1/*	$NetBSD: mux.c,v 1.35 2023/12/20 17:15:20 christos Exp $	*/
2/* $OpenBSD: mux.c,v 1.101 2023/11/23 03:37:05 dtucker Exp $ */
3
4/*
5 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
6 *
7 * Permission to use, copy, modify, and distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 */
19
20/* ssh session multiplexing support */
21
22#include "includes.h"
23__RCSID("$NetBSD: mux.c,v 1.35 2023/12/20 17:15:20 christos Exp $");
24#include <sys/types.h>
25#include <sys/queue.h>
26#include <sys/stat.h>
27#include <sys/socket.h>
28#include <sys/un.h>
29
30#include <errno.h>
31#include <fcntl.h>
32#include <poll.h>
33#include <limits.h>
34#include <signal.h>
35#include <stdarg.h>
36#include <stddef.h>
37#include <stdlib.h>
38#include <stdio.h>
39#include <string.h>
40#include <unistd.h>
41#include <util.h>
42#include <paths.h>
43
44#include "atomicio.h"
45#include "xmalloc.h"
46#include "log.h"
47#include "ssh.h"
48#include "ssh2.h"
49#include "pathnames.h"
50#include "misc.h"
51#include "match.h"
52#include "sshbuf.h"
53#include "channels.h"
54#include "msg.h"
55#include "packet.h"
56#include "monitor_fdpass.h"
57#include "sshpty.h"
58#include "sshkey.h"
59#include "readconf.h"
60#include "clientloop.h"
61#include "ssherr.h"
62#include "misc.h"
63
64/* from ssh.c */
65extern int tty_flag;
66extern Options options;
67extern char *host;
68extern struct sshbuf *command;
69extern volatile sig_atomic_t quit_pending;
70
71/* Context for session open confirmation callback */
72struct mux_session_confirm_ctx {
73	u_int want_tty;
74	u_int want_subsys;
75	u_int want_x_fwd;
76	u_int want_agent_fwd;
77	struct sshbuf *cmd;
78	char *term;
79	struct termios tio;
80	char **env;
81	u_int rid;
82};
83
84/* Context for stdio fwd open confirmation callback */
85struct mux_stdio_confirm_ctx {
86	u_int rid;
87};
88
89/* Context for global channel callback */
90struct mux_channel_confirm_ctx {
91	u_int cid;	/* channel id */
92	u_int rid;	/* request id */
93	int fid;	/* forward id */
94};
95
96/* fd to control socket */
97int muxserver_sock = -1;
98
99/* client request id */
100u_int muxclient_request_id = 0;
101
102/* Multiplexing control command */
103u_int muxclient_command = 0;
104
105/* Set when signalled. */
106static volatile sig_atomic_t muxclient_terminate = 0;
107
108/* PID of multiplex server */
109static u_int muxserver_pid = 0;
110
111static Channel *mux_listener_channel = NULL;
112
113struct mux_master_state {
114	int hello_rcvd;
115};
116
117/* mux protocol messages */
118#define MUX_MSG_HELLO		0x00000001
119#define MUX_C_NEW_SESSION	0x10000002
120#define MUX_C_ALIVE_CHECK	0x10000004
121#define MUX_C_TERMINATE		0x10000005
122#define MUX_C_OPEN_FWD		0x10000006
123#define MUX_C_CLOSE_FWD		0x10000007
124#define MUX_C_NEW_STDIO_FWD	0x10000008
125#define MUX_C_STOP_LISTENING	0x10000009
126#define MUX_C_PROXY		0x1000000f
127#define MUX_S_OK		0x80000001
128#define MUX_S_PERMISSION_DENIED	0x80000002
129#define MUX_S_FAILURE		0x80000003
130#define MUX_S_EXIT_MESSAGE	0x80000004
131#define MUX_S_ALIVE		0x80000005
132#define MUX_S_SESSION_OPENED	0x80000006
133#define MUX_S_REMOTE_PORT	0x80000007
134#define MUX_S_TTY_ALLOC_FAIL	0x80000008
135#define MUX_S_PROXY		0x8000000f
136
137/* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */
138#define MUX_FWD_LOCAL   1
139#define MUX_FWD_REMOTE  2
140#define MUX_FWD_DYNAMIC 3
141
142static void mux_session_confirm(struct ssh *, int, int, void *);
143static void mux_stdio_confirm(struct ssh *, int, int, void *);
144
145static int mux_master_process_hello(struct ssh *, u_int,
146	    Channel *, struct sshbuf *, struct sshbuf *);
147static int mux_master_process_new_session(struct ssh *, u_int,
148	    Channel *, struct sshbuf *, struct sshbuf *);
149static int mux_master_process_alive_check(struct ssh *, u_int,
150	    Channel *, struct sshbuf *, struct sshbuf *);
151static int mux_master_process_terminate(struct ssh *, u_int,
152	    Channel *, struct sshbuf *, struct sshbuf *);
153static int mux_master_process_open_fwd(struct ssh *, u_int,
154	    Channel *, struct sshbuf *, struct sshbuf *);
155static int mux_master_process_close_fwd(struct ssh *, u_int,
156	    Channel *, struct sshbuf *, struct sshbuf *);
157static int mux_master_process_stdio_fwd(struct ssh *, u_int,
158	    Channel *, struct sshbuf *, struct sshbuf *);
159static int mux_master_process_stop_listening(struct ssh *, u_int,
160	    Channel *, struct sshbuf *, struct sshbuf *);
161static int mux_master_process_proxy(struct ssh *, u_int,
162	    Channel *, struct sshbuf *, struct sshbuf *);
163
164static const struct {
165	u_int type;
166	int (*handler)(struct ssh *, u_int, Channel *,
167	    struct sshbuf *, struct sshbuf *);
168} mux_master_handlers[] = {
169	{ MUX_MSG_HELLO, mux_master_process_hello },
170	{ MUX_C_NEW_SESSION, mux_master_process_new_session },
171	{ MUX_C_ALIVE_CHECK, mux_master_process_alive_check },
172	{ MUX_C_TERMINATE, mux_master_process_terminate },
173	{ MUX_C_OPEN_FWD, mux_master_process_open_fwd },
174	{ MUX_C_CLOSE_FWD, mux_master_process_close_fwd },
175	{ MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd },
176	{ MUX_C_STOP_LISTENING, mux_master_process_stop_listening },
177	{ MUX_C_PROXY, mux_master_process_proxy },
178	{ 0, NULL }
179};
180
181/* Cleanup callback fired on closure of mux client _session_ channel */
182static void
183mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
184{
185	Channel *cc, *c = channel_by_id(ssh, cid);
186
187	debug3_f("entering for channel %d", cid);
188	if (c == NULL)
189		fatal_f("channel_by_id(%i) == NULL", cid);
190	if (c->ctl_chan != -1) {
191		if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
192			fatal_f("channel %d missing control channel %d",
193			    c->self, c->ctl_chan);
194		c->ctl_chan = -1;
195		cc->remote_id = 0;
196		cc->have_remote_id = 0;
197		chan_rcvd_oclose(ssh, cc);
198	}
199	channel_cancel_cleanup(ssh, c->self);
200}
201
202/* Cleanup callback fired on closure of mux client _control_ channel */
203static void
204mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
205{
206	Channel *sc, *c = channel_by_id(ssh, cid);
207
208	debug3_f("entering for channel %d", cid);
209	if (c == NULL)
210		fatal_f("channel_by_id(%i) == NULL", cid);
211	if (c->have_remote_id) {
212		if ((sc = channel_by_id(ssh, c->remote_id)) == NULL)
213			fatal_f("channel %d missing session channel %u",
214			    c->self, c->remote_id);
215		c->remote_id = 0;
216		c->have_remote_id = 0;
217		sc->ctl_chan = -1;
218		if (sc->type != SSH_CHANNEL_OPEN &&
219		    sc->type != SSH_CHANNEL_OPENING) {
220			debug2_f("channel %d: not open", sc->self);
221			chan_mark_dead(ssh, sc);
222		} else {
223			if (sc->istate == CHAN_INPUT_OPEN)
224				chan_read_failed(ssh, sc);
225			if (sc->ostate == CHAN_OUTPUT_OPEN)
226				chan_write_failed(ssh, sc);
227		}
228	}
229	channel_cancel_cleanup(ssh, c->self);
230}
231
232/* Check mux client environment variables before passing them to mux master. */
233static int
234env_permitted(const char *env)
235{
236	u_int i;
237	int ret;
238	char name[1024], *cp;
239
240	if ((cp = strchr(env, '=')) == NULL || cp == env)
241		return 0;
242	ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
243	if (ret <= 0 || (size_t)ret >= sizeof(name)) {
244		error_f("name '%.100s...' too long", env);
245		return 0;
246	}
247
248	for (i = 0; i < options.num_send_env; i++)
249		if (match_pattern(name, options.send_env[i]))
250			return 1;
251
252	return 0;
253}
254
255/* Mux master protocol message handlers */
256
257static int
258mux_master_process_hello(struct ssh *ssh, u_int rid,
259    Channel *c, struct sshbuf *m, struct sshbuf *reply)
260{
261	u_int ver;
262	struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
263	int r;
264
265	if (state == NULL)
266		fatal_f("channel %d: c->mux_ctx == NULL", c->self);
267	if (state->hello_rcvd) {
268		error_f("HELLO received twice");
269		return -1;
270	}
271	if ((r = sshbuf_get_u32(m, &ver)) != 0) {
272		error_fr(r, "parse");
273		return -1;
274	}
275	if (ver != SSHMUX_VER) {
276		error_f("unsupported multiplexing protocol version %u "
277		    "(expected %u)", ver, SSHMUX_VER);
278		return -1;
279	}
280	debug2_f("channel %d client version %u", c->self, ver);
281
