1 /* $OpenBSD: mux.c,v 1.54 2015/08/19 23:18:26 djm Exp $ */ 2 /* 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* ssh session multiplexing support */ 19 20 /* 21 * TODO: 22 * - Better signalling from master to slave, especially passing of 23 * error messages 24 * - Better fall-back from mux slave error to new connection. 25 * - ExitOnForwardingFailure 26 * - Maybe extension mechanisms for multi-X11/multi-agent forwarding 27 * - Support ~^Z in mux slaves. 28 * - Inspect or control sessions in master. 29 * - If we ever support the "signal" channel request, send signals on 30 * sessions in master. 31 */ 32 33 #include <sys/types.h> 34 #include <sys/queue.h> 35 #include <sys/stat.h> 36 #include <sys/socket.h> 37 #include <sys/un.h> 38 39 #include <errno.h> 40 #include <fcntl.h> 41 #include <poll.h> 42 #include <signal.h> 43 #include <stdarg.h> 44 #include <stddef.h> 45 #include <stdlib.h> 46 #include <stdio.h> 47 #include <string.h> 48 #include <unistd.h> 49 #include <util.h> 50 #include <paths.h> 51 52 #include "atomicio.h" 53 #include "xmalloc.h" 54 #include "log.h" 55 #include "ssh.h" 56 #include "ssh2.h" 57 #include "pathnames.h" 58 #include "misc.h" 59 #include "match.h" 60 #include "buffer.h" 61 #include "channels.h" 62 #include "msg.h" 63 #include "packet.h" 64 #include "monitor_fdpass.h" 65 #include "sshpty.h" 66 #include "key.h" 67 #include "readconf.h" 68 #include "clientloop.h" 69 70 /* from ssh.c */ 71 extern int tty_flag; 72 extern Options options; 73 extern int stdin_null_flag; 74 extern char *host; 75 extern int subsystem_flag; 76 extern Buffer command; 77 extern volatile sig_atomic_t quit_pending; 78 extern char *stdio_forward_host; 79 extern int stdio_forward_port; 80 81 /* Context for session open confirmation callback */ 82 struct mux_session_confirm_ctx { 83 u_int want_tty; 84 u_int want_subsys; 85 u_int want_x_fwd; 86 u_int want_agent_fwd; 87 Buffer cmd; 88 char *term; 89 struct termios tio; 90 char **env; 91 u_int rid; 92 }; 93 94 /* Context for stdio fwd open confirmation callback */ 95 struct mux_stdio_confirm_ctx { 96 u_int rid; 97 }; 98 99 /* Context for global channel callback */ 100 struct mux_channel_confirm_ctx { 101 u_int cid; /* channel id */ 102 u_int rid; /* request id */ 103 int fid; /* forward id */ 104 }; 105 106 /* fd to control socket */ 107 int muxserver_sock = -1; 108 109 /* client request id */ 110 u_int muxclient_request_id = 0; 111 112 /* Multiplexing control command */ 113 u_int muxclient_command = 0; 114 115 /* Set when signalled. */ 116 static volatile sig_atomic_t muxclient_terminate = 0; 117 118 /* PID of multiplex server */ 119 static u_int muxserver_pid = 0; 120 121 static Channel *mux_listener_channel = NULL; 122 123 struct mux_master_state { 124 int hello_rcvd; 125 }; 126 127 /* mux protocol messages */ 128 #define MUX_MSG_HELLO 0x00000001 129 #define MUX_C_NEW_SESSION 0x10000002 130 #define MUX_C_ALIVE_CHECK 0x10000004 131 #define MUX_C_TERMINATE 0x10000005 132 #define MUX_C_OPEN_FWD 0x10000006 133 #define MUX_C_CLOSE_FWD 0x10000007 134 #define MUX_C_NEW_STDIO_FWD 0x10000008 135 #define MUX_C_STOP_LISTENING 0x10000009 136 #define MUX_S_OK 0x80000001 137 #define MUX_S_PERMISSION_DENIED 0x80000002 138 #define MUX_S_FAILURE 0x80000003 139 #define MUX_S_EXIT_MESSAGE 0x80000004 140 #define MUX_S_ALIVE 0x80000005 141 #define MUX_S_SESSION_OPENED 0x80000006 142 #define MUX_S_REMOTE_PORT 0x80000007 143 #define MUX_S_TTY_ALLOC_FAIL 0x80000008 144 145 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ 146 #define MUX_FWD_LOCAL 1 147 #define MUX_FWD_REMOTE 2 148 #define MUX_FWD_DYNAMIC 3 149 150 static void mux_session_confirm(int, int, void *); 151 static void mux_stdio_confirm(int, int, void *); 152 153 static int process_mux_master_hello(u_int, Channel *, Buffer *, Buffer *); 154 static int process_mux_new_session(u_int, Channel *, Buffer *, Buffer *); 155 static int process_mux_alive_check(u_int, Channel *, Buffer *, Buffer *); 156 static int process_mux_terminate(u_int, Channel *, Buffer *, Buffer *); 157 static int process_mux_open_fwd(u_int, Channel *, Buffer *, Buffer *); 158 static int process_mux_close_fwd(u_int, Channel *, Buffer *, Buffer *); 159 static int process_mux_stdio_fwd(u_int, Channel *, Buffer *, Buffer *); 160 static int process_mux_stop_listening(u_int, Channel *, Buffer *, Buffer *); 161 162 static const struct { 163 u_int type; 164 int (*handler)(u_int, Channel *, Buffer *, Buffer *); 165 } mux_master_handlers[] = { 166 { MUX_MSG_HELLO, process_mux_master_hello }, 167 { MUX_C_NEW_SESSION, process_mux_new_session }, 168 { MUX_C_ALIVE_CHECK, process_mux_alive_check }, 169 { MUX_C_TERMINATE, process_mux_terminate }, 170 { MUX_C_OPEN_FWD, process_mux_open_fwd }, 171 { MUX_C_CLOSE_FWD, process_mux_close_fwd }, 172 { MUX_C_NEW_STDIO_FWD, process_mux_stdio_fwd }, 173 { MUX_C_STOP_LISTENING, process_mux_stop_listening }, 174 { 0, NULL } 175 }; 176 177 /* Cleanup callback fired on closure of mux slave _session_ channel */ 178 /* ARGSUSED */ 179 static void 180 mux_master_session_cleanup_cb(int cid, void *unused) 181 { 182 Channel *cc, *c = channel_by_id(cid); 183 184 debug3("%s: entering for channel %d", __func__, cid); 185 if (c == NULL) 186 fatal("%s: channel_by_id(%i) == NULL", __func__, cid); 187 if (c->ctl_chan != -1) { 188 if ((cc = channel_by_id(c->ctl_chan)) == NULL) 189 fatal("%s: channel %d missing control channel %d", 190 __func__, c->self, c->ctl_chan); 191 c->ctl_chan = -1; 192 cc->remote_id = -1; 193 chan_rcvd_oclose(cc); 194 } 195 channel_cancel_cleanup(c->self); 196 } 197 198 /* Cleanup callback fired on closure of mux slave _control_ channel */ 199 /* ARGSUSED */ 200 static void 201 mux_master_control_cleanup_cb(int cid, void *unused) 202 { 203 Channel *sc, *c = channel_by_id(cid); 204 205 debug3("%s: entering for channel %d", __func__, cid); 206 if (c == NULL) 207 fatal("%s: channel_by_id(%i) == NULL", __func__, cid); 208 if (c->remote_id != -1) { 209 if ((sc = channel_by_id(c->remote_id)) == NULL) 210 fatal("%s: channel %d missing session channel %d", 211 __func__, c->self, c->remote_id); 212 c->remote_id = -1; 213 sc->ctl_chan = -1; 214 if (sc->type != SSH_CHANNEL_OPEN && 215 sc->type != SSH_CHANNEL_OPENING) { 216 debug2("%s: channel %d: not open", __func__, sc->self); 217 chan_mark_dead(sc); 218 } else { 219 if (sc->istate == CHAN_INPUT_OPEN) 220 chan_read_failed(sc); 221 if (sc->ostate == CHAN_OUTPUT_OPEN) 222 chan_write_failed(sc); 223 } 224 } 225 channel_cancel_cleanup(c->self); 226 } 227 228 /* Check mux client environment variables before passing them to mux master. */ 229 static int 230 env_permitted(char *env) 231 { 232 int i, ret; 233 char name[1024], *cp; 234 235 if ((cp = strchr(env, '=')) == NULL || cp == env) 236 return 0; 237 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env); 238 if (ret <= 0 || (size_t)ret >= sizeof(name)) { 239 error("env_permitted: name '%.100s...' too long", env); 240 return 0; 241 } 242 243 for (i = 0; i < options.num_send_env; i++) 244 if (match_pattern(name, options.send_env[i])) 245 return 1; 246 247 return 0; 248 } 249 250 /* Mux master protocol message handlers */ 251 252 static int 253 process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r) 254 { 255 u_int ver; 256 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 257 258 if (state == NULL) 259 fatal("%s: channel %d: c->mux_ctx == NULL", __func__, c->self); 260 if (state->hello_rcvd) { 261 error("%s: HELLO received twice", __func__); 262 return -1; 263 } 264 if (buffer_get_int_ret(&ver, m) != 0) { 265 malf: 266 error("%s: malformed message", __func__); 267 return -1; 268 } 269 if (ver != SSHMUX_VER) { 270 error("Unsupported multiplexing protocol version %d " 271 "(expected %d)", ver, SSHMUX_VER); 272 return -1; 273 } 274 debug2("%s: channel %d slave version %u", __func__, c->self, ver); 275 276 /* No extensions are presently defined */ 277 while (buffer_len(m) > 0) { 278 char *name = buffer_get_string_ret(m, NULL); 279 char *value = buffer_get_string_ret(m, NULL); 