1 /* $OpenBSD: channels.c,v 1.384 2018/07/27 12:03:17 markus Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * This file contains functions for generic socket connection forwarding.
7 * There is also code for initiating connection forwarding for X11 connections,
8 * arbitrary tcp/ip connections, and the authentication agent connection.
10 * As far as I am concerned, the code I have written for this software
11 * can be used freely for any purpose. Any derived versions of this
12 * software must be clearly marked as such, and if the derived work is
13 * incompatible with the protocol description in the RFC file, it must be
14 * called by a name other than "ssh" or "Secure Shell".
16 * SSH2 support added by Markus Friedl.
17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
18 * Copyright (c) 1999 Dug Song. All rights reserved.
19 * Copyright (c) 1999 Theo de Raadt. All rights reserved.
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
24 * 1. Redistributions of source code must retain the above copyright
25 * notice, this list of conditions and the following disclaimer.
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in the
28 * documentation and/or other materials provided with the distribution.
30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
44 #include <sys/types.h>
46 #include <sys/ioctl.h>
48 #include <sys/socket.h>
49 #ifdef HAVE_SYS_TIME_H
50 # include <sys/time.h>
53 #include <netinet/in.h>
54 #include <arpa/inet.h>
70 #include "openbsd-compat/sys-queue.h"
84 #include "pathnames.h"
87 /* -- agent forwarding */
90 /* -- tcp forwarding */
91 /* special-case port number meaning allow any port */
92 #define FWD_PERMIT_ANY_PORT 0
94 /* special-case wildcard meaning allow any host */
95 #define FWD_PERMIT_ANY_HOST "*"
97 /* -- X11 forwarding */
98 /* Maximum number of fake X11 displays to try. */
99 #define MAX_DISPLAYS 1000
101 /* Per-channel callback for pre/post select() actions */
102 typedef void chan_fn(struct ssh *, Channel *c,
103 fd_set *readset, fd_set *writeset);
106 * Data structure for storing which hosts are permitted for forward requests.
107 * The local sides of any remote forwards are stored in this array to prevent
108 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
109 * network (which might be behind a firewall).
111 /* XXX: streamlocal wants a path instead of host:port */
112 /* Overload host_to_connect; we could just make this match Forward */
113 /* XXX - can we use listen_host instead of listen_path? */
115 char *host_to_connect; /* Connect to 'host'. */
116 int port_to_connect; /* Connect to 'port'. */
117 char *listen_host; /* Remote side should listen address. */
118 char *listen_path; /* Remote side should listen path. */
119 int listen_port; /* Remote side should listen port. */
120 Channel *downstream; /* Downstream mux*/
124 * Stores the forwarding permission state for a single direction (local or
127 struct permission_set {
129 * List of all local permitted host/port pairs to allow for the
132 u_int num_permitted_user;
133 struct permission *permitted_user;
136 * List of all permitted host/port pairs to allow for the admin.
138 u_int num_permitted_admin;
139 struct permission *permitted_admin;
142 * If this is true, all opens/listens are permitted. This is the
143 * case on the server on which we have to trust the client anyway,
144 * and the user could do anything after logging in.
149 /* Master structure for channels state */
150 struct ssh_channels {
152 * Pointer to an array containing all allocated channels. The array
153 * is dynamically extended as needed.
158 * Size of the channel array. All slots of the array must always be
159 * initialized (at least the type field); unused slots set to NULL
161 u_int channels_alloc;
164 * Maximum file descriptor value used in any of the channels. This is
165 * updated in channel_new.
170 * 'channel_pre*' are called just before select() to add any bits
171 * relevant to channels in the select bitmasks.
173 * 'channel_post*': perform any appropriate operations for
174 * channels which have events pending.
176 chan_fn **channel_pre;
177 chan_fn **channel_post;
179 /* -- tcp forwarding */
180 struct permission_set local_perms;
181 struct permission_set remote_perms;
183 /* -- X11 forwarding */
185 /* Saved X11 local (client) display. */
186 char *x11_saved_display;
188 /* Saved X11 authentication protocol name. */
189 char *x11_saved_proto;
191 /* Saved X11 authentication data. This is the real data. */
192 char *x11_saved_data;
193 u_int x11_saved_data_len;
195 /* Deadline after which all X11 connections are refused */
196 u_int x11_refuse_time;
199 * Fake X11 authentication data. This is what the server will be
200 * sending us; we should replace any occurrences of this by the
203 u_char *x11_fake_data;
204 u_int x11_fake_data_len;
206 /* AF_UNSPEC or AF_INET or AF_INET6 */
211 static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype);
212 static const char *channel_rfwd_bind_host(const char *listen_host);
214 /* non-blocking connect helpers */
215 static int connect_next(struct channel_connect *);
216 static void channel_connect_ctx_free(struct channel_connect *);
217 static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *);
218 static int rdynamic_connect_finish(struct ssh *, Channel *);
221 static void channel_handler_init(struct ssh_channels *sc);
223 /* -- channel core */
226 channel_init_channels(struct ssh *ssh)
228 struct ssh_channels *sc;
230 if ((sc = calloc(1, sizeof(*sc))) == NULL ||
231 (sc->channel_pre = calloc(SSH_CHANNEL_MAX_TYPE,
232 sizeof(*sc->channel_pre))) == NULL ||
233 (sc->channel_post = calloc(SSH_CHANNEL_MAX_TYPE,
234 sizeof(*sc->channel_post))) == NULL)
235 fatal("%s: allocation failed", __func__);
236 sc->channels_alloc = 10;
237 sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
238 sc->IPv4or6 = AF_UNSPEC;
239 channel_handler_init(sc);
245 channel_by_id(struct ssh *ssh, int id)
249 if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) {
250 logit("%s: %d: bad id", __func__, id);
253 c = ssh->chanctxt->channels[id];
255 logit("%s: %d: bad id: channel free", __func__, id);
262 channel_by_remote_id(struct ssh *ssh, u_int remote_id)
267 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
268 c = ssh->chanctxt->channels[i];
269 if (c != NULL && c->have_remote_id && c->remote_id == remote_id)
276 * Returns the channel if it is allowed to receive protocol messages.
277 * Private channels, like listening sockets, may not receive messages.
280 channel_lookup(struct ssh *ssh, int id)
284 if ((c = channel_by_id(ssh, id)) == NULL)
288 case SSH_CHANNEL_X11_OPEN:
289 case SSH_CHANNEL_LARVAL:
290 case SSH_CHANNEL_CONNECTING:
291 case SSH_CHANNEL_DYNAMIC:
292 case SSH_CHANNEL_RDYNAMIC_OPEN:
293 case SSH_CHANNEL_RDYNAMIC_FINISH:
294 case SSH_CHANNEL_OPENING:
295 case SSH_CHANNEL_OPEN:
296 case SSH_CHANNEL_ABANDONED:
297 case SSH_CHANNEL_MUX_PROXY:
300 logit("Non-public channel %d, type %d.", id, c->type);
305 * Register filedescriptors for a channel, used when allocating a channel or
306 * when the channel consumer/producer is ready, e.g. shell exec'd
309 channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
310 int extusage, int nonblock, int is_tty)
312 struct ssh_channels *sc = ssh->chanctxt;
314 /* Update the maximum file descriptor value. */
315 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, rfd);
316 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, wfd);
317 sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, efd);
320 fcntl(rfd, F_SETFD, FD_CLOEXEC);
321 if (wfd != -1 && wfd != rfd)
322 fcntl(wfd, F_SETFD, FD_CLOEXEC);
323 if (efd != -1 && efd != rfd && efd != wfd)
324 fcntl(efd, F_SETFD, FD_CLOEXEC);
328 c->sock = (rfd == wfd) ? rfd : -1;
330 c->extended_usage = extusage;
332 if ((c->isatty = is_tty) != 0)
333 debug2("channel %d: rfd %d isatty", c->self, c->rfd);
335 /* XXX: Later AIX versions can't push as much data to tty */
336 c->wfd_isatty = is_tty || isatty(c->wfd);
339 /* enable nonblocking mode */
351 * Allocate a new channel object and set its type and socket. This will cause
352 * remote_name to be freed.
355 channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
356 u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
358 struct ssh_channels *sc = ssh->chanctxt;
362 /* Try to find a free slot where to put the new channel. */
363 for (i = 0; i < sc->channels_alloc; i++) {
364 if (sc->channels[i] == NULL) {
365 /* Found a free slot. */
370 if (i >= sc->channels_alloc) {
372 * There are no free slots. Take last+1 slot and expand
375 found = sc->channels_alloc;
376 if (sc->channels_alloc > CHANNELS_MAX_CHANNELS)
377 fatal("%s: internal error: channels_alloc %d too big",
378 __func__, sc->channels_alloc);
379 sc->channels = xrecallocarray(sc->channels, sc->channels_alloc,
380 sc->channels_alloc + 10, sizeof(*sc->channels));
381 sc->channels_alloc += 10;
382 debug2("channel: expanding %d", sc->channels_alloc);
384 /* Initialize and return new channel. */
385 c = sc->channels[found] = xcalloc(1, sizeof(Channel));
386 if ((c->input = sshbuf_new()) == NULL ||
387 (c->output = sshbuf_new()) == NULL ||
388 (c->extended = sshbuf_new()) == NULL)
389 fatal("%s: sshbuf_new failed", __func__);
390 c->ostate = CHAN_OUTPUT_OPEN;
391 c->istate = CHAN_INPUT_OPEN;
392 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
396 c->local_window = window;
397 c->local_window_max = window;
398 c->local_maxpacket = maxpack;
399 c->remote_name = xstrdup(remote_name);
401 c->delayed = 1; /* prevent call to channel_post handler */
402 TAILQ_INIT(&c->status_confirms);
403 debug("channel %d: new [%s]", found, remote_name);
408 channel_find_maxfd(struct ssh_channels *sc)
414 for (i = 0; i < sc->channels_alloc; i++) {
417 max = MAXIMUM(max, c->rfd);
418 max = MAXIMUM(max, c->wfd);
419 max = MAXIMUM(max, c->efd);
422 sc->channel_max_fd = max;
426 channel_close_fd(struct ssh *ssh, int *fdp)
428 struct ssh_channels *sc = ssh->chanctxt;
429 int ret = 0, fd = *fdp;
434 if (fd == sc->channel_max_fd)
435 channel_find_maxfd(sc);
440 /* Close all channel fd/socket. */
442 channel_close_fds(struct ssh *ssh, Channel *c)
444 int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
446 channel_close_fd(ssh, &c->sock);
448 channel_close_fd(ssh, &c->rfd);
449 if (wfd != sock && wfd != rfd)
450 channel_close_fd(ssh, &c->wfd);
451 if (efd != sock && efd != rfd && efd != wfd)
452 channel_close_fd(ssh, &c->efd);
456 fwd_perm_clear(struct permission *perm)
458 free(perm->host_to_connect);
459 free(perm->listen_host);
460 free(perm->listen_path);
461 bzero(perm, sizeof(*perm));
464 /* Returns an printable name for the specified forwarding permission list */
466 fwd_ident(int who, int where)
468 if (who == FORWARD_ADM) {
469 if (where == FORWARD_LOCAL)
470 return "admin local";
471 else if (where == FORWARD_REMOTE)
472 return "admin remote";
473 } else if (who == FORWARD_USER) {
474 if (where == FORWARD_LOCAL)
476 else if (where == FORWARD_REMOTE)
477 return "user remote";
479 fatal("Unknown forward permission list %d/%d", who, where);
482 /* Returns the forwarding permission list for the specified direction */
483 static struct permission_set *
484 permission_set_get(struct ssh *ssh, int where)
486 struct ssh_channels *sc = ssh->chanctxt;
490 return &sc->local_perms;
493 return &sc->remote_perms;
496 fatal("%s: invalid forwarding direction %d", __func__, where);
500 /* Reutrns pointers to the specified forwarding list and its element count */
502 permission_set_get_array(struct ssh *ssh, int who, int where,
503 struct permission ***permpp, u_int **npermpp)
505 struct permission_set *pset = permission_set_get(ssh, where);
509 *permpp = &pset->permitted_user;
510 *npermpp = &pset->num_permitted_user;
513 *permpp = &pset->permitted_admin;
514 *npermpp = &pset->num_permitted_admin;
517 fatal("%s: invalid forwarding client %d", __func__, who);
521 /* Adds an entry to the spcified forwarding list */
523 permission_set_add(struct ssh *ssh, int who, int where,
524 const char *host_to_connect, int port_to_connect,
525 const char *listen_host, const char *listen_path, int listen_port,
528 struct permission **permp;
531 permission_set_get_array(ssh, who, where, &permp, &npermp);
533 if (*npermp >= INT_MAX)
534 fatal("%s: %s overflow", __func__, fwd_ident(who, where));
536 *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp));
538 #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s))
539 (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect);
540 (*permp)[n].port_to_connect = port_to_connect;
541 (*permp)[n].listen_host = MAYBE_DUP(listen_host);
542 (*permp)[n].listen_path = MAYBE_DUP(listen_path);
543 (*permp)[n].listen_port = listen_port;
544 (*permp)[n].downstream = downstream;
550 mux_remove_remote_forwardings(struct ssh *ssh, Channel *c)
552 struct ssh_channels *sc = ssh->chanctxt;
553 struct permission_set *pset = &sc->local_perms;
554 struct permission *perm;
558 for (i = 0; i < pset->num_permitted_user; i++) {
559 perm = &pset->permitted_user[i];
560 if (perm->downstream != c)
563 /* cancel on the server, since mux client is gone */
564 debug("channel %d: cleanup remote forward for %s:%u",
565 c->self, perm->listen_host, perm->listen_port);
566 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
567 (r = sshpkt_put_cstring(ssh,
568 "cancel-tcpip-forward")) != 0 ||
569 (r = sshpkt_put_u8(ssh, 0)) != 0 ||
570 (r = sshpkt_put_cstring(ssh,
571 channel_rfwd_bind_host(perm->listen_host))) != 0 ||
572 (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 ||
573 (r = sshpkt_send(ssh)) != 0) {
574 fatal("%s: channel %i: %s", __func__,
575 c->self, ssh_err(r));
577 fwd_perm_clear(perm); /* unregister */
581 /* Free the channel and close its fd/socket. */
583 channel_free(struct ssh *ssh, Channel *c)
585 struct ssh_channels *sc = ssh->chanctxt;
589 struct channel_confirm *cc;
591 for (n = 0, i = 0; i < sc->channels_alloc; i++) {
592 if ((other = sc->channels[i]) == NULL)
595 /* detach from mux client and prepare for closing */
596 if (c->type == SSH_CHANNEL_MUX_CLIENT &&
597 other->type == SSH_CHANNEL_MUX_PROXY &&
598 other->mux_ctx == c) {
599 other->mux_ctx = NULL;
600 other->type = SSH_CHANNEL_OPEN;
601 other->istate = CHAN_INPUT_CLOSED;
602 other->ostate = CHAN_OUTPUT_CLOSED;
605 debug("channel %d: free: %s, nchannels %u", c->self,
606 c->remote_name ? c->remote_name : "???", n);
608 if (c->type == SSH_CHANNEL_MUX_CLIENT)
609 mux_remove_remote_forwardings(ssh, c);
611 if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) {
612 s = channel_open_message(ssh);
613 debug3("channel %d: status: %s", c->self, s);
617 channel_close_fds(ssh, c);
618 sshbuf_free(c->input);
619 sshbuf_free(c->output);
620 sshbuf_free(c->extended);
621 c->input = c->output = c->extended = NULL;
622 free(c->remote_name);
623 c->remote_name = NULL;
626 free(c->listening_addr);
627 c->listening_addr = NULL;
628 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
629 if (cc->abandon_cb != NULL)
630 cc->abandon_cb(ssh, c, cc->ctx);
631 TAILQ_REMOVE(&c->status_confirms, cc, entry);
632 explicit_bzero(cc, sizeof(*cc));
635 if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
636 c->filter_cleanup(ssh, c->self, c->filter_ctx);
637 sc->channels[c->self] = NULL;
638 explicit_bzero(c, sizeof(*c));
643 channel_free_all(struct ssh *ssh)
647 for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
648 if (ssh->chanctxt->channels[i] != NULL)
649 channel_free(ssh, ssh->chanctxt->channels[i]);
653 * Closes the sockets/fds of all channels. This is used to close extra file
654 * descriptors after a fork.