282	/* No extensions are presently defined */
283	while (sshbuf_len(m) > 0) {
284		char *name = NULL;
285		size_t value_len = 0;
286
287		if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
288		    (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) {
289			error_fr(r, "parse extension");
290			return -1;
291		}
292		debug2_f("Unrecognised extension \"%s\" length %zu",
293		    name, value_len);
294		free(name);
295	}
296	state->hello_rcvd = 1;
297	return 0;
298}
299
300/* Enqueue a "ok" response to the reply buffer */
301static void
302reply_ok(struct sshbuf *reply, u_int rid)
303{
304	int r;
305
306	if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 ||
307	    (r = sshbuf_put_u32(reply, rid)) != 0)
308		fatal_fr(r, "reply");
309}
310
311/* Enqueue an error response to the reply buffer */
312static void
313reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg)
314{
315	int r;
316
317	if ((r = sshbuf_put_u32(reply, type)) != 0 ||
318	    (r = sshbuf_put_u32(reply, rid)) != 0 ||
319	    (r = sshbuf_put_cstring(reply, msg)) != 0)
320		fatal_fr(r, "reply");
321}
322
323static int
324mux_master_process_new_session(struct ssh *ssh, u_int rid,
325    Channel *c, struct sshbuf *m, struct sshbuf *reply)
326{
327	Channel *nc;
328	struct mux_session_confirm_ctx *cctx;
329	char *cmd, *cp;
330	u_int i, j, env_len, escape_char, window, packetmax;
331	int r, new_fd[3];
332
333	/* Reply for SSHMUX_COMMAND_OPEN */
334	cctx = xcalloc(1, sizeof(*cctx));
335	cctx->term = NULL;
336	cctx->rid = rid;
337	cmd = NULL;
338	cctx->env = NULL;
339	env_len = 0;
340	if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
341	    (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 ||
342	    (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 ||
343	    (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 ||
344	    (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 ||
345	    (r = sshbuf_get_u32(m, &escape_char)) != 0 ||
346	    (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 ||
347	    (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) {
348 malf:
349		free(cmd);
350		for (j = 0; j < env_len; j++)
351			free(cctx->env[j]);
352		free(cctx->env);
353		free(cctx->term);
354		free(cctx);
355		error_f("malformed message");
356		return -1;
357	}
358
359#define MUX_MAX_ENV_VARS	4096
360	while (sshbuf_len(m) > 0) {
361		if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0)
362			goto malf;
363		if (!env_permitted(cp)) {
364			free(cp);
365			continue;
366		}
367		cctx->env = xreallocarray(cctx->env, env_len + 2,
368		    sizeof(*cctx->env));
369		cctx->env[env_len++] = cp;
370		cctx->env[env_len] = NULL;
371		if (env_len > MUX_MAX_ENV_VARS) {
372			error_f(">%d environment variables received, "
373			    "ignoring additional", MUX_MAX_ENV_VARS);
374			break;
375		}
376	}
377
378	debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, "
379	    "term \"%s\", cmd \"%s\", env %u", c->self,
380	    cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd,
381	    cctx->want_subsys, cctx->term, cmd, env_len);
382
383	if ((cctx->cmd = sshbuf_new()) == NULL)
384		fatal_f("sshbuf_new");
385	if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0)
386		fatal_fr(r, "sshbuf_put");
387	free(cmd);
388	cmd = NULL;
389
390	/* Gather fds from client */
391	for(i = 0; i < 3; i++) {
392		if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
393			error_f("failed to receive fd %d from client", i);
394			for (j = 0; j < i; j++)
395				close(new_fd[j]);
396			for (j = 0; j < env_len; j++)
397				free(cctx->env[j]);
398			free(cctx->env);
399			free(cctx->term);
400			sshbuf_free(cctx->cmd);
401			free(cctx);
402			reply_error(reply, MUX_S_FAILURE, rid,
403			    "did not receive file descriptors");
404			return -1;
405		}
406	}
407
408	debug3_f("got fds stdin %d, stdout %d, stderr %d",
409	    new_fd[0], new_fd[1], new_fd[2]);
410
411	/* XXX support multiple child sessions in future */
412	if (c->have_remote_id) {
413		debug2_f("session already open");
414		reply_error(reply, MUX_S_FAILURE, rid,
415		    "Multiple sessions not supported");
416 cleanup:
417		close(new_fd[0]);
418		close(new_fd[1]);
419		close(new_fd[2]);
420		free(cctx->term);
421		if (env_len != 0) {
422			for (i = 0; i < env_len; i++)
423				free(cctx->env[i]);
424			free(cctx->env);
425		}
426		sshbuf_free(cctx->cmd);
427		free(cctx);
428		return 0;
429	}
430
431	if (options.control_master == SSHCTL_MASTER_ASK ||
432	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
433		if (!ask_permission("Allow shared connection to %s? ", host)) {
434			debug2_f("session refused by user");
435			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
436			    "Permission denied");
437			goto cleanup;
438		}
439	}
440
441	/* Try to pick up ttymodes from client before it goes raw */
442	if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
443		error_f("tcgetattr: %s", strerror(errno));
444
445	window = CHAN_SES_WINDOW_DEFAULT;
446	packetmax = CHAN_SES_PACKET_DEFAULT;
447	if (cctx->want_tty) {
448		window >>= 1;
449		packetmax >>= 1;
450	}
451
452	nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
453	    new_fd[0], new_fd[1], new_fd[2], window, packetmax,
454	    CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
455
456	nc->ctl_chan = c->self;		/* link session -> control channel */
457	c->remote_id = nc->self;	/* link control -> session channel */
458	c->have_remote_id = 1;
459
460	if (cctx->want_tty && escape_char != 0xffffffff) {
461		channel_register_filter(ssh, nc->self,
462		    client_simple_escape_filter, NULL,
463		    client_filter_cleanup,
464		    client_new_escape_filter_ctx((int)escape_char));
465	}
466
467	debug2_f("channel_new: %d linked to control channel %d",
468	    nc->self, nc->ctl_chan);
469
470	channel_send_open(ssh, nc->self);
471	channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx);
472	c->mux_pause = 1; /* stop handling messages until open_confirm done */
473	channel_register_cleanup(ssh, nc->self,
474	    mux_master_session_cleanup_cb, 1);
475
476	/* reply is deferred, sent by mux_session_confirm */
477	return 0;
478}
479
480static int
481mux_master_process_alive_check(struct ssh *ssh, u_int rid,
482    Channel *c, struct sshbuf *m, struct sshbuf *reply)
483{
484	int r;
485
486	debug2_f("channel %d: alive check", c->self);
487
488	/* prepare reply */
489	if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 ||
490	    (r = sshbuf_put_u32(reply, rid)) != 0 ||
491	    (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0)
492		fatal_fr(r, "reply");
493
494	return 0;
495}
496
497static int
498mux_master_process_terminate(struct ssh *ssh, u_int rid,
499    Channel *c, struct sshbuf *m, struct sshbuf *reply)
500{
501	debug2_f("channel %d: terminate request", c->self);
502
503	if (options.control_master == SSHCTL_MASTER_ASK ||
504	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
505		if (!ask_permission("Terminate shared connection to %s? ",
506		    host)) {
507			debug2_f("termination refused by user");
508			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
509			    "Permission denied");
510			return 0;
511		}
512	}
513
514	quit_pending = 1;
515	reply_ok(reply, rid);
516	/* XXX exit happens too soon - message never makes it to client */
517	return 0;
518}
519
520static char *
521format_forward(u_int ftype, struct Forward *fwd)
522{
523	char *ret;
524
525	switch (ftype) {
526	case MUX_FWD_LOCAL:
527		xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
528		    (fwd->listen_path != NULL) ? fwd->listen_path :
529		    (fwd->listen_host == NULL) ?
530		    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
531		    fwd->listen_host, fwd->listen_port,
532		    (fwd->connect_path != NULL) ? fwd->connect_path :
533		    fwd->connect_host, fwd->connect_port);
534		break;
535	case MUX_FWD_DYNAMIC:
536		xasprintf(&ret, "dynamic forward %.200s:%d -> *",
537		    (fwd->listen_host == NULL) ?
538		    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
539		    fwd->listen_host, fwd->listen_port);
540		break;
541	case MUX_FWD_REMOTE:
542		xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
543		    (fwd->listen_path != NULL) ? fwd->listen_path :
544		    (fwd->listen_host == NULL) ?
