1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
|
/*
* Unix implementation of SSH connection-sharing IPC setup.
*/
#include <stdio.h>
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/file.h>
#include "tree234.h"
#include "putty.h"
#include "network.h"
#include "proxy.h"
#include "ssh.h"
#define CONNSHARE_SOCKETDIR_PREFIX "/tmp/putty-connshare"
#define SALT_FILENAME "salt"
#define SALT_SIZE 64
#ifndef PIPE_BUF
#define PIPE_BUF _POSIX_PIPE_BUF
#endif
static char *make_parentdir_name(void)
{
char *username, *parent;
username = get_username();
parent = dupprintf("%s.%s", CONNSHARE_SOCKETDIR_PREFIX, username);
sfree(username);
assert(*parent == '/');
return parent;
}
static char *make_dirname(const char *pi_name, char **logtext)
{
char *name, *parentdirname, *dirname, *err;
/*
* First, create the top-level directory for all shared PuTTY
* connections owned by this user.
*/
parentdirname = make_parentdir_name();
if ((err = make_dir_and_check_ours(parentdirname)) != NULL) {
*logtext = err;
sfree(parentdirname);
return NULL;
}
/*
* Transform the platform-independent version of the connection
* identifier into the name we'll actually use for the directory
* containing the Unix socket.
*
* We do this by hashing the identifier with some user-specific
* secret information, to avoid the privacy leak of having
* "user@host" strings show up in 'netstat -x'. (Irritatingly, the
* full pathname of a Unix-domain socket _does_ show up in the
* 'netstat -x' output, at least on Linux, even if that socket is
* in a directory not readable to the user running netstat. You'd
* think putting things inside an 0700 directory would hide their
* names from other users, but no.)
*
* The secret information we use to salt the hash lives in a file
* inside the top-level directory we just created, so we must
* first create that file (with some fresh random data in it) if
* it's not already been done by a previous PuTTY.
*/
{
unsigned char saltbuf[SALT_SIZE];
char *saltname;
int saltfd, i, ret;
saltname = dupprintf("%s/%s", parentdirname, SALT_FILENAME);
saltfd = open(saltname, O_RDONLY);
if (saltfd < 0) {
char *tmpname;
int pid;
if (errno != ENOENT) {
*logtext = dupprintf("%s: open: %s", saltname,
strerror(errno));
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* The salt file doesn't already exist, so try to create
* it. Another process may be attempting the same thing
* simultaneously, so we must do this carefully: we write
* a salt file under a different name, then hard-link it
* into place, which guarantees that we won't change the
* contents of an existing salt file.
*/
pid = getpid();
for (i = 0;; i++) {
tmpname = dupprintf("%s/%s.tmp.%d.%d",
parentdirname, SALT_FILENAME, pid, i);
saltfd = open(tmpname, O_WRONLY | O_EXCL | O_CREAT, 0400);
if (saltfd >= 0)
break;
if (errno != EEXIST) {
*logtext = dupprintf("%s: open: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
sfree(tmpname); /* go round and try again with i+1 */
}
/*
* Invent some random data.
*/
random_read(saltbuf, SALT_SIZE);
ret = write(saltfd, saltbuf, SALT_SIZE);
/* POSIX atomicity guarantee: because we wrote less than
* PIPE_BUF bytes, the write either completed in full or
* failed. */
assert(SALT_SIZE < PIPE_BUF);
assert(ret < 0 || ret == SALT_SIZE);
if (ret < 0) {
close(saltfd);
*logtext = dupprintf("%s: write: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
if (close(saltfd) < 0) {
*logtext = dupprintf("%s: close: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* Now attempt to hard-link our temp file into place. We
* tolerate EEXIST as an outcome, because that just means
* another PuTTY got their attempt in before we did (and
* we only care that there is a valid salt file we can
* agree on, no matter who created it).
*/
if (link(tmpname, saltname) < 0 && errno != EEXIST) {
*logtext = dupprintf("%s: link: %s", saltname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* Whether that succeeded or not, get rid of our temp file.
*/
if (unlink(tmpname) < 0) {
*logtext = dupprintf("%s: unlink: %s", tmpname,
strerror(errno));
sfree(tmpname);
sfree(saltname);
sfree(parentdirname);
return NULL;
}
/*
* And now we've arranged for there to be a salt file, so
* we can try to open it for reading again and this time
* expect it to work.
