src/vsl_ssh.c

Go to the documentation of this file.

/*
 * Copyright 2006, Internet2
 * Legal conditions are in file LICENSE
 * (MD5 = c434f2e53b8089d8b4d0172c7ce07360).
 */

/**
 * @file   vsl_ssh.c
 * @author Nikolaus Rath
 * @brief  Functions to perform SSH Starting Mode handshake
 *
 **/

#include "vsl_ssh.h"
#include "vsl_util.h"
#include "vsl.h"
#include <sys/types.h>
#include <sys/wait.h>
#include <netdb.h>
#include <sys/select.h>
#include <fcntl.h>

//! message containing the secret
struct ssh_msg_secret {
    char magic[P_MAGIC_SIZE];
    unsigned char secret[VSL_KEYLEN];
};

//! message containing the port
struct ssh_msg_port {
    char magic[P_MAGIC_SIZE];
    uint32_t port;
};

/**
 * Fork ssh process to connect to remote host and and start
 * server process.
 *
 * Stores pid and stdin of the ssh process in the socket.
 *
 * @param[in] sock VSL socket to use
 * @param[in] host hostname to connect to
 * @param[in] user username for SSH connection, \c NULL to use current user
 * @param[in] cmd  program name of the server application
 * @param[in] argc  number of arguments in \a argv that are passed to the server application
 * @param[in] argv  arguments that is passed to the server application
 * @return
 *   - 0 on success
 *   - #VSL_ERRNO for all other errors (errno is set accordingly)
 **/
int ssh_fork(vsl_sock* sock, const char* host, const char* user,
             const char* cmd, int argc, const char* const* argv) {

    LOG("attempting to fork ssh...");

    /* Create pipes */
    int stdin_fd[2],
        stderr_fd[2],
        stdout_fd[2];
    if ( pipe(stdin_fd) == -1 ||
         pipe(stderr_fd) == -1 ||
         pipe(stdout_fd) == -1)
        LOGFAIL(VSL_ERRNO, "pipe failed: %s", strerror(err));

    /* Fork & Exec */
    pid_t pid;
    if ( (pid = fork()) == 0 ) {

        // Connect pipe to stdin
        if ( close(stdin_fd[1]) != 0)
            LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
        if ( stdin_fd[0] != STDIN_FILENO ) {
            if ( dup2(stdin_fd[0], STDIN_FILENO) != STDIN_FILENO ) {
                LOG("(child) dup2 failed: %s!", strerror(errno));
                exit(VSL_TEMP);
            }
            if ( close(stdin_fd[0]) != 0)
                LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
        }

        // Connect pipe to stdout
        if ( close(stdout_fd[0]) != 0)
            LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
        if ( stdout_fd[1] != STDOUT_FILENO) {
            if ( dup2(stdout_fd[1], STDOUT_FILENO) != STDOUT_FILENO ) {
                LOG("(child) dup2 failed: %s", strerror(errno));
                exit(VSL_TEMP);
            }
            if ( close(stdout_fd[1]) != 0)
                LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
        }

        // Connect pipe to stderr
        if ( close(stderr_fd[0]) != 0)
            LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
        if ( stderr_fd[1] != STDERR_FILENO ) {
            if ( dup2(stderr_fd[1], STDERR_FILENO) != STDERR_FILENO ) {
                LOG("(child) dup2 failed: %s", strerror(errno));
                exit(VSL_TEMP);
            }
            if ( close(stderr_fd[1]) != 0)
                LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
        }

        // Call ssh
        const char *tot_argv[7 + argc];
        int cur = 0;
        tot_argv[cur++] = "ssh";
        tot_argv[cur++] = "-T";
        if (user != NULL) {
            tot_argv[cur++] = "-l";
            tot_argv[cur++] = user;
        }
        tot_argv[cur++] = host;
        tot_argv[cur++] = cmd;
        for  (int i=0; i < argc; i++)
            tot_argv[cur++] = argv[i];
        tot_argv[cur++] = NULL;