657 channel_close_all(struct ssh *ssh)
661 for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
662 if (ssh->chanctxt->channels[i] != NULL)
663 channel_close_fds(ssh, ssh->chanctxt->channels[i]);
667 * Stop listening to channels.
670 channel_stop_listening(struct ssh *ssh)
675 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
676 c = ssh->chanctxt->channels[i];
679 case SSH_CHANNEL_AUTH_SOCKET:
680 case SSH_CHANNEL_PORT_LISTENER:
681 case SSH_CHANNEL_RPORT_LISTENER:
682 case SSH_CHANNEL_X11_LISTENER:
683 case SSH_CHANNEL_UNIX_LISTENER:
684 case SSH_CHANNEL_RUNIX_LISTENER:
685 channel_close_fd(ssh, &c->sock);
686 channel_free(ssh, c);
694 * Returns true if no channel has too much buffered data, and false if one or
695 * more channel is overfull.
698 channel_not_very_much_buffered_data(struct ssh *ssh)
701 u_int maxsize = ssh_packet_get_maxsize(ssh);
704 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
705 c = ssh->chanctxt->channels[i];
706 if (c == NULL || c->type != SSH_CHANNEL_OPEN)
708 if (sshbuf_len(c->output) > maxsize) {
709 debug2("channel %d: big output buffer %zu > %u",
710 c->self, sshbuf_len(c->output), maxsize);
717 /* Returns true if any channel is still open. */
719 channel_still_open(struct ssh *ssh)
724 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
725 c = ssh->chanctxt->channels[i];
729 case SSH_CHANNEL_X11_LISTENER:
730 case SSH_CHANNEL_PORT_LISTENER:
731 case SSH_CHANNEL_RPORT_LISTENER:
732 case SSH_CHANNEL_MUX_LISTENER:
733 case SSH_CHANNEL_CLOSED:
734 case SSH_CHANNEL_AUTH_SOCKET:
735 case SSH_CHANNEL_DYNAMIC:
736 case SSH_CHANNEL_RDYNAMIC_OPEN:
737 case SSH_CHANNEL_CONNECTING:
738 case SSH_CHANNEL_ZOMBIE:
739 case SSH_CHANNEL_ABANDONED:
740 case SSH_CHANNEL_UNIX_LISTENER:
741 case SSH_CHANNEL_RUNIX_LISTENER:
743 case SSH_CHANNEL_LARVAL:
745 case SSH_CHANNEL_OPENING:
746 case SSH_CHANNEL_OPEN:
747 case SSH_CHANNEL_RDYNAMIC_FINISH:
748 case SSH_CHANNEL_X11_OPEN:
749 case SSH_CHANNEL_MUX_CLIENT:
750 case SSH_CHANNEL_MUX_PROXY:
753 fatal("%s: bad channel type %d", __func__, c->type);
760 /* Returns the id of an open channel suitable for keepaliving */
762 channel_find_open(struct ssh *ssh)
767 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
768 c = ssh->chanctxt->channels[i];
769 if (c == NULL || !c->have_remote_id)
772 case SSH_CHANNEL_CLOSED:
773 case SSH_CHANNEL_DYNAMIC:
774 case SSH_CHANNEL_RDYNAMIC_OPEN:
775 case SSH_CHANNEL_RDYNAMIC_FINISH:
776 case SSH_CHANNEL_X11_LISTENER:
777 case SSH_CHANNEL_PORT_LISTENER:
778 case SSH_CHANNEL_RPORT_LISTENER:
779 case SSH_CHANNEL_MUX_LISTENER:
780 case SSH_CHANNEL_MUX_CLIENT:
781 case SSH_CHANNEL_MUX_PROXY:
782 case SSH_CHANNEL_OPENING:
783 case SSH_CHANNEL_CONNECTING:
784 case SSH_CHANNEL_ZOMBIE:
785 case SSH_CHANNEL_ABANDONED:
786 case SSH_CHANNEL_UNIX_LISTENER:
787 case SSH_CHANNEL_RUNIX_LISTENER:
789 case SSH_CHANNEL_LARVAL:
790 case SSH_CHANNEL_AUTH_SOCKET:
791 case SSH_CHANNEL_OPEN:
792 case SSH_CHANNEL_X11_OPEN:
795 fatal("%s: bad channel type %d", __func__, c->type);
803 * Returns a message describing the currently open forwarded connections,
804 * suitable for sending to the client. The message contains crlf pairs for
808 channel_open_message(struct ssh *ssh)
816 if ((buf = sshbuf_new()) == NULL)
817 fatal("%s: sshbuf_new", __func__);
818 if ((r = sshbuf_putf(buf,
819 "The following connections are open:\r\n")) != 0)
820 fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r));
821 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
822 c = ssh->chanctxt->channels[i];
826 case SSH_CHANNEL_X11_LISTENER:
827 case SSH_CHANNEL_PORT_LISTENER:
828 case SSH_CHANNEL_RPORT_LISTENER:
829 case SSH_CHANNEL_CLOSED:
830 case SSH_CHANNEL_AUTH_SOCKET:
831 case SSH_CHANNEL_ZOMBIE:
832 case SSH_CHANNEL_ABANDONED:
833 case SSH_CHANNEL_MUX_LISTENER:
834 case SSH_CHANNEL_UNIX_LISTENER:
835 case SSH_CHANNEL_RUNIX_LISTENER:
837 case SSH_CHANNEL_LARVAL:
838 case SSH_CHANNEL_OPENING:
839 case SSH_CHANNEL_CONNECTING:
840 case SSH_CHANNEL_DYNAMIC:
841 case SSH_CHANNEL_RDYNAMIC_OPEN:
842 case SSH_CHANNEL_RDYNAMIC_FINISH:
843 case SSH_CHANNEL_OPEN:
844 case SSH_CHANNEL_X11_OPEN:
845 case SSH_CHANNEL_MUX_PROXY:
846 case SSH_CHANNEL_MUX_CLIENT:
847 if ((r = sshbuf_putf(buf, " #%d %.300s "
848 "(t%d %s%u i%u/%zu o%u/%zu fd %d/%d cc %d)\r\n",
849 c->self, c->remote_name,
851 c->have_remote_id ? "r" : "nr", c->remote_id,
852 c->istate, sshbuf_len(c->input),
853 c->ostate, sshbuf_len(c->output),
854 c->rfd, c->wfd, c->ctl_chan)) != 0)
855 fatal("%s: sshbuf_putf: %s",
856 __func__, ssh_err(r));
859 fatal("%s: bad channel type %d", __func__, c->type);
863 if ((ret = sshbuf_dup_string(buf)) == NULL)
864 fatal("%s: sshbuf_dup_string", __func__);
870 open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type)
874 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
875 (r = sshpkt_put_cstring(ssh, type)) != 0 ||
876 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
877 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
878 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
879 fatal("%s: channel %i: open: %s", where, c->self, ssh_err(r));
884 channel_send_open(struct ssh *ssh, int id)
886 Channel *c = channel_lookup(ssh, id);
890 logit("channel_send_open: %d: bad id", id);
893 debug2("channel %d: send open", id);
894 open_preamble(ssh, __func__, c, c->ctype);
895 if ((r = sshpkt_send(ssh)) != 0)
896 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
900 channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
902 Channel *c = channel_lookup(ssh, id);
906 logit("%s: %d: unknown channel id", __func__, id);
909 if (!c->have_remote_id)
910 fatal(":%s: channel %d: no remote id", __func__, c->self);
912 debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
913 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 ||
914 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
915 (r = sshpkt_put_cstring(ssh, service)) != 0 ||
916 (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) {
917 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
922 channel_register_status_confirm(struct ssh *ssh, int id,
923 channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx)
925 struct channel_confirm *cc;
928 if ((c = channel_lookup(ssh, id)) == NULL)
929 fatal("%s: %d: bad id", __func__, id);
931 cc = xcalloc(1, sizeof(*cc));
933 cc->abandon_cb = abandon_cb;
935 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
939 channel_register_open_confirm(struct ssh *ssh, int id,
940 channel_open_fn *fn, void *ctx)
942 Channel *c = channel_lookup(ssh, id);
945 logit("%s: %d: bad id", __func__, id);
948 c->open_confirm = fn;
949 c->open_confirm_ctx = ctx;
953 channel_register_cleanup(struct ssh *ssh, int id,
954 channel_callback_fn *fn, int do_close)
956 Channel *c = channel_by_id(ssh, id);
959 logit("%s: %d: bad id", __func__, id);
963 c->detach_close = do_close;
967 channel_cancel_cleanup(struct ssh *ssh, int id)
969 Channel *c = channel_by_id(ssh, id);
972 logit("%s: %d: bad id", __func__, id);
975 c->detach_user = NULL;
980 channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn,
981 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
983 Channel *c = channel_lookup(ssh, id);
986 logit("%s: %d: bad id", __func__, id);
989 c->input_filter = ifn;
990 c->output_filter = ofn;
992 c->filter_cleanup = cfn;
996 channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
997 int extusage, int nonblock, int is_tty, u_int window_max)
999 Channel *c = channel_lookup(ssh, id);
1002 if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
1003 fatal("channel_activate for non-larval channel %d.", id);
1004 if (!c->have_remote_id)
1005 fatal(":%s: channel %d: no remote id", __func__, c->self);
1007 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
1008 c->type = SSH_CHANNEL_OPEN;
1009 c->local_window = c->local_window_max = window_max;
1011 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
1012 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1013 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1014 (r = sshpkt_send(ssh)) != 0)
1015 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
1019 channel_pre_listener(struct ssh *ssh, Channel *c,
1020 fd_set *readset, fd_set *writeset)
1022 FD_SET(c->sock, readset);
1026 channel_pre_connecting(struct ssh *ssh, Channel *c,
1027 fd_set *readset, fd_set *writeset)
1029 debug3("channel %d: waiting for connection", c->self);
1030 FD_SET(c->sock, writeset);
1034 channel_pre_open(struct ssh *ssh, Channel *c,
1035 fd_set *readset, fd_set *writeset)
1037 if (c->istate == CHAN_INPUT_OPEN &&
1038 c->remote_window > 0 &&
1039 sshbuf_len(c->input) < c->remote_window &&
1040 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1041 FD_SET(c->rfd, readset);
1042 if (c->ostate == CHAN_OUTPUT_OPEN ||
1043 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1044 if (sshbuf_len(c->output) > 0) {
1045 FD_SET(c->wfd, writeset);
1046 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1047 if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
1048 debug2("channel %d: "
1049 "obuf_empty delayed efd %d/(%zu)", c->self,
1050 c->efd, sshbuf_len(c->extended));
1052 chan_obuf_empty(ssh, c);
1055 /** XXX check close conditions, too */
1056 if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED &&
1057 c->ostate == CHAN_OUTPUT_CLOSED)) {
1058 if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1059 sshbuf_len(c->extended) > 0)
1060 FD_SET(c->efd, writeset);
1061 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
1062 (c->extended_usage == CHAN_EXTENDED_READ ||
1063 c->extended_usage == CHAN_EXTENDED_IGNORE) &&
1064 sshbuf_len(c->extended) < c->remote_window)
1065 FD_SET(c->efd, readset);
1067 /* XXX: What about efd? races? */
1071 * This is a special state for X11 authentication spoofing. An opened X11
1072 * connection (when authentication spoofing is being done) remains in this
1073 * state until the first packet has been completely read. The authentication
1074 * data in that packet is then substituted by the real data if it matches the
1075 * fake data, and the channel is put into normal mode.
1076 * XXX All this happens at the client side.
