1 /* $OpenBSD: mux.c,v 1.96 2023/03/08 04:43:12 guenther Exp $ */ 2 /* 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18 /* ssh session multiplexing support */ 19 20 #include <sys/types.h> 21 #include <sys/queue.h> 22 #include <sys/stat.h> 23 #include <sys/socket.h> 24 #include <sys/un.h> 25 26 #include <errno.h> 27 #include <fcntl.h> 28 #include <poll.h> 29 #include <signal.h> 30 #include <stdarg.h> 31 #include <stddef.h> 32 #include <stdlib.h> 33 #include <stdio.h> 34 #include <string.h> 35 #include <unistd.h> 36 #include <util.h> 37 #include <paths.h> 38 39 #include "atomicio.h" 40 #include "xmalloc.h" 41 #include "log.h" 42 #include "ssh.h" 43 #include "ssh2.h" 44 #include "pathnames.h" 45 #include "misc.h" 46 #include "match.h" 47 #include "sshbuf.h" 48 #include "channels.h" 49 #include "msg.h" 50 #include "packet.h" 51 #include "monitor_fdpass.h" 52 #include "sshpty.h" 53 #include "sshkey.h" 54 #include "readconf.h" 55 #include "clientloop.h" 56 #include "ssherr.h" 57 58 /* from ssh.c */ 59 extern int tty_flag; 60 extern Options options; 61 extern char *host; 62 extern struct sshbuf *command; 63 extern volatile sig_atomic_t quit_pending; 64 65 /* Context for session open confirmation callback */ 66 struct mux_session_confirm_ctx { 67 u_int want_tty; 68 u_int want_subsys; 69 u_int want_x_fwd; 70 u_int want_agent_fwd; 71 struct sshbuf *cmd; 72 char *term; 73 struct termios tio; 74 char **env; 75 u_int rid; 76 }; 77 78 /* Context for stdio fwd open confirmation callback */ 79 struct mux_stdio_confirm_ctx { 80 u_int rid; 81 }; 82 83 /* Context for global channel callback */ 84 struct mux_channel_confirm_ctx { 85 u_int cid; /* channel id */ 86 u_int rid; /* request id */ 87 int fid; /* forward id */ 88 }; 89 90 /* fd to control socket */ 91 int muxserver_sock = -1; 92 93 /* client request id */ 94 u_int muxclient_request_id = 0; 95 96 /* Multiplexing control command */ 97 u_int muxclient_command = 0; 98 99 /* Set when signalled. */ 100 static volatile sig_atomic_t muxclient_terminate = 0; 101 102 /* PID of multiplex server */ 103 static u_int muxserver_pid = 0; 104 105 static Channel *mux_listener_channel = NULL; 106 107 struct mux_master_state { 108 int hello_rcvd; 109 }; 110 111 /* mux protocol messages */ 112 #define MUX_MSG_HELLO 0x00000001 113 #define MUX_C_NEW_SESSION 0x10000002 114 #define MUX_C_ALIVE_CHECK 0x10000004 115 #define MUX_C_TERMINATE 0x10000005 116 #define MUX_C_OPEN_FWD 0x10000006 117 #define MUX_C_CLOSE_FWD 0x10000007 118 #define MUX_C_NEW_STDIO_FWD 0x10000008 119 #define MUX_C_STOP_LISTENING 0x10000009 120 #define MUX_C_PROXY 0x1000000f 121 #define MUX_S_OK 0x80000001 122 #define MUX_S_PERMISSION_DENIED 0x80000002 123 #define MUX_S_FAILURE 0x80000003 124 #define MUX_S_EXIT_MESSAGE 0x80000004 125 #define MUX_S_ALIVE 0x80000005 126 #define MUX_S_SESSION_OPENED 0x80000006 127 #define MUX_S_REMOTE_PORT 0x80000007 128 #define MUX_S_TTY_ALLOC_FAIL 0x80000008 129 #define MUX_S_PROXY 0x8000000f 130 131 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ 132 #define MUX_FWD_LOCAL 1 133 #define MUX_FWD_REMOTE 2 134 #define MUX_FWD_DYNAMIC 3 135 136 static void mux_session_confirm(struct ssh *, int, int, void *); 137 static void mux_stdio_confirm(struct ssh *, int, int, void *); 138 139 static int mux_master_process_hello(struct ssh *, u_int, 140 Channel *, struct sshbuf *, struct sshbuf *); 141 static int mux_master_process_new_session(struct ssh *, u_int, 142 Channel *, struct sshbuf *, struct sshbuf *); 143 static int mux_master_process_alive_check(struct ssh *, u_int, 144 Channel *, struct sshbuf *, struct sshbuf *); 145 static int mux_master_process_terminate(struct ssh *, u_int, 146 Channel *, struct sshbuf *, struct sshbuf *); 147 static int mux_master_process_open_fwd(struct ssh *, u_int, 148 Channel *, struct sshbuf *, struct sshbuf *); 149 static int mux_master_process_close_fwd(struct ssh *, u_int, 150 Channel *, struct sshbuf *, struct sshbuf *); 151 static int mux_master_process_stdio_fwd(struct ssh *, u_int, 152 Channel *, struct sshbuf *, struct sshbuf *); 153 static int mux_master_process_stop_listening(struct ssh *, u_int, 154 Channel *, struct sshbuf *, struct sshbuf *); 155 static int mux_master_process_proxy(struct ssh *, u_int, 156 Channel *, struct sshbuf *, struct sshbuf *); 157 158 static const struct { 159 u_int type; 160 int (*handler)(struct ssh *, u_int, Channel *, 161 struct sshbuf *, struct sshbuf *); 162 } mux_master_handlers[] = { 163 { MUX_MSG_HELLO, mux_master_process_hello }, 164 { MUX_C_NEW_SESSION, mux_master_process_new_session }, 165 { MUX_C_ALIVE_CHECK, mux_master_process_alive_check }, 166 { MUX_C_TERMINATE, mux_master_process_terminate }, 167 { MUX_C_OPEN_FWD, mux_master_process_open_fwd }, 168 { MUX_C_CLOSE_FWD, mux_master_process_close_fwd }, 169 { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd }, 170 { MUX_C_STOP_LISTENING, mux_master_process_stop_listening }, 171 { MUX_C_PROXY, mux_master_process_proxy }, 172 { 0, NULL } 173 }; 174 175 /* Cleanup callback fired on closure of mux client _session_ channel */ 176 static void 177 mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) 178 { 179 Channel *cc, *c = channel_by_id(ssh, cid); 180 181 debug3_f("entering for channel %d", cid); 182 if (c == NULL) 183 fatal_f("channel_by_id(%i) == NULL", cid); 184 if (c->ctl_chan != -1) { 185 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 186 fatal_f("channel %d missing control channel %d", 187 c->self, c->ctl_chan); 188 c->ctl_chan = -1; 189 cc->remote_id = 0; 190 cc->have_remote_id = 0; 191 chan_rcvd_oclose(ssh, cc); 192 } 193 channel_cancel_cleanup(ssh, c->self); 194 } 195 196 /* Cleanup callback fired on closure of mux client _control_ channel */ 197 static void 198 mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) 199 { 200 Channel *sc, *c = channel_by_id(ssh, cid); 201 202 debug3_f("entering for channel %d", cid); 203 if (c == NULL) 204 fatal_f("channel_by_id(%i) == NULL", cid); 205 if (c->have_remote_id) { 206 if ((sc = channel_by_id(ssh, c->remote_id)) == NULL) 207 fatal_f("channel %d missing session channel %u", 208 c->self, c->remote_id); 209 c->remote_id = 0; 210 c->have_remote_id = 0; 211 sc->ctl_chan = -1; 212 if (sc->type != SSH_CHANNEL_OPEN && 213 sc->type != SSH_CHANNEL_OPENING) { 214 debug2_f("channel %d: not open", sc->self); 215 chan_mark_dead(ssh, sc); 216 } else { 217 if (sc->istate == CHAN_INPUT_OPEN) 218 chan_read_failed(ssh, sc); 219 if (sc->ostate == CHAN_OUTPUT_OPEN) 220 chan_write_failed(ssh, sc); 221 } 222 } 223 channel_cancel_cleanup(ssh, c->self); 224 } 225 226 /* Check mux client environment variables before passing them to mux master. */ 227 static int 228 env_permitted(const char *env) 229 { 230 u_int i; 231 int ret; 232 char name[1024], *cp; 233 234 if ((cp = strchr(env, '=')) == NULL || cp == env) 235 return 0; 236 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env); 237 if (ret <= 0 || (size_t)ret >= sizeof(name)) { 238 error_f("name '%.100s...' too long", env); 239 return 0; 240 } 241 242 for (i = 0; i < options.num_send_env; i++) 243 if (match_pattern(name, options.send_env[i])) 244 return 1; 245 246 return 0; 247 } 248 249 /* Mux master protocol message handlers */ 250 251 static int 252 mux_master_process_hello(struct ssh *ssh, u_int rid, 253 Channel *c, struct sshbuf *m, struct sshbuf *reply) 254 { 255 u_int ver; 256 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 257 int r; 258 259 if (state == NULL) 260 fatal_f("channel %d: c->mux_ctx == NULL", c->self); 261 if (state->hello_rcvd) { 262 error_f("HELLO received twice"); 263 return -1; 264 } 265 if ((r = sshbuf_get_u32(m, &ver)) != 0) { 266 error_fr(r, "parse"); 267 return -1; 268 } 269 if (ver != SSHMUX_VER) { 270 error_f("unsupported multiplexing protocol version %u " 271 "(expected %u)", ver, SSHMUX_VER); 272 return -1; 273 } 274 debug2_f("channel %d client version %u", c->self, ver); 275 276 /* No extensions are presently defined */ 277 while (sshbuf_len(m) > 0) { 278 char *name = NULL; 279 size_t value_len = 0; 280 281 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 282 (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) { 283 error_fr(r, "parse extension"); 284 return -1; 285 } 286 debug2_f("Unrecognised extension \"%s\" length %zu", 287 name, value_len); 288 free(name); 289 } 290 state->hello_rcvd = 1; 291 return 0; 292 } 293 294 /* Enqueue a "ok" response to the reply buffer */ 295 static void 296 reply_ok(struct sshbuf *reply, u_int rid) 297 { 298 int r; 299 300 if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 || 