1 /* $OpenBSD: mux.c,v 1.77 2018/09/26 07:32:44 djm Exp $ */ 2 /* 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* ssh session multiplexing support */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/stat.h> 23 #include <sys/socket.h> 24 #include <sys/un.h> 25 26 #include <errno.h> 27 #include <fcntl.h> 28 #include <poll.h> 29 #include <signal.h> 30 #include <stdarg.h> 31 #include <stddef.h> 32 #include <stdlib.h> 33 #include <stdio.h> 34 #include <string.h> 35 #include <unistd.h> 36 #include <util.h> 37 #include <paths.h> 38 39 #include "atomicio.h" 40 #include "xmalloc.h" 41 #include "log.h" 42 #include "ssh.h" 43 #include "ssh2.h" 44 #include "pathnames.h" 45 #include "misc.h" 46 #include "match.h" 47 #include "sshbuf.h" 48 #include "channels.h" 49 #include "msg.h" 50 #include "packet.h" 51 #include "monitor_fdpass.h" 52 #include "sshpty.h" 53 #include "sshkey.h" 54 #include "readconf.h" 55 #include "clientloop.h" 56 #include "ssherr.h" 57 58 /* from ssh.c */ 59 extern int tty_flag; 60 extern Options options; 61 extern int stdin_null_flag; 62 extern char *host; 63 extern int subsystem_flag; 64 extern struct sshbuf *command; 65 extern volatile sig_atomic_t quit_pending; 66 67 /* Context for session open confirmation callback */ 68 struct mux_session_confirm_ctx { 69 u_int want_tty; 70 u_int want_subsys; 71 u_int want_x_fwd; 72 u_int want_agent_fwd; 73 struct sshbuf *cmd; 74 char *term; 75 struct termios tio; 76 char **env; 77 u_int rid; 78 }; 79 80 /* Context for stdio fwd open confirmation callback */ 81 struct mux_stdio_confirm_ctx { 82 u_int rid; 83 }; 84 85 /* Context for global channel callback */ 86 struct mux_channel_confirm_ctx { 87 u_int cid; /* channel id */ 88 u_int rid; /* request id */ 89 int fid; /* forward id */ 90 }; 91 92 /* fd to control socket */ 93 int muxserver_sock = -1; 94 95 /* client request id */ 96 u_int muxclient_request_id = 0; 97 98 /* Multiplexing control command */ 99 u_int muxclient_command = 0; 100 101 /* Set when signalled. */ 102 static volatile sig_atomic_t muxclient_terminate = 0; 103 104 /* PID of multiplex server */ 105 static u_int muxserver_pid = 0; 106 107 static Channel *mux_listener_channel = NULL; 108 109 struct mux_master_state { 110 int hello_rcvd; 111 }; 112 113 /* mux protocol messages */ 114 #define MUX_MSG_HELLO 0x00000001 115 #define MUX_C_NEW_SESSION 0x10000002 116 #define MUX_C_ALIVE_CHECK 0x10000004 117 #define MUX_C_TERMINATE 0x10000005 118 #define MUX_C_OPEN_FWD 0x10000006 119 #define MUX_C_CLOSE_FWD 0x10000007 120 #define MUX_C_NEW_STDIO_FWD 0x10000008 121 #define MUX_C_STOP_LISTENING 0x10000009 122 #define MUX_C_PROXY 0x1000000f 123 #define MUX_S_OK 0x80000001 124 #define MUX_S_PERMISSION_DENIED 0x80000002 125 #define MUX_S_FAILURE 0x80000003 126 #define MUX_S_EXIT_MESSAGE 0x80000004 127 #define MUX_S_ALIVE 0x80000005 128 #define MUX_S_SESSION_OPENED 0x80000006 129 #define MUX_S_REMOTE_PORT 0x80000007 130 #define MUX_S_TTY_ALLOC_FAIL 0x80000008 131 #define MUX_S_PROXY 0x8000000f 132 133 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ 134 #define MUX_FWD_LOCAL 1 135 #define MUX_FWD_REMOTE 2 136 #define MUX_FWD_DYNAMIC 3 137 138 static void mux_session_confirm(struct ssh *, int, int, void *); 139 static void mux_stdio_confirm(struct ssh *, int, int, void *); 140 141 static int mux_master_process_hello(struct ssh *, u_int, 142 Channel *, struct sshbuf *, struct sshbuf *); 143 static int mux_master_process_new_session(struct ssh *, u_int, 144 Channel *, struct sshbuf *, struct sshbuf *); 145 static int mux_master_process_alive_check(struct ssh *, u_int, 146 Channel *, struct sshbuf *, struct sshbuf *); 147 static int mux_master_process_terminate(struct ssh *, u_int, 148 Channel *, struct sshbuf *, struct sshbuf *); 149 static int mux_master_process_open_fwd(struct ssh *, u_int, 150 Channel *, struct sshbuf *, struct sshbuf *); 151 static int mux_master_process_close_fwd(struct ssh *, u_int, 152 Channel *, struct sshbuf *, struct sshbuf *); 153 static int mux_master_process_stdio_fwd(struct ssh *, u_int, 154 Channel *, struct sshbuf *, struct sshbuf *); 155 static int mux_master_process_stop_listening(struct ssh *, u_int, 156 Channel *, struct sshbuf *, struct sshbuf *); 157 static int mux_master_process_proxy(struct ssh *, u_int, 158 Channel *, struct sshbuf *, struct sshbuf *); 159 160 static const struct { 161 u_int type; 162 int (*handler)(struct ssh *, u_int, Channel *, 163 struct sshbuf *, struct sshbuf *); 164 } mux_master_handlers[] = { 165 { MUX_MSG_HELLO, mux_master_process_hello }, 166 { MUX_C_NEW_SESSION, mux_master_process_new_session }, 167 { MUX_C_ALIVE_CHECK, mux_master_process_alive_check }, 168 { MUX_C_TERMINATE, mux_master_process_terminate }, 169 { MUX_C_OPEN_FWD, mux_master_process_open_fwd }, 170 { MUX_C_CLOSE_FWD, mux_master_process_close_fwd }, 171 { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd }, 172 { MUX_C_STOP_LISTENING, mux_master_process_stop_listening }, 173 { MUX_C_PROXY, mux_master_process_proxy }, 174 { 0, NULL } 175 }; 176 177 /* Cleanup callback fired on closure of mux slave _session_ channel */ 178 /* ARGSUSED */ 179 static void 180 mux_master_session_cleanup_cb(struct ssh *ssh, int cid, void *unused) 181 { 182 Channel *cc, *c = channel_by_id(ssh, cid); 183 184 debug3("%s: entering for channel %d", __func__, cid); 185 if (c == NULL) 186 fatal("%s: channel_by_id(%i) == NULL", __func__, cid); 187 if (c->ctl_chan != -1) { 188 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 189 fatal("%s: channel %d missing control channel %d", 190 __func__, c->self, c->ctl_chan); 191 c->ctl_chan = -1; 192 cc->remote_id = 0; 193 cc->have_remote_id = 0; 194 chan_rcvd_oclose(ssh, cc); 195 } 196 channel_cancel_cleanup(ssh, c->self); 197 } 198 199 /* Cleanup callback fired on closure of mux slave _control_ channel */ 200 /* ARGSUSED */ 201 static void 202 mux_master_control_cleanup_cb(struct ssh *ssh, int cid, void *unused) 203 { 204 Channel *sc, *c = channel_by_id(ssh, cid); 205 206 debug3("%s: entering for channel %d", __func__, cid); 207 if (c == NULL) 208 fatal("%s: channel_by_id(%i) == NULL", __func__, cid); 209 if (c->have_remote_id) { 210 if ((sc = channel_by_id(ssh, c->remote_id)) == NULL) 211 fatal("%s: channel %d missing session channel %u", 212 __func__, c->self, c->remote_id); 213 c->remote_id = 0; 214 c->have_remote_id = 0; 215 sc->ctl_chan = -1; 216 if (sc->type != SSH_CHANNEL_OPEN && 217 sc->type != SSH_CHANNEL_OPENING) { 218 debug2("%s: channel %d: not open", __func__, sc->self); 219 chan_mark_dead(ssh, sc); 220 } else { 221 if (sc->istate == CHAN_INPUT_OPEN) 222 chan_read_failed(ssh, sc); 223 if (sc->ostate == CHAN_OUTPUT_OPEN) 224 chan_write_failed(ssh, sc); 225 } 226 } 227 channel_cancel_cleanup(ssh, c->self); 228 } 229 230 /* Check mux client environment variables before passing them to mux master. */ 231 static int 232 env_permitted(char *env) 233 { 234 int i, ret; 235 char name[1024], *cp; 236 237 if ((cp = strchr(env, '=')) == NULL || cp == env) 238 return 0; 239 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env); 240 if (ret <= 0 || (size_t)ret >= sizeof(name)) { 241 error("%s: name '%.100s...' too long", __func__, env); 242 return 0; 243 } 244 245 for (i = 0; i < options.num_send_env; i++) 246 if (match_pattern(name, options.send_env[i])) 247 return 1; 248 249 return 0; 250 } 251 252 /* Mux master protocol message handlers */ 253 254 static int 255 mux_master_process_hello(struct ssh *ssh, u_int rid, 256 Channel *c, struct sshbuf *m, struct sshbuf *reply) 257 { 258 u_int ver; 259 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 260 int r; 261 262 if (state == NULL) 263 fatal("%s: channel %d: c->mux_ctx == NULL", __func__, c->self); 264 if (state->hello_rcvd) { 265 error("%s: HELLO received twice", __func__); 266 return -1; 267 } 268 if ((r = sshbuf_get_u32(m, &ver)) != 0) { 269 error("%s: malformed message: %s", __func__, ssh_err(r)); 270 return -1; 271 } 272 if (ver != SSHMUX_VER) { 273 error("%s: unsupported multiplexing protocol version %u " 274 "(expected %u)", __func__, ver, SSHMUX_VER); 275 return -1; 276 } 277 debug2("%s: channel %d slave version %u", __func__, c->self, ver); 278 279 /* No extensions are presently defined */ 280 while (sshbuf_len(m) > 0) { 281 char *name = NULL; 282 size_t value_len = 0; 283 284 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 285 (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) { 286 error("%s: malformed extension: %s", 287 __func__, ssh_err(r)); 288 return -1; 289 } 290 debug2("%s: Unrecognised extension \"%s\" length %zu", 291 __func__, name, value_len); 292 free(name); 293 } 294 state->hello_rcvd = 1; 295 return 0; 296 } 297 298 /* Enqueue a "ok" response to the reply buffer */ 299 static void 300 reply_ok(struct sshbuf *reply, u_int rid) 301 { 302 int r; 303 304 if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 || 305 (r = sshbuf_put_u32(reply, rid)) != 0) 306 fatal("%s: reply: %s", __func__, ssh_err(r)); 307 } 308 309 /* Enqueue an error response to the reply buffer */ 310 static void 311 reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg) 312 { 313 int r; 314 315 if ((r = sshbuf_put_u32(reply, type)) != 0 || 316 (r = sshbuf_put_u32(reply, rid)) != 0 || 317 (r = sshbuf_put_cstring(reply, msg)) != 0) 318 fatal("%s: reply: %s", __func__, ssh_err(r)); 319 } 320 321 static int 322 mux_master_process_new_session(struct ssh *ssh, u_int rid, 323 Channel *c, struct sshbuf *m, struct sshbuf *reply) 324 { 325 Channel *nc; 326 struct mux_session_confirm_ctx *cctx; 327 char *cmd, *cp; 328 u_int i, j, env_len, escape_char, window, packetmax; 329 int r, new_fd[3]; 330 331 /* Reply for SSHMUX_COMMAND_OPEN */ 332 cctx = xcalloc(1, sizeof(*cctx)); 333 cctx->term = NULL; 334 cctx->rid = rid; 335 cmd = NULL; 336 cctx->env = NULL; 337 env_len = 0; 338 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 339 (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 || 340 (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 || 341 (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 || 342 (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 || 343 (r = sshbuf_get_u32(m, &escape_char)) != 0 || 344 (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 || 345 (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) { 346 malf: 347 free(cmd); 348 for (j = 0; j < env_len; j++) 349 free(cctx->env[j]); 350 free(cctx->env); 351 free(cctx->term); 352 free(cctx); 353 error("%s: malformed message", __func__); 354 return -1; 355 } 356 357 #define MUX_MAX_ENV_VARS 4096 358 while (sshbuf_len(m) > 0) { 359 if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0) 360 goto malf; 361 if (!env_permitted(cp)) { 362 free(cp); 363 continue; 364 } 365 cctx->env = xreallocarray(cctx->env, env_len + 2, 366 sizeof(*cctx->env)); 367 cctx->env[env_len++] = cp; 368 cctx->env[env_len] = NULL; 369 if (env_len > MUX_MAX_ENV_VARS) { 370 error("%s: >%d environment variables received, " 371 "ignoring additional", __func__, MUX_MAX_ENV_VARS); 372 break; 373 } 374 } 375 376 debug2("%s: channel %d: request tty %d, X %d, agent %d, subsys %d, " 377 "term \"%s\", cmd \"%s\", env %u", __func__, c->self, 378 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd, 379 cctx->want_subsys, cctx->term, cmd, env_len); 380 381 if ((cctx->cmd = sshbuf_new()) == NULL) 382 fatal("%s: sshbuf_new", __func__); 383 if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0) 384 fatal("%s: sshbuf_put: %s", __func__, ssh_err(r)); 385 free(cmd); 386 cmd = NULL; 387 388 /* Gather fds from client */ 389 for(i = 0; i < 3; i++) { 390 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 391 error("%s: failed to receive fd %d from slave", 392 __func__, i); 393 for (j = 0; j < i; j++) 394 close(new_fd[j]); 395 for (j = 0; j < env_len; j++) 396 free(cctx->env[j]); 397 free(cctx->env); 398 free(cctx->term); 399 sshbuf_free(cctx->cmd); 400 free(cctx); 401 reply_error(reply, MUX_S_FAILURE, rid, 402 "did not receive file descriptors"); 403 return -1; 404 } 405 } 406 407 debug3("%s: got fds stdin %d, stdout %d, stderr %d", __func__, 408 new_fd[0], new_fd[1], new_fd[2]); 409 410 /* XXX support multiple child sessions in future */ 411 if (c->have_remote_id) { 412 debug2("%s: session already open", __func__); 413 reply_error(reply, MUX_S_FAILURE, rid, 414 "Multiple sessions not supported"); 415 cleanup: 416 close(new_fd[0]); 417 close(new_fd[1]); 418 close(new_fd[2]); 419 free(cctx->term); 420 if (env_len != 0) { 421 for (i = 0; i < env_len; i++) 422 free(cctx->env[i]); 423 free(cctx->env); 424 } 425 sshbuf_free(cctx->cmd); 426 free(cctx); 427 return 0; 428 } 429 430 if (options.control_master == SSHCTL_MASTER_ASK || 431 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 432 if (!ask_permission("Allow shared connection to %s? ", host)) { 433 debug2("%s: session refused by user", __func__); 434 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 435 "Permission denied"); 436 goto cleanup; 437 } 438 } 439 440 /* Try to pick up ttymodes from client before it goes raw */ 441 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 442 error("%s: tcgetattr: %s", __func__, strerror(errno)); 443 444 /* enable nonblocking unless tty */ 445 if (!isatty(new_fd[0])) 446 set_nonblock(new_fd[0]); 447 if (!isatty(new_fd[1])) 448 set_nonblock(new_fd[1]); 449 if (!isatty(new_fd[2])) 450 set_nonblock(new_fd[2]); 451 452 window = CHAN_SES_WINDOW_DEFAULT; 453 packetmax = CHAN_SES_PACKET_DEFAULT; 454 if (cctx->want_tty) { 455 window >>= 1; 456 packetmax >>= 1; 457 } 458 459 nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, 460 new_fd[0], new_fd[1], new_fd[2], window, packetmax, 461 CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); 462 463 nc->ctl_chan = c->self; /* link session -> control channel */ 464 c->remote_id = nc->self; /* link control -> session channel */ 465 c->have_remote_id = 1; 466 467 if (cctx->want_tty && escape_char != 0xffffffff) { 468 channel_register_filter(ssh, nc->self, 469 client_simple_escape_filter, NULL, 470 client_filter_cleanup, 471 client_new_escape_filter_ctx((int)escape_char)); 472 } 473 474 debug2("%s: channel_new: %d linked to control channel %d", 475 __func__, nc->self, nc->ctl_chan); 476 477 channel_send_open(ssh, nc->self); 478 channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx); 479 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 480 channel_register_cleanup(ssh, nc->self, 481 mux_master_session_cleanup_cb, 1); 482 483 /* reply is deferred, sent by mux_session_confirm */ 484 return 0; 485 } 486 487 static int 488 mux_master_process_alive_check(struct ssh *ssh, u_int rid, 489 Channel *c, struct sshbuf *m, struct sshbuf *reply) 490 { 491 int r; 492 493 debug2("%s: channel %d: alive check", __func__, c->self); 494 495 /* prepare reply */ 496 if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 || 497 (r = sshbuf_put_u32(reply, rid)) != 0 || 498 (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0) 499 fatal("%s: reply: %s", __func__, ssh_err(r)); 500 501 return 0; 502 } 503 504 static int 505 mux_master_process_terminate(struct ssh *ssh, u_int rid, 506 Channel *c, struct sshbuf *m, struct sshbuf *reply) 507 { 508 debug2("%s: channel %d: terminate request", __func__, c->self); 509 510 if (options.control_master == SSHCTL_MASTER_ASK || 511 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 512 if (!ask_permission("Terminate shared connection to %s? ", 513 host)) { 514 debug2("%s: termination refused by user", __func__); 515 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 516 "Permission denied"); 517 return 0; 518 } 519 } 520 521 quit_pending = 1; 522 reply_ok(reply, rid); 523 /* XXX exit happens too soon - message never makes it to client */ 524 return 0; 525 } 526 527 static char * 528 format_forward(u_int ftype, struct Forward *fwd) 529 { 530 char *ret; 531 532 switch (ftype) { 533 case MUX_FWD_LOCAL: 534 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d", 535 (fwd->listen_path != NULL) ? fwd->listen_path : 536 (fwd->listen_host == NULL) ? 537 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 538 fwd->listen_host, fwd->listen_port, 539 (fwd->connect_path != NULL) ? fwd->connect_path : 540 fwd->connect_host, fwd->connect_port); 541 break; 542 case MUX_FWD_DYNAMIC: 543 xasprintf(&ret, "dynamic forward %.200s:%d -> *", 544 (fwd->listen_host == NULL) ? 545 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 546 fwd->listen_host, fwd->listen_port); 547 break; 548 case MUX_FWD_REMOTE: 549 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d", 550 (fwd->listen_path != NULL) ? fwd->listen_path : 551 (fwd->listen_host == NULL) ? 552 "LOCALHOST" : fwd->listen_host, 553 fwd->listen_port, 554 (fwd->connect_path != NULL) ? fwd->connect_path : 555 fwd->connect_host, fwd->connect_port); 556 break; 557 default: 558 fatal("%s: unknown forward type %u", __func__, ftype); 559 } 560 return ret; 561 } 562 563 static int 564 compare_host(const char *a, const char *b) 565 { 566 if (a == NULL && b == NULL) 567 return 1; 568 if (a == NULL || b == NULL) 569 return 0; 570 return strcmp(a, b) == 0; 571 } 572 573 static int 574 compare_forward(struct Forward *a, struct Forward *b) 575 { 576 if (!compare_host(a->listen_host, b->listen_host)) 577 return 0; 578 if (!compare_host(a->listen_path, b->listen_path)) 579 return 0; 580 if (a->listen_port != b->listen_port) 581 return 0; 582 if (!compare_host(a->connect_host, b->connect_host)) 583 return 0; 584 if (!compare_host(a->connect_path, b->connect_path)) 585 return 0; 586 if (a->connect_port != b->connect_port) 587 return 0; 588 589 return 1; 590 } 591 592 static void 593 mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt) 594 { 595 struct mux_channel_confirm_ctx *fctx = ctxt; 596 char *failmsg = NULL; 597 struct Forward *rfwd; 598 Channel *c; 599 struct sshbuf *out; 600 int r; 601 602 if ((c = channel_by_id(ssh, fctx->cid)) == NULL) { 603 /* no channel for reply */ 604 error("%s: unknown channel", __func__); 605 return; 606 } 607 if ((out = sshbuf_new()) == NULL) 608 fatal("%s: sshbuf_new", __func__); 609 if (fctx->fid >= options.num_remote_forwards || 610 (options.remote_forwards[fctx->fid].connect_path == NULL && 611 options.remote_forwards[fctx->fid].connect_host == NULL)) { 612 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid); 613 goto fail; 614 } 615 rfwd = &options.remote_forwards[fctx->fid]; 616 debug("%s: %s for: listen %d, connect %s:%d", __func__, 617 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 618 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path : 619 rfwd->connect_host, rfwd->connect_port); 620 if (type == SSH2_MSG_REQUEST_SUCCESS) { 621 if (rfwd->listen_port == 0) { 622 rfwd->allocated_port = packet_get_int(); 623 debug("Allocated port %u for mux remote forward" 624 " to %s:%d", rfwd->allocated_port, 625 rfwd->connect_host, rfwd->connect_port); 626 if ((r = sshbuf_put_u32(out, 627 MUX_S_REMOTE_PORT)) != 0 || 628 (r = sshbuf_put_u32(out, fctx->rid)) != 0 || 629 (r = sshbuf_put_u32(out, 630 rfwd->allocated_port)) != 0) 631 fatal("%s: reply: %s", __func__, ssh_err(r)); 632 channel_update_permission(ssh, rfwd->handle, 633 rfwd->allocated_port); 634 } else { 635 reply_ok(out, fctx->rid); 636 } 637 goto out; 638 } else { 639 if (rfwd->listen_port == 0) 640 channel_update_permission(ssh, rfwd->handle, -1); 641 if (rfwd->listen_path != NULL) 642 xasprintf(&failmsg, "remote port forwarding failed for " 643 "listen path %s", rfwd->listen_path); 644 else 645 xasprintf(&failmsg, "remote port forwarding failed for " 646 "listen port %d", rfwd->listen_port); 647 648 debug2("%s: clearing registered forwarding for listen %d, " 649 "connect %s:%d", __func__, rfwd->listen_port, 650 rfwd->connect_path ? rfwd->connect_path : 651 rfwd->connect_host, rfwd->connect_port); 652 653 free(rfwd->listen_host); 654 free(rfwd->listen_path); 655 free(rfwd->connect_host); 656 free(rfwd->connect_path); 657 memset(rfwd, 0, sizeof(*rfwd)); 658 } 659 fail: 660 error("%s: %s", __func__, failmsg); 661 reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg); 662 free(failmsg); 663 out: 664 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 665 fatal("%s: sshbuf_put_stringb: %s", __func__, ssh_err(r)); 666 sshbuf_free(out); 667 if (c->mux_pause <= 0) 668 fatal("%s: mux_pause %d", __func__, c->mux_pause); 669 c->mux_pause = 0; /* start processing messages again */ 670 } 671 672 static int 673 mux_master_process_open_fwd(struct ssh *ssh, u_int rid, 674 Channel *c, struct sshbuf *m, struct sshbuf *reply) 675 { 676 struct Forward fwd; 677 char *fwd_desc = NULL; 678 char *listen_addr, *connect_addr; 679 u_int ftype; 680 u_int lport, cport; 681 int r, i, ret = 0, freefwd = 1; 682 683 memset(&fwd, 0, sizeof(fwd)); 684 685 /* XXX - lport/cport check redundant */ 686 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 687 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 688 (r = sshbuf_get_u32(m, &lport)) != 0 || 689 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 690 (r = sshbuf_get_u32(m, &cport)) != 0 || 691 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 692 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 693 error("%s: malformed message", __func__); 694 ret = -1; 695 goto out; 696 } 697 if (*listen_addr == '\0') { 698 free(listen_addr); 699 listen_addr = NULL; 700 } 701 if (*connect_addr == '\0') { 702 free(connect_addr); 703 connect_addr = NULL; 704 } 705 706 memset(&fwd, 0, sizeof(fwd)); 707 fwd.listen_port = lport; 708 if (fwd.listen_port == PORT_STREAMLOCAL) 709 fwd.listen_path = listen_addr; 710 else 711 fwd.listen_host = listen_addr; 712 fwd.connect_port = cport; 713 if (fwd.connect_port == PORT_STREAMLOCAL) 714 fwd.connect_path = connect_addr; 715 else 716 fwd.connect_host = connect_addr; 717 718 debug2("%s: channel %d: request %s", __func__, c->self, 719 (fwd_desc = format_forward(ftype, &fwd))); 720 721 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE && 722 ftype != MUX_FWD_DYNAMIC) { 723 logit("%s: invalid forwarding type %u", __func__, ftype); 724 invalid: 725 free(listen_addr); 726 free(connect_addr); 727 reply_error(reply, MUX_S_FAILURE, rid, 728 "Invalid forwarding request"); 729 return 0; 730 } 731 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) { 732 logit("%s: streamlocal and dynamic forwards " 733 "are mutually exclusive", __func__); 734 goto invalid; 735 } 736 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) { 737 logit("%s: invalid listen port %u", __func__, 738 fwd.listen_port); 739 goto invalid; 740 } 741 if ((fwd.connect_port != PORT_STREAMLOCAL && 742 fwd.connect_port >= 65536) || 743 (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && 744 fwd.connect_port == 0)) { 745 logit("%s: invalid connect port %u", __func__, 746 fwd.connect_port); 747 goto invalid; 748 } 749 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && 750 fwd.connect_path == NULL) { 751 logit("%s: missing connect host", __func__); 752 goto invalid; 753 } 754 755 /* Skip forwards that have already been requested */ 756 switch (ftype) { 757 case MUX_FWD_LOCAL: 758 case MUX_FWD_DYNAMIC: 759 for (i = 0; i < options.num_local_forwards; i++) { 760 if (compare_forward(&fwd, 761 options.local_forwards + i)) { 762 exists: 763 debug2("%s: found existing forwarding", 764 __func__); 765 reply_ok(reply, rid); 766 goto out; 767 } 768 } 769 break; 770 case MUX_FWD_REMOTE: 771 for (i = 0; i < options.num_remote_forwards; i++) { 772 if (!compare_forward(&fwd, options.remote_forwards + i)) 773 continue; 774 if (fwd.listen_port != 0) 775 goto exists; 776 debug2("%s: found allocated port", __func__); 777 if ((r = sshbuf_put_u32(reply, 778 MUX_S_REMOTE_PORT)) != 0 || 779 (r = sshbuf_put_u32(reply, rid)) != 0 || 780 (r = sshbuf_put_u32(reply, 781 options.remote_forwards[i].allocated_port)) != 0) 782 fatal("%s: reply: %s", __func__, ssh_err(r)); 783 goto out; 784 } 785 break; 786 } 787 788 if (options.control_master == SSHCTL_MASTER_ASK || 789 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 790 if (!ask_permission("Open %s on %s?", fwd_desc, host)) { 791 debug2("%s: forwarding refused by user", __func__); 792 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 793 "Permission denied"); 794 goto out; 795 } 796 } 797 798 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 799 if (!channel_setup_local_fwd_listener(ssh, &fwd, 800 &options.fwd_opts)) { 801 fail: 802 logit("%s: requested %s failed", __func__, fwd_desc); 803 reply_error(reply, MUX_S_FAILURE, rid, 804 "Port forwarding failed"); 805 goto out; 806 } 807 add_local_forward(&options, &fwd); 808 freefwd = 0; 809 } else { 810 struct mux_channel_confirm_ctx *fctx; 811 812 fwd.handle = channel_request_remote_forwarding(ssh, &fwd); 813 if (fwd.handle < 0) 814 goto fail; 815 add_remote_forward(&options, &fwd); 816 fctx = xcalloc(1, sizeof(*fctx)); 817 fctx->cid = c->self; 818 fctx->rid = rid; 819 fctx->fid = options.num_remote_forwards - 1; 820 client_register_global_confirm(mux_confirm_remote_forward, 821 fctx); 822 freefwd = 0; 823 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */ 824 /* delayed reply in mux_confirm_remote_forward */ 825 goto out; 826 } 827 reply_ok(reply, rid); 828 out: 829 free(fwd_desc); 830 if (freefwd) { 831 free(fwd.listen_host); 832 free(fwd.listen_path); 833 free(fwd.connect_host); 834 free(fwd.connect_path); 835 } 836 return ret; 837 } 838 839 static int 840 mux_master_process_close_fwd(struct ssh *ssh, u_int rid, 841 Channel *c, struct sshbuf *m, struct sshbuf *reply) 842 { 843 struct Forward fwd, *found_fwd; 844 char *fwd_desc = NULL; 845 const char *error_reason = NULL; 846 char *listen_addr = NULL, *connect_addr = NULL; 847 u_int ftype; 848 int r, i, ret = 0; 849 u_int lport, cport; 850 851 memset(&fwd, 0, sizeof(fwd)); 852 853 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 854 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 855 (r = sshbuf_get_u32(m, &lport)) != 0 || 856 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 857 (r = sshbuf_get_u32(m, &cport)) != 0 || 858 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 859 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 860 error("%s: malformed message", __func__); 861 ret = -1; 862 goto out; 863 } 864 865 if (*listen_addr == '\0') { 866 free(listen_addr); 867 listen_addr = NULL; 868 } 869 if (*connect_addr == '\0') { 870 free(connect_addr); 871 connect_addr = NULL; 872 } 873 874 memset(&fwd, 0, sizeof(fwd)); 875 fwd.listen_port = lport; 876 if (fwd.listen_port == PORT_STREAMLOCAL) 877 fwd.listen_path = listen_addr; 878 else 879 fwd.listen_host = listen_addr; 880 fwd.connect_port = cport; 881 if (fwd.connect_port == PORT_STREAMLOCAL) 882 fwd.connect_path = connect_addr; 883 else 884 fwd.connect_host = connect_addr; 885 886 debug2("%s: channel %d: request cancel %s", __func__, c->self, 887 (fwd_desc = format_forward(ftype, &fwd))); 888 889 /* make sure this has been requested */ 890 found_fwd = NULL; 891 switch (ftype) { 892 case MUX_FWD_LOCAL: 893 case MUX_FWD_DYNAMIC: 894 for (i = 0; i < options.num_local_forwards; i++) { 895 if (compare_forward(&fwd, 896 options.local_forwards + i)) { 897 found_fwd = options.local_forwards + i; 898 break; 899 } 900 } 901 break; 902 case MUX_FWD_REMOTE: 903 for (i = 0; i < options.num_remote_forwards; i++) { 904 if (compare_forward(&fwd, 905 options.remote_forwards + i)) { 906 found_fwd = options.remote_forwards + i; 907 break; 908 } 909 } 910 break; 911 } 912 913 if (found_fwd == NULL) 914 error_reason = "port not forwarded"; 915 else if (ftype == MUX_FWD_REMOTE) { 916 /* 917 * This shouldn't fail unless we confused the host/port 918 * between options.remote_forwards and permitted_opens. 