1/* $NetBSD: mux.c,v 1.35 2023/12/20 17:15:20 christos Exp $ */ 2/* $OpenBSD: mux.c,v 1.101 2023/11/23 03:37:05 dtucker Exp $ */ 3 4/* 5 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20/* ssh session multiplexing support */ 21 22#include "includes.h" 23__RCSID("$NetBSD: mux.c,v 1.35 2023/12/20 17:15:20 christos Exp $"); 24#include <sys/types.h> 25#include <sys/queue.h> 26#include <sys/stat.h> 27#include <sys/socket.h> 28#include <sys/un.h> 29 30#include <errno.h> 31#include <fcntl.h> 32#include <poll.h> 33#include <limits.h> 34#include <signal.h> 35#include <stdarg.h> 36#include <stddef.h> 37#include <stdlib.h> 38#include <stdio.h> 39#include <string.h> 40#include <unistd.h> 41#include <util.h> 42#include <paths.h> 43 44#include "atomicio.h" 45#include "xmalloc.h" 46#include "log.h" 47#include "ssh.h" 48#include "ssh2.h" 49#include "pathnames.h" 50#include "misc.h" 51#include "match.h" 52#include "sshbuf.h" 53#include "channels.h" 54#include "msg.h" 55#include "packet.h" 56#include "monitor_fdpass.h" 57#include "sshpty.h" 58#include "sshkey.h" 59#include "readconf.h" 60#include "clientloop.h" 61#include "ssherr.h" 62#include "misc.h" 63 64/* from ssh.c */ 65extern int tty_flag; 66extern Options options; 67extern char *host; 68extern struct sshbuf *command; 69extern volatile sig_atomic_t quit_pending; 70 71/* Context for session open confirmation callback */ 72struct mux_session_confirm_ctx { 73 u_int want_tty; 74 u_int want_subsys; 75 u_int want_x_fwd; 76 u_int want_agent_fwd; 77 struct sshbuf *cmd; 78 char *term; 79 struct termios tio; 80 char **env; 81 u_int rid; 82}; 83 84/* Context for stdio fwd open confirmation callback */ 85struct mux_stdio_confirm_ctx { 86 u_int rid; 87}; 88 89/* Context for global channel callback */ 90struct mux_channel_confirm_ctx { 91 u_int cid; /* channel id */ 92 u_int rid; /* request id */ 93 int fid; /* forward id */ 94}; 95 96/* fd to control socket */ 97int muxserver_sock = -1; 98 99/* client request id */ 100u_int muxclient_request_id = 0; 101 102/* Multiplexing control command */ 103u_int muxclient_command = 0; 104 105/* Set when signalled. */ 106static volatile sig_atomic_t muxclient_terminate = 0; 107 108/* PID of multiplex server */ 109static u_int muxserver_pid = 0; 110 111static Channel *mux_listener_channel = NULL; 112 113struct mux_master_state { 114 int hello_rcvd; 115}; 116 117/* mux protocol messages */ 118#define MUX_MSG_HELLO 0x00000001 119#define MUX_C_NEW_SESSION 0x10000002 120#define MUX_C_ALIVE_CHECK 0x10000004 121#define MUX_C_TERMINATE 0x10000005 122#define MUX_C_OPEN_FWD 0x10000006 123#define MUX_C_CLOSE_FWD 0x10000007 124#define MUX_C_NEW_STDIO_FWD 0x10000008 125#define MUX_C_STOP_LISTENING 0x10000009 126#define MUX_C_PROXY 0x1000000f 127#define MUX_S_OK 0x80000001 128#define MUX_S_PERMISSION_DENIED 0x80000002 129#define MUX_S_FAILURE 0x80000003 130#define MUX_S_EXIT_MESSAGE 0x80000004 131#define MUX_S_ALIVE 0x80000005 132#define MUX_S_SESSION_OPENED 0x80000006 133#define MUX_S_REMOTE_PORT 0x80000007 134#define MUX_S_TTY_ALLOC_FAIL 0x80000008 135#define MUX_S_PROXY 0x8000000f 136 137/* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ 138#define MUX_FWD_LOCAL 1 139#define MUX_FWD_REMOTE 2 140#define MUX_FWD_DYNAMIC 3 141 142static void mux_session_confirm(struct ssh *, int, int, void *); 143static void mux_stdio_confirm(struct ssh *, int, int, void *); 144 145static int mux_master_process_hello(struct ssh *, u_int, 146 Channel *, struct sshbuf *, struct sshbuf *); 147static int mux_master_process_new_session(struct ssh *, u_int, 148 Channel *, struct sshbuf *, struct sshbuf *); 149static int mux_master_process_alive_check(struct ssh *, u_int, 150 Channel *, struct sshbuf *, struct sshbuf *); 151static int mux_master_process_terminate(struct ssh *, u_int, 152 Channel *, struct sshbuf *, struct sshbuf *); 153static int mux_master_process_open_fwd(struct ssh *, u_int, 154 Channel *, struct sshbuf *, struct sshbuf *); 155static int mux_master_process_close_fwd(struct ssh *, u_int, 156 Channel *, struct sshbuf *, struct sshbuf *); 157static int mux_master_process_stdio_fwd(struct ssh *, u_int, 158 Channel *, struct sshbuf *, struct sshbuf *); 159static int mux_master_process_stop_listening(struct ssh *, u_int, 160 Channel *, struct sshbuf *, struct sshbuf *); 161static int mux_master_process_proxy(struct ssh *, u_int, 162 Channel *, struct sshbuf *, struct sshbuf *); 163 164static const struct { 165 u_int type; 166 int (*handler)(struct ssh *, u_int, Channel *, 167 struct sshbuf *, struct sshbuf *); 168} mux_master_handlers[] = { 169 { MUX_MSG_HELLO, mux_master_process_hello }, 170 { MUX_C_NEW_SESSION, mux_master_process_new_session }, 171 { MUX_C_ALIVE_CHECK, mux_master_process_alive_check }, 172 { MUX_C_TERMINATE, mux_master_process_terminate }, 173 { MUX_C_OPEN_FWD, mux_master_process_open_fwd }, 174 { MUX_C_CLOSE_FWD, mux_master_process_close_fwd }, 175 { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd }, 176 { MUX_C_STOP_LISTENING, mux_master_process_stop_listening }, 177 { MUX_C_PROXY, mux_master_process_proxy }, 178 { 0, NULL } 179}; 180 181/* Cleanup callback fired on closure of mux client _session_ channel */ 182static void 183mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) 184{ 185 Channel *cc, *c = channel_by_id(ssh, cid); 186 187 debug3_f("entering for channel %d", cid); 188 if (c == NULL) 189 fatal_f("channel_by_id(%i) == NULL", cid); 190 if (c->ctl_chan != -1) { 191 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 192 fatal_f("channel %d missing control channel %d", 193 c->self, c->ctl_chan); 194 c->ctl_chan = -1; 195 cc->remote_id = 0; 196 cc->have_remote_id = 0; 197 chan_rcvd_oclose(ssh, cc); 198 } 199 channel_cancel_cleanup(ssh, c->self); 200} 201 202/* Cleanup callback fired on closure of mux client _control_ channel */ 203static void 204mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused) 205{ 206 Channel *sc, *c = channel_by_id(ssh, cid); 207 208 debug3_f("entering for channel %d", cid); 209 if (c == NULL) 210 fatal_f("channel_by_id(%i) == NULL", cid); 211 if (c->have_remote_id) { 212 if ((sc = channel_by_id(ssh, c->remote_id)) == NULL) 213 fatal_f("channel %d missing session channel %u", 214 c->self, c->remote_id); 215 c->remote_id = 0; 216 c->have_remote_id = 0; 217 sc->ctl_chan = -1; 218 if (sc->type != SSH_CHANNEL_OPEN && 219 sc->type != SSH_CHANNEL_OPENING) { 220 debug2_f("channel %d: not open", sc->self); 221 chan_mark_dead(ssh, sc); 222 } else { 223 if (sc->istate == CHAN_INPUT_OPEN) 224 chan_read_failed(ssh, sc); 225 if (sc->ostate == CHAN_OUTPUT_OPEN) 226 chan_write_failed(ssh, sc); 227 } 228 } 229 channel_cancel_cleanup(ssh, c->self); 230} 231 232/* Check mux client environment variables before passing them to mux master. */ 233static int 234env_permitted(const char *env) 235{ 236 u_int i; 237 int ret; 238 char name[1024], *cp; 239 240 if ((cp = strchr(env, '=')) == NULL || cp == env) 241 return 0; 242 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env); 243 if (ret <= 0 || (size_t)ret >= sizeof(name)) { 244 error_f("name '%.100s...' too long", env); 245 return 0; 246 } 247 248 for (i = 0; i < options.num_send_env; i++) 249 if (match_pattern(name, options.send_env[i])) 250 return 1; 251 252 return 0; 253} 254 255/* Mux master protocol message handlers */ 256 257static int 258mux_master_process_hello(struct ssh *ssh, u_int rid, 259 Channel *c, struct sshbuf *m, struct sshbuf *reply) 260{ 261 u_int ver; 262 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 263 int r; 264 265 if (state == NULL) 266 fatal_f("channel %d: c->mux_ctx == NULL", c->self); 267 if (state->hello_rcvd) { 268 error_f("HELLO received twice"); 269 return -1; 270 } 271 if ((r = sshbuf_get_u32(m, &ver)) != 0) { 272 error_fr(r, "parse"); 273 return -1; 274 } 275 if (ver != SSHMUX_VER) { 276 error_f("unsupported multiplexing protocol version %u " 277 "(expected %u)", ver, SSHMUX_VER); 278 return -1; 279 } 280 debug2_f("channel %d client version %u", c->self, ver); 281 282 /* No extensions are presently defined */ 283 while (sshbuf_len(m) > 0) { 284 char *name = NULL; 285 size_t value_len = 0; 286 287 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 288 (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) { 289 error_fr(r, "parse extension"); 290 return -1; 291 } 292 debug2_f("Unrecognised extension \"%s\" length %zu", 293 name, value_len); 294 free(name); 295 } 296 state->hello_rcvd = 1; 297 return 0; 298} 299 300/* Enqueue a "ok" response to the reply buffer */ 301static void 302reply_ok(struct sshbuf *reply, u_int rid) 303{ 304 int r; 305 306 if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 || 307 (r = sshbuf_put_u32(reply, rid)) != 