diff --new-file -ru openssh-6.0p1-4+deb7u2/Makefile.in openssh-6.0p1-4+deb7u2-http-hybrid/Makefile.in --- openssh-6.0p1-4+deb7u2/Makefile.in 2017-01-29 02:58:47.000000000 +0800 +++ openssh-6.0p1-4+deb7u2-http-hybrid/Makefile.in 2017-10-04 18:25:27.000000000 +0800 @@ -94,7 +94,8 @@ sftp-server.o sftp-common.o \ roaming_common.o roaming_serv.o \ sandbox.o sandbox-null.o sandbox-rlimit.o sandbox-systrace.o \ - sandbox-darwin.o sandbox-seccomp-filter.o + sandbox-darwin.o sandbox-seccomp-filter.o \ + forward.o MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-vulnkey.1.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-vulnkey.1 sshd_config.5 ssh_config.5 diff --new-file -ru openssh-6.0p1-4+deb7u2/forward.c openssh-6.0p1-4+deb7u2-http-hybrid/forward.c --- openssh-6.0p1-4+deb7u2/forward.c 1970-01-01 08:00:00.000000000 +0800 +++ openssh-6.0p1-4+deb7u2-http-hybrid/forward.c 2017-10-04 18:24:16.000000000 +0800 @@ -0,0 +1,99 @@ +/* + * Copyright 2015-2017 Rivoreo + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +//#include "common.h" +#include "includes.h" +#include +#include +#include +#include +#include +#include +//#include "syncrw.h" +#include +#include +#include "log.h" +#include + +static int send_chunk(int wfd, int rfd) { + //fprintf(stderr, "function: send_chunk(%d, %d)\n", wfd, rfd); + char buffer[4096]; + int rs; + do { + rs = read(rfd, buffer, sizeof buffer); + } while(rs < 0 && errno == EINTR); + if(rs < 0) return -1; + if(!rs) return 0; + int wss = 0; + do { + int ws = write(wfd, buffer + wss, rs - wss); + if(ws < 0) { + if(errno == EINTR) continue; + return -1; + } + wss += ws; + } while(wss < rs); + return wss; +} + +int forward(int fd1, int fd2) { + //fprintf(stderr, "function: forward(%d, %d)\n", fd1, fd2); + fd_set fdset; + int max_fd = MAX(fd1, fd2); + int fd1_eof = 0, fd2_eof = 0; + do { + FD_ZERO(&fdset); + if(!fd1_eof) FD_SET(fd1, &fdset); + if(!fd2_eof) FD_SET(fd2, &fdset); + switch(select(max_fd + 1, &fdset, NULL, NULL, NULL)) { + case -1: + if(errno == EINTR) continue; + //perror("select"); + logit("%s: select: %s", __func__, strerror(errno)); + return -1; + case 0: + continue; + default: + if(FD_ISSET(fd1, &fdset)) { + switch(send_chunk(fd2, fd1)) { + case -1: + return -1; + case 0: + fd1_eof = 1; + break; + } + } else if(FD_ISSET(fd2, &fdset)) { + switch(send_chunk(fd1, fd2)) { + case -1: + return -1; + case 0: + fd2_eof = 1; + break; + } + } + } + //} while(!fd1_eof || !fd2_eof); + } while(!fd1_eof && !fd2_eof); + return 0; +} diff --new-file -ru openssh-6.0p1-4+deb7u2/servconf.c openssh-6.0p1-4+deb7u2-http-hybrid/servconf.c --- openssh-6.0p1-4+deb7u2/servconf.c 2017-01-29 02:58:47.000000000 +0800 +++ openssh-6.0p1-4+deb7u2-http-hybrid/servconf.c 2017-10-06 22:47:59.962604373 +0800 @@ -143,6 +143,12 @@ options->ip_qos_interactive = -1; options->ip_qos_bulk = -1; options->debian_banner = -1; + options->use_http_hybrid = -1; + options->http_hybrid_port_count = 0; + options->http_hybrid_target_address = NULL; + options->http_hybrid_target_port = -1; + options->http_hybrid_protocol_timeout = -1; + options->http_hybrid_send_x_forwarded_for = -1; } void @@ -293,6 +299,13 @@ if (options->debian_banner == -1) options->debian_banner = 1; + if(options->use_http_hybrid == -1) options->use_http_hybrid = 0; + if(options->http_hybrid_port_count == 0) options->use_http_hybrid = 0; + if(options->http_hybrid_target_address == NULL) options->use_http_hybrid = 