301 (r = sshbuf_put_u32(reply, rid)) != 0) 302 fatal_fr(r, "reply"); 303 } 304 305 /* Enqueue an error response to the reply buffer */ 306 static void 307 reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg) 308 { 309 int r; 310 311 if ((r = sshbuf_put_u32(reply, type)) != 0 || 312 (r = sshbuf_put_u32(reply, rid)) != 0 || 313 (r = sshbuf_put_cstring(reply, msg)) != 0) 314 fatal_fr(r, "reply"); 315 } 316 317 static int 318 mux_master_process_new_session(struct ssh *ssh, u_int rid, 319 Channel *c, struct sshbuf *m, struct sshbuf *reply) 320 { 321 Channel *nc; 322 struct mux_session_confirm_ctx *cctx; 323 char *cmd, *cp; 324 u_int i, j, env_len, escape_char, window, packetmax; 325 int r, new_fd[3]; 326 327 /* Reply for SSHMUX_COMMAND_OPEN */ 328 cctx = xcalloc(1, sizeof(*cctx)); 329 cctx->term = NULL; 330 cctx->rid = rid; 331 cmd = NULL; 332 cctx->env = NULL; 333 env_len = 0; 334 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 335 (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 || 336 (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 || 337 (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 || 338 (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 || 339 (r = sshbuf_get_u32(m, &escape_char)) != 0 || 340 (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 || 341 (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) { 342 malf: 343 free(cmd); 344 for (j = 0; j < env_len; j++) 345 free(cctx->env[j]); 346 free(cctx->env); 347 free(cctx->term); 348 free(cctx); 349 error_f("malformed message"); 350 return -1; 351 } 352 353 #define MUX_MAX_ENV_VARS 4096 354 while (sshbuf_len(m) > 0) { 355 if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0) 356 goto malf; 357 if (!env_permitted(cp)) { 358 free(cp); 359 continue; 360 } 361 cctx->env = xreallocarray(cctx->env, env_len + 2, 362 sizeof(*cctx->env)); 363 cctx->env[env_len++] = cp; 364 cctx->env[env_len] = NULL; 365 if (env_len > MUX_MAX_ENV_VARS) { 366 error_f(">%d environment variables received, " 367 "ignoring additional", MUX_MAX_ENV_VARS); 368 break; 369 } 370 } 371 372 debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, " 373 "term \"%s\", cmd \"%s\", env %u", c->self, 374 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd, 375 cctx->want_subsys, cctx->term, cmd, env_len); 376 377 if ((cctx->cmd = sshbuf_new()) == NULL) 378 fatal_f("sshbuf_new"); 379 if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0) 380 fatal_fr(r, "sshbuf_put"); 381 free(cmd); 382 cmd = NULL; 383 384 /* Gather fds from client */ 385 for(i = 0; i < 3; i++) { 386 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 387 error_f("failed to receive fd %d from client", i); 388 for (j = 0; j < i; j++) 389 close(new_fd[j]); 390 for (j = 0; j < env_len; j++) 391 free(cctx->env[j]); 392 free(cctx->env); 393 free(cctx->term); 394 sshbuf_free(cctx->cmd); 395 free(cctx); 396 reply_error(reply, MUX_S_FAILURE, rid, 397 "did not receive file descriptors"); 398 return -1; 399 } 400 } 401 402 debug3_f("got fds stdin %d, stdout %d, stderr %d", 403 new_fd[0], new_fd[1], new_fd[2]); 404 405 /* XXX support multiple child sessions in future */ 406 if (c->have_remote_id) { 407 debug2_f("session already open"); 408 reply_error(reply, MUX_S_FAILURE, rid, 409 "Multiple sessions not supported"); 410 cleanup: 411 close(new_fd[0]); 412 close(new_fd[1]); 413 close(new_fd[2]); 414 free(cctx->term); 415 if (env_len != 0) { 416 for (i = 0; i < env_len; i++) 417 free(cctx->env[i]); 418 free(cctx->env); 419 } 420 sshbuf_free(cctx->cmd); 421 free(cctx); 422 return 0; 423 } 424 425 if (options.control_master == SSHCTL_MASTER_ASK || 426 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 427 if (!ask_permission("Allow shared connection to %s? ", host)) { 428 debug2_f("session refused by user"); 429 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 430 "Permission denied"); 431 goto cleanup; 432 } 433 } 434 435 /* Try to pick up ttymodes from client before it goes raw */ 436 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 437 error_f("tcgetattr: %s", strerror(errno)); 438 439 window = CHAN_SES_WINDOW_DEFAULT; 440 packetmax = CHAN_SES_PACKET_DEFAULT; 441 if (cctx->want_tty) { 442 window >>= 1; 443 packetmax >>= 1; 444 } 445 446 nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, 447 new_fd[0], new_fd[1], new_fd[2], window, packetmax, 448 CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); 449 450 nc->ctl_chan = c->self; /* link session -> control channel */ 451 c->remote_id = nc->self; /* link control -> session channel */ 452 c->have_remote_id = 1; 453 454 if (cctx->want_tty && escape_char != 0xffffffff) { 455 channel_register_filter(ssh, nc->self, 456 client_simple_escape_filter, NULL, 457 client_filter_cleanup, 458 client_new_escape_filter_ctx((int)escape_char)); 459 } 460 461 debug2_f("channel_new: %d linked to control channel %d", 462 nc->self, nc->ctl_chan); 463 464 channel_send_open(ssh, nc->self); 465 channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx); 466 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 467 channel_register_cleanup(ssh, nc->self, 468 mux_master_session_cleanup_cb, 1); 469 470 /* reply is deferred, sent by mux_session_confirm */ 471 return 0; 472 } 473 474 static int 475 mux_master_process_alive_check(struct ssh *ssh, u_int rid, 476 Channel *c, struct sshbuf *m, struct sshbuf *reply) 477 { 478 int r; 479 480 debug2_f("channel %d: alive check", c->self); 481 482 /* prepare reply */ 483 if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 || 484 (r = sshbuf_put_u32(reply, rid)) != 0 || 485 (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0) 486 fatal_fr(r, "reply"); 487 488 return 0; 489 } 490 491 static int 492 mux_master_process_terminate(struct ssh *ssh, u_int rid, 493 Channel *c, struct sshbuf *m, struct sshbuf *reply) 494 { 495 debug2_f("channel %d: terminate request", c->self); 496 497 if (options.control_master == SSHCTL_MASTER_ASK || 498 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 499 if (!ask_permission("Terminate shared connection to %s? ", 500 host)) { 501 debug2_f("termination refused by user"); 502 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 503 "Permission denied"); 504 return 0; 505 } 506 } 507 508 quit_pending = 1; 509 reply_ok(reply, rid); 510 /* XXX exit happens too soon - message never makes it to client */ 511 return 0; 512 } 513 514 static char * 515 format_forward(u_int ftype, struct Forward *fwd) 516 { 517 char *ret; 518 519 switch (ftype) { 520 case MUX_FWD_LOCAL: 521 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d", 522 (fwd->listen_path != NULL) ? fwd->listen_path : 523 (fwd->listen_host == NULL) ? 524 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 525 fwd->listen_host, fwd->listen_port, 526 (fwd->connect_path != NULL) ? fwd->connect_path : 527 fwd->connect_host, fwd->connect_port); 528 break; 529 case MUX_FWD_DYNAMIC: 530 xasprintf(&ret, "dynamic forward %.200s:%d -> *", 531 (fwd->listen_host == NULL) ? 532 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 533 fwd->listen_host, fwd->listen_port); 534 break; 535 case MUX_FWD_REMOTE: 536 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d", 537 (fwd->listen_path != NULL) ? fwd->listen_path : 538 (fwd->listen_host == NULL) ? 539 "LOCALHOST" : fwd->listen_host, 540 fwd->listen_port, 541 (fwd->connect_path != NULL) ? fwd->connect_path : 542 fwd->connect_host, fwd->connect_port); 543 break; 544 default: 545 fatal_f("unknown forward type %u", ftype); 546 } 547 return ret; 548 } 549 550 static int 551 compare_host(const char *a, const char *b) 552 { 553 if (a == NULL && b == NULL) 554 return 1; 555 if (a == NULL || b == NULL) 556 return 0; 557 return strcmp(a, b) == 0; 558 } 559 560 static int 561 compare_forward(struct Forward *a, struct Forward *b) 562 { 563 if (!compare_host(a->listen_host, b->listen_host)) 564 return 0; 565 if (!compare_host(a->listen_path, b->listen_path)) 566 return 0; 567 if (a->listen_port != b->listen_port) 568 return 0; 569 if (!compare_host(a->connect_host, b->connect_host)) 570 return 0; 571 if (!compare_host(a->connect_path, b->connect_path)) 572 return 0; 573 if (a->connect_port != b->connect_port) 574 return 0; 575 576 return 1; 577 } 578 579 static void 580 mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt) 581 { 582 struct mux_channel_confirm_ctx *fctx = ctxt; 583 char *failmsg = NULL; 584 struct Forward *rfwd; 585 Channel *c; 586 struct sshbuf *out; 587 u_int port; 588 int r; 589 590 if ((c = channel_by_id(ssh, fctx->cid)) == NULL) { 591 /* no channel for reply */ 592 