/*
- *
- * channels.c
- *
* Author: Tatu Ylonen <ylo@cs.hut.fi>
- *
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
- *
- * Created: Fri Mar 24 16:35:24 1995 ylo
- *
* This file contains functions for generic socket connection forwarding.
* There is also code for initiating connection forwarding for X11 connections,
* arbitrary tcp/ip connections, and the authentication agent connection.
*
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+ *
+ *
* SSH2 support added by Markus Friedl.
+ * Copyright (c) 1999,2000 Markus Friedl. All rights reserved.
+ * Copyright (c) 1999 Dug Song. All rights reserved.
+ * Copyright (c) 1999 Theo de Raadt. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.62 2000/06/20 01:39:39 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.89 2001/02/04 15:32:23 stevesk Exp $");
+
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
#include "ssh.h"
+#include "ssh1.h"
+#include "ssh2.h"
#include "packet.h"
#include "xmalloc.h"
#include "buffer.h"
-#include "authfd.h"
#include "uidswap.h"
-#include "readconf.h"
-#include "servconf.h"
-
+#include "log.h"
+#include "misc.h"
#include "channels.h"
#include "nchan.h"
#include "compat.h"
-
-#include "ssh2.h"
+#include "canohost.h"
+#include "key.h"
+#include "authfd.h"
/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000
/* Max len of agent socket */
#define MAX_SOCKET_NAME 100
-/* default window/packet sizes for tcp/x11-fwd-channel */
-#define CHAN_TCP_WINDOW_DEFAULT (8*1024)
-#define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2)
-#define CHAN_X11_WINDOW_DEFAULT (4*1024)
-#define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2)
-
/*
* Pointer to an array containing all allocated channels. The array is
* dynamically extended as needed.
* Maximum file descriptor value used in any of the channels. This is
* updated in channel_allocate.
*/
-static int channel_max_fd_value = 0;
+static int channel_max_fd = 0;
/* Name and directory of socket for authentication agent forwarding. */
static char *channel_forwarded_auth_socket_name = NULL;
/* Saved X11 authentication data. This is the real data. */
char *x11_saved_data = NULL;
-unsigned int x11_saved_data_len = 0;
+u_int x11_saved_data_len = 0;
/*
* Fake X11 authentication data. This is what the server will be sending us;
* we should replace any occurrences of this by the real data.
*/
char *x11_fake_data = NULL;
-unsigned int x11_fake_data_len;
+u_int x11_fake_data_len;
/*
* Data structure for storing which hosts are permitted for forward requests.
/* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
static int have_hostname_in_open = 0;
+/* AF_UNSPEC or AF_INET or AF_INET6 */
+extern int IPv4or6;
+
/* Sets specific protocol options. */
void
channel_lookup(int id)
{
Channel *c;
- if (id < 0 && id > channels_alloc) {
+ if (id < 0 || id > channels_alloc) {
log("channel_lookup: %d: bad id", id);
return NULL;
}
*/
void
-channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
+channel_register_fds(Channel *c, int rfd, int wfd, int efd,
+ int extusage, int nonblock)
{
/* Update the maximum file descriptor value. */
- if (rfd > channel_max_fd_value)
- channel_max_fd_value = rfd;
- if (wfd > channel_max_fd_value)
- channel_max_fd_value = wfd;
- if (efd > channel_max_fd_value)
- channel_max_fd_value = efd;
+ channel_max_fd = MAX(channel_max_fd, rfd);
+ channel_max_fd = MAX(channel_max_fd, wfd);
+ channel_max_fd = MAX(channel_max_fd, efd);
+
/* XXX set close-on-exec -markus */
c->rfd = rfd;
c->sock = (rfd == wfd) ? rfd : -1;
c->efd = efd;
c->extended_usage = extusage;
- if (rfd != -1)
- set_nonblock(rfd);
- if (wfd != -1)
- set_nonblock(wfd);
- if (efd != -1)
- set_nonblock(efd);
+
+ /* enable nonblocking mode */
+ if (nonblock) {
+ if (rfd != -1)
+ set_nonblock(rfd);
+ if (wfd != -1)