0) 308 fatal_fr(r, "reply"); 309} 310 311/* Enqueue an error response to the reply buffer */ 312static void 313reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg) 314{ 315 int r; 316 317 if ((r = sshbuf_put_u32(reply, type)) != 0 || 318 (r = sshbuf_put_u32(reply, rid)) != 0 || 319 (r = sshbuf_put_cstring(reply, msg)) != 0) 320 fatal_fr(r, "reply"); 321} 322 323static int 324mux_master_process_new_session(struct ssh *ssh, u_int rid, 325 Channel *c, struct sshbuf *m, struct sshbuf *reply) 326{ 327 Channel *nc; 328 struct mux_session_confirm_ctx *cctx; 329 char *cmd, *cp; 330 u_int i, j, env_len, escape_char, window, packetmax; 331 int r, new_fd[3]; 332 333 /* Reply for SSHMUX_COMMAND_OPEN */ 334 cctx = xcalloc(1, sizeof(*cctx)); 335 cctx->term = NULL; 336 cctx->rid = rid; 337 cmd = NULL; 338 cctx->env = NULL; 339 env_len = 0; 340 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 341 (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 || 342 (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 || 343 (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 || 344 (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 || 345 (r = sshbuf_get_u32(m, &escape_char)) != 0 || 346 (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 || 347 (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) { 348 malf: 349 free(cmd); 350 for (j = 0; j < env_len; j++) 351 free(cctx->env[j]); 352 free(cctx->env); 353 free(cctx->term); 354 free(cctx); 355 error_f("malformed message"); 356 return -1; 357 } 358 359#define MUX_MAX_ENV_VARS 4096 360 while (sshbuf_len(m) > 0) { 361 if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0) 362 goto malf; 363 if (!env_permitted(cp)) { 364 free(cp); 365 continue; 366 } 367 cctx->env = xreallocarray(cctx->env, env_len + 2, 368 sizeof(*cctx->env)); 369 cctx->env[env_len++] = cp; 370 cctx->env[env_len] = NULL; 371 if (env_len > MUX_MAX_ENV_VARS) { 372 error_f(">%d environment variables received, " 373 "ignoring additional", MUX_MAX_ENV_VARS); 374 break; 375 } 376 } 377 378 debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, " 379 "term \"%s\", cmd \"%s\", env %u", c->self, 380 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd, 381 cctx->want_subsys, cctx->term, cmd, env_len); 382 383 if ((cctx->cmd = sshbuf_new()) == NULL) 384 fatal_f("sshbuf_new"); 385 if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0) 386 fatal_fr(r, "sshbuf_put"); 387 free(cmd); 388 cmd = NULL; 389 390 /* Gather fds from client */ 391 for(i = 0; i < 3; i++) { 392 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 393 error_f("failed to receive fd %d from client", i); 394 for (j = 0; j < i; j++) 395 close(new_fd[j]); 396 for (j = 0; j < env_len; j++) 397 free(cctx->env[j]); 398 free(cctx->env); 399 free(cctx->term); 400 sshbuf_free(cctx->cmd); 401 free(cctx); 402 reply_error(reply, MUX_S_FAILURE, rid, 403 "did not receive file descriptors"); 404 return -1; 405 } 406 } 407 408 debug3_f("got fds stdin %d, stdout %d, stderr %d", 409 new_fd[0], new_fd[1], new_fd[2]); 410 411 /* XXX support multiple child sessions in future */ 412 if (c->have_remote_id) { 413 debug2_f("session already open"); 414 reply_error(reply, MUX_S_FAILURE, rid, 415 "Multiple sessions not supported"); 416 cleanup: 417 close(new_fd[0]); 418 close(new_fd[1]); 419 close(new_fd[2]); 420 free(cctx->term); 421 if (env_len != 0) { 422 for (i = 0; i < env_len; i++) 423 free(cctx->env[i]); 424 free(cctx->env); 425 } 426 sshbuf_free(cctx->cmd); 427 free(cctx); 428 return 0; 429 } 430 431 if (options.control_master == SSHCTL_MASTER_ASK || 432 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 433 if (!ask_permission("Allow shared connection to %s? ", host)) { 434 debug2_f("session refused by user"); 435 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 436 "Permission denied"); 437 goto cleanup; 438 } 439 } 440 441 /* Try to pick up ttymodes from client before it goes raw */ 442 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 443 error_f("tcgetattr: %s", strerror(errno)); 444 445 window = CHAN_SES_WINDOW_DEFAULT; 446 packetmax = CHAN_SES_PACKET_DEFAULT; 447 if (cctx->want_tty) { 448 window >>= 1; 449 packetmax >>= 1; 450 } 451 452 nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING, 453 new_fd[0], new_fd[1], new_fd[2], window, packetmax, 454 CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO); 455 456 nc->ctl_chan = c->self; /* link session -> control channel */ 457 c->remote_id = nc->self; /* link control -> session channel */ 458 c->have_remote_id = 1; 459 460 if (cctx->want_tty && escape_char != 0xffffffff) { 461 channel_register_filter(ssh, nc->self, 462 client_simple_escape_filter, NULL, 463 client_filter_cleanup, 464 client_new_escape_filter_ctx((int)escape_char)); 465 } 466 467 debug2_f("channel_new: %d linked to control channel %d", 468 nc->self, nc->ctl_chan); 469 470 channel_send_open(ssh, nc->self); 471 channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx); 472 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 473 channel_register_cleanup(ssh, nc->self, 474 mux_master_session_cleanup_cb, 1); 475 476 /* reply is deferred, sent by mux_session_confirm */ 477 return 0; 478} 479 480static int 481mux_master_process_alive_check(struct ssh *ssh, u_int rid, 482 Channel *c, struct sshbuf *m, struct sshbuf *reply) 483{ 484 int r; 485 486 debug2_f("channel %d: alive check", c->self); 487 488 /* prepare reply */ 489 if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 || 490 (r = sshbuf_put_u32(reply, rid)) != 0 || 491 (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0) 492 fatal_fr(r, "reply"); 493 494 return 0; 495} 496 497static int 498mux_master_process_terminate(struct ssh *ssh, u_int rid, 499 Channel *c, struct sshbuf *m, struct sshbuf *reply) 500{ 501 debug2_f("channel %d: terminate request", c->self); 502 503 if (options.control_master == SSHCTL_MASTER_ASK || 504 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 505 if (!ask_permission("Terminate shared connection to %s? ", 506 host)) { 507 debug2_f("termination refused by user"); 508 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 509 "Permission denied"); 510 return 0; 511 } 512 } 513 514 quit_pending = 1; 515 reply_ok(reply, rid); 516 /* XXX exit happens too soon - message never makes it to client */ 517 return 0; 518} 519 520static char * 521format_forward(u_int ftype, struct Forward *fwd) 522{ 523 char *ret; 524 525 switch (ftype) { 526 case MUX_FWD_LOCAL: 527 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d", 528 (fwd->listen_path != NULL) ? fwd->listen_path : 529 (fwd->listen_host == NULL) ? 530 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 531 fwd->listen_host, fwd->listen_port, 532 (fwd->connect_path != NULL) ? fwd->connect_path : 533 fwd->connect_host, fwd->connect_port); 534 break; 535 case MUX_FWD_DYNAMIC: 536 xasprintf(&ret, "dynamic forward %.200s:%d -> *", 537 (fwd->listen_host == NULL) ? 538 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") : 539 fwd->listen_host, fwd->listen_port); 540 break; 541 case MUX_FWD_REMOTE: 542 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d", 543 (fwd->listen_path != NULL) ? fwd->listen_path : 544 (fwd->listen_host == NULL) ? 545 "LOCALHOST" : fwd->listen_host, 546 fwd->listen_port, 547 (fwd->connect_path != NULL) ? fwd->connect_path : 548 fwd->connect_host, fwd->connect_port); 549 break; 550 default: 551 fatal_f("unknown forward type %u", ftype); 552 } 553 return ret; 554} 555 556static int 557compare_host(const char *a, const char *b) 558{ 559 if (a == NULL && b == NULL) 560 return 1; 561 if (a == NULL || b == NULL) 562 return 0; 563 return strcmp(a, b) == 0; 564} 565 566static int 567compare_forward(struct Forward *a, struct Forward *b) 568{ 569 if (!compare_host(a->listen_host, b->listen_host)) 570 return 0; 571 if (!compare_host(a->listen_path, b->listen_path)) 572 return 0; 573 if (a->listen_port != b->listen_port) 574 return 0; 575 if (!compare_host(a->connect_host, b->connect_host)) 576 return 0; 577 if (!compare_host(a->connect_path, b->connect_path)) 578 return 0; 579 if (a->connect_port != b->connect_port) 580 return 0; 581 582 return 1; 583} 584 585static void 586mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt) 587{ 588 struct mux_channel_confirm_ctx *fctx = ctxt; 589 char *failmsg = NULL; 590 struct Forward *rfwd; 591 Channel *c; 592 struct sshbuf *out; 593 u_int port; 594 int r; 595 596 if ((c = channel_by_id(ssh, fctx->cid)) == NULL) { 597 /* no channel for reply */ 598 error_f("unknown channel"); 599 return; 600 } 601 if ((out = sshbuf_new()) == NULL) 602 fatal_f("sshbuf_new"); 603 if (fctx->fid >= options.num_remote_forwards || 604 (options.remote_forwards[fctx->fid].connect_path == NULL && 605 options.remote_forwards[fctx->fid].connect_host == NULL)) { 606 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid); 607 goto fail; 608 } 609 rfwd = &options.remote_forwards[fctx->fid]; 610 debug_f("%s for: listen %d, connect %s:%d", 611 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 612 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path : 613 rfwd->connect_host, rfwd->connect_port); 614 if (type == SSH2_MSG_REQUEST_SUCCESS) { 615 if (rfwd->listen_port == 0) { 616 if ((r = sshpkt_get_u32(ssh, &port)) != 0) 617 fatal_fr(r, "parse port"); 618 if (port > 65535) { 619 fatal("Invalid allocated port %u for " 620 "mux remote forward to %s:%d", port, 621 rfwd->connect_host, rfwd->connect_port); 622 } 623 rfwd->allocated_port = (int)port; 624 debug("Allocated port %u for mux remote forward" 625 " to %s:%d", rfwd->allocated_port, 626 rfwd->connect_host, rfwd->connect_port); 627 if ((r = sshbuf_put_u32(out, 628 MUX_S_REMOTE_PORT)) != 0 || 629 (r = sshbuf_put_u32(out, fctx->rid)) != 0 || 630 (r = sshbuf_put_u32(out, 631 rfwd->allocated_port)) != 0) 632 fatal_fr(r, "reply"); 633 channel_update_permission(ssh, rfwd->handle, 634 rfwd->allocated_port); 635 } else { 636 reply_ok(out, fctx->rid); 637 } 638 goto out; 639 } else { 640 if (rfwd->listen_port == 0) 641 channel_update_permission(ssh, rfwd->handle, -1); 642 if (rfwd->listen_path != NULL) 643 xasprintf(&failmsg, "remote port forwarding failed for " 644 "listen path %s", rfwd->listen_path); 645 else 646 xasprintf(&failmsg, "remote port forwarding failed for " 647 "listen port %d", rfwd->listen_port); 648 649 debug2_f("clearing registered forwarding for listen %d, " 650 "connect %s:%d", rfwd->listen_port, 651 rfwd->connect_path ? rfwd->connect_path : 652 rfwd->connect_host, rfwd->connect_port); 653 654 free(rfwd->listen_host); 655 free(rfwd->listen_path); 656 free(rfwd->connect_host); 657 free(rfwd->connect_path); 658 memset(rfwd, 0, sizeof(*rfwd)); 659 } 660 fail: 661 error_f("%s", failmsg); 662 reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg); 663 free(failmsg); 664 out: 665 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 666 fatal_fr(r, "enqueue"); 667 sshbuf_free(out); 668 if (c->mux_pause <= 0) 669 fatal_f("mux_pause %d", c->mux_pause); 670 c->mux_pause = 0; /* start processing messages again */ 671} 672 673static int 674mux_master_process_open_fwd(struct ssh *ssh, u_int rid, 675 Channel *c, struct sshbuf *m, struct sshbuf *reply) 676{ 677 struct Forward fwd; 678 char *fwd_desc = NULL; 679 char *listen_addr, *connect_addr; 680 u_int ftype; 681 u_int lport, cport; 682 int r, i, ret = 0, freefwd = 1; 683 684 memset(&fwd, 0, sizeof(fwd)); 685 686 /* XXX - lport/cport check redundant */ 687 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 688 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 689 (r = sshbuf_get_u32(m, &lport)) != 0 || 690 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 691 (r = sshbuf_get_u32(m, &cport)) != 0 || 692 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 693 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 694 error_f("malformed message"); 695 ret = -1; 696 goto out; 697 } 698 if (*listen_addr == '\0') { 699 free(listen_addr); 700 listen_addr = NULL; 701 } 702 if (*connect_addr == '\0') { 703 free(connect_addr); 704 connect_addr = NULL; 705 } 706 707 memset(&fwd, 0, sizeof(fwd)); 708 fwd.listen_port = lport; 709 if (fwd.listen_port == PORT_STREAMLOCAL) 710 fwd.listen_path = listen_addr; 711 else 712 fwd.listen_host = listen_addr; 713 fwd.connect_port = cport; 714 if (fwd.connect_port == PORT_STREAMLOCAL) 715 fwd.connect_path = connect_addr; 716 else 717 fwd.connect_host = connect_addr; 718 719 debug2_f("channel %d: request %s", c->self, 720 (fwd_desc = format_forward(ftype, &fwd))); 721 722 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE && 723 ftype != MUX_FWD_DYNAMIC) { 724 logit_f("invalid forwarding type %u", ftype); 725 invalid: 726 free(listen_addr); 727 free(connect_addr); 728 reply_error(reply, MUX_S_FAILURE, rid, 729 "Invalid forwarding request"); 730 return 0; 731 } 732 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) { 733 logit_f("streamlocal and dynamic forwards " 734 "are mutually exclusive"); 735 goto invalid; 736 } 737 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) { 738 logit_f("invalid listen port %u", fwd.listen_port); 739 goto invalid; 740 } 741 if ((fwd.connect_port != PORT_STREAMLOCAL && 742 fwd.connect_port >= 65536) || 743 (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && 744 fwd.connect_port == 0)) { 745 logit_f("invalid connect port %u", 746 fwd.connect_port); 747 goto invalid; 748 } 749 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && 750 fwd.connect_path == NULL) { 751 logit_f("missing connect host"); 752 goto invalid; 753 } 754 755 /* Skip forwards that have already been requested */ 756 switch (ftype) { 757 case MUX_FWD_LOCAL: 758 case MUX_FWD_DYNAMIC: 759 for (i = 0; i < options.num_local_forwards; i++) { 760 if (compare_forward(&fwd, 761 options.local_forwards + i)) { 762 exists: 763 debug2_f("found existing forwarding"); 764 reply_ok(reply, rid); 765 goto out; 766 } 767 } 768 break; 769 case MUX_FWD_REMOTE: 770 for (i = 0; i < options.num_remote_forwards; i++) { 771 if (!compare_forward(&fwd, options.remote_forwards + i)) 772 continue; 773 if (fwd.listen_port != 0) 774 goto exists; 775 debug2_f("found allocated port"); 776 if ((r = sshbuf_put_u32(reply, 777 MUX_S_REMOTE_PORT)) != 0 || 778 (r = sshbuf_put_u32(reply, rid)) != 0 || 779 (r = sshbuf_put_u32(reply, 780 options.remote_forwards[i].allocated_port)) != 0) 781 fatal_fr(r, "reply FWD_REMOTE"); 782 goto out; 783 } 784 break; 785 } 786 787 if (options.control_master == SSHCTL_MASTER_ASK || 788 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 789 if (!ask_permission("Open %s on %s?", fwd_desc, host)) { 790 debug2_f("forwarding refused by user"); 791 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 792 "Permission denied"); 793 goto out; 794 } 795 } 796 797 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 798 if (!channel_setup_local_fwd_listener(ssh, &fwd, 799 &options.fwd_opts)) { 800 fail: 801 logit_f("requested %s failed", fwd_desc); 802 reply_error(reply, MUX_S_FAILURE, rid, 803 "Port forwarding failed"); 804 goto out; 805 } 806 add_local_forward(&options, &fwd); 807 freefwd = 0; 808 } else { 809 struct mux_channel_confirm_ctx *fctx; 810 811 fwd.handle = channel_request_remote_forwarding(ssh, &fwd); 812 if (fwd.handle < 0) 813 goto fail; 814 add_remote_forward(&options, &fwd); 815 fctx = xcalloc(1, sizeof(*fctx)); 816 fctx->cid = c->self; 817 fctx->rid = rid; 818 fctx->fid = options.num_remote_forwards - 1; 819 client_register_global_confirm(mux_confirm_remote_forward, 820 fctx); 821 freefwd = 0; 822 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */ 823 /* delayed reply in mux_confirm_remote_forward */ 824 goto out; 825 } 826 reply_ok(reply, rid); 827 out: 828 free(fwd_desc); 829 if (freefwd) { 830 free(fwd.listen_host); 831 free(fwd.listen_path); 832 free(fwd.connect_host); 833 free(fwd.connect_path); 834 } 835 return ret; 836} 837 838static int 839mux_master_process_close_fwd(struct ssh *ssh, u_int rid, 840 Channel *c, struct sshbuf *m, struct sshbuf *reply) 841{ 842 struct Forward fwd, *found_fwd; 843 char *fwd_desc = NULL; 844 const char *error_reason = NULL; 845 char *listen_addr = NULL, *connect_addr = NULL; 846 u_int ftype; 847 int r, i, ret = 0; 848 u_int lport, cport; 849 850 memset(&fwd, 0, sizeof(fwd)); 851 852 if ((r = sshbuf_get_u32(m, &ftype)) != 0 || 853 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 || 854 (r = sshbuf_get_u32(m, &lport)) != 0 || 855 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 || 856 (r = sshbuf_get_u32(m, &cport)) != 0 || 857 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) || 858 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) { 859 error_f("malformed message"); 860 ret = -1; 861 goto out; 862 } 863 864 if (*listen_addr == '\0') { 865 free(listen_addr); 866 listen_addr = NULL; 867 } 868 if (*connect_addr == '\0') { 869 free(connect_addr); 870 connect_addr = NULL; 871 } 872 873 memset(&fwd, 0, sizeof(fwd)); 874 fwd.listen_port = lport; 875 if (fwd.listen_port == PORT_STREAMLOCAL) 876 fwd.listen_path = listen_addr; 877 else 878 fwd.listen_host = listen_addr; 879 fwd.connect_port = cport; 880 if (fwd.connect_port == PORT_STREAMLOCAL) 881 fwd.connect_path = connect_addr; 882 else 883 fwd.connect_host = connect_addr; 884 885 debug2_f("channel %d: request cancel %s", c->self, 886 (fwd_desc = format_forward(ftype, &fwd))); 887 888 /* make sure this has been requested */ 889 found_fwd = NULL; 890 switch (ftype) { 891 case MUX_FWD_LOCAL: 892 case MUX_FWD_DYNAMIC: 893 for (i = 0; i < options.num_local_forwards; i++) { 894 if (compare_forward(&fwd, 895 options.local_forwards + i)) { 896 found_fwd = options.local_forwards + i; 897 break; 898 } 899 } 900 break; 901 case MUX_FWD_REMOTE: 902 for (i = 0; i < options.num_remote_forwards; i++) { 903 if (compare_forward(&fwd, 904 options.remote_forwards + i)) { 905 found_fwd = options.remote_forwards + i; 906 break; 907 } 908 } 909 break; 910 } 911 912 if (found_fwd == NULL) 913 error_reason = "port not forwarded"; 914 else if (ftype == MUX_FWD_REMOTE) { 915 /* 916 * This shouldn't fail unless we confused the host/port 917 * between options.remote_forwards and permitted_opens. 