280 281 if (name == NULL || value == NULL) { 282 free(name); 283 free(value); 284 goto malf; 285 } 286 debug2("Unrecognised slave extension \"%s\"", name); 287 free(name); 288 free(value); 289 } 290 state->hello_rcvd = 1; 291 return 0; 292 } 293 294 static int 295 process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) 296 { 297 Channel *nc; 298 struct mux_session_confirm_ctx *cctx; 299 char *reserved, *cmd, *cp; 300 u_int i, j, len, env_len, escape_char, window, packetmax; 301 int new_fd[3]; 302 303 /* Reply for SSHMUX_COMMAND_OPEN */ 304 cctx = xcalloc(1, sizeof(*cctx)); 305 cctx->term = NULL; 306 cctx->rid = rid; 307 cmd = reserved = NULL; 308 cctx->env = NULL; 309 env_len = 0; 310 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || 311 buffer_get_int_ret(&cctx->want_tty, m) != 0 || 312 buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || 313 buffer_get_int_ret(&cctx->want_agent_fwd, m) != 0 || 314 buffer_get_int_ret(&cctx->want_subsys, m) != 0 || 315 buffer_get_int_ret(&escape_char, m) != 0 || 316 (cctx->term = buffer_get_string_ret(m, &len)) == NULL || 317 (cmd = buffer_get_string_ret(m, &len)) == NULL) { 318 malf: 319 free(cmd); 320 free(reserved); 321 for (j = 0; j < env_len; j++) 322 free(cctx->env[j]); 323 free(cctx->env); 324 free(cctx->term); 325 free(cctx); 326 error("%s: malformed message", __func__); 327 return -1; 328 } 329 free(reserved); 330 reserved = NULL; 331 332 while (buffer_len(m) > 0) { 333 #define MUX_MAX_ENV_VARS 4096 334 if ((cp = buffer_get_string_ret(m, &len)) == NULL) 335 goto malf; 336 if (!env_permitted(cp)) { 337 free(cp); 338 continue; 339 } 340 cctx->env = xreallocarray(cctx->env, env_len + 2, 341 sizeof(*cctx->env)); 342 cctx->env[env_len++] = cp; 343 cctx->env[env_len] = NULL; 344 if (env_len > MUX_MAX_ENV_VARS) { 345 error(">%d environment variables received, ignoring " 346 "additional", MUX_MAX_ENV_VARS); 347 break; 348 } 349 } 350 351 debug2("%s: channel %d: request tty %d, X %d, agent %d, subsys %d, " 352 "term \"%s\", cmd \"%s\", env %u", __func__, c->self, 353 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd, 354 cctx->want_subsys, cctx->term, cmd, env_len); 355 356 buffer_init(&cctx->cmd); 357 buffer_append(&cctx->cmd, cmd, strlen(cmd)); 358 free(cmd); 359 cmd = NULL; 360 361 /* Gather fds from client */ 362 for(i = 0; i < 3; i++) { 363 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 364 error("%s: failed to receive fd %d from slave", 365 __func__, i); 366 for (j = 0; j < i; j++) 367 close(new_fd[j]); 368 for (j = 0; j < env_len; j++) 369 free(cctx->env[j]); 370 free(cctx->env); 371 free(cctx->term); 372 buffer_free(&cctx->cmd); 373 free(cctx); 374 375 /* prepare reply */ 376 buffer_put_int(r, MUX_S_FAILURE); 377 buffer_put_int(r, rid); 378 buffer_put_cstring(r, 379 "did not receive file descriptors"); 380 return -1; 381 } 382 } 383 384 debug3("%s: got fds stdin %d, stdout %d, stderr %d", __func__, 385 new_fd[0], new_fd[1], new_fd[2]); 386 387 /* XXX support multiple child sessions in future */ 388 if (c->remote_id != -1) { 389 debug2("%s: session already open", __func__); 390 /* prepare reply */ 391 buffer_put_int(r, MUX_S_FAILURE); 392 buffer_put_int(r, rid); 393 buffer_put_cstring(r, "Multiple sessions not supported"); 394 cleanup: 395 close(new_fd[0]); 396 close(new_fd[1]); 397 close(new_fd[2]); 398 free(cctx->term); 399 if (env_len != 0) { 400 for (i = 0; i < env_len; i++) 401 free(cctx->env[i]); 402 free(cctx->env); 403 } 404 buffer_free(&cctx->cmd); 405 free(cctx); 406 return 0; 407 } 408 409 if (options.control_master == SSHCTL_MASTER_ASK || 410 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 411 if (!ask_permission("Allow shared connection to %s? ", host)) { 412 debug2("%s: session refused by user", __func__); 413 /* prepare reply */ 414 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 415 buffer_put_int(r, rid); 416 buffer_put_cstring(r, "Permission denied"); 417 goto cleanup; 418 } 419 } 420 421 /* Try to pick up ttymodes from client before it goes raw */ 422 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 423 error("%s: tcgetattr: %s", __func__, strerror(errno)); 424 425 /* enable nonblocking unless tty */ 426 if (!isatty(new_fd[0])) 427 set_nonblock(new_fd[0]); 428 if (!isatty(new_fd[1])) 429 set_nonblock(new_fd[1]); 430 if (!isatty(new_fd[2])) 431 set_nonblock(new_fd[2]); 432 433 window = CHAN_SES_WINDOW_DEFAULT; 434 packetmax = CHAN_SES_PACKET_DEFAULT; 435 if (cctx->want_tty) { 436 window >>= 1; 437 packetmax >>= 1; 438 } 439 440 nc = channel_new("session", SSH_CHANNEL_OPENING, 441 new_fd[0], new_fd[1], new_fd[2], window, packetmax, 442 CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); 443 444 nc->ctl_chan = c->self; /* link session -> control channel */ 445 c->remote_id = nc->self; /* link control -> session channel */ 446 447 if (cctx->want_tty && escape_char != 0xffffffff) { 448 channel_register_filter(nc->self, 449 client_simple_escape_filter, NULL, 450 client_filter_cleanup, 451 client_new_escape_filter_ctx((int)escape_char)); 452 } 453 454 debug2("%s: channel_new: %d linked to control channel %d", 455 __func__, nc->self, nc->ctl_chan); 456 457 channel_send_open(nc->self); 458 channel_register_open_confirm(nc->self, mux_session_confirm, cctx); 459 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 460 channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1); 461 462 /* reply is deferred, sent by mux_session_confirm */ 463 return 0; 464 } 465 466 static int 467 process_mux_alive_check(u_int rid, Channel *c, Buffer *m, Buffer *r) 468 { 469 debug2("%s: channel %d: alive check", __func__, c->self); 470 471 /* prepare reply */ 472 buffer_put_int(r, MUX_S_ALIVE); 473 buffer_put_int(r, rid); 474 buffer_put_int(r, (u_int)getpid()); 475 476 return 0; 477 } 478 479 static int 480 process_mux_terminate(u_int rid, Channel *c, Buffer *m, Buffer *r) 481 { 482 debug2("%s: channel %d: terminate request", __func__, c->self); 483 484 if (options.control_master == SSHCTL_MASTER_ASK || 485 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 486 if (!ask_permission("Terminate shared connection to %s? ", 487 host)) { 488 debug2("%s: termination refused by user", __func__); 489 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 490 buffer_put_int(r, rid); 491 buffer_put_cstring(r, "Permission denied"); 492 return 0; 493 } 494 } 495 496 quit_pending = 1; 497 buffer_put_int(r, MUX_S_OK); 498 buffer_put_int(r, rid); 499 /* XXX exit happens too soon - message never makes it to client */ 500 return 0; 501 } 502 503 static char * 504 format_forward(u_int ftype, struct Forward *fwd) 505 { 506 char *ret; 507 508 switch (ftype) { 509 case MUX_FWD_LOCAL: 510 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d", 511 (fwd->listen_path != NULL) ? fwd->listen_path : 512 (fwd->listen_host == NULL) ? 513 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 514 fwd->listen_host, fwd->listen_port, 515 (fwd->connect_path != NULL) ? fwd->connect_path : 516 fwd->connect_host, fwd->connect_port); 517 break; 518 case MUX_FWD_DYNAMIC: 519 xasprintf(&ret, "dynamic forward %.200s:%d -> *", 520 (fwd->listen_host == NULL) ? 521 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 522 fwd->listen_host, fwd->listen_port); 523 break; 524 case MUX_FWD_REMOTE: 525 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d", 526 (fwd->listen_path != NULL) ? fwd->listen_path : 527 (fwd->listen_host == NULL) ? 