]> andersk Git - openssh.git/blame - channels.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- More large OpenBSD CVS updates:
[openssh.git] / channels.c
CommitLineData
8efc0c15 1/*
5260325f 2 *
3 * channels.c
4 *
5 * Author: Tatu Ylonen <ylo@cs.hut.fi>
6 *
7 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
8 * All rights reserved
9 *
10 * Created: Fri Mar 24 16:35:24 1995 ylo
11 *
12 * This file contains functions for generic socket connection forwarding.
13 * There is also code for initiating connection forwarding for X11 connections,
14 * arbitrary tcp/ip connections, and the authentication agent connection.
15 *
7e7327a1 16 * SSH2 support added by Markus Friedl.
5260325f 17 */
8efc0c15 18
19#include "includes.h"
20RCSID("$Id$");
21
22#include "ssh.h"
23#include "packet.h"
24#include "xmalloc.h"
25#include "buffer.h"
26#include "authfd.h"
27#include "uidswap.h"
6fa724bc 28#include "readconf.h"
8efc0c15 29#include "servconf.h"
30
31#include "channels.h"
32#include "nchan.h"
33#include "compat.h"
34
7e7327a1 35#include "ssh2.h"
36
8efc0c15 37/* Maximum number of fake X11 displays to try. */
38#define MAX_DISPLAYS 1000
39
40/* Max len of agent socket */
41#define MAX_SOCKET_NAME 100
42
7368a6c8 43/* default buffer for tcp-fwd-channel */
44#define CHAN_WINDOW_DEFAULT (8*1024)
45#define CHAN_PACKET_DEFAULT (CHAN_WINDOW_DEFAULT/2)
46
aa3378df 47/*
48 * Pointer to an array containing all allocated channels. The array is
49 * dynamically extended as needed.
50 */
8efc0c15 51static Channel *channels = NULL;
52
aa3378df 53/*
54 * Size of the channel array. All slots of the array must always be
55 * initialized (at least the type field); unused slots are marked with type
56 * SSH_CHANNEL_FREE.
57 */
8efc0c15 58static int channels_alloc = 0;
59
aa3378df 60/*
61 * Maximum file descriptor value used in any of the channels. This is
62 * updated in channel_allocate.
63 */
8efc0c15 64static int channel_max_fd_value = 0;
65
66/* Name and directory of socket for authentication agent forwarding. */
67static char *channel_forwarded_auth_socket_name = NULL;
5260325f 68static char *channel_forwarded_auth_socket_dir = NULL;
8efc0c15 69
70/* Saved X11 authentication protocol name. */
71char *x11_saved_proto = NULL;
72
73/* Saved X11 authentication data. This is the real data. */
74char *x11_saved_data = NULL;
75unsigned int x11_saved_data_len = 0;
76
aa3378df 77/*
78 * Fake X11 authentication data. This is what the server will be sending us;
79 * we should replace any occurrences of this by the real data.
80 */
8efc0c15 81char *x11_fake_data = NULL;
82unsigned int x11_fake_data_len;
83
aa3378df 84/*
85 * Data structure for storing which hosts are permitted for forward requests.
86 * The local sides of any remote forwards are stored in this array to prevent
87 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
88 * network (which might be behind a firewall).
89 */
5260325f 90typedef struct {
7368a6c8 91 char *host_to_connect; /* Connect to 'host'. */
92 u_short port_to_connect; /* Connect to 'port'. */
93 u_short listen_port; /* Remote side should listen port number. */
8efc0c15 94} ForwardPermission;
95
96/* List of all permitted host/port pairs to connect. */
97static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
98/* Number of permitted host/port pairs in the array. */
99static int num_permitted_opens = 0;
aa3378df 100/*
101 * If this is true, all opens are permitted. This is the case on the server
102 * on which we have to trust the client anyway, and the user could do
103 * anything after logging in anyway.
104 */
8efc0c15 105static int all_opens_permitted = 0;
106
107/* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
108static int have_hostname_in_open = 0;
109
110/* Sets specific protocol options. */
111
5260325f 112void
113channel_set_options(int hostname_in_open)
8efc0c15 114{
5260325f 115 have_hostname_in_open = hostname_in_open;
8efc0c15 116}
117
aa3378df 118/*
119 * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually
120 * called by the server, because the user could connect to any port anyway,
121 * and the server has no way to know but to trust the client anyway.
122 */
8efc0c15 123
5260325f 124void
125channel_permit_all_opens()
8efc0c15 126{
5260325f 127 all_opens_permitted = 1;
8efc0c15 128}
129
7368a6c8 130/* lookup channel by id */
131
132Channel *
133channel_lookup(int id)
134{
135 Channel *c;
136 if (id < 0 && id > channels_alloc) {
137 log("channel_lookup: %d: bad id", id);
138 return NULL;
139 }
140 c = &channels[id];
141 if (c->type == SSH_CHANNEL_FREE) {
142 log("channel_lookup: %d: bad id: channel free", id);
143 return NULL;
144 }
145 return c;
146}
147
aa3378df 148/*
149 * Allocate a new channel object and set its type and socket. This will cause
150 * remote_name to be freed.
151 */
8efc0c15 152
5260325f 153int
7368a6c8 154channel_new(char *ctype, int type, int rfd, int wfd, int efd,
155 int window, int maxpack, int extended_usage, char *remote_name)
8efc0c15 156{
5260325f 157 int i, found;
158 Channel *c;
159
160 /* Update the maximum file descriptor value. */
7368a6c8 161 if (rfd > channel_max_fd_value)
162 channel_max_fd_value = rfd;
163 if (wfd > channel_max_fd_value)
164 channel_max_fd_value = wfd;
165 if (efd > channel_max_fd_value)
166 channel_max_fd_value = efd;
aa3378df 167 /* XXX set close-on-exec -markus */
5260325f 168
169 /* Do initial allocation if this is the first call. */
170 if (channels_alloc == 0) {
7e7327a1 171 chan_init();
5260325f 172 channels_alloc = 10;
173 channels = xmalloc(channels_alloc * sizeof(Channel));
174 for (i = 0; i < channels_alloc; i++)
175 channels[i].type = SSH_CHANNEL_FREE;
aa3378df 176 /*
177 * Kludge: arrange a call to channel_stop_listening if we
178 * terminate with fatal().
179 */
5260325f 180 fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL);
181 }
182 /* Try to find a free slot where to put the new channel. */
183 for (found = -1, i = 0; i < channels_alloc; i++)
184 if (channels[i].type == SSH_CHANNEL_FREE) {
185 /* Found a free slot. */
186 found = i;
187 break;
188 }
189 if (found == -1) {
aa3378df 190 /* There are no free slots. Take last+1 slot and expand the array. */
5260325f 191 found = channels_alloc;
192 channels_alloc += 10;
193 debug("channel: expanding %d", channels_alloc);
194 channels = xrealloc(channels, channels_alloc * sizeof(Channel));
195 for (i = found; i < channels_alloc; i++)
196 channels[i].type = SSH_CHANNEL_FREE;
197 }
198 /* Initialize and return new channel number. */
199 c = &channels[found];
200 buffer_init(&c->input);
201 buffer_init(&c->output);
7368a6c8 202 buffer_init(&c->extended);
5260325f 203 chan_init_iostates(c);
204 c->self = found;
205 c->type = type;
7368a6c8 206 c->ctype = ctype;
207 c->local_window = window;
208 c->local_window_max = window;
209 c->local_consumed = 0;
210 c->local_maxpacket = maxpack;
211 c->remote_window = 0;
212 c->remote_maxpacket = 0;
213 c->rfd = rfd;
214 c->wfd = wfd;
215 c->sock = (rfd == wfd) ? rfd : -1;
216 c->efd = efd;
217 c->extended_usage = extended_usage;
5260325f 218 c->remote_id = -1;
219 c->remote_name = remote_name;
7368a6c8 220 c->remote_window = 0;
221 c->remote_maxpacket = 0;
222 c->cb_fn = NULL;
223 c->cb_arg = NULL;
224 c->cb_event = 0;
225 c->dettach_user = NULL;
5260325f 226 debug("channel %d: new [%s]", found, remote_name);
227 return found;
8efc0c15 228}
7368a6c8 229int
230channel_allocate(int type, int sock, char *remote_name)
231{
232 return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
233}
8efc0c15 234
235/* Free the channel and close its socket. */
236
5260325f 237void
7368a6c8 238channel_free(int id)
8efc0c15 239{
7368a6c8 240 Channel *c = channel_lookup(id);
241 if (c == NULL)
242 packet_disconnect("channel free: bad local channel %d", id);
243 debug("channel_free: channel %d: status: %s", id, channel_open_message());
7e7327a1 244 if (c->dettach_user != NULL) {
245 debug("channel_free: channel %d: dettaching channel user", id);
246 c->dettach_user(c->self, NULL);
247 }
7368a6c8 248 if (c->sock != -1) {
249 shutdown(c->sock, SHUT_RDWR);
250 close(c->sock);
7e7327a1 251 c->sock = -1;
252 }
253 if (compat20) {
254 if (c->rfd != -1) {
255 close(c->rfd);
256 c->rfd = -1;
257 }
258 if (c->wfd != -1) {
259 close(c->wfd);
260 c->wfd = -1;
261 }
262 if (c->efd != -1) {
263 close(c->efd);
264 c->efd = -1;
265 }
7368a6c8 266 }
267 buffer_free(&c->input);
268 buffer_free(&c->output);
269 buffer_free(&c->extended);
270 c->type = SSH_CHANNEL_FREE;
271 if (c->remote_name) {
272 xfree(c->remote_name);
273 c->remote_name = NULL;
5260325f 274 }
8efc0c15 275}
276
aa3378df 277/*
7368a6c8 278 * 'channel_pre*' are called just before select() to add any bits relevant to
279 * channels in the select bitmasks.
aa3378df 280 */
7368a6c8 281/*
282 * 'channel_post*': perform any appropriate operations for channels which
283 * have events pending.
