1 /* $OpenBSD: mux.c,v 1.91 2021/07/23 04:00:59 djm Exp $ */ 2 /* 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* ssh session multiplexing support */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/stat.h> 23 #include <sys/socket.h> 24 #include <sys/un.h> 25 26 #include <errno.h> 27 #include <fcntl.h> 28 #include <poll.h> 29 #include <signal.h> 30 #include <stdarg.h> 31 #include <stddef.h> 32 #include <stdlib.h> 33 #include <stdio.h> 34 #include <string.h> 35 #include <unistd.h> 36 #include <util.h> 37 #include <paths.h> 38 39 #include "atomicio.h" 40 #include "xmalloc.h" 41 #include "log.h" 42 #include "ssh.h" 43 #include "ssh2.h" 44 #include "pathnames.h" 45 #include "misc.h" 46 #include "match.h" 47 #include "sshbuf.h" 48 #include "channels.h" 49 #include "msg.h" 50 #include "packet.h" 51 #include "monitor_fdpass.h" 52 #include "sshpty.h" 53 #include "sshkey.h" 54 #include "readconf.h" 55 #include "clientloop.h" 56 #include "ssherr.h" 57 58 /* from ssh.c */ 59 extern int tty_flag; 60 extern Options options; 61 extern char *host; 62 extern struct sshbuf *command; 63 extern volatile sig_atomic_t quit_pending; 64 65 /* Context for session open confirmation callback */ 66 struct mux_session_confirm_ctx { 67 u_int want_tty; 68 u_int want_subsys; 69 u_int want_x_fwd; 70 u_int want_agent_fwd; 71 struct sshbuf *cmd; 72 char *term; 73 struct termios tio; 74 char **env; 75 u_int rid; 76 }; 77 78 /* Context for stdio fwd open confirmation callback */ 79 struct mux_stdio_confirm_ctx { 80 u_int rid; 81 }; 82 83 /* Context for global channel callback */ 84 struct mux_channel_confirm_ctx { 85 u_int cid; /* channel id */ 86 u_int rid; /* request id */ 87 int fid; /* forward id */ 88 }; 89 90 /* fd to control socket */ 91 int muxserver_sock = -1; 92 93 /* client request id */ 94 u_int muxclient_request_id = 0; 95 96 /* Multiplexing control command */ 97 u_int muxclient_command = 0; 98 99 /* Set when signalled. */ 100 static volatile sig_atomic_t muxclient_terminate = 0; 101 102 /* PID of multiplex server */ 103 static u_int muxserver_pid = 0; 104 105 static Channel *mux_listener_channel = NULL; 106 107 struct mux_master_state { 108 int hello_rcvd; 109 }; 110 111 /* mux protocol messages */ 112 #define MUX_MSG_HELLO 0x00000001 113 #define MUX_C_NEW_SESSION 0x10000002 114 #define MUX_C_ALIVE_CHECK 0x10000004 115 #define MUX_C_TERMINATE 0x10000005 116 #define MUX_C_OPEN_FWD 0x10000006 117 #define MUX_C_CLOSE_FWD 0x10000007 118 #define MUX_C_NEW_STDIO_FWD 0x10000008 119 #define MUX_C_STOP_LISTENING 0x10000009 120 #define MUX_C_PROXY 0x1000000f 121 #define MUX_S_OK 0x80000001 122 #define MUX_S_PERMISSION_DENIED 0x80000002 123 #define MUX_S_FAILURE 0x80000003 124 #define MUX_S_EXIT_MESSAGE 0x80000004 125 #define MUX_S_ALIVE 0x80000005 126 #define MUX_S_SESSION_OPENED 0x80000006 127 #define MUX_S_REMOTE_PORT 0x80000007 128 #define MUX_S_TTY_ALLOC_FAIL 0x80000008 129 #define MUX_S_PROXY 0x8000000f 130 131 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ 132 #define MUX_FWD_LOCAL 1 133 #define MUX_FWD_REMOTE 2 134 #define MUX_FWD_DYNAMIC 3 135 136 static void mux_session_confirm(struct ssh *, int, int, void *); 137 static void mux_stdio_confirm(struct ssh *, int, int, void *); 138 139 static int mux_master_process_hello(struct ssh *, u_int, 140 Channel *, struct sshbuf *, struct sshbuf *); 141 static int mux_master_process_new_session(struct ssh *, u_int, 142 Channel *, struct sshbuf *, struct sshbuf *); 143 static int mux_master_process_alive_check(struct ssh *, u_int, 144 Channel *, struct sshbuf *, struct sshbuf *); 145 static int mux_master_process_terminate(struct ssh *, u_int, 146 Channel *, struct sshbuf *, struct sshbuf *); 147 static int mux_master_process_open_fwd(struct ssh *, u_int, 148 Channel *, struct sshbuf *, struct sshbuf *); 149 static int mux_master_process_close_fwd(struct ssh *, u_int, 150 Channel *, struct sshbuf *, struct sshbuf *); 151 static int mux_master_process_stdio_fwd(struct ssh *, u_int, 152 Channel *, struct sshbuf *, struct sshbuf *); 153 static int mux_master_process_stop_listening(struct ssh *, u_int, 154 Channel *, struct sshbuf *, struct sshbuf *); 155 static int mux_master_process_proxy(struct ssh *, u_int, 156 Channel *, struct sshbuf *, struct sshbuf *); 157 158 static const struct { 159 u_int type; 160 int (*handler)(struct ssh *, u_int, Channel *, 161 struct sshbuf *, struct sshbuf *); 162 } mux_master_handlers[] = { 163 { MUX_MSG_HELLO, mux_master_process_hello }, 164 { MUX_C_NEW_SESSION, mux_master_process_new_session }, 165 { MUX_C_ALIVE_CHECK, mux_master_process_alive_check }, 166 { MUX_C_TERMINATE, mux_master_process_terminate }, 167 { MUX_C_OPEN_FWD, mux_master_process_open_fwd }, 168 { MUX_C_CLOSE_FWD, mux_master_process_close_fwd }, 169 { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd }, 170 { MUX_C_STOP_LISTENING, mux_master_process_stop_listening }, 171 { MUX_C_PROXY, mux_master_process_proxy }, 172 { 0, NULL } 173 }; 174 175 /* Cleanup callback fired on closure of mux client _session_ channel */ 176 /* ARGSUSED */ 177 static void 178 mux_master_session_cleanup_cb(struct ssh *ssh, int cid, void *unused) 179 { 180 Channel *cc, *c = channel_by_id(ssh, cid); 181 182 debug3_f("entering for channel %d", cid); 183 if (c == NULL) 184 fatal_f("channel_by_id(%i) == NULL", cid); 185 if (c->ctl_chan != -1) { 186 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 187 fatal_f("channel %d missing control channel %d", 188 c->self, c->ctl_chan); 189 c->ctl_chan = -1; 190 cc->remote_id = 0; 191 cc->have_remote_id = 0; 192 chan_rcvd_oclose(ssh, cc); 193 } 194 channel_cancel_cleanup(ssh, c->self); 195 } 196 197 /* Cleanup callback fired on closure of mux client _control_ channel */ 198 /* ARGSUSED */ 199 static void 200 mux_master_control_cleanup_cb(struct ssh *ssh, int cid, void *unused) 201 { 202 Channel *sc, *c = channel_by_id(ssh, cid); 203 204 debug3_f("entering for channel %d", cid); 205 if (c == NULL) 206 fatal_f("channel_by_id(%i) == NULL", cid); 207 if (c->have_remote_id) { 208 if ((sc = channel_by_id(ssh, c->remote_id)) == NULL) 209 fatal_f("channel %d missing session channel %u", 210 c->self, c->remote_id); 211 c->remote_id = 0; 212 c->have_remote_id = 0; 213 sc->ctl_chan = -1; 214 if (sc->type != SSH_CHANNEL_OPEN && 215 sc->type != SSH_CHANNEL_OPENING) { 216 debug2_f("channel %d: not open", sc->self); 217 chan_mark_dead(ssh, sc); 218 } else { 219 if (sc->istate == CHAN_INPUT_OPEN) 220 chan_read_failed(ssh, sc); 221 if (sc->ostate == CHAN_OUTPUT_OPEN) 222 chan_write_failed(ssh, sc); 223 } 224 } 225 channel_cancel_cleanup(ssh, c->self); 226 } 227 228 /* Check mux client environment variables before passing them to mux master. */ 229 static int 230 env_permitted(char *env) 231 { 232 int i, ret; 233 char name[1024], *cp; 234 235 if ((cp = strchr(env, '=')) == NULL || cp == env) 236 return 0; 237 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env); 238 if (ret <= 0 || (size_t)ret >= sizeof(name)) { 239 error_f("name '%.100s...' too long", env); 240 return 0; 241 } 242 243 for (i = 0; i < options.num_send_env; i++) 244 if (match_pattern(name, options.send_env[i])) 245 return 1; 246 247 return 0; 248 } 249 250 /* Mux master protocol message handlers */ 251 252 static int 253 mux_master_process_hello(struct ssh *ssh, u_int rid, 254 Channel *c, struct sshbuf *m, struct sshbuf *reply) 255 { 256 u_int ver; 257 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 258 int r; 259 260 if (state == NULL) 261 fatal_f("channel %d: c->mux_ctx == NULL", c->self); 262 if (state->hello_rcvd) { 263 error_f("HELLO received twice"); 264 return -1; 265 } 266 if ((r = sshbuf_get_u32(m, &ver)) != 0) { 267 error_fr(r, "parse"); 268 return -1; 269 } 270 if (ver != SSHMUX_VER) { 271 error_f("unsupported multiplexing protocol version %u " 272 "(expected %u)", ver, SSHMUX_VER); 273 return -1; 274 } 275 debug2_f("channel %d client version %u", c->self, ver); 276 277 /* No extensions are presently defined */ 278 while (sshbuf_len(m) > 0) { 279 char *name = NULL; 280 size_t value_len = 0; 281 282 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 283 (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) { 284 error_fr(r, "parse extension"); 285 return -1; 286 } 287 debug2_f("Unrecognised extension \"%s\" length %zu", 288 name, value_len); 289 free(name); 290 } 291 state->hello_rcvd = 1; 292 return 0; 293 } 294 295 /* Enqueue a "ok" response to the reply buffer */ 296 static void 297 reply_ok(struct sshbuf *reply, u_int rid) 298 { 299 int r; 300 301 if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 || 302 (r = sshbuf_put_u32(reply, rid)) != 0) 303 fatal_fr(r, "reply"); 304 } 305 306 /* Enqueue an error response to the reply buffer */ 307 static void 308 reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg) 309 { 310 int r; 311 312 if ((r = sshbuf_put_u32(reply, type)) != 0 || 313 (r = sshbuf_put_u32(reply, rid)) != 0 || 314 (r = sshbuf_put_cstring(reply, msg)) != 0) 315 fatal_fr(r, "reply"); 316 } 317 318 static int 319 mux_master_process_new_session(struct ssh *ssh, u_int rid, 320 Channel *c, struct sshbuf *m, struct sshbuf *reply) 321 { 322 Channel *nc; 323 struct mux_session_confirm_ctx *cctx; 324 char *cmd, *cp; 325 u_int i, j, env_len, escape_char, window, packetmax; 326 int r, new_fd[3]; 327 328 /* Reply for SSHMUX_COMMAND_OPEN */ 329 cctx = xcalloc(1, sizeof(*cctx)); 330 cctx->term = NULL; 331 cctx->rid = rid; 332 cmd = NULL; 333 cctx->env = NULL; 334 env_len = 0; 335 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 336 (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 || 337 (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 || 338 (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 || 339 (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 || 340 (r = sshbuf_get_u32(m, &escape_char)) != 0 || 341 (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 || 342 (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) { 343 malf: 344 free(cmd); 345 for (j = 0; j < env_len; j++) 346 free(cctx->env[j]); 347 free(cctx->env); 348 free(cctx->term); 349 free(cctx); 350 error_f("malformed message"); 351 return -1; 352 } 353 354 #define MUX_MAX_ENV_VARS 4096 355 while (sshbuf_len(m) > 0) { 356 if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0) 357 goto malf; 358 if (!env_permitted(cp)) { 359 free(cp); 360 continue; 361 } 362 cctx->env = xreallocarray(cctx->env, env_len + 2, 363 sizeof(*cctx->env)); 364 cctx->env[env_len++] = cp; 365 cctx->env[env_len] = NULL; 366 if (env_len > MUX_MAX_ENV_VARS) { 367 error_f(">%d environment variables received, " 368 "ignoring additional", MUX_MAX_ENV_VARS); 369 break; 370 } 371 } 372 373 debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, " 374 "term \"%s\", cmd \"%s\", env %u", c->self, 375 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd, 376 cctx->want_subsys, cctx->term, cmd, env_len); 377 378 if ((cctx->cmd = sshbuf_new()) == NULL) 379 fatal_f("sshbuf_new"); 380 if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0) 381 fatal_fr(r, "sshbuf_put"); 382 free(cmd); 383 cmd = NULL; 384 385 /* Gather fds from client */ 386 for(i = 0; i < 3; i++) { 387 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 388 error_f("failed to receive fd %d from client", i); 389 for (j = 0; j < i; j++) 390 close(new_fd[j]); 391 for (j = 0; j < env_len; j++) 392 free(cctx->env[j]); 393 free(cctx->env); 394 free(cctx->term); 395 sshbuf_free(cctx->cmd); 396 free(cctx); 397 reply_error(reply, MUX_S_FAILURE, rid, 398 "did not receive file descriptors"); 399 return -1; 400 } 401 } 402 403 debug3_f("got fds stdin %d, stdout %d, stderr %d", 404 new_fd[0], new_fd[1], new_fd[2]); 405 406 /* XXX support multiple child sessions in future */ 407 if (c->have_remote_id) { 408 debug2_f("session already open"); 409 reply_error(reply, MUX_S_FAILURE, rid, 410 "Multiple sessions not supported"); 411 cleanup: 412 close(new_fd[0]); 413 close(new_fd[1]); 414 close(new_fd[2]); 415 free(cctx->term); 416 if (env_len != 0) { 417 for (i = 0; i < env_len; i++) 418 free(cctx->env[i]); 419 free(cctx->env); 420 } 421 sshbuf_free(cctx->cmd); 422 free(cctx); 423 return 0; 424 } 425 426 if (options.control_master == SSHCTL_MASTER_ASK || 427 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 428 if (!ask_permission("Allow shared connection to %s? ", host)) { 429 debug2_f("session refused by user"); 430 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 431 "Permission denied"); 432 goto cleanup; 433 } 434 } 435 436 /* Try to pick up ttymodes from client before it goes raw */ 437 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 438 error_f("tcgetattr: %s", strerror(errno)); 439 440 window = CHAN_SES_WINDOW_DEFAULT; 441 packetmax = CHAN_SES_PACKET_DEFAULT; 442 if (cctx->want_tty) { 443 window >>= 1; 444 packetmax >>= 1; 445 } 446 447 nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, 448 new_fd[0], new_fd[1], new_fd[2], window, packetmax, 449 CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); 450 451 nc->ctl_chan = c->self; /* link session -> control channel */ 452 c->remote_id = nc->self; /* link control -> session channel */ 453 c->have_remote_id = 1; 454 455 if (cctx->want_tty && escape_char != 0xffffffff) { 456 channel_register_filter(ssh, nc->self, 457 client_simple_escape_filter, NULL, 458 client_filter_cleanup, 459 client_new_escape_filter_ctx((int)escape_char)); 460 } 461 462 debug2_f("channel_new: %d linked to control channel %d", 463 nc->self, nc->ctl_chan); 464 465 channel_send_open(ssh, nc->self); 466 channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx); 467 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 468 channel_register_cleanup(ssh, nc->self, 469 mux_master_session_cleanup_cb, 1); 470 471 /* reply is deferred, sent by mux_session_confirm */ 472 return 0; 473 } 474 475 static int 476 mux_master_process_alive_check(struct ssh *ssh, u_int rid, 477 Channel *c, struct sshbuf *m, struct sshbuf *reply) 478 { 479 int r; 480 481 debug2_f("channel %d: alive check", c->self); 482 483 /* prepare reply */ 484 if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 || 485 (r = sshbuf_put_u32(reply, rid)) != 0 || 486 (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0) 487 fatal_fr(r, "reply"); 488 489 return 0; 490 } 491 492 static int 493 mux_master_process_terminate(struct ssh *ssh, u_int rid, 494 Channel *c, struct sshbuf *m, struct sshbuf *reply) 495 { 496 debug2_f("channel %d: terminate request", c->self); 497 498 if (options.control_master == SSHCTL_MASTER_ASK || 499 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 500 if (!ask_permission("Terminate shared connection to %s? ", 501 host)) { 502 debug2_f("termination refused by user"); 503 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 504 "Permission denied"); 505 return 0; 506 } 507 } 508 509 quit_pending = 1; 510 reply_ok(reply, rid); 511 /* XXX exit happens too soon - message never makes it to client */ 512 return 0; 513 } 514 515 static char * 516 format_forward(u_int ftype, struct Forward *fwd) 517 { 518 char *ret; 519 520 switch (ftype) { 521 case MUX_FWD_LOCAL: 522 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d", 523 (fwd->listen_path != NULL) ? fwd->listen_path : 524 (fwd->listen_host == NULL) ? 525 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 526 fwd->listen_host, fwd->listen_port, 527 (fwd->connect_path != NULL) ? fwd->connect_path : 528 fwd->connect_host, fwd->connect_port); 529 break; 530 case MUX_FWD_DYNAMIC: 531 xasprintf(&ret, "dynamic forward %.200s:%d -> *", 532 (fwd->listen_host == NULL) ? 533 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 534 fwd->listen_host, fwd->listen_port); 535 break; 536 case MUX_FWD_REMOTE: 537 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d", 538 (fwd->listen_path != NULL) ? fwd->listen_path : 539 (fwd->listen_host == NULL) ? 540 "LOCALHOST" : fwd->listen_host, 541 fwd->listen_port, 542 (fwd->connect_path != NULL) ? fwd->connect_path : 543 fwd->connect_host, fwd->connect_port); 544 break; 545 default: 546 fatal_f("unknown forward type %u", ftype); 547 } 548 return ret; 549 } 550 551 static int 552 compare_host(const char *a, const char *b) 553 { 554 if (a == NULL && b == NULL) 555 return 1; 556 if (a == NULL || b == NULL) 557 return 0; 558 return strcmp(a, b) == 0; 559 } 560 561 static int 562 compare_forward(struct Forward *a, struct Forward *b) 563 { 564 if (!compare_host(a->listen_host, b->listen_host)) 565 return 0; 566 if (!compare_host(a->listen_path, b->listen_path)) 567 return 0; 568 if (a->listen_port != b->listen_port) 569 return 0; 570 if (!compare_host(a->connect_host, b->connect_host)) 571 return 0; 572 if (!compare_host(a->connect_path, b->connect_path)) 573 return 0; 574 if (a->connect_port != b->connect_port) 575 return 0; 576 577 return 1; 578 } 579 580 static void 581 mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt) 582 { 583 struct mux_channel_confirm_ctx *fctx = ctxt; 584 char *failmsg = NULL; 585 struct Forward *rfwd; 586 Channel *c; 587 struct sshbuf *out; 588 u_int port; 589 int r; 590 591 if ((c = channel_by_id(ssh, fctx->cid)) == NULL) { 592 /* no channel for