1 /* $OpenBSD: channels.c,v 1.420 2022/09/19 08:49:50 djm Exp $ */
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6 * This file contains functions for generic socket connection forwarding.
7 * There is also code for initiating connection forwarding for X11 connections,
8 * arbitrary tcp/ip connections, and the authentication agent connection.
10 * As far as I am concerned, the code I have written for this software
11 * can be used freely for any purpose. Any derived versions of this
12 * software must be clearly marked as such, and if the derived work is
13 * incompatible with the protocol description in the RFC file, it must be
14 * called by a name other than "ssh" or "Secure Shell".
16 * SSH2 support added by Markus Friedl.
17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
18 * Copyright (c) 1999 Dug Song. All rights reserved.
19 * Copyright (c) 1999 Theo de Raadt. All rights reserved.
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
24 * 1. Redistributions of source code must retain the above copyright
25 * notice, this list of conditions and the following disclaimer.
26 * 2. Redistributions in binary form must reproduce the above copyright
27 * notice, this list of conditions and the following disclaimer in the
28 * documentation and/or other materials provided with the distribution.
30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
44 #include <sys/types.h>
46 #include <sys/ioctl.h>
48 #include <sys/socket.h>
49 #ifdef HAVE_SYS_TIME_H
50 # include <sys/time.h>
53 #include <netinet/in.h>
54 #include <arpa/inet.h>
73 #include "openbsd-compat/sys-queue.h"
87 #include "pathnames.h"
90 /* XXX remove once we're satisfied there's no lurking bugs */
91 /* #define DEBUG_CHANNEL_POLL 1 */
93 /* -- agent forwarding */
96 /* -- tcp forwarding */
97 /* special-case port number meaning allow any port */
98 #define FWD_PERMIT_ANY_PORT 0
100 /* special-case wildcard meaning allow any host */
101 #define FWD_PERMIT_ANY_HOST "*"
103 /* -- X11 forwarding */
104 /* Maximum number of fake X11 displays to try. */
105 #define MAX_DISPLAYS 1000
107 /* Per-channel callback for pre/post IO actions */
108 typedef void chan_fn(struct ssh *, Channel *c);
111 * Data structure for storing which hosts are permitted for forward requests.
112 * The local sides of any remote forwards are stored in this array to prevent
113 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
114 * network (which might be behind a firewall).
116 /* XXX: streamlocal wants a path instead of host:port */
117 /* Overload host_to_connect; we could just make this match Forward */
118 /* XXX - can we use listen_host instead of listen_path? */
120 char *host_to_connect; /* Connect to 'host'. */
121 int port_to_connect; /* Connect to 'port'. */
122 char *listen_host; /* Remote side should listen address. */
123 char *listen_path; /* Remote side should listen path. */
124 int listen_port; /* Remote side should listen port. */
125 Channel *downstream; /* Downstream mux*/
129 * Stores the forwarding permission state for a single direction (local or
132 struct permission_set {
134 * List of all local permitted host/port pairs to allow for the
137 u_int num_permitted_user;
138 struct permission *permitted_user;
141 * List of all permitted host/port pairs to allow for the admin.
143 u_int num_permitted_admin;
144 struct permission *permitted_admin;
147 * If this is true, all opens/listens are permitted. This is the
148 * case on the server on which we have to trust the client anyway,
149 * and the user could do anything after logging in.
154 /* Master structure for channels state */
155 struct ssh_channels {
157 * Pointer to an array containing all allocated channels. The array
158 * is dynamically extended as needed.
163 * Size of the channel array. All slots of the array must always be
164 * initialized (at least the type field); unused slots set to NULL
166 u_int channels_alloc;
169 * 'channel_pre*' are called just before IO to add any bits
170 * relevant to channels in the c->io_want bitmasks.
172 * 'channel_post*': perform any appropriate operations for
173 * channels which have c->io_ready events pending.
175 chan_fn **channel_pre;
176 chan_fn **channel_post;
178 /* -- tcp forwarding */
179 struct permission_set local_perms;
180 struct permission_set remote_perms;
182 /* -- X11 forwarding */
184 /* Saved X11 local (client) display. */
185 char *x11_saved_display;
187 /* Saved X11 authentication protocol name. */
188 char *x11_saved_proto;
190 /* Saved X11 authentication data. This is the real data. */
191 char *x11_saved_data;
192 u_int x11_saved_data_len;
194 /* Deadline after which all X11 connections are refused */
195 u_int x11_refuse_time;
198 * Fake X11 authentication data. This is what the server will be
199 * sending us; we should replace any occurrences of this by the
202 u_char *x11_fake_data;
203 u_int x11_fake_data_len;
205 /* AF_UNSPEC or AF_INET or AF_INET6 */
210 static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype);
211 static const char *channel_rfwd_bind_host(const char *listen_host);
213 /* non-blocking connect helpers */
214 static int connect_next(struct channel_connect *);
215 static void channel_connect_ctx_free(struct channel_connect *);
216 static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *);
217 static int rdynamic_connect_finish(struct ssh *, Channel *);
220 static void channel_handler_init(struct ssh_channels *sc);
222 /* -- channel core */
225 channel_init_channels(struct ssh *ssh)
227 struct ssh_channels *sc;
229 if ((sc = calloc(1, sizeof(*sc))) == NULL)
230 fatal_f("allocation failed");
231 sc->channels_alloc = 10;
232 sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
233 sc->IPv4or6 = AF_UNSPEC;
234 channel_handler_init(sc);
240 channel_by_id(struct ssh *ssh, int id)
244 if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) {
245 logit_f("%d: bad id", id);
248 c = ssh->chanctxt->channels[id];
250 logit_f("%d: bad id: channel free", id);
257 channel_by_remote_id(struct ssh *ssh, u_int remote_id)
262 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
263 c = ssh->chanctxt->channels[i];
264 if (c != NULL && c->have_remote_id && c->remote_id == remote_id)
271 * Returns the channel if it is allowed to receive protocol messages.
272 * Private channels, like listening sockets, may not receive messages.
275 channel_lookup(struct ssh *ssh, int id)
279 if ((c = channel_by_id(ssh, id)) == NULL)
283 case SSH_CHANNEL_X11_OPEN:
284 case SSH_CHANNEL_LARVAL:
285 case SSH_CHANNEL_CONNECTING:
286 case SSH_CHANNEL_DYNAMIC:
287 case SSH_CHANNEL_RDYNAMIC_OPEN:
288 case SSH_CHANNEL_RDYNAMIC_FINISH:
289 case SSH_CHANNEL_OPENING:
290 case SSH_CHANNEL_OPEN:
291 case SSH_CHANNEL_ABANDONED:
292 case SSH_CHANNEL_MUX_PROXY:
295 logit("Non-public channel %d, type %d.", id, c->type);
300 * Register filedescriptors for a channel, used when allocating a channel or
301 * when the channel consumer/producer is ready, e.g. shell exec'd
304 channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
305 int extusage, int nonblock, int is_tty)
310 fcntl(rfd, F_SETFD, FD_CLOEXEC);
311 if (wfd != -1 && wfd != rfd)
312 fcntl(wfd, F_SETFD, FD_CLOEXEC);
313 if (efd != -1 && efd != rfd && efd != wfd)
314 fcntl(efd, F_SETFD, FD_CLOEXEC);
318 c->sock = (rfd == wfd) ? rfd : -1;
320 c->extended_usage = extusage;
322 if ((c->isatty = is_tty) != 0)
323 debug2("channel %d: rfd %d isatty", c->self, c->rfd);
325 /* XXX: Later AIX versions can't push as much data to tty */
326 c->wfd_isatty = is_tty || isatty(c->wfd);
329 /* enable nonblocking mode */
330 c->restore_block = 0;
331 if (nonblock == CHANNEL_NONBLOCK_STDIO) {
333 * Special handling for stdio file descriptors: do not set
334 * non-blocking mode if they are TTYs. Otherwise prepare to
335 * restore their blocking state on exit to avoid interfering
336 * with other programs that follow.
338 if (rfd != -1 && !isatty(rfd) &&
339 (val = fcntl(rfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
340 c->restore_block |= CHANNEL_RESTORE_RFD;
343 if (wfd != -1 && !isatty(wfd) &&
344 (val = fcntl(wfd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
345 c->restore_block |= CHANNEL_RESTORE_WFD;
348 if (efd != -1 && !isatty(efd) &&
349 (val = fcntl(efd, F_GETFL)) != -1 && !(val & O_NONBLOCK)) {
350 c->restore_block |= CHANNEL_RESTORE_EFD;
353 } else if (nonblock) {
364 * Allocate a new channel object and set its type and socket.
367 channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
368 u_int window, u_int maxpack, int extusage, const char *remote_name,
371 struct ssh_channels *sc = ssh->chanctxt;
376 /* Try to find a free slot where to put the new channel. */
377 for (i = 0; i < sc->channels_alloc; i++) {
378 if (sc->channels[i] == NULL) {
379 /* Found a free slot. */
384 if (i >= sc->channels_alloc) {
386 * There are no free slots. Take last+1 slot and expand
389 found = sc->channels_alloc;
390 if (sc->channels_alloc > CHANNELS_MAX_CHANNELS)
391 fatal_f("internal error: channels_alloc %d too big",
393 sc->channels = xrecallocarray(sc->channels, sc->channels_alloc,
394 sc->channels_alloc + 10, sizeof(*sc->channels));
395 sc->channels_alloc += 10;
396 debug2("channel: expanding %d", sc->channels_alloc);
398 /* Initialize and return new channel. */
399 c = sc->channels[found] = xcalloc(1, sizeof(Channel));
400 if ((c->input = sshbuf_new()) == NULL ||
401 (c->output = sshbuf_new()) == NULL ||
402 (c->extended = sshbuf_new()) == NULL)
403 fatal_f("sshbuf_new failed");
404 if ((r = sshbuf_set_max_size(c->input, CHAN_INPUT_MAX)) != 0)
405 fatal_fr(r, "sshbuf_set_max_size");
406 c->ostate = CHAN_OUTPUT_OPEN;
407 c->istate = CHAN_INPUT_OPEN;
408 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
412 c->local_window = window;
413 c->local_window_max = window;
414 c->local_maxpacket = maxpack;
415 c->remote_name = xstrdup(remote_name);
417 c->delayed = 1; /* prevent call to channel_post handler */
418 TAILQ_INIT(&c->status_confirms);
419 debug("channel %d: new [%s]", found, remote_name);
424 channel_close_fd(struct ssh *ssh, Channel *c, int *fdp)
431 if ((*fdp == c->rfd && (c->restore_block & CHANNEL_RESTORE_RFD) != 0) ||
432 (*fdp == c->wfd && (c->restore_block & CHANNEL_RESTORE_WFD) != 0) ||
433 (*fdp == c->efd && (c->restore_block & CHANNEL_RESTORE_EFD) != 0))
434 (void)fcntl(*fdp, F_SETFL, 0); /* restore blocking */
436 if (*fdp == c->rfd) {
437 c->io_want &= ~SSH_CHAN_IO_RFD;
438 c->io_ready &= ~SSH_CHAN_IO_RFD;
442 if (*fdp == c->wfd) {
443 c->io_want &= ~SSH_CHAN_IO_WFD;
444 c->io_ready &= ~SSH_CHAN_IO_WFD;
448 if (*fdp == c->efd) {
449 c->io_want &= ~SSH_CHAN_IO_EFD;
450 c->io_ready &= ~SSH_CHAN_IO_EFD;
454 if (*fdp == c->sock) {
455 c->io_want &= ~SSH_CHAN_IO_SOCK;
456 c->io_ready &= ~SSH_CHAN_IO_SOCK;
462 *fdp = -1; /* probably redundant */
466 /* Close all channel fd/socket. */
468 channel_close_fds(struct ssh *ssh, Channel *c)
470 int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
472 channel_close_fd(ssh, c, &c->sock);
474 channel_close_fd(ssh, c, &c->rfd);
475 if (wfd != sock && wfd != rfd)
476 channel_close_fd(ssh, c, &c->wfd);
477 if (efd != sock && efd != rfd && efd != wfd)
478 channel_close_fd(ssh, c, &c->efd);
482 fwd_perm_clear(struct permission *perm)
484 free(perm->host_to_connect);
485 free(perm->listen_host);
486 free(perm->listen_path);
487 memset(perm, 0, sizeof(*perm));
490 /* Returns an printable name for the specified forwarding permission list */
492 fwd_ident(int who, int where)
494 if (who == FORWARD_ADM) {
495 if (where == FORWARD_LOCAL)
496 return "admin local";
497 else if (where == FORWARD_REMOTE)
498 return "admin remote";
499 } else if (who == FORWARD_USER) {
500 if (where == FORWARD_LOCAL)
502 else if (where == FORWARD_REMOTE)
503 return "user remote";
505 fatal("Unknown forward permission list %d/%d", who, where);
508 /* Returns the forwarding permission list for the specified direction */
509 static struct permission_set *
510 permission_set_get(struct ssh *ssh, int where)
512 struct ssh_channels *sc = ssh->chanctxt;
516 return &sc->local_perms;
519 return &sc->remote_perms;
522 fatal_f("invalid forwarding direction %d", where);
526 /* Returns pointers to the specified forwarding list and its element count */
528 permission_set_get_array(struct ssh *ssh, int who, int where,
529 struct permission ***permpp, u_int **npermpp)
531 struct permission_set *pset = permission_set_get(ssh, where);
535 *permpp = &pset->permitted_user;
536 *npermpp = &pset->num_permitted_user;
539 *permpp = &pset->permitted_admin;
540 *npermpp = &pset->num_permitted_admin;
543 fatal_f("invalid forwarding client %d", who);
547 /* Adds an entry to the specified forwarding list */
549 permission_set_add(struct ssh *ssh, int who, int where,
550 const char *host_to_connect, int port_to_connect,
551 const char *listen_host, const char *listen_path, int listen_port,
554 struct permission **permp;
557 permission_set_get_array(ssh, who, where, &permp, &npermp);
559 if (*npermp >= INT_MAX)
560 fatal_f("%s overflow", fwd_ident(who, where));
562 *permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp));
564 #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s))
565 (*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect);
566 (*permp)[n].port_to_connect = port_to_connect;
567 (*permp)[n].listen_host = MAYBE_DUP(listen_host);
568 (*permp)[n].listen_path = MAYBE_DUP(listen_path);
569 (*permp)[n].listen_port = listen_port;
570 (*permp)[n].downstream = downstream;
576 mux_remove_remote_forwardings(struct ssh *ssh, Channel *c)
578 struct ssh_channels *sc = ssh->chanctxt;
579 struct permission_set *pset = &sc->local_perms;
580 struct permission *perm;
584 for (i = 0; i < pset->num_permitted_user; i++) {
585 perm = &pset->permitted_user[i];
586 if (perm->downstream != c)
589 /* cancel on the server, since mux client is gone */
590 debug("channel %d: cleanup remote forward for %s:%u",
591 c->self, perm->listen_host, perm->listen_port);
592 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
593 (r = sshpkt_put_cstring(ssh,
594 "cancel-tcpip-forward")) != 0 ||
595 (r = sshpkt_put_u8(ssh, 0)) != 0 ||
596 (r = sshpkt_put_cstring(ssh,
597 channel_rfwd_bind_host(perm->listen_host))) != 0 ||
598 (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 ||
599 (r = sshpkt_send(ssh)) != 0) {
600 fatal_fr(r, "channel %i", c->self);
602 fwd_perm_clear(perm); /* unregister */
606 /* Free the channel and close its fd/socket. */
608 channel_free(struct ssh *ssh, Channel *c)
610 struct ssh_channels *sc = ssh->chanctxt;
614 struct channel_confirm *cc;
616 for (n = 0, i = 0; i < sc->channels_alloc; i++) {
617 if ((other = sc->channels[i]) == NULL)
620 /* detach from mux client and prepare for closing */
621 if (c->type == SSH_CHANNEL_MUX_CLIENT &&
622 other->type == SSH_CHANNEL_MUX_PROXY &&
623 other->mux_ctx == c) {
624 other->mux_ctx = NULL;
625 other->type = SSH_CHANNEL_OPEN;
626 other->istate = CHAN_INPUT_CLOSED;
627 other->ostate = CHAN_OUTPUT_CLOSED;
630 debug("channel %d: free: %s, nchannels %u", c->self,
631 c->remote_name ? c->remote_name : "???", n);
633 if (c->type == SSH_CHANNEL_MUX_CLIENT) {
634 mux_remove_remote_forwardings(ssh, c);
637 } else if (c->type == SSH_CHANNEL_MUX_LISTENER) {
642 if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) {
643 s = channel_open_message(ssh);
644 debug3("channel %d: status: %s", c->self, s);
648 channel_close_fds(ssh, c);
649 sshbuf_free(c->input);
650 sshbuf_free(c->output);
651 sshbuf_free(c->extended);
652 c->input = c->output = c->extended = NULL;
653 free(c->remote_name);
654 c->remote_name = NULL;
657 free(c->listening_addr);
658 c->listening_addr = NULL;
659 while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
660 if (cc->abandon_cb != NULL)
661 cc->abandon_cb(ssh, c, cc->ctx);
662 TAILQ_REMOVE(&c->status_confirms, cc, entry);
663 freezero(cc, sizeof(*cc));
665 if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
666 c->filter_cleanup(ssh, c->self, c->filter_ctx);
667 sc->channels[c->self] = NULL;
668 freezero(c, sizeof(*c));
672 channel_free_all(struct ssh *ssh)
675 struct ssh_channels *sc = ssh->chanctxt;
677 for (i = 0; i < sc->channels_alloc; i++)
678 if (sc->channels[i] != NULL)
679 channel_free(ssh, sc->channels[i]);
683 sc->channels_alloc = 0;
685 free(sc->x11_saved_display);
686 sc->x11_saved_display = NULL;
688 free(sc->x11_saved_proto);
689 sc->x11_saved_proto = NULL;
691 free(sc->x11_saved_data);
692 sc->x11_saved_data = NULL;
693 sc->x11_saved_data_len = 0;
695 free(sc->x11_fake_data);
696 sc->x11_fake_data = NULL;
697 sc->x11_fake_data_len = 0;
701 * Closes the sockets/fds of all channels. This is used to close extra file
702 * descriptors after a fork.