error_f("unknown channel"); 593 return; 594 } 595 if ((out = sshbuf_new()) == NULL) 596 fatal_f("sshbuf_new"); 597 if (fctx->fid >= options.num_remote_forwards || 598 (options.remote_forwards[fctx->fid].connect_path == NULL && 599 options.remote_forwards[fctx->fid].connect_host == NULL)) { 600 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid); 601 goto fail; 602 } 603 rfwd = &options.remote_forwards[fctx->fid]; 604 debug_f("%s for: listen %d, connect %s:%d", 605 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 606 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path : 607 rfwd->connect_host, rfwd->connect_port); 608 if (type == SSH2_MSG_REQUEST_SUCCESS) { 609 if (rfwd->listen_port == 0) { 610 if ((r = sshpkt_get_u32(ssh, &port)) != 0) 611 fatal_fr(r, "parse port"); 612 if (port > 65535) { 613 fatal("Invalid allocated port %u for " 614 "mux remote forward to %s:%d", port, 615 rfwd->connect_host, rfwd->connect_port); 616 } 617 rfwd->allocated_port = (int)port; 618 debug("Allocated port %u for mux remote forward" 619 " to %s:%d", rfwd->allocated_port, 620 rfwd->connect_host, rfwd->connect_port); 621 if ((r = sshbuf_put_u32(out, 622 MUX_S_REMOTE_PORT)) != 0 || 623 (r = sshbuf_put_u32(out, fctx->rid)) != 0 || 624 (r = sshbuf_put_u32(out, 625 rfwd->allocated_port)) != 0) 626 fatal_fr(r, "reply"); 627 channel_update_permission(ssh, rfwd->handle, 628 rfwd->allocated_port); 629 } else { 630 reply_ok(out, fctx->rid); 631 } 632 goto out; 633 } else { 634 if (rfwd->listen_port == 0) 635 channel_update_permission(ssh, rfwd->handle, -1); 636 if (rfwd->listen_path != NULL) 637 xasprintf(&failmsg, "remote port forwarding failed for " 638 "listen path %s", rfwd->listen_path); 639 else 640 xasprintf(&failmsg, "remote port forwarding failed for " 641 "listen port %d", rfwd->listen_port); 642 643 debug2_f("clearing registered forwarding for listen %d, " 644 "connect %s:%d", rfwd->listen_port, 645 rfwd->connect_path ? rfwd->connect_path : 646 rfwd->connect_host, rfwd->connect_port); 647 648 free(rfwd->listen_host); 649 free(rfwd->listen_path); 650 free(rfwd->connect_host); 651 free(rfwd->connect_path); 652 memset(rfwd, 0, sizeof(*rfwd)); 653 } 654 fail: 655 error_f("%s", failmsg); 656 reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg); 657 free(failmsg); 658 out: 659 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 660 fatal_fr(r, "enqueue"); 661 sshbuf_free(out); 662 if (c->mux_pause <= 0) 663 fatal_f("mux_pause %d", c->mux_pause); 664 c->mux_pause = 0; /* start processing messages again */ 665 } 666 667 static int 668 mux_master_process_open_fwd(struct ssh *ssh, u_int rid, 669 Channel *c, struct sshbuf *m, struct sshbuf *reply) 670 { 671 struct Forward fwd; 672 char *fwd_desc = NULL; 673 char *listen_addr, *connect_addr; 674 u_int ftype; 675 u_int lport, cport; 676 int r, i, ret = 0, freefwd = 1; 677 678 memset(&fwd, 0, sizeof(fwd)); 679 680 /* XXX - lport/cport check redundant */ 681 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 682 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 683 (r = sshbuf_get_u32(m, &lport)) != 0 || 684 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 685 (r = sshbuf_get_u32(m, &cport)) != 0 || 686 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 687 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 688 error_f("malformed message"); 689 ret = -1; 690 goto out; 691 } 692 if (*listen_addr == '\0') { 693 free(listen_addr); 694 listen_addr = NULL; 695 } 696 if (*connect_addr == '\0') { 697 free(connect_addr); 698 connect_addr = NULL; 699 } 700 701 memset(&fwd, 0, sizeof(fwd)); 702 fwd.listen_port = lport; 703 if (fwd.listen_port == PORT_STREAMLOCAL) 704 fwd.listen_path = listen_addr; 705 else 706 fwd.listen_host = listen_addr; 707 fwd.connect_port = cport; 708 if (fwd.connect_port == PORT_STREAMLOCAL) 709 fwd.connect_path = connect_addr; 710 else 711 fwd.connect_host = connect_addr; 712 713 debug2_f("channel %d: request %s", c->self, 714 (fwd_desc = format_forward(ftype, &fwd))); 715 716 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE && 717 ftype != MUX_FWD_DYNAMIC) { 718 logit_f("invalid forwarding type %u", ftype); 719 invalid: 720 free(listen_addr); 721 free(connect_addr); 722 reply_error(reply, MUX_S_FAILURE, rid, 723 "Invalid forwarding request"); 724 return 0; 725 } 726 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) { 727 logit_f("streamlocal and dynamic forwards " 728 "are mutually exclusive"); 729 goto invalid; 730 } 731 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) { 732 logit_f("invalid listen port %u", fwd.listen_port); 733 goto invalid; 734 } 735 if ((fwd.connect_port != PORT_STREAMLOCAL && 736 fwd.connect_port >= 65536) || 737 (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && 738 fwd.connect_port == 0)) { 739 logit_f("invalid connect port %u", 740 fwd.connect_port); 741 goto invalid; 742 } 743 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && 744 fwd.connect_path == NULL) { 745 logit_f("missing connect host"); 746 goto invalid; 747 } 748 749 /* Skip forwards that have already been requested */ 750 switch (ftype) { 751 case MUX_FWD_LOCAL: 752 case MUX_FWD_DYNAMIC: 753 for (i = 0; i < options.num_local_forwards; i++) { 754 if (compare_forward(&fwd, 755 options.local_forwards + i)) { 756 exists: 757 debug2_f("found existing forwarding"); 758 reply_ok(reply, rid); 759 goto out; 760 } 761 } 762 break; 763 case MUX_FWD_REMOTE: 764 for (i = 0; i < options.num_remote_forwards; i++) { 765 if (!compare_forward(&fwd, options.remote_forwards + i)) 766 continue; 767 if (fwd.listen_port != 0) 768 goto exists; 769 debug2_f("found allocated port"); 770 if ((r = sshbuf_put_u32(reply, 771 MUX_S_REMOTE_PORT)) != 0 || 772 (r = sshbuf_put_u32(reply, rid)) != 0 || 773 (r = sshbuf_put_u32(reply, 774 options.remote_forwards[i].allocated_port)) != 0) 775 fatal_fr(r, "reply FWD_REMOTE"); 776 goto out; 777 } 778 break; 779 } 780 781 if (options.control_master == SSHCTL_MASTER_ASK || 782 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 783 if (!ask_permission("Open %s on %s?", fwd_desc, host)) { 784 debug2_f("forwarding refused by user"); 785 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 786 "Permission denied"); 787 goto out; 788 } 789 } 790 791 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 792 if (!channel_setup_local_fwd_listener(ssh, &fwd, 793 &options.fwd_opts)) { 794 fail: 795 logit_f("requested %s failed", fwd_desc); 796 reply_error(reply, MUX_S_FAILURE, rid, 797 "Port forwarding failed"); 798 goto out; 799 } 800 add_local_forward(&options, &fwd); 801 freefwd = 0; 802 } else { 803 struct mux_channel_confirm_ctx *fctx; 804 805 fwd.handle = channel_request_remote_forwarding(ssh, &fwd); 806 if (fwd.handle < 0) 807 goto fail; 808 add_remote_forward(&options, &fwd); 809 fctx = xcalloc(1, sizeof(*fctx)); 810 fctx->cid = c->self; 811 fctx->rid = rid; 812 fctx->fid = options.num_remote_forwards - 1; 813 client_register_global_confirm(mux_confirm_remote_forward, 814 fctx); 815 freefwd = 0; 816 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */ 817 /* delayed reply in mux_confirm_remote_forward */ 818 goto out; 819 } 820 reply_ok(reply, rid); 821 out: 822 free(fwd_desc); 823 if (freefwd) { 824 free(fwd.listen_host); 825 free(fwd.listen_path); 826 free(fwd.connect_host); 827 free(fwd.connect_path); 828 } 829 return ret; 830 } 831 832 static int 833 mux_master_process_close_fwd(struct ssh *ssh, u_int rid, 834 Channel *c, struct sshbuf *m, struct sshbuf *reply) 835 { 836 struct Forward fwd, *found_fwd; 837 char *fwd_desc = NULL; 838 const char *error_reason = NULL; 839 char *listen_addr = NULL, *connect_addr = NULL; 840 u_int ftype; 841 int r, i, ret = 0; 842 u_int lport, cport; 843 844 memset(&fwd, 0, sizeof(fwd)); 845 846 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 847 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 848 (r = sshbuf_get_u32(m, &lport)) != 0 || 849 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 850 (r = sshbuf_get_u32(m, &cport)) != 0 || 851 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 852 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 853 error_f("malformed message"); 854 ret = -1; 855 goto out; 856 } 857 858 if (*listen_addr == '\0') { 859 free(listen_addr); 860 listen_addr = NULL; 861 } 862 if (*connect_addr == '\0') { 863 free(connect_addr); 864 connect_addr = NULL; 865 } 866 867 memset(&fwd, 0, sizeof(fwd)); 868 fwd.listen_port = lport; 869 if (fwd.listen_port == PORT_STREAMLOCAL) 870 fwd.listen_path = listen_addr; 871 else 872 fwd.listen_host = listen_addr; 873 fwd.connect_port = cport; 874 if (fwd.connect_port == PORT_STREAMLOCAL) 875 fwd.connect_path = connect_addr; 876 else 877 fwd.connect_host = connect_addr; 878 879 debug2_f("channel %d: request cancel %s", c->self, 880 (fwd_desc = format_forward(ftype, &fwd))); 881 882 /* make sure this has been requested */ 883 found_fwd = NULL; 884 switch (ftype) { 885 case MUX_FWD_LOCAL: 886 case MUX_FWD_DYNAMIC: 887 for (i = 0; i < options.num_local_forwards; i++) { 888 if (compare_forward(&fwd, 889 options.local_forwards + i)) { 890 found_fwd = options.local_forwards + i; 891 break; 892 } 893 } 894 break; 895 case MUX_FWD_REMOTE: 896 for (i = 0; i < options.num_remote_forwards; i++) { 897 if (compare_forward(&fwd, 898 options.remote_forwards + i)) { 899 found_fwd = options.remote_forwards + i; 900 break; 901 } 902 } 903 break; 904 } 905 906 if (found_fwd == NULL) 907 error_reason = "port not forwarded"; 908 else if (ftype == MUX_FWD_REMOTE) { 909 /* 910 * This shouldn't fail unless we confused the host/port 911 * between options.remote_forwards and permitted_opens. 