1077 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1080 x11_open_helper(struct ssh *ssh, struct sshbuf *b)
1082 struct ssh_channels *sc = ssh->chanctxt;
1084 u_int proto_len, data_len;
1086 /* Is this being called after the refusal deadline? */
1087 if (sc->x11_refuse_time != 0 &&
1088 (u_int)monotime() >= sc->x11_refuse_time) {
1089 verbose("Rejected X11 connection after ForwardX11Timeout "
1094 /* Check if the fixed size part of the packet is in buffer. */
1095 if (sshbuf_len(b) < 12)
1098 /* Parse the lengths of variable-length fields. */
1099 ucp = sshbuf_mutable_ptr(b);
1100 if (ucp[0] == 0x42) { /* Byte order MSB first. */
1101 proto_len = 256 * ucp[6] + ucp[7];
1102 data_len = 256 * ucp[8] + ucp[9];
1103 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
1104 proto_len = ucp[6] + 256 * ucp[7];
1105 data_len = ucp[8] + 256 * ucp[9];
1107 debug2("Initial X11 packet contains bad byte order byte: 0x%x",
1112 /* Check if the whole packet is in buffer. */
1114 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
1117 /* Check if authentication protocol matches. */
1118 if (proto_len != strlen(sc->x11_saved_proto) ||
1119 memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) {
1120 debug2("X11 connection uses different authentication protocol.");
1123 /* Check if authentication data matches our fake data. */
1124 if (data_len != sc->x11_fake_data_len ||
1125 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
1126 sc->x11_fake_data, sc->x11_fake_data_len) != 0) {
1127 debug2("X11 auth data does not match fake data.");
1130 /* Check fake data length */
1131 if (sc->x11_fake_data_len != sc->x11_saved_data_len) {
1132 error("X11 fake_data_len %d != saved_data_len %d",
1133 sc->x11_fake_data_len, sc->x11_saved_data_len);
1137 * Received authentication protocol and data match
1138 * our fake data. Substitute the fake data with real
1141 memcpy(ucp + 12 + ((proto_len + 3) & ~3),
1142 sc->x11_saved_data, sc->x11_saved_data_len);
1147 channel_pre_x11_open(struct ssh *ssh, Channel *c,
1148 fd_set *readset, fd_set *writeset)
1150 int ret = x11_open_helper(ssh, c->output);
1152 /* c->force_drain = 1; */
1155 c->type = SSH_CHANNEL_OPEN;
1156 channel_pre_open(ssh, c, readset, writeset);
1157 } else if (ret == -1) {
1158 logit("X11 connection rejected because of wrong authentication.");
1159 debug2("X11 rejected %d i%d/o%d",
1160 c->self, c->istate, c->ostate);
1161 chan_read_failed(ssh, c);
1162 sshbuf_reset(c->input);
1163 chan_ibuf_empty(ssh, c);
1164 sshbuf_reset(c->output);
1165 chan_write_failed(ssh, c);
1166 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
1171 channel_pre_mux_client(struct ssh *ssh,
1172 Channel *c, fd_set *readset, fd_set *writeset)
1174 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause &&
1175 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1176 FD_SET(c->rfd, readset);
1177 if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1178 /* clear buffer immediately (discard any partial packet) */
1179 sshbuf_reset(c->input);
1180 chan_ibuf_empty(ssh, c);
1181 /* Start output drain. XXX just kill chan? */
1182 chan_rcvd_oclose(ssh, c);
1184 if (c->ostate == CHAN_OUTPUT_OPEN ||
1185 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1186 if (sshbuf_len(c->output) > 0)
1187 FD_SET(c->wfd, writeset);
1188 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN)
1189 chan_obuf_empty(ssh, c);
1193 /* try to decode a socks4 header */
1195 channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output)
1199 u_int len, have, i, found, need;
1204 u_int16_t dest_port;
1205 struct in_addr dest_addr;
1209 debug2("channel %d: decode socks4", c->self);
1211 have = sshbuf_len(input);
1212 len = sizeof(s4_req);
1215 p = sshbuf_ptr(input);
1218 /* SOCKS4A uses an invalid IP address 0.0.0.x */
1219 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1220 debug2("channel %d: socks4a request", c->self);
1221 /* ... and needs an extra string (the hostname) */
1224 /* Check for terminating NUL on the string(s) */
1225 for (found = 0, i = len; i < have; i++) {
1232 /* the peer is probably sending garbage */
1233 debug("channel %d: decode socks4: too long",
1240 if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 ||
1241 (r = sshbuf_get(input, &s4_req.command, 1)) != 0 ||
1242 (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 ||
1243 (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) {
1244 debug("channels %d: decode socks4: %s", c->self, ssh_err(r));
1247 have = sshbuf_len(input);
1248 p = sshbuf_ptr(input);
1249 if (memchr(p, '\0', have) == NULL) {
1250 error("channel %d: decode socks4: user not nul terminated",
1255 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1256 len++; /* trailing '\0' */
1257 strlcpy(username, p, sizeof(username));
1258 if ((r = sshbuf_consume(input, len)) != 0) {
1259 fatal("%s: channel %d: consume: %s", __func__,
1260 c->self, ssh_err(r));
1264 if (need == 1) { /* SOCKS4: one string */
1265 host = inet_ntoa(s4_req.dest_addr);
1266 c->path = xstrdup(host);
1267 } else { /* SOCKS4A: two strings */
1268 have = sshbuf_len(input);
1269 p = sshbuf_ptr(input);
1270 if (memchr(p, '\0', have) == NULL) {
1271 error("channel %d: decode socks4a: host not nul "
1272 "terminated", c->self);
1276 debug2("channel %d: decode socks4a: host %s/%d",
1278 len++; /* trailing '\0' */
1279 if (len > NI_MAXHOST) {
1280 error("channel %d: hostname \"%.100s\" too long",
1284 c->path = xstrdup(p);
1285 if ((r = sshbuf_consume(input, len)) != 0) {
1286 fatal("%s: channel %d: consume: %s", __func__,
1287 c->self, ssh_err(r));
1290 c->host_port = ntohs(s4_req.dest_port);
1292 debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
1293 c->self, c->path, c->host_port, s4_req.command);
1295 if (s4_req.command != 1) {
1296 debug("channel %d: cannot handle: %s cn %d",
1297 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command);
1300 s4_rsp.version = 0; /* vn: 0 for reply */
1301 s4_rsp.command = 90; /* cd: req granted */
1302 s4_rsp.dest_port = 0; /* ignored */
1303 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */
1304 if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) {
1305 fatal("%s: channel %d: append reply: %s", __func__,
1306 c->self, ssh_err(r));
1311 /* try to decode a socks5 header */
1312 #define SSH_SOCKS5_AUTHDONE 0x1000
1313 #define SSH_SOCKS5_NOAUTH 0x00
1314 #define SSH_SOCKS5_IPV4 0x01
1315 #define SSH_SOCKS5_DOMAIN 0x03
1316 #define SSH_SOCKS5_IPV6 0x04
1317 #define SSH_SOCKS5_CONNECT 0x01
1318 #define SSH_SOCKS5_SUCCESS 0x00
1321 channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
1323 /* XXX use get/put_u8 instead of trusting struct padding */
1330 u_int16_t dest_port;
1331 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1333 u_int have, need, i, found, nmethods, addrlen, af;
1336 debug2("channel %d: decode socks5", c->self);
1337 p = sshbuf_ptr(input);
1340 have = sshbuf_len(input);
1341 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
1342 /* format: ver | nmethods | methods */
1346 if (have < nmethods + 2)
1348 /* look for method: "NO AUTHENTICATION REQUIRED" */
1349 for (found = 0, i = 2; i < nmethods + 2; i++) {
1350 if (p[i] == SSH_SOCKS5_NOAUTH) {
1356 debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
1360 if ((r = sshbuf_consume(input, nmethods + 2)) != 0) {
1361 fatal("%s: channel %d: consume: %s", __func__,
1362 c->self, ssh_err(r));
1364 /* version, method */
1365 if ((r = sshbuf_put_u8(output, 0x05)) != 0 ||
1366 (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0) {
1367 fatal("%s: channel %d: append reply: %s", __func__,
1368 c->self, ssh_err(r));
1370 c->flags |= SSH_SOCKS5_AUTHDONE;
1371 debug2("channel %d: socks5 auth done", c->self);
1372 return 0; /* need more */
1374 debug2("channel %d: socks5 post auth", c->self);
1375 if (have < sizeof(s5_req)+1)
1376 return 0; /* need more */
1377 memcpy(&s5_req, p, sizeof(s5_req));
1378 if (s5_req.version != 0x05 ||
1379 s5_req.command != SSH_SOCKS5_CONNECT ||
1380 s5_req.reserved != 0x00) {
1381 debug2("channel %d: only socks5 connect supported", c->self);
1384 switch (s5_req.atyp){
1385 case SSH_SOCKS5_IPV4:
1389 case SSH_SOCKS5_DOMAIN:
1390 addrlen = p[sizeof(s5_req)];
1393 case SSH_SOCKS5_IPV6:
1398 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
1401 need = sizeof(s5_req) + addrlen + 2;
1402 if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1406 if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) {
1407 fatal("%s: channel %d: consume: %s", __func__,
1408 c->self, ssh_err(r));
1410 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1411 /* host string length */
1412 if ((r = sshbuf_consume(input, 1)) != 0) {
1413 fatal("%s: channel %d: consume: %s", __func__,
1414 c->self, ssh_err(r));
1417 if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 ||
1418 (r = sshbuf_get(input, &dest_port, 2)) != 0) {
1419 debug("channel %d: parse addr/port: %s", c->self, ssh_err(r));
1422 dest_addr[addrlen] = '\0';
1425 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1426 if (addrlen >= NI_MAXHOST) {
1427 error("channel %d: dynamic request: socks5 hostname "
1428 "\"%.100s\" too long", c->self, dest_addr);
1431 c->path = xstrdup(dest_addr);
1433 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
1435 c->path = xstrdup(ntop);
1437 c->host_port = ntohs(dest_port);
1439 debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
1440 c->self, c->path, c->host_port, s5_req.command);
1442 s5_rsp.version = 0x05;
1443 s5_rsp.command = SSH_SOCKS5_SUCCESS;
1444 s5_rsp.reserved = 0; /* ignored */
1445 s5_rsp.atyp = SSH_SOCKS5_IPV4;
1446 dest_port = 0; /* ignored */
1448 if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 ||
1449 (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 ||
1450 (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0)
1451 fatal("%s: channel %d: append reply: %s", __func__,
1452 c->self, ssh_err(r));
1457 channel_connect_stdio_fwd(struct ssh *ssh,
1458 const char *host_to_connect, u_short port_to_connect, int in, int out)
1462 debug("%s %s:%d", __func__, host_to_connect, port_to_connect);
1464 c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
1465 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1466 0, "stdio-forward", /*nonblock*/0);
1468 c->path = xstrdup(host_to_connect);
1469 c->host_port = port_to_connect;
1470 c->listening_port = 0;
1473 channel_register_fds(ssh, c, in, out, -1, 0, 1, 0);
1474 port_open_helper(ssh, c, "direct-tcpip");
1479 /* dynamic port forwarding */
1481 channel_pre_dynamic(struct ssh *ssh, Channel *c,
1482 fd_set *readset, fd_set *writeset)
1488 have = sshbuf_len(c->input);
1489 debug2("channel %d: pre_dynamic: have %d", c->self, have);
1490 /* sshbuf_dump(c->input, stderr); */
1491 /* check if the fixed size part of the packet is in buffer. */
1494 FD_SET(c->sock, readset);
1497 /* try to guess the protocol */
1498 p = sshbuf_ptr(c->input);
1499 /* XXX sshbuf_peek_u8? */
1502 ret = channel_decode_socks4(c, c->input, c->output);
1505 ret = channel_decode_socks5(c, c->input, c->output);
1512 chan_mark_dead(ssh, c);
1513 } else if (ret == 0) {
1514 debug2("channel %d: pre_dynamic: need more", c->self);
1516 FD_SET(c->sock, readset);
1517 if (sshbuf_len(c->output))
1518 FD_SET(c->sock, writeset);
1520 /* switch to the next state */
1521 c->type = SSH_CHANNEL_OPENING;
1522 port_open_helper(ssh, c, "direct-tcpip");
1526 /* simulate read-error */
1528 rdynamic_close(struct ssh *ssh, Channel *c)
1530 c->type = SSH_CHANNEL_OPEN;
1531 chan_read_failed(ssh, c);
1532 sshbuf_reset(c->input);
1533 chan_ibuf_empty(ssh, c);
1534 sshbuf_reset(c->output);
1535 chan_write_failed(ssh, c);
1538 /* reverse dynamic port forwarding */
1540 channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c)
1546 have = sshbuf_len(c->output);
1547 debug2("channel %d: pre_rdynamic: have %d", c->self, have);
1548 /* sshbuf_dump(c->output, stderr); */
1550 if (c->flags & CHAN_EOF_RCVD) {
1551 if ((r = sshbuf_consume(c->output, have)) != 0) {
1552 fatal("%s: channel %d: consume: %s",
1553 __func__, c->self, ssh_err(r));
1555 rdynamic_close(ssh, c);
1558 /* check if the fixed size part of the packet is in buffer. */
1561 /* try to guess the protocol */
1562 p = sshbuf_ptr(c->output);
1565 /* switch input/output for reverse forwarding */
1566 ret = channel_decode_socks4(c, c->output, c->input);
1569 ret = channel_decode_socks5(c, c->output, c->input);
1576 rdynamic_close(ssh, c);
1577 } else if (ret == 0) {
1578 debug2("channel %d: pre_rdynamic: need more", c->self);
1579 /* send socks request to peer */
1580 len = sshbuf_len(c->input);
1581 if (len > 0 && len < c->remote_window) {
1582 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
1583 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1584 (r = sshpkt_put_stringb(ssh, c->input)) != 0 ||
1585 (r = sshpkt_send(ssh)) != 0) {
1586 fatal("%s: channel %i: rdynamic: %s", __func__,
1587 c->self, ssh_err(r));
1589 if ((r = sshbuf_consume(c->input, len)) != 0) {
1590 fatal("%s: channel %d: consume: %s",
1591 __func__, c->self, ssh_err(r));
1593 c->remote_window -= len;
1595 } else if (rdynamic_connect_finish(ssh, c) < 0) {
1596 /* the connect failed */
1597 rdynamic_close(ssh, c);
1601 /* This is our fake X11 server socket. */
1603 channel_post_x11_listener(struct ssh *ssh, Channel *c,
1604 fd_set *readset, fd_set *writeset)
1607 struct sockaddr_storage addr;
1608 int r, newsock, oerrno, remote_port;
1610 char buf[16384], *remote_ipaddr;
1612 if (!FD_ISSET(c->sock, readset))
1615 debug("X11 connection requested.");
1616 addrlen = sizeof(addr);
1617 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1618 if (c->single_connection) {
1620 debug2("single_connection: closing X11 listener.");
1621 channel_close_fd(ssh, &c->sock);
1622 chan_mark_dead(ssh, c);
1626 if (errno != EINTR && errno != EWOULDBLOCK &&
1627 errno != ECONNABORTED)
1628 error("accept: %.100s", strerror(errno));
1629 if (errno == EMFILE || errno == ENFILE)
1630 c->notbefore = monotime() + 1;
1633 set_nodelay(newsock);
1634 remote_ipaddr = get_peer_ipaddr(newsock);
1635 remote_port = get_peer_port(newsock);
1636 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1637 remote_ipaddr, remote_port);
1639 nc = channel_new(ssh, "accepted x11 socket",
1640 SSH_CHANNEL_OPENING, newsock, newsock, -1,
1641 c->local_window_max, c->local_maxpacket, 0, buf, 1);
1642 open_preamble(ssh, __func__, nc, "x11");
1643 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1644 (r = sshpkt_put_u32(ssh, remote_port)) != 0) {
1645 fatal("%s: channel %i: reply %s", __func__,
1646 c->self, ssh_err(r));
1648 if ((r = sshpkt_send(ssh)) != 0)
1649 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r));
1650 free(remote_ipaddr);
1654 port_open_helper(struct ssh *ssh, Channel *c, char *rtype)
1656 char *local_ipaddr = get_local_ipaddr(c->sock);
1657 int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
1658 char *remote_ipaddr = get_peer_ipaddr(c->sock);
1659 int remote_port = get_peer_port(c->sock);
1662 if (remote_port == -1) {
1663 /* Fake addr/port to appease peers that validate it (Tectia) */
1664 free(remote_ipaddr);
1665 remote_ipaddr = xstrdup("127.0.0.1");
1666 remote_port = 65535;
1669 free(c->remote_name);
1670 xasprintf(&c->remote_name,
1671 "%s: listening port %d for %.100s port %d, "
1672 "connect from %.200s port %d to %.100s port %d",
1673 rtype, c->listening_port, c->path, c->host_port,
1674 remote_ipaddr, remote_port, local_ipaddr, local_port);
1676 open_preamble(ssh, __func__, c, rtype);
1677 if (strcmp(rtype, "direct-tcpip") == 0) {
1678 /* target host, port */
1679 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1680 (r = sshpkt_put_u32(ssh, c->host_port)) != 0) {
1681 fatal("%s: channel %i: reply %s", __func__,
1682 c->self, ssh_err(r));
1684 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
1686 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) {
1687 fatal("%s: channel %i: reply %s", __func__,
1688 c->self, ssh_err(r));
1690 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1692 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) {
1693 fatal("%s: channel %i: reply %s", __func__,
1694 c->self, ssh_err(r));
1697 /* listen address, port */
1698 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1699 (r = sshpkt_put_u32(ssh, local_port)) != 0) {
1700 fatal("%s: channel %i: reply %s", __func__,
1701 c->self, ssh_err(r));
1704 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1705 /* reserved for future owner/mode info */
1706 if ((r = sshpkt_put_cstring(ssh, "")) != 0) {
1707 fatal("%s: channel %i: reply %s", __func__,
1708 c->self, ssh_err(r));
1711 /* originator host and port */
1712 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1713 (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) {
1714 fatal("%s: channel %i: reply %s", __func__,
1715 c->self, ssh_err(r));
1718 if ((r = sshpkt_send(ssh)) != 0)
1719 fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r));
1720 free(remote_ipaddr);
1725 channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time)
1727 ssh->chanctxt->x11_refuse_time = refuse_time;
1731 * This socket is listening for connections to a forwarded TCP/IP port.
