mux.c revision 1.19
1/* $OpenBSD: mux.c,v 1.19 2010/06/17 07:07:30 djm Exp $ */ 2/* 3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18/* ssh session multiplexing support */ 19 20/* 21 * TODO: 22 * - Better signalling from master to slave, especially passing of 23 * error messages 24 * - Better fall-back from mux slave error to new connection. 25 * - ExitOnForwardingFailure 26 * - Maybe extension mechanisms for multi-X11/multi-agent forwarding 27 * - Support ~^Z in mux slaves. 28 * - Inspect or control sessions in master. 29 * - If we ever support the "signal" channel request, send signals on 30 * sessions in master. 31 */ 32 33#include <sys/types.h> 34#include <sys/param.h> 35#include <sys/queue.h> 36#include <sys/stat.h> 37#include <sys/socket.h> 38#include <sys/un.h> 39 40#include <errno.h> 41#include <fcntl.h> 42#include <poll.h> 43#include <signal.h> 44#include <stdarg.h> 45#include <stddef.h> 46#include <stdlib.h> 47#include <stdio.h> 48#include <string.h> 49#include <unistd.h> 50#include <util.h> 51#include <paths.h> 52 53#include "atomicio.h" 54#include "xmalloc.h" 55#include "log.h" 56#include "ssh.h" 57#include "ssh2.h" 58#include "pathnames.h" 59#include "misc.h" 60#include "match.h" 61#include "buffer.h" 62#include "channels.h" 63#include "msg.h" 64#include "packet.h" 65#include "monitor_fdpass.h" 66#include "sshpty.h" 67#include "key.h" 68#include "readconf.h" 69#include "clientloop.h" 70 71/* from ssh.c */ 72extern int tty_flag; 73extern int force_tty_flag; 74extern Options options; 75extern int stdin_null_flag; 76extern char *host; 77extern int subsystem_flag; 78extern Buffer command; 79extern volatile sig_atomic_t quit_pending; 80extern char *stdio_forward_host; 81extern int stdio_forward_port; 82 83/* Context for session open confirmation callback */ 84struct mux_session_confirm_ctx { 85 u_int want_tty; 86 u_int want_subsys; 87 u_int want_x_fwd; 88 u_int want_agent_fwd; 89 Buffer cmd; 90 char *term; 91 struct termios tio; 92 char **env; 93 u_int rid; 94}; 95 96/* Context for global channel callback */ 97struct mux_channel_confirm_ctx { 98 u_int cid; /* channel id */ 99 u_int rid; /* request id */ 100 int fid; /* forward id */ 101}; 102 103/* fd to control socket */ 104int muxserver_sock = -1; 105 106/* client request id */ 107u_int muxclient_request_id = 0; 108 109/* Multiplexing control command */ 110u_int muxclient_command = 0; 111 112/* Set when signalled. */ 113static volatile sig_atomic_t muxclient_terminate = 0; 114 115/* PID of multiplex server */ 116static u_int muxserver_pid = 0; 117 118static Channel *mux_listener_channel = NULL; 119 120struct mux_master_state { 121 int hello_rcvd; 122}; 123 124/* mux protocol messages */ 125#define MUX_MSG_HELLO 0x00000001 126#define MUX_C_NEW_SESSION 0x10000002 127#define MUX_C_ALIVE_CHECK 0x10000004 128#define MUX_C_TERMINATE 0x10000005 129#define MUX_C_OPEN_FWD 0x10000006 130#define MUX_C_CLOSE_FWD 0x10000007 131#define MUX_C_NEW_STDIO_FWD 0x10000008 132#define MUX_S_OK 0x80000001 133#define MUX_S_PERMISSION_DENIED 0x80000002 134#define MUX_S_FAILURE 0x80000003 135#define MUX_S_EXIT_MESSAGE 0x80000004 136#define MUX_S_ALIVE 0x80000005 137#define MUX_S_SESSION_OPENED 0x80000006 138#define MUX_S_REMOTE_PORT 0x80000007 139 140/* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */ 141#define MUX_FWD_LOCAL 1 142#define MUX_FWD_REMOTE 2 143#define MUX_FWD_DYNAMIC 3 144 145static void mux_session_confirm(int, int, void *); 146 147static int process_mux_master_hello(u_int, Channel *, Buffer *, Buffer *); 148static int process_mux_new_session(u_int, Channel *, Buffer *, Buffer *); 149static int process_mux_alive_check(u_int, Channel *, Buffer *, Buffer *); 150static int process_mux_terminate(u_int, Channel *, Buffer *, Buffer *); 151static int process_mux_open_fwd(u_int, Channel *, Buffer *, Buffer *); 152static int process_mux_close_fwd(u_int, Channel *, Buffer *, Buffer *); 153static int process_mux_stdio_fwd(u_int, Channel *, Buffer *, Buffer *); 154 155static const struct { 156 u_int type; 157 int (*handler)(u_int, Channel *, Buffer *, Buffer *); 158} mux_master_handlers[] = { 159 { MUX_MSG_HELLO, process_mux_master_hello }, 160 { MUX_C_NEW_SESSION, process_mux_new_session }, 161 { MUX_C_ALIVE_CHECK, process_mux_alive_check }, 162 { MUX_C_TERMINATE, process_mux_terminate }, 163 { MUX_C_OPEN_FWD, process_mux_open_fwd }, 164 { MUX_C_CLOSE_FWD, process_mux_close_fwd }, 165 { MUX_C_NEW_STDIO_FWD, process_mux_stdio_fwd }, 166 { 0, NULL } 167}; 168 169/* Cleanup callback fired on closure of mux slave _session_ channel */ 170/* ARGSUSED */ 171static void 172mux_master_session_cleanup_cb(int cid, void *unused) 173{ 174 Channel *cc, *c = channel_by_id(cid); 175 176 debug3("%s: entering for channel %d", __func__, cid); 177 if (c == NULL) 178 fatal("%s: channel_by_id(%i) == NULL", __func__, cid); 179 if (c->ctl_chan != -1) { 180 if ((cc = channel_by_id(c->ctl_chan)) == NULL) 181 fatal("%s: channel %d missing control channel %d", 182 __func__, c->self, c->ctl_chan); 183 c->ctl_chan = -1; 184 cc->remote_id = -1; 185 chan_rcvd_oclose(cc); 186 } 187 channel_cancel_cleanup(c->self); 188} 189 190/* Cleanup callback fired on closure of mux slave _control_ channel */ 191/* ARGSUSED */ 192static void 193mux_master_control_cleanup_cb(int cid, void *unused) 194{ 195 Channel *sc, *c = channel_by_id(cid); 196 197 debug3("%s: entering for channel %d", __func__, cid); 198 if (c == NULL) 199 fatal("%s: channel_by_id(%i) == NULL", __func__, cid); 200 if (c->remote_id != -1) { 201 if ((sc = channel_by_id(c->remote_id)) == NULL) 202 fatal("%s: channel %d missing session channel %d", 203 __func__, c->self, c->remote_id); 204 c->remote_id = -1; 205 sc->ctl_chan = -1; 206 if (sc->type != SSH_CHANNEL_OPEN) { 207 debug2("%s: channel %d: not open", __func__, sc->self); 208 chan_mark_dead(sc); 209 } else { 210 if (sc->istate == CHAN_INPUT_OPEN) 211 chan_read_failed(sc); 212 if (sc->ostate == CHAN_OUTPUT_OPEN) 213 chan_write_failed(sc); 214 } 215 } 216 channel_cancel_cleanup(c->self); 217} 218 219/* Check mux client environment variables before passing them to mux master. */ 220static int 221env_permitted(char *env) 222{ 223 int i, ret; 224 char name[1024], *cp; 225 226 if ((cp = strchr(env, '=')) == NULL || cp == env) 227 return 0; 228 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env); 229 if (ret <= 0 || (size_t)ret >= sizeof(name)) { 230 error("env_permitted: name '%.100s...' too long", env); 231 return 0; 232 } 233 234 for (i = 0; i < options.num_send_env; i++) 235 if (match_pattern(name, options.send_env[i])) 236 return 1; 237 238 return 0; 239} 240 