705 channel_close_all(struct ssh *ssh)
709 for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
710 if (ssh->chanctxt->channels[i] != NULL)
711 channel_close_fds(ssh, ssh->chanctxt->channels[i]);
715 * Stop listening to channels.
718 channel_stop_listening(struct ssh *ssh)
723 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
724 c = ssh->chanctxt->channels[i];
727 case SSH_CHANNEL_AUTH_SOCKET:
728 case SSH_CHANNEL_PORT_LISTENER:
729 case SSH_CHANNEL_RPORT_LISTENER:
730 case SSH_CHANNEL_X11_LISTENER:
731 case SSH_CHANNEL_UNIX_LISTENER:
732 case SSH_CHANNEL_RUNIX_LISTENER:
733 channel_close_fd(ssh, c, &c->sock);
734 channel_free(ssh, c);
742 * Returns true if no channel has too much buffered data, and false if one or
743 * more channel is overfull.
746 channel_not_very_much_buffered_data(struct ssh *ssh)
749 u_int maxsize = ssh_packet_get_maxsize(ssh);
752 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
753 c = ssh->chanctxt->channels[i];
754 if (c == NULL || c->type != SSH_CHANNEL_OPEN)
756 if (sshbuf_len(c->output) > maxsize) {
757 debug2("channel %d: big output buffer %zu > %u",
758 c->self, sshbuf_len(c->output), maxsize);
765 /* Returns true if any channel is still open. */
767 channel_still_open(struct ssh *ssh)
772 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
773 c = ssh->chanctxt->channels[i];
777 case SSH_CHANNEL_X11_LISTENER:
778 case SSH_CHANNEL_PORT_LISTENER:
779 case SSH_CHANNEL_RPORT_LISTENER:
780 case SSH_CHANNEL_MUX_LISTENER:
781 case SSH_CHANNEL_CLOSED:
782 case SSH_CHANNEL_AUTH_SOCKET:
783 case SSH_CHANNEL_DYNAMIC:
784 case SSH_CHANNEL_RDYNAMIC_OPEN:
785 case SSH_CHANNEL_CONNECTING:
786 case SSH_CHANNEL_ZOMBIE:
787 case SSH_CHANNEL_ABANDONED:
788 case SSH_CHANNEL_UNIX_LISTENER:
789 case SSH_CHANNEL_RUNIX_LISTENER:
791 case SSH_CHANNEL_LARVAL:
793 case SSH_CHANNEL_OPENING:
794 case SSH_CHANNEL_OPEN:
795 case SSH_CHANNEL_RDYNAMIC_FINISH:
796 case SSH_CHANNEL_X11_OPEN:
797 case SSH_CHANNEL_MUX_CLIENT:
798 case SSH_CHANNEL_MUX_PROXY:
801 fatal_f("bad channel type %d", c->type);
808 /* Returns the id of an open channel suitable for keepaliving */
810 channel_find_open(struct ssh *ssh)
815 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
816 c = ssh->chanctxt->channels[i];
817 if (c == NULL || !c->have_remote_id)
820 case SSH_CHANNEL_CLOSED:
821 case SSH_CHANNEL_DYNAMIC:
822 case SSH_CHANNEL_RDYNAMIC_OPEN:
823 case SSH_CHANNEL_RDYNAMIC_FINISH:
824 case SSH_CHANNEL_X11_LISTENER:
825 case SSH_CHANNEL_PORT_LISTENER:
826 case SSH_CHANNEL_RPORT_LISTENER:
827 case SSH_CHANNEL_MUX_LISTENER:
828 case SSH_CHANNEL_MUX_CLIENT:
829 case SSH_CHANNEL_MUX_PROXY:
830 case SSH_CHANNEL_OPENING:
831 case SSH_CHANNEL_CONNECTING:
832 case SSH_CHANNEL_ZOMBIE:
833 case SSH_CHANNEL_ABANDONED:
834 case SSH_CHANNEL_UNIX_LISTENER:
835 case SSH_CHANNEL_RUNIX_LISTENER:
837 case SSH_CHANNEL_LARVAL:
838 case SSH_CHANNEL_AUTH_SOCKET:
839 case SSH_CHANNEL_OPEN:
840 case SSH_CHANNEL_X11_OPEN:
843 fatal_f("bad channel type %d", c->type);
850 /* Returns the state of the channel's extended usage flag */
852 channel_format_extended_usage(const Channel *c)
857 switch (c->extended_usage) {
858 case CHAN_EXTENDED_WRITE:
860 case CHAN_EXTENDED_READ:
862 case CHAN_EXTENDED_IGNORE:
870 channel_format_status(const Channel *c)
874 xasprintf(&ret, "t%d %s%u i%u/%zu o%u/%zu e[%s]/%zu "
875 "fd %d/%d/%d sock %d cc %d io 0x%02x/0x%02x",
877 c->have_remote_id ? "r" : "nr", c->remote_id,
878 c->istate, sshbuf_len(c->input),
879 c->ostate, sshbuf_len(c->output),
880 channel_format_extended_usage(c), sshbuf_len(c->extended),
881 c->rfd, c->wfd, c->efd, c->sock, c->ctl_chan,
882 c->io_want, c->io_ready);
887 * Returns a message describing the currently open forwarded connections,
888 * suitable for sending to the client. The message contains crlf pairs for
892 channel_open_message(struct ssh *ssh)
900 if ((buf = sshbuf_new()) == NULL)
901 fatal_f("sshbuf_new");
902 if ((r = sshbuf_putf(buf,
903 "The following connections are open:\r\n")) != 0)
904 fatal_fr(r, "sshbuf_putf");
905 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
906 c = ssh->chanctxt->channels[i];
910 case SSH_CHANNEL_X11_LISTENER:
911 case SSH_CHANNEL_PORT_LISTENER:
912 case SSH_CHANNEL_RPORT_LISTENER:
913 case SSH_CHANNEL_CLOSED:
914 case SSH_CHANNEL_AUTH_SOCKET:
915 case SSH_CHANNEL_ZOMBIE:
916 case SSH_CHANNEL_ABANDONED:
917 case SSH_CHANNEL_MUX_LISTENER:
918 case SSH_CHANNEL_UNIX_LISTENER:
919 case SSH_CHANNEL_RUNIX_LISTENER:
921 case SSH_CHANNEL_LARVAL:
922 case SSH_CHANNEL_OPENING:
923 case SSH_CHANNEL_CONNECTING:
924 case SSH_CHANNEL_DYNAMIC:
925 case SSH_CHANNEL_RDYNAMIC_OPEN:
926 case SSH_CHANNEL_RDYNAMIC_FINISH:
927 case SSH_CHANNEL_OPEN:
928 case SSH_CHANNEL_X11_OPEN:
929 case SSH_CHANNEL_MUX_PROXY:
930 case SSH_CHANNEL_MUX_CLIENT:
931 cp = channel_format_status(c);
932 if ((r = sshbuf_putf(buf, " #%d %.300s (%s)\r\n",
933 c->self, c->remote_name, cp)) != 0) {
935 fatal_fr(r, "sshbuf_putf");
940 fatal_f("bad channel type %d", c->type);
944 if ((ret = sshbuf_dup_string(buf)) == NULL)
945 fatal_f("sshbuf_dup_string");
951 open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type)
955 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
956 (r = sshpkt_put_cstring(ssh, type)) != 0 ||
957 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
958 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
959 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
960 fatal_r(r, "%s: channel %i: open", where, c->self);
965 channel_send_open(struct ssh *ssh, int id)
967 Channel *c = channel_lookup(ssh, id);
971 logit("channel_send_open: %d: bad id", id);
974 debug2("channel %d: send open", id);
975 open_preamble(ssh, __func__, c, c->ctype);
976 if ((r = sshpkt_send(ssh)) != 0)
977 fatal_fr(r, "channel %i", c->self);
981 channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
983 Channel *c = channel_lookup(ssh, id);
987 logit_f("%d: unknown channel id", id);
990 if (!c->have_remote_id)
991 fatal_f("channel %d: no remote id", c->self);
993 debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
994 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 ||
995 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
996 (r = sshpkt_put_cstring(ssh, service)) != 0 ||
997 (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) {
998 fatal_fr(r, "channel %i", c->self);
1003 channel_register_status_confirm(struct ssh *ssh, int id,
1004 channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx)
1006 struct channel_confirm *cc;
1009 if ((c = channel_lookup(ssh, id)) == NULL)
1010 fatal_f("%d: bad id", id);
1012 cc = xcalloc(1, sizeof(*cc));
1014 cc->abandon_cb = abandon_cb;
1016 TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
1020 channel_register_open_confirm(struct ssh *ssh, int id,
1021 channel_open_fn *fn, void *ctx)
1023 Channel *c = channel_lookup(ssh, id);
1026 logit_f("%d: bad id", id);
1029 c->open_confirm = fn;
1030 c->open_confirm_ctx = ctx;
1034 channel_register_cleanup(struct ssh *ssh, int id,
1035 channel_callback_fn *fn, int do_close)
1037 Channel *c = channel_by_id(ssh, id);
1040 logit_f("%d: bad id", id);
1043 c->detach_user = fn;
1044 c->detach_close = do_close;
1048 channel_cancel_cleanup(struct ssh *ssh, int id)
1050 Channel *c = channel_by_id(ssh, id);
1053 logit_f("%d: bad id", id);
1056 c->detach_user = NULL;
1057 c->detach_close = 0;
1061 channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn,
1062 channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
1064 Channel *c = channel_lookup(ssh, id);
1067 logit_f("%d: bad id", id);
1070 c->input_filter = ifn;
1071 c->output_filter = ofn;
1072 c->filter_ctx = ctx;
1073 c->filter_cleanup = cfn;
1077 channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
1078 int extusage, int nonblock, int is_tty, u_int window_max)
1080 Channel *c = channel_lookup(ssh, id);
1083 if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
1084 fatal("channel_activate for non-larval channel %d.", id);
1085 if (!c->have_remote_id)
1086 fatal_f("channel %d: no remote id", c->self);
1088 channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
1089 c->type = SSH_CHANNEL_OPEN;
1090 c->local_window = c->local_window_max = window_max;
1092 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
1093 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1094 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1095 (r = sshpkt_send(ssh)) != 0)
1096 fatal_fr(r, "channel %i", c->self);
1100 channel_pre_listener(struct ssh *ssh, Channel *c)
1102 c->io_want = SSH_CHAN_IO_SOCK_R;
1106 channel_pre_connecting(struct ssh *ssh, Channel *c)
1108 debug3("channel %d: waiting for connection", c->self);
1109 c->io_want = SSH_CHAN_IO_SOCK_W;
1113 channel_pre_open(struct ssh *ssh, Channel *c)
1116 if (c->istate == CHAN_INPUT_OPEN &&
1117 c->remote_window > 0 &&
1118 sshbuf_len(c->input) < c->remote_window &&
1119 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1120 c->io_want |= SSH_CHAN_IO_RFD;
1121 if (c->ostate == CHAN_OUTPUT_OPEN ||
1122 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1123 if (sshbuf_len(c->output) > 0) {
1124 c->io_want |= SSH_CHAN_IO_WFD;
1125 } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1126 if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
1127 debug2("channel %d: "
1128 "obuf_empty delayed efd %d/(%zu)", c->self,
1129 c->efd, sshbuf_len(c->extended));
1131 chan_obuf_empty(ssh, c);
1134 /** XXX check close conditions, too */
1135 if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED &&
1136 c->ostate == CHAN_OUTPUT_CLOSED)) {
1137 if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1138 sshbuf_len(c->extended) > 0)
1139 c->io_want |= SSH_CHAN_IO_EFD_W;
1140 else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
1141 (c->extended_usage == CHAN_EXTENDED_READ ||
1142 c->extended_usage == CHAN_EXTENDED_IGNORE) &&
1143 sshbuf_len(c->extended) < c->remote_window)
1144 c->io_want |= SSH_CHAN_IO_EFD_R;
1146 /* XXX: What about efd? races? */
1150 * This is a special state for X11 authentication spoofing. An opened X11
1151 * connection (when authentication spoofing is being done) remains in this
1152 * state until the first packet has been completely read. The authentication
1153 * data in that packet is then substituted by the real data if it matches the
1154 * fake data, and the channel is put into normal mode.
1155 * XXX All this happens at the client side.