912 * However, for dynamic allocated listen ports we need 913 * to use the actual listen port. 914 */ 915 if (channel_request_rforward_cancel(ssh, found_fwd) == -1) 916 error_reason = "port not in permitted opens"; 917 } else { /* local and dynamic forwards */ 918 /* Ditto */ 919 if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port, 920 &options.fwd_opts) == -1) 921 error_reason = "port not found"; 922 } 923 924 if (error_reason != NULL) 925 reply_error(reply, MUX_S_FAILURE, rid, error_reason); 926 else { 927 reply_ok(reply, rid); 928 free(found_fwd->listen_host); 929 free(found_fwd->listen_path); 930 free(found_fwd->connect_host); 931 free(found_fwd->connect_path); 932 found_fwd->listen_host = found_fwd->connect_host = NULL; 933 found_fwd->listen_path = found_fwd->connect_path = NULL; 934 found_fwd->listen_port = found_fwd->connect_port = 0; 935 } 936 out: 937 free(fwd_desc); 938 free(listen_addr); 939 free(connect_addr); 940 941 return ret; 942 } 943 944 static int 945 mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid, 946 Channel *c, struct sshbuf *m, struct sshbuf *reply) 947 { 948 Channel *nc; 949 char *chost = NULL; 950 u_int cport, i, j; 951 int r, new_fd[2]; 952 struct mux_stdio_confirm_ctx *cctx; 953 954 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 955 (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 || 956 (r = sshbuf_get_u32(m, &cport)) != 0) { 957 free(chost); 958 error_f("malformed message"); 959 return -1; 960 } 961 962 debug2_f("channel %d: stdio fwd to %s:%u", c->self, chost, cport); 963 964 /* Gather fds from client */ 965 for(i = 0; i < 2; i++) { 966 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 967 error_f("failed to receive fd %d from client", i); 968 for (j = 0; j < i; j++) 969 close(new_fd[j]); 970 free(chost); 971 972 /* prepare reply */ 973 reply_error(reply, MUX_S_FAILURE, rid, 974 "did not receive file descriptors"); 975 return -1; 976 } 977 } 978 979 debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]); 980 981 /* XXX support multiple child sessions in future */ 982 if (c->have_remote_id) { 983 debug2_f("session already open"); 984 reply_error(reply, MUX_S_FAILURE, rid, 985 "Multiple sessions not supported"); 986 cleanup: 987 close(new_fd[0]); 988 close(new_fd[1]); 989 free(chost); 990 return 0; 991 } 992 993 if (options.control_master == SSHCTL_MASTER_ASK || 994 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 995 if (!ask_permission("Allow forward to %s:%u? ", 996 chost, cport)) { 997 debug2_f("stdio fwd refused by user"); 998 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 999 "Permission denied"); 1000 goto cleanup; 1001 } 1002 } 1003 1004 nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1], 1005 CHANNEL_NONBLOCK_STDIO); 1006 free(chost); 1007 1008 nc->ctl_chan = c->self; /* link session -> control channel */ 1009 c->remote_id = nc->self; /* link control -> session channel */ 1010 c->have_remote_id = 1; 1011 1012 debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan); 1013 1014 channel_register_cleanup(ssh, nc->self, 1015 mux_master_session_cleanup_cb, 1); 1016 1017 cctx = xcalloc(1, sizeof(*cctx)); 1018 cctx->rid = rid; 1019 channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx); 1020 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 1021 1022 /* reply is deferred, sent by mux_session_confirm */ 1023 return 0; 1024 } 1025 1026 /* Callback on open confirmation in mux master for a mux stdio fwd session. */ 1027 static void 1028 mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg) 1029 { 1030 struct mux_stdio_confirm_ctx *cctx = arg; 1031 Channel *c, *cc; 1032 struct sshbuf *reply; 1033 int r; 1034 1035 if (cctx == NULL) 1036 fatal_f("cctx == NULL"); 1037 if ((c = channel_by_id(ssh, id)) == NULL) 1038 fatal_f("no channel for id %d", id); 1039 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1040 fatal_f("channel %d lacks control channel %d", 1041 id, c->ctl_chan); 1042 if ((reply = sshbuf_new()) == NULL) 1043 fatal_f("sshbuf_new"); 1044 1045 if (!success) { 1046 debug3_f("sending failure reply"); 1047 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1048 "Session open refused by peer"); 1049 /* prepare reply */ 1050 goto done; 1051 } 1052 1053 debug3_f("sending success reply"); 1054 /* prepare reply */ 1055 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1056 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1057 (r = sshbuf_put_u32(reply, c->self)) != 0) 1058 fatal_fr(r, "reply"); 1059 1060 done: 1061 /* Send reply */ 1062 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1063 fatal_fr(r, "enqueue"); 1064 sshbuf_free(reply); 1065 1066 if (cc->mux_pause <= 0) 1067 fatal_f("mux_pause %d", cc->mux_pause); 1068 cc->mux_pause = 0; /* start processing messages again */ 1069 c->open_confirm_ctx = NULL; 1070 free(cctx); 1071 } 1072 1073 static int 1074 mux_master_process_stop_listening(struct ssh *ssh, u_int rid, 1075 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1076 { 1077 debug_f("channel %d: stop listening", c->self); 1078 1079 if (options.control_master == SSHCTL_MASTER_ASK || 1080 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1081 if (!ask_permission("Disable further multiplexing on shared " 1082 "connection to %s? ", host)) { 1083 debug2_f("stop listen refused by user"); 1084 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1085 "Permission denied"); 1086 return 0; 1087 } 1088 } 1089 1090 if (mux_listener_channel != NULL) { 1091 channel_free(ssh, mux_listener_channel); 1092 client_stop_mux(); 1093 free(options.control_path); 1094 options.control_path = NULL; 1095 mux_listener_channel = NULL; 1096 muxserver_sock = -1; 1097 } 1098 1099 reply_ok(reply, rid); 1100 return 0; 1101 } 1102 1103 static int 1104 mux_master_process_proxy(struct ssh *ssh, u_int rid, 1105 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1106 { 1107 int r; 1108 1109 debug_f("channel %d: proxy request", c->self); 1110 1111 c->mux_rcb = channel_proxy_downstream; 1112 if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 || 1113 (r = sshbuf_put_u32(reply, rid)) != 0) 1114 fatal_fr(r, "reply"); 1115 1116 return 0; 1117 } 1118 1119 /* Channel callbacks fired on read/write from mux client fd */ 1120 static int 1121 mux_master_read_cb(struct ssh *ssh, Channel *c) 1122 { 1123 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 1124 struct sshbuf *in = NULL, *out = NULL; 1125 u_int type, rid, i; 1126 int r, ret = -1; 1127 1128 if ((out = sshbuf_new()) == NULL) 1129 fatal_f("sshbuf_new"); 1130 1131 /* Setup ctx and */ 1132 if (c->mux_ctx == NULL) { 1133 state = xcalloc(1, sizeof(*state)); 1134 c->mux_ctx = state; 1135 channel_register_cleanup(ssh, c->self, 1136 mux_master_control_cleanup_cb, 0); 1137 1138 /* Send hello */ 1139 if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 || 1140 (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0) 1141 fatal_fr(r, "reply"); 1142 /* no extensions */ 1143 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 1144 fatal_fr(r, "enqueue"); 1145 debug3_f("channel %d: hello sent", c->self); 1146 ret = 0; 1147 goto out; 1148 } 1149 1150 /* Channel code ensures that we receive whole packets */ 1151 if ((r = sshbuf_froms(c->input, &in)) != 0) { 1152 malf: 1153 error_f("malformed message"); 1154 goto out; 1155 } 1156 1157 if ((r = sshbuf_get_u32(in, &type)) != 0) 1158 goto malf; 1159 debug3_f("channel %d packet type 0x%08x len %zu", c->self, 1160 type, sshbuf_len(in)); 1161 1162 if (type == MUX_MSG_HELLO) 1163 