*/
sfree(tmpname);
saltfd = open(saltname, O_RDONLY);
if (saltfd < 0) {
*logtext = dupprintf("%s: open: %s", saltname,
strerror(errno));
sfree(saltname);
sfree(parentdirname);
return NULL;
}
}
for (i = 0; i < SALT_SIZE; i++) {
ret = read(saltfd, saltbuf, SALT_SIZE);
if (ret <= 0) {
close(saltfd);
*logtext = dupprintf("%s: read: %s", saltname,
ret == 0 ? "unexpected EOF" :
strerror(errno));
sfree(saltname);
sfree(parentdirname);
return NULL;
}
assert(0 < ret && ret <= SALT_SIZE - i);
i += ret;
}
close(saltfd);
sfree(saltname);
/*
* Now we've got our salt, hash it with the connection
* identifier to produce our actual socket name.
*/
{
unsigned char digest[32];
char retbuf[65];
ssh_hash *h = ssh_hash_new(&ssh_sha256);
put_string(h, saltbuf, SALT_SIZE);
put_stringz(h, pi_name);
ssh_hash_final(h, digest);
/*
* And make it printable.
*/
for (i = 0; i < 32; i++) {
sprintf(retbuf + 2*i, "%02x", digest[i]);
/* the last of those will also write the trailing NUL */
}
name = dupstr(retbuf);
}
smemclr(saltbuf, sizeof(saltbuf));
}
dirname = dupprintf("%s/%s", parentdirname, name);
sfree(parentdirname);
sfree(name);
return dirname;
}
int platform_ssh_share(const char *pi_name, Conf *conf,
Plug *downplug, Plug *upplug, Socket **sock,
char **logtext, char **ds_err, char **us_err,
bool can_upstream, bool can_downstream)
{
char *dirname, *lockname, *sockname, *err;
int lockfd;
Socket *retsock;
/*
* Sort out what we're going to call the directory in which we
* keep the socket. This has the side effect of potentially
* creating its top-level containing dir and/or the salt file
* within that, if they don't already exist.
*/
dirname = make_dirname(pi_name, logtext);
if (!dirname) {
return SHARE_NONE;
}
/*
* Now make sure the subdirectory exists.
*/
if ((err = make_dir_and_check_ours(dirname)) != NULL) {
*logtext = err;
sfree(dirname);
return SHARE_NONE;
}
/*
* Acquire a lock on a file in that directory.
*/
lockname = dupcat(dirname, "/lock");
lockfd = open(lockname, O_CREAT | O_RDWR | O_TRUNC, 0600);
if (lockfd < 0) {
*logtext = dupprintf("%s: open: %s", lockname, strerror(errno));
sfree(dirname);
sfree(lockname);
return SHARE_NONE;
}
if (flock(lockfd, LOCK_EX) < 0) {
*logtext = dupprintf("%s: flock(LOCK_EX): %s",
lockname, strerror(errno));
sfree(dirname);
sfree(lockname);
close(lockfd);
return SHARE_NONE;
}
sockname = dupprintf("%s/socket", dirname);
*logtext = NULL;
if (can_downstream) {
retsock = new_connection(unix_sock_addr(sockname),
"", 0, false, true, false, false,
downplug, conf);
if (sk_socket_error(retsock) == NULL) {
sfree(*logtext);
*logtext = sockname;
*sock = retsock;
sfree(dirname);
sfree(lockname);
close(lockfd);
return SHARE_DOWNSTREAM;
}
sfree(*ds_err);
*ds_err = dupprintf("%s: %s", sockname, sk_socket_error(retsock));
sk_close(retsock);
}
if (can_upstream) {
retsock = new_unix_listener(unix_sock_addr(sockname), upplug);
if (sk_socket_error(retsock) == NULL) {
sfree(*logtext);
*logtext = sockname;
*sock = retsock;
sfree(dirname);
sfree(lockname);
close(lockfd);
return SHARE_UPSTREAM;
}
sfree(*us_err);
*us_err = dupprintf("%s: %s", sockname, sk_socket_error(retsock));
sk_close(retsock);
}
/* One of the above clauses ought to have happened. */
assert(*logtext || *ds_err || *us_err);
sfree(dirname);
sfree(lockname);
sfree(sockname);
close(lockfd);
return SHARE_NONE;
}
void platform_ssh_share_cleanup(const char *name)
{
char *dirname, *filename, *logtext;
dirname = make_dirname(name, &logtext);
if (!dirname) {
sfree(logtext); /* we can't do much with this */
return;
}
filename = dupcat(dirname, "/socket");
remove(filename);
sfree(filename);
filename = dupcat(dirname, "/lock");
remove(filename);
sfree(filename);
rmdir(dirname);
/*
* We deliberately _don't_ clean up the parent directory
* /tmp/putty-connshare.<username>, because if we leave it around
* then it reduces the ability for other users to be a nuisance by
* putting their own directory in the way of it. Also, the salt
* file in it can be reused.
*/
sfree(dirname);
}
|