528 "LOCALHOST" : fwd->listen_host, 529 fwd->listen_port, 530 (fwd->connect_path != NULL) ? fwd->connect_path : 531 fwd->connect_host, fwd->connect_port); 532 break; 533 default: 534 fatal("%s: unknown forward type %u", __func__, ftype); 535 } 536 return ret; 537 } 538 539 static int 540 compare_host(const char *a, const char *b) 541 { 542 if (a == NULL && b == NULL) 543 return 1; 544 if (a == NULL || b == NULL) 545 return 0; 546 return strcmp(a, b) == 0; 547 } 548 549 static int 550 compare_forward(struct Forward *a, struct Forward *b) 551 { 552 if (!compare_host(a->listen_host, b->listen_host)) 553 return 0; 554 if (!compare_host(a->listen_path, b->listen_path)) 555 return 0; 556 if (a->listen_port != b->listen_port) 557 return 0; 558 if (!compare_host(a->connect_host, b->connect_host)) 559 return 0; 560 if (!compare_host(a->connect_path, b->connect_path)) 561 return 0; 562 if (a->connect_port != b->connect_port) 563 return 0; 564 565 return 1; 566 } 567 568 static void 569 mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt) 570 { 571 struct mux_channel_confirm_ctx *fctx = ctxt; 572 char *failmsg = NULL; 573 struct Forward *rfwd; 574 Channel *c; 575 Buffer out; 576 577 if ((c = channel_by_id(fctx->cid)) == NULL) { 578 /* no channel for reply */ 579 error("%s: unknown channel", __func__); 580 return; 581 } 582 buffer_init(&out); 583 if (fctx->fid >= options.num_remote_forwards || 584 (options.remote_forwards[fctx->fid].connect_path == NULL && 585 options.remote_forwards[fctx->fid].connect_host == NULL)) { 586 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid); 587 goto fail; 588 } 589 rfwd = &options.remote_forwards[fctx->fid]; 590 debug("%s: %s for: listen %d, connect %s:%d", __func__, 591 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 592 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path : 593 rfwd->connect_host, rfwd->connect_port); 594 if (type == SSH2_MSG_REQUEST_SUCCESS) { 595 if (rfwd->listen_port == 0) { 596 rfwd->allocated_port = packet_get_int(); 597 debug("Allocated port %u for mux remote forward" 598 " to %s:%d", rfwd->allocated_port, 599 rfwd->connect_host, rfwd->connect_port); 600 buffer_put_int(&out, MUX_S_REMOTE_PORT); 601 buffer_put_int(&out, fctx->rid); 602 buffer_put_int(&out, rfwd->allocated_port); 603 channel_update_permitted_opens(rfwd->handle, 604 rfwd->allocated_port); 605 } else { 606 buffer_put_int(&out, MUX_S_OK); 607 buffer_put_int(&out, fctx->rid); 608 } 609 goto out; 610 } else { 611 if (rfwd->listen_port == 0) 612 channel_update_permitted_opens(rfwd->handle, -1); 613 if (rfwd->listen_path != NULL) 614 xasprintf(&failmsg, "remote port forwarding failed for " 615 "listen path %s", rfwd->listen_path); 616 else 617 xasprintf(&failmsg, "remote port forwarding failed for " 618 "listen port %d", rfwd->listen_port); 619 620 debug2("%s: clearing registered forwarding for listen %d, " 621 "connect %s:%d", __func__, rfwd->listen_port, 622 rfwd->connect_path ? rfwd->connect_path : 623 rfwd->connect_host, rfwd->connect_port); 624 625 free(rfwd->listen_host); 626 free(rfwd->listen_path); 627 free(rfwd->connect_host); 628 free(rfwd->connect_path); 629 memset(rfwd, 0, sizeof(*rfwd)); 630 } 631 fail: 632 error("%s: %s", __func__, failmsg); 633 buffer_put_int(&out, MUX_S_FAILURE); 634 buffer_put_int(&out, fctx->rid); 635 buffer_put_cstring(&out, failmsg); 636 free(failmsg); 637 out: 638 buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out)); 639 buffer_free(&out); 640 if (c->mux_pause <= 0) 641 fatal("%s: mux_pause %d", __func__, c->mux_pause); 642 c->mux_pause = 0; /* start processing messages again */ 643 } 644 645 static int 646 process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) 647 { 648 struct Forward fwd; 649 char *fwd_desc = NULL; 650 char *listen_addr, *connect_addr; 651 u_int ftype; 652 u_int lport, cport; 653 int i, ret = 0, freefwd = 1; 654 655 memset(&fwd, 0, sizeof(fwd)); 656 657 /* XXX - lport/cport check redundant */ 658 if (buffer_get_int_ret(&ftype, m) != 0 || 659 (listen_addr = buffer_get_string_ret(m, NULL)) == NULL || 660 buffer_get_int_ret(&lport, m) != 0 || 661 (connect_addr = buffer_get_string_ret(m, NULL)) == NULL || 662 buffer_get_int_ret(&cport, m) != 0 || 663 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 664 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 665 error("%s: malformed message", __func__); 666 ret = -1; 667 goto out; 668 } 669 if (*listen_addr == '\0') { 670 free(listen_addr); 671 listen_addr = NULL; 672 } 673 if (*connect_addr == '\0') { 674 free(connect_addr); 675 connect_addr = NULL; 676 } 677 678 memset(&fwd, 0, sizeof(fwd)); 679 fwd.listen_port = lport; 680 if (fwd.listen_port == PORT_STREAMLOCAL) 681 fwd.listen_path = listen_addr; 682 else 683 fwd.listen_host = listen_addr; 684 fwd.connect_port = cport; 685 if (fwd.connect_port == PORT_STREAMLOCAL) 686 fwd.connect_path = connect_addr; 687 else 688 fwd.connect_host = connect_addr; 689 690 debug2("%s: channel %d: request %s", __func__, c->self, 691 (fwd_desc = format_forward(ftype, &fwd))); 692 693 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE && 694 ftype != MUX_FWD_DYNAMIC) { 695 logit("%s: invalid forwarding type %u", __func__, ftype); 696 invalid: 697 free(listen_addr); 698 free(connect_addr); 699 buffer_put_int(r, MUX_S_FAILURE); 700 buffer_put_int(r, rid); 701 buffer_put_cstring(r, "Invalid forwarding request"); 702 return 0; 703 } 704 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) { 705 logit("%s: streamlocal and dynamic forwards " 706 "are mutually exclusive", __func__); 707 goto invalid; 708 } 709 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) { 710 logit("%s: invalid listen port %u", __func__, 711 fwd.listen_port); 712 goto invalid; 713 } 714 if ((fwd.connect_port != PORT_STREAMLOCAL && fwd.connect_port >= 65536) 715 || (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && fwd.connect_port == 0)) { 716 logit("%s: invalid connect port %u", __func__, 717 fwd.connect_port); 718 goto invalid; 719 } 720 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && fwd.connect_path == NULL) { 721 logit("%s: missing connect host", __func__); 722 goto invalid; 723 } 724 725 /* Skip forwards that have already been requested */ 726 switch (ftype) { 727 case MUX_FWD_LOCAL: 728 case MUX_FWD_DYNAMIC: 729 for (i = 0; i < options.num_local_forwards; i++) { 730 if (compare_forward(&fwd, 731 options.local_forwards + i)) { 732 exists: 733 debug2("%s: found existing forwarding", 734 __func__); 735 buffer_put_int(r, MUX_S_OK); 736 buffer_put_int(r, rid); 737 goto out; 738 } 739 } 740 break; 741 case MUX_FWD_REMOTE: 742 for (i = 0; i < options.num_remote_forwards; i++) { 743 if (compare_forward(&fwd, 744 options.remote_forwards + i)) { 745 if (fwd.listen_port != 0) 746 goto exists; 747 debug2("%s: found allocated port", 748 __func__); 749 buffer_put_int(r, MUX_S_REMOTE_PORT); 750 buffer_put_int(r, rid); 751 buffer_put_int(r, 752 options.remote_forwards[i].allocated_port); 753 goto out; 754 } 755 } 756 break; 757 } 758 759 if (options.control_master == SSHCTL_MASTER_ASK || 760 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 761 if (!ask_permission("Open %s on %s?", fwd_desc, host)) { 762 debug2("%s: forwarding refused by user", __func__); 763 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 764 buffer_put_int(r, rid); 765 buffer_put_cstring(r, "Permission denied"); 766 goto out; 767 } 768 } 769 770 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 771 if (!channel_setup_local_fwd_listener(&fwd, 772 &options.fwd_opts)) { 773 fail: 774 logit("slave-requested %s failed", fwd_desc); 775 buffer_put_int(r, MUX_S_FAILURE); 776 buffer_put_int(r, rid); 777 buffer_put_cstring(r, "Port forwarding failed"); 778 goto out; 779 } 780 add_local_forward(&options, &fwd); 781 freefwd = 0; 782 } else { 783 struct mux_channel_confirm_ctx *fctx; 784 785 fwd.handle = channel_request_remote_forwarding(&fwd); 786 if (fwd.handle < 0) 787 goto fail; 788 add_remote_forward(&options, &fwd); 789 fctx = xcalloc(1, sizeof(*fctx)); 790 fctx->cid = c->self; 791 fctx->rid = rid; 792 fctx->fid = options.num_remote_forwards - 1; 793 client_register_global_confirm(mux_confirm_remote_forward, 794 fctx); 795 freefwd = 0; 796 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */ 797 /* delayed reply in mux_confirm_remote_forward */ 798 goto out; 799 } 800 buffer_put_int(r, MUX_S_OK); 801 buffer_put_int(r, rid); 802 out: 803 free(fwd_desc); 804 if (freefwd) { 805 free(fwd.listen_host); 806 free(fwd.listen_path); 807 free(fwd.connect_host); 808 free(fwd.connect_path); 809 } 810 