545		    "LOCALHOST" : fwd->listen_host,
546		    fwd->listen_port,
547		    (fwd->connect_path != NULL) ? fwd->connect_path :
548		    fwd->connect_host, fwd->connect_port);
549		break;
550	default:
551		fatal_f("unknown forward type %u", ftype);
552	}
553	return ret;
554}
555
556static int
557compare_host(const char *a, const char *b)
558{
559	if (a == NULL && b == NULL)
560		return 1;
561	if (a == NULL || b == NULL)
562		return 0;
563	return strcmp(a, b) == 0;
564}
565
566static int
567compare_forward(struct Forward *a, struct Forward *b)
568{
569	if (!compare_host(a->listen_host, b->listen_host))
570		return 0;
571	if (!compare_host(a->listen_path, b->listen_path))
572		return 0;
573	if (a->listen_port != b->listen_port)
574		return 0;
575	if (!compare_host(a->connect_host, b->connect_host))
576		return 0;
577	if (!compare_host(a->connect_path, b->connect_path))
578		return 0;
579	if (a->connect_port != b->connect_port)
580		return 0;
581
582	return 1;
583}
584
585static void
586mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt)
587{
588	struct mux_channel_confirm_ctx *fctx = ctxt;
589	char *failmsg = NULL;
590	struct Forward *rfwd;
591	Channel *c;
592	struct sshbuf *out;
593	u_int port;
594	int r;
595
596	if ((c = channel_by_id(ssh, fctx->cid)) == NULL) {
597		/* no channel for reply */
598		error_f("unknown channel");
599		return;
600	}
601	if ((out = sshbuf_new()) == NULL)
602		fatal_f("sshbuf_new");
603	if (fctx->fid >= options.num_remote_forwards ||
604	    (options.remote_forwards[fctx->fid].connect_path == NULL &&
605	    options.remote_forwards[fctx->fid].connect_host == NULL)) {
606		xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid);
607		goto fail;
608	}
609	rfwd = &options.remote_forwards[fctx->fid];
610	debug_f("%s for: listen %d, connect %s:%d",
611	    type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
612	    rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
613	    rfwd->connect_host, rfwd->connect_port);
614	if (type == SSH2_MSG_REQUEST_SUCCESS) {
615		if (rfwd->listen_port == 0) {
616			if ((r = sshpkt_get_u32(ssh, &port)) != 0)
617				fatal_fr(r, "parse port");
618			if (port > 65535) {
619				fatal("Invalid allocated port %u for "
620				    "mux remote forward to %s:%d", port,
621				    rfwd->connect_host, rfwd->connect_port);
622			}
623			rfwd->allocated_port = (int)port;
624			debug("Allocated port %u for mux remote forward"
625			    " to %s:%d", rfwd->allocated_port,
626			    rfwd->connect_host, rfwd->connect_port);
627			if ((r = sshbuf_put_u32(out,
628			    MUX_S_REMOTE_PORT)) != 0 ||
629			    (r = sshbuf_put_u32(out, fctx->rid)) != 0 ||
630			    (r = sshbuf_put_u32(out,
631			    rfwd->allocated_port)) != 0)
632				fatal_fr(r, "reply");
633			channel_update_permission(ssh, rfwd->handle,
634			    rfwd->allocated_port);
635		} else {
636			reply_ok(out, fctx->rid);
637		}
638		goto out;
639	} else {
640		if (rfwd->listen_port == 0)
641			channel_update_permission(ssh, rfwd->handle, -1);
642		if (rfwd->listen_path != NULL)
643			xasprintf(&failmsg, "remote port forwarding failed for "
644			    "listen path %s", rfwd->listen_path);
645		else
646			xasprintf(&failmsg, "remote port forwarding failed for "
647			    "listen port %d", rfwd->listen_port);
648
649		debug2_f("clearing registered forwarding for listen %d, "
650		    "connect %s:%d", rfwd->listen_port,
651		    rfwd->connect_path ? rfwd->connect_path :
652		    rfwd->connect_host, rfwd->connect_port);
653
654		free(rfwd->listen_host);
655		free(rfwd->listen_path);
656		free(rfwd->connect_host);
657		free(rfwd->connect_path);
658		memset(rfwd, 0, sizeof(*rfwd));
659	}
660 fail:
661	error_f("%s", failmsg);
662	reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg);
663	free(failmsg);
664 out:
665	if ((r = sshbuf_put_stringb(c->output, out)) != 0)
666		fatal_fr(r, "enqueue");
667	sshbuf_free(out);
668	if (c->mux_pause <= 0)
669		fatal_f("mux_pause %d", c->mux_pause);
670	c->mux_pause = 0; /* start processing messages again */
671}
672
673static int
674mux_master_process_open_fwd(struct ssh *ssh, u_int rid,
675    Channel *c, struct sshbuf *m, struct sshbuf *reply)
676{
677	struct Forward fwd;
678	char *fwd_desc = NULL;
679	char *listen_addr, *connect_addr;
680	u_int ftype;
681	u_int lport, cport;
682	int r, i, ret = 0, freefwd = 1;
683
684	memset(&fwd, 0, sizeof(fwd));
685
686	/* XXX - lport/cport check redundant */
687	if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
688	    (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
689	    (r = sshbuf_get_u32(m, &lport)) != 0 ||
690	    (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
691	    (r = sshbuf_get_u32(m, &cport)) != 0 ||
692	    (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
693	    (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
694		error_f("malformed message");
695		ret = -1;
696		goto out;
697	}
698	if (*listen_addr == '\0') {
699		free(listen_addr);
700		listen_addr = NULL;
701	}
702	if (*connect_addr == '\0') {
703		free(connect_addr);
704		connect_addr = NULL;
705	}
706
707	memset(&fwd, 0, sizeof(fwd));
708	fwd.listen_port = lport;
709	if (fwd.listen_port == PORT_STREAMLOCAL)
710		fwd.listen_path = listen_addr;
711	else
712		fwd.listen_host = listen_addr;
713	fwd.connect_port = cport;
714	if (fwd.connect_port == PORT_STREAMLOCAL)
715		fwd.connect_path = connect_addr;
716	else
717		fwd.connect_host = connect_addr;
718
719	debug2_f("channel %d: request %s", c->self,
720	    (fwd_desc = format_forward(ftype, &fwd)));
721
722	if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE &&
723	    ftype != MUX_FWD_DYNAMIC) {
724		logit_f("invalid forwarding type %u", ftype);
725 invalid:
726		free(listen_addr);
727		free(connect_addr);
728		reply_error(reply, MUX_S_FAILURE, rid,
729		    "Invalid forwarding request");
730		return 0;
731	}
732	if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) {
733		logit_f("streamlocal and dynamic forwards "
734		    "are mutually exclusive");
735		goto invalid;
736	}
737	if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) {
738		logit_f("invalid listen port %u", fwd.listen_port);
739		goto invalid;
740	}
741	if ((fwd.connect_port != PORT_STREAMLOCAL &&
742	    fwd.connect_port >= 65536) ||
743	    (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE &&
744	    fwd.connect_port == 0)) {
745		logit_f("invalid connect port %u",
746		    fwd.connect_port);
747		goto invalid;
748	}
749	if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL &&
750	    fwd.connect_path == NULL) {
751		logit_f("missing connect host");
752		goto invalid;
753	}
754
755	/* Skip forwards that have already been requested */
756	switch (ftype) {
757	case MUX_FWD_LOCAL:
758	case MUX_FWD_DYNAMIC:
759		for (i = 0; i < options.num_local_forwards; i++) {
760			if (compare_forward(&fwd,
761			    options.local_forwards + i)) {
762 exists:
763				debug2_f("found existing forwarding");
764				reply_ok(reply, rid);
765				goto out;
766			}
767		}
768		break;
769	case MUX_FWD_REMOTE:
770		for (i = 0; i < options.num_remote_forwards; i++) {
771			if (!compare_forward(&fwd, options.remote_forwards + i))
772				continue;
773			if (fwd.listen_port != 0)
774				goto exists;
775			debug2_f("found allocated port");
776			if ((r = sshbuf_put_u32(reply,
777			    MUX_S_REMOTE_PORT)) != 0 ||
778			    (r = sshbuf_put_u32(reply, rid)) != 0 ||
779			    (r = sshbuf_put_u32(reply,
780			    options.remote_forwards[i].allocated_port)) != 0)
781				fatal_fr(r, "reply FWD_REMOTE");
782			goto out;
783		}
784		break;
785	}
786
787	if (options.control_master == SSHCTL_MASTER_ASK ||
788	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
789		if (!ask_permission("Open %s on %s?", fwd_desc, host)) {
790			debug2_f("forwarding refused by user");
791			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
792			    "Permission denied");
793			goto out;
794		}
795	}
796
797	if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
798		if (!channel_setup_local_fwd_listener(ssh, &fwd,
799		    &options.fwd_opts)) {
800 fail:
801			logit_f("requested %s failed", fwd_desc);
802			reply_error(reply, MUX_S_FAILURE, rid,
803			    "Port forwarding failed");
804			goto out;
805		}
806		add_local_forward(&options, &fwd);
807		freefwd = 0;
808	} else {
809		struct mux_channel_confirm_ctx *fctx;
810
811		fwd.handle = channel_request_remote_forwarding(ssh, &fwd);
812		if (fwd.handle < 0)
813			goto fail;
814		add_remote_forward(&options, &fwd);
815		fctx = xcalloc(1, sizeof(*fctx));
816		fctx->cid = c->self;
817		fctx->rid = rid;
818		fctx->fid = options.num_remote_forwards - 1;
819		client_register_global_confirm(mux_confirm_remote_forward,
820		    fctx);
821		freefwd = 0;
822		c->mux_pause = 1; /* wait for mux_confirm_remote_forward */
823		/* delayed reply in mux_confirm_remote_forward */
824		goto out;
825	}
826	reply_ok(reply, rid);
827 out:
828	free(fwd_desc);
829	if (freefwd) {
830		free(fwd.listen_host);
831		free(fwd.listen_path);
832		free(fwd.connect_host);
833		free(fwd.connect_path);
834	}
835	return ret;
836}
837
838static int
839mux_master_process_close_fwd(struct ssh *ssh, u_int rid,
840    Channel *c, struct sshbuf *m, struct sshbuf *reply)
841{
842	struct Forward fwd, *found_fwd;
843	char *fwd_desc = NULL;
844	const char *error_reason = NULL;
845	char *listen_addr = NULL, *connect_addr = NULL;
846	u_int ftype;
847	int r, i, ret = 0;
848	u_int lport, cport;
849
850	memset(&fwd, 0, sizeof(fwd));
851
852	if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
853	    (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
854	    (r = sshbuf_get_u32(m, &lport)) != 0 ||
855	    (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
856	    (r = sshbuf_get_u32(m, &cport)) != 0 ||
857	    (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
858	    (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
859		error_f("malformed message");
860		ret = -1;
861		goto out;
862	}
863
864	if (*listen_addr == '\0') {
865		free(listen_addr);
866		listen_addr = NULL;
867	}
868	if (*connect_addr == '\0') {
869		free(connect_addr);
870		connect_addr = NULL;
871	}
872
873	memset(&fwd, 0, sizeof(fwd));
874	fwd.listen_port = lport;
875	if (fwd.listen_port == PORT_STREAMLOCAL)
876		fwd.listen_path = listen_addr;
877	else
878		fwd.listen_host = listen_addr;
879	fwd.connect_port = cport;
880	if (fwd.connect_port == PORT_STREAMLOCAL)
881		fwd.connect_path = connect_addr;
882	else
883		fwd.connect_host = connect_addr;
884
885	debug2_f("channel %d: request cancel %s", c->self,
886	    (fwd_desc = format_forward(ftype, &fwd)));
887
888	/* make sure this has been requested */
889	found_fwd = NULL;
890	switch (ftype) {
891	case MUX_FWD_LOCAL:
892	case MUX_FWD_DYNAMIC:
893		for (i = 0; i < options.num_local_forwards; i++) {
894			if (compare_forward(&fwd,
895			    options.local_forwards + i)) {
896				found_fwd = options.local_forwards + i;
897				break;
898			}
899		}
900		break;
901	case MUX_FWD_REMOTE:
902		for (i = 0; i < options.num_remote_forwards; i++) {
903			if (compare_forward(&fwd,
904			    options.remote_forwards + i)) {
905				found_fwd = options.remote_forwards + i;
906				break;
907			}
908		}
909		break;
910	}
911
912	if (found_fwd == NULL)
913		error_reason = "port not forwarded";
914	else if (ftype == MUX_FWD_REMOTE) {
915		/*
916		 * This shouldn't fail unless we confused the host/port
917		 * between options.remote_forwards and permitted_opens.