rid = 0; 1164 else { 1165 if (!state->hello_rcvd) { 1166 error_f("expected MUX_MSG_HELLO(0x%08x), " 1167 "received 0x%08x", MUX_MSG_HELLO, type); 1168 goto out; 1169 } 1170 if ((r = sshbuf_get_u32(in, &rid)) != 0) 1171 goto malf; 1172 } 1173 1174 for (i = 0; mux_master_handlers[i].handler != NULL; i++) { 1175 if (type == mux_master_handlers[i].type) { 1176 ret = mux_master_handlers[i].handler(ssh, rid, 1177 c, in, out); 1178 break; 1179 } 1180 } 1181 if (mux_master_handlers[i].handler == NULL) { 1182 error_f("unsupported mux message 0x%08x", type); 1183 reply_error(out, MUX_S_FAILURE, rid, "unsupported request"); 1184 ret = 0; 1185 } 1186 /* Enqueue reply packet */ 1187 if (sshbuf_len(out) != 0 && 1188 (r = sshbuf_put_stringb(c->output, out)) != 0) 1189 fatal_fr(r, "enqueue"); 1190 out: 1191 sshbuf_free(in); 1192 sshbuf_free(out); 1193 return ret; 1194 } 1195 1196 void 1197 mux_exit_message(struct ssh *ssh, Channel *c, int exitval) 1198 { 1199 struct sshbuf *m; 1200 Channel *mux_chan; 1201 int r; 1202 1203 debug3_f("channel %d: exit message, exitval %d", c->self, exitval); 1204 1205 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1206 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1207 1208 /* Append exit message packet to control socket output queue */ 1209 if ((m = sshbuf_new()) == NULL) 1210 fatal_f("sshbuf_new"); 1211 if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 || 1212 (r = sshbuf_put_u32(m, c->self)) != 0 || 1213 (r = sshbuf_put_u32(m, exitval)) != 0 || 1214 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1215 fatal_fr(r, "reply"); 1216 sshbuf_free(m); 1217 } 1218 1219 void 1220 mux_tty_alloc_failed(struct ssh *ssh, Channel *c) 1221 { 1222 struct sshbuf *m; 1223 Channel *mux_chan; 1224 int r; 1225 1226 debug3_f("channel %d: TTY alloc failed", c->self); 1227 1228 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1229 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1230 1231 /* Append exit message packet to control socket output queue */ 1232 if ((m = sshbuf_new()) == NULL) 1233 fatal_f("sshbuf_new"); 1234 if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 || 1235 (r = sshbuf_put_u32(m, c->self)) != 0 || 1236 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1237 fatal_fr(r, "reply"); 1238 sshbuf_free(m); 1239 } 1240 1241 /* Prepare a mux master to listen on a Unix domain socket. */ 1242 void 1243 muxserver_listen(struct ssh *ssh) 1244 { 1245 mode_t old_umask; 1246 char *orig_control_path = options.control_path; 1247 char rbuf[16+1]; 1248 u_int i, r; 1249 int oerrno; 1250 1251 if (options.control_path == NULL || 1252 options.control_master == SSHCTL_MASTER_NO) 1253 return; 1254 1255 debug("setting up multiplex master socket"); 1256 1257 /* 1258 * Use a temporary path before listen so we can pseudo-atomically 1259 * establish the listening socket in its final location to avoid 1260 * other processes racing in between bind() and listen() and hitting 1261 * an unready socket. 1262 */ 1263 for (i = 0; i < sizeof(rbuf) - 1; i++) { 1264 r = arc4random_uniform(26+26+10); 1265 rbuf[i] = (r < 26) ? 'a' + r : 1266 (r < 26*2) ? 'A' + r - 26 : 1267 '0' + r - 26 - 26; 1268 } 1269 rbuf[sizeof(rbuf) - 1] = '\0'; 1270 options.control_path = NULL; 1271 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf); 1272 debug3_f("temporary control path %s", options.control_path); 1273 1274 old_umask = umask(0177); 1275 muxserver_sock = unix_listener(options.control_path, 64, 0); 1276 oerrno = errno; 1277 umask(old_umask); 1278 if (muxserver_sock < 0) { 1279 if (oerrno == EINVAL || oerrno == EADDRINUSE) { 1280 error("ControlSocket %s already exists, " 1281 "disabling multiplexing", options.control_path); 1282 disable_mux_master: 1283 if (muxserver_sock != -1) { 1284 close(muxserver_sock); 1285 muxserver_sock = -1; 1286 } 1287 free(orig_control_path); 1288 free(options.control_path); 1289 options.control_path = NULL; 1290 options.control_master = SSHCTL_MASTER_NO; 1291 return; 1292 } else { 1293 /* unix_listener() logs the error */ 1294 cleanup_exit(255); 1295 } 1296 } 1297 1298 /* Now atomically "move" the mux socket into position */ 1299 if (link(options.control_path, orig_control_path) != 0) { 1300 if (errno != EEXIST) { 1301 fatal_f("link mux listener %s => %s: %s", 1302 options.control_path, orig_control_path, 1303 strerror(errno)); 1304 } 1305 error("ControlSocket %s already exists, disabling multiplexing", 1306 orig_control_path); 1307 unlink(options.control_path); 1308 goto disable_mux_master; 1309 } 1310 unlink(options.control_path); 1311 free(options.control_path); 1312 options.control_path = orig_control_path; 1313 1314 set_nonblock(muxserver_sock); 1315 1316 mux_listener_channel = channel_new(ssh, "mux listener", 1317 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1, 1318 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1319 0, options.control_path, 1); 1320 mux_listener_channel->mux_rcb = mux_master_read_cb; 1321 debug3_f("mux listener channel %d fd %d", 1322 mux_listener_channel->self, mux_listener_channel->sock); 1323 } 1324 1325 /* Callback on open confirmation in mux master for a mux client session. */ 1326 static void 1327 mux_session_confirm(struct ssh *ssh, int id, int success, void *arg) 1328 { 1329 struct mux_session_confirm_ctx *cctx = arg; 1330 const char *display; 1331 Channel *c, *cc; 1332 int i, r; 1333 struct sshbuf *reply; 1334 1335 if (cctx == NULL) 1336 fatal_f("cctx == NULL"); 1337 if ((c = channel_by_id(ssh, id)) == NULL) 1338 fatal_f("no channel for id %d", id); 1339 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1340 fatal_f("channel %d lacks control channel %d", 1341 id, c->ctl_chan); 1342 if ((reply = sshbuf_new()) == NULL) 1343 fatal_f("sshbuf_new"); 1344 1345 if (!success) { 1346 debug3_f("sending failure reply"); 1347 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1348 "Session open refused by peer"); 1349 goto done; 1350 } 1351 1352 display = getenv("DISPLAY"); 1353 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 1354 char *proto, *data; 1355 1356 /* Get reasonable local authentication information. */ 1357 if (client_x11_get_proto(ssh, display, options.xauth_location, 1358 options.forward_x11_trusted, options.forward_x11_timeout, 1359 &proto, &data) == 0) { 1360 /* Request forwarding with authentication spoofing. */ 1361 debug("Requesting X11 forwarding with authentication " 1362 "spoofing."); 1363 x11_request_forwarding_with_spoofing(ssh, id, 1364 display, proto, data, 1); 1365 /* XXX exit_on_forward_failure */ 1366 client_expect_confirm(ssh, id, "X11 forwarding", 1367 CONFIRM_WARN); 1368 } 1369 } 1370 1371 if (cctx->want_agent_fwd && options.forward_agent) { 1372 debug("Requesting authentication agent forwarding."); 1373 channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0); 1374 if ((r = sshpkt_send(ssh)) != 0) 1375 fatal_fr(r, "send"); 1376 } 1377 1378 client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys, 1379 cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env); 1380 1381 debug3_f("sending success reply"); 1382 /* prepare reply */ 1383 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1384 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1385 (r = sshbuf_put_u32(reply, c->self)) != 0) 1386 fatal_fr(r, "reply"); 1387 1388 done: 1389 /* Send reply */ 1390 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1391 fatal_fr(r, "enqueue"); 1392 sshbuf_free(reply); 1393 1394 if (cc->mux_pause <= 0) 1395 fatal_f("mux_pause %d", cc->mux_pause); 1396 cc->mux_pause = 0; /* start processing messages again */ 1397 c->open_confirm_ctx = NULL; 1398 sshbuf_free(cctx->cmd); 1399 free(cctx->term); 1400 if (cctx->env != NULL) { 1401 for (i = 0; cctx->env[i] != NULL; i++) 1402 free(cctx->env[i]); 1403 free(cctx->env); 1404 } 1405 free(cctx); 1406 } 1407 1408 /* ** Multiplexing client support */ 1409 1410 /* Exit signal handler */ 1411 static void 1412 control_client_sighandler(int signo) 1413 { 1414 muxclient_terminate = signo; 1415 } 1416 1417 /* 1418 * Relay signal handler - used to pass some signals from mux client to 1419 * mux master. 