return ret; 811 } 812 813 static int 814 process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) 815 { 816 struct Forward fwd, *found_fwd; 817 char *fwd_desc = NULL; 818 const char *error_reason = NULL; 819 char *listen_addr = NULL, *connect_addr = NULL; 820 u_int ftype; 821 int i, ret = 0; 822 u_int lport, cport; 823 824 memset(&fwd, 0, sizeof(fwd)); 825 826 if (buffer_get_int_ret(&ftype, m) != 0 || 827 (listen_addr = buffer_get_string_ret(m, NULL)) == NULL || 828 buffer_get_int_ret(&lport, m) != 0 || 829 (connect_addr = buffer_get_string_ret(m, NULL)) == NULL || 830 buffer_get_int_ret(&cport, m) != 0 || 831 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 832 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 833 error("%s: malformed message", __func__); 834 ret = -1; 835 goto out; 836 } 837 838 if (*listen_addr == '\0') { 839 free(listen_addr); 840 listen_addr = NULL; 841 } 842 if (*connect_addr == '\0') { 843 free(connect_addr); 844 connect_addr = NULL; 845 } 846 847 memset(&fwd, 0, sizeof(fwd)); 848 fwd.listen_port = lport; 849 if (fwd.listen_port == PORT_STREAMLOCAL) 850 fwd.listen_path = listen_addr; 851 else 852 fwd.listen_host = listen_addr; 853 fwd.connect_port = cport; 854 if (fwd.connect_port == PORT_STREAMLOCAL) 855 fwd.connect_path = connect_addr; 856 else 857 fwd.connect_host = connect_addr; 858 859 debug2("%s: channel %d: request cancel %s", __func__, c->self, 860 (fwd_desc = format_forward(ftype, &fwd))); 861 862 /* make sure this has been requested */ 863 found_fwd = NULL; 864 switch (ftype) { 865 case MUX_FWD_LOCAL: 866 case MUX_FWD_DYNAMIC: 867 for (i = 0; i < options.num_local_forwards; i++) { 868 if (compare_forward(&fwd, 869 options.local_forwards + i)) { 870 found_fwd = options.local_forwards + i; 871 break; 872 } 873 } 874 break; 875 case MUX_FWD_REMOTE: 876 for (i = 0; i < options.num_remote_forwards; i++) { 877 if (compare_forward(&fwd, 878 options.remote_forwards + i)) { 879 found_fwd = options.remote_forwards + i; 880 break; 881 } 882 } 883 break; 884 } 885 886 if (found_fwd == NULL) 887 error_reason = "port not forwarded"; 888 else if (ftype == MUX_FWD_REMOTE) { 889 /* 890 * This shouldn't fail unless we confused the host/port 891 * between options.remote_forwards and permitted_opens. 892 * However, for dynamic allocated listen ports we need 893 * to use the actual listen port. 894 */ 895 if (channel_request_rforward_cancel(found_fwd) == -1) 896 error_reason = "port not in permitted opens"; 897 } else { /* local and dynamic forwards */ 898 /* Ditto */ 899 if (channel_cancel_lport_listener(&fwd, fwd.connect_port, 900 &options.fwd_opts) == -1) 901 error_reason = "port not found"; 902 } 903 904 if (error_reason == NULL) { 905 buffer_put_int(r, MUX_S_OK); 906 buffer_put_int(r, rid); 907 908 free(found_fwd->listen_host); 909 free(found_fwd->listen_path); 910 free(found_fwd->connect_host); 911 free(found_fwd->connect_path); 912 found_fwd->listen_host = found_fwd->connect_host = NULL; 913 found_fwd->listen_path = found_fwd->connect_path = NULL; 914 found_fwd->listen_port = found_fwd->connect_port = 0; 915 } else { 916 buffer_put_int(r, MUX_S_FAILURE); 917 buffer_put_int(r, rid); 918 buffer_put_cstring(r, error_reason); 919 } 920 out: 921 free(fwd_desc); 922 free(listen_addr); 923 free(connect_addr); 924 925 return ret; 926 } 927 928 static int 929 process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) 930 { 931 Channel *nc; 932 char *reserved, *chost; 933 u_int cport, i, j; 934 int new_fd[2]; 935 struct mux_stdio_confirm_ctx *cctx; 936 937 chost = reserved = NULL; 938 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || 939 (chost = buffer_get_string_ret(m, NULL)) == NULL || 940 buffer_get_int_ret(&cport, m) != 0) { 941 free(reserved); 942 free(chost); 943 error("%s: malformed message", __func__); 944 return -1; 945 } 946 free(reserved); 947 948 debug2("%s: channel %d: request stdio fwd to %s:%u", 949 __func__, c->self, chost, cport); 950 951 /* Gather fds from client */ 952 for(i = 0; i < 2; i++) { 953 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 954 error("%s: failed to receive fd %d from slave", 955 __func__, i); 956 for (j = 0; j < i; j++) 957 close(new_fd[j]); 958 free(chost); 959 960 /* prepare reply */ 961 buffer_put_int(r, MUX_S_FAILURE); 962 buffer_put_int(r, rid); 963 buffer_put_cstring(r, 964 "did not receive file descriptors"); 965 return -1; 966 } 967 } 968 969 debug3("%s: got fds stdin %d, stdout %d", __func__, 970 new_fd[0], new_fd[1]); 971 972 /* XXX support multiple child sessions in future */ 973 if (c->remote_id != -1) { 974 debug2("%s: session already open", __func__); 975 /* prepare reply */ 976 buffer_put_int(r, MUX_S_FAILURE); 977 buffer_put_int(r, rid); 978 buffer_put_cstring(r, "Multiple sessions not supported"); 979 cleanup: 980 close(new_fd[0]); 981 close(new_fd[1]); 982 free(chost); 983 return 0; 984 } 985 986 if (options.control_master == SSHCTL_MASTER_ASK || 987 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 988 if (!ask_permission("Allow forward to %s:%u? ", 989 chost, cport)) { 990 debug2("%s: stdio fwd refused by user", __func__); 991 /* prepare reply */ 992 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 993 buffer_put_int(r, rid); 994 buffer_put_cstring(r, "Permission denied"); 995 goto cleanup; 996 } 997 } 998 999 /* enable nonblocking unless tty */ 1000 if (!isatty(new_fd[0])) 1001 set_nonblock(new_fd[0]); 1002 if (!isatty(new_fd[1])) 1003 set_nonblock(new_fd[1]); 1004 1005 nc = channel_connect_stdio_fwd(chost, cport, new_fd[0], new_fd[1]); 1006 1007 nc->ctl_chan = c->self; /* link session -> control channel */ 1008 c->remote_id = nc->self; /* link control -> session channel */ 1009 1010 debug2("%s: channel_new: %d linked to control channel %d", 1011 __func__, nc->self, nc->ctl_chan); 1012 1013 channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1); 1014 1015 cctx = xcalloc(1, sizeof(*cctx)); 1016 cctx->rid = rid; 1017 channel_register_open_confirm(nc->self, mux_stdio_confirm, cctx); 1018 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 1019 1020 /* reply is deferred, sent by mux_session_confirm */ 1021 return 0; 1022 } 1023 1024 /* Callback on open confirmation in mux master for a mux stdio fwd session. */ 1025 static void 1026 mux_stdio_confirm(int id, int success, void *arg) 1027 { 1028 struct mux_stdio_confirm_ctx *cctx = arg; 1029 Channel *c, *cc; 1030 Buffer reply; 1031 1032 if (cctx == NULL) 1033 fatal("%s: cctx == NULL", __func__); 1034 if ((c = channel_by_id(id)) == NULL) 1035 fatal("%s: no channel for id %d", __func__, id); 1036 if ((cc = channel_by_id(c->ctl_chan)) == NULL) 1037 fatal("%s: channel %d lacks control channel %d", __func__, 1038 id, c->ctl_chan); 1039 1040 if (!success) { 1041 debug3("%s: sending failure reply", __func__); 1042 /* prepare reply */ 1043 buffer_init(&reply); 1044 buffer_put_int(&reply, MUX_S_FAILURE); 1045 buffer_put_int(&reply, cctx->rid); 1046 buffer_put_cstring(&reply, "Session open refused by peer"); 1047 goto done; 1048 } 1049 1050 debug3("%s: sending success reply", __func__); 1051 /* prepare reply */ 1052 buffer_init(&reply); 1053 buffer_put_int(&reply, MUX_S_SESSION_OPENED); 1054 buffer_put_int(&reply, cctx->rid); 1055 buffer_put_int(&reply, c->self); 1056 1057 done: 1058 /* Send reply */ 1059 buffer_put_string(&cc->output, buffer_ptr(&reply), buffer_len(&reply)); 1060 buffer_free(&reply); 1061 1062 if (cc->mux_pause <= 0) 1063 fatal("%s: mux_pause %d", __func__, cc->mux_pause); 1064 cc->mux_pause = 0; /* start processing messages again */ 1065 c->open_confirm_ctx = NULL; 1066 free(cctx); 1067 } 1068 1069 static int 1070 process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r) 1071 { 1072 debug("%s: channel %d: stop listening", __func__, c->self); 1073 1074 if (options.control_master == SSHCTL_MASTER_ASK || 1075 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1076 if (!ask_permission("Disable further multiplexing on shared " 1077 "connection to %s? ", host)) { 1078 debug2("%s: stop listen