2003-05-06 19:52:31 +00:00
|
|
|
/*
|
|
|
|
* uxproxy.c: Unix implementation of platform_new_connection(),
|
|
|
|
* supporting an OpenSSH-like proxy command.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <assert.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
|
|
|
#include "tree234.h"
|
|
|
|
#include "putty.h"
|
|
|
|
#include "network.h"
|
2021-10-30 10:02:28 +00:00
|
|
|
#include "proxy/proxy.h"
|
2003-05-06 19:52:31 +00:00
|
|
|
|
Get rid of lots of implicit pointer types.
All the main backend structures - Ssh, Telnet, Pty, Serial etc - now
describe structure types themselves rather than pointers to them. The
same goes for the codebase-wide trait types Socket and Plug, and the
supporting types SockAddr and Pinger.
All those things that were typedefed as pointers are older types; the
newer ones have the explicit * at the point of use, because that's
what I now seem to be preferring. But whichever one of those is
better, inconsistently using a mixture of the two styles is worse, so
let's make everything consistent.
A few types are still implicitly pointers, such as Bignum and some of
the GSSAPI types; generally this is either because they have to be
void *, or because they're typedefed differently on different
platforms and aren't always pointers at all. Can't be helped. But I've
got rid of the main ones, at least.
2018-10-04 18:10:23 +00:00
|
|
|
Socket *platform_new_connection(SockAddr *addr, const char *hostname,
|
Convert a lot of 'int' variables to 'bool'.
My normal habit these days, in new code, is to treat int and bool as
_almost_ completely separate types. I'm still willing to use C's
implicit test for zero on an integer (e.g. 'if (!blob.len)' is fine,
no need to spell it out as blob.len != 0), but generally, if a
variable is going to be conceptually a boolean, I like to declare it
bool and assign to it using 'true' or 'false' rather than 0 or 1.
PuTTY is an exception, because it predates the C99 bool, and I've
stuck to its existing coding style even when adding new code to it.
But it's been annoying me more and more, so now that I've decided C99
bool is an acceptable thing to require from our toolchain in the first
place, here's a quite thorough trawl through the source doing
'boolification'. Many variables and function parameters are now typed
as bool rather than int; many assignments of 0 or 1 to those variables
are now spelled 'true' or 'false'.
I managed this thorough conversion with the help of a custom clang
plugin that I wrote to trawl the AST and apply heuristics to point out
where things might want changing. So I've even managed to do a decent
job on parts of the code I haven't looked at in years!
To make the plugin's work easier, I pushed platform front ends
generally in the direction of using standard 'bool' in preference to
platform-specific boolean types like Windows BOOL or GTK's gboolean;
I've left the platform booleans in places they _have_ to be for the
platform APIs to work right, but variables only used by my own code
have been converted wherever I found them.
In a few places there are int values that look very like booleans in
_most_ of the places they're used, but have a rarely-used third value,
or a distinction between different nonzero values that most users
don't care about. In these cases, I've _removed_ uses of 'true' and
'false' for the return values, to emphasise that there's something
more subtle going on than a simple boolean answer:
- the 'multisel' field in dialog.h's list box structure, for which
the GTK front end in particular recognises a difference between 1
and 2 but nearly everything else treats as boolean
- the 'urgent' parameter to plug_receive, where 1 vs 2 tells you
something about the specific location of the urgent pointer, but
most clients only care about 0 vs 'something nonzero'
- the return value of wc_match, where -1 indicates a syntax error in
the wildcard.
- the return values from SSH-1 RSA-key loading functions, which use
-1 for 'wrong passphrase' and 0 for all other failures (so any
caller which already knows it's not loading an _encrypted private_
key can treat them as boolean)
- term->esc_query, and the 'query' parameter in toggle_mode in
terminal.c, which _usually_ hold 0 for ESC[123h or 1 for ESC[?123h,
but can also hold -1 for some other intervening character that we
don't support.
