1 /* 2 * Author: Tatu Ylonen <ylo (at) cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo (at) cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * This file contains functions for generic socket connection forwarding. 6 * There is also code for initiating connection forwarding for X11 connections, 7 * arbitrary tcp/ip connections, and the authentication agent connection. 8 * 9 * As far as I am concerned, the code I have written for this software 10 * can be used freely for any purpose. Any derived versions of this 11 * software must be clearly marked as such, and if the derived work is 12 * incompatible with the protocol description in the RFC file, it must be 13 * called by a name other than "ssh" or "Secure Shell". 14 * 15 * SSH2 support added by Markus Friedl. 16 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. 17 * Copyright (c) 1999 Dug Song. All rights reserved. 18 * Copyright (c) 1999 Theo de Raadt. All rights reserved. 19 * 20 * Redistribution and use in source and binary forms, with or without 21 * modification, are permitted provided that the following conditions 22 * are met: 23 * 1. Redistributions of source code must retain the above copyright 24 * notice, this list of conditions and the following disclaimer. 25 * 2. Redistributions in binary form must reproduce the above copyright 26 * notice, this list of conditions and the following disclaimer in the 27 * documentation and/or other materials provided with the distribution. 28 * 29 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 30 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 31 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
32 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 33 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 34 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 35 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 36 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 37 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 38 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 */ 40 /* 41 * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 42 * Use is subject to license terms. 43 */ 44 45 #include "includes.h" 46 RCSID("$OpenBSD: channels.c,v 1.183 2002/09/17 07:47:02 itojun Exp $"); 47 48 #pragma ident "%Z%%M% %I% %E% SMI" 49 50 #include "ssh.h" 51 #include "ssh1.h" 52 #include "ssh2.h" 53 #include "packet.h" 54 #include "xmalloc.h" 55 #include "log.h" 56 #include "misc.h" 57 #include "channels.h" 58 #include "compat.h" 59 #include "canohost.h" 60 #include "key.h" 61 #include "authfd.h" 62 #include "pathnames.h" 63 #include "bufaux.h" 64 65 66 /* -- channel core */ 67 68 /* 69 * Pointer to an array containing all allocated channels. The array is 70 * dynamically extended as needed. 71 */ 72 static Channel **channels = NULL; 73 74 /* 75 * Size of the channel array. All slots of the array must always be 76 * initialized (at least the type field); unused slots set to NULL 77 */ 78 static int channels_alloc = 0; 79 80 /* 81 * Maximum file descriptor value used in any of the channels. This is 82 * updated in channel_new. 83 */ 84 static int channel_max_fd = 0; 85 86 87 /* -- tcp forwarding */ 88 89 /* 90 * Data structure for storing which hosts are permitted for forward requests. 91 * The local sides of any remote forwards are stored in this array to prevent 92 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local 93 * network (which might be behind a firewall). 
*/
/*
 * One entry of the remote-forward permission table: the (host, port) pair
 * the local side is allowed to connect to, and the port the remote side
 * was asked to listen on.
 */
typedef struct {
	char *host_to_connect;		/* Connect to 'host'. */
	u_short port_to_connect;	/* Connect to 'port'. */
	u_short listen_port;		/* Remote side should listen port number. */
} ForwardPermission;

/* List of all permitted host/port pairs to connect. */
static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];

/* Number of permitted host/port pairs in the array. */
static int num_permitted_opens = 0;
/*
 * If this is true, all opens are permitted. This is the case on the server
 * on which we have to trust the client anyway, and the user could do
 * anything after logging in anyway.
 */
static int all_opens_permitted = 0;


/* -- X11 forwarding */

/* Maximum number of fake X11 displays to try. */
#define MAX_DISPLAYS 1000

/* Saved X11 authentication protocol name. */
static char *x11_saved_proto = NULL;

/* Saved X11 authentication data. This is the real data. */
static char *x11_saved_data = NULL;
static u_int x11_saved_data_len = 0;

/*
 * Fake X11 authentication data. This is what the server will be sending us;
 * we should replace any occurrences of this by the real data.
*/
static u_char *x11_fake_data = NULL;
static u_int x11_fake_data_len;


/* -- agent forwarding */

#define NUM_SOCKS 10

/* AF_UNSPEC or AF_INET or AF_INET6 */
static int IPv4or6 = AF_UNSPEC;

/* helper */
static void port_open_helper(Channel *c, char *rtype);

/* -- channel core */

/*
 * Look up a channel by its local id.
 *
 * Returns the Channel, or NULL (after logging) when id is out of range or
 * the slot is free.  Callers must check for NULL; most wrappers below do.
 */
Channel *
channel_lookup(int id)
{
	Channel *c;

	if (id < 0 || id >= channels_alloc) {
		log("channel_lookup: %d: bad id", id);
		return NULL;
	}
	c = channels[id];
	if (c == NULL) {
		log("channel_lookup: %d: bad id: channel free", id);
		return NULL;
	}
	return c;
}

/*
 * Register filedescriptors for a channel, used when allocating a channel or
 * when the channel consumer/producer is ready, e.g. shell exec'd
 *
 * rfd/wfd/efd may be -1 (unused).  c->sock is set only when rfd and wfd
 * are the same descriptor, i.e. a bidirectional socket.  When nonblock is
 * set the valid descriptors are switched to non-blocking mode and the tty
 * flags are recorded; channel_max_fd is updated unconditionally.
 */

static void
channel_register_fds(Channel *c, int rfd, int wfd, int efd,
    int extusage, int nonblock)
{
	/* Update the maximum file descriptor value. */
	channel_max_fd = MAX(channel_max_fd, rfd);
	channel_max_fd = MAX(channel_max_fd, wfd);
	channel_max_fd = MAX(channel_max_fd, efd);

	/* XXX set close-on-exec -markus */

	c->rfd = rfd;
	c->wfd = wfd;
	c->sock = (rfd == wfd) ? rfd : -1;
	c->efd = efd;
	c->extended_usage = extusage;

	/* XXX ugly hack: nonblock is only set by the server */
	if (nonblock && isatty(c->rfd)) {
		debug("channel %d: rfd %d isatty", c->self, c->rfd);
		c->isatty = 1;
		if (!isatty(c->wfd)) {
			error("channel %d: wfd %d is not a tty?",
			    c->self, c->wfd);
		}
	} else {
		c->isatty = 0;
	}
	c->wfd_isatty = isatty(c->wfd);

	/* enable nonblocking mode */
	if (nonblock) {
		if (rfd != -1)
			set_nonblock(rfd);
		if (wfd != -1)
			set_nonblock(wfd);
		if (efd != -1)
			set_nonblock(efd);
	}
}

/*
 * Allocate a new channel object and set its type and socket. This will cause
 * remote_name to be freed.
*/

/*
 * The channel table grows in steps of 10 slots and is capped at a little
 * over 10000 entries (fatal beyond that).  The first call also registers
 * channel_free_all as a fatal() cleanup hook.
 *
 * Ownership: remote_name is stored in the channel and later freed by
 * channel_free; ctype is stored by pointer only and is not freed here.
 * Returns the new channel; its id is c->self.
 */

Channel *
channel_new(char *ctype, int type, int rfd, int wfd, int efd,
    u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
{
	int i, found;
	Channel *c;

	/* Do initial allocation if this is the first call. */
	if (channels_alloc == 0) {
		channels_alloc = 10;
		channels = xmalloc(channels_alloc * sizeof(Channel *));
		for (i = 0; i < channels_alloc; i++)
			channels[i] = NULL;
		fatal_add_cleanup((void (*) (void *)) channel_free_all, NULL);
	}
	/* Try to find a free slot where to put the new channel. */
	for (found = -1, i = 0; i < channels_alloc; i++)
		if (channels[i] == NULL) {
			/* Found a free slot. */
			found = i;
			break;
		}
	if (found == -1) {
		/* There are no free slots.  Take last+1 slot and expand the array. */
		found = channels_alloc;
		if (channels_alloc > 10000)
			fatal("channel_new: internal error: channels_alloc %d "
			    "too big.", channels_alloc);
		channels = xrealloc(channels,
		    (channels_alloc + 10) * sizeof(Channel *));
		channels_alloc += 10;
		debug2("channel: expanding %d", channels_alloc);
		for (i = found; i < channels_alloc; i++)
			channels[i] = NULL;
	}
	/* Initialize and return new channel. */
	c = channels[found] = xmalloc(sizeof(Channel));
	memset(c, 0, sizeof(Channel));
	buffer_init(&c->input);
	buffer_init(&c->output);
	buffer_init(&c->extended);
	c->ostate = CHAN_OUTPUT_OPEN;
	c->istate = CHAN_INPUT_OPEN;
	c->flags = 0;
	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
	c->self = found;
	c->type = type;
	c->ctype = ctype;
	c->local_window = window;
	c->local_window_max = window;
	c->local_consumed = 0;
	c->local_maxpacket = maxpack;
	c->remote_id = -1;
	c->remote_name = remote_name;
	c->remote_window = 0;
	c->remote_maxpacket = 0;
	c->force_drain = 0;
	c->single_connection = 0;
	c->detach_user = NULL;
	c->confirm = NULL;
	c->input_filter = NULL;
	debug("channel %d: new [%s]", found, remote_name);
	return c;
}

/*
 * Recompute the largest descriptor held by any live channel.  Used to
 * lower channel_max_fd after the descriptor that set it is closed.
 */
static int
channel_find_maxfd(void)
{
	int i, max = 0;
	Channel *c;

	for (i = 0; i < channels_alloc; i++) {
		c = channels[i];
		if (c != NULL) {
			max = MAX(max, c->rfd);
			max = MAX(max, c->wfd);
			max = MAX(max, c->efd);
		}
	}
	return max;
}

/*
 * Close *fdp if it is not -1 and reset it to -1 so it cannot be closed
 * twice.  Returns the close() result (0 when there was nothing to close).
 */
int
channel_close_fd(int *fdp)
{
	int ret = 0, fd = *fdp;

	if (fd != -1) {
		ret = close(fd);
		*fdp = -1;
		if (fd == channel_max_fd)
			channel_max_fd = channel_find_maxfd();
	}
	return ret;
}

/* Close all channel fd/socket. */

static void
channel_close_fds(Channel *c)
{
	debug3("channel_close_fds: channel %d: r %d w %d e %d",
	    c->self, c->rfd, c->wfd, c->efd);

	/*
	 * sock is closed first; when rfd/wfd alias the same descriptor
	 * channel_close_fd has already reset them to -1 ... no, it has not:
	 * each field is an independent int, so a shared descriptor number
	 * would be close()d again and the later calls return EBADF, which
	 * is ignored here.
	 */
	channel_close_fd(&c->sock);
	channel_close_fd(&c->rfd);
	channel_close_fd(&c->wfd);
	channel_close_fd(&c->efd);
}

/* Free the channel and close its fd/socket.
*/

/*
 * Tear down a channel: shut down and close its descriptors, release its
 * buffers and remote_name, clear its slot in the table and free it.
 * The channel pointer is invalid after this returns.
 */
void
channel_free(Channel *c)
{
	char *s;
	int i, n;

	/* n is only used for the debug message below. */
	for (n = 0, i = 0; i < channels_alloc; i++)
		if (channels[i])
			n++;
	debug("channel_free: channel %d: %s, nchannels %d", c->self,
	    c->remote_name ? c->remote_name : "???", n);

	s = channel_open_message();
	debug3("channel_free: status: %s", s);
	xfree(s);

	if (c->sock != -1)
		shutdown(c->sock, SHUT_RDWR);
	channel_close_fds(c);
	buffer_free(&c->input);
	buffer_free(&c->output);
	buffer_free(&c->extended);
	if (c->remote_name) {
		xfree(c->remote_name);
		c->remote_name = NULL;
	}
	channels[c->self] = NULL;
	xfree(c);
}

/* Free every allocated channel; also installed as a fatal() cleanup. */
void
channel_free_all(void)
{
	int i;

	for (i = 0; i < channels_alloc; i++)
		if (channels[i] != NULL)
			channel_free(channels[i]);
}

/*
 * Closes the sockets/fds of all channels. This is used to close extra file
 * descriptors after a fork.
 */

void
channel_close_all(void)
{
	int i;

	for (i = 0; i < channels_alloc; i++)
		if (channels[i] != NULL)
			channel_close_fds(channels[i]);
}

/*
 * Stop listening to channels.
 *
 * Frees every listener-type channel (agent socket, local/remote port and
 * X11 listeners); other channel types are left untouched.
 */

void
channel_stop_listening(void)
{
	int i;
	Channel *c;

	for (i = 0; i < channels_alloc; i++) {
		c = channels[i];
		if (c != NULL) {
			switch (c->type) {
			case SSH_CHANNEL_AUTH_SOCKET:
			case SSH_CHANNEL_PORT_LISTENER:
			case SSH_CHANNEL_RPORT_LISTENER:
			case SSH_CHANNEL_X11_LISTENER:
				channel_close_fd(&c->sock);
				channel_free(c);
				break;
			}
		}
	}
}

/*
 * Returns true if no channel has too much buffered data, and false if one or
 * more channel is overfull.
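*/

/*
 * Returns 1 if no SSH_CHANNEL_OPEN channel has more output buffered than
 * one packet, 0 as soon as one such channel is found.  Only the output
 * buffer is consulted; the input-buffer check is compiled out below.
 */
int
channel_not_very_much_buffered_data(void)
{
	/* channels_alloc is an int; keep the index signed to avoid a
	 * signed/unsigned comparison. */
	int i;
	Channel *c;

	for (i = 0; i < channels_alloc; i++) {
		c = channels[i];
		if (c != NULL && c->type == SSH_CHANNEL_OPEN) {
#if 0
			if (!compat20 &&
			    buffer_len(&c->input) > packet_get_maxsize()) {
				debug("channel %d: big input buffer %d",
				    c->self, buffer_len(&c->input));
				return 0;
			}
#endif
			if (buffer_len(&c->output) > packet_get_maxsize()) {
				debug("channel %d: big output buffer %d > %d",
				    c->self, buffer_len(&c->output),
				    packet_get_maxsize());
				return 0;
			}
		}
	}
	return 1;
}

/*
 * Returns true if any channel is still open.
 *
 * Listeners, closed/zombie/connecting/dynamic channels do not count.
 * LARVAL channels are protocol-2 only and DRAINING states protocol-1.3
 * only; seeing them under the other protocol is fatal.
 */

int
channel_still_open(void)
{
	int i;
	Channel *c;

	for (i = 0; i < channels_alloc; i++) {
		c = channels[i];
		if (c == NULL)
			continue;
		switch (c->type) {
		case SSH_CHANNEL_X11_LISTENER:
		case SSH_CHANNEL_PORT_LISTENER:
		case SSH_CHANNEL_RPORT_LISTENER:
		case SSH_CHANNEL_CLOSED:
		case SSH_CHANNEL_AUTH_SOCKET:
		case SSH_CHANNEL_DYNAMIC:
		case SSH_CHANNEL_CONNECTING:
		case SSH_CHANNEL_ZOMBIE:
			continue;
		case SSH_CHANNEL_LARVAL:
			if (!compat20)
				fatal("cannot happen: SSH_CHANNEL_LARVAL");
			continue;
		case SSH_CHANNEL_OPENING:
		case SSH_CHANNEL_OPEN:
		case SSH_CHANNEL_X11_OPEN:
			return 1;
		case SSH_CHANNEL_INPUT_DRAINING:
		case SSH_CHANNEL_OUTPUT_DRAINING:
			if (!compat13)
				fatal("cannot happen: OUT_DRAIN");
			return 1;
		default:
			fatal("channel_still_open: bad channel type %d", c->type);
			/* NOTREACHED */
		}
	}
	return 0;
}

/*
 * Returns the id of an open channel suitable for keepaliving, or -1 when
 * there is none.  Note that, unlike channel_still_open, LARVAL and
 * AUTH_SOCKET channels qualify here.
 */

int
channel_find_open(void)
{
	int i;
	Channel *c;

	for (i = 0; i < channels_alloc; i++) {
		c = channels[i];
		if (c == NULL)
			continue;
		switch (c->type) {
		case SSH_CHANNEL_CLOSED:
		case SSH_CHANNEL_DYNAMIC:
		case SSH_CHANNEL_X11_LISTENER:
		case SSH_CHANNEL_PORT_LISTENER:
		case SSH_CHANNEL_RPORT_LISTENER:
		case SSH_CHANNEL_OPENING:
		case SSH_CHANNEL_CONNECTING:
		case SSH_CHANNEL_ZOMBIE:
			continue;
		case SSH_CHANNEL_LARVAL:
		case SSH_CHANNEL_AUTH_SOCKET:
		case SSH_CHANNEL_OPEN:
		case SSH_CHANNEL_X11_OPEN:
			return i;
		case SSH_CHANNEL_INPUT_DRAINING:
		case SSH_CHANNEL_OUTPUT_DRAINING:
			if (!compat13)
				fatal("cannot happen: OUT_DRAIN");
			return i;
		default:
			fatal("channel_find_open: bad channel type %d", c->type);
			/* NOTREACHED */
		}
	}
	return -1;
}


/*
 * Returns a message describing the currently open forwarded connections,
 * suitable for sending to the client. The message contains crlf pairs for
 * newlines.
 *
 * The result is xstrdup'd; the caller owns it and must xfree it.
 * remote_name is printed with a 300-byte precision so a long peer-supplied
 * name cannot overrun the 1024-byte line buffer.
 */

char *
channel_open_message(void)
{
	Buffer buffer;
	Channel *c;
	char buf[1024], *cp;
	int i;

	buffer_init(&buffer);
	snprintf(buf, sizeof buf, "The following connections are open:\r\n");
	buffer_append(&buffer, buf, strlen(buf));
	for (i = 0; i < channels_alloc; i++) {
		c = channels[i];
		if (c == NULL)
			continue;
		switch (c->type) {
		case SSH_CHANNEL_X11_LISTENER:
		case SSH_CHANNEL_PORT_LISTENER:
		case SSH_CHANNEL_RPORT_LISTENER:
		case SSH_CHANNEL_CLOSED:
		case SSH_CHANNEL_AUTH_SOCKET:
		case SSH_CHANNEL_ZOMBIE:
			continue;
		case SSH_CHANNEL_LARVAL:
		case SSH_CHANNEL_OPENING:
		case SSH_CHANNEL_CONNECTING:
		case SSH_CHANNEL_DYNAMIC:
		case SSH_CHANNEL_OPEN:
		case SSH_CHANNEL_X11_OPEN:
		case SSH_CHANNEL_INPUT_DRAINING:
		case SSH_CHANNEL_OUTPUT_DRAINING:
			snprintf(buf, sizeof buf, "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
			    c->self, c->remote_name,
			    c->type, c->remote_id,
			    c->istate, buffer_len(&c->input),
			    c->ostate, buffer_len(&c->output),
			    c->rfd, c->wfd);
			buffer_append(&buffer, buf, strlen(buf));
			continue;
		default:
			fatal("channel_open_message: bad channel type %d", c->type);
			/* NOTREACHED */
		}
	}
	/* NUL-terminate so the buffer contents can be used as a C string. */
	buffer_append(&buffer, "\0", 1);
	cp = xstrdup(buffer_ptr(&buffer));
	buffer_free(&buffer);
	return cp;
}

/* Send an SSH2 CHANNEL_OPEN for channel id, advertising our window/packet size. */
void
channel_send_open(int id)
{
	Channel *c = channel_lookup(id);

	if (c == NULL) {
		log("channel_send_open: %d: bad id", id);
		return;
	}
	debug("send channel open %d", id);
	packet_start(SSH2_MSG_CHANNEL_OPEN);
	packet_put_cstring(c->ctype);
	packet_put_int(c->self);
	packet_put_int(c->local_window);
	packet_put_int(c->local_maxpacket);
	packet_send();
}

/*
 * Begin an SSH2 CHANNEL_REQUEST on the remote side of local_id.  Only the
 * fixed header is written here; the caller appends request-specific
 * fields and calls packet_send().
 */
void
channel_request_start(int local_id, char *service, int wantconfirm)
{
	Channel *c = channel_lookup(local_id);

	if (c == NULL) {
		log("channel_request_start: %d: unknown channel id", local_id);
		return;
	}
	debug("channel request %d: %s", local_id, service) ;
	packet_start(SSH2_MSG_CHANNEL_REQUEST);
	packet_put_int(c->remote_id);
	packet_put_cstring(service);
	packet_put_char(wantconfirm);
}
/* Install the callback run when the open of channel id is confirmed. */
void
channel_register_confirm(int id, channel_callback_fn *fn)
{
	Channel *c = channel_lookup(id);

	if (c == NULL) {
		/* message previously misspelled the function name */
		log("channel_register_confirm: %d: bad id", id);
		return;
	}
	c->confirm = fn;
}
/* Install the cleanup callback (detach_user) for channel id. */
void
channel_register_cleanup(int id, channel_callback_fn *fn)
{
	Channel *c = channel_lookup(id);

	if (c == NULL) {
		log("channel_register_cleanup: %d: bad id", id);
		return;
	}
	c->detach_user = fn;
}
/* Remove the cleanup callback for channel id. */
void
channel_cancel_cleanup(int id)
{
	Channel *c = channel_lookup(id);

	if (c == NULL) {
		log("channel_cancel_cleanup: %d: bad id", id);
		return;
	}
	c->detach_user = NULL;
}
/* Install the input filter for channel id. */
void
channel_register_filter(int id, channel_filter_fn *fn)
{
	Channel *c = channel_lookup(id);

	if (c == NULL) {
		log("channel_register_filter: %d: bad id", id);
		return;
	}
	c->input_filter = fn;
}

/*
 * Attach descriptors to a LARVAL channel, promote it to OPEN and tell the
 * peer about the initial window.  Fatal if id is unknown or not LARVAL.
 */
void
channel_set_fds(int id, int rfd, int wfd, int efd,
    int extusage, int nonblock, u_int window_max)
{
	Channel *c = channel_lookup(id);

	if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
		fatal("channel_activate for non-larval channel %d.", id);
	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
	c->type = SSH_CHANNEL_OPEN;
	c->local_window = c->local_window_max = window_max;
	packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
	packet_put_int(c->remote_id);
	packet_put_int(c->local_window);
	packet_send();
}

/* Record the wait_for_exit flag on an OPEN channel; fatal otherwise. */
void
channel_set_wait_for_exit(int id, int wait_for_exit)
{
	Channel *c = channel_lookup(id);

	if (c == NULL || c->type != SSH_CHANNEL_OPEN)
		fatal("channel_set_wait_for_exit for non-open channel %d.", id);

	debug3("channel_set_wait_for_exit %d, %d (type: %d)", id, wait_for_exit, c->type);
	c->wait_for_exit = wait_for_exit;
}

/*
 * 'channel_pre*' are called just before select() to add any bits relevant to
 * channels in the select bitmasks.
 */
/*
 * 'channel_post*': perform any appropriate operations for channels which
 * have events pending.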
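*/
typedef void chan_fn(Channel *c, fd_set * readset, fd_set * writeset);
chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];

/* Listener: only ever interested in readability of the listening socket. */
static void
channel_pre_listener(Channel *c, fd_set * readset, fd_set * writeset)
{
	FD_SET(c->sock, readset);
}

/* Non-blocking connect in progress: completion shows up as writability. */
static void
channel_pre_connecting(Channel *c, fd_set * readset, fd_set * writeset)
{
	debug3("channel %d: waiting for connection", c->self);
	FD_SET(c->sock, writeset);
}

/* Protocol 1.3 open channel: read while input fits a packet, write if pending. */
static void
channel_pre_open_13(Channel *c, fd_set * readset, fd_set * writeset)
{
	if (buffer_len(&c->input) < packet_get_maxsize())
		FD_SET(c->sock, readset);
	if (buffer_len(&c->output) > 0)
		FD_SET(c->sock, writeset);
}

/*
 * Open channel (protocol 1.5 / 2).  Reads are gated by the peer's window
 * (protocol 2) or the packet size (protocol 1); the extended (stderr)
 * descriptor is only serviced for protocol 2.
 */
static void
channel_pre_open(Channel *c, fd_set * readset, fd_set * writeset)
{
	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();

	if (c->istate == CHAN_INPUT_OPEN &&
	    limit > 0 &&
	    buffer_len(&c->input) < limit)
		FD_SET(c->rfd, readset);
	if (c->ostate == CHAN_OUTPUT_OPEN ||
	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
		if (buffer_len(&c->output) > 0) {
			FD_SET(c->wfd, writeset);
		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
			if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
				debug2("channel %d: obuf_empty delayed efd %d/(%d)",
				    c->self, c->efd, buffer_len(&c->extended));
			else
				chan_obuf_empty(c);
		}
	}
	/** XXX check close conditions, too */
	if (compat20 && c->efd != -1) {
		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
		    buffer_len(&c->extended) > 0)
			FD_SET(c->efd, writeset);
		else if (!(c->flags & CHAN_EOF_SENT) &&
		    c->extended_usage == CHAN_EXTENDED_READ &&
		    buffer_len(&c->extended) < c->remote_window)
			FD_SET(c->efd, readset);
	}
}

/* Protocol 1.3: once the input buffer is drained, send CLOSE and mark closed. */
static void
channel_pre_input_draining(Channel *c, fd_set * readset, fd_set * writeset)
{
	if (buffer_len(&c->input) == 0) {
		packet_start(SSH_MSG_CHANNEL_CLOSE);
		packet_put_int(c->remote_id);
		packet_send();
		c->type = SSH_CHANNEL_CLOSED;
		debug("channel %d: closing after input drain.", c->self);
	}
}

/* Protocol 1.3: keep writing until the output buffer is empty, then die. */
static void
channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
{
	if (buffer_len(&c->output) == 0)
		chan_mark_dead(c);
	else
		FD_SET(c->sock, writeset);
}

/*
 * This is a special state for X11 authentication spoofing. An opened X11
 * connection (when authentication spoofing is being done) remains in this
 * state until the first packet has been completely read. The authentication
 * data in that packet is then substituted by the real data if it matches the
 * fake data, and the channel is put into normal mode.
 * XXX All this happens at the client side.
 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
 *
 * Layout assumed for the X11 connection setup packet: 12 fixed bytes
 * (byte-order marker at 0, protocol-name length at 6..7, auth-data length
 * at 8..9), then the name and the data, each padded to a 4-byte boundary.
 * Every read below is preceded by a length check against buffer_len(b),
 * so a truncated or oversized header cannot cause an out-of-bounds read.
 * The comparison of the auth data uses memcmp and so is not constant-time;
 * the fake cookie is per-session and the check runs on the client, which
 * is why that has been accepted here.
 */
static int
x11_open_helper(Buffer *b)
{
	u_char *ucp;
	u_int proto_len, data_len;

	/* Check if the fixed size part of the packet is in buffer. */
	if (buffer_len(b) < 12)
		return 0;

	/* Parse the lengths of variable-length fields. */
	ucp = buffer_ptr(b);
	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
		proto_len = 256 * ucp[6] + ucp[7];
		data_len = 256 * ucp[8] + ucp[9];
	} else if (ucp[0] == 0x6c) {	/* Byte order LSB first. */
		proto_len = ucp[6] + 256 * ucp[7];
		data_len = ucp[8] + 256 * ucp[9];
	} else {
		debug("Initial X11 packet contains bad byte order byte: 0x%x",
		    ucp[0]);
		return -1;
	}

	/* Check if the whole packet is in buffer. */
	if (buffer_len(b) <
	    12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
		return 0;

	/* Check if authentication protocol matches. */
	if (proto_len != strlen(x11_saved_proto) ||
	    memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
		debug("X11 connection uses different authentication protocol.");
		return -1;
	}
	/* Check if authentication data matches our fake data. */
	if (data_len != x11_fake_data_len ||
	    memcmp(ucp + 12 + ((proto_len + 3) & ~3),
		x11_fake_data, x11_fake_data_len) != 0) {
		debug("X11 auth data does not match fake data.");
		return -1;
	}
	/* Check fake data length */
	if (x11_fake_data_len != x11_saved_data_len) {
		error("X11 fake_data_len %d != saved_data_len %d",
		    x11_fake_data_len, x11_saved_data_len);
		return -1;
	}
	/*
	 * Received authentication protocol and data match
	 * our fake data. Substitute the fake data with real
	 * data.
	 */
	memcpy(ucp + 12 + ((proto_len + 3) & ~3),
	    x11_saved_data, x11_saved_data_len);
	return 1;
}

/* Protocol 1.3 variant: on a bad cookie the socket is closed and CLOSE sent. */
static void
channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
{
	int ret = x11_open_helper(&c->output);

	if (ret == 1) {
		/* Start normal processing for the channel. */
		c->type = SSH_CHANNEL_OPEN;
		channel_pre_open_13(c, readset, writeset);
	} else if (ret == -1) {
		/*
		 * We have received an X11 connection that has bad
		 * authentication information.
		 */
		log("X11 connection rejected because of wrong authentication.");
		buffer_clear(&c->input);
		buffer_clear(&c->output);
		channel_close_fd(&c->sock);
		/* channel_close_fd already reset sock to -1; kept for clarity. */
		c->sock = -1;
		c->type = SSH_CHANNEL_CLOSED;
		packet_start(SSH_MSG_CHANNEL_CLOSE);
		packet_put_int(c->remote_id);
		packet_send();
	}
}

/*
 * Protocol 1.5 / 2 variant: on a bad cookie the channel is drained through
 * the normal read/write-failed state machine instead of being closed
 * outright.
 */
static void
channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
{
	int ret = x11_open_helper(&c->output);

	/* c->force_drain = 1; */

	if (ret == 1) {
		c->type = SSH_CHANNEL_OPEN;
		channel_pre_open(c, readset, writeset);
	} else if (ret == -1) {
		log("X11 connection rejected because of wrong authentication.");
		debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
		chan_read_failed(c);
		buffer_clear(&c->input);
		chan_ibuf_empty(c);
		buffer_clear(&c->output);
		/* for proto v1, the peer will send an IEOF */
		if (compat20)
			chan_write_failed(c);
		else
			c->type = SSH_CHANNEL_OPEN;
		debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
	}
}

/*
 * try to decode a socks4 header
 *
 * Request layout: 1 byte version, 1 byte command, 2 bytes port (network
 * order), 4 bytes IPv4 address, then a NUL-terminated user id.  Returns
 * 0 when more input is needed, -1 on garbage or an unsupported command
 * (anything but CONNECT == 1), 1 when the request was consumed and a
 * "request granted" reply queued on c->output.  The user id is copied to
 * a local but otherwise unused.  SOCKS4a (hostname after the user id) is
 * not handled by this code.
 */
static int
channel_decode_socks4(Channel *c, fd_set * readset, fd_set * writeset)
{
	char *p, *host;
	int len, have, i, found;
	char username[256];
	struct {
		u_int8_t version;
		u_int8_t command;
		u_int16_t dest_port;
		struct in_addr dest_addr;
	} s4_req, s4_rsp;

	debug2("channel %d: decode socks4", c->self);

	have = buffer_len(&c->input);
	len = sizeof(s4_req);
	if (have < len)
		return 0;
	p = buffer_ptr(&c->input);
	/* Require the NUL that ends the user id; give up past 1024 bytes. */
	for (found = 0, i = len; i < have; i++) {
		if (p[i] == '\0') {
			found = 1;
			break;
		}
		if (i > 1024) {
			/* the peer is probably sending garbage */
			debug("channel %d: decode socks4: too long",
			    c->self);
			return -1;
		}
	}
	if (!found)
		return 0;
	buffer_get(&c->input, (char *)&s4_req.version, 1);
	buffer_get(&c->input, (char *)&s4_req.command, 1);
	buffer_get(&c->input, (char *)&s4_req.dest_port, 2);
	buffer_get(&c->input, (char *)&s4_req.dest_addr, 4);
	have = buffer_len(&c->input);
	p = buffer_ptr(&c->input);
	/* safe: the loop above proved a NUL exists within the buffer */
	len = strlen(p);
	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
	if (len > have)
		fatal("channel %d: decode socks4: len %d > have %d",
		    c->self, len, have);
	strlcpy(username, p, sizeof(username));
	buffer_consume(&c->input, len);
	buffer_consume(&c->input, 1);		/* trailing '\0' */

	host = inet_ntoa(s4_req.dest_addr);
	strlcpy(c->path, host, sizeof(c->path));
	c->host_port = ntohs(s4_req.dest_port);

	debug("channel %d: dynamic request: socks4 host %s port %u command %u",
	    c->self, host, c->host_port, s4_req.command);

	if (s4_req.command != 1) {
		debug("channel %d: cannot handle: socks4 cn %d",
		    c->self, s4_req.command);
		return -1;
	}
	s4_rsp.version = 0;			/* vn: 0 for reply */
	s4_rsp.command = 90;			/* cd: req granted */
	s4_rsp.dest_port = 0;			/* ignored */
	s4_rsp.dest_addr.s_addr = INADDR_ANY;	/* ignored */
	buffer_append(&c->output, (char *)&s4_rsp, sizeof(s4_rsp));
	return 1;
}

/* try to decode a socks5 header */
#define SSH_SOCKS5_AUTHDONE	0x1000
#define SSH_SOCKS5_NOAUTH	0x00
#define SSH_SOCKS5_IPV4		0x01
#define SSH_SOCKS5_DOMAIN	0x03
#define SSH_SOCKS5_IPV6		0x04
#define SSH_SOCKS5_CONNECT	0x01
#define SSH_SOCKS5_SUCCESS	0x00

/*
 * Two-phase SOCKS5 decode, driven by SSH_SOCKS5_AUTHDONE in c->flags.
 * Phase 1 (method negotiation) accepts only NOAUTH and replies with it.
 * Phase 2 accepts only CONNECT to an IPv4, IPv6 or domain-name target,
 * fills c->path / c->host_port and queues a SUCCESS reply bound to
 * 0.0.0.0:0.  Returns 0 = need more, -1 = reject, 1 = request complete.
 * A domain name is at most 255 bytes (one length byte), which is what
 * sizes dest_addr.
 */
/* ARGSUSED */
static int
channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
{
	struct {
		u_int8_t version;
		u_int8_t command;
		u_int8_t reserved;
		u_int8_t atyp;
	} s5_req, s5_rsp;
	u_int16_t dest_port;
	u_char *p, dest_addr[255+1];
	u_int have, need, i, found, nmethods, addrlen;
	struct in_addr bnd_addr;
	int af;

	debug2("channel %d: decode socks5", c->self);
	/*
	 * Do not inspect the version byte of an empty buffer: the caller is
	 * believed to guarantee a few bytes are present, but this function
	 * should be safe on its own.
	 */
	have = buffer_len(&c->input);
	if (have < 1)
		return 0;
	p = buffer_ptr(&c->input);
	if (p[0] != 0x05)
		return -1;
	if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
		/* format: ver | nmethods | methods */
		if (have < 2)
			return 0;
		nmethods = p[1];
		if (have < nmethods + 2)
			return 0;
		/* look for method: "NO AUTHENTICATION REQUIRED" */
		for (found = 0, i = 2 ; i < nmethods + 2; i++) {
			if (p[i] == SSH_SOCKS5_NOAUTH) {
				found = 1;
				break;
			}
		}
		if (!found) {
			error("channel %d: socks5 authentication methods not implemented",
			    c->self);
			error("channel %d: forwarding failed: "
			    "SSH_SOCKS5_NOAUTH method not found", c->self);
			return -1;
		}
		buffer_consume(&c->input, nmethods + 2);
		buffer_put_char(&c->output, 0x05);		/* version */
		buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH);	/* method */
		FD_SET(c->sock, writeset);
		c->flags |= SSH_SOCKS5_AUTHDONE;
		debug2("channel %d: socks5 auth done", c->self);
		return 0;				/* need more */
	}
	debug2("channel %d: socks5 post auth", c->self);
	/* +1 so the domain-name length byte (if any) is readable below */
	if (have < sizeof(s5_req)+1)
		return 0;			/* need more */
	memcpy(&s5_req, p, sizeof(s5_req));
	if (s5_req.version != 0x05 ||
	    s5_req.command != SSH_SOCKS5_CONNECT ||
	    s5_req.reserved != 0x00) {
		error("channel %d: forwarding failed: "
		    "only socks5 connect is supported", c->self);
		return -1;
	}
	switch (s5_req.atyp){
	case SSH_SOCKS5_IPV4:
		addrlen = 4;
		af = AF_INET;
		break;
	case SSH_SOCKS5_DOMAIN:
		addrlen = p[sizeof(s5_req)];
		af = -1;
		break;
	case SSH_SOCKS5_IPV6:
		addrlen = 16;
		af = AF_INET6;
		break;
	default:
		error("channel %d: forwarding failed: "
		    "bad socks5 atyp %d", c->self, s5_req.atyp);
		return -1;
	}
	/* header + address + 2-byte port (+ length byte for a domain name) */
	need = sizeof(s5_req) + addrlen + 2;
	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
		need++;
	if (have < need)
		return 0;
	buffer_consume(&c->input, sizeof(s5_req));
	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
		buffer_consume(&c->input, 1);    /* host string length */
	buffer_get(&c->input, (char *)&dest_addr, addrlen);
	buffer_get(&c->input, (char *)&dest_port, 2);
	dest_addr[addrlen] = '\0';
	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
		strlcpy(c->path, (char *)dest_addr, sizeof(c->path));
	else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL)
		return -1;
	c->host_port = ntohs(dest_port);

	debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
	    c->self, c->path, c->host_port, s5_req.command);

	s5_rsp.version = 0x05;
	s5_rsp.command = SSH_SOCKS5_SUCCESS;
	s5_rsp.reserved = 0;			/* ignored */
	s5_rsp.atyp = SSH_SOCKS5_IPV4;
	bzero(&bnd_addr, sizeof(bnd_addr));
	bnd_addr.s_addr = htonl(INADDR_ANY);
	dest_port = 0;				/* ignored */

	buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
	buffer_append(&c->output, &bnd_addr, sizeof(struct in_addr));
	buffer_append(&c->output, &dest_port, sizeof(dest_port));
	return 1;
}

/* dynamic port forwarding */
static void
channel_pre_dynamic(Channel *c, fd_set * readset, fd_set * writeset<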