918		 * However, for dynamic allocated listen ports we need
919		 * to use the actual listen port.
920		 */
921		if (channel_request_rforward_cancel(ssh, found_fwd) == -1)
922			error_reason = "port not in permitted opens";
923	} else {	/* local and dynamic forwards */
924		/* Ditto */
925		if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port,
926		    &options.fwd_opts) == -1)
927			error_reason = "port not found";
928	}
929
930	if (error_reason != NULL)
931		reply_error(reply, MUX_S_FAILURE, rid, error_reason);
932	else {
933		reply_ok(reply, rid);
934		free(found_fwd->listen_host);
935		free(found_fwd->listen_path);
936		free(found_fwd->connect_host);
937		free(found_fwd->connect_path);
938		found_fwd->listen_host = found_fwd->connect_host = NULL;
939		found_fwd->listen_path = found_fwd->connect_path = NULL;
940		found_fwd->listen_port = found_fwd->connect_port = 0;
941	}
942 out:
943	free(fwd_desc);
944	free(listen_addr);
945	free(connect_addr);
946
947	return ret;
948}
949
950static int
951mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
952    Channel *c, struct sshbuf *m, struct sshbuf *reply)
953{
954	Channel *nc;
955	char *chost = NULL;
956	u_int _cport, i, j;
957	int ok = 0, cport, r, new_fd[2];
958	struct mux_stdio_confirm_ctx *cctx;
959
960	if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
961	    (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 ||
962	    (r = sshbuf_get_u32(m, &_cport)) != 0) {
963		free(chost);
964		error_f("malformed message");
965		return -1;
966	}
967	if (_cport == (u_int)PORT_STREAMLOCAL)
968		cport = PORT_STREAMLOCAL;
969	else if (_cport <= INT_MAX)
970		cport = (int)_cport;
971	else {
972		free(chost);
973		error_f("invalid port 0x%x", _cport);
974		return -1;
975	}
976
977	debug2_f("channel %d: stdio fwd to %s:%d", c->self, chost, cport);
978
979	/* Gather fds from client */
980	for(i = 0; i < 2; i++) {
981		if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
982			error_f("failed to receive fd %d from client", i);
983			for (j = 0; j < i; j++)
984				close(new_fd[j]);
985			free(chost);
986
987			/* prepare reply */
988			reply_error(reply, MUX_S_FAILURE, rid,
989			    "did not receive file descriptors");
990			return -1;
991		}
992	}
993
994	debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]);
995
996	/* XXX support multiple child sessions in future */
997	if (c->have_remote_id) {
998		debug2_f("session already open");
999		reply_error(reply, MUX_S_FAILURE, rid,
1000		    "Multiple sessions not supported");
1001 cleanup:
1002		close(new_fd[0]);
1003		close(new_fd[1]);
1004		free(chost);
1005		return 0;
1006	}
1007
1008	if (options.control_master == SSHCTL_MASTER_ASK ||
1009	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1010		if (cport == PORT_STREAMLOCAL) {
1011			ok = ask_permission("Allow forward to path %s", chost);
1012		} else {
1013			ok = ask_permission("Allow forward to [%s]:%d? ",
1014			    chost, cport);
1015		}
1016		if (!ok) {
1017			debug2_f("stdio fwd refused by user");
1018			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
1019			    "Permission denied");
1020			goto cleanup;
1021		}
1022	}
1023
1024	nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
1025	    CHANNEL_NONBLOCK_STDIO);
1026	free(chost);
1027
1028	nc->ctl_chan = c->self;		/* link session -> control channel */
1029	c->remote_id = nc->self;	/* link control -> session channel */
1030	c->have_remote_id = 1;
1031
1032	debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan);
1033
1034	channel_register_cleanup(ssh, nc->self,
1035	    mux_master_session_cleanup_cb, 1);
1036
1037	cctx = xcalloc(1, sizeof(*cctx));
1038	cctx->rid = rid;
1039	channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx);
1040	c->mux_pause = 1; /* stop handling messages until open_confirm done */
1041
1042	/* reply is deferred, sent by mux_session_confirm */
1043	return 0;
1044}
1045
1046/* Callback on open confirmation in mux master for a mux stdio fwd session. */
1047static void
1048mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg)
1049{
1050	struct mux_stdio_confirm_ctx *cctx = arg;
1051	Channel *c, *cc;
1052	struct sshbuf *reply;
1053	int r;
1054
1055	if (cctx == NULL)
1056		fatal_f("cctx == NULL");
1057	if ((c = channel_by_id(ssh, id)) == NULL)
1058		fatal_f("no channel for id %d", id);
1059	if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1060		fatal_f("channel %d lacks control channel %d",
1061		    id, c->ctl_chan);
1062	if ((reply = sshbuf_new()) == NULL)
1063		fatal_f("sshbuf_new");
1064
1065	if (!success) {
1066		debug3_f("sending failure reply");
1067		reply_error(reply, MUX_S_FAILURE, cctx->rid,
1068		    "Session open refused by peer");
1069		/* prepare reply */
1070		goto done;
1071	}
1072
1073	debug3_f("sending success reply");
1074	/* prepare reply */
1075	if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
1076	    (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
1077	    (r = sshbuf_put_u32(reply, c->self)) != 0)
1078		fatal_fr(r, "reply");
1079
1080 done:
1081	/* Send reply */
1082	if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1083		fatal_fr(r, "enqueue");
1084	sshbuf_free(reply);
1085
1086	if (cc->mux_pause <= 0)
1087		fatal_f("mux_pause %d", cc->mux_pause);
1088	cc->mux_pause = 0; /* start processing messages again */
1089	c->open_confirm_ctx = NULL;
1090	free(cctx);
1091}
1092
1093static int
1094mux_master_process_stop_listening(struct ssh *ssh, u_int rid,
1095    Channel *c, struct sshbuf *m, struct sshbuf *reply)
1096{
1097	debug_f("channel %d: stop listening", c->self);
1098
1099	if (options.control_master == SSHCTL_MASTER_ASK ||
1100	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1101		if (!ask_permission("Disable further multiplexing on shared "
1102		    "connection to %s? ", host)) {
1103			debug2_f("stop listen refused by user");
1104			reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
1105			    "Permission denied");
1106			return 0;
1107		}
1108	}
1109
1110	if (mux_listener_channel != NULL) {
1111		channel_free(ssh, mux_listener_channel);
1112		client_stop_mux();
1113		free(options.control_path);
1114		options.control_path = NULL;
1115		mux_listener_channel = NULL;
1116		muxserver_sock = -1;
1117	}
1118
1119	reply_ok(reply, rid);
1120	return 0;
1121}
1122
1123static int
1124mux_master_process_proxy(struct ssh *ssh, u_int rid,
1125    Channel *c, struct sshbuf *m, struct sshbuf *reply)
1126{
1127	int r;
1128
1129	debug_f("channel %d: proxy request", c->self);
1130
1131	c->mux_rcb = channel_proxy_downstream;
1132	if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
1133	    (r = sshbuf_put_u32(reply, rid)) != 0)
1134		fatal_fr(r, "reply");
1135
1136	return 0;
1137}
1138
1139/* Channel callbacks fired on read/write from mux client fd */
1140static int
1141mux_master_read_cb(struct ssh *ssh, Channel *c)
1142{
1143	struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
1144	struct sshbuf *in = NULL, *out = NULL;
1145	u_int type, rid, i;
1146	int r, ret = -1;
1147
1148	if ((out = sshbuf_new()) == NULL)
1149		fatal_f("sshbuf_new");
1150
1151	/* Setup ctx and  */
1152	if (c->mux_ctx == NULL) {
1153		state = xcalloc(1, sizeof(*state));
1154		c->mux_ctx = state;
1155		channel_register_cleanup(ssh, c->self,
1156		    mux_master_control_cleanup_cb, 0);
1157
1158		/* Send hello */
1159		if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 ||
1160		    (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0)
1161			fatal_fr(r, "reply");
1162		/* no extensions */
1163		if ((r = sshbuf_put_stringb(c->output, out)) != 0)
1164			fatal_fr(r, "enqueue");
1165		debug3_f("channel %d: hello sent", c->self);
1166		ret = 0;
1167		goto out;
1168	}
1169
1170	/* Channel code ensures that we receive whole packets */
1171	if ((r = sshbuf_froms(c->input, &in)) != 0) {
1172 malf:
1173		error_f("malformed message");
1174		goto out;
1175	}
1176
1177	if ((r = sshbuf_get_u32(in, &type)) != 0)
1178		goto malf;
1179	debug3_f("channel %d packet type 0x%08x len %zu", c->self,
1180	    type, sshbuf_len(in));
1181
1182	if (type == MUX_MSG_HELLO)
1183		rid = 0;
1184	else {
1185		if (!state->hello_rcvd) {
1186			error_f("expected MUX_MSG_HELLO(0x%08x), "
1187			    "received 0x%08x", MUX_MSG_HELLO, type);
1188			goto out;
1189		}
1190		if ((r = sshbuf_get_u32(in, &rid)) != 0)
1191			goto malf;
1192	}
1193
1194	for (i = 0; mux_master_handlers[i].handler != NULL; i++) {
1195		if (type == mux_master_handlers[i].type) {
1196			ret = mux_master_handlers[i].handler(ssh, rid,
1197			    c, in, out);
1198			break;
1199		}
1200	}
1201	if (mux_master_handlers[i].handler == NULL) {
1202		error_f("unsupported mux message 0x%08x", type);
1203		reply_error(out, MUX_S_FAILURE, rid, "unsupported request");
1204		ret = 0;
1205	}
1206	/* Enqueue reply packet */
1207	if (sshbuf_len(out) != 0 &&
1208	    (r = sshbuf_put_stringb(c->output, out)) != 0)
1209		fatal_fr(r, "enqueue");
1210 out:
1211	sshbuf_free(in);
1212	sshbuf_free(out);
1213	return ret;
1214}
1215
1216void
1217mux_exit_message(struct ssh *ssh, Channel *c, int exitval)
1218{
1219	struct sshbuf *m;
1220	Channel *mux_chan;
1221	int r;
1222
1223	debug3_f("channel %d: exit message, exitval %d", c->self, exitval);
1224
1225	if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1226		fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1227
1228	/* Append exit message packet to control socket output queue */
1229	if ((m = sshbuf_new()) == NULL)
1230		fatal_f("sshbuf_new");
1231	if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 ||
1232	    (r = sshbuf_put_u32(m, c->self)) != 0 ||
1233	    (r = sshbuf_put_u32(m, exitval)) != 0 ||
1234	    (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1235		fatal_fr(r, "reply");
1236	sshbuf_free(m);
1237}
1238
1239void
1240mux_tty_alloc_failed(struct ssh *ssh, Channel *c)
1241{
1242	struct sshbuf *m;
1243	Channel *mux_chan;
1244	int r;
1245
1246	debug3_f("channel %d: TTY alloc failed", c->self);
1247
1248	if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1249		fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1250
1251	/* Append exit message packet to control socket output queue */
1252	if ((m = sshbuf_new()) == NULL)
1253		fatal_f("sshbuf_new");
1254	if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 ||
1255	    (r = sshbuf_put_u32(m, c->self)) != 0 ||
1256	    (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1257		fatal_fr(r, "reply");
1258	sshbuf_free(m);
1259}
1260
1261/* Prepare a mux master to listen on a Unix domain socket. */
1262void
1263muxserver_listen(struct ssh *ssh)
1264{
1265	mode_t old_umask;
1266	char *orig_control_path = options.control_path;
1267	char rbuf[16+1];
1268	u_int i, r;
1269	int oerrno;
1270
1271	if (options.control_path == NULL ||
1272	    options.control_master == SSHCTL_MASTER_NO)
1273		return;
1274
1275	debug("setting up multiplex master socket");
1276
1277	/*
1278	 * Use a temporary path before listen so we can pseudo-atomically
1279	 * establish the listening socket in its final location to avoid
1280	 * other processes racing in between bind() and listen() and hitting
1281	 * an unready socket.
