1 /* $OpenBSD: mux.c,v 1.95 2023/01/06 02:39:59 djm Exp $ */ 2 /* 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* ssh session multiplexing support */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/stat.h> 23 #include <sys/socket.h> 24 #include <sys/un.h> 25 26 #include <errno.h> 27 #include <fcntl.h> 28 #include <poll.h> 29 #include <signal.h> 30 #include <stdarg.h> 31 #include <stddef.h> 32 #include <stdlib.h> 33 #include <stdio.h> 34 #include <string.h> 35 #include <unistd.h> 36 #include <util.h> 37 #include <paths.h> 38 39 #include "atomicio.h" 40 #include "xmalloc.h" 41 #include "log.h" 42 #include "ssh.h" 43 #include "ssh2.h" 44 #include "pathnames.h" 45 #include "misc.h" 46 #include "match.h" 47 #include "sshbuf.h" 48 #include "channels.h" 49 #include "msg.h" 50 #include "packet.h" 51 #include "monitor_fdpass.h" 52 #include "sshpty.h" 53 #include "sshkey.h" 54 #include "readconf.h" 55 #include "clientloop.h" 56 #include "ssherr.h" 57 58 /* from ssh.c */ 59 extern int tty_flag; 60 extern Options options; 61 extern char *host; 62 extern struct sshbuf *command; 63 extern volatile sig_atomic_t quit_pending; 64 65 /* Context for session open confirmation callback */ 66 struct mux_session_confirm_ctx { 67 u_int want_tty; 68 u_int want_subsys; 69 u_int want_x_fwd; 70 u_int want_agent_fwd; 71 struct sshbuf *cmd; 72 char *term; 73 struct termios tio; 74 char **env; 75 u_int rid; 76 }; 77 78 /* Context for stdio fwd open confirmation callback */ 79 struct mux_stdio_confirm_ctx { 80 u_int rid; 81 }; 82 83 /* Context for global channel callback */ 84 struct mux_channel_confirm_ctx { 85 u_int cid; /* channel id */ 86 u_int rid; /* request id */ 87 int fid; /* forward id */ 88 }; 89 90 /* fd to control socket */ 91 int muxserver_sock = -1; 92 93 /* client request id */ 94 u_int muxclient_request_id = 0; 95 96 /* Multiplexing control command */ 97 u_int muxclient_command = 0; 98 99 /* Set when signalled. */ 100 static volatile sig_atomic_t muxclient_terminate = 0; 101 102 /* PID of multiplex server */ 103 static u_int muxserver_pid = 0; 104 105 static Channel *mux_listener_channel = NULL; 106 107 struct mux_master_state { 108 int hello_rcvd; 109 }; 110 111 /* mux protocol messages */ 112 #define MUX_MSG_HELLO 0x00000001 113 #define MUX_C_NEW_SESSION 0x10000002 114 #define MUX_C_ALIVE_CHECK 0x10000004 115 #define MUX_C_TERMINATE 0x10000005 116 #define MUX_C_OPEN_FWD 0x10000006 117 #define MUX_C_CLOSE_FWD 0x10000007 118 #define MUX_C_NEW_STDIO_FWD 0x10000008 119 #define MUX_C_STOP_LISTENING 0x10000009 120 #define MUX_C_PROXY 0x1000000f 121 #define MUX_S_OK 0x80000001 122 #define MUX_S_PERMISSION_DENIED 0x80000002 123 #define MUX_S_FAILURE 0x80000003 124 #define MUX_S_EXIT_MESSAGE 0x80000004 125 #define MUX_S_ALIVE 0x80000005 126 #define MUX_S_SESSION_OPENED 0x80000006 127 #define MUX_S_REMOTE_PORT 0x80000007 128 #define MUX_S_TTY_ALLOC_FAIL 0x80000008 129 #define MUX_S_PROXY 0x8000000f 130 131 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ 132 #define MUX_FWD_LOCAL 1 133 #define MUX_FWD_REMOTE 2 134 #define MUX_FWD_DYNAMIC 3 135 136 static void mux_session_confirm(struct ssh *, int, int, void *); 137 static void mux_stdio_confirm(struct ssh *, int, int, void *); 138 139 static int mux_master_process_hello(struct ssh *, u_int, 140 Channel *, struct sshbuf *, struct sshbuf *); 141 static int mux_master_process_new_session(struct ssh *, u_int, 142 Channel *, struct sshbuf *, struct sshbuf *); 143 static int mux_master_process_alive_check(struct ssh *, u_int, 144 Channel *, struct sshbuf *, struct sshbuf *); 145 static int mux_master_process_terminate(struct ssh *, u_int, 146 Channel *, struct sshbuf *, struct sshbuf *); 147 static int mux_master_process_open_fwd(struct ssh *, u_int, 148 Channel *, struct sshbuf *, struct sshbuf *); 149 static int mux_master_process_close_fwd(struct ssh *, u_int, 150 Channel *, struct sshbuf *, struct sshbuf *); 151 static int mux_master_process_stdio_fwd(struct ssh *, u_int, 152 Channel *, struct sshbuf *, struct sshbuf *); 153 static int mux_master_process_stop_listening(struct ssh *, u_int, 154 Channel *, struct sshbuf *, struct sshbuf *); 155 static int mux_master_process_proxy(struct ssh *, u_int, 156 Channel *, struct sshbuf *, struct sshbuf *); 157 158 static const struct { 159 u_int type; 160 int (*handler)(struct ssh *, u_int, Channel *, 161 struct sshbuf *, struct sshbuf *); 162 } mux_master_handlers[] = { 163 { MUX_MSG_HELLO, mux_master_process_hello }, 164 { MUX_C_NEW_SESSION, mux_master_process_new_session }, 165 { MUX_C_ALIVE_CHECK, mux_master_process_alive_check }, 166 { MUX_C_TERMINATE, mux_master_process_terminate }, 167 { MUX_C_OPEN_FWD, mux_master_process_open_fwd }, 168 { MUX_C_CLOSE_FWD, mux_master_process_close_fwd }, 169 { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd }, 170 { MUX_C_STOP_LISTENING, mux_master_process_stop_listening }, 171 { MUX_C_PROXY, mux_master_process_proxy }, 172 { 0, NULL } 173 }; 174 175 /* Cleanup callback fired on closure of mux client _session_ channel */ 176 /* ARGSUSED */ 177 static void 178 mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) 179 { 180 Channel *cc, *c = channel_by_id(ssh, cid); 181 182 debug3_f("entering for channel %d", cid); 183 if (c == NULL) 184 fatal_f("channel_by_id(%i) == NULL", cid); 185 if (c->ctl_chan != -1) { 186 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 187 fatal_f("channel %d missing control channel %d", 188 c->self, c->ctl_chan); 189 c->ctl_chan = -1; 190 cc->remote_id = 0; 191 cc->have_remote_id = 0; 192 chan_rcvd_oclose(ssh, cc); 193 } 194 channel_cancel_cleanup(ssh, c->self); 195 } 196 197 /* Cleanup callback fired on closure of mux client _control_ channel */ 198 /* ARGSUSED */ 199 static void 200 mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) 201 { 202 Channel *sc, *c = channel_by_id(ssh, cid); 203 204 debug3_f("entering for channel %d", cid); 205 if (c == NULL) 206 fatal_f("channel_by_id(%i) == NULL", cid); 207 if (c->have_remote_id) { 208 if ((sc = channel_by_id(ssh, c->remote_id)) == NULL) 209 fatal_f("channel %d missing session channel %u", 210 c->self, c->remote_id); 211 c->remote_id = 0; 212 c->have_remote_id = 0; 213 sc->ctl_chan = -1; 214 if (sc->type != SSH_CHANNEL_OPEN && 215 sc->type != SSH_CHANNEL_OPENING) { 216 debug2_f("channel %d: not open", sc->self); 217 chan_mark_dead(ssh, sc); 218 } else { 219 if (sc->istate == CHAN_INPUT_OPEN) 220 chan_read_failed(ssh, sc); 221 if (sc->ostate == CHAN_OUTPUT_OPEN) 222 chan_write_failed(ssh, sc); 223 } 224 } 225 channel_cancel_cleanup(ssh, c->self); 226 } 227 228 /* Check mux client environment variables before passing them to mux master. */ 229 static int 230 env_permitted(const char *env) 231 { 232 u_int i; 233 int ret; 234 char name[1024], *cp; 235 236 if ((cp = strchr(env, '=')) == NULL || cp == env) 237 return 0; 238 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env); 239 if (ret <= 0 || (size_t)ret >= sizeof(name)) { 240 error_f("name '%.100s...' too long", env); 241 return 0; 242 } 243 244 for (i = 0; i < options.num_send_env; i++) 245 if (match_pattern(name, options.send_env[i])) 246 return 1; 247 248 return 0; 249 } 250 251 /* Mux master protocol message handlers */ 252 253 static int 254 mux_master_process_hello(struct ssh *ssh, u_int rid, 255 Channel *c, struct sshbuf *m, struct sshbuf *reply) 256 { 257 u_int ver; 258 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 259 int r; 260 261 if (state == NULL) 262 fatal_f("channel %d: c->mux_ctx == NULL", c->self); 263 if (state->hello_rcvd) { 264 error_f("HELLO received twice"); 265 return -1; 266 } 267 if ((r = sshbuf_get_u32(m, &ver)) != 0) { 268 error_fr(r, "parse"); 269 return -1; 270 } 271 if (ver != SSHMUX_VER) { 272 error_f("unsupported multiplexing protocol version %u " 273 "(expected %u)", ver, SSHMUX_VER); 274 return -1; 275 } 276 debug2_f("channel %d client version %u", c->self, ver); 277 278 /* No extensions are presently defined */ 279 while (sshbuf_len(m) > 0) { 280 char *name = NULL; 281 size_t value_len = 0; 282 283 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 284 (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) { 285 error_fr(r, "parse extension"); 286 return -1; 287 } 288 debug2_f("Unrecognised extension \"%s\" length %zu", 289 name, value_len); 290 free(name); 291 } 292 state->hello_rcvd = 1; 293 return 0; 294 } 295 296 /* Enqueue a "ok" response to the reply buffer */ 297 static void 298 reply_ok(struct sshbuf *reply, u_int rid) 299 { 300 int r; 301 302 if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 || 303 (r = sshbuf_put_u32(reply, rid)) != 0) 304 fatal_fr(r, "reply"); 305 } 306 307 /* Enqueue an error response to the reply buffer */ 308 static void 309 reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg) 310 { 311 int r; 312 313 if ((r = sshbuf_put_u32(reply, type)) != 0 || 314 (r = sshbuf_put_u32(reply, rid)) != 0 || 315 (r = sshbuf_put_cstring(reply, msg)) != 0) 316 fatal_fr(r, "reply"); 317 } 318 319 static int 320 mux_master_process_new_session(struct ssh *ssh, u_int rid, 321 Channel *c, struct sshbuf *m, struct sshbuf *reply) 322 { 323 Channel *nc; 324 struct mux_session_confirm_ctx *cctx; 325 char *cmd, *cp; 326 u_int i, j, env_len, escape_char, window, packetmax; 327 int r, new_fd[3]; 328 329 /* Reply for SSHMUX_COMMAND_OPEN */ 330 cctx = xcalloc(1, sizeof(*cctx)); 331 cctx->term = NULL; 332 cctx->rid = rid; 333 cmd = NULL; 334 cctx->env = NULL; 335 env_len = 0; 336 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 337 (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 || 338 (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 || 339 (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 || 340 (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 || 341 (r = sshbuf_get_u32(m, &escape_char)) != 0 || 342 (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 || 343 (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) { 344 malf: 345 free(cmd); 346 for (j = 0; j < env_len; j++) 347 free(cctx->env[j]); 348 free(cctx->env); 349 free(cctx->term); 350 free(cctx); 351 error_f("malformed message"); 352 return -1; 353 } 354 355 #define MUX_MAX_ENV_VARS 4096 356 while (sshbuf_len(m) > 0) { 357 if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0) 358 goto malf; 359 if (!env_permitted(cp)) { 360 free(cp); 361 continue; 362 } 363 cctx->env = xreallocarray(cctx->env, env_len + 2, 364 sizeof(*cctx->env)); 365 cctx->env[env_len++] = cp; 366 cctx->env[env_len] = NULL; 367 if (env_len > MUX_MAX_ENV_VARS) { 368 error_f(">%d environment variables received, " 369 "ignoring additional", MUX_MAX_ENV_VARS); 370 break; 371 } 372 } 373 374 debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, " 375 "term \"%s\", cmd \"%s\", env %u", c->self, 376 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd, 377 cctx->want_subsys, cctx->term, cmd, env_len); 378 379 if ((cctx->cmd = sshbuf_new()) == NULL) 380 fatal_f("sshbuf_new"); 381 if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0) 382 fatal_fr(r, "sshbuf_put"); 383 free(cmd); 384 cmd = NULL; 385 386 /* Gather fds from client */ 387 for(i = 0; i < 3; i++) { 388 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 389 error_f("failed to receive fd %d from client", i); 390 for (j = 0; j < i; j++) 391 close(new_fd[j]); 392 for (j = 0; j < env_len; j++) 393 free(cctx->env[j]); 394 free(cctx->env); 395 free(cctx->term); 396 sshbuf_free(cctx->cmd); 397 free(cctx); 398 reply_error(reply, MUX_S_FAILURE, rid, 399 "did not receive file descriptors"); 400 return -1; 401 } 402 } 403 404 debug3_f("got fds stdin %d, stdout %d, stderr %d", 405 new_fd[0], new_fd[1], new_fd[2]); 406 407 /* XXX support multiple child sessions in future */ 408 if (c->have_remote_id) { 409 debug2_f("session already open"); 410 reply_error(reply, MUX_S_FAILURE, rid, 411 "Multiple sessions not supported"); 412 cleanup: 413 close(new_fd[0]); 414 close(new_fd[1]); 415 close(new_fd[2]); 416 free(cctx->term); 417 if (env_len != 0) { 418 for (i = 0; i < env_len; i++) 419 free(cctx->env[i]); 420 free(cctx->env); 421 } 422 sshbuf_free(cctx->cmd); 423 free(cctx); 424 return 0; 425 } 426 427 if (options.control_master == SSHCTL_MASTER_ASK || 428 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 429 if (!ask_permission("Allow shared connection to %s? ", host)) { 430 debug2_f("session refused by user"); 431 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 432 "Permission denied"); 433 goto cleanup; 434 } 435 } 436 437 /* Try to pick up ttymodes from client before it goes raw */ 438 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 439 error_f("tcgetattr: %s", strerror(errno)); 440 441 window = CHAN_SES_WINDOW_DEFAULT; 442 packetmax = CHAN_SES_PACKET_DEFAULT; 443 if (cctx->want_tty) { 444 window >>= 1; 445 packetmax >>= 1; 446 } 447 448 nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, 449 new_fd[0], new_fd[1], new_fd[2], window, packetmax, 450 CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); 451 452 nc->ctl_chan = c->self; /* link session -> control channel */ 453 c->remote_id = nc->self; /* link control -> session channel */ 454 c->have_remote_id = 1; 455 456 if (cctx->want_tty && escape_char != 0xffffffff) { 457 channel_register_filter(ssh, nc->self, 458 client_simple_escape_filter, NULL, 459 client_filter_cleanup, 460 client_new_escape_filter_ctx((int)escape_char)); 461 } 462 463 debug2_f("channel_new: %d linked to control channel %d", 464 nc->self, nc->ctl_chan); 465 466 channel_send_open(ssh, nc->self); 467 channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx); 468 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 469 channel_register_cleanup(ssh, nc->self, 470 mux_master_session_cleanup_cb, 1); 471 472 /* reply is deferred, sent by mux_session_confirm */ 473 return 0; 474 } 475 476 static int 477 mux_master_process_alive_check(struct ssh *ssh, u_int rid, 478 Channel *c, struct sshbuf *m, struct sshbuf *reply) 479 { 480 int r; 481 482 debug2_f("channel %d: alive check", c->self); 483 484 /* prepare reply */ 485 if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 || 486 (r = sshbuf_put_u32(reply, rid)) != 0 || 487 (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0) 488 fatal_fr(r, "reply"); 489 490 return 0; 491 } 492 493 static int 494 mux_master_process_terminate(struct ssh *ssh, u_int rid, 495 Channel *c, struct sshbuf *m, struct sshbuf *reply) 496 { 497 debug2_f("channel %d: terminate request", c->self); 498 499 if (options.control_master == SSHCTL_MASTER_ASK || 500 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 501 if (!ask_permission("Terminate shared connection to %s? ", 502 host)) { 503 debug2_f("termination refused by user"); 504 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 505 "Permission denied"); 506 return 0; 507 } 508 } 509 510 quit_pending = 1; 511 reply_ok(reply, rid); 512 /* XXX exit happens too soon - message never makes it to client */ 513 return 0; 514 } 515 516 static char * 517 format_forward(u_int ftype, struct Forward *fwd) 518 { 519 char *ret; 520 521 switch (ftype) { 522 case MUX_FWD_LOCAL: 523 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d", 524 (fwd->listen_path != NULL) ? fwd->listen_path : 525 (fwd->listen_host == NULL) ? 526 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 527 fwd->listen_host, fwd->listen_port, 528 (fwd->connect_path != NULL) ? fwd->connect_path : 529 fwd->connect_host, fwd->connect_port); 530 break; 531 case MUX_FWD_DYNAMIC: 532 xasprintf(&ret, "dynamic forward %.200s:%d -> *", 533 (fwd->listen_host == NULL) ? 534 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 535 fwd->listen_host, fwd->listen_port); 536 break; 537 case MUX_FWD_REMOTE: 538 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d", 539 (fwd->listen_path != NULL) ? fwd->listen_path : 540 (fwd->listen_host == NULL) ? 541 "LOCALHOST" : fwd->listen_host, 542 fwd->listen_port, 543 (fwd->connect_path != NULL) ? fwd->connect_path : 544 fwd->connect_host, fwd->connect_port); 545 break; 546 default: 547 fatal_f("unknown forward type %u", ftype); 548 } 549 return ret; 550 } 551 552 static int 553 compare_host(const char *a, const char *b) 554 { 555 if (a == NULL && b == NULL) 556 return 1; 557 if (a == NULL || b == NULL) 558 return 0; 559 return strcmp(a, b) == 0; 560 } 561 562 static int 563 compare_forward(struct Forward *a, struct Forward *b) 564 { 565 if (!compare_host(a->listen_host, b->listen_host)) 566 return 0; 567 if (!compare_host(a->listen_path, b->listen_path)) 568 return 0; 569 if (a->listen_port != b->listen_port) 570 return 0; 571 if (!compare_host(a->connect_host, b->connect_host)) 572 return 0; 573 if (!compare_host(a->connect_path, b->connect_path)) 574 return 0; 575 if (a->connect_port != b->connect_port) 576 return 0; 577 578 return 1; 579 } 580 581 static void 582 mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt) 583 { 584 struct mux_channel_confirm_ctx *fctx = ctxt; 585 char *failmsg = NULL; 586 struct Forward *rfwd; 587 Channel *c; 588 struct sshbuf *out; 589 u_int port; 590 int r; 591 592 if ((c = channel_by_id(ssh, fctx->cid)) == NULL) { 593 /* no channel for reply */ 