1734 channel_post_port_listener(struct ssh *ssh, Channel *c,
1735 fd_set *readset, fd_set *writeset)
1738 struct sockaddr_storage addr;
1739 int newsock, nextstate;
1743 if (!FD_ISSET(c->sock, readset))
1746 debug("Connection to port %d forwarding to %.100s port %d requested.",
1747 c->listening_port, c->path, c->host_port);
1749 if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1750 nextstate = SSH_CHANNEL_OPENING;
1751 rtype = "forwarded-tcpip";
1752 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) {
1753 nextstate = SSH_CHANNEL_OPENING;
1754 rtype = "forwarded-streamlocal@openssh.com";
1755 } else if (c->host_port == PORT_STREAMLOCAL) {
1756 nextstate = SSH_CHANNEL_OPENING;
1757 rtype = "direct-streamlocal@openssh.com";
1758 } else if (c->host_port == 0) {
1759 nextstate = SSH_CHANNEL_DYNAMIC;
1760 rtype = "dynamic-tcpip";
1762 nextstate = SSH_CHANNEL_OPENING;
1763 rtype = "direct-tcpip";
1766 addrlen = sizeof(addr);
1767 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1769 if (errno != EINTR && errno != EWOULDBLOCK &&
1770 errno != ECONNABORTED)
1771 error("accept: %.100s", strerror(errno));
1772 if (errno == EMFILE || errno == ENFILE)
1773 c->notbefore = monotime() + 1;
1776 if (c->host_port != PORT_STREAMLOCAL)
1777 set_nodelay(newsock);
1778 nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1,
1779 c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1780 nc->listening_port = c->listening_port;
1781 nc->host_port = c->host_port;
1782 if (c->path != NULL)
1783 nc->path = xstrdup(c->path);
1785 if (nextstate != SSH_CHANNEL_DYNAMIC)
1786 port_open_helper(ssh, nc, rtype);
1790 * This is the authentication agent socket listening for connections from
1794 channel_post_auth_listener(struct ssh *ssh, Channel *c,
1795 fd_set *readset, fd_set *writeset)
1799 struct sockaddr_storage addr;
1802 if (!FD_ISSET(c->sock, readset))
1805 addrlen = sizeof(addr);
1806 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1808 error("accept from auth socket: %.100s", strerror(errno));
1809 if (errno == EMFILE || errno == ENFILE)
1810 c->notbefore = monotime() + 1;
1813 nc = channel_new(ssh, "accepted auth socket",
1814 SSH_CHANNEL_OPENING, newsock, newsock, -1,
1815 c->local_window_max, c->local_maxpacket,
1816 0, "accepted auth socket", 1);
1817 open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
1818 if ((r = sshpkt_send(ssh)) != 0)
1819 fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
1823 channel_post_connecting(struct ssh *ssh, Channel *c,
1824 fd_set *readset, fd_set *writeset)
1826 int err = 0, sock, isopen, r;
1827 socklen_t sz = sizeof(err);
1829 if (!FD_ISSET(c->sock, writeset))
1831 if (!c->have_remote_id)
1832 fatal(":%s: channel %d: no remote id", __func__, c->self);
1833 /* for rdynamic the OPEN_CONFIRMATION has been sent already */
1834 isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH);
1835 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) {
1837 error("getsockopt SO_ERROR failed");
1840 debug("channel %d: connected to %s port %d",
1841 c->self, c->connect_ctx.host, c->connect_ctx.port);
1842 channel_connect_ctx_free(&c->connect_ctx);
1843 c->type = SSH_CHANNEL_OPEN;
1845 /* no message necessary */
1847 if ((r = sshpkt_start(ssh,
1848 SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
1849 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1850 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
1851 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1852 (r = sshpkt_put_u32(ssh, c->local_maxpacket))
1854 fatal("%s: channel %i: confirm: %s", __func__,
1855 c->self, ssh_err(r));
1856 if ((r = sshpkt_send(ssh)) != 0)
1857 fatal("%s: channel %i: %s", __func__, c->self,
1861 debug("channel %d: connection failed: %s",
1862 c->self, strerror(err));
1863 /* Try next address, if any */
1864 if ((sock = connect_next(&c->connect_ctx)) > 0) {
1866 c->sock = c->rfd = c->wfd = sock;
1867 channel_find_maxfd(ssh->chanctxt);
1870 /* Exhausted all addresses */
1871 error("connect_to %.100s port %d: failed.",
1872 c->connect_ctx.host, c->connect_ctx.port);
1873 channel_connect_ctx_free(&c->connect_ctx);
1875 rdynamic_close(ssh, c);
1877 if ((r = sshpkt_start(ssh,
1878 SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
1879 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1880 (r = sshpkt_put_u32(ssh,
1881 SSH2_OPEN_CONNECT_FAILED)) != 0 ||
1882 (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
1883 (r = sshpkt_put_cstring(ssh, "")) != 0) {
1884 fatal("%s: channel %i: failure: %s", __func__,
1885 c->self, ssh_err(r));
1887 if ((r = sshpkt_send(ssh)) != 0)
1888 fatal("%s: channel %i: %s", __func__, c->self,
1890 chan_mark_dead(ssh, c);
1896 channel_handle_rfd(struct ssh *ssh, Channel *c,
1897 fd_set *readset, fd_set *writeset)
1899 char buf[CHAN_RBUF];
1903 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
1905 if (c->rfd == -1 || (!force && !FD_ISSET(c->rfd, readset)))
1909 len = read(c->rfd, buf, sizeof(buf));
1910 if (len < 0 && (errno == EINTR ||
1911 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force)))
1913 #ifndef PTY_ZEROREAD
1916 if ((!c->isatty && len <= 0) ||
1917 (c->isatty && (len < 0 || (len == 0 && errno != 0)))) {
1919 debug2("channel %d: read<=0 rfd %d len %zd",
1920 c->self, c->rfd, len);
1921 if (c->type != SSH_CHANNEL_OPEN) {
1922 debug2("channel %d: not open", c->self);
1923 chan_mark_dead(ssh, c);
1926 chan_read_failed(ssh, c);
1930 if (c->input_filter != NULL) {
1931 if (c->input_filter(ssh, c, buf, len) == -1) {
1932 debug2("channel %d: filter stops", c->self);
1933 chan_read_failed(ssh, c);
1935 } else if (c->datagram) {
1936 if ((r = sshbuf_put_string(c->input, buf, len)) != 0)
1937 fatal("%s: channel %d: put datagram: %s", __func__,
1938 c->self, ssh_err(r));
1939 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) {
1940 fatal("%s: channel %d: put data: %s", __func__,
1941 c->self, ssh_err(r));
1947 channel_handle_wfd(struct ssh *ssh, Channel *c,
1948 fd_set *readset, fd_set *writeset)
1951 u_char *data = NULL, *buf; /* XXX const; need filter API change */
1952 size_t dlen, olen = 0;
1955 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) ||
1956 sshbuf_len(c->output) == 0)
1959 /* Send buffered output data to the socket. */
1960 olen = sshbuf_len(c->output);
1961 if (c->output_filter != NULL) {
1962 if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) {
1963 debug2("channel %d: filter stops", c->self);
1964 if (c->type != SSH_CHANNEL_OPEN)
1965 chan_mark_dead(ssh, c);
1967 chan_write_failed(ssh, c);
1970 } else if (c->datagram) {
1971 if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0)
1972 fatal("%s: channel %d: get datagram: %s", __func__,
1973 c->self, ssh_err(r));
1976 buf = data = sshbuf_mutable_ptr(c->output);
1977 dlen = sshbuf_len(c->output);
1981 /* ignore truncated writes, datagrams might get lost */
1982 len = write(c->wfd, buf, dlen);
1984 if (len < 0 && (errno == EINTR || errno == EAGAIN ||
1985 errno == EWOULDBLOCK))
1993 /* XXX: Later AIX versions can't push as much data to tty */
1995 dlen = MIN(dlen, 8*1024);
1998 len = write(c->wfd, buf, dlen);
2000 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK))
2004 if (c->type != SSH_CHANNEL_OPEN) {
2005 debug2("channel %d: not open", c->self);
2006 chan_mark_dead(ssh, c);
2009 chan_write_failed(ssh, c);
2013 #ifndef BROKEN_TCGETATTR_ICANON
2014 if (c->isatty && dlen >= 1 && buf[0] != '\r') {
2015 if (tcgetattr(c->wfd, &tio) == 0 &&
2016 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
2018 * Simulate echo to reduce the impact of
2019 * traffic analysis. We need to match the
2020 * size of a SSH2_MSG_CHANNEL_DATA message
2021 * (4 byte channel id + buf)
2023 if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 ||
2024 (r = sshpkt_send(ssh)) != 0)
2025 fatal("%s: channel %d: ignore: %s",
2026 __func__, c->self, ssh_err(r));
2029 #endif /* BROKEN_TCGETATTR_ICANON */
2030 if ((r = sshbuf_consume(c->output, len)) != 0) {
2031 fatal("%s: channel %d: consume: %s",
2032 __func__, c->self, ssh_err(r));
2035 c->local_consumed += olen - sshbuf_len(c->output);
2041 channel_handle_efd_write(struct ssh *ssh, Channel *c,
2042 fd_set *readset, fd_set *writeset)
2047 if (!FD_ISSET(c->efd, writeset) || sshbuf_len(c->extended) == 0)
2050 len = write(c->efd, sshbuf_ptr(c->extended),
2051 sshbuf_len(c->extended));
2052 debug2("channel %d: written %zd to efd %d", c->self, len, c->efd);
2053 if (len < 0 && (errno == EINTR || errno == EAGAIN ||
2054 errno == EWOULDBLOCK))
2057 debug2("channel %d: closing write-efd %d", c->self, c->efd);
2058 channel_close_fd(ssh, &c->efd);
2060 if ((r = sshbuf_consume(c->extended, len)) != 0) {
2061 fatal("%s: channel %d: consume: %s",
2062 __func__, c->self, ssh_err(r));
2064 c->local_consumed += len;
2070 channel_handle_efd_read(struct ssh *ssh, Channel *c,
2071 fd_set *readset, fd_set *writeset)
2073 char buf[CHAN_RBUF];
2077 if (!c->detach_close && !FD_ISSET(c->efd, readset))
2080 len = read(c->efd, buf, sizeof(buf));
2081 debug2("channel %d: read %zd from efd %d", c->self, len, c->efd);
2082 if (len < 0 && (errno == EINTR || ((errno == EAGAIN ||
2083 errno == EWOULDBLOCK) && !c->detach_close)))
2086 debug2("channel %d: closing read-efd %d",
2088 channel_close_fd(ssh, &c->efd);
2090 if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
2091 debug3("channel %d: discard efd",
2093 } else if ((r = sshbuf_put(c->extended, buf, len)) != 0) {
2094 fatal("%s: channel %d: append: %s",
2095 __func__, c->self, ssh_err(r));
2102 channel_handle_efd(struct ssh *ssh, Channel *c,
2103 fd_set *readset, fd_set *writeset)
2108 /** XXX handle drain efd, too */
2110 if (c->extended_usage == CHAN_EXTENDED_WRITE)
2111 return channel_handle_efd_write(ssh, c, readset, writeset);
2112 else if (c->extended_usage == CHAN_EXTENDED_READ ||
2113 c->extended_usage == CHAN_EXTENDED_IGNORE)
2114 return channel_handle_efd_read(ssh, c, readset, writeset);
2120 channel_check_window(struct ssh *ssh, Channel *c)
2124 if (c->type == SSH_CHANNEL_OPEN &&
2125 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
2126 ((c->local_window_max - c->local_window >
2127 c->local_maxpacket*3) ||
2128 c->local_window < c->local_window_max/2) &&
2129 c->local_consumed > 0) {
2130 if (!c->have_remote_id)
2131 fatal(":%s: channel %d: no remote id",
2133 if ((r = sshpkt_start(ssh,
2134 SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
2135 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2136 (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
2137 (r = sshpkt_send(ssh)) != 0) {
2138 fatal("%s: channel %i: %s", __func__,
2139 c->self, ssh_err(r));
2141 debug2("channel %d: window %d sent adjust %d",
2142 c->self, c->local_window,
2144 c->local_window += c->local_consumed;
2145 c->local_consumed = 0;
2151 channel_post_open(struct ssh *ssh, Channel *c,
2152 fd_set *readset, fd_set *writeset)
2154 channel_handle_rfd(ssh, c, readset, writeset);
2155 channel_handle_wfd(ssh, c, readset, writeset);
2156 channel_handle_efd(ssh, c, readset, writeset);
2157 channel_check_window(ssh, c);
2161 read_mux(struct ssh *ssh, Channel *c, u_int need)
2163 char buf[CHAN_RBUF];
2168 if (sshbuf_len(c->input) < need) {
2169 rlen = need - sshbuf_len(c->input);
2170 len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF));
2171 if (len < 0 && (errno == EINTR || errno == EAGAIN))
2172 return sshbuf_len(c->input);
2174 debug2("channel %d: ctl read<=0 rfd %d len %zd",
2175 c->self, c->rfd, len);
2176 chan_read_failed(ssh, c);
2178 } else if ((r = sshbuf_put(c->input, buf, len)) != 0) {
2179 fatal("%s: channel %d: append: %s",
2180 __func__, c->self, ssh_err(r));
2183 return sshbuf_len(c->input);
2187 channel_post_mux_client_read(struct ssh *ssh, Channel *c,
2188 fd_set *readset, fd_set *writeset)
2192 if (c->rfd == -1 || !FD_ISSET(c->rfd, readset))
2194 if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN)
2200 * Don't not read past the precise end of packets to
2201 * avoid disrupting fd passing.
2203 if (read_mux(ssh, c, 4) < 4) /* read header */
2205 /* XXX sshbuf_peek_u32 */
2206 need = PEEK_U32(sshbuf_ptr(c->input));
2207 #define CHANNEL_MUX_MAX_PACKET (256 * 1024)
2208 if (need > CHANNEL_MUX_MAX_PACKET) {
2209 debug2("channel %d: packet too big %u > %u",
2210 c->self, CHANNEL_MUX_MAX_PACKET, need);
2211 chan_rcvd_oclose(ssh, c);
2214 if (read_mux(ssh, c, need + 4) < need + 4) /* read body */
2216 if (c->mux_rcb(ssh, c) != 0) {
2217 debug("channel %d: mux_rcb failed", c->self);
2218 chan_mark_dead(ssh, c);
2224 channel_post_mux_client_write(struct ssh *ssh, Channel *c,
2225 fd_set *readset, fd_set *writeset)
2230 if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) ||
2231 sshbuf_len(c->output) == 0)
2234 len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output));
2235 if (len < 0 && (errno == EINTR || errno == EAGAIN))
2238 chan_mark_dead(ssh, c);
2241 if ((r = sshbuf_consume(c->output, len)) != 0)
2242 fatal("%s: channel %d: consume: %s", __func__,
2243 c->self, ssh_err(r));
2247 channel_post_mux_client(struct ssh *ssh, Channel *c,
2248 fd_set *readset, fd_set *writeset)
2250 channel_post_mux_client_read(ssh, c, readset, writeset);
2251 channel_post_mux_client_write(ssh, c, readset, writeset);
2255 channel_post_mux_listener(struct ssh *ssh, Channel *c,
2256 fd_set *readset, fd_set *writeset)
2259 struct sockaddr_storage addr;
2265 if (!FD_ISSET(c->sock, readset))
2268 debug("multiplexing control connection");
2271 * Accept connection on control socket
2273 memset(&addr, 0, sizeof(addr));
2274 addrlen = sizeof(addr);
2275 if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
2277 error("%s accept: %s", __func__, strerror(errno));
2278 if (errno == EMFILE || errno == ENFILE)
2279 c->notbefore = monotime() + 1;
2283 if (getpeereid(newsock, &euid, &egid) < 0) {
2284 error("%s getpeereid failed: %s", __func__,
2289 if ((euid != 0) && (getuid() != euid)) {
2290 error("multiplex uid mismatch: peer euid %u != uid %u",
2291 (u_int)euid, (u_int)getuid());
2295 nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT,
2296 newsock, newsock, -1, c->local_window_max,
2297 c->local_maxpacket, 0, "mux-control", 1);
2298 nc->mux_rcb = c->mux_rcb;
2299 debug3("%s: new mux channel %d fd %d", __func__, nc->self, nc->sock);
2300 /* establish state */
2301 nc->mux_rcb(ssh, nc);
2302 /* mux state transitions must not elicit protocol messages */
2303 nc->flags |= CHAN_LOCAL;
2307 channel_handler_init(struct ssh_channels *sc)
2309 chan_fn **pre, **post;
2311 if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL ||
2312 (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL)
2313 fatal("%s: allocation failed", __func__);
2315 pre[SSH_CHANNEL_OPEN] = &channel_pre_open;
2316 pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
2317 pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
2318 pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
2319 pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener;
2320 pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener;
2321 pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
2322 pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
2323 pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
2324 pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
2325 pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting;
2326 pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener;
2327 pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client;
2329 post[SSH_CHANNEL_OPEN] = &channel_post_open;
2330 post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
2331 post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
2332 post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener;
2333 post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener;
2334 post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
2335 post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
2336 post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
2337 post[SSH_CHANNEL_DYNAMIC] = &channel_post_open;
2338 post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting;
2339 post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener;
2340 post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client;
2342 sc->channel_pre = pre;
2343 sc->channel_post = post;
2346 /* gc dead channels */
2348 channel_garbage_collect(struct ssh *ssh, Channel *c)
2352 if (c->detach_user != NULL) {
2353 if (!chan_is_dead(ssh, c, c->detach_close))
2355 debug2("channel %d: gc: notify user", c->self);
2356 c->detach_user(ssh, c->self, NULL);
2357 /* if we still have a callback */
2358 if (c->detach_user != NULL)
2360 debug2("channel %d: gc: user detached", c->self);
2362 if (!chan_is_dead(ssh, c, 1))
2364 debug2("channel %d: garbage collecting", c->self);
2365 channel_free(ssh, c);
2368 enum channel_table { CHAN_PRE, CHAN_POST };
2371 channel_handler(struct ssh *ssh, int table,
2372 fd_set *readset, fd_set *writeset, time_t *unpause_secs)
2374 struct ssh_channels *sc = ssh->chanctxt;
2375 chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post;
2381 if (unpause_secs != NULL)
2383 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2384 c = sc->channels[i];
2388 if (table == CHAN_PRE)
2393 if (ftab[c->type] != NULL) {
2395 * Run handlers that are not paused.