+ set_nonblock(wfd);
+ if (efd != -1)
+ set_nonblock(efd);
+ }
}
/*
int
channel_new(char *ctype, int type, int rfd, int wfd, int efd,
- int window, int maxpack, int extusage, char *remote_name)
+ int window, int maxpack, int extusage, char *remote_name, int nonblock)
{
int i, found;
Channel *c;
/* There are no free slots. Take last+1 slot and expand the array. */
found = channels_alloc;
channels_alloc += 10;
- debug("channel: expanding %d", channels_alloc);
+ debug2("channel: expanding %d", channels_alloc);
channels = xrealloc(channels, channels_alloc * sizeof(Channel));
for (i = found; i < channels_alloc; i++)
channels[i].type = SSH_CHANNEL_FREE;
buffer_init(&c->output);
buffer_init(&c->extended);
chan_init_iostates(c);
- channel_register_fds(c, rfd, wfd, efd, extusage);
+ channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
c->self = found;
c->type = type;
c->ctype = ctype;
c->cb_arg = NULL;
c->cb_event = 0;
c->dettach_user = NULL;
+ c->input_filter = NULL;
debug("channel %d: new [%s]", found, remote_name);
return found;
}
int
channel_allocate(int type, int sock, char *remote_name)
{
- return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name);
+ return channel_new("", type, sock, sock, -1, 0, 0, 0, remote_name, 1);
}
channel_free(int id)
{
Channel *c = channel_lookup(id);
+ char *s = channel_open_message();
+
if (c == NULL)
packet_disconnect("channel free: bad local channel %d", id);
- debug("channel_free: channel %d: status: %s", id, channel_open_message());
+ debug("channel_free: channel %d: status: %s", id, s);
+ xfree(s);
+
if (c->dettach_user != NULL) {
debug("channel_free: channel %d: dettaching channel user", id);
c->dettach_user(c->self, NULL);
FD_SET(c->sock, readset);
}
+void
+channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset)
+{
+ debug3("channel %d: waiting for connection", c->self);
+ FD_SET(c->sock, writeset);
+}
+
void
channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
{
int
x11_open_helper(Channel *c)
{
- unsigned char *ucp;
- unsigned int proto_len, data_len;
+ u_char *ucp;
+ u_int proto_len, data_len;
/* Check if the fixed size part of the packet is in buffer. */
if (buffer_len(&c->output) < 12)
return 0;
/* Parse the lengths of variable-length fields. */
- ucp = (unsigned char *) buffer_ptr(&c->output);
+ ucp = (u_char *) buffer_ptr(&c->output);
if (ucp[0] == 0x42) { /* Byte order MSB first. */
proto_len = 256 * ucp[6] + ucp[7];
data_len = 256 * ucp[8] + ucp[9];
struct sockaddr addr;
int newsock, newch;
socklen_t addrlen;
- char buf[16384], *remote_hostname;
+ char buf[16384], *remote_ipaddr;
int remote_port;
if (FD_ISSET(c->sock, readset)) {
error("accept: %.100s", strerror(errno));
return;
}
- remote_hostname = get_remote_hostname(newsock);
+ remote_ipaddr = get_peer_ipaddr(newsock);
remote_port = get_peer_port(newsock);
snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
- remote_hostname, remote_port);
+ remote_ipaddr, remote_port);
newch = channel_new("x11",
SSH_CHANNEL_OPENING, newsock, newsock, -1,
c->local_window_max, c->local_maxpacket,
- 0, xstrdup(buf));
+ 0, xstrdup(buf), 1);
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("x11");
packet_put_int(newch);
packet_put_int(c->local_window_max);
packet_put_int(c->local_maxpacket);
- /* originator host and port */
- packet_put_cstring(remote_hostname);
+ /* originator ipaddr and port */
+ packet_put_cstring(remote_ipaddr);
if (datafellows & SSH_BUG_X11FWD) {
debug("ssh2 x11 bug compat mode");
} else {
packet_put_string(buf, strlen(buf));
packet_send();
}
- xfree(remote_hostname);
+ xfree(remote_ipaddr);
}
}
struct sockaddr addr;
int newsock, newch;
socklen_t addrlen;
- char buf[1024], *remote_hostname;
+ char buf[1024], *remote_ipaddr, *rtype;
int remote_port;
+ rtype = (c->type == SSH_CHANNEL_RPORT_LISTENER) ?
