xmalloc.h" 72 #include "ssh.h" 73 #include "ssh2.h" 74 #include "ssherr.h" 75 #include "sshbuf.h" 76 #include "packet.h" 77 #include "log.h" 78 #include "misc.h" 79 #include "channels.h" 80 #include "compat.h" 81 #include "canohost.h" 82 #include "sshkey.h" 83 #include "authfd.h" 84 #include "pathnames.h" 85 #include "match.h" 86 87 /* -- agent forwarding */ 88 #define NUM_SOCKS 10 89 90 /* -- tcp forwarding */ 91 /* special-case port number meaning allow any port */ 92 #define FWD_PERMIT_ANY_PORT 0 93 94 /* special-case wildcard meaning allow any host */ 95 #define FWD_PERMIT_ANY_HOST "*" 96 97 /* -- X11 forwarding */ 98 /* Maximum number of fake X11 displays to try. */ 99 #define MAX_DISPLAYS 1000 100 101 /* Per-channel callback for pre/post select() actions */ 102 typedef void chan_fn(struct ssh *, Channel *c, 103 fd_set *readset, fd_set *writeset); 104 105 /* 106 * Data structure for storing which hosts are permitted for forward requests. 107 * The local sides of any remote forwards are stored in this array to prevent 108 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 109 * network (which might be behind a firewall). 110 */ 111 /* XXX: streamlocal wants a path instead of host:port */ 112 /* Overload host_to_connect; we could just make this match Forward */ 113 /* XXX - can we use listen_host instead of listen_path? */ 114 struct permission { 115 char *host_to_connect; /* Connect to 'host'. */ 116 int port_to_connect; /* Connect to 'port'. */ 117 char *listen_host; /* Remote side should listen address. */ 118 char *listen_path; /* Remote side should listen path. */ 119 int listen_port; /* Remote side should listen port. */ 120 Channel *downstream; /* Downstream mux*/ 121 }; 122 123 /* 124 * Stores the forwarding permission state for a single direction (local or 125 * remote). 126 */ 127 struct permission_set { 128 /* 129 * List of all local permitted host/port pairs to allow for the 130 * user. 131 */ 132 u_int num_permitted_user; 133 struct permission *permitted_user; 134 135 /* 136 * List of all permitted host/port pairs to allow for the admin. 137 */ 138 u_int num_permitted_admin; 139 struct permission *permitted_admin; 140 141 /* 142 * If this is true, all opens/listens are permitted. This is the 143 * case on the server on which we have to trust the client anyway, 144 * and the user could do anything after logging in. 145 */ 146 int all_permitted; 147 }; 148 149 /* Master structure for channels state */ 150 struct ssh_channels { 151 /* 152 * Pointer to an array containing all allocated channels. The array 153 * is dynamically extended as needed. 154 */ 155 Channel **channels; 156 157 /* 158 * Size of the channel array. All slots of the array must always be 159 * initialized (at least the type field); unused slots set to NULL 160 */ 161 u_int channels_alloc; 162 163 /* 164 * Maximum file descriptor value used in any of the channels. This is 165 * updated in channel_new. 166 */ 167 int channel_max_fd; 168 169 /* 170 * 'channel_pre*' are called just before select() to add any bits 171 * relevant to channels in the select bitmasks. 172 * 173 * 'channel_post*': perform any appropriate operations for 174 * channels which have events pending. 175 */ 176 chan_fn **channel_pre; 177 chan_fn **channel_post; 178 179 /* -- tcp forwarding */ 180 struct permission_set local_perms; 181 struct permission_set remote_perms; 182 183 /* -- X11 forwarding */ 184 185 /* Saved X11 local (client) display. */ 186 char *x11_saved_display; 187 188 /* Saved X11 authentication protocol name. */ 189 char *x11_saved_proto; 190 191 /* Saved X11 authentication data. This is the real data. */ 192 char *x11_saved_data; 193 u_int x11_saved_data_len; 194 195 /* Deadline after which all X11 connections are refused */ 196 u_int x11_refuse_time; 197 198 /* 199 * Fake X11 authentication data. This is what the server will be 200 * sending us; we should replace any occurrences of this by the 201 * real data. 202 */ 203 u_char *x11_fake_data; 204 u_int x11_fake_data_len; 205 206 /* AF_UNSPEC or AF_INET or AF_INET6 */ 207 int IPv4or6; 208 }; 209 210 /* helper */ 211 static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype); 212 static const char *channel_rfwd_bind_host(const char *listen_host); 213 214 /* non-blocking connect helpers */ 215 static int connect_next(struct channel_connect *); 216 static void channel_connect_ctx_free(struct channel_connect *); 217 static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *); 218 static int rdynamic_connect_finish(struct ssh *, Channel *); 219 220 /* Setup helper */ 221 static void channel_handler_init(struct ssh_channels *sc); 222 223 /* -- channel core */ 224 225 void 226 channel_init_channels(struct ssh *ssh) 227 { 228 struct ssh_channels *sc; 229 230 if ((sc = calloc(1, sizeof(*sc))) == NULL) 231 fatal("%s: allocation failed", __func__); 232 sc->channels_alloc = 10; 233 sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels)); 234 sc->IPv4or6 = AF_UNSPEC; 235 channel_handler_init(sc); 236 237 ssh->chanctxt = sc; 238 } 239 240 Channel * 241 channel_by_id(struct ssh *ssh, int id) 242 { 243 Channel *c; 244 245 if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) { 246 logit("%s: %d: bad id", __func__, id); 247 return NULL; 248 } 249 c = ssh->chanctxt->channels[id]; 250 if (c == NULL) { 251 logit("%s: %d: bad id: channel free", __func__, id); 252 return NULL; 253 } 254 return c; 255 } 256 257 Channel * 258 channel_by_remote_id(struct ssh *ssh, u_int remote_id) 259 { 260 Channel *c; 261 u_int i; 262 263 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 264 c = ssh->chanctxt->channels[i]; 265 if (c != NULL && c->have_remote_id && c->remote_id == remote_id) 266 return c; 267 } 268 return NULL; 269 } 270 271 /* 272 * Returns the channel if it is allowed to receive protocol messages. 273 * Private channels, like listening sockets, may not receive messages. 274 */ 275 Channel * 276 channel_lookup(struct ssh *ssh, int id) 277 { 278 Channel *c; 279 280 if ((c = channel_by_id(ssh, id)) == NULL) 281 return NULL; 282 283 switch (c->type) { 284 case SSH_CHANNEL_X11_OPEN: 285 case SSH_CHANNEL_LARVAL: 286 case SSH_CHANNEL_CONNECTING: 287 case SSH_CHANNEL_DYNAMIC: 288 case SSH_CHANNEL_RDYNAMIC_OPEN: 289 case SSH_CHANNEL_RDYNAMIC_FINISH: 290 case SSH_CHANNEL_OPENING: 291 case SSH_CHANNEL_OPEN: 292 case SSH_CHANNEL_ABANDONED: 293 case SSH_CHANNEL_MUX_PROXY: 294 return c; 295 } 296 logit("Non-public channel %d, type %d.", id, c->type); 297 return NULL; 298 } 299 300 /* 301 * Register filedescriptors for a channel, used when allocating a channel or 302 * when the channel consumer/producer is ready, e.g. shell exec'd 303 */ 304 static void 305 channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, 306 int extusage, int nonblock, int is_tty) 307 { 308 struct ssh_channels *sc = ssh->chanctxt; 309 310 /* Update the maximum file descriptor value. */ 311 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, rfd); 312 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, wfd); 313 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, efd); 314 315 if (rfd != -1) 316 fcntl(rfd, F_SETFD, FD_CLOEXEC); 317 if (wfd != -1 && wfd != rfd) 318 fcntl(wfd, F_SETFD, FD_CLOEXEC); 319 if (efd != -1 && efd != rfd && efd != wfd) 320 fcntl(efd, F_SETFD, FD_CLOEXEC); 321 322 c->rfd = rfd; 323 c->wfd = wfd; 324 c->sock = (rfd == wfd) ? rfd : -1; 325 c->efd = efd; 326 c->extended_usage = extusage; 327 328 if ((c->isatty = is_tty) != 0) 329 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 330 #ifdef _AIX 331 /* XXX: Later AIX versions can't push as much data to tty */ 332 c->wfd_isatty = is_tty || isatty(c->wfd); 333 #endif 334 335 /* enable nonblocking mode */ 336 if (nonblock) { 337 if (rfd != -1) 338 set_nonblock(rfd); 339 if (wfd != -1) 340 set_nonblock(wfd); 341 if (efd != -1) 342 set_nonblock(efd); 343 } 344 } 345 346 /* 347 * Allocate a new channel object and set its type and socket. This will cause 348 * remote_name to be freed. 349 */ 350 Channel * 351 channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, 352 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 353 { 354 struct ssh_channels *sc = ssh->chanctxt; 355 u_int i, found; 356 Channel *c; 357 358 /* Try to find a free slot where to put the new channel. */ 359 for (i = 0; i < sc->channels_alloc; i++) { 360 if (sc->channels[i] == NULL) { 361 /* Found a free slot. */ 362 found = i; 363 break; 364 } 365 } 366 if (i >= sc->channels_alloc) { 367 /* 368 * There are no free slots. Take last+1 slot and expand 369 * the array. 370 */ 371 found = sc->channels_alloc; 372 if (sc->channels_alloc > CHANNELS_MAX_CHANNELS) 373 fatal("%s: internal error: channels_alloc %d too big", 374 __func__, sc->channels_alloc); 375 sc->channels = xrecallocarray(sc->channels, sc->channels_alloc, 376 sc->channels_alloc + 10, sizeof(*sc->channels)); 377 sc->channels_alloc += 10; 378 debug2("channel: expanding %d", sc->channels_alloc); 379 } 380 /* Initialize and return new channel. */ 381 c = sc->channels[found] = xcalloc(1, sizeof(Channel)); 382 if ((c->input = sshbuf_new()) == NULL || 383 (c->output = sshbuf_new()) == NULL || 384 (c->extended = sshbuf_new()) == NULL) 385 fatal("%s: sshbuf_new failed", __func__); 386 c->ostate = CHAN_OUTPUT_OPEN; 387 c->istate = CHAN_INPUT_OPEN; 388 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0); 389 c->self = found; 390 c->type = type; 391 c->ctype = ctype; 392 c->local_window = window; 393 c->local_window_max = window; 394 c->local_maxpacket = maxpack; 395 c->remote_name = xstrdup(remote_name); 396 c->ctl_chan = -1; 397 c->delayed = 1; /* prevent call to channel_post handler */ 398 TAILQ_INIT(&c->status_confirms); 399 debug("channel %d: new [%s]", found, remote_name); 400 return c; 401 } 402 403 static void 404 channel_find_maxfd(struct ssh_channels *sc) 405 { 406 u_int i; 407 int max = 0; 408 Channel *c; 409 410 for (i = 0; i < sc->channels_alloc; i++) { 411 c = sc->channels[i]; 412 if (c != NULL) { 413 max = MAXIMUM(max, c->rfd); 414 max = MAXIMUM(max, c->wfd); 415 max = MAXIMUM(max, c->efd); 416 } 417 } 418 sc->channel_max_fd = max; 419 } 420 421 int 422 channel_close_fd(struct ssh *ssh, int *fdp) 423 { 424 struct ssh_channels *sc = ssh->chanctxt; 425 int ret = 0, fd = *fdp; 426 427 if (fd != -1) { 428 ret = close(fd); 429 *fdp = -1; 430 if (fd == sc->channel_max_fd) 431 channel_find_maxfd(sc); 432 } 433 return ret; 434 } 435 436 /* Close all channel fd/socket. */ 437 static void 438 channel_close_fds(struct ssh *ssh, Channel *c) 439 { 440 int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd; 441 442 channel_close_fd(ssh, &c->sock); 443 if (rfd != sock) 444 channel_close_fd(ssh, &c->rfd); 445 if (wfd != sock && wfd != rfd) 446 channel_close_fd(ssh, &c->wfd); 447 if (efd != sock && efd != rfd && efd != wfd) 448 channel_close_fd(ssh, &c->efd); 449 } 450 451 static void 452 fwd_perm_clear(struct permission *perm) 453 { 454 free(perm->host_to_connect); 455 free(perm->listen_host); 456 free(perm->listen_path); 457 memset(perm, 0, sizeof(*perm)); 458 } 459 460 /* Returns an printable name for the specified forwarding permission list */ 461 static const char * 462 fwd_ident(int who, int where) 463 { 464 if (who == FORWARD_ADM) { 465 if (where == FORWARD_LOCAL) 466 return "admin local"; 467 else if (where == FORWARD_REMOTE) 468 return "admin remote"; 469 } else if (who == FORWARD_USER) { 470 if (where == FORWARD_LOCAL) 471 return "user local"; 472 else if (where == FORWARD_REMOTE) 473 return "user remote"; 474 } 475 fatal("Unknown forward permission list %d/%d", who, where); 476 } 477 478 /* Returns the forwarding permission list for the specified direction */ 479 static struct permission_set * 480 permission_set_get(struct ssh *ssh, int where) 481 { 482 struct ssh_channels *sc = ssh->chanctxt; 483 484 switch (where) { 485 case FORWARD_LOCAL: 486 return &sc->local_perms; 487 break; 488 case FORWARD_REMOTE: 489 return &sc->remote_perms; 490 break; 491 default: 492 fatal("%s: invalid forwarding direction %d", __func__, where); 493 } 494 } 495 496 /* Returns pointers to the specified forwarding list and its element count */ 497 static void 498 permission_set_get_array(struct ssh *ssh, int who, int where, 499 struct permission ***permpp, u_int **npermpp) 500 { 501 struct permission_set *pset = permission_set_get(ssh, where); 502 503 switch (who) { 504 case FORWARD_USER: 505 *permpp = &pset->permitted_user; 506 *npermpp = &pset->num_permitted_user; 507 break; 508 case FORWARD_ADM: 509 *permpp = &pset->permitted_admin; 510 *npermpp = &pset->num_permitted_admin; 511 break; 512 default: 513 fatal("%s: invalid forwarding client %d", __func__, who); 514 } 515 } 516 517 /* Adds an entry to the spcified forwarding list */ 518 static int 519 permission_set_add(struct ssh *ssh, int who, int where, 520 const char *host_to_connect, int port_to_connect, 521 const char *listen_host, const char *listen_path, int listen_port, 522 Channel *downstream) 523 { 524 struct permission **permp; 525 u_int n, *npermp; 526 527 permission_set_get_array(ssh, who, where, &permp, &npermp); 528 529 if (*npermp >= INT_MAX) 530 fatal("%s: %s overflow", __func__, fwd_ident(who, where)); 531 532 *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp)); 533 n = (*npermp)++; 534 #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s)) 535 (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect); 536 (*permp)[n].port_to_connect = port_to_connect; 537 (*permp)[n].listen_host = MAYBE_DUP(listen_host); 538 (*permp)[n].listen_path = MAYBE_DUP(listen_path); 539 (*permp)[n].listen_port = listen_port; 540 (*permp)[n].downstream = downstream; 541 #undef MAYBE_DUP 542 return (int)n; 543 } 544 545 static void 546 mux_remove_remote_forwardings(struct ssh *ssh, Channel *c) 547 { 548 struct ssh_channels *sc = ssh->chanctxt; 549 struct permission_set *pset = &sc->local_perms; 550 struct permission *perm; 551 int r; 552 u_int i; 553 554 for (i = 0; i < pset->num_permitted_user; i++) { 555 perm = &pset->permitted_user[i]; 556 if (perm->downstream != c) 557 continue; 558 559 /* cancel on the server, since mux client is gone */ 560 debug("channel %d: cleanup remote forward for %s:%u", 561 c->self, perm->listen_host, perm->listen_port); 562 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 563 (r = sshpkt_put_cstring(ssh, 564 "cancel-tcpip-forward")) != 0 || 565 (r = sshpkt_put_u8(ssh, 0)) != 0 || 566 (r = sshpkt_put_cstring(ssh, 567 channel_rfwd_bind_host(perm->listen_host))) != 0 || 568 (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 || 569 (r = sshpkt_send(ssh)) != 0) { 570 fatal("%s: channel %i: %s", __func__, 571 c->self, ssh_err(r)); 572 } 573 fwd_perm_clear(perm); /* unregister */ 574 } 575 } 576 577 /* Free the channel and close its fd/socket. */ 578 void 579 channel_free(struct ssh *ssh, Channel *c) 580 { 581 struct ssh_channels *sc = ssh->chanctxt; 582 char *s; 583 u_int i, n; 584 Channel *other; 585 struct channel_confirm *cc; 586 587 for (n = 0, i = 0; i < sc->channels_alloc; i++) { 588 if ((other = sc->channels[i]) == NULL) 589 continue; 590 n++; 591 /* detach from mux client and prepare for closing */ 592 if (c->type == SSH_CHANNEL_MUX_CLIENT && 593 other->type == SSH_CHANNEL_MUX_PROXY && 594 other->mux_ctx == c) { 595 other->mux_ctx = NULL; 596 other->type = SSH_CHANNEL_OPEN; 597 other->istate = CHAN_INPUT_CLOSED; 598 other->ostate = CHAN_OUTPUT_CLOSED; 599 } 600 } 601 debug("channel %d: free: %s, nchannels %u", c->self, 602 c->remote_name ? c->remote_name : "???", n); 603 604 if (c->type == SSH_CHANNEL_MUX_CLIENT) 605 mux_remove_remote_forwardings(ssh, c); 606 607 if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) { 608 s = channel_open_message(ssh); 609 debug3("channel %d: status: %s", c->self, s); 610 free(s); 611 } 612 613 channel_close_fds(ssh, c); 614 sshbuf_free(c->input); 615 sshbuf_free(c->output); 616 sshbuf_free(c->extended); 617 c->input = c->output = c->extended = NULL; 618 free(c->remote_name); 619 c->remote_name = NULL; 620 free(c->path); 621 c->path = NULL; 622 free(c->listening_addr); 623 c->listening_addr = NULL; 624 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 625 if (cc->abandon_cb != NULL) 626 cc->abandon_cb(ssh, c, cc->ctx); 627 TAILQ_REMOVE(&c->status_confirms, cc, entry); 628 freezero(cc, sizeof(*cc)); 629 } 630 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 631 c->filter_cleanup(ssh, c->self, c->filter_ctx); 632 sc->channels[c->self] = NULL; 633 freezero(c, sizeof(*c)); 634 } 635 636 void 637 channel_free_all(struct ssh *ssh) 638 { 639 u_int i; 640 struct ssh_channels *sc = ssh->chanctxt; 641 642 for (i = 0; i < sc->channels_alloc; i++) 643 if (sc->channels[i] != NULL) 644 channel_free(ssh, sc->channels[i]); 645 646 free(sc->channels); 647 sc->channels = NULL; 648 sc->channels_alloc = 0; 649 sc->channel_max_fd = 0; 650 651 free(sc->x11_saved_display); 652 sc->x11_saved_display = NULL; 653 654 free(sc->x11_saved_proto); 655 sc->x11_saved_proto = NULL; 656 657 free(sc->x11_saved_data); 658 sc->x11_saved_data = NULL; 659 sc->x11_saved_data_len = 0; 660 661 free(sc->x11_fake_data); 662 sc->x11_fake_data = NULL; 663 sc->x11_fake_data_len = 0; 664 } 665 666 /* 667 * Closes the sockets/fds of all channels. This is used to close extra file 668 * descriptors after a fork. 669 */ 670 void 671 channel_close_all(struct ssh *ssh) 672 { 673 u_int i; 674 675 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) 676 if (ssh->chanctxt->channels[i] != NULL) 677 channel_close_fds(ssh, ssh->chanctxt->channels[i]); 678 } 679 680 /* 681 * Stop listening to channels. 682 */ 683 void 684 channel_stop_listening(struct ssh *ssh) 685 { 686 u_int i; 687 Channel *c; 688 689 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 690 c = ssh->chanctxt->channels[i]; 691 if (c != NULL) { 692 switch (c->type) { 693 case SSH_CHANNEL_AUTH_SOCKET: 694 case SSH_CHANNEL_PORT_LISTENER: 695 case SSH_CHANNEL_RPORT_LISTENER: 696 case SSH_CHANNEL_X11_LISTENER: 697 case SSH_CHANNEL_UNIX_LISTENER: 698 case SSH_CHANNEL_RUNIX_LISTENER: 699 channel_close_fd(ssh, &c->sock); 700 channel_free(ssh, c); 701 break; 702 } 703 } 704 } 705 } 706 707 /* 708 * Returns true if no channel has too much buffered data, and false if one or 709 * more channel is overfull. 