X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/302121de61648a0aeacf28311cbee194c49f38ff..fabd1805a8f429ca83b4271aabd1206ac3537ebb:/x11fwd.c diff --git a/x11fwd.c b/x11fwd.c index 033184b2..54674866 100644 --- a/x11fwd.c +++ b/x11fwd.c @@ -1,6 +1,7 @@ -#include #include #include +#include +#include #include "putty.h" #include "ssh.h" @@ -12,18 +13,18 @@ ((unsigned long)(unsigned char)(cp)[3] << 24)) #define PUT_32BIT_LSB_FIRST(cp, value) ( \ - (cp)[0] = (value), \ - (cp)[1] = (value) >> 8, \ - (cp)[2] = (value) >> 16, \ - (cp)[3] = (value) >> 24 ) + (cp)[0] = (char)(value), \ + (cp)[1] = (char)((value) >> 8), \ + (cp)[2] = (char)((value) >> 16), \ + (cp)[3] = (char)((value) >> 24) ) #define GET_16BIT_LSB_FIRST(cp) \ (((unsigned long)(unsigned char)(cp)[0]) | \ ((unsigned long)(unsigned char)(cp)[1] << 8)) #define PUT_16BIT_LSB_FIRST(cp, value) ( \ - (cp)[0] = (value), \ - (cp)[1] = (value) >> 8 ) + (cp)[0] = (char)(value), \ + (cp)[1] = (char)((value) >> 8) ) #define GET_32BIT_MSB_FIRST(cp) \ (((unsigned long)(unsigned char)(cp)[0] << 24) | \ @@ -32,18 +33,18 @@ ((unsigned long)(unsigned char)(cp)[3])) #define PUT_32BIT_MSB_FIRST(cp, value) ( \ - (cp)[0] = (value) >> 24, \ - (cp)[1] = (value) >> 16, \ - (cp)[2] = (value) >> 8, \ - (cp)[3] = (value) ) + (cp)[0] = (char)((value) >> 24), \ + (cp)[1] = (char)((value) >> 16), \ + (cp)[2] = (char)((value) >> 8), \ + (cp)[3] = (char)(value) ) #define GET_16BIT_MSB_FIRST(cp) \ (((unsigned long)(unsigned char)(cp)[0] << 8) | \ ((unsigned long)(unsigned char)(cp)[1])) #define PUT_16BIT_MSB_FIRST(cp, value) ( \ - (cp)[0] = (value) >> 8, \ - (cp)[1] = (value) ) + (cp)[0] = (char)((value) >> 8), \ + (cp)[1] = (char)(value) ) #define GET_16BIT(endian, cp) \ (endian=='B' ? GET_16BIT_MSB_FIRST(cp) : GET_16BIT_LSB_FIRST(cp)) @@ -51,9 +52,14 @@ #define PUT_16BIT(endian, cp, val) \ (endian=='B' ? PUT_16BIT_MSB_FIRST(cp, val) : PUT_16BIT_LSB_FIRST(cp, val)) +const char *const x11_authnames[] = { + "", "MIT-MAGIC-COOKIE-1", "XDM-AUTHORIZATION-1" +}; + struct X11Auth { - unsigned char data[64]; - int len; + unsigned char fakedata[64], realdata[64]; + int fakeproto, realproto; + int fakelen, reallen; }; struct X11Private { @@ -66,44 +72,106 @@ struct X11Private { int data_read, auth_plen, auth_psize, auth_dlen, auth_dsize; int verified; int throttled, throttle_override; + unsigned long peer_ip; + int peer_port; void *c; /* data used by ssh.c */ Socket s; }; -void x11_close(Socket s); - void *x11_invent_auth(char *proto, int protomaxlen, - char *data, int datamaxlen) + char *data, int datamaxlen, int proto_id) { struct X11Auth *auth = smalloc(sizeof(struct X11Auth)); char ourdata[64]; int i; - /* MIT-MAGIC-COOKIE-1. Cookie size is 128 bits (16 bytes). */ - auth->len = 16; - for (i = 0; i < 16; i++) - auth->data[i] = random_byte(); + if (proto_id == X11_MIT) { + auth->fakeproto = X11_MIT; + + /* MIT-MAGIC-COOKIE-1. Cookie size is 128 bits (16 bytes). */ + auth->fakelen = 16; + for (i = 0; i < 16; i++) + auth->fakedata[i] = random_byte(); + } else { + assert(proto_id == X11_XDM); + auth->fakeproto = X11_XDM; + + /* XDM-AUTHORIZATION-1. Cookie size is 16 bytes; byte 8 is zero. */ + auth->fakelen = 16; + for (i = 0; i < 16; i++) + auth->fakedata[i] = (i == 8 ? 0 : random_byte()); + } /* Now format for the recipient. */ - strncpy(proto, "MIT-MAGIC-COOKIE-1", protomaxlen); + strncpy(proto, x11_authnames[auth->fakeproto], protomaxlen); ourdata[0] = '\0'; - for (i = 0; i < auth->len; i++) - sprintf(ourdata + strlen(ourdata), "%02x", auth->data[i]); + for (i = 0; i < auth->fakelen; i++) + sprintf(ourdata + strlen(ourdata), "%02x", auth->fakedata[i]); strncpy(data, ourdata, datamaxlen); return auth; } -static int x11_verify(struct X11Auth *auth, - char *proto, unsigned char *data, int dlen) +void x11_free_auth(void *auth) { - if (strcmp(proto, "MIT-MAGIC-COOKIE-1") != 0) - return 0; /* wrong protocol attempted */ - if (dlen != auth->len) - return 0; /* cookie was wrong length */ - if (memcmp(auth->data, data, dlen) != 0) - return 0; /* cookie was wrong cookie! */ - return 1; + + sfree(auth); +} + +/* + * Fetch the real auth data for a given display string, and store + * it in an X11Auth structure. Returns NULL on success, or an error + * string. + */ +void x11_get_real_auth(void *authv, char *display) +{ + struct X11Auth *auth = (struct X11Auth *)authv; + + auth->realproto = X11_NO_AUTH; /* in case next call does nothing */ + + auth->reallen = sizeof(auth->realdata); + platform_get_x11_auth(display, &auth->realproto, + auth->realdata, &auth->reallen); +} + +static char *x11_verify(unsigned long peer_ip, int peer_port, + struct X11Auth *auth, char *proto, + unsigned char *data, int dlen) +{ + if (strcmp(proto, x11_authnames[auth->fakeproto]) != 0) + return "wrong authentication protocol attempted"; + if (auth->fakeproto == X11_MIT) { + if (dlen != auth->fakelen) + return "MIT-MAGIC-COOKIE-1 data was wrong length"; + if (memcmp(auth->fakedata, data, dlen) != 0) + return "MIT-MAGIC-COOKIE-1 data did not match"; + } + if (auth->fakeproto == X11_XDM) { + unsigned long t; + time_t tim; + int i; + + if (dlen != 24) + return "XDM-AUTHORIZATION-1 data was wrong length"; + if (peer_port == -1) + return "cannot do XDM-AUTHORIZATION-1 without remote address data"; + des_decrypt_xdmauth(auth->fakedata+9, data, 24); + if (memcmp(auth->fakedata, data, 8) != 0) + return "XDM-AUTHORIZATION-1 data failed check"; /* cookie wrong */ + if (GET_32BIT_MSB_FIRST(data+8) != peer_ip) + return "XDM-AUTHORIZATION-1 data failed check"; /* IP wrong */ + if ((int)GET_16BIT_MSB_FIRST(data+12) != peer_port) + return "XDM-AUTHORIZATION-1 data failed check"; /* port wrong */ + t = GET_32BIT_MSB_FIRST(data+14); + for (i = 18; i < 24; i++) + if (data[i] != 0) /* zero padding wrong */ + return "XDM-AUTHORIZATION-1 data failed check"; + tim = time(NULL); + if (abs(t - tim) > 20*60) /* 20 minute clock skew should be OK */ + return "XDM-AUTHORIZATION-1 time stamp was too far out"; + } + /* implement other protocols here if ever required */ + return NULL; } static int x11_closing(Plug plug, char *error_msg, int error_code, @@ -141,12 +209,31 @@ static void x11_sent(Plug plug, int bufsize) } /* + * When setting up X forwarding, we should send the screen number + * from the specified local display. This function extracts it from + * the display string. + */ +int x11_get_screen_number(char *display) +{ + int n; + + n = strcspn(display, ":"); + if (!display[n]) + return 0; + n = strcspn(display, "."); + if (!display[n]) + return 0; + return atoi(display + n + 1); +} + +/* * Called to set up the raw connection. * * Returns an error message, or NULL on success. * also, fills the SocketsStructure */ -char *x11_init(Socket * s, char *display, void *c, void *auth) +char *x11_init(Socket * s, char *display, void *c, void *auth, + const char *peeraddr, int peerport, const Config *cfg) { static const struct plug_function_table fn_table = { x11_closing, @@ -172,18 +259,26 @@ char *x11_init(Socket * s, char *display, void *c, void *auth) displaynum = 0; /* sensible default */ if (n > sizeof(host) - 1) n = sizeof(host) - 1; - strncpy(host, display, n); - host[n] = '\0'; + if (n > 0) { + strncpy(host, display, n); + host[n] = '\0'; + } else { + /* + * Local display numbers, particularly on Unix, often omit + * the display part completely. + */ + strcpy(host, "localhost"); + } + + port = 6000 + displaynum; /* * Try to find host. */ - addr = sk_namelookup(host, &dummy_realhost); - if ((err = sk_addr_error(addr))) + addr = name_lookup(host, port, &dummy_realhost, cfg); + if ((err = sk_addr_error(addr)) != NULL) return err; - port = 6000 + displaynum; - /* * Open socket. */ @@ -196,12 +291,28 @@ char *x11_init(Socket * s, char *display, void *c, void *auth) pr->throttled = pr->throttle_override = 0; pr->c = c; - pr->s = *s = new_connection(addr, dummy_realhost, port, 0, 1, 0, (Plug) pr); - if ((err = sk_socket_error(*s))) { + pr->s = *s = new_connection(addr, dummy_realhost, port, + 0, 1, 0, (Plug) pr, cfg); + if ((err = sk_socket_error(*s)) != NULL) { sfree(pr); return err; } + /* + * See if we can make sense of the peer address we were given. + */ + { + int i[4]; + if (peeraddr && + 4 == sscanf(peeraddr, "%d.