918 * However, for dynamic allocated listen ports we need 919 * to use the actual listen port. 920 */ 921 if (channel_request_rforward_cancel(ssh, found_fwd) == -1) 922 error_reason = "port not in permitted opens"; 923 } else { /* local and dynamic forwards */ 924 /* Ditto */ 925 if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port, 926 &options.fwd_opts) == -1) 927 error_reason = "port not found"; 928 } 929 930 if (error_reason != NULL) 931 reply_error(reply, MUX_S_FAILURE, rid, error_reason); 932 else { 933 reply_ok(reply, rid); 934 free(found_fwd->listen_host); 935 free(found_fwd->listen_path); 936 free(found_fwd->connect_host); 937 free(found_fwd->connect_path); 938 found_fwd->listen_host = found_fwd->connect_host = NULL; 939 found_fwd->listen_path = found_fwd->connect_path = NULL; 940 found_fwd->listen_port = found_fwd->connect_port = 0; 941 } 942 out: 943 free(fwd_desc); 944 free(listen_addr); 945 free(connect_addr); 946 947 return ret; 948} 949 950static int 951mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid, 952 Channel *c, struct sshbuf *m, struct sshbuf *reply) 953{ 954 Channel *nc; 955 char *chost = NULL; 956 u_int _cport, i, j; 957 int ok = 0, cport, r, new_fd[2]; 958 struct mux_stdio_confirm_ctx *cctx; 959 960 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */ 961 (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 || 962 (r = sshbuf_get_u32(m, &_cport)) != 0) { 963 free(chost); 964 error_f("malformed message"); 965 return -1; 966 } 967 if (_cport == (u_int)PORT_STREAMLOCAL) 968 cport = PORT_STREAMLOCAL; 969 else if (_cport <= INT_MAX) 970 cport = (int)_cport; 971 else { 972 free(chost); 973 error_f("invalid port 0x%x", _cport); 974 return -1; 975 } 976 977 debug2_f("channel %d: stdio fwd to %s:%d", c->self, chost, cport); 978 979 /* Gather fds from client */ 980 for(i = 0; i < 2; i++) { 981 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 982 error_f("failed to receive fd %d from client", i); 983 for (j = 0; j < i; j++) 984 close(new_fd[j]); 985 free(chost); 986 987 /* prepare reply */ 988 reply_error(reply, MUX_S_FAILURE, rid, 989 "did not receive file descriptors"); 990 return -1; 991 } 992 } 993 994 debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]); 995 996 /* XXX support multiple child sessions in future */ 997 if (c->have_remote_id) { 998 debug2_f("session already open"); 999 reply_error(reply, MUX_S_FAILURE, rid, 1000 "Multiple sessions not supported"); 1001 cleanup: 1002 close(new_fd[0]); 1003 close(new_fd[1]); 1004 free(chost); 1005 return 0; 1006 } 1007 1008 if (options.control_master == SSHCTL_MASTER_ASK || 1009 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1010 if (cport == PORT_STREAMLOCAL) { 1011 ok = ask_permission("Allow forward to path %s", chost); 1012 } else { 1013 ok = ask_permission("Allow forward to [%s]:%d? ", 1014 chost, cport); 1015 } 1016 if (!ok) { 1017 debug2_f("stdio fwd refused by user"); 1018 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1019 "Permission denied"); 1020 goto cleanup; 1021 } 1022 } 1023 1024 nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1], 1025 CHANNEL_NONBLOCK_STDIO); 1026 free(chost); 1027 1028 nc->ctl_chan = c->self; /* link session -> control channel */ 1029 c->remote_id = nc->self; /* link control -> session channel */ 1030 c->have_remote_id = 1; 1031 1032 debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan); 1033 1034 channel_register_cleanup(ssh, nc->self, 1035 mux_master_session_cleanup_cb, 1); 1036 1037 cctx = xcalloc(1, sizeof(*cctx)); 1038 cctx->rid = rid; 1039 channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx); 1040 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 1041 1042 /* reply is deferred, sent by mux_session_confirm */ 1043 return 0; 1044} 1045 1046/* Callback on open confirmation in mux master for a mux stdio fwd session. */ 1047static void 1048mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg) 1049{ 1050 struct mux_stdio_confirm_ctx *cctx = arg; 1051 Channel *c, *cc; 1052 struct sshbuf *reply; 1053 int r; 1054 1055 if (cctx == NULL) 1056 fatal_f("cctx == NULL"); 1057 if ((c = channel_by_id(ssh, id)) == NULL) 1058 fatal_f("no channel for id %d", id); 1059 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1060 fatal_f("channel %d lacks control channel %d", 1061 id, c->ctl_chan); 1062 if ((reply = sshbuf_new()) == NULL) 1063 fatal_f("sshbuf_new"); 1064 1065 if (!success) { 1066 debug3_f("sending failure reply"); 1067 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1068 "Session open refused by peer"); 1069 /* prepare reply */ 1070 goto done; 1071 } 1072 1073 debug3_f("sending success reply"); 1074 /* prepare reply */ 1075 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1076 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1077 (r = sshbuf_put_u32(reply, c->self)) != 0) 1078 fatal_fr(r, "reply"); 1079 1080 done: 1081 /* Send reply */ 1082 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1083 fatal_fr(r, "enqueue"); 1084 sshbuf_free(reply); 1085 1086 if (cc->mux_pause <= 0) 1087 fatal_f("mux_pause %d", cc->mux_pause); 1088 cc->mux_pause = 0; /* start processing messages again */ 1089 c->open_confirm_ctx = NULL; 1090 free(cctx); 1091} 1092 1093static int 1094mux_master_process_stop_listening(struct ssh *ssh, u_int rid, 1095 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1096{ 1097 debug_f("channel %d: stop listening", c->self); 1098 1099 if (options.control_master == SSHCTL_MASTER_ASK || 1100 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 1101 if (!ask_permission("Disable further multiplexing on shared " 1102 "connection to %s? ", host)) { 1103 debug2_f("stop listen refused by user"); 1104 reply_error(reply, MUX_S_PERMISSION_DENIED, rid, 1105 "Permission denied"); 1106 return 0; 1107 } 1108 } 1109 1110 if (mux_listener_channel != NULL) { 1111 channel_free(ssh, mux_listener_channel); 1112 client_stop_mux(); 1113 free(options.control_path); 1114 options.control_path = NULL; 1115 mux_listener_channel = NULL; 1116 muxserver_sock = -1; 1117 } 1118 1119 reply_ok(reply, rid); 1120 return 0; 1121} 1122 1123static int 1124mux_master_process_proxy(struct ssh *ssh, u_int rid, 1125 Channel *c, struct sshbuf *m, struct sshbuf *reply) 1126{ 1127 int r; 1128 1129 debug_f("channel %d: proxy request", c->self); 1130 1131 c->mux_rcb = channel_proxy_downstream; 1132 if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 || 1133 (r = sshbuf_put_u32(reply, rid)) != 0) 1134 fatal_fr(r, "reply"); 1135 1136 return 0; 1137} 1138 1139/* Channel callbacks fired on read/write from mux client fd */ 1140static int 1141mux_master_read_cb(struct ssh *ssh, Channel *c) 1142{ 1143 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 1144 struct sshbuf *in = NULL, *out = NULL; 1145 u_int type, rid, i; 1146 int r, ret = -1; 1147 1148 if ((out = sshbuf_new()) == NULL) 1149 fatal_f("sshbuf_new"); 1150 1151 /* Setup ctx and */ 1152 if (c->mux_ctx == NULL) { 1153 state = xcalloc(1, sizeof(*state)); 1154 c->mux_ctx = state; 1155 channel_register_cleanup(ssh, c->self, 1156 mux_master_control_cleanup_cb, 0); 1157 1158 /* Send hello */ 1159 if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 || 1160 (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0) 1161 fatal_fr(r, "reply"); 1162 /* no extensions */ 1163 if ((r = sshbuf_put_stringb(c->output, out)) != 0) 1164 fatal_fr(r, "enqueue"); 1165 debug3_f("channel %d: hello sent", c->self); 1166 ret = 0; 1167 goto out; 1168 } 1169 1170 /* Channel code ensures that we receive whole packets */ 1171 if ((r = sshbuf_froms(c->input, &in)) != 0) { 1172 malf: 1173 error_f("malformed message"); 1174 goto out; 1175 } 1176 1177 if ((r = sshbuf_get_u32(in, &type)) != 0) 1178 goto malf; 1179 debug3_f("channel %d packet type 0x%08x len %zu", c->self, 1180 type, sshbuf_len(in)); 1181 1182 if (type == MUX_MSG_HELLO) 1183 rid = 0; 1184 else { 1185 if (!state->hello_rcvd) { 1186 error_f("expected