*/
#include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.187 2003/03/05 22:33:43 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.201 2004/05/11 19:01:43 deraadt Exp $");
#include "ssh.h"
#include "ssh1.h"
#include "key.h"
#include "authfd.h"
#include "pathnames.h"
-
+#include "bufaux.h"
/* -- channel core */
/* XXX ugly hack: nonblock is only set by the server */
if (nonblock && isatty(c->rfd)) {
- debug("channel %d: rfd %d isatty", c->self, c->rfd);
+ debug2("channel %d: rfd %d isatty", c->self, c->rfd);
c->isatty = 1;
if (!isatty(c->wfd)) {
error("channel %d: wfd %d is not a tty?",
channels = xmalloc(channels_alloc * sizeof(Channel *));
for (i = 0; i < channels_alloc; i++)
channels[i] = NULL;
- fatal_add_cleanup((void (*) (void *)) channel_free_all, NULL);
}
/* Try to find a free slot where to put the new channel. */
for (found = -1, i = 0; i < channels_alloc; i++)
if (found == -1) {
/* There are no free slots. Take last+1 slot and expand the array. */
found = channels_alloc;
- channels_alloc += 10;
if (channels_alloc > 10000)
fatal("channel_new: internal error: channels_alloc %d "
"too big.", channels_alloc);
+ channels = xrealloc(channels,
+ (channels_alloc + 10) * sizeof(Channel *));
+ channels_alloc += 10;
debug2("channel: expanding %d", channels_alloc);
- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
for (i = found; i < channels_alloc; i++)
channels[i] = NULL;
}
c->local_consumed = 0;
c->local_maxpacket = maxpack;
c->remote_id = -1;
- c->remote_name = remote_name;
+ c->remote_name = xstrdup(remote_name);
c->remote_window = 0;
c->remote_maxpacket = 0;
c->force_drain = 0;
static void
channel_close_fds(Channel *c)
{
- debug3("channel_close_fds: channel %d: r %d w %d e %d",
+ debug3("channel %d: close_fds r %d w %d e %d",
c->self, c->rfd, c->wfd, c->efd);
channel_close_fd(&c->sock);
for (n = 0, i = 0; i < channels_alloc; i++)
if (channels[i])
n++;
- debug("channel_free: channel %d: %s, nchannels %d", c->self,
+ debug("channel %d: free: %s, nchannels %d", c->self,
c->remote_name ? c->remote_name : "???", n);
s = channel_open_message();
- debug3("channel_free: status: %s", s);
+ debug3("channel %d: status: %s", c->self, s);
xfree(s);
if (c->sock != -1)
}
#endif
if (buffer_len(&c->output) > packet_get_maxsize()) {
- debug2("channel %d: big output buffer %d > %d",
+ debug2("channel %d: big output buffer %u > %u",
c->self, buffer_len(&c->output),
packet_get_maxsize());
return 0;
logit("channel_request_start: %d: unknown channel id", id);
return;
}
- debug("channel %d: request %s", id, service) ;
+ debug2("channel %d: request %s", id, service) ;
packet_start(SSH2_MSG_CHANNEL_REQUEST);
packet_put_int(c->remote_id);
packet_put_cstring(service);
packet_put_int(c->remote_id);
packet_send();
c->type = SSH_CHANNEL_CLOSED;
- debug("channel %d: closing after input drain.", c->self);
+ debug2("channel %d: closing after input drain.", c->self);
}
}
proto_len = ucp[6] + 256 * ucp[7];
data_len = ucp[8] + 256 * ucp[9];
} else {
- debug("Initial X11 packet contains bad byte order byte: 0x%x",
+ debug2("Initial X11 packet contains bad byte order byte: 0x%x",
ucp[0]);
return -1;
}
/* Check if authentication protocol matches. */
if (proto_len != strlen(x11_saved_proto) ||
memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
- debug("X11 connection uses different authentication protocol.");
+ debug2("X11 connection uses different authentication protocol.");
return -1;
}
/* Check if authentication data matches our fake data. */
if (data_len != x11_fake_data_len ||