In a few places there's an integer that I haven't turned into a bool
even though it really _can_ only take values 0 or 1 (and, as above,
tried to make the call sites consistent in not calling those values
true and false), on the grounds that I thought it would make it more
confusing to imply that the 0 value was in some sense 'negative' or
bad and the 1 positive or good:
- the return value of plug_accepting uses the POSIXish convention of
0=success and nonzero=error; I think if I made it bool then I'd
also want to reverse its sense, and that's a job for a separate
piece of work.
- the 'screen' parameter to lineptr() in terminal.c, where 0 and 1
represent the default and alternate screens. There's no obvious
reason why one of those should be considered 'true' or 'positive'
or 'success' - they're just indices - so I've left it as int.
ssh_scp_recv had particularly confusing semantics for its previous int
return value: its call sites used '<= 0' to check for error, but it
never actually returned a negative number, just 0 or 1. Now the
function and its call sites agree that it's a bool.
In a couple of places I've renamed variables called 'ret', because I
don't like that name any more - it's unclear whether it means the
return value (in preparation) for the _containing_ function or the
return value received from a subroutine call, and occasionally I've
accidentally used the same variable for both and introduced a bug. So
where one of those got in my way, I've renamed it to 'toret' or 'retd'
(the latter short for 'returned') in line with my usual modern
practice, but I haven't done a thorough job of finding all of them.
Finally, one amusing side effect of doing this is that I've had to
separate quite a few chained assignments. It used to be perfectly fine
to write 'a = b = c = TRUE' when a,b,c were int and TRUE was just a
the 'true' defined by stdbool.h, that idiom provokes a warning from
gcc: 'suggest parentheses around assignment used as truth value'!
2018-11-02 19:23:19 +00:00
|
|
|
int port, bool privport,
|
|
|
|
bool oobinline, bool nodelay, bool keepalive,
|
2021-12-21 13:35:51 +00:00
|
|
|
Plug *plug, Conf *conf, Interactor *itr)
|
2003-05-06 19:52:31 +00:00
|
|
|
{
|
|
|
|
char *cmd;
|
|
|
|
|
2015-11-22 11:50:37 +00:00
|
|
|
int to_cmd_pipe[2], from_cmd_pipe[2], cmd_err_pipe[2], pid, proxytype;
|
2018-10-07 13:55:32 +00:00
|
|
|
int infd, outfd, inerrfd;
|
2003-05-06 19:52:31 +00:00
|
|
|
|
2015-10-17 13:06:06 +00:00
|
|
|
proxytype = conf_get_int(conf, CONF_proxy_type);
|
|
|
|
if (proxytype != PROXY_CMD && proxytype != PROXY_FUZZ)
|
2019-09-08 19:29:00 +00:00
|
|
|
return NULL;
|
2003-05-06 19:52:31 +00:00
|
|
|
|
2015-10-17 13:06:06 +00:00
|
|
|
if (proxytype == PROXY_CMD) {
|
Support interactive password prompts in Telnet proxy.
The Telnet proxy system is not a proper network protocol - we have no
reliable way to receive communication from the proxy telling us
whether a password is even required. However, we _do_ know (a) whether
the keywords '%user' or '%pass' appeared in the format string stored
in the Conf, and (b) whether we actually had a username or a password
to substitute into them. So that's how we know whether to ask for a
username or a password: if the format string asks for them and the
Conf doesn't provide them, we prompt for them at startup.
This involved turning TelnetProxyNegotiator into a coroutine (matching
all the other proxy types, but previously, it was the only one simple
enough not to need to be one), so that it can wait until a response
arrives to that prompt. (And also, as it turned out, so that it can
wait until setup is finished before even presenting the prompt!)
It also involves having format_telnet_command grow an extra output
parameter, in the form of 'unsigned *flags', with which it can
communicate back to the caller that a username or password was wanted
but not found. The other clients of that function (the local proxy
implementations) don't use those flags, but if necessary, they could.