MUX_MSG_HELLO(0x%08x), " 1187 "received 0x%08x", MUX_MSG_HELLO, type); 1188 goto out; 1189 } 1190 if ((r = sshbuf_get_u32(in, &rid)) != 0) 1191 goto malf; 1192 } 1193 1194 for (i = 0; mux_master_handlers[i].handler != NULL; i++) { 1195 if (type == mux_master_handlers[i].type) { 1196 ret = mux_master_handlers[i].handler(ssh, rid, 1197 c, in, out); 1198 break; 1199 } 1200 } 1201 if (mux_master_handlers[i].handler == NULL) { 1202 error_f("unsupported mux message 0x%08x", type); 1203 reply_error(out, MUX_S_FAILURE, rid, "unsupported request"); 1204 ret = 0; 1205 } 1206 /* Enqueue reply packet */ 1207 if (sshbuf_len(out) != 0 && 1208 (r = sshbuf_put_stringb(c->output, out)) != 0) 1209 fatal_fr(r, "enqueue"); 1210 out: 1211 sshbuf_free(in); 1212 sshbuf_free(out); 1213 return ret; 1214} 1215 1216void 1217mux_exit_message(struct ssh *ssh, Channel *c, int exitval) 1218{ 1219 struct sshbuf *m; 1220 Channel *mux_chan; 1221 int r; 1222 1223 debug3_f("channel %d: exit message, exitval %d", c->self, exitval); 1224 1225 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1226 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1227 1228 /* Append exit message packet to control socket output queue */ 1229 if ((m = sshbuf_new()) == NULL) 1230 fatal_f("sshbuf_new"); 1231 if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 || 1232 (r = sshbuf_put_u32(m, c->self)) != 0 || 1233 (r = sshbuf_put_u32(m, exitval)) != 0 || 1234 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1235 fatal_fr(r, "reply"); 1236 sshbuf_free(m); 1237} 1238 1239void 1240mux_tty_alloc_failed(struct ssh *ssh, Channel *c) 1241{ 1242 struct sshbuf *m; 1243 Channel *mux_chan; 1244 int r; 1245 1246 debug3_f("channel %d: TTY alloc failed", c->self); 1247 1248 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL) 1249 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan); 1250 1251 /* Append exit message packet to control socket output queue */ 1252 if ((m = sshbuf_new()) == NULL) 1253 fatal_f("sshbuf_new"); 1254 if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 || 1255 (r = sshbuf_put_u32(m, c->self)) != 0 || 1256 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0) 1257 fatal_fr(r, "reply"); 1258 sshbuf_free(m); 1259} 1260 1261/* Prepare a mux master to listen on a Unix domain socket. */ 1262void 1263muxserver_listen(struct ssh *ssh) 1264{ 1265 mode_t old_umask; 1266 char *orig_control_path = options.control_path; 1267 char rbuf[16+1]; 1268 u_int i, r; 1269 int oerrno; 1270 1271 if (options.control_path == NULL || 1272 options.control_master == SSHCTL_MASTER_NO) 1273 return; 1274 1275 debug("setting up multiplex master socket"); 1276 1277 /* 1278 * Use a temporary path before listen so we can pseudo-atomically 1279 * establish the listening socket in its final location to avoid 1280 * other processes racing in between bind() and listen() and hitting 1281 * an unready socket. 1282 */ 1283 for (i = 0; i < sizeof(rbuf) - 1; i++) { 1284 r = arc4random_uniform(26+26+10); 1285 rbuf[i] = (r < 26) ? 'a' + r : 1286 (r < 26*2) ? 'A' + r - 26 : 1287 '0' + r - 26 - 26; 1288 } 1289 rbuf[sizeof(rbuf) - 1] = '\0'; 1290 options.control_path = NULL; 1291 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf); 1292 debug3_f("temporary control path %s", options.control_path); 1293 1294 old_umask = umask(0177); 1295 muxserver_sock = unix_listener(options.control_path, 64, 0); 1296 oerrno = errno; 1297 umask(old_umask); 1298 if (muxserver_sock < 0) { 1299 if (oerrno == EINVAL || oerrno == EADDRINUSE) { 1300 error("ControlSocket %s already exists, " 1301 "disabling multiplexing", options.control_path); 1302 disable_mux_master: 1303 if (muxserver_sock != -1) { 1304 close(muxserver_sock); 1305 muxserver_sock = -1; 1306 } 1307 free(orig_control_path); 1308 free(options.control_path); 1309 options.control_path = NULL; 1310 options.control_master = SSHCTL_MASTER_NO; 1311 return; 1312 } else { 1313 /* unix_listener() logs the error */ 1314 cleanup_exit(254); 1315 } 1316 } 1317 1318 /* Now atomically "move" the mux socket into position */ 1319 if (link(options.control_path, orig_control_path) != 0) { 1320 if (errno != EEXIST) { 1321 fatal_f("link mux listener %s => %s: %s", 1322 options.control_path, orig_control_path, 1323 strerror(errno)); 1324 } 1325 error("ControlSocket %s already exists, disabling multiplexing", 1326 orig_control_path); 1327 unlink(options.control_path); 1328 goto disable_mux_master; 1329 } 1330 unlink(options.control_path); 1331 free(options.control_path); 1332 options.control_path = orig_control_path; 1333 1334 set_nonblock(muxserver_sock); 1335 1336 mux_listener_channel = channel_new(ssh, "mux listener", 1337 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1, 1338 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1339 0, options.control_path, 1); 1340 mux_listener_channel->mux_rcb = mux_master_read_cb; 1341 debug3_f("mux listener channel %d fd %d", 1342 mux_listener_channel->self, mux_listener_channel->sock); 1343} 1344 1345/* Callback on open confirmation in mux master for a mux client session. */ 1346static void 1347mux_session_confirm(struct ssh *ssh, int id, int success, void *arg) 1348{ 1349 struct mux_session_confirm_ctx *cctx = arg; 1350 const char *display; 1351 Channel *c, *cc; 1352 int i, r; 1353 struct sshbuf *reply; 1354 1355 if (cctx == NULL) 1356 fatal_f("cctx == NULL"); 1357 if ((c = channel_by_id(ssh, id)) == NULL) 1358 fatal_f("no channel for id %d", id); 1359 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL) 1360 fatal_f("channel %d lacks control channel %d", 1361 id, c->ctl_chan); 1362 if ((reply = sshbuf_new()) == NULL) 1363 fatal_f("sshbuf_new"); 1364 1365 if (!success) { 1366 debug3_f("sending failure reply"); 1367 reply_error(reply, MUX_S_FAILURE, cctx->rid, 1368 "Session open refused by peer"); 1369 goto done; 1370 } 1371 1372 display = getenv("DISPLAY"); 1373 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 1374 char *proto, *data; 1375 1376 /* Get reasonable local authentication information. */ 1377 if (client_x11_get_proto(ssh, display, options.xauth_location, 1378 options.forward_x11_trusted, options.forward_x11_timeout, 1379 &proto, &data) == 0) { 1380 /* Request forwarding with authentication spoofing. */ 1381 debug("Requesting X11 forwarding with authentication " 1382 "spoofing."); 1383 x11_request_forwarding_with_spoofing(ssh, id, 1384 display, proto, data, 1); 1385 /* XXX exit_on_forward_failure */ 1386 client_expect_confirm(ssh, id, "X11 forwarding", 1387 CONFIRM_WARN); 1388 } 1389 } 1390 1391 if (cctx->want_agent_fwd && options.forward_agent) { 1392 debug("Requesting authentication agent forwarding."); 1393 channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0); 1394 if ((r = sshpkt_send(ssh)) != 0) 1395 fatal_fr(r, "send"); 1396 } 1397 1398 client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys, 1399 cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env); 1400 1401 debug3_f("sending success reply"); 1402 /* prepare reply */ 1403 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 || 1404 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 || 1405 (r = sshbuf_put_u32(reply, c->self)) != 0) 1406 fatal_fr(r, "reply"); 1407 1408 done: 1409 /* Send reply */ 1410 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0) 1411 fatal_fr(r, "enqueue"); 1412 sshbuf_free(reply); 1413 1414 if (cc->mux_pause <= 0) 1415 fatal_f("mux_pause %d", cc->mux_pause); 1416 cc->mux_pause = 0; /* start processing messages again */ 1417 c->open_confirm_ctx = NULL; 1418 sshbuf_free(cctx->cmd); 1419 free(cctx->term); 1420 if (cctx->env != NULL) { 1421 for (i = 0; cctx->env[i] != NULL; i++) 1422 free(cctx->env[i]); 1423 free(cctx->env); 1424 } 1425 free(cctx); 1426} 1427 1428/* ** Multiplexing client support */ 1429 1430/* Exit signal handler */ 1431static void 1432control_client_sighandler(int signo) 1433{ 1434 muxclient_terminate = signo; 1435} 1436 1437/* 1438 * Relay signal handler - used to pass some signals from mux client to 1439 * mux master. 