1156 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1159 x11_open_helper(struct ssh *ssh, struct sshbuf *b)
1161 struct ssh_channels *sc = ssh->chanctxt;
1163 u_int proto_len, data_len;
1165 /* Is this being called after the refusal deadline? */
1166 if (sc->x11_refuse_time != 0 &&
1167 (u_int)monotime() >= sc->x11_refuse_time) {
1168 verbose("Rejected X11 connection after ForwardX11Timeout "
1173 /* Check if the fixed size part of the packet is in buffer. */
1174 if (sshbuf_len(b) < 12)
1177 /* Parse the lengths of variable-length fields. */
1178 ucp = sshbuf_mutable_ptr(b);
1179 if (ucp[0] == 0x42) { /* Byte order MSB first. */
1180 proto_len = 256 * ucp[6] + ucp[7];
1181 data_len = 256 * ucp[8] + ucp[9];
1182 } else if (ucp[0] == 0x6c) { /* Byte order LSB first. */
1183 proto_len = ucp[6] + 256 * ucp[7];
1184 data_len = ucp[8] + 256 * ucp[9];
1186 debug2("Initial X11 packet contains bad byte order byte: 0x%x",
1191 /* Check if the whole packet is in buffer. */
1193 12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
1196 /* Check if authentication protocol matches. */
1197 if (proto_len != strlen(sc->x11_saved_proto) ||
1198 memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) {
1199 debug2("X11 connection uses different authentication protocol.");
1202 /* Check if authentication data matches our fake data. */
1203 if (data_len != sc->x11_fake_data_len ||
1204 timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
1205 sc->x11_fake_data, sc->x11_fake_data_len) != 0) {
1206 debug2("X11 auth data does not match fake data.");
1209 /* Check fake data length */
1210 if (sc->x11_fake_data_len != sc->x11_saved_data_len) {
1211 error("X11 fake_data_len %d != saved_data_len %d",
1212 sc->x11_fake_data_len, sc->x11_saved_data_len);
1216 * Received authentication protocol and data match
1217 * our fake data. Substitute the fake data with real
1220 memcpy(ucp + 12 + ((proto_len + 3) & ~3),
1221 sc->x11_saved_data, sc->x11_saved_data_len);
1226 channel_pre_x11_open(struct ssh *ssh, Channel *c)
1228 int ret = x11_open_helper(ssh, c->output);
1230 /* c->force_drain = 1; */
1233 c->type = SSH_CHANNEL_OPEN;
1234 channel_pre_open(ssh, c);
1235 } else if (ret == -1) {
1236 logit("X11 connection rejected because of wrong authentication.");
1237 debug2("X11 rejected %d i%d/o%d",
1238 c->self, c->istate, c->ostate);
1239 chan_read_failed(ssh, c);
1240 sshbuf_reset(c->input);
1241 chan_ibuf_empty(ssh, c);
1242 sshbuf_reset(c->output);
1243 chan_write_failed(ssh, c);
1244 debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
1249 channel_pre_mux_client(struct ssh *ssh, Channel *c)
1252 if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause &&
1253 sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1254 c->io_want |= SSH_CHAN_IO_RFD;
1255 if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1256 /* clear buffer immediately (discard any partial packet) */
1257 sshbuf_reset(c->input);
1258 chan_ibuf_empty(ssh, c);
1259 /* Start output drain. XXX just kill chan? */
1260 chan_rcvd_oclose(ssh, c);
1262 if (c->ostate == CHAN_OUTPUT_OPEN ||
1263 c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1264 if (sshbuf_len(c->output) > 0)
1265 c->io_want |= SSH_CHAN_IO_WFD;
1266 else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN)
1267 chan_obuf_empty(ssh, c);
1271 /* try to decode a socks4 header */
1273 channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output)
1277 u_int len, have, i, found, need;
1282 u_int16_t dest_port;
1283 struct in_addr dest_addr;
1287 debug2("channel %d: decode socks4", c->self);
1289 have = sshbuf_len(input);
1290 len = sizeof(s4_req);
1293 p = sshbuf_ptr(input);
1296 /* SOCKS4A uses an invalid IP address 0.0.0.x */
1297 if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1298 debug2("channel %d: socks4a request", c->self);
1299 /* ... and needs an extra string (the hostname) */
1302 /* Check for terminating NUL on the string(s) */
1303 for (found = 0, i = len; i < have; i++) {
1310 /* the peer is probably sending garbage */
1311 debug("channel %d: decode socks4: too long",
1318 if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 ||
1319 (r = sshbuf_get(input, &s4_req.command, 1)) != 0 ||
1320 (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 ||
1321 (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) {
1322 debug_r(r, "channels %d: decode socks4", c->self);
1325 have = sshbuf_len(input);
1326 p = sshbuf_ptr(input);
1327 if (memchr(p, '\0', have) == NULL) {
1328 error("channel %d: decode socks4: unterminated user", c->self);
1332 debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1333 len++; /* trailing '\0' */
1334 strlcpy(username, p, sizeof(username));
1335 if ((r = sshbuf_consume(input, len)) != 0)
1336 fatal_fr(r, "channel %d: consume", c->self);
1339 if (need == 1) { /* SOCKS4: one string */
1340 host = inet_ntoa(s4_req.dest_addr);
1341 c->path = xstrdup(host);
1342 } else { /* SOCKS4A: two strings */
1343 have = sshbuf_len(input);
1344 p = sshbuf_ptr(input);
1345 if (memchr(p, '\0', have) == NULL) {
1346 error("channel %d: decode socks4a: host not nul "
1347 "terminated", c->self);
1351 debug2("channel %d: decode socks4a: host %s/%d",
1353 len++; /* trailing '\0' */
1354 if (len > NI_MAXHOST) {
1355 error("channel %d: hostname \"%.100s\" too long",
1359 c->path = xstrdup(p);
1360 if ((r = sshbuf_consume(input, len)) != 0)
1361 fatal_fr(r, "channel %d: consume", c->self);
1363 c->host_port = ntohs(s4_req.dest_port);
1365 debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
1366 c->self, c->path, c->host_port, s4_req.command);
1368 if (s4_req.command != 1) {
1369 debug("channel %d: cannot handle: %s cn %d",
1370 c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command);
1373 s4_rsp.version = 0; /* vn: 0 for reply */
1374 s4_rsp.command = 90; /* cd: req granted */
1375 s4_rsp.dest_port = 0; /* ignored */
1376 s4_rsp.dest_addr.s_addr = INADDR_ANY; /* ignored */
1377 if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0)
1378 fatal_fr(r, "channel %d: append reply", c->self);
1382 /* try to decode a socks5 header */
1383 #define SSH_SOCKS5_AUTHDONE 0x1000
1384 #define SSH_SOCKS5_NOAUTH 0x00
1385 #define SSH_SOCKS5_IPV4 0x01
1386 #define SSH_SOCKS5_DOMAIN 0x03
1387 #define SSH_SOCKS5_IPV6 0x04
1388 #define SSH_SOCKS5_CONNECT 0x01
1389 #define SSH_SOCKS5_SUCCESS 0x00
1392 channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
1394 /* XXX use get/put_u8 instead of trusting struct padding */
1401 u_int16_t dest_port;
1402 char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1404 u_int have, need, i, found, nmethods, addrlen, af;
1407 debug2("channel %d: decode socks5", c->self);
1408 p = sshbuf_ptr(input);
1411 have = sshbuf_len(input);
1412 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
1413 /* format: ver | nmethods | methods */
1417 if (have < nmethods + 2)
1419 /* look for method: "NO AUTHENTICATION REQUIRED" */
1420 for (found = 0, i = 2; i < nmethods + 2; i++) {
1421 if (p[i] == SSH_SOCKS5_NOAUTH) {
1427 debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
1431 if ((r = sshbuf_consume(input, nmethods + 2)) != 0)
1432 fatal_fr(r, "channel %d: consume", c->self);
1433 /* version, method */
1434 if ((r = sshbuf_put_u8(output, 0x05)) != 0 ||
1435 (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0)
1436 fatal_fr(r, "channel %d: append reply", c->self);
1437 c->flags |= SSH_SOCKS5_AUTHDONE;
1438 debug2("channel %d: socks5 auth done", c->self);
1439 return 0; /* need more */
1441 debug2("channel %d: socks5 post auth", c->self);
1442 if (have < sizeof(s5_req)+1)
1443 return 0; /* need more */
1444 memcpy(&s5_req, p, sizeof(s5_req));
1445 if (s5_req.version != 0x05 ||
1446 s5_req.command != SSH_SOCKS5_CONNECT ||
1447 s5_req.reserved != 0x00) {
1448 debug2("channel %d: only socks5 connect supported", c->self);
1451 switch (s5_req.atyp){
1452 case SSH_SOCKS5_IPV4:
1456 case SSH_SOCKS5_DOMAIN:
1457 addrlen = p[sizeof(s5_req)];
1460 case SSH_SOCKS5_IPV6:
1465 debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
1468 need = sizeof(s5_req) + addrlen + 2;
1469 if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1473 if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0)
1474 fatal_fr(r, "channel %d: consume", c->self);
1475 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1476 /* host string length */
1477 if ((r = sshbuf_consume(input, 1)) != 0)
1478 fatal_fr(r, "channel %d: consume", c->self);
1480 if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 ||
1481 (r = sshbuf_get(input, &dest_port, 2)) != 0) {
1482 debug_r(r, "channel %d: parse addr/port", c->self);
1485 dest_addr[addrlen] = '\0';
1488 if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1489 if (addrlen >= NI_MAXHOST) {
1490 error("channel %d: dynamic request: socks5 hostname "
1491 "\"%.100s\" too long", c->self, dest_addr);
1494 c->path = xstrdup(dest_addr);
1496 if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
1498 c->path = xstrdup(ntop);
1500 c->host_port = ntohs(dest_port);
1502 debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
1503 c->self, c->path, c->host_port, s5_req.command);
1505 s5_rsp.version = 0x05;
1506 s5_rsp.command = SSH_SOCKS5_SUCCESS;
1507 s5_rsp.reserved = 0; /* ignored */
1508 s5_rsp.atyp = SSH_SOCKS5_IPV4;
1509 dest_port = 0; /* ignored */
1511 if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 ||
1512 (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 ||
1513 (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0)
1514 fatal_fr(r, "channel %d: append reply", c->self);
1519 channel_connect_stdio_fwd(struct ssh *ssh,
1520 const char *host_to_connect, u_short port_to_connect,
1521 int in, int out, int nonblock)
1525 debug_f("%s:%d", host_to_connect, port_to_connect);
1527 c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
1528 -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1529 0, "stdio-forward", nonblock);
1531 c->path = xstrdup(host_to_connect);
1532 c->host_port = port_to_connect;
1533 c->listening_port = 0;
1536 channel_register_fds(ssh, c, in, out, -1, 0, 1, 0);
1537 port_open_helper(ssh, c, "direct-tcpip");
1542 /* dynamic port forwarding */
1544 channel_pre_dynamic(struct ssh *ssh, Channel *c)
1551 have = sshbuf_len(c->input);
1552 debug2("channel %d: pre_dynamic: have %d", c->self, have);
1553 /* sshbuf_dump(c->input, stderr); */
1554 /* check if the fixed size part of the packet is in buffer. */
1557 c->io_want |= SSH_CHAN_IO_RFD;
1560 /* try to guess the protocol */
1561 p = sshbuf_ptr(c->input);
1562 /* XXX sshbuf_peek_u8? */
1565 ret = channel_decode_socks4(c, c->input, c->output);
1568 ret = channel_decode_socks5(c, c->input, c->output);
1575 chan_mark_dead(ssh, c);
1576 } else if (ret == 0) {
1577 debug2("channel %d: pre_dynamic: need more", c->self);
1579 c->io_want |= SSH_CHAN_IO_RFD;
1580 if (sshbuf_len(c->output))
1581 c->io_want |= SSH_CHAN_IO_WFD;
1583 /* switch to the next state */
1584 c->type = SSH_CHANNEL_OPENING;
1585 port_open_helper(ssh, c, "direct-tcpip");
1589 /* simulate read-error */
1591 rdynamic_close(struct ssh *ssh, Channel *c)
1593 c->type = SSH_CHANNEL_OPEN;
1594 chan_read_failed(ssh, c);
1595 sshbuf_reset(c->input);
1596 chan_ibuf_empty(ssh, c);
1597 sshbuf_reset(c->output);
1598 chan_write_failed(ssh, c);
1601 /* reverse dynamic port forwarding */
1603 channel_before_prepare_io_rdynamic(struct ssh *ssh, Channel *c)
1609 have = sshbuf_len(c->output);
1610 debug2("channel %d: pre_rdynamic: have %d", c->self, have);
1611 /* sshbuf_dump(c->output, stderr); */
1613 if (c->flags & CHAN_EOF_RCVD) {
1614 if ((r = sshbuf_consume(c->output, have)) != 0)
1615 fatal_fr(r, "channel %d: consume", c->self);
1616 rdynamic_close(ssh, c);
1619 /* check if the fixed size part of the packet is in buffer. */
1622 /* try to guess the protocol */
1623 p = sshbuf_ptr(c->output);
1626 /* switch input/output for reverse forwarding */
1627 ret = channel_decode_socks4(c, c->output, c->input);
1630 ret = channel_decode_socks5(c, c->output, c->input);
1637 rdynamic_close(ssh, c);
1638 } else if (ret == 0) {
1639 debug2("channel %d: pre_rdynamic: need more", c->self);
1640 /* send socks request to peer */
1641 len = sshbuf_len(c->input);
1642 if (len > 0 && len < c->remote_window) {
1643 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
1644 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1645 (r = sshpkt_put_stringb(ssh, c->input)) != 0 ||
1646 (r = sshpkt_send(ssh)) != 0) {
1647 fatal_fr(r, "channel %i: rdynamic", c->self);
1649 if ((r = sshbuf_consume(c->input, len)) != 0)
1650 fatal_fr(r, "channel %d: consume", c->self);
1651 c->remote_window -= len;
1653 } else if (rdynamic_connect_finish(ssh, c) < 0) {
1654 /* the connect failed */
1655 rdynamic_close(ssh, c);
1659 /* This is our fake X11 server socket. */
1661 channel_post_x11_listener(struct ssh *ssh, Channel *c)
1664 struct sockaddr_storage addr;
1665 int r, newsock, oerrno, remote_port;
1667 char buf[16384], *remote_ipaddr;
1669 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1672 debug("X11 connection requested.");
1673 addrlen = sizeof(addr);
1674 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1675 if (c->single_connection) {
1677 debug2("single_connection: closing X11 listener.");
1678 channel_close_fd(ssh, c, &c->sock);
1679 chan_mark_dead(ssh, c);
1682 if (newsock == -1) {
1683 if (errno != EINTR && errno != EWOULDBLOCK &&
1684 errno != ECONNABORTED)
1685 error("accept: %.100s", strerror(errno));
1686 if (errno == EMFILE || errno == ENFILE)
1687 c->notbefore = monotime() + 1;
1690 set_nodelay(newsock);
1691 remote_ipaddr = get_peer_ipaddr(newsock);
1692 remote_port = get_peer_port(newsock);
1693 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1694 remote_ipaddr, remote_port);
1696 nc = channel_new(ssh, "accepted x11 socket",
1697 SSH_CHANNEL_OPENING, newsock, newsock, -1,
1698 c->local_window_max, c->local_maxpacket, 0, buf, 1);
1699 open_preamble(ssh, __func__, nc, "x11");
1700 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1701 (r = sshpkt_put_u32(ssh, remote_port)) != 0) {
1702 fatal_fr(r, "channel %i: reply", c->self);
1704 if ((r = sshpkt_send(ssh)) != 0)
1705 fatal_fr(r, "channel %i: send", c->self);
1706 free(remote_ipaddr);
1710 port_open_helper(struct ssh *ssh, Channel *c, char *rtype)
1712 char *local_ipaddr = get_local_ipaddr(c->sock);
1713 int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
1714 char *remote_ipaddr = get_peer_ipaddr(c->sock);
1715 int remote_port = get_peer_port(c->sock);
1718 if (remote_port == -1) {
1719 /* Fake addr/port to appease peers that validate it (Tectia) */
1720 free(remote_ipaddr);
1721 remote_ipaddr = xstrdup("127.0.0.1");
1722 remote_port = 65535;
1725 free(c->remote_name);
1726 xasprintf(&c->remote_name,
1727 "%s: listening port %d for %.100s port %d, "
1728 "connect from %.200s port %d to %.100s port %d",
1729 rtype, c->listening_port, c->path, c->host_port,
1730 remote_ipaddr, remote_port, local_ipaddr, local_port);
1732 open_preamble(ssh, __func__, c, rtype);
1733 if (strcmp(rtype, "direct-tcpip") == 0) {
1734 /* target host, port */
1735 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1736 (r = sshpkt_put_u32(ssh, c->host_port)) != 0)
1737 fatal_fr(r, "channel %i: reply", c->self);
1738 } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
1740 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1741 fatal_fr(r, "channel %i: reply", c->self);
1742 } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1744 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0)
1745 fatal_fr(r, "channel %i: reply", c->self);
1747 /* listen address, port */
1748 if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1749 (r = sshpkt_put_u32(ssh, local_port)) != 0)
1750 fatal_fr(r, "channel %i: reply", c->self);
1752 if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1753 /* reserved for future owner/mode info */
1754 if ((r = sshpkt_put_cstring(ssh, "")) != 0)
1755 fatal_fr(r, "channel %i: reply", c->self);
1757 /* originator host and port */
1758 if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1759 (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0)
1760 fatal_fr(r, "channel %i: reply", c->self);
1762 if ((r = sshpkt_send(ssh)) != 0)
1763 fatal_fr(r, "channel %i: send", c->self);
1764 free(remote_ipaddr);
1769 channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time)
1771 ssh->chanctxt->x11_refuse_time = refuse_time;
1775 * This socket is listening for connections to a forwarded TCP/IP port.
1778 channel_post_port_listener(struct ssh *ssh, Channel *c)
1781 struct sockaddr_storage addr;
1782 int newsock, nextstate;
1786 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1789 debug("Connection to port %d forwarding to %.100s port %d requested.",
1790 c->listening_port, c->path, c->host_port);
1792 if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1793 nextstate = SSH_CHANNEL_OPENING;
1794 rtype = "forwarded-tcpip";
1795 } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) {
1796 nextstate = SSH_CHANNEL_OPENING;
1797 rtype = "forwarded-streamlocal@openssh.com";
1798 } else if (c->host_port == PORT_STREAMLOCAL) {
1799 nextstate = SSH_CHANNEL_OPENING;
1800 rtype = "direct-streamlocal@openssh.com";
1801 } else if (c->host_port == 0) {
1802 nextstate = SSH_CHANNEL_DYNAMIC;
1803 rtype = "dynamic-tcpip";
1805 nextstate = SSH_CHANNEL_OPENING;
1806 rtype = "direct-tcpip";
1809 addrlen = sizeof(addr);
1810 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1811 if (newsock == -1) {
1812 if (errno != EINTR && errno != EWOULDBLOCK &&
1813 errno != ECONNABORTED)
1814 error("accept: %.100s", strerror(errno));
1815 if (errno == EMFILE || errno == ENFILE)
1816 c->notbefore = monotime() + 1;
1819 if (c->host_port != PORT_STREAMLOCAL)
1820 set_nodelay(newsock);
1821 nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1,
1822 c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1823 nc->listening_port = c->listening_port;
1824 nc->host_port = c->host_port;
1825 if (c->path != NULL)
1826 nc->path = xstrdup(c->path);
1828 if (nextstate != SSH_CHANNEL_DYNAMIC)
1829 port_open_helper(ssh, nc, rtype);
1833 * This is the authentication agent socket listening for connections from
1837 channel_post_auth_listener(struct ssh *ssh, Channel *c)
1841 struct sockaddr_storage addr;
1844 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
1847 addrlen = sizeof(addr);
1848 newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1849 if (newsock == -1) {
1850 error("accept from auth socket: %.100s", strerror(errno));
1851 if (errno == EMFILE || errno == ENFILE)
1852 c->notbefore = monotime() + 1;
1855 nc = channel_new(ssh, "accepted auth socket",
1856 SSH_CHANNEL_OPENING, newsock, newsock, -1,
1857 c->local_window_max, c->local_maxpacket,
1858 0, "accepted auth socket", 1);
1859 open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
1860 if ((r = sshpkt_send(ssh)) != 0)
1861 fatal_fr(r, "channel %i", c->self);
1865 channel_post_connecting(struct ssh *ssh, Channel *c)
1867 int err = 0, sock, isopen, r;
1868 socklen_t sz = sizeof(err);
1870 if ((c->io_ready & SSH_CHAN_IO_SOCK_W) == 0)
1872 if (!c->have_remote_id)
1873 fatal_f("channel %d: no remote id", c->self);
1874 /* for rdynamic the OPEN_CONFIRMATION has been sent already */
1875 isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH);
1876 if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) == -1) {
1878 error("getsockopt SO_ERROR failed");
1881 debug("channel %d: connected to %s port %d",
1882 c->self, c->connect_ctx.host, c->connect_ctx.port);
1883 channel_connect_ctx_free(&c->connect_ctx);
1884 c->type = SSH_CHANNEL_OPEN;
1886 /* no message necessary */
1888 if ((r = sshpkt_start(ssh,
1889 SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
1890 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1891 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
1892 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1893 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0 ||
1894 (r = sshpkt_send(ssh)) != 0)
1895 fatal_fr(r, "channel %i open confirm", c->self);
1898 debug("channel %d: connection failed: %s",
1899 c->self, strerror(err));
1900 /* Try next address, if any */
1901 if ((sock = connect_next(&c->connect_ctx)) > 0) {
1903 c->sock = c->rfd = c->wfd = sock;
1906 /* Exhausted all addresses */
1907 error("connect_to %.100s port %d: failed.",
1908 c->connect_ctx.host, c->connect_ctx.port);
1909 channel_connect_ctx_free(&c->connect_ctx);
1911 rdynamic_close(ssh, c);
1913 if ((r = sshpkt_start(ssh,
1914 SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
1915 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1916 (r = sshpkt_put_u32(ssh,
1917 SSH2_OPEN_CONNECT_FAILED)) != 0 ||
1918 (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
1919 (r = sshpkt_put_cstring(ssh, "")) != 0 ||
1920 (r = sshpkt_send(ssh)) != 0)
1921 fatal_fr(r, "channel %i: failure", c->self);
1922 chan_mark_dead(ssh, c);
1928 channel_handle_rfd(struct ssh *ssh, Channel *c)
1930 char buf[CHAN_RBUF];
1933 size_t have, avail, maxlen = CHANNEL_MAX_READ;
1934 int pty_zeroread = 0;
1937 /* Bug on AIX: read(1) can return 0 for a non-closed fd */
1938 pty_zeroread = c->isatty;
1941 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
1943 if (!force && (c->io_ready & SSH_CHAN_IO_RFD) == 0)
1945 if ((avail = sshbuf_avail(c->input)) == 0)
1946 return 1; /* Shouldn't happen */
1949 * For "simple" channels (i.e. not datagram or filtered), we can
1950 * read directly to the channel buffer.