refused by user", __func__); 1079 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 1080 buffer_put_int(r, rid); 1081 buffer_put_cstring(r, "Permission denied"); 1082 return 0; 1083 } 1084 } 1085 1086 if (mux_listener_channel != NULL) { 1087 channel_free(mux_listener_channel); 1088 client_stop_mux(); 1089 free(options.control_path); 1090 options.control_path = NULL; 1091 mux_listener_channel = NULL; 1092 muxserver_sock = -1; 1093 } 1094 1095 /* prepare reply */ 1096 buffer_put_int(r, MUX_S_OK); 1097 buffer_put_int(r, rid); 1098 1099 return 0; 1100 } 1101 1102 /* Channel callbacks fired on read/write from mux slave fd */ 1103 static int 1104 mux_master_read_cb(Channel *c) 1105 { 1106 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 1107 Buffer in, out; 1108 const u_char *ptr; 1109 u_int type, rid, have, i; 1110 int ret = -1; 1111 1112 /* Setup ctx and */ 1113 if (c->mux_ctx == NULL) { 1114 state = xcalloc(1, sizeof(*state)); 1115 c->mux_ctx = state; 1116 channel_register_cleanup(c->self, 1117 mux_master_control_cleanup_cb, 0); 1118 1119 /* Send hello */ 1120 buffer_init(&out); 1121 buffer_put_int(&out, MUX_MSG_HELLO); 1122 buffer_put_int(&out, SSHMUX_VER); 1123 /* no extensions */ 1124 buffer_put_string(&c->output, buffer_ptr(&out), 1125 buffer_len(&out)); 1126 buffer_free(&out); 1127 debug3("%s: channel %d: hello sent", __func__, c->self); 1128 return 0; 1129 } 1130 1131 buffer_init(&in); 1132 buffer_init(&out); 1133 1134 /* Channel code ensures that we receive whole packets */ 1135 if ((ptr = buffer_get_string_ptr_ret(&c->input, &have)) == NULL) { 1136 malf: 1137 error("%s: malformed message", __func__); 1138 goto out; 1139 } 1140 buffer_append(&in, ptr, have); 1141 1142 if (buffer_get_int_ret(&type, &in) != 0) 1143 goto malf; 1144 debug3("%s: channel %d packet type 0x%08x len %u", 1145 __func__, c->self, type, buffer_len(&in)); 1146 1147 if (type == MUX_MSG_HELLO) 1148 rid = 0; 1149 else { 1150 if (!state->hello_rcvd) { 1151 error("%s: expected MUX_MSG_HELLO(0x%08x), " 1152 "received 0x%08x", __func__, MUX_MSG_HELLO, type); 1153 goto out; 1154 } 1155 if (buffer_get_int_ret(&rid, &in) != 0) 1156 goto malf; 1157 } 1158 1159 for (i = 0; mux_master_handlers[i].handler != NULL; i++) { 1160 if (type == mux_master_handlers[i].type) { 1161 ret = mux_master_handlers[i].handler(rid, c, &in, &out); 1162 break; 1163 } 1164 } 1165 if (mux_master_handlers[i].handler == NULL) { 1166 error("%s: unsupported mux message 0x%08x", __func__, type); 1167 buffer_put_int(&out, MUX_S_FAILURE); 1168 buffer_put_int(&out, rid); 1169 buffer_put_cstring(&out, "unsupported request"); 1170 ret = 0; 1171 } 1172 /* Enqueue reply packet */ 1173 if (buffer_len(&out) != 0) { 1174 buffer_put_string(&c->output, buffer_ptr(&out), 1175 buffer_len(&out)); 1176 } 1177 out: 1178 buffer_free(&in); 1179 buffer_free(&out); 1180 return ret; 1181 } 1182 1183 void 1184 mux_exit_message(Channel *c, int exitval) 1185 { 1186 Buffer m; 1187 Channel *mux_chan; 1188 1189 debug3("%s: channel %d: exit message, exitval %d", __func__, c->self, 1190 exitval); 1191 1192 if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) 1193 fatal("%s: channel %d missing mux channel %d", 1194 __func__, c->self, c->ctl_chan); 1195 1196 /* Append exit message packet to control socket output queue */ 1197 buffer_init(&m); 1198 buffer_put_int(&m, MUX_S_EXIT_MESSAGE); 1199 buffer_put_int(&m, c->self); 1200 buffer_put_int(&m, exitval); 1201 1202 buffer_put_string(&mux_chan->output, buffer_ptr(&m), buffer_len(&m)); 1203 buffer_free(&m); 1204 } 1205 1206 void 1207 mux_tty_alloc_failed(Channel *c) 1208 { 1209 Buffer m; 1210 Channel *mux_chan; 1211 1212 debug3("%s: channel %d: TTY alloc failed", __func__, c->self); 1213 1214 if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) 1215 fatal("%s: channel %d missing mux channel %d", 1216 __func__, c->self, c->ctl_chan); 1217 1218 /* Append exit message packet to control socket output queue */ 1219 buffer_init(&m); 1220 buffer_put_int(&m, MUX_S_TTY_ALLOC_FAIL); 1221 buffer_put_int(&m, c->self); 1222 1223 buffer_put_string(&mux_chan->output, buffer_ptr(&m), buffer_len(&m)); 1224 buffer_free(&m); 1225 } 1226 1227 /* Prepare a mux master to listen on a Unix domain socket. */ 1228 void 1229 muxserver_listen(void) 1230 { 1231 mode_t old_umask; 1232 char *orig_control_path = options.control_path; 1233 char rbuf[16+1]; 1234 u_int i, r; 1235 int oerrno; 1236 1237 if (options.control_path == NULL || 1238 options.control_master == SSHCTL_MASTER_NO) 1239 return; 1240 1241 debug("setting up multiplex master socket"); 1242 1243 /* 1244 * Use a temporary path before listen so we can pseudo-atomically 1245 * establish the listening socket in its final location to avoid 1246 * other processes racing in between bind() and listen() and hitting 1247 * an unready socket. 1248 */ 1249 for (i = 0; i < sizeof(rbuf) - 1; i++) { 1250 r = arc4random_uniform(26+26+10); 1251 rbuf[i] = (r < 26) ? 'a' + r : 1252 (r < 26*2) ? 'A' + r - 26 : 1253 '0' + r - 26 - 26; 1254 } 1255 rbuf[sizeof(rbuf) - 1] = '\0'; 1256 options.control_path = NULL; 1257 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf); 1258 debug3("%s: temporary control path %s", __func__, options.control_path); 1259 1260 old_umask = umask(0177); 1261 muxserver_sock = unix_listener(options.control_path, 64, 0); 1262 oerrno = errno; 1263 umask(old_umask); 1264 if (muxserver_sock < 0) { 1265 if (oerrno == EINVAL || oerrno == EADDRINUSE) { 1266 error("ControlSocket %s already exists, " 1267 "disabling multiplexing", options.control_path); 1268 disable_mux_master: 1269 if (muxserver_sock != -1) { 1270 close(muxserver_sock); 1271 muxserver_sock = -1; 1272 } 1273 free(orig_control_path); 1274 free(options.control_path); 1275 options.control_path = NULL; 1276 options.control_master = SSHCTL_MASTER_NO; 1277 return; 1278 } else { 1279 /* unix_listener() logs the error */ 1280 cleanup_exit(255); 1281 } 1282 } 1283 1284 /* Now atomically "move" the mux socket into position */ 1285 if (link(options.control_path, orig_control_path) != 0) { 1286 if (errno != EEXIST) { 1287 fatal("%s: link mux listener %s => %s: %s", __func__, 1288 options.control_path, orig_control_path, 1289 strerror(errno)); 1290 } 1291 error("ControlSocket %s already exists, disabling multiplexing", 1292 orig_control_path); 1293 unlink(options.control_path); 1294 goto disable_mux_master; 1295 } 1296 unlink(options.control_path); 1297 free(options.control_path); 1298 options.control_path = orig_control_path; 1299 1300 set_nonblock(muxserver_sock); 1301 1302 mux_listener_channel = channel_new("mux listener", 1303 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1, 1304 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1305 0, options.control_path, 1); 1306 mux_listener_channel->mux_rcb = mux_master_read_cb; 1307 debug3("%s: mux listener channel %d fd %d", __func__, 1308 mux_listener_channel->self, mux_listener_channel->sock); 1309 } 1310 1311 /* Callback on open confirmation in mux master for a mux client session. */ 1312 static void 1313 mux_session_confirm(int id, int success, void *arg) 1314 { 1315 struct mux_session_confirm_ctx *cctx = arg; 1316 const char *display; 1317 Channel *c, *cc; 1318 int i; 1319 Buffer reply; 1320 1321 if (cctx == NULL) 1322 fatal("%s: cctx == NULL", __func__); 1323 if ((c = channel_by_id(id)) == NULL) 1324 fatal("%s: no channel for id %d", __func__, id); 1325 if ((cc = channel_by_id(c->ctl_chan)) == NULL) 1326 fatal("%s: channel %d lacks control channel %d", __func__, 1327 id, c->ctl_chan); 1328 1329 if (!success) { 1330 debug3("%s: sending failure reply", __func__); 1331 /* prepare reply */ 1332 buffer_init(&reply); 1333 buffer_put_int(&reply, MUX_S_FAILURE); 1334 buffer_put_int(&reply, cctx->rid); 1335 buffer_put_cstring(&reply, "Session open refused by peer"); 1336 goto done; 1337 } 1338 1339 display = getenv("DISPLAY"); 1340 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 1341 char *proto, *data; 1342 1343 /* Get reasonable local authentication