919 * However, for dynamic allocated listen ports we need 920 * to use the actual listen port. 921 */ 922 if (channel_request_rforward_cancel(ssh, found_fwd) == -1) 923 error_reason = "port not in permitted opens"; 924 } else { /* local and dynamic forwards */ 925 /* Ditto */ 926 if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port, 927 &options.fwd_opts) == -1) 928 error_reason = "port not found"; 929 } 930 931 if (error_reason != NULL) 932 reply_error(reply, MUX_S_FAILURE, rid, error_reason); 933 else { 934 reply_ok(reply, rid); 935 free(found_fwd->listen_host); 936 free(found_fwd->listen_path); 937 free(found_fwd->connect_host); 938 free(found_fwd->connect_path); 939 found_fwd->listen_host = found_fwd->connect_host = NULL; 940 found_fwd->listen_path = found_fwd->connect_path = NULL; 941 found_fwd->listen_port = found_fwd->connect_port = 0; 942 } 943 out: 944 free(fwd_desc); 945 free(listen_addr); 946 free(connect_addr); 947 948 return ret; 949 } 950 951 static int 952 mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid, 953 Channel *c, struct sshbuf *m, struct sshbuf *reply) 954 { 955 Channel *nc; 956 char *chost = NULL; 957 u_int cport, i, j; 958 int r, new_fd[2]; 959 struct mux_stdio_confirm_ctx *cctx; 960 961 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 962 (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 || 963 (r = sshbuf_get_u32(m, &cport)) != 0) { 964 free(chost); 965 error("%s: malformed message", __func__); 966 return -1; 967 } 968 969 debug2("%s: channel %d: request stdio fwd to %s:%u", 970 __func__, c->self, chost, cport); 971 972 /* Gather fds from client */ 973 for(i = 0; i < 2; i++) { 974 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 975 error("%s: failed to receive fd %d from slave", 976 __func__, i); 977 for (j = 0; j < i; j++) 978 close(new_fd[j]); 979 free(chost); 980 981 /* prepare reply */ 982 reply_error(reply, MUX_S_FAILURE, rid, 983 "did not receive file descriptors"); 984 return -1; 985 } 986 } 987 988 debug3("%s: got fds stdin %d, stdout %d", __func__, 989 new_fd[0], new_fd[1]); 990 991 /* XXX support multiple child sessions in future */ 992 if (c->have_remote_id) { 993 debug2("%s: session already open", __func__); 994 reply_error(reply, MUX_S_FAILURE, rid, 995 "Multiple sessions not supported"); 996 cleanup: 997 close(new_fd[0]); 998 close(new_fd[1]); 999 free(chost); 1000 return 0; 1001 } 1002 1003 if (options.control_master == SSHCTL_MASTER_ASK || 1004 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1005 if (!ask_permission("Allow forward to %s:%u? ", 1006 chost, cport)) { 1007 debug2("%s: stdio fwd refused by user", __func__); 1008 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1009 "Permission denied"); 1010 goto cleanup; 1011 } 1012 } 1013 1014 /* enable nonblocking unless tty */ 1015 if (!isatty(new_fd[0])) 1016 set_nonblock(new_fd[0]); 1017 if (!isatty(new_fd[1])) 1018 set_nonblock(new_fd[1]); 1019 1020 nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]); 1021 free(chost); 1022 1023 nc->ctl_chan = c->self; /* link session -> control channel */ 1024 c->remote_id = nc->self; /* link control -> session channel */ 1025 c->have_remote_id = 1; 1026 1027 debug2("%s: channel_new: %d linked to control channel %d", 1028 __func__, nc->self, nc->ctl_chan); 1029 1030 channel_register_cleanup(ssh, nc->self, 1031 mux_master_session_cleanup_cb, 1); 1032 1033 cctx = xcalloc(1, sizeof(*cctx)); 1034 cctx->rid = rid; 1035 channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx); 1036 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 1037 1038 /* reply is deferred, sent by mux_session_confirm */ 1039 return 0; 1040 } 1041 1042 /* Callback on open confirmation in mux master for a mux stdio fwd session. */ 1043 static void 1044 mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg) 1045 { 1046 struct mux_stdio_confirm_ctx *cctx = arg; 1047 Channel *c, *cc; 1048 struct sshbuf *reply; 1049 int r; 1050 1051 if (cctx == NULL) 1052 fatal("%s: cctx == NULL", __func__); 1053 if ((c = channel_by_id(ssh, id)) == NULL) 1054 fatal("%s: no channel for id %d", __func__, id); 1055 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1056 fatal("%s: channel %d lacks control channel %d", __func__, 1057 id, c->ctl_chan); 1058 if ((reply = sshbuf_new()) == NULL) 1059 fatal("%s: sshbuf_new", __func__); 1060 1061 if (!success) { 1062 debug3("%s: sending failure reply", __func__); 1063 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1064 "Session open refused by peer"); 1065 /* prepare reply */ 1066 goto done; 1067 } 1068 1069 debug3("%s: sending success reply", __func__); 1070 /* prepare reply */ 1071 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1072 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1073 (r = sshbuf_put_u32(reply, c->self)) != 0) 1074 fatal("%s: reply: %s", __func__, ssh_err(r)); 1075 1076 done: 1077 /* Send reply */ 1078 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1079 fatal("%s: sshbuf_put_stringb: %s", __func__, ssh_err(r)); 1080 sshbuf_free(reply); 1081 1082 if (cc->mux_pause <= 0) 1083 fatal("%s: mux_pause %d", __func__, cc->mux_pause); 1084 cc->mux_pause = 0; /* start processing messages again */ 1085 c->open_confirm_ctx = NULL; 1086 free(cctx); 1087 } 1088 1089 static int 1090 mux_master_process_stop_listening(struct ssh *ssh, u_int rid, 1091 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1092 { 1093 debug("%s: channel %d: stop listening", __func__, c->self); 1094 1095 if (options.control_master == SSHCTL_MASTER_ASK || 1096 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1097 if (!ask_permission("Disable further multiplexing on shared " 1098 "connection to %s? ", host)) { 1099 debug2("%s: stop listen refused by user", __func__); 1100 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1101 "Permission denied"); 1102 return 0; 1103 } 1104 } 1105 1106 if (mux_listener_channel != NULL) { 1107 channel_free(ssh, mux_listener_channel); 1108 client_stop_mux(); 1109 free(options.control_path); 1110 options.control_path = NULL; 1111 mux_listener_channel = NULL; 1112 muxserver_sock = -1; 1113 } 1114 1115 reply_ok(reply, rid); 1116 return 0; 1117 } 1118 1119 static int 1120 mux_master_process_proxy(struct ssh *ssh, u_int rid, 1121 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1122 { 1123 int r; 1124 1125 debug("%s: channel %d: proxy request", __func__, c->self); 1126 1127 c->mux_rcb = channel_proxy_downstream; 1128 if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 || 1129 (r = sshbuf_put_u32(reply, rid)) != 0) 1130 fatal("%s: reply: %s", __func__, ssh_err(r)); 1131 1132 return 0; 1133 } 1134 1135 /* Channel callbacks fired on read/write from mux slave fd */ 1136 static int 1137 mux_master_read_cb(struct ssh *ssh, Channel *c) 1138 { 1139 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 1140 struct sshbuf *in = NULL, *out = NULL; 1141 u_int type, rid, i; 1142 int r, ret = -1; 1143 1144 if ((out = sshbuf_new()) == NULL) 1145 fatal("%s: sshbuf_new", __func__); 1146 1147 /* Setup ctx and */ 1148 if (c->mux_ctx == NULL) { 1149 state = xcalloc(1, sizeof(*state)); 1150 c->mux_ctx = state; 1151 channel_register_cleanup(ssh, c->self, 1152 mux_master_control_cleanup_cb, 0); 1153 1154 /* Send hello */ 1155 if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 || 1156 (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0) 1157 fatal("%s: reply: %s", __func__, ssh_err(r)); 1158 /* no extensions */ 1159 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 1160 fatal("%s: sshbuf_put_stringb: %s", 1161 __func__, ssh_err(r)); 1162 debug3("%s: channel %d: hello sent", __func__, c->self); 1163 ret = 0; 1164 goto out; 1165 } 1166 1167 /* Channel code ensures that we receive whole packets */ 1168 if ((r = sshbuf_froms(c->input, &in)) != 0) { 1169 malf: 1170 error("%s: malformed message", __func__); 1171 goto out; 1172 } 1173 1174 if ((r = sshbuf_get_u32(in, &type)) != 0) 1175 goto malf; 1176 debug3("%s: channel %d packet type 0x%08x len %zu", 1177 __func__, c->self, type, sshbuf_len(in)); 1178 1179 if (type == MUX_MSG_HELLO) 1180 rid = 0; 1181 else { 1182 if (!state->hello_rcvd) { 1183 error("%s: expected MUX_MSG_HELLO(0x%08x), " 1184 "received 0x%08x", __func__, MUX_MSG_HELLO, type); 1185 goto out; 1186 } 1187 if ((r = sshbuf_get_u32(in, &rid)) != 0) 1188 goto malf; 1189 } 1190 1191 for (i = 0; mux_master_handlers[i].handler != NULL; i++) { 1192 if (type == mux_master_handlers[i].type) { 1193 ret = mux_master_handlers[i].handler(ssh, rid, 1194 c, in, out); 1195 break; 1196 } 1197 } 1198 if (mux_master_handlers[i].handler == NULL) { 1199 error("%s: unsupported mux