GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: usr.bin/ssh/ssh/../mux.c Lines: 0 1222 0.0 %
Date: 2017-11-13 Branches: 0 609 0.0 %

Line Branch Exec Source
1
/* $OpenBSD: mux.c,v 1.69 2017/09/20 05:19:00 dtucker Exp $ */
2
/*
3
 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4
 *
5
 * Permission to use, copy, modify, and distribute this software for any
6
 * purpose with or without fee is hereby granted, provided that the above
7
 * copyright notice and this permission notice appear in all copies.
8
 *
9
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
 */
17
18
/* ssh session multiplexing support */
19
20
/*
21
 * TODO:
22
 *   - Better signalling from master to slave, especially passing of
23
 *      error messages
24
 *   - Better fall-back from mux slave error to new connection.
25
 *   - ExitOnForwardingFailure
26
 *   - Maybe extension mechanisms for multi-X11/multi-agent forwarding
27
 *   - Support ~^Z in mux slaves.
28
 *   - Inspect or control sessions in master.
29
 *   - If we ever support the "signal" channel request, send signals on
30
 *     sessions in master.
31
 */
32
33
#include <sys/types.h>
34
#include <sys/queue.h>
35
#include <sys/stat.h>
36
#include <sys/socket.h>
37
#include <sys/un.h>
38
39
#include <errno.h>
40
#include <fcntl.h>
41
#include <poll.h>
42
#include <signal.h>
43
#include <stdarg.h>
44
#include <stddef.h>
45
#include <stdlib.h>
46
#include <stdio.h>
47
#include <string.h>
48
#include <unistd.h>
49
#include <util.h>
50
#include <paths.h>
51
52
#include "atomicio.h"
53
#include "xmalloc.h"
54
#include "log.h"
55
#include "ssh.h"
56
#include "ssh2.h"
57
#include "pathnames.h"
58
#include "misc.h"
59
#include "match.h"
60
#include "buffer.h"
61
#include "channels.h"
62
#include "msg.h"
63
#include "packet.h"
64
#include "monitor_fdpass.h"
65
#include "sshpty.h"
66
#include "key.h"
67
#include "readconf.h"
68
#include "clientloop.h"
69
#include "ssherr.h"
70
71
/* from ssh.c */
72
extern int tty_flag;
73
extern Options options;
74
extern int stdin_null_flag;
75
extern char *host;
76
extern int subsystem_flag;
77
extern Buffer command;
78
extern volatile sig_atomic_t quit_pending;
79
80
/* Context for session open confirmation callback */
81
struct mux_session_confirm_ctx {
82
	u_int want_tty;
83
	u_int want_subsys;
84
	u_int want_x_fwd;
85
	u_int want_agent_fwd;
86
	Buffer cmd;
87
	char *term;
88
	struct termios tio;
89
	char **env;
90
	u_int rid;
91
};
92
93
/* Context for stdio fwd open confirmation callback */
94
struct mux_stdio_confirm_ctx {
95
	u_int rid;
96
};
97
98
/* Context for global channel callback */
99
struct mux_channel_confirm_ctx {
100
	u_int cid;	/* channel id */
101
	u_int rid;	/* request id */
102
	int fid;	/* forward id */
103
};
104
105
/* fd to control socket */
106
int muxserver_sock = -1;
107
108
/* client request id */
109
u_int muxclient_request_id = 0;
110
111
/* Multiplexing control command */
112
u_int muxclient_command = 0;
113
114
/* Set when signalled. */
115
static volatile sig_atomic_t muxclient_terminate = 0;
116
117
/* PID of multiplex server */
118
static u_int muxserver_pid = 0;
119
120
static Channel *mux_listener_channel = NULL;
121
122
struct mux_master_state {
123
	int hello_rcvd;
124
};
125
126
/* mux protocol messages */
127
#define MUX_MSG_HELLO		0x00000001
128
#define MUX_C_NEW_SESSION	0x10000002
129
#define MUX_C_ALIVE_CHECK	0x10000004
130
#define MUX_C_TERMINATE		0x10000005
131
#define MUX_C_OPEN_FWD		0x10000006
132
#define MUX_C_CLOSE_FWD		0x10000007
133
#define MUX_C_NEW_STDIO_FWD	0x10000008
134
#define MUX_C_STOP_LISTENING	0x10000009
135
#define MUX_C_PROXY		0x1000000f
136
#define MUX_S_OK		0x80000001
137
#define MUX_S_PERMISSION_DENIED	0x80000002
138
#define MUX_S_FAILURE		0x80000003
139
#define MUX_S_EXIT_MESSAGE	0x80000004
140
#define MUX_S_ALIVE		0x80000005
141
#define MUX_S_SESSION_OPENED	0x80000006