information. */ 1344 client_x11_get_proto(display, options.xauth_location, 1345 options.forward_x11_trusted, options.forward_x11_timeout, 1346 &proto, &data); 1347 /* Request forwarding with authentication spoofing. */ 1348 debug("Requesting X11 forwarding with authentication " 1349 "spoofing."); 1350 x11_request_forwarding_with_spoofing(id, display, proto, 1351 data, 1); 1352 client_expect_confirm(id, "X11 forwarding", CONFIRM_WARN); 1353 /* XXX exit_on_forward_failure */ 1354 } 1355 1356 if (cctx->want_agent_fwd && options.forward_agent) { 1357 debug("Requesting authentication agent forwarding."); 1358 channel_request_start(id, "auth-agent-req@openssh.com", 0); 1359 packet_send(); 1360 } 1361 1362 client_session2_setup(id, cctx->want_tty, cctx->want_subsys, 1363 cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env); 1364 1365 debug3("%s: sending success reply", __func__); 1366 /* prepare reply */ 1367 buffer_init(&reply); 1368 buffer_put_int(&reply, MUX_S_SESSION_OPENED); 1369 buffer_put_int(&reply, cctx->rid); 1370 buffer_put_int(&reply, c->self); 1371 1372 done: 1373 /* Send reply */ 1374 buffer_put_string(&cc->output, buffer_ptr(&reply), buffer_len(&reply)); 1375 buffer_free(&reply); 1376 1377 if (cc->mux_pause <= 0) 1378 fatal("%s: mux_pause %d", __func__, cc->mux_pause); 1379 cc->mux_pause = 0; /* start processing messages again */ 1380 c->open_confirm_ctx = NULL; 1381 buffer_free(&cctx->cmd); 1382 free(cctx->term); 1383 if (cctx->env != NULL) { 1384 for (i = 0; cctx->env[i] != NULL; i++) 1385 free(cctx->env[i]); 1386 free(cctx->env); 1387 } 1388 free(cctx); 1389 } 1390 1391 /* ** Multiplexing client support */ 1392 1393 /* Exit signal handler */ 1394 static void 1395 control_client_sighandler(int signo) 1396 { 1397 muxclient_terminate = signo; 1398 } 1399 1400 /* 1401 * Relay signal handler - used to pass some signals from mux client to 1402 * mux master. 1403 */ 1404 static void 1405 control_client_sigrelay(int signo) 1406 { 1407 int save_errno = errno; 1408 1409 if (muxserver_pid > 1) 1410 kill(muxserver_pid, signo); 1411 1412 errno = save_errno; 1413 } 1414 1415 static int 1416 mux_client_read(int fd, Buffer *b, u_int need) 1417 { 1418 u_int have; 1419 ssize_t len; 1420 u_char *p; 1421 struct pollfd pfd; 1422 1423 pfd.fd = fd; 1424 pfd.events = POLLIN; 1425 p = buffer_append_space(b, need); 1426 for (have = 0; have < need; ) { 1427 if (muxclient_terminate) { 1428 errno = EINTR; 1429 return -1; 1430 } 1431 len = read(fd, p + have, need - have); 1432 if (len < 0) { 1433 switch (errno) { 1434 case EAGAIN: 1435 (void)poll(&pfd, 1, -1); 1436 /* FALLTHROUGH */ 1437 case EINTR: 1438 continue; 1439 default: 1440 return -1; 1441 } 1442 } 1443 if (len == 0) { 1444 errno = EPIPE; 1445 return -1; 1446 } 1447 have += (u_int)len; 1448 } 1449 return 0; 1450 } 1451 1452 static int 1453 mux_client_write_packet(int fd, Buffer *m) 1454 { 1455 Buffer queue; 1456 u_int have, need; 1457 int oerrno, len; 1458 u_char *ptr; 1459 struct pollfd pfd; 1460 1461 pfd.fd = fd; 1462 pfd.events = POLLOUT; 1463 buffer_init(&queue); 1464 buffer_put_string(&queue, buffer_ptr(m), buffer_len(m)); 1465 1466 need = buffer_len(&queue); 1467 ptr = buffer_ptr(&queue); 1468 1469 for (have = 0; have < need; ) { 1470 if (muxclient_terminate) { 1471 buffer_free(&queue); 1472 errno = EINTR; 1473 return -1; 1474 } 1475 len = write(fd, ptr + have, need - have); 1476 if (len < 0) { 1477 switch (errno) { 1478 case EAGAIN: 1479 (void)poll(&pfd, 1, -1); 1480 /* FALLTHROUGH */ 1481 case EINTR: 1482 continue; 1483 default: 1484 oerrno = errno; 1485 buffer_free(&queue); 1486 errno = oerrno; 1487 return -1; 1488 } 1489 } 1490 if (len == 0) { 1491 buffer_free(&queue); 1492 errno = EPIPE; 1493 return -1; 1494 } 1495 have += (u_int)len; 1496 } 1497 buffer_free(&queue); 1498 return 0; 1499 } 1500 1501 static int 1502 mux_client_read_packet(int fd, Buffer *m) 1503 { 1504 Buffer queue; 1505 u_int need, have; 1506 const u_char *ptr; 1507 int oerrno; 1508 1509 buffer_init(&queue); 1510 if (mux_client_read(fd, &queue, 4) != 0) { 1511 if ((oerrno = errno) == EPIPE) 1512 debug3("%s: read header failed: %s", __func__, 1513 strerror(errno)); 1514 buffer_free(&queue); 1515 errno = oerrno; 1516 return -1; 1517 } 1518 need = get_u32(buffer_ptr(&queue)); 1519 if (mux_client_read(fd, &queue, need) != 0) { 1520 oerrno = errno; 1521 debug3("%s: read body failed: %s", __func__, strerror(errno)); 1522 buffer_free(&queue); 1523 errno = oerrno; 1524 return -1; 1525 } 1526 ptr = buffer_get_string_ptr(&queue, &have); 1527 buffer_append(m, ptr, have); 1528 buffer_free(&queue); 1529 return 0; 1530 } 1531 1532 static int 1533 mux_client_hello_exchange(int fd) 1534 { 1535 Buffer m; 1536 u_int type, ver; 1537 1538 buffer_init(&m); 1539 buffer_put_int(&m, MUX_MSG_HELLO); 1540 buffer_put_int(&m, SSHMUX_VER); 1541 /* no extensions */ 1542 1543 if (mux_client_write_packet(fd, &m) != 0) 1544 fatal("%s: write packet: %s", __func__, strerror(errno)); 1545 1546 buffer_clear(&m); 1547 1548 /* Read their HELLO */ 1549 if (mux_client_read_packet(fd, &m) != 0) { 1550 buffer_free(&m); 1551 return -1; 1552 } 1553 1554 type = buffer_get_int(&m); 1555 if (type != MUX_MSG_HELLO) 1556 fatal("%s: expected HELLO (%u) received %u", 1557 __func__, MUX_MSG_HELLO, type); 1558 ver = buffer_get_int(&m); 1559 if (ver != SSHMUX_VER) 1560 fatal("Unsupported multiplexing protocol version %d " 1561 "(expected %d)", ver, SSHMUX_VER); 1562 debug2("%s: master version %u", __func__, ver); 1563 /* No extensions are presently defined */ 1564 while (buffer_len(&m) > 0) { 1565 char *name = buffer_get_string(&m, NULL); 1566 char *value = buffer_get_string(&m, NULL); 1567 1568 debug2("Unrecognised master extension \"%s\"", name); 1569 free(name); 1570 free(value); 1571 } 1572 buffer_free(&m); 1573 return 0; 1574 } 1575 1576 static u_int 1577 mux_client_request_alive(int fd) 1578 { 1579 Buffer m; 1580 char *e; 1581 u_int pid, type, rid; 1582 1583 debug3("%s: entering", __func__); 1584 1585 buffer_init(&m); 1586 buffer_put_int(&m, MUX_C_ALIVE_CHECK); 1587 buffer_put_int(&m, muxclient_request_id); 1588 1589 if (mux_client_write_packet(fd, &m) != 0) 1590 fatal("%s: write packet: %s", __func__, strerror(errno)); 1591 1592 buffer_clear(&m); 1593 1594 /* Read their reply */ 1595 if (mux_client_read_packet(fd, &m) != 0) { 1596 buffer_free(&m); 1597 return 0; 1598 } 1599 1600 type = buffer_get_int(&m); 1601 if (type != MUX_S_ALIVE) { 1602 e = buffer_get_string(&m, NULL); 1603 fatal("%s: master returned error: %s", __func__, e); 1604 } 1605 1606 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1607 fatal("%s: out of sequence reply: my id %u theirs %u", 1608 __func__, muxclient_request_id, rid); 1609 pid = buffer_get_int(&m); 1610 buffer_free(&m); 1611 1612 debug3("%s: done pid = %u", __func__, pid); 1613 1614 muxclient_request_id++; 1615 1616 return pid; 1617 } 1618 1619 static void 1620 mux_client_request_terminate(int fd) 1621 { 1622 Buffer m; 1623 char *e; 1624 u_int type, rid; 1625 1626 debug3("%s: entering", __func__); 1627 1628 buffer_init(&m); 1629 buffer_put_int(&m, MUX_C_TERMINATE); 1630 buffer_put_int(&m, muxclient_request_id); 1631 1632 if (mux_client_write_packet(fd, &m) != 0) 1633 fatal("%s: write packet: %s", __func__, strerror(errno)); 1634 1635 buffer_clear(&m); 1636 1637 /* Read their reply */ 1638 if (mux_client_read_packet(fd, &m) != 0) { 1639 /* Remote end exited already */ 1640 if (errno == EPIPE) { 1641 buffer_free(&m); 1642 return; 1643 } 1644 fatal("%s: read from master failed: %s", 1645 __func__, strerror(errno)); 1646 } 1647 1648 type = buffer_get_int(&m); 1649 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1650 fatal("%s: out of sequence reply: my id %u theirs %u", 1651 __func__, muxclient_request_id, rid); 1652 switch (type) { 1653 case MUX_S_OK: 1654 break; 1655 case MUX_S_PERMISSION_DENIED: 1656 e = buffer_get_string(&m, NULL); 1657 fatal("Master refused termination request: %s", e); 1658 case MUX_S_FAILURE: 1659 e = buffer_get_string(&m, NULL); 