memcmp(ucp + 12 + ((proto_len + 3) & ~3),
x11_fake_data, x11_fake_data_len) != 0) {
- debug("X11 auth data does not match fake data.");
+ debug2("X11 auth data does not match fake data.");
return -1;
}
/* Check fake data length */
channel_pre_open(c, readset, writeset);
} else if (ret == -1) {
logit("X11 connection rejected because of wrong authentication.");
- debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
+ debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
chan_read_failed(c);
buffer_clear(&c->input);
chan_ibuf_empty(c);
chan_write_failed(c);
else
c->type = SSH_CHANNEL_OPEN;
- debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
+ debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
}
}
strlcpy(c->path, host, sizeof(c->path));
c->host_port = ntohs(s4_req.dest_port);
- debug("channel %d: dynamic request: socks4 host %s port %u command %u",
+ debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
c->self, host, c->host_port, s4_req.command);
if (s4_req.command != 1) {
return 1;
}
+/* try to decode a socks5 header */
+#define SSH_SOCKS5_AUTHDONE 0x1000
+#define SSH_SOCKS5_NOAUTH 0x00
+#define SSH_SOCKS5_IPV4 0x01
+#define SSH_SOCKS5_DOMAIN 0x03
+#define SSH_SOCKS5_IPV6 0x04
+#define SSH_SOCKS5_CONNECT 0x01
+#define SSH_SOCKS5_SUCCESS 0x00
+
+static int
+channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
+{
+ struct {
+ u_int8_t version;
+ u_int8_t command;
+ u_int8_t reserved;
+ u_int8_t atyp;
+ } s5_req, s5_rsp;
+ u_int16_t dest_port;
+ u_char *p, dest_addr[255+1];
+ int i, have, found, nmethods, addrlen, af;
+
+ debug2("channel %d: decode socks5", c->self);
+ p = buffer_ptr(&c->input);
+ if (p[0] != 0x05)
+ return -1;
+ have = buffer_len(&c->input);
+ if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
+ /* format: ver | nmethods | methods */
+ if (have < 2)
+ return 0;
+ nmethods = p[1];
+ if (have < nmethods + 2)
+ return 0;
+ /* look for method: "NO AUTHENTICATION REQUIRED" */
+ for (found = 0, i = 2 ; i < nmethods + 2; i++) {
+ if (p[i] == SSH_SOCKS5_NOAUTH ) {
+ found = 1;
+ break;
+ }
+ }
+ if (!found) {
+ debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
+ c->self);
+ return -1;
+ }
+ buffer_consume(&c->input, nmethods + 2);
+ buffer_put_char(&c->output, 0x05); /* version */
+ buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH); /* method */
+ FD_SET(c->sock, writeset);
+ c->flags |= SSH_SOCKS5_AUTHDONE;
+ debug2("channel %d: socks5 auth done", c->self);
+ return 0; /* need more */
+ }
+ debug2("channel %d: socks5 post auth", c->self);
+ if (have < sizeof(s5_req)+1)
+ return 0; /* need more */
+ memcpy((char *)&s5_req, p, sizeof(s5_req));
+ if (s5_req.version != 0x05 ||
+ s5_req.command != SSH_SOCKS5_CONNECT ||
+ s5_req.reserved != 0x00) {
+ debug2("channel %d: only socks5 connect supported", c->self);
+ return -1;
+ }
+ switch(s5_req.atyp){
+ case SSH_SOCKS5_IPV4:
+ addrlen = 4;
+ af = AF_INET;
+ break;
+ case SSH_SOCKS5_DOMAIN:
+ addrlen = p[sizeof(s5_req)];
+ af = -1;
+ break;
+ case SSH_SOCKS5_IPV6:
+ addrlen = 16;
+ af = AF_INET6;
+ break;
+ default:
+ debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
+ return -1;
+ }
+ if (have < 4 + addrlen + 2)
+ return 0;
+ buffer_consume(&c->input, sizeof(s5_req));
+ if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
+ buffer_consume(&c->input, 1); /* host string length */
+ buffer_get(&c->input, (char *)&dest_addr, addrlen);
+ buffer_get(&c->input, (char *)&dest_port, 2);
+ dest_addr[addrlen] = '\0';
+ if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