142
#define MUX_S_REMOTE_PORT	0x80000007
143
#define MUX_S_TTY_ALLOC_FAIL	0x80000008
144
#define MUX_S_PROXY		0x8000000f
145
146
/* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */
147
#define MUX_FWD_LOCAL   1
148
#define MUX_FWD_REMOTE  2
149
#define MUX_FWD_DYNAMIC 3
150
151
static void mux_session_confirm(struct ssh *, int, int, void *);
152
static void mux_stdio_confirm(struct ssh *, int, int, void *);
153
154
static int process_mux_master_hello(struct ssh *, u_int,
155
	    Channel *, struct sshbuf *, struct sshbuf *);
156
static int process_mux_new_session(struct ssh *, u_int,
157
	    Channel *, struct sshbuf *, struct sshbuf *);
158
static int process_mux_alive_check(struct ssh *, u_int,
159
	    Channel *, struct sshbuf *, struct sshbuf *);
160
static int process_mux_terminate(struct ssh *, u_int,
161
	    Channel *, struct sshbuf *, struct sshbuf *);
162
static int process_mux_open_fwd(struct ssh *, u_int,
163
	    Channel *, struct sshbuf *, struct sshbuf *);
164
static int process_mux_close_fwd(struct ssh *, u_int,
165
	    Channel *, struct sshbuf *, struct sshbuf *);
166
static int process_mux_stdio_fwd(struct ssh *, u_int,
167
	    Channel *, struct sshbuf *, struct sshbuf *);
168
static int process_mux_stop_listening(struct ssh *, u_int,
169
	    Channel *, struct sshbuf *, struct sshbuf *);
170
static int process_mux_proxy(struct ssh *, u_int,
171
	    Channel *, struct sshbuf *, struct sshbuf *);
172
173
static const struct {
174
	u_int type;
175
	int (*handler)(struct ssh *, u_int, Channel *,
176
	    struct sshbuf *, struct sshbuf *);
177
} mux_master_handlers[] = {
178
	{ MUX_MSG_HELLO, process_mux_master_hello },
179
	{ MUX_C_NEW_SESSION, process_mux_new_session },
180
	{ MUX_C_ALIVE_CHECK, process_mux_alive_check },
181
	{ MUX_C_TERMINATE, process_mux_terminate },
182
	{ MUX_C_OPEN_FWD, process_mux_open_fwd },
183
	{ MUX_C_CLOSE_FWD, process_mux_close_fwd },
184
	{ MUX_C_NEW_STDIO_FWD, process_mux_stdio_fwd },
185
	{ MUX_C_STOP_LISTENING, process_mux_stop_listening },
186
	{ MUX_C_PROXY, process_mux_proxy },
187
	{ 0, NULL }
188
};
189
190
/* Cleanup callback fired on closure of mux slave _session_ channel */
191
/* ARGSUSED */
192
static void
193
mux_master_session_cleanup_cb(struct ssh *ssh, int cid, void *unused)
194
{
195
	Channel *cc, *c = channel_by_id(ssh, cid);
196
197
	debug3("%s: entering for channel %d", __func__, cid);
198
	if (c == NULL)
199
		fatal("%s: channel_by_id(%i) == NULL", __func__, cid);
200
	if (c->ctl_chan != -1) {
201
		if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
202
			fatal("%s: channel %d missing control channel %d",
203
			    __func__, c->self, c->ctl_chan);
204
		c->ctl_chan = -1;
205
		cc->remote_id = 0;
206
		cc->have_remote_id = 0;
207
		chan_rcvd_oclose(ssh, cc);
208
	}
209
	channel_cancel_cleanup(ssh, c->self);
210
}
211
212
/* Cleanup callback fired on closure of mux slave _control_ channel */
213
/* ARGSUSED */
214
static void
215
mux_master_control_cleanup_cb(struct ssh *ssh, int cid, void *unused)
216
{
217
	Channel *sc, *c = channel_by_id(ssh, cid);
218
219
	debug3("%s: entering for channel %d", __func__, cid);
220
	if (c == NULL)
221
		fatal("%s: channel_by_id(%i) == NULL", __func__, cid);
222
	if (c->have_remote_id) {
223
		if ((sc = channel_by_id(ssh, c->remote_id)) == NULL)
224
			fatal("%s: channel %d missing session channel %u",
225
			    __func__, c->self, c->remote_id);
226
		c->remote_id = 0;
227
		c->have_remote_id = 0;
228
		sc->ctl_chan = -1;
229
		if (sc->type != SSH_CHANNEL_OPEN &&
230
		    sc->type != SSH_CHANNEL_OPENING) {
231
			debug2("%s: channel %d: not open", __func__, sc->self);
232
			chan_mark_dead(ssh, sc);
233
		} else {
234
			if (sc->istate == CHAN_INPUT_OPEN)
235
				chan_read_failed(ssh, sc);
236
			if (sc->ostate == CHAN_OUTPUT_OPEN)
237
				chan_write_failed(ssh, sc);