1660 fatal("%s: termination request failed: %s", __func__, e); 1661 default: 1662 fatal("%s: unexpected response from master 0x%08x", 1663 __func__, type); 1664 } 1665 buffer_free(&m); 1666 muxclient_request_id++; 1667 } 1668 1669 static int 1670 mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) 1671 { 1672 Buffer m; 1673 char *e, *fwd_desc; 1674 u_int type, rid; 1675 1676 fwd_desc = format_forward(ftype, fwd); 1677 debug("Requesting %s %s", 1678 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1679 free(fwd_desc); 1680 1681 buffer_init(&m); 1682 buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD); 1683 buffer_put_int(&m, muxclient_request_id); 1684 buffer_put_int(&m, ftype); 1685 if (fwd->listen_path != NULL) { 1686 buffer_put_cstring(&m, fwd->listen_path); 1687 } else { 1688 buffer_put_cstring(&m, 1689 fwd->listen_host == NULL ? "" : 1690 (*fwd->listen_host == '\0' ? "*" : fwd->listen_host)); 1691 } 1692 buffer_put_int(&m, fwd->listen_port); 1693 if (fwd->connect_path != NULL) { 1694 buffer_put_cstring(&m, fwd->connect_path); 1695 } else { 1696 buffer_put_cstring(&m, 1697 fwd->connect_host == NULL ? "" : fwd->connect_host); 1698 } 1699 buffer_put_int(&m, fwd->connect_port); 1700 1701 if (mux_client_write_packet(fd, &m) != 0) 1702 fatal("%s: write packet: %s", __func__, strerror(errno)); 1703 1704 buffer_clear(&m); 1705 1706 /* Read their reply */ 1707 if (mux_client_read_packet(fd, &m) != 0) { 1708 buffer_free(&m); 1709 return -1; 1710 } 1711 1712 type = buffer_get_int(&m); 1713 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1714 fatal("%s: out of sequence reply: my id %u theirs %u", 1715 __func__, muxclient_request_id, rid); 1716 switch (type) { 1717 case MUX_S_OK: 1718 break; 1719 case MUX_S_REMOTE_PORT: 1720 if (cancel_flag) 1721 fatal("%s: got MUX_S_REMOTE_PORT for cancel", __func__); 1722 fwd->allocated_port = buffer_get_int(&m); 1723 verbose("Allocated port %u for remote forward to %s:%d", 1724 fwd->allocated_port, 1725 fwd->connect_host ? fwd->connect_host : "", 1726 fwd->connect_port); 1727 if (muxclient_command == SSHMUX_COMMAND_FORWARD) 1728 fprintf(stdout, "%u\n", fwd->allocated_port); 1729 break; 1730 case MUX_S_PERMISSION_DENIED: 1731 e = buffer_get_string(&m, NULL); 1732 buffer_free(&m); 1733 error("Master refused forwarding request: %s", e); 1734 return -1; 1735 case MUX_S_FAILURE: 1736 e = buffer_get_string(&m, NULL); 1737 buffer_free(&m); 1738 error("%s: forwarding request failed: %s", __func__, e); 1739 return -1; 1740 default: 1741 fatal("%s: unexpected response from master 0x%08x", 1742 __func__, type); 1743 } 1744 buffer_free(&m); 1745 1746 muxclient_request_id++; 1747 return 0; 1748 } 1749 1750 static int 1751 mux_client_forwards(int fd, int cancel_flag) 1752 { 1753 int i, ret = 0; 1754 1755 debug3("%s: %s forwardings: %d local, %d remote", __func__, 1756 cancel_flag ? "cancel" : "request", 1757 options.num_local_forwards, options.num_remote_forwards); 1758 1759 /* XXX ExitOnForwardingFailure */ 1760 for (i = 0; i < options.num_local_forwards; i++) { 1761 if (mux_client_forward(fd, cancel_flag, 1762 options.local_forwards[i].connect_port == 0 ? 1763 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL, 1764 options.local_forwards + i) != 0) 1765 ret = -1; 1766 } 1767 for (i = 0; i < options.num_remote_forwards; i++) { 1768 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE, 1769 options.remote_forwards + i) != 0) 1770 ret = -1; 1771 } 1772 return ret; 1773 } 1774 1775 static int 1776 mux_client_request_session(int fd) 1777 { 1778 Buffer m; 1779 char *e, *term; 1780 u_int i, rid, sid, esid, exitval, type, exitval_seen; 1781 extern char **environ; 1782 int devnull, rawmode; 1783 1784 debug3("%s: entering", __func__); 1785 1786 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1787 error("%s: master alive request failed", __func__); 1788 return -1; 1789 } 1790 1791 signal(SIGPIPE, SIG_IGN); 1792 1793 if (stdin_null_flag) { 1794 if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) 1795 fatal("open(/dev/null): %s", strerror(errno)); 1796 if (dup2(devnull, STDIN_FILENO) == -1) 1797 fatal("dup2: %s", strerror(errno)); 1798 if (devnull > STDERR_FILENO) 1799 close(devnull); 1800 } 1801 1802 term = getenv("TERM"); 1803 1804 buffer_init(&m); 1805 buffer_put_int(&m, MUX_C_NEW_SESSION); 1806 buffer_put_int(&m, muxclient_request_id); 1807 buffer_put_cstring(&m, ""); /* reserved */ 1808 buffer_put_int(&m, tty_flag); 1809 buffer_put_int(&m, options.forward_x11); 1810 buffer_put_int(&m, options.forward_agent); 1811 buffer_put_int(&m, subsystem_flag); 1812 buffer_put_int(&m, options.escape_char == SSH_ESCAPECHAR_NONE ? 1813 0xffffffff : (u_int)options.escape_char); 1814 buffer_put_cstring(&m, term == NULL ? "" : term); 1815 buffer_put_string(&m, buffer_ptr(&command), buffer_len(&command)); 1816 1817 if (options.num_send_env > 0 && environ != NULL) { 1818 /* Pass environment */ 1819 for (i = 0; environ[i] != NULL; i++) { 1820 if (env_permitted(environ[i])) { 1821 buffer_put_cstring(&m, environ[i]); 1822 } 1823 } 1824 } 1825 1826 if (mux_client_write_packet(fd, &m) != 0) 1827 fatal("%s: write packet: %s", __func__, strerror(errno)); 1828 1829 /* Send the stdio file descriptors */ 1830 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1831 mm_send_fd(fd, STDOUT_FILENO) == -1 || 1832 mm_send_fd(fd, STDERR_FILENO) == -1) 1833 fatal("%s: send fds failed", __func__); 1834 1835 debug3("%s: session request sent", __func__); 1836 1837 /* Read their reply */ 1838 buffer_clear(&m); 1839 if (mux_client_read_packet(fd, &m) != 0) { 1840 error("%s: read from master failed: %s", 1841 __func__, strerror(errno)); 1842 buffer_free(&m); 1843 return -1; 1844 } 1845 1846 type = buffer_get_int(&m); 1847 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1848 fatal("%s: out of sequence reply: my id %u theirs %u", 1849 __func__, muxclient_request_id, rid); 1850 switch (type) { 1851 case MUX_S_SESSION_OPENED: 1852 sid = buffer_get_int(&m); 1853 debug("%s: master session id: %u", __func__, sid); 1854 break; 1855 case MUX_S_PERMISSION_DENIED: 1856 e = buffer_get_string(&m, NULL); 1857 buffer_free(&m); 1858 error("Master refused session request: %s", e); 1859 return -1; 1860 case MUX_S_FAILURE: 1861 e = buffer_get_string(&m, NULL); 1862 buffer_free(&m); 1863 error("%s: session request failed: %s", __func__, e); 1864 return -1; 1865 default: 1866 buffer_free(&m); 1867 error("%s: unexpected response from master 0x%08x", 1868 __func__, type); 1869 return -1; 1870 } 1871 muxclient_request_id++; 1872 1873 signal(SIGHUP, control_client_sighandler); 1874 signal(SIGINT, control_client_sighandler); 1875 signal(SIGTERM, control_client_sighandler); 1876 signal(SIGWINCH, control_client_sigrelay); 1877 1878 rawmode = tty_flag; 1879 if (tty_flag) 1880 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1881 1882 /* 1883 * Stick around until the controlee closes the client_fd. 1884 * Before it does, it is expected to write an exit message. 1885 * This process must read the value and wait for the closure of 1886 * the client_fd; if this one closes early, the multiplex master will 1887 * terminate early too (possibly losing data). 1888 */ 1889 for (exitval = 255, exitval_seen = 0;;) { 1890 buffer_clear(&m); 1891 if (mux_client_read_packet(fd, &m) != 0) 1892 break; 1893 type = buffer_get_int(&m); 1894 switch (type) { 1895 case MUX_S_TTY_ALLOC_FAIL: 1896 if ((esid = buffer_get_int(&m)) != sid) 1897 fatal("%s: tty alloc fail on unknown session: " 1898 "my id %u theirs %u", 1899 __func__, sid, esid); 1900 leave_raw_mode(options.request_tty == 1901 REQUEST_TTY_FORCE); 1902 rawmode = 0; 1903 continue; 1904 case MUX_S_EXIT_MESSAGE: 1905 if ((esid = buffer_get_int(&m)) != sid) 1906 fatal("%s: exit on unknown session: " 1907 "my id %u theirs %u", 1908 __func__, sid, esid); 1909 if (exitval_seen) 1910 fatal("%s: exitval sent twice", __func__); 1911 exitval = buffer_get_int(&m); 1912 exitval_seen = 1; 1913 continue; 1914 default: 1915 e = buffer_get_string(&m, NULL); 1916 fatal("%s: master returned error: %s", __func__, e); 1917 } 1918 } 1919 1920 close(fd); 1921 if (rawmode) 1922 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1923 1924 if (muxclient_terminate) { 1925 debug2("Exiting on signal %d", muxclient_terminate); 1926 exitval = 255; 1927 } else if (!exitval_seen) { 1928 debug2("Control master terminated unexpectedly"); 1929 exitval = 255; 1930 } else 1931 debug2("Received exit status from master %d", exitval); 1932 1933 if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) 1934 fprintf(stderr, "Shared connection to %s closed.