1 /* $OpenBSD: channels.c,v 1.389 2019/01/19 21:37:13 djm Exp $ */ 2 /* 3 * Author: Tatu Ylonen <ylo@cs.hut.fi> 4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 5 * All rights reserved 6 * This file contains functions for generic socket connection forwarding. 7 * There is also code for initiating connection forwarding for X11 connections, 8 * arbitrary tcp/ip connections, and the authentication agent connection. 9 * 10 * As far as I am concerned, the code I have written for this software 11 * can be used freely for any purpose. Any derived versions of this 12 * software must be clearly marked as such, and if the derived work is 13 * incompatible with the protocol description in the RFC file, it must be 14 * called by a name other than "ssh" or "Secure Shell". 15 * 16 * SSH2 support added by Markus Friedl. 17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 18 * Copyright (c) 1999 Dug Song. All rights reserved. 19 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 20 * 21 * Redistribution and use in source and binary forms, with or without 22 * modification, are permitted provided that the following conditions 23 * are met: 24 * 1. Redistributions of source code must retain the above copyright 25 * notice, this list of conditions and the following disclaimer. 26 * 2. Redistributions in binary form must reproduce the above copyright 27 * notice, this list of conditions and the following disclaimer in the 28 * documentation and/or other materials provided with the distribution. 29 * 30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40 */ 41 42 #include "includes.h" 43 44 #include <sys/types.h> 45 #include <sys/stat.h> 46 #include <sys/ioctl.h> 47 #include <sys/un.h> 48 #include <sys/socket.h> 49 #ifdef HAVE_SYS_TIME_H 50 # include <sys/time.h> 51 #endif 52 53 #include <netinet/in.h> 54 #include <arpa/inet.h> 55 56 #include <errno.h> 57 #include <fcntl.h> 58 #include <limits.h> 59 #include <netdb.h> 60 #include <stdarg.h> 61 #ifdef HAVE_STDINT_H 62 #include <stdint.h> 63 #endif 64 #include <stdio.h> 65 #include <stdlib.h> 66 #include <string.h> 67 #include <termios.h> 68 #include <unistd.h> 69 70 #include "openbsd-compat/sys-queue.h" 71 #include "xmalloc.h" 72 #include "ssh.h" 73 #include "ssh2.h" 74 #include "ssherr.h" 75 #include "sshbuf.h" 76 #include "packet.h" 77 #include "log.h" 78 #include "misc.h" 79 #include "channels.h" 80 #include "compat.h" 81 #include "canohost.h" 82 #include "sshkey.h" 83 #include "authfd.h" 84 #include "pathnames.h" 85 #include "match.h" 86 87 /* -- agent forwarding */ 88 #define NUM_SOCKS 10 89 90 /* -- tcp forwarding */ 91 /* special-case port number meaning allow any port */ 92 #define FWD_PERMIT_ANY_PORT 0 93 94 /* special-case wildcard meaning allow any host */ 95 #define FWD_PERMIT_ANY_HOST "*" 96 97 /* -- X11 forwarding */ 98 /* Maximum number of fake X11 displays to try. */ 99 #define MAX_DISPLAYS 1000 100 101 /* Per-channel callback for pre/post select() actions */ 102 typedef void chan_fn(struct ssh *, Channel *c, 103 fd_set *readset, fd_set *writeset); 104 105 /* 106 * Data structure for storing which hosts are permitted for forward requests. 107 * The local sides of any remote forwards are stored in this array to prevent 108 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 109 * network (which might be behind a firewall). 110 */ 111 /* XXX: streamlocal wants a path instead of host:port */ 112 /* Overload host_to_connect; we could just make this match Forward */ 113 /* XXX - can we use listen_host instead of listen_path? */ 114 struct permission { 115 char *host_to_connect; /* Connect to 'host'. */ 116 int port_to_connect; /* Connect to 'port'. */ 117 char *listen_host; /* Remote side should listen address. */ 118 char *listen_path; /* Remote side should listen path. */ 119 int listen_port; /* Remote side should listen port. */ 120 Channel *downstream; /* Downstream mux*/ 121 }; 122 123 /* 124 * Stores the forwarding permission state for a single direction (local or 125 * remote). 126 */ 127 struct permission_set { 128 /* 129 * List of all local permitted host/port pairs to allow for the 130 * user. 131 */ 132 u_int num_permitted_user; 133 struct permission *permitted_user; 134 135 /* 136 * List of all permitted host/port pairs to allow for the admin. 137 */ 138 u_int num_permitted_admin; 139 struct permission *permitted_admin; 140 141 /* 142 * If this is true, all opens/listens are permitted. This is the 143 * case on the server on which we have to trust the client anyway, 144 * and the user could do anything after logging in. 145 */ 146 int all_permitted; 147 }; 148 149 /* Master structure for channels state */ 150 struct ssh_channels { 151 /* 152 * Pointer to an array containing all allocated channels. The array 153 * is dynamically extended as needed. 154 */ 155 Channel **channels; 156 157 /* 158 * Size of the channel array. All slots of the array must always be 159 * initialized (at least the type field); unused slots set to NULL 160 */ 161 u_int channels_alloc; 162 163 /* 164 * Maximum file descriptor value used in any of the channels. This is 165 * updated in channel_new. 166 */ 167 int channel_max_fd; 168 169 /* 170 * 'channel_pre*' are called just before select() to add any bits 171 * relevant to channels in the select bitmasks. 172 * 173 * 'channel_post*': perform any appropriate operations for 174 * channels which have events pending. 175 */ 176 chan_fn **channel_pre; 177 chan_fn **channel_post; 178 179 /* -- tcp forwarding */ 180 struct permission_set local_perms; 181 struct permission_set remote_perms; 182 183 /* -- X11 forwarding */ 184 185 /* Saved X11 local (client) display. */ 186 char *x11_saved_display; 187 188 /* Saved X11 authentication protocol name. */ 189 char *x11_saved_proto; 190 191 /* Saved X11 authentication data. This is the real data. */ 192 char *x11_saved_data; 193 u_int x11_saved_data_len; 194 195 /* Deadline after which all X11 connections are refused */ 196 u_int x11_refuse_time; 197 198 /* 199 * Fake X11 authentication data. This is what the server will be 200 * sending us; we should replace any occurrences of this by the 201 * real data. 202 */ 203 u_char *x11_fake_data; 204 u_int x11_fake_data_len; 205 206 /* AF_UNSPEC or AF_INET or AF_INET6 */ 207 int IPv4or6; 208 }; 209 210 /* helper */ 211 static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype); 212 static const char *channel_rfwd_bind_host(const char *listen_host); 213 214 /* non-blocking connect helpers */ 215 static int connect_next(struct channel_connect *); 216 static void channel_connect_ctx_free(struct channel_connect *); 217 static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *); 218 static int rdynamic_connect_finish(struct ssh *, Channel *); 219 220 /* Setup helper */ 221 static void channel_handler_init(struct ssh_channels *sc); 222 223 /* -- channel core */ 224 225 void 226 channel_init_channels(struct ssh *ssh) 227 { 228 struct ssh_channels *sc; 229 230 if ((sc = calloc(1, sizeof(*sc))) == NULL) 231 fatal("%s: allocation failed", __func__); 232 sc->channels_alloc = 10; 233 sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels)); 234 sc->IPv4or6 = AF_UNSPEC; 235 channel_handler_init(sc); 236 237 ssh->chanctxt = sc; 238 } 239 240 Channel * 241 channel_by_id(struct ssh *ssh, int id) 242 { 243 Channel *c; 244 245 if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) { 246 logit("%s: %d: bad id", __func__, id); 247 return NULL; 248 } 249 c = ssh->chanctxt->channels[id]; 250 if (c == NULL) { 251 logit("%s: %d: bad id: channel free", __func__, id); 252 return NULL; 253 } 254 return c; 255 } 256 257 Channel * 258 channel_by_remote_id(struct ssh *ssh, u_int remote_id) 259 { 260 Channel *c; 261 u_int i; 262 263 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 264 c = ssh->chanctxt->channels[i]; 265 if (c != NULL && c->have_remote_id && c->remote_id == remote_id) 266 return c; 267 } 268 return NULL; 269 } 270 271 /* 272 * Returns the channel if it is allowed to receive protocol messages. 273 * Private channels, like listening sockets, may not receive messages. 274 */ 275 Channel * 276 channel_lookup(struct ssh *ssh, int id) 277 { 278 Channel *c; 279 280 if ((c = channel_by_id(ssh, id)) == NULL) 281 return NULL; 282 283 switch (c->type) { 284 case SSH_CHANNEL_X11_OPEN: 285 case SSH_CHANNEL_LARVAL: 286 case SSH_CHANNEL_CONNECTING: 287 case SSH_CHANNEL_DYNAMIC: 288 case SSH_CHANNEL_RDYNAMIC_OPEN: 289 case SSH_CHANNEL_RDYNAMIC_FINISH: 290 case SSH_CHANNEL_OPENING: 291 case SSH_CHANNEL_OPEN: 292 case SSH_CHANNEL_ABANDONED: 293 case SSH_CHANNEL_MUX_PROXY: 294 return c; 295 } 296 logit("Non-public channel %d, type %d.", id, c->type); 297 return NULL; 298 } 299 300 /* 301 * Register filedescriptors for a channel, used when allocating a channel or 302 * when the channel consumer/producer is ready, e.g. shell exec'd 303 */ 304 static void 305 channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd, 306 int extusage, int nonblock, int is_tty) 307 { 308 struct ssh_channels *sc = ssh->chanctxt; 309 310 /* Update the maximum file descriptor value. */ 311 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, rfd); 312 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, wfd); 313 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, efd); 314 315 if (rfd != -1) 316 fcntl(rfd, F_SETFD, FD_CLOEXEC); 317 if (wfd != -1 && wfd != rfd) 318 fcntl(wfd, F_SETFD, FD_CLOEXEC); 319 if (efd != -1 && efd != rfd && efd != wfd) 320 fcntl(efd, F_SETFD, FD_CLOEXEC); 321 322 c->rfd = rfd; 323 c->wfd = wfd; 324 c->sock = (rfd == wfd) ? rfd : -1; 325 c->efd = efd; 326 c->extended_usage = extusage; 327 328 if ((c->isatty = is_tty) != 0) 329 debug2("channel %d: rfd %d isatty", c->self, c->rfd); 330 #ifdef _AIX 331 /* XXX: Later AIX versions can't push as much data to tty */ 332 c->wfd_isatty = is_tty || isatty(c->wfd); 333 #endif 334 335 /* enable nonblocking mode */ 336 if (nonblock) { 337 if (rfd != -1) 338 set_nonblock(rfd); 339 if (wfd != -1) 340 set_nonblock(wfd); 341 if (efd != -1) 342 set_nonblock(efd); 343 } 344 } 345 346 /* 347 * Allocate a new channel object and set its type and socket. This will cause 348 * remote_name to be freed. 349 */ 350 Channel * 351 channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd, 352 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock) 353 { 354 struct ssh_channels *sc = ssh->chanctxt; 355 u_int i, found; 356 Channel *c; 357 358 /* Try to find a free slot where to put the new channel. */ 359 for (i = 0; i < sc->channels_alloc; i++) { 360 if (sc->channels[i] == NULL) { 361 /* Found a free slot. */ 362 found = i; 363 break; 364 } 365 } 366 if (i >= sc->channels_alloc) { 367 /* 368 * There are no free slots. Take last+1 slot and expand 369 * the array. 370 */ 371 found = sc->channels_alloc; 372 if (sc->channels_alloc > CHANNELS_MAX_CHANNELS) 373 fatal("%s: internal error: channels_alloc %d too big", 374 __func__, sc->channels_alloc); 375 sc->channels = xrecallocarray(sc->channels, sc->channels_alloc, 376 sc->channels_alloc + 10, sizeof(*sc->channels)); 377 sc->channels_alloc += 10; 378 debug2("channel: expanding %d", sc->channels_alloc); 379 } 380 /* Initialize and return new channel. */ 381 c = sc->channels[found] = xcalloc(1, sizeof(Channel)); 382 if ((c->input = sshbuf_new()) == NULL || 383 (c->output = sshbuf_new()) == NULL || 384 (c->extended = sshbuf_new()) == NULL) 385 fatal("%s: sshbuf_new failed", __func__); 386 c->ostate = CHAN_OUTPUT_OPEN; 387 c->istate = CHAN_INPUT_OPEN; 388 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0); 389 c->self = found; 390 c->type = type; 391 c->ctype = ctype; 392 c->local_window = window; 393 c->local_window_max = window; 394 c->local_maxpacket = maxpack; 395 c->remote_name = xstrdup(remote_name); 396 c->ctl_chan = -1; 397 c->delayed = 1; /* prevent call to channel_post handler */ 398 TAILQ_INIT(&c->status_confirms); 399 debug("channel %d: new [%s]", found, remote_name); 400 return c; 401 } 402 403 static void 404 channel_find_maxfd(struct ssh_channels *sc) 405 { 406 u_int i; 407 int max = 0; 408 Channel *c; 409 410 for (i = 0; i < sc->channels_alloc; i++) { 411 c = sc->channels[i]; 412 if (c != NULL) { 413 max = MAXIMUM(max, c->rfd); 414 max = MAXIMUM(max, c->wfd); 415 max = MAXIMUM(max, c->efd); 416 } 417 } 418 sc->channel_max_fd = max; 419 } 420 421 int 422 channel_close_fd(struct ssh *ssh, int *fdp) 423 { 424 struct ssh_channels *sc = ssh->chanctxt; 425 int ret = 0, fd = *fdp; 426 427 if (fd != -1) { 428 ret = close(fd); 429 *fdp = -1; 430 if (fd == sc->channel_max_fd) 431 channel_find_maxfd(sc); 432 } 433 return ret; 434 } 435 436 /* Close all channel fd/socket. */ 437 static void 438 channel_close_fds(struct ssh *ssh, Channel *c) 439 { 440 int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd; 441 442 channel_close_fd(ssh, &c->sock); 443 if (rfd != sock) 444 channel_close_fd(ssh, &c->rfd); 445 if (wfd != sock && wfd != rfd) 446 channel_close_fd(ssh, &c->wfd); 447 if (efd != sock && efd != rfd && efd != wfd) 448 channel_close_fd(ssh, &c->efd); 449 } 450 451 static void 452 fwd_perm_clear(struct permission *perm) 453 { 454 free(perm->host_to_connect); 455 free(perm->listen_host); 456 free(perm->listen_path); 457 bzero(perm, sizeof(*perm)); 458 } 459 460 /* Returns an printable name for the specified forwarding permission list */ 461 static const char * 462 fwd_ident(int who, int where) 463 { 464 if (who == FORWARD_ADM) { 465 if (where == FORWARD_LOCAL) 466 return "admin local"; 467 else if (where == FORWARD_REMOTE) 468 return "admin remote"; 469 } else if (who == FORWARD_USER) { 470 if (where == FORWARD_LOCAL) 471 return "user local"; 472 else if (where == FORWARD_REMOTE) 473 return "user remote"; 474 } 475 fatal("Unknown forward permission list %d/%d", who, where); 476 } 477 478 /* Returns the forwarding permission list for the specified direction */ 479 static struct permission_set * 480 permission_set_get(struct ssh *ssh, int where) 481 { 482 struct ssh_channels *sc = ssh->chanctxt; 483 484 switch (where) { 485 case FORWARD_LOCAL: 486 return &sc->local_perms; 487 break; 488 case FORWARD_REMOTE: 489 return &sc->remote_perms; 490 break; 491 default: 492 fatal("%s: invalid forwarding direction %d", __func__, where); 493 } 494 } 495 496 /* Reutrns pointers to the specified forwarding list and its element count */ 497 static void 498 permission_set_get_array(struct ssh *ssh, int who, int where, 499 struct permission ***permpp, u_int **npermpp) 500 { 501 struct permission_set *pset = permission_set_get(ssh, where); 502 503 switch (who) { 504 case FORWARD_USER: 505 *permpp = &pset->permitted_user; 506 *npermpp = &pset->num_permitted_user; 507 break; 508 case FORWARD_ADM: 509 *permpp = &pset->permitted_admin; 510 *npermpp = &pset->num_permitted_admin; 511 break; 512 default: 513 fatal("%s: invalid forwarding client %d", __func__, who); 514 } 515 } 516 517 /* Adds an entry to the spcified forwarding list */ 518 static int 519 permission_set_add(struct ssh *ssh, int who, int where, 520 const char *host_to_connect, int port_to_connect, 521 const char *listen_host, const char *listen_path, int listen_port, 522 Channel *downstream) 523 { 524 struct permission **permp; 525 u_int n, *npermp; 526 527 permission_set_get_array(ssh, who, where, &permp, &npermp); 528 529 if (*npermp >= INT_MAX) 530 fatal("%s: %s overflow", __func__, fwd_ident(who, where)); 531 532 *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp)); 533 n = (*npermp)++; 534 #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s)) 535 (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect); 536 (*permp)[n].port_to_connect = port_to_connect; 537 (*permp)[n].listen_host = MAYBE_DUP(listen_host); 538 (*permp)[n].listen_path = MAYBE_DUP(listen_path); 539 (*permp)[n].listen_port = listen_port; 540 (*permp)[n].downstream = downstream; 541 #undef MAYBE_DUP 542 return (int)n; 543 } 544 545 static void 546 mux_remove_remote_forwardings(struct ssh *ssh, Channel *c) 547 { 548 struct ssh_channels *sc = ssh->chanctxt; 549 struct permission_set *pset = &sc->local_perms; 550 struct permission *perm; 551 int r; 552 u_int i; 553 554 for (i = 0; i < pset->num_permitted_user; i++) { 555 perm = &pset->permitted_user[i]; 556 if (perm->downstream != c) 557 continue; 558 559 /* cancel on the server, since mux client is gone */ 560 debug("channel %d: cleanup remote forward for %s:%u", 561 c->self, perm->listen_host, perm->listen_port); 562 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 563 (r = sshpkt_put_cstring(ssh, 564 "cancel-tcpip-forward")) != 0 || 565 (r = sshpkt_put_u8(ssh, 0)) != 0 || 566 (r = sshpkt_put_cstring(ssh, 567 channel_rfwd_bind_host(perm->listen_host))) != 0 || 568 (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 || 569 (r = sshpkt_send(ssh)) != 0) { 570 fatal("%s: channel %i: %s", __func__, 571 c->self, ssh_err(r)); 572 } 573 fwd_perm_clear(perm); /* unregister */ 574 } 575 } 576 577 /* Free the channel and close its fd/socket. */ 578 void 579 channel_free(struct ssh *ssh, Channel *c) 580 { 581 struct ssh_channels *sc = ssh->chanctxt; 582 char *s; 583 u_int i, n; 584 Channel *other; 585 struct channel_confirm *cc; 586 587 for (n = 0, i = 0; i < sc->channels_alloc; i++) { 588 if ((other = sc->channels[i]) == NULL) 589 continue; 590 n++; 591 /* detach from mux client and prepare for closing */ 592 if (c->type == SSH_CHANNEL_MUX_CLIENT && 593 other->type == SSH_CHANNEL_MUX_PROXY && 594 other->mux_ctx == c) { 595 other->mux_ctx = NULL; 596 other->type = SSH_CHANNEL_OPEN; 597 other->istate = CHAN_INPUT_CLOSED; 598 other->ostate = CHAN_OUTPUT_CLOSED; 599 } 600 } 601 debug("channel %d: free: %s, nchannels %u", c->self, 602 c->remote_name ? c->remote_name : "???", n); 603 604 if (c->type == SSH_CHANNEL_MUX_CLIENT) 605 mux_remove_remote_forwardings(ssh, c); 606 607 if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) { 608 s = channel_open_message(ssh); 609 debug3("channel %d: status: %s", c->self, s); 610 free(s); 611 } 612 613 channel_close_fds(ssh, c); 614 sshbuf_free(c->input); 615 sshbuf_free(c->output); 616 sshbuf_free(c->extended); 617 c->input = c->output = c->extended = NULL; 618 free(c->remote_name); 619 c->remote_name = NULL; 620 free(c->path); 621 c->path = NULL; 622 free(c->listening_addr); 623 c->listening_addr = NULL; 624 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) { 625 if (cc->abandon_cb != NULL) 626 cc->abandon_cb(ssh, c, cc->ctx); 627 TAILQ_REMOVE(&c->status_confirms, cc, entry); 628 explicit_bzero(cc, sizeof(*cc)); 629 free(cc); 630 } 631 if (c->filter_cleanup != NULL && c->filter_ctx != NULL) 632 c->filter_cleanup(ssh, c->self, c->filter_ctx); 633 sc->channels[c->self] = NULL; 634 explicit_bzero(c, sizeof(*c)); 635 free(c); 636 } 637 638 void 639 channel_free_all(struct ssh *ssh) 640 { 641 u_int i; 642 643 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) 644 if (ssh->chanctxt->channels[i] != NULL) 645 channel_free(ssh, ssh->chanctxt->channels[i]); 646 } 647 648 /* 649 * Closes the sockets/fds of all channels. This is used to close extra file 650 * descriptors after a fork. 651 */ 652 void 653 channel_close_all(struct ssh *ssh) 654 { 655 u_int i; 656 657 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) 658 if (ssh->chanctxt->channels[i] != NULL) 659 channel_close_fds(ssh, ssh->chanctxt->channels[i]); 660 } 661 662 /* 663 * Stop listening to channels. 