284 */
285typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
286chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
287chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
8efc0c15 288
7368a6c8 289void
290channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
8efc0c15 291{
7368a6c8 292 FD_SET(c->sock, readset);
293}
5260325f 294
7368a6c8 295void
296channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
297{
298 if (buffer_len(&c->input) < packet_get_maxsize())
299 FD_SET(c->sock, readset);
300 if (buffer_len(&c->output) > 0)
301 FD_SET(c->sock, writeset);
302}
5260325f 303
7368a6c8 304void
305channel_pre_open_15(Channel *c, fd_set * readset, fd_set * writeset)
306{
307 /* test whether sockets are 'alive' for read/write */
308 if (c->istate == CHAN_INPUT_OPEN)
309 if (buffer_len(&c->input) < packet_get_maxsize())
310 FD_SET(c->sock, readset);
311 if (c->ostate == CHAN_OUTPUT_OPEN ||
312 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
313 if (buffer_len(&c->output) > 0) {
314 FD_SET(c->sock, writeset);
315 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
316 chan_obuf_empty(c);
317 }
318 }
319}
5260325f 320
7e7327a1 321void
322channel_pre_open_20(Channel *c, fd_set * readset, fd_set * writeset)
323{
324 if (c->istate == CHAN_INPUT_OPEN &&
325 c->remote_window > 0 &&
326 buffer_len(&c->input) < c->remote_window)
327 FD_SET(c->rfd, readset);
328 if (c->ostate == CHAN_OUTPUT_OPEN ||
329 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
330 if (buffer_len(&c->output) > 0) {
331 FD_SET(c->wfd, writeset);
332 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
333 chan_obuf_empty(c);
334 }
335 }
336 /** XXX check close conditions, too */
337 if (c->efd != -1) {
338 if (c->extended_usage == CHAN_EXTENDED_WRITE &&
339 buffer_len(&c->extended) > 0)
340 FD_SET(c->efd, writeset);
341 else if (c->extended_usage == CHAN_EXTENDED_READ &&
342 buffer_len(&c->extended) < c->remote_window)
343 FD_SET(c->efd, readset);
344 }
345}
346
7368a6c8 347void
348channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
349{
350 if (buffer_len(&c->input) == 0) {
351 packet_start(SSH_MSG_CHANNEL_CLOSE);
352 packet_put_int(c->remote_id);
353 packet_send();
354 c->type = SSH_CHANNEL_CLOSED;
355 debug("Closing channel %d after input drain.", c->self);
356 }
357}
5260325f 358
7368a6c8 359void
360channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
361{
362 if (buffer_len(&c->output) == 0)
363 channel_free(c->self);
364 else
365 FD_SET(c->sock, writeset);
366}
5260325f 367
7368a6c8 368/*
369 * This is a special state for X11 authentication spoofing. An opened X11
370 * connection (when authentication spoofing is being done) remains in this
371 * state until the first packet has been completely read. The authentication
372 * data in that packet is then substituted by the real data if it matches the
373 * fake data, and the channel is put into normal mode.
374 */
375int
376x11_open_helper(Channel *c)
377{
378 unsigned char *ucp;
379 unsigned int proto_len, data_len;
5260325f 380
7368a6c8 381 /* Check if the fixed size part of the packet is in buffer. */
382 if (buffer_len(&c->output) < 12)
383 return 0;
384
385 /* Parse the lengths of variable-length fields. */
386 ucp = (unsigned char *) buffer_ptr(&c->output);
387 if (ucp[0] == 0x42) { /* Byte order MSB first. */
388 proto_len = 256 * ucp[6] + ucp[7];
389 data_len = 256 * ucp[8] + ucp[9];
390 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
391 proto_len = ucp[6] + 256 * ucp[7];
392 data_len = ucp[8] + 256 * ucp[9];
393 } else {
394 debug("Initial X11 packet contains bad byte order byte: 0x%x",
395 ucp[0]);
396 return -1;
397 }
5260325f 398
7368a6c8 399 /* Check if the whole packet is in buffer. */
400 if (buffer_len(&c->output) <
401 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
402 return 0;
5260325f 403
7368a6c8 404 /* Check if authentication protocol matches. */
405 if (proto_len != strlen(x11_saved_proto) ||
406 memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
407 debug("X11 connection uses different authentication protocol.");
408 return -1;
409 }
410 /* Check if authentication data matches our fake data. */
411 if (data_len != x11_fake_data_len ||
412 memcmp(ucp + 12 + ((proto_len + 3) & ~3),
413 x11_fake_data, x11_fake_data_len) != 0) {
414 debug("X11 auth data does not match fake data.");
415 return -1;
416 }
417 /* Check fake data length */
418 if (x11_fake_data_len != x11_saved_data_len) {
419 error("X11 fake_data_len %d != saved_data_len %d",
420 x11_fake_data_len, x11_saved_data_len);
421 return -1;
422 }
423 /*
424 * Received authentication protocol and data match
425 * our fake data. Substitute the fake data with real
426 * data.
427 */
428 memcpy(ucp + 12 + ((proto_len + 3) & ~3),
429 x11_saved_data, x11_saved_data_len);
430 return 1;
431}
5260325f 432
7368a6c8 433void
434channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
435{
436 int ret = x11_open_helper(c);
437 if (ret == 1) {
438 /* Start normal processing for the channel. */
439 c->type = SSH_CHANNEL_OPEN;
440 } else if (ret == -1) {
441 /*
442 * We have received an X11 connection that has bad
443 * authentication information.
444 */
445 log("X11 connection rejected because of wrong authentication.\r\n");
446 buffer_clear(&c->input);
447 buffer_clear(&c->output);
448 close(c->sock);
449 c->sock = -1;
450 c->type = SSH_CHANNEL_CLOSED;
451 packet_start(SSH_MSG_CHANNEL_CLOSE);
452 packet_put_int(c->remote_id);
453 packet_send();
454 }
455}
5260325f 456
7368a6c8 457void
458channel_pre_x11_open_15(Channel *c, fd_set * readset, fd_set * writeset)
459{
460 int ret = x11_open_helper(c);
461 if (ret == 1) {
462 c->type = SSH_CHANNEL_OPEN;
463 } else if (ret == -1) {
464 debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
465 chan_read_failed(c);
466 chan_write_failed(c);
467 debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
468 }
469}
5260325f 470
7368a6c8 471/* This is our fake X11 server socket. */
472void
473channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
474{
475 struct sockaddr addr;
476 int newsock, newch;
477 socklen_t addrlen;
478 char buf[16384], *remote_hostname;
479
480 if (FD_ISSET(c->sock, readset)) {
481 debug("X11 connection requested.");
482 addrlen = sizeof(addr);
483 newsock = accept(c->sock, &addr, &addrlen);
484 if (newsock < 0) {
485 error("accept: %.100s", strerror(errno));
486 return;
5260325f 487 }
7368a6c8 488 remote_hostname = get_remote_hostname(newsock);
489 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
490 remote_hostname, get_peer_port(newsock));
491 xfree(remote_hostname);
492 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
493 xstrdup(buf));
494 packet_start(SSH_SMSG_X11_OPEN);
495 packet_put_int(newch);
496 if (have_hostname_in_open)
497 packet_put_string(buf, strlen(buf));
498 packet_send();
8efc0c15 499 }
8efc0c15 500}
501
aa3378df 502/*
7368a6c8 503 * This socket is listening for connections to a forwarded TCP/IP port.
aa3378df 504 */
7368a6c8 505void
506channel_post_port_listener(Channel *c, fd_set * readset, fd_set * writeset)
507{
508 struct sockaddr addr;
509 int newsock, newch;
510 socklen_t addrlen;
511 char buf[1024], *remote_hostname;
512 int remote_port;
513
514 if (FD_ISSET(c->sock, readset)) {
515 debug("Connection to port %d forwarding "
516 "to %.100s port %d requested.",
517 c->listening_port, c->path, c->host_port);
518 addrlen = sizeof(addr);
519 newsock = accept(c->sock, &addr, &addrlen);
520 if (newsock < 0) {
521 error("accept: %.100s", strerror(errno));
522 return;
523 }
524 remote_hostname = get_remote_hostname(newsock);
525 remote_port = get_peer_port(newsock);
526 snprintf(buf, sizeof buf,
527 "listen port %d for %.100s port %d, "
528 "connect from %.200s port %d",
529 c->listening_port, c->path, c->host_port,
530 remote_hostname, remote_port);
531 newch = channel_new("direct-tcpip",
532 SSH_CHANNEL_OPENING, newsock, newsock, -1,
533 c->local_window_max, c->local_maxpacket,
534 0, xstrdup(buf));
7e7327a1 535 if (compat20) {
536 packet_start(SSH2_MSG_CHANNEL_OPEN);
537 packet_put_cstring("direct-tcpip");
538 packet_put_int(newch);
539 packet_put_int(c->local_window_max);
540 packet_put_int(c->local_maxpacket);
541 packet_put_string(c->path, strlen(c->path));
542 packet_put_int(c->host_port);
543 packet_put_cstring(remote_hostname);
544 packet_put_int(remote_port);
545 packet_send();
546 } else {
547 packet_start(SSH_MSG_PORT_OPEN);
548 packet_put_int(newch);
549 packet_put_string(c->path, strlen(c->path));
550 packet_put_int(c->host_port);
551 if (have_hostname_in_open) {
552 packet_put_string(buf, strlen(buf));
553 }
554 packet_send();
7368a6c8 555 }
7368a6c8 556 xfree(remote_hostname);
557 }
558}
8efc0c15 559
7368a6c8 560/*
561 * This is the authentication agent socket listening for connections from
562 * clients.