1440 */ 1441static void 1442control_client_sigrelay(int signo) 1443{ 1444 int save_errno = errno; 1445 1446 if (muxserver_pid > 1) 1447 kill(muxserver_pid, signo); 1448 1449 errno = save_errno; 1450} 1451 1452static int 1453mux_client_read(int fd, struct sshbuf *b, size_t need, int timeout_ms) 1454{ 1455 size_t have; 1456 ssize_t len; 1457 u_char *p; 1458 int r; 1459 1460 if ((r = sshbuf_reserve(b, need, &p)) != 0) 1461 fatal_fr(r, "reserve"); 1462 for (have = 0; have < need; ) { 1463 if (muxclient_terminate) { 1464 errno = EINTR; 1465 return -1; 1466 } 1467 len = read(fd, p + have, need - have); 1468 if (len == -1) { 1469 switch (errno) { 1470 case EAGAIN: 1471 if (waitrfd(fd, &timeout_ms, 1472 &muxclient_terminate) == -1 && 1473 errno != EINTR) 1474 return -1; /* timeout */ 1475 /* FALLTHROUGH */ 1476 case EINTR: 1477 continue; 1478 default: 1479 return -1; 1480 } 1481 } 1482 if (len == 0) { 1483 errno = EPIPE; 1484 return -1; 1485 } 1486 have += (size_t)len; 1487 } 1488 return 0; 1489} 1490 1491static int 1492mux_client_write_packet(int fd, struct sshbuf *m) 1493{ 1494 struct sshbuf *queue; 1495 u_int have, need; 1496 int r, oerrno, len; 1497 const u_char *ptr; 1498 struct pollfd pfd; 1499 1500 pfd.fd = fd; 1501 pfd.events = POLLOUT; 1502 if ((queue = sshbuf_new()) == NULL) 1503 fatal_f("sshbuf_new"); 1504 if ((r = sshbuf_put_stringb(queue, m)) != 0) 1505 fatal_fr(r, "enqueue"); 1506 1507 need = sshbuf_len(queue); 1508 ptr = sshbuf_ptr(queue); 1509 1510 for (have = 0; have < need; ) { 1511 if (muxclient_terminate) { 1512 sshbuf_free(queue); 1513 errno = EINTR; 1514 return -1; 1515 } 1516 len = write(fd, ptr + have, need - have); 1517 if (len == -1) { 1518 switch (errno) { 1519 case EAGAIN: 1520 (void)poll(&pfd, 1, -1); 1521 /* FALLTHROUGH */ 1522 case EINTR: 1523 continue; 1524 default: 1525 oerrno = errno; 1526 sshbuf_free(queue); 1527 errno = oerrno; 1528 return -1; 1529 } 1530 } 1531 if (len == 0) { 1532 sshbuf_free(queue); 1533 errno = EPIPE; 1534 return -1; 1535 } 1536 have += (u_int)len; 1537 } 1538 sshbuf_free(queue); 1539 return 0; 1540} 1541 1542static int 1543mux_client_read_packet_timeout(int fd, struct sshbuf *m, int timeout_ms) 1544{ 1545 struct sshbuf *queue; 1546 size_t need, have; 1547 const u_char *ptr; 1548 int r, oerrno; 1549 1550 if ((queue = sshbuf_new()) == NULL) 1551 fatal_f("sshbuf_new"); 1552 if (mux_client_read(fd, queue, 4, timeout_ms) != 0) { 1553 if ((oerrno = errno) == EPIPE) 1554 debug3_f("read header failed: %s", 1555 strerror(errno)); 1556 sshbuf_free(queue); 1557 errno = oerrno; 1558 return -1; 1559 } 1560 need = PEEK_U32(sshbuf_ptr(queue)); 1561 if (mux_client_read(fd, queue, need, timeout_ms) != 0) { 1562 oerrno = errno; 1563 debug3_f("read body failed: %s", strerror(errno)); 1564 sshbuf_free(queue); 1565 errno = oerrno; 1566 return -1; 1567 } 1568 if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 || 1569 (r = sshbuf_put(m, ptr, have)) != 0) 1570 fatal_fr(r, "dequeue"); 1571 sshbuf_free(queue); 1572 return 0; 1573} 1574 1575static int 1576mux_client_read_packet(int fd, struct sshbuf *m) 1577{ 1578 return mux_client_read_packet_timeout(fd, m, -1); 1579} 1580 1581static int 1582mux_client_hello_exchange(int fd, int timeout_ms) 1583{ 1584 struct sshbuf *m; 1585 u_int type, ver; 1586 int r, ret = -1; 1587 1588 if ((m = sshbuf_new()) == NULL) 1589 fatal_f("sshbuf_new"); 1590 if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 || 1591 (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0) 1592 fatal_fr(r, "assemble hello"); 1593 /* no extensions */ 1594 1595 if (mux_client_write_packet(fd, m) != 0) { 1596 debug_f("write packet: %s", strerror(errno)); 1597 goto out; 1598 } 1599 1600 sshbuf_reset(m); 1601 1602 /* Read their HELLO */ 1603 if (mux_client_read_packet_timeout(fd, m, timeout_ms) != 0) { 1604 debug_f("read packet failed"); 1605 goto out; 1606 } 1607 1608 if ((r = sshbuf_get_u32(m, &type)) != 0) 1609 fatal_fr(r, "parse type"); 1610 if (type != MUX_MSG_HELLO) { 1611 error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type); 1612 goto out; 1613 } 1614 if ((r = sshbuf_get_u32(m, &ver)) != 0) 1615 fatal_fr(r, "parse version"); 1616 if (ver != SSHMUX_VER) { 1617 error("Unsupported multiplexing protocol version %d " 1618 "(expected %d)", ver, SSHMUX_VER); 1619 goto out; 1620 } 1621 debug2_f("master version %u", ver); 1622 /* No extensions are presently defined */ 1623 while (sshbuf_len(m) > 0) { 1624 char *name = NULL; 1625 1626 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 || 1627 (r = sshbuf_skip_string(m)) != 0) { /* value */ 1628 error_fr(r, "parse extension"); 1629 goto out; 1630 } 1631 debug2("Unrecognised master extension \"%s\"", name); 1632 free(name); 1633 } 1634 /* success */ 1635 ret = 0; 1636 out: 1637 sshbuf_free(m); 1638 return ret; 1639} 1640 1641static u_int 1642mux_client_request_alive(int fd) 1643{ 1644 struct sshbuf *m; 1645 char *e; 1646 u_int pid, type, rid; 1647 int r; 1648 1649 debug3_f("entering"); 1650 1651 if ((m = sshbuf_new()) == NULL) 1652 fatal_f("sshbuf_new"); 1653 if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 || 1654 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1655 fatal_fr(r, "assemble"); 1656 1657 if (mux_client_write_packet(fd, m) != 0) 1658 fatal_f("write packet: %s", strerror(errno)); 1659 1660 sshbuf_reset(m); 1661 1662 /* Read their reply */ 1663 if (mux_client_read_packet(fd, m) != 0) { 1664 sshbuf_free(m); 1665 return 0; 1666 } 1667 1668 if ((r = sshbuf_get_u32(m, &type)) != 0) 1669 fatal_fr(r, "parse type"); 1670 if (type != MUX_S_ALIVE) { 1671 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1672 fatal_fr(r, "parse error message"); 1673 fatal_f("master returned error: %s", e); 1674 } 1675 1676 if ((r = sshbuf_get_u32(m, &rid)) != 0) 1677 fatal_fr(r, "parse remote ID"); 1678 if (rid != muxclient_request_id) 1679 fatal_f("out of sequence reply: my id %u theirs %u", 1680 muxclient_request_id, rid); 1681 if ((r = sshbuf_get_u32(m, &pid)) != 0) 1682 fatal_fr(r, "parse PID"); 1683 sshbuf_free(m); 1684 1685 debug3_f("done pid = %u", pid); 1686 1687 muxclient_request_id++; 1688 1689 return pid; 1690} 1691 1692static void 1693mux_client_request_terminate(int fd) 1694{ 1695 struct sshbuf *m; 1696 char *e; 1697 u_int type, rid; 1698 int r; 1699 1700 debug3_f("entering"); 1701 1702 if ((m = sshbuf_new()) == NULL) 1703 fatal_f("sshbuf_new"); 1704 if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 || 1705 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 1706 fatal_fr(r, "request"); 1707 1708 if (mux_client_write_packet(fd, m) != 0) 1709 fatal_f("write packet: %s", strerror(errno)); 1710 1711 sshbuf_reset(m); 1712 1713 /* Read their reply */ 1714 if (mux_client_read_packet(fd, m) != 0) { 1715 /* Remote end exited already */ 1716 if (errno == EPIPE) { 1717 sshbuf_free(m); 1718 return; 1719 } 1720 fatal_f("read from master failed: %s", strerror(errno)); 1721 } 1722 1723 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1724 (r = sshbuf_get_u32(m, &rid)) != 0) 1725 fatal_fr(r, "parse"); 1726 if (rid != muxclient_request_id) 1727 fatal_f("out of sequence reply: my id %u theirs %u", 1728 muxclient_request_id, rid); 1729 switch (type) { 1730 case MUX_S_OK: 1731 break; 1732 case MUX_S_PERMISSION_DENIED: 1733 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1734 fatal_fr(r, "parse error message"); 1735 fatal("Master refused termination request: %s", e); 1736 case MUX_S_FAILURE: 1737 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1738 fatal_fr(r, "parse error message"); 1739 fatal_f("termination request failed: %s", e); 1740 default: 1741 fatal_f("unexpected response from master 0x%08x", type); 1742 } 1743 sshbuf_free(m); 1744 muxclient_request_id++; 1745} 1746 1747static int 1748mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd) 1749{ 1750 struct sshbuf *m; 1751 char *e, *fwd_desc; 1752 const char *lhost, *chost; 1753 u_int type, rid; 1754 int r; 1755 1756 fwd_desc = format_forward(ftype, fwd); 1757 debug("Requesting %s %s", 1758 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc); 1759 free(fwd_desc); 1760 1761 type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD; 1762 if (fwd->listen_path != NULL) 1763 lhost = fwd->listen_path; 1764 else if (fwd->listen_host == NULL) 1765 lhost = ""; 1766 else if (*fwd->listen_host == '\0') 1767 lhost = "*"; 1768 else 1769 lhost = fwd->listen_host; 1770 1771 if (fwd->connect_path != NULL) 1772 chost = fwd->connect_path; 1773 else if (fwd->connect_host == NULL) 1774 chost = ""; 1775 else 1776 chost = fwd->connect_host; 1777 1778 if ((m = sshbuf_new()) == NULL) 1779 fatal_f("sshbuf_new"); 1780 if ((r = sshbuf_put_u32(m, type)) != 0 || 1781 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1782 (r = sshbuf_put_u32(m, ftype)) != 0 || 1783 (r = sshbuf_put_cstring(m, lhost)) != 0 || 1784 (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 || 1785 (r = sshbuf_put_cstring(m, chost)) != 0 || 1786 (r = sshbuf_put_u32(m, fwd->connect_port)) != 0) 1787 fatal_fr(r, "request"); 1788 1789 if (mux_client_write_packet(fd, m) != 0) 1790 fatal_f("write packet: %s", strerror(errno)); 1791 1792 sshbuf_reset(m); 1793 1794 /* Read their reply */ 1795 if (mux_client_read_packet(fd, m) != 0) { 1796 sshbuf_free(m); 1797 return -1; 1798 } 1799 1800 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1801 (r = sshbuf_get_u32(m, &rid)) != 0) 1802 fatal_fr(r, "parse"); 