reply */ 593 error_f("unknown channel"); 594 return; 595 } 596 if ((out = sshbuf_new()) == NULL) 597 fatal_f("sshbuf_new"); 598 if (fctx->fid >= options.num_remote_forwards || 599 (options.remote_forwards[fctx->fid].connect_path == NULL && 600 options.remote_forwards[fctx->fid].connect_host == NULL)) { 601 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid); 602 goto fail; 603 } 604 rfwd = &options.remote_forwards[fctx->fid]; 605 debug_f("%s for: listen %d, connect %s:%d", 606 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 607 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path : 608 rfwd->connect_host, rfwd->connect_port); 609 if (type == SSH2_MSG_REQUEST_SUCCESS) { 610 if (rfwd->listen_port == 0) { 611 if ((r = sshpkt_get_u32(ssh, &port)) != 0) 612 fatal_fr(r, "parse port"); 613 if (port > 65535) { 614 fatal("Invalid allocated port %u for " 615 "mux remote forward to %s:%d", port, 616 rfwd->connect_host, rfwd->connect_port); 617 } 618 rfwd->allocated_port = (int)port; 619 debug("Allocated port %u for mux remote forward" 620 " to %s:%d", rfwd->allocated_port, 621 rfwd->connect_host, rfwd->connect_port); 622 if ((r = sshbuf_put_u32(out, 623 MUX_S_REMOTE_PORT)) != 0 || 624 (r = sshbuf_put_u32(out, fctx->rid)) != 0 || 625 (r = sshbuf_put_u32(out, 626 rfwd->allocated_port)) != 0) 627 fatal_fr(r, "reply"); 628 channel_update_permission(ssh, rfwd->handle, 629 rfwd->allocated_port); 630 } else { 631 reply_ok(out, fctx->rid); 632 } 633 goto out; 634 } else { 635 if (rfwd->listen_port == 0) 636 channel_update_permission(ssh, rfwd->handle, -1); 637 if (rfwd->listen_path != NULL) 638 xasprintf(&failmsg, "remote port forwarding failed for " 639 "listen path %s", rfwd->listen_path); 640 else 641 xasprintf(&failmsg, "remote port forwarding failed for " 642 "listen port %d", rfwd->listen_port); 643 644 debug2_f("clearing registered forwarding for listen %d, " 645 "connect %s:%d", rfwd->listen_port, 646 rfwd->connect_path ? rfwd->connect_path : 647 rfwd->connect_host, rfwd->connect_port); 648 649 free(rfwd->listen_host); 650 free(rfwd->listen_path); 651 free(rfwd->connect_host); 652 free(rfwd->connect_path); 653 memset(rfwd, 0, sizeof(*rfwd)); 654 } 655 fail: 656 error_f("%s", failmsg); 657 reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg); 658 free(failmsg); 659 out: 660 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 661 fatal_fr(r, "enqueue"); 662 sshbuf_free(out); 663 if (c->mux_pause <= 0) 664 fatal_f("mux_pause %d", c->mux_pause); 665 c->mux_pause = 0; /* start processing messages again */ 666 } 667 668 static int 669 mux_master_process_open_fwd(struct ssh *ssh, u_int rid, 670 Channel *c, struct sshbuf *m, struct sshbuf *reply) 671 { 672 struct Forward fwd; 673 char *fwd_desc = NULL; 674 char *listen_addr, *connect_addr; 675 u_int ftype; 676 u_int lport, cport; 677 int r, i, ret = 0, freefwd = 1; 678 679 memset(&fwd, 0, sizeof(fwd)); 680 681 /* XXX - lport/cport check redundant */ 682 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 683 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 684 (r = sshbuf_get_u32(m, &lport)) != 0 || 685 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 686 (r = sshbuf_get_u32(m, &cport)) != 0 || 687 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 688 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 689 error_f("malformed message"); 690 ret = -1; 691 goto out; 692 } 693 if (*listen_addr == '\0') { 694 free(listen_addr); 695 listen_addr = NULL; 696 } 697 if (*connect_addr == '\0') { 698 free(connect_addr); 699 connect_addr = NULL; 700 } 701 702 memset(&fwd, 0, sizeof(fwd)); 703 fwd.listen_port = lport; 704 if (fwd.listen_port == PORT_STREAMLOCAL) 705 fwd.listen_path = listen_addr; 706 else 707 fwd.listen_host = listen_addr; 708 fwd.connect_port = cport; 709 if (fwd.connect_port == PORT_STREAMLOCAL) 710 fwd.connect_path = connect_addr; 711 else 712 fwd.connect_host = connect_addr; 713 714 debug2_f("channel %d: request %s", c->self, 715 (fwd_desc = format_forward(ftype, &fwd))); 716 717 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE && 718 ftype != MUX_FWD_DYNAMIC) { 719 logit_f("invalid forwarding type %u", ftype); 720 invalid: 721 free(listen_addr); 722 free(connect_addr); 723 reply_error(reply, MUX_S_FAILURE, rid, 724 "Invalid forwarding request"); 725 return 0; 726 } 727 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) { 728 logit_f("streamlocal and dynamic forwards " 729 "are mutually exclusive"); 730 goto invalid; 731 } 732 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) { 733 logit_f("invalid listen port %u", fwd.listen_port); 734 goto invalid; 735 } 736 if ((fwd.connect_port != PORT_STREAMLOCAL && 737 fwd.connect_port >= 65536) || 738 (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && 739 fwd.connect_port == 0)) { 740 logit_f("invalid connect port %u", 741 fwd.connect_port); 742 goto invalid; 743 } 744 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && 745 fwd.connect_path == NULL) { 746 logit_f("missing connect host"); 747 goto invalid; 748 } 749 750 /* Skip forwards that have already been requested */ 751 switch (ftype) { 752 case MUX_FWD_LOCAL: 753 case MUX_FWD_DYNAMIC: 754 for (i = 0; i < options.num_local_forwards; i++) { 755 if (compare_forward(&fwd, 756 options.local_forwards + i)) { 757 exists: 758 debug2_f("found existing forwarding"); 759 reply_ok(reply, rid); 760 goto out; 761 } 762 } 763 break; 764 case MUX_FWD_REMOTE: 765 for (i = 0; i < options.num_remote_forwards; i++) { 766 if (!compare_forward(&fwd, options.remote_forwards + i)) 767 continue; 768 if (fwd.listen_port != 0) 769 goto exists; 770 debug2_f("found allocated port"); 771 if ((r = sshbuf_put_u32(reply, 772 MUX_S_REMOTE_PORT)) != 0 || 773 (r = sshbuf_put_u32(reply, rid)) != 0 || 774 (r = sshbuf_put_u32(reply, 775 options.remote_forwards[i].allocated_port)) != 0) 776 fatal_fr(r, "reply FWD_REMOTE"); 777 goto out; 778 } 779 break; 780 } 781 782 if (options.control_master == SSHCTL_MASTER_ASK || 783 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 784 if (!ask_permission("Open %s on %s?", fwd_desc, host)) { 785 debug2_f("forwarding refused by user"); 786 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 787 "Permission denied"); 788 goto out; 789 } 790 } 791 792 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 793 if (!channel_setup_local_fwd_listener(ssh, &fwd, 794 &options.fwd_opts)) { 795 fail: 796 logit_f("requested %s failed", fwd_desc); 797 reply_error(reply, MUX_S_FAILURE, rid, 798 "Port forwarding failed"); 799 goto out; 800 } 801 add_local_forward(&options, &fwd); 802 freefwd = 0; 803 } else { 804 struct mux_channel_confirm_ctx *fctx; 805 806 fwd.handle = channel_request_remote_forwarding(ssh, &fwd); 807 if (fwd.handle < 0) 808 goto fail; 809 add_remote_forward(&options, &fwd); 810 fctx = xcalloc(1, sizeof(*fctx)); 811 fctx->cid = c->self; 812 fctx->rid = rid; 813 fctx->fid = options.num_remote_forwards - 1; 814 client_register_global_confirm(mux_confirm_remote_forward, 815 fctx); 816 freefwd = 0; 817 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */ 818 /* delayed reply in mux_confirm_remote_forward */ 819 goto out; 820 } 821 reply_ok(reply, rid); 822 out: 823 free(fwd_desc); 824 if (freefwd) { 825 free(fwd.listen_host); 826 free(fwd.listen_path); 827 free(fwd.connect_host); 828 free(fwd.connect_path); 829 } 830 return ret; 831 } 832 833 static int 834 mux_master_process_close_fwd(struct ssh *ssh, u_int rid, 835 Channel *c, struct sshbuf *m, struct sshbuf *reply) 836 { 837 struct Forward fwd, *found_fwd; 838 char *fwd_desc = NULL; 839 const char *error_reason = NULL; 840 char *listen_addr = NULL, *connect_addr = NULL; 841 u_int ftype; 842 int r, i, ret = 0; 843 u_int lport, cport; 844 845 memset(&fwd, 0, sizeof(fwd)); 846 847 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 848 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 849 (r = sshbuf_get_u32(m, &lport)) != 0 || 850 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 851 (r = sshbuf_get_u32(m, &cport)) != 0 || 852 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 853 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 854 error_f("malformed message"); 855 ret = -1; 856 goto out; 857 } 858 859 if (*listen_addr == '\0') { 860 free(listen_addr); 861 listen_addr = NULL; 862 } 863 if (*connect_addr == '\0') { 864 free(connect_addr); 865 connect_addr = NULL; 866 } 867 868 memset(&fwd, 0, sizeof(fwd)); 869 fwd.listen_port = lport; 870 if (fwd.listen_port == PORT_STREAMLOCAL) 871 fwd.listen_path = listen_addr; 872 else 873 fwd.listen_host = listen_addr; 874 fwd.connect_port = cport; 875 if (fwd.connect_port == PORT_STREAMLOCAL) 876 fwd.connect_path = connect_addr; 877 else 878 fwd.connect_host = connect_addr; 879 880 debug2_f("channel %d: request cancel %s", c->self, 881 (fwd_desc = format_forward(ftype, &fwd))); 882 883 /* make sure this has been requested */ 884 found_fwd = NULL; 885 switch (ftype) { 886 case MUX_FWD_LOCAL: 887 case MUX_FWD_DYNAMIC: 888 for (i = 0; i < options.num_local_forwards; i++) { 889 if (compare_forward(&fwd, 890 options.local_forwards + i)) { 891 found_fwd = options.local_forwards + i; 892 break; 893 } 894 } 895 break; 896 case MUX_FWD_REMOTE: 897 for (i = 0; i < options.num_remote_forwards; i++) { 898 if (compare_forward(&fwd, 899 options.remote_forwards + i)) { 900 found_fwd = options.remote_forwards + i; 901 break; 902 } 903 } 904 break; 905 } 906 907 if (found_fwd == NULL) 908 error_reason = "port not forwarded"; 909 else if (ftype == MUX_FWD_REMOTE) { 910 /* 911 * This shouldn't fail unless we confused the host/port 912 * between options.remote_forwards and permitted_opens. 