1420 */ 1421 static void 1422 control_client_sigrelay(int signo) 1423 { 1424 int save_errno = errno; 1425 1426 if (muxserver_pid > 1) 1427 kill(muxserver_pid, signo); 1428 1429 errno = save_errno; 1430 } 1431 1432 static int 1433 mux_client_read(int fd, struct sshbuf *b, size_t need) 1434 { 1435 size_t have; 1436 ssize_t len; 1437 u_char *p; 1438 struct pollfd pfd; 1439 int r; 1440 1441 pfd.fd = fd; 1442 pfd.events = POLLIN; 1443 if ((r = sshbuf_reserve(b, need, &p)) != 0) 1444 fatal_fr(r, "reserve"); 1445 for (have = 0; have < need; ) { 1446 if (muxclient_terminate) { 1447 errno = EINTR; 1448 return -1; 1449 } 1450 len = read(fd, p + have, need - have); 1451 if (len == -1) { 1452 switch (errno) { 1453 case EAGAIN: 1454 (void)poll(&pfd, 1, -1); 1455 /* FALLTHROUGH */ 1456 case EINTR: 1457 continue; 1458 default: 1459 return -1; 1460 } 1461 } 1462 if (len == 0) { 1463 errno = EPIPE; 1464 return -1; 1465 } 1466 have += (size_t)len; 1467 } 1468 return 0; 1469 } 1470 1471 static int 1472 mux_client_write_packet(int fd, struct sshbuf *m) 1473 { 1474 struct sshbuf *queue; 1475 u_int have, need; 1476 int r, oerrno, len; 1477 const u_char *ptr; 1478 struct pollfd pfd; 1479 1480 pfd.fd = fd; 1481 pfd.events = POLLOUT; 1482 if ((queue = sshbuf_new()) == NULL) 1483 fatal_f("sshbuf_new"); 1484 if ((r = sshbuf_put_stringb(queue, m)) != 0) 1485 fatal_fr(r, "enqueue"); 1486 1487 need = sshbuf_len(queue); 1488 ptr = sshbuf_ptr(queue); 1489 1490 for (have = 0; have < need; ) { 1491 if (muxclient_terminate) { 1492 sshbuf_free(queue); 1493 errno = EINTR; 1494 return -1; 1495 } 1496 len = write(fd, ptr + have, need - have); 1497 if (len == -1) { 1498 switch (errno) { 1499 case EAGAIN: 1500 (void)poll(&pfd, 1, -1); 1501 /* FALLTHROUGH */ 1502 case EINTR: 1503 continue; 1504 default: 1505 oerrno = errno; 1506 sshbuf_free(queue); 1507 errno = oerrno; 1508 return -1; 1509 } 1510 } 1511 if (len == 0) { 1512 sshbuf_free(queue); 1513 errno = EPIPE; 1514 return -1; 1515 } 1516 have += (u_int)len; 1517 } 1518 sshbuf_free(queue); 1519 return 0; 1520 } 1521 1522 static int 1523 mux_client_read_packet(int fd, struct sshbuf *m) 1524 { 1525 struct sshbuf *queue; 1526 size_t need, have; 1527 const u_char *ptr; 1528 int r, oerrno; 1529 1530 if ((queue = sshbuf_new()) == NULL) 1531 fatal_f("sshbuf_new"); 1532 if (mux_client_read(fd, queue, 4) != 0) { 1533 if ((oerrno = errno) == EPIPE) 1534 debug3_f("read header failed: %s", 1535 strerror(errno)); 1536 sshbuf_free(queue); 1537 errno = oerrno; 1538 return -1; 1539 } 1540 need = PEEK_U32(sshbuf_ptr(queue)); 1541 if (mux_client_read(fd, queue, need) != 0) { 1542 oerrno = errno; 1543 debug3_f("read body failed: %s", strerror(errno)); 1544 sshbuf_free(queue); 1545 errno = oerrno; 1546 return -1; 1547 } 1548 if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 || 1549 (r = sshbuf_put(m, ptr, have)) != 0) 1550 fatal_fr(r, "dequeue"); 1551 sshbuf_free(queue); 1552 return 0; 1553 } 1554 1555 static int 1556 mux_client_hello_exchange(int fd) 1557 { 1558 struct sshbuf *m; 1559 u_int type, ver; 1560 int r, ret = -1; 1561 1562 if ((m = sshbuf_new()) == NULL) 1563 fatal_f("sshbuf_new"); 1564 if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 || 1565 (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0) 1566 fatal_fr(r, "assemble hello"); 1567 /* no extensions */ 1568 1569 if (mux_client_write_packet(fd, m) != 0) { 1570 debug_f("write packet: %s", strerror(errno)); 1571 goto out; 1572 } 1573 1574 sshbuf_reset(m); 1575 1576 /* Read their HELLO */ 1577 if (mux_client_read_packet(fd, m) != 0) { 1578 debug_f("read packet failed"); 1579 goto out; 1580 } 1581 1582 if ((r = sshbuf_get_u32(m, &type)) != 0) 1583 fatal_fr(r, "parse type"); 1584 if (type != MUX_MSG_HELLO) { 1585 error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type); 1586 goto out; 1587 } 1588 if ((r = sshbuf_get_u32(m, &ver)) != 0) 1589 fatal_fr(r, "parse version"); 1590 if (ver != SSHMUX_VER) { 1591 error("Unsupported multiplexing protocol version %d " 1592 "(expected %d)", ver, SSHMUX_VER); 1593 goto out; 1594 } 1595 debug2_f("master version %u", ver); 1596 /* No extensions are presently defined */ 1597 while (sshbuf_len(m) > 0) { 1598 char *name = NULL; 1599 1600 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 1601 (r = sshbuf_skip_string(m)) != 0) { /* value */ 1602 error_fr(r, "parse extension"); 1603 goto out; 1604 } 1605 debug2("Unrecognised master extension \"%s\"", name); 1606 free(name); 1607 } 1608 /* success */ 1609 ret = 0; 1610 out: 1611 sshbuf_free(m); 1612 return ret; 1613 } 1614 1615 static u_int 1616 mux_client_request_alive(int fd) 1617 { 1618 struct sshbuf *m; 1619 char *e; 1620 u_int pid, type, rid; 1621 int r; 1622 1623 debug3_f("entering"); 1624 1625 if ((m = sshbuf_new()) == NULL) 1626 fatal_f("sshbuf_new"); 1627 if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 || 1628 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1629 fatal_fr(r, "assemble"); 1630 1631 if (mux_client_write_packet(fd, m) != 0) 1632 fatal_f("write packet: %s", strerror(errno)); 1633 1634 sshbuf_reset(m); 1635 1636 /* Read their reply */ 1637 if (mux_client_read_packet(fd, m) != 0) { 1638 sshbuf_free(m); 1639 return 0; 1640 } 1641 1642 if ((r = sshbuf_get_u32(m, &type)) != 0) 1643 fatal_fr(r, "parse type"); 1644 if (type != MUX_S_ALIVE) { 1645 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1646 fatal_fr(r, "parse error message"); 1647 fatal_f("master returned error: %s", e); 1648 } 1649 1650 if ((r = sshbuf_get_u32(m, &rid)) != 0) 1651 fatal_fr(r, "parse remote ID"); 1652 if (rid != muxclient_request_id) 1653 fatal_f("out of sequence reply: my id %u theirs %u", 1654 muxclient_request_id, rid); 1655 if ((r = sshbuf_get_u32(m, &pid)) != 0) 1656 fatal_fr(r, "parse PID"); 1657 sshbuf_free(m); 1658 1659 debug3_f("done pid = %u", pid); 1660 1661 muxclient_request_id++; 1662 1663 return pid; 1664 } 1665 1666 static void 1667 mux_client_request_terminate(int fd) 1668 { 1669 struct sshbuf *m; 1670 char *e; 1671 u_int type, rid; 1672 int r; 1673 1674 debug3_f("entering"); 1675 1676 if ((m = sshbuf_new()) == NULL) 1677 fatal_f("sshbuf_new"); 1678 if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 || 1679 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1680 fatal_fr(r, "request"); 1681 1682 if (mux_client_write_packet(fd, m) != 0) 1683 fatal_f("write packet: %s", strerror(errno)); 1684 1685 sshbuf_reset(m); 1686 1687 /* Read their reply */ 1688 if (mux_client_read_packet(fd, m) != 0) { 1689 /* Remote end exited already */ 1690 if (errno == EPIPE) { 1691 sshbuf_free(m); 1692 return; 1693 } 1694 fatal_f("read from master failed: %s", strerror(errno)); 1695 } 1696 1697 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1698 (r = sshbuf_get_u32(m, &rid)) != 0) 1699 fatal_fr(r, "parse"); 1700 if (rid != muxclient_request_id) 1701 fatal_f("out of sequence reply: my id %u theirs %u", 1702 muxclient_request_id, rid); 1703 switch (type) { 1704 case MUX_S_OK: 1705 break; 1706 case MUX_S_PERMISSION_DENIED: 1707 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1708 fatal_fr(r, "parse error message"); 1709 fatal("Master refused termination request: %s", e); 1710 case MUX_S_FAILURE: 1711 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1712 fatal_fr(r, "parse error message"); 1713 fatal_f("termination request failed: %s", e); 1714 default: 1715 fatal_f("unexpected response from master 0x%08x", type); 1716 } 1717 sshbuf_free(m); 1718 muxclient_request_id++; 1719 } 1720 1721 static int 1722 mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) 1723 { 1724 struct sshbuf *m; 1725 char *e, *fwd_desc; 1726 const char *lhost, *chost; 1727 u_int type, rid; 1728 int r; 1729 1730 fwd_desc = format_forward(ftype, fwd); 1731 debug("Requesting %s %s", 1732 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1733 free(fwd_desc); 1734 1735 type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD; 1736 if (fwd->listen_path != NULL) 1737 lhost = fwd->listen_path; 1738 else if (fwd->listen_host == NULL) 1739 lhost = ""; 1740 else if (*fwd->listen_host == '\0') 1741 lhost = "*"; 1742 else 1743 lhost = fwd->listen_host; 1744 1745 if (fwd->connect_path != NULL) 1746 chost = fwd->connect_path; 1747 else if (fwd->connect_host == NULL) 1748 chost = ""; 1749 else 1750 chost = fwd->connect_host; 1751 1752 if ((m = sshbuf_new()) == NULL) 1753 fatal_f("sshbuf_new"); 1754 if ((r = sshbuf_put_u32(m, type)) != 0 || 1755 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1756 (r = sshbuf_put_u32(m, ftype)) != 0 || 1757 (r = sshbuf_put_cstring(m, lhost)) != 0 || 1758 (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 || 1759 (r = sshbuf_put_cstring(m, chost)) != 0 || 1760 (r = sshbuf_put_u32(m, fwd->connect_port)) != 0) 1761 fatal_fr(r, "request"); 1762 1763 if (mux_client_write_packet(fd, m) != 0) 1764 fatal_f("write packet: %s", strerror(errno)); 1765 1766 sshbuf_reset(m); 1767 1768 /* Read their reply */ 1769 if (mux_client_read_packet(fd, m) != 0) { 1770 sshbuf_free(m); 1771 return -1; 1772 } 1773 1774 