710 */ 711 int 712 channel_not_very_much_buffered_data(struct ssh *ssh) 713 { 714 u_int i; 715 u_int maxsize = ssh_packet_get_maxsize(ssh); 716 Channel *c; 717 718 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 719 c = ssh->chanctxt->channels[i]; 720 if (c == NULL || c->type != SSH_CHANNEL_OPEN) 721 continue; 722 if (sshbuf_len(c->output) > maxsize) { 723 debug2("channel %d: big output buffer %zu > %u", 724 c->self, sshbuf_len(c->output), maxsize); 725 return 0; 726 } 727 } 728 return 1; 729 } 730 731 /* Returns true if any channel is still open. */ 732 int 733 channel_still_open(struct ssh *ssh) 734 { 735 u_int i; 736 Channel *c; 737 738 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 739 c = ssh->chanctxt->channels[i]; 740 if (c == NULL) 741 continue; 742 switch (c->type) { 743 case SSH_CHANNEL_X11_LISTENER: 744 case SSH_CHANNEL_PORT_LISTENER: 745 case SSH_CHANNEL_RPORT_LISTENER: 746 case SSH_CHANNEL_MUX_LISTENER: 747 case SSH_CHANNEL_CLOSED: 748 case SSH_CHANNEL_AUTH_SOCKET: 749 case SSH_CHANNEL_DYNAMIC: 750 case SSH_CHANNEL_RDYNAMIC_OPEN: 751 case SSH_CHANNEL_CONNECTING: 752 case SSH_CHANNEL_ZOMBIE: 753 case SSH_CHANNEL_ABANDONED: 754 case SSH_CHANNEL_UNIX_LISTENER: 755 case SSH_CHANNEL_RUNIX_LISTENER: 756 continue; 757 case SSH_CHANNEL_LARVAL: 758 continue; 759 case SSH_CHANNEL_OPENING: 760 case SSH_CHANNEL_OPEN: 761 case SSH_CHANNEL_RDYNAMIC_FINISH: 762 case SSH_CHANNEL_X11_OPEN: 763 case SSH_CHANNEL_MUX_CLIENT: 764 case SSH_CHANNEL_MUX_PROXY: 765 return 1; 766 default: 767 fatal("%s: bad channel type %d", __func__, c->type); 768 /* NOTREACHED */ 769 } 770 } 771 return 0; 772 } 773 774 /* Returns the id of an open channel suitable for keepaliving */ 775 int 776 channel_find_open(struct ssh *ssh) 777 { 778 u_int i; 779 Channel *c; 780 781 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 782 c = ssh->chanctxt->channels[i]; 783 if (c == NULL || !c->have_remote_id) 784 continue; 785 switch (c->type) { 786 case SSH_CHANNEL_CLOSED: 787 case SSH_CHANNEL_DYNAMIC: 788 case SSH_CHANNEL_RDYNAMIC_OPEN: 789 case SSH_CHANNEL_RDYNAMIC_FINISH: 790 case SSH_CHANNEL_X11_LISTENER: 791 case SSH_CHANNEL_PORT_LISTENER: 792 case SSH_CHANNEL_RPORT_LISTENER: 793 case SSH_CHANNEL_MUX_LISTENER: 794 case SSH_CHANNEL_MUX_CLIENT: 795 case SSH_CHANNEL_MUX_PROXY: 796 case SSH_CHANNEL_OPENING: 797 case SSH_CHANNEL_CONNECTING: 798 case SSH_CHANNEL_ZOMBIE: 799 case SSH_CHANNEL_ABANDONED: 800 case SSH_CHANNEL_UNIX_LISTENER: 801 case SSH_CHANNEL_RUNIX_LISTENER: 802 continue; 803 case SSH_CHANNEL_LARVAL: 804 case SSH_CHANNEL_AUTH_SOCKET: 805 case SSH_CHANNEL_OPEN: 806 case SSH_CHANNEL_X11_OPEN: 807 return i; 808 default: 809 fatal("%s: bad channel type %d", __func__, c->type); 810 /* NOTREACHED */ 811 } 812 } 813 return -1; 814 } 815 816 /* Returns the state of the channel's extended usage flag */ 817 const char * 818 channel_format_extended_usage(const Channel *c) 819 { 820 if (c->efd == -1) 821 return "closed"; 822 823 switch (c->extended_usage) { 824 case CHAN_EXTENDED_WRITE: 825 return "write"; 826 case CHAN_EXTENDED_READ: 827 return "read"; 828 case CHAN_EXTENDED_IGNORE: 829 return "ignore"; 830 default: 831 return "UNKNOWN"; 832 } 833 } 834 835 static char * 836 channel_format_status(const Channel *c) 837 { 838 char *ret = NULL; 839 840 xasprintf(&ret, "t%d %s%u i%u/%zu o%u/%zu e[%s]/%zu " 841 "fd %d/%d/%d sock %d cc %d", 842 c->type, 843 c->have_remote_id ? "r" : "nr", c->remote_id, 844 c->istate, sshbuf_len(c->input), 845 c->ostate, sshbuf_len(c->output), 846 channel_format_extended_usage(c), sshbuf_len(c->extended), 847 c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan); 848 return ret; 849 } 850 851 /* 852 * Returns a message describing the currently open forwarded connections, 853 * suitable for sending to the client. The message contains crlf pairs for 854 * newlines. 855 */ 856 char * 857 channel_open_message(struct ssh *ssh) 858 { 859 struct sshbuf *buf; 860 Channel *c; 861 u_int i; 862 int r; 863 char *cp, *ret; 864 865 if ((buf = sshbuf_new()) == NULL) 866 fatal("%s: sshbuf_new", __func__); 867 if ((r = sshbuf_putf(buf, 868 "The following connections are open:\r\n")) != 0) 869 fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 870 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 871 c = ssh->chanctxt->channels[i]; 872 if (c == NULL) 873 continue; 874 switch (c->type) { 875 case SSH_CHANNEL_X11_LISTENER: 876 case SSH_CHANNEL_PORT_LISTENER: 877 case SSH_CHANNEL_RPORT_LISTENER: 878 case SSH_CHANNEL_CLOSED: 879 case SSH_CHANNEL_AUTH_SOCKET: 880 case SSH_CHANNEL_ZOMBIE: 881 case SSH_CHANNEL_ABANDONED: 882 case SSH_CHANNEL_MUX_LISTENER: 883 case SSH_CHANNEL_UNIX_LISTENER: 884 case SSH_CHANNEL_RUNIX_LISTENER: 885 continue; 886 case SSH_CHANNEL_LARVAL: 887 case SSH_CHANNEL_OPENING: 888 case SSH_CHANNEL_CONNECTING: 889 case SSH_CHANNEL_DYNAMIC: 890 case SSH_CHANNEL_RDYNAMIC_OPEN: 891 case SSH_CHANNEL_RDYNAMIC_FINISH: 892 case SSH_CHANNEL_OPEN: 893 case SSH_CHANNEL_X11_OPEN: 894 case SSH_CHANNEL_MUX_PROXY: 895 case SSH_CHANNEL_MUX_CLIENT: 896 cp = channel_format_status(c); 897 if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n", 898 c->self, c->remote_name, cp)) != 0) { 899 free(cp); 900 fatal("%s: sshbuf_putf: %s", 901 __func__, ssh_err(r)); 902 } 903 free(cp); 904 continue; 905 default: 906 fatal("%s: bad channel type %d", __func__, c->type); 907 /* NOTREACHED */ 908 } 909 } 910 if ((ret = sshbuf_dup_string(buf)) == NULL) 911 fatal("%s: sshbuf_dup_string", __func__); 912 sshbuf_free(buf); 913 return ret; 914 } 915 916 static void 917 open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type) 918 { 919 int r; 920 921 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 || 922 (r = sshpkt_put_cstring(ssh, type)) != 0 || 923 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 924 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 925 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { 926 fatal("%s: channel %i: open: %s", where, c->self, ssh_err(r)); 927 } 928 } 929 930 void 931 channel_send_open(struct ssh *ssh, int id) 932 { 933 Channel *c = channel_lookup(ssh, id); 934 int r; 935 936 if (c == NULL) { 937 logit("channel_send_open: %d: bad id", id); 938 return; 939 } 940 debug2("channel %d: send open", id); 941 open_preamble(ssh, __func__, c, c->ctype); 942 if ((r = sshpkt_send(ssh)) != 0) 943 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 944 } 945 946 void 947 channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm) 948 { 949 Channel *c = channel_lookup(ssh, id); 950 int r; 951 952 if (c == NULL) { 953 logit("%s: %d: unknown channel id", __func__, id); 954 return; 955 } 956 if (!c->have_remote_id) 957 fatal(":%s: channel %d: no remote id", __func__, c->self); 958 959 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 960 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 || 961 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 962 (r = sshpkt_put_cstring(ssh, service)) != 0 || 963 (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) { 964 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 965 } 966 } 967 968 void 969 channel_register_status_confirm(struct ssh *ssh, int id, 970 channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx) 971 { 972 struct channel_confirm *cc; 973 Channel *c; 974 975 if ((c = channel_lookup(ssh, id)) == NULL) 976 fatal("%s: %d: bad id", __func__, id); 977 978 cc = xcalloc(1, sizeof(*cc)); 979 cc->cb = cb; 980 cc->abandon_cb = abandon_cb; 981 cc->ctx = ctx; 982 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 983 } 984 985 void 986 channel_register_open_confirm(struct ssh *ssh, int id, 987 channel_open_fn *fn, void *ctx) 988 { 989 Channel *c = channel_lookup(ssh, id); 990 991 if (c == NULL) { 992 logit("%s: %d: bad id", __func__, id); 993 return; 994 } 995 c->open_confirm = fn; 996 c->open_confirm_ctx = ctx; 997 } 998 999 void 1000 channel_register_cleanup(struct ssh *ssh, int id, 1001 channel_callback_fn *fn, int do_close) 1002 { 1003 Channel *c = channel_by_id(ssh, id); 1004 1005 if (c == NULL) { 1006 logit("%s: %d: bad id", __func__, id); 1007 return; 1008 } 1009 c->detach_user = fn; 1010 c->detach_close = do_close; 1011 } 1012 1013 void 1014 channel_cancel_cleanup(struct ssh *ssh, int id) 1015 { 1016 Channel *c = channel_by_id(ssh, id); 1017 1018 if (c == NULL) { 1019 logit("%s: %d: bad id", __func__, id); 1020 return; 1021 } 1022 c->detach_user = NULL; 1023 c->detach_close = 0; 1024 } 1025 1026 void 1027 channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn, 1028 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 1029 { 1030 Channel *c = channel_lookup(ssh, id); 1031 1032 if (c == NULL) { 1033 logit("%s: %d: bad id", __func__, id); 1034 return; 1035 } 1036 c->input_filter = ifn; 1037 c->output_filter = ofn; 1038 c->filter_ctx = ctx; 1039 c->filter_cleanup = cfn; 1040 } 1041 1042 void 1043 channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd, 1044 int extusage, int nonblock, int is_tty, u_int window_max) 1045 { 1046 Channel *c = channel_lookup(ssh, id); 1047 int r; 1048 1049 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 1050 fatal("channel_activate for non-larval channel %d.", id); 1051 if (!c->have_remote_id) 1052 fatal(":%s: channel %d: no remote id", __func__, c->self); 1053 1054 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty); 1055 c->type = SSH_CHANNEL_OPEN; 1056 c->local_window = c->local_window_max = window_max; 1057 1058 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || 1059 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1060 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 1061 (r = sshpkt_send(ssh)) != 0) 1062 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 1063 } 1064 1065 static void 1066 channel_pre_listener(struct ssh *ssh, Channel *c, 1067 fd_set *readset, fd_set *writeset) 1068 { 1069 FD_SET(c->sock, readset); 1070 } 1071 1072 static void 1073 channel_pre_connecting(struct ssh *ssh, Channel *c, 1074 fd_set *readset, fd_set *writeset) 1075 { 1076 debug3("channel %d: waiting for connection", c->self); 1077 FD_SET(c->sock, writeset); 1078 } 1079 1080 static void 1081 channel_pre_open(struct ssh *ssh, Channel *c, 1082 fd_set *readset, fd_set *writeset) 1083 { 1084 if (c->istate == CHAN_INPUT_OPEN && 1085 c->remote_window > 0 && 1086 sshbuf_len(c->input) < c->remote_window && 1087 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0) 1088 FD_SET(c->rfd, readset); 1089 if (c->ostate == CHAN_OUTPUT_OPEN || 1090 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1091 if (sshbuf_len(c->output) > 0) { 1092 FD_SET(c->wfd, writeset); 1093 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1094 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 1095 debug2("channel %d: " 1096 "obuf_empty delayed efd %d/(%zu)", c->self, 1097 c->efd, sshbuf_len(c->extended)); 1098 else 1099 chan_obuf_empty(ssh, c); 1100 } 1101 } 1102 /** XXX check close conditions, too */ 1103 if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED && 1104 c->ostate == CHAN_OUTPUT_CLOSED)) { 1105 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1106 sshbuf_len(c->extended) > 0) 1107 FD_SET(c->efd, writeset); 1108 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 1109 (c->extended_usage == CHAN_EXTENDED_READ || 1110 c->extended_usage == CHAN_EXTENDED_IGNORE) && 1111 sshbuf_len(c->extended) < c->remote_window) 1112 FD_SET(c->efd, readset); 1113 } 1114 /* XXX: What about efd? races? */ 1115 } 1116 1117 /* 1118 * This is a special state for X11 authentication spoofing. An opened X11 1119 * connection (when authentication spoofing is being done) remains in this 1120 * state until the first packet has been completely read. The authentication 1121 * data in that packet is then substituted by the real data if it matches the 1122 * fake data, and the channel is put into normal mode. 1123 * XXX All this happens at the client side. 1124 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 1125 */ 1126 static int 1127 x11_open_helper(struct ssh *ssh, struct sshbuf *b) 1128 { 1129 struct ssh_channels *sc = ssh->chanctxt; 1130 u_char *ucp; 1131 u_int proto_len, data_len; 1132 1133 /* Is this being called after the refusal deadline? */ 1134 if (sc->x11_refuse_time != 0 && 1135 (u_int)monotime() >= sc->x11_refuse_time) { 1136 verbose("Rejected X11 connection after ForwardX11Timeout " 1137 "expired"); 1138 return -1; 1139 } 1140 1141 /* Check if the fixed size part of the packet is in buffer. */ 1142 if (sshbuf_len(b) < 12) 1143 return 0; 1144 1145 /* Parse the lengths of variable-length fields. */ 1146 ucp = sshbuf_mutable_ptr(b); 1147 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 1148 proto_len = 256 * ucp[6] + ucp[7]; 1149 data_len = 256 * ucp[8] + ucp[9]; 1150 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 1151 proto_len = ucp[6] + 256 * ucp[7]; 1152 data_len = ucp[8] + 256 * ucp[9]; 1153 } else { 1154 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 1155 ucp[0]); 1156 return -1; 1157 } 1158 1159 /* Check if the whole packet is in buffer. */ 1160 if (sshbuf_len(b) < 1161 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 1162 return 0; 1163 1164 /* Check if authentication protocol matches. */ 1165 if (proto_len != strlen(sc->x11_saved_proto) || 1166 memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) { 1167 debug2("X11 connection uses different authentication protocol."); 1168 return -1; 1169 } 1170 /* Check if authentication data matches our fake data. */ 1171 if (data_len != sc->x11_fake_data_len || 1172 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 1173 sc->x11_fake_data, sc->x11_fake_data_len) != 0) { 1174 debug2("X11 auth data does not match fake data."); 1175 return -1; 1176 } 1177 /* Check fake data length */ 1178 if (sc->x11_fake_data_len != sc->x11_saved_data_len) { 1179 error("X11 fake_data_len %d != saved_data_len %d", 1180 sc->x11_fake_data_len, sc->x11_saved_data_len); 1181 return -1; 1182 } 1183 /* 1184 * Received authentication protocol and data match 1185 * our fake data. Substitute the fake data with real 1186 * data. 1187 */ 1188 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 1189 sc->x11_saved_data, sc->x11_saved_data_len); 1190 return 1; 1191 } 1192 1193 static void 1194 channel_pre_x11_open(struct ssh *ssh, Channel *c, 1195 fd_set *readset, fd_set *writeset) 1196 { 1197 int ret = x11_open_helper(ssh, c->output); 1198 1199 /* c->force_drain = 1; */ 1200 1201 if (ret == 1) { 1202 c->type = SSH_CHANNEL_OPEN; 1203 channel_pre_open(ssh, c, readset, writeset); 1204 } else if (ret == -1) { 1205 logit("X11 connection rejected because of wrong authentication."); 1206 debug2("X11 rejected %d i%d/o%d", 1207 c->self, c->istate, c->ostate); 1208 chan_read_failed(ssh, c); 1209 sshbuf_reset(c->input); 1210 chan_ibuf_empty(ssh, c); 1211 sshbuf_reset(c->output); 1212 chan_write_failed(ssh, c); 1213 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 1214 } 1215 } 1216 1217 static void 1218 channel_pre_mux_client(struct ssh *ssh, 1219 Channel *c, fd_set *readset, fd_set *writeset) 1220 { 1221 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 1222 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0) 1223 FD_SET(c->rfd, readset); 1224 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1225 /* clear buffer immediately (discard any partial packet) */ 1226 sshbuf_reset(c->input); 1227 chan_ibuf_empty(ssh, c); 1228 /* Start output drain. XXX just kill chan? */ 1229 chan_rcvd_oclose(ssh, c); 1230 } 1231 if (c->ostate == CHAN_OUTPUT_OPEN || 1232 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1233 if (sshbuf_len(c->output) > 0) 1234 FD_SET(c->wfd, writeset); 1235 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1236 chan_obuf_empty(ssh, c); 1237 } 1238 } 1239 1240 /* try to decode a socks4 header */ 1241 static int 1242 channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output) 1243 { 1244 const u_char *p; 1245 char *host; 1246 u_int len, have, i, found, need; 1247 char username[256]; 1248 struct { 1249 u_int8_t version; 1250 u_int8_t command; 1251 u_int16_t dest_port; 1252 struct in_addr dest_addr; 1253 } s4_req, s4_rsp; 1254 int r; 1255 1256 debug2("channel %d: decode socks4", c->self); 1257 1258 have = sshbuf_len(input); 1259 len = sizeof(s4_req); 1260 if (have < len) 1261 return 0; 1262 p = sshbuf_ptr(input); 1263 1264 need = 1; 1265 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1266 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1267 debug2("channel %d: socks4a request", c->self); 1268 /* ... and needs an extra string (the hostname) */ 1269 need = 2; 1270 } 1271 /* Check for terminating NUL on the string(s) */ 1272 for (found = 0, i = len; i < have; i++) { 1273 if (p[i] == '\0') { 1274 found++; 1275 if (found == need) 1276 break; 1277 } 1278 if (i > 1024) { 1279 /* the peer is probably sending garbage */ 1280 debug("channel %d: decode socks4: too long", 1281 c->self); 1282 return -1; 1283 } 1284 } 1285 if (found < need) 1286 return 0; 1287 if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 || 1288 (r = sshbuf_get(input, &s4_req.command, 1)) != 0 || 1289 (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 || 1290 (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) { 1291 debug("channels %d: decode socks4: %s", c->self, ssh_err(r)); 1292 return -1; 1293 } 1294 have = sshbuf_len(input); 1295 p = sshbuf_ptr(input); 1296 if (memchr(p, '\0', have) == NULL) { 1297 error("channel %d: decode socks4: user not nul terminated", 1298 c->self); 1299 return -1; 1300 } 1301 len = strlen(p); 1302 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1303 len++; /* trailing '\0' */ 1304 strlcpy(username, p, sizeof(username)); 1305 if ((r = sshbuf_consume(input, len)) != 0) { 1306 fatal("%s: channel %d: consume: %s", __func__, 1307 c->self, ssh_err(r)); 1308 } 1309 free(c->path); 1310 c->path = NULL; 1311 if (need == 1) { /* SOCKS4: one string */ 1312 host = inet_ntoa(s4_req.dest_addr); 1313 c->path = xstrdup(host); 1314 } else { /* SOCKS4A: two strings */ 1315 have = sshbuf_len(input); 1316 p = sshbuf_ptr(input); 1317 if (memchr(p, '\0', have) == NULL) { 1318 error("channel %d: decode socks4a: host not nul " 1319 "terminated", c->self); 1320 return -1; 1321 } 1322 len = strlen(p); 1323 debug2("channel %d: decode socks4a: host %s/%d", 1324 c->self, p, len); 1325 len++; /* trailing '\0' */ 1326 if (len > NI_MAXHOST) { 1327 error("channel %d: hostname \"%.100s\" too long", 1328 c->self, p); 1329 return -1; 1330 } 1331 c->path = xstrdup(p); 1332 if ((r = sshbuf_consume(input, len)) != 0) { 1333 fatal("%s: channel %d: consume: %s", __func__, 1334 c->self, ssh_err(r)); 1335 } 1336 } 1337 c->host_port = ntohs(s4_req.dest_port); 1338 1339 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1340 c->self, c->path, c->host_port, s4_req.command); 1341 1342 if (s4_req.command != 1) { 1343 debug("channel %d: cannot handle: %s cn %d", 1344 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1345 return -1; 1346 } 1347 s4_rsp.version = 0; /* vn: 0 for reply */ 1348 s4_rsp.command = 90; /* cd: req granted */ 1349 