563 */
564void
565channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
8efc0c15 566{
5260325f 567 struct sockaddr addr;
7368a6c8 568 int newsock, newch;
48e671d5 569 socklen_t addrlen;
5260325f 570
7368a6c8 571 if (FD_ISSET(c->sock, readset)) {
572 addrlen = sizeof(addr);
573 newsock = accept(c->sock, &addr, &addrlen);
574 if (newsock < 0) {
575 error("accept from auth socket: %.100s", strerror(errno));
576 return;
577 }
578 newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
579 xstrdup("accepted auth socket"));
580 packet_start(SSH_SMSG_AGENT_OPEN);
581 packet_put_int(newch);
582 packet_send();
583 }
584}
5260325f 585
7368a6c8 586int
587channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
588{
589 char buf[16*1024];
590 int len;
591
592 if (c->rfd != -1 &&
593 FD_ISSET(c->rfd, readset)) {
594 len = read(c->rfd, buf, sizeof(buf));
595 if (len <= 0) {
596 debug("channel %d: read<0 rfd %d len %d",
597 c->self, c->rfd, len);
598 if (compat13) {
599 buffer_consume(&c->output, buffer_len(&c->output));
600 c->type = SSH_CHANNEL_INPUT_DRAINING;
601 debug("Channel %d status set to input draining.", c->self);
602 } else {
603 chan_read_failed(c);
5260325f 604 }
7368a6c8 605 return -1;
606 }
607 buffer_append(&c->input, buf, len);
608 }
609 return 1;
610}
611int
612channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
613{
614 int len;
615
616 /* Send buffered output data to the socket. */
617 if (c->wfd != -1 &&
618 FD_ISSET(c->wfd, writeset) &&
619 buffer_len(&c->output) > 0) {
620 len = write(c->wfd, buffer_ptr(&c->output),
621 buffer_len(&c->output));
622 if (len <= 0) {
623 if (compat13) {
624 buffer_consume(&c->output, buffer_len(&c->output));
625 debug("Channel %d status set to input draining.", c->self);
626 c->type = SSH_CHANNEL_INPUT_DRAINING;
627 } else {
628 chan_write_failed(c);
5260325f 629 }
7368a6c8 630 return -1;
631 }
632 buffer_consume(&c->output, len);
7e7327a1 633 if (compat20 && len > 0) {
634 c->local_consumed += len;
635 }
636 }
637 return 1;
638}
639int
640channel_handle_efd(Channel *c, fd_set * readset, fd_set * writeset)
641{
642 char buf[16*1024];
643 int len;
644
8ce64345 645/** XXX handle drain efd, too */
7e7327a1 646 if (c->efd != -1) {
647 if (c->extended_usage == CHAN_EXTENDED_WRITE &&
648 FD_ISSET(c->efd, writeset) &&
649 buffer_len(&c->extended) > 0) {
650 len = write(c->efd, buffer_ptr(&c->extended),
651 buffer_len(&c->extended));
652 debug("channel %d: written %d to efd %d",
653 c->self, len, c->efd);
654 if (len > 0) {
655 buffer_consume(&c->extended, len);
656 c->local_consumed += len;
657 }
658 } else if (c->extended_usage == CHAN_EXTENDED_READ &&
659 FD_ISSET(c->efd, readset)) {
660 len = read(c->efd, buf, sizeof(buf));
661 debug("channel %d: read %d from efd %d",
662 c->self, len, c->efd);
8ce64345 663 if (len == 0) {
664 debug("channel %d: closing efd %d",
665 c->self, c->efd);
666 close(c->efd);
667 c->efd = -1;
668 } else if (len > 0)
7e7327a1 669 buffer_append(&c->extended, buf, len);
670 }
671 }
672 return 1;
673}
674int
675channel_check_window(Channel *c, fd_set * readset, fd_set * writeset)
676{
e78a59f5 677 if (!(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
7e7327a1 678 c->local_window < c->local_window_max/2 &&
679 c->local_consumed > 0) {
680 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
681 packet_put_int(c->remote_id);
682 packet_put_int(c->local_consumed);
683 packet_send();
684 debug("channel %d: window %d sent adjust %d",
685 c->self, c->local_window,
686 c->local_consumed);
687 c->local_window += c->local_consumed;
688 c->local_consumed = 0;
7368a6c8 689 }
690 return 1;
691}
5260325f 692
7368a6c8 693void
694channel_post_open_1(Channel *c, fd_set * readset, fd_set * writeset)
695{
696 channel_handle_rfd(c, readset, writeset);
697 channel_handle_wfd(c, readset, writeset);
698}
aa3378df 699
7e7327a1 700void
701channel_post_open_2(Channel *c, fd_set * readset, fd_set * writeset)
702{
703 channel_handle_rfd(c, readset, writeset);
704 channel_handle_wfd(c, readset, writeset);
705 channel_handle_efd(c, readset, writeset);
706 channel_check_window(c, readset, writeset);
707}
708
7368a6c8 709void
710channel_post_output_drain_13(Channel *c, fd_set * readset, fd_set * writeset)
711{
712 int len;
713 /* Send buffered output data to the socket. */
714 if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
715 len = write(c->sock, buffer_ptr(&c->output),
716 buffer_len(&c->output));
717 if (len <= 0)
718 buffer_consume(&c->output, buffer_len(&c->output));
719 else
720 buffer_consume(&c->output, len);
721 }
722}
5260325f 723
7e7327a1 724void
725channel_handler_init_20(void)
726{
727 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
728 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
729
730 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
731 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
732}
733
7368a6c8 734void
735channel_handler_init_13(void)
736{
737 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_13;
738 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_13;
739 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
740 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
741 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
742 channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
743 channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
744
745 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
746 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
747 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
748 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
749 channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
750}
5260325f 751
7368a6c8 752void
753channel_handler_init_15(void)
754{
755 channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_15;
756 channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open_15;
757 channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
758 channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
759 channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
760
761 channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
762 channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
763 channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
764 channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
765}
766
767void
768channel_handler_init(void)
769{
770 int i;
771 for(i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
772 channel_pre[i] = NULL;
773 channel_post[i] = NULL;
774 }
7e7327a1 775 if (compat20)
776 channel_handler_init_20();
777 else if (compat13)
7368a6c8 778 channel_handler_init_13();
779 else
780 channel_handler_init_15();
781}
782
783void
784channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
785{
786 static int did_init = 0;
787 int i;
788 Channel *c;
789
790 if (!did_init) {
791 channel_handler_init();
792 did_init = 1;
793 }
794 for (i = 0; i < channels_alloc; i++) {
795 c = &channels[i];
796 if (c->type == SSH_CHANNEL_FREE)
5260325f 797 continue;
7368a6c8 798 if (ftab[c->type] == NULL)
799 continue;
800 (*ftab[c->type])(c, readset, writeset);
7e7327a1 801 chan_delete_if_full_closed(c);
8efc0c15 802 }
8efc0c15 803}
804
7368a6c8 805void
806channel_prepare_select(fd_set * readset, fd_set * writeset)
807{
808 channel_handler(channel_pre, readset, writeset);
809}
810
811void
812channel_after_select(fd_set * readset, fd_set * writeset)
813{
814 channel_handler(channel_post, readset, writeset);
815}
816
8efc0c15 817/* If there is data to send to the connection, send some of it now. */
818
5260325f 819void
820channel_output_poll()
8efc0c15 821{
5260325f 822 int len, i;
7368a6c8 823 Channel *c;
5260325f 824
825 for (i = 0; i < channels_alloc; i++) {
7368a6c8 826 c = &channels[i];
48e671d5 827
aa3378df 828 /* We are only interested in channels that can have buffered incoming data. */
48e671d5 829 if (compat13) {
7368a6c8 830 if (c->type != SSH_CHANNEL_OPEN &&
831 c->type != SSH_CHANNEL_INPUT_DRAINING)
48e671d5 832 continue;
833 } else {
7368a6c8 834 if (c->type != SSH_CHANNEL_OPEN)
48e671d5 835 continue;
7368a6c8 836 if (c->istate != CHAN_INPUT_OPEN &&
837 c->istate != CHAN_INPUT_WAIT_DRAIN)
48e671d5 838 continue;
839 }
e78a59f5 840 if (compat20 &&
841 (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
7e7327a1 842 debug("channel: %d: no data after CLOSE", c->self);
843 continue;
844 }
5260325f 845
846 /* Get the amount of buffered data for this channel. */
7368a6c8 847 len = buffer_len(&c->input);
5260325f 848 if (len > 0) {
aa3378df 849 /* Send some data for the other side over the secure connection. */
7e7327a1 850 if (compat20) {
851 if (len > c->remote_window)
852 len = c->remote_window;
853 if (len > c->remote_maxpacket)
854 len = c->remote_maxpacket;
5260325f 855 } else {
7e7327a1 856 if (packet_is_interactive()) {
857 if (len > 1024)
858 len = 512;
859 } else {
860 /* Keep the packets at reasonable size. */
861 if (len > packet_get_maxsize()/2)
862 len = packet_get_maxsize()/2;
863 }
5260325f 864 }
7368a6c8 865 if (len > 0) {
7e7327a1 866 packet_start(compat20 ?