241/* Mux master protocol message handlers */ 242 243static int 244process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r) 245{ 246 u_int ver; 247 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 248 249 if (state == NULL) 250 fatal("%s: channel %d: c->mux_ctx == NULL", __func__, c->self); 251 if (state->hello_rcvd) { 252 error("%s: HELLO received twice", __func__); 253 return -1; 254 } 255 if (buffer_get_int_ret(&ver, m) != 0) { 256 malf: 257 error("%s: malformed message", __func__); 258 return -1; 259 } 260 if (ver != SSHMUX_VER) { 261 error("Unsupported multiplexing protocol version %d " 262 "(expected %d)", ver, SSHMUX_VER); 263 return -1; 264 } 265 debug2("%s: channel %d slave version %u", __func__, c->self, ver); 266 267 /* No extensions are presently defined */ 268 while (buffer_len(m) > 0) { 269 char *name = buffer_get_string_ret(m, NULL); 270 char *value = buffer_get_string_ret(m, NULL); 271 272 if (name == NULL || value == NULL) { 273 if (name != NULL) 274 xfree(name); 275 goto malf; 276 } 277 debug2("Unrecognised slave extension \"%s\"", name); 278 xfree(name); 279 xfree(value); 280 } 281 state->hello_rcvd = 1; 282 return 0; 283} 284 285static int 286process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r) 287{ 288 Channel *nc; 289 struct mux_session_confirm_ctx *cctx; 290 char *reserved, *cmd, *cp; 291 u_int i, j, len, env_len, escape_char, window, packetmax; 292 int new_fd[3]; 293 294 /* Reply for SSHMUX_COMMAND_OPEN */ 295 cctx = xcalloc(1, sizeof(*cctx)); 296 cctx->term = NULL; 297 cctx->rid = rid; 298 cmd = reserved = NULL; 299 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || 300 buffer_get_int_ret(&cctx->want_tty, m) != 0 || 301 buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 || 302 buffer_get_int_ret(&cctx->want_agent_fwd, m) != 0 || 303 buffer_get_int_ret(&cctx->want_subsys, m) != 0 || 304 buffer_get_int_ret(&escape_char, m) != 0 || 305 (cctx->term = buffer_get_string_ret(m, &len)) == NULL || 306 (cmd = buffer_get_string_ret(m, &len)) == NULL) { 307 malf: 308 if (cmd != NULL) 309 xfree(cmd); 310 if (reserved != NULL) 311 xfree(reserved); 312 if (cctx->term != NULL) 313 xfree(cctx->term); 314 error("%s: malformed message", __func__); 315 return -1; 316 } 317 xfree(reserved); 318 reserved = NULL; 319 320 cctx->env = NULL; 321 env_len = 0; 322 while (buffer_len(m) > 0) { 323#define MUX_MAX_ENV_VARS 4096 324 if ((cp = buffer_get_string_ret(m, &len)) == NULL) { 325 xfree(cmd); 326 goto malf; 327 } 328 if (!env_permitted(cp)) { 329 xfree(cp); 330 continue; 331 } 332 cctx->env = xrealloc(cctx->env, env_len + 2, 333 sizeof(*cctx->env)); 334 cctx->env[env_len++] = cp; 335 cctx->env[env_len] = NULL; 336 if (env_len > MUX_MAX_ENV_VARS) { 337 error(">%d environment variables received, ignoring " 338 "additional", MUX_MAX_ENV_VARS); 339 break; 340 } 341 } 342 343 debug2("%s: channel %d: request tty %d, X %d, agent %d, subsys %d, " 344 "term \"%s\", cmd \"%s\", env %u", __func__, c->self, 345 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd, 346 cctx->want_subsys, cctx->term, cmd, env_len); 347 348 buffer_init(&cctx->cmd); 349 buffer_append(&cctx->cmd, cmd, strlen(cmd)); 350 xfree(cmd); 351 cmd = NULL; 352 353 /* Gather fds from client */ 354 for(i = 0; i < 3; i++) { 355 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 356 error("%s: failed to receive fd %d from slave", 357 __func__, i); 358 for (j = 0; j < i; j++) 359 close(new_fd[j]); 360 for (j = 0; j < env_len; j++) 361 xfree(cctx->env[j]); 362 if (env_len > 0) 363 xfree(cctx->env); 364 xfree(cctx->term); 365 buffer_free(&cctx->cmd); 366 xfree(cctx); 367 368 /* prepare reply */ 369 buffer_put_int(r, MUX_S_FAILURE); 370 buffer_put_int(r, rid); 371 buffer_put_cstring(r, 372 "did not receive file descriptors"); 373 return -1; 374 } 375 } 376 377 debug3("%s: got fds stdin %d, stdout %d, stderr %d", __func__, 378 new_fd[0], new_fd[1], new_fd[2]); 379 380 /* XXX support multiple child sessions in future */ 381 if (c->remote_id != -1) { 382 debug2("%s: session already open", __func__); 383 /* prepare reply */ 384 buffer_put_int(r, MUX_S_FAILURE); 385 buffer_put_int(r, rid); 386 buffer_put_cstring(r, "Multiple sessions not supported"); 387 cleanup: 388 close(new_fd[0]); 389 close(new_fd[1]); 390 close(new_fd[2]); 391 xfree(cctx->term); 392 if (env_len != 0) { 393 for (i = 0; i < env_len; i++) 394 xfree(cctx->env[i]); 395 xfree(cctx->env); 396 } 397 buffer_free(&cctx->cmd); 398 return 0; 399 } 400 401 if (options.control_master == SSHCTL_MASTER_ASK || 402 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 403 if (!ask_permission("Allow shared connection to %s? ", host)) { 404 debug2("%s: session refused by user", __func__); 405 /* prepare reply */ 406 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 407 buffer_put_int(r, rid); 408 buffer_put_cstring(r, "Permission denied"); 409 goto cleanup; 410 } 411 } 412 413 /* Try to pick up ttymodes from client before it goes raw */ 414 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1) 415 error("%s: tcgetattr: %s", __func__, strerror(errno)); 416 417 /* enable nonblocking unless tty */ 418 if (!isatty(new_fd[0])) 419 set_nonblock(new_fd[0]); 420 if (!isatty(new_fd[1])) 421 set_nonblock(new_fd[1]); 422 if (!isatty(new_fd[2])) 423 set_nonblock(new_fd[2]); 424 425 window = CHAN_SES_WINDOW_DEFAULT; 426 packetmax = CHAN_SES_PACKET_DEFAULT; 427 if (cctx->want_tty) { 428 window >>= 1; 429 packetmax >>= 1; 430 } 431 432 nc = channel_new("session", SSH_CHANNEL_OPENING, 433 new_fd[0], new_fd[1], new_fd[2], window, packetmax, 434 CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0); 435 436 nc->ctl_chan = c->self; /* link session -> control channel */ 437 c->remote_id = nc->self; /* link control -> session channel */ 438 439 if (cctx->want_tty && escape_char != 0xffffffff) { 440 channel_register_filter(nc->self, 441 client_simple_escape_filter, NULL, 442 client_filter_cleanup, 443 client_new_escape_filter_ctx((int)escape_char)); 444 } 445 446 debug2("%s: channel_new: %d linked to control channel %d", 447 __func__, nc->self, nc->ctl_chan); 448 449 channel_send_open(nc->self); 450 channel_register_open_confirm(nc->self, mux_session_confirm, cctx); 451 c->mux_pause = 1; /* stop handling messages until open_confirm done */ 452 channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1); 453 454 /* reply is deferred, sent by mux_session_confirm */ 455 return 0; 456} 457 458static int 459process_mux_alive_check(u_int rid, Channel *c, Buffer *m, Buffer *r) 460{ 461 debug2("%s: channel %d: alive check", __func__, c->self); 462 463 /* prepare reply */ 464 