2397 if (c->notbefore <= now)
2398 (*ftab[c->type])(ssh, c, readset, writeset);
2399 else if (unpause_secs != NULL) {
2401 * Collect the time that the earliest
2402 * channel comes off pause.
2404 debug3("%s: chan %d: skip for %d more seconds",
2406 (int)(c->notbefore - now));
2407 if (*unpause_secs == 0 ||
2408 (c->notbefore - now) < *unpause_secs)
2409 *unpause_secs = c->notbefore - now;
2412 channel_garbage_collect(ssh, c);
2414 if (unpause_secs != NULL && *unpause_secs != 0)
2415 debug3("%s: first channel unpauses in %d seconds",
2416 __func__, (int)*unpause_secs);
2420 * Create sockets before allocating the select bitmasks.
2421 * This is necessary for things that need to happen after reading
2422 * the network-input but before channel_prepare_select().
2425 channel_before_prepare_select(struct ssh *ssh)
2427 struct ssh_channels *sc = ssh->chanctxt;
2431 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2432 c = sc->channels[i];
2435 if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN)
2436 channel_before_prepare_select_rdynamic(ssh, c);
2441 * Allocate/update select bitmasks and add any bits relevant to channels in
2445 channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp,
2446 int *maxfdp, u_int *nallocp, time_t *minwait_secs)
2448 u_int n, sz, nfdset;
2450 channel_before_prepare_select(ssh); /* might update channel_max_fd */
2452 n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd);
2454 nfdset = howmany(n+1, NFDBITS);
2455 /* Explicitly test here, because xrealloc isn't always called */
2456 if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask))
2457 fatal("channel_prepare_select: max_fd (%d) is too large", n);
2458 sz = nfdset * sizeof(fd_mask);
2460 /* perhaps check sz < nalloc/2 and shrink? */
2461 if (*readsetp == NULL || sz > *nallocp) {
2462 *readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask));
2463 *writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask));
2467 memset(*readsetp, 0, sz);
2468 memset(*writesetp, 0, sz);
2470 if (!ssh_packet_is_rekeying(ssh))
2471 channel_handler(ssh, CHAN_PRE, *readsetp, *writesetp,
2476 * After select, perform any appropriate operations for channels which have
2480 channel_after_select(struct ssh *ssh, fd_set *readset, fd_set *writeset)
2482 channel_handler(ssh, CHAN_POST, readset, writeset, NULL);
2486 * Enqueue data for channels with open or draining c->input.
2489 channel_output_poll_input_open(struct ssh *ssh, Channel *c)
2495 if ((len = sshbuf_len(c->input)) == 0) {
2496 if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
2498 * input-buffer is empty and read-socket shutdown:
2499 * tell peer, that we will not send more data:
2501 * hack for extended data: delay EOF if EFD still
2504 if (CHANNEL_EFD_INPUT_ACTIVE(c))
2505 debug2("channel %d: "
2506 "ibuf_empty delayed efd %d/(%zu)",
2507 c->self, c->efd, sshbuf_len(c->extended));
2509 chan_ibuf_empty(ssh, c);
2514 if (!c->have_remote_id)
2515 fatal(":%s: channel %d: no remote id", __func__, c->self);
2518 /* Check datagram will fit; drop if not */
2519 if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0)
2520 fatal("%s: channel %d: get datagram: %s", __func__,
2521 c->self, ssh_err(r));
2523 * XXX this does tail-drop on the datagram queue which is
2524 * usually suboptimal compared to head-drop. Better to have
2525 * backpressure at read time? (i.e. read + discard)
2527 if (plen > c->remote_window || plen > c->remote_maxpacket) {
2528 debug("channel %d: datagram too big", c->self);
2532 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2533 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2534 (r = sshpkt_put_string(ssh, pkt, plen)) != 0 ||
2535 (r = sshpkt_send(ssh)) != 0) {
2536 fatal("%s: channel %i: datagram: %s", __func__,
2537 c->self, ssh_err(r));
2539 c->remote_window -= plen;
2543 /* Enqueue packet for buffered data. */
2544 if (len > c->remote_window)
2545 len = c->remote_window;
2546 if (len > c->remote_maxpacket)
2547 len = c->remote_maxpacket;
2550 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2551 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2552 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 ||
2553 (r = sshpkt_send(ssh)) != 0) {
2554 fatal("%s: channel %i: data: %s", __func__,
2555 c->self, ssh_err(r));
2557 if ((r = sshbuf_consume(c->input, len)) != 0)
2558 fatal("%s: channel %i: consume: %s", __func__,
2559 c->self, ssh_err(r));
2560 c->remote_window -= len;
2564 * Enqueue data for channels with open c->extended in read mode.
2567 channel_output_poll_extended_read(struct ssh *ssh, Channel *c)
2572 if ((len = sshbuf_len(c->extended)) == 0)
2575 debug2("channel %d: rwin %u elen %zu euse %d", c->self,
2576 c->remote_window, sshbuf_len(c->extended), c->extended_usage);
2577 if (len > c->remote_window)
2578 len = c->remote_window;
2579 if (len > c->remote_maxpacket)
2580 len = c->remote_maxpacket;
2583 if (!c->have_remote_id)
2584 fatal(":%s: channel %d: no remote id", __func__, c->self);
2585 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 ||
2586 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2587 (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 ||
2588 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 ||
2589 (r = sshpkt_send(ssh)) != 0) {
2590 fatal("%s: channel %i: data: %s", __func__,
2591 c->self, ssh_err(r));
2593 if ((r = sshbuf_consume(c->extended, len)) != 0)
2594 fatal("%s: channel %i: consume: %s", __func__,
2595 c->self, ssh_err(r));
2596 c->remote_window -= len;
2597 debug2("channel %d: sent ext data %zu", c->self, len);
2600 /* If there is data to send to the connection, enqueue some of it now. */
2602 channel_output_poll(struct ssh *ssh)
2604 struct ssh_channels *sc = ssh->chanctxt;
2608 for (i = 0; i < sc->channels_alloc; i++) {
2609 c = sc->channels[i];
2614 * We are only interested in channels that can have buffered
2617 if (c->type != SSH_CHANNEL_OPEN)
2619 if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
2620 /* XXX is this true? */
2621 debug3("channel %d: will not send data after close",
2626 /* Get the amount of buffered data for this channel. */
2627 if (c->istate == CHAN_INPUT_OPEN ||
2628 c->istate == CHAN_INPUT_WAIT_DRAIN)
2629 channel_output_poll_input_open(ssh, c);
2630 /* Send extended data, i.e. stderr */
2631 if (!(c->flags & CHAN_EOF_SENT) &&
2632 c->extended_usage == CHAN_EXTENDED_READ)
2633 channel_output_poll_extended_read(ssh, c);
2637 /* -- mux proxy support */
2640 * When multiplexing channel messages for mux clients we have to deal
2641 * with downstream messages from the mux client and upstream messages
2642 * from the ssh server:
2643 * 1) Handling downstream messages is straightforward and happens
2644 * in channel_proxy_downstream():
2645 * - We forward all messages (mostly) unmodified to the server.
2646 * - However, in order to route messages from upstream to the correct
2647 * downstream client, we have to replace the channel IDs used by the
2648 * mux clients with a unique channel ID because the mux clients might
2649 * use conflicting channel IDs.
2650 * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
2651 * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
2652 * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
2653 * with the newly allocated channel ID.
2654 * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
2655 * channels and processed by channel_proxy_upstream(). The local channel ID
2656 * is then translated back to the original mux client ID.
2657 * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
2658 * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
2659 * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
2660 * downstream mux client are removed.
2661 * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
2662 * requires more work, because they are not addressed to a specific
2663 * channel. E.g. client_request_forwarded_tcpip() needs to figure
2664 * out whether the request is addressed to the local client or a
2665 * specific downstream client based on the listen-address/port.
2666 * 6) Agent and X11-Forwarding have a similar problem and are currently
2667 * not supported as the matching session/channel cannot be identified
2672 * receive packets from downstream mux clients:
2673 * channel callback fired on read from mux client, creates
2674 * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
2675 * on channel creation.
2678 channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
2681 struct sshbuf *original = NULL, *modified = NULL;
2683 char *ctype = NULL, *listen_host = NULL;
2687 u_int id, remote_id, listen_port;
2689 /* sshbuf_dump(downstream->input, stderr); */
2690 if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have))
2692 error("%s: malformed message: %s", __func__, ssh_err(r));
2696 error("%s: short message", __func__);
2700 /* skip padlen + type */
2703 if (ssh_packet_log_type(type))
2704 debug3("%s: channel %u: down->up: type %u", __func__,
2705 downstream->self, type);
2708 case SSH2_MSG_CHANNEL_OPEN:
2709 if ((original = sshbuf_from(cp, have)) == NULL ||
2710 (modified = sshbuf_new()) == NULL) {
2711 error("%s: alloc", __func__);
2714 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 ||
2715 (r = sshbuf_get_u32(original, &id)) != 0) {
2716 error("%s: parse error %s", __func__, ssh_err(r));
2719 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
2720 -1, -1, -1, 0, 0, 0, ctype, 1);
2721 c->mux_ctx = downstream; /* point to mux client */
2722 c->mux_downstream_id = id; /* original downstream id */
2723 if ((r = sshbuf_put_cstring(modified, ctype)) != 0 ||
2724 (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2725 (r = sshbuf_putb(modified, original)) != 0) {
2726 error("%s: compose error %s", __func__, ssh_err(r));
2727 channel_free(ssh, c);
2731 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2733 * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
2734 * need to parse 'remote_id' instead of 'ctype'.
2736 if ((original = sshbuf_from(cp, have)) == NULL ||
2737 (modified = sshbuf_new()) == NULL) {
2738 error("%s: alloc", __func__);
2741 if ((r = sshbuf_get_u32(original, &remote_id)) != 0 ||
2742 (r = sshbuf_get_u32(original, &id)) != 0) {
2743 error("%s: parse error %s", __func__, ssh_err(r));
2746 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
2747 -1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
2748 c->mux_ctx = downstream; /* point to mux client */
2749 c->mux_downstream_id = id;
2750 c->remote_id = remote_id;
2751 c->have_remote_id = 1;
2752 if ((r = sshbuf_put_u32(modified, remote_id)) != 0 ||
2753 (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2754 (r = sshbuf_putb(modified, original)) != 0) {
2755 error("%s: compose error %s", __func__, ssh_err(r));
2756 channel_free(ssh, c);
2760 case SSH2_MSG_GLOBAL_REQUEST:
2761 if ((original = sshbuf_from(cp, have)) == NULL) {
2762 error("%s: alloc", __func__);
2765 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) {
2766 error("%s: parse error %s", __func__, ssh_err(r));
2769 if (strcmp(ctype, "tcpip-forward") != 0) {
2770 error("%s: unsupported request %s", __func__, ctype);
2773 if ((r = sshbuf_get_u8(original, NULL)) != 0 ||
2774 (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 ||
2775 (r = sshbuf_get_u32(original, &listen_port)) != 0) {
2776 error("%s: parse error %s", __func__, ssh_err(r));
2779 if (listen_port > 65535) {
2780 error("%s: tcpip-forward for %s: bad port %u",
2781 __func__, listen_host, listen_port);
2784 /* Record that connection to this host/port is permitted. */
2785 permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
2786 listen_host, NULL, (int)listen_port, downstream);
2789 case SSH2_MSG_CHANNEL_CLOSE:
2792 remote_id = PEEK_U32(cp);
2793 if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) {
2794 if (c->flags & CHAN_CLOSE_RCVD)
2795 channel_free(ssh, c);
2797 c->flags |= CHAN_CLOSE_SENT;
2802 if ((r = sshpkt_start(ssh, type)) != 0 ||
2803 (r = sshpkt_putb(ssh, modified)) != 0 ||
2804 (r = sshpkt_send(ssh)) != 0) {
2805 error("%s: send %s", __func__, ssh_err(r));
2809 if ((r = sshpkt_start(ssh, type)) != 0 ||
2810 (r = sshpkt_put(ssh, cp, have)) != 0 ||
2811 (r = sshpkt_send(ssh)) != 0) {
2812 error("%s: send %s", __func__, ssh_err(r));
2820 sshbuf_free(original);
2821 sshbuf_free(modified);
2826 * receive packets from upstream server and de-multiplex packets
2827 * to correct downstream:
2828 * implemented as a helper for channel input handlers,
2829 * replaces local (proxy) channel ID with downstream channel ID.
2832 channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh)
2834 struct sshbuf *b = NULL;
2835 Channel *downstream;
2836 const u_char *cp = NULL;
2841 * When receiving packets from the peer we need to check whether we
2842 * need to forward the packets to the mux client. In this case we
2843 * restore the original channel id and keep track of CLOSE messages,
2844 * so we can cleanup the channel.
2846 if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY)
2848 if ((downstream = c->mux_ctx) == NULL)
2851 case SSH2_MSG_CHANNEL_CLOSE:
2852 case SSH2_MSG_CHANNEL_DATA:
2853 case SSH2_MSG_CHANNEL_EOF:
2854 case SSH2_MSG_CHANNEL_EXTENDED_DATA:
2855 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2856 case SSH2_MSG_CHANNEL_OPEN_FAILURE:
2857 case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
2858 case SSH2_MSG_CHANNEL_SUCCESS:
2859 case SSH2_MSG_CHANNEL_FAILURE:
2860 case SSH2_MSG_CHANNEL_REQUEST:
2863 debug2("%s: channel %u: unsupported type %u", __func__,
2867 if ((b = sshbuf_new()) == NULL) {
2868 error("%s: alloc reply", __func__);
2871 /* get remaining payload (after id) */
2872 cp = sshpkt_ptr(ssh, &len);
2874 error("%s: no packet", __func__);
2877 /* translate id and send to muxclient */
2878 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */
2879 (r = sshbuf_put_u8(b, type)) != 0 ||
2880 (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 ||
2881 (r = sshbuf_put(b, cp, len)) != 0 ||
2882 (r = sshbuf_put_stringb(downstream->output, b)) != 0) {
2883 error("%s: compose for muxclient %s", __func__, ssh_err(r));
2886 /* sshbuf_dump(b, stderr); */
2887 if (ssh_packet_log_type(type))
2888 debug3("%s: channel %u: up->down: type %u", __func__, c->self,
2893 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2894 /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
2895 if (cp && len > 4) {
2896 c->remote_id = PEEK_U32(cp);
2897 c->have_remote_id = 1;
2900 case SSH2_MSG_CHANNEL_CLOSE:
2901 if (c->flags & CHAN_CLOSE_SENT)
2902 channel_free(ssh, c);
2904 c->flags |= CHAN_CLOSE_RCVD;
2911 /* -- protocol input */
2913 /* Parse a channel ID from the current packet */
2915 channel_parse_id(struct ssh *ssh, const char *where, const char *what)
2920 if ((r = sshpkt_get_u32(ssh, &id)) != 0) {
2921 error("%s: parse id: %s", where, ssh_err(r));
2922 ssh_packet_disconnect(ssh, "Invalid %s message", what);
2925 error("%s: bad channel id %u: %s", where, id, ssh_err(r));
2926 ssh_packet_disconnect(ssh, "Invalid %s channel id", what);
2931 /* Lookup a channel from an ID in the current packet */
2933 channel_from_packet_id(struct ssh *ssh, const char *where, const char *what)
2935 int id = channel_parse_id(ssh, where, what);
2938 if ((c = channel_lookup(ssh, id)) == NULL) {
2939 ssh_packet_disconnect(ssh,
2940 "%s packet referred to nonexistent channel %d", what, id);
2946 channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
2949 size_t data_len, win_len;
2950 Channel *c = channel_from_packet_id(ssh, __func__, "data");
2953 if (channel_proxy_upstream(c, type, seq, ssh))
2956 /* Ignore any data for non-open channels (might happen on close) */
2957 if (c->type != SSH_CHANNEL_OPEN &&
2958 c->type != SSH_CHANNEL_RDYNAMIC_OPEN &&
2959 c->type != SSH_CHANNEL_RDYNAMIC_FINISH &&
2960 c->type != SSH_CHANNEL_X11_OPEN)
2964 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0)
2965 fatal("%s: channel %d: get data: %s", __func__,
2966 c->self, ssh_err(r));
2967 ssh_packet_check_eom(ssh);
2971 win_len += 4; /* string length header */
2974 * The sending side reduces its window as it sends data, so we
2975 * must 'fake' consumption of the data in order to ensure that window
2976 * updates are sent back. Otherwise the connection might deadlock.