867 SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
7368a6c8 868 packet_put_int(c->remote_id);
869 packet_put_string(buffer_ptr(&c->input), len);
870 packet_send();
871 buffer_consume(&c->input, len);
872 c->remote_window -= len;
7e7327a1 873 debug("channel %d: send data len %d", c->self, len);
7368a6c8 874 }
875 } else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
5260325f 876 if (compat13)
877 fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
aa3378df 878 /*
879 * input-buffer is empty and read-socket shutdown:
880 * tell peer, that we will not send more data: send IEOF
881 */
7368a6c8 882 chan_ibuf_empty(c);
5260325f 883 }
7e7327a1 884 /* Send extended data, i.e. stderr */
885 if (compat20 &&
886 c->remote_window > 0 &&
887 (len = buffer_len(&c->extended)) > 0 &&
888 c->extended_usage == CHAN_EXTENDED_READ) {
889 if (len > c->remote_window)
890 len = c->remote_window;
891 if (len > c->remote_maxpacket)
892 len = c->remote_maxpacket;
893 packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
894 packet_put_int(c->remote_id);
895 packet_put_int(SSH2_EXTENDED_DATA_STDERR);
896 packet_put_string(buffer_ptr(&c->extended), len);
897 packet_send();
898 buffer_consume(&c->extended, len);
899 c->remote_window -= len;
900 }
8efc0c15 901 }
8efc0c15 902}
903
aa3378df 904/*
905 * This is called when a packet of type CHANNEL_DATA has just been received.
906 * The message type has already been consumed, but channel number and data is
907 * still there.
908 */
8efc0c15 909
5260325f 910void
7368a6c8 911channel_input_data(int type, int plen)
8efc0c15 912{
48e671d5 913 int id;
5260325f 914 char *data;
915 unsigned int data_len;
7368a6c8 916 Channel *c;
5260325f 917
918 /* Get the channel number and verify it. */
48e671d5 919 id = packet_get_int();
7368a6c8 920 c = channel_lookup(id);
921 if (c == NULL)
48e671d5 922 packet_disconnect("Received data for nonexistent channel %d.", id);
5260325f 923
924 /* Ignore any data for non-open channels (might happen on close) */
7368a6c8 925 if (c->type != SSH_CHANNEL_OPEN &&
926 c->type != SSH_CHANNEL_X11_OPEN)
48e671d5 927 return;
928
929 /* same for protocol 1.5 if output end is no longer open */
7368a6c8 930 if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
5260325f 931 return;
932
933 /* Get the data. */
934 data = packet_get_string(&data_len);
7368a6c8 935
7e7327a1 936 if (compat20){
937 if (data_len > c->local_maxpacket) {
938 log("channel %d: rcvd big packet %d, maxpack %d",
939 c->self, data_len, c->local_maxpacket);
940 }
941 if (data_len > c->local_window) {
942 log("channel %d: rcvd too much data %d, win %d",
943 c->self, data_len, c->local_window);
944 xfree(data);
945 return;
946 }
947 c->local_window -= data_len;
948 }else{
949 packet_integrity_check(plen, 4 + 4 + data_len, type);
950 }
7368a6c8 951 buffer_append(&c->output, data, data_len);
5260325f 952 xfree(data);
8efc0c15 953}
7e7327a1 954void
955channel_input_extended_data(int type, int plen)
956{
957 int id;
958 int tcode;
959 char *data;
960 unsigned int data_len;
961 Channel *c;
962
963 /* Get the channel number and verify it. */
964 id = packet_get_int();
965 c = channel_lookup(id);
966
967 if (c == NULL)
968 packet_disconnect("Received extended_data for bad channel %d.", id);
969 if (c->type != SSH_CHANNEL_OPEN) {
970 log("channel %d: ext data for non open", id);
971 return;
972 }
973 tcode = packet_get_int();
974 if (c->efd == -1 ||
975 c->extended_usage != CHAN_EXTENDED_WRITE ||
976 tcode != SSH2_EXTENDED_DATA_STDERR) {
977 log("channel %d: bad ext data", c->self);
978 return;
979 }
980 data = packet_get_string(&data_len);
981 if (data_len > c->local_window) {
982 log("channel %d: rcvd too much extended_data %d, win %d",
983 c->self, data_len, c->local_window);
984 xfree(data);
985 return;
986 }
987 debug("channel %d: rcvd ext data %d", c->self, data_len);
988 c->local_window -= data_len;
989 buffer_append(&c->extended, data, data_len);
990 xfree(data);
991}
992
8efc0c15 993
aa3378df 994/*
995 * Returns true if no channel has too much buffered data, and false if one or
996 * more channel is overfull.
997 */
8efc0c15 998
5260325f 999int
1000channel_not_very_much_buffered_data()
8efc0c15 1001{
5260325f 1002 unsigned int i;
7368a6c8 1003 Channel *c;
5260325f 1004
1005 for (i = 0; i < channels_alloc; i++) {
7368a6c8 1006 c = &channels[i];
1007 if (c->type == SSH_CHANNEL_OPEN) {
7e7327a1 1008 if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
7368a6c8 1009 debug("channel %d: big input buffer %d",
1010 c->self, buffer_len(&c->input));
5260325f 1011 return 0;
7368a6c8 1012 }
1013 if (buffer_len(&c->output) > packet_get_maxsize()) {
1014 debug("channel %d: big output buffer %d",
1015 c->self, buffer_len(&c->output));
5260325f 1016 return 0;
7368a6c8 1017 }
5260325f 1018 }
8efc0c15 1019 }
5260325f 1020 return 1;
8efc0c15 1021}
1022
7368a6c8 1023void
1024channel_input_ieof(int type, int plen)
1025{
1026 int id;
1027 Channel *c;
1028
1029 packet_integrity_check(plen, 4, type);
1030
1031 id = packet_get_int();
1032 c = channel_lookup(id);
1033 if (c == NULL)
1034 packet_disconnect("Received ieof for nonexistent channel %d.", id);
1035 chan_rcvd_ieof(c);
1036}
8efc0c15 1037
5260325f 1038void
7368a6c8 1039channel_input_close(int type, int plen)
8efc0c15 1040{
7368a6c8 1041 int id;
1042 Channel *c;
5260325f 1043
7368a6c8 1044 packet_integrity_check(plen, 4, type);
1045
1046 id = packet_get_int();
1047 c = channel_lookup(id);
1048 if (c == NULL)
1049 packet_disconnect("Received close for nonexistent channel %d.", id);
aa3378df 1050
1051 /*
1052 * Send a confirmation that we have closed the channel and no more
1053 * data is coming for it.
1054 */
5260325f 1055 packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
7368a6c8 1056 packet_put_int(c->remote_id);
5260325f 1057 packet_send();
1058
aa3378df 1059 /*
1060 * If the channel is in closed state, we have sent a close request,
1061 * and the other side will eventually respond with a confirmation.
1062 * Thus, we cannot free the channel here, because then there would be
1063 * no-one to receive the confirmation. The channel gets freed when
1064 * the confirmation arrives.
1065 */
7368a6c8 1066 if (c->type != SSH_CHANNEL_CLOSED) {
aa3378df 1067 /*
1068 * Not a closed channel - mark it as draining, which will
1069 * cause it to be freed later.
1070 */
7368a6c8 1071 buffer_consume(&c->input, buffer_len(&c->input));
1072 c->type = SSH_CHANNEL_OUTPUT_DRAINING;
5260325f 1073 }
8efc0c15 1074}
1075
7368a6c8 1076/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
5260325f 1077void
7368a6c8 1078channel_input_oclose(int type, int plen)
8efc0c15 1079{
7368a6c8 1080 int id = packet_get_int();
1081 Channel *c = channel_lookup(id);
1082 packet_integrity_check(plen, 4, type);
1083 if (c == NULL)
1084 packet_disconnect("Received oclose for nonexistent channel %d.", id);
1085 chan_rcvd_oclose(c);
8efc0c15 1086}
1087
7368a6c8 1088void
1089channel_input_close_confirmation(int type, int plen)
1090{
1091 int id = packet_get_int();
1092 Channel *c = channel_lookup(id);
1093
1094 if (c == NULL)
1095 packet_disconnect("Received close confirmation for "
1096 "out-of-range channel %d.", id);
1097 if (c->type != SSH_CHANNEL_CLOSED)
1098 packet_disconnect("Received close confirmation for "
1099 "non-closed channel %d (type %d).", id, c->type);
1100 channel_free(c->self);
1101}
8efc0c15 1102
5260325f 1103void
7368a6c8 1104channel_input_open_confirmation(int type, int plen)
8efc0c15 1105{
7368a6c8 1106 int id, remote_id;
1107 Channel *c;
5260325f 1108
7e7327a1 1109 if (!compat20)
1110 packet_integrity_check(plen, 4 + 4, type);
5260325f 1111
7368a6c8 1112 id = packet_get_int();
1113 c = channel_lookup(id);
5260325f 1114
7368a6c8 1115 if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1116 packet_disconnect("Received open confirmation for "
1117 "non-opening channel %d.", id);
1118 remote_id = packet_get_int();
aa3378df 1119 /* Record the remote channel number and mark that the channel is now open. */
7368a6c8 1120 c->remote_id = remote_id;
1121 c->type = SSH_CHANNEL_OPEN;
7e7327a1 1122
1123 if (compat20) {
1124 c->remote_window = packet_get_int();
1125 c->remote_maxpacket = packet_get_int();
1126 if (c->cb_fn != NULL && c->cb_event == type) {
1127 debug("callback start");
1128 c->cb_fn(c->self, c->cb_arg);
1129 debug("callback done");
1130 }
1131 debug("channel %d: open confirm rwindow %d rmax %d", c->self,
1132 c->remote_window, c->remote_maxpacket);
1133 }
8efc0c15 1134}
1135
5260325f 1136void
7368a6c8 1137channel_input_open_failure(int type, int plen)
8efc0c15 1138{
7368a6c8 1139 int id;
1140 Channel *c;
5260325f 1141
7e7327a1 1142 if (!compat20)
1143 packet_integrity_check(plen, 4, type);
7368a6c8 1144
1145 id = packet_get_int();
1146 c = channel_lookup(id);
1147
1148 if (c==NULL || c->type != SSH_CHANNEL_OPENING)
1149 packet_disconnect("Received open failure for "
1150 "non-opening channel %d.", id);
7e7327a1 1151 if (compat20) {
1152 int reason = packet_get_int();
1153 char *msg = packet_get_string(NULL);
1154 log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
1155 xfree(msg);
1156 }
5260325f 1157 /* Free the channel. This will also close the socket. */
7368a6c8 1158 channel_free(id);
8efc0c15 1159}
1160
7e7327a1 1161void
1162channel_input_channel_request(int type, int plen)
1163{
1164 int id;
1165 Channel *c;
1166
1167 id = packet_get_int();
1168 c = channel_lookup(id);
1169
1170 if (c == NULL ||
1171 (c->type != SSH_CHANNEL_OPEN && c->type != SSH_CHANNEL_LARVAL))
1172 packet_disconnect("Received request for "
1173 "non-open channel %d.", id);
1174 if (c->cb_fn != NULL && c->cb_event == type) {
1175 debug("callback start");
1176 c->cb_fn(c->self, c->cb_arg);
1177 debug("callback done");
1178 } else {
1179 char *service = packet_get_string(NULL);
1180 debug("channel: %d rcvd request for %s", c->self, service);
1181debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
1182 xfree(service);
1183 }
1184}
1185
1186void
1187channel_input_window_adjust(int type, int plen)
1188{
1189 Channel *c;
1190 int id, adjust;
1191
1192 if (!compat20)
1193 return;
1194
1195 /* Get the channel number and verify it. */
1196 id = packet_get_int();
1197 c = channel_lookup(id);
1198
1199 if (c == NULL || c->type != SSH_CHANNEL_OPEN) {
1200 log("Received window adjust for "
1201 "non-open channel %d.", id);
1202 return;
1203 }
1204 adjust = packet_get_int();
1205 debug("channel %d: rcvd adjust %d", id, adjust);
1206 c->remote_window += adjust;
1207}
1208
aa3378df 1209/*
1210 * Stops listening for channels, and removes any unix domain sockets that we
1211 * might have.