913 * However, for dynamic allocated listen ports we need 914 * to use the actual listen port. 915 */ 916 if (channel_request_rforward_cancel(ssh, found_fwd) == -1) 917 error_reason = "port not in permitted opens"; 918 } else { /* local and dynamic forwards */ 919 /* Ditto */ 920 if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port, 921 &options.fwd_opts) == -1) 922 error_reason = "port not found"; 923 } 924 925 if (error_reason != NULL) 926 reply_error(reply, MUX_S_FAILURE, rid, error_reason); 927 else { 928 reply_ok(reply, rid); 929 free(found_fwd->listen_host); 930 free(found_fwd->listen_path); 931 free(found_fwd->connect_host); 932 free(found_fwd->connect_path); 933 found_fwd->listen_host = found_fwd->connect_host = NULL; 934 found_fwd->listen_path = found_fwd->connect_path = NULL; 935 found_fwd->listen_port = found_fwd->connect_port = 0; 936 } 937 out: 938 free(fwd_desc); 939 free(listen_addr); 940 free(connect_addr); 941 942 return ret; 943 } 944 945 static int 946 mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid, 947 Channel *c, struct sshbuf *m, struct sshbuf *reply) 948 { 949 Channel *nc; 950 char *chost = NULL; 951 u_int cport, i, j; 952 int r, new_fd[2]; 953 struct mux_stdio_confirm_ctx *cctx; 954 955 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 956 (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 || 957 (r = sshbuf_get_u32(m, &cport)) != 0) { 958 free(chost); 959 error_f("malformed message"); 960 return -1; 961 } 962 963 debug2_f("channel %d: stdio fwd to %s:%u", c->self, chost, cport); 964 965 /* Gather fds from client */ 966 for(i = 0; i < 2; i++) { 967 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 968 error_f("failed to receive fd %d from client", i); 969 for (j = 0; j < i; j++) 970 close(new_fd[j]); 971 free(chost); 972 973 /* prepare reply */ 974 reply_error(reply, MUX_S_FAILURE, rid, 975 "did not receive file descriptors"); 976 return -1; 977 } 978 } 979 980 debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]); 981 982 /* XXX support multiple child sessions in future */ 983 if (c->have_remote_id) { 984 debug2_f("session already open"); 985 reply_error(reply, MUX_S_FAILURE, rid, 986 "Multiple sessions not supported"); 987 cleanup: 988 close(new_fd[0]); 989 close(new_fd[1]); 990 free(chost); 991 return 0; 992 } 993 994 if (options.control_master == SSHCTL_MASTER_ASK || 995 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 996 if (!ask_permission("Allow forward to %s:%u? ", 997 chost, cport)) { 998 debug2_f("stdio fwd refused by user"); 999 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1000 "Permission denied"); 1001 goto cleanup; 1002 } 1003 } 1004 1005 nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1], 1006 CHANNEL_NONBLOCK_STDIO); 1007 free(chost); 1008 1009 nc->ctl_chan = c->self; /* link session -> control channel */ 1010 c->remote_id = nc->self; /* link control -> session channel */ 1011 c->have_remote_id = 1; 1012 1013 debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan); 1014 1015 channel_register_cleanup(ssh, nc->self, 1016 mux_master_session_cleanup_cb, 1); 1017 1018 cctx = xcalloc(1, sizeof(*cctx)); 1019 cctx->rid = rid; 1020 channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx); 1021 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 1022 1023 /* reply is deferred, sent by mux_session_confirm */ 1024 return 0; 1025 } 1026 1027 /* Callback on open confirmation in mux master for a mux stdio fwd session. */ 1028 static void 1029 mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg) 1030 { 1031 struct mux_stdio_confirm_ctx *cctx = arg; 1032 Channel *c, *cc; 1033 struct sshbuf *reply; 1034 int r; 1035 1036 if (cctx == NULL) 1037 fatal_f("cctx == NULL"); 1038 if ((c = channel_by_id(ssh, id)) == NULL) 1039 fatal_f("no channel for id %d", id); 1040 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1041 fatal_f("channel %d lacks control channel %d", 1042 id, c->ctl_chan); 1043 if ((reply = sshbuf_new()) == NULL) 1044 fatal_f("sshbuf_new"); 1045 1046 if (!success) { 1047 debug3_f("sending failure reply"); 1048 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1049 "Session open refused by peer"); 1050 /* prepare reply */ 1051 goto done; 1052 } 1053 1054 debug3_f("sending success reply"); 1055 /* prepare reply */ 1056 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1057 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1058 (r = sshbuf_put_u32(reply, c->self)) != 0) 1059 fatal_fr(r, "reply"); 1060 1061 done: 1062 /* Send reply */ 1063 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1064 fatal_fr(r, "enqueue"); 1065 sshbuf_free(reply); 1066 1067 if (cc->mux_pause <= 0) 1068 fatal_f("mux_pause %d", cc->mux_pause); 1069 cc->mux_pause = 0; /* start processing messages again */ 1070 c->open_confirm_ctx = NULL; 1071 free(cctx); 1072 } 1073 1074 static int 1075 mux_master_process_stop_listening(struct ssh *ssh, u_int rid, 1076 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1077 { 1078 debug_f("channel %d: stop listening", c->self); 1079 1080 if (options.control_master == SSHCTL_MASTER_ASK || 1081 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1082 if (!ask_permission("Disable further multiplexing on shared " 1083 "connection to %s? ", host)) { 1084 debug2_f("stop listen refused by user"); 1085 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1086 "Permission denied"); 1087 return 0; 1088 } 1089 } 1090 1091 if (mux_listener_channel != NULL) { 1092 channel_free(ssh, mux_listener_channel); 1093 client_stop_mux(); 1094 free(options.control_path); 1095 options.control_path = NULL; 1096 mux_listener_channel = NULL; 1097 muxserver_sock = -1; 1098 } 1099 1100 reply_ok(reply, rid); 1101 return 0; 1102 } 1103 1104 static int 1105 mux_master_process_proxy(struct ssh *ssh, u_int rid, 1106 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1107 { 1108 int r; 1109 1110 debug_f("channel %d: proxy request", c->self); 1111 1112 c->mux_rcb = channel_proxy_downstream; 1113 if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 || 1114 (r = sshbuf_put_u32(reply, rid)) != 0) 1115 fatal_fr(r, "reply"); 1116 1117 return 0; 1118 } 1119 1120 /* Channel callbacks fired on read/write from mux client fd */ 1121 static int 1122 mux_master_read_cb(struct ssh *ssh, Channel *c) 1123 { 1124 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 1125 struct sshbuf *in = NULL, *out = NULL; 1126 u_int type, rid, i; 1127 int r, ret = -1; 1128 1129 if ((out = sshbuf_new()) == NULL) 1130 fatal_f("sshbuf_new"); 1131 1132 /* Setup ctx and */ 1133 if (c->mux_ctx == NULL) { 1134 state = xcalloc(1, sizeof(*state)); 1135 c->mux_ctx = state; 1136 channel_register_cleanup(ssh, c->self, 1137 mux_master_control_cleanup_cb, 0); 1138 1139 /* Send hello */ 1140 if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 || 1141 (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0) 1142 fatal_fr(r, "reply"); 1143 /* no extensions */ 1144 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 1145 fatal_fr(r, "enqueue"); 1146 debug3_f("channel %d: hello sent", c->self); 1147 ret = 0; 1148 goto out; 1149 } 1150 1151 /* Channel code ensures that we receive whole packets */ 1152 if ((r = sshbuf_froms(c->input, &in)) != 0) { 1153 malf: 1154 error_f("malformed message"); 1155 goto out; 1156 } 1157 1158 if ((r = sshbuf_get_u32(in, &type)) != 0) 1159 goto malf; 1160 debug3_f("channel %d packet type 0x%08x len %zu", c->self, 1161 type, sshbuf_len(in)); 1162 1163 if (type == MUX_MSG_HELLO) 