+ "forwarded-tcpip" : "direct-tcpip";
+
if (FD_ISSET(c->sock, readset)) {
debug("Connection to port %d forwarding "
"to %.100s port %d requested.",
error("accept: %.100s", strerror(errno));
return;
}
- remote_hostname = get_remote_hostname(newsock);
+ remote_ipaddr = get_peer_ipaddr(newsock);
remote_port = get_peer_port(newsock);
snprintf(buf, sizeof buf,
"listen port %d for %.100s port %d, "
"connect from %.200s port %d",
c->listening_port, c->path, c->host_port,
- remote_hostname, remote_port);
- newch = channel_new("direct-tcpip",
+ remote_ipaddr, remote_port);
+
+ newch = channel_new(rtype,
SSH_CHANNEL_OPENING, newsock, newsock, -1,
c->local_window_max, c->local_maxpacket,
- 0, xstrdup(buf));
+ 0, xstrdup(buf), 1);
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
- packet_put_cstring("direct-tcpip");
+ packet_put_cstring(rtype);
packet_put_int(newch);
packet_put_int(c->local_window_max);
packet_put_int(c->local_maxpacket);
- /* target host and port */
- packet_put_string(c->path, strlen(c->path));
- packet_put_int(c->host_port);
+ if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
+ /* listen address, port */
+ packet_put_string(c->path, strlen(c->path));
+ packet_put_int(c->listening_port);
+ } else {
+ /* target host, port */
+ packet_put_string(c->path, strlen(c->path));
+ packet_put_int(c->host_port);
+ }
/* originator host and port */
- packet_put_cstring(remote_hostname);
+ packet_put_cstring(remote_ipaddr);
packet_put_int(remote_port);
packet_send();
} else {
}
packet_send();
}
- xfree(remote_hostname);
+ xfree(remote_ipaddr);
}
}
error("accept from auth socket: %.100s", strerror(errno));
return;
}
- newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
- xstrdup("accepted auth socket"));
- packet_start(SSH_SMSG_AGENT_OPEN);
- packet_put_int(newch);
+ newch = channel_new("accepted auth socket",
+ SSH_CHANNEL_OPENING, newsock, newsock, -1,
+ c->local_window_max, c->local_maxpacket,
+ 0, xstrdup("accepted auth socket"), 1);
+ if (compat20) {
+ packet_start(SSH2_MSG_CHANNEL_OPEN);
+ packet_put_cstring("auth-agent@openssh.com");
+ packet_put_int(newch);
+ packet_put_int(c->local_window_max);
+ packet_put_int(c->local_maxpacket);
+ } else {
+ packet_start(SSH_SMSG_AGENT_OPEN);
+ packet_put_int(newch);
+ }
packet_send();
}
}
+void
+channel_post_connecting(Channel *c, fd_set * readset, fd_set * writeset)
+{
+ if (FD_ISSET(c->sock, writeset)) {
+ int err = 0;
+ int sz = sizeof(err);
+ c->type = SSH_CHANNEL_OPEN;
+ if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, (char *)&err, &sz) < 0) {
+ debug("getsockopt SO_ERROR failed");
+ } else {
+ if (err == 0) {
+ debug("channel %d: connected)", c->self);
+ } else {
+ debug("channel %d: not connected: %s",
+ c->self, strerror(err));
+ chan_read_failed(c);
+ chan_write_failed(c);
+ }
+ }
+ }
+}
+
int
channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
{
}
return -1;
}
- buffer_append(&c->input, buf, len);
+ if(c->input_filter != NULL) {
+ if (c->input_filter(c, buf, len) == -1) {
+ debug("filter stops channel %d", c->self);
+ chan_read_failed(c);
+ }
+ } else {
+ buffer_append(&c->input, buf, len);
+ }
}
return 1;
}
buffer_len(&c->extended) > 0) {
len = write(c->efd, buffer_ptr(&c->extended),
buffer_len(&c->extended));
- debug("channel %d: written %d to efd %d",
+ debug2("channel %d: written %d to efd %d",
c->self, len, c->efd);
if (len > 0) {
buffer_consume(&c->extended, len);
} else if (c->extended_usage == CHAN_EXTENDED_READ &&
FD_ISSET(c->efd, readset)) {
len = read(c->efd, buf, sizeof(buf));
- debug("channel %d: read %d from efd %d",
+ debug2("channel %d: read %d from efd %d",
c->self, len, c->efd);
if (len == 0) {
debug("channel %d: closing efd %d",
packet_put_int(c->remote_id);
packet_put_int(c->local_consumed);
packet_send();