1212 */
8efc0c15 1213
5260325f 1214void
1215channel_stop_listening()
8efc0c15 1216{
5260325f 1217 int i;
1218 for (i = 0; i < channels_alloc; i++) {
1219 switch (channels[i].type) {
1220 case SSH_CHANNEL_AUTH_SOCKET:
1221 close(channels[i].sock);
1222 remove(channels[i].path);
1223 channel_free(i);
1224 break;
1225 case SSH_CHANNEL_PORT_LISTENER:
1226 case SSH_CHANNEL_X11_LISTENER:
1227 close(channels[i].sock);
1228 channel_free(i);
1229 break;
1230 default:
1231 break;
1232 }
8efc0c15 1233 }
8efc0c15 1234}
1235
aa3378df 1236/*
1237 * Closes the sockets of all channels. This is used to close extra file
1238 * descriptors after a fork.
1239 */
8efc0c15 1240
5260325f 1241void
1242channel_close_all()
8efc0c15 1243{
5260325f 1244 int i;
1245 for (i = 0; i < channels_alloc; i++) {
1246 if (channels[i].type != SSH_CHANNEL_FREE)
1247 close(channels[i].sock);
1248 }
8efc0c15 1249}
1250
1251/* Returns the maximum file descriptor number used by the channels. */
1252
5260325f 1253int
1254channel_max_fd()
8efc0c15 1255{
5260325f 1256 return channel_max_fd_value;
8efc0c15 1257}
1258
1259/* Returns true if any channel is still open. */
1260
5260325f 1261int
1262channel_still_open()
8efc0c15 1263{
5260325f 1264 unsigned int i;
1265 for (i = 0; i < channels_alloc; i++)
1266 switch (channels[i].type) {
1267 case SSH_CHANNEL_FREE:
1268 case SSH_CHANNEL_X11_LISTENER:
1269 case SSH_CHANNEL_PORT_LISTENER:
1270 case SSH_CHANNEL_CLOSED:
1271 case SSH_CHANNEL_AUTH_SOCKET:
1272 continue;
7e7327a1 1273 case SSH_CHANNEL_LARVAL:
1274 if (!compat20)
1275 fatal("cannot happen: SSH_CHANNEL_LARVAL");
1276 continue;
5260325f 1277 case SSH_CHANNEL_OPENING:
1278 case SSH_CHANNEL_OPEN:
1279 case SSH_CHANNEL_X11_OPEN:
1280 return 1;
1281 case SSH_CHANNEL_INPUT_DRAINING:
1282 case SSH_CHANNEL_OUTPUT_DRAINING:
1283 if (!compat13)
1284 fatal("cannot happen: OUT_DRAIN");
1285 return 1;
1286 default:
1287 fatal("channel_still_open: bad channel type %d", channels[i].type);
1288 /* NOTREACHED */
1289 }
1290 return 0;
8efc0c15 1291}
1292
aa3378df 1293/*
1294 * Returns a message describing the currently open forwarded connections,
1295 * suitable for sending to the client. The message contains crlf pairs for
1296 * newlines.
1297 */
8efc0c15 1298
5260325f 1299char *
1300channel_open_message()
8efc0c15 1301{
5260325f 1302 Buffer buffer;
1303 int i;
1304 char buf[512], *cp;
1305
1306 buffer_init(&buffer);
1307 snprintf(buf, sizeof buf, "The following connections are open:\r\n");
8efc0c15 1308 buffer_append(&buffer, buf, strlen(buf));
5260325f 1309 for (i = 0; i < channels_alloc; i++) {
1310 Channel *c = &channels[i];
1311 switch (c->type) {
1312 case SSH_CHANNEL_FREE:
1313 case SSH_CHANNEL_X11_LISTENER:
1314 case SSH_CHANNEL_PORT_LISTENER:
1315 case SSH_CHANNEL_CLOSED:
1316 case SSH_CHANNEL_AUTH_SOCKET:
1317 continue;
7e7327a1 1318 case SSH_CHANNEL_LARVAL:
5260325f 1319 case SSH_CHANNEL_OPENING:
1320 case SSH_CHANNEL_OPEN:
1321 case SSH_CHANNEL_X11_OPEN:
1322 case SSH_CHANNEL_INPUT_DRAINING:
1323 case SSH_CHANNEL_OUTPUT_DRAINING:
7368a6c8 1324 snprintf(buf, sizeof buf, " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
48e671d5 1325 c->self, c->remote_name,
1326 c->type, c->remote_id,
1327 c->istate, buffer_len(&c->input),
7368a6c8 1328 c->ostate, buffer_len(&c->output),
1329 c->rfd, c->wfd);
5260325f 1330 buffer_append(&buffer, buf, strlen(buf));
1331 continue;
1332 default:
7368a6c8 1333 fatal("channel_open_message: bad channel type %d", c->type);
5260325f 1334 /* NOTREACHED */
1335 }
1336 }
1337 buffer_append(&buffer, "\0", 1);
1338 cp = xstrdup(buffer_ptr(&buffer));
1339 buffer_free(&buffer);
1340 return cp;
8efc0c15 1341}
1342
aa3378df 1343/*
1344 * Initiate forwarding of connections to local port "port" through the secure
1345 * channel to host:port from remote side.
1346 */
8efc0c15 1347
5260325f 1348void
57112b5a 1349channel_request_local_forwarding(u_short port, const char *host,
95f1eccc 1350 u_short host_port, int gateway_ports)
8efc0c15 1351{
48e671d5 1352 int success, ch, sock, on = 1;
1353 struct addrinfo hints, *ai, *aitop;
1354 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
aa3378df 1355 struct linger linger;
5260325f 1356
1357 if (strlen(host) > sizeof(channels[0].path) - 1)
1358 packet_disconnect("Forward host name too long.");
1359
aa3378df 1360 /*
48e671d5 1361 * getaddrinfo returns a loopback address if the hostname is
1362 * set to NULL and hints.ai_flags is not AI_PASSIVE
aa3378df 1363 */
48e671d5 1364 memset(&hints, 0, sizeof(hints));
1365 hints.ai_family = IPv4or6;
1366 hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
1367 hints.ai_socktype = SOCK_STREAM;
1368 snprintf(strport, sizeof strport, "%d", port);
1369 if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
1370 packet_disconnect("getaddrinfo: fatal error");
1371
1372 success = 0;
1373 for (ai = aitop; ai; ai = ai->ai_next) {
1374 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1375 continue;
1376 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1377 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
1378 error("channel_request_local_forwarding: getnameinfo failed");
1379 continue;
1380 }
1381 /* Create a port to listen for the host. */
1382 sock = socket(ai->ai_family, SOCK_STREAM, 0);
1383 if (sock < 0) {
1384 /* this is no error since kernel may not support ipv6 */
1385 verbose("socket: %.100s", strerror(errno));
1386 continue;
1387 }
1388 /*
1389 * Set socket options. We would like the socket to disappear
1390 * as soon as it has been closed for whatever reason.