1282	 */
1283	for (i = 0; i < sizeof(rbuf) - 1; i++) {
1284		r = arc4random_uniform(26+26+10);
1285		rbuf[i] = (r < 26) ? 'a' + r :
1286		    (r < 26*2) ? 'A' + r - 26 :
1287		    '0' + r - 26 - 26;
1288	}
1289	rbuf[sizeof(rbuf) - 1] = '\0';
1290	options.control_path = NULL;
1291	xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf);
1292	debug3_f("temporary control path %s", options.control_path);
1293
1294	old_umask = umask(0177);
1295	muxserver_sock = unix_listener(options.control_path, 64, 0);
1296	oerrno = errno;
1297	umask(old_umask);
1298	if (muxserver_sock < 0) {
1299		if (oerrno == EINVAL || oerrno == EADDRINUSE) {
1300			error("ControlSocket %s already exists, "
1301			    "disabling multiplexing", options.control_path);
1302 disable_mux_master:
1303			if (muxserver_sock != -1) {
1304				close(muxserver_sock);
1305				muxserver_sock = -1;
1306			}
1307			free(orig_control_path);
1308			free(options.control_path);
1309			options.control_path = NULL;
1310			options.control_master = SSHCTL_MASTER_NO;
1311			return;
1312		} else {
1313			/* unix_listener() logs the error */
1314			cleanup_exit(254);
1315		}
1316	}
1317
1318	/* Now atomically "move" the mux socket into position */
1319	if (link(options.control_path, orig_control_path) != 0) {
1320		if (errno != EEXIST) {
1321			fatal_f("link mux listener %s => %s: %s",
1322			    options.control_path, orig_control_path,
1323			    strerror(errno));
1324		}
1325		error("ControlSocket %s already exists, disabling multiplexing",
1326		    orig_control_path);
1327		unlink(options.control_path);
1328		goto disable_mux_master;
1329	}
1330	unlink(options.control_path);
1331	free(options.control_path);
1332	options.control_path = orig_control_path;
1333
1334	set_nonblock(muxserver_sock);
1335
1336	mux_listener_channel = channel_new(ssh, "mux listener",
1337	    SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1,
1338	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1339	    0, options.control_path, 1);
1340	mux_listener_channel->mux_rcb = mux_master_read_cb;
1341	debug3_f("mux listener channel %d fd %d",
1342	    mux_listener_channel->self, mux_listener_channel->sock);
1343}
1344
1345/* Callback on open confirmation in mux master for a mux client session. */
1346static void
1347mux_session_confirm(struct ssh *ssh, int id, int success, void *arg)
1348{
1349	struct mux_session_confirm_ctx *cctx = arg;
1350	const char *display;
1351	Channel *c, *cc;
1352	int i, r;
1353	struct sshbuf *reply;
1354
1355	if (cctx == NULL)
1356		fatal_f("cctx == NULL");
1357	if ((c = channel_by_id(ssh, id)) == NULL)
1358		fatal_f("no channel for id %d", id);
1359	if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1360		fatal_f("channel %d lacks control channel %d",
1361		    id, c->ctl_chan);
1362	if ((reply = sshbuf_new()) == NULL)
1363		fatal_f("sshbuf_new");
1364
1365	if (!success) {
1366		debug3_f("sending failure reply");
1367		reply_error(reply, MUX_S_FAILURE, cctx->rid,
1368		    "Session open refused by peer");
1369		goto done;
1370	}
1371
1372	display = getenv("DISPLAY");
1373	if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
1374		char *proto, *data;
1375
1376		/* Get reasonable local authentication information. */
1377		if (client_x11_get_proto(ssh, display, options.xauth_location,
1378		    options.forward_x11_trusted, options.forward_x11_timeout,
1379		    &proto, &data) == 0) {
1380			/* Request forwarding with authentication spoofing. */
1381			debug("Requesting X11 forwarding with authentication "
1382			    "spoofing.");
1383			x11_request_forwarding_with_spoofing(ssh, id,
1384			    display, proto, data, 1);
1385			/* XXX exit_on_forward_failure */
1386			client_expect_confirm(ssh, id, "X11 forwarding",
1387			    CONFIRM_WARN);
1388		}
1389	}
1390
1391	if (cctx->want_agent_fwd && options.forward_agent) {
1392		debug("Requesting authentication agent forwarding.");
1393		channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0);
1394		if ((r = sshpkt_send(ssh)) != 0)
1395			fatal_fr(r, "send");
1396	}
1397
1398	client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,
1399	    cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env);
1400
1401	debug3_f("sending success reply");
1402	/* prepare reply */
1403	if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
1404	    (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
1405	    (r = sshbuf_put_u32(reply, c->self)) != 0)
1406		fatal_fr(r, "reply");
1407
1408 done:
1409	/* Send reply */
1410	if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1411		fatal_fr(r, "enqueue");
1412	sshbuf_free(reply);
1413
1414	if (cc->mux_pause <= 0)
1415		fatal_f("mux_pause %d", cc->mux_pause);
1416	cc->mux_pause = 0; /* start processing messages again */
1417	c->open_confirm_ctx = NULL;
1418	sshbuf_free(cctx->cmd);
1419	free(cctx->term);
1420	if (cctx->env != NULL) {
1421		for (i = 0; cctx->env[i] != NULL; i++)
1422			free(cctx->env[i]);
1423		free(cctx->env);
1424	}
1425	free(cctx);
1426}
1427
1428/* ** Multiplexing client support */
1429
1430/* Exit signal handler */
1431static void
1432control_client_sighandler(int signo)
1433{
1434	muxclient_terminate = signo;
1435}
1436
1437/*
1438 * Relay signal handler - used to pass some signals from mux client to
1439 * mux master.