- debug("channel %d: window %d sent adjust %d",
+ debug2("channel %d: window %d sent adjust %d",
c->self, c->local_window,
c->local_consumed);
c->local_window += c->local_consumed;
channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20;
channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
+ channel_pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
+ channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
+ channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2;
channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
+ channel_post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
+ channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
+ channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
}
void
channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
channel_pre[SSH_CHANNEL_INPUT_DRAINING] = &channel_pre_input_draining;
channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_pre_output_draining;
+ channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
channel_post[SSH_CHANNEL_OUTPUT_DRAINING] = &channel_post_output_drain_13;
+ channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
}
void
channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
channel_pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
+ channel_pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
channel_post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_1;
+ channel_post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
}
void
}
void
-channel_prepare_select(fd_set * readset, fd_set * writeset)
+channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp)
{
- channel_handler(channel_pre, readset, writeset);
+ int n;
+ u_int sz;
+
+ n = MAX(*maxfdp, channel_max_fd);
+
+ sz = howmany(n+1, NFDBITS) * sizeof(fd_mask);
+ if (*readsetp == NULL || n > *maxfdp) {
+ if (*readsetp)
+ xfree(*readsetp);
+ if (*writesetp)
+ xfree(*writesetp);
+ *readsetp = xmalloc(sz);
+ *writesetp = xmalloc(sz);
+ *maxfdp = n;
+ }
+ memset(*readsetp, 0, sz);
+ memset(*writesetp, 0, sz);
+
+ channel_handler(channel_pre, *readsetp, *writesetp);
}
void
channel_handler(channel_post, readset, writeset);
}
-/* If there is data to send to the connection, send some of it now. */
+/* If there is data to send to the connection, enqueue some of it now. */
void
channel_output_poll()
*/
void
-channel_input_data(int type, int plen)
+channel_input_data(int type, int plen, void *ctxt)
{
int id;
char *data;
- unsigned int data_len;
+ u_int data_len;
Channel *c;
/* Get the channel number and verify it. */
xfree(data);
}
void
-channel_input_extended_data(int type, int plen)
+channel_input_extended_data(int type, int plen, void *ctxt)
{
int id;
int tcode;
char *data;
- unsigned int data_len;
+ u_int data_len;
Channel *c;
/* Get the channel number and verify it. */
xfree(data);
return;
}
- debug("channel %d: rcvd ext data %d", c->self, data_len);
+ debug2("channel %d: rcvd ext data %d", c->self, data_len);
c->local_window -= data_len;
buffer_append(&c->extended, data, data_len);
xfree(data);
int
channel_not_very_much_buffered_data()
{
- unsigned int i;
+ u_int i;
Channel *c;
for (i = 0; i < channels_alloc; i++) {
}
void
-channel_input_ieof(int type, int plen)
+channel_input_ieof(int type, int plen, void *ctxt)
{
int id;
Channel *c;
}
void
-channel_input_close(int type, int plen)
+channel_input_close(int type, int plen, void *ctxt)
{
int id;
Channel *c;
/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
void
-channel_input_oclose(int type, int plen)
+channel_input_oclose(int type, int plen, void *ctxt)
{
int id = packet_get_int();
Channel *c = channel_lookup(id);
}
void
-channel_input_close_confirmation(int type, int plen)
+channel_input_close_confirmation(int type, int plen, void *ctxt)
{
int id = packet_get_int();