        LOG("(child) exec'ing ssh...");
        execvp("ssh", (char *const*) tot_argv);
        LOG("(child) exec failed: %s", strerror(errno));
        exit(VSL_PERM);
    }

    else if(pid == -1)
        LOGFAIL(VSL_ERRNO, "fork failed: %s", strerror(err));

    /* close fds */
    if ( close(stdin_fd[0]) != 0 ||
         close(stdout_fd[1]) != 0 ||
         close(stderr_fd[1]) != 0 )
        LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
    sock->ssh_pid = pid;
    sock->ssh_stdin_fd = stdin_fd[1];
    sock->ssh_stdout_fd = stdout_fd[0];
    sock->ssh_stderr_fd = stderr_fd[0];

    /* Set Nonblocking Flags */
    if (!is_blocking(sock)) {
        long fdflags;
        if ( (fdflags = fcntl(sock->ssh_stdin_fd, F_GETFL, 0)) < 0 ||
             fcntl(sock->ssh_stdin_fd, F_SETFL, fdflags | O_NONBLOCK) < 0 ||
             (fdflags = fcntl(sock->ssh_stdout_fd, F_GETFL, 0)) < 0 ||
             fcntl(sock->ssh_stdout_fd, F_SETFL, fdflags | O_NONBLOCK) < 0 ||
             (fdflags = fcntl(sock->ssh_stderr_fd, F_GETFL, 0)) < 0 ||
             fcntl(sock->ssh_stderr_fd, F_SETFL, fdflags | O_NONBLOCK) < 0 )
            LOGFAIL(VSL_ERRNO, "fcntl failed: %s", strerror(err));
    }


    LOG("ssh forked successfully.");
    return(0);
}

/**
 * Sends the secret over the ssh connection.
 *
 * \param[in] sock socket to use
 * \param[in] secret secret to send (length VSL_KEYLENGTH)
 * \return
 *  - 0 on success
 *  - #VFER_INPROGRESS if the socket is nonblocking and the call would
 *    block.
 *  - #VSL_ERRNO for all other errors (errno is set accordingly)
 **/
int ssh_send_secret (vsl_sock* sock, const unsigned char* secret) {
    LOG("attempting to send shared secret over ssh...");
    LOG("secret is " KEY_STR, KEY_VEC(secret));

    /* Create message */
    struct ssh_msg_secret msg;
    FILL_MAGIC(msg.magic);
    memcpy((void *) msg.secret, (void*) secret, VSL_KEYLEN);

    /* Serialize */
    size_t buflen;
    void *buf;
    if ( (buf = write_objs(&buflen,
                           (void*) &msg.magic, sizeof(msg.magic),
                           (void*) &msg.secret, sizeof(msg.secret),
                           NULL)) == NULL)
        LOGFAIL(VSL_ERRNO, "malloc failed: %s", strerror(err));

    /* Ignore SIGPIPE */
    if ( signal(SIGPIPE, SIG_IGN) == SIG_ERR )
        LOGFATAL("cannot ignore sigpipe!");

    /* Send secret */
    if(write(sock->ssh_stdin_fd, buf, buflen) != buflen) {
         free(buf);
         if(!is_blocking(sock) &&
            errno == EAGAIN)
             return(VFER_INPROGRESS);
         LOGFAIL(VSL_ERRNO, "write failed: %s", strerror(err));
    }
    free(buf);

    /* Close fd */
    if ( close(sock->ssh_stdin_fd) != 0 )
        LOGFAIL(VSL_ERRNO, "close failed: %s", strerror(err));

    LOG("shared secret sent over ssh.");

    return(0);
}

/**
 * Read port number from ssh process
 *
 * \param[in] sock socket to use
 * \param[out] port read port
 * \return
 *  - 0 on success
 *  - #VFER_INPROGRESS if the socket is nonblocking and the call would
 *    block.
 *  - #VSL_BADPROT in case of a protocol error
 *  - #VSL_ERRNO for all other errors (errno is set accordingly)
 **/
int ssh_read_port (vsl_sock* sock, int* port) {
    LOG("attempting to get port number...");