1391 */
1392 setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *)&on, sizeof(on));
1393 linger.l_onoff = 1;
1394 linger.l_linger = 5;
1395 setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger));
1396 debug("Local forwarding listening on %s port %s.", ntop, strport);
1397
1398 /* Bind the socket to the address. */
1399 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1400 /* address can be in use ipv6 address is already bound */
16218745 1401 if (!ai->ai_next)
1402 error("bind: %.100s", strerror(errno));
1403 else
1404 verbose("bind: %.100s", strerror(errno));
1405
48e671d5 1406 close(sock);
1407 continue;
1408 }
1409 /* Start listening for connections on the socket. */
1410 if (listen(sock, 5) < 0) {
1411 error("listen: %.100s", strerror(errno));
1412 close(sock);
1413 continue;
1414 }
1415 /* Allocate a channel number for the socket. */
7368a6c8 1416 ch = channel_new(
1417 "port listener", SSH_CHANNEL_PORT_LISTENER,
1418 sock, sock, -1,
1419 CHAN_WINDOW_DEFAULT, CHAN_PACKET_DEFAULT,
1420 0, xstrdup("port listener"));
48e671d5 1421 strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
1422 channels[ch].host_port = host_port;
1423 channels[ch].listening_port = port;
1424 success = 1;
1425 }
1426 if (success == 0)
1427 packet_disconnect("cannot listen port: %d", port);
1428 freeaddrinfo(aitop);
5260325f 1429}
8efc0c15 1430
aa3378df 1431/*
1432 * Initiate forwarding of connections to port "port" on remote host through
1433 * the secure channel to host:port from local side.
1434 */
8efc0c15 1435
5260325f 1436void
7368a6c8 1437channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
1438 u_short port_to_connect)
8efc0c15 1439{
5260325f 1440 int payload_len;
1441 /* Record locally that connection to this host/port is permitted. */
1442 if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
1443 fatal("channel_request_remote_forwarding: too many forwards");
1444
7368a6c8 1445 permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
1446 permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
1447 permitted_opens[num_permitted_opens].listen_port = listen_port;
5260325f 1448 num_permitted_opens++;
1449
1450 /* Send the forward request to the remote side. */
7e7327a1 1451 if (compat20) {
1452 const char *address_to_bind = "0.0.0.0";
1453 packet_start(SSH2_MSG_GLOBAL_REQUEST);
1454 packet_put_cstring("tcpip-forward");
1455 packet_put_char(0); /* boolean: want reply */
1456 packet_put_cstring(address_to_bind);
1457 packet_put_int(listen_port);
1458 } else {
1459 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
1460 packet_put_int(port_to_connect);
1461 packet_put_cstring(host_to_connect);
1462 packet_put_int(listen_port);
1463 packet_send();
1464 packet_write_wait();
1465 /*
1466 * Wait for response from the remote side. It will send a disconnect
1467 * message on failure, and we will never see it here.
1468 */
1469 packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
1470 }
8efc0c15 1471}
1472
aa3378df 1473/*
1474 * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates
1475 * listening for the port, and sends back a success reply (or disconnect
1476 * message if there was an error). This never returns if there was an error.
1477 */
8efc0c15 1478
5260325f 1479void
1480channel_input_port_forward_request(int is_root)
8efc0c15 1481{
57112b5a 1482 u_short port, host_port;
5260325f 1483 char *hostname;
1484
1485 /* Get arguments from the packet. */
1486 port = packet_get_int();
1487 hostname = packet_get_string(NULL);
1488 host_port = packet_get_int();
1489
aa3378df 1490 /*
1491 * Check that an unprivileged user is not trying to forward a
1492 * privileged port.
1493 */
5260325f 1494 if (port < IPPORT_RESERVED && !is_root)
1495 packet_disconnect("Requested forwarding of port %d but user is not root.",
1496 port);
95f1eccc 1497 /*
1498 * Initiate forwarding,
1499 * bind port to localhost only (gateway ports == 0).
1500 */
1501 channel_request_local_forwarding(port, hostname, host_port, 0);
5260325f 1502
1503 /* Free the argument string. */
1504 xfree(hostname);
8efc0c15 1505}
1506
7368a6c8 1507/* XXX move to aux.c */
1508int
1509channel_connect_to(const char *host, u_short host_port)
8efc0c15 1510{
48e671d5 1511 struct addrinfo hints, *ai, *aitop;
1512 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
1513 int gaierr;
7368a6c8 1514 int sock = -1;
48e671d5 1515
1516 memset(&hints, 0, sizeof(hints));
1517 hints.ai_family = IPv4or6;
1518 hints.ai_socktype = SOCK_STREAM;
1519 snprintf(strport, sizeof strport, "%d", host_port);
1520 if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) {
1521 error("%.100s: unknown host (%s)", host, gai_strerror(gaierr));
7368a6c8 1522 return -1;
48e671d5 1523 }
48e671d5 1524 for (ai = aitop; ai; ai = ai->ai_next) {
1525 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1526 continue;
1527 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
1528 strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
7368a6c8 1529 error("channel_connect_to: getnameinfo failed");
48e671d5 1530 continue;
5260325f 1531 }
48e671d5 1532 /* Create the socket. */
1533 sock = socket(ai->ai_family, SOCK_STREAM, 0);
1534 if (sock < 0) {
1535 error("socket: %.100s", strerror(errno));
1536 continue;
5260325f 1537 }
48e671d5 1538 /* Connect to the host/port. */
1539 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1540 error("connect %.100s port %s: %.100s", ntop, strport,
1541 strerror(errno));
1542 close(sock);
1543 continue; /* fail -- try next */
1544 }
1545 break; /* success */
5260325f 1546
5260325f 1547 }
48e671d5 1548 freeaddrinfo(aitop);
48e671d5 1549 if (!ai) {
1550 error("connect %.100s port %d: failed.", host, host_port);
7368a6c8 1551 return -1;
8efc0c15 1552 }
7368a6c8 1553 /* success */
1554 return sock;
1555}
48e671d5 1556
7368a6c8 1557/*
1558 * This is called after receiving PORT_OPEN message. This attempts to
1559 * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
1560 * or CHANNEL_OPEN_FAILURE.
1561 */
5260325f 1562
7368a6c8 1563void
1564channel_input_port_open(int type, int plen)
1565{
1566 u_short host_port;
1567 char *host, *originator_string;
1568 int remote_channel, sock = -1, newch, i, denied;
1569 unsigned int host_len, originator_len;
5260325f 1570
7368a6c8 1571 /* Get remote channel number. */
1572 remote_channel = packet_get_int();
5260325f 1573
7368a6c8 1574 /* Get host name to connect to. */
1575 host = packet_get_string(&host_len);
5260325f 1576
7368a6c8 1577 /* Get port to connect to. */
1578 host_port = packet_get_int();
5260325f 1579
7368a6c8 1580 /* Get remote originator name. */
1581 if (have_hostname_in_open) {
1582 originator_string = packet_get_string(&originator_len);
1583 originator_len += 4; /* size of packet_int */
1584 } else {
1585 originator_string = xstrdup("unknown (remote did not supply name)");
1586 originator_len = 0; /* no originator supplied */
1587 }
5260325f 1588
7368a6c8 1589 packet_integrity_check(plen,
1590 4 + 4 + host_len + 4 + originator_len, SSH_MSG_PORT_OPEN);
1591
1592 /* Check if opening that port is permitted. */
1593 denied = 0;
1594 if (!all_opens_permitted) {
1595 /* Go trough all permitted ports. */
1596 for (i = 0; i < num_permitted_opens; i++)
1597 if (permitted_opens[i].port_to_connect == host_port &&
1598 strcmp(permitted_opens[i].host_to_connect, host) == 0)
1599 break;
1600
1601 /* Check if we found the requested port among those permitted. */
1602 if (i >= num_permitted_opens) {
1603 /* The port is not permitted. */
1604 log("Received request to connect to %.100s:%d, but the request was denied.",
1605 host, host_port);
1606 denied = 1;
1607 }
1608 }
1609 sock = denied ? -1 : channel_connect_to(host, host_port);
1610 if (sock > 0) {
1611 /* Allocate a channel for this connection. */
1612 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
1613 channels[newch].remote_id = remote_channel;
1614
1615 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1616 packet_put_int(remote_channel);
1617 packet_put_int(newch);
1618 packet_send();
1619 } else {
1620 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1621 packet_put_int(remote_channel);
1622 packet_send();
1623 }
1624 xfree(host);
8efc0c15 1625}
1626
aa3378df 1627/*
1628 * Creates an internet domain socket for listening for X11 connections.
1629 * Returns a suitable value for the DISPLAY variable, or NULL if an error
1630 * occurs.