2021-11-19 16:03:22 +00:00
|
|
|
cmd = format_telnet_command(addr, port, conf, NULL);
|
2015-10-17 13:06:06 +00:00
|
|
|
|
2015-11-22 12:15:52 +00:00
|
|
|
{
|
|
|
|
char *logmsg = dupprintf("Starting local proxy command: %s", cmd);
|
2020-02-07 19:17:45 +00:00
|
|
|
plug_log(plug, PLUGLOG_PROXY_MSG, NULL, 0, logmsg, 0);
|
2015-11-22 12:15:52 +00:00
|
|
|
sfree(logmsg);
|
|
|
|
}
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
/*
|
|
|
|
* Create the pipes to the proxy command, and spawn the proxy
|
|
|
|
* command process.
|
|
|
|
*/
|
|
|
|
if (pipe(to_cmd_pipe) < 0 ||
|
|
|
|
pipe(from_cmd_pipe) < 0 ||
|
Remove FLAG_STDERR completely.
Originally, it controlled whether ssh.c should send terminal messages
(such as login and password prompts) to terminal.c or to stderr. But
we've had the from_backend() abstraction for ages now, which even has
an existing flag to indicate that the data is stderr rather than
stdout data; applications which set FLAG_STDERR are precisely those
that link against uxcons or wincons, so from_backend will do the
expected thing anyway with data sent to it with that flag set. So
there's no reason ssh.c can't just unconditionally pass everything
through that, and remove the special case.
FLAG_STDERR was also used by winproxy and uxproxy to decide whether to
capture standard error from a local proxy command, or whether to let
the proxy command send its diagnostics directly to the usual standard
error. On reflection, I think it's better to unconditionally capture
the proxy's stderr, for three reasons. Firstly, it means proxy
diagnostics are prefixed with 'proxy:' so that you can tell them apart
from any other stderr spew (which used to be particularly confusing if
both the main application and the proxy command were instances of
Plink); secondly, proxy diagnostics are now reliably copied to packet
log files along with all the other Event Log entries, even by
command-line tools; and thirdly, this means the option to suppress
proxy command diagnostics after the main session starts will actually
_work_ in the command-line tools, which it previously couldn't.
A more minor structure change is that copying of Event Log messages to
stderr in verbose mode is now done by wincons/uxcons, instead of
centrally in logging.c (since logging.c can now no longer check
FLAG_STDERR to decide whether to do it). The total amount of code to
do this is considerably smaller than the defensive-sounding comment in
logevent.c explaining why I did it the other way instead :-)
2018-09-21 15:15:49 +00:00
|
|
|
pipe(cmd_err_pipe) < 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
sfree(cmd);
|
2018-10-07 13:55:32 +00:00
|
|
|
return new_error_socket_fmt(plug, "pipe: %s", strerror(errno));
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
cloexec(to_cmd_pipe[1]);
|
|
|
|
cloexec(from_cmd_pipe[0]);
|
Remove FLAG_STDERR completely.
Originally, it controlled whether ssh.c should send terminal messages
(such as login and password prompts) to terminal.c or to stderr. But
we've had the from_backend() abstraction for ages now, which even has
an existing flag to indicate that the data is stderr rather than
stdout data; applications which set FLAG_STDERR are precisely those
that link against uxcons or wincons, so from_backend will do the
expected thing anyway with data sent to it with that flag set. So
there's no reason ssh.c can't just unconditionally pass everything
through that, and remove the special case.
FLAG_STDERR was also used by winproxy and uxproxy to decide whether to
capture standard error from a local proxy command, or whether to let
the proxy command send its diagnostics directly to the usual standard
error. On reflection, I think it's better to unconditionally capture
the proxy's stderr, for three reasons. Firstly, it means proxy
diagnostics are prefixed with 'proxy:' so that you can tell them apart
from any other stderr spew (which used to be particularly confusing if
both the main application and the proxy command were instances of
Plink); secondly, proxy diagnostics are now reliably copied to packet
log files along with all the other Event Log entries, even by
command-line tools; and thirdly, this means the option to suppress
proxy command diagnostics after the main session starts will actually
_work_ in the command-line tools, which it previously couldn't.