s4_rsp.dest_port = 0; /* ignored */ 1350 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1351 if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) { 1352 fatal("%s: channel %d: append reply: %s", __func__, 1353 c->self, ssh_err(r)); 1354 } 1355 return 1; 1356 } 1357 1358 /* try to decode a socks5 header */ 1359 #define SSH_SOCKS5_AUTHDONE 0x1000 1360 #define SSH_SOCKS5_NOAUTH 0x00 1361 #define SSH_SOCKS5_IPV4 0x01 1362 #define SSH_SOCKS5_DOMAIN 0x03 1363 #define SSH_SOCKS5_IPV6 0x04 1364 #define SSH_SOCKS5_CONNECT 0x01 1365 #define SSH_SOCKS5_SUCCESS 0x00 1366 1367 static int 1368 channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) 1369 { 1370 /* XXX use get/put_u8 instead of trusting struct padding */ 1371 struct { 1372 u_int8_t version; 1373 u_int8_t command; 1374 u_int8_t reserved; 1375 u_int8_t atyp; 1376 } s5_req, s5_rsp; 1377 u_int16_t dest_port; 1378 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1379 const u_char *p; 1380 u_int have, need, i, found, nmethods, addrlen, af; 1381 int r; 1382 1383 debug2("channel %d: decode socks5", c->self); 1384 p = sshbuf_ptr(input); 1385 if (p[0] != 0x05) 1386 return -1; 1387 have = sshbuf_len(input); 1388 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1389 /* format: ver | nmethods | methods */ 1390 if (have < 2) 1391 return 0; 1392 nmethods = p[1]; 1393 if (have < nmethods + 2) 1394 return 0; 1395 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1396 for (found = 0, i = 2; i < nmethods + 2; i++) { 1397 if (p[i] == SSH_SOCKS5_NOAUTH) { 1398 found = 1; 1399 break; 1400 } 1401 } 1402 if (!found) { 1403 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1404 c->self); 1405 return -1; 1406 } 1407 if ((r = sshbuf_consume(input, nmethods + 2)) != 0) { 1408 fatal("%s: channel %d: consume: %s", __func__, 1409 c->self, ssh_err(r)); 1410 } 1411 /* version, method */ 1412 if ((r = sshbuf_put_u8(output, 0x05)) != 0 || 1413 (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0) { 1414 fatal("%s: channel %d: append reply: %s", __func__, 1415 c->self, ssh_err(r)); 1416 } 1417 c->flags |= SSH_SOCKS5_AUTHDONE; 1418 debug2("channel %d: socks5 auth done", c->self); 1419 return 0; /* need more */ 1420 } 1421 debug2("channel %d: socks5 post auth", c->self); 1422 if (have < sizeof(s5_req)+1) 1423 return 0; /* need more */ 1424 memcpy(&s5_req, p, sizeof(s5_req)); 1425 if (s5_req.version != 0x05 || 1426 s5_req.command != SSH_SOCKS5_CONNECT || 1427 s5_req.reserved != 0x00) { 1428 debug2("channel %d: only socks5 connect supported", c->self); 1429 return -1; 1430 } 1431 switch (s5_req.atyp){ 1432 case SSH_SOCKS5_IPV4: 1433 addrlen = 4; 1434 af = AF_INET; 1435 break; 1436 case SSH_SOCKS5_DOMAIN: 1437 addrlen = p[sizeof(s5_req)]; 1438 af = -1; 1439 break; 1440 case SSH_SOCKS5_IPV6: 1441 addrlen = 16; 1442 af = AF_INET6; 1443 break; 1444 default: 1445 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1446 return -1; 1447 } 1448 need = sizeof(s5_req) + addrlen + 2; 1449 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1450 need++; 1451 if (have < need) 1452 return 0; 1453 if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) { 1454 fatal("%s: channel %d: consume: %s", __func__, 1455 c->self, ssh_err(r)); 1456 } 1457 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1458 /* host string length */ 1459 if ((r = sshbuf_consume(input, 1)) != 0) { 1460 fatal("%s: channel %d: consume: %s", __func__, 1461 c->self, ssh_err(r)); 1462 } 1463 } 1464 if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 || 1465 (r = sshbuf_get(input, &dest_port, 2)) != 0) { 1466 debug("channel %d: parse addr/port: %s", c->self, ssh_err(r)); 1467 return -1; 1468 } 1469 dest_addr[addrlen] = '\0'; 1470 free(c->path); 1471 c->path = NULL; 1472 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1473 if (addrlen >= NI_MAXHOST) { 1474 error("channel %d: dynamic request: socks5 hostname " 1475 "\"%.100s\" too long", c->self, dest_addr); 1476 return -1; 1477 } 1478 c->path = xstrdup(dest_addr); 1479 } else { 1480 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1481 return -1; 1482 c->path = xstrdup(ntop); 1483 } 1484 c->host_port = ntohs(dest_port); 1485 1486 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1487 c->self, c->path, c->host_port, s5_req.command); 1488 1489 s5_rsp.version = 0x05; 1490 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1491 s5_rsp.reserved = 0; /* ignored */ 1492 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1493 dest_port = 0; /* ignored */ 1494 1495 if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 || 1496 (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 || 1497 (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0) 1498 fatal("%s: channel %d: append reply: %s", __func__, 1499 c->self, ssh_err(r)); 1500 return 1; 1501 } 1502 1503 Channel * 1504 channel_connect_stdio_fwd(struct ssh *ssh, 1505 const char *host_to_connect, u_short port_to_connect, int in, int out) 1506 { 1507 Channel *c; 1508 1509 debug("%s %s:%d", __func__, host_to_connect, port_to_connect); 1510 1511 c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out, 1512 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1513 0, "stdio-forward", /*nonblock*/0); 1514 1515 c->path = xstrdup(host_to_connect); 1516 c->host_port = port_to_connect; 1517 c->listening_port = 0; 1518 c->force_drain = 1; 1519 1520 channel_register_fds(ssh, c, in, out, -1, 0, 1, 0); 1521 port_open_helper(ssh, c, "direct-tcpip"); 1522 1523 return c; 1524 } 1525 1526 /* dynamic port forwarding */ 1527 static void 1528 channel_pre_dynamic(struct ssh *ssh, Channel *c, 1529 fd_set *readset, fd_set *writeset) 1530 { 1531 const u_char *p; 1532 u_int have; 1533 int ret; 1534 1535 have = sshbuf_len(c->input); 1536 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1537 /* sshbuf_dump(c->input, stderr); */ 1538 /* check if the fixed size part of the packet is in buffer. */ 1539 if (have < 3) { 1540 /* need more */ 1541 FD_SET(c->sock, readset); 1542 return; 1543 } 1544 /* try to guess the protocol */ 1545 p = sshbuf_ptr(c->input); 1546 /* XXX sshbuf_peek_u8? */ 1547 switch (p[0]) { 1548 case 0x04: 1549 ret = channel_decode_socks4(c, c->input, c->output); 1550 break; 1551 case 0x05: 1552 ret = channel_decode_socks5(c, c->input, c->output); 1553 break; 1554 default: 1555 ret = -1; 1556 break; 1557 } 1558 if (ret < 0) { 1559 chan_mark_dead(ssh, c); 1560 } else if (ret == 0) { 1561 debug2("channel %d: pre_dynamic: need more", c->self); 1562 /* need more */ 1563 FD_SET(c->sock, readset); 1564 if (sshbuf_len(c->output)) 1565 FD_SET(c->sock, writeset); 1566 } else { 1567 /* switch to the next state */ 1568 c->type = SSH_CHANNEL_OPENING; 1569 port_open_helper(ssh, c, "direct-tcpip"); 1570 } 1571 } 1572 1573 /* simulate read-error */ 1574 static void 1575 rdynamic_close(struct ssh *ssh, Channel *c) 1576 { 1577 c->type = SSH_CHANNEL_OPEN; 1578 chan_read_failed(ssh, c); 1579 sshbuf_reset(c->input); 1580 chan_ibuf_empty(ssh, c); 1581 sshbuf_reset(c->output); 1582 chan_write_failed(ssh, c); 1583 } 1584 1585 /* reverse dynamic port forwarding */ 1586 static void 1587 channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c) 1588 { 1589 const u_char *p; 1590 u_int have, len; 1591 int r, ret; 1592 1593 have = sshbuf_len(c->output); 1594 debug2("channel %d: pre_rdynamic: have %d", c->self, have); 1595 /* sshbuf_dump(c->output, stderr); */ 1596 /* EOF received */ 1597 if (c->flags & CHAN_EOF_RCVD) { 1598 if ((r = sshbuf_consume(c->output, have)) != 0) { 1599 fatal("%s: channel %d: consume: %s", 1600 __func__, c->self, ssh_err(r)); 1601 } 1602 rdynamic_close(ssh, c); 1603 return; 1604 } 1605 /* check if the fixed size part of the packet is in buffer. */ 1606 if (have < 3) 1607 return; 1608 /* try to guess the protocol */ 1609 p = sshbuf_ptr(c->output); 1610 switch (p[0]) { 1611 case 0x04: 1612 /* switch input/output for reverse forwarding */ 1613 ret = channel_decode_socks4(c, c->output, c->input); 1614 break; 1615 case 0x05: 1616 ret = channel_decode_socks5(c, c->output, c->input); 1617 break; 1618 default: 1619 ret = -1; 1620 break; 1621 } 1622 if (ret < 0) { 1623 rdynamic_close(ssh, c); 1624 } else if (ret == 0) { 1625 debug2("channel %d: pre_rdynamic: need more", c->self); 1626 /* send socks request to peer */ 1627 len = sshbuf_len(c->input); 1628 if (len > 0 && len < c->remote_window) { 1629 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 1630 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1631 (r = sshpkt_put_stringb(ssh, c->input)) != 0 || 1632 (r = sshpkt_send(ssh)) != 0) { 1633 fatal("%s: channel %i: rdynamic: %s", __func__, 1634 c->self, ssh_err(r)); 1635 } 1636 if ((r = sshbuf_consume(c->input, len)) != 0) { 1637 fatal("%s: channel %d: consume: %s", 1638 __func__, c->self, ssh_err(r)); 1639 } 1640 c->remote_window -= len; 1641 } 1642 } else if (rdynamic_connect_finish(ssh, c) < 0) { 1643 /* the connect failed */ 1644 rdynamic_close(ssh, c); 1645 } 1646 } 1647 1648 /* This is our fake X11 server socket. */ 1649 static void 1650 channel_post_x11_listener(struct ssh *ssh, Channel *c, 1651 fd_set *readset, fd_set *writeset) 1652 { 1653 Channel *nc; 1654 struct sockaddr_storage addr; 1655 int r, newsock, oerrno, remote_port; 1656 socklen_t addrlen; 1657 char buf[16384], *remote_ipaddr; 1658 1659 if (!FD_ISSET(c->sock, readset)) 1660 return; 1661 1662 debug("X11 connection requested."); 1663 addrlen = sizeof(addr); 1664 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1665 if (c->single_connection) { 1666 oerrno = errno; 1667 debug2("single_connection: closing X11 listener."); 1668 channel_close_fd(ssh, &c->sock); 1669 chan_mark_dead(ssh, c); 1670 errno = oerrno; 1671 } 1672 if (newsock == -1) { 1673 if (errno != EINTR && errno != EWOULDBLOCK && 1674 errno != ECONNABORTED) 1675 error("accept: %.100s", strerror(errno)); 1676 if (errno == EMFILE || errno == ENFILE) 1677 c->notbefore = monotime() + 1; 1678 return; 1679 } 1680 set_nodelay(newsock); 1681 remote_ipaddr = get_peer_ipaddr(newsock); 1682 remote_port = get_peer_port(newsock); 1683 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1684 remote_ipaddr, remote_port); 1685 1686 nc = channel_new(ssh, "accepted x11 socket", 1687 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1688 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1689 open_preamble(ssh, __func__, nc, "x11"); 1690 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || 1691 (r = sshpkt_put_u32(ssh, remote_port)) != 0) { 1692 fatal("%s: channel %i: reply %s", __func__, 1693 c->self, ssh_err(r)); 1694 } 1695 if ((r = sshpkt_send(ssh)) != 0) 1696 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r)); 1697 free(remote_ipaddr); 1698 } 1699 1700 static void 1701 port_open_helper(struct ssh *ssh, Channel *c, char *rtype) 1702 { 1703 char *local_ipaddr = get_local_ipaddr(c->sock); 1704 int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock); 1705 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1706 int remote_port = get_peer_port(c->sock); 1707 int r; 1708 1709 if (remote_port == -1) { 1710 /* Fake addr/port to appease peers that validate it (Tectia) */ 1711 free(remote_ipaddr); 1712 remote_ipaddr = xstrdup("127.0.0.1"); 1713 remote_port = 65535; 1714 } 1715 1716 free(c->remote_name); 1717 xasprintf(&c->remote_name, 1718 "%s: listening port %d for %.100s port %d, " 1719 "connect from %.200s port %d to %.100s port %d", 1720 rtype, c->listening_port, c->path, c->host_port, 1721 remote_ipaddr, remote_port, local_ipaddr, local_port); 1722 1723 open_preamble(ssh, __func__, c, rtype); 1724 if (strcmp(rtype, "direct-tcpip") == 0) { 1725 /* target host, port */ 1726 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || 1727 (r = sshpkt_put_u32(ssh, c->host_port)) != 0) { 1728 fatal("%s: channel %i: reply %s", __func__, 1729 c->self, ssh_err(r)); 1730 } 1731 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) { 1732 /* target path */ 1733 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) { 1734 fatal("%s: channel %i: reply %s", __func__, 1735 c->self, ssh_err(r)); 1736 } 1737 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1738 /* listen path */ 1739 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) { 1740 fatal("%s: channel %i: reply %s", __func__, 1741 c->self, ssh_err(r)); 1742 } 1743 } else { 1744 /* listen address, port */ 1745 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || 1746 (r = sshpkt_put_u32(ssh, local_port)) != 0) { 1747 fatal("%s: channel %i: reply %s", __func__, 1748 c->self, ssh_err(r)); 1749 } 1750 } 1751 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1752 /* reserved for future owner/mode info */ 1753 if ((r = sshpkt_put_cstring(ssh, "")) != 0) { 1754 fatal("%s: channel %i: reply %s", __func__, 1755 c->self, ssh_err(r)); 1756 } 1757 } else { 1758 /* originator host and port */ 1759 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || 1760 (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) { 1761 fatal("%s: channel %i: reply %s", __func__, 1762 c->self, ssh_err(r)); 1763 } 1764 } 1765 if ((r = sshpkt_send(ssh)) != 0) 1766 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r)); 1767 free(remote_ipaddr); 1768 free(local_ipaddr); 1769 } 1770 1771 void 1772 channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time) 1773 { 1774 ssh->chanctxt->x11_refuse_time = refuse_time; 1775 } 1776 1777 /* 1778 * This socket is listening for connections to a forwarded TCP/IP port. 1779 */ 1780 static void 1781 channel_post_port_listener(struct ssh *ssh, Channel *c, 1782 fd_set *readset, fd_set *writeset) 1783 { 1784 Channel *nc; 1785 struct sockaddr_storage addr; 1786 int newsock, nextstate; 1787 socklen_t addrlen; 1788 char *rtype; 1789 1790 if (!FD_ISSET(c->sock, readset)) 1791 return; 1792 1793 debug("Connection to port %d forwarding to %.100s port %d requested.", 1794 c->listening_port, c->path, c->host_port); 1795 1796 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1797 nextstate = SSH_CHANNEL_OPENING; 1798 rtype = "forwarded-tcpip"; 1799 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) { 1800 nextstate = SSH_CHANNEL_OPENING; 1801 rtype = "forwarded-streamlocal@openssh.com"; 1802 } else if (c->host_port == PORT_STREAMLOCAL) { 1803 nextstate = SSH_CHANNEL_OPENING; 1804 rtype = "direct-streamlocal@openssh.com"; 1805 } else if (c->host_port == 0) { 1806 nextstate = SSH_CHANNEL_DYNAMIC; 1807 rtype = "dynamic-tcpip"; 1808 } else { 1809 nextstate = SSH_CHANNEL_OPENING; 1810 rtype = "direct-tcpip"; 1811 } 1812 1813 addrlen = sizeof(addr); 1814 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1815 if (newsock == -1) { 1816 if (errno != EINTR && errno != EWOULDBLOCK && 1817 errno != ECONNABORTED) 1818 error("accept: %.100s", strerror(errno)); 1819 if (errno == EMFILE || errno == ENFILE) 1820 c->notbefore = monotime() + 1; 1821 return; 1822 } 1823 if (c->host_port != PORT_STREAMLOCAL) 1824 set_nodelay(newsock); 1825 nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1, 1826 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1827 nc->listening_port = c->listening_port; 1828 nc->host_port = c->host_port; 1829 if (c->path != NULL) 1830 nc->path = xstrdup(c->path); 1831 1832 if (nextstate != SSH_CHANNEL_DYNAMIC) 1833 port_open_helper(ssh, nc, rtype); 1834 } 1835 1836 /* 1837 * This is the authentication agent socket listening for connections from 1838 * clients. 1839 */ 1840 static void 1841 channel_post_auth_listener(struct ssh *ssh, Channel *c, 1842 fd_set *readset, fd_set *writeset) 1843 { 1844 Channel *nc; 1845 int r, newsock; 1846 struct sockaddr_storage addr; 1847 socklen_t addrlen; 1848 1849 if (!FD_ISSET(c->sock, readset)) 1850 return; 1851 1852 addrlen = sizeof(addr); 1853 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1854 if (newsock == -1) { 1855 error("accept from auth socket: %.100s", strerror(errno)); 1856 if (errno == EMFILE || errno == ENFILE) 1857 c->notbefore = monotime() + 1; 1858 return; 1859 } 1860 nc = channel_new(ssh, "accepted auth socket", 1861 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1862 c->local_window_max, c->local_maxpacket, 1863 0, "accepted auth socket", 1); 1864 open_preamble(ssh, __func__, nc, "auth-agent@openssh.com"); 1865 if ((r = sshpkt_send(ssh)) != 0) 1866 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 1867 } 1868 1869 static void 1870 channel_post_connecting(struct ssh *ssh, Channel *c, 1871 fd_set *readset, fd_set *writeset) 1872 { 1873 int err = 0, sock, isopen, r; 1874 socklen_t sz = sizeof(err); 1875 1876 if (!FD_ISSET(c->sock, writeset)) 1877 return; 1878 if (!c->have_remote_id) 1879 fatal(":%s: channel %d: no remote id", __func__, c->self); 1880 /* for rdynamic the OPEN_CONFIRMATION has been sent already */ 1881 isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH); 1882 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) == -1) { 1883 err = errno; 1884 error("getsockopt SO_ERROR failed"); 1885 } 1886 if (err == 0) { 1887 debug("channel %d: connected to %s port %d", 1888 c->self, c->connect_ctx.host, c->connect_ctx.port); 1889 channel_connect_ctx_free(&c->connect_ctx); 1890 c->type = SSH_CHANNEL_OPEN; 1891 if (isopen) { 1892 /* no message necessary */ 1893 } else { 1894 if ((r = sshpkt_start(ssh, 1895 SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || 1896 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1897 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 1898 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 1899 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) 1900 != 0) 1901 fatal("%s: channel %i: confirm: %s", __func__, 1902 c->self, ssh_err(r)); 1903 if ((r = sshpkt_send(ssh)) != 0) 1904 fatal("%s: channel %i: %s", __func__, c->self, 1905 ssh_err(r)); 1906 } 1907 } else { 1908 debug("channel %d: connection failed: %s", 1909 c->self, strerror(err)); 1910 /* Try next address, if any */ 1911 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1912 close(c->sock); 1913 c->sock = c->rfd = c->wfd = sock; 1914 channel_find_maxfd(ssh->chanctxt); 1915 return; 1916 } 1917 /* Exhausted all addresses */ 1918 error("connect_to %.100s port %d: failed.", 1919 c->connect_ctx.host, c->connect_ctx.port); 1920 channel_connect_ctx_free(&c->connect_ctx); 1921 if (isopen) { 1922 rdynamic_close(ssh, c); 1923 } else { 1924 if ((r = sshpkt_start(ssh, 1925 SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 || 1926 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1927 (r = sshpkt_put_u32(ssh, 1928 SSH2_OPEN_CONNECT_FAILED)) != 0 || 1929 (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 || 1930 (r = sshpkt_put_cstring(ssh, "")) != 0) { 1931 fatal("%s: channel %i: failure: %s", __func__, 1932 c->self, ssh_err(r)); 