594 error_f("unknown channel"); 595 return; 596 } 597 if ((out = sshbuf_new()) == NULL) 598 fatal_f("sshbuf_new"); 599 if (fctx->fid >= options.num_remote_forwards || 600 (options.remote_forwards[fctx->fid].connect_path == NULL && 601 options.remote_forwards[fctx->fid].connect_host == NULL)) { 602 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid); 603 goto fail; 604 } 605 rfwd = &options.remote_forwards[fctx->fid]; 606 debug_f("%s for: listen %d, connect %s:%d", 607 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 608 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path : 609 rfwd->connect_host, rfwd->connect_port); 610 if (type == SSH2_MSG_REQUEST_SUCCESS) { 611 if (rfwd->listen_port == 0) { 612 if ((r = sshpkt_get_u32(ssh, &port)) != 0) 613 fatal_fr(r, "parse port"); 614 if (port > 65535) { 615 fatal("Invalid allocated port %u for " 616 "mux remote forward to %s:%d", port, 617 rfwd->connect_host, rfwd->connect_port); 618 } 619 rfwd->allocated_port = (int)port; 620 debug("Allocated port %u for mux remote forward" 621 " to %s:%d", rfwd->allocated_port, 622 rfwd->connect_host, rfwd->connect_port); 623 if ((r = sshbuf_put_u32(out, 624 MUX_S_REMOTE_PORT)) != 0 || 625 (r = sshbuf_put_u32(out, fctx->rid)) != 0 || 626 (r = sshbuf_put_u32(out, 627 rfwd->allocated_port)) != 0) 628 fatal_fr(r, "reply"); 629 channel_update_permission(ssh, rfwd->handle, 630 rfwd->allocated_port); 631 } else { 632 reply_ok(out, fctx->rid); 633 } 634 goto out; 635 } else { 636 if (rfwd->listen_port == 0) 637 channel_update_permission(ssh, rfwd->handle, -1); 638 if (rfwd->listen_path != NULL) 639 xasprintf(&failmsg, "remote port forwarding failed for " 640 "listen path %s", rfwd->listen_path); 641 else 642 xasprintf(&failmsg, "remote port forwarding failed for " 643 "listen port %d", rfwd->listen_port); 644 645 debug2_f("clearing registered forwarding for listen %d, " 646 "connect %s:%d", rfwd->listen_port, 647 rfwd->connect_path ? rfwd->connect_path : 648 rfwd->connect_host, rfwd->connect_port); 649 650 free(rfwd->listen_host); 651 free(rfwd->listen_path); 652 free(rfwd->connect_host); 653 free(rfwd->connect_path); 654 memset(rfwd, 0, sizeof(*rfwd)); 655 } 656 fail: 657 error_f("%s", failmsg); 658 reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg); 659 free(failmsg); 660 out: 661 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 662 fatal_fr(r, "enqueue"); 663 sshbuf_free(out); 664 if (c->mux_pause <= 0) 665 fatal_f("mux_pause %d", c->mux_pause); 666 c->mux_pause = 0; /* start processing messages again */ 667 } 668 669 static int 670 mux_master_process_open_fwd(struct ssh *ssh, u_int rid, 671 Channel *c, struct sshbuf *m, struct sshbuf *reply) 672 { 673 struct Forward fwd; 674 char *fwd_desc = NULL; 675 char *listen_addr, *connect_addr; 676 u_int ftype; 677 u_int lport, cport; 678 int r, i, ret = 0, freefwd = 1; 679 680 memset(&fwd, 0, sizeof(fwd)); 681 682 /* XXX - lport/cport check redundant */ 683 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 684 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 685 (r = sshbuf_get_u32(m, &lport)) != 0 || 686 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 687 (r = sshbuf_get_u32(m, &cport)) != 0 || 688 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 689 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 690 error_f("malformed message"); 691 ret = -1; 692 goto out; 693 } 694 if (*listen_addr == '\0') { 695 free(listen_addr); 696 listen_addr = NULL; 697 } 698 if (*connect_addr == '\0') { 699 free(connect_addr); 700 connect_addr = NULL; 701 } 702 703 memset(&fwd, 0, sizeof(fwd)); 704 fwd.listen_port = lport; 705 if (fwd.listen_port == PORT_STREAMLOCAL) 706 fwd.listen_path = listen_addr; 707 else 708 fwd.listen_host = listen_addr; 709 fwd.connect_port = cport; 710 if (fwd.connect_port == PORT_STREAMLOCAL) 711 fwd.connect_path = connect_addr; 712 else 713 fwd.connect_host = connect_addr; 714 715 debug2_f("channel %d: request %s", c->self, 716 (fwd_desc = format_forward(ftype, &fwd))); 717 718 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE && 719 ftype != MUX_FWD_DYNAMIC) { 720 logit_f("invalid forwarding type %u", ftype); 721 invalid: 722 free(listen_addr); 723 free(connect_addr); 724 reply_error(reply, MUX_S_FAILURE, rid, 725 "Invalid forwarding request"); 726 return 0; 727 } 728 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) { 729 logit_f("streamlocal and dynamic forwards " 730 "are mutually exclusive"); 731 goto invalid; 732 } 733 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) { 734 logit_f("invalid listen port %u", fwd.listen_port); 735 goto invalid; 736 } 737 if ((fwd.connect_port != PORT_STREAMLOCAL && 738 fwd.connect_port >= 65536) || 739 (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && 740 fwd.connect_port == 0)) { 741 logit_f("invalid connect port %u", 742 fwd.connect_port); 743 goto invalid; 744 } 745 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && 746 fwd.connect_path == NULL) { 747 logit_f("missing connect host"); 748 goto invalid; 749 } 750 751 /* Skip forwards that have already been requested */ 752 switch (ftype) { 753 case MUX_FWD_LOCAL: 754 case MUX_FWD_DYNAMIC: 755 for (i = 0; i < options.num_local_forwards; i++) { 756 if (compare_forward(&fwd, 757 options.local_forwards + i)) { 758 exists: 759 debug2_f("found existing forwarding"); 760 reply_ok(reply, rid); 761 goto out; 762 } 763 } 764 break; 765 case MUX_FWD_REMOTE: 766 for (i = 0; i < options.num_remote_forwards; i++) { 767 if (!compare_forward(&fwd, options.remote_forwards + i)) 768 continue; 769 if (fwd.listen_port != 0) 770 goto exists; 771 debug2_f("found allocated port"); 772 if ((r = sshbuf_put_u32(reply, 773 MUX_S_REMOTE_PORT)) != 0 || 774 (r = sshbuf_put_u32(reply, rid)) != 0 || 775 (r = sshbuf_put_u32(reply, 776 options.remote_forwards[i].allocated_port)) != 0) 777 fatal_fr(r, "reply FWD_REMOTE"); 778 goto out; 779 } 780 break; 781 } 782 783 if (options.control_master == SSHCTL_MASTER_ASK || 784 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 785 if (!ask_permission("Open %s on %s?", fwd_desc, host)) { 786 debug2_f("forwarding refused by user"); 787 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 788 "Permission denied"); 789 goto out; 790 } 791 } 792 793 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 794 if (!channel_setup_local_fwd_listener(ssh, &fwd, 795 &options.fwd_opts)) { 796 fail: 797 logit_f("requested %s failed", fwd_desc); 798 reply_error(reply, MUX_S_FAILURE, rid, 799 "Port forwarding failed"); 800 goto out; 801 } 802 add_local_forward(&options, &fwd); 803 freefwd = 0; 804 } else { 805 struct mux_channel_confirm_ctx *fctx; 806 807 fwd.handle = channel_request_remote_forwarding(ssh, &fwd); 808 if (fwd.handle < 0) 809 goto fail; 810 add_remote_forward(&options, &fwd); 811 fctx = xcalloc(1, sizeof(*fctx)); 812 fctx->cid = c->self; 813 fctx->rid = rid; 814 fctx->fid = options.num_remote_forwards - 1; 815 client_register_global_confirm(mux_confirm_remote_forward, 816 fctx); 817 freefwd = 0; 818 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */ 819 /* delayed reply in mux_confirm_remote_forward */ 820 goto out; 821 } 822 reply_ok(reply, rid); 823 out: 824 free(fwd_desc); 825 if (freefwd) { 826 free(fwd.listen_host); 827 free(fwd.listen_path); 828 free(fwd.connect_host); 829 free(fwd.connect_path); 830 } 831 return ret; 832 } 833 834 static int 835 mux_master_process_close_fwd(struct ssh *ssh, u_int rid, 836 Channel *c, struct sshbuf *m, struct sshbuf *reply) 837 { 838 struct Forward fwd, *found_fwd; 839 char *fwd_desc = NULL; 840 const char *error_reason = NULL; 841 char *listen_addr = NULL, *connect_addr = NULL; 842 u_int ftype; 843 int r, i, ret = 0; 844 u_int lport, cport; 845 846 memset(&fwd, 0, sizeof(fwd)); 847 848 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 849 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 850 (r = sshbuf_get_u32(m, &lport)) != 0 || 851 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 852 (r = sshbuf_get_u32(m, &cport)) != 0 || 853 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 854 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 855 error_f("malformed message"); 856 ret = -1; 857 goto out; 858 } 859 860 if (*listen_addr == '\0') { 861 free(listen_addr); 862 listen_addr = NULL; 863 } 864 if (*connect_addr == '\0') { 865 free(connect_addr); 866 connect_addr = NULL; 867 } 868 869 memset(&fwd, 0, sizeof(fwd)); 870 fwd.listen_port = lport; 871 if (fwd.listen_port == PORT_STREAMLOCAL) 872 fwd.listen_path = listen_addr; 873 else 874 fwd.listen_host = listen_addr; 875 fwd.connect_port = cport; 876 if (fwd.connect_port == PORT_STREAMLOCAL) 877 fwd.connect_path = connect_addr; 878 else 879 fwd.connect_host = connect_addr; 880 881 debug2_f("channel %d: request cancel %s", c->self, 882 (fwd_desc = format_forward(ftype, &fwd))); 883 884 /* make sure this has been requested */ 885 found_fwd = NULL; 886 switch (ftype) { 887 case MUX_FWD_LOCAL: 888 case MUX_FWD_DYNAMIC: 889 for (i = 0; i < options.num_local_forwards; i++) { 890 if (compare_forward(&fwd, 891 options.local_forwards + i)) { 892 found_fwd = options.local_forwards + i; 893 break; 894 } 895 } 896 break; 897 case MUX_FWD_REMOTE: 898 for (i = 0; i < options.num_remote_forwards; i++) { 899 if (compare_forward(&fwd, 900 options.remote_forwards + i)) { 901 found_fwd = options.remote_forwards + i; 902 break; 903 } 904 } 905 break; 906 } 907 908 if (found_fwd == NULL) 909 error_reason = "port not forwarded"; 910 else if (ftype == MUX_FWD_REMOTE) { 911 /* 912 * This shouldn't fail unless we confused the host/port 913 * between options.remote_forwards and permitted_opens. 