\r\n", host); 1935 1936 exit(exitval); 1937 } 1938 1939 static int 1940 mux_client_request_stdio_fwd(int fd) 1941 { 1942 Buffer m; 1943 char *e; 1944 u_int type, rid, sid; 1945 int devnull; 1946 1947 debug3("%s: entering", __func__); 1948 1949 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1950 error("%s: master alive request failed", __func__); 1951 return -1; 1952 } 1953 1954 signal(SIGPIPE, SIG_IGN); 1955 1956 if (stdin_null_flag) { 1957 if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) 1958 fatal("open(/dev/null): %s", strerror(errno)); 1959 if (dup2(devnull, STDIN_FILENO) == -1) 1960 fatal("dup2: %s", strerror(errno)); 1961 if (devnull > STDERR_FILENO) 1962 close(devnull); 1963 } 1964 1965 buffer_init(&m); 1966 buffer_put_int(&m, MUX_C_NEW_STDIO_FWD); 1967 buffer_put_int(&m, muxclient_request_id); 1968 buffer_put_cstring(&m, ""); /* reserved */ 1969 buffer_put_cstring(&m, stdio_forward_host); 1970 buffer_put_int(&m, stdio_forward_port); 1971 1972 if (mux_client_write_packet(fd, &m) != 0) 1973 fatal("%s: write packet: %s", __func__, strerror(errno)); 1974 1975 /* Send the stdio file descriptors */ 1976 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1977 mm_send_fd(fd, STDOUT_FILENO) == -1) 1978 fatal("%s: send fds failed", __func__); 1979 1980 debug3("%s: stdio forward request sent", __func__); 1981 1982 /* Read their reply */ 1983 buffer_clear(&m); 1984 1985 if (mux_client_read_packet(fd, &m) != 0) { 1986 error("%s: read from master failed: %s", 1987 __func__, strerror(errno)); 1988 buffer_free(&m); 1989 return -1; 1990 } 1991 1992 type = buffer_get_int(&m); 1993 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1994 fatal("%s: out of sequence reply: my id %u theirs %u", 1995 __func__, muxclient_request_id, rid); 1996 switch (type) { 1997 case MUX_S_SESSION_OPENED: 1998 sid = buffer_get_int(&m); 1999 debug("%s: master session id: %u", __func__, sid); 2000 break; 2001 case MUX_S_PERMISSION_DENIED: 2002 e = buffer_get_string(&m, NULL); 2003 buffer_free(&m); 2004 fatal("Master refused stdio forwarding request: %s", e); 2005 case MUX_S_FAILURE: 2006 e = buffer_get_string(&m, NULL); 2007 buffer_free(&m); 2008 fatal("Stdio forwarding request failed: %s", e); 2009 default: 2010 buffer_free(&m); 2011 error("%s: unexpected response from master 0x%08x", 2012 __func__, type); 2013 return -1; 2014 } 2015 muxclient_request_id++; 2016 2017 signal(SIGHUP, control_client_sighandler); 2018 signal(SIGINT, control_client_sighandler); 2019 signal(SIGTERM, control_client_sighandler); 2020 signal(SIGWINCH, control_client_sigrelay); 2021 2022 /* 2023 * Stick around until the controlee closes the client_fd. 2024 */ 2025 buffer_clear(&m); 2026 if (mux_client_read_packet(fd, &m) != 0) { 2027 if (errno == EPIPE || 2028 (errno == EINTR && muxclient_terminate != 0)) 2029 return 0; 2030 fatal("%s: mux_client_read_packet: %s", 2031 __func__, strerror(errno)); 2032 } 2033 fatal("%s: master returned unexpected message %u", __func__, type); 2034 } 2035 2036 static void 2037 mux_client_request_stop_listening(int fd) 2038 { 2039 Buffer m; 2040 char *e; 2041 u_int type, rid; 2042 2043 debug3("%s: entering", __func__); 2044 2045 buffer_init(&m); 2046 buffer_put_int(&m, MUX_C_STOP_LISTENING); 2047 buffer_put_int(&m, muxclient_request_id); 2048 2049 if (mux_client_write_packet(fd, &m) != 0) 2050 fatal("%s: write packet: %s", __func__, strerror(errno)); 2051 2052 buffer_clear(&m); 2053 2054 /* Read their reply */ 2055 if (mux_client_read_packet(fd, &m) != 0) 2056 fatal("%s: read from master failed: %s", 2057 __func__, strerror(errno)); 2058 2059 type = buffer_get_int(&m); 2060 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 2061 fatal("%s: out of sequence reply: my id %u theirs %u", 2062 __func__, muxclient_request_id, rid); 2063 switch (type) { 2064 case MUX_S_OK: 2065 break; 2066 case MUX_S_PERMISSION_DENIED: 2067 e = buffer_get_string(&m, NULL); 2068 fatal("Master refused stop listening request: %s", e); 2069 case MUX_S_FAILURE: 2070 e = buffer_get_string(&m, NULL); 2071 fatal("%s: stop listening request failed: %s", __func__, e); 2072 default: 2073 fatal("%s: unexpected response from master 0x%08x", 2074 __func__, type); 2075 } 2076 buffer_free(&m); 2077 muxclient_request_id++; 2078 } 2079 2080 /* Multiplex client main loop. */ 2081 void 2082 muxclient(const char *path) 2083 { 2084 struct sockaddr_un addr; 2085 int sock; 2086 u_int pid; 2087 2088 if (muxclient_command == 0) { 2089 if (stdio_forward_host != NULL) 2090 muxclient_command = SSHMUX_COMMAND_STDIO_FWD; 2091 else 2092 muxclient_command = SSHMUX_COMMAND_OPEN; 2093 } 2094 2095 switch (options.control_master) { 2096 case SSHCTL_MASTER_AUTO: 2097 case SSHCTL_MASTER_AUTO_ASK: 2098 debug("auto-mux: Trying existing master"); 2099 /* FALLTHROUGH */ 2100 case SSHCTL_MASTER_NO: 2101 break; 2102 default: 2103 return; 2104 } 2105 2106 memset(&addr, '\0', sizeof(addr)); 2107 addr.sun_family = AF_UNIX; 2108 addr.sun_len = offsetof(struct sockaddr_un, sun_path) + 2109 strlen(path) + 1; 2110 2111 if (strlcpy(addr.sun_path, path, 2112 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 2113 fatal("ControlPath too long"); 2114 2115 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) 2116 fatal("%s socket(): %s", __func__, strerror(errno)); 2117 2118 if (connect(sock, (struct sockaddr *)&addr, addr.sun_len) == -1) { 2119 switch (muxclient_command) { 2120 case SSHMUX_COMMAND_OPEN: 2121 case SSHMUX_COMMAND_STDIO_FWD: 2122 break; 2123 default: 2124 fatal("Control socket connect(%.100s): %s", path, 2125 strerror(errno)); 2126 } 2127 if (errno == ECONNREFUSED && 2128 options.control_master != SSHCTL_MASTER_NO) { 2129 debug("Stale control socket %.100s, unlinking", path); 2130 unlink(path); 2131 } else if (errno == ENOENT) { 2132 debug("Control socket \"%.100s\" does not exist", path); 2133 } else { 2134 error("Control socket connect(%.100s): %s", path, 2135 strerror(errno)); 2136 } 2137 close(sock); 2138 return; 2139 } 2140 set_nonblock(sock); 2141 2142 if (mux_client_hello_exchange(sock) != 0) { 2143 error("%s: master hello exchange failed", __func__); 2144 close(sock); 2145 return; 2146 } 2147 2148 switch (muxclient_command) { 2149 case SSHMUX_COMMAND_ALIVE_CHECK: 2150 if ((pid = mux_client_request_alive(sock)) == 0) 2151 fatal("%s: master alive check failed", __func__); 2152 fprintf(stderr, "Master running (pid=%d)\r\n", pid); 2153 exit(0); 2154 case SSHMUX_COMMAND_TERMINATE: 2155 mux_client_request_terminate(sock); 2156 fprintf(stderr, "Exit request sent.\r\n"); 2157 exit(0); 2158 case SSHMUX_COMMAND_FORWARD: 2159 if (mux_client_forwards(sock, 0) != 0) 2160 fatal("%s: master forward request failed", __func__); 2161 exit(0); 2162 case SSHMUX_COMMAND_OPEN: 2163 if (mux_client_forwards(sock, 0) != 0) { 2164 error("%s: master forward request failed", __func__); 2165 return; 2166 } 2167 mux_client_request_session(sock); 2168 return; 2169 case SSHMUX_COMMAND_STDIO_FWD: 2170 mux_client_request_stdio_fwd(sock); 2171 exit(0); 2172 case SSHMUX_COMMAND_STOP: 2173 mux_client_request_stop_listening(sock); 2174 fprintf(stderr, "Stop listening request sent.\r\n"); 2175 exit(0); 2176 case SSHMUX_COMMAND_CANCEL_FWD: 2177 if (mux_client_forwards(sock, 1) != 0) 2178 error("%s: master cancel forward request failed", 2179 __func__); 2180 exit(0); 2181 default: 2182 fatal("unrecognised muxclient_command %d", muxclient_command); 2183 } 2184 } 2185