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1775 (r = sshbuf_get_u32(m, &rid)) != 0) 1776 fatal_fr(r, "parse"); 1777 if (rid != muxclient_request_id) 1778 fatal_f("out of sequence reply: my id %u theirs %u", 1779 muxclient_request_id, rid); 1780 1781 switch (type) { 1782 case MUX_S_OK: 1783 break; 1784 case MUX_S_REMOTE_PORT: 1785 if (cancel_flag) 1786 fatal_f("got MUX_S_REMOTE_PORT for cancel"); 1787 if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0) 1788 fatal_fr(r, "parse port"); 1789 verbose("Allocated port %u for remote forward to %s:%d", 1790 fwd->allocated_port, 1791 fwd->connect_host ? fwd->connect_host : "", 1792 fwd->connect_port); 1793 if (muxclient_command == SSHMUX_COMMAND_FORWARD) 1794 fprintf(stdout, "%i\n", fwd->allocated_port); 1795 break; 1796 case MUX_S_PERMISSION_DENIED: 1797 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1798 fatal_fr(r, "parse error message"); 1799 sshbuf_free(m); 1800 error("Master refused forwarding request: %s", e); 1801 return -1; 1802 case MUX_S_FAILURE: 1803 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1804 fatal_fr(r, "parse error message"); 1805 sshbuf_free(m); 1806 error_f("forwarding request failed: %s", e); 1807 return -1; 1808 default: 1809 fatal_f("unexpected response from master 0x%08x", type); 1810 } 1811 sshbuf_free(m); 1812 1813 muxclient_request_id++; 1814 return 0; 1815 } 1816 1817 static int 1818 mux_client_forwards(int fd, int cancel_flag) 1819 { 1820 int i, ret = 0; 1821 1822 debug3_f("%s forwardings: %d local, %d remote", 1823 cancel_flag ? "cancel" : "request", 1824 options.num_local_forwards, options.num_remote_forwards); 1825 1826 /* XXX ExitOnForwardingFailure */ 1827 for (i = 0; i < options.num_local_forwards; i++) { 1828 if (mux_client_forward(fd, cancel_flag, 1829 options.local_forwards[i].connect_port == 0 ? 1830 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL, 1831 options.local_forwards + i) != 0) 1832 ret = -1; 1833 } 1834 for (i = 0; i < options.num_remote_forwards; i++) { 1835 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE, 1836 options.remote_forwards + i) != 0) 1837 ret = -1; 1838 } 1839 return ret; 1840 } 1841 1842 static int 1843 mux_client_request_session(int fd) 1844 { 1845 struct sshbuf *m; 1846 char *e; 1847 const char *term = NULL; 1848 u_int i, echar, rid, sid, esid, exitval, type, exitval_seen; 1849 extern char **environ; 1850 int r, rawmode; 1851 1852 debug3_f("entering"); 1853 1854 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1855 error_f("master alive request failed"); 1856 return -1; 1857 } 1858 1859 ssh_signal(SIGPIPE, SIG_IGN); 1860 1861 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 1862 fatal_f("stdfd_devnull failed"); 1863 1864 if ((term = lookup_env_in_list("TERM", options.setenv, 1865 options.num_setenv)) == NULL || *term == '\0') 1866 term = getenv("TERM"); 1867 1868 echar = 0xffffffff; 1869 if (options.escape_char != SSH_ESCAPECHAR_NONE) 1870 echar = (u_int)options.escape_char; 1871 1872 if ((m = sshbuf_new()) == NULL) 1873 fatal_f("sshbuf_new"); 1874 if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 || 1875 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1876 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 1877 (r = sshbuf_put_u32(m, tty_flag)) != 0 || 1878 (r = sshbuf_put_u32(m, options.forward_x11)) != 0 || 1879 (r = sshbuf_put_u32(m, options.forward_agent)) != 0 || 1880 (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 || 1881 (r = sshbuf_put_u32(m, echar)) != 0 || 1882 (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 || 1883 (r = sshbuf_put_stringb(m, command)) != 0) 1884 fatal_fr(r, "request"); 1885 1886 /* Pass environment */ 1887 if (options.num_send_env > 0 && environ != NULL) { 1888 for (i = 0; environ[i] != NULL; i++) { 1889 if (!env_permitted(environ[i])) 1890 continue; 1891 if ((r = sshbuf_put_cstring(m, environ[i])) != 0) 1892 fatal_fr(r, "request sendenv"); 1893 } 1894 } 1895 for (i = 0; i < options.num_setenv; i++) { 1896 if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0) 1897 fatal_fr(r, "request setenv"); 1898 } 1899 1900 if (mux_client_write_packet(fd, m) != 0) 1901 fatal_f("write packet: %s", strerror(errno)); 1902 1903 /* Send the stdio file descriptors */ 1904 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1905 mm_send_fd(fd, STDOUT_FILENO) == -1 || 1906 mm_send_fd(fd, STDERR_FILENO) == -1) 1907 fatal_f("send fds failed"); 1908 1909 debug3_f("session request sent"); 1910 1911 /* Read their reply */ 1912 sshbuf_reset(m); 1913 if (mux_client_read_packet(fd, m) != 0) { 1914 error_f("read from master failed: %s", strerror(errno)); 1915 sshbuf_free(m); 1916 return -1; 1917 } 1918 1919 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1920 (r = sshbuf_get_u32(m, &rid)) != 0) 1921 fatal_fr(r, "parse"); 1922 if (rid != muxclient_request_id) 1923 fatal_f("out of sequence reply: my id %u theirs %u", 1924 muxclient_request_id, rid); 1925 1926 switch (type) { 1927 case MUX_S_SESSION_OPENED: 1928 if ((r = sshbuf_get_u32(m, &sid)) != 0) 1929 fatal_fr(r, "parse session ID"); 1930 debug_f("master session id: %u", sid); 1931 break; 1932 case MUX_S_PERMISSION_DENIED: 1933 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1934 fatal_fr(r, "parse error message"); 1935 error("Master refused session request: %s", e); 1936 sshbuf_free(m); 1937 return -1; 1938 case MUX_S_FAILURE: 1939 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1940 fatal_fr(r, "parse error message"); 1941 error_f("session request failed: %s", e); 1942 sshbuf_free(m); 1943 return -1; 1944 default: 1945 sshbuf_free(m); 1946 error_f("unexpected response from master 0x%08x", type); 1947 return -1; 1948 } 1949 muxclient_request_id++; 1950 1951 if (pledge("stdio proc tty", NULL) == -1) 1952 fatal_f("pledge(): %s", strerror(errno)); 1953 1954 ssh_signal(SIGHUP, control_client_sighandler); 1955 ssh_signal(SIGINT, control_client_sighandler); 1956 ssh_signal(SIGTERM, control_client_sighandler); 1957 ssh_signal(SIGWINCH, control_client_sigrelay); 1958 1959 rawmode = tty_flag; 1960 if (tty_flag) 1961 enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 1962 1963 /* 1964 * Stick around until the controlee closes the client_fd. 1965 * Before it does, it is expected to write an exit message. 1966 * This process must read the value and wait for the closure of 1967 * the client_fd; if this one closes early, the multiplex master will 1968 * terminate early too (possibly losing data). 1969 */ 1970 for (exitval = 255, exitval_seen = 0;;) { 1971 sshbuf_reset(m); 1972 if (mux_client_read_packet(fd, m) != 0) 1973 break; 1974 if ((r = sshbuf_get_u32(m, &type)) != 0) 1975 fatal_fr(r, "parse type"); 1976 switch (type) { 1977 case MUX_S_TTY_ALLOC_FAIL: 1978 if ((r = sshbuf_get_u32(m, &esid)) != 0) 1979 fatal_fr(r, "parse session ID"); 1980 if (esid != sid) 1981 fatal_f("tty alloc fail on unknown session: " 1982 "my id %u theirs %u", sid, esid); 1983 leave_raw_mode(options.request_tty == 1984 REQUEST_TTY_FORCE); 1985 rawmode = 0; 1986 continue; 1987 case MUX_S_EXIT_MESSAGE: 1988 if ((r = sshbuf_get_u32(m, &esid)) != 0) 1989 fatal_fr(r, "parse session ID"); 1990 if (esid != sid) 1991 fatal_f("exit on unknown session: " 1992 "my id %u theirs %u", sid, esid); 1993 if (exitval_seen) 1994 fatal_f("exitval sent twice"); 1995 if ((r = sshbuf_get_u32(m, &exitval)) != 0) 1996 fatal_fr(r, "parse exitval"); 1997 exitval_seen = 1; 1998 continue; 1999 default: 2000 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2001 fatal_fr(r, "parse error message"); 2002 fatal_f("master returned error: %s", e); 2003 } 2004 } 2005 2006 close(fd); 2007 if (rawmode) 2008 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 2009 2010 if (muxclient_terminate) { 2011 debug2("Exiting on signal: %s", strsignal(muxclient_terminate)); 2012 exitval = 255; 2013 } else if (!exitval_seen) { 2014 debug2("Control master terminated unexpectedly"); 2015 exitval = 255; 2016 } else 2017 debug2("Received exit status from master %d", exitval); 2018 2019 if (tty_flag && options.log_level >= SYSLOG_LEVEL_INFO) 2020 fprintf(stderr, "Shared connection to %s closed.