1933 } 1934 if ((r = sshpkt_send(ssh)) != 0) 1935 fatal("%s: channel %i: %s", __func__, c->self, 1936 ssh_err(r)); 1937 chan_mark_dead(ssh, c); 1938 } 1939 } 1940 } 1941 1942 static int 1943 channel_handle_rfd(struct ssh *ssh, Channel *c, 1944 fd_set *readset, fd_set *writeset) 1945 { 1946 char buf[CHAN_RBUF]; 1947 ssize_t len; 1948 int r, force; 1949 1950 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1951 1952 if (c->rfd == -1 || (!force && !FD_ISSET(c->rfd, readset))) 1953 return 1; 1954 1955 errno = 0; 1956 len = read(c->rfd, buf, sizeof(buf)); 1957 if (len == -1 && (errno == EINTR || 1958 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1959 return 1; 1960 #ifndef PTY_ZEROREAD 1961 if (len <= 0) { 1962 #else 1963 if ((!c->isatty && len <= 0) || 1964 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1965 #endif 1966 debug2("channel %d: read<=0 rfd %d len %zd", 1967 c->self, c->rfd, len); 1968 if (c->type != SSH_CHANNEL_OPEN) { 1969 debug2("channel %d: not open", c->self); 1970 chan_mark_dead(ssh, c); 1971 return -1; 1972 } else { 1973 chan_read_failed(ssh, c); 1974 } 1975 return -1; 1976 } 1977 if (c->input_filter != NULL) { 1978 if (c->input_filter(ssh, c, buf, len) == -1) { 1979 debug2("channel %d: filter stops", c->self); 1980 chan_read_failed(ssh, c); 1981 } 1982 } else if (c->datagram) { 1983 if ((r = sshbuf_put_string(c->input, buf, len)) != 0) 1984 fatal("%s: channel %d: put datagram: %s", __func__, 1985 c->self, ssh_err(r)); 1986 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) { 1987 fatal("%s: channel %d: put data: %s", __func__, 1988 c->self, ssh_err(r)); 1989 } 1990 return 1; 1991 } 1992 1993 static int 1994 channel_handle_wfd(struct ssh *ssh, Channel *c, 1995 fd_set *readset, fd_set *writeset) 1996 { 1997 struct termios tio; 1998 u_char *data = NULL, *buf; /* XXX const; need filter API change */ 1999 size_t dlen, olen = 0; 2000 int r, len; 2001 2002 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) || 2003 sshbuf_len(c->output) == 0) 2004 return 1; 2005 2006 /* Send buffered output data to the socket. */ 2007 olen = sshbuf_len(c->output); 2008 if (c->output_filter != NULL) { 2009 if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) { 2010 debug2("channel %d: filter stops", c->self); 2011 if (c->type != SSH_CHANNEL_OPEN) 2012 chan_mark_dead(ssh, c); 2013 else 2014 chan_write_failed(ssh, c); 2015 return -1; 2016 } 2017 } else if (c->datagram) { 2018 if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0) 2019 fatal("%s: channel %d: get datagram: %s", __func__, 2020 c->self, ssh_err(r)); 2021 buf = data; 2022 } else { 2023 buf = data = sshbuf_mutable_ptr(c->output); 2024 dlen = sshbuf_len(c->output); 2025 } 2026 2027 if (c->datagram) { 2028 /* ignore truncated writes, datagrams might get lost */ 2029 len = write(c->wfd, buf, dlen); 2030 free(data); 2031 if (len == -1 && (errno == EINTR || errno == EAGAIN || 2032 errno == EWOULDBLOCK)) 2033 return 1; 2034 if (len <= 0) 2035 goto write_fail; 2036 goto out; 2037 } 2038 2039 #ifdef _AIX 2040 /* XXX: Later AIX versions can't push as much data to tty */ 2041 if (c->wfd_isatty) 2042 dlen = MIN(dlen, 8*1024); 2043 #endif 2044 2045 len = write(c->wfd, buf, dlen); 2046 if (len == -1 && 2047 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 2048 return 1; 2049 if (len <= 0) { 2050 write_fail: 2051 if (c->type != SSH_CHANNEL_OPEN) { 2052 debug2("channel %d: not open", c->self); 2053 chan_mark_dead(ssh, c); 2054 return -1; 2055 } else { 2056 chan_write_failed(ssh, c); 2057 } 2058 return -1; 2059 } 2060 #ifndef BROKEN_TCGETATTR_ICANON 2061 if (c->isatty && dlen >= 1 && buf[0] != '\r') { 2062 if (tcgetattr(c->wfd, &tio) == 0 && 2063 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 2064 /* 2065 * Simulate echo to reduce the impact of 2066 * traffic analysis. We need to match the 2067 * size of a SSH2_MSG_CHANNEL_DATA message 2068 * (4 byte channel id + buf) 2069 */ 2070 if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 || 2071 (r = sshpkt_send(ssh)) != 0) 2072 fatal("%s: channel %d: ignore: %s", 2073 __func__, c->self, ssh_err(r)); 2074 } 2075 } 2076 #endif /* BROKEN_TCGETATTR_ICANON */ 2077 if ((r = sshbuf_consume(c->output, len)) != 0) { 2078 fatal("%s: channel %d: consume: %s", 2079 __func__, c->self, ssh_err(r)); 2080 } 2081 out: 2082 c->local_consumed += olen - sshbuf_len(c->output); 2083 2084 return 1; 2085 } 2086 2087 static int 2088 channel_handle_efd_write(struct ssh *ssh, Channel *c, 2089 fd_set *readset, fd_set *writeset) 2090 { 2091 int r; 2092 ssize_t len; 2093 2094 if (!FD_ISSET(c->efd, writeset) || sshbuf_len(c->extended) == 0) 2095 return 1; 2096 2097 len = write(c->efd, sshbuf_ptr(c->extended), 2098 sshbuf_len(c->extended)); 2099 debug2("channel %d: written %zd to efd %d", c->self, len, c->efd); 2100 if (len == -1 && (errno == EINTR || errno == EAGAIN || 2101 errno == EWOULDBLOCK)) 2102 return 1; 2103 if (len <= 0) { 2104 debug2("channel %d: closing write-efd %d", c->self, c->efd); 2105 channel_close_fd(ssh, &c->efd); 2106 } else { 2107 if ((r = sshbuf_consume(c->extended, len)) != 0) { 2108 fatal("%s: channel %d: consume: %s", 2109 __func__, c->self, ssh_err(r)); 2110 } 2111 c->local_consumed += len; 2112 } 2113 return 1; 2114 } 2115 2116 static int 2117 channel_handle_efd_read(struct ssh *ssh, Channel *c, 2118 fd_set *readset, fd_set *writeset) 2119 { 2120 char buf[CHAN_RBUF]; 2121 ssize_t len; 2122 int r, force; 2123 2124 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 2125 2126 if (c->efd == -1 || (!force && !FD_ISSET(c->efd, readset))) 2127 return 1; 2128 2129 len = read(c->efd, buf, sizeof(buf)); 2130 debug2("channel %d: read %zd from efd %d", c->self, len, c->efd); 2131 if (len == -1 && (errno == EINTR || ((errno == EAGAIN || 2132 errno == EWOULDBLOCK) && !force))) 2133 return 1; 2134 if (len <= 0) { 2135 debug2("channel %d: closing read-efd %d", 2136 c->self, c->efd); 2137 channel_close_fd(ssh, &c->efd); 2138 } else { 2139 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 2140 debug3("channel %d: discard efd", 2141 c->self); 2142 } else if ((r = sshbuf_put(c->extended, buf, len)) != 0) { 2143 fatal("%s: channel %d: append: %s", 2144 __func__, c->self, ssh_err(r)); 2145 } 2146 } 2147 return 1; 2148 } 2149 2150 static int 2151 channel_handle_efd(struct ssh *ssh, Channel *c, 2152 fd_set *readset, fd_set *writeset) 2153 { 2154 if (c->efd == -1) 2155 return 1; 2156 2157 /** XXX handle drain efd, too */ 2158 2159 if (c->extended_usage == CHAN_EXTENDED_WRITE) 2160 return channel_handle_efd_write(ssh, c, readset, writeset); 2161 else if (c->extended_usage == CHAN_EXTENDED_READ || 2162 c->extended_usage == CHAN_EXTENDED_IGNORE) 2163 return channel_handle_efd_read(ssh, c, readset, writeset); 2164 2165 return 1; 2166 } 2167 2168 static int 2169 channel_check_window(struct ssh *ssh, Channel *c) 2170 { 2171 int r; 2172 2173 if (c->type == SSH_CHANNEL_OPEN && 2174 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 2175 ((c->local_window_max - c->local_window > 2176 c->local_maxpacket*3) || 2177 c->local_window < c->local_window_max/2) && 2178 c->local_consumed > 0) { 2179 if (!c->have_remote_id) 2180 fatal(":%s: channel %d: no remote id", 2181 __func__, c->self); 2182 if ((r = sshpkt_start(ssh, 2183 SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || 2184 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2185 (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || 2186 (r = sshpkt_send(ssh)) != 0) { 2187 fatal("%s: channel %i: %s", __func__, 2188 c->self, ssh_err(r)); 2189 } 2190 debug2("channel %d: window %d sent adjust %d", 2191 c->self, c->local_window, 2192 c->local_consumed); 2193 c->local_window += c->local_consumed; 2194 c->local_consumed = 0; 2195 } 2196 return 1; 2197 } 2198 2199 static void 2200 channel_post_open(struct ssh *ssh, Channel *c, 2201 fd_set *readset, fd_set *writeset) 2202 { 2203 channel_handle_rfd(ssh, c, readset, writeset); 2204 channel_handle_wfd(ssh, c, readset, writeset); 2205 channel_handle_efd(ssh, c, readset, writeset); 2206 channel_check_window(ssh, c); 2207 } 2208 2209 static u_int 2210 read_mux(struct ssh *ssh, Channel *c, u_int need) 2211 { 2212 char buf[CHAN_RBUF]; 2213 ssize_t len; 2214 u_int rlen; 2215 int r; 2216 2217 if (sshbuf_len(c->input) < need) { 2218 rlen = need - sshbuf_len(c->input); 2219 len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF)); 2220 if (len == -1 && (errno == EINTR || errno == EAGAIN)) 2221 return sshbuf_len(c->input); 2222 if (len <= 0) { 2223 debug2("channel %d: ctl read<=0 rfd %d len %zd", 2224 c->self, c->rfd, len); 2225 chan_read_failed(ssh, c); 2226 return 0; 2227 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) { 2228 fatal("%s: channel %d: append: %s", 2229 __func__, c->self, ssh_err(r)); 2230 } 2231 } 2232 return sshbuf_len(c->input); 2233 } 2234 2235 static void 2236 channel_post_mux_client_read(struct ssh *ssh, Channel *c, 2237 fd_set *readset, fd_set *writeset) 2238 { 2239 u_int need; 2240 2241 if (c->rfd == -1 || !FD_ISSET(c->rfd, readset)) 2242 return; 2243 if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN) 2244 return; 2245 if (c->mux_pause) 2246 return; 2247 2248 /* 2249 * Don't not read past the precise end of packets to 2250 * avoid disrupting fd passing. 2251 */ 2252 if (read_mux(ssh, c, 4) < 4) /* read header */ 2253 return; 2254 /* XXX sshbuf_peek_u32 */ 2255 need = PEEK_U32(sshbuf_ptr(c->input)); 2256 #define CHANNEL_MUX_MAX_PACKET (256 * 1024) 2257 if (need > CHANNEL_MUX_MAX_PACKET) { 2258 debug2("channel %d: packet too big %u > %u", 2259 c->self, CHANNEL_MUX_MAX_PACKET, need); 2260 chan_rcvd_oclose(ssh, c); 2261 return; 2262 } 2263 if (read_mux(ssh, c, need + 4) < need + 4) /* read body */ 2264 return; 2265 if (c->mux_rcb(ssh, c) != 0) { 2266 debug("channel %d: mux_rcb failed", c->self); 2267 chan_mark_dead(ssh, c); 2268 return; 2269 } 2270 } 2271 2272 static void 2273 channel_post_mux_client_write(struct ssh *ssh, Channel *c, 2274 fd_set *readset, fd_set *writeset) 2275 { 2276 ssize_t len; 2277 int r; 2278 2279 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) || 2280 sshbuf_len(c->output) == 0) 2281 return; 2282 2283 len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output)); 2284 if (len == -1 && (errno == EINTR || errno == EAGAIN)) 2285 return; 2286 if (len <= 0) { 2287 chan_mark_dead(ssh, c); 2288 return; 2289 } 2290 if ((r = sshbuf_consume(c->output, len)) != 0) 2291 fatal("%s: channel %d: consume: %s", __func__, 2292 c->self, ssh_err(r)); 2293 } 2294 2295 static void 2296 channel_post_mux_client(struct ssh *ssh, Channel *c, 2297 fd_set *readset, fd_set *writeset) 2298 { 2299 channel_post_mux_client_read(ssh, c, readset, writeset); 2300 channel_post_mux_client_write(ssh, c, readset, writeset); 2301 } 2302 2303 static void 2304 channel_post_mux_listener(struct ssh *ssh, Channel *c, 2305 fd_set *readset, fd_set *writeset) 2306 { 2307 Channel *nc; 2308 struct sockaddr_storage addr; 2309 socklen_t addrlen; 2310 int newsock; 2311 uid_t euid; 2312 gid_t egid; 2313 2314 if (!FD_ISSET(c->sock, readset)) 2315 return; 2316 2317 debug("multiplexing control connection"); 2318 2319 /* 2320 * Accept connection on control socket 2321 */ 2322 memset(&addr, 0, sizeof(addr)); 2323 addrlen = sizeof(addr); 2324 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 2325 &addrlen)) == -1) { 2326 error("%s accept: %s", __func__, strerror(errno)); 2327 if (errno == EMFILE || errno == ENFILE) 2328 c->notbefore = monotime() + 1; 2329 return; 2330 } 2331 2332 if (getpeereid(newsock, &euid, &egid) == -1) { 2333 error("%s getpeereid failed: %s", __func__, 2334 strerror(errno)); 2335 close(newsock); 2336 return; 2337 } 2338 if ((euid != 0) && (getuid() != euid)) { 2339 error("multiplex uid mismatch: peer euid %u != uid %u", 2340 (u_int)euid, (u_int)getuid()); 2341 close(newsock); 2342 return; 2343 } 2344 nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT, 2345 newsock, newsock, -1, c->local_window_max, 2346 c->local_maxpacket, 0, "mux-control", 1); 2347 nc->mux_rcb = c->mux_rcb; 2348 debug3("%s: new mux channel %d fd %d", __func__, nc->self, nc->sock); 2349 /* establish state */ 2350 nc->mux_rcb(ssh, nc); 2351 /* mux state transitions must not elicit protocol messages */ 2352 nc->flags |= CHAN_LOCAL; 2353 } 2354 2355 static void 2356 channel_handler_init(struct ssh_channels *sc) 2357 { 2358 chan_fn **pre, **post; 2359 2360 if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL || 2361 (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL) 2362 fatal("%s: allocation failed", __func__); 2363 2364 pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2365 pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2366 pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2367 pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 2368 pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener; 2369 pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener; 2370 pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2371 pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2372 pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2373 pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2374 pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting; 2375 pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 2376 pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 2377 2378 post[SSH_CHANNEL_OPEN] = &channel_post_open; 2379 post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2380 post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 2381 post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener; 2382 post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener; 2383 post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2384 post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2385 post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2386 post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2387 post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting; 2388 post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 2389 post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 2390 2391 sc->channel_pre = pre; 2392 sc->channel_post = post; 2393 } 2394 2395 /* gc dead channels */ 2396 static void 2397 channel_garbage_collect(struct ssh *ssh, Channel *c) 2398 { 2399 if (c == NULL) 2400 return; 2401 if (c->detach_user != NULL) { 2402 if (!chan_is_dead(ssh, c, c->detach_close)) 2403 return; 2404 2405 debug2("channel %d: gc: notify user", c->self); 2406 c->detach_user(ssh, c->self, NULL); 2407 /* if we still have a callback */ 2408 if (c->detach_user != NULL) 2409 return; 2410 debug2("channel %d: gc: user detached", c->self); 2411 } 2412 if (!chan_is_dead(ssh, c, 1)) 2413 return; 2414 debug2("channel %d: garbage collecting", c->self); 2415 channel_free(ssh, c); 2416 } 2417 2418 enum channel_table { CHAN_PRE, CHAN_POST }; 2419 2420 static void 2421 channel_handler(struct ssh *ssh, int table, 2422 fd_set *readset, fd_set *writeset, time_t *unpause_secs) 2423 { 2424 struct ssh_channels *sc = ssh->chanctxt; 2425 chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post; 2426 u_int i, oalloc; 2427 Channel *c; 2428 time_t now; 2429 2430 now = monotime(); 2431 if (unpause_secs != NULL) 2432 *unpause_secs = 0; 2433 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { 2434 c = sc->channels[i]; 2435 if (c == NULL) 2436 continue; 2437 if (c->delayed) { 2438 if (table == CHAN_PRE) 2439 c->delayed = 0; 2440 else 2441 continue; 2442 } 2443 if (ftab[c->type] != NULL) { 2444 /* 2445 * Run handlers that are not paused. 2446 */ 2447 if (c->notbefore <= now) 2448 (*ftab[c->type])(ssh, c, readset, writeset); 2449 else if (unpause_secs != NULL) { 2450 /* 2451 * Collect the time that the earliest 2452 * channel comes off pause. 2453 */ 2454 debug3("%s: chan %d: skip for %d more seconds", 2455 __func__, c->self, 2456 (int)(c->notbefore - now)); 2457 if (*unpause_secs == 0 || 2458 (c->notbefore - now) < *unpause_secs) 2459 *unpause_secs = c->notbefore - now; 2460 } 2461 } 2462 channel_garbage_collect(ssh, c); 2463 } 2464 if (unpause_secs != NULL && *unpause_secs != 0) 2465 debug3("%s: first channel unpauses in %d seconds", 2466 __func__, (int)*unpause_secs); 2467 } 2468 2469 /* 2470 * Create sockets before allocating the select bitmasks. 2471 * This is necessary for things that need to happen after reading 2472 * the network-input but before channel_prepare_select(). 2473 */ 2474 static void 2475 channel_before_prepare_select(struct ssh *ssh) 2476 { 2477 struct ssh_channels *sc = ssh->chanctxt; 2478 Channel *c; 2479 u_int i, oalloc; 2480 2481 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { 2482 c = sc->channels[i]; 2483 if (c == NULL) 2484 continue; 2485 if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN) 2486 channel_before_prepare_select_rdynamic(ssh, c); 2487 } 2488 } 2489 2490 /* 2491 * Allocate/update select bitmasks and add any bits relevant to channels in 2492 * select bitmasks. 2493 */ 2494 void 2495 channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp, 2496 int *maxfdp, u_int *nallocp, time_t *minwait_secs) 2497 { 2498 u_int n, sz, nfdset; 2499 2500 channel_before_prepare_select(ssh); /* might update channel_max_fd */ 2501 2502 n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd); 2503 2504 nfdset = howmany(n+1, NFDBITS); 2505 /* Explicitly test here, because xrealloc isn't always called */ 2506 if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask)) 2507 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2508 sz = nfdset * sizeof(fd_mask); 2509 2510 /* perhaps check sz < nalloc/2 and shrink? */ 2511 if (*readsetp == NULL || sz > *nallocp) { 2512 *readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask)); 2513 *writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask)); 2514 *nallocp = sz; 2515 } 2516 *maxfdp = n; 2517 memset(*readsetp, 0, sz); 2518 memset(*writesetp, 0, sz); 2519 2520 if (!ssh_packet_is_rekeying(ssh)) 2521 channel_handler(ssh, CHAN_PRE, *readsetp, *writesetp, 2522 minwait_secs); 2523 } 2524 2525 /* 2526 * After select, perform any appropriate operations for channels which have 2527 * events pending. 2528 */ 2529 void 2530 channel_after_select(struct ssh *ssh, fd_set *readset, fd_set *writeset) 2531 { 2532 channel_handler(ssh, CHAN_POST, readset, writeset, NULL); 2533 } 2534 2535 /* 2536 * Enqueue data for channels with open or draining c->input. 