1803 if (rid != muxclient_request_id) 1804 fatal_f("out of sequence reply: my id %u theirs %u", 1805 muxclient_request_id, rid); 1806 1807 switch (type) { 1808 case MUX_S_OK: 1809 break; 1810 case MUX_S_REMOTE_PORT: 1811 if (cancel_flag) 1812 fatal_f("got MUX_S_REMOTE_PORT for cancel"); 1813 if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0) 1814 fatal_fr(r, "parse port"); 1815 verbose("Allocated port %u for remote forward to %s:%d", 1816 fwd->allocated_port, 1817 fwd->connect_host ? fwd->connect_host : "", 1818 fwd->connect_port); 1819 if (muxclient_command == SSHMUX_COMMAND_FORWARD) 1820 fprintf(stdout, "%i\n", fwd->allocated_port); 1821 break; 1822 case MUX_S_PERMISSION_DENIED: 1823 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1824 fatal_fr(r, "parse error message"); 1825 sshbuf_free(m); 1826 error("Master refused forwarding request: %s", e); 1827 return -1; 1828 case MUX_S_FAILURE: 1829 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1830 fatal_fr(r, "parse error message"); 1831 sshbuf_free(m); 1832 error_f("forwarding request failed: %s", e); 1833 return -1; 1834 default: 1835 fatal_f("unexpected response from master 0x%08x", type); 1836 } 1837 sshbuf_free(m); 1838 1839 muxclient_request_id++; 1840 return 0; 1841} 1842 1843static int 1844mux_client_forwards(int fd, int cancel_flag) 1845{ 1846 int i, ret = 0; 1847 1848 debug3_f("%s forwardings: %d local, %d remote", 1849 cancel_flag ? "cancel" : "request", 1850 options.num_local_forwards, options.num_remote_forwards); 1851 1852 /* XXX ExitOnForwardingFailure */ 1853 for (i = 0; i < options.num_local_forwards; i++) { 1854 if (mux_client_forward(fd, cancel_flag, 1855 options.local_forwards[i].connect_port == 0 ? 1856 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL, 1857 options.local_forwards + i) != 0) 1858 ret = -1; 1859 } 1860 for (i = 0; i < options.num_remote_forwards; i++) { 1861 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE, 1862 options.remote_forwards + i) != 0) 1863 ret = -1; 1864 } 1865 return ret; 1866} 1867 1868static int 1869mux_client_request_session(int fd) 1870{ 1871 struct sshbuf *m; 1872 char *e; 1873 const char *term = NULL; 1874 u_int i, echar, rid, sid, esid, exitval, type, exitval_seen; 1875 extern char **environ; 1876 int r, rawmode = 0; 1877 1878 debug3_f("entering"); 1879 1880 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1881 error_f("master alive request failed"); 1882 return -1; 1883 } 1884 1885 ssh_signal(SIGPIPE, SIG_IGN); 1886 1887 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 1888 fatal_f("stdfd_devnull failed"); 1889 1890 if ((term = lookup_env_in_list("TERM", options.setenv, 1891 options.num_setenv)) == NULL || *term == '\0') 1892 term = getenv("TERM"); 1893 1894 echar = 0xffffffff; 1895 if (options.escape_char != SSH_ESCAPECHAR_NONE) 1896 echar = (u_int)options.escape_char; 1897 1898 if ((m = sshbuf_new()) == NULL) 1899 fatal_f("sshbuf_new"); 1900 if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 || 1901 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 1902 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 1903 (r = sshbuf_put_u32(m, tty_flag)) != 0 || 1904 (r = sshbuf_put_u32(m, options.forward_x11)) != 0 || 1905 (r = sshbuf_put_u32(m, options.forward_agent)) != 0 || 1906 (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 || 1907 (r = sshbuf_put_u32(m, echar)) != 0 || 1908 (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 || 1909 (r = sshbuf_put_stringb(m, command)) != 0) 1910 fatal_fr(r, "request"); 1911 1912 /* Pass environment */ 1913 if (options.num_send_env > 0 && environ != NULL) { 1914 for (i = 0; environ[i] != NULL; i++) { 1915 if (!env_permitted(environ[i])) 1916 continue; 1917 if ((r = sshbuf_put_cstring(m, environ[i])) != 0) 1918 fatal_fr(r, "request sendenv"); 1919 } 1920 } 1921 for (i = 0; i < options.num_setenv; i++) { 1922 if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0) 1923 fatal_fr(r, "request setenv"); 1924 } 1925 1926 if (mux_client_write_packet(fd, m) != 0) 1927 fatal_f("write packet: %s", strerror(errno)); 1928 1929 /* Send the stdio file descriptors */ 1930 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1931 mm_send_fd(fd, STDOUT_FILENO) == -1 || 1932 mm_send_fd(fd, STDERR_FILENO) == -1) 1933 fatal_f("send fds failed"); 1934 1935 debug3_f("session request sent"); 1936 1937 /* Read their reply */ 1938 sshbuf_reset(m); 1939 if (mux_client_read_packet(fd, m) != 0) { 1940 error_f("read from master failed: %s", strerror(errno)); 1941 sshbuf_free(m); 1942 return -1; 1943 } 1944 1945 if ((r = sshbuf_get_u32(m, &type)) != 0 || 1946 (r = sshbuf_get_u32(m, &rid)) != 0) 1947 fatal_fr(r, "parse"); 1948 if (rid != muxclient_request_id) 1949 fatal_f("out of sequence reply: my id %u theirs %u", 1950 muxclient_request_id, rid); 1951 1952 switch (type) { 1953 case MUX_S_SESSION_OPENED: 1954 if ((r = sshbuf_get_u32(m, &sid)) != 0) 1955 fatal_fr(r, "parse session ID"); 1956 debug_f("master session id: %u", sid); 1957 break; 1958 case MUX_S_PERMISSION_DENIED: 1959 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1960 fatal_fr(r, "parse error message"); 1961 error("Master refused session request: %s", e); 1962 sshbuf_free(m); 1963 return -1; 1964 case MUX_S_FAILURE: 1965 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 1966 fatal_fr(r, "parse error message"); 1967 error_f("session request failed: %s", e); 1968 sshbuf_free(m); 1969 return -1; 1970 default: 1971 sshbuf_free(m); 1972 error_f("unexpected response from master 0x%08x", type); 1973 return -1; 1974 } 1975 muxclient_request_id++; 1976 1977#ifdef __OpenBSD__ 1978 if (pledge("stdio proc tty", NULL) == -1) 1979 fatal_f("pledge(): %s", strerror(errno)); 1980#endif 1981 1982 ssh_signal(SIGHUP, control_client_sighandler); 1983 ssh_signal(SIGINT, control_client_sighandler); 1984 ssh_signal(SIGTERM, control_client_sighandler); 1985 ssh_signal(SIGWINCH, control_client_sigrelay); 1986 1987 if (options.fork_after_authentication) 1988 daemon(1, 1); 1989 else { 1990 rawmode = tty_flag; 1991 if (tty_flag) { 1992 enter_raw_mode( 1993 options.request_tty == REQUEST_TTY_FORCE); 1994 } 1995 } 1996 1997 /* 1998 * Stick around until the controlee closes the client_fd. 1999 * Before it does, it is expected to write an exit message. 2000 * This process must read the value and wait for the closure of 2001 * the client_fd; if this one closes early, the multiplex master will 2002 * terminate early too (possibly losing data). 2003 */ 2004 for (exitval = 255, exitval_seen = 0;;) { 2005 sshbuf_reset(m); 2006 if (mux_client_read_packet(fd, m) != 0) 2007 break; 2008 if ((r = sshbuf_get_u32(m, &type)) != 0) 2009 fatal_fr(r, "parse type"); 2010 switch (type) { 2011 case MUX_S_TTY_ALLOC_FAIL: 2012 if ((r = sshbuf_get_u32(m, &esid)) != 0) 2013 fatal_fr(r, "parse session ID"); 2014 if (esid != sid) 2015 fatal_f("tty alloc fail on unknown session: " 2016 "my id %u theirs %u", sid, esid); 2017 leave_raw_mode(options.request_tty == 2018 REQUEST_TTY_FORCE); 2019 rawmode = 0; 2020 continue; 2021 case MUX_S_EXIT_MESSAGE: 2022 if ((r = sshbuf_get_u32(m, &esid)) != 0) 2023 fatal_fr(r, "parse session ID"); 2024 if (esid != sid) 2025 fatal_f("exit on unknown session: " 2026 "my id %u theirs %u", sid, esid); 2027 if (exitval_seen) 2028 fatal_f("exitval sent twice"); 2029 if ((r = sshbuf_get_u32(m, &exitval)) != 0) 2030 fatal_fr(r, "parse exitval"); 2031 exitval_seen = 1; 2032 continue; 2033 default: 2034 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2035 fatal_fr(r, "parse error message"); 2036 fatal_f("master returned error: %s", e); 2037 } 2038 } 2039 2040 close(fd); 2041 if (rawmode) 2042 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE); 2043 2044 if (muxclient_terminate) { 2045 debug2("Exiting on signal: %s", strsignal(muxclient_terminate)); 2046 exitval = 255; 2047 } else if (!exitval_seen) { 2048 debug2("Control master terminated unexpectedly"); 2049 exitval = 255; 2050 } else 2051 debug2("Received exit status from master %d", exitval); 2052 2053 if (tty_flag && options.log_level >= SYSLOG_LEVEL_INFO) 2054 fprintf(stderr, "Shared connection to %s closed.