664 */ 665 void 666 channel_stop_listening(struct ssh *ssh) 667 { 668 u_int i; 669 Channel *c; 670 671 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 672 c = ssh->chanctxt->channels[i]; 673 if (c != NULL) { 674 switch (c->type) { 675 case SSH_CHANNEL_AUTH_SOCKET: 676 case SSH_CHANNEL_PORT_LISTENER: 677 case SSH_CHANNEL_RPORT_LISTENER: 678 case SSH_CHANNEL_X11_LISTENER: 679 case SSH_CHANNEL_UNIX_LISTENER: 680 case SSH_CHANNEL_RUNIX_LISTENER: 681 channel_close_fd(ssh, &c->sock); 682 channel_free(ssh, c); 683 break; 684 } 685 } 686 } 687 } 688 689 /* 690 * Returns true if no channel has too much buffered data, and false if one or 691 * more channel is overfull. 692 */ 693 int 694 channel_not_very_much_buffered_data(struct ssh *ssh) 695 { 696 u_int i; 697 u_int maxsize = ssh_packet_get_maxsize(ssh); 698 Channel *c; 699 700 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 701 c = ssh->chanctxt->channels[i]; 702 if (c == NULL || c->type != SSH_CHANNEL_OPEN) 703 continue; 704 if (sshbuf_len(c->output) > maxsize) { 705 debug2("channel %d: big output buffer %zu > %u", 706 c->self, sshbuf_len(c->output), maxsize); 707 return 0; 708 } 709 } 710 return 1; 711 } 712 713 /* Returns true if any channel is still open. */ 714 int 715 channel_still_open(struct ssh *ssh) 716 { 717 u_int i; 718 Channel *c; 719 720 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 721 c = ssh->chanctxt->channels[i]; 722 if (c == NULL) 723 continue; 724 switch (c->type) { 725 case SSH_CHANNEL_X11_LISTENER: 726 case SSH_CHANNEL_PORT_LISTENER: 727 case SSH_CHANNEL_RPORT_LISTENER: 728 case SSH_CHANNEL_MUX_LISTENER: 729 case SSH_CHANNEL_CLOSED: 730 case SSH_CHANNEL_AUTH_SOCKET: 731 case SSH_CHANNEL_DYNAMIC: 732 case SSH_CHANNEL_RDYNAMIC_OPEN: 733 case SSH_CHANNEL_CONNECTING: 734 case SSH_CHANNEL_ZOMBIE: 735 case SSH_CHANNEL_ABANDONED: 736 case SSH_CHANNEL_UNIX_LISTENER: 737 case SSH_CHANNEL_RUNIX_LISTENER: 738 continue; 739 case SSH_CHANNEL_LARVAL: 740 continue; 741 case SSH_CHANNEL_OPENING: 742 case SSH_CHANNEL_OPEN: 743 case SSH_CHANNEL_RDYNAMIC_FINISH: 744 case SSH_CHANNEL_X11_OPEN: 745 case SSH_CHANNEL_MUX_CLIENT: 746 case SSH_CHANNEL_MUX_PROXY: 747 return 1; 748 default: 749 fatal("%s: bad channel type %d", __func__, c->type); 750 /* NOTREACHED */ 751 } 752 } 753 return 0; 754 } 755 756 /* Returns the id of an open channel suitable for keepaliving */ 757 int 758 channel_find_open(struct ssh *ssh) 759 { 760 u_int i; 761 Channel *c; 762 763 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 764 c = ssh->chanctxt->channels[i]; 765 if (c == NULL || !c->have_remote_id) 766 continue; 767 switch (c->type) { 768 case SSH_CHANNEL_CLOSED: 769 case SSH_CHANNEL_DYNAMIC: 770 case SSH_CHANNEL_RDYNAMIC_OPEN: 771 case SSH_CHANNEL_RDYNAMIC_FINISH: 772 case SSH_CHANNEL_X11_LISTENER: 773 case SSH_CHANNEL_PORT_LISTENER: 774 case SSH_CHANNEL_RPORT_LISTENER: 775 case SSH_CHANNEL_MUX_LISTENER: 776 case SSH_CHANNEL_MUX_CLIENT: 777 case SSH_CHANNEL_MUX_PROXY: 778 case SSH_CHANNEL_OPENING: 779 case SSH_CHANNEL_CONNECTING: 780 case SSH_CHANNEL_ZOMBIE: 781 case SSH_CHANNEL_ABANDONED: 782 case SSH_CHANNEL_UNIX_LISTENER: 783 case SSH_CHANNEL_RUNIX_LISTENER: 784 continue; 785 case SSH_CHANNEL_LARVAL: 786 case SSH_CHANNEL_AUTH_SOCKET: 787 case SSH_CHANNEL_OPEN: 788 case SSH_CHANNEL_X11_OPEN: 789 return i; 790 default: 791 fatal("%s: bad channel type %d", __func__, c->type); 792 /* NOTREACHED */ 793 } 794 } 795 return -1; 796 } 797 798 /* Returns the state of the channel's extended usage flag */ 799 const char * 800 channel_format_extended_usage(const Channel *c) 801 { 802 if (c->efd == -1) 803 return "closed"; 804 805 switch (c->extended_usage) { 806 case CHAN_EXTENDED_WRITE: 807 return "write"; 808 case CHAN_EXTENDED_READ: 809 return "read"; 810 case CHAN_EXTENDED_IGNORE: 811 return "ignore"; 812 default: 813 return "UNKNOWN"; 814 } 815 } 816 817 static char * 818 channel_format_status(const Channel *c) 819 { 820 char *ret = NULL; 821 822 xasprintf(&ret, "t%d %s%u i%u/%zu o%u/%zu e[%s]/%zu " 823 "fd %d/%d/%d sock %d cc %d", 824 c->type, 825 c->have_remote_id ? "r" : "nr", c->remote_id, 826 c->istate, sshbuf_len(c->input), 827 c->ostate, sshbuf_len(c->output), 828 channel_format_extended_usage(c), sshbuf_len(c->extended), 829 c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan); 830 return ret; 831 } 832 833 /* 834 * Returns a message describing the currently open forwarded connections, 835 * suitable for sending to the client. The message contains crlf pairs for 836 * newlines. 837 */ 838 char * 839 channel_open_message(struct ssh *ssh) 840 { 841 struct sshbuf *buf; 842 Channel *c; 843 u_int i; 844 int r; 845 char *cp, *ret; 846 847 if ((buf = sshbuf_new()) == NULL) 848 fatal("%s: sshbuf_new", __func__); 849 if ((r = sshbuf_putf(buf, 850 "The following connections are open:\r\n")) != 0) 851 fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r)); 852 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 853 c = ssh->chanctxt->channels[i]; 854 if (c == NULL) 855 continue; 856 switch (c->type) { 857 case SSH_CHANNEL_X11_LISTENER: 858 case SSH_CHANNEL_PORT_LISTENER: 859 case SSH_CHANNEL_RPORT_LISTENER: 860 case SSH_CHANNEL_CLOSED: 861 case SSH_CHANNEL_AUTH_SOCKET: 862 case SSH_CHANNEL_ZOMBIE: 863 case SSH_CHANNEL_ABANDONED: 864 case SSH_CHANNEL_MUX_LISTENER: 865 case SSH_CHANNEL_UNIX_LISTENER: 866 case SSH_CHANNEL_RUNIX_LISTENER: 867 continue; 868 case SSH_CHANNEL_LARVAL: 869 case SSH_CHANNEL_OPENING: 870 case SSH_CHANNEL_CONNECTING: 871 case SSH_CHANNEL_DYNAMIC: 872 case SSH_CHANNEL_RDYNAMIC_OPEN: 873 case SSH_CHANNEL_RDYNAMIC_FINISH: 874 case SSH_CHANNEL_OPEN: 875 case SSH_CHANNEL_X11_OPEN: 876 case SSH_CHANNEL_MUX_PROXY: 877 case SSH_CHANNEL_MUX_CLIENT: 878 cp = channel_format_status(c); 879 if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n", 880 c->self, c->remote_name, cp)) != 0) { 881 free(cp); 882 fatal("%s: sshbuf_putf: %s", 883 __func__, ssh_err(r)); 884 } 885 free(cp); 886 continue; 887 default: 888 fatal("%s: bad channel type %d", __func__, c->type); 889 /* NOTREACHED */ 890 } 891 } 892 if ((ret = sshbuf_dup_string(buf)) == NULL) 893 fatal("%s: sshbuf_dup_string", __func__); 894 sshbuf_free(buf); 895 return ret; 896 } 897 898 static void 899 open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type) 900 { 901 int r; 902 903 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 || 904 (r = sshpkt_put_cstring(ssh, type)) != 0 || 905 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 906 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 907 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { 908 fatal("%s: channel %i: open: %s", where, c->self, ssh_err(r)); 909 } 910 } 911 912 void 913 channel_send_open(struct ssh *ssh, int id) 914 { 915 Channel *c = channel_lookup(ssh, id); 916 int r; 917 918 if (c == NULL) { 919 logit("channel_send_open: %d: bad id", id); 920 return; 921 } 922 debug2("channel %d: send open", id); 923 open_preamble(ssh, __func__, c, c->ctype); 924 if ((r = sshpkt_send(ssh)) != 0) 925 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 926 } 927 928 void 929 channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm) 930 { 931 Channel *c = channel_lookup(ssh, id); 932 int r; 933 934 if (c == NULL) { 935 logit("%s: %d: unknown channel id", __func__, id); 936 return; 937 } 938 if (!c->have_remote_id) 939 fatal(":%s: channel %d: no remote id", __func__, c->self); 940 941 debug2("channel %d: request %s confirm %d", id, service, wantconfirm); 942 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 || 943 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 944 (r = sshpkt_put_cstring(ssh, service)) != 0 || 945 (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) { 946 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 947 } 948 } 949 950 void 951 channel_register_status_confirm(struct ssh *ssh, int id, 952 channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx) 953 { 954 struct channel_confirm *cc; 955 Channel *c; 956 957 if ((c = channel_lookup(ssh, id)) == NULL) 958 fatal("%s: %d: bad id", __func__, id); 959 960 cc = xcalloc(1, sizeof(*cc)); 961 cc->cb = cb; 962 cc->abandon_cb = abandon_cb; 963 cc->ctx = ctx; 964 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry); 965 } 966 967 void 968 channel_register_open_confirm(struct ssh *ssh, int id, 969 channel_open_fn *fn, void *ctx) 970 { 971 Channel *c = channel_lookup(ssh, id); 972 973 if (c == NULL) { 974 logit("%s: %d: bad id", __func__, id); 975 return; 976 } 977 c->open_confirm = fn; 978 c->open_confirm_ctx = ctx; 979 } 980 981 void 982 channel_register_cleanup(struct ssh *ssh, int id, 983 channel_callback_fn *fn, int do_close) 984 { 985 Channel *c = channel_by_id(ssh, id); 986 987 if (c == NULL) { 988 logit("%s: %d: bad id", __func__, id); 989 return; 990 } 991 c->detach_user = fn; 992 c->detach_close = do_close; 993 } 994 995 void 996 channel_cancel_cleanup(struct ssh *ssh, int id) 997 { 998 Channel *c = channel_by_id(ssh, id); 999 1000 if (c == NULL) { 1001 logit("%s: %d: bad id", __func__, id); 1002 return; 1003 } 1004 c->detach_user = NULL; 1005 c->detach_close = 0; 1006 } 1007 1008 void 1009 channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn, 1010 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx) 1011 { 1012 Channel *c = channel_lookup(ssh, id); 1013 1014 if (c == NULL) { 1015 logit("%s: %d: bad id", __func__, id); 1016 return; 1017 } 1018 c->input_filter = ifn; 1019 c->output_filter = ofn; 1020 c->filter_ctx = ctx; 1021 c->filter_cleanup = cfn; 1022 } 1023 1024 void 1025 channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd, 1026 int extusage, int nonblock, int is_tty, u_int window_max) 1027 { 1028 Channel *c = channel_lookup(ssh, id); 1029 int r; 1030 1031 if (c == NULL || c->type != SSH_CHANNEL_LARVAL) 1032 fatal("channel_activate for non-larval channel %d.", id); 1033 if (!c->have_remote_id) 1034 fatal(":%s: channel %d: no remote id", __func__, c->self); 1035 1036 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty); 1037 c->type = SSH_CHANNEL_OPEN; 1038 c->local_window = c->local_window_max = window_max; 1039 1040 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || 1041 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1042 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 1043 (r = sshpkt_send(ssh)) != 0) 1044 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 1045 } 1046 1047 static void 1048 channel_pre_listener(struct ssh *ssh, Channel *c, 1049 fd_set *readset, fd_set *writeset) 1050 { 1051 FD_SET(c->sock, readset); 1052 } 1053 1054 static void 1055 channel_pre_connecting(struct ssh *ssh, Channel *c, 1056 fd_set *readset, fd_set *writeset) 1057 { 1058 debug3("channel %d: waiting for connection", c->self); 1059 FD_SET(c->sock, writeset); 1060 } 1061 1062 static void 1063 channel_pre_open(struct ssh *ssh, Channel *c, 1064 fd_set *readset, fd_set *writeset) 1065 { 1066 if (c->istate == CHAN_INPUT_OPEN && 1067 c->remote_window > 0 && 1068 sshbuf_len(c->input) < c->remote_window && 1069 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0) 1070 FD_SET(c->rfd, readset); 1071 if (c->ostate == CHAN_OUTPUT_OPEN || 1072 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1073 if (sshbuf_len(c->output) > 0) { 1074 FD_SET(c->wfd, writeset); 1075 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1076 if (CHANNEL_EFD_OUTPUT_ACTIVE(c)) 1077 debug2("channel %d: " 1078 "obuf_empty delayed efd %d/(%zu)", c->self, 1079 c->efd, sshbuf_len(c->extended)); 1080 else 1081 chan_obuf_empty(ssh, c); 1082 } 1083 } 1084 /** XXX check close conditions, too */ 1085 if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED && 1086 c->ostate == CHAN_OUTPUT_CLOSED)) { 1087 if (c->extended_usage == CHAN_EXTENDED_WRITE && 1088 sshbuf_len(c->extended) > 0) 1089 FD_SET(c->efd, writeset); 1090 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) && 1091 (c->extended_usage == CHAN_EXTENDED_READ || 1092 c->extended_usage == CHAN_EXTENDED_IGNORE) && 1093 sshbuf_len(c->extended) < c->remote_window) 1094 FD_SET(c->efd, readset); 1095 } 1096 /* XXX: What about efd? races? */ 1097 } 1098 1099 /* 1100 * This is a special state for X11 authentication spoofing. An opened X11 1101 * connection (when authentication spoofing is being done) remains in this 1102 * state until the first packet has been completely read. The authentication 1103 * data in that packet is then substituted by the real data if it matches the 1104 * fake data, and the channel is put into normal mode. 1105 * XXX All this happens at the client side. 1106 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok 1107 */ 1108 static int 1109 x11_open_helper(struct ssh *ssh, struct sshbuf *b) 1110 { 1111 struct ssh_channels *sc = ssh->chanctxt; 1112 u_char *ucp; 1113 u_int proto_len, data_len; 1114 1115 /* Is this being called after the refusal deadline? */ 1116 if (sc->x11_refuse_time != 0 && 1117 (u_int)monotime() >= sc->x11_refuse_time) { 1118 verbose("Rejected X11 connection after ForwardX11Timeout " 1119 "expired"); 1120 return -1; 1121 } 1122 1123 /* Check if the fixed size part of the packet is in buffer. */ 1124 if (sshbuf_len(b) < 12) 1125 return 0; 1126 1127 /* Parse the lengths of variable-length fields. */ 1128 ucp = sshbuf_mutable_ptr(b); 1129 if (ucp[0] == 0x42) { /* Byte order MSB first. */ 1130 proto_len = 256 * ucp[6] + ucp[7]; 1131 data_len = 256 * ucp[8] + ucp[9]; 1132 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */ 1133 proto_len = ucp[6] + 256 * ucp[7]; 1134 data_len = ucp[8] + 256 * ucp[9]; 1135 } else { 1136 debug2("Initial X11 packet contains bad byte order byte: 0x%x", 1137 ucp[0]); 1138 return -1; 1139 } 1140 1141 /* Check if the whole packet is in buffer. */ 1142 if (sshbuf_len(b) < 1143 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3)) 1144 return 0; 1145 1146 /* Check if authentication protocol matches. */ 1147 if (proto_len != strlen(sc->x11_saved_proto) || 1148 memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) { 1149 debug2("X11 connection uses different authentication protocol."); 1150 return -1; 1151 } 1152 /* Check if authentication data matches our fake data. */ 1153 if (data_len != sc->x11_fake_data_len || 1154 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3), 1155 sc->x11_fake_data, sc->x11_fake_data_len) != 0) { 1156 debug2("X11 auth data does not match fake data."); 1157 return -1; 1158 } 1159 /* Check fake data length */ 1160 if (sc->x11_fake_data_len != sc->x11_saved_data_len) { 1161 error("X11 fake_data_len %d != saved_data_len %d", 1162 sc->x11_fake_data_len, sc->x11_saved_data_len); 1163 return -1; 1164 } 1165 /* 1166 * Received authentication protocol and data match 1167 * our fake data. Substitute the fake data with real 1168 * data. 1169 */ 1170 memcpy(ucp + 12 + ((proto_len + 3) & ~3), 1171 sc->x11_saved_data, sc->x11_saved_data_len); 1172 return 1; 1173 } 1174 1175 static void 1176 channel_pre_x11_open(struct ssh *ssh, Channel *c, 1177 fd_set *readset, fd_set *writeset) 1178 { 1179 int ret = x11_open_helper(ssh, c->output); 1180 1181 /* c->force_drain = 1; */ 1182 1183 if (ret == 1) { 1184 c->type = SSH_CHANNEL_OPEN; 1185 channel_pre_open(ssh, c, readset, writeset); 1186 } else if (ret == -1) { 1187 logit("X11 connection rejected because of wrong authentication."); 1188 debug2("X11 rejected %d i%d/o%d", 1189 c->self, c->istate, c->ostate); 1190 chan_read_failed(ssh, c); 1191 sshbuf_reset(c->input); 1192 chan_ibuf_empty(ssh, c); 1193 sshbuf_reset(c->output); 1194 chan_write_failed(ssh, c); 1195 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate); 1196 } 1197 } 1198 1199 static void 1200 channel_pre_mux_client(struct ssh *ssh, 1201 Channel *c, fd_set *readset, fd_set *writeset) 1202 { 1203 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause && 1204 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0) 1205 FD_SET(c->rfd, readset); 1206 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 1207 /* clear buffer immediately (discard any partial packet) */ 1208 sshbuf_reset(c->input); 1209 chan_ibuf_empty(ssh, c); 1210 /* Start output drain. XXX just kill chan? */ 1211 chan_rcvd_oclose(ssh, c); 1212 } 1213 if (c->ostate == CHAN_OUTPUT_OPEN || 1214 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) { 1215 if (sshbuf_len(c->output) > 0) 1216 FD_SET(c->wfd, writeset); 1217 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) 1218 chan_obuf_empty(ssh, c); 1219 } 1220 } 1221 1222 /* try to decode a socks4 header */ 1223 static int 1224 channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output) 1225 { 1226 const u_char *p; 1227 char *host; 1228 u_int len, have, i, found, need; 1229 char username[256]; 1230 struct { 1231 u_int8_t version; 1232 u_int8_t command; 1233 u_int16_t dest_port; 1234 struct in_addr dest_addr; 1235 } s4_req, s4_rsp; 1236 int r; 1237 1238 debug2("channel %d: decode socks4", c->self); 1239 1240 have = sshbuf_len(input); 1241 len = sizeof(s4_req); 1242 if (have < len) 1243 return 0; 1244 p = sshbuf_ptr(input); 1245 1246 need = 1; 1247 /* SOCKS4A uses an invalid IP address 0.0.0.x */ 1248 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) { 1249 debug2("channel %d: socks4a request", c->self); 1250 /* ... and needs an extra string (the hostname) */ 1251 need = 2; 1252 } 1253 /* Check for terminating NUL on the string(s) */ 1254 for (found = 0, i = len; i < have; i++) { 1255 if (p[i] == '\0') { 1256 found++; 1257 if (found == need) 1258 break; 1259 } 1260 if (i > 1024) { 1261 /* the peer is probably sending garbage */ 1262 debug("channel %d: decode socks4: too long", 1263 c->self); 1264 return -1; 1265 } 1266 } 1267 if (found < need) 1268 return 0; 1269 if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 || 1270 (r = sshbuf_get(input, &s4_req.command, 1)) != 0 || 1271 (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 || 1272 (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) { 1273 debug("channels %d: decode socks4: %s", c->self, ssh_err(r)); 1274 return -1; 1275 } 1276 have = sshbuf_len(input); 1277 p = sshbuf_ptr(input); 1278 if (memchr(p, '\0', have) == NULL) { 1279 error("channel %d: decode socks4: user not nul terminated", 1280 c->self); 1281 return -1; 1282 } 