1164 rid = 0; 1165 else { 1166 if (!state->hello_rcvd) { 1167 error_f("expected MUX_MSG_HELLO(0x%08x), " 1168 "received 0x%08x", MUX_MSG_HELLO, type); 1169 goto out; 1170 } 1171 if ((r = sshbuf_get_u32(in, &rid)) != 0) 1172 goto malf; 1173 } 1174 1175 for (i = 0; mux_master_handlers[i].handler != NULL; i++) { 1176 if (type == mux_master_handlers[i].type) { 1177 ret = mux_master_handlers[i].handler(ssh, rid, 1178 c, in, out); 1179 break; 1180 } 1181 } 1182 if (mux_master_handlers[i].handler == NULL) { 1183 error_f("unsupported mux message 0x%08x", type); 1184 reply_error(out, MUX_S_FAILURE, rid, "unsupported request"); 1185 ret = 0; 1186 } 1187 /* Enqueue reply packet */ 1188 if (sshbuf_len(out) != 0 && 1189 (r = sshbuf_put_stringb(c->output, out)) != 0) 1190 fatal_fr(r, "enqueue"); 1191 out: 1192 sshbuf_free(in); 1193 sshbuf_free(out); 1194 return ret; 1195 } 1196 1197 void 1198 mux_exit_message(struct ssh *ssh, Channel *c, int exitval) 1199 { 1200 struct sshbuf *m; 1201 Channel *mux_chan; 1202 int r; 1203 1204 debug3_f("channel %d: exit message, exitval %d", c->self, exitval); 1205 1206 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1207 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1208 1209 /* Append exit message packet to control socket output queue */ 1210 if ((m = sshbuf_new()) == NULL) 1211 fatal_f("sshbuf_new"); 1212 if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 || 1213 (r = sshbuf_put_u32(m, c->self)) != 0 || 1214 (r = sshbuf_put_u32(m, exitval)) != 0 || 1215 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1216 fatal_fr(r, "reply"); 1217 sshbuf_free(m); 1218 } 1219 1220 void 1221 mux_tty_alloc_failed(struct ssh *ssh, Channel *c) 1222 { 1223 struct sshbuf *m; 1224 Channel *mux_chan; 1225 int r; 1226 1227 debug3_f("channel %d: TTY alloc failed", c->self); 1228 1229 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1230 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1231 1232 /* Append exit message packet to control socket output queue */ 1233 if ((m = sshbuf_new()) == NULL) 1234 fatal_f("sshbuf_new"); 1235 if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 || 1236 (r = sshbuf_put_u32(m, c->self)) != 0 || 1237 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1238 fatal_fr(r, "reply"); 1239 sshbuf_free(m); 1240 } 1241 1242 /* Prepare a mux master to listen on a Unix domain socket. */ 1243 void 1244 muxserver_listen(struct ssh *ssh) 1245 { 1246 mode_t old_umask; 1247 char *orig_control_path = options.control_path; 1248 char rbuf[16+1]; 1249 u_int i, r; 1250 int oerrno; 1251 1252 if (options.control_path == NULL || 1253 options.control_master == SSHCTL_MASTER_NO) 1254 return; 1255 1256 debug("setting up multiplex master socket"); 1257 1258 /* 1259 * Use a temporary path before listen so we can pseudo-atomically 1260 * establish the listening socket in its final location to avoid 1261 * other processes racing in between bind() and listen() and hitting 1262 * an unready socket. 1263 */ 1264 for (i = 0; i < sizeof(rbuf) - 1; i++) { 1265 r = arc4random_uniform(26+26+10); 1266 rbuf[i] = (r < 26) ? 'a' + r : 1267 (r < 26*2) ? 'A' + r - 26 : 1268 '0' + r - 26 - 26; 1269 } 1270 rbuf[sizeof(rbuf) - 1] = '\0'; 1271 options.control_path = NULL; 1272 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf); 1273 debug3_f("temporary control path %s", options.control_path); 1274 1275 old_umask = umask(0177); 1276 muxserver_sock = unix_listener(options.control_path, 64, 0); 1277 oerrno = errno; 1278 umask(old_umask); 1279 if (muxserver_sock < 0) { 1280 if (oerrno == EINVAL || oerrno == EADDRINUSE) { 1281 error("ControlSocket %s already exists, " 1282 "disabling multiplexing", options.control_path); 1283 disable_mux_master: 1284 if (muxserver_sock != -1) { 1285 close(muxserver_sock); 1286 muxserver_sock = -1; 1287 } 1288 free(orig_control_path); 1289 free(options.control_path); 1290 options.control_path = NULL; 1291 options.control_master = SSHCTL_MASTER_NO; 1292 return; 1293 } else { 1294 /* unix_listener() logs the error */ 1295 cleanup_exit(255); 1296 } 1297 } 1298 1299 /* Now atomically "move" the mux socket into position */ 1300 if (link(options.control_path, orig_control_path) != 0) { 1301 if (errno != EEXIST) { 1302 fatal_f("link mux listener %s => %s: %s", 1303 options.control_path, orig_control_path, 1304 strerror(errno)); 1305 } 1306 error("ControlSocket %s already exists, disabling multiplexing", 1307 orig_control_path); 1308 unlink(options.control_path); 1309 goto disable_mux_master; 1310 } 1311 unlink(options.control_path); 1312 free(options.control_path); 1313 options.control_path = orig_control_path; 1314 1315 set_nonblock(muxserver_sock); 1316 1317 mux_listener_channel = channel_new(ssh, "mux listener", 1318 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1, 1319 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1320 0, options.control_path, 1); 1321 mux_listener_channel->mux_rcb = mux_master_read_cb; 1322 debug3_f("mux listener channel %d fd %d", 1323 mux_listener_channel->self, mux_listener_channel->sock); 1324 } 1325 1326 /* Callback on open confirmation in mux master for a mux client session. */ 1327 static void 1328 mux_session_confirm(struct ssh *ssh, int id, int success, void *arg) 1329 { 1330 struct mux_session_confirm_ctx *cctx = arg; 1331 const char *display; 1332 Channel *c, *cc; 1333 int i, r; 1334 struct sshbuf *reply; 1335 1336 if (cctx == NULL) 1337 fatal_f("cctx == NULL"); 1338 if ((c = channel_by_id(ssh, id)) == NULL) 1339 fatal_f("no channel for id %d", id); 1340 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1341 fatal_f("channel %d lacks control channel %d", 1342 id, c->ctl_chan); 1343 if ((reply = sshbuf_new()) == NULL) 1344 fatal_f("sshbuf_new"); 1345 1346 if (!success) { 1347 debug3_f("sending failure reply"); 1348 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1349 "Session open refused by peer"); 1350 goto done; 1351 } 1352 1353 display = getenv("DISPLAY"); 1354 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 1355 char *proto, *data; 1356 1357 /* Get reasonable local authentication information. */ 1358 if (client_x11_get_proto(ssh, display, options.xauth_location, 1359 options.forward_x11_trusted, options.forward_x11_timeout, 1360 &proto, &data) == 0) { 1361 /* Request forwarding with authentication spoofing. */ 1362 debug("Requesting X11 forwarding with authentication " 1363 "spoofing."); 1364 x11_request_forwarding_with_spoofing(ssh, id, 1365 display, proto, data, 1); 1366 /* XXX exit_on_forward_failure */ 1367 client_expect_confirm(ssh, id, "X11 forwarding", 1368 CONFIRM_WARN); 1369 } 1370 } 1371 1372 if (cctx->want_agent_fwd && options.forward_agent) { 1373 debug("Requesting authentication agent forwarding."); 1374 channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0); 1375 if ((r = sshpkt_send(ssh)) != 0) 1376 fatal_fr(r, "send"); 1377 } 1378 1379 client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys, 1380 cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env); 1381 1382 debug3_f("sending success reply"); 1383 /* prepare reply */ 1384 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1385 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1386 (r = sshbuf_put_u32(reply, c->self)) != 0) 1387 fatal_fr(r, "reply"); 1388 1389 done: 1390 /* Send reply */ 1391 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1392 fatal_fr(r, "enqueue"); 1393 sshbuf_free(reply); 1394 1395 if (cc->mux_pause <= 0) 1396 fatal_f("mux_pause %d", cc->mux_pause); 1397 cc->mux_pause = 0; /* start processing messages again */ 1398 c->open_confirm_ctx = NULL; 1399 sshbuf_free(cctx->cmd); 1400 free(cctx->term); 1401 if (cctx->env != NULL) { 1402 for (i = 0; cctx->env[i] != NULL; i++) 1403 free(cctx->env[i]); 1404 free(cctx->env); 1405 } 1406 free(cctx); 1407 } 1408 1409 /* ** Multiplexing client support */ 1410 1411 /* Exit signal handler */ 1412 static void 1413 control_client_sighandler(int signo) 1414 { 1415 muxclient_terminate = signo; 1416 } 1417 1418 /* 1419 * Relay signal handler - used to pass some signals from mux client to 1420 * mux master. 