\r\n", host); 2055 2056 exit(exitval); 2057} 2058 2059static int 2060mux_client_proxy(int fd) 2061{ 2062 struct sshbuf *m; 2063 char *e; 2064 u_int type, rid; 2065 int r; 2066 2067 if ((m = sshbuf_new()) == NULL) 2068 fatal_f("sshbuf_new"); 2069 if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 || 2070 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2071 fatal_fr(r, "request"); 2072 if (mux_client_write_packet(fd, m) != 0) 2073 fatal_f("write packet: %s", strerror(errno)); 2074 2075 sshbuf_reset(m); 2076 2077 /* Read their reply */ 2078 if (mux_client_read_packet(fd, m) != 0) { 2079 sshbuf_free(m); 2080 return 0; 2081 } 2082 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2083 (r = sshbuf_get_u32(m, &rid)) != 0) 2084 fatal_fr(r, "parse"); 2085 if (rid != muxclient_request_id) 2086 fatal_f("out of sequence reply: my id %u theirs %u", 2087 muxclient_request_id, rid); 2088 if (type != MUX_S_PROXY) { 2089 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2090 fatal_fr(r, "parse error message"); 2091 fatal_f("master returned error: %s", e); 2092 } 2093 sshbuf_free(m); 2094 2095 debug3_f("done"); 2096 muxclient_request_id++; 2097 return 0; 2098} 2099 2100static int 2101mux_client_request_stdio_fwd(int fd) 2102{ 2103 struct sshbuf *m; 2104 char *e; 2105 u_int type, rid, sid; 2106 int r; 2107 2108 debug3_f("entering"); 2109 2110 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 2111 error_f("master alive request failed"); 2112 return -1; 2113 } 2114 2115 ssh_signal(SIGPIPE, SIG_IGN); 2116 2117 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1) 2118 fatal_f("stdfd_devnull failed"); 2119 2120 if ((m = sshbuf_new()) == NULL) 2121 fatal_f("sshbuf_new"); 2122 if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 || 2123 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 || 2124 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */ 2125 (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 || 2126 (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0) 2127 fatal_fr(r, "request"); 2128 2129 if (mux_client_write_packet(fd, m) != 0) 2130 fatal_f("write packet: %s", strerror(errno)); 2131 2132 /* Send the stdio file descriptors */ 2133 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 2134 mm_send_fd(fd, STDOUT_FILENO) == -1) 2135 fatal_f("send fds failed"); 2136 2137#ifdef __OpenBSD__ 2138 if (pledge("stdio proc tty", NULL) == -1) 2139 fatal_f("pledge(): %s", strerror(errno)); 2140#endif 2141 2142 debug3_f("stdio forward request sent"); 2143 2144 /* Read their reply */ 2145 sshbuf_reset(m); 2146 2147 if (mux_client_read_packet(fd, m) != 0) { 2148 error_f("read from master failed: %s", strerror(errno)); 2149 sshbuf_free(m); 2150 return -1; 2151 } 2152 2153 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2154 (r = sshbuf_get_u32(m, &rid)) != 0) 2155 fatal_fr(r, "parse"); 2156 if (rid != muxclient_request_id) 2157 fatal_f("out of sequence reply: my id %u theirs %u", 2158 muxclient_request_id, rid); 2159 switch (type) { 2160 case MUX_S_SESSION_OPENED: 2161 if ((r = sshbuf_get_u32(m, &sid)) != 0) 2162 fatal_fr(r, "parse session ID"); 2163 debug_f("master session id: %u", sid); 2164 break; 2165 case MUX_S_PERMISSION_DENIED: 2166 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2167 fatal_fr(r, "parse error message"); 2168 sshbuf_free(m); 2169 fatal("Master refused stdio forwarding request: %s", e); 2170 case MUX_S_FAILURE: 2171 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2172 fatal_fr(r, "parse error message"); 2173 sshbuf_free(m); 2174 fatal("Stdio forwarding request failed: %s", e); 2175 default: 2176 sshbuf_free(m); 2177 error_f("unexpected response from master 0x%08x", type); 2178 return -1; 2179 } 2180 muxclient_request_id++; 2181 2182 ssh_signal(SIGHUP, control_client_sighandler); 2183 ssh_signal(SIGINT, control_client_sighandler); 2184 ssh_signal(SIGTERM, control_client_sighandler); 2185 ssh_signal(SIGWINCH, control_client_sigrelay); 2186 2187 /* 2188 * Stick around until the controlee closes the client_fd. 2189 */ 2190 sshbuf_reset(m); 2191 if (mux_client_read_packet(fd, m) != 0) { 2192 if (errno == EPIPE || 2193 (errno == EINTR && muxclient_terminate != 0)) 2194 return 0; 2195 fatal_f("mux_client_read_packet: %s", strerror(errno)); 2196 } 2197 fatal_f("master returned unexpected message %u", type); 2198} 2199 2200static void 2201mux_client_request_stop_listening(int fd) 2202{ 2203 struct sshbuf *m; 2204 char *e; 2205 u_int type, rid; 2206 int r; 2207 2208 debug3_f("entering"); 2209 2210 if ((m = sshbuf_new()) == NULL) 2211 fatal_f("sshbuf_new"); 2212 if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 || 2213 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0) 2214 fatal_fr(r, "request"); 2215 2216 if (mux_client_write_packet(fd, m) != 0) 2217 fatal_f("write packet: %s", strerror(errno)); 2218 2219 sshbuf_reset(m); 2220 2221 /* Read their reply */ 2222 if (mux_client_read_packet(fd, m) != 0) 2223 fatal_f("read from master failed: %s", strerror(errno)); 2224 2225 if ((r = sshbuf_get_u32(m, &type)) != 0 || 2226 (r = sshbuf_get_u32(m, &rid)) != 0) 2227 fatal_fr(r, "parse"); 2228 if (rid != muxclient_request_id) 2229 fatal_f("out of sequence reply: my id %u theirs %u", 2230 muxclient_request_id, rid); 2231 2232 switch (type) { 2233 case MUX_S_OK: 2234 break; 2235 case MUX_S_PERMISSION_DENIED: 2236 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2237 fatal_fr(r, "parse error message"); 2238 fatal("Master refused stop listening request: %s", e); 2239 case MUX_S_FAILURE: 2240 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0) 2241 fatal_fr(r, "parse error message"); 2242 fatal_f("stop listening request failed: %s", e); 2243 default: 2244 fatal_f("unexpected response from master 0x%08x", type); 2245 } 2246 sshbuf_free(m); 2247 muxclient_request_id++; 2248} 2249 2250/* Multiplex client main loop. */ 2251int 2252muxclient(const char *path) 2253{ 2254 struct sockaddr_un addr; 2255 int sock, timeout = options.connection_timeout, timeout_ms = -1; 2256 u_int pid; 2257 2258 if (muxclient_command == 0) { 2259 if (options.stdio_forward_host != NULL) 2260 muxclient_command = SSHMUX_COMMAND_STDIO_FWD; 2261 else 2262 muxclient_command = SSHMUX_COMMAND_OPEN; 2263 } 2264 2265 switch (options.control_master) { 2266 case SSHCTL_MASTER_AUTO: 2267 case SSHCTL_MASTER_AUTO_ASK: 2268 debug("auto-mux: Trying existing master at '%s'", path); 2269 /* FALLTHROUGH */ 2270 case SSHCTL_MASTER_NO: 2271 break; 2272 default: 2273 return -1; 2274 } 2275 2276 memset(&addr, '\0', sizeof(addr)); 2277 addr.sun_family = AF_UNIX; 2278 2279 if (strlcpy(addr.sun_path, path, 2280 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 2281 fatal("ControlPath too long ('%s' >= %u bytes)", path, 2282 (unsigned int)sizeof(addr.sun_path)); 2283 2284 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) 2285 fatal_f("socket(): %s", strerror(errno)); 2286 2287 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) { 2288 switch (muxclient_command) { 2289 case SSHMUX_COMMAND_OPEN: 2290 case SSHMUX_COMMAND_STDIO_FWD: 2291 break; 2292 default: 2293 fatal("Control socket connect(%.100s): %s", path, 2294 strerror(errno)); 2295 } 2296 if (errno == ECONNREFUSED && 2297 options.control_master != SSHCTL_MASTER_NO) { 2298 debug("Stale control socket %.100s, unlinking", path); 2299 unlink(path); 2300 } else if (errno == ENOENT) { 2301 debug("Control socket \"%.100s\" does not exist", path); 2302 } else { 2303 error("Control socket connect(%.100s): %s", path, 2304 strerror(errno)); 2305 } 2306 close(sock); 2307 return -1; 2308 } 2309 set_nonblock(sock); 2310 2311 /* Timeout on initial connection only. */ 2312 if (timeout > 0 && timeout < INT_MAX / 1000) 2313 timeout_ms = timeout * 1000; 2314 2315 if (mux_client_hello_exchange(sock, timeout_ms) != 0) { 2316 error_f("master hello exchange failed"); 2317 close(sock); 2318 return -1; 2319 } 2320 2321 switch (muxclient_command) { 2322 case SSHMUX_COMMAND_ALIVE_CHECK: 2323 if ((pid = mux_client_request_alive(sock)) == 0) 2324 fatal_f("master alive check failed"); 2325 fprintf(stderr, "Master running (pid=%u)\r\n", pid); 2326 exit(0); 2327 case SSHMUX_COMMAND_TERMINATE: 2328 mux_client_request_terminate(sock); 2329 if (options.log_level != SYSLOG_LEVEL_QUIET) 2330 fprintf(stderr, "Exit request sent.\r\n"); 2331 exit(0); 2332 case SSHMUX_COMMAND_FORWARD: 2333 if (mux_client_forwards(sock, 0) != 0) 2334 fatal_f("master forward request failed"); 2335 exit(0); 2336 case SSHMUX_COMMAND_OPEN: 2337 if (mux_client_forwards(sock, 0) != 0) { 2338 error_f("master forward request failed"); 2339 return -1; 2340 } 2341 mux_client_request_session(sock); 2342 return -1; 2343 case SSHMUX_COMMAND_STDIO_FWD: 2344 mux_client_request_stdio_fwd(sock); 2345 exit(0); 2346 case SSHMUX_COMMAND_STOP: 2347 mux_client_request_stop_listening(sock); 2348 if (options.log_level != SYSLOG_LEVEL_QUIET) 2349 fprintf(stderr, "Stop listening request sent.\r\n"); 2350 exit(0); 2351 case SSHMUX_COMMAND_CANCEL_FWD: 2352 if (mux_client_forwards(sock, 1) != 0) 2353 error_f("master cancel forward request failed"); 2354 exit(0); 2355 case SSHMUX_COMMAND_PROXY: 2356 mux_client_proxy(sock); 2357 return (sock); 2358 default: 2359 fatal("unrecognised muxclient_command %d", muxclient_command); 2360 } 2361} 2362