2978 if (c->ostate != CHAN_OUTPUT_OPEN) {
2979 c->local_window -= win_len;
2980 c->local_consumed += win_len;
2984 if (win_len > c->local_maxpacket) {
2985 logit("channel %d: rcvd big packet %zu, maxpack %u",
2986 c->self, win_len, c->local_maxpacket);
2989 if (win_len > c->local_window) {
2990 logit("channel %d: rcvd too much data %zu, win %u",
2991 c->self, win_len, c->local_window);
2994 c->local_window -= win_len;
2997 if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
2998 fatal("%s: channel %d: append datagram: %s",
2999 __func__, c->self, ssh_err(r));
3000 } else if ((r = sshbuf_put(c->output, data, data_len)) != 0)
3001 fatal("%s: channel %d: append data: %s",
3002 __func__, c->self, ssh_err(r));
3008 channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
3013 Channel *c = channel_from_packet_id(ssh, __func__, "extended data");
3016 if (channel_proxy_upstream(c, type, seq, ssh))
3018 if (c->type != SSH_CHANNEL_OPEN) {
3019 logit("channel %d: ext data for non open", c->self);
3022 if (c->flags & CHAN_EOF_RCVD) {
3023 if (datafellows & SSH_BUG_EXTEOF)
3024 debug("channel %d: accepting ext data after eof",
3027 ssh_packet_disconnect(ssh, "Received extended_data "
3028 "after EOF on channel %d.", c->self);
3031 if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) {
3032 error("%s: parse tcode: %s", __func__, ssh_err(r));
3033 ssh_packet_disconnect(ssh, "Invalid extended_data message");
3036 c->extended_usage != CHAN_EXTENDED_WRITE ||
3037 tcode != SSH2_EXTENDED_DATA_STDERR) {
3038 logit("channel %d: bad ext data", c->self);
3041 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0) {
3042 error("%s: parse data: %s", __func__, ssh_err(r));
3043 ssh_packet_disconnect(ssh, "Invalid extended_data message");
3045 ssh_packet_check_eom(ssh);
3047 if (data_len > c->local_window) {
3048 logit("channel %d: rcvd too much extended_data %zu, win %u",
3049 c->self, data_len, c->local_window);
3052 debug2("channel %d: rcvd ext data %zu", c->self, data_len);
3053 /* XXX sshpkt_getb? */
3054 if ((r = sshbuf_put(c->extended, data, data_len)) != 0)
3055 error("%s: append: %s", __func__, ssh_err(r));
3056 c->local_window -= data_len;
3061 channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
3063 Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
3065 ssh_packet_check_eom(ssh);
3067 if (channel_proxy_upstream(c, type, seq, ssh))
3069 chan_rcvd_ieof(ssh, c);
3071 /* XXX force input close */
3072 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
3073 debug("channel %d: FORCE input drain", c->self);
3074 c->istate = CHAN_INPUT_WAIT_DRAIN;
3075 if (sshbuf_len(c->input) == 0)
3076 chan_ibuf_empty(ssh, c);
3082 channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
3084 Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
3086 if (channel_proxy_upstream(c, type, seq, ssh))
3088 ssh_packet_check_eom(ssh);
3089 chan_rcvd_oclose(ssh, c);
3094 channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
3096 Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation");
3097 u_int32_t remote_window, remote_maxpacket;
3100 if (channel_proxy_upstream(c, type, seq, ssh))
3102 if (c->type != SSH_CHANNEL_OPENING)
3103 packet_disconnect("Received open confirmation for "
3104 "non-opening channel %d.", c->self);
3106 * Record the remote channel number and mark that the channel
3109 if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 ||
3110 (r = sshpkt_get_u32(ssh, &remote_window)) != 0 ||
3111 (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0) {
3112 error("%s: window/maxpacket: %s", __func__, ssh_err(r));
3113 packet_disconnect("Invalid open confirmation message");
3115 ssh_packet_check_eom(ssh);
3117 c->have_remote_id = 1;
3118 c->remote_window = remote_window;
3119 c->remote_maxpacket = remote_maxpacket;
3120 c->type = SSH_CHANNEL_OPEN;
3121 if (c->open_confirm) {
3122 debug2("%s: channel %d: callback start", __func__, c->self);
3123 c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
3124 debug2("%s: channel %d: callback done", __func__, c->self);
3126 debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
3127 c->remote_window, c->remote_maxpacket);
3132 reason2txt(int reason)
3135 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
3136 return "administratively prohibited";
3137 case SSH2_OPEN_CONNECT_FAILED:
3138 return "connect failed";
3139 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
3140 return "unknown channel type";
3141 case SSH2_OPEN_RESOURCE_SHORTAGE:
3142 return "resource shortage";
3144 return "unknown reason";
3148 channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
3150 Channel *c = channel_from_packet_id(ssh, __func__, "open failure");
3155 if (channel_proxy_upstream(c, type, seq, ssh))
3157 if (c->type != SSH_CHANNEL_OPENING)
3158 packet_disconnect("Received open failure for "
3159 "non-opening channel %d.", c->self);
3160 if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
3161 error("%s: reason: %s", __func__, ssh_err(r));
3162 packet_disconnect("Invalid open failure message");
3165 if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
3166 (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0) {
3167 error("%s: message/lang: %s", __func__, ssh_err(r));
3168 packet_disconnect("Invalid open failure message");
3170 ssh_packet_check_eom(ssh);
3171 logit("channel %d: open failed: %s%s%s", c->self,
3172 reason2txt(reason), msg ? ": ": "", msg ? msg : "");
3174 if (c->open_confirm) {
3175 debug2("%s: channel %d: callback start", __func__, c->self);
3176 c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx);
3177 debug2("%s: channel %d: callback done", __func__, c->self);
3179 /* Schedule the channel for cleanup/deletion. */
3180 chan_mark_dead(ssh, c);
3185 channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
3187 int id = channel_parse_id(ssh, __func__, "window adjust");
3193 if ((c = channel_lookup(ssh, id)) == NULL) {
3194 logit("Received window adjust for non-open channel %d.", id);
3198 if (channel_proxy_upstream(c, type, seq, ssh))
3200 if ((r = sshpkt_get_u32(ssh, &adjust)) != 0) {
3201 error("%s: adjust: %s", __func__, ssh_err(r));
3202 packet_disconnect("Invalid window adjust message");
3204 ssh_packet_check_eom(ssh);
3205 debug2("channel %d: rcvd adjust %u", c->self, adjust);
3206 if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
3207 fatal("channel %d: adjust %u overflows remote window %u",
3208 c->self, adjust, c->remote_window);
3210 c->remote_window = new_rwin;
3215 channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
3217 int id = channel_parse_id(ssh, __func__, "status confirm");
3219 struct channel_confirm *cc;
3221 /* Reset keepalive timeout */
3222 packet_set_alive_timeouts(0);
3224 debug2("%s: type %d id %d", __func__, type, id);
3226 if ((c = channel_lookup(ssh, id)) == NULL) {
3227 logit("%s: %d: unknown", __func__, id);
3230 if (channel_proxy_upstream(c, type, seq, ssh))
3232 ssh_packet_check_eom(ssh);
3233 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
3235 cc->cb(ssh, type, c, cc->ctx);
3236 TAILQ_REMOVE(&c->status_confirms, cc, entry);
3237 explicit_bzero(cc, sizeof(*cc));
3242 /* -- tcp forwarding */
3245 channel_set_af(struct ssh *ssh, int af)
3247 ssh->chanctxt->IPv4or6 = af;
3252 * Determine whether or not a port forward listens to loopback, the
3253 * specified address or wildcard. On the client, a specified bind
3254 * address will always override gateway_ports. On the server, a
3255 * gateway_ports of 1 (``yes'') will override the client's specification
3256 * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
3257 * will bind to whatever address the client asked for.
3259 * Special-case listen_addrs are:
3261 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
3262 * "" (empty string), "*" -> wildcard v4/v6
3263 * "localhost" -> loopback v4/v6
3264 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set
3267 channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
3268 int is_client, struct ForwardOptions *fwd_opts)
3270 const char *addr = NULL;
3273 if (listen_addr == NULL) {
3274 /* No address specified: default to gateway_ports setting */
3275 if (fwd_opts->gateway_ports)
3277 } else if (fwd_opts->gateway_ports || is_client) {
3278 if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
3279 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
3280 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
3281 (!is_client && fwd_opts->gateway_ports == 1)) {
3284 * Notify client if they requested a specific listen
3285 * address and it was overridden.
3287 if (*listen_addr != '\0' &&
3288 strcmp(listen_addr, "0.0.0.0") != 0 &&
3289 strcmp(listen_addr, "*") != 0) {
3290 packet_send_debug("Forwarding listen address "
3291 "\"%s\" overridden by server "
3292 "GatewayPorts", listen_addr);
3294 } else if (strcmp(listen_addr, "localhost") != 0 ||
3295 strcmp(listen_addr, "127.0.0.1") == 0 ||
3296 strcmp(listen_addr, "::1") == 0) {
3297 /* Accept localhost address when GatewayPorts=yes */
3300 } else if (strcmp(listen_addr, "127.0.0.1") == 0 ||
3301 strcmp(listen_addr, "::1") == 0) {
3303 * If a specific IPv4/IPv6 localhost address has been
3304 * requested then accept it even if gateway_ports is in
3305 * effect. This allows the client to prefer IPv4 or IPv6.
3309 if (wildcardp != NULL)
3310 *wildcardp = wildcard;
3315 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
3316 struct Forward *fwd, int *allocated_listen_port,
3317 struct ForwardOptions *fwd_opts)
3320 int sock, r, success = 0, wildcard = 0, is_client;
3321 struct addrinfo hints, *ai, *aitop;
3322 const char *host, *addr;
3323 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
3326 is_client = (type == SSH_CHANNEL_PORT_LISTENER);
3328 if (is_client && fwd->connect_path != NULL) {
3329 host = fwd->connect_path;
3331 host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
3332 fwd->listen_host : fwd->connect_host;
3334 error("No forward host name.");
3337 if (strlen(host) >= NI_MAXHOST) {
3338 error("Forward host name too long.");
3343 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
3344 addr = channel_fwd_bind_addr(fwd->listen_host, &wildcard,
3345 is_client, fwd_opts);
3346 debug3("%s: type %d wildcard %d addr %s", __func__,
3347 type, wildcard, (addr == NULL) ? "NULL" : addr);
3350 * getaddrinfo returns a loopback address if the hostname is
3351 * set to NULL and hints.ai_flags is not AI_PASSIVE
3353 memset(&hints, 0, sizeof(hints));
3354 hints.ai_family = ssh->chanctxt->IPv4or6;
3355 hints.ai_flags = wildcard ? AI_PASSIVE : 0;
3356 hints.ai_socktype = SOCK_STREAM;
3357 snprintf(strport, sizeof strport, "%d", fwd->listen_port);
3358 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
3360 /* This really shouldn't happen */
3361 packet_disconnect("getaddrinfo: fatal error: %s",
3362 ssh_gai_strerror(r));
3364 error("%s: getaddrinfo(%.64s): %s", __func__, addr,
3365 ssh_gai_strerror(r));
3369 if (allocated_listen_port != NULL)
3370 *allocated_listen_port = 0;
3371 for (ai = aitop; ai; ai = ai->ai_next) {
3372 switch (ai->ai_family) {
3374 lport_p = &((struct sockaddr_in *)ai->ai_addr)->
3378 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
3385 * If allocating a port for -R forwards, then use the
3386 * same port for all address families.
3388 if (type == SSH_CHANNEL_RPORT_LISTENER &&
3389 fwd->listen_port == 0 && allocated_listen_port != NULL &&
3390 *allocated_listen_port > 0)
3391 *lport_p = htons(*allocated_listen_port);
3393 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
3394 strport, sizeof(strport),
3395 NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
3396 error("%s: getnameinfo failed", __func__);
3399 /* Create a port to listen for the host. */
3400 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3402 /* this is no error since kernel may not support ipv6 */
3403 verbose("socket [%s]:%s: %.100s", ntop, strport,
3408 set_reuseaddr(sock);
3409 if (ai->ai_family == AF_INET6)
3410 sock_set_v6only(sock);
3412 debug("Local forwarding listening on %s port %s.",
3415 /* Bind the socket to the address. */
3416 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
3418 * address can be in if use ipv6 address is
3422 error("bind [%s]:%s: %.100s",
3423 ntop, strport, strerror(errno));
3425 verbose("bind [%s]:%s: %.100s",
3426 ntop, strport, strerror(errno));
3431 /* Start listening for connections on the socket. */
3432 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
3433 error("listen: %.100s", strerror(errno));
3434 error("listen [%s]:%s: %.100s", ntop, strport,
3441 * fwd->listen_port == 0 requests a dynamically allocated port -
3442 * record what we got.