1421 */ 1422 static void 1423 control_client_sigrelay(int signo) 1424 { 1425 int save_errno = errno; 1426 1427 if (muxserver_pid > 1) 1428 kill(muxserver_pid, signo); 1429 1430 errno = save_errno; 1431 } 1432 1433 static int 1434 mux_client_read(int fd, struct sshbuf *b, size_t need) 1435 { 1436 size_t have; 1437 ssize_t len; 1438 u_char *p; 1439 struct pollfd pfd; 1440 int r; 1441 1442 pfd.fd = fd; 1443 pfd.events = POLLIN; 1444 if ((r = sshbuf_reserve(b, need, &p)) != 0) 1445 fatal_fr(r, "reserve"); 1446 for (have = 0; have < need; ) { 1447 if (muxclient_terminate) { 1448 errno = EINTR; 1449 return -1; 1450 } 1451 len = read(fd, p + have, need - have); 1452 if (len == -1) { 1453 switch (errno) { 1454 case EAGAIN: 1455 (void)poll(&pfd, 1, -1); 1456 /* FALLTHROUGH */ 1457 case EINTR: 1458 continue; 1459 default: 1460 return -1; 1461 } 1462 } 1463 if (len == 0) { 1464 errno = EPIPE; 1465 return -1; 1466 } 1467 have += (size_t)len; 1468 } 1469 return 0; 1470 } 1471 1472 static int 1473 mux_client_write_packet(int fd, struct sshbuf *m) 1474 { 1475 struct sshbuf *queue; 1476 u_int have, need; 1477 int r, oerrno, len; 1478 const u_char *ptr; 1479 struct pollfd pfd; 1480 1481 pfd.fd = fd; 1482 pfd.events = POLLOUT; 1483 if ((queue = sshbuf_new()) == NULL) 1484 fatal_f("sshbuf_new"); 1485 if ((r = sshbuf_put_stringb(queue, m)) != 0) 1486 fatal_fr(r, "enqueue"); 1487 1488 need = sshbuf_len(queue); 1489 ptr = sshbuf_ptr(queue); 1490 1491 for (have = 0; have < need; ) { 1492 if (muxclient_terminate) { 1493 sshbuf_free(queue); 1494 errno = EINTR; 1495 return -1; 1496 } 1497 len = write(fd, ptr + have, need - have); 1498 if (len == -1) { 1499 switch (errno) { 1500 case EAGAIN: 1501 (void)poll(&pfd, 1, -1); 1502 /* FALLTHROUGH */ 1503 case EINTR: 1504 continue; 1505 default: 1506 oerrno = errno; 1507 sshbuf_free(queue); 1508 errno = oerrno; 1509 return -1; 1510 } 1511 } 1512 if (len == 0) { 1513 sshbuf_free(queue); 1514 errno = EPIPE; 1515 return -1; 1516 } 1517 have += (u_int)len; 1518 } 1519 sshbuf_free(queue); 1520 return 0; 1521 } 1522 1523 static int 1524 mux_client_read_packet(int fd, struct sshbuf *m) 1525 { 1526 struct sshbuf *queue; 1527 size_t need, have; 1528 const u_char *ptr; 1529 int r, oerrno; 1530 1531 if ((queue = sshbuf_new()) == NULL) 1532 fatal_f("sshbuf_new"); 1533 if (mux_client_read(fd, queue, 4) != 0) { 1534 if ((oerrno = errno) == EPIPE) 1535 debug3_f("read header failed: %s", 1536 strerror(errno)); 1537 sshbuf_free(queue); 1538 errno = oerrno; 1539 return -1; 1540 } 1541 need = PEEK_U32(sshbuf_ptr(queue)); 1542 if (mux_client_read(fd, queue, need) != 0) { 1543 oerrno = errno; 1544 debug3_f("read body failed: %s", strerror(errno)); 1545 sshbuf_free(queue); 1546 errno = oerrno; 1547 return -1; 1548 } 1549 if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 || 1550 (r = sshbuf_put(m, ptr, have)) != 0) 1551 fatal_fr(r, "dequeue"); 1552 sshbuf_free(queue); 1553 return 0; 1554 } 1555 1556 static int 1557 mux_client_hello_exchange(int fd) 1558 { 1559 struct sshbuf *m; 1560 u_int type, ver; 1561 int r, ret = -1; 1562 1563 if ((m = sshbuf_new()) == NULL) 1564 fatal_f("sshbuf_new"); 1565 if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 || 1566 (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0) 1567 fatal_fr(r, "assemble hello"); 1568 /* no extensions */ 1569 1570 if (mux_client_write_packet(fd, m) != 0) { 1571 debug_f("write packet: %s", strerror(errno)); 1572 goto out; 1573 } 1574 1575 sshbuf_reset(m); 1576 1577 /* Read their HELLO */ 1578 if (mux_client_read_packet(fd, m) != 0) { 1579 debug_f("read packet failed"); 1580 goto out; 1581 } 1582 1583 if ((r = sshbuf_get_u32(m, &type)) != 0) 1584 fatal_fr(r, "parse type"); 1585 if (type != MUX_MSG_HELLO) { 1586 error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type); 1587 goto out; 1588 } 1589 if ((r = sshbuf_get_u32(m, &ver)) != 0) 1590 fatal_fr(r, "parse version"); 1591 if (ver != SSHMUX_VER) { 1592 error("Unsupported multiplexing protocol version %d " 1593 "(expected %d)", ver, SSHMUX_VER); 1594 goto out; 1595 } 1596 debug2_f("master version %u", ver); 1597 /* No extensions are presently defined */ 1598 while (sshbuf_len(m) > 0) { 1599 char *name = NULL; 1600 1601 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 1602 (r = sshbuf_skip_string(m)) != 0) { /* value */ 1603 error_fr(r, "parse extension"); 1604 goto out; 1605 } 1606 debug2("Unrecognised master extension \"%s\"", name); 1607 free(name); 1608 } 1609 /* success */ 1610 ret = 0; 1611 out: 1612 sshbuf_free(m); 1613 return ret; 1614 } 1615 1616 static u_int 1617 mux_client_request_alive(int fd) 1618 { 1619 struct sshbuf *m; 1620 char *e; 1621 u_int pid, type, rid; 1622 int r; 1623 1624 debug3_f("entering"); 1625 1626 if ((m = sshbuf_new()) == NULL) 1627 fatal_f("sshbuf_new"); 1628 if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 || 1629 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1630 fatal_fr(r, "assemble"); 1631 1632 if (mux_client_write_packet(fd, m) != 0) 1633 fatal_f("write packet: %s", strerror(errno)); 1634 1635 sshbuf_reset(m); 1636 1637 /* Read their reply */ 1638 if (mux_client_read_packet(fd, m) != 0) { 1639 sshbuf_free(m); 1640 return 0; 1641 } 1642 1643 if ((r = sshbuf_get_u32(m, &type)) != 0) 1644 fatal_fr(r, "parse type"); 1645 if (type != MUX_S_ALIVE) { 1646 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1647 fatal_fr(r, "parse error message"); 1648 fatal_f("master returned error: %s", e); 1649 } 1650 1651 if ((r = sshbuf_get_u32(m, &rid)) != 0) 1652 fatal_fr(r, "parse remote ID"); 1653 if (rid != muxclient_request_id) 1654 fatal_f("out of sequence reply: my id %u theirs %u", 1655 muxclient_request_id, rid); 1656 if ((r = sshbuf_get_u32(m, &pid)) != 0) 1657 fatal_fr(r, "parse PID"); 1658 sshbuf_free(m); 1659 1660 debug3_f("done pid = %u", pid); 1661 1662 muxclient_request_id++; 1663 1664 return pid; 1665 } 1666 1667 static void 1668 mux_client_request_terminate(int fd) 1669 { 1670 struct sshbuf *m; 1671 char *e; 1672 u_int type, rid; 1673 int r; 1674 1675 debug3_f("entering"); 1676 1677 if ((m = sshbuf_new()) == NULL) 1678 fatal_f("sshbuf_new"); 1679 if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 || 1680 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1681 fatal_fr(r, "request"); 1682 1683 if (mux_client_write_packet(fd, m) != 0) 1684 fatal_f("write packet: %s", strerror(errno)); 1685 1686 sshbuf_reset(m); 1687 1688 /* Read their reply */ 1689 if (mux_client_read_packet(fd, m) != 0) { 1690 /* Remote end exited already */ 1691 if (errno == EPIPE) { 1692 sshbuf_free(m); 1693 return; 1694 } 1695 fatal_f("read from master failed: %s", strerror(errno)); 1696 } 1697 1698 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1699 (r = sshbuf_get_u32(m, &rid)) != 0) 1700 fatal_fr(r, "parse"); 1701 if (rid != muxclient_request_id) 1702 fatal_f("out of sequence reply: my id %u theirs %u", 1703 muxclient_request_id, rid); 1704 switch (type) { 1705 case MUX_S_OK: 1706 break; 1707 case MUX_S_PERMISSION_DENIED: 1708 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1709 fatal_fr(r, "parse error message"); 1710 fatal("Master refused termination request: %s", e); 1711 case MUX_S_FAILURE: 1712 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1713 fatal_fr(r, "parse error message"); 1714 fatal_f("termination request failed: %s", e); 1715 default: 1716 fatal_f("unexpected response from master 0x%08x", type); 1717 } 1718 sshbuf_free(m); 1719 muxclient_request_id++; 1720 } 1721 1722 static int 1723 mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) 1724 { 1725 struct sshbuf *m; 1726 char *e, *fwd_desc; 1727 const char *lhost, *chost; 1728 u_int type, rid; 1729 int r; 1730 1731 fwd_desc = format_forward(ftype, fwd); 1732 debug("Requesting %s %s", 1733 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1734 free(fwd_desc); 1735 1736 type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD; 1737 if (fwd->listen_path != NULL) 1738 lhost = fwd->listen_path; 1739 else if (fwd->listen_host == NULL) 1740 lhost = ""; 1741 else if (*fwd->listen_host == '\0') 1742 lhost = "*"; 1743 else 1744 lhost = fwd->listen_host; 1745 1746 if (fwd->connect_path != NULL) 1747 chost = fwd->connect_path; 1748 else if (fwd->connect_host == NULL) 1749 chost = ""; 1750 else 1751 chost = fwd->connect_host; 1752 1753 if ((m = sshbuf_new()) == NULL) 1754 fatal_f("sshbuf_new"); 1755 if ((r = sshbuf_put_u32(m, type)) != 0 || 1756 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1757 (r = sshbuf_put_u32(m, ftype)) != 0 || 1758 (r = sshbuf_put_cstring(m, lhost)) != 0 || 1759 (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 || 1760 (r = sshbuf_put_cstring(m, chost)) != 0 || 1761 (r = sshbuf_put_u32(m, fwd->connect_port)) != 0) 1762 fatal_fr(r, "request"); 1763 1764 if (mux_client_write_packet(fd, m) != 0) 1765 fatal_f("write packet: %s", strerror(errno)); 1766 1767 sshbuf_reset(m); 1768 1769 /* Read their reply */ 1770 if (mux_client_read_packet(fd, m) != 0) { 1771 sshbuf_free(m); 1772 return -1; 1773 } 1774 1775 