Channel *c = channel_lookup(id);
}
void
-channel_input_open_confirmation(int type, int plen)
+channel_input_open_confirmation(int type, int plen, void *ctxt)
{
int id, remote_id;
Channel *c;
c->remote_maxpacket = packet_get_int();
packet_done();
if (c->cb_fn != NULL && c->cb_event == type) {
- debug("callback start");
+ debug2("callback start");
c->cb_fn(c->self, c->cb_arg);
- debug("callback done");
+ debug2("callback done");
}
debug("channel %d: open confirm rwindow %d rmax %d", c->self,
c->remote_window, c->remote_maxpacket);
}
void
-channel_input_open_failure(int type, int plen)
+channel_input_open_failure(int type, int plen, void *ctxt)
{
- int id;
+ int id, reason;
+ char *msg = NULL, *lang = NULL;
Channel *c;
if (!compat20)
packet_disconnect("Received open failure for "
"non-opening channel %d.", id);
if (compat20) {
- int reason = packet_get_int();
- char *msg = packet_get_string(NULL);
- char *lang = packet_get_string(NULL);
- log("channel_open_failure: %d: reason %d: %s", id, reason, msg);
+ reason = packet_get_int();
+ if (packet_remaining() > 0) {
+ msg = packet_get_string(NULL);
+ lang = packet_get_string(NULL);
+ }
packet_done();
- xfree(msg);
- xfree(lang);
+ log("channel_open_failure: %d: reason %d %s", id,
+ reason, msg ? msg : "<no additional info>");
+ if (msg != NULL)
+ xfree(msg);
+ if (lang != NULL)
+ xfree(lang);
}
/* Free the channel. This will also close the socket. */
channel_free(id);
}
void
-channel_input_channel_request(int type, int plen)
+channel_input_channel_request(int type, int plen, void *ctxt)
{
int id;
Channel *c;
packet_disconnect("Received request for "
"non-open channel %d.", id);
if (c->cb_fn != NULL && c->cb_event == type) {
- debug("callback start");
+ debug2("callback start");
c->cb_fn(c->self, c->cb_arg);
- debug("callback done");
+ debug2("callback done");
} else {
char *service = packet_get_string(NULL);
debug("channel: %d rcvd request for %s", c->self, service);
-debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
+ debug("cb_fn %p cb_event %d", c->cb_fn , c->cb_event);
xfree(service);
}
}
void
-channel_input_window_adjust(int type, int plen)
+channel_input_window_adjust(int type, int plen, void *ctxt)
{
Channel *c;
int id, adjust;
}
adjust = packet_get_int();
packet_done();
- debug("channel %d: rcvd adjust %d", id, adjust);
+ debug2("channel %d: rcvd adjust %d", id, adjust);
c->remote_window += adjust;
}
switch (channels[i].type) {
case SSH_CHANNEL_AUTH_SOCKET:
close(channels[i].sock);
- remove(channels[i].path);
+ unlink(channels[i].path);
channel_free(i);
break;
case SSH_CHANNEL_PORT_LISTENER:
+ case SSH_CHANNEL_RPORT_LISTENER:
case SSH_CHANNEL_X11_LISTENER:
close(channels[i].sock);
channel_free(i);
channel_close_fds(&channels[i]);
}
-/* Returns the maximum file descriptor number used by the channels. */
-
-int
-channel_max_fd()
-{
- return channel_max_fd_value;
-}
-
/* Returns true if any channel is still open. */
int
channel_still_open()
{
- unsigned int i;
+ u_int i;
for (i = 0; i < channels_alloc; i++)
switch (channels[i].type) {
case SSH_CHANNEL_FREE:
case SSH_CHANNEL_X11_LISTENER:
case SSH_CHANNEL_PORT_LISTENER:
+ case SSH_CHANNEL_RPORT_LISTENER:
case SSH_CHANNEL_CLOSED:
case SSH_CHANNEL_AUTH_SOCKET:
+ case SSH_CHANNEL_CONNECTING: /* XXX ??? */
continue;
case SSH_CHANNEL_LARVAL:
if (!compat20)
case SSH_CHANNEL_FREE:
case SSH_CHANNEL_X11_LISTENER:
case SSH_CHANNEL_PORT_LISTENER:
+ case SSH_CHANNEL_RPORT_LISTENER:
case SSH_CHANNEL_CLOSED:
case SSH_CHANNEL_AUTH_SOCKET:
continue;
case SSH_CHANNEL_LARVAL:
case SSH_CHANNEL_OPENING:
+ case SSH_CHANNEL_CONNECTING:
case SSH_CHANNEL_OPEN:
case SSH_CHANNEL_X11_OPEN:
case SSH_CHANNEL_INPUT_DRAINING:
* Initiate forwarding of connections to local port "port" through the secure
* channel to host:port from remote side.