914 * However, for dynamic allocated listen ports we need 915 * to use the actual listen port. 916 */ 917 if (channel_request_rforward_cancel(ssh, found_fwd) == -1) 918 error_reason = "port not in permitted opens"; 919 } else { /* local and dynamic forwards */ 920 /* Ditto */ 921 if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port, 922 &options.fwd_opts) == -1) 923 error_reason = "port not found"; 924 } 925 926 if (error_reason != NULL) 927 reply_error(reply, MUX_S_FAILURE, rid, error_reason); 928 else { 929 reply_ok(reply, rid); 930 free(found_fwd->listen_host); 931 free(found_fwd->listen_path); 932 free(found_fwd->connect_host); 933 free(found_fwd->connect_path); 934 found_fwd->listen_host = found_fwd->connect_host = NULL; 935 found_fwd->listen_path = found_fwd->connect_path = NULL; 936 found_fwd->listen_port = found_fwd->connect_port = 0; 937 } 938 out: 939 free(fwd_desc); 940 free(listen_addr); 941 free(connect_addr); 942 943 return ret; 944 } 945 946 static int 947 mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid, 948 Channel *c, struct sshbuf *m, struct sshbuf *reply) 949 { 950 Channel *nc; 951 char *chost = NULL; 952 u_int cport, i, j; 953 int r, new_fd[2]; 954 struct mux_stdio_confirm_ctx *cctx; 955 956 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 957 (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 || 958 (r = sshbuf_get_u32(m, &cport)) != 0) { 959 free(chost); 960 error_f("malformed message"); 961 return -1; 962 } 963 964 debug2_f("channel %d: stdio fwd to %s:%u", c->self, chost, cport); 965 966 /* Gather fds from client */ 967 for(i = 0; i < 2; i++) { 968 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 969 error_f("failed to receive fd %d from client", i); 970 for (j = 0; j < i; j++) 971 close(new_fd[j]); 972 free(chost); 973 974 /* prepare reply */ 975 reply_error(reply, MUX_S_FAILURE, rid, 976 "did not receive file descriptors"); 977 return -1; 978 } 979 } 980 981 debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]); 982 983 /* XXX support multiple child sessions in future */ 984 if (c->have_remote_id) { 985 debug2_f("session already open"); 986 reply_error(reply, MUX_S_FAILURE, rid, 987 "Multiple sessions not supported"); 988 cleanup: 989 close(new_fd[0]); 990 close(new_fd[1]); 991 free(chost); 992 return 0; 993 } 994 995 if (options.control_master == SSHCTL_MASTER_ASK || 996 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 997 if (!ask_permission("Allow forward to %s:%u? ", 998 chost, cport)) { 999 debug2_f("stdio fwd refused by user"); 1000 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1001 "Permission denied"); 1002 goto cleanup; 1003 } 1004 } 1005 1006 nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1], 1007 CHANNEL_NONBLOCK_STDIO); 1008 free(chost); 1009 1010 nc->ctl_chan = c->self; /* link session -> control channel */ 1011 c->remote_id = nc->self; /* link control -> session channel */ 1012 c->have_remote_id = 1; 1013 1014 debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan); 1015 1016 channel_register_cleanup(ssh, nc->self, 1017 mux_master_session_cleanup_cb, 1); 1018 1019 cctx = xcalloc(1, sizeof(*cctx)); 1020 cctx->rid = rid; 1021 channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx); 1022 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 1023 1024 /* reply is deferred, sent by mux_session_confirm */ 1025 return 0; 1026 } 1027 1028 /* Callback on open confirmation in mux master for a mux stdio fwd session. */ 1029 static void 1030 mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg) 1031 { 1032 struct mux_stdio_confirm_ctx *cctx = arg; 1033 Channel *c, *cc; 1034 struct sshbuf *reply; 1035 int r; 1036 1037 if (cctx == NULL) 1038 fatal_f("cctx == NULL"); 1039 if ((c = channel_by_id(ssh, id)) == NULL) 1040 fatal_f("no channel for id %d", id); 1041 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1042 fatal_f("channel %d lacks control channel %d", 1043 id, c->ctl_chan); 1044 if ((reply = sshbuf_new()) == NULL) 1045 fatal_f("sshbuf_new"); 1046 1047 if (!success) { 1048 debug3_f("sending failure reply"); 1049 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1050 "Session open refused by peer"); 1051 /* prepare reply */ 1052 goto done; 1053 } 1054 1055 debug3_f("sending success reply"); 1056 /* prepare reply */ 1057 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1058 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1059 (r = sshbuf_put_u32(reply, c->self)) != 0) 1060 fatal_fr(r, "reply"); 1061 1062 done: 1063 /* Send reply */ 1064 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1065 fatal_fr(r, "enqueue"); 1066 sshbuf_free(reply); 1067 1068 if (cc->mux_pause <= 0) 1069 fatal_f("mux_pause %d", cc->mux_pause); 1070 cc->mux_pause = 0; /* start processing messages again */ 1071 c->open_confirm_ctx = NULL; 1072 free(cctx); 1073 } 1074 1075 static int 1076 mux_master_process_stop_listening(struct ssh *ssh, u_int rid, 1077 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1078 { 1079 debug_f("channel %d: stop listening", c->self); 1080 1081 if (options.control_master == SSHCTL_MASTER_ASK || 1082 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1083 if (!ask_permission("Disable further multiplexing on shared " 1084 "connection to %s? ", host)) { 1085 debug2_f("stop listen refused by user"); 1086 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1087 "Permission denied"); 1088 return 0; 1089 } 1090 } 1091 1092 if (mux_listener_channel != NULL) { 1093 channel_free(ssh, mux_listener_channel); 1094 client_stop_mux(); 1095 free(options.control_path); 1096 options.control_path = NULL; 1097 mux_listener_channel = NULL; 1098 muxserver_sock = -1; 1099 } 1100 1101 reply_ok(reply, rid); 1102 return 0; 1103 } 1104 1105 static int 1106 mux_master_process_proxy(struct ssh *ssh, u_int rid, 1107 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1108 { 1109 int r; 1110 1111 debug_f("channel %d: proxy request", c->self); 1112 1113 c->mux_rcb = channel_proxy_downstream; 1114 if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 || 1115 (r = sshbuf_put_u32(reply, rid)) != 0) 1116 fatal_fr(r, "reply"); 1117 1118 return 0; 1119 } 1120 1121 /* Channel callbacks fired on read/write from mux client fd */ 1122 static int 1123 mux_master_read_cb(struct ssh *ssh, Channel *c) 1124 { 1125 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 1126 struct sshbuf *in = NULL, *out = NULL; 1127 u_int type, rid, i; 1128 int r, ret = -1; 1129 1130 if ((out = sshbuf_new()) == NULL) 1131 fatal_f("sshbuf_new"); 1132 1133 /* Setup ctx and */ 1134 if (c->mux_ctx == NULL) { 1135 state = xcalloc(1, sizeof(*state)); 1136 c->mux_ctx = state; 1137 channel_register_cleanup(ssh, c->self, 1138 mux_master_control_cleanup_cb, 0); 1139 1140 /* Send hello */ 1141 if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 || 1142 (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0) 1143 fatal_fr(r, "reply"); 1144 /* no extensions */ 1145 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 1146 fatal_fr(r, "enqueue"); 1147 debug3_f("channel %d: hello sent", c->self); 1148 ret = 0; 1149 goto out; 1150 } 1151 1152 /* Channel code ensures that we receive whole packets */ 1153 if ((r = sshbuf_froms(c->input, &in)) != 0) { 1154 malf: 1155 error_f("malformed message"); 1156 goto out; 1157 } 1158 1159 if ((r = sshbuf_get_u32(in, &type)) != 0) 1160 goto malf; 1161 debug3_f("channel %d packet type 0x%08x len %zu", c->self, 1162 type, sshbuf_len(in)); 1163 1164 if (type == MUX_MSG_HELLO) 