2537 */ 2538 static void 2539 channel_output_poll_input_open(struct ssh *ssh, Channel *c) 2540 { 2541 size_t len, plen; 2542 const u_char *pkt; 2543 int r; 2544 2545 if ((len = sshbuf_len(c->input)) == 0) { 2546 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2547 /* 2548 * input-buffer is empty and read-socket shutdown: 2549 * tell peer, that we will not send more data: 2550 * send IEOF. 2551 * hack for extended data: delay EOF if EFD still 2552 * in use. 2553 */ 2554 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2555 debug2("channel %d: " 2556 "ibuf_empty delayed efd %d/(%zu)", 2557 c->self, c->efd, sshbuf_len(c->extended)); 2558 else 2559 chan_ibuf_empty(ssh, c); 2560 } 2561 return; 2562 } 2563 2564 if (!c->have_remote_id) 2565 fatal(":%s: channel %d: no remote id", __func__, c->self); 2566 2567 if (c->datagram) { 2568 /* Check datagram will fit; drop if not */ 2569 if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0) 2570 fatal("%s: channel %d: get datagram: %s", __func__, 2571 c->self, ssh_err(r)); 2572 /* 2573 * XXX this does tail-drop on the datagram queue which is 2574 * usually suboptimal compared to head-drop. Better to have 2575 * backpressure at read time? (i.e. read + discard) 2576 */ 2577 if (plen > c->remote_window || plen > c->remote_maxpacket) { 2578 debug("channel %d: datagram too big", c->self); 2579 return; 2580 } 2581 /* Enqueue it */ 2582 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 2583 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2584 (r = sshpkt_put_string(ssh, pkt, plen)) != 0 || 2585 (r = sshpkt_send(ssh)) != 0) { 2586 fatal("%s: channel %i: datagram: %s", __func__, 2587 c->self, ssh_err(r)); 2588 } 2589 c->remote_window -= plen; 2590 return; 2591 } 2592 2593 /* Enqueue packet for buffered data. */ 2594 if (len > c->remote_window) 2595 len = c->remote_window; 2596 if (len > c->remote_maxpacket) 2597 len = c->remote_maxpacket; 2598 if (len == 0) 2599 return; 2600 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 2601 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2602 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 || 2603 (r = sshpkt_send(ssh)) != 0) { 2604 fatal("%s: channel %i: data: %s", __func__, 2605 c->self, ssh_err(r)); 2606 } 2607 if ((r = sshbuf_consume(c->input, len)) != 0) 2608 fatal("%s: channel %i: consume: %s", __func__, 2609 c->self, ssh_err(r)); 2610 c->remote_window -= len; 2611 } 2612 2613 /* 2614 * Enqueue data for channels with open c->extended in read mode. 2615 */ 2616 static void 2617 channel_output_poll_extended_read(struct ssh *ssh, Channel *c) 2618 { 2619 size_t len; 2620 int r; 2621 2622 if ((len = sshbuf_len(c->extended)) == 0) 2623 return; 2624 2625 debug2("channel %d: rwin %u elen %zu euse %d", c->self, 2626 c->remote_window, sshbuf_len(c->extended), c->extended_usage); 2627 if (len > c->remote_window) 2628 len = c->remote_window; 2629 if (len > c->remote_maxpacket) 2630 len = c->remote_maxpacket; 2631 if (len == 0) 2632 return; 2633 if (!c->have_remote_id) 2634 fatal(":%s: channel %d: no remote id", __func__, c->self); 2635 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 || 2636 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2637 (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 || 2638 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 || 2639 (r = sshpkt_send(ssh)) != 0) { 2640 fatal("%s: channel %i: data: %s", __func__, 2641 c->self, ssh_err(r)); 2642 } 2643 if ((r = sshbuf_consume(c->extended, len)) != 0) 2644 fatal("%s: channel %i: consume: %s", __func__, 2645 c->self, ssh_err(r)); 2646 c->remote_window -= len; 2647 debug2("channel %d: sent ext data %zu", c->self, len); 2648 } 2649 2650 /* If there is data to send to the connection, enqueue some of it now. */ 2651 void 2652 channel_output_poll(struct ssh *ssh) 2653 { 2654 struct ssh_channels *sc = ssh->chanctxt; 2655 Channel *c; 2656 u_int i; 2657 2658 for (i = 0; i < sc->channels_alloc; i++) { 2659 c = sc->channels[i]; 2660 if (c == NULL) 2661 continue; 2662 2663 /* 2664 * We are only interested in channels that can have buffered 2665 * incoming data. 2666 */ 2667 if (c->type != SSH_CHANNEL_OPEN) 2668 continue; 2669 if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2670 /* XXX is this true? */ 2671 debug3("channel %d: will not send data after close", 2672 c->self); 2673 continue; 2674 } 2675 2676 /* Get the amount of buffered data for this channel. */ 2677 if (c->istate == CHAN_INPUT_OPEN || 2678 c->istate == CHAN_INPUT_WAIT_DRAIN) 2679 channel_output_poll_input_open(ssh, c); 2680 /* Send extended data, i.e. stderr */ 2681 if (!(c->flags & CHAN_EOF_SENT) && 2682 c->extended_usage == CHAN_EXTENDED_READ) 2683 channel_output_poll_extended_read(ssh, c); 2684 } 2685 } 2686 2687 /* -- mux proxy support */ 2688 2689 /* 2690 * When multiplexing channel messages for mux clients we have to deal 2691 * with downstream messages from the mux client and upstream messages 2692 * from the ssh server: 2693 * 1) Handling downstream messages is straightforward and happens 2694 * in channel_proxy_downstream(): 2695 * - We forward all messages (mostly) unmodified to the server. 2696 * - However, in order to route messages from upstream to the correct 2697 * downstream client, we have to replace the channel IDs used by the 2698 * mux clients with a unique channel ID because the mux clients might 2699 * use conflicting channel IDs. 2700 * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and 2701 * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local 2702 * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID 2703 * with the newly allocated channel ID. 2704 * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY 2705 * channels and processed by channel_proxy_upstream(). The local channel ID 2706 * is then translated back to the original mux client ID. 2707 * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE 2708 * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels. 2709 * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the 2710 * downstream mux client are removed. 2711 * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server 2712 * requires more work, because they are not addressed to a specific 2713 * channel. E.g. client_request_forwarded_tcpip() needs to figure 2714 * out whether the request is addressed to the local client or a 2715 * specific downstream client based on the listen-address/port. 2716 * 6) Agent and X11-Forwarding have a similar problem and are currently 2717 * not supported as the matching session/channel cannot be identified 2718 * easily. 2719 */ 2720 2721 /* 2722 * receive packets from downstream mux clients: 2723 * channel callback fired on read from mux client, creates 2724 * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs 2725 * on channel creation. 2726 */ 2727 int 2728 channel_proxy_downstream(struct ssh *ssh, Channel *downstream) 2729 { 2730 Channel *c = NULL; 2731 struct sshbuf *original = NULL, *modified = NULL; 2732 const u_char *cp; 2733 char *ctype = NULL, *listen_host = NULL; 2734 u_char type; 2735 size_t have; 2736 int ret = -1, r; 2737 u_int id, remote_id, listen_port; 2738 2739 /* sshbuf_dump(downstream->input, stderr); */ 2740 if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have)) 2741 != 0) { 2742 error("%s: malformed message: %s", __func__, ssh_err(r)); 2743 return -1; 2744 } 2745 if (have < 2) { 2746 error("%s: short message", __func__); 2747 return -1; 2748 } 2749 type = cp[1]; 2750 /* skip padlen + type */ 2751 cp += 2; 2752 have -= 2; 2753 if (ssh_packet_log_type(type)) 2754 debug3("%s: channel %u: down->up: type %u", __func__, 2755 downstream->self, type); 2756 2757 switch (type) { 2758 case SSH2_MSG_CHANNEL_OPEN: 2759 if ((original = sshbuf_from(cp, have)) == NULL || 2760 (modified = sshbuf_new()) == NULL) { 2761 error("%s: alloc", __func__); 2762 goto out; 2763 } 2764 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 || 2765 (r = sshbuf_get_u32(original, &id)) != 0) { 2766 error("%s: parse error %s", __func__, ssh_err(r)); 2767 goto out; 2768 } 2769 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY, 2770 -1, -1, -1, 0, 0, 0, ctype, 1); 2771 c->mux_ctx = downstream; /* point to mux client */ 2772 c->mux_downstream_id = id; /* original downstream id */ 2773 if ((r = sshbuf_put_cstring(modified, ctype)) != 0 || 2774 (r = sshbuf_put_u32(modified, c->self)) != 0 || 2775 (r = sshbuf_putb(modified, original)) != 0) { 2776 error("%s: compose error %s", __func__, ssh_err(r)); 2777 channel_free(ssh, c); 2778 goto out; 2779 } 2780 break; 2781 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2782 /* 2783 * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we 2784 * need to parse 'remote_id' instead of 'ctype'. 2785 */ 2786 if ((original = sshbuf_from(cp, have)) == NULL || 2787 (modified = sshbuf_new()) == NULL) { 2788 error("%s: alloc", __func__); 2789 goto out; 2790 } 2791 if ((r = sshbuf_get_u32(original, &remote_id)) != 0 || 2792 (r = sshbuf_get_u32(original, &id)) != 0) { 2793 error("%s: parse error %s", __func__, ssh_err(r)); 2794 goto out; 2795 } 2796 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY, 2797 -1, -1, -1, 0, 0, 0, "mux-down-connect", 1); 2798 c->mux_ctx = downstream; /* point to mux client */ 2799 c->mux_downstream_id = id; 2800 c->remote_id = remote_id; 2801 c->have_remote_id = 1; 2802 if ((r = sshbuf_put_u32(modified, remote_id)) != 0 || 2803 (r = sshbuf_put_u32(modified, c->self)) != 0 || 2804 (r = sshbuf_putb(modified, original)) != 0) { 2805 error("%s: compose error %s", __func__, ssh_err(r)); 2806 channel_free(ssh, c); 2807 goto out; 2808 } 2809 break; 2810 case SSH2_MSG_GLOBAL_REQUEST: 2811 if ((original = sshbuf_from(cp, have)) == NULL) { 2812 error("%s: alloc", __func__); 2813 goto out; 2814 } 2815 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) { 2816 error("%s: parse error %s", __func__, ssh_err(r)); 2817 goto out; 2818 } 2819 if (strcmp(ctype, "tcpip-forward") != 0) { 2820 error("%s: unsupported request %s", __func__, ctype); 2821 goto out; 2822 } 2823 if ((r = sshbuf_get_u8(original, NULL)) != 0 || 2824 (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 || 2825 (r = sshbuf_get_u32(original, &listen_port)) != 0) { 2826 error("%s: parse error %s", __func__, ssh_err(r)); 2827 goto out; 2828 } 2829 if (listen_port > 65535) { 2830 error("%s: tcpip-forward for %s: bad port %u", 2831 __func__, listen_host, listen_port); 2832 goto out; 2833 } 2834 /* Record that connection to this host/port is permitted. */ 2835 permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1, 2836 listen_host, NULL, (int)listen_port, downstream); 2837 listen_host = NULL; 2838 break; 2839 case SSH2_MSG_CHANNEL_CLOSE: 2840 if (have < 4) 2841 break; 2842 remote_id = PEEK_U32(cp); 2843 if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) { 2844 if (c->flags & CHAN_CLOSE_RCVD) 2845 channel_free(ssh, c); 2846 else 2847 c->flags |= CHAN_CLOSE_SENT; 2848 } 2849 break; 2850 } 2851 if (modified) { 2852 if ((r = sshpkt_start(ssh, type)) != 0 || 2853 (r = sshpkt_putb(ssh, modified)) != 0 || 2854 (r = sshpkt_send(ssh)) != 0) { 2855 error("%s: send %s", __func__, ssh_err(r)); 2856 goto out; 2857 } 2858 } else { 2859 if ((r = sshpkt_start(ssh, type)) != 0 || 2860 (r = sshpkt_put(ssh, cp, have)) != 0 || 2861 (r = sshpkt_send(ssh)) != 0) { 2862 error("%s: send %s", __func__, ssh_err(r)); 2863 goto out; 2864 } 2865 } 2866 ret = 0; 2867 out: 2868 free(ctype); 2869 free(listen_host); 2870 sshbuf_free(original); 2871 sshbuf_free(modified); 2872 return ret; 2873 } 2874 2875 /* 2876 * receive packets from upstream server and de-multiplex packets 2877 * to correct downstream: 2878 * implemented as a helper for channel input handlers, 2879 * replaces local (proxy) channel ID with downstream channel ID. 2880 */ 2881 int 2882 channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh) 2883 { 2884 struct sshbuf *b = NULL; 2885 Channel *downstream; 2886 const u_char *cp = NULL; 2887 size_t len; 2888 int r; 2889 2890 /* 2891 * When receiving packets from the peer we need to check whether we 2892 * need to forward the packets to the mux client. In this case we 2893 * restore the original channel id and keep track of CLOSE messages, 2894 * so we can cleanup the channel. 2895 */ 2896 if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY) 2897 return 0; 2898 if ((downstream = c->mux_ctx) == NULL) 2899 return 0; 2900 switch (type) { 2901 case SSH2_MSG_CHANNEL_CLOSE: 2902 case SSH2_MSG_CHANNEL_DATA: 2903 case SSH2_MSG_CHANNEL_EOF: 2904 case SSH2_MSG_CHANNEL_EXTENDED_DATA: 2905 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2906 case SSH2_MSG_CHANNEL_OPEN_FAILURE: 2907 case SSH2_MSG_CHANNEL_WINDOW_ADJUST: 2908 case SSH2_MSG_CHANNEL_SUCCESS: 2909 case SSH2_MSG_CHANNEL_FAILURE: 2910 case SSH2_MSG_CHANNEL_REQUEST: 2911 break; 2912 default: 2913 debug2("%s: channel %u: unsupported type %u", __func__, 2914 c->self, type); 2915 return 0; 2916 } 2917 if ((b = sshbuf_new()) == NULL) { 2918 error("%s: alloc reply", __func__); 2919 goto out; 2920 } 2921 /* get remaining payload (after id) */ 2922 cp = sshpkt_ptr(ssh, &len); 2923 if (cp == NULL) { 2924 error("%s: no packet", __func__); 2925 goto out; 2926 } 2927 /* translate id and send to muxclient */ 2928 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */ 2929 (r = sshbuf_put_u8(b, type)) != 0 || 2930 (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 || 2931 (r = sshbuf_put(b, cp, len)) != 0 || 2932 (r = sshbuf_put_stringb(downstream->output, b)) != 0) { 2933 error("%s: compose for muxclient %s", __func__, ssh_err(r)); 2934 goto out; 2935 } 2936 /* sshbuf_dump(b, stderr); */ 2937 if (ssh_packet_log_type(type)) 2938 debug3("%s: channel %u: up->down: type %u", __func__, c->self, 2939 type); 2940 out: 2941 /* update state */ 2942 switch (type) { 2943 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2944 /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */ 2945 if (cp && len > 4) { 2946 c->remote_id = PEEK_U32(cp); 2947 c->have_remote_id = 1; 2948 } 2949 break; 2950 case SSH2_MSG_CHANNEL_CLOSE: 2951 if (c->flags & CHAN_CLOSE_SENT) 2952 channel_free(ssh, c); 2953 else 2954 c->flags |= CHAN_CLOSE_RCVD; 2955 break; 2956 } 2957 sshbuf_free(b); 2958 return 1; 2959 } 2960 2961 /* -- protocol input */ 2962 2963 /* Parse a channel ID from the current packet */ 2964 static int 2965 channel_parse_id(struct ssh *ssh, const char *where, const char *what) 2966 { 2967 u_int32_t id; 2968 int r; 2969 2970 if ((r = sshpkt_get_u32(ssh, &id)) != 0) { 2971 error("%s: parse id: %s", where, ssh_err(r)); 2972 ssh_packet_disconnect(ssh, "Invalid %s message", what); 2973 } 2974 if (id > INT_MAX) { 2975 error("%s: bad channel id %u: %s", where, id, ssh_err(r)); 2976 ssh_packet_disconnect(ssh, "Invalid %s channel id", what); 2977 } 2978 return (int)id; 2979 } 2980 2981 /* Lookup a channel from an ID in the current packet */ 2982 static Channel * 2983 channel_from_packet_id(struct ssh *ssh, const char *where, const char *what) 2984 { 2985 int id = channel_parse_id(ssh, where, what); 2986 Channel *c; 2987 2988 if ((c = channel_lookup(ssh, id)) == NULL) { 2989 ssh_packet_disconnect(ssh, 2990 "%s packet referred to nonexistent channel %d", what, id); 2991 } 2992 return c; 2993 } 2994 2995 int 2996 channel_input_data(int type, u_int32_t seq, struct ssh *ssh) 2997 { 2998 const u_char *data; 2999 size_t data_len, win_len; 3000 Channel *c = channel_from_packet_id(ssh, __func__, "data"); 3001 int r; 3002 3003 if (channel_proxy_upstream(c, type, seq, ssh)) 3004 return 0; 3005 3006 /* Ignore any data for non-open channels (might happen on close) */ 3007 if (c->type != SSH_CHANNEL_OPEN && 3008 c->type != SSH_CHANNEL_RDYNAMIC_OPEN && 3009 c->type != SSH_CHANNEL_RDYNAMIC_FINISH && 3010 c->type != SSH_CHANNEL_X11_OPEN) 3011 return 0; 3012 3013 /* Get the data. */ 3014 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || 3015 (r = sshpkt_get_end(ssh)) != 0) 3016 fatal("%s: channel %d: get data: %s", __func__, 3017 c->self, ssh_err(r)); 3018 3019 win_len = data_len; 3020 if (c->datagram) 3021 win_len += 4; /* string length header */ 3022 3023 /* 3024 * The sending side reduces its window as it sends data, so we 3025 * must 'fake' consumption of the data in order to ensure that window 3026 * updates are sent back. Otherwise the connection might deadlock. 