3444 if (type == SSH_CHANNEL_RPORT_LISTENER &&
3445 fwd->listen_port == 0 &&
3446 allocated_listen_port != NULL &&
3447 *allocated_listen_port == 0) {
3448 *allocated_listen_port = get_local_port(sock);
3449 debug("Allocated listen port %d",
3450 *allocated_listen_port);
3453 /* Allocate a channel number for the socket. */
3454 c = channel_new(ssh, "port listener", type, sock, sock, -1,
3455 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3456 0, "port listener", 1);
3457 c->path = xstrdup(host);
3458 c->host_port = fwd->connect_port;
3459 c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
3460 if (fwd->listen_port == 0 && allocated_listen_port != NULL &&
3461 !(datafellows & SSH_BUG_DYNAMIC_RPORT))
3462 c->listening_port = *allocated_listen_port;
3464 c->listening_port = fwd->listen_port;
3468 error("%s: cannot listen to port: %d", __func__,
3470 freeaddrinfo(aitop);
3475 channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type,
3476 struct Forward *fwd, struct ForwardOptions *fwd_opts)
3478 struct sockaddr_un sunaddr;
3485 case SSH_CHANNEL_UNIX_LISTENER:
3486 if (fwd->connect_path != NULL) {
3487 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
3488 error("Local connecting path too long: %s",
3492 path = fwd->connect_path;
3493 port = PORT_STREAMLOCAL;
3495 if (fwd->connect_host == NULL) {
3496 error("No forward host name.");
3499 if (strlen(fwd->connect_host) >= NI_MAXHOST) {
3500 error("Forward host name too long.");
3503 path = fwd->connect_host;
3504 port = fwd->connect_port;
3507 case SSH_CHANNEL_RUNIX_LISTENER:
3508 path = fwd->listen_path;
3509 port = PORT_STREAMLOCAL;
3512 error("%s: unexpected channel type %d", __func__, type);
3516 if (fwd->listen_path == NULL) {
3517 error("No forward path name.");
3520 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
3521 error("Local listening path too long: %s", fwd->listen_path);
3525 debug3("%s: type %d path %s", __func__, type, fwd->listen_path);
3527 /* Start a Unix domain listener. */
3528 omask = umask(fwd_opts->streamlocal_bind_mask);
3529 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
3530 fwd_opts->streamlocal_bind_unlink);
3535 debug("Local forwarding listening on path %s.", fwd->listen_path);
3537 /* Allocate a channel number for the socket. */
3538 c = channel_new(ssh, "unix listener", type, sock, sock, -1,
3539 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3540 0, "unix listener", 1);
3541 c->path = xstrdup(path);
3542 c->host_port = port;
3543 c->listening_port = PORT_STREAMLOCAL;
3544 c->listening_addr = xstrdup(fwd->listen_path);
3549 channel_cancel_rport_listener_tcpip(struct ssh *ssh,
3550 const char *host, u_short port)
3555 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3556 Channel *c = ssh->chanctxt->channels[i];
3557 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
3559 if (strcmp(c->path, host) == 0 && c->listening_port == port) {
3560 debug2("%s: close channel %d", __func__, i);
3561 channel_free(ssh, c);
3570 channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path)
3575 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3576 Channel *c = ssh->chanctxt->channels[i];
3577 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER)
3579 if (c->path == NULL)
3581 if (strcmp(c->path, path) == 0) {
3582 debug2("%s: close channel %d", __func__, i);
3583 channel_free(ssh, c);
3592 channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd)
3594 if (fwd->listen_path != NULL) {
3595 return channel_cancel_rport_listener_streamlocal(ssh,
3598 return channel_cancel_rport_listener_tcpip(ssh,
3599 fwd->listen_host, fwd->listen_port);
3604 channel_cancel_lport_listener_tcpip(struct ssh *ssh,
3605 const char *lhost, u_short lport, int cport,
3606 struct ForwardOptions *fwd_opts)
3610 const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, fwd_opts);
3612 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3613 Channel *c = ssh->chanctxt->channels[i];
3614 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
3616 if (c->listening_port != lport)
3618 if (cport == CHANNEL_CANCEL_PORT_STATIC) {
3619 /* skip dynamic forwardings */
3620 if (c->host_port == 0)
3623 if (c->host_port != cport)
3626 if ((c->listening_addr == NULL && addr != NULL) ||
3627 (c->listening_addr != NULL && addr == NULL))
3629 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
3630 debug2("%s: close channel %d", __func__, i);
3631 channel_free(ssh, c);
3640 channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path)
3646 error("%s: no path specified.", __func__);
3650 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3651 Channel *c = ssh->chanctxt->channels[i];
3652 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER)
3654 if (c->listening_addr == NULL)
3656 if (strcmp(c->listening_addr, path) == 0) {
3657 debug2("%s: close channel %d", __func__, i);
3658 channel_free(ssh, c);
3667 channel_cancel_lport_listener(struct ssh *ssh,
3668 struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts)
3670 if (fwd->listen_path != NULL) {
3671 return channel_cancel_lport_listener_streamlocal(ssh,
3674 return channel_cancel_lport_listener_tcpip(ssh,
3675 fwd->listen_host, fwd->listen_port, cport, fwd_opts);
3679 /* protocol local port fwd, used by ssh */
3681 channel_setup_local_fwd_listener(struct ssh *ssh,
3682 struct Forward *fwd, struct ForwardOptions *fwd_opts)
3684 if (fwd->listen_path != NULL) {
3685 return channel_setup_fwd_listener_streamlocal(ssh,
3686 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts);
3688 return channel_setup_fwd_listener_tcpip(ssh,
3689 SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts);
3693 /* Matches a remote forwarding permission against a requested forwarding */
3695 remote_open_match(struct permission *allowed_open, struct Forward *fwd)
3700 /* XXX add ACLs for streamlocal */
3701 if (fwd->listen_path != NULL)
3704 if (fwd->listen_host == NULL || allowed_open->listen_host == NULL)
3707 if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT &&
3708 allowed_open->listen_port != fwd->listen_port)
3711 /* Match hostnames case-insensitively */
3712 lhost = xstrdup(fwd->listen_host);
3714 ret = match_pattern(lhost, allowed_open->listen_host);
3720 /* Checks whether a requested remote forwarding is permitted */
3722 check_rfwd_permission(struct ssh *ssh, struct Forward *fwd)
3724 struct ssh_channels *sc = ssh->chanctxt;
3725 struct permission_set *pset = &sc->remote_perms;
3726 u_int i, permit, permit_adm = 1;
3727 struct permission *perm;
3729 /* XXX apply GatewayPorts override before checking? */
3731 permit = pset->all_permitted;
3733 for (i = 0; i < pset->num_permitted_user; i++) {
3734 perm = &pset->permitted_user[i];
3735 if (remote_open_match(perm, fwd)) {
3742 if (pset->num_permitted_admin > 0) {
3744 for (i = 0; i < pset->num_permitted_admin; i++) {
3745 perm = &pset->permitted_admin[i];
3746 if (remote_open_match(perm, fwd)) {
3753 return permit && permit_adm;
3756 /* protocol v2 remote port fwd, used by sshd */
3758 channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
3759 int *allocated_listen_port, struct ForwardOptions *fwd_opts)
3761 if (!check_rfwd_permission(ssh, fwd)) {
3762 packet_send_debug("port forwarding refused");
3765 if (fwd->listen_path != NULL) {
3766 return channel_setup_fwd_listener_streamlocal(ssh,
3767 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);
3769 return channel_setup_fwd_listener_tcpip(ssh,
3770 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,
3776 * Translate the requested rfwd listen host to something usable for
3780 channel_rfwd_bind_host(const char *listen_host)
3782 if (listen_host == NULL) {
3784 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
3791 * Initiate forwarding of connections to port "port" on remote host through
3792 * the secure channel to host:port from local side.
3793 * Returns handle (index) for updating the dynamic listen port with
3794 * channel_update_permission().
3797 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
3799 int r, success = 0, idx = -1;
3800 char *host_to_connect, *listen_host, *listen_path;
3801 int port_to_connect, listen_port;
3803 /* Send the forward request to the remote side. */
3804 if (fwd->listen_path != NULL) {
3805 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3806 (r = sshpkt_put_cstring(ssh,
3807 "streamlocal-forward@openssh.com")) != 0 ||
3808 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3809 (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 ||
3810 (r = sshpkt_send(ssh)) != 0 ||
3811 (r = ssh_packet_write_wait(ssh)) != 0)
3812 fatal("%s: request streamlocal: %s",
3813 __func__, ssh_err(r));
3815 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3816 (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 ||
3817 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3818 (r = sshpkt_put_cstring(ssh,
3819 channel_rfwd_bind_host(fwd->listen_host))) != 0 ||
3820 (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 ||
3821 (r = sshpkt_send(ssh)) != 0 ||
3822 (r = ssh_packet_write_wait(ssh)) != 0)
3823 fatal("%s: request tcpip-forward: %s",
3824 __func__, ssh_err(r));
3826 /* Assume that server accepts the request */
3829 /* Record that connection to this host/port is permitted. */
3830 host_to_connect = listen_host = listen_path = NULL;
3831 port_to_connect = listen_port = 0;
3832 if (fwd->connect_path != NULL) {
3833 host_to_connect = xstrdup(fwd->connect_path);
3834 port_to_connect = PORT_STREAMLOCAL;
3836 host_to_connect = xstrdup(fwd->connect_host);
3837 port_to_connect = fwd->connect_port;
3839 if (fwd->listen_path != NULL) {
3840 listen_path = xstrdup(fwd->listen_path);
3841 listen_port = PORT_STREAMLOCAL;
3843 if (fwd->listen_host != NULL)
3844 listen_host = xstrdup(fwd->listen_host);
3845 listen_port = fwd->listen_port;
3847 idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL,
3848 host_to_connect, port_to_connect,
3849 listen_host, listen_path, listen_port, NULL);
3855 open_match(struct permission *allowed_open, const char *requestedhost,
3858 if (allowed_open->host_to_connect == NULL)
3860 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
3861 allowed_open->port_to_connect != requestedport)
3863 if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
3864 strcmp(allowed_open->host_to_connect, requestedhost) != 0)
3870 * Note that in the listen host/port case
3871 * we don't support FWD_PERMIT_ANY_PORT and
3872 * need to translate between the configured-host (listen_host)
3873 * and what we've sent to the remote server (channel_rfwd_bind_host)
3876 open_listen_match_tcpip(struct permission *allowed_open,
3877 const char *requestedhost, u_short requestedport, int translate)
3879 const char *allowed_host;
3881 if (allowed_open->host_to_connect == NULL)
3883 if (allowed_open->listen_port != requestedport)
3885 if (!translate && allowed_open->listen_host == NULL &&
3886 requestedhost == NULL)
3888 allowed_host = translate ?
3889 channel_rfwd_bind_host(allowed_open->listen_host) :
3890 allowed_open->listen_host;
3891 if (allowed_host == NULL || requestedhost == NULL ||
3892 strcmp(allowed_host, requestedhost) != 0)
3898 open_listen_match_streamlocal(struct permission *allowed_open,
3899 const char *requestedpath)
3901 if (allowed_open->host_to_connect == NULL)
3903 if (allowed_open->listen_port != PORT_STREAMLOCAL)
3905 if (allowed_open->listen_path == NULL ||
3906 strcmp(allowed_open->listen_path, requestedpath) != 0)
3912 * Request cancellation of remote forwarding of connection host:port from
3916 channel_request_rforward_cancel_tcpip(struct ssh *ssh,
3917 const char *host, u_short port)
3919 struct ssh_channels *sc = ssh->chanctxt;
3920 struct permission_set *pset = &sc->local_perms;
3923 struct permission *perm;
3925 for (i = 0; i < pset->num_permitted_user; i++) {
3926 perm = &pset->permitted_user[i];
3927 if (open_listen_match_tcpip(perm, host, port, 0))
3932 debug("%s: requested forward not found", __func__);
3935 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3936 (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 ||
3937 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
3938 (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 ||
3939 (r = sshpkt_put_u32(ssh, port)) != 0 ||
3940 (r = sshpkt_send(ssh)) != 0)
3941 fatal("%s: send cancel: %s", __func__, ssh_err(r));
3943 fwd_perm_clear(perm); /* unregister */
3949 * Request cancellation of remote forwarding of Unix domain socket
3950 * path from local side.
3953 channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path)
3955 struct ssh_channels *sc = ssh->chanctxt;
3956 struct permission_set *pset = &sc->local_perms;
3959 struct permission *perm;
3961 for (i = 0; i < pset->num_permitted_user; i++) {
3962 perm = &pset->permitted_user[i];
3963 if (open_listen_match_streamlocal(perm, path))
3968 debug("%s: requested forward not found", __func__);
3971 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3972 (r = sshpkt_put_cstring(ssh,
3973 "cancel-streamlocal-forward@openssh.com")) != 0 ||
3974 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
3975 (r = sshpkt_put_cstring(ssh, path)) != 0 ||
3976 (r = sshpkt_send(ssh)) != 0)
3977 fatal("%s: send cancel: %s", __func__, ssh_err(r));
3979 fwd_perm_clear(perm); /* unregister */
3985 * Request cancellation of remote forwarding of a connection from local side.
3988 channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd)
3990 if (fwd->listen_path != NULL) {
3991 return channel_request_rforward_cancel_streamlocal(ssh,
3994 return channel_request_rforward_cancel_tcpip(ssh,
3996 fwd->listen_port ? fwd->listen_port : fwd->allocated_port);
4001 * Permits opening to any host/port if permitted_user[] is empty. This is
4002 * usually called by the server, because the user could connect to any port
4003 * anyway, and the server has no way to know but to trust the client anyway.
4006 channel_permit_all(struct ssh *ssh, int where)
4008 struct permission_set *pset = permission_set_get(ssh, where);
4010 if (pset->num_permitted_user == 0)
4011 pset->all_permitted = 1;
4015 * Permit the specified host/port for forwarding.
4018 channel_add_permission(struct ssh *ssh, int who, int where,
4019 char *host, int port)
4021 int local = where == FORWARD_LOCAL;
4022 struct permission_set *pset = permission_set_get(ssh, where);
4024 debug("allow %s forwarding to host %s port %d",
4025 fwd_ident(who, where), host, port);
4027 * Remote forwards set listen_host/port, local forwards set
4028 * host/port_to_connect.
4030 permission_set_add(ssh, who, where,
4031 local ? host : 0, local ? port : 0,
4032 local ? NULL : host, NULL, local ? 0 : port, NULL);
4033 pset->all_permitted = 0;
4037 * Administratively disable forwarding.
4040 channel_disable_admin(struct ssh *ssh, int where)
4042 channel_clear_permission(ssh, FORWARD_ADM, where);
4043 permission_set_add(ssh, FORWARD_ADM, where,
4044 NULL, 0, NULL, NULL, 0, NULL);
4048 * Clear a list of permitted opens.
4051 channel_clear_permission(struct ssh *ssh, int who, int where)
4053 struct permission **permp;
4056 permission_set_get_array(ssh, who, where, &permp, &npermp);
4057 *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp));
4062 * Update the listen port for a dynamic remote forward, after
4063 * the actual 'newport' has been allocated. If 'newport' < 0 is
4064 * passed then they entry will be invalidated.
4067 channel_update_permission(struct ssh *ssh, int idx, int newport)
4069 struct permission_set *pset = &ssh->chanctxt->local_perms;
4071 if (idx < 0 || (u_int)idx >= pset->num_permitted_user) {
4072 debug("%s: index out of range: %d num_permitted_user %d",
4073 __func__, idx, pset->num_permitted_user);
4076 debug("%s allowed port %d for forwarding to host %s port %d",
4077 newport > 0 ? "Updating" : "Removing",
4079 pset->permitted_user[idx].host_to_connect,
4080 pset->permitted_user[idx].port_to_connect);
4082 fwd_perm_clear(&pset->permitted_user[idx]);
4084 pset->permitted_user[idx].listen_port =
4085 (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
4089 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
4091 permitopen_port(const char *p)
4095 if (strcmp(p, "*") == 0)
4096 return FWD_PERMIT_ANY_PORT;
4097 if ((port = a2port(p)) > 0)
4102 /* Try to start non-blocking connect to next host in cctx list */
4104 connect_next(struct channel_connect *cctx)
4106 int sock, saved_errno;
4107 struct sockaddr_un *sunaddr;
4108 char ntop[NI_MAXHOST];
4109 char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))];
4111 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
4112 switch (cctx->ai->ai_family) {
4114 /* unix:pathname instead of host:port */
4115 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
4116 strlcpy(ntop, "unix", sizeof(ntop));
4117 strlcpy(strport, sunaddr->sun_path, sizeof(strport));
4121 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
4122 ntop, sizeof(ntop), strport, sizeof(strport),
4123 NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
4124 error("connect_next: getnameinfo failed");
4131 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
4132 cctx->ai->ai_protocol)) == -1) {
4133 if (cctx->ai->ai_next == NULL)
4134 error("socket: %.100s", strerror(errno));
4136 verbose("socket: %.100s", strerror(errno));
4139 if (set_nonblock(sock) == -1)
4140 fatal("%s: set_nonblock(%d)", __func__, sock);
4141 if (connect(sock, cctx->ai->ai_addr,
4142 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
4143 debug("connect_next: host %.100s ([%.100s]:%s): "
4144 "%.100s", cctx->host, ntop, strport,
4146 saved_errno = errno;
4148 errno = saved_errno;
4149 continue; /* fail -- try next */
4151 if (cctx->ai->ai_family != AF_UNIX)
4153 debug("connect_next: host %.100s ([%.100s]:%s) "
4154 "in progress, fd=%d", cctx->host, ntop, strport, sock);
4155 cctx->ai = cctx->ai->ai_next;
4162 channel_connect_ctx_free(struct channel_connect *cctx)
4166 if (cctx->aitop->ai_family == AF_UNIX)
4169 freeaddrinfo(cctx->aitop);
4171 memset(cctx, 0, sizeof(*cctx));
4175 * Return connecting socket to remote host:port or local socket path,
4176 * passing back the failure reason if appropriate.