message 0x%08x", __func__, type); 1200 reply_error(out, MUX_S_FAILURE, rid, "unsupported request"); 1201 ret = 0; 1202 } 1203 /* Enqueue reply packet */ 1204 if (sshbuf_len(out) != 0) { 1205 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 1206 fatal("%s: sshbuf_put_stringb: %s", 1207 __func__, ssh_err(r)); 1208 } 1209 out: 1210 sshbuf_free(in); 1211 sshbuf_free(out); 1212 return ret; 1213 } 1214 1215 void 1216 mux_exit_message(struct ssh *ssh, Channel *c, int exitval) 1217 { 1218 struct sshbuf *m; 1219 Channel *mux_chan; 1220 int r; 1221 1222 debug3("%s: channel %d: exit message, exitval %d", __func__, c->self, 1223 exitval); 1224 1225 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1226 fatal("%s: channel %d missing mux channel %d", 1227 __func__, c->self, c->ctl_chan); 1228 1229 /* Append exit message packet to control socket output queue */ 1230 if ((m = sshbuf_new()) == NULL) 1231 fatal("%s: sshbuf_new", __func__); 1232 if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 || 1233 (r = sshbuf_put_u32(m, c->self)) != 0 || 1234 (r = sshbuf_put_u32(m, exitval)) != 0 || 1235 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1236 fatal("%s: reply: %s", __func__, ssh_err(r)); 1237 sshbuf_free(m); 1238 } 1239 1240 void 1241 mux_tty_alloc_failed(struct ssh *ssh, Channel *c) 1242 { 1243 struct sshbuf *m; 1244 Channel *mux_chan; 1245 int r; 1246 1247 debug3("%s: channel %d: TTY alloc failed", __func__, c->self); 1248 1249 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1250 fatal("%s: channel %d missing mux channel %d", 1251 __func__, c->self, c->ctl_chan); 1252 1253 /* Append exit message packet to control socket output queue */ 1254 if ((m = sshbuf_new()) == NULL) 1255 fatal("%s: sshbuf_new", __func__); 1256 if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 || 1257 (r = sshbuf_put_u32(m, c->self)) != 0 || 1258 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1259 fatal("%s: reply: %s", __func__, ssh_err(r)); 1260 sshbuf_free(m); 1261 } 1262 1263 /* Prepare a mux master to listen on a Unix domain socket. */ 1264 void 1265 muxserver_listen(struct ssh *ssh) 1266 { 1267 mode_t old_umask; 1268 char *orig_control_path = options.control_path; 1269 char rbuf[16+1]; 1270 u_int i, r; 1271 int oerrno; 1272 1273 if (options.control_path == NULL || 1274 options.control_master == SSHCTL_MASTER_NO) 1275 return; 1276 1277 debug("setting up multiplex master socket"); 1278 1279 /* 1280 * Use a temporary path before listen so we can pseudo-atomically 1281 * establish the listening socket in its final location to avoid 1282 * other processes racing in between bind() and listen() and hitting 1283 * an unready socket. 1284 */ 1285 for (i = 0; i < sizeof(rbuf) - 1; i++) { 1286 r = arc4random_uniform(26+26+10); 1287 rbuf[i] = (r < 26) ? 'a' + r : 1288 (r < 26*2) ? 'A' + r - 26 : 1289 '0' + r - 26 - 26; 1290 } 1291 rbuf[sizeof(rbuf) - 1] = '\0'; 1292 options.control_path = NULL; 1293 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf); 1294 debug3("%s: temporary control path %s", __func__, options.control_path); 1295 1296 old_umask = umask(0177); 1297 muxserver_sock = unix_listener(options.control_path, 64, 0); 1298 oerrno = errno; 1299 umask(old_umask); 1300 if (muxserver_sock < 0) { 1301 if (oerrno == EINVAL || oerrno == EADDRINUSE) { 1302 error("ControlSocket %s already exists, " 1303 "disabling multiplexing", options.control_path); 1304 disable_mux_master: 1305 if (muxserver_sock != -1) { 1306 close(muxserver_sock); 1307 muxserver_sock = -1; 1308 } 1309 free(orig_control_path); 1310 free(options.control_path); 1311 options.control_path = NULL; 1312 options.control_master = SSHCTL_MASTER_NO; 1313 return; 1314 } else { 1315 /* unix_listener() logs the error */ 1316 cleanup_exit(255); 1317 } 1318 } 1319 1320 /* Now atomically "move" the mux socket into position */ 1321 if (link(options.control_path, orig_control_path) != 0) { 1322 if (errno != EEXIST) { 1323 fatal("%s: link mux listener %s => %s: %s", __func__, 1324 options.control_path, orig_control_path, 1325 strerror(errno)); 1326 } 1327 error("ControlSocket %s already exists, disabling multiplexing", 1328 orig_control_path); 1329 unlink(options.control_path); 1330 goto disable_mux_master; 1331 } 1332 unlink(options.control_path); 1333 free(options.control_path); 1334 options.control_path = orig_control_path; 1335 1336 set_nonblock(muxserver_sock); 1337 1338 mux_listener_channel = channel_new(ssh, "mux listener", 1339 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1, 1340 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1341 0, options.control_path, 1); 1342 mux_listener_channel->mux_rcb = mux_master_read_cb; 1343 debug3("%s: mux listener channel %d fd %d", __func__, 1344 mux_listener_channel->self, mux_listener_channel->sock); 1345 } 1346 1347 /* Callback on open confirmation in mux master for a mux client session. */ 1348 static void 1349 mux_session_confirm(struct ssh *ssh, int id, int success, void *arg) 1350 { 1351 struct mux_session_confirm_ctx *cctx = arg; 1352 const char *display; 1353 Channel *c, *cc; 1354 int i, r; 1355 struct sshbuf *reply; 1356 1357 if (cctx == NULL) 1358 fatal("%s: cctx == NULL", __func__); 1359 if ((c = channel_by_id(ssh, id)) == NULL) 1360 fatal("%s: no channel for id %d", __func__, id); 1361 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1362 fatal("%s: channel %d lacks control channel %d", __func__, 1363 id, c->ctl_chan); 1364 if ((reply = sshbuf_new()) == NULL) 1365 fatal("%s: sshbuf_new", __func__); 1366 1367 if (!success) { 1368 debug3("%s: sending failure reply", __func__); 1369 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1370 "Session open refused by peer"); 1371 goto done; 1372 } 1373 1374 display = getenv("DISPLAY"); 1375 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 1376 char *proto, *data; 1377 1378 /* Get reasonable local authentication information. */ 1379 if (client_x11_get_proto(ssh, display, options.xauth_location, 1380 options.forward_x11_trusted, options.forward_x11_timeout, 1381 &proto, &data) == 0) { 1382 /* Request forwarding with authentication spoofing. */ 1383 debug("Requesting X11 forwarding with authentication " 1384 "spoofing."); 1385 x11_request_forwarding_with_spoofing(ssh, id, 1386 display, proto, data, 1); 1387 /* XXX exit_on_forward_failure */ 1388 client_expect_confirm(ssh, id, "X11 forwarding", 1389 CONFIRM_WARN); 1390 } 1391 } 1392 1393 if (cctx->want_agent_fwd && options.forward_agent) { 1394 debug("Requesting authentication agent forwarding."); 1395 channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0); 1396 packet_send(); 1397 } 1398 1399 client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys, 1400 cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env); 1401 1402 debug3("%s: sending success reply", __func__); 1403 /* prepare reply */ 1404 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1405 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1406 (r = sshbuf_put_u32(reply, c->self)) != 0) 1407 fatal("%s: reply: %s", __func__, ssh_err(r)); 1408 1409 done: 1410 /* Send reply */ 1411 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1412 fatal("%s: sshbuf_put_stringb: %s", __func__, ssh_err(r)); 1413 sshbuf_free(reply); 1414 1415 if (cc->mux_pause <= 0) 1416 fatal("%s: mux_pause %d", __func__, cc->mux_pause); 1417 cc->mux_pause = 0; /* start processing messages again */ 1418 c->open_confirm_ctx = NULL; 1419 sshbuf_free(cctx->cmd); 1420 free(cctx->term); 1421 if (cctx->env != NULL) { 1422 for (i = 0; cctx->env[i] != NULL; i++) 1423 free(cctx->env[i]); 1424 free(cctx->env); 1425 } 1426 free(cctx); 1427 } 1428 1429 /* ** Multiplexing client support */ 1430 1431 /* Exit signal handler */ 1432 static void 1433 control_client_sighandler(int signo) 1434 { 1435 muxclient_terminate = signo; 1436 } 1437 1438 /* 1439 * Relay signal handler - used to pass some signals from mux client to 1440 * mux master. 