1283 len = strlen(p); 1284 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len); 1285 len++; /* trailing '\0' */ 1286 strlcpy(username, p, sizeof(username)); 1287 if ((r = sshbuf_consume(input, len)) != 0) { 1288 fatal("%s: channel %d: consume: %s", __func__, 1289 c->self, ssh_err(r)); 1290 } 1291 free(c->path); 1292 c->path = NULL; 1293 if (need == 1) { /* SOCKS4: one string */ 1294 host = inet_ntoa(s4_req.dest_addr); 1295 c->path = xstrdup(host); 1296 } else { /* SOCKS4A: two strings */ 1297 have = sshbuf_len(input); 1298 p = sshbuf_ptr(input); 1299 if (memchr(p, '\0', have) == NULL) { 1300 error("channel %d: decode socks4a: host not nul " 1301 "terminated", c->self); 1302 return -1; 1303 } 1304 len = strlen(p); 1305 debug2("channel %d: decode socks4a: host %s/%d", 1306 c->self, p, len); 1307 len++; /* trailing '\0' */ 1308 if (len > NI_MAXHOST) { 1309 error("channel %d: hostname \"%.100s\" too long", 1310 c->self, p); 1311 return -1; 1312 } 1313 c->path = xstrdup(p); 1314 if ((r = sshbuf_consume(input, len)) != 0) { 1315 fatal("%s: channel %d: consume: %s", __func__, 1316 c->self, ssh_err(r)); 1317 } 1318 } 1319 c->host_port = ntohs(s4_req.dest_port); 1320 1321 debug2("channel %d: dynamic request: socks4 host %s port %u command %u", 1322 c->self, c->path, c->host_port, s4_req.command); 1323 1324 if (s4_req.command != 1) { 1325 debug("channel %d: cannot handle: %s cn %d", 1326 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command); 1327 return -1; 1328 } 1329 s4_rsp.version = 0; /* vn: 0 for reply */ 1330 s4_rsp.command = 90; /* cd: req granted */ 1331 s4_rsp.dest_port = 0; /* ignored */ 1332 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */ 1333 if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) { 1334 fatal("%s: channel %d: append reply: %s", __func__, 1335 c->self, ssh_err(r)); 1336 } 1337 return 1; 1338 } 1339 1340 /* try to decode a socks5 header */ 1341 #define SSH_SOCKS5_AUTHDONE 0x1000 1342 #define SSH_SOCKS5_NOAUTH 0x00 1343 #define SSH_SOCKS5_IPV4 0x01 1344 #define SSH_SOCKS5_DOMAIN 0x03 1345 #define SSH_SOCKS5_IPV6 0x04 1346 #define SSH_SOCKS5_CONNECT 0x01 1347 #define SSH_SOCKS5_SUCCESS 0x00 1348 1349 static int 1350 channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output) 1351 { 1352 /* XXX use get/put_u8 instead of trusting struct padding */ 1353 struct { 1354 u_int8_t version; 1355 u_int8_t command; 1356 u_int8_t reserved; 1357 u_int8_t atyp; 1358 } s5_req, s5_rsp; 1359 u_int16_t dest_port; 1360 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN]; 1361 const u_char *p; 1362 u_int have, need, i, found, nmethods, addrlen, af; 1363 int r; 1364 1365 debug2("channel %d: decode socks5", c->self); 1366 p = sshbuf_ptr(input); 1367 if (p[0] != 0x05) 1368 return -1; 1369 have = sshbuf_len(input); 1370 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) { 1371 /* format: ver | nmethods | methods */ 1372 if (have < 2) 1373 return 0; 1374 nmethods = p[1]; 1375 if (have < nmethods + 2) 1376 return 0; 1377 /* look for method: "NO AUTHENTICATION REQUIRED" */ 1378 for (found = 0, i = 2; i < nmethods + 2; i++) { 1379 if (p[i] == SSH_SOCKS5_NOAUTH) { 1380 found = 1; 1381 break; 1382 } 1383 } 1384 if (!found) { 1385 debug("channel %d: method SSH_SOCKS5_NOAUTH not found", 1386 c->self); 1387 return -1; 1388 } 1389 if ((r = sshbuf_consume(input, nmethods + 2)) != 0) { 1390 fatal("%s: channel %d: consume: %s", __func__, 1391 c->self, ssh_err(r)); 1392 } 1393 /* version, method */ 1394 if ((r = sshbuf_put_u8(output, 0x05)) != 0 || 1395 (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0) { 1396 fatal("%s: channel %d: append reply: %s", __func__, 1397 c->self, ssh_err(r)); 1398 } 1399 c->flags |= SSH_SOCKS5_AUTHDONE; 1400 debug2("channel %d: socks5 auth done", c->self); 1401 return 0; /* need more */ 1402 } 1403 debug2("channel %d: socks5 post auth", c->self); 1404 if (have < sizeof(s5_req)+1) 1405 return 0; /* need more */ 1406 memcpy(&s5_req, p, sizeof(s5_req)); 1407 if (s5_req.version != 0x05 || 1408 s5_req.command != SSH_SOCKS5_CONNECT || 1409 s5_req.reserved != 0x00) { 1410 debug2("channel %d: only socks5 connect supported", c->self); 1411 return -1; 1412 } 1413 switch (s5_req.atyp){ 1414 case SSH_SOCKS5_IPV4: 1415 addrlen = 4; 1416 af = AF_INET; 1417 break; 1418 case SSH_SOCKS5_DOMAIN: 1419 addrlen = p[sizeof(s5_req)]; 1420 af = -1; 1421 break; 1422 case SSH_SOCKS5_IPV6: 1423 addrlen = 16; 1424 af = AF_INET6; 1425 break; 1426 default: 1427 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp); 1428 return -1; 1429 } 1430 need = sizeof(s5_req) + addrlen + 2; 1431 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) 1432 need++; 1433 if (have < need) 1434 return 0; 1435 if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) { 1436 fatal("%s: channel %d: consume: %s", __func__, 1437 c->self, ssh_err(r)); 1438 } 1439 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1440 /* host string length */ 1441 if ((r = sshbuf_consume(input, 1)) != 0) { 1442 fatal("%s: channel %d: consume: %s", __func__, 1443 c->self, ssh_err(r)); 1444 } 1445 } 1446 if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 || 1447 (r = sshbuf_get(input, &dest_port, 2)) != 0) { 1448 debug("channel %d: parse addr/port: %s", c->self, ssh_err(r)); 1449 return -1; 1450 } 1451 dest_addr[addrlen] = '\0'; 1452 free(c->path); 1453 c->path = NULL; 1454 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) { 1455 if (addrlen >= NI_MAXHOST) { 1456 error("channel %d: dynamic request: socks5 hostname " 1457 "\"%.100s\" too long", c->self, dest_addr); 1458 return -1; 1459 } 1460 c->path = xstrdup(dest_addr); 1461 } else { 1462 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL) 1463 return -1; 1464 c->path = xstrdup(ntop); 1465 } 1466 c->host_port = ntohs(dest_port); 1467 1468 debug2("channel %d: dynamic request: socks5 host %s port %u command %u", 1469 c->self, c->path, c->host_port, s5_req.command); 1470 1471 s5_rsp.version = 0x05; 1472 s5_rsp.command = SSH_SOCKS5_SUCCESS; 1473 s5_rsp.reserved = 0; /* ignored */ 1474 s5_rsp.atyp = SSH_SOCKS5_IPV4; 1475 dest_port = 0; /* ignored */ 1476 1477 if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 || 1478 (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 || 1479 (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0) 1480 fatal("%s: channel %d: append reply: %s", __func__, 1481 c->self, ssh_err(r)); 1482 return 1; 1483 } 1484 1485 Channel * 1486 channel_connect_stdio_fwd(struct ssh *ssh, 1487 const char *host_to_connect, u_short port_to_connect, int in, int out) 1488 { 1489 Channel *c; 1490 1491 debug("%s %s:%d", __func__, host_to_connect, port_to_connect); 1492 1493 c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out, 1494 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1495 0, "stdio-forward", /*nonblock*/0); 1496 1497 c->path = xstrdup(host_to_connect); 1498 c->host_port = port_to_connect; 1499 c->listening_port = 0; 1500 c->force_drain = 1; 1501 1502 channel_register_fds(ssh, c, in, out, -1, 0, 1, 0); 1503 port_open_helper(ssh, c, "direct-tcpip"); 1504 1505 return c; 1506 } 1507 1508 /* dynamic port forwarding */ 1509 static void 1510 channel_pre_dynamic(struct ssh *ssh, Channel *c, 1511 fd_set *readset, fd_set *writeset) 1512 { 1513 const u_char *p; 1514 u_int have; 1515 int ret; 1516 1517 have = sshbuf_len(c->input); 1518 debug2("channel %d: pre_dynamic: have %d", c->self, have); 1519 /* sshbuf_dump(c->input, stderr); */ 1520 /* check if the fixed size part of the packet is in buffer. */ 1521 if (have < 3) { 1522 /* need more */ 1523 FD_SET(c->sock, readset); 1524 return; 1525 } 1526 /* try to guess the protocol */ 1527 p = sshbuf_ptr(c->input); 1528 /* XXX sshbuf_peek_u8? */ 1529 switch (p[0]) { 1530 case 0x04: 1531 ret = channel_decode_socks4(c, c->input, c->output); 1532 break; 1533 case 0x05: 1534 ret = channel_decode_socks5(c, c->input, c->output); 1535 break; 1536 default: 1537 ret = -1; 1538 break; 1539 } 1540 if (ret < 0) { 1541 chan_mark_dead(ssh, c); 1542 } else if (ret == 0) { 1543 debug2("channel %d: pre_dynamic: need more", c->self); 1544 /* need more */ 1545 FD_SET(c->sock, readset); 1546 if (sshbuf_len(c->output)) 1547 FD_SET(c->sock, writeset); 1548 } else { 1549 /* switch to the next state */ 1550 c->type = SSH_CHANNEL_OPENING; 1551 port_open_helper(ssh, c, "direct-tcpip"); 1552 } 1553 } 1554 1555 /* simulate read-error */ 1556 static void 1557 rdynamic_close(struct ssh *ssh, Channel *c) 1558 { 1559 c->type = SSH_CHANNEL_OPEN; 1560 chan_read_failed(ssh, c); 1561 sshbuf_reset(c->input); 1562 chan_ibuf_empty(ssh, c); 1563 sshbuf_reset(c->output); 1564 chan_write_failed(ssh, c); 1565 } 1566 1567 /* reverse dynamic port forwarding */ 1568 static void 1569 channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c) 1570 { 1571 const u_char *p; 1572 u_int have, len; 1573 int r, ret; 1574 1575 have = sshbuf_len(c->output); 1576 debug2("channel %d: pre_rdynamic: have %d", c->self, have); 1577 /* sshbuf_dump(c->output, stderr); */ 1578 /* EOF received */ 1579 if (c->flags & CHAN_EOF_RCVD) { 1580 if ((r = sshbuf_consume(c->output, have)) != 0) { 1581 fatal("%s: channel %d: consume: %s", 1582 __func__, c->self, ssh_err(r)); 1583 } 1584 rdynamic_close(ssh, c); 1585 return; 1586 } 1587 /* check if the fixed size part of the packet is in buffer. */ 1588 if (have < 3) 1589 return; 1590 /* try to guess the protocol */ 1591 p = sshbuf_ptr(c->output); 1592 switch (p[0]) { 1593 case 0x04: 1594 /* switch input/output for reverse forwarding */ 1595 ret = channel_decode_socks4(c, c->output, c->input); 1596 break; 1597 case 0x05: 1598 ret = channel_decode_socks5(c, c->output, c->input); 1599 break; 1600 default: 1601 ret = -1; 1602 break; 1603 } 1604 if (ret < 0) { 1605 rdynamic_close(ssh, c); 1606 } else if (ret == 0) { 1607 debug2("channel %d: pre_rdynamic: need more", c->self); 1608 /* send socks request to peer */ 1609 len = sshbuf_len(c->input); 1610 if (len > 0 && len < c->remote_window) { 1611 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 1612 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1613 (r = sshpkt_put_stringb(ssh, c->input)) != 0 || 1614 (r = sshpkt_send(ssh)) != 0) { 1615 fatal("%s: channel %i: rdynamic: %s", __func__, 1616 c->self, ssh_err(r)); 1617 } 1618 if ((r = sshbuf_consume(c->input, len)) != 0) { 1619 fatal("%s: channel %d: consume: %s", 1620 __func__, c->self, ssh_err(r)); 1621 } 1622 c->remote_window -= len; 1623 } 1624 } else if (rdynamic_connect_finish(ssh, c) < 0) { 1625 /* the connect failed */ 1626 rdynamic_close(ssh, c); 1627 } 1628 } 1629 1630 /* This is our fake X11 server socket. */ 1631 static void 1632 channel_post_x11_listener(struct ssh *ssh, Channel *c, 1633 fd_set *readset, fd_set *writeset) 1634 { 1635 Channel *nc; 1636 struct sockaddr_storage addr; 1637 int r, newsock, oerrno, remote_port; 1638 socklen_t addrlen; 1639 char buf[16384], *remote_ipaddr; 1640 1641 if (!FD_ISSET(c->sock, readset)) 1642 return; 1643 1644 debug("X11 connection requested."); 1645 addrlen = sizeof(addr); 1646 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1647 if (c->single_connection) { 1648 oerrno = errno; 1649 debug2("single_connection: closing X11 listener."); 1650 channel_close_fd(ssh, &c->sock); 1651 chan_mark_dead(ssh, c); 1652 errno = oerrno; 1653 } 1654 if (newsock < 0) { 1655 if (errno != EINTR && errno != EWOULDBLOCK && 1656 errno != ECONNABORTED) 1657 error("accept: %.100s", strerror(errno)); 1658 if (errno == EMFILE || errno == ENFILE) 1659 c->notbefore = monotime() + 1; 1660 return; 1661 } 1662 set_nodelay(newsock); 1663 remote_ipaddr = get_peer_ipaddr(newsock); 1664 remote_port = get_peer_port(newsock); 1665 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d", 1666 remote_ipaddr, remote_port); 1667 1668 nc = channel_new(ssh, "accepted x11 socket", 1669 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1670 c->local_window_max, c->local_maxpacket, 0, buf, 1); 1671 open_preamble(ssh, __func__, nc, "x11"); 1672 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || 1673 (r = sshpkt_put_u32(ssh, remote_port)) != 0) { 1674 fatal("%s: channel %i: reply %s", __func__, 1675 c->self, ssh_err(r)); 1676 } 1677 if ((r = sshpkt_send(ssh)) != 0) 1678 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r)); 1679 free(remote_ipaddr); 1680 } 1681 1682 static void 1683 port_open_helper(struct ssh *ssh, Channel *c, char *rtype) 1684 { 1685 char *local_ipaddr = get_local_ipaddr(c->sock); 1686 int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock); 1687 char *remote_ipaddr = get_peer_ipaddr(c->sock); 1688 int remote_port = get_peer_port(c->sock); 1689 int r; 1690 1691 if (remote_port == -1) { 1692 /* Fake addr/port to appease peers that validate it (Tectia) */ 1693 free(remote_ipaddr); 1694 remote_ipaddr = xstrdup("127.0.0.1"); 1695 remote_port = 65535; 1696 } 1697 1698 free(c->remote_name); 1699 xasprintf(&c->remote_name, 1700 "%s: listening port %d for %.100s port %d, " 1701 "connect from %.200s port %d to %.100s port %d", 1702 rtype, c->listening_port, c->path, c->host_port, 1703 remote_ipaddr, remote_port, local_ipaddr, local_port); 1704 1705 open_preamble(ssh, __func__, c, rtype); 1706 if (strcmp(rtype, "direct-tcpip") == 0) { 1707 /* target host, port */ 1708 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || 1709 (r = sshpkt_put_u32(ssh, c->host_port)) != 0) { 1710 fatal("%s: channel %i: reply %s", __func__, 1711 c->self, ssh_err(r)); 1712 } 1713 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) { 1714 /* target path */ 1715 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) { 1716 fatal("%s: channel %i: reply %s", __func__, 1717 c->self, ssh_err(r)); 1718 } 1719 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1720 /* listen path */ 1721 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) { 1722 fatal("%s: channel %i: reply %s", __func__, 1723 c->self, ssh_err(r)); 1724 } 1725 } else { 1726 /* listen address, port */ 1727 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 || 1728 (r = sshpkt_put_u32(ssh, local_port)) != 0) { 1729 fatal("%s: channel %i: reply %s", __func__, 1730 c->self, ssh_err(r)); 1731 } 1732 } 1733 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) { 1734 /* reserved for future owner/mode info */ 1735 if ((r = sshpkt_put_cstring(ssh, "")) != 0) { 1736 fatal("%s: channel %i: reply %s", __func__, 1737 c->self, ssh_err(r)); 1738 } 1739 } else { 1740 /* originator host and port */ 1741 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 || 1742 (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) { 1743 fatal("%s: channel %i: reply %s", __func__, 1744 c->self, ssh_err(r)); 1745 } 1746 } 1747 if ((r = sshpkt_send(ssh)) != 0) 1748 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r)); 1749 free(remote_ipaddr); 1750 free(local_ipaddr); 1751 } 1752 1753 void 1754 channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time) 1755 { 1756 ssh->chanctxt->x11_refuse_time = refuse_time; 1757 } 1758 1759 /* 1760 * This socket is listening for connections to a forwarded TCP/IP port. 1761 */ 1762 static void 1763 channel_post_port_listener(struct ssh *ssh, Channel *c, 1764 fd_set *readset, fd_set *writeset) 1765 { 1766 Channel *nc; 1767 struct sockaddr_storage addr; 1768 int newsock, nextstate; 1769 socklen_t addrlen; 1770 char *rtype; 1771 1772 if (!FD_ISSET(c->sock, readset)) 1773 return; 1774 1775 debug("Connection to port %d forwarding to %.100s port %d requested.", 1776 c->listening_port, c->path, c->host_port); 1777 1778 if (c->type == SSH_CHANNEL_RPORT_LISTENER) { 1779 nextstate = SSH_CHANNEL_OPENING; 1780 rtype = "forwarded-tcpip"; 1781 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) { 1782 nextstate = SSH_CHANNEL_OPENING; 1783 rtype = "forwarded-streamlocal@openssh.com"; 1784 } else if (c->host_port == PORT_STREAMLOCAL) { 1785 nextstate = SSH_CHANNEL_OPENING; 1786 rtype = "direct-streamlocal@openssh.com"; 1787 } else if (c->host_port == 0) { 1788 nextstate = SSH_CHANNEL_DYNAMIC; 1789 rtype = "dynamic-tcpip"; 1790 } else { 1791 nextstate = SSH_CHANNEL_OPENING; 1792 rtype = "direct-tcpip"; 1793 } 1794 1795 addrlen = sizeof(addr); 1796 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1797 if (newsock < 0) { 1798 if (errno != EINTR && errno != EWOULDBLOCK && 1799 errno != ECONNABORTED) 1800 error("accept: %.100s", strerror(errno)); 1801 if (errno == EMFILE || errno == ENFILE) 1802 c->notbefore = monotime() + 1; 1803 return; 1804 } 1805 if (c->host_port != PORT_STREAMLOCAL) 1806 set_nodelay(newsock); 1807 nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1, 1808 c->local_window_max, c->local_maxpacket, 0, rtype, 1); 1809 nc->listening_port = c->listening_port; 1810 nc->host_port = c->host_port; 1811 if (c->path != NULL) 1812 nc->path = xstrdup(c->path); 1813 1814 if (nextstate != SSH_CHANNEL_DYNAMIC) 1815 port_open_helper(ssh, nc, rtype); 1816 } 1817 1818 /* 1819 * This is the authentication agent socket listening for connections from 1820 * clients. 