1952 if (!pty_zeroread && c->input_filter == NULL && !c->datagram) {
1953 /* Only OPEN channels have valid rwin */
1954 if (c->type == SSH_CHANNEL_OPEN) {
1955 if ((have = sshbuf_len(c->input)) >= c->remote_window)
1956 return 1; /* shouldn't happen */
1957 if (maxlen > c->remote_window - have)
1958 maxlen = c->remote_window - have;
1962 if ((r = sshbuf_read(c->rfd, c->input, maxlen, NULL)) != 0) {
1963 if (errno == EINTR || (!force &&
1964 (errno == EAGAIN || errno == EWOULDBLOCK)))
1966 debug2("channel %d: read failed rfd %d maxlen %zu: %s",
1967 c->self, c->rfd, maxlen, ssh_err(r));
1974 len = read(c->rfd, buf, sizeof(buf));
1975 /* fixup AIX zero-length read with errno set to look more like errors */
1976 if (pty_zeroread && len == 0 && errno != 0)
1978 if (len == -1 && (errno == EINTR ||
1979 ((errno == EAGAIN || errno == EWOULDBLOCK) && !force)))
1981 if (len < 0 || (!pty_zeroread && len == 0)) {
1982 debug2("channel %d: read<=0 rfd %d len %zd: %s",
1983 c->self, c->rfd, len,
1984 len == 0 ? "closed" : strerror(errno));
1986 if (c->type != SSH_CHANNEL_OPEN) {
1987 debug2("channel %d: not open", c->self);
1988 chan_mark_dead(ssh, c);
1991 chan_read_failed(ssh, c);
1995 if (c->input_filter != NULL) {
1996 if (c->input_filter(ssh, c, buf, len) == -1) {
1997 debug2("channel %d: filter stops", c->self);
1998 chan_read_failed(ssh, c);
2000 } else if (c->datagram) {
2001 if ((r = sshbuf_put_string(c->input, buf, len)) != 0)
2002 fatal_fr(r, "channel %i: put datagram", c->self);
2003 } else if ((r = sshbuf_put(c->input, buf, len)) != 0)
2004 fatal_fr(r, "channel %i: put data", c->self);
2010 channel_handle_wfd(struct ssh *ssh, Channel *c)
2013 u_char *data = NULL, *buf; /* XXX const; need filter API change */
2014 size_t dlen, olen = 0;
2017 if ((c->io_ready & SSH_CHAN_IO_WFD) == 0)
2019 if (sshbuf_len(c->output) == 0)
2022 /* Send buffered output data to the socket. */
2023 olen = sshbuf_len(c->output);
2024 if (c->output_filter != NULL) {
2025 if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) {
2026 debug2("channel %d: filter stops", c->self);
2027 if (c->type != SSH_CHANNEL_OPEN)
2028 chan_mark_dead(ssh, c);
2030 chan_write_failed(ssh, c);
2033 } else if (c->datagram) {
2034 if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0)
2035 fatal_fr(r, "channel %i: get datagram", c->self);
2038 buf = data = sshbuf_mutable_ptr(c->output);
2039 dlen = sshbuf_len(c->output);
2043 /* ignore truncated writes, datagrams might get lost */
2044 len = write(c->wfd, buf, dlen);
2046 if (len == -1 && (errno == EINTR || errno == EAGAIN ||
2047 errno == EWOULDBLOCK))
2055 /* XXX: Later AIX versions can't push as much data to tty */
2057 dlen = MINIMUM(dlen, 8*1024);
2060 len = write(c->wfd, buf, dlen);
2062 (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK))
2066 if (c->type != SSH_CHANNEL_OPEN) {
2067 debug2("channel %d: not open", c->self);
2068 chan_mark_dead(ssh, c);
2071 chan_write_failed(ssh, c);
2075 #ifndef BROKEN_TCGETATTR_ICANON
2076 if (c->isatty && dlen >= 1 && buf[0] != '\r') {
2077 if (tcgetattr(c->wfd, &tio) == 0 &&
2078 !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
2080 * Simulate echo to reduce the impact of
2081 * traffic analysis. We need to match the
2082 * size of a SSH2_MSG_CHANNEL_DATA message
2083 * (4 byte channel id + buf)
2085 if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 ||
2086 (r = sshpkt_send(ssh)) != 0)
2087 fatal_fr(r, "channel %i: ignore", c->self);
2090 #endif /* BROKEN_TCGETATTR_ICANON */
2091 if ((r = sshbuf_consume(c->output, len)) != 0)
2092 fatal_fr(r, "channel %i: consume", c->self);
2094 c->local_consumed += olen - sshbuf_len(c->output);
2100 channel_handle_efd_write(struct ssh *ssh, Channel *c)
2105 if ((c->io_ready & SSH_CHAN_IO_EFD_W) == 0)
2107 if (sshbuf_len(c->extended) == 0)
2110 len = write(c->efd, sshbuf_ptr(c->extended),
2111 sshbuf_len(c->extended));
2112 debug2("channel %d: written %zd to efd %d", c->self, len, c->efd);
2113 if (len == -1 && (errno == EINTR || errno == EAGAIN ||
2114 errno == EWOULDBLOCK))
2117 debug2("channel %d: closing write-efd %d", c->self, c->efd);
2118 channel_close_fd(ssh, c, &c->efd);
2120 if ((r = sshbuf_consume(c->extended, len)) != 0)
2121 fatal_fr(r, "channel %i: consume", c->self);
2122 c->local_consumed += len;
2128 channel_handle_efd_read(struct ssh *ssh, Channel *c)
2130 char buf[CHAN_RBUF];
2134 force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
2136 if (!force && (c->io_ready & SSH_CHAN_IO_EFD_R) == 0)
2139 len = read(c->efd, buf, sizeof(buf));
2140 debug2("channel %d: read %zd from efd %d", c->self, len, c->efd);
2141 if (len == -1 && (errno == EINTR || ((errno == EAGAIN ||
2142 errno == EWOULDBLOCK) && !force)))
2145 debug2("channel %d: closing read-efd %d", c->self, c->efd);
2146 channel_close_fd(ssh, c, &c->efd);
2147 } else if (c->extended_usage == CHAN_EXTENDED_IGNORE)
2148 debug3("channel %d: discard efd", c->self);
2149 else if ((r = sshbuf_put(c->extended, buf, len)) != 0)
2150 fatal_fr(r, "channel %i: append", c->self);
2155 channel_handle_efd(struct ssh *ssh, Channel *c)
2160 /** XXX handle drain efd, too */
2162 if (c->extended_usage == CHAN_EXTENDED_WRITE)
2163 return channel_handle_efd_write(ssh, c);
2164 else if (c->extended_usage == CHAN_EXTENDED_READ ||
2165 c->extended_usage == CHAN_EXTENDED_IGNORE)
2166 return channel_handle_efd_read(ssh, c);
2172 channel_check_window(struct ssh *ssh, Channel *c)
2176 if (c->type == SSH_CHANNEL_OPEN &&
2177 !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
2178 ((c->local_window_max - c->local_window >
2179 c->local_maxpacket*3) ||
2180 c->local_window < c->local_window_max/2) &&
2181 c->local_consumed > 0) {
2182 if (!c->have_remote_id)
2183 fatal_f("channel %d: no remote id", c->self);
2184 if ((r = sshpkt_start(ssh,
2185 SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
2186 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2187 (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
2188 (r = sshpkt_send(ssh)) != 0) {
2189 fatal_fr(r, "channel %i", c->self);
2191 debug2("channel %d: window %d sent adjust %d", c->self,
2192 c->local_window, c->local_consumed);
2193 c->local_window += c->local_consumed;
2194 c->local_consumed = 0;
2200 channel_post_open(struct ssh *ssh, Channel *c)
2202 channel_handle_rfd(ssh, c);
2203 channel_handle_wfd(ssh, c);
2204 channel_handle_efd(ssh, c);
2205 channel_check_window(ssh, c);
2209 read_mux(struct ssh *ssh, Channel *c, u_int need)
2211 char buf[CHAN_RBUF];
2216 if (sshbuf_len(c->input) < need) {
2217 rlen = need - sshbuf_len(c->input);
2218 len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF));
2219 if (len == -1 && (errno == EINTR || errno == EAGAIN))
2220 return sshbuf_len(c->input);
2222 debug2("channel %d: ctl read<=0 rfd %d len %zd",
2223 c->self, c->rfd, len);
2224 chan_read_failed(ssh, c);
2226 } else if ((r = sshbuf_put(c->input, buf, len)) != 0)
2227 fatal_fr(r, "channel %i: append", c->self);
2229 return sshbuf_len(c->input);
2233 channel_post_mux_client_read(struct ssh *ssh, Channel *c)
2237 if ((c->io_ready & SSH_CHAN_IO_RFD) == 0)
2239 if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN)
2245 * Don't not read past the precise end of packets to
2246 * avoid disrupting fd passing.
2248 if (read_mux(ssh, c, 4) < 4) /* read header */
2250 /* XXX sshbuf_peek_u32 */
2251 need = PEEK_U32(sshbuf_ptr(c->input));
2252 #define CHANNEL_MUX_MAX_PACKET (256 * 1024)
2253 if (need > CHANNEL_MUX_MAX_PACKET) {
2254 debug2("channel %d: packet too big %u > %u",
2255 c->self, CHANNEL_MUX_MAX_PACKET, need);
2256 chan_rcvd_oclose(ssh, c);
2259 if (read_mux(ssh, c, need + 4) < need + 4) /* read body */
2261 if (c->mux_rcb(ssh, c) != 0) {
2262 debug("channel %d: mux_rcb failed", c->self);
2263 chan_mark_dead(ssh, c);
2269 channel_post_mux_client_write(struct ssh *ssh, Channel *c)
2274 if ((c->io_ready & SSH_CHAN_IO_WFD) == 0)
2276 if (sshbuf_len(c->output) == 0)
2279 len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output));
2280 if (len == -1 && (errno == EINTR || errno == EAGAIN))
2283 chan_mark_dead(ssh, c);
2286 if ((r = sshbuf_consume(c->output, len)) != 0)
2287 fatal_fr(r, "channel %i: consume", c->self);
2291 channel_post_mux_client(struct ssh *ssh, Channel *c)
2293 channel_post_mux_client_read(ssh, c);
2294 channel_post_mux_client_write(ssh, c);
2298 channel_post_mux_listener(struct ssh *ssh, Channel *c)
2301 struct sockaddr_storage addr;
2307 if ((c->io_ready & SSH_CHAN_IO_SOCK_R) == 0)
2310 debug("multiplexing control connection");
2313 * Accept connection on control socket
2315 memset(&addr, 0, sizeof(addr));
2316 addrlen = sizeof(addr);
2317 if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
2319 error_f("accept: %s", strerror(errno));
2320 if (errno == EMFILE || errno == ENFILE)
2321 c->notbefore = monotime() + 1;
2325 if (getpeereid(newsock, &euid, &egid) == -1) {
2326 error_f("getpeereid failed: %s", strerror(errno));
2330 if ((euid != 0) && (getuid() != euid)) {
2331 error("multiplex uid mismatch: peer euid %u != uid %u",
2332 (u_int)euid, (u_int)getuid());
2336 nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT,
2337 newsock, newsock, -1, c->local_window_max,
2338 c->local_maxpacket, 0, "mux-control", 1);
2339 nc->mux_rcb = c->mux_rcb;
2340 debug3_f("new mux channel %d fd %d", nc->self, nc->sock);
2341 /* establish state */
2342 nc->mux_rcb(ssh, nc);
2343 /* mux state transitions must not elicit protocol messages */
2344 nc->flags |= CHAN_LOCAL;
2348 channel_handler_init(struct ssh_channels *sc)
2350 chan_fn **pre, **post;
2352 if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL ||
2353 (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL)
2354 fatal_f("allocation failed");
2356 pre[SSH_CHANNEL_OPEN] = &channel_pre_open;
2357 pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open;
2358 pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener;
2359 pre[SSH_CHANNEL_RPORT_LISTENER] = &channel_pre_listener;
2360 pre[SSH_CHANNEL_UNIX_LISTENER] = &channel_pre_listener;
2361 pre[SSH_CHANNEL_RUNIX_LISTENER] = &channel_pre_listener;
2362 pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener;
2363 pre[SSH_CHANNEL_AUTH_SOCKET] = &channel_pre_listener;
2364 pre[SSH_CHANNEL_CONNECTING] = &channel_pre_connecting;
2365 pre[SSH_CHANNEL_DYNAMIC] = &channel_pre_dynamic;
2366 pre[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_pre_connecting;
2367 pre[SSH_CHANNEL_MUX_LISTENER] = &channel_pre_listener;
2368 pre[SSH_CHANNEL_MUX_CLIENT] = &channel_pre_mux_client;
2370 post[SSH_CHANNEL_OPEN] = &channel_post_open;
2371 post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener;
2372 post[SSH_CHANNEL_RPORT_LISTENER] = &channel_post_port_listener;
2373 post[SSH_CHANNEL_UNIX_LISTENER] = &channel_post_port_listener;
2374 post[SSH_CHANNEL_RUNIX_LISTENER] = &channel_post_port_listener;
2375 post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener;
2376 post[SSH_CHANNEL_AUTH_SOCKET] = &channel_post_auth_listener;
2377 post[SSH_CHANNEL_CONNECTING] = &channel_post_connecting;
2378 post[SSH_CHANNEL_DYNAMIC] = &channel_post_open;
2379 post[SSH_CHANNEL_RDYNAMIC_FINISH] = &channel_post_connecting;
2380 post[SSH_CHANNEL_MUX_LISTENER] = &channel_post_mux_listener;
2381 post[SSH_CHANNEL_MUX_CLIENT] = &channel_post_mux_client;
2383 sc->channel_pre = pre;
2384 sc->channel_post = post;
2387 /* gc dead channels */
2389 channel_garbage_collect(struct ssh *ssh, Channel *c)
2393 if (c->detach_user != NULL) {
2394 if (!chan_is_dead(ssh, c, c->detach_close))
2397 debug2("channel %d: gc: notify user", c->self);
2398 c->detach_user(ssh, c->self, NULL);
2399 /* if we still have a callback */
2400 if (c->detach_user != NULL)
2402 debug2("channel %d: gc: user detached", c->self);
2404 if (!chan_is_dead(ssh, c, 1))
2406 debug2("channel %d: garbage collecting", c->self);
2407 channel_free(ssh, c);
2410 enum channel_table { CHAN_PRE, CHAN_POST };
2413 channel_handler(struct ssh *ssh, int table, time_t *unpause_secs)
2415 struct ssh_channels *sc = ssh->chanctxt;
2416 chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post;
2422 if (unpause_secs != NULL)
2424 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2425 c = sc->channels[i];
2428 /* Try to keep IO going while rekeying */
2429 if (ssh_packet_is_rekeying(ssh) && c->type != SSH_CHANNEL_OPEN)
2432 if (table == CHAN_PRE)
2437 if (ftab[c->type] != NULL) {
2439 * Run handlers that are not paused.
2441 if (c->notbefore <= now)
2442 (*ftab[c->type])(ssh, c);
2443 else if (unpause_secs != NULL) {
2445 * Collect the time that the earliest
2446 * channel comes off pause.
2448 debug3_f("chan %d: skip for %d more "
2450 (int)(c->notbefore - now));
2451 if (*unpause_secs == 0 ||
2452 (c->notbefore - now) < *unpause_secs)
2453 *unpause_secs = c->notbefore - now;
2456 channel_garbage_collect(ssh, c);
2458 if (unpause_secs != NULL && *unpause_secs != 0)
2459 debug3_f("first channel unpauses in %d seconds",
2460 (int)*unpause_secs);
2464 * Create sockets before preparing IO.
2465 * This is necessary for things that need to happen after reading
2466 * the network-input but need to be completed before IO event setup, e.g.
2467 * because they may create new channels.