1440 */
1441static void
1442control_client_sigrelay(int signo)
1443{
1444	int save_errno = errno;
1445
1446	if (muxserver_pid > 1)
1447		kill(muxserver_pid, signo);
1448
1449	errno = save_errno;
1450}
1451
1452static int
1453mux_client_read(int fd, struct sshbuf *b, size_t need, int timeout_ms)
1454{
1455	size_t have;
1456	ssize_t len;
1457	u_char *p;
1458	int r;
1459
1460	if ((r = sshbuf_reserve(b, need, &p)) != 0)
1461		fatal_fr(r, "reserve");
1462	for (have = 0; have < need; ) {
1463		if (muxclient_terminate) {
1464			errno = EINTR;
1465			return -1;
1466		}
1467		len = read(fd, p + have, need - have);
1468		if (len == -1) {
1469			switch (errno) {
1470			case EAGAIN:
1471				if (waitrfd(fd, &timeout_ms,
1472				    &muxclient_terminate) == -1 &&
1473				    errno != EINTR)
1474					return -1;	/* timeout */
1475				/* FALLTHROUGH */
1476			case EINTR:
1477				continue;
1478			default:
1479				return -1;
1480			}
1481		}
1482		if (len == 0) {
1483			errno = EPIPE;
1484			return -1;
1485		}
1486		have += (size_t)len;
1487	}
1488	return 0;
1489}
1490
1491static int
1492mux_client_write_packet(int fd, struct sshbuf *m)
1493{
1494	struct sshbuf *queue;
1495	u_int have, need;
1496	int r, oerrno, len;
1497	const u_char *ptr;
1498	struct pollfd pfd;
1499
1500	pfd.fd = fd;
1501	pfd.events = POLLOUT;
1502	if ((queue = sshbuf_new()) == NULL)
1503		fatal_f("sshbuf_new");
1504	if ((r = sshbuf_put_stringb(queue, m)) != 0)
1505		fatal_fr(r, "enqueue");
1506
1507	need = sshbuf_len(queue);
1508	ptr = sshbuf_ptr(queue);
1509
1510	for (have = 0; have < need; ) {
1511		if (muxclient_terminate) {
1512			sshbuf_free(queue);
1513			errno = EINTR;
1514			return -1;
1515		}
1516		len = write(fd, ptr + have, need - have);
1517		if (len == -1) {
1518			switch (errno) {
1519			case EAGAIN:
1520				(void)poll(&pfd, 1, -1);
1521				/* FALLTHROUGH */
1522			case EINTR:
1523				continue;
1524			default:
1525				oerrno = errno;
1526				sshbuf_free(queue);
1527				errno = oerrno;
1528				return -1;
1529			}
1530		}
1531		if (len == 0) {
1532			sshbuf_free(queue);
1533			errno = EPIPE;
1534			return -1;
1535		}
1536		have += (u_int)len;
1537	}
1538	sshbuf_free(queue);
1539	return 0;
1540}
1541
1542static int
1543mux_client_read_packet_timeout(int fd, struct sshbuf *m, int timeout_ms)
1544{
1545	struct sshbuf *queue;
1546	size_t need, have;
1547	const u_char *ptr;
1548	int r, oerrno;
1549
1550	if ((queue = sshbuf_new()) == NULL)
1551		fatal_f("sshbuf_new");
1552	if (mux_client_read(fd, queue, 4, timeout_ms) != 0) {
1553		if ((oerrno = errno) == EPIPE)
1554			debug3_f("read header failed: %s",
1555			    strerror(errno));
1556		sshbuf_free(queue);
1557		errno = oerrno;
1558		return -1;
1559	}
1560	need = PEEK_U32(sshbuf_ptr(queue));
1561	if (mux_client_read(fd, queue, need, timeout_ms) != 0) {
1562		oerrno = errno;
1563		debug3_f("read body failed: %s", strerror(errno));
1564		sshbuf_free(queue);
1565		errno = oerrno;
1566		return -1;
1567	}
1568	if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 ||
1569	    (r = sshbuf_put(m, ptr, have)) != 0)
1570		fatal_fr(r, "dequeue");
1571	sshbuf_free(queue);
1572	return 0;
1573}
1574
1575static int
1576mux_client_read_packet(int fd, struct sshbuf *m)
1577{
1578	return mux_client_read_packet_timeout(fd, m, -1);
1579}
1580
1581static int
1582mux_client_hello_exchange(int fd, int timeout_ms)
1583{
1584	struct sshbuf *m;
1585	u_int type, ver;
1586	int r, ret = -1;
1587
1588	if ((m = sshbuf_new()) == NULL)
1589		fatal_f("sshbuf_new");
1590	if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 ||
1591	    (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0)
1592		fatal_fr(r, "assemble hello");
1593	/* no extensions */
1594
1595	if (mux_client_write_packet(fd, m) != 0) {
1596		debug_f("write packet: %s", strerror(errno));
1597		goto out;
1598	}
1599
1600	sshbuf_reset(m);
1601
1602	/* Read their HELLO */
1603	if (mux_client_read_packet_timeout(fd, m, timeout_ms) != 0) {
1604		debug_f("read packet failed");
1605		goto out;
1606	}
1607
1608	if ((r = sshbuf_get_u32(m, &type)) != 0)
1609		fatal_fr(r, "parse type");
1610	if (type != MUX_MSG_HELLO) {
1611		error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type);
1612		goto out;
1613	}
1614	if ((r = sshbuf_get_u32(m, &ver)) != 0)
1615		fatal_fr(r, "parse version");
1616	if (ver != SSHMUX_VER) {
1617		error("Unsupported multiplexing protocol version %d "
1618		    "(expected %d)", ver, SSHMUX_VER);
1619		goto out;
1620	}
1621	debug2_f("master version %u", ver);
1622	/* No extensions are presently defined */
1623	while (sshbuf_len(m) > 0) {
1624		char *name = NULL;
1625
1626		if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
1627		    (r = sshbuf_skip_string(m)) != 0) { /* value */
1628			error_fr(r, "parse extension");
1629			goto out;
1630		}
1631		debug2("Unrecognised master extension \"%s\"", name);
1632		free(name);
1633	}
1634	/* success */
1635	ret = 0;
1636 out:
1637	sshbuf_free(m);
1638	return ret;
1639}
1640
1641static u_int
1642mux_client_request_alive(int fd)
1643{
1644	struct sshbuf *m;
1645	char *e;
1646	u_int pid, type, rid;
1647	int r;
1648
1649	debug3_f("entering");
1650
1651	if ((m = sshbuf_new()) == NULL)
1652		fatal_f("sshbuf_new");
1653	if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 ||
1654	    (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1655		fatal_fr(r, "assemble");
1656
1657	if (mux_client_write_packet(fd, m) != 0)
1658		fatal_f("write packet: %s", strerror(errno));
1659
1660	sshbuf_reset(m);
1661
1662	/* Read their reply */
1663	if (mux_client_read_packet(fd, m) != 0) {
1664		sshbuf_free(m);
1665		return 0;
1666	}
1667
1668	if ((r = sshbuf_get_u32(m, &type)) != 0)
1669		fatal_fr(r, "parse type");
1670	if (type != MUX_S_ALIVE) {
1671		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1672			fatal_fr(r, "parse error message");
1673		fatal_f("master returned error: %s", e);
1674	}
1675
1676	if ((r = sshbuf_get_u32(m, &rid)) != 0)
1677		fatal_fr(r, "parse remote ID");
1678	if (rid != muxclient_request_id)
1679		fatal_f("out of sequence reply: my id %u theirs %u",
1680		    muxclient_request_id, rid);
1681	if ((r = sshbuf_get_u32(m, &pid)) != 0)
1682		fatal_fr(r, "parse PID");
1683	sshbuf_free(m);
1684
1685	debug3_f("done pid = %u", pid);
1686
1687	muxclient_request_id++;
1688
1689	return pid;
1690}
1691
1692static void
1693mux_client_request_terminate(int fd)
1694{
1695	struct sshbuf *m;
1696	char *e;
1697	u_int type, rid;
1698	int r;
1699
1700	debug3_f("entering");
1701
1702	if ((m = sshbuf_new()) == NULL)
1703		fatal_f("sshbuf_new");
1704	if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 ||
1705	    (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1706		fatal_fr(r, "request");
1707
1708	if (mux_client_write_packet(fd, m) != 0)
1709		fatal_f("write packet: %s", strerror(errno));
1710
1711	sshbuf_reset(m);
1712
1713	/* Read their reply */
1714	if (mux_client_read_packet(fd, m) != 0) {
1715		/* Remote end exited already */
1716		if (errno == EPIPE) {
1717			sshbuf_free(m);
1718			return;
1719		}
1720		fatal_f("read from master failed: %s", strerror(errno));
1721	}
1722
1723	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1724	    (r = sshbuf_get_u32(m, &rid)) != 0)
1725		fatal_fr(r, "parse");
1726	if (rid != muxclient_request_id)
1727		fatal_f("out of sequence reply: my id %u theirs %u",
1728		    muxclient_request_id, rid);
1729	switch (type) {
1730	case MUX_S_OK:
1731		break;
1732	case MUX_S_PERMISSION_DENIED:
1733		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1734			fatal_fr(r, "parse error message");
1735		fatal("Master refused termination request: %s", e);
1736	case MUX_S_FAILURE:
1737		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1738			fatal_fr(r, "parse error message");
1739		fatal_f("termination request failed: %s", e);
1740	default:
1741		fatal_f("unexpected response from master 0x%08x", type);
1742	}
1743	sshbuf_free(m);
1744	muxclient_request_id++;
1745}
1746
1747static int
1748mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
1749{
1750	struct sshbuf *m;
1751	char *e, *fwd_desc;
1752	const char *lhost, *chost;
1753	u_int type, rid;
1754	int r;
1755
1756	fwd_desc = format_forward(ftype, fwd);
1757	debug("Requesting %s %s",
1758	    cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
1759	free(fwd_desc);
1760
1761	type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD;
1762	if (fwd->listen_path != NULL)
1763		lhost = fwd->listen_path;
1764	else if (fwd->listen_host == NULL)
1765		lhost = "";
1766	else if (*fwd->listen_host == '\0')
1767		lhost = "*";
1768	else
1769		lhost = fwd->listen_host;
1770
1771	if (fwd->connect_path != NULL)
1772		chost = fwd->connect_path;
1773	else if (fwd->connect_host == NULL)
1774		chost = "";
1775	else
1776		chost = fwd->connect_host;
1777
1778	if ((m = sshbuf_new()) == NULL)
1779		fatal_f("sshbuf_new");
1780	if ((r = sshbuf_put_u32(m, type)) != 0 ||
1781	    (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
1782	    (r = sshbuf_put_u32(m, ftype)) != 0 ||
1783	    (r = sshbuf_put_cstring(m, lhost)) != 0 ||
1784	    (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 ||
1785	    (r = sshbuf_put_cstring(m, chost)) != 0 ||
1786	    (r = sshbuf_put_u32(m, fwd->connect_port)) != 0)
1787		fatal_fr(r, "request");
1788
1789	if (mux_client_write_packet(fd, m) != 0)
1790		fatal_f("write packet: %s", strerror(errno));
1791
1792	sshbuf_reset(m);
1793
1794	/* Read their reply */
1795	if (mux_client_read_packet(fd, m) != 0) {
1796		sshbuf_free(m);
1797		return -1;
1798	}
1799
1800	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1801	    (r = sshbuf_get_u32(m, &rid)) != 0)
1802		fatal_fr(r, "parse");
1803	if (rid != muxclient_request_id)
1804		fatal_f("out of sequence reply: my id %u theirs %u",
1805		    muxclient_request_id, rid);
1806
1807	switch (type) {
1808	case MUX_S_OK:
1809		break;
1810	case MUX_S_REMOTE_PORT:
1811		if (cancel_flag)
1812			fatal_f("got MUX_S_REMOTE_PORT for cancel");
1813		if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0)
1814			fatal_fr(r, "parse port");
1815		verbose("Allocated port %u for remote forward to %s:%d",
1816		    fwd->allocated_port,
1817		    fwd->connect_host ? fwd->connect_host : "",
1818		    fwd->connect_port);
1819		if (muxclient_command == SSHMUX_COMMAND_FORWARD)
1820			fprintf(stdout, "%i\n", fwd->allocated_port);
1821		break;
1822	case MUX_S_PERMISSION_DENIED:
1823		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1824			fatal_fr(r, "parse error message");
1825		sshbuf_free(m);
1826		error("Master refused forwarding request: %s", e);
1827		return -1;
1828	case MUX_S_FAILURE:
1829		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1830			fatal_fr(r, "parse error message");
1831		sshbuf_free(m);
1832		error_f("forwarding request failed: %s", e);
1833		return -1;
1834	default:
1835		fatal_f("unexpected response from master 0x%08x", type);
1836	}
1837	sshbuf_free(m);
1838
1839	muxclient_request_id++;
1840	return 0;
1841}
1842
1843static int
1844mux_client_forwards(int fd, int cancel_flag)
1845{
1846	int i, ret = 0;
1847
1848	debug3_f("%s forwardings: %d local, %d remote",
1849	    cancel_flag ? "cancel" : "request",
1850	    options.num_local_forwards, options.num_remote_forwards);
1851
1852	/* XXX ExitOnForwardingFailure */
1853	for (i = 0; i < options.num_local_forwards; i++) {
1854		if (mux_client_forward(fd, cancel_flag,
1855		    options.local_forwards[i].connect_port == 0 ?