%d.%d.%d", i+0, i+1, i+2, i+3)) { + pr->peer_ip = (i[0] << 24) | (i[1] << 16) | (i[2] << 8) | i[3]; + pr->peer_port = peerport; + } else { + pr->peer_ip = 0; + pr->peer_port = -1; + } + } + sk_set_private_ptr(*s, pr); sk_addr_free(addr); return NULL; @@ -274,7 +385,7 @@ int x11_send(Socket s, char *data, int len) pr->auth_dsize = (pr->auth_dlen + 3) & ~3; /* Leave room for a terminating zero, to make our lives easier. */ pr->auth_protocol = (char *) smalloc(pr->auth_psize + 1); - pr->auth_data = (char *) smalloc(pr->auth_dsize); + pr->auth_data = (unsigned char *) smalloc(pr->auth_dsize); } /* @@ -292,41 +403,87 @@ int x11_send(Socket s, char *data, int len) * If we haven't verified the authentication, do so now. */ if (!pr->verified) { - int ret; + char *err; pr->auth_protocol[pr->auth_plen] = '\0'; /* ASCIZ */ - ret = x11_verify(pr->auth, pr->auth_protocol, + err = x11_verify(pr->peer_ip, pr->peer_port, + pr->auth, pr->auth_protocol, pr->auth_data, pr->auth_dlen); /* * If authentication failed, construct and send an error * packet, then terminate the connection. */ - if (!ret) { - char message[] = "Authentication failed at PuTTY X11 proxy"; - unsigned char reply[8 + sizeof(message) + 4]; - int msglen = sizeof(message) - 1; /* skip zero byte */ - int msgsize = (msglen + 3) & ~3; + if (err) { + char *message; + int msglen, msgsize; + unsigned char *reply; + + message = dupprintf("PuTTY X11 proxy: %s", err); + msglen = strlen(message); + reply = smalloc(8 + msglen+1 + 4); /* include zero byte */ + msgsize = (msglen + 3) & ~3; reply[0] = 0; /* failure */ reply[1] = msglen; /* length of reason string */ memcpy(reply + 2, pr->firstpkt + 2, 4); /* major/minor proto vsn */ PUT_16BIT(pr->firstpkt[0], reply + 6, msgsize >> 2);/* data len */ memset(reply + 8, 0, msgsize); memcpy(reply + 8, message, msglen); - sshfwd_write(pr->c, reply, 8 + msgsize); + sshfwd_write(pr->c, (char *)reply, 8 + msgsize); sshfwd_close(pr->c); x11_close(s); + sfree(reply); + sfree(message); return 0; } /* * Now we know we're going to accept the connection. Strip - * the auth data. (TODO: if we ever work out how, we should - * replace some real auth data in here.) + * the fake auth data, and optionally put real auth data in + * instead. */ - PUT_16BIT(pr->firstpkt[0], pr->firstpkt + 6, 0); /* auth proto */ - PUT_16BIT(pr->firstpkt[0], pr->firstpkt + 8, 0); /* auth data */ - sk_write(s, pr->firstpkt, 12); + { + char realauthdata[64]; + int realauthlen = 0; + int authstrlen = strlen(x11_authnames[pr->auth->realproto]); + unsigned long ip; + int port; + static const char zeroes[4] = { 0,0,0,0 }; + + if (pr->auth->realproto == X11_MIT) { + assert(pr->auth->reallen <= lenof(realauthdata)); + realauthlen = pr->auth->reallen; + memcpy(realauthdata, pr->auth->realdata, realauthlen); + } else if (pr->auth->realproto == X11_XDM && + pr->auth->reallen == 16 && + sk_getxdmdata(s, &ip, &port)) { + time_t t; + realauthlen = 24; + memset(realauthdata, 0, 24); + memcpy(realauthdata, pr->auth->realdata, 8); + PUT_32BIT_MSB_FIRST(realauthdata+8, ip); + PUT_16BIT_MSB_FIRST(realauthdata+12, port); + t = time(NULL); + PUT_32BIT_MSB_FIRST(realauthdata+14, t); + des_encrypt_xdmauth(pr->auth->realdata+9, + (unsigned char *)realauthdata, 24); + } + /* implement other auth methods here if required */ + + PUT_16BIT(pr->firstpkt[0], pr->firstpkt + 6, authstrlen); + PUT_16BIT(pr->firstpkt[0], pr->firstpkt + 8, realauthlen); + + sk_write(s, (char *)pr->firstpkt, 12); + + if (authstrlen) { + sk_write(s, x11_authnames[pr->auth->realproto], authstrlen); + sk_write(s, zeroes, 3 & (-authstrlen)); + } + if (realauthlen) { + sk_write(s, realauthdata, realauthlen); + sk_write(s, zeroes, 3 & (-realauthlen)); + } + } pr->verified = 1; }