1821 */ 1822 static void 1823 channel_post_auth_listener(struct ssh *ssh, Channel *c, 1824 fd_set *readset, fd_set *writeset) 1825 { 1826 Channel *nc; 1827 int r, newsock; 1828 struct sockaddr_storage addr; 1829 socklen_t addrlen; 1830 1831 if (!FD_ISSET(c->sock, readset)) 1832 return; 1833 1834 addrlen = sizeof(addr); 1835 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen); 1836 if (newsock < 0) { 1837 error("accept from auth socket: %.100s", strerror(errno)); 1838 if (errno == EMFILE || errno == ENFILE) 1839 c->notbefore = monotime() + 1; 1840 return; 1841 } 1842 nc = channel_new(ssh, "accepted auth socket", 1843 SSH_CHANNEL_OPENING, newsock, newsock, -1, 1844 c->local_window_max, c->local_maxpacket, 1845 0, "accepted auth socket", 1); 1846 open_preamble(ssh, __func__, nc, "auth-agent@openssh.com"); 1847 if ((r = sshpkt_send(ssh)) != 0) 1848 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r)); 1849 } 1850 1851 static void 1852 channel_post_connecting(struct ssh *ssh, Channel *c, 1853 fd_set *readset, fd_set *writeset) 1854 { 1855 int err = 0, sock, isopen, r; 1856 socklen_t sz = sizeof(err); 1857 1858 if (!FD_ISSET(c->sock, writeset)) 1859 return; 1860 if (!c->have_remote_id) 1861 fatal(":%s: channel %d: no remote id", __func__, c->self); 1862 /* for rdynamic the OPEN_CONFIRMATION has been sent already */ 1863 isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH); 1864 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) { 1865 err = errno; 1866 error("getsockopt SO_ERROR failed"); 1867 } 1868 if (err == 0) { 1869 debug("channel %d: connected to %s port %d", 1870 c->self, c->connect_ctx.host, c->connect_ctx.port); 1871 channel_connect_ctx_free(&c->connect_ctx); 1872 c->type = SSH_CHANNEL_OPEN; 1873 if (isopen) { 1874 /* no message necessary */ 1875 } else { 1876 if ((r = sshpkt_start(ssh, 1877 SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || 1878 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1879 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 1880 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 1881 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) 1882 != 0) 1883 fatal("%s: channel %i: confirm: %s", __func__, 1884 c->self, ssh_err(r)); 1885 if ((r = sshpkt_send(ssh)) != 0) 1886 fatal("%s: channel %i: %s", __func__, c->self, 1887 ssh_err(r)); 1888 } 1889 } else { 1890 debug("channel %d: connection failed: %s", 1891 c->self, strerror(err)); 1892 /* Try next address, if any */ 1893 if ((sock = connect_next(&c->connect_ctx)) > 0) { 1894 close(c->sock); 1895 c->sock = c->rfd = c->wfd = sock; 1896 channel_find_maxfd(ssh->chanctxt); 1897 return; 1898 } 1899 /* Exhausted all addresses */ 1900 error("connect_to %.100s port %d: failed.", 1901 c->connect_ctx.host, c->connect_ctx.port); 1902 channel_connect_ctx_free(&c->connect_ctx); 1903 if (isopen) { 1904 rdynamic_close(ssh, c); 1905 } else { 1906 if ((r = sshpkt_start(ssh, 1907 SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 || 1908 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 1909 (r = sshpkt_put_u32(ssh, 1910 SSH2_OPEN_CONNECT_FAILED)) != 0 || 1911 (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 || 1912 (r = sshpkt_put_cstring(ssh, "")) != 0) { 1913 fatal("%s: channel %i: failure: %s", __func__, 1914 c->self, ssh_err(r)); 1915 } 1916 if ((r = sshpkt_send(ssh)) != 0) 1917 fatal("%s: channel %i: %s", __func__, c->self, 1918 ssh_err(r)); 1919 chan_mark_dead(ssh, c); 1920 } 1921 } 1922 } 1923 1924 static int 1925 channel_handle_rfd(struct ssh *ssh, Channel *c, 1926 fd_set *readset, fd_set *writeset) 1927 { 1928 char buf[CHAN_RBUF]; 1929 ssize_t len; 1930 int r, force; 1931 1932 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 1933 1934 if (c->rfd == -1 || (!force && !FD_ISSET(c->rfd, readset))) 1935 return 1; 1936 1937 errno = 0; 1938 len = read(c->rfd, buf, sizeof(buf)); 1939 if (len < 0 && (errno == EINTR || 1940 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force))) 1941 return 1; 1942 #ifndef PTY_ZEROREAD 1943 if (len <= 0) { 1944 #else 1945 if ((!c->isatty && len <= 0) || 1946 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) { 1947 #endif 1948 debug2("channel %d: read<=0 rfd %d len %zd", 1949 c->self, c->rfd, len); 1950 if (c->type != SSH_CHANNEL_OPEN) { 1951 debug2("channel %d: not open", c->self); 1952 chan_mark_dead(ssh, c); 1953 return -1; 1954 } else { 1955 chan_read_failed(ssh, c); 1956 } 1957 return -1; 1958 } 1959 if (c->input_filter != NULL) { 1960 if (c->input_filter(ssh, c, buf, len) == -1) { 1961 debug2("channel %d: filter stops", c->self); 1962 chan_read_failed(ssh, c); 1963 } 1964 } else if (c->datagram) { 1965 if ((r = sshbuf_put_string(c->input, buf, len)) != 0) 1966 fatal("%s: channel %d: put datagram: %s", __func__, 1967 c->self, ssh_err(r)); 1968 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) { 1969 fatal("%s: channel %d: put data: %s", __func__, 1970 c->self, ssh_err(r)); 1971 } 1972 return 1; 1973 } 1974 1975 static int 1976 channel_handle_wfd(struct ssh *ssh, Channel *c, 1977 fd_set *readset, fd_set *writeset) 1978 { 1979 struct termios tio; 1980 u_char *data = NULL, *buf; /* XXX const; need filter API change */ 1981 size_t dlen, olen = 0; 1982 int r, len; 1983 1984 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) || 1985 sshbuf_len(c->output) == 0) 1986 return 1; 1987 1988 /* Send buffered output data to the socket. */ 1989 olen = sshbuf_len(c->output); 1990 if (c->output_filter != NULL) { 1991 if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) { 1992 debug2("channel %d: filter stops", c->self); 1993 if (c->type != SSH_CHANNEL_OPEN) 1994 chan_mark_dead(ssh, c); 1995 else 1996 chan_write_failed(ssh, c); 1997 return -1; 1998 } 1999 } else if (c->datagram) { 2000 if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0) 2001 fatal("%s: channel %d: get datagram: %s", __func__, 2002 c->self, ssh_err(r)); 2003 buf = data; 2004 } else { 2005 buf = data = sshbuf_mutable_ptr(c->output); 2006 dlen = sshbuf_len(c->output); 2007 } 2008 2009 if (c->datagram) { 2010 /* ignore truncated writes, datagrams might get lost */ 2011 len = write(c->wfd, buf, dlen); 2012 free(data); 2013 if (len < 0 && (errno == EINTR || errno == EAGAIN || 2014 errno == EWOULDBLOCK)) 2015 return 1; 2016 if (len <= 0) 2017 goto write_fail; 2018 goto out; 2019 } 2020 2021 #ifdef _AIX 2022 /* XXX: Later AIX versions can't push as much data to tty */ 2023 if (c->wfd_isatty) 2024 dlen = MIN(dlen, 8*1024); 2025 #endif 2026 2027 len = write(c->wfd, buf, dlen); 2028 if (len < 0 && 2029 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)) 2030 return 1; 2031 if (len <= 0) { 2032 write_fail: 2033 if (c->type != SSH_CHANNEL_OPEN) { 2034 debug2("channel %d: not open", c->self); 2035 chan_mark_dead(ssh, c); 2036 return -1; 2037 } else { 2038 chan_write_failed(ssh, c); 2039 } 2040 return -1; 2041 } 2042 #ifndef BROKEN_TCGETATTR_ICANON 2043 if (c->isatty && dlen >= 1 && buf[0] != '\r') { 2044 if (tcgetattr(c->wfd, &tio) == 0 && 2045 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) { 2046 /* 2047 * Simulate echo to reduce the impact of 2048 * traffic analysis. We need to match the 2049 * size of a SSH2_MSG_CHANNEL_DATA message 2050 * (4 byte channel id + buf) 2051 */ 2052 if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 || 2053 (r = sshpkt_send(ssh)) != 0) 2054 fatal("%s: channel %d: ignore: %s", 2055 __func__, c->self, ssh_err(r)); 2056 } 2057 } 2058 #endif /* BROKEN_TCGETATTR_ICANON */ 2059 if ((r = sshbuf_consume(c->output, len)) != 0) { 2060 fatal("%s: channel %d: consume: %s", 2061 __func__, c->self, ssh_err(r)); 2062 } 2063 out: 2064 c->local_consumed += olen - sshbuf_len(c->output); 2065 2066 return 1; 2067 } 2068 2069 static int 2070 channel_handle_efd_write(struct ssh *ssh, Channel *c, 2071 fd_set *readset, fd_set *writeset) 2072 { 2073 int r; 2074 ssize_t len; 2075 2076 if (!FD_ISSET(c->efd, writeset) || sshbuf_len(c->extended) == 0) 2077 return 1; 2078 2079 len = write(c->efd, sshbuf_ptr(c->extended), 2080 sshbuf_len(c->extended)); 2081 debug2("channel %d: written %zd to efd %d", c->self, len, c->efd); 2082 if (len < 0 && (errno == EINTR || errno == EAGAIN || 2083 errno == EWOULDBLOCK)) 2084 return 1; 2085 if (len <= 0) { 2086 debug2("channel %d: closing write-efd %d", c->self, c->efd); 2087 channel_close_fd(ssh, &c->efd); 2088 } else { 2089 if ((r = sshbuf_consume(c->extended, len)) != 0) { 2090 fatal("%s: channel %d: consume: %s", 2091 __func__, c->self, ssh_err(r)); 2092 } 2093 c->local_consumed += len; 2094 } 2095 return 1; 2096 } 2097 2098 static int 2099 channel_handle_efd_read(struct ssh *ssh, Channel *c, 2100 fd_set *readset, fd_set *writeset) 2101 { 2102 char buf[CHAN_RBUF]; 2103 ssize_t len; 2104 int r, force; 2105 2106 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED; 2107 2108 if (c->efd == -1 || (!force && !FD_ISSET(c->efd, readset))) 2109 return 1; 2110 2111 len = read(c->efd, buf, sizeof(buf)); 2112 debug2("channel %d: read %zd from efd %d", c->self, len, c->efd); 2113 if (len < 0 && (errno == EINTR || ((errno == EAGAIN || 2114 errno == EWOULDBLOCK) && !force))) 2115 return 1; 2116 if (len <= 0) { 2117 debug2("channel %d: closing read-efd %d", 2118 c->self, c->efd); 2119 channel_close_fd(ssh, &c->efd); 2120 } else { 2121 if (c->extended_usage == CHAN_EXTENDED_IGNORE) { 2122 debug3("channel %d: discard efd", 2123 c->self); 2124 } else if ((r = sshbuf_put(c->extended, buf, len)) != 0) { 2125 fatal("%s: channel %d: append: %s", 2126 __func__, c->self, ssh_err(r)); 2127 } 2128 } 2129 return 1; 2130 } 2131 2132 static int 2133 channel_handle_efd(struct ssh *ssh, Channel *c, 2134 fd_set *readset, fd_set *writeset) 2135 { 2136 if (c->efd == -1) 2137 return 1; 2138 2139 /** XXX handle drain efd, too */ 2140 2141 if (c->extended_usage == CHAN_EXTENDED_WRITE) 2142 return channel_handle_efd_write(ssh, c, readset, writeset); 2143 else if (c->extended_usage == CHAN_EXTENDED_READ || 2144 c->extended_usage == CHAN_EXTENDED_IGNORE) 2145 return channel_handle_efd_read(ssh, c, readset, writeset); 2146 2147 return 1; 2148 } 2149 2150 static int 2151 channel_check_window(struct ssh *ssh, Channel *c) 2152 { 2153 int r; 2154 2155 if (c->type == SSH_CHANNEL_OPEN && 2156 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) && 2157 ((c->local_window_max - c->local_window > 2158 c->local_maxpacket*3) || 2159 c->local_window < c->local_window_max/2) && 2160 c->local_consumed > 0) { 2161 if (!c->have_remote_id) 2162 fatal(":%s: channel %d: no remote id", 2163 __func__, c->self); 2164 if ((r = sshpkt_start(ssh, 2165 SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 || 2166 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2167 (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 || 2168 (r = sshpkt_send(ssh)) != 0) { 2169 fatal("%s: channel %i: %s", __func__, 2170 c->self, ssh_err(r)); 2171 } 2172 debug2("channel %d: window %d sent adjust %d", 2173 c->self, c->local_window, 2174 c->local_consumed); 2175 c->local_window += c->local_consumed; 2176 c->local_consumed = 0; 2177 } 2178 return 1; 2179 } 2180 2181 static void 2182 channel_post_open(struct ssh *ssh, Channel *c, 2183 fd_set *readset, fd_set *writeset) 2184 { 2185 channel_handle_rfd(ssh, c, readset, writeset); 2186 channel_handle_wfd(ssh, c, readset, writeset); 2187 channel_handle_efd(ssh, c, readset, writeset); 2188 channel_check_window(ssh, c); 2189 } 2190 2191 static u_int 2192 read_mux(struct ssh *ssh, Channel *c, u_int need) 2193 { 2194 char buf[CHAN_RBUF]; 2195 ssize_t len; 2196 u_int rlen; 2197 int r; 2198 2199 if (sshbuf_len(c->input) < need) { 2200 rlen = need - sshbuf_len(c->input); 2201 len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF)); 2202 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 2203 return sshbuf_len(c->input); 2204 if (len <= 0) { 2205 debug2("channel %d: ctl read<=0 rfd %d len %zd", 2206 c->self, c->rfd, len); 2207 chan_read_failed(ssh, c); 2208 return 0; 2209 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) { 2210 fatal("%s: channel %d: append: %s", 2211 __func__, c->self, ssh_err(r)); 2212 } 2213 } 2214 return sshbuf_len(c->input); 2215 } 2216 2217 static void 2218 channel_post_mux_client_read(struct ssh *ssh, Channel *c, 2219 fd_set *readset, fd_set *writeset) 2220 { 2221 u_int need; 2222 2223 if (c->rfd == -1 || !FD_ISSET(c->rfd, readset)) 2224 return; 2225 if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN) 2226 return; 2227 if (c->mux_pause) 2228 return; 2229 2230 /* 2231 * Don't not read past the precise end of packets to 2232 * avoid disrupting fd passing. 2233 */ 2234 if (read_mux(ssh, c, 4) < 4) /* read header */ 2235 return; 2236 /* XXX sshbuf_peek_u32 */ 2237 need = PEEK_U32(sshbuf_ptr(c->input)); 2238 #define CHANNEL_MUX_MAX_PACKET (256 * 1024) 2239 if (need > CHANNEL_MUX_MAX_PACKET) { 2240 debug2("channel %d: packet too big %u > %u", 2241 c->self, CHANNEL_MUX_MAX_PACKET, need); 2242 chan_rcvd_oclose(ssh, c); 2243 return; 2244 } 2245 if (read_mux(ssh, c, need + 4) < need + 4) /* read body */ 2246 return; 2247 if (c->mux_rcb(ssh, c) != 0) { 2248 debug("channel %d: mux_rcb failed", c->self); 2249 chan_mark_dead(ssh, c); 2250 return; 2251 } 2252 } 2253 2254 static void 2255 channel_post_mux_client_write(struct ssh *ssh, Channel *c, 2256 fd_set *readset, fd_set *writeset) 2257 { 2258 ssize_t len; 2259 int r; 2260 2261 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) || 2262 sshbuf_len(c->output) == 0) 2263 return; 2264 2265 len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output)); 2266 if (len < 0 && (errno == EINTR || errno == EAGAIN)) 2267 return; 2268 if (len <= 0) { 2269 chan_mark_dead(ssh, c); 2270 return; 2271 } 2272 if ((r = sshbuf_consume(c->output, len)) != 0) 2273 fatal("%s: channel %d: consume: %s", __func__, 2274 c->self, ssh_err(r)); 2275 } 2276 2277 static void 2278 channel_post_mux_client(struct ssh *ssh, Channel *c, 2279 fd_set *readset, fd_set *writeset) 2280 { 2281 channel_post_mux_client_read(ssh, c, readset, writeset); 2282 channel_post_mux_client_write(ssh, c, readset, writeset); 2283 } 2284 2285 static void 2286 channel_post_mux_listener(struct ssh *ssh, Channel *c, 2287 fd_set *readset, fd_set *writeset) 2288 { 2289 Channel *nc; 2290 struct sockaddr_storage addr; 2291 socklen_t addrlen; 2292 int newsock; 2293 uid_t euid; 2294 gid_t egid; 2295 2296 if (!FD_ISSET(c->sock, readset)) 2297 return; 2298 2299 debug("multiplexing control connection"); 2300 2301 /* 2302 * Accept connection on control socket 2303 */ 2304 memset(&addr, 0, sizeof(addr)); 2305 addrlen = sizeof(addr); 2306 if ((newsock = accept(c->sock, (struct sockaddr*)&addr, 2307 &addrlen)) == -1) { 2308 error("%s accept: %s", __func__, strerror(errno)); 2309 if (errno == EMFILE || errno == ENFILE) 2310 c->notbefore = monotime() + 1; 2311 return; 2312 } 2313 2314 if (getpeereid(newsock, &euid, &egid) < 0) { 2315 error("%s getpeereid failed: %s", __func__, 2316 strerror(errno)); 2317 close(newsock); 2318 return; 2319 } 2320 if ((euid != 0) && (getuid() != euid)) { 2321 error("multiplex uid mismatch: peer euid %u != uid %u", 2322 (u_int)euid, (u_int)getuid()); 2323 close(newsock); 2324 return; 2325 } 2326 nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT, 2327 newsock, newsock, -1, c->local_window_max, 2328 c->local_maxpacket, 0, "mux-control", 1); 2329 nc->mux_rcb = c->mux_rcb; 2330 debug3("%s: new mux channel %d fd %d", __func__, nc->self, nc->sock); 2331 /* establish state */ 2332 nc->mux_rcb(ssh, nc); 2333 /* mux state transitions must not elicit protocol messages */ 2334 nc->flags |= CHAN_LOCAL; 2335 } 2336 2337 static void 2338 channel_handler_init(struct ssh_channels *sc) 2339 { 2340 chan_fn **pre, **post; 2341 2342 if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL || 2343 (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL) 2344 fatal("%s: allocation failed", __func__); 2345 2346 pre[SSH_CHANNEL_OPEN] = &channel_pre_open; 2347 pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; 2348 pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; 2349 pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener; 2350 pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener; 2351 pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener; 2352 pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; 2353 pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener; 2354 pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting; 2355 pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic; 2356 pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting; 2357 pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener; 2358 pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client; 2359 2360 post[SSH_CHANNEL_OPEN] = &channel_post_open; 2361 post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; 2362 post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener; 2363 post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener; 2364 post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener; 2365 post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; 2366 post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener; 2367 post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting; 2368 post[SSH_CHANNEL_DYNAMIC] = &channel_post_open; 2369 post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting; 2370 post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener; 2371 post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client; 2372 2373 sc->channel_pre = pre; 2374 sc->channel_post = post; 2375 } 2376 2377 /* gc dead channels */ 2378 static void 2379 channel_garbage_collect(struct ssh *ssh, Channel *c) 2380 { 2381 if (c == NULL) 2382 return; 2383 if (c->detach_user != NULL) { 2384 if (!chan_is_dead(ssh, c, c->detach_close)) 2385 return; 2386 2387 debug2("channel %d: gc: notify user", c->self); 2388 c->detach_user(ssh, c->self, NULL); 2389 /* if we still have a callback */ 2390 if (c->detach_user != NULL) 2391 return; 2392 debug2("channel %d: gc: user detached", c->self); 2393 } 2394 if (!chan_is_dead(ssh, c, 1)) 2395 return; 2396 debug2("channel %d: garbage collecting", c->self); 2397 channel_free(ssh, c); 2398 } 2399 2400 enum channel_table { CHAN_PRE, CHAN_POST }; 2401 2402 static void 2403 channel_handler(struct ssh *ssh, int table, 2404 fd_set *readset, fd_set *writeset, time_t *unpause_secs) 2405 { 2406 struct ssh_channels *sc = ssh->chanctxt; 2407 chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post; 2408 u_int i, oalloc; 2409 Channel *c; 2410 time_t now; 2411 2412 now = monotime(); 2413 if (unpause_secs != NULL) 2414 *unpause_secs = 0; 2415 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { 2416 c = sc->channels[i]; 2417 if (c == NULL) 2418 continue; 2419 if (c->delayed) { 2420 if (table == CHAN_PRE) 2421 c->delayed = 0; 2422 else 2423 continue; 2424 } 2425 if (ftab[c->type] != NULL) { 2426 /* 2427 * Run handlers that are not paused. 2428 */ 2429 if (c->notbefore <= now) 2430 (*ftab[c->type])(ssh, c, readset, writeset); 2431 else if (unpause_secs != NULL) { 2432 /* 2433 * Collect the time that the earliest 2434 * channel comes off pause. 2435 */ 2436 debug3("%s: chan %d: skip for %d more seconds", 2437 __func__, c->self, 2438 (int)(c->notbefore - now)); 2439 if (*unpause_secs == 0 || 2440 (c->notbefore - now) < *unpause_secs) 2441 *unpause_secs = c->notbefore - now; 2442 } 2443 } 2444 channel_garbage_collect(ssh, c); 2445 } 2446 if (unpause_secs != NULL && *unpause_secs != 0) 2447 debug3("%s: first channel unpauses in %d seconds", 2448 __func__, (int)*unpause_secs); 2449 } 2450 2451 /* 2452 * Create sockets before allocating the select bitmasks. 2453 * This is necessary for things that need to happen after reading 2454 * the network-input but before channel_prepare_select(). 2455 */ 2456 static void 2457 channel_before_prepare_select(struct ssh *ssh) 2458 { 2459 struct ssh_channels *sc = ssh->chanctxt; 2460 Channel *c; 2461 u_int i, oalloc; 2462 2463 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) { 2464 c = sc->channels[i]; 2465 if (c == NULL) 2466 continue; 2467 if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN) 2468 channel_before_prepare_select_rdynamic(ssh, c); 2469 } 2470 } 2471 2472 /* 2473 * Allocate/update select bitmasks and add any bits relevant to channels in 2474 * select bitmasks. 