0; + if(options->http_hybrid_target_port == -1) options->http_hybrid_target_port = 80; // ? + if(options->http_hybrid_protocol_timeout == -1) options->http_hybrid_protocol_timeout = 1000000; + if(options->http_hybrid_send_x_forwarded_for == -1) options->http_hybrid_send_x_forwarded_for = 1; + /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = PRIVSEP_ON; @@ -342,6 +355,8 @@ sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, sKexAlgorithms, sIPQoS, sDebianBanner, + sUseHTTPHybrid, sHTTPHybridPort, sHTTPHybridTarget, + sHTTPHybridProtocolTimeout, sHTTPHybridSendXForwardedFor, sDeprecated, sUnsupported } ServerOpCodes; @@ -478,6 +493,11 @@ { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL }, { "ipqos", sIPQoS, SSHCFG_ALL }, { "debianbanner", sDebianBanner, SSHCFG_GLOBAL }, + { "usehttphybrid", sUseHTTPHybrid, SSHCFG_GLOBAL }, + { "httphybridport", sHTTPHybridPort, SSHCFG_GLOBAL }, + { "httphybridtarget", sHTTPHybridTarget, SSHCFG_GLOBAL }, + { "httphybridprotocoltimeout", sHTTPHybridProtocolTimeout, SSHCFG_GLOBAL }, + { "httphybridsendxforwardedfor", sHTTPHybridSendXForwardedFor, SSHCFG_GLOBAL }, { NULL, sBadOption, 0 } }; @@ -752,6 +772,7 @@ u_int i, flags = 0; size_t len; const struct multistate *multistate_ptr; + int port_arg_from_http_hybrid = 0; cp = line; if ((arg = strdelim(&cp)) == NULL) @@ -792,6 +813,7 @@ case sBadOption: return -1; case sPort: + add_port: /* ignore ports from configfile if cmdline specifies ports */ if (options->ports_from_cmdline) return 0; @@ -801,10 +823,12 @@ if (options->num_ports >= MAX_PORTS) fatal("%s line %d: too many ports.", filename, linenum); - arg = strdelim(&cp); - if (!arg || *arg == '\0') - fatal("%s line %d: missing port number.", - filename, linenum); + if(!port_arg_from_http_hybrid) { + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing port number.", + filename, linenum); + } options->ports[options->num_ports++] = a2port(arg); if (options->ports[options->num_ports-1] <= 0) fatal("%s line %d: Badly formatted port number.", @@ -1445,6 +1469,71 @@ intptr = &options->debian_banner; goto parse_int; + case sUseHTTPHybrid: + intptr = &options->use_http_hybrid; + goto parse_flag; + + case sHTTPHybridPort: +#if 0 + /* ignore ports from configfile if cmdline specifies ports */ + if (options->ports_from_cmdline) + return 0; + if (options->listen_addrs != NULL) + fatal("%s line %d: ports must be specified before " + "ListenAddress.", filename, linenum); + if (options->num_ports >= MAX_PORTS) + fatal("%s line %d: too many ports.", + filename, linenum); + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing port number.", + filename, linenum); + options->ports[options->num_ports++] = a2port(arg); + if (options->ports[options->num_ports-1] <= 0) + fatal("%s line %d: Badly formatted port number.", + filename, linenum); + break; +#else + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing port number.", + filename, linenum); + options->http_hybrid_ports[options->http_hybrid_port_count++] = a2port(arg); + port_arg_from_http_hybrid = 1; + goto add_port; +#endif + + case sHTTPHybridTarget: + arg = strdelim(&cp); + if (arg == NULL || *arg == '\0') + fatal("%s line %d: missing address", + filename, linenum); + p = hpdelim(&arg); + if (p == NULL) + fatal("%s line %d: bad address:port usage", + filename, linenum); + p = cleanhostname(p); + options->http_hybrid_target_address = xstrdup(p); + if (arg == NULL) { + fatal("%s line %d: missing port