    /* Try to read a message */
    ssize_t ret;
    struct ssh_msg_port msg;
    unsigned char buf[sizeof msg];
    if ( (ret = read(sock->ssh_stdout_fd, (void*) buf, sizeof(msg))) < 0) {
        if (errno == EAGAIN)
            return VFER_INPROGRESS;
        else
            LOGFAIL(VSL_ERRNO, "read failed: %s", strerror(errno));
    }

    /* Deserialize and verify structure */
    if ( read_objs(buf, ret,
                   (void*) &msg.magic, sizeof(msg.magic),
                   (void*) &msg.port, sizeof(msg.port),
                   NULL) == NULL )
        LOGFAIL(VSL_BADPROT, "received message too short!");

    if(!CHECK_MAGIC(msg.magic))
        LOGFAIL(VSL_BADPROT, "invalid message received");
    *port = ntohl(msg.port);

    LOG("read port nr. %d.", *port);
    return 0;
}

/**
 * Close ssh process
 *
 * \param[in] sock socket to use
 * \param[out] errmsg if the ssh process returned an error message, it
 *   is written into this variable, which has to have a minimum length
 *   of 513 bytes.
 * \return
 *  - 0 on success
 *  - #VFER_INPROGRESS if the socket is nonblocking and the call would
 *    block.
 *  - #VSL_SSHF if the ssh process failed
 *  - #VSL_TEMP if the server signaled a temporary error
 *  - #VSL_PERM if the server signaled a permanent error
 *  - #VSL_BADPROT in case of a protocol error
 *  - #VSL_ERRNO for all other errors (errno is set accordingly)
 **/
int ssh_close (vsl_sock* sock, char* errmsg)  {
    int retval = 0;

    LOG("attempting to read error message...");

    /* Try to read an error message */
    int ret;
    if ( (ret = read(sock->ssh_stderr_fd, (void*) errmsg, 512)) != 0 ) {
        if (ret == -1 &&
            errno == EAGAIN) {
            LOG("call would block, returning.");
            return VFER_INPROGRESS;
        }
        else if (ret == -1)
            LOGFAIL(VSL_ERRNO, "read failed: %s", strerror(errno));
        errmsg[ret] = '\0';
        LOG("got error message: %s.", errmsg);
        retval = VSL_SSHF;
    }

    /* close fds */
    /** \todo This close call often fails with 'Bad file descriptor!'
     *  -- ist that normal behaviour if the program has quit and there's
     * no data on the pipe?
     */
    if ( close(sock->ssh_stdin_fd) != 0 ||
         close(sock->ssh_stdout_fd) != 0 ||
         close(sock->ssh_stderr_fd) != 0 )
        //LOGFAIL(VSL_ERRNO, "can't close pipe: %s!", strerror(errno));
        ;


    // We migth have wait()ed already in vsl_select
    int pidstat;
    if ( sock->ssh_pid == 0 ) {
        LOG("using existing ssh exit status...");
        pidstat = sock->ssh_pid_stat;
    }
    else {
        /* wait for process */
        LOG("attempting to wait for ssh process...");
        if(!is_blocking(sock)) {
            if( (ret=waitpid(sock->ssh_pid, &pidstat, WNOHANG)) == 0) {
                LOG("call would block, returning.");
                return VFER_INPROGRESS;
            }
        }
        else
            ret = waitpid(sock->ssh_pid, &pidstat, 0);

        if(ret != sock->ssh_pid)
            LOGFAIL(VSL_ERRNO, "waitpid failed: %s", strerror(err));
    }

    /* Exit code? */
    if( !WIFEXITED(pidstat) )
        LOGFAIL(VSL_SSHF, "ssh process aborted.");

    if(WEXITSTATUS(pidstat) == 255) {
        LOGFAIL(VSL_SSHF, "ssh process failed!");
    }
    else if (WEXITSTATUS(pidstat) == VSL_TEMP ||
             WEXITSTATUS(pidstat) == VSL_PERM ) {
        LOGFAIL(WEXITSTATUS(pidstat), "server signaled error!");
    }
    else if(WEXITSTATUS(pidstat) != 0 )
        LOGFAIL(VSL_BADPROT, "invalid exit code!");