2475 */ 2476 void 2477 channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp, 2478 int *maxfdp, u_int *nallocp, time_t *minwait_secs) 2479 { 2480 u_int n, sz, nfdset; 2481 2482 channel_before_prepare_select(ssh); /* might update channel_max_fd */ 2483 2484 n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd); 2485 2486 nfdset = howmany(n+1, NFDBITS); 2487 /* Explicitly test here, because xrealloc isn't always called */ 2488 if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask)) 2489 fatal("channel_prepare_select: max_fd (%d) is too large", n); 2490 sz = nfdset * sizeof(fd_mask); 2491 2492 /* perhaps check sz < nalloc/2 and shrink? */ 2493 if (*readsetp == NULL || sz > *nallocp) { 2494 *readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask)); 2495 *writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask)); 2496 *nallocp = sz; 2497 } 2498 *maxfdp = n; 2499 memset(*readsetp, 0, sz); 2500 memset(*writesetp, 0, sz); 2501 2502 if (!ssh_packet_is_rekeying(ssh)) 2503 channel_handler(ssh, CHAN_PRE, *readsetp, *writesetp, 2504 minwait_secs); 2505 } 2506 2507 /* 2508 * After select, perform any appropriate operations for channels which have 2509 * events pending. 2510 */ 2511 void 2512 channel_after_select(struct ssh *ssh, fd_set *readset, fd_set *writeset) 2513 { 2514 channel_handler(ssh, CHAN_POST, readset, writeset, NULL); 2515 } 2516 2517 /* 2518 * Enqueue data for channels with open or draining c->input. 2519 */ 2520 static void 2521 channel_output_poll_input_open(struct ssh *ssh, Channel *c) 2522 { 2523 size_t len, plen; 2524 const u_char *pkt; 2525 int r; 2526 2527 if ((len = sshbuf_len(c->input)) == 0) { 2528 if (c->istate == CHAN_INPUT_WAIT_DRAIN) { 2529 /* 2530 * input-buffer is empty and read-socket shutdown: 2531 * tell peer, that we will not send more data: 2532 * send IEOF. 2533 * hack for extended data: delay EOF if EFD still 2534 * in use. 2535 */ 2536 if (CHANNEL_EFD_INPUT_ACTIVE(c)) 2537 debug2("channel %d: " 2538 "ibuf_empty delayed efd %d/(%zu)", 2539 c->self, c->efd, sshbuf_len(c->extended)); 2540 else 2541 chan_ibuf_empty(ssh, c); 2542 } 2543 return; 2544 } 2545 2546 if (!c->have_remote_id) 2547 fatal(":%s: channel %d: no remote id", __func__, c->self); 2548 2549 if (c->datagram) { 2550 /* Check datagram will fit; drop if not */ 2551 if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0) 2552 fatal("%s: channel %d: get datagram: %s", __func__, 2553 c->self, ssh_err(r)); 2554 /* 2555 * XXX this does tail-drop on the datagram queue which is 2556 * usually suboptimal compared to head-drop. Better to have 2557 * backpressure at read time? (i.e. read + discard) 2558 */ 2559 if (plen > c->remote_window || plen > c->remote_maxpacket) { 2560 debug("channel %d: datagram too big", c->self); 2561 return; 2562 } 2563 /* Enqueue it */ 2564 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 2565 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2566 (r = sshpkt_put_string(ssh, pkt, plen)) != 0 || 2567 (r = sshpkt_send(ssh)) != 0) { 2568 fatal("%s: channel %i: datagram: %s", __func__, 2569 c->self, ssh_err(r)); 2570 } 2571 c->remote_window -= plen; 2572 return; 2573 } 2574 2575 /* Enqueue packet for buffered data. */ 2576 if (len > c->remote_window) 2577 len = c->remote_window; 2578 if (len > c->remote_maxpacket) 2579 len = c->remote_maxpacket; 2580 if (len == 0) 2581 return; 2582 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 || 2583 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2584 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 || 2585 (r = sshpkt_send(ssh)) != 0) { 2586 fatal("%s: channel %i: data: %s", __func__, 2587 c->self, ssh_err(r)); 2588 } 2589 if ((r = sshbuf_consume(c->input, len)) != 0) 2590 fatal("%s: channel %i: consume: %s", __func__, 2591 c->self, ssh_err(r)); 2592 c->remote_window -= len; 2593 } 2594 2595 /* 2596 * Enqueue data for channels with open c->extended in read mode. 2597 */ 2598 static void 2599 channel_output_poll_extended_read(struct ssh *ssh, Channel *c) 2600 { 2601 size_t len; 2602 int r; 2603 2604 if ((len = sshbuf_len(c->extended)) == 0) 2605 return; 2606 2607 debug2("channel %d: rwin %u elen %zu euse %d", c->self, 2608 c->remote_window, sshbuf_len(c->extended), c->extended_usage); 2609 if (len > c->remote_window) 2610 len = c->remote_window; 2611 if (len > c->remote_maxpacket) 2612 len = c->remote_maxpacket; 2613 if (len == 0) 2614 return; 2615 if (!c->have_remote_id) 2616 fatal(":%s: channel %d: no remote id", __func__, c->self); 2617 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 || 2618 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 2619 (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 || 2620 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 || 2621 (r = sshpkt_send(ssh)) != 0) { 2622 fatal("%s: channel %i: data: %s", __func__, 2623 c->self, ssh_err(r)); 2624 } 2625 if ((r = sshbuf_consume(c->extended, len)) != 0) 2626 fatal("%s: channel %i: consume: %s", __func__, 2627 c->self, ssh_err(r)); 2628 c->remote_window -= len; 2629 debug2("channel %d: sent ext data %zu", c->self, len); 2630 } 2631 2632 /* If there is data to send to the connection, enqueue some of it now. */ 2633 void 2634 channel_output_poll(struct ssh *ssh) 2635 { 2636 struct ssh_channels *sc = ssh->chanctxt; 2637 Channel *c; 2638 u_int i; 2639 2640 for (i = 0; i < sc->channels_alloc; i++) { 2641 c = sc->channels[i]; 2642 if (c == NULL) 2643 continue; 2644 2645 /* 2646 * We are only interested in channels that can have buffered 2647 * incoming data. 2648 */ 2649 if (c->type != SSH_CHANNEL_OPEN) 2650 continue; 2651 if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) { 2652 /* XXX is this true? */ 2653 debug3("channel %d: will not send data after close", 2654 c->self); 2655 continue; 2656 } 2657 2658 /* Get the amount of buffered data for this channel. */ 2659 if (c->istate == CHAN_INPUT_OPEN || 2660 c->istate == CHAN_INPUT_WAIT_DRAIN) 2661 channel_output_poll_input_open(ssh, c); 2662 /* Send extended data, i.e. stderr */ 2663 if (!(c->flags & CHAN_EOF_SENT) && 2664 c->extended_usage == CHAN_EXTENDED_READ) 2665 channel_output_poll_extended_read(ssh, c); 2666 } 2667 } 2668 2669 /* -- mux proxy support */ 2670 2671 /* 2672 * When multiplexing channel messages for mux clients we have to deal 2673 * with downstream messages from the mux client and upstream messages 2674 * from the ssh server: 2675 * 1) Handling downstream messages is straightforward and happens 2676 * in channel_proxy_downstream(): 2677 * - We forward all messages (mostly) unmodified to the server. 2678 * - However, in order to route messages from upstream to the correct 2679 * downstream client, we have to replace the channel IDs used by the 2680 * mux clients with a unique channel ID because the mux clients might 2681 * use conflicting channel IDs. 2682 * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and 2683 * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local 2684 * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID 2685 * with the newly allocated channel ID. 2686 * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY 2687 * channels and processed by channel_proxy_upstream(). The local channel ID 2688 * is then translated back to the original mux client ID. 2689 * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE 2690 * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels. 2691 * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the 2692 * downstream mux client are removed. 2693 * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server 2694 * requires more work, because they are not addressed to a specific 2695 * channel. E.g. client_request_forwarded_tcpip() needs to figure 2696 * out whether the request is addressed to the local client or a 2697 * specific downstream client based on the listen-address/port. 2698 * 6) Agent and X11-Forwarding have a similar problem and are currently 2699 * not supported as the matching session/channel cannot be identified 2700 * easily. 2701 */ 2702 2703 /* 2704 * receive packets from downstream mux clients: 2705 * channel callback fired on read from mux client, creates 2706 * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs 2707 * on channel creation. 2708 */ 2709 int 2710 channel_proxy_downstream(struct ssh *ssh, Channel *downstream) 2711 { 2712 Channel *c = NULL; 2713 struct sshbuf *original = NULL, *modified = NULL; 2714 const u_char *cp; 2715 char *ctype = NULL, *listen_host = NULL; 2716 u_char type; 2717 size_t have; 2718 int ret = -1, r; 2719 u_int id, remote_id, listen_port; 2720 2721 /* sshbuf_dump(downstream->input, stderr); */ 2722 if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have)) 2723 != 0) { 2724 error("%s: malformed message: %s", __func__, ssh_err(r)); 2725 return -1; 2726 } 2727 if (have < 2) { 2728 error("%s: short message", __func__); 2729 return -1; 2730 } 2731 type = cp[1]; 2732 /* skip padlen + type */ 2733 cp += 2; 2734 have -= 2; 2735 if (ssh_packet_log_type(type)) 2736 debug3("%s: channel %u: down->up: type %u", __func__, 2737 downstream->self, type); 2738 2739 switch (type) { 2740 case SSH2_MSG_CHANNEL_OPEN: 2741 if ((original = sshbuf_from(cp, have)) == NULL || 2742 (modified = sshbuf_new()) == NULL) { 2743 error("%s: alloc", __func__); 2744 goto out; 2745 } 2746 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 || 2747 (r = sshbuf_get_u32(original, &id)) != 0) { 2748 error("%s: parse error %s", __func__, ssh_err(r)); 2749 goto out; 2750 } 2751 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY, 2752 -1, -1, -1, 0, 0, 0, ctype, 1); 2753 c->mux_ctx = downstream; /* point to mux client */ 2754 c->mux_downstream_id = id; /* original downstream id */ 2755 if ((r = sshbuf_put_cstring(modified, ctype)) != 0 || 2756 (r = sshbuf_put_u32(modified, c->self)) != 0 || 2757 (r = sshbuf_putb(modified, original)) != 0) { 2758 error("%s: compose error %s", __func__, ssh_err(r)); 2759 channel_free(ssh, c); 2760 goto out; 2761 } 2762 break; 2763 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2764 /* 2765 * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we 2766 * need to parse 'remote_id' instead of 'ctype'. 2767 */ 2768 if ((original = sshbuf_from(cp, have)) == NULL || 2769 (modified = sshbuf_new()) == NULL) { 2770 error("%s: alloc", __func__); 2771 goto out; 2772 } 2773 if ((r = sshbuf_get_u32(original, &remote_id)) != 0 || 2774 (r = sshbuf_get_u32(original, &id)) != 0) { 2775 error("%s: parse error %s", __func__, ssh_err(r)); 2776 goto out; 2777 } 2778 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY, 2779 -1, -1, -1, 0, 0, 0, "mux-down-connect", 1); 2780 c->mux_ctx = downstream; /* point to mux client */ 2781 c->mux_downstream_id = id; 2782 c->remote_id = remote_id; 2783 c->have_remote_id = 1; 2784 if ((r = sshbuf_put_u32(modified, remote_id)) != 0 || 2785 (r = sshbuf_put_u32(modified, c->self)) != 0 || 2786 (r = sshbuf_putb(modified, original)) != 0) { 2787 error("%s: compose error %s", __func__, ssh_err(r)); 2788 channel_free(ssh, c); 2789 goto out; 2790 } 2791 break; 2792 case SSH2_MSG_GLOBAL_REQUEST: 2793 if ((original = sshbuf_from(cp, have)) == NULL) { 2794 error("%s: alloc", __func__); 2795 goto out; 2796 } 2797 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) { 2798 error("%s: parse error %s", __func__, ssh_err(r)); 2799 goto out; 2800 } 2801 if (strcmp(ctype, "tcpip-forward") != 0) { 2802 error("%s: unsupported request %s", __func__, ctype); 2803 goto out; 2804 } 2805 if ((r = sshbuf_get_u8(original, NULL)) != 0 || 2806 (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 || 2807 (r = sshbuf_get_u32(original, &listen_port)) != 0) { 2808 error("%s: parse error %s", __func__, ssh_err(r)); 2809 goto out; 2810 } 2811 if (listen_port > 65535) { 2812 error("%s: tcpip-forward for %s: bad port %u", 2813 __func__, listen_host, listen_port); 2814 goto out; 2815 } 2816 /* Record that connection to this host/port is permitted. */ 2817 permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1, 2818 listen_host, NULL, (int)listen_port, downstream); 2819 listen_host = NULL; 2820 break; 2821 case SSH2_MSG_CHANNEL_CLOSE: 2822 if (have < 4) 2823 break; 2824 remote_id = PEEK_U32(cp); 2825 if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) { 2826 if (c->flags & CHAN_CLOSE_RCVD) 2827 channel_free(ssh, c); 2828 else 2829 c->flags |= CHAN_CLOSE_SENT; 2830 } 2831 break; 2832 } 2833 if (modified) { 2834 if ((r = sshpkt_start(ssh, type)) != 0 || 2835 (r = sshpkt_putb(ssh, modified)) != 0 || 2836 (r = sshpkt_send(ssh)) != 0) { 2837 error("%s: send %s", __func__, ssh_err(r)); 2838 goto out; 2839 } 2840 } else { 2841 if ((r = sshpkt_start(ssh, type)) != 0 || 2842 (r = sshpkt_put(ssh, cp, have)) != 0 || 2843 (r = sshpkt_send(ssh)) != 0) { 2844 error("%s: send %s", __func__, ssh_err(r)); 2845 goto out; 2846 } 2847 } 2848 ret = 0; 2849 out: 2850 free(ctype); 2851 free(listen_host); 2852 sshbuf_free(original); 2853 sshbuf_free(modified); 2854 return ret; 2855 } 2856 2857 /* 2858 * receive packets from upstream server and de-multiplex packets 2859 * to correct downstream: 2860 * implemented as a helper for channel input handlers, 2861 * replaces local (proxy) channel ID with downstream channel ID. 2862 */ 2863 int 2864 channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh) 2865 { 2866 struct sshbuf *b = NULL; 2867 Channel *downstream; 2868 const u_char *cp = NULL; 2869 size_t len; 2870 int r; 2871 2872 /* 2873 * When receiving packets from the peer we need to check whether we 2874 * need to forward the packets to the mux client. In this case we 2875 * restore the original channel id and keep track of CLOSE messages, 2876 * so we can cleanup the channel. 2877 */ 2878 if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY) 2879 return 0; 2880 if ((downstream = c->mux_ctx) == NULL) 2881 return 0; 2882 switch (type) { 2883 case SSH2_MSG_CHANNEL_CLOSE: 2884 case SSH2_MSG_CHANNEL_DATA: 2885 case SSH2_MSG_CHANNEL_EOF: 2886 case SSH2_MSG_CHANNEL_EXTENDED_DATA: 2887 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2888 case SSH2_MSG_CHANNEL_OPEN_FAILURE: 2889 case SSH2_MSG_CHANNEL_WINDOW_ADJUST: 2890 case SSH2_MSG_CHANNEL_SUCCESS: 2891 case SSH2_MSG_CHANNEL_FAILURE: 2892 case SSH2_MSG_CHANNEL_REQUEST: 2893 break; 2894 default: 2895 debug2("%s: channel %u: unsupported type %u", __func__, 2896 c->self, type); 2897 return 0; 2898 } 2899 if ((b = sshbuf_new()) == NULL) { 2900 error("%s: alloc reply", __func__); 2901 goto out; 2902 } 2903 /* get remaining payload (after id) */ 2904 cp = sshpkt_ptr(ssh, &len); 2905 if (cp == NULL) { 2906 error("%s: no packet", __func__); 2907 goto out; 2908 } 2909 /* translate id and send to muxclient */ 2910 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */ 2911 (r = sshbuf_put_u8(b, type)) != 0 || 2912 (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 || 2913 (r = sshbuf_put(b, cp, len)) != 0 || 2914 (r = sshbuf_put_stringb(downstream->output, b)) != 0) { 2915 error("%s: compose for muxclient %s", __func__, ssh_err(r)); 2916 goto out; 2917 } 2918 /* sshbuf_dump(b, stderr); */ 2919 if (ssh_packet_log_type(type)) 2920 debug3("%s: channel %u: up->down: type %u", __func__, c->self, 2921 type); 2922 out: 2923 /* update state */ 2924 switch (type) { 2925 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION: 2926 /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */ 2927 if (cp && len > 4) { 2928 c->remote_id = PEEK_U32(cp); 2929 c->have_remote_id = 1; 2930 } 2931 break; 2932 case SSH2_MSG_CHANNEL_CLOSE: 2933 if (c->flags & CHAN_CLOSE_SENT) 2934 channel_free(ssh, c); 2935 else 2936 c->flags |= CHAN_CLOSE_RCVD; 2937 break; 2938 } 2939 sshbuf_free(b); 2940 return 1; 2941 } 2942 2943 /* -- protocol input */ 2944 2945 /* Parse a channel ID from the current packet */ 2946 static int 2947 channel_parse_id(struct ssh *ssh, const char *where, const char *what) 2948 { 2949 u_int32_t id; 2950 int r; 2951 2952 if ((r = sshpkt_get_u32(ssh, &id)) != 0) { 2953 error("%s: parse id: %s", where, ssh_err(r)); 2954 ssh_packet_disconnect(ssh, "Invalid %s message", what); 2955 } 2956 if (id > INT_MAX) { 2957 error("%s: bad channel id %u: %s", where, id, ssh_err(r)); 2958 ssh_packet_disconnect(ssh, "Invalid %s channel id", what); 2959 } 2960 return (int)id; 2961 } 2962 2963 /* Lookup a channel from an ID in the current packet */ 2964 static Channel * 2965 channel_from_packet_id(struct ssh *ssh, const char *where, const char *what) 2966 { 2967 int id = channel_parse_id(ssh, where, what); 2968 Channel *c; 2969 2970 if ((c = channel_lookup(ssh, id)) == NULL) { 2971 ssh_packet_disconnect(ssh, 2972 "%s packet referred to nonexistent channel %d", what, id); 2973 } 2974 return c; 2975 } 2976 2977 int 2978 channel_input_data(int type, u_int32_t seq, struct ssh *ssh) 2979 { 2980 const u_char *data; 2981 size_t data_len, win_len; 2982 Channel *c = channel_from_packet_id(ssh, __func__, "data"); 2983 int r; 2984 2985 if (channel_proxy_upstream(c, type, seq, ssh)) 2986 return 0; 2987 2988 /* Ignore any data for non-open channels (might happen on close) */ 2989 if (c->type != SSH_CHANNEL_OPEN && 2990 c->type != SSH_CHANNEL_RDYNAMIC_OPEN && 2991 c->type != SSH_CHANNEL_RDYNAMIC_FINISH && 2992 c->type != SSH_CHANNEL_X11_OPEN) 2993 return 0; 2994 2995 /* Get the data. */ 2996 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || 2997 (r = sshpkt_get_end(ssh)) != 0) 2998 fatal("%s: channel %d: get data: %s", __func__, 2999 c->self, ssh_err(r)); 3000 3001 win_len = data_len; 3002 if (c->datagram) 3003 win_len += 4; /* string length header */ 3004 3005 /* 3006 * The sending side reduces its window as it sends data, so we 3007 * must 'fake' consumption of the data in order to ensure that window 3008 * updates are sent back. Otherwise the connection might deadlock. 