+ strlcpy(c->path, (char *)dest_addr, sizeof(c->path));
+ else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL)
+ return -1;
+ c->host_port = ntohs(dest_port);
+
+ debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
+ c->self, c->path, c->host_port, s5_req.command);
+
+ s5_rsp.version = 0x05;
+ s5_rsp.command = SSH_SOCKS5_SUCCESS;
+ s5_rsp.reserved = 0; /* ignored */
+ s5_rsp.atyp = SSH_SOCKS5_IPV4;
+ ((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
+ dest_port = 0; /* ignored */
+
+ buffer_append(&c->output, (char *)&s5_rsp, sizeof(s5_rsp));
+ buffer_append(&c->output, (char *)&dest_addr, sizeof(struct in_addr));
+ buffer_append(&c->output, (char *)&dest_port, sizeof(dest_port));
+ return 1;
+}
+
/* dynamic port forwarding */
static void
channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset)
debug2("channel %d: pre_dynamic: have %d", c->self, have);
/* buffer_dump(&c->input); */
/* check if the fixed size part of the packet is in buffer. */
- if (have < 4) {
+ if (have < 3) {
/* need more */
FD_SET(c->sock, readset);
return;
case 0x04:
ret = channel_decode_socks4(c, readset, writeset);
break;
+ case 0x05:
+ ret = channel_decode_socks5(c, readset, writeset);
+ break;
default:
ret = -1;
break;
addrlen = sizeof(addr);
newsock = accept(c->sock, &addr, &addrlen);
if (c->single_connection) {
- debug("single_connection: closing X11 listener.");
+ debug2("single_connection: closing X11 listener.");
channel_close_fd(&c->sock);
chan_mark_dead(c);
}
nc = channel_new("accepted x11 socket",
SSH_CHANNEL_OPENING, newsock, newsock, -1,
- c->local_window_max, c->local_maxpacket,
- 0, xstrdup(buf), 1);
+ c->local_window_max, c->local_maxpacket, 0, buf, 1);
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("x11");
/* originator ipaddr and port */
packet_put_cstring(remote_ipaddr);
if (datafellows & SSH_BUG_X11FWD) {
- debug("ssh2 x11 bug compat mode");
+ debug2("ssh2 x11 bug compat mode");
} else {
packet_put_int(remote_port);
}
return;
}
set_nodelay(newsock);
- nc = channel_new(rtype,
- nextstate, newsock, newsock, -1,
- c->local_window_max, c->local_maxpacket,
- 0, xstrdup(rtype), 1);
+ nc = channel_new(rtype, nextstate, newsock, newsock, -1,
+ c->local_window_max, c->local_maxpacket, 0, rtype, 1);
nc->listening_port = c->listening_port;
nc->host_port = c->host_port;
strlcpy(nc->path, c->path, sizeof(nc->path));
channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
{
Channel *nc;
- char *name;
int newsock;
struct sockaddr addr;
socklen_t addrlen;
error("accept from auth socket: %.100s", strerror(errno));
return;
}
- name = xstrdup("accepted auth socket");
nc = channel_new("accepted auth socket",
SSH_CHANNEL_OPENING, newsock, newsock, -1,
c->local_window_max, c->local_maxpacket,
- 0, name, 1);
+ 0, "accepted auth socket", 1);
if (compat20) {
packet_start(SSH2_MSG_CHANNEL_OPEN);
packet_put_cstring("auth-agent@openssh.com");
if (len < 0 && (errno == EINTR || errno == EAGAIN))
return 1;
if (len <= 0) {
- debug("channel %d: read<=0 rfd %d len %d",
+ debug2("channel %d: read<=0 rfd %d len %d",
c->self, c->rfd, len);
if (c->type != SSH_CHANNEL_OPEN) {
- debug("channel %d: not open", c->self);
+ debug2("channel %d: not open", c->self);
chan_mark_dead(c);
return -1;
} else if (compat13) {
buffer_clear(&c->output);
c->type = SSH_CHANNEL_INPUT_DRAINING;
- debug("channel %d: input draining.", c->self);
+ debug2("channel %d: input draining.", c->self);
} else {
chan_read_failed(c);
}
}
if (c->input_filter != NULL) {