2470 channel_before_prepare_io(struct ssh *ssh)
2472 struct ssh_channels *sc = ssh->chanctxt;
2476 for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2477 c = sc->channels[i];
2480 if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN)
2481 channel_before_prepare_io_rdynamic(ssh, c);
2486 dump_channel_poll(const char *func, const char *what, Channel *c,
2487 u_int pollfd_offset, struct pollfd *pfd)
2489 #ifdef DEBUG_CHANNEL_POLL
2490 debug3("%s: channel %d: %s r%d w%d e%d s%d c->pfds [ %d %d %d %d ] "
2491 "io_want 0x%02x io_ready 0x%02x pfd[%u].fd=%d "
2492 "pfd.ev 0x%02x pfd.rev 0x%02x", func, c->self, what,
2493 c->rfd, c->wfd, c->efd, c->sock,
2494 c->pfds[0], c->pfds[1], c->pfds[2], c->pfds[3],
2495 c->io_want, c->io_ready,
2496 pollfd_offset, pfd->fd, pfd->events, pfd->revents);
2500 /* Prepare pollfd entries for a single channel */
2502 channel_prepare_pollfd(Channel *c, u_int *next_pollfd,
2503 struct pollfd *pfd, u_int npfd)
2505 u_int ev, p = *next_pollfd;
2510 /* Shouldn't happen */
2511 fatal_f("channel %d: bad pfd offset %u (max %u)",
2514 c->pfds[0] = c->pfds[1] = c->pfds[2] = c->pfds[3] = -1;
2518 * This is a special case, since c->rfd might be the same as
2519 * c->wfd, c->efd and/or c->sock. Handle those here if they want
2524 if ((c->io_want & SSH_CHAN_IO_RFD) != 0)
2527 if (c->wfd == c->rfd) {
2528 if ((c->io_want & SSH_CHAN_IO_WFD) != 0)
2532 if (c->efd == c->rfd) {
2533 if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
2535 if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
2539 if (c->sock == c->rfd) {
2540 if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
2542 if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
2545 /* Pack a pfd entry if any event armed for this fd */
2550 dump_channel_poll(__func__, "rfd", c, p, &pfd[p]);
2554 /* prepare c->wfd if wanting IO and not already handled above */
2555 if (c->wfd != -1 && c->rfd != c->wfd) {
2557 if ((c->io_want & SSH_CHAN_IO_WFD))
2559 /* Pack a pfd entry if any event armed for this fd */
2564 dump_channel_poll(__func__, "wfd", c, p, &pfd[p]);
2568 /* prepare c->efd if wanting IO and not already handled above */
2569 if (c->efd != -1 && c->rfd != c->efd) {
2571 if ((c->io_want & SSH_CHAN_IO_EFD_R) != 0)
2573 if ((c->io_want & SSH_CHAN_IO_EFD_W) != 0)
2575 /* Pack a pfd entry if any event armed for this fd */
2580 dump_channel_poll(__func__, "efd", c, p, &pfd[p]);
2584 /* prepare c->sock if wanting IO and not already handled above */
2585 if (c->sock != -1 && c->rfd != c->sock) {
2587 if ((c->io_want & SSH_CHAN_IO_SOCK_R) != 0)
2589 if ((c->io_want & SSH_CHAN_IO_SOCK_W) != 0)
2591 /* Pack a pfd entry if any event armed for this fd */
2594 pfd[p].fd = c->sock;
2596 dump_channel_poll(__func__, "sock", c, p, &pfd[p]);
2603 /* * Allocate/prepare poll structure */
2605 channel_prepare_poll(struct ssh *ssh, struct pollfd **pfdp, u_int *npfd_allocp,
2606 u_int *npfd_activep, u_int npfd_reserved, time_t *minwait_secs)
2608 struct ssh_channels *sc = ssh->chanctxt;
2609 u_int i, oalloc, p, npfd = npfd_reserved;
2611 channel_before_prepare_io(ssh); /* might create a new channel */
2612 /* clear out I/O flags from last poll */
2613 for (i = 0; i < sc->channels_alloc; i++) {
2614 if (sc->channels[i] == NULL)
2616 sc->channels[i]->io_want = sc->channels[i]->io_ready = 0;
2618 /* Allocate 4x pollfd for each channel (rfd, wfd, efd, sock) */
2619 if (sc->channels_alloc >= (INT_MAX / 4) - npfd_reserved)
2620 fatal_f("too many channels"); /* shouldn't happen */
2621 npfd += sc->channels_alloc * 4;
2622 if (npfd > *npfd_allocp) {
2623 *pfdp = xrecallocarray(*pfdp, *npfd_allocp,
2624 npfd, sizeof(**pfdp));
2625 *npfd_allocp = npfd;
2627 *npfd_activep = npfd_reserved;
2628 oalloc = sc->channels_alloc;
2630 channel_handler(ssh, CHAN_PRE, minwait_secs);
2632 if (oalloc != sc->channels_alloc) {
2633 /* shouldn't happen */
2634 fatal_f("channels_alloc changed during CHAN_PRE "
2635 "(was %u, now %u)", oalloc, sc->channels_alloc);
2638 /* Prepare pollfd */
2640 for (i = 0; i < sc->channels_alloc; i++)
2641 channel_prepare_pollfd(sc->channels[i], &p, *pfdp, npfd);
2646 fd_ready(Channel *c, int p, struct pollfd *pfds, u_int npfd, int fd,
2647 const char *what, u_int revents_mask, u_int ready)
2649 struct pollfd *pfd = &pfds[p];
2653 if (p == -1 || (u_int)p >= npfd)
2654 fatal_f("channel %d: bad pfd %d (max %u)", c->self, p, npfd);
2655 dump_channel_poll(__func__, what, c, p, pfd);
2656 if (pfd->fd != fd) {
2657 fatal("channel %d: inconsistent %s fd=%d pollfd[%u].fd %d "
2658 "r%d w%d e%d s%d", c->self, what, fd, p, pfd->fd,
2659 c->rfd, c->wfd, c->efd, c->sock);
2661 if ((pfd->revents & POLLNVAL) != 0) {
2662 fatal("channel %d: invalid %s pollfd[%u].fd %d r%d w%d e%d s%d",
2663 c->self, what, p, pfd->fd, c->rfd, c->wfd, c->efd, c->sock);
2665 if ((pfd->revents & (revents_mask|POLLHUP|POLLERR)) != 0)
2666 c->io_ready |= ready & c->io_want;
2670 * After poll, perform any appropriate operations for channels which have
2674 channel_after_poll(struct ssh *ssh, struct pollfd *pfd, u_int npfd)
2676 struct ssh_channels *sc = ssh->chanctxt;
2681 #ifdef DEBUG_CHANNEL_POLL
2682 for (p = 0; p < (int)npfd; p++) {
2683 if (pfd[p].revents == 0)
2685 debug_f("pfd[%u].fd %d rev 0x%04x",
2686 p, pfd[p].fd, pfd[p].revents);
2690 /* Convert pollfd into c->io_ready */
2691 for (i = 0; i < sc->channels_alloc; i++) {
2692 c = sc->channels[i];
2695 /* if rfd is shared with efd/sock then wfd should be too */
2696 if (c->rfd != -1 && c->wfd != -1 && c->rfd != c->wfd &&
2697 (c->rfd == c->efd || c->rfd == c->sock)) {
2698 /* Shouldn't happen */
2699 fatal_f("channel %d: unexpected fds r%d w%d e%d s%d",
2700 c->self, c->rfd, c->wfd, c->efd, c->sock);
2703 /* rfd, potentially shared with wfd, efd and sock */
2704 if (c->rfd != -1 && (p = c->pfds[0]) != -1) {
2705 fd_ready(c, p, pfd, npfd, c->rfd,
2706 "rfd", POLLIN, SSH_CHAN_IO_RFD);
2707 if (c->rfd == c->wfd) {
2708 fd_ready(c, p, pfd, npfd, c->wfd,
2709 "wfd/r", POLLOUT, SSH_CHAN_IO_WFD);
2711 if (c->rfd == c->efd) {
2712 fd_ready(c, p, pfd, npfd, c->efd,
2713 "efdr/r", POLLIN, SSH_CHAN_IO_EFD_R);
2714 fd_ready(c, p, pfd, npfd, c->efd,
2715 "efdw/r", POLLOUT, SSH_CHAN_IO_EFD_W);
2717 if (c->rfd == c->sock) {
2718 fd_ready(c, p, pfd, npfd, c->sock,
2719 "sockr/r", POLLIN, SSH_CHAN_IO_SOCK_R);
2720 fd_ready(c, p, pfd, npfd, c->sock,
2721 "sockw/r", POLLOUT, SSH_CHAN_IO_SOCK_W);
2723 dump_channel_poll(__func__, "rfd", c, p, pfd);
2726 if (c->wfd != -1 && c->wfd != c->rfd &&
2727 (p = c->pfds[1]) != -1) {
2728 fd_ready(c, p, pfd, npfd, c->wfd,
2729 "wfd", POLLOUT, SSH_CHAN_IO_WFD);
2730 dump_channel_poll(__func__, "wfd", c, p, pfd);
2733 if (c->efd != -1 && c->efd != c->rfd &&
2734 (p = c->pfds[2]) != -1) {
2735 fd_ready(c, p, pfd, npfd, c->efd,
2736 "efdr", POLLIN, SSH_CHAN_IO_EFD_R);
2737 fd_ready(c, p, pfd, npfd, c->efd,
2738 "efdw", POLLOUT, SSH_CHAN_IO_EFD_W);
2739 dump_channel_poll(__func__, "efd", c, p, pfd);
2742 if (c->sock != -1 && c->sock != c->rfd &&
2743 (p = c->pfds[3]) != -1) {
2744 fd_ready(c, p, pfd, npfd, c->sock,
2745 "sockr", POLLIN, SSH_CHAN_IO_SOCK_R);
2746 fd_ready(c, p, pfd, npfd, c->sock,
2747 "sockw", POLLOUT, SSH_CHAN_IO_SOCK_W);
2748 dump_channel_poll(__func__, "sock", c, p, pfd);
2751 channel_handler(ssh, CHAN_POST, NULL);
2755 * Enqueue data for channels with open or draining c->input.
2758 channel_output_poll_input_open(struct ssh *ssh, Channel *c)
2764 if ((len = sshbuf_len(c->input)) == 0) {
2765 if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
2767 * input-buffer is empty and read-socket shutdown:
2768 * tell peer, that we will not send more data:
2770 * hack for extended data: delay EOF if EFD still
2773 if (CHANNEL_EFD_INPUT_ACTIVE(c))
2774 debug2("channel %d: "
2775 "ibuf_empty delayed efd %d/(%zu)",
2776 c->self, c->efd, sshbuf_len(c->extended));
2778 chan_ibuf_empty(ssh, c);
2783 if (!c->have_remote_id)
2784 fatal_f("channel %d: no remote id", c->self);
2787 /* Check datagram will fit; drop if not */
2788 if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0)
2789 fatal_fr(r, "channel %i: get datagram", c->self);
2791 * XXX this does tail-drop on the datagram queue which is
2792 * usually suboptimal compared to head-drop. Better to have
2793 * backpressure at read time? (i.e. read + discard)
2795 if (plen > c->remote_window || plen > c->remote_maxpacket) {
2796 debug("channel %d: datagram too big", c->self);
2800 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2801 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2802 (r = sshpkt_put_string(ssh, pkt, plen)) != 0 ||
2803 (r = sshpkt_send(ssh)) != 0)
2804 fatal_fr(r, "channel %i: send datagram", c->self);
2805 c->remote_window -= plen;
2809 /* Enqueue packet for buffered data. */
2810 if (len > c->remote_window)
2811 len = c->remote_window;
2812 if (len > c->remote_maxpacket)
2813 len = c->remote_maxpacket;
2816 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2817 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2818 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 ||
2819 (r = sshpkt_send(ssh)) != 0)
2820 fatal_fr(r, "channel %i: send data", c->self);
2821 if ((r = sshbuf_consume(c->input, len)) != 0)
2822 fatal_fr(r, "channel %i: consume", c->self);
2823 c->remote_window -= len;
2827 * Enqueue data for channels with open c->extended in read mode.
2830 channel_output_poll_extended_read(struct ssh *ssh, Channel *c)
2835 if ((len = sshbuf_len(c->extended)) == 0)
2838 debug2("channel %d: rwin %u elen %zu euse %d", c->self,
2839 c->remote_window, sshbuf_len(c->extended), c->extended_usage);
2840 if (len > c->remote_window)
2841 len = c->remote_window;
2842 if (len > c->remote_maxpacket)
2843 len = c->remote_maxpacket;
2846 if (!c->have_remote_id)
2847 fatal_f("channel %d: no remote id", c->self);
2848 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 ||
2849 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2850 (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 ||
2851 (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 ||
2852 (r = sshpkt_send(ssh)) != 0)
2853 fatal_fr(r, "channel %i: data", c->self);
2854 if ((r = sshbuf_consume(c->extended, len)) != 0)
2855 fatal_fr(r, "channel %i: consume", c->self);
2856 c->remote_window -= len;
2857 debug2("channel %d: sent ext data %zu", c->self, len);
2860 /* If there is data to send to the connection, enqueue some of it now. */
2862 channel_output_poll(struct ssh *ssh)
2864 struct ssh_channels *sc = ssh->chanctxt;
2868 for (i = 0; i < sc->channels_alloc; i++) {
2869 c = sc->channels[i];
2874 * We are only interested in channels that can have buffered
2877 if (c->type != SSH_CHANNEL_OPEN)
2879 if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
2880 /* XXX is this true? */
2881 debug3("channel %d: will not send data after close",
2886 /* Get the amount of buffered data for this channel. */
2887 if (c->istate == CHAN_INPUT_OPEN ||
2888 c->istate == CHAN_INPUT_WAIT_DRAIN)
2889 channel_output_poll_input_open(ssh, c);
2890 /* Send extended data, i.e. stderr */
2891 if (!(c->flags & CHAN_EOF_SENT) &&
2892 c->extended_usage == CHAN_EXTENDED_READ)
2893 channel_output_poll_extended_read(ssh, c);
2897 /* -- mux proxy support */
2900 * When multiplexing channel messages for mux clients we have to deal
2901 * with downstream messages from the mux client and upstream messages
2902 * from the ssh server:
2903 * 1) Handling downstream messages is straightforward and happens
2904 * in channel_proxy_downstream():
2905 * - We forward all messages (mostly) unmodified to the server.
2906 * - However, in order to route messages from upstream to the correct
2907 * downstream client, we have to replace the channel IDs used by the
2908 * mux clients with a unique channel ID because the mux clients might
2909 * use conflicting channel IDs.
2910 * - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
2911 * SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
2912 * SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
2913 * with the newly allocated channel ID.
2914 * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
2915 * channels and processed by channel_proxy_upstream(). The local channel ID
2916 * is then translated back to the original mux client ID.
2917 * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
2918 * messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
2919 * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
2920 * downstream mux client are removed.
2921 * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
2922 * requires more work, because they are not addressed to a specific
2923 * channel. E.g. client_request_forwarded_tcpip() needs to figure
2924 * out whether the request is addressed to the local client or a
2925 * specific downstream client based on the listen-address/port.
2926 * 6) Agent and X11-Forwarding have a similar problem and are currently
2927 * not supported as the matching session/channel cannot be identified
2932 * receive packets from downstream mux clients:
2933 * channel callback fired on read from mux client, creates
2934 * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
2935 * on channel creation.
2938 channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
2941 struct sshbuf *original = NULL, *modified = NULL;
2943 char *ctype = NULL, *listen_host = NULL;
2947 u_int id, remote_id, listen_port;
2949 /* sshbuf_dump(downstream->input, stderr); */
2950 if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have))
2952 error_fr(r, "parse");
2956 error_f("short message");
2960 /* skip padlen + type */
2963 if (ssh_packet_log_type(type))
2964 debug3_f("channel %u: down->up: type %u",
2965 downstream->self, type);
2968 case SSH2_MSG_CHANNEL_OPEN:
2969 if ((original = sshbuf_from(cp, have)) == NULL ||
2970 (modified = sshbuf_new()) == NULL) {
2974 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 ||
2975 (r = sshbuf_get_u32(original, &id)) != 0) {
2976 error_fr(r, "parse");
2979 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
2980 -1, -1, -1, 0, 0, 0, ctype, 1);
2981 c->mux_ctx = downstream; /* point to mux client */
2982 c->mux_downstream_id = id; /* original downstream id */
2983 if ((r = sshbuf_put_cstring(modified, ctype)) != 0 ||
2984 (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2985 (r = sshbuf_putb(modified, original)) != 0) {
2986 error_fr(r, "compose");
2987 channel_free(ssh, c);
2991 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2993 * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
2994 * need to parse 'remote_id' instead of 'ctype'.
2996 if ((original = sshbuf_from(cp, have)) == NULL ||
2997 (modified = sshbuf_new()) == NULL) {
3001 if ((r = sshbuf_get_u32(original, &remote_id)) != 0 ||
3002 (r = sshbuf_get_u32(original, &id)) != 0) {
3003 error_fr(r, "parse");
3006 c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
3007 -1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
3008 c->mux_ctx = downstream; /* point to mux client */
3009 c->mux_downstream_id = id;
3010 c->remote_id = remote_id;
3011 c->have_remote_id = 1;
3012 if ((r = sshbuf_put_u32(modified, remote_id)) != 0 ||
3013 (r = sshbuf_put_u32(modified, c->self)) != 0 ||
3014 (r = sshbuf_putb(modified, original)) != 0) {
3015 error_fr(r, "compose");
3016 channel_free(ssh, c);
3020 case SSH2_MSG_GLOBAL_REQUEST:
3021 if ((original = sshbuf_from(cp, have)) == NULL) {
3025 if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) {
3026 error_fr(r, "parse");
3029 if (strcmp(ctype, "tcpip-forward") != 0) {
3030 error_f("unsupported request %s", ctype);
3033 if ((r = sshbuf_get_u8(original, NULL)) != 0 ||
3034 (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 ||
3035 (r = sshbuf_get_u32(original, &listen_port)) != 0) {
3036 error_fr(r, "parse");
3039 if (listen_port > 65535) {
3040 error_f("tcpip-forward for %s: bad port %u",
3041 listen_host, listen_port);
3044 /* Record that connection to this host/port is permitted. */
3045 permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
3046 listen_host, NULL, (int)listen_port, downstream);
3049 case SSH2_MSG_CHANNEL_CLOSE:
3052 remote_id = PEEK_U32(cp);
3053 if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) {
3054 if (c->flags & CHAN_CLOSE_RCVD)
3055 channel_free(ssh, c);
3057 c->flags |= CHAN_CLOSE_SENT;
3062 if ((r = sshpkt_start(ssh, type)) != 0 ||
3063 (r = sshpkt_putb(ssh, modified)) != 0 ||
3064 (r = sshpkt_send(ssh)) != 0) {
3065 error_fr(r, "send");
3069 if ((r = sshpkt_start(ssh, type)) != 0 ||
3070 (r = sshpkt_put(ssh, cp, have)) != 0 ||
3071 (r = sshpkt_send(ssh)) != 0) {
3072 error_fr(r, "send");
3080 sshbuf_free(original);
3081 sshbuf_free(modified);
3086 * receive packets from upstream server and de-multiplex packets
3087 * to correct downstream:
3088 * implemented as a helper for channel input handlers,
3089 * replaces local (proxy) channel ID with downstream channel ID.