1441 */ 1442 static void 1443 control_client_sigrelay(int signo) 1444 { 1445 int save_errno = errno; 1446 1447 if (muxserver_pid > 1) 1448 kill(muxserver_pid, signo); 1449 1450 errno = save_errno; 1451 } 1452 1453 static int 1454 mux_client_read(int fd, struct sshbuf *b, size_t need) 1455 { 1456 size_t have; 1457 ssize_t len; 1458 u_char *p; 1459 struct pollfd pfd; 1460 int r; 1461 1462 pfd.fd = fd; 1463 pfd.events = POLLIN; 1464 if ((r = sshbuf_reserve(b, need, &p)) != 0) 1465 fatal("%s: reserve: %s", __func__, ssh_err(r)); 1466 for (have = 0; have < need; ) { 1467 if (muxclient_terminate) { 1468 errno = EINTR; 1469 return -1; 1470 } 1471 len = read(fd, p + have, need - have); 1472 if (len < 0) { 1473 switch (errno) { 1474 case EAGAIN: 1475 (void)poll(&pfd, 1, -1); 1476 /* FALLTHROUGH */ 1477 case EINTR: 1478 continue; 1479 default: 1480 return -1; 1481 } 1482 } 1483 if (len == 0) { 1484 errno = EPIPE; 1485 return -1; 1486 } 1487 have += (size_t)len; 1488 } 1489 return 0; 1490 } 1491 1492 static int 1493 mux_client_write_packet(int fd, struct sshbuf *m) 1494 { 1495 struct sshbuf *queue; 1496 u_int have, need; 1497 int r, oerrno, len; 1498 const u_char *ptr; 1499 struct pollfd pfd; 1500 1501 pfd.fd = fd; 1502 pfd.events = POLLOUT; 1503 if ((queue = sshbuf_new()) == NULL) 1504 fatal("%s: sshbuf_new", __func__); 1505 if ((r = sshbuf_put_stringb(queue, m)) != 0) 1506 fatal("%s: sshbuf_put_stringb: %s", __func__, ssh_err(r)); 1507 1508 need = sshbuf_len(queue); 1509 ptr = sshbuf_ptr(queue); 1510 1511 for (have = 0; have < need; ) { 1512 if (muxclient_terminate) { 1513 sshbuf_free(queue); 1514 errno = EINTR; 1515 return -1; 1516 } 1517 len = write(fd, ptr + have, need - have); 1518 if (len < 0) { 1519 switch (errno) { 1520 case EAGAIN: 1521 (void)poll(&pfd, 1, -1); 1522 /* FALLTHROUGH */ 1523 case EINTR: 1524 continue; 1525 default: 1526 oerrno = errno; 1527 sshbuf_free(queue); 1528 errno = oerrno; 1529 return -1; 1530 } 1531 } 1532 if (len == 0) { 1533 sshbuf_free(queue); 1534 errno = EPIPE; 1535 return -1; 1536 } 1537 have += (u_int)len; 1538 } 1539 sshbuf_free(queue); 1540 return 0; 1541 } 1542 1543 static int 1544 mux_client_read_packet(int fd, struct sshbuf *m) 1545 { 1546 struct sshbuf *queue; 1547 size_t need, have; 1548 const u_char *ptr; 1549 int r, oerrno; 1550 1551 if ((queue = sshbuf_new()) == NULL) 1552 fatal("%s: sshbuf_new", __func__); 1553 if (mux_client_read(fd, queue, 4) != 0) { 1554 if ((oerrno = errno) == EPIPE) 1555 debug3("%s: read header failed: %s", __func__, 1556 strerror(errno)); 1557 sshbuf_free(queue); 1558 errno = oerrno; 1559 return -1; 1560 } 1561 need = PEEK_U32(sshbuf_ptr(queue)); 1562 if (mux_client_read(fd, queue, need) != 0) { 1563 oerrno = errno; 1564 debug3("%s: read body failed: %s", __func__, strerror(errno)); 1565 sshbuf_free(queue); 1566 errno = oerrno; 1567 return -1; 1568 } 1569 if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 || 1570 (r = sshbuf_put(m, ptr, have)) != 0) 1571 fatal("%s: buffer error: %s", __func__, ssh_err(r)); 1572 sshbuf_free(queue); 1573 return 0; 1574 } 1575 1576 static int 1577 mux_client_hello_exchange(int fd) 1578 { 1579 struct sshbuf *m; 1580 u_int type, ver; 1581 int r, ret = -1; 1582 1583 if ((m = sshbuf_new()) == NULL) 1584 fatal("%s: sshbuf_new", __func__); 1585 if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 || 1586 (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0) 1587 fatal("%s: hello: %s", __func__, ssh_err(r)); 1588 /* no extensions */ 1589 1590 if (mux_client_write_packet(fd, m) != 0) { 1591 debug("%s: write packet: %s", __func__, strerror(errno)); 1592 goto out; 1593 } 1594 1595 sshbuf_reset(m); 1596 1597 /* Read their HELLO */ 1598 if (mux_client_read_packet(fd, m) != 0) { 1599 debug("%s: read packet failed", __func__); 1600 goto out; 1601 } 1602 1603 if ((r = sshbuf_get_u32(m, &type)) != 0) 1604 fatal("%s: decode type: %s", __func__, ssh_err(r)); 1605 if (type != MUX_MSG_HELLO) { 1606 error("%s: expected HELLO (%u) received %u", 1607 __func__, MUX_MSG_HELLO, type); 1608 goto out; 1609 } 1610 if ((r = sshbuf_get_u32(m, &ver)) != 0) 1611 fatal("%s: decode version: %s", __func__, ssh_err(r)); 1612 if (ver != SSHMUX_VER) { 1613 error("Unsupported multiplexing protocol version %d " 1614 "(expected %d)", ver, SSHMUX_VER); 1615 goto out; 1616 } 1617 debug2("%s: master version %u", __func__, ver); 1618 /* No extensions are presently defined */ 1619 while (sshbuf_len(m) > 0) { 1620 char *name = NULL; 1621 1622 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 1623 (r = sshbuf_skip_string(m)) != 0) { /* value */ 1624 error("%s: malformed extension: %s", 1625 __func__, ssh_err(r)); 1626 goto out; 1627 } 1628 debug2("Unrecognised master extension \"%s\"", name); 1629 free(name); 1630 } 1631 /* success */ 1632 ret = 0; 1633 out: 1634 sshbuf_free(m); 1635 return ret; 1636 } 1637 1638 static u_int 1639 mux_client_request_alive(int fd) 1640 { 1641 struct sshbuf *m; 1642 char *e; 1643 u_int pid, type, rid; 1644 int r; 1645 1646 debug3("%s: entering", __func__); 1647 1648 if ((m = sshbuf_new()) == NULL) 1649 fatal("%s: sshbuf_new", __func__); 1650 if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 || 1651 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1652 fatal("%s: request: %s", __func__, ssh_err(r)); 1653 1654 if (mux_client_write_packet(fd, m) != 0) 1655 fatal("%s: write packet: %s", __func__, strerror(errno)); 1656 1657 sshbuf_reset(m); 1658 1659 /* Read their reply */ 1660 if (mux_client_read_packet(fd, m) != 0) { 1661 sshbuf_free(m); 1662 return 0; 1663 } 1664 1665 if ((r = sshbuf_get_u32(m, &type)) != 0) 1666 fatal("%s: decode type: %s", __func__, ssh_err(r)); 1667 if (type != MUX_S_ALIVE) { 1668 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1669 fatal("%s: decode error: %s", __func__, ssh_err(r)); 1670 fatal("%s: master returned error: %s", __func__, e); 1671 } 1672 1673 if ((r = sshbuf_get_u32(m, &rid)) != 0) 1674 fatal("%s: decode remote ID: %s", __func__, ssh_err(r)); 1675 if (rid != muxclient_request_id) 1676 fatal("%s: out of sequence reply: my id %u theirs %u", 1677 __func__, muxclient_request_id, rid); 1678 if ((r = sshbuf_get_u32(m, &pid)) != 0) 1679 fatal("%s: decode PID: %s", __func__, ssh_err(r)); 1680 sshbuf_free(m); 1681 1682 debug3("%s: done pid = %u", __func__, pid); 1683 1684 muxclient_request_id++; 1685 1686 return pid; 1687 } 1688 1689 static void 1690 mux_client_request_terminate(int fd) 1691 { 1692 struct sshbuf *m; 1693 char *e; 1694 u_int type, rid; 1695 int r; 1696 1697 debug3("%s: entering", __func__); 1698 1699 if ((m = sshbuf_new()) == NULL) 1700 fatal("%s: sshbuf_new", __func__); 1701 if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 || 1702 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1703 fatal("%s: request: %s", __func__, ssh_err(r)); 1704 1705 if (mux_client_write_packet(fd, m) != 0) 1706 fatal("%s: write packet: %s", __func__, strerror(errno)); 1707 1708 sshbuf_reset(m); 1709 1710 /* Read their reply */ 1711 if (mux_client_read_packet(fd, m) != 0) { 1712 /* Remote end exited already */ 1713 if (errno == EPIPE) { 1714 sshbuf_free(m); 1715 return; 1716 } 1717 fatal("%s: read from master failed: %s", 1718 __func__, strerror(errno)); 1719 } 1720 1721 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1722 (r = sshbuf_get_u32(m, &rid)) != 0) 1723 fatal("%s: decode: %s", __func__, ssh_err(r)); 1724 if (rid != muxclient_request_id) 1725 fatal("%s: out of sequence reply: my id %u theirs %u", 1726 __func__, muxclient_request_id, rid); 1727 switch (type) { 1728 case MUX_S_OK: 1729 break; 1730 case MUX_S_PERMISSION_DENIED: 1731 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1732 fatal("%s: decode error: %s", __func__, ssh_err(r)); 1733 fatal("Master refused termination request: %s", e); 1734 case MUX_S_FAILURE: 1735 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1736 fatal("%s: decode error: %s", __func__, ssh_err(r)); 1737 fatal("%s: termination request failed: %s", __func__, e); 1738 default: 1739 fatal("%s: unexpected response from master 0x%08x", 1740 __func__, type); 1741 } 1742 sshbuf_free(m); 1743 muxclient_request_id++; 1744 } 1745 1746 static int 1747 mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) 1748 { 1749 struct sshbuf *m; 1750 char *e, *fwd_desc; 1751 const char *lhost, *chost; 1752 u_int type, rid; 1753 int r; 1754 1755 fwd_desc = format_forward(ftype, fwd); 1756 debug("Requesting %s %s", 1757 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1758 free(fwd_desc); 1759 1760 type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD; 1761 if (fwd->listen_path != NULL) 1762 lhost = fwd->listen_path; 1763 else if (fwd->listen_host == NULL) 1764 lhost = ""; 1765 else if (*fwd->listen_host == '\0') 1766 lhost = "*"; 1767 else 1768 lhost = fwd->listen_host; 1769 1770 if (fwd->connect_path != NULL) 1771 chost = fwd->connect_path; 1772 else if (fwd->connect_host == NULL) 1773 chost = ""; 1774 else 1775 chost = fwd->connect_host; 1776 1777 if ((m = sshbuf_new()) == NULL) 1778 fatal("%s: sshbuf_new", __func__); 1779 if ((r = sshbuf_put_u32(m, type)) != 0 || 1780 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1781 (r = sshbuf_put_u32(m, ftype)) != 0 || 1782 (r = sshbuf_put_cstring(m, lhost)) != 0 || 1783 (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 || 1784 (r = sshbuf_put_cstring(m, chost)) != 0 || 1785 (r = sshbuf_put_u32(m, fwd->connect_port)) != 0) 1786 fatal("%s: request: %s", __func__, ssh_err(r)); 1787 1788 if (mux_client_write_packet(fd, m) != 0) 1789 fatal("%s: write packet: %s", __func__, strerror(errno)); 1790 1791 sshbuf_reset(m); 1792 1793 /* Read their reply */ 1794 if (mux_client_read_packet(fd, m) != 0) { 1795 sshbuf_free(m); 1796 return -1; 1797 } 1798 1799 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1800 (r = sshbuf_get_u32(m, &rid)) != 0) 1801 fatal("%s: decode: %s", __func__, ssh_err(r)); 1802 if (rid != muxclient_request_id) 1803 fatal("%s: out of sequence reply: my id %u theirs %u", 1804 __func__, muxclient_request_id, rid); 1805 1806 switch (type) { 1807 case MUX_S_OK: 1808 break; 1809 case MUX_S_REMOTE_PORT: 1810 if (cancel_flag) 1811 fatal("%s: got MUX_S_REMOTE_PORT for cancel", __func__); 1812 