number", filename, linenum); + }/* else if ((port = a2port(arg)) <= 0) { + fatal("%s line %d: bad port number", filename, linenum); + }*/ + //options->http_hybird_target_port = port; + options->http_hybrid_target_port = a2port(arg); + if(options->http_hybrid_target_port <= 0) { + fatal("%s line %d: bad port number", filename, linenum); + } + break; + + case sHTTPHybridProtocolTimeout: + intptr = &options->http_hybrid_protocol_timeout; + goto parse_int; + + case sHTTPHybridSendXForwardedFor: + intptr = &options->http_hybrid_send_x_forwarded_for; + goto parse_flag; + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); diff --new-file -ru openssh-6.0p1-4+deb7u2/servconf.h openssh-6.0p1-4+deb7u2-http-hybrid/servconf.h --- openssh-6.0p1-4+deb7u2/servconf.h 2017-01-29 02:58:47.000000000 +0800 +++ openssh-6.0p1-4+deb7u2-http-hybrid/servconf.h 2017-10-04 18:24:16.000000000 +0800 @@ -172,6 +172,15 @@ char *revoked_keys_file; char *trusted_user_ca_keys; char *authorized_principals_file; + + int use_http_hybrid; + int http_hybrid_ports[MAX_PORTS]; + u_int http_hybrid_port_count; + //char *http_hybrid_target; + char *http_hybrid_target_address; + int http_hybrid_target_port; + int http_hybrid_protocol_timeout; + int http_hybrid_send_x_forwarded_for; } ServerOptions; /* diff --new-file -ru openssh-6.0p1-4+deb7u2/sshd.c openssh-6.0p1-4+deb7u2-http-hybrid/sshd.c --- openssh-6.0p1-4+deb7u2/sshd.c 2017-01-29 02:58:47.000000000 +0800 +++ openssh-6.0p1-4+deb7u2-http-hybrid/sshd.c 2017-10-06 22:51:45.011589192 +0800 @@ -132,6 +132,8 @@ int deny_severity; #endif /* LIBWRAP */ +#include + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -400,17 +402,176 @@ key_do_regen = 1; } +static int num_in_array(int n, const int *a, size_t len) { + unsigned int i = 0; + while(i < len) if(a[i++] == n) return 1; + return 0; +} + static void sshd_exchange_identification(int sock_in, int sock_out) { - u_int i; + u_int i = 0; int mismatch; int remote_major, remote_minor; int major, minor; char *s, *newline = "\n"; + char read_buf[1024]; /* HTTP header can be large */ char buf[256]; /* Must not be larger than remote_version. */ char remote_version[256]; /* Must be at least as big as buf. */ + if(options.use_http_hybrid && + num_in_array(get_local_port(), options.http_hybrid_ports, options.http_hybrid_port_count)) { + fd_set fdset; + FD_ZERO(&fdset); + FD_SET(sock_in, &fdset); + struct timeval read_timeout = { + .tv_usec = options.http_hybrid_protocol_timeout % 1000000, + .tv_sec = options.http_hybrid_protocol_timeout / 1000000 + }; + //debug3("HTTP hybrid protocol on port %d", get_local_port()); + int n = select(sock_in + 1, &fdset, NULL, NULL, &read_timeout); + if(n < 0) fatal("sshd_exchange_identification: select failed: %s", strerror(errno)); + if(n) { + //char buffer[256]; + int s; + do { + //s = read(sock_in, buffer, sizeof buffer); + s = read(sock_in, read_buf, sizeof read_buf); + } while(n < 0 && errno == EINTR); + if(s < 0) fatal("%s: read failed: %s", __func__, strerror(errno)); + if(!s) fatal("%s: connection from %s:%d closed", __func__, get_remote_ipaddr(), get_remote_port()); + i = s; + if(i > 4 && strncmp(read_buf, "SSH-", 4) && read_buf[i - 1] == '\n' && read_buf[i - 2] == '\r') { + extern int forward(int, int); + int http_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); + if(http_fd == -1) { + fatal("%s: socket: AF_INET,SOCK_STREAM,IPPROTO_TCP: %s", __func__, strerror(errno)); + } + struct addrinfo hints = { + .ai_family = AF_INET, + .ai_socktype = 0, + .ai_protocol = 0 + }; + struct addrinfo *info; + int e = getaddrinfo(options.http_hybrid_target_address, NULL, &hints, &info); + if(e) { + fatal("%s: cannot resolve HTTP server name '%s': %s\n", + __func__, options.http_hybrid_target_address, gai_strerror(e)); + } + struct sockaddr_in http_server_addr = { + .sin_family = AF_INET, + .sin_addr = ((struct sockaddr_in *)info->ai_addr)->sin_addr, + .sin_port = htons(options.http_hybrid_target_port) + }; + freeaddrinfo(info); + debug("Received probably a HTTP protocol from %s:%d to hybrid port %d, connecting to HTTP server %s:%d", + get_remote_ipaddr(), get_remote_port(), get_local_port(), + options.http_hybrid_target_address, options.http_hybrid_target_port); + while(connect(http_fd, (struct sockaddr *)&http_server_addr, sizeof http_server_addr) < 0) { + int e = errno; + if(e == EINTR) continue; + if(e == EINPROGRESS) e = ETIMEDOUT; + fatal("%s: connecting to HTTP server %s:%d: %s", __func__, + options.http_hybrid_target_address, options.http_hybrid_target_port, strerror(e)); + } + if(options.http_hybrid_send_x_forwarded_for) { + char *double_crlf; + while(!(double_crlf = memmem(read_buf, i, "\r\n\r\n", 4))) { + if(i >= sizeof read_buf) { + logit("Out of buffer space while reading HTTP header"); + cleanup_exit(255); + } + s = read(sock_in, read_buf + i, sizeof read_buf - i); + if(s < 0) { + if(errno == EINTR) continue; + fatal("%s: reading HTTP header from client: %s", + __func__, strerror(errno)); + } + i += s; + } + + const char *remote_addr = get_remote_ipaddr(); + size_t remote_addr_len = strlen(remote_addr); + size_t header_size = double_crlf - read_buf; + size_t remaining_size_after_header = i - header_size; + debug3("HTTP header size %zu, remaining data size after header including the double CRLF %zu", + header_size, remaining_size_after_header); + char *xff = memmem(read_buf, header_size, "\r\nX-Forwarded-For:", 18); + if(xff) { + xff += 2; + size_t before_xff_size = xff - read_buf; + if(atomicio(vwrite, http_fd, read_buf, before_xff_size) != before_xff_size) { + logit("Could not write HTTP header to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + char *end_of_xff = memmem(xff, i - before_xff_size, "\r\n", 2); + assert(end_of_xff != NULL); + //end_of_xff += 2; + size_t xff_len = end_of_xff - xff; + size_t new_xff_len = xff_len + 2 + remote_addr_len; + char new_xff[new_xff_len]; + memcpy(new_xff, xff, xff_len); + memcpy(new_xff + xff_len, ", ", 2); + memcpy(new_xff + xff_len + 2, remote_addr, remote_addr_len); + debug3("HTTP client header already have an XFF, len %zu", xff_len); + if(atomicio(vwrite, http_fd, new_xff, new_xff_len) != new_xff_len) { + logit("Could not write X-Forwarded-For header to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + if(end_of_xff != double_crlf) { + size_t remaining_len = i - (end_of_xff - read_buf); + if(atomicio(vwrite, http_fd, end_of_xff, remaining_len) != remaining_len) { + logit("Could not write data after X-Forwarded-For to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + } else if(atomicio(vwrite, http_fd, double_crlf, remaining_size_after_header) != + remaining_size_after_header) { + logit("Could not write remain data after header to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + } else { + debug3("HTTP client did not sent an XFF"); + if(atomicio(vwrite, http_fd, read_buf, header_size) != header_size) { + logit("Could not