3092 channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh)
3094 struct sshbuf *b = NULL;
3095 Channel *downstream;
3096 const u_char *cp = NULL;
3101 * When receiving packets from the peer we need to check whether we
3102 * need to forward the packets to the mux client. In this case we
3103 * restore the original channel id and keep track of CLOSE messages,
3104 * so we can cleanup the channel.
3106 if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY)
3108 if ((downstream = c->mux_ctx) == NULL)
3111 case SSH2_MSG_CHANNEL_CLOSE:
3112 case SSH2_MSG_CHANNEL_DATA:
3113 case SSH2_MSG_CHANNEL_EOF:
3114 case SSH2_MSG_CHANNEL_EXTENDED_DATA:
3115 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
3116 case SSH2_MSG_CHANNEL_OPEN_FAILURE:
3117 case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
3118 case SSH2_MSG_CHANNEL_SUCCESS:
3119 case SSH2_MSG_CHANNEL_FAILURE:
3120 case SSH2_MSG_CHANNEL_REQUEST:
3123 debug2_f("channel %u: unsupported type %u", c->self, type);
3126 if ((b = sshbuf_new()) == NULL) {
3127 error_f("alloc reply");
3130 /* get remaining payload (after id) */
3131 cp = sshpkt_ptr(ssh, &len);
3133 error_f("no packet");
3136 /* translate id and send to muxclient */
3137 if ((r = sshbuf_put_u8(b, 0)) != 0 || /* padlen */
3138 (r = sshbuf_put_u8(b, type)) != 0 ||
3139 (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 ||
3140 (r = sshbuf_put(b, cp, len)) != 0 ||
3141 (r = sshbuf_put_stringb(downstream->output, b)) != 0) {
3142 error_fr(r, "compose muxclient");
3145 /* sshbuf_dump(b, stderr); */
3146 if (ssh_packet_log_type(type))
3147 debug3_f("channel %u: up->down: type %u", c->self, type);
3151 case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
3152 /* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
3153 if (cp && len > 4) {
3154 c->remote_id = PEEK_U32(cp);
3155 c->have_remote_id = 1;
3158 case SSH2_MSG_CHANNEL_CLOSE:
3159 if (c->flags & CHAN_CLOSE_SENT)
3160 channel_free(ssh, c);
3162 c->flags |= CHAN_CLOSE_RCVD;
3169 /* -- protocol input */
3171 /* Parse a channel ID from the current packet */
3173 channel_parse_id(struct ssh *ssh, const char *where, const char *what)
3178 if ((r = sshpkt_get_u32(ssh, &id)) != 0) {
3179 error_r(r, "%s: parse id", where);
3180 ssh_packet_disconnect(ssh, "Invalid %s message", what);
3183 error_r(r, "%s: bad channel id %u", where, id);
3184 ssh_packet_disconnect(ssh, "Invalid %s channel id", what);
3189 /* Lookup a channel from an ID in the current packet */
3191 channel_from_packet_id(struct ssh *ssh, const char *where, const char *what)
3193 int id = channel_parse_id(ssh, where, what);
3196 if ((c = channel_lookup(ssh, id)) == NULL) {
3197 ssh_packet_disconnect(ssh,
3198 "%s packet referred to nonexistent channel %d", what, id);
3204 channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
3207 size_t data_len, win_len;
3208 Channel *c = channel_from_packet_id(ssh, __func__, "data");
3211 if (channel_proxy_upstream(c, type, seq, ssh))
3214 /* Ignore any data for non-open channels (might happen on close) */
3215 if (c->type != SSH_CHANNEL_OPEN &&
3216 c->type != SSH_CHANNEL_RDYNAMIC_OPEN &&
3217 c->type != SSH_CHANNEL_RDYNAMIC_FINISH &&
3218 c->type != SSH_CHANNEL_X11_OPEN)
3222 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
3223 (r = sshpkt_get_end(ssh)) != 0)
3224 fatal_fr(r, "channel %i: get data", c->self);
3228 win_len += 4; /* string length header */
3231 * The sending side reduces its window as it sends data, so we
3232 * must 'fake' consumption of the data in order to ensure that window
3233 * updates are sent back. Otherwise the connection might deadlock.
3235 if (c->ostate != CHAN_OUTPUT_OPEN) {
3236 c->local_window -= win_len;
3237 c->local_consumed += win_len;
3241 if (win_len > c->local_maxpacket) {
3242 logit("channel %d: rcvd big packet %zu, maxpack %u",
3243 c->self, win_len, c->local_maxpacket);
3246 if (win_len > c->local_window) {
3247 logit("channel %d: rcvd too much data %zu, win %u",
3248 c->self, win_len, c->local_window);
3251 c->local_window -= win_len;
3254 if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
3255 fatal_fr(r, "channel %i: append datagram", c->self);
3256 } else if ((r = sshbuf_put(c->output, data, data_len)) != 0)
3257 fatal_fr(r, "channel %i: append data", c->self);
3263 channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
3268 Channel *c = channel_from_packet_id(ssh, __func__, "extended data");
3271 if (channel_proxy_upstream(c, type, seq, ssh))
3273 if (c->type != SSH_CHANNEL_OPEN) {
3274 logit("channel %d: ext data for non open", c->self);
3277 if (c->flags & CHAN_EOF_RCVD) {
3278 if (ssh->compat & SSH_BUG_EXTEOF)
3279 debug("channel %d: accepting ext data after eof",
3282 ssh_packet_disconnect(ssh, "Received extended_data "
3283 "after EOF on channel %d.", c->self);
3286 if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) {
3287 error_fr(r, "parse tcode");
3288 ssh_packet_disconnect(ssh, "Invalid extended_data message");
3291 c->extended_usage != CHAN_EXTENDED_WRITE ||
3292 tcode != SSH2_EXTENDED_DATA_STDERR) {
3293 logit("channel %d: bad ext data", c->self);
3296 if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0 ||
3297 (r = sshpkt_get_end(ssh)) != 0) {
3298 error_fr(r, "parse data");
3299 ssh_packet_disconnect(ssh, "Invalid extended_data message");
3302 if (data_len > c->local_window) {
3303 logit("channel %d: rcvd too much extended_data %zu, win %u",
3304 c->self, data_len, c->local_window);
3307 debug2("channel %d: rcvd ext data %zu", c->self, data_len);
3308 /* XXX sshpkt_getb? */
3309 if ((r = sshbuf_put(c->extended, data, data_len)) != 0)
3310 error_fr(r, "append");
3311 c->local_window -= data_len;
3316 channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
3318 Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
3321 if ((r = sshpkt_get_end(ssh)) != 0) {
3322 error_fr(r, "parse data");
3323 ssh_packet_disconnect(ssh, "Invalid ieof message");
3326 if (channel_proxy_upstream(c, type, seq, ssh))
3328 chan_rcvd_ieof(ssh, c);
3330 /* XXX force input close */
3331 if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
3332 debug("channel %d: FORCE input drain", c->self);
3333 c->istate = CHAN_INPUT_WAIT_DRAIN;
3334 if (sshbuf_len(c->input) == 0)
3335 chan_ibuf_empty(ssh, c);
3341 channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
3343 Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
3346 if (channel_proxy_upstream(c, type, seq, ssh))
3348 if ((r = sshpkt_get_end(ssh)) != 0) {
3349 error_fr(r, "parse data");
3350 ssh_packet_disconnect(ssh, "Invalid oclose message");
3352 chan_rcvd_oclose(ssh, c);
3357 channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
3359 Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation");
3360 u_int32_t remote_window, remote_maxpacket;
3363 if (channel_proxy_upstream(c, type, seq, ssh))
3365 if (c->type != SSH_CHANNEL_OPENING)
3366 ssh_packet_disconnect(ssh, "Received open confirmation for "
3367 "non-opening channel %d.", c->self);
3369 * Record the remote channel number and mark that the channel
3372 if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 ||
3373 (r = sshpkt_get_u32(ssh, &remote_window)) != 0 ||
3374 (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0 ||
3375 (r = sshpkt_get_end(ssh)) != 0) {
3376 error_fr(r, "window/maxpacket");
3377 ssh_packet_disconnect(ssh, "Invalid open confirmation message");
3380 c->have_remote_id = 1;
3381 c->remote_window = remote_window;
3382 c->remote_maxpacket = remote_maxpacket;
3383 c->type = SSH_CHANNEL_OPEN;
3384 if (c->open_confirm) {
3385 debug2_f("channel %d: callback start", c->self);
3386 c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
3387 debug2_f("channel %d: callback done", c->self);
3389 debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
3390 c->remote_window, c->remote_maxpacket);
3395 reason2txt(int reason)
3398 case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
3399 return "administratively prohibited";
3400 case SSH2_OPEN_CONNECT_FAILED:
3401 return "connect failed";
3402 case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
3403 return "unknown channel type";
3404 case SSH2_OPEN_RESOURCE_SHORTAGE:
3405 return "resource shortage";
3407 return "unknown reason";
3411 channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
3413 Channel *c = channel_from_packet_id(ssh, __func__, "open failure");
3418 if (channel_proxy_upstream(c, type, seq, ssh))
3420 if (c->type != SSH_CHANNEL_OPENING)
3421 ssh_packet_disconnect(ssh, "Received open failure for "
3422 "non-opening channel %d.", c->self);
3423 if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
3424 error_fr(r, "parse reason");
3425 ssh_packet_disconnect(ssh, "Invalid open failure message");
3428 if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
3429 (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0 ||
3430 (r = sshpkt_get_end(ssh)) != 0) {
3431 error_fr(r, "parse msg/lang");
3432 ssh_packet_disconnect(ssh, "Invalid open failure message");
3434 logit("channel %d: open failed: %s%s%s", c->self,
3435 reason2txt(reason), msg ? ": ": "", msg ? msg : "");
3437 if (c->open_confirm) {
3438 debug2_f("channel %d: callback start", c->self);
3439 c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx);
3440 debug2_f("channel %d: callback done", c->self);
3442 /* Schedule the channel for cleanup/deletion. */
3443 chan_mark_dead(ssh, c);
3448 channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
3450 int id = channel_parse_id(ssh, __func__, "window adjust");
3456 if ((c = channel_lookup(ssh, id)) == NULL) {
3457 logit("Received window adjust for non-open channel %d.", id);
3461 if (channel_proxy_upstream(c, type, seq, ssh))
3463 if ((r = sshpkt_get_u32(ssh, &adjust)) != 0 ||
3464 (r = sshpkt_get_end(ssh)) != 0) {
3465 error_fr(r, "parse adjust");
3466 ssh_packet_disconnect(ssh, "Invalid window adjust message");
3468 debug2("channel %d: rcvd adjust %u", c->self, adjust);
3469 if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
3470 fatal("channel %d: adjust %u overflows remote window %u",
3471 c->self, adjust, c->remote_window);
3473 c->remote_window = new_rwin;
3478 channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
3480 int id = channel_parse_id(ssh, __func__, "status confirm");
3482 struct channel_confirm *cc;
3484 /* Reset keepalive timeout */
3485 ssh_packet_set_alive_timeouts(ssh, 0);
3487 debug2_f("type %d id %d", type, id);
3489 if ((c = channel_lookup(ssh, id)) == NULL) {
3490 logit_f("%d: unknown", id);
3493 if (channel_proxy_upstream(c, type, seq, ssh))
3495 if (sshpkt_get_end(ssh) != 0)
3496 ssh_packet_disconnect(ssh, "Invalid status confirm message");
3497 if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
3499 cc->cb(ssh, type, c, cc->ctx);
3500 TAILQ_REMOVE(&c->status_confirms, cc, entry);
3501 freezero(cc, sizeof(*cc));
3505 /* -- tcp forwarding */
3508 channel_set_af(struct ssh *ssh, int af)
3510 ssh->chanctxt->IPv4or6 = af;
3515 * Determine whether or not a port forward listens to loopback, the
3516 * specified address or wildcard. On the client, a specified bind
3517 * address will always override gateway_ports. On the server, a
3518 * gateway_ports of 1 (``yes'') will override the client's specification
3519 * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
3520 * will bind to whatever address the client asked for.
3522 * Special-case listen_addrs are:
3524 * "0.0.0.0" -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
3525 * "" (empty string), "*" -> wildcard v4/v6
3526 * "localhost" -> loopback v4/v6
3527 * "127.0.0.1" / "::1" -> accepted even if gateway_ports isn't set
3530 channel_fwd_bind_addr(struct ssh *ssh, const char *listen_addr, int *wildcardp,
3531 int is_client, struct ForwardOptions *fwd_opts)
3533 const char *addr = NULL;
3536 if (listen_addr == NULL) {
3537 /* No address specified: default to gateway_ports setting */
3538 if (fwd_opts->gateway_ports)
3540 } else if (fwd_opts->gateway_ports || is_client) {
3541 if (((ssh->compat & SSH_OLD_FORWARD_ADDR) &&
3542 strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
3543 *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
3544 (!is_client && fwd_opts->gateway_ports == 1)) {
3547 * Notify client if they requested a specific listen
3548 * address and it was overridden.
3550 if (*listen_addr != '\0' &&
3551 strcmp(listen_addr, "0.0.0.0") != 0 &&
3552 strcmp(listen_addr, "*") != 0) {
3553 ssh_packet_send_debug(ssh,
3554 "Forwarding listen address "
3555 "\"%s\" overridden by server "
3556 "GatewayPorts", listen_addr);
3558 } else if (strcmp(listen_addr, "localhost") != 0 ||
3559 strcmp(listen_addr, "127.0.0.1") == 0 ||
3560 strcmp(listen_addr, "::1") == 0) {
3562 * Accept explicit localhost address when
3563 * GatewayPorts=yes. The "localhost" hostname is
3564 * deliberately skipped here so it will listen on all
3565 * available local address families.
3569 } else if (strcmp(listen_addr, "127.0.0.1") == 0 ||
3570 strcmp(listen_addr, "::1") == 0) {
3572 * If a specific IPv4/IPv6 localhost address has been
3573 * requested then accept it even if gateway_ports is in
3574 * effect. This allows the client to prefer IPv4 or IPv6.
3578 if (wildcardp != NULL)
3579 *wildcardp = wildcard;
3584 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
3585 struct Forward *fwd, int *allocated_listen_port,
3586 struct ForwardOptions *fwd_opts)
3589 int sock, r, success = 0, wildcard = 0, is_client;
3590 struct addrinfo hints, *ai, *aitop;
3591 const char *host, *addr;
3592 char ntop[NI_MAXHOST], strport[NI_MAXSERV];
3595 is_client = (type == SSH_CHANNEL_PORT_LISTENER);
3597 if (is_client && fwd->connect_path != NULL) {
3598 host = fwd->connect_path;
3600 host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
3601 fwd->listen_host : fwd->connect_host;
3603 error("No forward host name.");
3606 if (strlen(host) >= NI_MAXHOST) {
3607 error("Forward host name too long.");
3612 /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
3613 addr = channel_fwd_bind_addr(ssh, fwd->listen_host, &wildcard,
3614 is_client, fwd_opts);
3615 debug3_f("type %d wildcard %d addr %s", type, wildcard,
3616 (addr == NULL) ? "NULL" : addr);
3619 * getaddrinfo returns a loopback address if the hostname is
3620 * set to NULL and hints.ai_flags is not AI_PASSIVE
3622 memset(&hints, 0, sizeof(hints));
3623 hints.ai_family = ssh->chanctxt->IPv4or6;
3624 hints.ai_flags = wildcard ? AI_PASSIVE : 0;
3625 hints.ai_socktype = SOCK_STREAM;
3626 snprintf(strport, sizeof strport, "%d", fwd->listen_port);
3627 if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
3629 /* This really shouldn't happen */
3630 ssh_packet_disconnect(ssh, "getaddrinfo: fatal error: %s",
3631 ssh_gai_strerror(r));
3633 error_f("getaddrinfo(%.64s): %s", addr,
3634 ssh_gai_strerror(r));
3638 if (allocated_listen_port != NULL)
3639 *allocated_listen_port = 0;
3640 for (ai = aitop; ai; ai = ai->ai_next) {
3641 switch (ai->ai_family) {
3643 lport_p = &((struct sockaddr_in *)ai->ai_addr)->
3647 lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
3654 * If allocating a port for -R forwards, then use the
3655 * same port for all address families.
3657 if (type == SSH_CHANNEL_RPORT_LISTENER &&
3658 fwd->listen_port == 0 && allocated_listen_port != NULL &&
3659 *allocated_listen_port > 0)
3660 *lport_p = htons(*allocated_listen_port);
3662 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
3663 strport, sizeof(strport),
3664 NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
3665 error_f("getnameinfo failed");
3668 /* Create a port to listen for the host. */
3669 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3671 /* this is no error since kernel may not support ipv6 */
3672 verbose("socket [%s]:%s: %.100s", ntop, strport,
3677 set_reuseaddr(sock);
3678 if (ai->ai_family == AF_INET6)
3679 sock_set_v6only(sock);
3681 debug("Local forwarding listening on %s port %s.",
3684 /* Bind the socket to the address. */
3685 if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
3687 * address can be in if use ipv6 address is
3691 error("bind [%s]:%s: %.100s",
3692 ntop, strport, strerror(errno));
3694 verbose("bind [%s]:%s: %.100s",
3695 ntop, strport, strerror(errno));
3700 /* Start listening for connections on the socket. */
3701 if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
3702 error("listen [%s]:%s: %.100s", ntop, strport,
3709 * fwd->listen_port == 0 requests a dynamically allocated port -
3710 * record what we got.