*/
+int
+channel_request_local_forwarding(u_short listen_port, const char *host_to_connect,
+ u_short port_to_connect, int gateway_ports)
+{
+ return channel_request_forwarding(
+ NULL, listen_port,
+ host_to_connect, port_to_connect,
+ gateway_ports, /*remote_fwd*/ 0);
+}
-void
-channel_request_local_forwarding(u_short port, const char *host,
- u_short host_port, int gateway_ports)
+/*
+ * If 'remote_fwd' is true we have a '-R style' listener for protocol 2
+ * (SSH_CHANNEL_RPORT_LISTENER).
+ */
+int
+channel_request_forwarding(
+ const char *listen_address, u_short listen_port,
+ const char *host_to_connect, u_short port_to_connect,
+ int gateway_ports, int remote_fwd)
{
- int success, ch, sock, on = 1;
+ int success, ch, sock, on = 1, ctype;
struct addrinfo hints, *ai, *aitop;
char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+ const char *host;
struct linger linger;
- if (strlen(host) > sizeof(channels[0].path) - 1)
- packet_disconnect("Forward host name too long.");
+ success = 0;
+ if (remote_fwd) {
+ host = listen_address;
+ ctype = SSH_CHANNEL_RPORT_LISTENER;
+ } else {
+ host = host_to_connect;
+ ctype =SSH_CHANNEL_PORT_LISTENER;
+ }
+
+ if (strlen(host) > sizeof(channels[0].path) - 1) {
+ error("Forward host name too long.");
+ return success;
+ }
+
+ /* XXX listen_address is currently ignored */
/*
* getaddrinfo returns a loopback address if the hostname is
* set to NULL and hints.ai_flags is not AI_PASSIVE
hints.ai_family = IPv4or6;
hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;
hints.ai_socktype = SOCK_STREAM;
- snprintf(strport, sizeof strport, "%d", port);
+ snprintf(strport, sizeof strport, "%d", listen_port);
if (getaddrinfo(NULL, strport, &hints, &aitop) != 0)
packet_disconnect("getaddrinfo: fatal error");
- success = 0;
for (ai = aitop; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
continue;
if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
- error("channel_request_local_forwarding: getnameinfo failed");
+ error("channel_request_forwarding: getnameinfo failed");
continue;
}
/* Create a port to listen for the host. */
error("bind: %.100s", strerror(errno));
else
verbose("bind: %.100s", strerror(errno));
-
+
close(sock);
continue;
}
continue;
}
/* Allocate a channel number for the socket. */
- ch = channel_new(
- "port listener", SSH_CHANNEL_PORT_LISTENER,
- sock, sock, -1,
+ ch = channel_new("port listener", ctype, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, xstrdup("port listener"));
+ 0, xstrdup("port listener"), 1);
strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
- channels[ch].host_port = host_port;
- channels[ch].listening_port = port;
+ channels[ch].host_port = port_to_connect;
+ channels[ch].listening_port = listen_port;
success = 1;
}
if (success == 0)
- packet_disconnect("cannot listen port: %d", port);
+ error("channel_request_forwarding: cannot listen to port: %d",
+ listen_port);
freeaddrinfo(aitop);
+ return success;
}
/*
*/
void
-channel_request_remote_forwarding(u_short listen_port, const char *host_to_connect,
- u_short port_to_connect)
+channel_request_remote_forwarding(u_short listen_port,
+ const char *host_to_connect, u_short port_to_connect)
{
- int payload_len;
+ int payload_len, type, success = 0;
+
/* Record locally that connection to this host/port is permitted. */
if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION)
fatal("channel_request_remote_forwarding: too many forwards");
- permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
- permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
- permitted_opens[num_permitted_opens].listen_port = listen_port;
- num_permitted_opens++;
-
/* Send the forward request to the remote side. */
if (compat20) {
const char *address_to_bind = "0.0.0.0";
packet_put_char(0); /* boolean: want reply */
packet_put_cstring(address_to_bind);
packet_put_int(listen_port);
+ packet_send();
+ packet_write_wait();
+ /* Assume that server accepts the request */
+ success = 1;
} else {
packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
packet_put_int(listen_port);
packet_put_int(port_to_connect);
packet_send();
packet_write_wait();
- /*
- * Wait for response from the remote side. It will send a disconnect
- * message on failure, and we will never see it here.