if (c->input_filter(c, buf, len) == -1) {
- debug("channel %d: filter stops", c->self);
+ debug2("channel %d: filter stops", c->self);
chan_read_failed(c);
}
} else {
data = buffer_ptr(&c->output);
dlen = buffer_len(&c->output);
#ifdef _AIX
- /* XXX: Later AIX versions can't push as much data to tty */
- if (compat20 && c->wfd_isatty && dlen > 8*1024)
- dlen = 8*1024;
+ /* XXX: Later AIX versions can't push as much data to tty */
+ if (compat20 && c->wfd_isatty)
+ dlen = MIN(dlen, 8*1024);
#endif
len = write(c->wfd, data, dlen);
if (len < 0 && (errno == EINTR || errno == EAGAIN))
return 1;
if (len <= 0) {
if (c->type != SSH_CHANNEL_OPEN) {
- debug("channel %d: not open", c->self);
+ debug2("channel %d: not open", c->self);
chan_mark_dead(c);
return -1;
} else if (compat13) {
buffer_clear(&c->output);
- debug("channel %d: input draining.", c->self);
+ debug2("channel %d: input draining.", c->self);
c->type = SSH_CHANNEL_INPUT_DRAINING;
} else {
chan_write_failed(c);
if (c->detach_user != NULL) {
if (!chan_is_dead(c, 0))
return;
- debug("channel %d: gc: notify user", c->self);
+ debug2("channel %d: gc: notify user", c->self);
c->detach_user(c->self, NULL);
/* if we still have a callback */
if (c->detach_user != NULL)
return;
- debug("channel %d: gc: user detached", c->self);
+ debug2("channel %d: gc: user detached", c->self);
}
if (!chan_is_dead(c, 1))
return;
- debug("channel %d: garbage collecting", c->self);
+ debug2("channel %d: garbage collecting", c->self);
channel_free(c);
}
c->type != SSH_CHANNEL_X11_OPEN)
return;
- /* same for protocol 1.5 if output end is no longer open */
- if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN)
- return;
-
/* Get the data. */
data = packet_get_string(&data_len);
+ /*
+ * Ignore data for protocol > 1.3 if output end is no longer open.
+ * For protocol 2 the sending side is reducing its window as it sends
+ * data, so we must 'fake' consumption of the data in order to ensure
+ * that window updates are sent back. Otherwise the connection might
+ * deadlock.
+ */
+ if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) {
+ if (compat20) {
+ c->local_window -= data_len;
+ c->local_consumed += data_len;
+ }
+ xfree(data);
+ return;
+ }
+
if (compat20) {
if (data_len > c->local_maxpacket) {
logit("channel %d: rcvd big packet %d, maxpack %d",
c->confirm(c->self, NULL);
debug2("callback done");
}
- debug("channel %d: open confirm rwindow %u rmax %u", c->self,
+ debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
c->remote_window, c->remote_maxpacket);
}
packet_check_eom();
originator_string, 1);
c->remote_id = remote_id;
}
+ xfree(originator_string);
if (c == NULL) {
- xfree(originator_string);
packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(remote_id);
packet_send();
continue;
}
/* Create a port to listen for the host. */
- sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
/* this is no error since kernel may not support ipv6 */
verbose("socket: %.100s", strerror(errno));
continue;
}
/* Start listening for connections on the socket. */
- if (listen(sock, 5) < 0) {
+ if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
error("listen: %.100s", strerror(errno));
close(sock);
continue;
/* Allocate a channel number for the socket. */
c = channel_new("port listener", type, sock, sock, -1,
CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 0, xstrdup("port listener"), 1);
+ 0, "port listener", 1);
strlcpy(c->path, host, sizeof(c->path));
c->host_port = port_to_connect;
c->listening_port = listen_port;
* privileged port.