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1776 (r = sshbuf_get_u32(m, &rid)) != 0) 1777 fatal_fr(r, "parse"); 1778 if (rid != muxclient_request_id) 1779 fatal_f("out of sequence reply: my id %u theirs %u", 1780 muxclient_request_id, rid); 1781 1782 switch (type) { 1783 case MUX_S_OK: 1784 break; 1785 case MUX_S_REMOTE_PORT: 1786 if (cancel_flag) 1787 fatal_f("got MUX_S_REMOTE_PORT for cancel"); 1788 if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0) 1789 fatal_fr(r, "parse port"); 1790 verbose("Allocated port %u for remote forward to %s:%d", 1791 fwd->allocated_port, 1792 fwd->connect_host ? fwd->connect_host : "", 1793 fwd->connect_port); 1794 if (muxclient_command == SSHMUX_COMMAND_FORWARD) 1795 fprintf(stdout, "%i\n", fwd->allocated_port); 1796 break; 1797 case MUX_S_PERMISSION_DENIED: 1798 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1799 fatal_fr(r, "parse error message"); 1800 sshbuf_free(m); 1801 error("Master refused forwarding request: %s", e); 1802 return -1; 1803 case MUX_S_FAILURE: 1804 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1805 fatal_fr(r, "parse error message"); 1806 sshbuf_free(m); 1807 error_f("forwarding request failed: %s", e); 1808 return -1; 1809 default: 1810 fatal_f("unexpected response from master 0x%08x", type); 1811 } 1812 sshbuf_free(m); 1813 1814 muxclient_request_id++; 1815 return 0; 1816 } 1817 1818 static int 1819 mux_client_forwards(int fd, int cancel_flag) 1820 { 1821 int i, ret = 0; 1822 1823 debug3_f("%s forwardings: %d local, %d remote", 1824 cancel_flag ? "cancel" : "request", 1825 options.num_local_forwards, options.num_remote_forwards); 1826 1827 /* XXX ExitOnForwardingFailure */ 1828 for (i = 0; i < options.num_local_forwards; i++) { 1829 if (mux_client_forward(fd, cancel_flag, 1830 options.local_forwards[i].connect_port == 0 ? 1831 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL, 1832 options.local_forwards + i) != 0) 1833 ret = -1; 1834 } 1835 for (i = 0; i < options.num_remote_forwards; i++) { 1836 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE, 1837 options.remote_forwards + i) != 0) 1838 ret = -1; 1839 } 1840 return ret; 1841 } 1842 1843 static int 1844 mux_client_request_session(int fd) 1845 { 1846 struct sshbuf *m; 1847 char *e; 1848 const char *term = NULL; 1849 u_int echar, rid, sid, esid, exitval, type, exitval_seen; 1850 extern char **environ; 1851 int r, i, rawmode; 1852 1853 debug3_f("entering"); 1854 1855 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1856 error_f("master alive request failed"); 1857 return -1; 1858 } 1859 1860 ssh_signal(SIGPIPE, SIG_IGN); 1861 1862 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 1863 fatal_f("stdfd_devnull failed"); 1864 1865 if ((term = lookup_env_in_list("TERM", options.setenv, 1866 options.num_setenv)) == NULL || *term == '\0') 1867 term = getenv("TERM"); 1868 1869 echar = 0xffffffff; 1870 if (options.escape_char != SSH_ESCAPECHAR_NONE) 1871 echar = (u_int)options.escape_char; 1872 1873 if ((m = sshbuf_new()) == NULL) 1874 fatal_f("sshbuf_new"); 1875 if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 || 1876 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1877 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 1878 (r = sshbuf_put_u32(m, tty_flag)) != 0 || 1879 (r = sshbuf_put_u32(m, options.forward_x11)) != 0 || 1880 (r = sshbuf_put_u32(m, options.forward_agent)) != 0 || 1881 (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 || 1882 (r = sshbuf_put_u32(m, echar)) != 0 || 1883 (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 || 1884 (r = sshbuf_put_stringb(m, command)) != 0) 1885 fatal_fr(r, "request"); 1886 1887 /* Pass environment */ 1888 if (options.num_send_env > 0 && environ != NULL) { 1889 for (i = 0; environ[i] != NULL; i++) { 1890 if (!env_permitted(environ[i])) 1891 continue; 1892 if ((r = sshbuf_put_cstring(m, environ[i])) != 0) 1893 fatal_fr(r, "request sendenv"); 1894 } 1895 } 1896 for (i = 0; i < options.num_setenv; i++) { 1897 if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0) 1898 fatal_fr(r, "request setenv"); 1899 } 1900 1901 if (mux_client_write_packet(fd, m) != 0) 1902 fatal_f("write packet: %s", strerror(errno)); 1903 1904 /* Send the stdio file descriptors */ 1905 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1906 mm_send_fd(fd, STDOUT_FILENO) == -1 || 1907 mm_send_fd(fd, STDERR_FILENO) == -1) 1908 fatal_f("send fds failed"); 1909 1910 debug3_f("session request sent"); 1911 1912 /* Read their reply */ 1913 sshbuf_reset(m); 1914 if (mux_client_read_packet(fd, m) != 0) { 1915 error_f("read from master failed: %s", strerror(errno)); 1916 sshbuf_free(m); 1917 return -1; 1918 } 1919 1920 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1921 (r = sshbuf_get_u32(m, &rid)) != 0) 1922 fatal_fr(r, "parse"); 1923 if (rid != muxclient_request_id) 1924 fatal_f("out of sequence reply: my id %u theirs %u", 1925 muxclient_request_id, rid); 1926 1927 switch (type) { 1928 case MUX_S_SESSION_OPENED: 1929 if ((r = sshbuf_get_u32(m, &sid)) != 0) 1930 fatal_fr(r, "parse session ID"); 1931 debug_f("master session id: %u", sid); 1932 break; 1933 case MUX_S_PERMISSION_DENIED: 1934 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1935 fatal_fr(r, "parse error message"); 1936 error("Master refused session request: %s", e); 1937 sshbuf_free(m); 1938 return -1; 1939 case MUX_S_FAILURE: 1940 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1941 fatal_fr(r, "parse error message"); 1942 error_f("session request failed: %s", e); 1943 sshbuf_free(m); 1944 return -1; 1945 default: 1946 sshbuf_free(m); 1947 error_f("unexpected response from master 0x%08x", type); 1948 return -1; 1949 } 1950 muxclient_request_id++; 1951 1952 if (pledge("stdio proc tty", NULL) == -1) 1953 fatal_f("pledge(): %s", strerror(errno)); 1954 1955 ssh_signal(SIGHUP, control_client_sighandler); 1956 ssh_signal(SIGINT, control_client_sighandler); 1957 ssh_signal(SIGTERM, control_client_sighandler); 1958 ssh_signal(SIGWINCH, control_client_sigrelay); 1959 1960 rawmode = tty_flag; 1961 if (tty_flag) 1962 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1963 1964 /* 1965 * Stick around until the controlee closes the client_fd. 1966 * Before it does, it is expected to write an exit message. 1967 * This process must read the value and wait for the closure of 1968 * the client_fd; if this one closes early, the multiplex master will 1969 * terminate early too (possibly losing data). 1970 */ 1971 for (exitval = 255, exitval_seen = 0;;) { 1972 sshbuf_reset(m); 1973 if (mux_client_read_packet(fd, m) != 0) 1974 break; 1975 if ((r = sshbuf_get_u32(m, &type)) != 0) 1976 fatal_fr(r, "parse type"); 1977 switch (type) { 1978 case MUX_S_TTY_ALLOC_FAIL: 1979 if ((r = sshbuf_get_u32(m, &esid)) != 0) 1980 fatal_fr(r, "parse session ID"); 1981 if (esid != sid) 1982 fatal_f("tty alloc fail on unknown session: " 1983 "my id %u theirs %u", sid, esid); 1984 leave_raw_mode(options.request_tty == 1985 REQUEST_TTY_FORCE); 1986 rawmode = 0; 1987 continue; 1988 case MUX_S_EXIT_MESSAGE: 1989 if ((r = sshbuf_get_u32(m, &esid)) != 0) 1990 fatal_fr(r, "parse session ID"); 1991 if (esid != sid) 1992 fatal_f("exit on unknown session: " 1993 "my id %u theirs %u", sid, esid); 1994 if (exitval_seen) 1995 fatal_f("exitval sent twice"); 1996 if ((r = sshbuf_get_u32(m, &exitval)) != 0) 1997 fatal_fr(r, "parse exitval"); 1998 exitval_seen = 1; 1999 continue; 2000 default: 2001 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2002 fatal_fr(r, "parse error message"); 2003 fatal_f("master returned error: %s", e); 2004 } 2005 } 2006 2007 close(fd); 2008 if (rawmode) 2009 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 2010 2011 if (muxclient_terminate) { 2012 debug2("Exiting on signal: %s", strsignal(muxclient_terminate)); 2013 exitval = 255; 2014 } else if (!exitval_seen) { 2015 debug2("Control master terminated unexpectedly"); 2016 exitval = 255; 2017 } else 2018 debug2("Received exit status from master %d", exitval); 2019 2020 if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) 2021 fprintf(stderr, "Shared connection to %s closed.