1856		    MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
1857		    options.local_forwards + i) != 0)
1858			ret = -1;
1859	}
1860	for (i = 0; i < options.num_remote_forwards; i++) {
1861		if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE,
1862		    options.remote_forwards + i) != 0)
1863			ret = -1;
1864	}
1865	return ret;
1866}
1867
1868static int
1869mux_client_request_session(int fd)
1870{
1871	struct sshbuf *m;
1872	char *e;
1873	const char *term = NULL;
1874	u_int i, echar, rid, sid, esid, exitval, type, exitval_seen;
1875	extern char **environ;
1876	int r, rawmode = 0;
1877
1878	debug3_f("entering");
1879
1880	if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
1881		error_f("master alive request failed");
1882		return -1;
1883	}
1884
1885	ssh_signal(SIGPIPE, SIG_IGN);
1886
1887	if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
1888		fatal_f("stdfd_devnull failed");
1889
1890	if ((term = lookup_env_in_list("TERM", options.setenv,
1891	    options.num_setenv)) == NULL || *term == '\0')
1892		term = getenv("TERM");
1893
1894	echar = 0xffffffff;
1895	if (options.escape_char != SSH_ESCAPECHAR_NONE)
1896	    echar = (u_int)options.escape_char;
1897
1898	if ((m = sshbuf_new()) == NULL)
1899		fatal_f("sshbuf_new");
1900	if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 ||
1901	    (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
1902	    (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
1903	    (r = sshbuf_put_u32(m, tty_flag)) != 0 ||
1904	    (r = sshbuf_put_u32(m, options.forward_x11)) != 0 ||
1905	    (r = sshbuf_put_u32(m, options.forward_agent)) != 0 ||
1906	    (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 ||
1907	    (r = sshbuf_put_u32(m, echar)) != 0 ||
1908	    (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 ||
1909	    (r = sshbuf_put_stringb(m, command)) != 0)
1910		fatal_fr(r, "request");
1911
1912	/* Pass environment */
1913	if (options.num_send_env > 0 && environ != NULL) {
1914		for (i = 0; environ[i] != NULL; i++) {
1915			if (!env_permitted(environ[i]))
1916				continue;
1917			if ((r = sshbuf_put_cstring(m, environ[i])) != 0)
1918				fatal_fr(r, "request sendenv");
1919		}
1920	}
1921	for (i = 0; i < options.num_setenv; i++) {
1922		if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0)
1923			fatal_fr(r, "request setenv");
1924	}
1925
1926	if (mux_client_write_packet(fd, m) != 0)
1927		fatal_f("write packet: %s", strerror(errno));
1928
1929	/* Send the stdio file descriptors */
1930	if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
1931	    mm_send_fd(fd, STDOUT_FILENO) == -1 ||
1932	    mm_send_fd(fd, STDERR_FILENO) == -1)
1933		fatal_f("send fds failed");
1934
1935	debug3_f("session request sent");
1936
1937	/* Read their reply */
1938	sshbuf_reset(m);
1939	if (mux_client_read_packet(fd, m) != 0) {
1940		error_f("read from master failed: %s", strerror(errno));
1941		sshbuf_free(m);
1942		return -1;
1943	}
1944
1945	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1946	    (r = sshbuf_get_u32(m, &rid)) != 0)
1947		fatal_fr(r, "parse");
1948	if (rid != muxclient_request_id)
1949		fatal_f("out of sequence reply: my id %u theirs %u",
1950		    muxclient_request_id, rid);
1951
1952	switch (type) {
1953	case MUX_S_SESSION_OPENED:
1954		if ((r = sshbuf_get_u32(m, &sid)) != 0)
1955			fatal_fr(r, "parse session ID");
1956		debug_f("master session id: %u", sid);
1957		break;
1958	case MUX_S_PERMISSION_DENIED:
1959		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1960			fatal_fr(r, "parse error message");
1961		error("Master refused session request: %s", e);
1962		sshbuf_free(m);
1963		return -1;
1964	case MUX_S_FAILURE:
1965		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1966			fatal_fr(r, "parse error message");
1967		error_f("session request failed: %s", e);
1968		sshbuf_free(m);
1969		return -1;
1970	default:
1971		sshbuf_free(m);
1972		error_f("unexpected response from master 0x%08x", type);
1973		return -1;
1974	}
1975	muxclient_request_id++;
1976
1977#ifdef __OpenBSD__
1978	if (pledge("stdio proc tty", NULL) == -1)
1979		fatal_f("pledge(): %s", strerror(errno));
1980#endif
1981
1982	ssh_signal(SIGHUP, control_client_sighandler);
1983	ssh_signal(SIGINT, control_client_sighandler);
1984	ssh_signal(SIGTERM, control_client_sighandler);
1985	ssh_signal(SIGWINCH, control_client_sigrelay);
1986
1987	if (options.fork_after_authentication)
1988		daemon(1, 1);
1989	else {
1990		rawmode = tty_flag;
1991		if (tty_flag) {
1992			enter_raw_mode(
1993			    options.request_tty == REQUEST_TTY_FORCE);
1994		}
1995	}
1996
1997	/*
1998	 * Stick around until the controlee closes the client_fd.
1999	 * Before it does, it is expected to write an exit message.
2000	 * This process must read the value and wait for the closure of
2001	 * the client_fd; if this one closes early, the multiplex master will
2002	 * terminate early too (possibly losing data).