A more minor structure change is that copying of Event Log messages to
stderr in verbose mode is now done by wincons/uxcons, instead of
centrally in logging.c (since logging.c can now no longer check
FLAG_STDERR to decide whether to do it). The total amount of code to
do this is considerably smaller than the defensive-sounding comment in
logevent.c explaining why I did it the other way instead :-)
2018-09-21 15:15:49 +00:00
|
|
|
cloexec(cmd_err_pipe[0]);
|
2015-10-17 13:06:06 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
pid = fork();
|
2018-10-07 13:55:32 +00:00
|
|
|
if (pid == 0) {
|
2019-09-08 19:29:00 +00:00
|
|
|
close(0);
|
|
|
|
close(1);
|
|
|
|
dup2(to_cmd_pipe[0], 0);
|
|
|
|
dup2(from_cmd_pipe[1], 1);
|
|
|
|
close(to_cmd_pipe[0]);
|
|
|
|
close(from_cmd_pipe[1]);
|
Remove FLAG_STDERR completely.
Originally, it controlled whether ssh.c should send terminal messages
(such as login and password prompts) to terminal.c or to stderr. But
we've had the from_backend() abstraction for ages now, which even has
an existing flag to indicate that the data is stderr rather than
stdout data; applications which set FLAG_STDERR are precisely those
that link against uxcons or wincons, so from_backend will do the
expected thing anyway with data sent to it with that flag set. So
there's no reason ssh.c can't just unconditionally pass everything
through that, and remove the special case.
FLAG_STDERR was also used by winproxy and uxproxy to decide whether to
capture standard error from a local proxy command, or whether to let
the proxy command send its diagnostics directly to the usual standard
error. On reflection, I think it's better to unconditionally capture
the proxy's stderr, for three reasons. Firstly, it means proxy
diagnostics are prefixed with 'proxy:' so that you can tell them apart
from any other stderr spew (which used to be particularly confusing if
both the main application and the proxy command were instances of
Plink); secondly, proxy diagnostics are now reliably copied to packet
log files along with all the other Event Log entries, even by
command-line tools; and thirdly, this means the option to suppress
proxy command diagnostics after the main session starts will actually
_work_ in the command-line tools, which it previously couldn't.
A more minor structure change is that copying of Event Log messages to
stderr in verbose mode is now done by wincons/uxcons, instead of
centrally in logging.c (since logging.c can now no longer check
FLAG_STDERR to decide whether to do it). The total amount of code to
do this is considerably smaller than the defensive-sounding comment in
logevent.c explaining why I did it the other way instead :-)
2018-09-21 15:15:49 +00:00
|
|
|
dup2(cmd_err_pipe[1], 2);
|
2019-09-08 19:29:00 +00:00
|
|
|
noncloexec(0);
|
|
|
|
noncloexec(1);
|
|
|
|
execl("/bin/sh", "sh", "-c", cmd, (void *)NULL);
|
|
|
|
_exit(255);
|
|
|
|
}
|
2003-05-06 19:52:31 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
sfree(cmd);
|
2009-08-21 21:16:22 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
if (pid < 0)
|
2018-10-07 13:55:32 +00:00
|
|
|
return new_error_socket_fmt(plug, "fork: %s", strerror(errno));
|
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
close(to_cmd_pipe[0]);
|
|
|
|
close(from_cmd_pipe[1]);
|
Remove FLAG_STDERR completely.
Originally, it controlled whether ssh.c should send terminal messages
(such as login and password prompts) to terminal.c or to stderr. But
we've had the from_backend() abstraction for ages now, which even has
an existing flag to indicate that the data is stderr rather than
stdout data; applications which set FLAG_STDERR are precisely those
that link against uxcons or wincons, so from_backend will do the
expected thing anyway with data sent to it with that flag set. So
there's no reason ssh.c can't just unconditionally pass everything
through that, and remove the special case.