buffer_put_int(r, MUX_S_ALIVE); 465 buffer_put_int(r, rid); 466 buffer_put_int(r, (u_int)getpid()); 467 468 return 0; 469} 470 471static int 472process_mux_terminate(u_int rid, Channel *c, Buffer *m, Buffer *r) 473{ 474 debug2("%s: channel %d: terminate request", __func__, c->self); 475 476 if (options.control_master == SSHCTL_MASTER_ASK || 477 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 478 if (!ask_permission("Terminate shared connection to %s? ", 479 host)) { 480 debug2("%s: termination refused by user", __func__); 481 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 482 buffer_put_int(r, rid); 483 buffer_put_cstring(r, "Permission denied"); 484 return 0; 485 } 486 } 487 488 quit_pending = 1; 489 buffer_put_int(r, MUX_S_OK); 490 buffer_put_int(r, rid); 491 /* XXX exit happens too soon - message never makes it to client */ 492 return 0; 493} 494 495static char * 496format_forward(u_int ftype, Forward *fwd) 497{ 498 char *ret; 499 500 switch (ftype) { 501 case MUX_FWD_LOCAL: 502 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d", 503 (fwd->listen_host == NULL) ? 504 (options.gateway_ports ? "*" : "LOCALHOST") : 505 fwd->listen_host, fwd->listen_port, 506 fwd->connect_host, fwd->connect_port); 507 break; 508 case MUX_FWD_DYNAMIC: 509 xasprintf(&ret, "dynamic forward %.200s:%d -> *", 510 (fwd->listen_host == NULL) ? 511 (options.gateway_ports ? "*" : "LOCALHOST") : 512 fwd->listen_host, fwd->listen_port); 513 break; 514 case MUX_FWD_REMOTE: 515 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d", 516 (fwd->listen_host == NULL) ? 517 "LOCALHOST" : fwd->listen_host, 518 fwd->listen_port, 519 fwd->connect_host, fwd->connect_port); 520 break; 521 default: 522 fatal("%s: unknown forward type %u", __func__, ftype); 523 } 524 return ret; 525} 526 527static int 528compare_host(const char *a, const char *b) 529{ 530 if (a == NULL && b == NULL) 531 return 1; 532 if (a == NULL || b == NULL) 533 return 0; 534 return strcmp(a, b) == 0; 535} 536 537static int 538compare_forward(Forward *a, Forward *b) 539{ 540 if (!compare_host(a->listen_host, b->listen_host)) 541 return 0; 542 if (a->listen_port != b->listen_port) 543 return 0; 544 if (!compare_host(a->connect_host, b->connect_host)) 545 return 0; 546 if (a->connect_port != b->connect_port) 547 return 0; 548 549 return 1; 550} 551 552static void 553mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt) 554{ 555 struct mux_channel_confirm_ctx *fctx = ctxt; 556 char *failmsg = NULL; 557 Forward *rfwd; 558 Channel *c; 559 Buffer out; 560 561 if ((c = channel_by_id(fctx->cid)) == NULL) { 562 /* no channel for reply */ 563 error("%s: unknown channel", __func__); 564 return; 565 } 566 buffer_init(&out); 567 if (fctx->fid >= options.num_remote_forwards) { 568 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid); 569 goto fail; 570 } 571 rfwd = &options.remote_forwards[fctx->fid]; 572 debug("%s: %s for: listen %d, connect %s:%d", __func__, 573 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", 574 rfwd->listen_port, rfwd->connect_host, rfwd->connect_port); 575 if (type == SSH2_MSG_REQUEST_SUCCESS) { 576 if (rfwd->listen_port == 0) { 577 rfwd->allocated_port = packet_get_int(); 578 logit("Allocated port %u for mux remote forward" 579 " to %s:%d", rfwd->allocated_port, 580 rfwd->connect_host, rfwd->connect_port); 581 buffer_put_int(&out, MUX_S_REMOTE_PORT); 582 buffer_put_int(&out, fctx->rid); 583 buffer_put_int(&out, rfwd->allocated_port); 584 } else { 585 buffer_put_int(&out, MUX_S_OK); 586 buffer_put_int(&out, fctx->rid); 587 } 588 goto out; 589 } else { 590 xasprintf(&failmsg, "remote port forwarding failed for " 591 "listen port %d", rfwd->listen_port); 592 } 593 fail: 594 error("%s: %s", __func__, failmsg); 595 buffer_put_int(&out, MUX_S_FAILURE); 596 buffer_put_int(&out, fctx->rid); 597 buffer_put_cstring(&out, failmsg); 598 xfree(failmsg); 599 out: 600 buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out)); 601 buffer_free(&out); 602 if (c->mux_pause <= 0) 603 fatal("%s: mux_pause %d", __func__, c->mux_pause); 604 c->mux_pause = 0; /* start processing messages again */ 605} 606 607static int 608process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) 609{ 610 Forward fwd; 611 char *fwd_desc = NULL; 612 u_int ftype; 613 int i, ret = 0, freefwd = 1; 614 615 fwd.listen_host = fwd.connect_host = NULL; 616 if (buffer_get_int_ret(&ftype, m) != 0 || 617 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || 618 buffer_get_int_ret(&fwd.listen_port, m) != 0 || 619 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || 620 buffer_get_int_ret(&fwd.connect_port, m) != 0) { 621 error("%s: malformed message", __func__); 622 ret = -1; 623 goto out; 624 } 625 626 if (*fwd.listen_host == '\0') { 627 xfree(fwd.listen_host); 628 fwd.listen_host = NULL; 629 } 630 if (*fwd.connect_host == '\0') { 631 xfree(fwd.connect_host); 632 fwd.connect_host = NULL; 633 } 634 635 debug2("%s: channel %d: request %s", __func__, c->self, 636 (fwd_desc = format_forward(ftype, &fwd))); 637 638 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE && 639 ftype != MUX_FWD_DYNAMIC) { 640 logit("%s: invalid forwarding type %u", __func__, ftype); 641 invalid: 642 if (fwd.listen_host) 643 xfree(fwd.listen_host); 644 if (fwd.connect_host) 645 xfree(fwd.connect_host); 646 buffer_put_int(r, MUX_S_FAILURE); 647 buffer_put_int(r, rid); 648 buffer_put_cstring(r, "Invalid forwarding request"); 649 return 0; 650 } 651 if (fwd.listen_port >= 65536) { 652 logit("%s: invalid listen port %u", __func__, 653 fwd.listen_port); 654 goto invalid; 655 } 656 if (fwd.connect_port >= 65536 || (ftype != MUX_FWD_DYNAMIC && 657 ftype != MUX_FWD_REMOTE && fwd.connect_port == 0)) { 658 logit("%s: invalid connect port %u", __func__, 659 fwd.connect_port); 660 goto invalid; 661 } 662 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL) { 663 logit("%s: missing connect host", __func__); 664 goto invalid; 665 } 666 667 /* Skip forwards that have already been requested */ 668 switch (ftype) { 669 case MUX_FWD_LOCAL: 670 case MUX_FWD_DYNAMIC: 671 for (i = 0; i < options.num_local_forwards; i++) { 672 if (compare_forward(&fwd, 673 options.local_forwards + i)) { 674 exists: 675 debug2("%s: found existing forwarding", 676 __func__); 677 buffer_put_int(r, MUX_S_OK); 678 buffer_put_int(r, rid); 679 goto out; 680 } 681 } 682 break; 683 case MUX_FWD_REMOTE: 684 for (i = 0; i < options.num_remote_forwards; i++) { 685 if (compare_forward(&fwd, 686 options.remote_forwards + i)) { 687 if (fwd.listen_port != 0) 688 goto exists; 689 debug2("%s: found allocated port", 690 __func__); 691 