1165 rid = 0; 1166 else { 1167 if (!state->hello_rcvd) { 1168 error_f("expected MUX_MSG_HELLO(0x%08x), " 1169 "received 0x%08x", MUX_MSG_HELLO, type); 1170 goto out; 1171 } 1172 if ((r = sshbuf_get_u32(in, &rid)) != 0) 1173 goto malf; 1174 } 1175 1176 for (i = 0; mux_master_handlers[i].handler != NULL; i++) { 1177 if (type == mux_master_handlers[i].type) { 1178 ret = mux_master_handlers[i].handler(ssh, rid, 1179 c, in, out); 1180 break; 1181 } 1182 } 1183 if (mux_master_handlers[i].handler == NULL) { 1184 error_f("unsupported mux message 0x%08x", type); 1185 reply_error(out, MUX_S_FAILURE, rid, "unsupported request"); 1186 ret = 0; 1187 } 1188 /* Enqueue reply packet */ 1189 if (sshbuf_len(out) != 0 && 1190 (r = sshbuf_put_stringb(c->output, out)) != 0) 1191 fatal_fr(r, "enqueue"); 1192 out: 1193 sshbuf_free(in); 1194 sshbuf_free(out); 1195 return ret; 1196 } 1197 1198 void 1199 mux_exit_message(struct ssh *ssh, Channel *c, int exitval) 1200 { 1201 struct sshbuf *m; 1202 Channel *mux_chan; 1203 int r; 1204 1205 debug3_f("channel %d: exit message, exitval %d", c->self, exitval); 1206 1207 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1208 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1209 1210 /* Append exit message packet to control socket output queue */ 1211 if ((m = sshbuf_new()) == NULL) 1212 fatal_f("sshbuf_new"); 1213 if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 || 1214 (r = sshbuf_put_u32(m, c->self)) != 0 || 1215 (r = sshbuf_put_u32(m, exitval)) != 0 || 1216 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1217 fatal_fr(r, "reply"); 1218 sshbuf_free(m); 1219 } 1220 1221 void 1222 mux_tty_alloc_failed(struct ssh *ssh, Channel *c) 1223 { 1224 struct sshbuf *m; 1225 Channel *mux_chan; 1226 int r; 1227 1228 debug3_f("channel %d: TTY alloc failed", c->self); 1229 1230 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1231 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1232 1233 /* Append exit message packet to control socket output queue */ 1234 if ((m = sshbuf_new()) == NULL) 1235 fatal_f("sshbuf_new"); 1236 if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 || 1237 (r = sshbuf_put_u32(m, c->self)) != 0 || 1238 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1239 fatal_fr(r, "reply"); 1240 sshbuf_free(m); 1241 } 1242 1243 /* Prepare a mux master to listen on a Unix domain socket. */ 1244 void 1245 muxserver_listen(struct ssh *ssh) 1246 { 1247 mode_t old_umask; 1248 char *orig_control_path = options.control_path; 1249 char rbuf[16+1]; 1250 u_int i, r; 1251 int oerrno; 1252 1253 if (options.control_path == NULL || 1254 options.control_master == SSHCTL_MASTER_NO) 1255 return; 1256 1257 debug("setting up multiplex master socket"); 1258 1259 /* 1260 * Use a temporary path before listen so we can pseudo-atomically 1261 * establish the listening socket in its final location to avoid 1262 * other processes racing in between bind() and listen() and hitting 1263 * an unready socket. 1264 */ 1265 for (i = 0; i < sizeof(rbuf) - 1; i++) { 1266 r = arc4random_uniform(26+26+10); 1267 rbuf[i] = (r < 26) ? 'a' + r : 1268 (r < 26*2) ? 'A' + r - 26 : 1269 '0' + r - 26 - 26; 1270 } 1271 rbuf[sizeof(rbuf) - 1] = '\0'; 1272 options.control_path = NULL; 1273 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf); 1274 debug3_f("temporary control path %s", options.control_path); 1275 1276 old_umask = umask(0177); 1277 muxserver_sock = unix_listener(options.control_path, 64, 0); 1278 oerrno = errno; 1279 umask(old_umask); 1280 if (muxserver_sock < 0) { 1281 if (oerrno == EINVAL || oerrno == EADDRINUSE) { 1282 error("ControlSocket %s already exists, " 1283 "disabling multiplexing", options.control_path); 1284 disable_mux_master: 1285 if (muxserver_sock != -1) { 1286 close(muxserver_sock); 1287 muxserver_sock = -1; 1288 } 1289 free(orig_control_path); 1290 free(options.control_path); 1291 options.control_path = NULL; 1292 options.control_master = SSHCTL_MASTER_NO; 1293 return; 1294 } else { 1295 /* unix_listener() logs the error */ 1296 cleanup_exit(255); 1297 } 1298 } 1299 1300 /* Now atomically "move" the mux socket into position */ 1301 if (link(options.control_path, orig_control_path) != 0) { 1302 if (errno != EEXIST) { 1303 fatal_f("link mux listener %s => %s: %s", 1304 options.control_path, orig_control_path, 1305 strerror(errno)); 1306 } 1307 error("ControlSocket %s already exists, disabling multiplexing", 1308 orig_control_path); 1309 unlink(options.control_path); 1310 goto disable_mux_master; 1311 } 1312 unlink(options.control_path); 1313 free(options.control_path); 1314 options.control_path = orig_control_path; 1315 1316 set_nonblock(muxserver_sock); 1317 1318 mux_listener_channel = channel_new(ssh, "mux listener", 1319 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1, 1320 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1321 0, options.control_path, 1); 1322 mux_listener_channel->mux_rcb = mux_master_read_cb; 1323 debug3_f("mux listener channel %d fd %d", 1324 mux_listener_channel->self, mux_listener_channel->sock); 1325 } 1326 1327 /* Callback on open confirmation in mux master for a mux client session. */ 1328 static void 1329 mux_session_confirm(struct ssh *ssh, int id, int success, void *arg) 1330 { 1331 struct mux_session_confirm_ctx *cctx = arg; 1332 const char *display; 1333 Channel *c, *cc; 1334 int i, r; 1335 struct sshbuf *reply; 1336 1337 if (cctx == NULL) 1338 fatal_f("cctx == NULL"); 1339 if ((c = channel_by_id(ssh, id)) == NULL) 1340 fatal_f("no channel for id %d", id); 1341 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1342 fatal_f("channel %d lacks control channel %d", 1343 id, c->ctl_chan); 1344 if ((reply = sshbuf_new()) == NULL) 1345 fatal_f("sshbuf_new"); 1346 1347 if (!success) { 1348 debug3_f("sending failure reply"); 1349 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1350 "Session open refused by peer"); 1351 goto done; 1352 } 1353 1354 display = getenv("DISPLAY"); 1355 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 1356 char *proto, *data; 1357 1358 /* Get reasonable local authentication information. */ 1359 if (client_x11_get_proto(ssh, display, options.xauth_location, 1360 options.forward_x11_trusted, options.forward_x11_timeout, 1361 &proto, &data) == 0) { 1362 /* Request forwarding with authentication spoofing. */ 1363 debug("Requesting X11 forwarding with authentication " 1364 "spoofing."); 1365 x11_request_forwarding_with_spoofing(ssh, id, 1366 display, proto, data, 1); 1367 /* XXX exit_on_forward_failure */ 1368 client_expect_confirm(ssh, id, "X11 forwarding", 1369 CONFIRM_WARN); 1370 } 1371 } 1372 1373 if (cctx->want_agent_fwd && options.forward_agent) { 1374 debug("Requesting authentication agent forwarding."); 1375 channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0); 1376 if ((r = sshpkt_send(ssh)) != 0) 1377 fatal_fr(r, "send"); 1378 } 1379 1380 client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys, 1381 cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env); 1382 1383 debug3_f("sending success reply"); 1384 /* prepare reply */ 1385 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1386 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1387 (r = sshbuf_put_u32(reply, c->self)) != 0) 1388 fatal_fr(r, "reply"); 1389 1390 done: 1391 /* Send reply */ 1392 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1393 fatal_fr(r, "enqueue"); 1394 sshbuf_free(reply); 1395 1396 if (cc->mux_pause <= 0) 1397 fatal_f("mux_pause %d", cc->mux_pause); 1398 cc->mux_pause = 0; /* start processing messages again */ 1399 c->open_confirm_ctx = NULL; 1400 sshbuf_free(cctx->cmd); 1401 free(cctx->term); 1402 if (cctx->env != NULL) { 1403 for (i = 0; cctx->env[i] != NULL; i++) 1404 free(cctx->env[i]); 1405 free(cctx->env); 1406 } 1407 free(cctx); 1408 } 1409 1410 /* ** Multiplexing client support */ 1411 1412 /* Exit signal handler */ 1413 static void 1414 control_client_sighandler(int signo) 1415 { 1416 muxclient_terminate = signo; 1417 } 1418 1419 /* 1420 * Relay signal handler - used to pass some signals from mux client to 1421 * mux master. 