1631 */
8efc0c15 1632
48e671d5 1633#define NUM_SOCKS 10
1634
5260325f 1635char *
95f1eccc 1636x11_create_display_inet(int screen_number, int x11_display_offset)
8efc0c15 1637{
57112b5a 1638 int display_number, sock;
1639 u_short port;
48e671d5 1640 struct addrinfo hints, *ai, *aitop;
1641 char strport[NI_MAXSERV];
1642 int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
1643 char display[512];
5260325f 1644 char hostname[MAXHOSTNAMELEN];
1645
95f1eccc 1646 for (display_number = x11_display_offset;
5260325f 1647 display_number < MAX_DISPLAYS;
1648 display_number++) {
1649 port = 6000 + display_number;
48e671d5 1650 memset(&hints, 0, sizeof(hints));
1651 hints.ai_family = IPv4or6;
1652 hints.ai_flags = AI_PASSIVE; /* XXX loopback only ? */
1653 hints.ai_socktype = SOCK_STREAM;
1654 snprintf(strport, sizeof strport, "%d", port);
1655 if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
1656 error("getaddrinfo: %.100s", gai_strerror(gaierr));
5260325f 1657 return NULL;
1658 }
48e671d5 1659 for (ai = aitop; ai; ai = ai->ai_next) {
1660 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
1661 continue;
1662 sock = socket(ai->ai_family, SOCK_STREAM, 0);
1663 if (sock < 0) {
80a44451 1664 if (errno != EINVAL) {
1665 error("socket: %.100s", strerror(errno));
1666 return NULL;
1667 } else {
1668 debug("Socket family %d not supported [X11 disp create]", ai->ai_family);
1669 continue;
1670 }
48e671d5 1671 }
1672 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1673 debug("bind port %d: %.100s", port, strerror(errno));
1674 shutdown(sock, SHUT_RDWR);
1675 close(sock);
16218745 1676
1677 if (ai->ai_next)
1678 continue;
1679
48e671d5 1680 for (n = 0; n < num_socks; n++) {
1681 shutdown(socks[n], SHUT_RDWR);
1682 close(socks[n]);
1683 }
1684 num_socks = 0;
1685 break;
1686 }
1687 socks[num_socks++] = sock;
80faa19f 1688#ifndef DONT_TRY_OTHER_AF
48e671d5 1689 if (num_socks == NUM_SOCKS)
1690 break;
80faa19f 1691#else
1692 break;
1693#endif
5260325f 1694 }
48e671d5 1695 if (num_socks > 0)
1696 break;
5260325f 1697 }
1698 if (display_number >= MAX_DISPLAYS) {
1699 error("Failed to allocate internet-domain X11 display socket.");
1700 return NULL;
8efc0c15 1701 }
5260325f 1702 /* Start listening for connections on the socket. */
48e671d5 1703 for (n = 0; n < num_socks; n++) {
1704 sock = socks[n];
1705 if (listen(sock, 5) < 0) {
1706 error("listen: %.100s", strerror(errno));
1707 shutdown(sock, SHUT_RDWR);
1708 close(sock);
1709 return NULL;
1710 }
8efc0c15 1711 }
48e671d5 1712
5260325f 1713 /* Set up a suitable value for the DISPLAY variable. */
a7effaac 1714
5260325f 1715 if (gethostname(hostname, sizeof(hostname)) < 0)
1716 fatal("gethostname: %.100s", strerror(errno));
a7effaac 1717
1718#ifdef IPADDR_IN_DISPLAY
1719 /*
1720 * HPUX detects the local hostname in the DISPLAY variable and tries
1721 * to set up a shared memory connection to the server, which it
1722 * incorrectly supposes to be local.
1723 *
1724 * The workaround - as used in later $$H and other programs - is
1725 * is to set display to the host's IP address.
1726 */
1727 {
1728 struct hostent *he;
1729 struct in_addr my_addr;
1730
1731 he = gethostbyname(hostname);
1732 if (he == NULL) {
1733 error("[X11-broken-fwd-hostname-workaround] Could not get "
1734 "IP address for hostname %s.", hostname);
1735
1736 packet_send_debug("[X11-broken-fwd-hostname-workaround]"
1737 "Could not get IP address for hostname %s.", hostname);
1738
1739 shutdown(sock, SHUT_RDWR);
1740 close(sock);
1741
1742 return NULL;
1743 }
1744
1745 memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
1746
1747 /* Set DISPLAY to <ip address>:screen.display */
48e671d5 1748 snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr),
a7effaac 1749 display_number, screen_number);
1750 }
1751#else /* IPADDR_IN_DISPLAY */
1752 /* Just set DISPLAY to hostname:screen.display */
48e671d5 1753 snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
a7effaac 1754 display_number, screen_number);
1755#endif /* IPADDR_IN_DISPLAY */
5260325f 1756
48e671d5 1757 /* Allocate a channel for each socket. */
1758 for (n = 0; n < num_socks; n++) {
1759 sock = socks[n];
1760 (void) channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
1761 xstrdup("X11 inet listener"));
1762 }
5260325f 1763
1764 /* Return a suitable value for the DISPLAY environment variable. */
48e671d5 1765 return xstrdup(display);
8efc0c15 1766}
1767
1768#ifndef X_UNIX_PATH
1769#define X_UNIX_PATH "/tmp/.X11-unix/X"
1770#endif
1771
1772static
1773int
2f450969 1774connect_local_xsocket(unsigned int dnr)
8efc0c15 1775{
5260325f 1776 static const char *const x_sockets[] = {
1777 X_UNIX_PATH "%u",
1778 "/var/X/.X11-unix/X" "%u",
1779 "/usr/spool/sockets/X11/" "%u",
1780 NULL
1781 };
1782 int sock;
1783 struct sockaddr_un addr;
1784 const char *const * path;
1785
1786 for (path = x_sockets; *path; ++path) {
1787 sock = socket(AF_UNIX, SOCK_STREAM, 0);
1788 if (sock < 0)
1789 error("socket: %.100s", strerror(errno));
1790 memset(&addr, 0, sizeof(addr));
1791 addr.sun_family = AF_UNIX;
1792 snprintf(addr.sun_path, sizeof addr.sun_path, *path, dnr);
1793 if (connect(sock, (struct sockaddr *) & addr, sizeof(addr)) == 0)
1794 return sock;
1795 close(sock);
1796 }
1797 error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
1798 return -1;
8efc0c15 1799}
1800
1801
aa3378df 1802/*
1803 * This is called when SSH_SMSG_X11_OPEN is received. The packet contains
1804 * the remote channel number. We should do whatever we want, and respond
1805 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
1806 */
8efc0c15 1807
5260325f 1808void
7368a6c8 1809x11_input_open(int type, int plen)
8efc0c15 1810{
48e671d5 1811 int remote_channel, display_number, sock = 0, newch;
5260325f 1812 const char *display;
5260325f 1813 char buf[1024], *cp, *remote_host;
610cd5c6 1814 unsigned int remote_len;
48e671d5 1815 struct addrinfo hints, *ai, *aitop;
1816 char strport[NI_MAXSERV];
1817 int gaierr;
5260325f 1818
1819 /* Get remote channel number. */
1820 remote_channel = packet_get_int();
1821
1822 /* Get remote originator name. */
aa3378df 1823 if (have_hostname_in_open) {
5260325f 1824 remote_host = packet_get_string(&remote_len);
aa3378df 1825 remote_len += 4;
1826 } else {
5260325f 1827 remote_host = xstrdup("unknown (remote did not supply name)");
aa3378df 1828 remote_len = 0;
1829 }
5260325f 1830
1831 debug("Received X11 open request.");
7368a6c8 1832 packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
5260325f 1833
1834 /* Try to open a socket for the local X server. */
1835 display = getenv("DISPLAY");
1836 if (!display) {
1837 error("DISPLAY not set.");
1838 goto fail;
1839 }
aa3378df 1840 /*
1841 * Now we decode the value of the DISPLAY variable and make a
1842 * connection to the real X server.
1843 */
1844
1845 /*
1846 * Check if it is a unix domain socket. Unix domain displays are in
1847 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
1848 */
5260325f 1849 if (strncmp(display, "unix:", 5) == 0 ||
1850 display[0] == ':') {
1851 /* Connect to the unix domain socket. */
1852 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
1853 error("Could not parse display number from DISPLAY: %.100s",
1854 display);
1855 goto fail;
1856 }
1857 /* Create a socket. */
1858 sock = connect_local_xsocket(display_number);
1859 if (sock < 0)
1860 goto fail;
1861
1862 /* OK, we now have a connection to the display. */
1863 goto success;
1864 }
aa3378df 1865 /*
1866 * Connect to an inet socket. The DISPLAY value is supposedly
1867 * hostname:d[.s], where hostname may also be numeric IP address.
1868 */
5260325f 1869 strncpy(buf, display, sizeof(buf));
1870 buf[sizeof(buf) - 1] = 0;
1871 cp = strchr(buf, ':');
1872 if (!cp) {
1873 error("Could not find ':' in DISPLAY: %.100s", display);
1874 goto fail;
1875 }
1876 *cp = 0;
aa3378df 1877 /* buf now contains the host name. But first we parse the display number. */
5260325f 1878 if (sscanf(cp + 1, "%d", &display_number) != 1) {
1879 error("Could not parse display number from DISPLAY: %.100s",
1880 display);
1881 goto fail;
1882 }
5260325f 1883
48e671d5 1884 /* Look up the host address */
1885 memset(&hints, 0, sizeof(hints));
1886 hints.ai_family = IPv4or6;
1887 hints.ai_socktype = SOCK_STREAM;
1888 snprintf(strport, sizeof strport, "%d", 6000 + display_number);
1889 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
1890 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
5260325f 1891 goto fail;
8efc0c15 1892 }
48e671d5 1893 for (ai = aitop; ai; ai = ai->ai_next) {
1894 /* Create a socket. */
1895 sock = socket(ai->ai_family, SOCK_STREAM, 0);
1896 if (sock < 0) {
1897 debug("socket: %.100s", strerror(errno));
7368a6c8 1898 continue;
1899 }
1900 /* Connect it to the display. */
1901 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
1902 debug("connect %.100s port %d: %.100s", buf,
1903 6000 + display_number, strerror(errno));
1904 close(sock);
1905 continue;
1906 }
1907 /* Success */
1908 break;
48e671d5 1909 }
48e671d5 1910 freeaddrinfo(aitop);
1911 if (!ai) {
1912 error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
1913 strerror(errno));
5260325f 1914 goto fail;
8efc0c15 1915 }
5260325f 1916success:
1917 /* We have successfully obtained a connection to the real X display. */
1918
1919 /* Allocate a channel for this connection. */
1920 if (x11_saved_proto == NULL)
1921 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
1922 else
1923 newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
1924 channels[newch].remote_id = remote_channel;
1925
1926 /* Send a confirmation to the remote host. */
1927 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1928 packet_put_int(remote_channel);
1929 packet_put_int(newch);
1930 packet_send();
1931
1932 return;
1933
1934fail:
1935 /* Send refusal to the remote host. */
1936 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1937 packet_put_int(remote_channel);
1938 packet_send();
8efc0c15 1939}
1940
aa3378df 1941/*
1942 * Requests forwarding of X11 connections, generates fake authentication
1943 * data, and enables authentication spoofing.