buffer_put_int(r, MUX_S_REMOTE_PORT); 692 buffer_put_int(r, rid); 693 buffer_put_int(r, 694 options.remote_forwards[i].allocated_port); 695 goto out; 696 } 697 } 698 break; 699 } 700 701 if (options.control_master == SSHCTL_MASTER_ASK || 702 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 703 if (!ask_permission("Open %s on %s?", fwd_desc, host)) { 704 debug2("%s: forwarding refused by user", __func__); 705 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 706 buffer_put_int(r, rid); 707 buffer_put_cstring(r, "Permission denied"); 708 goto out; 709 } 710 } 711 712 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) { 713 if (options.num_local_forwards + 1 >= 714 SSH_MAX_FORWARDS_PER_DIRECTION || 715 channel_setup_local_fwd_listener(fwd.listen_host, 716 fwd.listen_port, fwd.connect_host, fwd.connect_port, 717 options.gateway_ports) < 0) { 718 fail: 719 logit("slave-requested %s failed", fwd_desc); 720 buffer_put_int(r, MUX_S_FAILURE); 721 buffer_put_int(r, rid); 722 buffer_put_cstring(r, "Port forwarding failed"); 723 goto out; 724 } 725 add_local_forward(&options, &fwd); 726 freefwd = 0; 727 } else { 728 struct mux_channel_confirm_ctx *fctx; 729 730 if (options.num_remote_forwards + 1 >= 731 SSH_MAX_FORWARDS_PER_DIRECTION || 732 channel_request_remote_forwarding(fwd.listen_host, 733 fwd.listen_port, fwd.connect_host, fwd.connect_port) < 0) 734 goto fail; 735 add_remote_forward(&options, &fwd); 736 fctx = xcalloc(1, sizeof(*fctx)); 737 fctx->cid = c->self; 738 fctx->rid = rid; 739 fctx->fid = options.num_remote_forwards-1; 740 client_register_global_confirm(mux_confirm_remote_forward, 741 fctx); 742 freefwd = 0; 743 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */ 744 /* delayed reply in mux_confirm_remote_forward */ 745 goto out; 746 } 747 buffer_put_int(r, MUX_S_OK); 748 buffer_put_int(r, rid); 749 out: 750 if (fwd_desc != NULL) 751 xfree(fwd_desc); 752 if (freefwd) { 753 if (fwd.listen_host != NULL) 754 xfree(fwd.listen_host); 755 if (fwd.connect_host != NULL) 756 xfree(fwd.connect_host); 757 } 758 return ret; 759} 760 761static int 762process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) 763{ 764 Forward fwd; 765 char *fwd_desc = NULL; 766 u_int ftype; 767 int ret = 0; 768 769 fwd.listen_host = fwd.connect_host = NULL; 770 if (buffer_get_int_ret(&ftype, m) != 0 || 771 (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL || 772 buffer_get_int_ret(&fwd.listen_port, m) != 0 || 773 (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL || 774 buffer_get_int_ret(&fwd.connect_port, m) != 0) { 775 error("%s: malformed message", __func__); 776 ret = -1; 777 goto out; 778 } 779 780 if (*fwd.listen_host == '\0') { 781 xfree(fwd.listen_host); 782 fwd.listen_host = NULL; 783 } 784 if (*fwd.connect_host == '\0') { 785 xfree(fwd.connect_host); 786 fwd.connect_host = NULL; 787 } 788 789 debug2("%s: channel %d: request %s", __func__, c->self, 790 (fwd_desc = format_forward(ftype, &fwd))); 791 792 /* XXX implement this */ 793 buffer_put_int(r, MUX_S_FAILURE); 794 buffer_put_int(r, rid); 795 buffer_put_cstring(r, "unimplemented"); 796 797 out: 798 if (fwd_desc != NULL) 799 xfree(fwd_desc); 800 if (fwd.listen_host != NULL) 801 xfree(fwd.listen_host); 802 if (fwd.connect_host != NULL) 803 xfree(fwd.connect_host); 804 805 return ret; 806} 807 808static int 809process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r) 810{ 811 Channel *nc; 812 char *reserved, *chost; 813 u_int cport, i, j; 814 int new_fd[2]; 815 816 chost = reserved = NULL; 817 if ((reserved = buffer_get_string_ret(m, NULL)) == NULL || 818 (chost = buffer_get_string_ret(m, NULL)) == NULL || 819 buffer_get_int_ret(&cport, m) != 0) { 820 if (reserved != NULL) 821 xfree(reserved); 822 if (chost != NULL) 823 xfree(chost); 824 error("%s: malformed message", __func__); 825 return -1; 826 } 827 xfree(reserved); 828 829 debug2("%s: channel %d: request stdio fwd to %s:%u", 830 __func__, c->self, chost, cport); 831 832 /* Gather fds from client */ 833 for(i = 0; i < 2; i++) { 834 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) { 835 error("%s: failed to receive fd %d from slave", 836 __func__, i); 837 for (j = 0; j < i; j++) 838 close(new_fd[j]); 839 xfree(chost); 840 841 /* prepare reply */ 842 buffer_put_int(r, MUX_S_FAILURE); 843 buffer_put_int(r, rid); 844 buffer_put_cstring(r, 845 "did not receive file descriptors"); 846 return -1; 847 } 848 } 849 850 debug3("%s: got fds stdin %d, stdout %d", __func__, 851 new_fd[0], new_fd[1]); 852 853 /* XXX support multiple child sessions in future */ 854 if (c->remote_id != -1) { 855 debug2("%s: session already open", __func__); 856 /* prepare reply */ 857 buffer_put_int(r, MUX_S_FAILURE); 858 buffer_put_int(r, rid); 859 buffer_put_cstring(r, "Multiple sessions not supported"); 860 cleanup: 861 close(new_fd[0]); 862 close(new_fd[1]); 863 xfree(chost); 864 return 0; 865 } 866 867 if (options.control_master == SSHCTL_MASTER_ASK || 868 options.control_master == SSHCTL_MASTER_AUTO_ASK) { 869 if (!ask_permission("Allow forward to to %s:%u? ", 870 chost, cport)) { 871 debug2("%s: stdio fwd refused by user", __func__); 872 /* prepare reply */ 873 buffer_put_int(r, MUX_S_PERMISSION_DENIED); 874 buffer_put_int(r, rid); 875 buffer_put_cstring(r, "Permission denied"); 876 goto cleanup; 877 } 878 } 879 880 /* enable nonblocking unless tty */ 881 if (!isatty(new_fd[0])) 882 set_nonblock(new_fd[0]); 883 if (!isatty(new_fd[1])) 884 set_nonblock(new_fd[1]); 885 886 nc = channel_connect_stdio_fwd(chost, cport, new_fd[0], new_fd[1]); 887 888 nc->ctl_chan = c->self; /* link session -> control channel */ 889 c->remote_id = nc->self; /* link control -> session channel */ 890 891 debug2("%s: channel_new: %d linked to control channel %d", 892 __func__, nc->self, nc->ctl_chan); 893 894 channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1); 895 896 /* prepare reply */ 897 /* XXX defer until channel confirmed */ 898 buffer_put_int(r, MUX_S_SESSION_OPENED); 899 buffer_put_int(r, rid); 900 buffer_put_int(r, nc->self); 901 902 return 0; 903} 904 905/* Channel callbacks fired on read/write from mux slave fd */ 906static int 907mux_master_read_cb(Channel *c) 908{ 909 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx; 910 Buffer in, out; 911 void *ptr; 912 u_int type, rid, have, i; 913 int ret = -1; 914 915 /* Setup ctx and */ 916 if (c->mux_ctx == NULL) { 917 state = xcalloc(1, sizeof(*state)); 918 c->mux_ctx = state; 919 channel_register_cleanup(c->self, 920 mux_master_control_cleanup_cb, 0); 921 922 /* Send hello */ 923 buffer_init(&out); 924 buffer_put_int(&out, MUX_MSG_HELLO); 925 buffer_put_int(&out, SSHMUX_VER); 