3009 */ 3010 if (c->ostate != CHAN_OUTPUT_OPEN) { 3011 c->local_window -= win_len; 3012 c->local_consumed += win_len; 3013 return 0; 3014 } 3015 3016 if (win_len > c->local_maxpacket) { 3017 logit("channel %d: rcvd big packet %zu, maxpack %u", 3018 c->self, win_len, c->local_maxpacket); 3019 return 0; 3020 } 3021 if (win_len > c->local_window) { 3022 logit("channel %d: rcvd too much data %zu, win %u", 3023 c->self, win_len, c->local_window); 3024 return 0; 3025 } 3026 c->local_window -= win_len; 3027 3028 if (c->datagram) { 3029 if ((r = sshbuf_put_string(c->output, data, data_len)) != 0) 3030 fatal("%s: channel %d: append datagram: %s", 3031 __func__, c->self, ssh_err(r)); 3032 } else if ((r = sshbuf_put(c->output, data, data_len)) != 0) 3033 fatal("%s: channel %d: append data: %s", 3034 __func__, c->self, ssh_err(r)); 3035 3036 return 0; 3037 } 3038 3039 int 3040 channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh) 3041 { 3042 const u_char *data; 3043 size_t data_len; 3044 u_int32_t tcode; 3045 Channel *c = channel_from_packet_id(ssh, __func__, "extended data"); 3046 int r; 3047 3048 if (channel_proxy_upstream(c, type, seq, ssh)) 3049 return 0; 3050 if (c->type != SSH_CHANNEL_OPEN) { 3051 logit("channel %d: ext data for non open", c->self); 3052 return 0; 3053 } 3054 if (c->flags & CHAN_EOF_RCVD) { 3055 if (datafellows & SSH_BUG_EXTEOF) 3056 debug("channel %d: accepting ext data after eof", 3057 c->self); 3058 else 3059 ssh_packet_disconnect(ssh, "Received extended_data " 3060 "after EOF on channel %d.", c->self); 3061 } 3062 3063 if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) { 3064 error("%s: parse tcode: %s", __func__, ssh_err(r)); 3065 ssh_packet_disconnect(ssh, "Invalid extended_data message"); 3066 } 3067 if (c->efd == -1 || 3068 c->extended_usage != CHAN_EXTENDED_WRITE || 3069 tcode != SSH2_EXTENDED_DATA_STDERR) { 3070 logit("channel %d: bad ext data", c->self); 3071 return 0; 3072 } 3073 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 || 3074 (r = sshpkt_get_end(ssh)) != 0) { 3075 error("%s: parse data: %s", __func__, ssh_err(r)); 3076 ssh_packet_disconnect(ssh, "Invalid extended_data message"); 3077 } 3078 3079 if (data_len > c->local_window) { 3080 logit("channel %d: rcvd too much extended_data %zu, win %u", 3081 c->self, data_len, c->local_window); 3082 return 0; 3083 } 3084 debug2("channel %d: rcvd ext data %zu", c->self, data_len); 3085 /* XXX sshpkt_getb? */ 3086 if ((r = sshbuf_put(c->extended, data, data_len)) != 0) 3087 error("%s: append: %s", __func__, ssh_err(r)); 3088 c->local_window -= data_len; 3089 return 0; 3090 } 3091 3092 int 3093 channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh) 3094 { 3095 Channel *c = channel_from_packet_id(ssh, __func__, "ieof"); 3096 int r; 3097 3098 if ((r = sshpkt_get_end(ssh)) != 0) { 3099 error("%s: parse data: %s", __func__, ssh_err(r)); 3100 ssh_packet_disconnect(ssh, "Invalid ieof message"); 3101 } 3102 3103 if (channel_proxy_upstream(c, type, seq, ssh)) 3104 return 0; 3105 chan_rcvd_ieof(ssh, c); 3106 3107 /* XXX force input close */ 3108 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) { 3109 debug("channel %d: FORCE input drain", c->self); 3110 c->istate = CHAN_INPUT_WAIT_DRAIN; 3111 if (sshbuf_len(c->input) == 0) 3112 chan_ibuf_empty(ssh, c); 3113 } 3114 return 0; 3115 } 3116 3117 int 3118 channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh) 3119 { 3120 Channel *c = channel_from_packet_id(ssh, __func__, "oclose"); 3121 int r; 3122 3123 if (channel_proxy_upstream(c, type, seq, ssh)) 3124 return 0; 3125 if ((r = sshpkt_get_end(ssh)) != 0) { 3126 error("%s: parse data: %s", __func__, ssh_err(r)); 3127 ssh_packet_disconnect(ssh, "Invalid oclose message"); 3128 } 3129 chan_rcvd_oclose(ssh, c); 3130 return 0; 3131 } 3132 3133 int 3134 channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh) 3135 { 3136 Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation"); 3137 u_int32_t remote_window, remote_maxpacket; 3138 int r; 3139 3140 if (channel_proxy_upstream(c, type, seq, ssh)) 3141 return 0; 3142 if (c->type != SSH_CHANNEL_OPENING) 3143 ssh_packet_disconnect(ssh, "Received open confirmation for " 3144 "non-opening channel %d.", c->self); 3145 /* 3146 * Record the remote channel number and mark that the channel 3147 * is now open. 3148 */ 3149 if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 || 3150 (r = sshpkt_get_u32(ssh, &remote_window)) != 0 || 3151 (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 || 3152 (r = sshpkt_get_end(ssh)) != 0) { 3153 error("%s: window/maxpacket: %s", __func__, ssh_err(r)); 3154 ssh_packet_disconnect(ssh, "Invalid open confirmation message"); 3155 } 3156 3157 c->have_remote_id = 1; 3158 c->remote_window = remote_window; 3159 c->remote_maxpacket = remote_maxpacket; 3160 c->type = SSH_CHANNEL_OPEN; 3161 if (c->open_confirm) { 3162 debug2("%s: channel %d: callback start", __func__, c->self); 3163 c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx); 3164 debug2("%s: channel %d: callback done", __func__, c->self); 3165 } 3166 debug2("channel %d: open confirm rwindow %u rmax %u", c->self, 3167 c->remote_window, c->remote_maxpacket); 3168 return 0; 3169 } 3170 3171 static char * 3172 reason2txt(int reason) 3173 { 3174 switch (reason) { 3175 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED: 3176 return "administratively prohibited"; 3177 case SSH2_OPEN_CONNECT_FAILED: 3178 return "connect failed"; 3179 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE: 3180 return "unknown channel type"; 3181 case SSH2_OPEN_RESOURCE_SHORTAGE: 3182 return "resource shortage"; 3183 } 3184 return "unknown reason"; 3185 } 3186 3187 int 3188 channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh) 3189 { 3190 Channel *c = channel_from_packet_id(ssh, __func__, "open failure"); 3191 u_int32_t reason; 3192 char *msg = NULL; 3193 int r; 3194 3195 if (channel_proxy_upstream(c, type, seq, ssh)) 3196 return 0; 3197 if (c->type != SSH_CHANNEL_OPENING) 3198 ssh_packet_disconnect(ssh, "Received open failure for " 3199 "non-opening channel %d.", c->self); 3200 if ((r = sshpkt_get_u32(ssh, &reason)) != 0) { 3201 error("%s: reason: %s", __func__, ssh_err(r)); 3202 ssh_packet_disconnect(ssh, "Invalid open failure message"); 3203 } 3204 /* skip language */ 3205 if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 || 3206 (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0 || 3207 (r = sshpkt_get_end(ssh)) != 0) { 3208 error("%s: message/lang: %s", __func__, ssh_err(r)); 3209 ssh_packet_disconnect(ssh, "Invalid open failure message"); 3210 } 3211 logit("channel %d: open failed: %s%s%s", c->self, 3212 reason2txt(reason), msg ? ": ": "", msg ? msg : ""); 3213 free(msg); 3214 if (c->open_confirm) { 3215 debug2("%s: channel %d: callback start", __func__, c->self); 3216 c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx); 3217 debug2("%s: channel %d: callback done", __func__, c->self); 3218 } 3219 /* Schedule the channel for cleanup/deletion. */ 3220 chan_mark_dead(ssh, c); 3221 return 0; 3222 } 3223 3224 int 3225 channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh) 3226 { 3227 int id = channel_parse_id(ssh, __func__, "window adjust"); 3228 Channel *c; 3229 u_int32_t adjust; 3230 u_int new_rwin; 3231 int r; 3232 3233 if ((c = channel_lookup(ssh, id)) == NULL) { 3234 logit("Received window adjust for non-open channel %d.", id); 3235 return 0; 3236 } 3237 3238 if (channel_proxy_upstream(c, type, seq, ssh)) 3239 return 0; 3240 if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 || 3241 (r = sshpkt_get_end(ssh)) != 0) { 3242 error("%s: adjust: %s", __func__, ssh_err(r)); 3243 ssh_packet_disconnect(ssh, "Invalid window adjust message"); 3244 } 3245 debug2("channel %d: rcvd adjust %u", c->self, adjust); 3246 if ((new_rwin = c->remote_window + adjust) < c->remote_window) { 3247 fatal("channel %d: adjust %u overflows remote window %u", 3248 c->self, adjust, c->remote_window); 3249 } 3250 c->remote_window = new_rwin; 3251 return 0; 3252 } 3253 3254 int 3255 channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh) 3256 { 3257 int id = channel_parse_id(ssh, __func__, "status confirm"); 3258 Channel *c; 3259 struct channel_confirm *cc; 3260 int r; 3261 3262 /* Reset keepalive timeout */ 3263 ssh_packet_set_alive_timeouts(ssh, 0); 3264 3265 debug2("%s: type %d id %d", __func__, type, id); 3266 3267 if ((c = channel_lookup(ssh, id)) == NULL) { 3268 logit("%s: %d: unknown", __func__, id); 3269 return 0; 3270 } 3271 if (channel_proxy_upstream(c, type, seq, ssh)) 3272 return 0; 3273 if ((r = sshpkt_get_end(ssh)) != 0) 3274 ssh_packet_disconnect(ssh, "Invalid status confirm message"); 3275 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL) 3276 return 0; 3277 cc->cb(ssh, type, c, cc->ctx); 3278 TAILQ_REMOVE(&c->status_confirms, cc, entry); 3279 explicit_bzero(cc, sizeof(*cc)); 3280 free(cc); 3281 return 0; 3282 } 3283 3284 /* -- tcp forwarding */ 3285 3286 void 3287 channel_set_af(struct ssh *ssh, int af) 3288 { 3289 ssh->chanctxt->IPv4or6 = af; 3290 } 3291 3292 3293 /* 3294 * Determine whether or not a port forward listens to loopback, the 3295 * specified address or wildcard. On the client, a specified bind 3296 * address will always override gateway_ports. On the server, a 3297 * gateway_ports of 1 (``yes'') will override the client's specification 3298 * and force a wildcard bind, whereas a value of 2 (``clientspecified'') 3299 * will bind to whatever address the client asked for. 3300 * 3301 * Special-case listen_addrs are: 3302 * 3303 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR 3304 * "" (empty string), "*" -> wildcard v4/v6 3305 * "localhost" -> loopback v4/v6 3306 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set 3307 */ 3308 static const char * 3309 channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp, 3310 int is_client, struct ForwardOptions *fwd_opts) 3311 { 3312 const char *addr = NULL; 3313 int wildcard = 0; 3314 3315 if (listen_addr == NULL) { 3316 /* No address specified: default to gateway_ports setting */ 3317 if (fwd_opts->gateway_ports) 3318 wildcard = 1; 3319 } else if (fwd_opts->gateway_ports || is_client) { 3320 if (((datafellows & SSH_OLD_FORWARD_ADDR) && 3321 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) || 3322 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 || 3323 (!is_client && fwd_opts->gateway_ports == 1)) { 3324 wildcard = 1; 3325 /* 3326 * Notify client if they requested a specific listen 3327 * address and it was overridden. 3328 */ 3329 if (*listen_addr != '\0' && 3330 strcmp(listen_addr, "0.0.0.0") != 0 && 3331 strcmp(listen_addr, "*") != 0) { 3332 ssh_packet_send_debug(ssh, 3333 "Forwarding listen address " 3334 "\"%s\" overridden by server " 3335 "GatewayPorts", listen_addr); 3336 } 3337 } else if (strcmp(listen_addr, "localhost") != 0 || 3338 strcmp(listen_addr, "127.0.0.1") == 0 || 3339 strcmp(listen_addr, "::1") == 0) { 3340 /* Accept localhost address when GatewayPorts=yes */ 3341 addr = listen_addr; 3342 } 3343 } else if (strcmp(listen_addr, "127.0.0.1") == 0 || 3344 strcmp(listen_addr, "::1") == 0) { 3345 /* 3346 * If a specific IPv4/IPv6 localhost address has been 3347 * requested then accept it even if gateway_ports is in 3348 * effect. This allows the client to prefer IPv4 or IPv6. 3349 */ 3350 addr = listen_addr; 3351 } 3352 if (wildcardp != NULL) 3353 *wildcardp = wildcard; 3354 return addr; 3355 } 3356 3357 static int 3358 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type, 3359 struct Forward *fwd, int *allocated_listen_port, 3360 struct ForwardOptions *fwd_opts) 3361 { 3362 Channel *c; 3363 int sock, r, success = 0, wildcard = 0, is_client; 3364 struct addrinfo hints, *ai, *aitop; 3365 const char *host, *addr; 3366 char ntop[NI_MAXHOST], strport[NI_MAXSERV]; 3367 in_port_t *lport_p; 3368 3369 is_client = (type == SSH_CHANNEL_PORT_LISTENER); 3370 3371 if (is_client && fwd->connect_path != NULL) { 3372 host = fwd->connect_path; 3373 } else { 3374 host = (type == SSH_CHANNEL_RPORT_LISTENER) ? 3375 fwd->listen_host : fwd->connect_host; 3376 if (host == NULL) { 3377 error("No forward host name."); 3378 return 0; 3379 } 3380 if (strlen(host) >= NI_MAXHOST) { 3381 error("Forward host name too long."); 3382 return 0; 3383 } 3384 } 3385 3386 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */ 3387 addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard, 3388 is_client, fwd_opts); 3389 debug3("%s: type %d wildcard %d addr %s", __func__, 3390 type, wildcard, (addr == NULL) ? "NULL" : addr); 3391 3392 /* 3393 * getaddrinfo returns a loopback address if the hostname is 3394 * set to NULL and hints.ai_flags is not AI_PASSIVE 3395 */ 3396 memset(&hints, 0, sizeof(hints)); 3397 hints.ai_family = ssh->chanctxt->IPv4or6; 3398 hints.ai_flags = wildcard ? AI_PASSIVE : 0; 3399 hints.ai_socktype = SOCK_STREAM; 3400 snprintf(strport, sizeof strport, "%d", fwd->listen_port); 3401 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { 3402 if (addr == NULL) { 3403 /* This really shouldn't happen */ 3404 ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s", 3405 ssh_gai_strerror(r)); 3406 } else { 3407 error("%s: getaddrinfo(%.64s): %s", __func__, addr, 3408 ssh_gai_strerror(r)); 3409 } 3410 return 0; 3411 } 3412 if (allocated_listen_port != NULL) 3413 *allocated_listen_port = 0; 3414 for (ai = aitop; ai; ai = ai->ai_next) { 3415 switch (ai->ai_family) { 3416 case AF_INET: 3417 lport_p = &((struct sockaddr_in *)ai->ai_addr)-> 3418 sin_port; 3419 break; 3420 case AF_INET6: 3421 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)-> 3422 sin6_port; 3423 break; 3424 default: 3425 continue; 3426 } 3427 /* 3428 * If allocating a port for -R forwards, then use the 3429 * same port for all address families. 3430 */ 3431 if (type == SSH_CHANNEL_RPORT_LISTENER && 3432 fwd->listen_port == 0 && allocated_listen_port != NULL && 3433 *allocated_listen_port > 0) 3434 *lport_p = htons(*allocated_listen_port); 3435 3436 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), 3437 strport, sizeof(strport), 3438 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 3439 error("%s: getnameinfo failed", __func__); 3440 continue; 3441 } 3442 /* Create a port to listen for the host. */ 3443 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 3444 if (sock < 0) { 3445 /* this is no error since kernel may not support ipv6 */ 3446 verbose("socket [%s]:%s: %.100s", ntop, strport, 3447 strerror(errno)); 3448 continue; 3449 } 3450 3451 set_reuseaddr(sock); 3452 if (ai->ai_family == AF_INET6) 3453 sock_set_v6only(sock); 3454 3455 debug("Local forwarding listening on %s port %s.", 3456 ntop, strport); 3457 3458 /* Bind the socket to the address. */ 3459 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 3460 /* 3461 * address can be in if use ipv6 address is 3462 * already bound 3463 */ 3464 if (!ai->ai_next) 3465 error("bind [%s]:%s: %.100s", 3466 ntop, strport, strerror(errno)); 3467 else 3468 verbose("bind [%s]:%s: %.100s", 3469 ntop, strport, strerror(errno)); 3470 3471 close(sock); 3472 continue; 3473 } 3474 /* Start listening for connections on the socket. */ 3475 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 3476 error("listen: %.100s", strerror(errno)); 3477 error("listen [%s]:%s: %.100s", ntop, strport, 3478 strerror(errno)); 3479 close(sock); 3480 continue; 3481 } 3482 3483 /* 3484 * fwd->listen_port == 0 requests a dynamically allocated port - 3485 * record what we got. 3486 */ 3487 if (type == SSH_CHANNEL_RPORT_LISTENER && 3488 fwd->listen_port == 0 && 3489 allocated_listen_port != NULL && 3490 *allocated_listen_port == 0) { 3491 *allocated_listen_port = get_local_port(sock); 3492 debug("Allocated listen port %d", 3493 *allocated_listen_port); 3494 } 3495 3496 /* Allocate a channel number for the socket. */ 3497 c = channel_new(ssh, "port listener", type, sock, sock, -1, 3498 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 3499 0, "port listener", 1); 3500 c->path = xstrdup(host); 3501 c->host_port = fwd->connect_port; 3502 c->listening_addr = addr == NULL ? NULL : xstrdup(addr); 3503 if (fwd->listen_port == 0 && allocated_listen_port != NULL && 3504 !(datafellows & SSH_BUG_DYNAMIC_RPORT)) 3505 c->listening_port = *allocated_listen_port; 3506 else 3507 c->listening_port = fwd->listen_port; 3508 success = 1; 3509 } 3510 if (success == 0) 3511 error("%s: cannot listen to port: %d", __func__, 3512 fwd->listen_port); 3513 freeaddrinfo(aitop); 3514 return success; 3515 } 3516 3517 static int 3518 channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type, 3519 struct Forward *fwd, struct ForwardOptions *fwd_opts) 3520 { 3521 struct sockaddr_un sunaddr; 3522 const char *path; 3523 Channel *c; 3524 int port, sock; 3525 mode_t omask; 3526 3527 switch (type) { 3528 case SSH_CHANNEL_UNIX_LISTENER: 3529 if (fwd->connect_path != NULL) { 3530 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) { 3531 error("Local connecting path too long: %s", 3532 fwd->connect_path); 3533 return 0; 3534 } 3535 path = fwd->connect_path; 3536 port = PORT_STREAMLOCAL; 3537 } else { 3538 if (fwd->connect_host == NULL) { 3539 error("No forward host name."); 3540 return 0; 3541 } 3542 if (strlen(fwd->connect_host) >= NI_MAXHOST) { 3543 error("Forward host name too long."); 3544 return 0; 3545 } 3546 path = fwd->connect_host; 3547 port = fwd->connect_port; 3548 } 3549 break; 3550 case SSH_CHANNEL_RUNIX_LISTENER: 3551 path = fwd->listen_path; 3552 port = PORT_STREAMLOCAL; 3553 break; 3554 default: 3555 error("%s: unexpected channel type %d", __func__, type); 3556 return 0; 3557 } 3558 3559 if (fwd->listen_path == NULL) { 3560 error("No forward path name."); 3561 return 0; 3562 } 3563 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) { 3564 error("Local listening path too long: %s", fwd->listen_path); 3565 return 0; 3566 } 3567 3568 debug3("%s: type %d path %s", __func__, type, fwd->listen_path); 3569 3570 /* Start a Unix domain listener. */ 3571 omask = umask(fwd_opts->streamlocal_bind_mask); 3572 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG, 3573 fwd_opts->streamlocal_bind_unlink); 3574 umask(omask); 3575 if (sock < 0) 3576 return 0; 3577 3578 debug("Local forwarding listening on path %s.", fwd->listen_path); 3579 3580 /* Allocate a channel number for the socket. */ 3581 c = channel_new(ssh, "unix listener", type, sock, sock, -1, 3582 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 3583 0, "unix listener", 1); 3584 c->path = xstrdup(path); 3585 c->host_port = port; 3586 c->listening_port = PORT_STREAMLOCAL; 3587 c->listening_addr = xstrdup(fwd->listen_path); 3588 return 1; 3589 } 3590 3591 static int 3592 channel_cancel_rport_listener_tcpip(struct ssh *ssh, 3593 const char *host, u_short port) 3594 { 3595 u_int i; 3596 int found = 0; 3597 3598 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3599 Channel *c = ssh->chanctxt->channels[i]; 3600 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER) 3601 continue; 3602 if (strcmp(c->path, host) == 0 && c->listening_port == port) { 3603 debug2("%s: close channel %d", __func__, i); 3604 channel_free(ssh, c); 3605 found = 1; 3606 } 3607 } 3608 3609 return found; 3610 } 3611 3612 static int 3613 channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path) 3614 { 3615 u_int i; 3616 int found = 0; 3617 3618 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3619 Channel *c = ssh->chanctxt->channels[i]; 3620 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER) 3621 continue; 3622 if (c->path == NULL) 3623 continue; 3624 if (strcmp(c->path, path) == 0) { 3625 debug2("%s: close channel %d", __func__, i); 3626 channel_free(ssh, c); 3627 found = 1; 3628 } 3629 } 3630 3631 return found; 3632 } 3633 3634 int 3635 channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd) 3636 { 3637 if (fwd->listen_path != NULL) { 3638 return channel_cancel_rport_listener_streamlocal(ssh, 3639 fwd->listen_path); 3640 } else { 3641 return channel_cancel_rport_listener_tcpip(ssh, 3642 fwd->listen_host, fwd->listen_port); 3643 } 3644 } 3645 3646 static int 3647 