1422 */ 1423 static void 1424 control_client_sigrelay(int signo) 1425 { 1426 int save_errno = errno; 1427 1428 if (muxserver_pid > 1) 1429 kill(muxserver_pid, signo); 1430 1431 errno = save_errno; 1432 } 1433 1434 static int 1435 mux_client_read(int fd, struct sshbuf *b, size_t need) 1436 { 1437 size_t have; 1438 ssize_t len; 1439 u_char *p; 1440 struct pollfd pfd; 1441 int r; 1442 1443 pfd.fd = fd; 1444 pfd.events = POLLIN; 1445 if ((r = sshbuf_reserve(b, need, &p)) != 0) 1446 fatal_fr(r, "reserve"); 1447 for (have = 0; have < need; ) { 1448 if (muxclient_terminate) { 1449 errno = EINTR; 1450 return -1; 1451 } 1452 len = read(fd, p + have, need - have); 1453 if (len == -1) { 1454 switch (errno) { 1455 case EAGAIN: 1456 (void)poll(&pfd, 1, -1); 1457 /* FALLTHROUGH */ 1458 case EINTR: 1459 continue; 1460 default: 1461 return -1; 1462 } 1463 } 1464 if (len == 0) { 1465 errno = EPIPE; 1466 return -1; 1467 } 1468 have += (size_t)len; 1469 } 1470 return 0; 1471 } 1472 1473 static int 1474 mux_client_write_packet(int fd, struct sshbuf *m) 1475 { 1476 struct sshbuf *queue; 1477 u_int have, need; 1478 int r, oerrno, len; 1479 const u_char *ptr; 1480 struct pollfd pfd; 1481 1482 pfd.fd = fd; 1483 pfd.events = POLLOUT; 1484 if ((queue = sshbuf_new()) == NULL) 1485 fatal_f("sshbuf_new"); 1486 if ((r = sshbuf_put_stringb(queue, m)) != 0) 1487 fatal_fr(r, "enqueue"); 1488 1489 need = sshbuf_len(queue); 1490 ptr = sshbuf_ptr(queue); 1491 1492 for (have = 0; have < need; ) { 1493 if (muxclient_terminate) { 1494 sshbuf_free(queue); 1495 errno = EINTR; 1496 return -1; 1497 } 1498 len = write(fd, ptr + have, need - have); 1499 if (len == -1) { 1500 switch (errno) { 1501 case EAGAIN: 1502 (void)poll(&pfd, 1, -1); 1503 /* FALLTHROUGH */ 1504 case EINTR: 1505 continue; 1506 default: 1507 oerrno = errno; 1508 sshbuf_free(queue); 1509 errno = oerrno; 1510 return -1; 1511 } 1512 } 1513 if (len == 0) { 1514 sshbuf_free(queue); 1515 errno = EPIPE; 1516 return -1; 1517 } 1518 have += (u_int)len; 1519 } 1520 sshbuf_free(queue); 1521 return 0; 1522 } 1523 1524 static int 1525 mux_client_read_packet(int fd, struct sshbuf *m) 1526 { 1527 struct sshbuf *queue; 1528 size_t need, have; 1529 const u_char *ptr; 1530 int r, oerrno; 1531 1532 if ((queue = sshbuf_new()) == NULL) 1533 fatal_f("sshbuf_new"); 1534 if (mux_client_read(fd, queue, 4) != 0) { 1535 if ((oerrno = errno) == EPIPE) 1536 debug3_f("read header failed: %s", 1537 strerror(errno)); 1538 sshbuf_free(queue); 1539 errno = oerrno; 1540 return -1; 1541 } 1542 need = PEEK_U32(sshbuf_ptr(queue)); 1543 if (mux_client_read(fd, queue, need) != 0) { 1544 oerrno = errno; 1545 debug3_f("read body failed: %s", strerror(errno)); 1546 sshbuf_free(queue); 1547 errno = oerrno; 1548 return -1; 1549 } 1550 if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 || 1551 (r = sshbuf_put(m, ptr, have)) != 0) 1552 fatal_fr(r, "dequeue"); 1553 sshbuf_free(queue); 1554 return 0; 1555 } 1556 1557 static int 1558 mux_client_hello_exchange(int fd) 1559 { 1560 struct sshbuf *m; 1561 u_int type, ver; 1562 int r, ret = -1; 1563 1564 if ((m = sshbuf_new()) == NULL) 1565 fatal_f("sshbuf_new"); 1566 if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 || 1567 (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0) 1568 fatal_fr(r, "assemble hello"); 1569 /* no extensions */ 1570 1571 if (mux_client_write_packet(fd, m) != 0) { 1572 debug_f("write packet: %s", strerror(errno)); 1573 goto out; 1574 } 1575 1576 sshbuf_reset(m); 1577 1578 /* Read their HELLO */ 1579 if (mux_client_read_packet(fd, m) != 0) { 1580 debug_f("read packet failed"); 1581 goto out; 1582 } 1583 1584 if ((r = sshbuf_get_u32(m, &type)) != 0) 1585 fatal_fr(r, "parse type"); 1586 if (type != MUX_MSG_HELLO) { 1587 error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type); 1588 goto out; 1589 } 1590 if ((r = sshbuf_get_u32(m, &ver)) != 0) 1591 fatal_fr(r, "parse version"); 1592 if (ver != SSHMUX_VER) { 1593 error("Unsupported multiplexing protocol version %d " 1594 "(expected %d)", ver, SSHMUX_VER); 1595 goto out; 1596 } 1597 debug2_f("master version %u", ver); 1598 /* No extensions are presently defined */ 1599 while (sshbuf_len(m) > 0) { 1600 char *name = NULL; 1601 1602 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 1603 (r = sshbuf_skip_string(m)) != 0) { /* value */ 1604 error_fr(r, "parse extension"); 1605 goto out; 1606 } 1607 debug2("Unrecognised master extension \"%s\"", name); 1608 free(name); 1609 } 1610 /* success */ 1611 ret = 0; 1612 out: 1613 sshbuf_free(m); 1614 return ret; 1615 } 1616 1617 static u_int 1618 mux_client_request_alive(int fd) 1619 { 1620 struct sshbuf *m; 1621 char *e; 1622 u_int pid, type, rid; 1623 int r; 1624 1625 debug3_f("entering"); 1626 1627 if ((m = sshbuf_new()) == NULL) 1628 fatal_f("sshbuf_new"); 1629 if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 || 1630 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1631 fatal_fr(r, "assemble"); 1632 1633 if (mux_client_write_packet(fd, m) != 0) 1634 fatal_f("write packet: %s", strerror(errno)); 1635 1636 sshbuf_reset(m); 1637 1638 /* Read their reply */ 1639 if (mux_client_read_packet(fd, m) != 0) { 1640 sshbuf_free(m); 1641 return 0; 1642 } 1643 1644 if ((r = sshbuf_get_u32(m, &type)) != 0) 1645 fatal_fr(r, "parse type"); 1646 if (type != MUX_S_ALIVE) { 1647 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1648 fatal_fr(r, "parse error message"); 1649 fatal_f("master returned error: %s", e); 1650 } 1651 1652 if ((r = sshbuf_get_u32(m, &rid)) != 0) 1653 fatal_fr(r, "parse remote ID"); 1654 if (rid != muxclient_request_id) 1655 fatal_f("out of sequence reply: my id %u theirs %u", 1656 muxclient_request_id, rid); 1657 if ((r = sshbuf_get_u32(m, &pid)) != 0) 1658 fatal_fr(r, "parse PID"); 1659 sshbuf_free(m); 1660 1661 debug3_f("done pid = %u", pid); 1662 1663 muxclient_request_id++; 1664 1665 return pid; 1666 } 1667 1668 static void 1669 mux_client_request_terminate(int fd) 1670 { 1671 struct sshbuf *m; 1672 char *e; 1673 u_int type, rid; 1674 int r; 1675 1676 debug3_f("entering"); 1677 1678 if ((m = sshbuf_new()) == NULL) 1679 fatal_f("sshbuf_new"); 1680 if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 || 1681 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1682 fatal_fr(r, "request"); 1683 1684 if (mux_client_write_packet(fd, m) != 0) 1685 fatal_f("write packet: %s", strerror(errno)); 1686 1687 sshbuf_reset(m); 1688 1689 /* Read their reply */ 1690 if (mux_client_read_packet(fd, m) != 0) { 1691 /* Remote end exited already */ 1692 if (errno == EPIPE) { 1693 sshbuf_free(m); 1694 return; 1695 } 1696 fatal_f("read from master failed: %s", strerror(errno)); 1697 } 1698 1699 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1700 (r = sshbuf_get_u32(m, &rid)) != 0) 1701 fatal_fr(r, "parse"); 1702 if (rid != muxclient_request_id) 1703 fatal_f("out of sequence reply: my id %u theirs %u", 1704 muxclient_request_id, rid); 1705 switch (type) { 1706 case MUX_S_OK: 1707 break; 1708 case MUX_S_PERMISSION_DENIED: 1709 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1710 fatal_fr(r, "parse error message"); 1711 fatal("Master refused termination request: %s", e); 1712 case MUX_S_FAILURE: 1713 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1714 fatal_fr(r, "parse error message"); 1715 fatal_f("termination request failed: %s", e); 1716 default: 1717 fatal_f("unexpected response from master 0x%08x", type); 1718 } 1719 sshbuf_free(m); 1720 muxclient_request_id++; 1721 } 1722 1723 static int 1724 mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) 1725 { 1726 struct sshbuf *m; 1727 char *e, *fwd_desc; 1728 const char *lhost, *chost; 1729 u_int type, rid; 1730 int r; 1731 1732 fwd_desc = format_forward(ftype, fwd); 1733 debug("Requesting %s %s", 1734 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1735 free(fwd_desc); 1736 1737 type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD; 1738 if (fwd->listen_path != NULL) 1739 lhost = fwd->listen_path; 1740 else if (fwd->listen_host == NULL) 1741 lhost = ""; 1742 else if (*fwd->listen_host == '\0') 1743 lhost = "*"; 1744 else 1745 lhost = fwd->listen_host; 1746 1747 if (fwd->connect_path != NULL) 1748 chost = fwd->connect_path; 1749 else if (fwd->connect_host == NULL) 1750 chost = ""; 1751 else 1752 chost = fwd->connect_host; 1753 1754 if ((m = sshbuf_new()) == NULL) 1755 fatal_f("sshbuf_new"); 1756 if ((r = sshbuf_put_u32(m, type)) != 0 || 1757 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1758 (r = sshbuf_put_u32(m, ftype)) != 0 || 1759 (r = sshbuf_put_cstring(m, lhost)) != 0 || 1760 (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 || 1761 (r = sshbuf_put_cstring(m, chost)) != 0 || 1762 (r = sshbuf_put_u32(m, fwd->connect_port)) != 0) 1763 fatal_fr(r, "request"); 1764 1765 if (mux_client_write_packet(fd, m) != 0) 1766 fatal_f("write packet: %s", strerror(errno)); 1767 1768 sshbuf_reset(m); 1769 1770 /* Read their reply */ 1771 if (mux_client_read_packet(fd, m) != 0) { 1772 sshbuf_free(m); 1773 return -1; 1774 } 1775 1776 