- */
- packet_read_expect(&payload_len, SSH_SMSG_SUCCESS);
+
+ /* Wait for response from the remote side. */
+ type = packet_read(&payload_len);
+ switch (type) {
+ case SSH_SMSG_SUCCESS:
+ success = 1;
+ break;
+ case SSH_SMSG_FAILURE:
+ log("Warning: Server denied remote port forwarding.");
+ break;
+ default:
+ /* Unknown packet */
+ packet_disconnect("Protocol error for port forward request:"
+ "received packet type %d.", type);
+ }
+ }
+ if (success) {
+ permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
+ permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
+ permitted_opens[num_permitted_opens].listen_port = listen_port;
+ num_permitted_opens++;
}
}
hostname = packet_get_string(NULL);
host_port = packet_get_int();
+#ifndef HAVE_CYGWIN
/*
* Check that an unprivileged user is not trying to forward a
* privileged port.
if (port < IPPORT_RESERVED && !is_root)
packet_disconnect("Requested forwarding of port %d but user is not root.",
port);
- /*
- * Initiate forwarding,
- */
+#endif
+ /* Initiate forwarding */
channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
/* Free the argument string. */
error("socket: %.100s", strerror(errno));
continue;
}
+ if (fcntl(sock, F_SETFL, O_NONBLOCK) < 0)
+ fatal("connect_to: F_SETFL: %s", strerror(errno));
/* Connect to the host/port. */
- if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
+ if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
+ errno != EINPROGRESS) {
error("connect %.100s port %s: %.100s", ntop, strport,
strerror(errno));
close(sock);
- continue; /* fail -- try next */
+ continue; /* fail -- try next */
}
break; /* success */
}
freeaddrinfo(aitop);
if (!ai) {
- error("connect %.100s port %d: failed.", host, host_port);
+ error("connect %.100s port %d: failed.", host, host_port);
return -1;
}
/* success */
return sock;
}
+int
+channel_connect_by_listen_adress(u_short listen_port)
+{
+ int i;
+ for (i = 0; i < num_permitted_opens; i++)
+ if (permitted_opens[i].listen_port == listen_port)
+ return channel_connect_to(
+ permitted_opens[i].host_to_connect,
+ permitted_opens[i].port_to_connect);
+ error("WARNING: Server requests forwarding for unknown listen_port %d",
+ listen_port);
+ return -1;
+}
/*
* This is called after receiving PORT_OPEN message. This attempts to
*/
void
-channel_input_port_open(int type, int plen)
+channel_input_port_open(int type, int plen, void *ctxt)
{
u_short host_port;
char *host, *originator_string;
int remote_channel, sock = -1, newch, i, denied;
- unsigned int host_len, originator_len;
+ u_int host_len, originator_len;
/* Get remote channel number. */
remote_channel = packet_get_int();
sock = denied ? -1 : channel_connect_to(host, host_port);
if (sock > 0) {
/* Allocate a channel for this connection. */
- newch = channel_allocate(SSH_CHANNEL_OPEN, sock, originator_string);
+ newch = channel_allocate(SSH_CHANNEL_CONNECTING,
+ sock, originator_string);
+/*XXX delay answer? */
channels[newch].remote_id = remote_channel;
packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
continue;
sock = socket(ai->ai_family, SOCK_STREAM, 0);
if (sock < 0) {
- if (errno != EINVAL) {
+ if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
error("socket: %.100s", strerror(errno));
return NULL;
} else {
- debug("Socket family %d not supported [X11 disp create]", ai->ai_family);
+ debug("x11_create_display_inet: Socket family %d not supported",
+ ai->ai_family);
continue;
}
}
break;
#endif
}
+ freeaddrinfo(aitop);
if (num_socks > 0)
break;
}
}
/* Set up a suitable value for the DISPLAY variable. */
-
if (gethostname(hostname, sizeof(hostname)) < 0)
fatal("gethostname: %.100s", strerror(errno));
#ifdef IPADDR_IN_DISPLAY
- /*
+ /*
* HPUX detects the local hostname in the DISPLAY variable and tries
* to set up a shared memory connection to the server, which it
* incorrectly supposes to be local.