3712 if (type == SSH_CHANNEL_RPORT_LISTENER &&
3713 fwd->listen_port == 0 &&
3714 allocated_listen_port != NULL &&
3715 *allocated_listen_port == 0) {
3716 *allocated_listen_port = get_local_port(sock);
3717 debug("Allocated listen port %d",
3718 *allocated_listen_port);
3721 /* Allocate a channel number for the socket. */
3722 c = channel_new(ssh, "port listener", type, sock, sock, -1,
3723 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3724 0, "port listener", 1);
3725 c->path = xstrdup(host);
3726 c->host_port = fwd->connect_port;
3727 c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
3728 if (fwd->listen_port == 0 && allocated_listen_port != NULL &&
3729 !(ssh->compat & SSH_BUG_DYNAMIC_RPORT))
3730 c->listening_port = *allocated_listen_port;
3732 c->listening_port = fwd->listen_port;
3736 error_f("cannot listen to port: %d", fwd->listen_port);
3737 freeaddrinfo(aitop);
3742 channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type,
3743 struct Forward *fwd, struct ForwardOptions *fwd_opts)
3745 struct sockaddr_un sunaddr;
3752 case SSH_CHANNEL_UNIX_LISTENER:
3753 if (fwd->connect_path != NULL) {
3754 if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
3755 error("Local connecting path too long: %s",
3759 path = fwd->connect_path;
3760 port = PORT_STREAMLOCAL;
3762 if (fwd->connect_host == NULL) {
3763 error("No forward host name.");
3766 if (strlen(fwd->connect_host) >= NI_MAXHOST) {
3767 error("Forward host name too long.");
3770 path = fwd->connect_host;
3771 port = fwd->connect_port;
3774 case SSH_CHANNEL_RUNIX_LISTENER:
3775 path = fwd->listen_path;
3776 port = PORT_STREAMLOCAL;
3779 error_f("unexpected channel type %d", type);
3783 if (fwd->listen_path == NULL) {
3784 error("No forward path name.");
3787 if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
3788 error("Local listening path too long: %s", fwd->listen_path);
3792 debug3_f("type %d path %s", type, fwd->listen_path);
3794 /* Start a Unix domain listener. */
3795 omask = umask(fwd_opts->streamlocal_bind_mask);
3796 sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
3797 fwd_opts->streamlocal_bind_unlink);
3802 debug("Local forwarding listening on path %s.", fwd->listen_path);
3804 /* Allocate a channel number for the socket. */
3805 c = channel_new(ssh, "unix listener", type, sock, sock, -1,
3806 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3807 0, "unix listener", 1);
3808 c->path = xstrdup(path);
3809 c->host_port = port;
3810 c->listening_port = PORT_STREAMLOCAL;
3811 c->listening_addr = xstrdup(fwd->listen_path);
3816 channel_cancel_rport_listener_tcpip(struct ssh *ssh,
3817 const char *host, u_short port)
3822 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3823 Channel *c = ssh->chanctxt->channels[i];
3824 if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
3826 if (strcmp(c->path, host) == 0 && c->listening_port == port) {
3827 debug2_f("close channel %d", i);
3828 channel_free(ssh, c);
3837 channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path)
3842 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3843 Channel *c = ssh->chanctxt->channels[i];
3844 if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER)
3846 if (c->path == NULL)
3848 if (strcmp(c->path, path) == 0) {
3849 debug2_f("close channel %d", i);
3850 channel_free(ssh, c);
3859 channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd)
3861 if (fwd->listen_path != NULL) {
3862 return channel_cancel_rport_listener_streamlocal(ssh,
3865 return channel_cancel_rport_listener_tcpip(ssh,
3866 fwd->listen_host, fwd->listen_port);
3871 channel_cancel_lport_listener_tcpip(struct ssh *ssh,
3872 const char *lhost, u_short lport, int cport,
3873 struct ForwardOptions *fwd_opts)
3877 const char *addr = channel_fwd_bind_addr(ssh, lhost, NULL, 1, fwd_opts);
3879 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3880 Channel *c = ssh->chanctxt->channels[i];
3881 if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
3883 if (c->listening_port != lport)
3885 if (cport == CHANNEL_CANCEL_PORT_STATIC) {
3886 /* skip dynamic forwardings */
3887 if (c->host_port == 0)
3890 if (c->host_port != cport)
3893 if ((c->listening_addr == NULL && addr != NULL) ||
3894 (c->listening_addr != NULL && addr == NULL))
3896 if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
3897 debug2_f("close channel %d", i);
3898 channel_free(ssh, c);
3907 channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path)
3913 error_f("no path specified.");
3917 for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3918 Channel *c = ssh->chanctxt->channels[i];
3919 if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER)
3921 if (c->listening_addr == NULL)
3923 if (strcmp(c->listening_addr, path) == 0) {
3924 debug2_f("close channel %d", i);
3925 channel_free(ssh, c);
3934 channel_cancel_lport_listener(struct ssh *ssh,
3935 struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts)
3937 if (fwd->listen_path != NULL) {
3938 return channel_cancel_lport_listener_streamlocal(ssh,
3941 return channel_cancel_lport_listener_tcpip(ssh,
3942 fwd->listen_host, fwd->listen_port, cport, fwd_opts);
3946 /* protocol local port fwd, used by ssh */
3948 channel_setup_local_fwd_listener(struct ssh *ssh,
3949 struct Forward *fwd, struct ForwardOptions *fwd_opts)
3951 if (fwd->listen_path != NULL) {
3952 return channel_setup_fwd_listener_streamlocal(ssh,
3953 SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts);
3955 return channel_setup_fwd_listener_tcpip(ssh,
3956 SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts);
3960 /* Matches a remote forwarding permission against a requested forwarding */
3962 remote_open_match(struct permission *allowed_open, struct Forward *fwd)
3967 /* XXX add ACLs for streamlocal */
3968 if (fwd->listen_path != NULL)
3971 if (fwd->listen_host == NULL || allowed_open->listen_host == NULL)
3974 if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT &&
3975 allowed_open->listen_port != fwd->listen_port)
3978 /* Match hostnames case-insensitively */
3979 lhost = xstrdup(fwd->listen_host);
3981 ret = match_pattern(lhost, allowed_open->listen_host);
3987 /* Checks whether a requested remote forwarding is permitted */
3989 check_rfwd_permission(struct ssh *ssh, struct Forward *fwd)
3991 struct ssh_channels *sc = ssh->chanctxt;
3992 struct permission_set *pset = &sc->remote_perms;
3993 u_int i, permit, permit_adm = 1;
3994 struct permission *perm;
3996 /* XXX apply GatewayPorts override before checking? */
3998 permit = pset->all_permitted;
4000 for (i = 0; i < pset->num_permitted_user; i++) {
4001 perm = &pset->permitted_user[i];
4002 if (remote_open_match(perm, fwd)) {
4009 if (pset->num_permitted_admin > 0) {
4011 for (i = 0; i < pset->num_permitted_admin; i++) {
4012 perm = &pset->permitted_admin[i];
4013 if (remote_open_match(perm, fwd)) {
4020 return permit && permit_adm;
4023 /* protocol v2 remote port fwd, used by sshd */
4025 channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
4026 int *allocated_listen_port, struct ForwardOptions *fwd_opts)
4028 if (!check_rfwd_permission(ssh, fwd)) {
4029 ssh_packet_send_debug(ssh, "port forwarding refused");
4030 if (fwd->listen_path != NULL)
4031 /* XXX always allowed, see remote_open_match() */
4032 logit("Received request from %.100s port %d to "
4033 "remote forward to path \"%.100s\", "
4034 "but the request was denied.",
4035 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
4037 else if(fwd->listen_host != NULL)
4038 logit("Received request from %.100s port %d to "
4039 "remote forward to host %.100s port %d, "
4040 "but the request was denied.",
4041 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
4042 fwd->listen_host, fwd->listen_port );
4044 logit("Received request from %.100s port %d to remote "
4045 "forward, but the request was denied.",
4046 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
4049 if (fwd->listen_path != NULL) {
4050 return channel_setup_fwd_listener_streamlocal(ssh,
4051 SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);
4053 return channel_setup_fwd_listener_tcpip(ssh,
4054 SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,
4060 * Translate the requested rfwd listen host to something usable for
4064 channel_rfwd_bind_host(const char *listen_host)
4066 if (listen_host == NULL) {
4068 } else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
4075 * Initiate forwarding of connections to port "port" on remote host through
4076 * the secure channel to host:port from local side.
4077 * Returns handle (index) for updating the dynamic listen port with
4078 * channel_update_permission().
4081 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
4083 int r, success = 0, idx = -1;
4084 char *host_to_connect, *listen_host, *listen_path;
4085 int port_to_connect, listen_port;
4087 /* Send the forward request to the remote side. */
4088 if (fwd->listen_path != NULL) {
4089 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4090 (r = sshpkt_put_cstring(ssh,
4091 "streamlocal-forward@openssh.com")) != 0 ||
4092 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
4093 (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 ||
4094 (r = sshpkt_send(ssh)) != 0 ||
4095 (r = ssh_packet_write_wait(ssh)) != 0)
4096 fatal_fr(r, "request streamlocal");
4098 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4099 (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 ||
4100 (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
4101 (r = sshpkt_put_cstring(ssh,
4102 channel_rfwd_bind_host(fwd->listen_host))) != 0 ||
4103 (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 ||
4104 (r = sshpkt_send(ssh)) != 0 ||
4105 (r = ssh_packet_write_wait(ssh)) != 0)
4106 fatal_fr(r, "request tcpip-forward");
4108 /* Assume that server accepts the request */
4111 /* Record that connection to this host/port is permitted. */
4112 host_to_connect = listen_host = listen_path = NULL;
4113 port_to_connect = listen_port = 0;
4114 if (fwd->connect_path != NULL) {
4115 host_to_connect = xstrdup(fwd->connect_path);
4116 port_to_connect = PORT_STREAMLOCAL;
4118 host_to_connect = xstrdup(fwd->connect_host);
4119 port_to_connect = fwd->connect_port;
4121 if (fwd->listen_path != NULL) {
4122 listen_path = xstrdup(fwd->listen_path);
4123 listen_port = PORT_STREAMLOCAL;
4125 if (fwd->listen_host != NULL)
4126 listen_host = xstrdup(fwd->listen_host);
4127 listen_port = fwd->listen_port;
4129 idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL,
4130 host_to_connect, port_to_connect,
4131 listen_host, listen_path, listen_port, NULL);
4137 open_match(struct permission *allowed_open, const char *requestedhost,
4140 if (allowed_open->host_to_connect == NULL)
4142 if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
4143 allowed_open->port_to_connect != requestedport)
4145 if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
4146 strcmp(allowed_open->host_to_connect, requestedhost) != 0)
4152 * Note that in the listen host/port case
4153 * we don't support FWD_PERMIT_ANY_PORT and
4154 * need to translate between the configured-host (listen_host)
4155 * and what we've sent to the remote server (channel_rfwd_bind_host)
4158 open_listen_match_tcpip(struct permission *allowed_open,
4159 const char *requestedhost, u_short requestedport, int translate)
4161 const char *allowed_host;
4163 if (allowed_open->host_to_connect == NULL)
4165 if (allowed_open->listen_port != requestedport)
4167 if (!translate && allowed_open->listen_host == NULL &&
4168 requestedhost == NULL)
4170 allowed_host = translate ?
4171 channel_rfwd_bind_host(allowed_open->listen_host) :
4172 allowed_open->listen_host;
4173 if (allowed_host == NULL || requestedhost == NULL ||
4174 strcmp(allowed_host, requestedhost) != 0)
4180 open_listen_match_streamlocal(struct permission *allowed_open,
4181 const char *requestedpath)
4183 if (allowed_open->host_to_connect == NULL)
4185 if (allowed_open->listen_port != PORT_STREAMLOCAL)
4187 if (allowed_open->listen_path == NULL ||
4188 strcmp(allowed_open->listen_path, requestedpath) != 0)
4194 * Request cancellation of remote forwarding of connection host:port from
4198 channel_request_rforward_cancel_tcpip(struct ssh *ssh,
4199 const char *host, u_short port)
4201 struct ssh_channels *sc = ssh->chanctxt;
4202 struct permission_set *pset = &sc->local_perms;
4205 struct permission *perm = NULL;
4207 for (i = 0; i < pset->num_permitted_user; i++) {
4208 perm = &pset->permitted_user[i];
4209 if (open_listen_match_tcpip(perm, host, port, 0))
4214 debug_f("requested forward not found");
4217 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4218 (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 ||
4219 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
4220 (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 ||
4221 (r = sshpkt_put_u32(ssh, port)) != 0 ||
4222 (r = sshpkt_send(ssh)) != 0)
4223 fatal_fr(r, "send cancel");
4225 fwd_perm_clear(perm); /* unregister */
4231 * Request cancellation of remote forwarding of Unix domain socket
4232 * path from local side.
4235 channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path)
4237 struct ssh_channels *sc = ssh->chanctxt;
4238 struct permission_set *pset = &sc->local_perms;
4241 struct permission *perm = NULL;
4243 for (i = 0; i < pset->num_permitted_user; i++) {
4244 perm = &pset->permitted_user[i];
4245 if (open_listen_match_streamlocal(perm, path))
4250 debug_f("requested forward not found");
4253 if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
4254 (r = sshpkt_put_cstring(ssh,
4255 "cancel-streamlocal-forward@openssh.com")) != 0 ||
4256 (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
4257 (r = sshpkt_put_cstring(ssh, path)) != 0 ||
4258 (r = sshpkt_send(ssh)) != 0)
4259 fatal_fr(r, "send cancel");
4261 fwd_perm_clear(perm); /* unregister */
4267 * Request cancellation of remote forwarding of a connection from local side.
4270 channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd)
4272 if (fwd->listen_path != NULL) {
4273 return channel_request_rforward_cancel_streamlocal(ssh,
4276 return channel_request_rforward_cancel_tcpip(ssh,
4278 fwd->listen_port ? fwd->listen_port : fwd->allocated_port);
4283 * Permits opening to any host/port if permitted_user[] is empty. This is
4284 * usually called by the server, because the user could connect to any port
4285 * anyway, and the server has no way to know but to trust the client anyway.
4288 channel_permit_all(struct ssh *ssh, int where)
4290 struct permission_set *pset = permission_set_get(ssh, where);
4292 if (pset->num_permitted_user == 0)
4293 pset->all_permitted = 1;
4297 * Permit the specified host/port for forwarding.
4300 channel_add_permission(struct ssh *ssh, int who, int where,
4301 char *host, int port)
4303 int local = where == FORWARD_LOCAL;
4304 struct permission_set *pset = permission_set_get(ssh, where);
4306 debug("allow %s forwarding to host %s port %d",
4307 fwd_ident(who, where), host, port);
4309 * Remote forwards set listen_host/port, local forwards set
4310 * host/port_to_connect.
4312 permission_set_add(ssh, who, where,
4313 local ? host : 0, local ? port : 0,
4314 local ? NULL : host, NULL, local ? 0 : port, NULL);
4315 pset->all_permitted = 0;
4319 * Administratively disable forwarding.
4322 channel_disable_admin(struct ssh *ssh, int where)
4324 channel_clear_permission(ssh, FORWARD_ADM, where);
4325 permission_set_add(ssh, FORWARD_ADM, where,
4326 NULL, 0, NULL, NULL, 0, NULL);
4330 * Clear a list of permitted opens.
4333 channel_clear_permission(struct ssh *ssh, int who, int where)
4335 struct permission **permp;
4338 permission_set_get_array(ssh, who, where, &permp, &npermp);
4339 *permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp));
4344 * Update the listen port for a dynamic remote forward, after
4345 * the actual 'newport' has been allocated. If 'newport' < 0 is
4346 * passed then they entry will be invalidated.
4349 channel_update_permission(struct ssh *ssh, int idx, int newport)
4351 struct permission_set *pset = &ssh->chanctxt->local_perms;
4353 if (idx < 0 || (u_int)idx >= pset->num_permitted_user) {
4354 debug_f("index out of range: %d num_permitted_user %d",
4355 idx, pset->num_permitted_user);
4358 debug("%s allowed port %d for forwarding to host %s port %d",
4359 newport > 0 ? "Updating" : "Removing",
4361 pset->permitted_user[idx].host_to_connect,
4362 pset->permitted_user[idx].port_to_connect);
4364 fwd_perm_clear(&pset->permitted_user[idx]);
4366 pset->permitted_user[idx].listen_port =
4367 (ssh->compat & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
4371 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
4373 permitopen_port(const char *p)
4377 if (strcmp(p, "*") == 0)
4378 return FWD_PERMIT_ANY_PORT;
4379 if ((port = a2port(p)) > 0)
4384 /* Try to start non-blocking connect to next host in cctx list */
4386 connect_next(struct channel_connect *cctx)
4388 int sock, saved_errno;
4389 struct sockaddr_un *sunaddr;
4390 char ntop[NI_MAXHOST];
4391 char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))];
4393 for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
4394 switch (cctx->ai->ai_family) {
4396 /* unix:pathname instead of host:port */
4397 sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
4398 strlcpy(ntop, "unix", sizeof(ntop));
4399 strlcpy(strport, sunaddr->sun_path, sizeof(strport));
4403 if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
4404 ntop, sizeof(ntop), strport, sizeof(strport),
4405 NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
4406 error_f("getnameinfo failed");
4413 debug_f("start for host %.100s ([%.100s]:%s)",
4414 cctx->host, ntop, strport);
4415 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
4416 cctx->ai->ai_protocol)) == -1) {
4417 if (cctx->ai->ai_next == NULL)
4418 error("socket: %.100s", strerror(errno));
4420 verbose("socket: %.100s", strerror(errno));
4423 if (set_nonblock(sock) == -1)
4424 fatal_f("set_nonblock(%d)", sock);
4425 if (connect(sock, cctx->ai->ai_addr,
4426 cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
4427 debug_f("host %.100s ([%.100s]:%s): %.100s",
4428 cctx->host, ntop, strport, strerror(errno));
4429 saved_errno = errno;
4431 errno = saved_errno;
4432 continue; /* fail -- try next */
4434 if (cctx->ai->ai_family != AF_UNIX)
4436 debug_f("connect host %.100s ([%.100s]:%s) in progress, fd=%d",
4437 cctx->host, ntop, strport, sock);
4438 cctx->ai = cctx->ai->ai_next;
4445 channel_connect_ctx_free(struct channel_connect *cctx)
4449 if (cctx->aitop->ai_family == AF_UNIX)
4452 freeaddrinfo(cctx->aitop);
4454 memset(cctx, 0, sizeof(*cctx));
4458 * Return connecting socket to remote host:port or local socket path,
4459 * passing back the failure reason if appropriate.