channel_cancel_lport_listener_tcpip(struct ssh *ssh, 3648 const char *lhost, u_short lport, int cport, 3649 struct ForwardOptions *fwd_opts) 3650 { 3651 u_int i; 3652 int found = 0; 3653 const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL, 1, fwd_opts); 3654 3655 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3656 Channel *c = ssh->chanctxt->channels[i]; 3657 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER) 3658 continue; 3659 if (c->listening_port != lport) 3660 continue; 3661 if (cport == CHANNEL_CANCEL_PORT_STATIC) { 3662 /* skip dynamic forwardings */ 3663 if (c->host_port == 0) 3664 continue; 3665 } else { 3666 if (c->host_port != cport) 3667 continue; 3668 } 3669 if ((c->listening_addr == NULL && addr != NULL) || 3670 (c->listening_addr != NULL && addr == NULL)) 3671 continue; 3672 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) { 3673 debug2("%s: close channel %d", __func__, i); 3674 channel_free(ssh, c); 3675 found = 1; 3676 } 3677 } 3678 3679 return found; 3680 } 3681 3682 static int 3683 channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path) 3684 { 3685 u_int i; 3686 int found = 0; 3687 3688 if (path == NULL) { 3689 error("%s: no path specified.", __func__); 3690 return 0; 3691 } 3692 3693 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) { 3694 Channel *c = ssh->chanctxt->channels[i]; 3695 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER) 3696 continue; 3697 if (c->listening_addr == NULL) 3698 continue; 3699 if (strcmp(c->listening_addr, path) == 0) { 3700 debug2("%s: close channel %d", __func__, i); 3701 channel_free(ssh, c); 3702 found = 1; 3703 } 3704 } 3705 3706 return found; 3707 } 3708 3709 int 3710 channel_cancel_lport_listener(struct ssh *ssh, 3711 struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts) 3712 { 3713 if (fwd->listen_path != NULL) { 3714 return channel_cancel_lport_listener_streamlocal(ssh, 3715 fwd->listen_path); 3716 } else { 3717 return channel_cancel_lport_listener_tcpip(ssh, 3718 fwd->listen_host, fwd->listen_port, cport, fwd_opts); 3719 } 3720 } 3721 3722 /* protocol local port fwd, used by ssh */ 3723 int 3724 channel_setup_local_fwd_listener(struct ssh *ssh, 3725 struct Forward *fwd, struct ForwardOptions *fwd_opts) 3726 { 3727 if (fwd->listen_path != NULL) { 3728 return channel_setup_fwd_listener_streamlocal(ssh, 3729 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts); 3730 } else { 3731 return channel_setup_fwd_listener_tcpip(ssh, 3732 SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts); 3733 } 3734 } 3735 3736 /* Matches a remote forwarding permission against a requested forwarding */ 3737 static int 3738 remote_open_match(struct permission *allowed_open, struct Forward *fwd) 3739 { 3740 int ret; 3741 char *lhost; 3742 3743 /* XXX add ACLs for streamlocal */ 3744 if (fwd->listen_path != NULL) 3745 return 1; 3746 3747 if (fwd->listen_host == NULL || allowed_open->listen_host == NULL) 3748 return 0; 3749 3750 if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT && 3751 allowed_open->listen_port != fwd->listen_port) 3752 return 0; 3753 3754 /* Match hostnames case-insensitively */ 3755 lhost = xstrdup(fwd->listen_host); 3756 lowercase(lhost); 3757 ret = match_pattern(lhost, allowed_open->listen_host); 3758 free(lhost); 3759 3760 return ret; 3761 } 3762 3763 /* Checks whether a requested remote forwarding is permitted */ 3764 static int 3765 check_rfwd_permission(struct ssh *ssh, struct Forward *fwd) 3766 { 3767 struct ssh_channels *sc = ssh->chanctxt; 3768 struct permission_set *pset = &sc->remote_perms; 3769 u_int i, permit, permit_adm = 1; 3770 struct permission *perm; 3771 3772 /* XXX apply GatewayPorts override before checking? */ 3773 3774 permit = pset->all_permitted; 3775 if (!permit) { 3776 for (i = 0; i < pset->num_permitted_user; i++) { 3777 perm = &pset->permitted_user[i]; 3778 if (remote_open_match(perm, fwd)) { 3779 permit = 1; 3780 break; 3781 } 3782 } 3783 } 3784 3785 if (pset->num_permitted_admin > 0) { 3786 permit_adm = 0; 3787 for (i = 0; i < pset->num_permitted_admin; i++) { 3788 perm = &pset->permitted_admin[i]; 3789 if (remote_open_match(perm, fwd)) { 3790 permit_adm = 1; 3791 break; 3792 } 3793 } 3794 } 3795 3796 return permit && permit_adm; 3797 } 3798 3799 /* protocol v2 remote port fwd, used by sshd */ 3800 int 3801 channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd, 3802 int *allocated_listen_port, struct ForwardOptions *fwd_opts) 3803 { 3804 if (!check_rfwd_permission(ssh, fwd)) { 3805 ssh_packet_send_debug(ssh, "port forwarding refused"); 3806 return 0; 3807 } 3808 if (fwd->listen_path != NULL) { 3809 return channel_setup_fwd_listener_streamlocal(ssh, 3810 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts); 3811 } else { 3812 return channel_setup_fwd_listener_tcpip(ssh, 3813 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port, 3814 fwd_opts); 3815 } 3816 } 3817 3818 /* 3819 * Translate the requested rfwd listen host to something usable for 3820 * this server. 3821 */ 3822 static const char * 3823 channel_rfwd_bind_host(const char *listen_host) 3824 { 3825 if (listen_host == NULL) { 3826 return "localhost"; 3827 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) { 3828 return ""; 3829 } else 3830 return listen_host; 3831 } 3832 3833 /* 3834 * Initiate forwarding of connections to port "port" on remote host through 3835 * the secure channel to host:port from local side. 3836 * Returns handle (index) for updating the dynamic listen port with 3837 * channel_update_permission(). 3838 */ 3839 int 3840 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd) 3841 { 3842 int r, success = 0, idx = -1; 3843 char *host_to_connect, *listen_host, *listen_path; 3844 int port_to_connect, listen_port; 3845 3846 /* Send the forward request to the remote side. */ 3847 if (fwd->listen_path != NULL) { 3848 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3849 (r = sshpkt_put_cstring(ssh, 3850 "streamlocal-forward@openssh.com")) != 0 || 3851 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ 3852 (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 || 3853 (r = sshpkt_send(ssh)) != 0 || 3854 (r = ssh_packet_write_wait(ssh)) != 0) 3855 fatal("%s: request streamlocal: %s", 3856 __func__, ssh_err(r)); 3857 } else { 3858 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3859 (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 || 3860 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */ 3861 (r = sshpkt_put_cstring(ssh, 3862 channel_rfwd_bind_host(fwd->listen_host))) != 0 || 3863 (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 || 3864 (r = sshpkt_send(ssh)) != 0 || 3865 (r = ssh_packet_write_wait(ssh)) != 0) 3866 fatal("%s: request tcpip-forward: %s", 3867 __func__, ssh_err(r)); 3868 } 3869 /* Assume that server accepts the request */ 3870 success = 1; 3871 if (success) { 3872 /* Record that connection to this host/port is permitted. */ 3873 host_to_connect = listen_host = listen_path = NULL; 3874 port_to_connect = listen_port = 0; 3875 if (fwd->connect_path != NULL) { 3876 host_to_connect = xstrdup(fwd->connect_path); 3877 port_to_connect = PORT_STREAMLOCAL; 3878 } else { 3879 host_to_connect = xstrdup(fwd->connect_host); 3880 port_to_connect = fwd->connect_port; 3881 } 3882 if (fwd->listen_path != NULL) { 3883 listen_path = xstrdup(fwd->listen_path); 3884 listen_port = PORT_STREAMLOCAL; 3885 } else { 3886 if (fwd->listen_host != NULL) 3887 listen_host = xstrdup(fwd->listen_host); 3888 listen_port = fwd->listen_port; 3889 } 3890 idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, 3891 host_to_connect, port_to_connect, 3892 listen_host, listen_path, listen_port, NULL); 3893 } 3894 return idx; 3895 } 3896 3897 static int 3898 open_match(struct permission *allowed_open, const char *requestedhost, 3899 int requestedport) 3900 { 3901 if (allowed_open->host_to_connect == NULL) 3902 return 0; 3903 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT && 3904 allowed_open->port_to_connect != requestedport) 3905 return 0; 3906 if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 && 3907 strcmp(allowed_open->host_to_connect, requestedhost) != 0) 3908 return 0; 3909 return 1; 3910 } 3911 3912 /* 3913 * Note that in the listen host/port case 3914 * we don't support FWD_PERMIT_ANY_PORT and 3915 * need to translate between the configured-host (listen_host) 3916 * and what we've sent to the remote server (channel_rfwd_bind_host) 3917 */ 3918 static int 3919 open_listen_match_tcpip(struct permission *allowed_open, 3920 const char *requestedhost, u_short requestedport, int translate) 3921 { 3922 const char *allowed_host; 3923 3924 if (allowed_open->host_to_connect == NULL) 3925 return 0; 3926 if (allowed_open->listen_port != requestedport) 3927 return 0; 3928 if (!translate && allowed_open->listen_host == NULL && 3929 requestedhost == NULL) 3930 return 1; 3931 allowed_host = translate ? 3932 channel_rfwd_bind_host(allowed_open->listen_host) : 3933 allowed_open->listen_host; 3934 if (allowed_host == NULL || requestedhost == NULL || 3935 strcmp(allowed_host, requestedhost) != 0) 3936 return 0; 3937 return 1; 3938 } 3939 3940 static int 3941 open_listen_match_streamlocal(struct permission *allowed_open, 3942 const char *requestedpath) 3943 { 3944 if (allowed_open->host_to_connect == NULL) 3945 return 0; 3946 if (allowed_open->listen_port != PORT_STREAMLOCAL) 3947 return 0; 3948 if (allowed_open->listen_path == NULL || 3949 strcmp(allowed_open->listen_path, requestedpath) != 0) 3950 return 0; 3951 return 1; 3952 } 3953 3954 /* 3955 * Request cancellation of remote forwarding of connection host:port from 3956 * local side. 3957 */ 3958 static int 3959 channel_request_rforward_cancel_tcpip(struct ssh *ssh, 3960 const char *host, u_short port) 3961 { 3962 struct ssh_channels *sc = ssh->chanctxt; 3963 struct permission_set *pset = &sc->local_perms; 3964 int r; 3965 u_int i; 3966 struct permission *perm; 3967 3968 for (i = 0; i < pset->num_permitted_user; i++) { 3969 perm = &pset->permitted_user[i]; 3970 if (open_listen_match_tcpip(perm, host, port, 0)) 3971 break; 3972 perm = NULL; 3973 } 3974 if (perm == NULL) { 3975 debug("%s: requested forward not found", __func__); 3976 return -1; 3977 } 3978 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 3979 (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 || 3980 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ 3981 (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 || 3982 (r = sshpkt_put_u32(ssh, port)) != 0 || 3983 (r = sshpkt_send(ssh)) != 0) 3984 fatal("%s: send cancel: %s", __func__, ssh_err(r)); 3985 3986 fwd_perm_clear(perm); /* unregister */ 3987 3988 return 0; 3989 } 3990 3991 /* 3992 * Request cancellation of remote forwarding of Unix domain socket 3993 * path from local side. 3994 */ 3995 static int 3996 channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path) 3997 { 3998 struct ssh_channels *sc = ssh->chanctxt; 3999 struct permission_set *pset = &sc->local_perms; 4000 int r; 4001 u_int i; 4002 struct permission *perm; 4003 4004 for (i = 0; i < pset->num_permitted_user; i++) { 4005 perm = &pset->permitted_user[i]; 4006 if (open_listen_match_streamlocal(perm, path)) 4007 break; 4008 perm = NULL; 4009 } 4010 if (perm == NULL) { 4011 debug("%s: requested forward not found", __func__); 4012 return -1; 4013 } 4014 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 || 4015 (r = sshpkt_put_cstring(ssh, 4016 "cancel-streamlocal-forward@openssh.com")) != 0 || 4017 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */ 4018 (r = sshpkt_put_cstring(ssh, path)) != 0 || 4019 (r = sshpkt_send(ssh)) != 0) 4020 fatal("%s: send cancel: %s", __func__, ssh_err(r)); 4021 4022 fwd_perm_clear(perm); /* unregister */ 4023 4024 return 0; 4025 } 4026 4027 /* 4028 * Request cancellation of remote forwarding of a connection from local side. 4029 */ 4030 int 4031 channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd) 4032 { 4033 if (fwd->listen_path != NULL) { 4034 return channel_request_rforward_cancel_streamlocal(ssh, 4035 fwd->listen_path); 4036 } else { 4037 return channel_request_rforward_cancel_tcpip(ssh, 4038 fwd->listen_host, 4039 fwd->listen_port ? fwd->listen_port : fwd->allocated_port); 4040 } 4041 } 4042 4043 /* 4044 * Permits opening to any host/port if permitted_user[] is empty. This is 4045 * usually called by the server, because the user could connect to any port 4046 * anyway, and the server has no way to know but to trust the client anyway. 4047 */ 4048 void 4049 channel_permit_all(struct ssh *ssh, int where) 4050 { 4051 struct permission_set *pset = permission_set_get(ssh, where); 4052 4053 if (pset->num_permitted_user == 0) 4054 pset->all_permitted = 1; 4055 } 4056 4057 /* 4058 * Permit the specified host/port for forwarding. 4059 */ 4060 void 4061 channel_add_permission(struct ssh *ssh, int who, int where, 4062 char *host, int port) 4063 { 4064 int local = where == FORWARD_LOCAL; 4065 struct permission_set *pset = permission_set_get(ssh, where); 4066 4067 debug("allow %s forwarding to host %s port %d", 4068 fwd_ident(who, where), host, port); 4069 /* 4070 * Remote forwards set listen_host/port, local forwards set 4071 * host/port_to_connect. 4072 */ 4073 permission_set_add(ssh, who, where, 4074 local ? host : 0, local ? port : 0, 4075 local ? NULL : host, NULL, local ? 0 : port, NULL); 4076 pset->all_permitted = 0; 4077 } 4078 4079 /* 4080 * Administratively disable forwarding. 4081 */ 4082 void 4083 channel_disable_admin(struct ssh *ssh, int where) 4084 { 4085 channel_clear_permission(ssh, FORWARD_ADM, where); 4086 permission_set_add(ssh, FORWARD_ADM, where, 4087 NULL, 0, NULL, NULL, 0, NULL); 4088 } 4089 4090 /* 4091 * Clear a list of permitted opens. 4092 */ 4093 void 4094 channel_clear_permission(struct ssh *ssh, int who, int where) 4095 { 4096 struct permission **permp; 4097 u_int *npermp; 4098 4099 permission_set_get_array(ssh, who, where, &permp, &npermp); 4100 *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp)); 4101 *npermp = 0; 4102 } 4103 4104 /* 4105 * Update the listen port for a dynamic remote forward, after 4106 * the actual 'newport' has been allocated. If 'newport' < 0 is 4107 * passed then they entry will be invalidated. 4108 */ 4109 void 4110 channel_update_permission(struct ssh *ssh, int idx, int newport) 4111 { 4112 struct permission_set *pset = &ssh->chanctxt->local_perms; 4113 4114 if (idx < 0 || (u_int)idx >= pset->num_permitted_user) { 4115 debug("%s: index out of range: %d num_permitted_user %d", 4116 __func__, idx, pset->num_permitted_user); 4117 return; 4118 } 4119 debug("%s allowed port %d for forwarding to host %s port %d", 4120 newport > 0 ? "Updating" : "Removing", 4121 newport, 4122 pset->permitted_user[idx].host_to_connect, 4123 pset->permitted_user[idx].port_to_connect); 4124 if (newport <= 0) 4125 fwd_perm_clear(&pset->permitted_user[idx]); 4126 else { 4127 pset->permitted_user[idx].listen_port = 4128 (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport; 4129 } 4130 } 4131 4132 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */ 4133 int 4134 permitopen_port(const char *p) 4135 { 4136 int port; 4137 4138 if (strcmp(p, "*") == 0) 4139 return FWD_PERMIT_ANY_PORT; 4140 if ((port = a2port(p)) > 0) 4141 return port; 4142 return -1; 4143 } 4144 4145 /* Try to start non-blocking connect to next host in cctx list */ 4146 static int 4147 connect_next(struct channel_connect *cctx) 4148 { 4149 int sock, saved_errno; 4150 struct sockaddr_un *sunaddr; 4151 char ntop[NI_MAXHOST]; 4152 char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))]; 4153 4154 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) { 4155 switch (cctx->ai->ai_family) { 4156 case AF_UNIX: 4157 /* unix:pathname instead of host:port */ 4158 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr; 4159 strlcpy(ntop, "unix", sizeof(ntop)); 4160 strlcpy(strport, sunaddr->sun_path, sizeof(strport)); 4161 break; 4162 case AF_INET: 4163 case AF_INET6: 4164 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen, 4165 ntop, sizeof(ntop), strport, sizeof(strport), 4166 NI_NUMERICHOST|NI_NUMERICSERV) != 0) { 4167 error("connect_next: getnameinfo failed"); 4168 continue; 4169 } 4170 break; 4171 default: 4172 continue; 4173 } 4174 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype, 4175 cctx->ai->ai_protocol)) == -1) { 4176 if (cctx->ai->ai_next == NULL) 4177 error("socket: %.100s", strerror(errno)); 4178 else 4179 verbose("socket: %.100s", strerror(errno)); 4180 continue; 4181 } 4182 if (set_nonblock(sock) == -1) 4183 fatal("%s: set_nonblock(%d)", __func__, sock); 4184 if (connect(sock, cctx->ai->ai_addr, 4185 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) { 4186 debug("connect_next: host %.100s ([%.100s]:%s): " 4187 "%.100s", cctx->host, ntop, strport, 4188 strerror(errno)); 4189 saved_errno = errno; 4190 close(sock); 4191 errno = saved_errno; 4192 continue; /* fail -- try next */ 4193 } 4194 if (cctx->ai->ai_family != AF_UNIX) 4195 set_nodelay(sock); 4196 debug("connect_next: host %.100s ([%.100s]:%s) " 4197 "in progress, fd=%d", cctx->host, ntop, strport, sock); 4198 cctx->ai = cctx->ai->ai_next; 4199 return sock; 4200 } 4201 return -1; 4202 } 4203 4204 static void 4205 channel_connect_ctx_free(struct channel_connect *cctx) 4206 { 4207 free(cctx->host); 4208 if (cctx->aitop) { 4209 if (cctx->aitop->ai_family == AF_UNIX) 4210 free(cctx->aitop); 4211 else 4212 freeaddrinfo(cctx->aitop); 4213 } 4214 memset(cctx, 0, sizeof(*cctx)); 4215 } 4216 4217 /* 4218 * Return connecting socket to remote host:port or local socket path, 4219 * passing back the failure reason if appropriate. 4220 */ 4221 static int 4222 connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype, 4223 char *ctype, char *rname, struct channel_connect *cctx, 4224 int *reason, const char **errmsg) 4225 { 4226 struct addrinfo hints; 4227 int gaierr; 4228 int sock = -1; 4229 char strport[NI_MAXSERV]; 4230 4231 if (port == PORT_STREAMLOCAL) { 4232 struct sockaddr_un *sunaddr; 4233 struct addrinfo *ai; 4234 4235 if (strlen(name) > sizeof(sunaddr->sun_path)) { 4236 error("%.100s: %.100s", name, strerror(ENAMETOOLONG)); 4237 return -1; 4238 } 4239 4240 /* 4241 * Fake up a struct addrinfo for AF_UNIX connections. 