3027 */ 3028 if (c->ostate != CHAN_OUTPUT_OPEN) { 3029 c->local_window -= win_len; 3030 c->local_consumed += win_len; 3031 return 0; 3032 } 3033 3034 if (win_len > c->local_maxpacket) { 3035 logit("channel %d: rcvd big packet %zu, maxpack %u", 3036 c->self, win_len, c->local_maxpacket); 3037 return 0; 3038 } 3039 if (win_len > c->local_window) { 3040 logit("channel %d: rcvd too much data %zu, win %u", 3041 c->self, win_len, c->local_window); 3042 return 0; 3043 } 3044 c->local_window -= win_len; 3045 3046 if (c->datagram) { 3047 if ((r = sshbuf_put_string(c->output, data, data_len)) != 0) 3048 fatal("%s: channel %d: append datagram: %s", 3049 __func__, c->self, ssh_err(r)); 3050 } else if ((r = sshbuf_put(c->output, data, data_len)) != 0) 3051 fatal("%s: channel %d: append data: %s", 3052 __func__, c->self, ssh_err(r)); 3053 3054 return 0; 3055 } 3056 3057 int 3058 channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh) 3059 { 3060 const u_char *data; 3061 size_t data_len; 3062 u_int32_t tcode; 3063 Channel *c = channel_from_packet_id(ssh, __func__, "extended data"); 3064 int r; 3065 3066 if (channel_proxy_upstream(c, type, seq, ssh)) 3067 return 0; 3068 if (c->type != SSH_CHANNEL_OPEN) { 3069 logit("channel %d: ext data for non open", c->self); 3070 return 0; 3071 } 3072 if (c->flags & CHAN_EOF_RCVD) { 3073 if (datafellows & SSH_BUG_EXTEOF) 3074 debug("channel %d: accepting ext data after eof", 3075 c->self); 3076 else 3077 ssh_packet_disconnect(ssh, "Received extended_data " 3078 "after EOF on channel %d.", c->self); 3079 } 3080 3081 if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) { 3082 error("%s: parse tcode: %s", __func__, ssh_err(r)); 3083 ssh_packet_disconnect(ssh, "Invalid extended_data message"); 3084 } 3085 if (c->efd == -1 || 3086 c->extended_usage != CHAN_EXTENDED_WRITE || 3087 tcode != SSH2_EXTENDED_DATA_STDERR) { 3088 logit("channel %d: bad ext data", c->self); 3089 return 0; 3090 } 3091 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || 3092 (r = sshpkt_get_end(ssh)) != 0) { 3093 error("%s: parse data: %s", __func__, ssh_err(r)); 3094 ssh_packet_disconnect(ssh, "Invalid extended_data message"); 3095 } 3096 3097 if (data_len > c->local_window) { 3098 logit("channel %d: rcvd too much extended_data %zu, win %u", 3099 c->self, data_len, c->local_window); 3100 return 0; 3101 } 3102 debug2("channel %d: rcvd ext data %zu", c->self, data_len); 3103 /* XXX sshpkt_getb? */ 3104 if ((r = sshbuf_put(c->extended, data, data_len)) != 0) 3105 error("%s: append: %s", __func__, ssh_err(r)); 3106 c->local_window -= data_len; 3107 return 0; 3108 } 3109 3110 int 3111 channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh) 3112 { 3113 Channel *c = channel_from_packet_id(ssh, __func__, "ieof"); 3114 int r; 3115 3116 if ((r = sshpkt_get_end(ssh)) != 0) { 3117 error("%s: parse data: %s", __func__, ssh_err(r)); 3118 ssh_packet_disconnect(ssh, "Invalid ieof message"); 3119 } 3120 3121 if (channel_proxy_upstream(c, type, seq, ssh)) 3122 return 0; 3123 chan_rcvd_ieof(ssh, c); 3124 3125 /* XXX force input close */ 3126 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 3127 debug("channel %d: FORCE input drain", c->self); 3128 c->istate = CHAN_INPUT_WAIT_DRAIN; 3129 if (sshbuf_len(c->input) == 0) 3130 chan_ibuf_empty(ssh, c); 3131 } 3132 return 0; 3133 } 3134 3135 int 3136 channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh) 3137 { 3138 Channel *c = channel_from_packet_id(ssh, __func__, "oclose"); 3139 int r; 3140 3141 if (channel_proxy_upstream(c, type, seq, ssh)) 3142 return 0; 3143 if ((r = sshpkt_get_end(ssh)) != 0) { 3144 error("%s: parse data: %s", __func__, ssh_err(r)); 3145 ssh_packet_disconnect(ssh, "Invalid oclose message"); 3146 } 3147 chan_rcvd_oclose(ssh, c); 3148 return 0; 3149 } 3150 3151 int 3152 channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh) 3153 { 3154 Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation"); 3155 u_int32_t remote_window, remote_maxpacket; 3156 int r; 3157 3158 if (channel_proxy_upstream(c, type, seq, ssh)) 3159 return 0; 3160 if (c->type != SSH_CHANNEL_OPENING) 3161 ssh_packet_disconnect(ssh, "Received open confirmation for " 3162 "non-opening channel %d.", c->self); 3163 /* 3164 * Record the remote channel number and mark that the channel 3165 * is now open. 3166 */ 3167 if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 || 3168 (r = sshpkt_get_u32(ssh, &remote_window)) != 0 || 3169 (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 || 3170 (r = sshpkt_get_end(ssh)) != 0) { 3171 error("%s: window/maxpacket: %s", __func__, ssh_err(r)); 3172 ssh_packet_disconnect(ssh, "Invalid open confirmation message"); 3173 } 3174 3175 c->have_remote_id = 1; 3176 c->remote_window = remote_window; 3177 c->remote_maxpacket = remote_maxpacket; 3178 c->type = SSH_CHANNEL_OPEN; 3179 if (c->open_confirm) { 3180 debug2("%s: channel %d: callback start", __func__, c->self); 3181 c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx); 3182 debug2("%s: channel %d: callback done", __func__, c->self); 3183 } 3184 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 3185 c->remote_window, c->remote_maxpacket); 3186 return 0; 3187 } 3188 3189 static char * 3190 reason2txt(int reason) 3191 { 3192 switch (reason) { 3193 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 3194 return "administratively prohibited"; 3195 case SSH2_OPEN_CONNECT_FAILED: 3196 return "connect failed"; 3197 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 3198 return "unknown channel type"; 3199 case SSH2_OPEN_RESOURCE_SHORTAGE: 3200 return "resource shortage"; 3201 } 3202 return "unknown reason"; 3203 } 3204 3205 int 3206 channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh) 3207 { 3208 Channel *c = channel_from_packet_id(ssh, __func__, "open failure"); 3209 u_int32_t reason; 3210 char *msg = NULL; 3211 int r; 3212 3213 if (channel_proxy_upstream(c, type, seq, ssh)) 3214 return 0; 3215 if (c->type != SSH_CHANNEL_OPENING) 3216 ssh_packet_disconnect(ssh, "Received open failure for " 3217 "non-opening channel %d.", c->self); 3218 if ((r = sshpkt_get_u32(ssh, &reason)) != 0) { 3219 error("%s: reason: %s", __func__, ssh_err(r)); 3220 ssh_packet_disconnect(ssh, "Invalid open failure message"); 3221 } 3222 /* skip language */ 3223 if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 || 3224 (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0 || 3225 (r = sshpkt_get_end(ssh)) != 0) { 3226 error("%s: message/lang: %s", __func__, ssh_err(r)); 3227 ssh_packet_disconnect(ssh, "Invalid open failure message"); 3228 } 3229 logit("channel %d: open failed: %s%s%s", c->self, 3230 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 3231 free(msg); 3232 if (c->open_confirm) { 3233 debug2("%s: channel %d: callback start", __func__, c->self); 3234 c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx); 3235 debug2("%s: channel %d: callback done", __func__, c->self); 3236 } 3237 /* Schedule the channel for cleanup/deletion. */ 3238 chan_mark_dead(ssh, c); 3239 return 0; 3240 } 3241 3242 int 3243 channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh) 3244 { 3245 int id = channel_parse_id(ssh, __func__, "window adjust"); 3246 Channel *c; 3247 u_int32_t adjust; 3248 u_int new_rwin; 3249 int r; 3250 3251 if ((c = channel_lookup(ssh, id)) == NULL) { 3252 logit("Received window adjust for non-open channel %d.", id); 3253 return 0; 3254 } 3255 3256 if (channel_proxy_upstream(c, type, seq, ssh)) 3257 return 0; 3258 if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 || 3259 (r = sshpkt_get_end(ssh)) != 0) { 3260 error("%s: adjust: %s", __func__, ssh_err(r)); 3261 ssh_packet_disconnect(ssh, "Invalid window adjust message"); 3262 } 3263 debug2("channel %d: rcvd adjust %u", c->self, adjust); 3264 if ((new_rwin = c->remote_window + adjust) < c->remote_window) { 3265 fatal("channel %d: adjust %u overflows remote window %u", 3266 c->self, adjust, c->remote_window); 3267 } 3268 c->remote_window = new_rwin; 3269 return 0; 3270 } 3271 3272 int 3273 channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh) 3274 { 3275 int id = channel_parse_id(ssh, __func__, "status confirm"); 3276 Channel *c; 3277 struct channel_confirm *cc; 3278 3279 /* Reset keepalive timeout */ 3280 ssh_packet_set_alive_timeouts(ssh, 0); 3281 3282 debug2("%s: type %d id %d", __func__, type, id); 3283 3284 if ((c = channel_lookup(ssh, id)) == NULL) { 3285 logit("%s: %d: unknown", __func__, id); 3286 return 0; 3287 } 3288 if (channel_proxy_upstream(c, type, seq, ssh)) 3289 return 0; 3290 if (sshpkt_get_end(ssh) != 0) 3291 ssh_packet_disconnect(ssh, "Invalid status confirm message"); 3292 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 3293 return 0; 3294 cc->cb(ssh, type, c, cc->ctx); 3295 TAILQ_REMOVE(&c->status_confirms, cc, entry); 3296 freezero(cc, sizeof(*cc)); 3297 return 0; 3298 } 3299 3300 /* -- tcp forwarding */ 3301 3302 void 3303 channel_set_af(struct ssh *ssh, int af) 3304 { 3305 ssh->chanctxt->IPv4or6 = af; 3306 } 3307 3308 3309 /* 3310 * Determine whether or not a port forward listens to loopback, the 3311 * specified address or wildcard. On the client, a specified bind 3312 * address will always override gateway_ports. On the server, a 3313 * gateway_ports of 1 (``yes'') will override the client's specification 3314 * and force a wildcard bind, whereas a value of 2 (``clientspecified'') 3315 * will bind to whatever address the client asked for. 3316 * 3317 * Special-case listen_addrs are: 3318 * 3319 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 3320 * "" (empty string), "*" -> wildcard v4/v6 3321 * "localhost" -> loopback v4/v6 3322 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set 3323 */ 3324 static const char * 3325 channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp, 3326 int is_client, struct ForwardOptions *fwd_opts) 3327 { 3328 const char *addr = NULL; 3329 int wildcard = 0; 3330 3331 if (listen_addr == NULL) { 3332 /* No address specified: default to gateway_ports setting */ 3333 if (fwd_opts->gateway_ports) 3334 wildcard = 1; 3335 } else if (fwd_opts->gateway_ports || is_client) { 3336 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 3337 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 3338 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 3339 (!is_client && fwd_opts->gateway_ports == 1)) { 3340 wildcard = 1; 3341 /* 3342 * Notify client if they requested a specific listen 3343 * address and it was overridden. 3344 */ 3345 if (*listen_addr != '\0' && 3346 strcmp(listen_addr, "0.0.0.0") != 0 && 3347 strcmp(listen_addr, "*") != 0) { 3348 ssh_packet_send_debug(ssh, 3349 "Forwarding listen address " 3350 "\"%s\" overridden by server " 3351 "GatewayPorts", listen_addr); 3352 } 3353 } else if (strcmp(listen_addr, "localhost") != 0 || 3354 strcmp(listen_addr, "127.0.0.1") == 0 || 3355 strcmp(listen_addr, "::1") == 0) { 3356 /* 3357 * Accept explicit localhost address when 3358 * GatewayPorts=yes. The "localhost" hostname is 3359 * deliberately skipped here so it will listen on all 3360 * available local address families. 3361 */ 3362 addr = listen_addr; 3363 } 3364 } else if (strcmp(listen_addr, "127.0.0.1") == 0 || 3365 strcmp(listen_addr, "::1") == 0) { 3366 /* 3367 * If a specific IPv4/IPv6 localhost address has been 3368 * requested then accept it even if gateway_ports is in 3369 * effect. This allows the client to prefer IPv4 or IPv6. 3370 */ 3371 addr = listen_addr; 3372 } 3373 if (wildcardp != NULL) 3374 *wildcardp = wildcard; 3375 return addr; 3376 } 3377 3378 static int 3379 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, 3380 struct Forward *fwd, int *allocated_listen_port, 3381 struct ForwardOptions *fwd_opts) 3382 { 3383 Channel *c; 3384 int sock, r, success = 0, wildcard = 0, is_client; 3385 struct addrinfo hints, *ai, *aitop; 3386 const char *host, *addr; 3387 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 3388 in_port_t *lport_p; 3389 3390 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 3391 3392 if (is_client && fwd->connect_path != NULL) { 3393 host = fwd->connect_path; 3394 } else { 3395 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 3396 fwd->listen_host : fwd->connect_host; 3397 if (host == NULL) { 3398 error("No forward host name."); 3399 return 0; 3400 } 3401 if (strlen(host) >= NI_MAXHOST) { 3402 error("Forward host name too long."); 3403 return 0; 3404 } 3405 } 3406 3407 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ 3408 addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard, 3409 is_client, fwd_opts); 3410 debug3("%s: type %d wildcard %d addr %s", __func__, 3411 type, wildcard, (addr == NULL) ? "NULL" : addr); 3412 3413 /* 3414 * getaddrinfo returns a loopback address if the hostname is 3415 * set to NULL and hints.ai_flags is not AI_PASSIVE 3416 */ 3417 memset(&hints, 0, sizeof(hints)); 3418 hints.ai_family = ssh->chanctxt->IPv4or6; 3419 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 3420 hints.ai_socktype = SOCK_STREAM; 3421 snprintf(strport, sizeof strport, "%d", fwd->listen_port); 3422 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 3423 if (addr == NULL) { 3424 /* This really shouldn't happen */ 3425 ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s", 3426 ssh_gai_strerror(r)); 3427 } else { 3428 error("%s: getaddrinfo(%.64s): %s", __func__, addr, 3429 ssh_gai_strerror(r)); 3430 } 3431 return 0; 3432 } 3433 if (allocated_listen_port != NULL) 3434 *allocated_listen_port = 0; 3435 for (ai = aitop; ai; ai = ai->ai_next) { 3436 switch (ai->ai_family) { 3437 case AF_INET: 3438 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 3439 sin_port; 3440 break; 3441 case AF_INET6: 3442 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 3443 sin6_port; 3444 break; 3445 default: 3446 continue; 3447 } 3448 /* 3449 * If allocating a port for -R forwards, then use the 3450 * same port for all address families. 3451 */ 3452 if (type == SSH_CHANNEL_RPORT_LISTENER && 3453 fwd->listen_port == 0 && allocated_listen_port != NULL && 3454 *allocated_listen_port > 0) 3455 *lport_p = htons(*allocated_listen_port); 3456 3457 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 3458 strport, sizeof(strport), 3459 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3460 error("%s: getnameinfo failed", __func__); 3461 continue; 3462 } 3463 /* Create a port to listen for the host. */ 3464 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3465 if (sock == -1) { 3466 /* this is no error since kernel may not support ipv6 */ 3467 verbose("socket [%s]:%s: %.100s", ntop, strport, 3468 strerror(errno)); 3469 continue; 3470 } 3471 3472 set_reuseaddr(sock); 3473 if (ai->ai_family == AF_INET6) 3474 sock_set_v6only(sock); 3475 3476 debug("Local forwarding listening on %s port %s.", 3477 ntop, strport); 3478 3479 /* Bind the socket to the address. */ 3480 if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { 3481 /* 3482 * address can be in if use ipv6 address is 3483 * already bound 3484 */ 3485 if (!ai->ai_next) 3486 error("bind [%s]:%s: %.100s", 3487 ntop, strport, strerror(errno)); 3488 else 3489 verbose("bind [%s]:%s: %.100s", 3490 ntop, strport, strerror(errno)); 3491 3492 close(sock); 3493 continue; 3494 } 3495 /* Start listening for connections on the socket. */ 3496 if (listen(sock, SSH_LISTEN_BACKLOG) == -1) { 3497 error("listen: %.100s", strerror(errno)); 3498 error("listen [%s]:%s: %.100s", ntop, strport, 3499 strerror(errno)); 3500 close(sock); 3501 continue; 3502 } 3503 3504 /* 3505 * fwd->listen_port == 0 requests a dynamically allocated port - 3506 * record what we got. 3507 */ 3508 if (type == SSH_CHANNEL_RPORT_LISTENER && 3509 fwd->listen_port == 0 && 3510 allocated_listen_port != NULL && 3511 *allocated_listen_port == 0) { 3512 *allocated_listen_port = get_local_port(sock); 3513 debug("Allocated listen port %d", 3514 *allocated_listen_port); 3515 } 3516 3517 /* Allocate a channel number for the socket. */ 3518 c = channel_new(ssh, "port listener", type, sock, sock, -1, 3519 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 3520 0, "port listener", 1); 3521 c->path = xstrdup(host); 3522 c->host_port = fwd->connect_port; 3523 c->listening_addr = addr == NULL ? NULL : xstrdup(addr); 3524 if (fwd->listen_port == 0 && allocated_listen_port != NULL && 3525 !(datafellows & SSH_BUG_DYNAMIC_RPORT)) 3526 c->listening_port = *allocated_listen_port; 3527 else 3528 c->listening_port = fwd->listen_port; 3529 success = 1; 3530 } 3531 if (success == 0) 3532 error("%s: cannot listen to port: %d", __func__, 3533 fwd->listen_port); 3534 freeaddrinfo(aitop); 3535 return success; 3536 } 3537 3538 static int 3539 channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type, 3540 struct Forward *fwd, struct ForwardOptions *fwd_opts) 3541 { 3542 struct sockaddr_un sunaddr; 3543 const char *path; 3544 Channel *c; 3545 int port, sock; 3546 mode_t omask; 3547 3548 switch (type) { 3549 case SSH_CHANNEL_UNIX_LISTENER: 3550 if (fwd->connect_path != NULL) { 3551 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) { 3552 error("Local connecting path too long: %s", 3553 fwd->connect_path); 3554 return 0; 3555 } 3556 path = fwd->connect_path; 3557 port = PORT_STREAMLOCAL; 3558 } else { 3559 if (fwd->connect_host == NULL) { 3560 error("No forward host name."); 3561 return 0; 3562 } 3563 if (strlen(fwd->connect_host) >= NI_MAXHOST) { 3564 error("Forward host name too long."); 3565 return 0; 3566 } 3567 path = fwd->connect_host; 3568 port = fwd->connect_port; 3569 } 3570 break; 3571 case SSH_CHANNEL_RUNIX_LISTENER: 3572 path = fwd->listen_path; 3573 port = PORT_STREAMLOCAL; 3574 break; 3575 default: 3576 error("%s: unexpected channel type %d", __func__, type); 3577 return 0; 3578 } 3579 3580 if (fwd->listen_path == NULL) { 3581 error("No forward path name."); 3582 return 0; 3583 } 3584 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) { 3585 error("Local listening path too long: %s", fwd->listen_path); 3586 return 0; 3587 } 3588 3589 debug3("%s: type %d path %s", __func__, type, fwd->listen_path); 3590 3591 /* Start a Unix domain listener. */ 3592 omask = umask(fwd_opts->streamlocal_bind_mask); 3593 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG, 3594 fwd_opts->streamlocal_bind_unlink); 3595 umask(omask); 3596 if (sock < 0) 3597 return 0; 3598 3599 debug("Local forwarding listening on path %s.", fwd->listen_path); 3600 3601 /* Allocate a channel number for the socket. */ 3602 c = channel_new(ssh, "unix listener", type, sock, sock, -1, 3603 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 3604 0, "unix listener", 1); 3605 c->path = xstrdup(path); 3606 c->host_port = port; 3607 c->listening_port = PORT_STREAMLOCAL; 3608 c->listening_addr = xstrdup(fwd->listen_path); 3609 return 1; 3610 } 3611 3612 static int 3613 channel_cancel_rport_listener_tcpip(struct ssh *ssh, 3614 const char *host, u_short port) 3615 { 3616 u_int i; 3617 int found = 0; 3618 3619 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3620 Channel *c = ssh->chanctxt->channels[i]; 3621 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER) 3622 continue; 3623 if (strcmp(c->path, host) == 0 && c->listening_port == port) { 3624 debug2("%s: close channel %d", __func__, i); 3625 channel_free(ssh, c); 3626 found = 1; 3627 } 3628 } 3629 3630 return found; 3631 } 3632 3633 static int 3634 channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path) 3635 { 3636 u_int i; 3637 int found = 0; 3638 3639 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3640 Channel *c = ssh->chanctxt->channels[i]; 3641 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER) 3642 continue; 3643 if (c->path == NULL) 3644 continue; 3645 if (strcmp(c->path, path) == 0) { 3646 debug2("%s: close channel %d", __func__, i); 3647 channel_free(ssh, c); 3648 found = 1; 3649 } 3650 } 3651 3652 return found; 3653 } 3654 3655 int 3656 channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd) 3657 { 3658 if (fwd->listen_path != NULL) { 3659 return channel_cancel_rport_listener_streamlocal(ssh, 3660 fwd->listen_path); 3661 } else { 3662 return channel_cancel_rport_listener_tcpip(ssh, 3663 fwd->listen_host, fwd->listen_port); 3664 } 3665 } 3666 3667 static int 3668 channel_cancel_lport_listener_tcpip(struct ssh *ssh, 3669 const char *lhost, u_short lport, int cport, 3670 struct ForwardOptions *fwd_opts) 3671 { 3672 u_int i; 3673 int found = 0; 3674 const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL, 1, fwd_opts); 3675 3676 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3677 Channel *c = ssh->chanctxt->channels[i]; 3678 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER) 3679 continue; 3680 if (c->listening_port != lport) 3681 continue; 3682 if (cport == CHANNEL_CANCEL_PORT_STATIC) { 3683 /* skip dynamic forwardings */ 3684 if (c->host_port == 0) 3685 continue; 3686 } else { 3687 if (c->host_port != cport) 3688 continue; 3689 } 3690 if ((c->listening_addr == NULL && addr != NULL) || 3691 (c->listening_addr != NULL && addr == NULL)) 3692 continue; 3693 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) { 3694 debug2("%s: close channel %d", __func__, i); 3695 channel_free(ssh, c); 3696 found = 1; 3697 } 3698 } 3699 3700 return found; 3701 } 3702 3703 static int 3704 channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path) 3705 { 3706 u_int i; 3707 int found = 0; 3708 3709 if (path == NULL) { 3710 error("%s: no path specified.", __func__); 3711 return 0; 3712 } 3713 3714 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3715 Channel *c = ssh->chanctxt->channels[i]; 3716 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER) 3717 continue; 3718 if (c->listening_addr == NULL) 3719 continue; 3720 if (strcmp(c->listening_addr, path) == 0) { 3721 debug2("%s: close channel %d", __func__, i); 3722 channel_free(ssh, c); 3723 found = 1; 3724 } 3725 } 3726 3727 return found; 3728 } 3729 3730 int 3731 channel_cancel_lport_listener(struct ssh *ssh, 3732 struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts) 3733 { 3734 if (fwd->listen_path != NULL) { 3735 return channel_cancel_lport_listener_streamlocal(ssh, 3736 fwd->listen_path); 3737 } else { 3738 return channel_cancel_lport_listener_tcpip(ssh, 3739 fwd->listen_host, fwd->listen_port, cport, fwd_opts); 3740 } 3741 } 3742 3743 /* protocol local port fwd, used by ssh */ 3744 int 3745 channel_setup_local_fwd_listener(struct ssh *ssh, 3746 struct Forward *fwd, struct ForwardOptions *fwd_opts) 3747 { 3748 if (fwd->listen_path != NULL) { 3749 return channel_setup_fwd_listener_streamlocal(ssh, 3750 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts); 3751 } else { 3752 return channel_setup_fwd_listener_tcpip(ssh, 3753 SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts); 3754 } 3755 } 3756 3757 /* Matches a remote forwarding permission against a requested forwarding */ 3758 static int 3759 remote_open_match(struct permission *allowed_open, struct Forward *fwd) 3760 { 3761 int ret; 3762 char *lhost; 3763 3764 /* XXX add ACLs for streamlocal */ 3765 if (fwd->listen_path != NULL) 3766 return 1; 3767 3768 if (fwd->listen_host == NULL || allowed_open->listen_host == NULL) 3769 return 0; 3770 3771 if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT && 3772 allowed_open->listen_port != fwd->listen_port) 3773 return 0; 3774 3775 /* Match hostnames case-insensitively */ 3776 lhost = xstrdup(fwd->listen_host); 3777 lowercase(lhost); 3778 ret = match_pattern(lhost, allowed_open->listen_host); 3779 free(lhost); 3780 3781 return ret; 3782 } 3783 3784 /* Checks whether a requested remote forwarding is permitted */ 3785 static int 3786 check_rfwd_permission(struct ssh *ssh, struct Forward *fwd) 3787 { 3788 struct ssh_channels *sc = ssh->chanctxt; 3789 struct permission_set *pset = &sc->remote_perms; 3790 u_int i, permit, permit_adm = 1; 3791 struct permission *perm; 3792 3793 /* XXX apply GatewayPorts override before checking? */ 3794 3795 permit = pset->all_permitted; 3796 if (!permit) { 3797 for (i = 0; i < pset->num_permitted_user; i++) { 3798 perm = &pset->permitted_user[i]; 3799 if (remote_open_match(perm, fwd)) { 3800 permit = 1; 3801 break; 3802 } 3803 } 3804 } 3805 3806 if (pset->num_permitted_admin > 0) { 3807 permit_adm = 0; 3808 for (i = 0; i < pset->num_permitted_admin; i++) { 3809 perm = &pset->permitted_admin[i]; 3810 if (remote_open_match(perm, fwd)) { 3811 permit_adm = 1; 3812 break; 3813 } 3814 } 3815 } 3816 3817 return permit && permit_adm; 3818 } 3819 3820 /* protocol v2 remote port fwd, used by sshd */ 3821 int 3822 channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd, 3823 int *allocated_listen_port, struct ForwardOptions *fwd_opts) 3824 { 3825 if (!check_rfwd_permission(ssh, fwd)) { 3826 ssh_packet_send_debug(ssh, "port forwarding refused"); 3827 if (fwd->listen_path != NULL) 3828 /* XXX always allowed, see remote_open_match() */ 3829 logit("Received request from %.100s port %d to " 3830 "remote forward to path \"%.100s\", " 3831 "but the request was denied.", 3832 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 3833 fwd->listen_path); 3834 else if(fwd->listen_host != NULL) 3835 logit("Received request from %.100s port %d to " 3836 "remote forward to host %.100s port %d, " 3837 "but the request was denied.", 3838 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), 3839 fwd->listen_host, fwd->listen_port ); 3840 else 3841 logit("Received request from %.100s port %d to remote " 3842 "forward, but the request was denied.", 3843 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); 3844 return 0; 3845 } 3846 if (fwd->listen_path != NULL) { 3847 return channel_setup_fwd_listener_streamlocal(ssh, 3848 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts); 3849 } else { 3850 return channel_setup_fwd_listener_tcpip(ssh, 3851 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port, 3852 fwd_opts); 3853 } 3854 } 3855 3856 /* 3857 * Translate the requested rfwd listen host to something usable for 3858 * this server. 3859 */ 3860 static const char * 3861 channel_rfwd_bind_host(const char *listen_host) 3862 { 3863 if (listen_host == NULL) { 3864 return "localhost"; 3865 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { 3866 return ""; 3867 } else 3868 return listen_host; 3869 } 3870 3871 /* 3872 * Initiate forwarding of connections to port "port" on remote host through 3873 * the secure channel to host:port from local side. 3874 * Returns handle (index) for updating the dynamic listen port with 3875 * channel_update_permission(). 3876 */ 3877 int 3878 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) 3879 { 3880 int r, success = 0, idx = -1; 3881 char *host_to_connect, *listen_host, *listen_path; 3882 int port_to_connect, listen_port; 3883 3884 /* Send the forward request to the remote side. */ 3885 if (fwd->listen_path != NULL) { 3886 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3887 (r = sshpkt_put_cstring(ssh, 3888 "streamlocal-forward@openssh.com")) != 0 || 3889 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ 3890 (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 || 3891 (r = sshpkt_send(ssh)) != 0 || 3892 (r = ssh_packet_write_wait(ssh)) != 0) 3893 fatal("%s: request streamlocal: %s", 3894 __func__, ssh_err(r)); 3895 } else { 3896 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3897 (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 || 3898 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ 3899 (r = sshpkt_put_cstring(ssh, 3900 channel_rfwd_bind_host(fwd->listen_host))) != 0 || 3901 (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 || 3902 (r = sshpkt_send(ssh)) != 0 || 3903 (r = ssh_packet_write_wait(ssh)) != 0) 3904 fatal("%s: request tcpip-forward: %s", 3905 __func__, ssh_err(r)); 3906 } 3907 /* Assume that server accepts the request */ 3908 success = 1; 3909 if (success) { 3910 /* Record that connection to this host/port is permitted. */ 3911 host_to_connect = listen_host = listen_path = NULL; 3912 port_to_connect = listen_port = 0; 3913 if (fwd->connect_path != NULL) { 3914 host_to_connect = xstrdup(fwd->connect_path); 3915 port_to_connect = PORT_STREAMLOCAL; 3916 } else { 3917 host_to_connect = xstrdup(fwd->connect_host); 3918 port_to_connect = fwd->connect_port; 3919 } 3920 if (fwd->listen_path != NULL) { 3921 listen_path = xstrdup(fwd->listen_path); 3922 listen_port = PORT_STREAMLOCAL; 3923 } else { 3924 if (fwd->listen_host != NULL) 3925 listen_host = xstrdup(fwd->listen_host); 3926 listen_port = fwd->listen_port; 3927 } 3928 idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, 3929 host_to_connect, port_to_connect, 3930 listen_host, listen_path, listen_port, NULL); 3931 } 3932 return idx; 3933 } 3934 3935 static int 3936 open_match(struct permission *allowed_open, const char *requestedhost, 3937 int requestedport) 3938 { 3939 if (allowed_open->host_to_connect == NULL) 3940 return 0; 3941 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT && 3942 allowed_open->port_to_connect != requestedport) 3943 return 0; 3944 if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 && 3945 strcmp(allowed_open->host_to_connect, requestedhost) != 0) 3946 return 0; 3947 return 1; 3948 } 3949 3950 /* 3951 * Note that in the listen host/port case 3952 * we don't support FWD_PERMIT_ANY_PORT and 3953 * need to translate between the configured-host (listen_host) 3954 * and what we've sent to the remote server (channel_rfwd_bind_host) 3955 */ 3956 static int 3957 open_listen_match_tcpip(struct permission *allowed_open, 3958 const char *requestedhost, u_short requestedport, int translate) 3959 { 3960 const char *allowed_host; 3961 3962 if (allowed_open->host_to_connect == NULL) 3963 return 0; 3964 if (allowed_open->listen_port != requestedport) 3965 return 0; 3966 if (!translate && allowed_open->listen_host == NULL && 3967 requestedhost == NULL) 3968 return 1; 3969 allowed_host = translate ? 3970 channel_rfwd_bind_host(allowed_open->listen_host) : 3971 allowed_open->listen_host; 3972 if (allowed_host == NULL || requestedhost == NULL || 3973 strcmp(allowed_host, requestedhost) != 0) 3974 return 0; 3975 return 1; 3976 } 3977 3978 static int 3979 open_listen_match_streamlocal(struct permission *allowed_open, 3980 const char *requestedpath) 3981 { 3982 if (allowed_open->host_to_connect == NULL) 3983 return 0; 3984 if (allowed_open->listen_port != PORT_STREAMLOCAL) 3985 return 0; 3986 if (allowed_open->listen_path == NULL || 3987 strcmp(allowed_open->listen_path, requestedpath) != 0) 3988 return 0; 3989 return 1; 3990 } 3991 3992 /* 3993 * Request cancellation of remote forwarding of connection host:port from 3994 * local side. 3995 */ 3996 static int 3997 channel_request_rforward_cancel_tcpip(struct ssh *ssh, 3998 const char *host, u_short port) 3999 { 4000 struct ssh_channels *sc = ssh->chanctxt; 4001 struct permission_set *pset = &sc->local_perms; 4002 int r; 4003 u_int i; 4004 struct permission *perm = NULL; 4005 4006 for (i = 0; i < pset->num_permitted_user; i++) { 4007 perm = &pset->permitted_user[i]; 4008 if (open_listen_match_tcpip(perm, host, port, 0)) 4009 break; 4010 perm = NULL; 4011 } 4012 if (perm == NULL) { 4013 debug("%s: requested forward not found", __func__); 4014 return -1; 4015 } 4016 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 4017 (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 || 4018 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ 4019 (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 || 4020 (r = sshpkt_put_u32(ssh, port)) != 0 || 4021 (r = sshpkt_send(ssh)) != 0) 4022 fatal("%s: send cancel: %s", __func__, ssh_err(r)); 4023 4024 fwd_perm_clear(perm); /* unregister */ 4025 4026 return 0; 4027 } 4028 4029 /* 4030 * Request cancellation of remote forwarding of Unix domain socket 4031 * path from local side. 4032 */ 4033 static int 4034 channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path) 4035 { 4036 struct ssh_channels *sc = ssh->chanctxt; 4037 struct permission_set *pset = &sc->local_perms; 4038 int r; 4039 u_int i; 4040 struct permission *perm = NULL; 4041 4042 for (i = 0; i < pset->num_permitted_user; i++) { 4043 perm = &pset->permitted_user[i]; 4044 if (open_listen_match_streamlocal(perm, path)) 4045 break; 4046 perm = NULL; 4047 } 4048 if (perm == NULL) { 4049 debug("%s: requested forward not found", __func__); 4050 return -1; 4051 } 4052 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 4053 (r = sshpkt_put_cstring(ssh, 4054 "cancel-streamlocal-forward@openssh.com")) != 0 || 4055 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ 4056 (r = sshpkt_put_cstring(ssh, path)) != 0 || 4057 (r = sshpkt_send(ssh)) != 0) 4058 fatal("%s: send cancel: %s", __func__, ssh_err(r)); 4059 4060 fwd_perm_clear(perm); /* unregister */ 4061 4062 return 0; 4063 } 4064 4065 /* 4066 * Request cancellation of remote forwarding of a connection from local side. 4067 */ 4068 int 4069 channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd) 4070 { 4071 if (fwd->listen_path != NULL) { 4072 return channel_request_rforward_cancel_streamlocal(ssh, 4073 fwd->listen_path); 4074 } else { 4075 return channel_request_rforward_cancel_tcpip(ssh, 4076 fwd->listen_host, 4077 fwd->listen_port ? fwd->listen_port : fwd->allocated_port); 4078 } 4079 } 4080 4081 /* 4082 * Permits opening to any host/port if permitted_user[] is empty. This is 4083 * usually called by the server, because the user could connect to any port 4084 * anyway, and the server has no way to know but to trust the client anyway. 4085 */ 4086 void 4087 channel_permit_all(struct ssh *ssh, int where) 4088 { 4089 struct permission_set *pset = permission_set_get(ssh, where); 4090 4091 if (pset->num_permitted_user == 0) 4092 pset->all_permitted = 1; 4093 } 4094 4095 /* 4096 * Permit the specified host/port for forwarding. 4097 */ 4098 void 4099 channel_add_permission(struct ssh *ssh, int who, int where, 4100 char *host, int port) 4101 { 4102 int local = where == FORWARD_LOCAL; 4103 struct permission_set *pset = permission_set_get(ssh, where); 4104 4105 debug("allow %s forwarding to host %s port %d", 4106 fwd_ident(who, where), host, port); 4107 /* 4108 * Remote forwards set listen_host/port, local forwards set 4109 * host/port_to_connect. 4110 */ 4111 permission_set_add(ssh, who, where, 4112 local ? host : 0, local ? port : 0, 4113 local ? NULL : host, NULL, local ? 0 : port, NULL); 4114 pset->all_permitted = 0; 4115 } 4116 4117 /* 4118 * Administratively disable forwarding. 4119 */ 4120 void 4121 channel_disable_admin(struct ssh *ssh, int where) 4122 { 4123 channel_clear_permission(ssh, FORWARD_ADM, where); 4124 permission_set_add(ssh, FORWARD_ADM, where, 4125 NULL, 0, NULL, NULL, 0, NULL); 4126 } 4127 4128 /* 4129 * Clear a list of permitted opens. 4130 */ 4131 void 4132 channel_clear_permission(struct ssh *ssh, int who, int where) 4133 { 4134 struct permission **permp; 4135 u_int *npermp; 4136 4137 permission_set_get_array(ssh, who, where, &permp, &npermp); 4138 *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp)); 4139 *npermp = 0; 4140 } 4141 4142 /* 4143 * Update the listen port for a dynamic remote forward, after 4144 * the actual 'newport' has been allocated. If 'newport' < 0 is 4145 * passed then they entry will be invalidated. 4146 */ 4147 void 4148 channel_update_permission(struct ssh *ssh, int idx, int newport) 4149 { 4150 struct permission_set *pset = &ssh->chanctxt->local_perms; 4151 4152 if (idx < 0 || (u_int)idx >= pset->num_permitted_user) { 4153 debug("%s: index out of range: %d num_permitted_user %d", 4154 __func__, idx, pset->num_permitted_user); 4155 return; 4156 } 4157 debug("%s allowed port %d for forwarding to host %s port %d", 4158 newport > 0 ? "Updating" : "Removing", 4159 newport, 4160 pset->permitted_user[idx].host_to_connect, 4161 pset->permitted_user[idx].port_to_connect); 4162 if (newport <= 0) 4163 fwd_perm_clear(&pset->permitted_user[idx]); 4164 else { 4165 pset->permitted_user[idx].listen_port = 4166 (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport; 4167 } 4168 } 4169 4170 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ 4171 int 4172 permitopen_port(const char *p) 4173 { 4174 int port; 4175 4176 if (strcmp(p, "*") == 0) 4177 return FWD_PERMIT_ANY_PORT; 4178 if ((port = a2port(p)) > 0) 4179 return port; 4180 return -1; 4181 } 4182 4183 /* Try to start non-blocking connect to next host in cctx list */ 4184 static int 4185 connect_next(struct channel_connect *cctx) 4186 { 4187 int sock, saved_errno; 4188 struct sockaddr_un *sunaddr; 4189 char ntop[NI_MAXHOST]; 4190 char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))]; 4191 4192 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 4193 switch (cctx->ai->ai_family) { 4194 case AF_UNIX: 4195 /* unix:pathname instead of host:port */ 4196 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr; 4197 strlcpy(ntop, "unix", sizeof(ntop)); 4198 strlcpy(strport, sunaddr->sun_path, sizeof(strport)); 4199 break; 4200 case AF_INET: 4201 case AF_INET6: 4202 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 4203 ntop, sizeof(ntop), strport, sizeof(strport), 4204 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 4205 error("connect_next: getnameinfo failed"); 4206 continue; 4207 } 4208 break; 4209 default: 4210 continue; 4211 } 4212 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 4213 cctx->ai->ai_protocol)) == -1) { 4214 if (cctx->ai->ai_next == NULL) 4215 error("socket: %.100s", strerror(errno)); 4216 else 4217 verbose("socket: %.100s", strerror(errno)); 4218 continue; 4219 } 4220 if (set_nonblock(sock) == -1) 4221 fatal("%s: set_nonblock(%d)", __func__, sock); 4222 if (connect(sock, cctx->ai->ai_addr, 4223 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 4224 debug("connect_next: host %.100s ([%.100s]:%s): " 4225 "%.100s", cctx->host, ntop, strport, 4226 strerror(errno)); 4227 saved_errno = errno; 4228 close(sock); 4229 errno = saved_errno; 4230 continue; /* fail -- try next */ 4231 } 4232 if (cctx->ai->ai_family != AF_UNIX) 4233 set_nodelay(sock); 4234 debug("connect_next: host %.100s ([%.100s]:%s) " 4235 "in progress, fd=%d", cctx->host, ntop, strport, sock); 4236 cctx->ai = cctx->ai->ai_next; 4237 return sock; 4238 } 4239 return -1; 4240 } 4241 4242 static void 4243 channel_connect_ctx_free(struct channel_connect *cctx) 4244 { 4245 free(cctx->host); 4246 if (cctx->aitop) { 4247 if (cctx->aitop->ai_family == AF_UNIX) 4248 free(cctx->aitop); 4249 else 4250 freeaddrinfo(cctx->aitop); 4251 } 4252 memset(cctx, 0, sizeof(*cctx)); 4253 } 4254 4255 /* 4256 * Return connecting socket to remote host:port or local socket path, 4257 * passing back the failure reason if appropriate. 4258 */ 4259 static int 4260 connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype, 4261 char *ctype, char *rname, struct channel_connect *cctx, 4262 int *reason, const char **errmsg) 4263 { 4264 struct addrinfo hints; 4265 int gaierr; 4266 int sock = -1; 4267 char strport[NI_MAXSERV]; 4268 4269 if (port == PORT_STREAMLOCAL) { 4270 struct sockaddr_un *sunaddr; 4271 struct addrinfo *ai; 4272 4273 if (strlen(name) > sizeof(sunaddr->sun_path)) { 4274 error("%.100s: %.100s", name, strerror(ENAMETOOLONG)); 4275 return -1; 4276 } 4277 4278 /* 4279 * Fake up a struct addrinfo for AF_UNIX connections. 