926 /* no extensions */ 927 buffer_put_string(&c->output, buffer_ptr(&out), 928 buffer_len(&out)); 929 buffer_free(&out); 930 debug3("%s: channel %d: hello sent", __func__, c->self); 931 return 0; 932 } 933 934 buffer_init(&in); 935 buffer_init(&out); 936 937 /* Channel code ensures that we receive whole packets */ 938 if ((ptr = buffer_get_string_ptr_ret(&c->input, &have)) == NULL) { 939 malf: 940 error("%s: malformed message", __func__); 941 goto out; 942 } 943 buffer_append(&in, ptr, have); 944 945 if (buffer_get_int_ret(&type, &in) != 0) 946 goto malf; 947 debug3("%s: channel %d packet type 0x%08x len %u", 948 __func__, c->self, type, buffer_len(&in)); 949 950 if (type == MUX_MSG_HELLO) 951 rid = 0; 952 else { 953 if (!state->hello_rcvd) { 954 error("%s: expected MUX_MSG_HELLO(0x%08x), " 955 "received 0x%08x", __func__, MUX_MSG_HELLO, type); 956 goto out; 957 } 958 if (buffer_get_int_ret(&rid, &in) != 0) 959 goto malf; 960 } 961 962 for (i = 0; mux_master_handlers[i].handler != NULL; i++) { 963 if (type == mux_master_handlers[i].type) { 964 ret = mux_master_handlers[i].handler(rid, c, &in, &out); 965 break; 966 } 967 } 968 if (mux_master_handlers[i].handler == NULL) { 969 error("%s: unsupported mux message 0x%08x", __func__, type); 970 buffer_put_int(&out, MUX_S_FAILURE); 971 buffer_put_int(&out, rid); 972 buffer_put_cstring(&out, "unsupported request"); 973 ret = 0; 974 } 975 /* Enqueue reply packet */ 976 if (buffer_len(&out) != 0) { 977 buffer_put_string(&c->output, buffer_ptr(&out), 978 buffer_len(&out)); 979 } 980 out: 981 buffer_free(&in); 982 buffer_free(&out); 983 return ret; 984} 985 986void 987mux_exit_message(Channel *c, int exitval) 988{ 989 Buffer m; 990 Channel *mux_chan; 991 992 debug3("%s: channel %d: exit message, evitval %d", __func__, c->self, 993 exitval); 994 995 if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL) 996 fatal("%s: channel %d missing mux channel %d", 997 __func__, c->self, c->ctl_chan); 998 999 /* Append exit message packet to control socket output queue */ 1000 buffer_init(&m); 1001 buffer_put_int(&m, MUX_S_EXIT_MESSAGE); 1002 buffer_put_int(&m, c->self); 1003 buffer_put_int(&m, exitval); 1004 1005 buffer_put_string(&mux_chan->output, buffer_ptr(&m), buffer_len(&m)); 1006 buffer_free(&m); 1007} 1008 1009/* Prepare a mux master to listen on a Unix domain socket. */ 1010void 1011muxserver_listen(void) 1012{ 1013 struct sockaddr_un addr; 1014 mode_t old_umask; 1015 1016 if (options.control_path == NULL || 1017 options.control_master == SSHCTL_MASTER_NO) 1018 return; 1019 1020 debug("setting up multiplex master socket"); 1021 1022 memset(&addr, '\0', sizeof(addr)); 1023 addr.sun_family = AF_UNIX; 1024 addr.sun_len = offsetof(struct sockaddr_un, sun_path) + 1025 strlen(options.control_path) + 1; 1026 1027 if (strlcpy(addr.sun_path, options.control_path, 1028 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 1029 fatal("ControlPath too long"); 1030 1031 if ((muxserver_sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) 1032 fatal("%s socket(): %s", __func__, strerror(errno)); 1033 1034 old_umask = umask(0177); 1035 if (bind(muxserver_sock, (struct sockaddr *)&addr, addr.sun_len) == -1) { 1036 muxserver_sock = -1; 1037 if (errno == EINVAL || errno == EADDRINUSE) { 1038 error("ControlSocket %s already exists, " 1039 "disabling multiplexing", options.control_path); 1040 close(muxserver_sock); 1041 muxserver_sock = -1; 1042 xfree(options.control_path); 1043 options.control_path = NULL; 1044 options.control_master = SSHCTL_MASTER_NO; 1045 return; 1046 } else 1047 fatal("%s bind(): %s", __func__, strerror(errno)); 1048 } 1049 umask(old_umask); 1050 1051 if (listen(muxserver_sock, 64) == -1) 1052 fatal("%s listen(): %s", __func__, strerror(errno)); 1053 1054 set_nonblock(muxserver_sock); 1055 1056 mux_listener_channel = channel_new("mux listener", 1057 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1, 1058 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 1059 0, addr.sun_path, 1); 1060 mux_listener_channel->mux_rcb = mux_master_read_cb; 1061 debug3("%s: mux listener channel %d fd %d", __func__, 1062 mux_listener_channel->self, mux_listener_channel->sock); 1063} 1064 1065/* Callback on open confirmation in mux master for a mux client session. */ 1066static void 1067mux_session_confirm(int id, int success, void *arg) 1068{ 1069 struct mux_session_confirm_ctx *cctx = arg; 1070 const char *display; 1071 Channel *c, *cc; 1072 int i; 1073 Buffer reply; 1074 1075 if (cctx == NULL) 1076 fatal("%s: cctx == NULL", __func__); 1077 if ((c = channel_by_id(id)) == NULL) 1078 fatal("%s: no channel for id %d", __func__, id); 1079 if ((cc = channel_by_id(c->ctl_chan)) == NULL) 1080 fatal("%s: channel %d lacks control channel %d", __func__, 1081 id, c->ctl_chan); 1082 1083 if (!success) { 1084 debug3("%s: sending failure reply", __func__); 1085 /* prepare reply */ 1086 buffer_init(&reply); 1087 buffer_put_int(&reply, MUX_S_FAILURE); 1088 buffer_put_int(&reply, cctx->rid); 1089 buffer_put_cstring(&reply, "Session open refused by peer"); 1090 goto done; 1091 } 1092 1093 display = getenv("DISPLAY"); 1094 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) { 1095 char *proto, *data; 1096 /* Get reasonable local authentication information. */ 1097 client_x11_get_proto(display, options.xauth_location, 1098 options.forward_x11_trusted, &proto, &data); 1099 /* Request forwarding with authentication spoofing. */ 1100 debug("Requesting X11 forwarding with authentication spoofing."); 1101 x11_request_forwarding_with_spoofing(id, display, proto, data); 1102 /* XXX wait for reply */ 1103 } 1104 1105 if (cctx->want_agent_fwd && options.forward_agent) { 1106 debug("Requesting authentication agent forwarding."); 1107 channel_request_start(id, "auth-agent-req@openssh.com", 0); 1108 packet_send(); 1109 } 1110 1111 client_session2_setup(id, cctx->want_tty, cctx->want_subsys, 1112 cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env); 1113 1114 debug3("%s: sending success reply", __func__); 1115 /* prepare reply */ 1116 buffer_init(&reply); 1117 buffer_put_int(&reply, MUX_S_SESSION_OPENED); 1118 buffer_put_int(&reply, cctx->rid); 1119 buffer_put_int(&reply, c->self); 1120 1121 done: 1122 /* Send reply */ 1123 buffer_put_string(&cc->output, buffer_ptr(&reply), buffer_len(&reply)); 1124 buffer_free(&reply); 1125 1126 if (cc->mux_pause <= 0) 1127 fatal("%s: mux_pause %d", __func__, cc->mux_pause); 1128 cc->mux_pause = 0; /* start processing messages again */ 1129 c->open_confirm_ctx = NULL; 1130 buffer_free(&cctx->cmd); 1131 xfree(cctx->term); 1132 if (cctx->env != NULL) { 1133 for (i = 0; cctx->env[i] != NULL; i++) 1134 xfree(cctx->env[i]); 1135 xfree(cctx->env); 1136 } 1137 xfree(cctx); 1138} 1139 1140/* ** Multiplexing client support */ 1141 1142/* Exit signal handler */ 1143static void 1144control_client_sighandler(int signo) 1145{ 1146 muxclient_terminate = signo; 1147} 1148 1149/* 1150 * Relay signal handler - used to pass some signals from mux client to 1151 * mux master. 