if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0) 1813 fatal("%s: decode port: %s", __func__, ssh_err(r)); 1814 verbose("Allocated port %u for remote forward to %s:%d", 1815 fwd->allocated_port, 1816 fwd->connect_host ? fwd->connect_host : "", 1817 fwd->connect_port); 1818 if (muxclient_command == SSHMUX_COMMAND_FORWARD) 1819 fprintf(stdout, "%i\n", fwd->allocated_port); 1820 break; 1821 case MUX_S_PERMISSION_DENIED: 1822 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1823 fatal("%s: decode error: %s", __func__, ssh_err(r)); 1824 sshbuf_free(m); 1825 error("Master refused forwarding request: %s", e); 1826 return -1; 1827 case MUX_S_FAILURE: 1828 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1829 fatal("%s: decode error: %s", __func__, ssh_err(r)); 1830 sshbuf_free(m); 1831 error("%s: forwarding request failed: %s", __func__, e); 1832 return -1; 1833 default: 1834 fatal("%s: unexpected response from master 0x%08x", 1835 __func__, type); 1836 } 1837 sshbuf_free(m); 1838 1839 muxclient_request_id++; 1840 return 0; 1841 } 1842 1843 static int 1844 mux_client_forwards(int fd, int cancel_flag) 1845 { 1846 int i, ret = 0; 1847 1848 debug3("%s: %s forwardings: %d local, %d remote", __func__, 1849 cancel_flag ? "cancel" : "request", 1850 options.num_local_forwards, options.num_remote_forwards); 1851 1852 /* XXX ExitOnForwardingFailure */ 1853 for (i = 0; i < options.num_local_forwards; i++) { 1854 if (mux_client_forward(fd, cancel_flag, 1855 options.local_forwards[i].connect_port == 0 ? 1856 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL, 1857 options.local_forwards + i) != 0) 1858 ret = -1; 1859 } 1860 for (i = 0; i < options.num_remote_forwards; i++) { 1861 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE, 1862 options.remote_forwards + i) != 0) 1863 ret = -1; 1864 } 1865 return ret; 1866 } 1867 1868 static int 1869 mux_client_request_session(int fd) 1870 { 1871 struct sshbuf *m; 1872 char *e; 1873 const char *term; 1874 u_int echar, rid, sid, esid, exitval, type, exitval_seen; 1875 extern char **environ; 1876 int r, i, devnull, rawmode; 1877 1878 debug3("%s: entering", __func__); 1879 1880 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1881 error("%s: master alive request failed", __func__); 1882 return -1; 1883 } 1884 1885 signal(SIGPIPE, SIG_IGN); 1886 1887 if (stdin_null_flag) { 1888 if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) 1889 fatal("open(/dev/null): %s", strerror(errno)); 1890 if (dup2(devnull, STDIN_FILENO) == -1) 1891 fatal("dup2: %s", strerror(errno)); 1892 if (devnull > STDERR_FILENO) 1893 close(devnull); 1894 } 1895 1896 if ((term = getenv("TERM")) == NULL) 1897 term = ""; 1898 echar = 0xffffffff; 1899 if (options.escape_char != SSH_ESCAPECHAR_NONE) 1900 echar = (u_int)options.escape_char; 1901 1902 if ((m = sshbuf_new()) == NULL) 1903 fatal("%s: sshbuf_new", __func__); 1904 if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 || 1905 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1906 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 1907 (r = sshbuf_put_u32(m, tty_flag)) != 0 || 1908 (r = sshbuf_put_u32(m, options.forward_x11)) != 0 || 1909 (r = sshbuf_put_u32(m, options.forward_agent)) != 0 || 1910 (r = sshbuf_put_u32(m, subsystem_flag)) != 0 || 1911 (r = sshbuf_put_u32(m, echar)) != 0 || 1912 (r = sshbuf_put_cstring(m, term)) != 0 || 1913 (r = sshbuf_put_stringb(m, command)) != 0) 1914 fatal("%s: request: %s", __func__, ssh_err(r)); 1915 1916 /* Pass environment */ 1917 if (options.num_send_env > 0 && environ != NULL) { 1918 for (i = 0; environ[i] != NULL; i++) { 1919 if (!env_permitted(environ[i])) 1920 continue; 1921 if ((r = sshbuf_put_cstring(m, environ[i])) != 0) 1922 fatal("%s: request: %s", __func__, ssh_err(r)); 1923 } 1924 } 1925 for (i = 0; i < options.num_setenv; i++) { 1926 if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0) 1927 fatal("%s: request: %s", __func__, ssh_err(r)); 1928 } 1929 1930 if (mux_client_write_packet(fd, m) != 0) 1931 fatal("%s: write packet: %s", __func__, strerror(errno)); 1932 1933 /* Send the stdio file descriptors */ 1934 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1935 mm_send_fd(fd, STDOUT_FILENO) == -1 || 1936 mm_send_fd(fd, STDERR_FILENO) == -1) 1937 fatal("%s: send fds failed", __func__); 1938 1939 debug3("%s: session request sent", __func__); 1940 1941 /* Read their reply */ 1942 sshbuf_reset(m); 1943 if (mux_client_read_packet(fd, m) != 0) { 1944 error("%s: read from master failed: %s", 1945 __func__, strerror(errno)); 1946 sshbuf_free(m); 1947 return -1; 1948 } 1949 1950 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1951 (r = sshbuf_get_u32(m, &rid)) != 0) 1952 fatal("%s: decode: %s", __func__, ssh_err(r)); 1953 if (rid != muxclient_request_id) 1954 fatal("%s: out of sequence reply: my id %u theirs %u", 1955 __func__, muxclient_request_id, rid); 1956 1957 switch (type) { 1958 case MUX_S_SESSION_OPENED: 1959 if ((r = sshbuf_get_u32(m, &sid)) != 0) 1960 fatal("%s: decode ID: %s", __func__, ssh_err(r)); 1961 break; 1962 case MUX_S_PERMISSION_DENIED: 1963 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1964 fatal("%s: decode error: %s", __func__, ssh_err(r)); 1965 error("Master refused session request: %s", e); 1966 sshbuf_free(m); 1967 return -1; 1968 case MUX_S_FAILURE: 1969 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1970 fatal("%s: decode error: %s", __func__, ssh_err(r)); 1971 error("%s: session request failed: %s", __func__, e); 1972 sshbuf_free(m); 1973 return -1; 1974 default: 1975 sshbuf_free(m); 1976 error("%s: unexpected response from master 0x%08x", 1977 __func__, type); 1978 return -1; 1979 } 1980 muxclient_request_id++; 1981 1982 if (pledge("stdio proc tty", NULL) == -1) 1983 fatal("%s pledge(): %s", __func__, strerror(errno)); 1984 1985 signal(SIGHUP, control_client_sighandler); 1986 signal(SIGINT, control_client_sighandler); 1987 signal(SIGTERM, control_client_sighandler); 1988 signal(SIGWINCH, control_client_sigrelay); 1989 1990 rawmode = tty_flag; 1991 if (tty_flag) 1992 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1993 1994 /* 1995 * Stick around until the controlee closes the client_fd. 1996 * Before it does, it is expected to write an exit message. 1997 * This process must read the value and wait for the closure of 1998 * the client_fd; if this one closes early, the multiplex master will 1999 * terminate early too (possibly losing data). 2000 */ 2001 for (exitval = 255, exitval_seen = 0;;) { 2002 sshbuf_reset(m); 2003 if (mux_client_read_packet(fd, m) != 0) 2004 break; 2005 if ((r = sshbuf_get_u32(m, &type)) != 0) 2006 fatal("%s: decode type: %s", __func__, ssh_err(r)); 2007 switch (type) { 2008 case MUX_S_TTY_ALLOC_FAIL: 2009 if ((r = sshbuf_get_u32(m, &esid)) != 0) 2010 fatal("%s: decode ID: %s", 2011 __func__, ssh_err(r)); 2012 if (esid != sid) 2013 fatal("%s: tty alloc fail on unknown session: " 2014 "my id %u theirs %u", 2015 __func__, sid, esid); 2016 leave_raw_mode(options.request_tty == 2017 REQUEST_TTY_FORCE); 2018 rawmode = 0; 2019 continue; 2020 case MUX_S_EXIT_MESSAGE: 2021 if ((r = sshbuf_get_u32(m, &esid)) != 0) 2022 fatal("%s: decode ID: %s", 2023 __func__, ssh_err(r)); 2024 if (esid != sid) 2025 fatal("%s: exit on unknown session: " 2026 "my id %u theirs %u", 2027 __func__, sid, esid); 2028 if (exitval_seen) 2029 fatal("%s: exitval sent twice", __func__); 2030 if ((r = sshbuf_get_u32(m, &exitval)) != 0) 2031 fatal("%s: decode exit value: %s", 2032 __func__, ssh_err(r)); 2033 exitval_seen = 1; 2034 continue; 2035 default: 2036 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2037 fatal("%s: decode error: %s", 2038 __func__, ssh_err(r)); 2039 fatal("%s: master returned error: %s", __func__, e); 2040 } 2041 } 2042 2043 close(fd); 2044 if (rawmode) 2045 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 2046 2047 if (muxclient_terminate) { 2048 debug2("Exiting on signal: %s", strsignal(muxclient_terminate)); 2049 exitval = 255; 2050 } else if (!exitval_seen) { 2051 debug2("Control master terminated unexpectedly"); 2052 exitval = 255; 2053 } else 2054 debug2("Received exit status from master %d", exitval); 2055 2056 if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) 2057 fprintf(stderr, "Shared connection to %s closed.