1944 */
8efc0c15 1945
5260325f 1946void
1947x11_request_forwarding_with_spoofing(const char *proto, const char *data)
8efc0c15 1948{
5260325f 1949 unsigned int data_len = (unsigned int) strlen(data) / 2;
1950 unsigned int i, value;
1951 char *new_data;
1952 int screen_number;
1953 const char *cp;
1954 u_int32_t rand = 0;
1955
1956 cp = getenv("DISPLAY");
1957 if (cp)
1958 cp = strchr(cp, ':');
1959 if (cp)
1960 cp = strchr(cp, '.');
1961 if (cp)
1962 screen_number = atoi(cp + 1);
1963 else
1964 screen_number = 0;
1965
1966 /* Save protocol name. */
1967 x11_saved_proto = xstrdup(proto);
1968
aa3378df 1969 /*
1970 * Extract real authentication data and generate fake data of the
1971 * same length.
1972 */
5260325f 1973 x11_saved_data = xmalloc(data_len);
1974 x11_fake_data = xmalloc(data_len);
1975 for (i = 0; i < data_len; i++) {
1976 if (sscanf(data + 2 * i, "%2x", &value) != 1)
1977 fatal("x11_request_forwarding: bad authentication data: %.100s", data);
1978 if (i % 4 == 0)
1979 rand = arc4random();
1980 x11_saved_data[i] = value;
1981 x11_fake_data[i] = rand & 0xff;
1982 rand >>= 8;
1983 }
1984 x11_saved_data_len = data_len;
1985 x11_fake_data_len = data_len;
1986
1987 /* Convert the fake data into hex. */
1988 new_data = xmalloc(2 * data_len + 1);
1989 for (i = 0; i < data_len; i++)
1990 sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
1991
1992 /* Send the request packet. */
1993 packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
1994 packet_put_string(proto, strlen(proto));
1995 packet_put_string(new_data, strlen(new_data));
1996 packet_put_int(screen_number);
1997 packet_send();
1998 packet_write_wait();
1999 xfree(new_data);
8efc0c15 2000}
2001
2002/* Sends a message to the server to request authentication fd forwarding. */
2003
5260325f 2004void
2005auth_request_forwarding()
8efc0c15 2006{
5260325f 2007 packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
2008 packet_send();
2009 packet_write_wait();
8efc0c15 2010}
2011
aa3378df 2012/*
2013 * Returns the name of the forwarded authentication socket. Returns NULL if
2014 * there is no forwarded authentication socket. The returned value points to
2015 * a static buffer.
2016 */
8efc0c15 2017
5260325f 2018char *
2019auth_get_socket_name()
8efc0c15 2020{
5260325f 2021 return channel_forwarded_auth_socket_name;
8efc0c15 2022}
2023
2024/* removes the agent forwarding socket */
2025
5260325f 2026void
2027cleanup_socket(void)
2028{
2029 remove(channel_forwarded_auth_socket_name);
2030 rmdir(channel_forwarded_auth_socket_dir);
8efc0c15 2031}
2032
aa3378df 2033/*
2034 * This if called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server.
2035 * This starts forwarding authentication requests.
2036 */
8efc0c15 2037
5260325f 2038void
2039auth_input_request_forwarding(struct passwd * pw)
8efc0c15 2040{
5260325f 2041 int sock, newch;
2042 struct sockaddr_un sunaddr;
2043
2044 if (auth_get_socket_name() != NULL)
2045 fatal("Protocol error: authentication forwarding requested twice.");
2046
2047 /* Temporarily drop privileged uid for mkdir/bind. */
2048 temporarily_use_uid(pw->pw_uid);
2049
2050 /* Allocate a buffer for the socket name, and format the name. */
2051 channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
2052 channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
2053 strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
2054
2055 /* Create private directory for socket */
2056 if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL)
2057 packet_disconnect("mkdtemp: %.100s", strerror(errno));
2058 snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
2059 channel_forwarded_auth_socket_dir, (int) getpid());
2060
2061 if (atexit(cleanup_socket) < 0) {
2062 int saved = errno;
2063 cleanup_socket();
2064 packet_disconnect("socket: %.100s", strerror(saved));
2065 }
2066 /* Create the socket. */
2067 sock = socket(AF_UNIX, SOCK_STREAM, 0);
2068 if (sock < 0)
2069 packet_disconnect("socket: %.100s", strerror(errno));
2070
2071 /* Bind it to the name. */
2072 memset(&sunaddr, 0, sizeof(sunaddr));
2073 sunaddr.sun_family = AF_UNIX;
2074 strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
2075 sizeof(sunaddr.sun_path));
2076
2077 if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
2078 packet_disconnect("bind: %.100s", strerror(errno));
2079
2080 /* Restore the privileged uid. */
2081 restore_uid();
2082
2083 /* Start listening on the socket. */
2084 if (listen(sock, 5) < 0)
2085 packet_disconnect("listen: %.100s", strerror(errno));
2086
2087 /* Allocate a channel for the authentication agent socket. */
2088 newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
2089 xstrdup("auth socket"));
a408af76 2090 strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
2091 sizeof(channels[newch].path));
8efc0c15 2092}
2093
2094/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
2095
5260325f 2096void
7368a6c8 2097auth_input_open_request(int type, int plen)
8efc0c15 2098{
5260325f 2099 int remch, sock, newch;
2100 char *dummyname;
2101
7368a6c8 2102 packet_integrity_check(plen, 4, type);
2103
5260325f 2104 /* Read the remote channel number from the message. */
2105 remch = packet_get_int();
2106
aa3378df 2107 /*
2108 * Get a connection to the local authentication agent (this may again
2109 * get forwarded).
2110 */
5260325f 2111 sock = ssh_get_authentication_socket();
2112
aa3378df 2113 /*
2114 * If we could not connect the agent, send an error message back to
2115 * the server. This should never happen unless the agent dies,
2116 * because authentication forwarding is only enabled if we have an
2117 * agent.
2118 */
5260325f 2119 if (sock < 0) {
2120 packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2121 packet_put_int(remch);
2122 packet_send();
2123 return;
2124 }
2125 debug("Forwarding authentication connection.");
2126
aa3378df 2127 /*
2128 * Dummy host name. This will be freed when the channel is freed; it
2129 * will still be valid in the packet_put_string below since the
2130 * channel cannot yet be freed at that point.
2131 */
5260325f 2132 dummyname = xstrdup("authentication agent connection");
2133
2134 newch = channel_allocate(SSH_CHANNEL_OPEN, sock, dummyname);
2135 channels[newch].remote_id = remch;
2136
2137 /* Send a confirmation to the remote host. */
2138 packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
2139 packet_put_int(remch);
2140 packet_put_int(newch);
2141 packet_send();
8efc0c15 2142}
7e7327a1 2143
2144void
2145channel_open(int id)
2146{
2147 Channel *c = channel_lookup(id);
2148 if (c == NULL) {
2149 log("channel_open: %d: bad id", id);
2150 return;
2151 }
2152 packet_start(SSH2_MSG_CHANNEL_OPEN);
2153 packet_put_cstring(c->ctype);
2154 packet_put_int(c->self);
2155 packet_put_int(c->local_window);
2156 packet_put_int(c->local_maxpacket);
2157 packet_send();
2158 debug("channel open %d", id);
2159}
2160void
2161channel_request(int id, char *service, int wantconfirm)
2162{
2163 channel_request_start(id, service, wantconfirm);
2164 packet_send();
2165 debug("channel request %d: %s", id, service) ;
2166}
2167void
2168channel_request_start(int id, char *service, int wantconfirm)
2169{
2170 Channel *c = channel_lookup(id);
2171 if (c == NULL) {
2172 log("channel_request: %d: bad id", id);
2173 return;
2174 }
2175 packet_start(SSH2_MSG_CHANNEL_REQUEST);
2176 packet_put_int(c->remote_id);
2177 packet_put_cstring(service);
2178 packet_put_char(wantconfirm);
2179}
2180void
2181channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
2182{
2183 Channel *c = channel_lookup(id);
2184 if (c == NULL) {
2185 log("channel_register_callback: %d: bad id", id);
2186 return;
2187 }
2188 c->cb_event = mtype;
2189 c->cb_fn = fn;
2190 c->cb_arg = arg;
2191}
2192void
2193channel_register_cleanup(int id, channel_callback_fn *fn)
2194{
2195 Channel *c = channel_lookup(id);
2196 if (c == NULL) {
2197 log("channel_register_cleanup: %d: bad id", id);
2198 return;
2199 }
2200 c->dettach_user = fn;
2201}
2202void
2203channel_cancel_cleanup(int id)
2204{
2205 Channel *c = channel_lookup(id);
2206 if (c == NULL) {
2207 log("channel_cancel_cleanup: %d: bad id", id);
2208 return;
2209 }
2210 c->dettach_user = NULL;
2211}
2212
2213void
2214channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
2215{
2216 Channel *c = channel_lookup(id);
2217 if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
2218 fatal("channel_activate for non-larval channel %d.", id);
2219 if (rfd > channel_max_fd_value)
2220 channel_max_fd_value = rfd;
2221 if (wfd > channel_max_fd_value)
2222 channel_max_fd_value = wfd;
2223 if (efd > channel_max_fd_value)
2224 channel_max_fd_value = efd;
2225 c->type = SSH_CHANNEL_OPEN;
2226 c->rfd = rfd;
2227 c->wfd = wfd;
2228 c->efd = efd;
2229 c->extended_usage = extusage;
2230 /* XXX window size? */
2231 c->local_window = c->local_window_max = c->local_maxpacket/2;
2232 packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
2233 packet_put_int(c->remote_id);
2234 packet_put_int(c->local_window);
2235 packet_send();
2236}
git-cvsimport mirror of OpenSSH
This page took 1.195679 seconds and 5 git commands to generate.