1152 */ 1153static void 1154control_client_sigrelay(int signo) 1155{ 1156 int save_errno = errno; 1157 1158 if (muxserver_pid > 1) 1159 kill(muxserver_pid, signo); 1160 1161 errno = save_errno; 1162} 1163 1164static int 1165mux_client_read(int fd, Buffer *b, u_int need) 1166{ 1167 u_int have; 1168 ssize_t len; 1169 u_char *p; 1170 struct pollfd pfd; 1171 1172 pfd.fd = fd; 1173 pfd.events = POLLIN; 1174 p = buffer_append_space(b, need); 1175 for (have = 0; have < need; ) { 1176 if (muxclient_terminate) { 1177 errno = EINTR; 1178 return -1; 1179 } 1180 len = read(fd, p + have, need - have); 1181 if (len < 0) { 1182 switch (errno) { 1183 case EAGAIN: 1184 (void)poll(&pfd, 1, -1); 1185 /* FALLTHROUGH */ 1186 case EINTR: 1187 continue; 1188 default: 1189 return -1; 1190 } 1191 } 1192 if (len == 0) { 1193 errno = EPIPE; 1194 return -1; 1195 } 1196 have += (u_int)len; 1197 } 1198 return 0; 1199} 1200 1201static int 1202mux_client_write_packet(int fd, Buffer *m) 1203{ 1204 Buffer queue; 1205 u_int have, need; 1206 int oerrno, len; 1207 u_char *ptr; 1208 struct pollfd pfd; 1209 1210 pfd.fd = fd; 1211 pfd.events = POLLOUT; 1212 buffer_init(&queue); 1213 buffer_put_string(&queue, buffer_ptr(m), buffer_len(m)); 1214 1215 need = buffer_len(&queue); 1216 ptr = buffer_ptr(&queue); 1217 1218 for (have = 0; have < need; ) { 1219 if (muxclient_terminate) { 1220 buffer_free(&queue); 1221 errno = EINTR; 1222 return -1; 1223 } 1224 len = write(fd, ptr + have, need - have); 1225 if (len < 0) { 1226 switch (errno) { 1227 case EAGAIN: 1228 (void)poll(&pfd, 1, -1); 1229 /* FALLTHROUGH */ 1230 case EINTR: 1231 continue; 1232 default: 1233 oerrno = errno; 1234 buffer_free(&queue); 1235 errno = oerrno; 1236 return -1; 1237 } 1238 } 1239 if (len == 0) { 1240 buffer_free(&queue); 1241 errno = EPIPE; 1242 return -1; 1243 } 1244 have += (u_int)len; 1245 } 1246 buffer_free(&queue); 1247 return 0; 1248} 1249 1250static int 1251mux_client_read_packet(int fd, Buffer *m) 1252{ 1253 Buffer queue; 1254 u_int need, have; 1255 void *ptr; 1256 int oerrno; 1257 1258 buffer_init(&queue); 1259 if (mux_client_read(fd, &queue, 4) != 0) { 1260 if ((oerrno = errno) == EPIPE) 1261 debug3("%s: read header failed: %s", __func__, strerror(errno)); 1262 errno = oerrno; 1263 return -1; 1264 } 1265 need = get_u32(buffer_ptr(&queue)); 1266 if (mux_client_read(fd, &queue, need) != 0) { 1267 oerrno = errno; 1268 debug3("%s: read body failed: %s", __func__, strerror(errno)); 1269 errno = oerrno; 1270 return -1; 1271 } 1272 ptr = buffer_get_string_ptr(&queue, &have); 1273 buffer_append(m, ptr, have); 1274 buffer_free(&queue); 1275 return 0; 1276} 1277 1278static int 1279mux_client_hello_exchange(int fd) 1280{ 1281 Buffer m; 1282 u_int type, ver; 1283 1284 buffer_init(&m); 1285 buffer_put_int(&m, MUX_MSG_HELLO); 1286 buffer_put_int(&m, SSHMUX_VER); 1287 /* no extensions */ 1288 1289 if (mux_client_write_packet(fd, &m) != 0) 1290 fatal("%s: write packet: %s", __func__, strerror(errno)); 1291 1292 buffer_clear(&m); 1293 1294 /* Read their HELLO */ 1295 if (mux_client_read_packet(fd, &m) != 0) { 1296 buffer_free(&m); 1297 return -1; 1298 } 1299 1300 type = buffer_get_int(&m); 1301 if (type != MUX_MSG_HELLO) 1302 fatal("%s: expected HELLO (%u) received %u", 1303 __func__, MUX_MSG_HELLO, type); 1304 ver = buffer_get_int(&m); 1305 if (ver != SSHMUX_VER) 1306 fatal("Unsupported multiplexing protocol version %d " 1307 "(expected %d)", ver, SSHMUX_VER); 1308 debug2("%s: master version %u", __func__, ver); 1309 /* No extensions are presently defined */ 1310 while (buffer_len(&m) > 0) { 1311 char *name = buffer_get_string(&m, NULL); 1312 char *value = buffer_get_string(&m, NULL); 1313 1314 debug2("Unrecognised master extension \"%s\"", name); 1315 xfree(name); 1316 xfree(value); 1317 } 1318 buffer_free(&m); 1319 return 0; 1320} 1321 1322static u_int 1323mux_client_request_alive(int fd) 1324{ 1325 Buffer m; 1326 char *e; 1327 u_int pid, type, rid; 1328 1329 debug3("%s: entering", __func__); 1330 1331 buffer_init(&m); 1332 buffer_put_int(&m, MUX_C_ALIVE_CHECK); 1333 buffer_put_int(&m, muxclient_request_id); 1334 1335 if (mux_client_write_packet(fd, &m) != 0) 1336 fatal("%s: write packet: %s", __func__, strerror(errno)); 1337 1338 buffer_clear(&m); 1339 1340 /* Read their reply */ 1341 if (mux_client_read_packet(fd, &m) != 0) { 1342 buffer_free(&m); 1343 return 0; 1344 } 1345 1346 type = buffer_get_int(&m); 1347 if (type != MUX_S_ALIVE) { 1348 e = buffer_get_string(&m, NULL); 1349 fatal("%s: master returned error: %s", __func__, e); 1350 } 1351 1352 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1353 fatal("%s: out of sequence reply: my id %u theirs %u", 1354 __func__, muxclient_request_id, rid); 1355 pid = buffer_get_int(&m); 1356 buffer_free(&m); 1357 1358 debug3("%s: done pid = %u", __func__, pid); 1359 1360 muxclient_request_id++; 1361 1362 return pid; 1363} 1364 1365static void 1366mux_client_request_terminate(int fd) 1367{ 1368 Buffer m; 1369 char *e; 1370 u_int type, rid; 1371 1372 debug3("%s: entering", __func__); 1373 1374 buffer_init(&m); 1375 buffer_put_int(&m, MUX_C_TERMINATE); 1376 buffer_put_int(&m, muxclient_request_id); 1377 1378 if (mux_client_write_packet(fd, &m) != 0) 1379 fatal("%s: write packet: %s", __func__, strerror(errno)); 1380 1381 buffer_clear(&m); 1382 1383 /* Read their reply */ 1384 if (mux_client_read_packet(fd, &m) != 0) { 1385 /* Remote end exited already */ 1386 if (errno == EPIPE) { 1387 buffer_free(&m); 1388 return; 1389 } 1390 fatal("%s: read from master failed: %s", 1391 __func__, strerror(errno)); 1392 } 1393 1394 type = buffer_get_int(&m); 1395 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1396 fatal("%s: out of sequence reply: my id %u theirs %u", 1397 __func__, muxclient_request_id, rid); 1398 switch (type) { 1399 case MUX_S_OK: 1400 break; 1401 case MUX_S_PERMISSION_DENIED: 1402 e = buffer_get_string(&m, NULL); 1403 fatal("Master refused termination request: %s", e); 1404 case MUX_S_FAILURE: 1405 e = buffer_get_string(&m, NULL); 1406 fatal("%s: termination request failed: %s", __func__, e); 1407 default: 1408 fatal("%s: unexpected response from master 0x%08x", 1409 __func__, type); 1410 } 1411 