memcpy(&my_addr, he->h_addr_list[0], sizeof(struct in_addr));
/* Set DISPLAY to <ip address>:screen.display */
- snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr),
- display_number, screen_number);
+ snprintf(display, sizeof(display), "%.50s:%d.%d", inet_ntoa(my_addr),
+ display_number, screen_number);
}
#else /* IPADDR_IN_DISPLAY */
/* Just set DISPLAY to hostname:screen.display */
snprintf(display, sizeof display, "%.400s:%d.%d", hostname,
- display_number, screen_number);
+ display_number, screen_number);
#endif /* IPADDR_IN_DISPLAY */
/* Allocate a channel for each socket. */
(void) channel_new("x11 listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, xstrdup("X11 inet listener"));
+ 0, xstrdup("X11 inet listener"), 1);
}
/* Return a suitable value for the DISPLAY environment variable. */
static
int
-connect_local_xsocket(unsigned int dnr)
+connect_local_xsocket(u_int dnr)
{
static const char *const x_sockets[] = {
X_UNIX_PATH "%u",
*/
void
-x11_input_open(int type, int plen)
+x11_input_open(int type, int plen, void *ctxt)
{
int remote_channel, sock = 0, newch;
char *remote_host;
- unsigned int remote_len;
+ u_int remote_len;
/* Get remote channel number. */
remote_channel = packet_get_int();
}
}
+/* dummy protocol handler that denies SSH-1 requests (agent/x11) */
+void
+deny_input_open(int type, int plen, void *ctxt)
+{
+ int rchan = packet_get_int();
+ switch(type){
+ case SSH_SMSG_AGENT_OPEN:
+ error("Warning: ssh server tried agent forwarding.");
+ break;
+ case SSH_SMSG_X11_OPEN:
+ error("Warning: ssh server tried X11 forwarding.");
+ break;
+ default:
+ error("deny_input_open: type %d plen %d", type, plen);
+ break;
+ }
+ error("Warning: this is probably a break in attempt by a malicious server.");
+ packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+ packet_put_int(rchan);
+ packet_send();
+}
+
/*
* Requests forwarding of X11 connections, generates fake authentication
* data, and enables authentication spoofing.
x11_request_forwarding_with_spoofing(int client_session_id,
const char *proto, const char *data)
{
- unsigned int data_len = (unsigned int) strlen(data) / 2;
- unsigned int i, value;
+ u_int data_len = (u_int) strlen(data) / 2;
+ u_int i, value;
char *new_data;
int screen_number;
const char *cp;
/* Convert the fake data into hex. */
new_data = xmalloc(2 * data_len + 1);
for (i = 0; i < data_len; i++)
- sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
+ sprintf(new_data + 2 * i, "%02x", (u_char) x11_fake_data[i]);
/* Send the request packet. */
if (compat20) {
void
cleanup_socket(void)
{
- remove(channel_forwarded_auth_socket_name);
+ unlink(channel_forwarded_auth_socket_name);
rmdir(channel_forwarded_auth_socket_dir);
}
packet_disconnect("listen: %.100s", strerror(errno));
/* Allocate a channel for the authentication agent socket. */
- newch = channel_allocate(SSH_CHANNEL_AUTH_SOCKET, sock,
- xstrdup("auth socket"));
+ newch = channel_new("auth socket",
+ SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
+ CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+ 0, xstrdup("auth socket"), 1);
+
strlcpy(channels[newch].path, channel_forwarded_auth_socket_name,
sizeof(channels[newch].path));
return 1;
/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
void
-auth_input_open_request(int type, int plen)
+auth_input_open_request(int type, int plen, void *ctxt)
{
int remch, sock, newch;
char *dummyname;
}
c->dettach_user = NULL;
}
+void
+channel_register_filter(int id, channel_filter_fn *fn)
+{
+ Channel *c = channel_lookup(id);
+ if (c == NULL) {
+ log("channel_register_filter: %d: bad id", id);
+ return;
+ }
+ c->input_filter = fn;
+}
void
-channel_set_fds(int id, int rfd, int wfd, int efd, int extusage)
+channel_set_fds(int id, int rfd, int wfd, int efd,
+ int extusage, int nonblock)
{
Channel *c = channel_lookup(id);
if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
fatal("channel_activate for non-larval channel %d.", id);
-
- channel_register_fds(c, rfd, wfd, efd, extusage);
+ channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
c->type = SSH_CHANNEL_OPEN;
/* XXX window size? */
- c->local_window = c->local_window_max = c->local_maxpacket/2;
+ c->local_window = c->local_window_max = c->local_maxpacket * 2;
packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
packet_put_int(c->remote_id);
packet_put_int(c->local_window);