4242 * channel_connect_ctx_free() must check ai_family 4243 * and use free() not freeaddirinfo() for AF_UNIX. 4244 */ 4245 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr)); 4246 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr)); 4247 ai->ai_addr = (struct sockaddr *)(ai + 1); 4248 ai->ai_addrlen = sizeof(*sunaddr); 4249 ai->ai_family = AF_UNIX; 4250 ai->ai_socktype = socktype; 4251 ai->ai_protocol = PF_UNSPEC; 4252 sunaddr = (struct sockaddr_un *)ai->ai_addr; 4253 sunaddr->sun_family = AF_UNIX; 4254 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path)); 4255 cctx->aitop = ai; 4256 } else { 4257 memset(&hints, 0, sizeof(hints)); 4258 hints.ai_family = ssh->chanctxt->IPv4or6; 4259 hints.ai_socktype = socktype; 4260 snprintf(strport, sizeof strport, "%d", port); 4261 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop)) 4262 != 0) { 4263 if (errmsg != NULL) 4264 *errmsg = ssh_gai_strerror(gaierr); 4265 if (reason != NULL) 4266 *reason = SSH2_OPEN_CONNECT_FAILED; 4267 error("connect_to %.100s: unknown host (%s)", name, 4268 ssh_gai_strerror(gaierr)); 4269 return -1; 4270 } 4271 } 4272 4273 cctx->host = xstrdup(name); 4274 cctx->port = port; 4275 cctx->ai = cctx->aitop; 4276 4277 if ((sock = connect_next(cctx)) == -1) { 4278 error("connect to %.100s port %d failed: %s", 4279 name, port, strerror(errno)); 4280 return -1; 4281 } 4282 4283 return sock; 4284 } 4285 4286 /* Return CONNECTING channel to remote host:port or local socket path */ 4287 static Channel * 4288 connect_to(struct ssh *ssh, const char *host, int port, 4289 char *ctype, char *rname) 4290 { 4291 struct channel_connect cctx; 4292 Channel *c; 4293 int sock; 4294 4295 memset(&cctx, 0, sizeof(cctx)); 4296 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, 4297 &cctx, NULL, NULL); 4298 if (sock == -1) { 4299 channel_connect_ctx_free(&cctx); 4300 return NULL; 4301 } 4302 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 4303 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4304 c->host_port = port; 4305 c->path = xstrdup(host); 4306 c->connect_ctx = cctx; 4307 4308 return c; 4309 } 4310 4311 /* 4312 * returns either the newly connected channel or the downstream channel 4313 * that needs to deal with this connection. 4314 */ 4315 Channel * 4316 channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host, 4317 u_short listen_port, char *ctype, char *rname) 4318 { 4319 struct ssh_channels *sc = ssh->chanctxt; 4320 struct permission_set *pset = &sc->local_perms; 4321 u_int i; 4322 struct permission *perm; 4323 4324 for (i = 0; i < pset->num_permitted_user; i++) { 4325 perm = &pset->permitted_user[i]; 4326 if (open_listen_match_tcpip(perm, 4327 listen_host, listen_port, 1)) { 4328 if (perm->downstream) 4329 return perm->downstream; 4330 if (perm->port_to_connect == 0) 4331 return rdynamic_connect_prepare(ssh, 4332 ctype, rname); 4333 return connect_to(ssh, 4334 perm->host_to_connect, perm->port_to_connect, 4335 ctype, rname); 4336 } 4337 } 4338 error("WARNING: Server requests forwarding for unknown listen_port %d", 4339 listen_port); 4340 return NULL; 4341 } 4342 4343 Channel * 4344 channel_connect_by_listen_path(struct ssh *ssh, const char *path, 4345 char *ctype, char *rname) 4346 { 4347 struct ssh_channels *sc = ssh->chanctxt; 4348 struct permission_set *pset = &sc->local_perms; 4349 u_int i; 4350 struct permission *perm; 4351 4352 for (i = 0; i < pset->num_permitted_user; i++) { 4353 perm = &pset->permitted_user[i]; 4354 if (open_listen_match_streamlocal(perm, path)) { 4355 return connect_to(ssh, 4356 perm->host_to_connect, perm->port_to_connect, 4357 ctype, rname); 4358 } 4359 } 4360 error("WARNING: Server requests forwarding for unknown path %.100s", 4361 path); 4362 return NULL; 4363 } 4364 4365 /* Check if connecting to that port is permitted and connect. */ 4366 Channel * 4367 channel_connect_to_port(struct ssh *ssh, const char *host, u_short port, 4368 char *ctype, char *rname, int *reason, const char **errmsg) 4369 { 4370 struct ssh_channels *sc = ssh->chanctxt; 4371 struct permission_set *pset = &sc->local_perms; 4372 struct channel_connect cctx; 4373 Channel *c; 4374 u_int i, permit, permit_adm = 1; 4375 int sock; 4376 struct permission *perm; 4377 4378 permit = pset->all_permitted; 4379 if (!permit) { 4380 for (i = 0; i < pset->num_permitted_user; i++) { 4381 perm = &pset->permitted_user[i]; 4382 if (open_match(perm, host, port)) { 4383 permit = 1; 4384 break; 4385 } 4386 } 4387 } 4388 4389 if (pset->num_permitted_admin > 0) { 4390 permit_adm = 0; 4391 for (i = 0; i < pset->num_permitted_admin; i++) { 4392 perm = &pset->permitted_admin[i]; 4393 if (open_match(perm, host, port)) { 4394 permit_adm = 1; 4395 break; 4396 } 4397 } 4398 } 4399 4400 if (!permit || !permit_adm) { 4401 logit("Received request to connect to host %.100s port %d, " 4402 "but the request was denied.", host, port); 4403 if (reason != NULL) 4404 *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED; 4405 return NULL; 4406 } 4407 4408 memset(&cctx, 0, sizeof(cctx)); 4409 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname, 4410 &cctx, reason, errmsg); 4411 if (sock == -1) { 4412 channel_connect_ctx_free(&cctx); 4413 return NULL; 4414 } 4415 4416 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1, 4417 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4418 c->host_port = port; 4419 c->path = xstrdup(host); 4420 c->connect_ctx = cctx; 4421 4422 return c; 4423 } 4424 4425 /* Check if connecting to that path is permitted and connect. */ 4426 Channel * 4427 channel_connect_to_path(struct ssh *ssh, const char *path, 4428 char *ctype, char *rname) 4429 { 4430 struct ssh_channels *sc = ssh->chanctxt; 4431 struct permission_set *pset = &sc->local_perms; 4432 u_int i, permit, permit_adm = 1; 4433 struct permission *perm; 4434 4435 permit = pset->all_permitted; 4436 if (!permit) { 4437 for (i = 0; i < pset->num_permitted_user; i++) { 4438 perm = &pset->permitted_user[i]; 4439 if (open_match(perm, path, PORT_STREAMLOCAL)) { 4440 permit = 1; 4441 break; 4442 } 4443 } 4444 } 4445 4446 if (pset->num_permitted_admin > 0) { 4447 permit_adm = 0; 4448 for (i = 0; i < pset->num_permitted_admin; i++) { 4449 perm = &pset->permitted_admin[i]; 4450 if (open_match(perm, path, PORT_STREAMLOCAL)) { 4451 permit_adm = 1; 4452 break; 4453 } 4454 } 4455 } 4456 4457 if (!permit || !permit_adm) { 4458 logit("Received request to connect to path %.100s, " 4459 "but the request was denied.", path); 4460 return NULL; 4461 } 4462 return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname); 4463 } 4464 4465 void 4466 channel_send_window_changes(struct ssh *ssh) 4467 { 4468 struct ssh_channels *sc = ssh->chanctxt; 4469 struct winsize ws; 4470 int r; 4471 u_int i; 4472 4473 for (i = 0; i < sc->channels_alloc; i++) { 4474 if (sc->channels[i] == NULL || !sc->channels[i]->client_tty || 4475 sc->channels[i]->type != SSH_CHANNEL_OPEN) 4476 continue; 4477 if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) < 0) 4478 continue; 4479 channel_request_start(ssh, i, "window-change", 0); 4480 if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 || 4481 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 || 4482 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 || 4483 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 || 4484 (r = sshpkt_send(ssh)) != 0) 4485 fatal("%s: channel %u: send window-change: %s", 4486 __func__, i, ssh_err(r)); 4487 } 4488 } 4489 4490 /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */ 4491 static Channel * 4492 rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname) 4493 { 4494 Channel *c; 4495 int r; 4496 4497 c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1, 4498 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1); 4499 c->host_port = 0; 4500 c->path = NULL; 4501 4502 /* 4503 * We need to open the channel before we have a FD, 4504 * so that we can get SOCKS header from peer. 4505 */ 4506 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 || 4507 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 || 4508 (r = sshpkt_put_u32(ssh, c->self)) != 0 || 4509 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 || 4510 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) { 4511 fatal("%s: channel %i: confirm: %s", __func__, 4512 c->self, ssh_err(r)); 4513 } 4514 return c; 4515 } 4516 4517 /* Return CONNECTING socket to remote host:port or local socket path */ 4518 static int 4519 rdynamic_connect_finish(struct ssh *ssh, Channel *c) 4520 { 4521 struct channel_connect cctx; 4522 int sock; 4523 4524 memset(&cctx, 0, sizeof(cctx)); 4525 sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL, 4526 NULL, &cctx, NULL, NULL); 4527 if (sock == -1) 4528 channel_connect_ctx_free(&cctx); 4529 else { 4530 /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */ 4531 c->type = SSH_CHANNEL_RDYNAMIC_FINISH; 4532 c->connect_ctx = cctx; 4533 channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0); 4534 } 4535 return sock; 4536 } 4537 4538 /* -- X11 forwarding */ 4539 4540 /* 4541 * Creates an internet domain socket for listening for X11 connections. 4542 * Returns 0 and a suitable display number for the DISPLAY variable 4543 * stored in display_numberp , or -1 if an error occurs. 4544 */ 4545 int 4546 x11_create_display_inet(struct ssh *ssh, int x11_display_offset, 4547 int x11_use_localhost, int single_connection, 4548 u_int *display_numberp, int **chanids) 4549 { 4550 Channel *nc = NULL; 4551 int display_number, sock; 4552 u_short port; 4553 struct addrinfo hints, *ai, *aitop; 4554 char strport[NI_MAXSERV]; 4555 int gaierr, n, num_socks = 0, socks[NUM_SOCKS]; 4556 4557 if (chanids == NULL) 4558 return -1; 4559 4560 for (display_number = x11_display_offset; 4561 display_number < MAX_DISPLAYS; 4562 display_number++) { 4563 port = 6000 + display_number; 4564 memset(&hints, 0, sizeof(hints)); 4565 hints.ai_family = ssh->chanctxt->IPv4or6; 4566 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE; 4567 hints.ai_socktype = SOCK_STREAM; 4568 snprintf(strport, sizeof strport, "%d", port); 4569 if ((gaierr = getaddrinfo(NULL, strport, 4570 &hints, &aitop)) != 0) { 4571 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr)); 4572 return -1; 4573 } 4574 for (ai = aitop; ai; ai = ai->ai_next) { 4575 if (ai->ai_family != AF_INET && 4576 ai->ai_family != AF_INET6) 4577 continue; 4578 sock = socket(ai->ai_family, ai->ai_socktype, 4579 ai->ai_protocol); 4580 if (sock < 0) { 4581 if ((errno != EINVAL) && (errno != EAFNOSUPPORT) 4582 #ifdef EPFNOSUPPORT 4583 && (errno != EPFNOSUPPORT) 4584 #endif 4585 ) { 4586 error("socket: %.100s", strerror(errno)); 4587 freeaddrinfo(aitop); 4588 return -1; 4589 } else { 4590 debug("x11_create_display_inet: Socket family %d not supported", 4591 ai->ai_family); 4592 continue; 4593 } 4594 } 4595 if (ai->ai_family == AF_INET6) 4596 sock_set_v6only(sock); 4597 if (x11_use_localhost) 4598 set_reuseaddr(sock); 4599 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 4600 debug2("%s: bind port %d: %.100s", __func__, 4601 port, strerror(errno)); 4602 close(sock); 4603 for (n = 0; n < num_socks; n++) 4604 close(socks[n]); 4605 num_socks = 0; 4606 break; 4607 } 4608 socks[num_socks++] = sock; 4609 if (num_socks == NUM_SOCKS) 4610 break; 4611 } 4612 freeaddrinfo(aitop); 4613 if (num_socks > 0) 4614 break; 4615 } 4616 if (display_number >= MAX_DISPLAYS) { 4617 error("Failed to allocate internet-domain X11 display socket."); 4618 return -1; 4619 } 4620 /* Start listening for connections on the socket. */ 4621 for (n = 0; n < num_socks; n++) { 4622 sock = socks[n]; 4623 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { 4624 error("listen: %.100s", strerror(errno)); 4625 close(sock); 4626 return -1; 4627 } 4628 } 4629 4630 /* Allocate a channel for each socket. */ 4631 *chanids = xcalloc(num_socks + 1, sizeof(**chanids)); 4632 for (n = 0; n < num_socks; n++) { 4633 sock = socks[n]; 4634 nc = channel_new(ssh, "x11 listener", 4635 SSH_CHANNEL_X11_LISTENER, sock, sock, -1, 4636 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 4637 0, "X11 inet listener", 1); 4638 nc->single_connection = single_connection; 4639 (*chanids)[n] = nc->self; 4640 } 4641 (*chanids)[n] = -1; 4642 4643 /* Return the display number for the DISPLAY environment variable. */ 4644 *display_numberp = display_number; 4645 return 0; 4646 } 4647 4648 static int 4649 connect_local_xsocket_path(const char *pathname) 4650 { 4651 int sock; 4652 struct sockaddr_un addr; 4653 4654 sock = socket(AF_UNIX, SOCK_STREAM, 0); 4655 if (sock < 0) 4656 error("socket: %.100s", strerror(errno)); 4657 memset(&addr, 0, sizeof(addr)); 4658 addr.sun_family = AF_UNIX; 4659 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path); 4660 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0) 4661 return sock; 4662 close(sock); 4663 error("connect %.100s: %.100s", addr.sun_path, strerror(errno)); 4664 return -1; 4665 } 4666 4667 static int 4668 connect_local_xsocket(u_int dnr) 4669 { 4670 char buf[1024]; 4671 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr); 4672 return connect_local_xsocket_path(buf); 4673 } 4674 4675 #ifdef __APPLE__ 4676 static int 4677 is_path_to_xsocket(const char *display, char *path, size_t pathlen) 4678 { 4679 struct stat sbuf; 4680 4681 if (strlcpy(path, display, pathlen) >= pathlen) { 4682 error("%s: display path too long", __func__); 4683 return 0; 4684 } 4685 if (display[0] != '/') 4686 return 0; 4687 if (stat(path, &sbuf) == 0) { 4688 return 1; 4689 } else { 4690 char *dot = strrchr(path, '.'); 4691 if (dot != NULL) { 4692 *dot = '\0'; 4693 if (stat(path, &sbuf) == 0) { 4694 return 1; 4695 } 4696 } 4697 } 4698 return 0; 4699 } 4700 #endif 4701 4702 int 4703 x11_connect_display(struct ssh *ssh) 4704 { 4705 u_int display_number; 4706 const char *display; 4707 char buf[1024], *cp; 4708 struct addrinfo hints, *ai, *aitop; 4709 char strport[NI_MAXSERV]; 4710 int gaierr, sock = 0; 4711 4712 /* Try to open a socket for the local X server. */ 4713 display = getenv("DISPLAY"); 4714 if (!display) { 4715 error("DISPLAY not set."); 4716 return -1; 4717 } 4718 /* 4719 * Now we decode the value of the DISPLAY variable and make a 4720 * connection to the real X server. 4721 */ 4722 4723 #ifdef __APPLE__ 4724 /* Check if display is a path to a socket (as set by launchd). */ 4725 { 4726 char path[PATH_MAX]; 4727 4728 if (is_path_to_xsocket(display, path, sizeof(path))) { 4729 debug("x11_connect_display: $DISPLAY is launchd"); 4730 4731 /* Create a socket. */ 4732 sock = connect_local_xsocket_path(path); 4733 if (sock < 0) 4734 return -1; 4735 4736 /* OK, we now have a connection to the display. */ 4737 return sock; 4738 } 4739 } 4740 #endif 4741 /* 4742 * Check if it is a unix domain socket. Unix domain displays are in 4743 * one of the following formats: unix:d[.s], :d[.s], ::d[.s] 4744 */ 4745 if (strncmp(display, "unix:", 5) == 0 || 4746 display[0] == ':') { 4747 /* Connect to the unix domain socket. */ 4748 if (sscanf(strrchr(display, ':') + 1, "%u", 4749 &display_number) != 1) { 4750 error("Could not parse display number from DISPLAY: " 4751 "%.100s", display); 4752 return -1; 4753 } 4754 /* Create a socket. */ 4755 sock = connect_local_xsocket(display_number); 4756 if (sock < 0) 4757 return -1; 4758 4759 /* OK, we now have a connection to the display. */ 4760 return sock; 4761 } 4762 /* 4763 * Connect to an inet socket. The DISPLAY value is supposedly 4764 * hostname:d[.s], where hostname may also be numeric IP address. 4765 */ 4766 strlcpy(buf, display, sizeof(buf)); 4767 cp = strchr(buf, ':'); 4768 if (!cp) { 4769 error("Could not find ':' in DISPLAY: %.100s", display); 4770 return -1; 4771 } 4772 *cp = 0; 4773 /* 4774 * buf now contains the host name. But first we parse the 4775 * display number. 4776 */ 4777 if (sscanf(cp + 1, "%u", &display_number) != 1) { 4778 error("Could not parse display number from DISPLAY: %.100s", 4779 display); 4780 return -1; 4781 } 4782 4783 /* Look up the host address */ 4784 memset(&hints, 0, sizeof(hints)); 4785 hints.ai_family = ssh->chanctxt->IPv4or6; 4786 hints.ai_socktype = SOCK_STREAM; 4787 snprintf(strport, sizeof strport, "%u", 6000 + display_number); 4788 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) { 4789 error("%.100s: unknown host. (%s)", buf, 4790 ssh_gai_strerror(gaierr)); 4791 return -1; 4792 } 4793 for (ai = aitop; ai; ai = ai->ai_next) { 4794 /* Create a socket. */ 4795 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); 4796 if (sock < 0) { 4797 debug2("socket: %.100s", strerror(errno)); 4798 continue; 4799 } 4800 /* Connect it to the display. */ 4801 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { 4802 debug2("connect %.100s port %u: %.100s", buf, 4803 6000 + display_number, strerror(errno)); 4804 close(sock); 4805 continue; 4806 } 4807 /* Success */ 4808 break; 4809 } 4810 freeaddrinfo(aitop); 4811 if (!ai) { 4812 error("connect %.100s port %u: %.100s", buf, 4813 6000 + display_number, strerror(errno)); 4814 return -1; 4815 } 4816 set_nodelay(sock); 4817 return sock; 4818 } 4819 4820 /* 4821 * Requests forwarding of X11 connections, generates fake authentication 4822 * data, and enables authentication spoofing. 4823 * This should be called in the client only. 4824 */ 4825 void 4826 x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id, 4827 const char *disp, const char *proto, const char *data, int want_reply) 4828 { 4829 struct ssh_channels *sc = ssh->chanctxt; 4830 u_int data_len = (u_int) strlen(data) / 2; 4831 u_int i, value; 4832 const char *cp; 4833 char *new_data; 4834 int r, screen_number; 4835 4836 if (sc->x11_saved_display == NULL) 4837 sc->x11_saved_display = xstrdup(disp); 4838 else if (strcmp(disp, sc->x11_saved_display) != 0) { 4839 error("x11_request_forwarding_with_spoofing: different " 4840 "$DISPLAY already forwarded"); 4841 return; 4842 } 4843 4844 cp = strchr(disp, ':'); 4845 if (cp) 4846 cp = strchr(cp, '.'); 4847 if (cp) 4848 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL); 4849 else 4850 screen_number = 0; 4851 4852 if (sc->x11_saved_proto == NULL) { 4853 /* Save protocol name. */ 4854 sc->x11_saved_proto = xstrdup(proto); 4855 4856 /* Extract real authentication data. */ 4857 sc->x11_saved_data = xmalloc(data_len); 4858 for (i = 0; i < data_len; i++) { 4859 if (sscanf(data + 2 * i, "%2x", &value) != 1) 4860 fatal("x11_request_forwarding: bad " 4861 "authentication data: %.100s", data); 4862 sc->x11_saved_data[i] = value; 4863 } 4864 sc->x11_saved_data_len = data_len; 4865 4866 /* Generate fake data of the same length. */ 4867 sc->x11_fake_data = xmalloc(data_len); 4868 arc4random_buf(sc->x11_fake_data, data_len); 4869 sc->x11_fake_data_len = data_len; 4870 } 4871 4872 /* Convert the fake data into hex. */ 4873 new_data = tohex(sc->x11_fake_data, data_len); 4874 4875 /* Send the request packet. */ 4876 channel_request_start(ssh, client_session_id, "x11-req", want_reply); 4877 if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */ 4878 (r = sshpkt_put_cstring(ssh, proto)) != 0 || 4879 (r = sshpkt_put_cstring(ssh, new_data)) != 0 || 4880 (r = sshpkt_put_u32(ssh, screen_number)) != 0 || 4881 (r = sshpkt_send(ssh)) != 0 || 4882 (r = ssh_packet_write_wait(ssh)) != 0) 4883 fatal("%s: send x11-req: %s", __func__, ssh_err(r)); 4884 free(new_data); 4885 } 4886