buffer_free(&m); 1412 muxclient_request_id++; 1413} 1414 1415static int 1416mux_client_request_forward(int fd, u_int ftype, Forward *fwd) 1417{ 1418 Buffer m; 1419 char *e, *fwd_desc; 1420 u_int type, rid; 1421 1422 fwd_desc = format_forward(ftype, fwd); 1423 debug("Requesting %s", fwd_desc); 1424 xfree(fwd_desc); 1425 1426 buffer_init(&m); 1427 buffer_put_int(&m, MUX_C_OPEN_FWD); 1428 buffer_put_int(&m, muxclient_request_id); 1429 buffer_put_int(&m, ftype); 1430 buffer_put_cstring(&m, 1431 fwd->listen_host == NULL ? "" : fwd->listen_host); 1432 buffer_put_int(&m, fwd->listen_port); 1433 buffer_put_cstring(&m, 1434 fwd->connect_host == NULL ? "" : fwd->connect_host); 1435 buffer_put_int(&m, fwd->connect_port); 1436 1437 if (mux_client_write_packet(fd, &m) != 0) 1438 fatal("%s: write packet: %s", __func__, strerror(errno)); 1439 1440 buffer_clear(&m); 1441 1442 /* Read their reply */ 1443 if (mux_client_read_packet(fd, &m) != 0) { 1444 buffer_free(&m); 1445 return -1; 1446 } 1447 1448 type = buffer_get_int(&m); 1449 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1450 fatal("%s: out of sequence reply: my id %u theirs %u", 1451 __func__, muxclient_request_id, rid); 1452 switch (type) { 1453 case MUX_S_OK: 1454 break; 1455 case MUX_S_REMOTE_PORT: 1456 fwd->allocated_port = buffer_get_int(&m); 1457 logit("Allocated port %u for remote forward to %s:%d", 1458 fwd->allocated_port, 1459 fwd->connect_host ? fwd->connect_host : "", 1460 fwd->connect_port); 1461 if (muxclient_command == SSHMUX_COMMAND_FORWARD) 1462 fprintf(stdout, "%u\n", fwd->allocated_port); 1463 break; 1464 case MUX_S_PERMISSION_DENIED: 1465 e = buffer_get_string(&m, NULL); 1466 buffer_free(&m); 1467 error("Master refused forwarding request: %s", e); 1468 return -1; 1469 case MUX_S_FAILURE: 1470 e = buffer_get_string(&m, NULL); 1471 buffer_free(&m); 1472 error("%s: session request failed: %s", __func__, e); 1473 return -1; 1474 default: 1475 fatal("%s: unexpected response from master 0x%08x", 1476 __func__, type); 1477 } 1478 buffer_free(&m); 1479 1480 muxclient_request_id++; 1481 return 0; 1482} 1483 1484static int 1485mux_client_request_forwards(int fd) 1486{ 1487 int i; 1488 1489 debug3("%s: requesting forwardings: %d local, %d remote", __func__, 1490 options.num_local_forwards, options.num_remote_forwards); 1491 1492 /* XXX ExitOnForwardingFailure */ 1493 for (i = 0; i < options.num_local_forwards; i++) { 1494 if (mux_client_request_forward(fd, 1495 options.local_forwards[i].connect_port == 0 ? 1496 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL, 1497 options.local_forwards + i) != 0) 1498 return -1; 1499 } 1500 for (i = 0; i < options.num_remote_forwards; i++) { 1501 if (mux_client_request_forward(fd, MUX_FWD_REMOTE, 1502 options.remote_forwards + i) != 0) 1503 return -1; 1504 } 1505 return 0; 1506} 1507 1508static int 1509mux_client_request_session(int fd) 1510{ 1511 Buffer m; 1512 char *e, *term; 1513 u_int i, rid, sid, esid, exitval, type, exitval_seen; 1514 extern char **environ; 1515 int devnull; 1516 1517 debug3("%s: entering", __func__); 1518 1519 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1520 error("%s: master alive request failed", __func__); 1521 return -1; 1522 } 1523 1524 signal(SIGPIPE, SIG_IGN); 1525 1526 if (stdin_null_flag) { 1527 if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) 1528 fatal("open(/dev/null): %s", strerror(errno)); 1529 if (dup2(devnull, STDIN_FILENO) == -1) 1530 fatal("dup2: %s", strerror(errno)); 1531 if (devnull > STDERR_FILENO) 1532 close(devnull); 1533 } 1534 1535 term = getenv("TERM"); 1536 1537 buffer_init(&m); 1538 buffer_put_int(&m, MUX_C_NEW_SESSION); 1539 buffer_put_int(&m, muxclient_request_id); 1540 buffer_put_cstring(&m, ""); /* reserved */ 1541 buffer_put_int(&m, tty_flag); 1542 buffer_put_int(&m, options.forward_x11); 1543 buffer_put_int(&m, options.forward_agent); 1544 buffer_put_int(&m, subsystem_flag); 1545 buffer_put_int(&m, options.escape_char == SSH_ESCAPECHAR_NONE ? 1546 0xffffffff : (u_int)options.escape_char); 1547 buffer_put_cstring(&m, term == NULL ? "" : term); 1548 buffer_put_string(&m, buffer_ptr(&command), buffer_len(&command)); 1549 1550 if (options.num_send_env > 0 && environ != NULL) { 1551 /* Pass environment */ 1552 for (i = 0; environ[i] != NULL; i++) { 1553 if (env_permitted(environ[i])) { 1554 buffer_put_cstring(&m, environ[i]); 1555 } 1556 } 1557 } 1558 1559 if (mux_client_write_packet(fd, &m) != 0) 1560 fatal("%s: write packet: %s", __func__, strerror(errno)); 1561 1562 /* Send the stdio file descriptors */ 1563 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1564 mm_send_fd(fd, STDOUT_FILENO) == -1 || 1565 mm_send_fd(fd, STDERR_FILENO) == -1) 1566 fatal("%s: send fds failed", __func__); 1567 1568 debug3("%s: session request sent", __func__); 1569 1570 /* Read their reply */ 1571 buffer_clear(&m); 1572 if (mux_client_read_packet(fd, &m) != 0) { 1573 error("%s: read from master failed: %s", 1574 __func__, strerror(errno)); 1575 buffer_free(&m); 1576 return -1; 1577 } 1578 1579 type = buffer_get_int(&m); 1580 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1581 fatal("%s: out of sequence reply: my id %u theirs %u", 1582 __func__, muxclient_request_id, rid); 1583 switch (type) { 1584 case MUX_S_SESSION_OPENED: 1585 sid = buffer_get_int(&m); 1586 debug("%s: master session id: %u", __func__, sid); 1587 break; 1588 case MUX_S_PERMISSION_DENIED: 1589 e = buffer_get_string(&m, NULL); 1590 buffer_free(&m); 1591 error("Master refused forwarding request: %s", e); 1592 return -1; 1593 case MUX_S_FAILURE: 1594 e = buffer_get_string(&m, NULL); 1595 buffer_free(&m); 1596 error("%s: forwarding request failed: %s", __func__, e); 1597 return -1; 1598 default: 1599 buffer_free(&m); 1600 error("%s: unexpected response from master 0x%08x", 1601 __func__, type); 1602 return -1; 1603 } 1604 muxclient_request_id++; 1605 1606 signal(SIGHUP, control_client_sighandler); 1607 signal(SIGINT, control_client_sighandler); 1608 signal(SIGTERM, control_client_sighandler); 1609 signal(SIGWINCH, control_client_sigrelay); 1610 1611 if (tty_flag) 1612 enter_raw_mode(force_tty_flag); 1613 1614 /* 1615 * Stick around until the controlee closes the client_fd. 1616 * Before it does, it is expected to write an exit message. 1617 * This process must read the value and wait for the closure of 1618 * the client_fd; if this one closes early, the multiplex master will 1619 * terminate early too (possibly losing data). 