*/
if (port < IPPORT_RESERVED && !is_root)
- packet_disconnect("Requested forwarding of port %d but user is not root.",
- port);
+ packet_disconnect(
+ "Requested forwarding of port %d but user is not root.",
+ port);
+ if (host_port == 0)
+ packet_disconnect("Dynamic forwarding denied.");
#endif
+
/* Initiate forwarding */
channel_setup_local_fwd_listener(port, hostname, host_port, gateway_ports);
error("connect_to: getnameinfo failed");
continue;
}
- sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
if (ai->ai_next == NULL)
error("socket: %.100s", strerror(errno));
for (ai = aitop; ai; ai = ai->ai_next) {
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
continue;
- sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ sock = socket(ai->ai_family, ai->ai_socktype,
+ ai->ai_protocol);
if (sock < 0) {
if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
error("socket: %.100s", strerror(errno));
}
#endif
if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- debug("bind port %d: %.100s", port, strerror(errno));
+ debug2("bind port %d: %.100s", port, strerror(errno));
close(sock);
if (ai->ai_next)
/* Start listening for connections on the socket. */
for (n = 0; n < num_socks; n++) {
sock = socks[n];
- if (listen(sock, 5) < 0) {
+ if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
error("listen: %.100s", strerror(errno));
close(sock);
return -1;
nc = channel_new("x11 listener",
SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 0, xstrdup("X11 inet listener"), 1);
+ 0, "X11 inet listener", 1);
nc->single_connection = single_connection;
}
}
for (ai = aitop; ai; ai = ai->ai_next) {
/* Create a socket. */
- sock = socket(ai->ai_family, SOCK_STREAM, 0);
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
if (sock < 0) {
- debug("socket: %.100s", strerror(errno));
+ debug2("socket: %.100s", strerror(errno));
continue;
}
/* Connect it to the display. */
if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
- debug("connect %.100s port %d: %.100s", buf,
+ debug2("connect %.100s port %d: %.100s", buf,
6000 + display_number, strerror(errno));
close(sock);
continue;
c->remote_id = remote_id;
c->force_drain = 1;
}
+ xfree(remote_host);
if (c == NULL) {
/* Send refusal to the remote host. */
packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
packet_put_int(remote_id);
- xfree(remote_host);
} else {
/* Send a confirmation to the remote host. */
packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
packet_send();
packet_write_wait();
}
-
-/* This is called to process an SSH_SMSG_AGENT_OPEN message. */
-
-void
-auth_input_open_request(int type, u_int32_t seq, void *ctxt)
-{
- Channel *c = NULL;
- int remote_id, sock;
- char *name;
-
- /* Read the remote channel number from the message. */
- remote_id = packet_get_int();
- packet_check_eom();
-
- /*
- * Get a connection to the local authentication agent (this may again
- * get forwarded).
- */
- sock = ssh_get_authentication_socket();
-
- /*
- * If we could not connect the agent, send an error message back to
- * the server. This should never happen unless the agent dies,
- * because authentication forwarding is only enabled if we have an
- * agent.
- */
- if (sock >= 0) {
- name = xstrdup("authentication agent connection");
- c = channel_new("", SSH_CHANNEL_OPEN, sock, sock,
- -1, 0, 0, 0, name, 1);
- c->remote_id = remote_id;
- c->force_drain = 1;
- }
- if (c == NULL) {
- packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
- packet_put_int(remote_id);
- } else {
- /* Send a confirmation to the remote host. */
- debug("Forwarding authentication connection.");
- packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
- packet_put_int(remote_id);
- packet_put_int(c->self);
- }
- packet_send();
-}