    LOG("ssh connection closed.");
    return retval;
}


/**
 * Establish a VFER connection to the given host
 *
 * @param[in] sock VSL socket to use
 * @param[in] host hostname to connect to
 * @param[in] port port to connect to
 * @return
 *   - 0 on success
 *   - #VSL_ERRNO for all other errors (errno is set accordingly)
 **/
int ssh_vfer_connect(vsl_sock* sock, const char* host, int port) {

    LOG("attempting vfer_connect to %s:%d...", host, port);
    int ret;

    // setup sockaddr structure for client
    struct sockaddr_in client_sa;
    bzero((char*)(&client_sa), sizeof(client_sa));
    client_sa.sin_port = htons(0);
    client_sa.sin_family = AF_INET;

    // bind the socket to a local addr
    if ( (ret=vfer_bind(sock->vfd, (struct sockaddr*) &client_sa, sizeof(client_sa))) < 0)
        LOGFATAL("vfer_bind failed [%s]", vfer_errortext(ret));

    /* get the remote ip */
    char remote_ip[INET_ADDRSTRLEN];
    struct hostent* h;
    if ((h = gethostbyname(host)) == NULL)
        LOGFAIL(VSL_ERRNO, "can't get remote ip: %s", strerror(errno));
    if (h->h_addr_list != 0) {
        inet_ntop(h->h_addrtype, (h->h_addr_list)[0], remote_ip, sizeof(remote_ip));
    }

    /* setup sockaddr structure for server */
    struct sockaddr_in server_sa;
    bzero((char*)(&server_sa), sizeof(server_sa));
    server_sa.sin_family = AF_INET;
    server_sa.sin_port = htons(port);
    if (inet_pton(AF_INET, remote_ip, &server_sa.sin_addr) != 1)
        LOGFAIL(VSL_ERRNO, "inet_pton failed: %s", strerror(errno));

    /* connect on the socket */
    //! \todo Disabled, for debbugging we use blocking IO.
     /*
    bool blocking = is_blocking(sock);
    set_blocking(sock, false);
    if ((ret = vfer_connect(sock->vfd, (struct sockaddr*) &server_sa,
                            sizeof(server_sa))) != VFER_INPROGRESS)
        LOGFATAL("vfer_connect failed [%s]", vfer_errortext(ret));
    set_blocking(sock, blocking);
    LOG("connection continues in background, returning.");
    */
    // /*
    if ((ret = vfer_connect(sock->vfd, (struct sockaddr*) &server_sa,
                            sizeof(server_sa))) != 0 &&
        ret != VFER_INPROGRESS )
        LOGFATAL("vfer_connect failed [%s]", vfer_errortext(ret));
    LOG("connection established.");
    // */

    return 0;
}

/**
 * Reads the secret from stdin and stores it in the socket.
 *
 * @param[out] secret variable to store secret in, minimum length
 * #VSL_KEYLEN
 *
 * \return
 *  - 0 on success
 *  - #VSL_BADPROT in case of a protocol error
 *  - #VSL_ERRNO if a system call failed (errno is set accordingly)
 **/
int ssh_read_secret (unsigned char* secret) {
    LOG("attempting to get secret...");

    /* Try to read a message */
    ssize_t ret;
    struct ssh_msg_secret msg;
    unsigned char buf[sizeof msg];
    if ( (ret = read(STDIN_FILENO, (void*) buf, sizeof(msg))) < 0) {
        if (errno == EAGAIN)
            return VFER_INPROGRESS;
        else
            LOGFAIL(VSL_ERRNO, "read failed: %s", strerror(errno));
    }

    /* Deserialize and verify structure */
    if ( read_objs(buf, ret,
                   (void*) &msg.magic, sizeof(msg.magic),
                   (void*) &msg.secret, sizeof(msg.secret),
                   NULL) == NULL )
        LOGFAIL(VSL_BADPROT, "received message too short!");

    if(!CHECK_MAGIC(msg.magic))
        LOGFAIL(VSL_BADPROT, "invalid message received!");
    memcpy((void*) secret, (void*) msg.secret, VSL_KEYLEN);