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1777 (r = sshbuf_get_u32(m, &rid)) != 0) 1778 fatal_fr(r, "parse"); 1779 if (rid != muxclient_request_id) 1780 fatal_f("out of sequence reply: my id %u theirs %u", 1781 muxclient_request_id, rid); 1782 1783 switch (type) { 1784 case MUX_S_OK: 1785 break; 1786 case MUX_S_REMOTE_PORT: 1787 if (cancel_flag) 1788 fatal_f("got MUX_S_REMOTE_PORT for cancel"); 1789 if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0) 1790 fatal_fr(r, "parse port"); 1791 verbose("Allocated port %u for remote forward to %s:%d", 1792 fwd->allocated_port, 1793 fwd->connect_host ? fwd->connect_host : "", 1794 fwd->connect_port); 1795 if (muxclient_command == SSHMUX_COMMAND_FORWARD) 1796 fprintf(stdout, "%i\n", fwd->allocated_port); 1797 break; 1798 case MUX_S_PERMISSION_DENIED: 1799 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1800 fatal_fr(r, "parse error message"); 1801 sshbuf_free(m); 1802 error("Master refused forwarding request: %s", e); 1803 return -1; 1804 case MUX_S_FAILURE: 1805 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1806 fatal_fr(r, "parse error message"); 1807 sshbuf_free(m); 1808 error_f("forwarding request failed: %s", e); 1809 return -1; 1810 default: 1811 fatal_f("unexpected response from master 0x%08x", type); 1812 } 1813 sshbuf_free(m); 1814 1815 muxclient_request_id++; 1816 return 0; 1817 } 1818 1819 static int 1820 mux_client_forwards(int fd, int cancel_flag) 1821 { 1822 int i, ret = 0; 1823 1824 debug3_f("%s forwardings: %d local, %d remote", 1825 cancel_flag ? "cancel" : "request", 1826 options.num_local_forwards, options.num_remote_forwards); 1827 1828 /* XXX ExitOnForwardingFailure */ 1829 for (i = 0; i < options.num_local_forwards; i++) { 1830 if (mux_client_forward(fd, cancel_flag, 1831 options.local_forwards[i].connect_port == 0 ? 1832 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL, 1833 options.local_forwards + i) != 0) 1834 ret = -1; 1835 } 1836 for (i = 0; i < options.num_remote_forwards; i++) { 1837 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE, 1838 options.remote_forwards + i) != 0) 1839 ret = -1; 1840 } 1841 return ret; 1842 } 1843 1844 static int 1845 mux_client_request_session(int fd) 1846 { 1847 struct sshbuf *m; 1848 char *e; 1849 const char *term = NULL; 1850 u_int i, echar, rid, sid, esid, exitval, type, exitval_seen; 1851 extern char **environ; 1852 int r, rawmode; 1853 1854 debug3_f("entering"); 1855 1856 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1857 error_f("master alive request failed"); 1858 return -1; 1859 } 1860 1861 ssh_signal(SIGPIPE, SIG_IGN); 1862 1863 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 1864 fatal_f("stdfd_devnull failed"); 1865 1866 if ((term = lookup_env_in_list("TERM", options.setenv, 1867 options.num_setenv)) == NULL || *term == '\0') 1868 term = getenv("TERM"); 1869 1870 echar = 0xffffffff; 1871 if (options.escape_char != SSH_ESCAPECHAR_NONE) 1872 echar = (u_int)options.escape_char; 1873 1874 if ((m = sshbuf_new()) == NULL) 1875 fatal_f("sshbuf_new"); 1876 if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 || 1877 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1878 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 1879 (r = sshbuf_put_u32(m, tty_flag)) != 0 || 1880 (r = sshbuf_put_u32(m, options.forward_x11)) != 0 || 1881 (r = sshbuf_put_u32(m, options.forward_agent)) != 0 || 1882 (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 || 1883 (r = sshbuf_put_u32(m, echar)) != 0 || 1884 (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 || 1885 (r = sshbuf_put_stringb(m, command)) != 0) 1886 fatal_fr(r, "request"); 1887 1888 /* Pass environment */ 1889 if (options.num_send_env > 0 && environ != NULL) { 1890 for (i = 0; environ[i] != NULL; i++) { 1891 if (!env_permitted(environ[i])) 1892 continue; 1893 if ((r = sshbuf_put_cstring(m, environ[i])) != 0) 1894 fatal_fr(r, "request sendenv"); 1895 } 1896 } 1897 for (i = 0; i < options.num_setenv; i++) { 1898 if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0) 1899 fatal_fr(r, "request setenv"); 1900 } 1901 1902 if (mux_client_write_packet(fd, m) != 0) 1903 fatal_f("write packet: %s", strerror(errno)); 1904 1905 /* Send the stdio file descriptors */ 1906 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1907 mm_send_fd(fd, STDOUT_FILENO) == -1 || 1908 mm_send_fd(fd, STDERR_FILENO) == -1) 1909 fatal_f("send fds failed"); 1910 1911 debug3_f("session request sent"); 1912 1913 /* Read their reply */ 1914 sshbuf_reset(m); 1915 if (mux_client_read_packet(fd, m) != 0) { 1916 error_f("read from master failed: %s", strerror(errno)); 1917 sshbuf_free(m); 1918 return -1; 1919 } 1920 1921 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1922 (r = sshbuf_get_u32(m, &rid)) != 0) 1923 fatal_fr(r, "parse"); 1924 if (rid != muxclient_request_id) 1925 fatal_f("out of sequence reply: my id %u theirs %u", 1926 muxclient_request_id, rid); 1927 1928 switch (type) { 1929 case MUX_S_SESSION_OPENED: 1930 if ((r = sshbuf_get_u32(m, &sid)) != 0) 1931 fatal_fr(r, "parse session ID"); 1932 debug_f("master session id: %u", sid); 1933 break; 1934 case MUX_S_PERMISSION_DENIED: 1935 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1936 fatal_fr(r, "parse error message"); 1937 error("Master refused session request: %s", e); 1938 sshbuf_free(m); 1939 return -1; 1940 case MUX_S_FAILURE: 1941 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1942 fatal_fr(r, "parse error message"); 1943 error_f("session request failed: %s", e); 1944 sshbuf_free(m); 1945 return -1; 1946 default: 1947 sshbuf_free(m); 1948 error_f("unexpected response from master 0x%08x", type); 1949 return -1; 1950 } 1951 muxclient_request_id++; 1952 1953 if (pledge("stdio proc tty", NULL) == -1) 1954 fatal_f("pledge(): %s", strerror(errno)); 1955 1956 ssh_signal(SIGHUP, control_client_sighandler); 1957 ssh_signal(SIGINT, control_client_sighandler); 1958 ssh_signal(SIGTERM, control_client_sighandler); 1959 ssh_signal(SIGWINCH, control_client_sigrelay); 1960 1961 rawmode = tty_flag; 1962 if (tty_flag) 1963 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1964 1965 /* 1966 * Stick around until the controlee closes the client_fd. 1967 * Before it does, it is expected to write an exit message. 1968 * This process must read the value and wait for the closure of 1969 * the client_fd; if this one closes early, the multiplex master will 1970 * terminate early too (possibly losing data). 1971 */ 1972 for (exitval = 255, exitval_seen = 0;;) { 1973 sshbuf_reset(m); 1974 if (mux_client_read_packet(fd, m) != 0) 1975 break; 1976 if ((r = sshbuf_get_u32(m, &type)) != 0) 1977 fatal_fr(r, "parse type"); 1978 switch (type) { 1979 case MUX_S_TTY_ALLOC_FAIL: 1980 if ((r = sshbuf_get_u32(m, &esid)) != 0) 1981 fatal_fr(r, "parse session ID"); 1982 if (esid != sid) 1983 fatal_f("tty alloc fail on unknown session: " 1984 "my id %u theirs %u", sid, esid); 1985 leave_raw_mode(options.request_tty == 1986 REQUEST_TTY_FORCE); 1987 rawmode = 0; 1988 continue; 1989 case MUX_S_EXIT_MESSAGE: 1990 if ((r = sshbuf_get_u32(m, &esid)) != 0) 1991 fatal_fr(r, "parse session ID"); 1992 if (esid != sid) 1993 fatal_f("exit on unknown session: " 1994 "my id %u theirs %u", sid, esid); 1995 if (exitval_seen) 1996 fatal_f("exitval sent twice"); 1997 if ((r = sshbuf_get_u32(m, &exitval)) != 0) 1998 fatal_fr(r, "parse exitval"); 1999 exitval_seen = 1; 2000 continue; 2001 default: 2002 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2003 fatal_fr(r, "parse error message"); 2004 fatal_f("master returned error: %s", e); 2005 } 2006 } 2007 2008 close(fd); 2009 if (rawmode) 2010 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 2011 2012 if (muxclient_terminate) { 2013 debug2("Exiting on signal: %s", strsignal(muxclient_terminate)); 2014 exitval = 255; 2015 } else if (!exitval_seen) { 2016 debug2("Control master terminated unexpectedly"); 2017 exitval = 255; 2018 } else 2019 debug2("Received exit status from master %d", exitval); 2020 2021 if (tty_flag && options.log_level >= SYSLOG_LEVEL_INFO) 2022 fprintf(stderr, "Shared connection to %s closed.