FLAG_STDERR was also used by winproxy and uxproxy to decide whether to
capture standard error from a local proxy command, or whether to let
the proxy command send its diagnostics directly to the usual standard
error. On reflection, I think it's better to unconditionally capture
the proxy's stderr, for three reasons. Firstly, it means proxy
diagnostics are prefixed with 'proxy:' so that you can tell them apart
from any other stderr spew (which used to be particularly confusing if
both the main application and the proxy command were instances of
Plink); secondly, proxy diagnostics are now reliably copied to packet
log files along with all the other Event Log entries, even by
command-line tools; and thirdly, this means the option to suppress
proxy command diagnostics after the main session starts will actually
_work_ in the command-line tools, which it previously couldn't.
A more minor structure change is that copying of Event Log messages to
stderr in verbose mode is now done by wincons/uxcons, instead of
centrally in logging.c (since logging.c can now no longer check
FLAG_STDERR to decide whether to do it). The total amount of code to
do this is considerably smaller than the defensive-sounding comment in
logevent.c explaining why I did it the other way instead :-)
2018-09-21 15:15:49 +00:00
|
|
|
close(cmd_err_pipe[1]);
|
2003-05-06 19:52:31 +00:00
|
|
|
|
2019-09-08 19:29:00 +00:00
|
|
|
outfd = to_cmd_pipe[1];
|
|
|
|
infd = from_cmd_pipe[0];
|
|
|
|
inerrfd = cmd_err_pipe[0];
|
2015-10-17 13:06:06 +00:00
|
|
|
} else {
|
Support interactive password prompts in Telnet proxy.
The Telnet proxy system is not a proper network protocol - we have no
reliable way to receive communication from the proxy telling us
whether a password is even required. However, we _do_ know (a) whether
the keywords '%user' or '%pass' appeared in the format string stored
in the Conf, and (b) whether we actually had a username or a password
to substitute into them. So that's how we know whether to ask for a
username or a password: if the format string asks for them and the
Conf doesn't provide them, we prompt for them at startup.
This involved turning TelnetProxyNegotiator into a coroutine (matching
all the other proxy types, but previously, it was the only one simple
enough not to need to be one), so that it can wait until a response
arrives to that prompt. (And also, as it turned out, so that it can
wait until setup is finished before even presenting the prompt!)
It also involves having format_telnet_command grow an extra output
parameter, in the form of 'unsigned *flags', with which it can
communicate back to the caller that a username or password was wanted
but not found. The other clients of that function (the local proxy
implementations) don't use those flags, but if necessary, they could.
2021-11-19 16:03:22 +00:00
|
|
|
cmd = format_telnet_command(addr, port, conf, NULL);
|
2019-09-08 19:29:00 +00:00
|
|
|
outfd = open("/dev/null", O_WRONLY);
|
|
|
|
if (outfd == -1) {
|
|
|
|
sfree(cmd);
|
|
|
|
return new_error_socket_fmt(
|
2018-10-07 13:55:32 +00:00
|
|
|
plug, "/dev/null: %s", strerror(errno));
|
2019-09-08 19:29:00 +00:00
|
|
|
}
|
|
|
|
infd = open(cmd, O_RDONLY);
|
|
|
|
if (infd == -1) {
|
2019-05-04 14:47:33 +00:00
|
|
|
Socket *toret = new_error_socket_fmt(
|
|
|
|
plug, "%s: %s", cmd, strerror(errno));
|
2019-09-08 19:29:00 +00:00
|
|
|
sfree(cmd);
|
2019-05-04 14:47:33 +00:00
|
|
|
close(outfd);
|
2019-09-08 19:29:00 +00:00
|
|
|
return toret;
|
|
|
|
}
|
|
|
|
sfree(cmd);
|
|
|
|
inerrfd = -1;
|
2015-10-17 13:06:06 +00:00
|
|
|
}
|
2003-05-06 19:52:31 +00:00
|
|
|
|
2021-09-13 13:34:46 +00:00
|
|
|
return make_fd_socket(infd, outfd, inerrfd, addr, port, plug);
|
2003-05-06 19:52:31 +00:00
|
|
|
}
|