4280 * channel_connect_ctx_free() must check ai_family 4281 * and use free() not freeaddirinfo() for AF_UNIX. 4282 */ 4283 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr)); 4284 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr)); 4285 ai->ai_addr = (struct sockaddr *)(ai + 1); 4286 ai->ai_addrlen = sizeof(*sunaddr); 4287 ai->ai_family = AF_UNIX; 4288 ai->ai_socktype = socktype; 4289 ai->ai_protocol = PF_UNSPEC; 4290 sunaddr = (struct sockaddr_un *)ai->ai_addr; 4291 sunaddr->sun_family = AF_UNIX; 4292 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); 4293 cctx->aitop = ai; 4294 } else { 4295 memset(&hints, 0, sizeof(hints)); 4296 hints.ai_family = ssh->chanctxt->IPv4or6; 4297 hints.ai_socktype = socktype; 4298 snprintf(strport, sizeof strport, "%d", port); 4299 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop)) 4300 != 0) { 4301 if (errmsg != NULL) 4302 *errmsg = ssh_gai_strerror(gaierr); 4303 if (reason != NULL) 4304 *reason = SSH2_OPEN_CONNECT_FAILED; 4305 error("connect_to %.100s: unknown host (%s)", name, 4306 ssh_gai_strerror(gaierr)); 4307 return -1; 4308 } 4309 } 4310 4311 cctx->host = xstrdup(name); 4312 cctx->port = port; 4313 cctx->ai = cctx->aitop; 4314 4315 if ((sock = connect_next(cctx)) == -1) { 4316 error("connect to %.100s port %d failed: %s", 4317 name, port, strerror(errno)); 4318 return -1; 4319 } 4320 4321 return sock; 4322 } 4323 4324 /* Return CONNECTING channel to remote host:port or local socket path */ 4325 static Channel * 4326 connect_to(struct ssh *ssh, const char *host, int port, 4327 char *ctype, char *rname) 4328 { 4329 struct channel_connect cctx; 4330 Channel *c; 4331 int sock; 4332 4333 memset(&cctx, 0, sizeof(cctx)); 4334 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, 4335 &cctx, NULL, NULL); 4336 if (sock == -1) { 4337 channel_connect_ctx_free(&cctx); 4338 return NULL; 4339 } 4340 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 4341 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4342 c->host_port = port; 4343 c->path = xstrdup(host); 4344 c->connect_ctx = cctx; 4345 4346 return c; 4347 } 4348 4349 /* 4350 * returns either the newly connected channel or the downstream channel 4351 * that needs to deal with this connection. 4352 */ 4353 Channel * 4354 channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host, 4355 u_short listen_port, char *ctype, char *rname) 4356 { 4357 struct ssh_channels *sc = ssh->chanctxt; 4358 struct permission_set *pset = &sc->local_perms; 4359 u_int i; 4360 struct permission *perm; 4361 4362 for (i = 0; i < pset->num_permitted_user; i++) { 4363 perm = &pset->permitted_user[i]; 4364 if (open_listen_match_tcpip(perm, 4365 listen_host, listen_port, 1)) { 4366 if (perm->downstream) 4367 return perm->downstream; 4368 if (perm->port_to_connect == 0) 4369 return rdynamic_connect_prepare(ssh, 4370 ctype, rname); 4371 return connect_to(ssh, 4372 perm->host_to_connect, perm->port_to_connect, 4373 ctype, rname); 4374 } 4375 } 4376 error("WARNING: Server requests forwarding for unknown listen_port %d", 4377 listen_port); 4378 return NULL; 4379 } 4380 4381 Channel * 4382 channel_connect_by_listen_path(struct ssh *ssh, const char *path, 4383 char *ctype, char *rname) 4384 { 4385 struct ssh_channels *sc = ssh->chanctxt; 4386 struct permission_set *pset = &sc->local_perms; 4387 u_int i; 4388 struct permission *perm; 4389 4390 for (i = 0; i < pset->num_permitted_user; i++) { 4391 perm = &pset->permitted_user[i]; 4392 if (open_listen_match_streamlocal(perm, path)) { 4393 return connect_to(ssh, 4394 perm->host_to_connect, perm->port_to_connect, 4395 ctype, rname); 4396 } 4397 } 4398 error("WARNING: Server requests forwarding for unknown path %.100s", 4399 path); 4400 return NULL; 4401 } 4402 4403 /* Check if connecting to that port is permitted and connect. */ 4404 Channel * 4405 channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, 4406 char *ctype, char *rname, int *reason, const char **errmsg) 4407 { 4408 struct ssh_channels *sc = ssh->chanctxt; 4409 struct permission_set *pset = &sc->local_perms; 4410 struct channel_connect cctx; 4411 Channel *c; 4412 u_int i, permit, permit_adm = 1; 4413 int sock; 4414 struct permission *perm; 4415 4416 permit = pset->all_permitted; 4417 if (!permit) { 4418 for (i = 0; i < pset->num_permitted_user; i++) { 4419 perm = &pset->permitted_user[i]; 4420 if (open_match(perm, host, port)) { 4421 permit = 1; 4422 break; 4423 } 4424 } 4425 } 4426 4427 if (pset->num_permitted_admin > 0) { 4428 permit_adm = 0; 4429 for (i = 0; i < pset->num_permitted_admin; i++) { 4430 perm = &pset->permitted_admin[i]; 4431 if (open_match(perm, host, port)) { 4432 permit_adm = 1; 4433 break; 4434 } 4435 } 4436 } 4437 4438 if (!permit || !permit_adm) { 4439 logit("Received request from %.100s port %d to connect to " 4440 "host %.100s port %d, but the request was denied.", 4441 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port); 4442 if (reason != NULL) 4443 *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED; 4444 return NULL; 4445 } 4446 4447 memset(&cctx, 0, sizeof(cctx)); 4448 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, 4449 &cctx, reason, errmsg); 4450 if (sock == -1) { 4451 channel_connect_ctx_free(&cctx); 4452 return NULL; 4453 } 4454 4455 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 4456 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4457 c->host_port = port; 4458 c->path = xstrdup(host); 4459 c->connect_ctx = cctx; 4460 4461 return c; 4462 } 4463 4464 /* Check if connecting to that path is permitted and connect. */ 4465 Channel * 4466 channel_connect_to_path(struct ssh *ssh, const char *path, 4467 char *ctype, char *rname) 4468 { 4469 struct ssh_channels *sc = ssh->chanctxt; 4470 struct permission_set *pset = &sc->local_perms; 4471 u_int i, permit, permit_adm = 1; 4472 struct permission *perm; 4473 4474 permit = pset->all_permitted; 4475 if (!permit) { 4476 for (i = 0; i < pset->num_permitted_user; i++) { 4477 perm = &pset->permitted_user[i]; 4478 if (open_match(perm, path, PORT_STREAMLOCAL)) { 4479 permit = 1; 4480 break; 4481 } 4482 } 4483 } 4484 4485 if (pset->num_permitted_admin > 0) { 4486 permit_adm = 0; 4487 for (i = 0; i < pset->num_permitted_admin; i++) { 4488 perm = &pset->permitted_admin[i]; 4489 if (open_match(perm, path, PORT_STREAMLOCAL)) { 4490 permit_adm = 1; 4491 break; 4492 } 4493 } 4494 } 4495 4496 if (!permit || !permit_adm) { 4497 logit("Received request to connect to path %.100s, " 4498 "but the request was denied.", path); 4499 return NULL; 4500 } 4501 return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname); 4502 } 4503 4504 void 4505 channel_send_window_changes(struct ssh *ssh) 4506 { 4507 struct ssh_channels *sc = ssh->chanctxt; 4508 struct winsize ws; 4509 int r; 4510 u_int i; 4511 4512 for (i = 0; i < sc->channels_alloc; i++) { 4513 if (sc->channels[i] == NULL || !sc->channels[i]->client_tty || 4514 sc->channels[i]->type != SSH_CHANNEL_OPEN) 4515 continue; 4516 if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) == -1) 4517 continue; 4518 channel_request_start(ssh, i, "window-change", 0); 4519 if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 || 4520 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 || 4521 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 || 4522 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 || 4523 (r = sshpkt_send(ssh)) != 0) 4524 fatal("%s: channel %u: send window-change: %s", 4525 __func__, i, ssh_err(r)); 4526 } 4527 } 4528 4529 /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */ 4530 static Channel * 4531 rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname) 4532 { 4533 Channel *c; 4534 int r; 4535 4536 c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1, 4537 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4538 c->host_port = 0; 4539 c->path = NULL; 4540 4541 /* 4542 * We need to open the channel before we have a FD, 4543 * so that we can get SOCKS header from peer. 4544 */ 4545 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || 4546 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 4547 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 4548 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 4549 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { 4550 fatal("%s: channel %i: confirm: %s", __func__, 4551 c->self, ssh_err(r)); 4552 } 4553 return c; 4554 } 4555 4556 /* Return CONNECTING socket to remote host:port or local socket path */ 4557 static int 4558 rdynamic_connect_finish(struct ssh *ssh, Channel *c) 4559 { 4560 struct channel_connect cctx; 4561 int sock; 4562 4563 memset(&cctx, 0, sizeof(cctx)); 4564 sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL, 4565 NULL, &cctx, NULL, NULL); 4566 if (sock == -1) 4567 channel_connect_ctx_free(&cctx); 4568 else { 4569 /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */ 4570 c->type = SSH_CHANNEL_RDYNAMIC_FINISH; 4571 c->connect_ctx = cctx; 4572 channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0); 4573 } 4574 return sock; 4575 } 4576 4577 /* -- X11 forwarding */ 4578 4579 /* 4580 * Creates an internet domain socket for listening for X11 connections. 4581 * Returns 0 and a suitable display number for the DISPLAY variable 4582 * stored in display_numberp , or -1 if an error occurs. 4583 */ 4584 int 4585 x11_create_display_inet(struct ssh *ssh, int x11_display_offset, 4586 int x11_use_localhost, int single_connection, 4587 u_int *display_numberp, int **chanids) 4588 { 4589 Channel *nc = NULL; 4590 int display_number, sock; 4591 u_short port; 4592 struct addrinfo hints, *ai, *aitop; 4593 char strport[NI_MAXSERV]; 4594 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 4595 4596 if (chanids == NULL) 4597 return -1; 4598 4599 for (display_number = x11_display_offset; 4600 display_number < MAX_DISPLAYS; 4601 display_number++) { 4602 port = 6000 + display_number; 4603 memset(&hints, 0, sizeof(hints)); 4604 hints.ai_family = ssh->chanctxt->IPv4or6; 4605 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 4606 hints.ai_socktype = SOCK_STREAM; 4607 snprintf(strport, sizeof strport, "%d", port); 4608 if ((gaierr = getaddrinfo(NULL, strport, 4609 &hints, &aitop)) != 0) { 4610 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 4611 return -1; 4612 } 4613 for (ai = aitop; ai; ai = ai->ai_next) { 4614 if (ai->ai_family != AF_INET && 4615 ai->ai_family != AF_INET6) 4616 continue; 4617 sock = socket(ai->ai_family, ai->ai_socktype, 4618 ai->ai_protocol); 4619 if (sock == -1) { 4620 if ((errno != EINVAL) && (errno != EAFNOSUPPORT) 4621 #ifdef EPFNOSUPPORT 4622 && (errno != EPFNOSUPPORT) 4623 #endif 4624 ) { 4625 error("socket: %.100s", strerror(errno)); 4626 freeaddrinfo(aitop); 4627 return -1; 4628 } else { 4629 debug("x11_create_display_inet: Socket family %d not supported", 4630 ai->ai_family); 4631 continue; 4632 } 4633 } 4634 if (ai->ai_family == AF_INET6) 4635 sock_set_v6only(sock); 4636 if (x11_use_localhost) 4637 set_reuseaddr(sock); 4638 if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) { 4639 debug2("%s: bind port %d: %.100s", __func__, 4640 port, strerror(errno)); 4641 close(sock); 4642 for (n = 0; n < num_socks; n++) 4643 close(socks[n]); 4644 num_socks = 0; 4645 break; 4646 } 4647 socks[num_socks++] = sock; 4648 if (num_socks == NUM_SOCKS) 4649 break; 4650 } 4651 freeaddrinfo(aitop); 4652 if (num_socks > 0) 4653 break; 4654 } 4655 if (display_number >= MAX_DISPLAYS) { 4656 error("Failed to allocate internet-domain X11 display socket."); 4657 return -1; 4658 } 4659 /* Start listening for connections on the socket. */ 4660 for (n = 0; n < num_socks; n++) { 4661 sock = socks[n]; 4662 if (listen(sock, SSH_LISTEN_BACKLOG) == -1) { 4663 error("listen: %.100s", strerror(errno)); 4664 close(sock); 4665 return -1; 4666 } 4667 } 4668 4669 /* Allocate a channel for each socket. */ 4670 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 4671 for (n = 0; n < num_socks; n++) { 4672 sock = socks[n]; 4673 nc = channel_new(ssh, "x11 listener", 4674 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 4675 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 4676 0, "X11 inet listener", 1); 4677 nc->single_connection = single_connection; 4678 (*chanids)[n] = nc->self; 4679 } 4680 (*chanids)[n] = -1; 4681 4682 /* Return the display number for the DISPLAY environment variable. */ 4683 *display_numberp = display_number; 4684 return 0; 4685 } 4686 4687 static int 4688 connect_local_xsocket_path(const char *pathname) 4689 { 4690 int sock; 4691 struct sockaddr_un addr; 4692 4693 sock = socket(AF_UNIX, SOCK_STREAM, 0); 4694 if (sock == -1) 4695 error("socket: %.100s", strerror(errno)); 4696 memset(&addr, 0, sizeof(addr)); 4697 addr.sun_family = AF_UNIX; 4698 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 4699 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 4700 return sock; 4701 close(sock); 4702 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 4703 return -1; 4704 } 4705 4706 static int 4707 connect_local_xsocket(u_int dnr) 4708 { 4709 char buf[1024]; 4710 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 4711 return connect_local_xsocket_path(buf); 4712 } 4713 4714 #ifdef __APPLE__ 4715 static int 4716 is_path_to_xsocket(const char *display, char *path, size_t pathlen) 4717 { 4718 struct stat sbuf; 4719 4720 if (strlcpy(path, display, pathlen) >= pathlen) { 4721 error("%s: display path too long", __func__); 4722 return 0; 4723 } 4724 if (display[0] != '/') 4725 return 0; 4726 if (stat(path, &sbuf) == 0) { 4727 return 1; 4728 } else { 4729 char *dot = strrchr(path, '.'); 4730 if (dot != NULL) { 4731 *dot = '\0'; 4732 if (stat(path, &sbuf) == 0) { 4733 return 1; 4734 } 4735 } 4736 } 4737 return 0; 4738 } 4739 #endif 4740 4741 int 4742 x11_connect_display(struct ssh *ssh) 4743 { 4744 u_int display_number; 4745 const char *display; 4746 char buf[1024], *cp; 4747 struct addrinfo hints, *ai, *aitop; 4748 char strport[NI_MAXSERV]; 4749 int gaierr, sock = 0; 4750 4751 /* Try to open a socket for the local X server. */ 4752 display = getenv("DISPLAY"); 4753 if (!display) { 4754 error("DISPLAY not set."); 4755 return -1; 4756 } 4757 /* 4758 * Now we decode the value of the DISPLAY variable and make a 4759 * connection to the real X server. 4760 */ 4761 4762 #ifdef __APPLE__ 4763 /* Check if display is a path to a socket (as set by launchd). */ 4764 { 4765 char path[PATH_MAX]; 4766 4767 if (is_path_to_xsocket(display, path, sizeof(path))) { 4768 debug("x11_connect_display: $DISPLAY is launchd"); 4769 4770 /* Create a socket. */ 4771 sock = connect_local_xsocket_path(path); 4772 if (sock < 0) 4773 return -1; 4774 4775 /* OK, we now have a connection to the display. */ 4776 return sock; 4777 } 4778 } 4779 #endif 4780 /* 4781 * Check if it is a unix domain socket. Unix domain displays are in 4782 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 4783 */ 4784 if (strncmp(display, "unix:", 5) == 0 || 4785 display[0] == ':') { 4786 /* Connect to the unix domain socket. */ 4787 if (sscanf(strrchr(display, ':') + 1, "%u", 4788 &display_number) != 1) { 4789 error("Could not parse display number from DISPLAY: " 4790 "%.100s", display); 4791 return -1; 4792 } 4793 /* Create a socket. */ 4794 sock = connect_local_xsocket(display_number); 4795 if (sock < 0) 4796 return -1; 4797 4798 /* OK, we now have a connection to the display. */ 4799 return sock; 4800 } 4801 /* 4802 * Connect to an inet socket. The DISPLAY value is supposedly 4803 * hostname:d[.s], where hostname may also be numeric IP address. 4804 */ 4805 strlcpy(buf, display, sizeof(buf)); 4806 cp = strchr(buf, ':'); 4807 if (!cp) { 4808 error("Could not find ':' in DISPLAY: %.100s", display); 4809 return -1; 4810 } 4811 *cp = 0; 4812 /* 4813 * buf now contains the host name. But first we parse the 4814 * display number. 4815 */ 4816 if (sscanf(cp + 1, "%u", &display_number) != 1) { 4817 error("Could not parse display number from DISPLAY: %.100s", 4818 display); 4819 return -1; 4820 } 4821 4822 /* Look up the host address */ 4823 memset(&hints, 0, sizeof(hints)); 4824 hints.ai_family = ssh->chanctxt->IPv4or6; 4825 hints.ai_socktype = SOCK_STREAM; 4826 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 4827 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 4828 error("%.100s: unknown host. (%s)", buf, 4829 ssh_gai_strerror(gaierr)); 4830 return -1; 4831 } 4832 for (ai = aitop; ai; ai = ai->ai_next) { 4833 /* Create a socket. */ 4834 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 4835 if (sock == -1) { 4836 debug2("socket: %.100s", strerror(errno)); 4837 continue; 4838 } 4839 /* Connect it to the display. */ 4840 if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) { 4841 debug2("connect %.100s port %u: %.100s", buf, 4842 6000 + display_number, strerror(errno)); 4843 close(sock); 4844 continue; 4845 } 4846 /* Success */ 4847 break; 4848 } 4849 freeaddrinfo(aitop); 4850 if (!ai) { 4851 error("connect %.100s port %u: %.100s", buf, 4852 6000 + display_number, strerror(errno)); 4853 return -1; 4854 } 4855 set_nodelay(sock); 4856 return sock; 4857 } 4858 4859 /* 4860 * Requests forwarding of X11 connections, generates fake authentication 4861 * data, and enables authentication spoofing. 4862 * This should be called in the client only. 4863 */ 4864 void 4865 x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id, 4866 const char *disp, const char *proto, const char *data, int want_reply) 4867 { 4868 struct ssh_channels *sc = ssh->chanctxt; 4869 u_int data_len = (u_int) strlen(data) / 2; 4870 u_int i, value; 4871 const char *cp; 4872 char *new_data; 4873 int r, screen_number; 4874 4875 if (sc->x11_saved_display == NULL) 4876 sc->x11_saved_display = xstrdup(disp); 4877 else if (strcmp(disp, sc->x11_saved_display) != 0) { 4878 error("x11_request_forwarding_with_spoofing: different " 4879 "$DISPLAY already forwarded"); 4880 return; 4881 } 4882 4883 cp = strchr(disp, ':'); 4884 if (cp) 4885 cp = strchr(cp, '.'); 4886 if (cp) 4887 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 4888 else 4889 screen_number = 0; 4890 4891 if (sc->x11_saved_proto == NULL) { 4892 /* Save protocol name. */ 4893 sc->x11_saved_proto = xstrdup(proto); 4894 4895 /* Extract real authentication data. */ 4896 sc->x11_saved_data = xmalloc(data_len); 4897 for (i = 0; i < data_len; i++) { 4898 if (sscanf(data + 2 * i, "%2x", &value) != 1) 4899 fatal("x11_request_forwarding: bad " 4900 "authentication data: %.100s", data); 4901 sc->x11_saved_data[i] = value; 4902 } 4903 sc->x11_saved_data_len = data_len; 4904 4905 /* Generate fake data of the same length. */ 4906 sc->x11_fake_data = xmalloc(data_len); 4907 arc4random_buf(sc->x11_fake_data, data_len); 4908 sc->x11_fake_data_len = data_len; 4909 } 4910 4911 /* Convert the fake data into hex. */ 4912 new_data = tohex(sc->x11_fake_data, data_len); 4913 4914 /* Send the request packet. */ 4915 channel_request_start(ssh, client_session_id, "x11-req", want_reply); 4916 if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */ 4917 (r = sshpkt_put_cstring(ssh, proto)) != 0 || 4918 (r = sshpkt_put_cstring(ssh, new_data)) != 0 || 4919 (r = sshpkt_put_u32(ssh, screen_number)) != 0 || 4920 (r = sshpkt_send(ssh)) != 0 || 4921 (r = ssh_packet_write_wait(ssh)) != 0) 4922 fatal("%s: send x11-req: %s", __func__, ssh_err(r)); 4923 free(new_data); 4924 } 4925