\r\n", host); 2021 2022 exit(exitval); 2023 } 2024 2025 static int 2026 mux_client_proxy(int fd) 2027 { 2028 struct sshbuf *m; 2029 char *e; 2030 u_int type, rid; 2031 int r; 2032 2033 if ((m = sshbuf_new()) == NULL) 2034 fatal_f("sshbuf_new"); 2035 if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 || 2036 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2037 fatal_fr(r, "request"); 2038 if (mux_client_write_packet(fd, m) != 0) 2039 fatal_f("write packet: %s", strerror(errno)); 2040 2041 sshbuf_reset(m); 2042 2043 /* Read their reply */ 2044 if (mux_client_read_packet(fd, m) != 0) { 2045 sshbuf_free(m); 2046 return 0; 2047 } 2048 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2049 (r = sshbuf_get_u32(m, &rid)) != 0) 2050 fatal_fr(r, "parse"); 2051 if (rid != muxclient_request_id) 2052 fatal_f("out of sequence reply: my id %u theirs %u", 2053 muxclient_request_id, rid); 2054 if (type != MUX_S_PROXY) { 2055 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2056 fatal_fr(r, "parse error message"); 2057 fatal_f("master returned error: %s", e); 2058 } 2059 sshbuf_free(m); 2060 2061 debug3_f("done"); 2062 muxclient_request_id++; 2063 return 0; 2064 } 2065 2066 static int 2067 mux_client_request_stdio_fwd(int fd) 2068 { 2069 struct sshbuf *m; 2070 char *e; 2071 u_int type, rid, sid; 2072 int r; 2073 2074 debug3_f("entering"); 2075 2076 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 2077 error_f("master alive request failed"); 2078 return -1; 2079 } 2080 2081 ssh_signal(SIGPIPE, SIG_IGN); 2082 2083 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 2084 fatal_f("stdfd_devnull failed"); 2085 2086 if ((m = sshbuf_new()) == NULL) 2087 fatal_f("sshbuf_new"); 2088 if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 || 2089 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 2090 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 2091 (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 || 2092 (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0) 2093 fatal_fr(r, "request"); 2094 2095 if (mux_client_write_packet(fd, m) != 0) 2096 fatal_f("write packet: %s", strerror(errno)); 2097 2098 /* Send the stdio file descriptors */ 2099 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 2100 mm_send_fd(fd, STDOUT_FILENO) == -1) 2101 fatal_f("send fds failed"); 2102 2103 if (pledge("stdio proc tty", NULL) == -1) 2104 fatal_f("pledge(): %s", strerror(errno)); 2105 2106 debug3_f("stdio forward request sent"); 2107 2108 /* Read their reply */ 2109 sshbuf_reset(m); 2110 2111 if (mux_client_read_packet(fd, m) != 0) { 2112 error_f("read from master failed: %s", strerror(errno)); 2113 sshbuf_free(m); 2114 return -1; 2115 } 2116 2117 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2118 (r = sshbuf_get_u32(m, &rid)) != 0) 2119 fatal_fr(r, "parse"); 2120 if (rid != muxclient_request_id) 2121 fatal_f("out of sequence reply: my id %u theirs %u", 2122 muxclient_request_id, rid); 2123 switch (type) { 2124 case MUX_S_SESSION_OPENED: 2125 if ((r = sshbuf_get_u32(m, &sid)) != 0) 2126 fatal_fr(r, "parse session ID"); 2127 debug_f("master session id: %u", sid); 2128 break; 2129 case MUX_S_PERMISSION_DENIED: 2130 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2131 fatal_fr(r, "parse error message"); 2132 sshbuf_free(m); 2133 fatal("Master refused stdio forwarding request: %s", e); 2134 case MUX_S_FAILURE: 2135 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2136 fatal_fr(r, "parse error message"); 2137 sshbuf_free(m); 2138 fatal("Stdio forwarding request failed: %s", e); 2139 default: 2140 sshbuf_free(m); 2141 error_f("unexpected response from master 0x%08x", type); 2142 return -1; 2143 } 2144 muxclient_request_id++; 2145 2146 ssh_signal(SIGHUP, control_client_sighandler); 2147 ssh_signal(SIGINT, control_client_sighandler); 2148 ssh_signal(SIGTERM, control_client_sighandler); 2149 ssh_signal(SIGWINCH, control_client_sigrelay); 2150 2151 /* 2152 * Stick around until the controlee closes the client_fd. 2153 */ 2154 sshbuf_reset(m); 2155 if (mux_client_read_packet(fd, m) != 0) { 2156 if (errno == EPIPE || 2157 (errno == EINTR && muxclient_terminate != 0)) 2158 return 0; 2159 fatal_f("mux_client_read_packet: %s", strerror(errno)); 2160 } 2161 fatal_f("master returned unexpected message %u", type); 2162 } 2163 2164 static void 2165 mux_client_request_stop_listening(int fd) 2166 { 2167 struct sshbuf *m; 2168 char *e; 2169 u_int type, rid; 2170 int r; 2171 2172 debug3_f("entering"); 2173 2174 if ((m = sshbuf_new()) == NULL) 2175 fatal_f("sshbuf_new"); 2176 if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 || 2177 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2178 fatal_fr(r, "request"); 2179 2180 if (mux_client_write_packet(fd, m) != 0) 2181 fatal_f("write packet: %s", strerror(errno)); 2182 2183 sshbuf_reset(m); 2184 2185 /* Read their reply */ 2186 if (mux_client_read_packet(fd, m) != 0) 2187 fatal_f("read from master failed: %s", strerror(errno)); 2188 2189 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2190 (r = sshbuf_get_u32(m, &rid)) != 0) 2191 fatal_fr(r, "parse"); 2192 if (rid != muxclient_request_id) 2193 fatal_f("out of sequence reply: my id %u theirs %u", 2194 muxclient_request_id, rid); 2195 2196 switch (type) { 2197 case MUX_S_OK: 2198 break; 2199 case MUX_S_PERMISSION_DENIED: 2200 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2201 fatal_fr(r, "parse error message"); 2202 fatal("Master refused stop listening request: %s", e); 2203 case MUX_S_FAILURE: 2204 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2205 fatal_fr(r, "parse error message"); 2206 fatal_f("stop listening request failed: %s", e); 2207 default: 2208 fatal_f("unexpected response from master 0x%08x", type); 2209 } 2210 sshbuf_free(m); 2211 muxclient_request_id++; 2212 } 2213 2214 /* Multiplex client main loop. */ 2215 int 2216 muxclient(const char *path) 2217 { 2218 struct sockaddr_un addr; 2219 int sock; 2220 u_int pid; 2221 2222 if (muxclient_command == 0) { 2223 if (options.stdio_forward_host != NULL) 2224 muxclient_command = SSHMUX_COMMAND_STDIO_FWD; 2225 else 2226 muxclient_command = SSHMUX_COMMAND_OPEN; 2227 } 2228 2229 switch (options.control_master) { 2230 case SSHCTL_MASTER_AUTO: 2231 case SSHCTL_MASTER_AUTO_ASK: 2232 debug("auto-mux: Trying existing master"); 2233 /* FALLTHROUGH */ 2234 case SSHCTL_MASTER_NO: 2235 break; 2236 default: 2237 return -1; 2238 } 2239 2240 memset(&addr, '\0', sizeof(addr)); 2241 addr.sun_family = AF_UNIX; 2242 2243 if (strlcpy(addr.sun_path, path, 2244 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 2245 fatal("ControlPath too long ('%s' >= %u bytes)", path, 2246 (unsigned int)sizeof(addr.sun_path)); 2247 2248 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) 2249 fatal_f("socket(): %s", strerror(errno)); 2250 2251 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) { 2252 switch (muxclient_command) { 2253 case SSHMUX_COMMAND_OPEN: 2254 case SSHMUX_COMMAND_STDIO_FWD: 2255 break; 2256 default: 2257 fatal("Control socket connect(%.100s): %s", path, 2258 strerror(errno)); 2259 } 2260 if (errno == ECONNREFUSED && 2261 options.control_master != SSHCTL_MASTER_NO) { 2262 debug("Stale control socket %.100s, unlinking", path); 2263 unlink(path); 2264 } else if (errno == ENOENT) { 2265 debug("Control socket \"%.100s\" does not exist", path); 2266 } else { 2267 error("Control socket connect(%.100s): %s", path, 2268 strerror(errno)); 2269 } 2270 close(sock); 2271 return -1; 2272 } 2273 set_nonblock(sock); 2274 2275 if (mux_client_hello_exchange(sock) != 0) { 2276 error_f("master hello exchange failed"); 2277 close(sock); 2278 return -1; 2279 } 2280 2281 switch (muxclient_command) { 2282 case SSHMUX_COMMAND_ALIVE_CHECK: 2283 if ((pid = mux_client_request_alive(sock)) == 0) 2284 fatal_f("master alive check failed"); 2285 fprintf(stderr, "Master running (pid=%u)\r\n", pid); 2286 exit(0); 2287 case SSHMUX_COMMAND_TERMINATE: 2288 mux_client_request_terminate(sock); 2289 if (options.log_level != SYSLOG_LEVEL_QUIET) 2290 fprintf(stderr, "Exit request sent.\r\n"); 2291 exit(0); 2292 case SSHMUX_COMMAND_FORWARD: 2293 if (mux_client_forwards(sock, 0) != 0) 2294 fatal_f("master forward request failed"); 2295 exit(0); 2296 case SSHMUX_COMMAND_OPEN: 2297 if (mux_client_forwards(sock, 0) != 0) { 2298 error_f("master forward request failed"); 2299 return -1; 2300 } 2301 mux_client_request_session(sock); 2302 return -1; 2303 case SSHMUX_COMMAND_STDIO_FWD: 2304 mux_client_request_stdio_fwd(sock); 2305 exit(0); 2306 case SSHMUX_COMMAND_STOP: 2307 mux_client_request_stop_listening(sock); 2308 if (options.log_level != SYSLOG_LEVEL_QUIET) 2309 fprintf(stderr, "Stop listening request sent.\r\n"); 2310 exit(0); 2311 case SSHMUX_COMMAND_CANCEL_FWD: 2312 if (mux_client_forwards(sock, 1) != 0) 2313 error_f("master cancel forward request failed"); 2314 exit(0); 2315 case SSHMUX_COMMAND_PROXY: 2316 mux_client_proxy(sock); 2317 return (sock); 2318 default: 2319 fatal("unrecognised muxclient_command %d", muxclient_command); 2320 } 2321 } 2322