\r\n", host); 2022 2023 exit(exitval); 2024 } 2025 2026 static int 2027 mux_client_proxy(int fd) 2028 { 2029 struct sshbuf *m; 2030 char *e; 2031 u_int type, rid; 2032 int r; 2033 2034 if ((m = sshbuf_new()) == NULL) 2035 fatal_f("sshbuf_new"); 2036 if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 || 2037 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2038 fatal_fr(r, "request"); 2039 if (mux_client_write_packet(fd, m) != 0) 2040 fatal_f("write packet: %s", strerror(errno)); 2041 2042 sshbuf_reset(m); 2043 2044 /* Read their reply */ 2045 if (mux_client_read_packet(fd, m) != 0) { 2046 sshbuf_free(m); 2047 return 0; 2048 } 2049 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2050 (r = sshbuf_get_u32(m, &rid)) != 0) 2051 fatal_fr(r, "parse"); 2052 if (rid != muxclient_request_id) 2053 fatal_f("out of sequence reply: my id %u theirs %u", 2054 muxclient_request_id, rid); 2055 if (type != MUX_S_PROXY) { 2056 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2057 fatal_fr(r, "parse error message"); 2058 fatal_f("master returned error: %s", e); 2059 } 2060 sshbuf_free(m); 2061 2062 debug3_f("done"); 2063 muxclient_request_id++; 2064 return 0; 2065 } 2066 2067 static int 2068 mux_client_request_stdio_fwd(int fd) 2069 { 2070 struct sshbuf *m; 2071 char *e; 2072 u_int type, rid, sid; 2073 int r; 2074 2075 debug3_f("entering"); 2076 2077 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 2078 error_f("master alive request failed"); 2079 return -1; 2080 } 2081 2082 ssh_signal(SIGPIPE, SIG_IGN); 2083 2084 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 2085 fatal_f("stdfd_devnull failed"); 2086 2087 if ((m = sshbuf_new()) == NULL) 2088 fatal_f("sshbuf_new"); 2089 if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 || 2090 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 2091 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 2092 (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 || 2093 (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0) 2094 fatal_fr(r, "request"); 2095 2096 if (mux_client_write_packet(fd, m) != 0) 2097 fatal_f("write packet: %s", strerror(errno)); 2098 2099 /* Send the stdio file descriptors */ 2100 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 2101 mm_send_fd(fd, STDOUT_FILENO) == -1) 2102 fatal_f("send fds failed"); 2103 2104 if (pledge("stdio proc tty", NULL) == -1) 2105 fatal_f("pledge(): %s", strerror(errno)); 2106 2107 debug3_f("stdio forward request sent"); 2108 2109 /* Read their reply */ 2110 sshbuf_reset(m); 2111 2112 if (mux_client_read_packet(fd, m) != 0) { 2113 error_f("read from master failed: %s", strerror(errno)); 2114 sshbuf_free(m); 2115 return -1; 2116 } 2117 2118 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2119 (r = sshbuf_get_u32(m, &rid)) != 0) 2120 fatal_fr(r, "parse"); 2121 if (rid != muxclient_request_id) 2122 fatal_f("out of sequence reply: my id %u theirs %u", 2123 muxclient_request_id, rid); 2124 switch (type) { 2125 case MUX_S_SESSION_OPENED: 2126 if ((r = sshbuf_get_u32(m, &sid)) != 0) 2127 fatal_fr(r, "parse session ID"); 2128 debug_f("master session id: %u", sid); 2129 break; 2130 case MUX_S_PERMISSION_DENIED: 2131 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2132 fatal_fr(r, "parse error message"); 2133 sshbuf_free(m); 2134 fatal("Master refused stdio forwarding request: %s", e); 2135 case MUX_S_FAILURE: 2136 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2137 fatal_fr(r, "parse error message"); 2138 sshbuf_free(m); 2139 fatal("Stdio forwarding request failed: %s", e); 2140 default: 2141 sshbuf_free(m); 2142 error_f("unexpected response from master 0x%08x", type); 2143 return -1; 2144 } 2145 muxclient_request_id++; 2146 2147 ssh_signal(SIGHUP, control_client_sighandler); 2148 ssh_signal(SIGINT, control_client_sighandler); 2149 ssh_signal(SIGTERM, control_client_sighandler); 2150 ssh_signal(SIGWINCH, control_client_sigrelay); 2151 2152 /* 2153 * Stick around until the controlee closes the client_fd. 2154 */ 2155 sshbuf_reset(m); 2156 if (mux_client_read_packet(fd, m) != 0) { 2157 if (errno == EPIPE || 2158 (errno == EINTR && muxclient_terminate != 0)) 2159 return 0; 2160 fatal_f("mux_client_read_packet: %s", strerror(errno)); 2161 } 2162 fatal_f("master returned unexpected message %u", type); 2163 } 2164 2165 static void 2166 mux_client_request_stop_listening(int fd) 2167 { 2168 struct sshbuf *m; 2169 char *e; 2170 u_int type, rid; 2171 int r; 2172 2173 debug3_f("entering"); 2174 2175 if ((m = sshbuf_new()) == NULL) 2176 fatal_f("sshbuf_new"); 2177 if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 || 2178 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2179 fatal_fr(r, "request"); 2180 2181 if (mux_client_write_packet(fd, m) != 0) 2182 fatal_f("write packet: %s", strerror(errno)); 2183 2184 sshbuf_reset(m); 2185 2186 /* Read their reply */ 2187 if (mux_client_read_packet(fd, m) != 0) 2188 fatal_f("read from master failed: %s", strerror(errno)); 2189 2190 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2191 (r = sshbuf_get_u32(m, &rid)) != 0) 2192 fatal_fr(r, "parse"); 2193 if (rid != muxclient_request_id) 2194 fatal_f("out of sequence reply: my id %u theirs %u", 2195 muxclient_request_id, rid); 2196 2197 switch (type) { 2198 case MUX_S_OK: 2199 break; 2200 case MUX_S_PERMISSION_DENIED: 2201 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2202 fatal_fr(r, "parse error message"); 2203 fatal("Master refused stop listening request: %s", e); 2204 case MUX_S_FAILURE: 2205 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2206 fatal_fr(r, "parse error message"); 2207 fatal_f("stop listening request failed: %s", e); 2208 default: 2209 fatal_f("unexpected response from master 0x%08x", type); 2210 } 2211 sshbuf_free(m); 2212 muxclient_request_id++; 2213 } 2214 2215 /* Multiplex client main loop. */ 2216 int 2217 muxclient(const char *path) 2218 { 2219 struct sockaddr_un addr; 2220 int sock; 2221 u_int pid; 2222 2223 if (muxclient_command == 0) { 2224 if (options.stdio_forward_host != NULL) 2225 muxclient_command = SSHMUX_COMMAND_STDIO_FWD; 2226 else 2227 muxclient_command = SSHMUX_COMMAND_OPEN; 2228 } 2229 2230 switch (options.control_master) { 2231 case SSHCTL_MASTER_AUTO: 2232 case SSHCTL_MASTER_AUTO_ASK: 2233 debug("auto-mux: Trying existing master"); 2234 /* FALLTHROUGH */ 2235 case SSHCTL_MASTER_NO: 2236 break; 2237 default: 2238 return -1; 2239 } 2240 2241 memset(&addr, '\0', sizeof(addr)); 2242 addr.sun_family = AF_UNIX; 2243 2244 if (strlcpy(addr.sun_path, path, 2245 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 2246 fatal("ControlPath too long ('%s' >= %u bytes)", path, 2247 (unsigned int)sizeof(addr.sun_path)); 2248 2249 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) 2250 fatal_f("socket(): %s", strerror(errno)); 2251 2252 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) { 2253 switch (muxclient_command) { 2254 case SSHMUX_COMMAND_OPEN: 2255 case SSHMUX_COMMAND_STDIO_FWD: 2256 break; 2257 default: 2258 fatal("Control socket connect(%.100s): %s", path, 2259 strerror(errno)); 2260 } 2261 if (errno == ECONNREFUSED && 2262 options.control_master != SSHCTL_MASTER_NO) { 2263 debug("Stale control socket %.100s, unlinking", path); 2264 unlink(path); 2265 } else if (errno == ENOENT) { 2266 debug("Control socket \"%.100s\" does not exist", path); 2267 } else { 2268 error("Control socket connect(%.100s): %s", path, 2269 strerror(errno)); 2270 } 2271 close(sock); 2272 return -1; 2273 } 2274 set_nonblock(sock); 2275 2276 if (mux_client_hello_exchange(sock) != 0) { 2277 error_f("master hello exchange failed"); 2278 close(sock); 2279 return -1; 2280 } 2281 2282 switch (muxclient_command) { 2283 case SSHMUX_COMMAND_ALIVE_CHECK: 2284 if ((pid = mux_client_request_alive(sock)) == 0) 2285 fatal_f("master alive check failed"); 2286 fprintf(stderr, "Master running (pid=%u)\r\n", pid); 2287 exit(0); 2288 case SSHMUX_COMMAND_TERMINATE: 2289 mux_client_request_terminate(sock); 2290 if (options.log_level != SYSLOG_LEVEL_QUIET) 2291 fprintf(stderr, "Exit request sent.\r\n"); 2292 exit(0); 2293 case SSHMUX_COMMAND_FORWARD: 2294 if (mux_client_forwards(sock, 0) != 0) 2295 fatal_f("master forward request failed"); 2296 exit(0); 2297 case SSHMUX_COMMAND_OPEN: 2298 if (mux_client_forwards(sock, 0) != 0) { 2299 error_f("master forward request failed"); 2300 return -1; 2301 } 2302 mux_client_request_session(sock); 2303 return -1; 2304 case SSHMUX_COMMAND_STDIO_FWD: 2305 mux_client_request_stdio_fwd(sock); 2306 exit(0); 2307 case SSHMUX_COMMAND_STOP: 2308 mux_client_request_stop_listening(sock); 2309 if (options.log_level != SYSLOG_LEVEL_QUIET) 2310 fprintf(stderr, "Stop listening request sent.\r\n"); 2311 exit(0); 2312 case SSHMUX_COMMAND_CANCEL_FWD: 2313 if (mux_client_forwards(sock, 1) != 0) 2314 error_f("master cancel forward request failed"); 2315 exit(0); 2316 case SSHMUX_COMMAND_PROXY: 2317 mux_client_proxy(sock); 2318 return (sock); 2319 default: 2320 fatal("unrecognised muxclient_command %d", muxclient_command); 2321 } 2322 } 2323