4462 connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
4463 char *ctype, char *rname, struct channel_connect *cctx,
4464 int *reason, const char **errmsg)
4466 struct addrinfo hints;
4469 char strport[NI_MAXSERV];
4471 if (port == PORT_STREAMLOCAL) {
4472 struct sockaddr_un *sunaddr;
4473 struct addrinfo *ai;
4475 if (strlen(name) > sizeof(sunaddr->sun_path)) {
4476 error("%.100s: %.100s", name, strerror(ENAMETOOLONG));
4481 * Fake up a struct addrinfo for AF_UNIX connections.
4482 * channel_connect_ctx_free() must check ai_family
4483 * and use free() not freeaddirinfo() for AF_UNIX.
4485 ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr));
4486 memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr));
4487 ai->ai_addr = (struct sockaddr *)(ai + 1);
4488 ai->ai_addrlen = sizeof(*sunaddr);
4489 ai->ai_family = AF_UNIX;
4490 ai->ai_socktype = socktype;
4491 ai->ai_protocol = PF_UNSPEC;
4492 sunaddr = (struct sockaddr_un *)ai->ai_addr;
4493 sunaddr->sun_family = AF_UNIX;
4494 strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
4497 memset(&hints, 0, sizeof(hints));
4498 hints.ai_family = ssh->chanctxt->IPv4or6;
4499 hints.ai_socktype = socktype;
4500 snprintf(strport, sizeof strport, "%d", port);
4501 if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop))
4504 *errmsg = ssh_gai_strerror(gaierr);
4506 *reason = SSH2_OPEN_CONNECT_FAILED;
4507 error("connect_to %.100s: unknown host (%s)", name,
4508 ssh_gai_strerror(gaierr));
4513 cctx->host = xstrdup(name);
4515 cctx->ai = cctx->aitop;
4517 if ((sock = connect_next(cctx)) == -1) {
4518 error("connect to %.100s port %d failed: %s",
4519 name, port, strerror(errno));
4526 /* Return CONNECTING channel to remote host:port or local socket path */
4528 connect_to(struct ssh *ssh, const char *host, int port,
4529 char *ctype, char *rname)
4531 struct channel_connect cctx;
4535 memset(&cctx, 0, sizeof(cctx));
4536 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4539 channel_connect_ctx_free(&cctx);
4542 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4543 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4544 c->host_port = port;
4545 c->path = xstrdup(host);
4546 c->connect_ctx = cctx;
4552 * returns either the newly connected channel or the downstream channel
4553 * that needs to deal with this connection.
4556 channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host,
4557 u_short listen_port, char *ctype, char *rname)
4559 struct ssh_channels *sc = ssh->chanctxt;
4560 struct permission_set *pset = &sc->local_perms;
4562 struct permission *perm;
4564 for (i = 0; i < pset->num_permitted_user; i++) {
4565 perm = &pset->permitted_user[i];
4566 if (open_listen_match_tcpip(perm,
4567 listen_host, listen_port, 1)) {
4568 if (perm->downstream)
4569 return perm->downstream;
4570 if (perm->port_to_connect == 0)
4571 return rdynamic_connect_prepare(ssh,
4573 return connect_to(ssh,
4574 perm->host_to_connect, perm->port_to_connect,
4578 error("WARNING: Server requests forwarding for unknown listen_port %d",
4584 channel_connect_by_listen_path(struct ssh *ssh, const char *path,
4585 char *ctype, char *rname)
4587 struct ssh_channels *sc = ssh->chanctxt;
4588 struct permission_set *pset = &sc->local_perms;
4590 struct permission *perm;
4592 for (i = 0; i < pset->num_permitted_user; i++) {
4593 perm = &pset->permitted_user[i];
4594 if (open_listen_match_streamlocal(perm, path)) {
4595 return connect_to(ssh,
4596 perm->host_to_connect, perm->port_to_connect,
4600 error("WARNING: Server requests forwarding for unknown path %.100s",
4605 /* Check if connecting to that port is permitted and connect. */
4607 channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
4608 char *ctype, char *rname, int *reason, const char **errmsg)
4610 struct ssh_channels *sc = ssh->chanctxt;
4611 struct permission_set *pset = &sc->local_perms;
4612 struct channel_connect cctx;
4614 u_int i, permit, permit_adm = 1;
4616 struct permission *perm;
4618 permit = pset->all_permitted;
4620 for (i = 0; i < pset->num_permitted_user; i++) {
4621 perm = &pset->permitted_user[i];
4622 if (open_match(perm, host, port)) {
4629 if (pset->num_permitted_admin > 0) {
4631 for (i = 0; i < pset->num_permitted_admin; i++) {
4632 perm = &pset->permitted_admin[i];
4633 if (open_match(perm, host, port)) {
4640 if (!permit || !permit_adm) {
4641 logit("Received request from %.100s port %d to connect to "
4642 "host %.100s port %d, but the request was denied.",
4643 ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), host, port);
4645 *reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
4649 memset(&cctx, 0, sizeof(cctx));
4650 sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4651 &cctx, reason, errmsg);
4653 channel_connect_ctx_free(&cctx);
4657 c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4658 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4659 c->host_port = port;
4660 c->path = xstrdup(host);
4661 c->connect_ctx = cctx;
4666 /* Check if connecting to that path is permitted and connect. */
4668 channel_connect_to_path(struct ssh *ssh, const char *path,
4669 char *ctype, char *rname)
4671 struct ssh_channels *sc = ssh->chanctxt;
4672 struct permission_set *pset = &sc->local_perms;
4673 u_int i, permit, permit_adm = 1;
4674 struct permission *perm;
4676 permit = pset->all_permitted;
4678 for (i = 0; i < pset->num_permitted_user; i++) {
4679 perm = &pset->permitted_user[i];
4680 if (open_match(perm, path, PORT_STREAMLOCAL)) {
4687 if (pset->num_permitted_admin > 0) {
4689 for (i = 0; i < pset->num_permitted_admin; i++) {
4690 perm = &pset->permitted_admin[i];
4691 if (open_match(perm, path, PORT_STREAMLOCAL)) {
4698 if (!permit || !permit_adm) {
4699 logit("Received request to connect to path %.100s, "
4700 "but the request was denied.", path);
4703 return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname);
4707 channel_send_window_changes(struct ssh *ssh)
4709 struct ssh_channels *sc = ssh->chanctxt;
4714 for (i = 0; i < sc->channels_alloc; i++) {
4715 if (sc->channels[i] == NULL || !sc->channels[i]->client_tty ||
4716 sc->channels[i]->type != SSH_CHANNEL_OPEN)
4718 if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) == -1)
4720 channel_request_start(ssh, i, "window-change", 0);
4721 if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 ||
4722 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
4723 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
4724 (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 ||
4725 (r = sshpkt_send(ssh)) != 0)
4726 fatal_fr(r, "channel %u; send window-change", i);
4730 /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */
4732 rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname)
4737 c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1,
4738 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4743 * We need to open the channel before we have a FD,
4744 * so that we can get SOCKS header from peer.
4746 if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
4747 (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
4748 (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
4749 (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
4750 (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0)
4751 fatal_fr(r, "channel %i; confirm", c->self);
4755 /* Return CONNECTING socket to remote host:port or local socket path */
4757 rdynamic_connect_finish(struct ssh *ssh, Channel *c)
4759 struct ssh_channels *sc = ssh->chanctxt;
4760 struct permission_set *pset = &sc->local_perms;
4761 struct permission *perm;
4762 struct channel_connect cctx;
4763 u_int i, permit_adm = 1;
4766 if (pset->num_permitted_admin > 0) {
4768 for (i = 0; i < pset->num_permitted_admin; i++) {
4769 perm = &pset->permitted_admin[i];
4770 if (open_match(perm, c->path, c->host_port)) {
4777 debug_f("requested forward not permitted");
4781 memset(&cctx, 0, sizeof(cctx));
4782 sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL,
4783 NULL, &cctx, NULL, NULL);
4785 channel_connect_ctx_free(&cctx);
4787 /* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */
4788 c->type = SSH_CHANNEL_RDYNAMIC_FINISH;
4789 c->connect_ctx = cctx;
4790 channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0);
4795 /* -- X11 forwarding */
4798 * Creates an internet domain socket for listening for X11 connections.
4799 * Returns 0 and a suitable display number for the DISPLAY variable
4800 * stored in display_numberp , or -1 if an error occurs.
4803 x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
4804 int x11_use_localhost, int single_connection,
4805 u_int *display_numberp, int **chanids)
4808 int display_number, sock;
4810 struct addrinfo hints, *ai, *aitop;
4811 char strport[NI_MAXSERV];
4812 int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
4814 if (chanids == NULL)
4817 for (display_number = x11_display_offset;
4818 display_number < MAX_DISPLAYS;
4820 port = 6000 + display_number;
4821 memset(&hints, 0, sizeof(hints));
4822 hints.ai_family = ssh->chanctxt->IPv4or6;
4823 hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
4824 hints.ai_socktype = SOCK_STREAM;
4825 snprintf(strport, sizeof strport, "%d", port);
4826 if ((gaierr = getaddrinfo(NULL, strport,
4827 &hints, &aitop)) != 0) {
4828 error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
4831 for (ai = aitop; ai; ai = ai->ai_next) {
4832 if (ai->ai_family != AF_INET &&
4833 ai->ai_family != AF_INET6)
4835 sock = socket(ai->ai_family, ai->ai_socktype,
4838 if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
4840 && (errno != EPFNOSUPPORT)
4843 error("socket: %.100s", strerror(errno));
4844 freeaddrinfo(aitop);
4847 debug("x11_create_display_inet: Socket family %d not supported",
4852 if (ai->ai_family == AF_INET6)
4853 sock_set_v6only(sock);
4854 if (x11_use_localhost)
4855 set_reuseaddr(sock);
4856 if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
4857 debug2_f("bind port %d: %.100s", port,
4860 for (n = 0; n < num_socks; n++)
4865 socks[num_socks++] = sock;
4866 if (num_socks == NUM_SOCKS)
4869 freeaddrinfo(aitop);
4873 if (display_number >= MAX_DISPLAYS) {
4874 error("Failed to allocate internet-domain X11 display socket.");
4877 /* Start listening for connections on the socket. */
4878 for (n = 0; n < num_socks; n++) {
4880 if (listen(sock, SSH_LISTEN_BACKLOG) == -1) {
4881 error("listen: %.100s", strerror(errno));
4887 /* Allocate a channel for each socket. */
4888 *chanids = xcalloc(num_socks + 1, sizeof(**chanids));
4889 for (n = 0; n < num_socks; n++) {
4891 nc = channel_new(ssh, "x11 listener",
4892 SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
4893 CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
4894 0, "X11 inet listener", 1);
4895 nc->single_connection = single_connection;
4896 (*chanids)[n] = nc->self;
4900 /* Return the display number for the DISPLAY environment variable. */
4901 *display_numberp = display_number;
4906 connect_local_xsocket_path(const char *pathname)
4909 struct sockaddr_un addr;
4911 sock = socket(AF_UNIX, SOCK_STREAM, 0);
4913 error("socket: %.100s", strerror(errno));
4914 memset(&addr, 0, sizeof(addr));
4915 addr.sun_family = AF_UNIX;
4916 strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
4917 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
4920 error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
4925 connect_local_xsocket(u_int dnr)
4928 snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
4929 return connect_local_xsocket_path(buf);
4934 is_path_to_xsocket(const char *display, char *path, size_t pathlen)
4938 if (strlcpy(path, display, pathlen) >= pathlen) {
4939 error("%s: display path too long", __func__);
4942 if (display[0] != '/')
4944 if (stat(path, &sbuf) == 0) {
4947 char *dot = strrchr(path, '.');
4950 if (stat(path, &sbuf) == 0) {
4960 x11_connect_display(struct ssh *ssh)
4962 u_int display_number;
4963 const char *display;
4964 char buf[1024], *cp;
4965 struct addrinfo hints, *ai, *aitop;
4966 char strport[NI_MAXSERV];
4967 int gaierr, sock = 0;
4969 /* Try to open a socket for the local X server. */
4970 display = getenv("DISPLAY");
4972 error("DISPLAY not set.");
4976 * Now we decode the value of the DISPLAY variable and make a
4977 * connection to the real X server.
4981 /* Check if display is a path to a socket (as set by launchd). */
4983 char path[PATH_MAX];
4985 if (is_path_to_xsocket(display, path, sizeof(path))) {
4986 debug("x11_connect_display: $DISPLAY is launchd");
4988 /* Create a socket. */
4989 sock = connect_local_xsocket_path(path);
4993 /* OK, we now have a connection to the display. */
4999 * Check if it is a unix domain socket. Unix domain displays are in
5000 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
5002 if (strncmp(display, "unix:", 5) == 0 ||
5003 display[0] == ':') {
5004 /* Connect to the unix domain socket. */
5005 if (sscanf(strrchr(display, ':') + 1, "%u",
5006 &display_number) != 1) {
5007 error("Could not parse display number from DISPLAY: "
5011 /* Create a socket. */
5012 sock = connect_local_xsocket(display_number);
5016 /* OK, we now have a connection to the display. */
5020 * Connect to an inet socket. The DISPLAY value is supposedly
5021 * hostname:d[.s], where hostname may also be numeric IP address.
5023 strlcpy(buf, display, sizeof(buf));
5024 cp = strchr(buf, ':');
5026 error("Could not find ':' in DISPLAY: %.100s", display);
5031 * buf now contains the host name. But first we parse the
5034 if (sscanf(cp + 1, "%u", &display_number) != 1) {
5035 error("Could not parse display number from DISPLAY: %.100s",
5040 /* Look up the host address */
5041 memset(&hints, 0, sizeof(hints));
5042 hints.ai_family = ssh->chanctxt->IPv4or6;
5043 hints.ai_socktype = SOCK_STREAM;
5044 snprintf(strport, sizeof strport, "%u", 6000 + display_number);
5045 if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
5046 error("%.100s: unknown host. (%s)", buf,
5047 ssh_gai_strerror(gaierr));
5050 for (ai = aitop; ai; ai = ai->ai_next) {
5051 /* Create a socket. */
5052 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
5054 debug2("socket: %.100s", strerror(errno));
5057 /* Connect it to the display. */
5058 if (connect(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
5059 debug2("connect %.100s port %u: %.100s", buf,
5060 6000 + display_number, strerror(errno));
5067 freeaddrinfo(aitop);
5069 error("connect %.100s port %u: %.100s", buf,
5070 6000 + display_number, strerror(errno));
5078 * Requests forwarding of X11 connections, generates fake authentication
5079 * data, and enables authentication spoofing.
5080 * This should be called in the client only.
5083 x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
5084 const char *disp, const char *proto, const char *data, int want_reply)
5086 struct ssh_channels *sc = ssh->chanctxt;
5087 u_int data_len = (u_int) strlen(data) / 2;
5091 int r, screen_number;
5093 if (sc->x11_saved_display == NULL)
5094 sc->x11_saved_display = xstrdup(disp);
5095 else if (strcmp(disp, sc->x11_saved_display) != 0) {
5096 error("x11_request_forwarding_with_spoofing: different "
5097 "$DISPLAY already forwarded");
5101 cp = strchr(disp, ':');
5103 cp = strchr(cp, '.');
5105 screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
5109 if (sc->x11_saved_proto == NULL) {
5110 /* Save protocol name. */
5111 sc->x11_saved_proto = xstrdup(proto);
5113 /* Extract real authentication data. */
5114 sc->x11_saved_data = xmalloc(data_len);
5115 for (i = 0; i < data_len; i++) {
5116 if (sscanf(data + 2 * i, "%2x", &value) != 1) {
5117 fatal("x11_request_forwarding: bad "
5118 "authentication data: %.100s", data);
5120 sc->x11_saved_data[i] = value;
5122 sc->x11_saved_data_len = data_len;
5124 /* Generate fake data of the same length. */
5125 sc->x11_fake_data = xmalloc(data_len);
5126 arc4random_buf(sc->x11_fake_data, data_len);
5127 sc->x11_fake_data_len = data_len;
5130 /* Convert the fake data into hex. */
5131 new_data = tohex(sc->x11_fake_data, data_len);
5133 /* Send the request packet. */
5134 channel_request_start(ssh, client_session_id, "x11-req", want_reply);
5135 if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */
5136 (r = sshpkt_put_cstring(ssh, proto)) != 0 ||
5137 (r = sshpkt_put_cstring(ssh, new_data)) != 0 ||
5138 (r = sshpkt_put_u32(ssh, screen_number)) != 0 ||
5139 (r = sshpkt_send(ssh)) != 0 ||
5140 (r = ssh_packet_write_wait(ssh)) != 0)
5141 fatal_fr(r, "send x11-req");
projects / FreeBSD / FreeBSD.git / blob