1620 */ 1621 for (exitval = 255, exitval_seen = 0;;) { 1622 buffer_clear(&m); 1623 if (mux_client_read_packet(fd, &m) != 0) 1624 break; 1625 type = buffer_get_int(&m); 1626 if (type != MUX_S_EXIT_MESSAGE) { 1627 e = buffer_get_string(&m, NULL); 1628 fatal("%s: master returned error: %s", __func__, e); 1629 } 1630 if ((esid = buffer_get_int(&m)) != sid) 1631 fatal("%s: exit on unknown session: my id %u theirs %u", 1632 __func__, sid, esid); 1633 debug("%s: master session id: %u", __func__, sid); 1634 if (exitval_seen) 1635 fatal("%s: exitval sent twice", __func__); 1636 exitval = buffer_get_int(&m); 1637 exitval_seen = 1; 1638 } 1639 1640 close(fd); 1641 leave_raw_mode(force_tty_flag); 1642 1643 if (muxclient_terminate) { 1644 debug2("Exiting on signal %d", muxclient_terminate); 1645 exitval = 255; 1646 } else if (!exitval_seen) { 1647 debug2("Control master terminated unexpectedly"); 1648 exitval = 255; 1649 } else 1650 debug2("Received exit status from master %d", exitval); 1651 1652 if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET) 1653 fprintf(stderr, "Shared connection to %s closed.\r\n", host); 1654 1655 exit(exitval); 1656} 1657 1658static int 1659mux_client_request_stdio_fwd(int fd) 1660{ 1661 Buffer m; 1662 char *e; 1663 u_int type, rid, sid; 1664 int devnull; 1665 1666 debug3("%s: entering", __func__); 1667 1668 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) { 1669 error("%s: master alive request failed", __func__); 1670 return -1; 1671 } 1672 1673 signal(SIGPIPE, SIG_IGN); 1674 1675 if (stdin_null_flag) { 1676 if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1) 1677 fatal("open(/dev/null): %s", strerror(errno)); 1678 if (dup2(devnull, STDIN_FILENO) == -1) 1679 fatal("dup2: %s", strerror(errno)); 1680 if (devnull > STDERR_FILENO) 1681 close(devnull); 1682 } 1683 1684 buffer_init(&m); 1685 buffer_put_int(&m, MUX_C_NEW_STDIO_FWD); 1686 buffer_put_int(&m, muxclient_request_id); 1687 buffer_put_cstring(&m, ""); /* reserved */ 1688 buffer_put_cstring(&m, stdio_forward_host); 1689 buffer_put_int(&m, stdio_forward_port); 1690 1691 if (mux_client_write_packet(fd, &m) != 0) 1692 fatal("%s: write packet: %s", __func__, strerror(errno)); 1693 1694 /* Send the stdio file descriptors */ 1695 if (mm_send_fd(fd, STDIN_FILENO) == -1 || 1696 mm_send_fd(fd, STDOUT_FILENO) == -1) 1697 fatal("%s: send fds failed", __func__); 1698 1699 debug3("%s: stdio forward request sent", __func__); 1700 1701 /* Read their reply */ 1702 buffer_clear(&m); 1703 1704 if (mux_client_read_packet(fd, &m) != 0) { 1705 error("%s: read from master failed: %s", 1706 __func__, strerror(errno)); 1707 buffer_free(&m); 1708 return -1; 1709 } 1710 1711 type = buffer_get_int(&m); 1712 if ((rid = buffer_get_int(&m)) != muxclient_request_id) 1713 fatal("%s: out of sequence reply: my id %u theirs %u", 1714 __func__, muxclient_request_id, rid); 1715 switch (type) { 1716 case MUX_S_SESSION_OPENED: 1717 sid = buffer_get_int(&m); 1718 debug("%s: master session id: %u", __func__, sid); 1719 break; 1720 case MUX_S_PERMISSION_DENIED: 1721 e = buffer_get_string(&m, NULL); 1722 buffer_free(&m); 1723 fatal("Master refused forwarding request: %s", e); 1724 case MUX_S_FAILURE: 1725 e = buffer_get_string(&m, NULL); 1726 buffer_free(&m); 1727 fatal("%s: stdio forwarding request failed: %s", __func__, e); 1728 default: 1729 buffer_free(&m); 1730 error("%s: unexpected response from master 0x%08x", 1731 __func__, type); 1732 return -1; 1733 } 1734 muxclient_request_id++; 1735 1736 signal(SIGHUP, control_client_sighandler); 1737 signal(SIGINT, control_client_sighandler); 1738 signal(SIGTERM, control_client_sighandler); 1739 signal(SIGWINCH, control_client_sigrelay); 1740 1741 /* 1742 * Stick around until the controlee closes the client_fd. 1743 */ 1744 buffer_clear(&m); 1745 if (mux_client_read_packet(fd, &m) != 0) { 1746 if (errno == EPIPE || 1747 (errno == EINTR && muxclient_terminate != 0)) 1748 return 0; 1749 fatal("%s: mux_client_read_packet: %s", 1750 __func__, strerror(errno)); 1751 } 1752 fatal("%s: master returned unexpected message %u", __func__, type); 1753} 1754 1755/* Multiplex client main loop. */ 1756void 1757muxclient(const char *path) 1758{ 1759 struct sockaddr_un addr; 1760 int sock; 1761 u_int pid; 1762 1763 if (muxclient_command == 0) { 1764 if (stdio_forward_host != NULL) 1765 muxclient_command = SSHMUX_COMMAND_STDIO_FWD; 1766 else 1767 muxclient_command = SSHMUX_COMMAND_OPEN; 1768 } 1769 1770 switch (options.control_master) { 1771 case SSHCTL_MASTER_AUTO: 1772 case SSHCTL_MASTER_AUTO_ASK: 1773 debug("auto-mux: Trying existing master"); 1774 /* FALLTHROUGH */ 1775 case SSHCTL_MASTER_NO: 1776 break; 1777 default: 1778 return; 1779 } 1780 1781 memset(&addr, '\0', sizeof(addr)); 1782 addr.sun_family = AF_UNIX; 1783 addr.sun_len = offsetof(struct sockaddr_un, sun_path) + 1784 strlen(path) + 1; 1785 1786 if (strlcpy(addr.sun_path, path, 1787 sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) 1788 fatal("ControlPath too long"); 1789 1790 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) 1791 fatal("%s socket(): %s", __func__, strerror(errno)); 1792 1793 if (connect(sock, (struct sockaddr *)&addr, addr.sun_len) == -1) { 1794 switch (muxclient_command) { 1795 case SSHMUX_COMMAND_OPEN: 1796 case SSHMUX_COMMAND_STDIO_FWD: 1797 break; 1798 default: 1799 fatal("Control socket connect(%.100s): %s", path, 1800 strerror(errno)); 1801 } 1802 if (errno == ENOENT) 1803 debug("Control socket \"%.100s\" does not exist", path); 1804 else { 1805 error("Control socket connect(%.100s): %s", path, 1806 strerror(errno)); 1807 } 1808 close(sock); 1809 return; 1810 } 1811 set_nonblock(sock); 1812 1813 if (mux_client_hello_exchange(sock) != 0) { 1814 error("%s: master hello exchange failed", __func__); 1815 close(sock); 1816 return; 1817 } 1818 1819 switch (muxclient_command) { 1820 case SSHMUX_COMMAND_ALIVE_CHECK: 1821 if ((pid = mux_client_request_alive(sock)) == 0) 1822 fatal("%s: master alive check failed", __func__); 1823 fprintf(stderr, "Master running (pid=%d)\r\n", pid); 1824 exit(0); 1825 case SSHMUX_COMMAND_TERMINATE: 1826 mux_client_request_terminate(sock); 1827 fprintf(stderr, "Exit request sent.\r\n"); 1828 exit(0); 1829 case SSHMUX_COMMAND_FORWARD: 1830 if (mux_client_request_forwards(sock) != 0) 1831 fatal("%s: master forward request failed", __func__); 1832 exit(0); 1833 case SSHMUX_COMMAND_OPEN: 1834 if (mux_client_request_forwards(sock) != 0) { 1835 error("%s: master forward request failed", __func__); 1836 return; 1837 } 1838 mux_client_request_session(sock); 1839 return; 1840 case SSHMUX_COMMAND_STDIO_FWD: 1841 mux_client_request_stdio_fwd(sock); 1842 exit(0); 1843 default: 1844 fatal("unrecognised muxclient_command %d", muxclient_command); 1845 } 1846} 1847