\r\n", host); 2023 2024 exit(exitval); 2025 } 2026 2027 static int 2028 mux_client_proxy(int fd) 2029 { 2030 struct sshbuf *m; 2031 char *e; 2032 u_int type, rid; 2033 int r; 2034 2035 if ((m = sshbuf_new()) == NULL) 2036 fatal_f("sshbuf_new"); 2037 if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 || 2038 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2039 fatal_fr(r, "request"); 2040 if (mux_client_write_packet(fd, m) != 0) 2041 fatal_f("write packet: %s", strerror(errno)); 2042 2043 sshbuf_reset(m); 2044 2045 /* Read their reply */ 2046 if (mux_client_read_packet(fd, m) != 0) { 2047 sshbuf_free(m); 2048 return 0; 2049 } 2050 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2051 (r = sshbuf_get_u32(m, &rid)) != 0) 2052 fatal_fr(r, "parse"); 2053 if (rid != muxclient_request_id) 2054 fatal_f("out of sequence reply: my id %u theirs %u", 2055 muxclient_request_id, rid); 2056 if (type != MUX_S_PROXY) { 2057 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2058 fatal_fr(r, "parse error message"); 2059 fatal_f("master returned error: %s", e); 2060 } 2061 sshbuf_free(m); 2062 2063 debug3_f("done"); 2064 muxclient_request_id++; 2065 return 0; 2066 } 2067 2068 static int 2069 mux_client_request_stdio_fwd(int fd) 2070 { 2071 struct sshbuf *m; 2072 char *e; 2073 u_int type, rid, sid; 2074 int r; 2075 2076 debug3_f("entering"); 2077 2078 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 2079 error_f("master alive request failed"); 2080 return -1; 2081 } 2082 2083 ssh_signal(SIGPIPE, SIG_IGN); 2084 2085 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 2086 fatal_f("stdfd_devnull failed"); 2087 2088 if ((m = sshbuf_new()) == NULL) 2089 fatal_f("sshbuf_new"); 2090 if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 || 2091 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 2092 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 2093 (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 || 2094 (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0) 2095 fatal_fr(r, "request"); 2096 2097 if (mux_client_write_packet(fd, m) != 0) 2098 fatal_f("write packet: %s", strerror(errno)); 2099 2100 /* Send the stdio file descriptors */ 2101 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 2102 mm_send_fd(fd, STDOUT_FILENO) == -1) 2103 fatal_f("send fds failed"); 2104 2105 if (pledge("stdio proc tty", NULL) == -1) 2106 fatal_f("pledge(): %s", strerror(errno)); 2107 2108 debug3_f("stdio forward request sent"); 2109 2110 /* Read their reply */ 2111 sshbuf_reset(m); 2112 2113 if (mux_client_read_packet(fd, m) != 0) { 2114 error_f("read from master failed: %s", strerror(errno)); 2115 sshbuf_free(m); 2116 return -1; 2117 } 2118 2119 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2120 (r = sshbuf_get_u32(m, &rid)) != 0) 2121 fatal_fr(r, "parse"); 2122 if (rid != muxclient_request_id) 2123 fatal_f("out of sequence reply: my id %u theirs %u", 2124 muxclient_request_id, rid); 2125 switch (type) { 2126 case MUX_S_SESSION_OPENED: 2127 if ((r = sshbuf_get_u32(m, &sid)) != 0) 2128 fatal_fr(r, "parse session ID"); 2129 debug_f("master session id: %u", sid); 2130 break; 2131 case MUX_S_PERMISSION_DENIED: 2132 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2133 fatal_fr(r, "parse error message"); 2134 sshbuf_free(m); 2135 fatal("Master refused stdio forwarding request: %s", e); 2136 case MUX_S_FAILURE: 2137 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2138 fatal_fr(r, "parse error message"); 2139 sshbuf_free(m); 2140 fatal("Stdio forwarding request failed: %s", e); 2141 default: 2142 sshbuf_free(m); 2143 error_f("unexpected response from master 0x%08x", type); 2144 return -1; 2145 } 2146 muxclient_request_id++; 2147 2148 ssh_signal(SIGHUP, control_client_sighandler); 2149 ssh_signal(SIGINT, control_client_sighandler); 2150 ssh_signal(SIGTERM, control_client_sighandler); 2151 ssh_signal(SIGWINCH, control_client_sigrelay); 2152 2153 /* 2154 * Stick around until the controlee closes the client_fd. 2155 */ 2156 sshbuf_reset(m); 2157 if (mux_client_read_packet(fd, m) != 0) { 2158 if (errno == EPIPE || 2159 (errno == EINTR && muxclient_terminate != 0)) 2160 return 0; 2161 fatal_f("mux_client_read_packet: %s", strerror(errno)); 2162 } 2163 fatal_f("master returned unexpected message %u", type); 2164 } 2165 2166 static void 2167 mux_client_request_stop_listening(int fd) 2168 { 2169 struct sshbuf *m; 2170 char *e; 2171 u_int type, rid; 2172 int r; 2173 2174 debug3_f("entering"); 2175 2176 if ((m = sshbuf_new()) == NULL) 2177 fatal_f("sshbuf_new"); 2178 if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 || 2179 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2180 fatal_fr(r, "request"); 2181 2182 if (mux_client_write_packet(fd, m) != 0) 2183 fatal_f("write packet: %s", strerror(errno)); 2184 2185 sshbuf_reset(m); 2186 2187 /* Read their reply */ 2188 if (mux_client_read_packet(fd, m) != 0) 2189 fatal_f("read from master failed: %s", strerror(errno)); 2190 2191 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2192 (r = sshbuf_get_u32(m, &rid)) != 0) 2193 fatal_fr(r, "parse"); 2194 if (rid != muxclient_request_id) 2195 fatal_f("out of sequence reply: my id %u theirs %u", 2196 muxclient_request_id, rid); 2197 2198 switch (type) { 2199 case MUX_S_OK: 2200 break; 2201 case MUX_S_PERMISSION_DENIED: 2202 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2203 fatal_fr(r, "parse error message"); 2204 fatal("Master refused stop listening request: %s", e); 2205 case MUX_S_FAILURE: 2206 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2207 fatal_fr(r, "parse error message"); 2208 fatal_f("stop listening request failed: %s", e); 2209 default: 2210 fatal_f("unexpected response from master 0x%08x", type); 2211 } 2212 sshbuf_free(m); 2213 muxclient_request_id++; 2214 } 2215 2216 /* Multiplex client main loop. */ 2217 int 2218 muxclient(const char *path) 2219 { 2220 struct sockaddr_un addr; 2221 int sock; 2222 u_int pid; 2223 2224 if (muxclient_command == 0) { 2225 if (options.stdio_forward_host != NULL) 2226 muxclient_command = SSHMUX_COMMAND_STDIO_FWD; 2227 else 2228 muxclient_command = SSHMUX_COMMAND_OPEN; 2229 } 2230 2231 switch (options.control_master) { 2232 case SSHCTL_MASTER_AUTO: 2233 case SSHCTL_MASTER_AUTO_ASK: 2234 debug("auto-mux: Trying existing master"); 2235 /* FALLTHROUGH */ 2236 case SSHCTL_MASTER_NO: 2237 break; 2238 default: 2239 return -1; 2240 } 2241 2242 memset(&addr, '\0', sizeof(addr)); 2243 addr.sun_family = AF_UNIX; 2244 2245 if (strlcpy(addr.sun_path, path, 2246 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 2247 fatal("ControlPath too long ('%s' >= %u bytes)", path, 2248 (unsigned int)sizeof(addr.sun_path)); 2249 2250 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) 2251 fatal_f("socket(): %s", strerror(errno)); 2252 2253 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) { 2254 switch (muxclient_command) { 2255 case SSHMUX_COMMAND_OPEN: 2256 case SSHMUX_COMMAND_STDIO_FWD: 2257 break; 2258 default: 2259 fatal("Control socket connect(%.100s): %s", path, 2260 strerror(errno)); 2261 } 2262 if (errno == ECONNREFUSED && 2263 options.control_master != SSHCTL_MASTER_NO) { 2264 debug("Stale control socket %.100s, unlinking", path); 2265 unlink(path); 2266 } else if (errno == ENOENT) { 2267 debug("Control socket \"%.100s\" does not exist", path); 2268 } else { 2269 error("Control socket connect(%.100s): %s", path, 2270 strerror(errno)); 2271 } 2272 close(sock); 2273 return -1; 2274 } 2275 set_nonblock(sock); 2276 2277 if (mux_client_hello_exchange(sock) != 0) { 2278 error_f("master hello exchange failed"); 2279 close(sock); 2280 return -1; 2281 } 2282 2283 switch (muxclient_command) { 2284 case SSHMUX_COMMAND_ALIVE_CHECK: 2285 if ((pid = mux_client_request_alive(sock)) == 0) 2286 fatal_f("master alive check failed"); 2287 fprintf(stderr, "Master running (pid=%u)\r\n", pid); 2288 exit(0); 2289 case SSHMUX_COMMAND_TERMINATE: 2290 mux_client_request_terminate(sock); 2291 if (options.log_level != SYSLOG_LEVEL_QUIET) 2292 fprintf(stderr, "Exit request sent.\r\n"); 2293 exit(0); 2294 case SSHMUX_COMMAND_FORWARD: 2295 if (mux_client_forwards(sock, 0) != 0) 2296 fatal_f("master forward request failed"); 2297 exit(0); 2298 case SSHMUX_COMMAND_OPEN: 2299 if (mux_client_forwards(sock, 0) != 0) { 2300 error_f("master forward request failed"); 2301 return -1; 2302 } 2303 mux_client_request_session(sock); 2304 return -1; 2305 case SSHMUX_COMMAND_STDIO_FWD: 2306 mux_client_request_stdio_fwd(sock); 2307 exit(0); 2308 case SSHMUX_COMMAND_STOP: 2309 mux_client_request_stop_listening(sock); 2310 if (options.log_level != SYSLOG_LEVEL_QUIET) 2311 fprintf(stderr, "Stop listening request sent.\r\n"); 2312 exit(0); 2313 case SSHMUX_COMMAND_CANCEL_FWD: 2314 if (mux_client_forwards(sock, 1) != 0) 2315 error_f("master cancel forward request failed"); 2316 exit(0); 2317 case SSHMUX_COMMAND_PROXY: 2318 mux_client_proxy(sock); 2319 return (sock); 2320 default: 2321 fatal("unrecognised muxclient_command %d", muxclient_command); 2322 } 2323 } 2324