    LOG("got secret " KEY_STR ".", KEY_VEC(secret));
    return 0;
}



/**
 * Configures the socket to listen on a free port and returns that
 * port.
 *
 * @param[in] sock socket to use
 * \param[out] port reserved port
 *
 * \return
 *  - 0 on success
 *  - #VSL_ERRNO if a system call failed (errno is set accordingly)
 **/
int ssh_vfer_listen (vsl_sock* sock, int* port) {
    LOG("attempting to listen...");

    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int ret;

    bzero((char*)(&sa), sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(0);

    if ((ret = vfer_bind(sock->vfd, (struct sockaddr*) &sa, sizeof(sa))) != 0)
        LOGFATAL("vfer_bind failed: %s!", vfer_errortext(ret));

    if ((ret = vfer_listen(sock->vfd, 3)) != 0)
        LOGFATAL("vfer_listen failed: %s!", vfer_errortext(ret));

    if ((ret = vfer_getsockname(sock->vfd, (struct sockaddr*) &sa, &len)) != 0)
        LOGFATAL("vfer_getsockname failed: %s!", vfer_errortext(ret));

    *port = ntohs(sa.sin_port);

    LOG("listening on port %d.", *port);
    return 0;
}


/**
 * Prints the given port
 *
 * \param[in] port port
 *
 * \return
 *  - 0 on success
 *  - #VSL_ERRNO if a system call failed (errno is set accordingly)
 **/
int ssh_send_port (int port) {
    LOG("attempting to send port %d...", port);

    /* Create message */
    struct ssh_msg_port msg;
    FILL_MAGIC(msg.magic);
    msg.port = htonl(port);

    /* Serialize */
    size_t buflen;
    void *buf;
    if ( (buf = write_objs(&buflen,
                           (void*) &msg.magic, sizeof(msg.magic),
                           (void*) &msg.port, sizeof(msg.port),
                           NULL)) == NULL)
        LOGFAIL(VSL_ERRNO, "malloc failed: %s", strerror(err));

    /* Send key */
    if(write(STDOUT_FILENO, (void*) buf, buflen) != buflen) {
         free(buf);
         LOGFAIL(VSL_ERRNO, "write failed: %s", strerror(errno));
    }
    free(buf);

    LOG("port message sent.");
    return 0;
}


/**
 * Waits for a vfer connection and closes the listening socket.
 *
 * @param[in] sock socket to use
 *
 * \return
 *  - 0 on success
 *  - #VFER_TIMEOUT a timeout occured
 **/
int ssh_vfer_accept (vsl_sock* sock) {
    LOG("attempting to accept vfer connection...");

    /* Set timeout */
    int ret;
    if ( (ret = vfer_setsockopt(sock->vfd, VFERSO_ACCEPTTIMEOUT,
                                &((int) { 60000000 } ), sizeof(int))) != 0)
        LOGFATAL("can't set socket state: %s!", vfer_errortext(ret));

    /* Accept connection */
    struct sockaddr_in sa;
    bzero((char*)(&sa), sizeof(sa));
    socklen_t len = sizeof(sa);
    int vfd;
    if ((vfd = vfer_accept(sock->vfd, (struct sockaddr*) &sa, &len)) == VFER_TIMEOUT)
        LOGFAIL(vfd, "timed out, returning.");
    else if ( vfd < 0 )
        LOGFATAL("vfer_accept failed: %s!", vfer_errortext(vfd));
    sock->vfd = vfd;

    LOG("Done.");
    return 0;
}

/**
 * Daemonizes the process
 *
 * \return
 *  - 0 on success
 *  - #VSL_ERRNO if a system call failed (errno is set accordingly)
 **/
int ssh_daemonize (void) {
    LOG("daemonizing...");
    if (daemon(0,0) != 0 )
        LOGFAIL(VSL_ERRNO, "daemon failed: %s!", strerror(errno));
    return 0;
}


/*
 * Local Variables:
 * compile-command: "cd ..; make tests file_xfer"
 * compilation-search-path: ("..")
 * End:
 */

---