4179 connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
4180 char *ctype, char *rname, struct channel_connect *cctx,
4181 int *reason, const char **errmsg)
4183 struct addrinfo hints;
4186 char strport[NI_MAXSERV];
4188 if (port == PORT_STREAMLOCAL) {
4189 struct sockaddr_un *sunaddr;
4190 struct addrinfo *ai;
4192 if (strlen(name) > sizeof(sunaddr->sun_path)) {
4193 error("%.100s: %.100s", name, strerror(ENAMETOOLONG));
4198 * Fake up a struct addrinfo for AF_UNIX connections.
4199 * channel_connect_ctx_free() must check ai_family
4200 * and use free() not freeaddirinfo() for AF_UNIX.
4202 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr));
4203 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr));
4204 ai->ai_addr = (struct sockaddr *)(ai + 1);
4205 ai->ai_addrlen = sizeof(*sunaddr);
4206 ai->ai_family = AF_UNIX;
4207 ai->ai_socktype = socktype;
4208 ai->ai_protocol = PF_UNSPEC;
4209 sunaddr = (struct sockaddr_un *)ai->ai_addr;
4210 sunaddr->sun_family = AF_UNIX;
4211 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
4214 memset(&hints, 0, sizeof(hints));
4215 hints.ai_family = ssh->chanctxt->IPv4or6;
4216 hints.ai_socktype = socktype;
4217 snprintf(strport, sizeof strport, "%d", port);
4218 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop))
4221 *errmsg = ssh_gai_strerror(gaierr);
4223 *reason = SSH2_OPEN_CONNECT_FAILED;
4224 error("connect_to %.100s: unknown host (%s)", name,
4225 ssh_gai_strerror(gaierr));
4230 cctx->host = xstrdup(name);
4232 cctx->ai = cctx->aitop;
4234 if ((sock = connect_next(cctx)) == -1) {
4235 error("connect to %.100s port %d failed: %s",
4236 name, port, strerror(errno));
4243 /* Return CONNECTING channel to remote host:port or local socket path */
4245 connect_to(struct ssh *ssh, const char *host, int port,
4246 char *ctype, char *rname)
4248 struct channel_connect cctx;
4252 memset(&cctx, 0, sizeof(cctx));
4253 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4256 channel_connect_ctx_free(&cctx);
4259 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4260 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4261 c->host_port = port;
4262 c->path = xstrdup(host);
4263 c->connect_ctx = cctx;
4269 * returns either the newly connected channel or the downstream channel
4270 * that needs to deal with this connection.
4273 channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host,
4274 u_short listen_port, char *ctype, char *rname)
4276 struct ssh_channels *sc = ssh->chanctxt;
4277 struct permission_set *pset = &sc->local_perms;
4279 struct permission *perm;
4281 for (i = 0; i < pset->num_permitted_user; i++) {
4282 perm = &pset->permitted_user[i];
4283 if (open_listen_match_tcpip(perm,
4284 listen_host, listen_port, 1)) {
4285 if (perm->downstream)
4286 return perm->downstream;
4287 if (perm->port_to_connect == 0)
4288 return rdynamic_connect_prepare(ssh,
4290 return connect_to(ssh,
4291 perm->host_to_connect, perm->port_to_connect,
4295 error("WARNING: Server requests forwarding for unknown listen_port %d",
4301 channel_connect_by_listen_path(struct ssh *ssh, const char *path,
4302 char *ctype, char *rname)
4304 struct ssh_channels *sc = ssh->chanctxt;
4305 struct permission_set *pset = &sc->local_perms;
4307 struct permission *perm;
4309 for (i = 0; i < pset->num_permitted_user; i++) {
4310 perm = &pset->permitted_user[i];
4311 if (open_listen_match_streamlocal(perm, path)) {
4312 return connect_to(ssh,
4313 perm->host_to_connect, perm->port_to_connect,
4317 error("WARNING: Server requests forwarding for unknown path %.100s",
4322 /* Check if connecting to that port is permitted and connect. */
4324 channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
4325 char *ctype, char *rname, int *reason, const char **errmsg)
4327 struct ssh_channels *sc = ssh->chanctxt;
4328 struct permission_set *pset = &sc->local_perms;
4329 struct channel_connect cctx;
4331 u_int i, permit, permit_adm = 1;
4333 struct permission *perm;
4335 permit = pset->all_permitted;
4337 for (i = 0; i < pset->num_permitted_user; i++) {
4338 perm = &pset->permitted_user[i];
4339 if (open_match(perm, host, port)) {
4346 if (pset->num_permitted_admin > 0) {
4348 for (i = 0; i < pset->num_permitted_admin; i++) {
4349 perm = &pset->permitted_admin[i];
4350 if (open_match(perm, host, port)) {
4357 if (!permit || !permit_adm) {
4358 logit("Received request to connect to host %.100s port %d, "
4359 "but the request was denied.", host, port);
4361 *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
4365 memset(&cctx, 0, sizeof(cctx));
4366 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4367 &cctx, reason, errmsg);
4369 channel_connect_ctx_free(&cctx);
4373 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4374 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4375 c->host_port = port;
4376 c->path = xstrdup(host);
4377 c->connect_ctx = cctx;
4382 /* Check if connecting to that path is permitted and connect. */
4384 channel_connect_to_path(struct ssh *ssh, const char *path,
4385 char *ctype, char *rname)
4387 struct ssh_channels *sc = ssh->chanctxt;
4388 struct permission_set *pset = &sc->local_perms;
4389 u_int i, permit, permit_adm = 1;
4390 struct permission *perm;
4392 permit = pset->all_permitted;
4394 for (i = 0; i < pset->num_permitted_user; i++) {
4395 perm = &pset->permitted_user[i];
4396 if (open_match(perm, path, PORT_STREAMLOCAL)) {
4403 if (pset->num_permitted_admin > 0) {
4405 for (i = 0; i < pset->num_permitted_admin; i++) {
4406 perm = &pset->permitted_admin[i];
4407 if (open_match(perm, path, PORT_STREAMLOCAL)) {
4414 if (!permit || !permit_adm) {
4415 logit("Received request to connect to path %.100s, "
4416 "but the request was denied.", path);
4419 return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname);
4423 channel_send_window_changes(struct ssh *ssh)
4425 struct ssh_channels *sc = ssh->chanctxt;
4430 for (i = 0; i < sc->channels_alloc; i++) {
4431 if (sc->channels[i] == NULL || !sc->channels[i]->client_tty ||
4432 sc->channels[i]->type != SSH_CHANNEL_OPEN)
4434 if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
4436 channel_request_start(ssh, i, "window-change", 0);
4437 if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 ||
4438 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
4439 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
4440 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 ||
4441 (r = sshpkt_send(ssh)) != 0)
4442 fatal("%s: channel %u: send window-change: %s",
4443 __func__, i, ssh_err(r));
4447 /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */
4449 rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname)
4454 c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1,
4455 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4460 * We need to open the channel before we have a FD,
4461 * so that we can get SOCKS header from peer.
4463 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
4464 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
4465 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
4466 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
4467 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
4468 fatal("%s: channel %i: confirm: %s", __func__,
4469 c->self, ssh_err(r));
4474 /* Return CONNECTING socket to remote host:port or local socket path */
4476 rdynamic_connect_finish(struct ssh *ssh, Channel *c)
4478 struct channel_connect cctx;
4481 memset(&cctx, 0, sizeof(cctx));
4482 sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL,
4483 NULL, &cctx, NULL, NULL);
4485 channel_connect_ctx_free(&cctx);
4487 /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */
4488 c->type = SSH_CHANNEL_RDYNAMIC_FINISH;
4489 c->connect_ctx = cctx;
4490 channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0);
4495 /* -- X11 forwarding */
4498 * Creates an internet domain socket for listening for X11 connections.
4499 * Returns 0 and a suitable display number for the DISPLAY variable
4500 * stored in display_numberp , or -1 if an error occurs.
4503 x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
4504 int x11_use_localhost, int single_connection,
4505 u_int *display_numberp, int **chanids)
4508 int display_number, sock;
4510 struct addrinfo hints, *ai, *aitop;
4511 char strport[NI_MAXSERV];
4512 int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
4514 if (chanids == NULL)
4517 for (display_number = x11_display_offset;
4518 display_number < MAX_DISPLAYS;
4520 port = 6000 + display_number;
4521 memset(&hints, 0, sizeof(hints));
4522 hints.ai_family = ssh->chanctxt->IPv4or6;
4523 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
4524 hints.ai_socktype = SOCK_STREAM;
4525 snprintf(strport, sizeof strport, "%d", port);
4526 if ((gaierr = getaddrinfo(NULL, strport,
4527 &hints, &aitop)) != 0) {
4528 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
4531 for (ai = aitop; ai; ai = ai->ai_next) {
4532 if (ai->ai_family != AF_INET &&
4533 ai->ai_family != AF_INET6)
4535 sock = socket(ai->ai_family, ai->ai_socktype,
4538 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
4540 && (errno != EPFNOSUPPORT)
4543 error("socket: %.100s", strerror(errno));
4544 freeaddrinfo(aitop);
4547 debug("x11_create_display_inet: Socket family %d not supported",
4552 if (ai->ai_family == AF_INET6)
4553 sock_set_v6only(sock);
4554 if (x11_use_localhost)
4555 set_reuseaddr(sock);
4556 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
4557 debug2("%s: bind port %d: %.100s", __func__,
4558 port, strerror(errno));
4560 for (n = 0; n < num_socks; n++)
4565 socks[num_socks++] = sock;
4566 if (num_socks == NUM_SOCKS)
4569 freeaddrinfo(aitop);
4573 if (display_number >= MAX_DISPLAYS) {
4574 error("Failed to allocate internet-domain X11 display socket.");
4577 /* Start listening for connections on the socket. */
4578 for (n = 0; n < num_socks; n++) {
4580 if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
4581 error("listen: %.100s", strerror(errno));
4587 /* Allocate a channel for each socket. */
4588 *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
4589 for (n = 0; n < num_socks; n++) {
4591 nc = channel_new(ssh, "x11 listener",
4592 SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
4593 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
4594 0, "X11 inet listener", 1);
4595 nc->single_connection = single_connection;
4596 (*chanids)[n] = nc->self;
4600 /* Return the display number for the DISPLAY environment variable. */
4601 *display_numberp = display_number;
4606 connect_local_xsocket_path(const char *pathname)
4609 struct sockaddr_un addr;
4611 sock = socket(AF_UNIX, SOCK_STREAM, 0);
4613 error("socket: %.100s", strerror(errno));
4614 memset(&addr, 0, sizeof(addr));
4615 addr.sun_family = AF_UNIX;
4616 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
4617 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
4620 error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
4625 connect_local_xsocket(u_int dnr)
4628 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
4629 return connect_local_xsocket_path(buf);
4634 is_path_to_xsocket(const char *display, char *path, size_t pathlen)
4638 if (strlcpy(path, display, pathlen) >= pathlen) {
4639 error("%s: display path too long", __func__);
4642 if (display[0] != '/')
4644 if (stat(path, &sbuf) == 0) {
4647 char *dot = strrchr(path, '.');
4650 if (stat(path, &sbuf) == 0) {
4660 x11_connect_display(struct ssh *ssh)
4662 u_int display_number;
4663 const char *display;
4664 char buf[1024], *cp;
4665 struct addrinfo hints, *ai, *aitop;
4666 char strport[NI_MAXSERV];
4667 int gaierr, sock = 0;
4669 /* Try to open a socket for the local X server. */
4670 display = getenv("DISPLAY");
4672 error("DISPLAY not set.");
4676 * Now we decode the value of the DISPLAY variable and make a
4677 * connection to the real X server.
4681 /* Check if display is a path to a socket (as set by launchd). */
4683 char path[PATH_MAX];
4685 if (is_path_to_xsocket(display, path, sizeof(path))) {
4686 debug("x11_connect_display: $DISPLAY is launchd");
4688 /* Create a socket. */
4689 sock = connect_local_xsocket_path(path);
4693 /* OK, we now have a connection to the display. */
4699 * Check if it is a unix domain socket. Unix domain displays are in
4700 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
4702 if (strncmp(display, "unix:", 5) == 0 ||
4703 display[0] == ':') {
4704 /* Connect to the unix domain socket. */
4705 if (sscanf(strrchr(display, ':') + 1, "%u",
4706 &display_number) != 1) {
4707 error("Could not parse display number from DISPLAY: "
4711 /* Create a socket. */
4712 sock = connect_local_xsocket(display_number);
4716 /* OK, we now have a connection to the display. */
4720 * Connect to an inet socket. The DISPLAY value is supposedly
4721 * hostname:d[.s], where hostname may also be numeric IP address.
4723 strlcpy(buf, display, sizeof(buf));
4724 cp = strchr(buf, ':');
4726 error("Could not find ':' in DISPLAY: %.100s", display);
4731 * buf now contains the host name. But first we parse the
4734 if (sscanf(cp + 1, "%u", &display_number) != 1) {
4735 error("Could not parse display number from DISPLAY: %.100s",
4740 /* Look up the host address */
4741 memset(&hints, 0, sizeof(hints));
4742 hints.ai_family = ssh->chanctxt->IPv4or6;
4743 hints.ai_socktype = SOCK_STREAM;
4744 snprintf(strport, sizeof strport, "%u", 6000 + display_number);
4745 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
4746 error("%.100s: unknown host. (%s)", buf,
4747 ssh_gai_strerror(gaierr));
4750 for (ai = aitop; ai; ai = ai->ai_next) {
4751 /* Create a socket. */
4752 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
4754 debug2("socket: %.100s", strerror(errno));
4757 /* Connect it to the display. */
4758 if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
4759 debug2("connect %.100s port %u: %.100s", buf,
4760 6000 + display_number, strerror(errno));
4767 freeaddrinfo(aitop);
4769 error("connect %.100s port %u: %.100s", buf,
4770 6000 + display_number, strerror(errno));
4778 * Requests forwarding of X11 connections, generates fake authentication
4779 * data, and enables authentication spoofing.
4780 * This should be called in the client only.
4783 x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
4784 const char *disp, const char *proto, const char *data, int want_reply)
4786 struct ssh_channels *sc = ssh->chanctxt;
4787 u_int data_len = (u_int) strlen(data) / 2;
4791 int r, screen_number;
4793 if (sc->x11_saved_display == NULL)
4794 sc->x11_saved_display = xstrdup(disp);
4795 else if (strcmp(disp, sc->x11_saved_display) != 0) {
4796 error("x11_request_forwarding_with_spoofing: different "
4797 "$DISPLAY already forwarded");
4801 cp = strchr(disp, ':');
4803 cp = strchr(cp, '.');
4805 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
4809 if (sc->x11_saved_proto == NULL) {
4810 /* Save protocol name. */
4811 sc->x11_saved_proto = xstrdup(proto);
4813 /* Extract real authentication data. */
4814 sc->x11_saved_data = xmalloc(data_len);
4815 for (i = 0; i < data_len; i++) {
4816 if (sscanf(data + 2 * i, "%2x", &value) != 1)
4817 fatal("x11_request_forwarding: bad "
4818 "authentication data: %.100s", data);
4819 sc->x11_saved_data[i] = value;
4821 sc->x11_saved_data_len = data_len;
4823 /* Generate fake data of the same length. */
4824 sc->x11_fake_data = xmalloc(data_len);
4825 arc4random_buf(sc->x11_fake_data, data_len);
4826 sc->x11_fake_data_len = data_len;
4829 /* Convert the fake data into hex. */
4830 new_data = tohex(sc->x11_fake_data, data_len);
4832 /* Send the request packet. */
4833 channel_request_start(ssh, client_session_id, "x11-req", want_reply);
4834 if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */
4835 (r = sshpkt_put_cstring(ssh, proto)) != 0 ||
4836 (r = sshpkt_put_cstring(ssh, new_data)) != 0 ||
4837 (r = sshpkt_put_u32(ssh, screen_number)) != 0 ||
4838 (r = sshpkt_send(ssh)) != 0 ||
4839 (r = ssh_packet_write_wait(ssh)) != 0)
4840 fatal("%s: send x11-req: %s", __func__, ssh_err(r));
projects / FreeBSD / FreeBSD.git / blob