\r\n", host); 2058 2059 exit(exitval); 2060 } 2061 2062 static int 2063 mux_client_proxy(int fd) 2064 { 2065 struct sshbuf *m; 2066 char *e; 2067 u_int type, rid; 2068 int r; 2069 2070 if ((m = sshbuf_new()) == NULL) 2071 fatal("%s: sshbuf_new", __func__); 2072 if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 || 2073 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2074 fatal("%s: request: %s", __func__, ssh_err(r)); 2075 if (mux_client_write_packet(fd, m) != 0) 2076 fatal("%s: write packet: %s", __func__, strerror(errno)); 2077 2078 sshbuf_reset(m); 2079 2080 /* Read their reply */ 2081 if (mux_client_read_packet(fd, m) != 0) { 2082 sshbuf_free(m); 2083 return 0; 2084 } 2085 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2086 (r = sshbuf_get_u32(m, &rid)) != 0) 2087 fatal("%s: decode: %s", __func__, ssh_err(r)); 2088 if (rid != muxclient_request_id) 2089 fatal("%s: out of sequence reply: my id %u theirs %u", 2090 __func__, muxclient_request_id, rid); 2091 if (type != MUX_S_PROXY) { 2092 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2093 fatal("%s: decode error: %s", __func__, ssh_err(r)); 2094 fatal("%s: master returned error: %s", __func__, e); 2095 } 2096 sshbuf_free(m); 2097 2098 debug3("%s: done", __func__); 2099 muxclient_request_id++; 2100 return 0; 2101 } 2102 2103 static int 2104 mux_client_request_stdio_fwd(int fd) 2105 { 2106 struct sshbuf *m; 2107 char *e; 2108 u_int type, rid, sid; 2109 int r, devnull; 2110 2111 debug3("%s: entering", __func__); 2112 2113 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 2114 error("%s: master alive request failed", __func__); 2115 return -1; 2116 } 2117 2118 signal(SIGPIPE, SIG_IGN); 2119 2120 if (stdin_null_flag) { 2121 if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) 2122 fatal("open(/dev/null): %s", strerror(errno)); 2123 if (dup2(devnull, STDIN_FILENO) == -1) 2124 fatal("dup2: %s", strerror(errno)); 2125 if (devnull > STDERR_FILENO) 2126 close(devnull); 2127 } 2128 2129 if ((m = sshbuf_new()) == NULL) 2130 fatal("%s: sshbuf_new", __func__); 2131 if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 || 2132 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 2133 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 2134 (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 || 2135 (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0) 2136 fatal("%s: request: %s", __func__, ssh_err(r)); 2137 2138 if (mux_client_write_packet(fd, m) != 0) 2139 fatal("%s: write packet: %s", __func__, strerror(errno)); 2140 2141 /* Send the stdio file descriptors */ 2142 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 2143 mm_send_fd(fd, STDOUT_FILENO) == -1) 2144 fatal("%s: send fds failed", __func__); 2145 2146 if (pledge("stdio proc tty", NULL) == -1) 2147 fatal("%s pledge(): %s", __func__, strerror(errno)); 2148 2149 debug3("%s: stdio forward request sent", __func__); 2150 2151 /* Read their reply */ 2152 sshbuf_reset(m); 2153 2154 if (mux_client_read_packet(fd, m) != 0) { 2155 error("%s: read from master failed: %s", 2156 __func__, strerror(errno)); 2157 sshbuf_free(m); 2158 return -1; 2159 } 2160 2161 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2162 (r = sshbuf_get_u32(m, &rid)) != 0) 2163 fatal("%s: decode: %s", __func__, ssh_err(r)); 2164 if (rid != muxclient_request_id) 2165 fatal("%s: out of sequence reply: my id %u theirs %u", 2166 __func__, muxclient_request_id, rid); 2167 switch (type) { 2168 case MUX_S_SESSION_OPENED: 2169 if ((r = sshbuf_get_u32(m, &sid)) != 0) 2170 fatal("%s: decode ID: %s", __func__, ssh_err(r)); 2171 debug("%s: master session id: %u", __func__, sid); 2172 break; 2173 case MUX_S_PERMISSION_DENIED: 2174 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2175 fatal("%s: decode error: %s", __func__, ssh_err(r)); 2176 sshbuf_free(m); 2177 fatal("Master refused stdio forwarding request: %s", e); 2178 case MUX_S_FAILURE: 2179 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2180 fatal("%s: decode error: %s", __func__, ssh_err(r)); 2181 sshbuf_free(m); 2182 fatal("Stdio forwarding request failed: %s", e); 2183 default: 2184 sshbuf_free(m); 2185 error("%s: unexpected response from master 0x%08x", 2186 __func__, type); 2187 return -1; 2188 } 2189 muxclient_request_id++; 2190 2191 signal(SIGHUP, control_client_sighandler); 2192 signal(SIGINT, control_client_sighandler); 2193 signal(SIGTERM, control_client_sighandler); 2194 signal(SIGWINCH, control_client_sigrelay); 2195 2196 /* 2197 * Stick around until the controlee closes the client_fd. 2198 */ 2199 sshbuf_reset(m); 2200 if (mux_client_read_packet(fd, m) != 0) { 2201 if (errno == EPIPE || 2202 (errno == EINTR && muxclient_terminate != 0)) 2203 return 0; 2204 fatal("%s: mux_client_read_packet: %s", 2205 __func__, strerror(errno)); 2206 } 2207 fatal("%s: master returned unexpected message %u", __func__, type); 2208 } 2209 2210 static void 2211 mux_client_request_stop_listening(int fd) 2212 { 2213 struct sshbuf *m; 2214 char *e; 2215 u_int type, rid; 2216 int r; 2217 2218 debug3("%s: entering", __func__); 2219 2220 if ((m = sshbuf_new()) == NULL) 2221 fatal("%s: sshbuf_new", __func__); 2222 if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 || 2223 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2224 fatal("%s: request: %s", __func__, ssh_err(r)); 2225 2226 if (mux_client_write_packet(fd, m) != 0) 2227 fatal("%s: write packet: %s", __func__, strerror(errno)); 2228 2229 sshbuf_reset(m); 2230 2231 /* Read their reply */ 2232 if (mux_client_read_packet(fd, m) != 0) 2233 fatal("%s: read from master failed: %s", 2234 __func__, strerror(errno)); 2235 2236 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2237 (r = sshbuf_get_u32(m, &rid)) != 0) 2238 fatal("%s: decode: %s", __func__, ssh_err(r)); 2239 if (rid != muxclient_request_id) 2240 fatal("%s: out of sequence reply: my id %u theirs %u", 2241 __func__, muxclient_request_id, rid); 2242 2243 switch (type) { 2244 case MUX_S_OK: 2245 break; 2246 case MUX_S_PERMISSION_DENIED: 2247 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2248 fatal("%s: decode error: %s", __func__, ssh_err(r)); 2249 fatal("Master refused stop listening request: %s", e); 2250 case MUX_S_FAILURE: 2251 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2252 fatal("%s: decode error: %s", __func__, ssh_err(r)); 2253 fatal("%s: stop listening request failed: %s", __func__, e); 2254 default: 2255 fatal("%s: unexpected response from master 0x%08x", 2256 __func__, type); 2257 } 2258 sshbuf_free(m); 2259 muxclient_request_id++; 2260 } 2261 2262 /* Multiplex client main loop. */ 2263 int 2264 muxclient(const char *path) 2265 { 2266 struct sockaddr_un addr; 2267 int sock; 2268 u_int pid; 2269 2270 if (muxclient_command == 0) { 2271 if (options.stdio_forward_host != NULL) 2272 muxclient_command = SSHMUX_COMMAND_STDIO_FWD; 2273 else 2274 muxclient_command = SSHMUX_COMMAND_OPEN; 2275 } 2276 2277 switch (options.control_master) { 2278 case SSHCTL_MASTER_AUTO: 2279 case SSHCTL_MASTER_AUTO_ASK: 2280 debug("auto-mux: Trying existing master"); 2281 /* FALLTHROUGH */ 2282 case SSHCTL_MASTER_NO: 2283 break; 2284 default: 2285 return -1; 2286 } 2287 2288 memset(&addr, '\0', sizeof(addr)); 2289 addr.sun_family = AF_UNIX; 2290 2291 if (strlcpy(addr.sun_path, path, 2292 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 2293 fatal("ControlPath too long ('%s' >= %u bytes)", path, 2294 (unsigned int)sizeof(addr.sun_path)); 2295 2296 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) 2297 fatal("%s socket(): %s", __func__, strerror(errno)); 2298 2299 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) { 2300 switch (muxclient_command) { 2301 case SSHMUX_COMMAND_OPEN: 2302 case SSHMUX_COMMAND_STDIO_FWD: 2303 break; 2304 default: 2305 fatal("Control socket connect(%.100s): %s", path, 2306 strerror(errno)); 2307 } 2308 if (errno == ECONNREFUSED && 2309 options.control_master != SSHCTL_MASTER_NO) { 2310 debug("Stale control socket %.100s, unlinking", path); 2311 unlink(path); 2312 } else if (errno == ENOENT) { 2313 debug("Control socket \"%.100s\" does not exist", path); 2314 } else { 2315 error("Control socket connect(%.100s): %s", path, 2316 strerror(errno)); 2317 } 2318 close(sock); 2319 return -1; 2320 } 2321 set_nonblock(sock); 2322 2323 if (mux_client_hello_exchange(sock) != 0) { 2324 error("%s: master hello exchange failed", __func__); 2325 close(sock); 2326 return -1; 2327 } 2328 2329 switch (muxclient_command) { 2330 case SSHMUX_COMMAND_ALIVE_CHECK: 2331 if ((pid = mux_client_request_alive(sock)) == 0) 2332 fatal("%s: master alive check failed", __func__); 2333 fprintf(stderr, "Master running (pid=%u)\r\n", pid); 2334 exit(0); 2335 case SSHMUX_COMMAND_TERMINATE: 2336 mux_client_request_terminate(sock); 2337 if (options.log_level != SYSLOG_LEVEL_QUIET) 2338 fprintf(stderr, "Exit request sent.\r\n"); 2339 exit(0); 2340 case SSHMUX_COMMAND_FORWARD: 2341 if (mux_client_forwards(sock, 0) != 0) 2342 fatal("%s: master forward request failed", __func__); 2343 exit(0); 2344 case SSHMUX_COMMAND_OPEN: 2345 if (mux_client_forwards(sock, 0) != 0) { 2346 error("%s: master forward request failed", __func__); 2347 return -1; 2348 } 2349 mux_client_request_session(sock); 2350 return -1; 2351 case SSHMUX_COMMAND_STDIO_FWD: 2352 mux_client_request_stdio_fwd(sock); 2353 exit(0); 2354 case SSHMUX_COMMAND_STOP: 2355 mux_client_request_stop_listening(sock); 2356 if (options.log_level != SYSLOG_LEVEL_QUIET) 2357 fprintf(stderr, "Stop listening request sent.\r\n"); 2358 exit(0); 2359 case SSHMUX_COMMAND_CANCEL_FWD: 2360 if (mux_client_forwards(sock, 1) != 0) 2361 error("%s: master cancel forward request failed", 2362 __func__); 2363 exit(0); 2364 case SSHMUX_COMMAND_PROXY: 2365 mux_client_proxy(sock); 2366 return (sock); 2367 default: 2368 fatal("unrecognised muxclient_command %d", muxclient_command); 2369 } 2370 } 2371