write HTTP header to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + //size_t xff_len = 19 + remote_addr_len; + //memcpy(xff, "\r\nX-Forwarded-For: ", 19); + //memcpy(xff + 19, remote_addr, remote_addr_len); + if(atomicio(vwrite, http_fd, "\r\nX-Forwarded-For: ", 19) != 19) { + logit("Could not write X-Forwarded-For header to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + if(atomicio(vwrite, http_fd, (void *)remote_addr, remote_addr_len) != remote_addr_len) { + logit("Could not write X-Forwarded-For header to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + if(atomicio(vwrite, http_fd, double_crlf, remaining_size_after_header) != + remaining_size_after_header) { + logit("Could not write remain data after header to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + } + } else if(atomicio(vwrite, http_fd, read_buf, i) != i) { + logit("Could not write to HTTP server %s:%d", + options.http_hybrid_target_address, options.http_hybrid_target_port); + cleanup_exit(255); + } + cleanup_exit(forward(http_fd, sock_out) == 0 ? 0 : 1); + } + //i = s; + } + } + if ((options.protocol & SSH_PROTO_1) && (options.protocol & SSH_PROTO_2)) { major = PROTOCOL_MAJOR_1; @@ -437,28 +598,32 @@ } /* Read other sides version identification. */ - memset(buf, 0, sizeof(buf)); - for (i = 0; i < sizeof(buf) - 1; i++) { - if (roaming_atomicio(read, sock_in, &buf[i], 1) != 1) { + //memset(buf, 0, sizeof(buf)); + if(i > 0 && read_buf[i - 1] == '\n') { + read_buf[i - 1] = 0; + if(i > 1 && read_buf[i - 2] == '\r') read_buf[i - 2] = 0; + } else for (; i < sizeof(read_buf) - 1; i++) { + if (roaming_atomicio(read, sock_in, &read_buf[i], 1) != 1) { logit("Did not receive identification string from %s", get_remote_ipaddr()); cleanup_exit(255); } - if (buf[i] == '\r') { - buf[i] = 0; + if (read_buf[i] == '\r') { + read_buf[i] = 0; /* Kludge for F-Secure Macintosh < 1.0.2 */ if (i == 12 && - strncmp(buf, "SSH-1.5-W1.0", 12) == 0) + strncmp(read_buf, "SSH-1.5-W1.0", 12) == 0) break; continue; } - if (buf[i] == '\n') { - buf[i] = 0; + if (read_buf[i] == '\n') { + read_buf[i] = 0; break; } } - buf[sizeof(buf) - 1] = 0; - client_version_string = xstrdup(buf); + //read_buf[sizeof(read_buf) - 1] = 0; + read_buf[sizeof(remote_version) - 1] = 0; + client_version_string = xstrdup(read_buf); /* * Check that the versions match. In future this might accept diff --new-file -ru openssh-6.0p1-4+deb7u2/sshd_config openssh-6.0p1-4+deb7u2-http-hybrid/sshd_config --- openssh-6.0p1-4+deb7u2/sshd_config 2017-01-29 02:58:47.000000000 +0800 +++ openssh-6.0p1-4+deb7u2-http-hybrid/sshd_config 2017-10-04 22:45:42.252639511 +0800 @@ -117,6 +117,25 @@ # override default of no subsystems Subsystem sftp /usr/libexec/sftp-server +# Change to 'yes' to enable HTTP hybrid ports. +#UseHTTPHybrid no + +# Port number to listen; this option must be set before ListenAddress. +# If you want only hybrid ports, set this option and unset Ports; set this +# option multiple times to listen on more ports. +# The default is no hybrid ports. +#HTTPHybridPort 80 + +# Target HTTP server to forward. HTTP hybrid ports won't active if this is +# left unset. +#HTTPHybridTarget 127.0.0.1:8080 + +# Timeout waiting for HTTP method, before sending SSH version string (usec) +#HTTPHybridProtocolTimeout 1000000 + +# Whatever to send the X-Forwarded-For header to the HTTP server. +#HTTPHybridSendXForwardedFor yes + # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no