2003	 */
2004	for (exitval = 255, exitval_seen = 0;;) {
2005		sshbuf_reset(m);
2006		if (mux_client_read_packet(fd, m) != 0)
2007			break;
2008		if ((r = sshbuf_get_u32(m, &type)) != 0)
2009			fatal_fr(r, "parse type");
2010		switch (type) {
2011		case MUX_S_TTY_ALLOC_FAIL:
2012			if ((r = sshbuf_get_u32(m, &esid)) != 0)
2013				fatal_fr(r, "parse session ID");
2014			if (esid != sid)
2015				fatal_f("tty alloc fail on unknown session: "
2016				    "my id %u theirs %u", sid, esid);
2017			leave_raw_mode(options.request_tty ==
2018			    REQUEST_TTY_FORCE);
2019			rawmode = 0;
2020			continue;
2021		case MUX_S_EXIT_MESSAGE:
2022			if ((r = sshbuf_get_u32(m, &esid)) != 0)
2023				fatal_fr(r, "parse session ID");
2024			if (esid != sid)
2025				fatal_f("exit on unknown session: "
2026				    "my id %u theirs %u", sid, esid);
2027			if (exitval_seen)
2028				fatal_f("exitval sent twice");
2029			if ((r = sshbuf_get_u32(m, &exitval)) != 0)
2030				fatal_fr(r, "parse exitval");
2031			exitval_seen = 1;
2032			continue;
2033		default:
2034			if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2035				fatal_fr(r, "parse error message");
2036			fatal_f("master returned error: %s", e);
2037		}
2038	}
2039
2040	close(fd);
2041	if (rawmode)
2042		leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
2043
2044	if (muxclient_terminate) {
2045		debug2("Exiting on signal: %s", strsignal(muxclient_terminate));
2046		exitval = 255;
2047	} else if (!exitval_seen) {
2048		debug2("Control master terminated unexpectedly");
2049		exitval = 255;
2050	} else
2051		debug2("Received exit status from master %d", exitval);
2052
2053	if (tty_flag && options.log_level >= SYSLOG_LEVEL_INFO)
2054		fprintf(stderr, "Shared connection to %s closed.\r\n", host);
2055
2056	exit(exitval);
2057}
2058
2059static int
2060mux_client_proxy(int fd)
2061{
2062	struct sshbuf *m;
2063	char *e;
2064	u_int type, rid;
2065	int r;
2066
2067	if ((m = sshbuf_new()) == NULL)
2068		fatal_f("sshbuf_new");
2069	if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 ||
2070	    (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
2071		fatal_fr(r, "request");
2072	if (mux_client_write_packet(fd, m) != 0)
2073		fatal_f("write packet: %s", strerror(errno));
2074
2075	sshbuf_reset(m);
2076
2077	/* Read their reply */
2078	if (mux_client_read_packet(fd, m) != 0) {
2079		sshbuf_free(m);
2080		return 0;
2081	}
2082	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2083	    (r = sshbuf_get_u32(m, &rid)) != 0)
2084		fatal_fr(r, "parse");
2085	if (rid != muxclient_request_id)
2086		fatal_f("out of sequence reply: my id %u theirs %u",
2087		    muxclient_request_id, rid);
2088	if (type != MUX_S_PROXY) {
2089		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2090			fatal_fr(r, "parse error message");
2091		fatal_f("master returned error: %s", e);
2092	}
2093	sshbuf_free(m);
2094
2095	debug3_f("done");
2096	muxclient_request_id++;
2097	return 0;
2098}
2099
2100static int
2101mux_client_request_stdio_fwd(int fd)
2102{
2103	struct sshbuf *m;
2104	char *e;
2105	u_int type, rid, sid;
2106	int r;
2107
2108	debug3_f("entering");
2109
2110	if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
2111		error_f("master alive request failed");
2112		return -1;
2113	}
2114
2115	ssh_signal(SIGPIPE, SIG_IGN);
2116
2117	if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
2118		fatal_f("stdfd_devnull failed");
2119
2120	if ((m = sshbuf_new()) == NULL)
2121		fatal_f("sshbuf_new");
2122	if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 ||
2123	    (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
2124	    (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
2125	    (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 ||
2126	    (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0)
2127		fatal_fr(r, "request");
2128
2129	if (mux_client_write_packet(fd, m) != 0)
2130		fatal_f("write packet: %s", strerror(errno));
2131
2132	/* Send the stdio file descriptors */
2133	if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
2134	    mm_send_fd(fd, STDOUT_FILENO) == -1)
2135		fatal_f("send fds failed");
2136
2137#ifdef __OpenBSD__
2138	if (pledge("stdio proc tty", NULL) == -1)
2139		fatal_f("pledge(): %s", strerror(errno));
2140#endif
2141
2142	debug3_f("stdio forward request sent");
2143
2144	/* Read their reply */
2145	sshbuf_reset(m);
2146
2147	if (mux_client_read_packet(fd, m) != 0) {
2148		error_f("read from master failed: %s", strerror(errno));
2149		sshbuf_free(m);
2150		return -1;
2151	}
2152
2153	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2154	    (r = sshbuf_get_u32(m, &rid)) != 0)
2155		fatal_fr(r, "parse");
2156	if (rid != muxclient_request_id)
2157		fatal_f("out of sequence reply: my id %u theirs %u",
2158		    muxclient_request_id, rid);
2159	switch (type) {
2160	case MUX_S_SESSION_OPENED:
2161		if ((r = sshbuf_get_u32(m, &sid)) != 0)
2162			fatal_fr(r, "parse session ID");
2163		debug_f("master session id: %u", sid);
2164		break;
2165	case MUX_S_PERMISSION_DENIED:
2166		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2167			fatal_fr(r, "parse error message");
2168		sshbuf_free(m);
2169		fatal("Master refused stdio forwarding request: %s", e);
2170	case MUX_S_FAILURE:
2171		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2172			fatal_fr(r, "parse error message");
2173		sshbuf_free(m);
2174		fatal("Stdio forwarding request failed: %s", e);
2175	default:
2176		sshbuf_free(m);
2177		error_f("unexpected response from master 0x%08x", type);
2178		return -1;
2179	}
2180	muxclient_request_id++;
2181
2182	ssh_signal(SIGHUP, control_client_sighandler);
2183	ssh_signal(SIGINT, control_client_sighandler);
2184	ssh_signal(SIGTERM, control_client_sighandler);
2185	ssh_signal(SIGWINCH, control_client_sigrelay);
2186
2187	/*
2188	 * Stick around until the controlee closes the client_fd.
2189	 */
2190	sshbuf_reset(m);
2191	if (mux_client_read_packet(fd, m) != 0) {
2192		if (errno == EPIPE ||
2193		    (errno == EINTR && muxclient_terminate != 0))
2194			return 0;
2195		fatal_f("mux_client_read_packet: %s", strerror(errno));
2196	}
2197	fatal_f("master returned unexpected message %u", type);
2198}
2199
2200static void
2201mux_client_request_stop_listening(int fd)
2202{
2203	struct sshbuf *m;
2204	char *e;
2205	u_int type, rid;
2206	int r;
2207
2208	debug3_f("entering");
2209
2210	if ((m = sshbuf_new()) == NULL)
2211		fatal_f("sshbuf_new");
2212	if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 ||
2213	    (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
2214		fatal_fr(r, "request");
2215
2216	if (mux_client_write_packet(fd, m) != 0)
2217		fatal_f("write packet: %s", strerror(errno));
2218
2219	sshbuf_reset(m);
2220
2221	/* Read their reply */
2222	if (mux_client_read_packet(fd, m) != 0)
2223		fatal_f("read from master failed: %s", strerror(errno));
2224
2225	if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2226	    (r = sshbuf_get_u32(m, &rid)) != 0)
2227		fatal_fr(r, "parse");
2228	if (rid != muxclient_request_id)
2229		fatal_f("out of sequence reply: my id %u theirs %u",
2230		    muxclient_request_id, rid);
2231
2232	switch (type) {
2233	case MUX_S_OK:
2234		break;
2235	case MUX_S_PERMISSION_DENIED:
2236		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2237			fatal_fr(r, "parse error message");
2238		fatal("Master refused stop listening request: %s", e);
2239	case MUX_S_FAILURE:
2240		if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2241			fatal_fr(r, "parse error message");
2242		fatal_f("stop listening request failed: %s", e);
2243	default:
2244		fatal_f("unexpected response from master 0x%08x", type);
2245	}
2246	sshbuf_free(m);
2247	muxclient_request_id++;
2248}
2249
2250/* Multiplex client main loop. */
2251int
2252muxclient(const char *path)
2253{
2254	struct sockaddr_un addr;
2255	int sock, timeout = options.connection_timeout, timeout_ms = -1;
2256	u_int pid;
2257
2258	if (muxclient_command == 0) {
2259		if (options.stdio_forward_host != NULL)
2260			muxclient_command = SSHMUX_COMMAND_STDIO_FWD;
2261		else
2262			muxclient_command = SSHMUX_COMMAND_OPEN;
2263	}
2264
2265	switch (options.control_master) {
2266	case SSHCTL_MASTER_AUTO:
2267	case SSHCTL_MASTER_AUTO_ASK:
2268		debug("auto-mux: Trying existing master at '%s'", path);
2269		/* FALLTHROUGH */
2270	case SSHCTL_MASTER_NO:
2271		break;
2272	default:
2273		return -1;
2274	}
2275
2276	memset(&addr, '\0', sizeof(addr));
2277	addr.sun_family = AF_UNIX;
2278
2279	if (strlcpy(addr.sun_path, path,
2280	    sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
2281		fatal("ControlPath too long ('%s' >= %u bytes)", path,
2282		    (unsigned int)sizeof(addr.sun_path));
2283
2284	if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
2285		fatal_f("socket(): %s", strerror(errno));
2286
2287	if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
2288		switch (muxclient_command) {
2289		case SSHMUX_COMMAND_OPEN:
2290		case SSHMUX_COMMAND_STDIO_FWD:
2291			break;
2292		default:
2293			fatal("Control socket connect(%.100s): %s", path,
2294			    strerror(errno));
2295		}
2296		if (errno == ECONNREFUSED &&
2297		    options.control_master != SSHCTL_MASTER_NO) {
2298			debug("Stale control socket %.100s, unlinking", path);
2299			unlink(path);
2300		} else if (errno == ENOENT) {
2301			debug("Control socket \"%.100s\" does not exist", path);
2302		} else {
2303			error("Control socket connect(%.100s): %s", path,
2304			    strerror(errno));
2305		}
2306		close(sock);
2307		return -1;
2308	}
2309	set_nonblock(sock);
2310
2311	/* Timeout on initial connection only. */
2312	if (timeout > 0 && timeout < INT_MAX / 1000)
2313		timeout_ms = timeout * 1000;
2314
2315	if (mux_client_hello_exchange(sock, timeout_ms) != 0) {
2316		error_f("master hello exchange failed");
2317		close(sock);
2318		return -1;
2319	}
2320
2321	switch (muxclient_command) {
2322	case SSHMUX_COMMAND_ALIVE_CHECK:
2323		if ((pid = mux_client_request_alive(sock)) == 0)
2324			fatal_f("master alive check failed");
2325		fprintf(stderr, "Master running (pid=%u)\r\n", pid);
2326		exit(0);
2327	case SSHMUX_COMMAND_TERMINATE:
2328		mux_client_request_terminate(sock);
2329		if (options.log_level != SYSLOG_LEVEL_QUIET)
2330			fprintf(stderr, "Exit request sent.\r\n");
2331		exit(0);
2332	case SSHMUX_COMMAND_FORWARD:
2333		if (mux_client_forwards(sock, 0) != 0)
2334			fatal_f("master forward request failed");
2335		exit(0);
2336	case SSHMUX_COMMAND_OPEN:
2337		if (mux_client_forwards(sock, 0) != 0) {
2338			error_f("master forward request failed");
2339			return -1;
2340		}
2341		mux_client_request_session(sock);
2342		return -1;
2343	case SSHMUX_COMMAND_STDIO_FWD:
2344		mux_client_request_stdio_fwd(sock);
2345		exit(0);
2346	case SSHMUX_COMMAND_STOP:
2347		mux_client_request_stop_listening(sock);
2348		if (options.log_level != SYSLOG_LEVEL_QUIET)
2349			fprintf(stderr, "Stop listening request sent.\r\n");
2350		exit(0);
2351	case SSHMUX_COMMAND_CANCEL_FWD:
2352		if (mux_client_forwards(sock, 1) != 0)
2353			error_f("master cancel forward request failed");
2354		exit(0);
2355	case SSHMUX_COMMAND_PROXY:
2356		mux_client_proxy(sock);
2357		return (sock);
2358	default:
2359		fatal("unrecognised muxclient_command %d", muxclient_command);
2360	}
2361}
2362