238
		}
239
	}
240
	channel_cancel_cleanup(ssh, c->self);
241
}
242
243
/* Check mux client environment variables before passing them to mux master. */
244
static int
245
env_permitted(char *env)
246
{
247
	int i, ret;
248
	char name[1024], *cp;
249
250
	if ((cp = strchr(env, '=')) == NULL || cp == env)
251
		return 0;
252
	ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
253
	if (ret <= 0 || (size_t)ret >= sizeof(name)) {
254
		error("env_permitted: name '%.100s...' too long", env);
255
		return 0;
256
	}
257
258
	for (i = 0; i < options.num_send_env; i++)
259
		if (match_pattern(name, options.send_env[i]))
260
			return 1;
261
262
	return 0;
263
}
264
265
/* Mux master protocol message handlers */
266
267
static int
268
process_mux_master_hello(struct ssh *ssh, u_int rid,
269
    Channel *c, Buffer *m, Buffer *r)
270
{
271
	u_int ver;
272
	struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
273
274
	if (state == NULL)
275
		fatal("%s: channel %d: c->mux_ctx == NULL", __func__, c->self);
276
	if (state->hello_rcvd) {
277
		error("%s: HELLO received twice", __func__);
278
		return -1;
279
	}
280
	if (buffer_get_int_ret(&ver, m) != 0) {
281
 malf:
282
		error("%s: malformed message", __func__);
283
		return -1;
284
	}
285
	if (ver != SSHMUX_VER) {
286
		error("Unsupported multiplexing protocol version %d "
287
		    "(expected %d)", ver, SSHMUX_VER);
288
		return -1;
289
	}
290
	debug2("%s: channel %d slave version %u", __func__, c->self, ver);
291
292
	/* No extensions are presently defined */
293
	while (buffer_len(m) > 0) {
294
		char *name = buffer_get_string_ret(m, NULL);
295
		char *value = buffer_get_string_ret(m, NULL);
296
297
		if (name == NULL || value == NULL) {
298
			free(name);
299
			free(value);
300
			goto malf;
301
		}
302
		debug2("Unrecognised slave extension \"%s\"", name);
303
		free(name);
304
		free(value);
305
	}
306
	state->hello_rcvd = 1;
307
	return 0;
308
}
309
310
static int
311
process_mux_new_session(struct ssh *ssh, u_int rid,
312
    Channel *c, Buffer *m, Buffer *r)
313
{
314
	Channel *nc;
315
	struct mux_session_confirm_ctx *cctx;
316
	char *reserved, *cmd, *cp;
317
	u_int i, j, len, env_len, escape_char, window, packetmax;
318
	int new_fd[3];
319
320
	/* Reply for SSHMUX_COMMAND_OPEN */
321
	cctx = xcalloc(1, sizeof(*cctx));
322
	cctx->term = NULL;
323
	cctx->rid = rid;
324
	cmd = reserved = NULL;
325
	cctx->env = NULL;
326
	env_len = 0;
327
	if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
328
	    buffer_get_int_ret(&cctx->want_tty, m) != 0 ||
329
	    buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 ||
330
	    buffer_get_int_ret(&cctx->want_agent_fwd, m) != 0 ||
331
	    buffer_get_int_ret(&cctx->want_subsys, m) != 0 ||
332
	    buffer_get_int_ret(&escape_char, m) != 0 ||
333
	    (cctx->term = buffer_get_string_ret(m, &len)) == NULL ||
334
	    (cmd = buffer_get_string_ret(m, &len)) == NULL) {
335
 malf:
336
		free(cmd);
337
		free(reserved);
338
		for (j = 0; j < env_len; j++)
339
			free(cctx->env[j]);
340
		free(cctx->env);
341
		free(cctx->term);
342
		free(cctx);
343
		error("%s: malformed message", __func__);
344
		return -1;
345
	}
346
	free(reserved);
347
	reserved = NULL;
348
349
	while (buffer_len(m) > 0) {
350
#define MUX_MAX_ENV_VARS	4096
351
		if ((cp = buffer_get_string_ret(m, &len)) == NULL)
352
			goto malf;
353
		if (!env_permitted(cp)) {
354
			free(cp);
355
			continue;
356
		}
357
		cctx->env = xreallocarray(cctx->env, env_len + 2,
358
		    sizeof(*cctx->env));
359
		cctx->env[env_len++] = cp;
360
		cctx->env[env_len] = NULL;
361
		if (env_len > MUX_MAX_ENV_VARS) {
362
			error(">%d environment variables received, ignoring "
363
			    "additional", MUX_MAX_ENV_VARS);
364
			break;
365
		}
366
	}
367
368
	debug2("%s: channel %d: request tty %d, X %d, agent %d, subsys %d, "
369
	    "term \"%s\", cmd \"%s\", env %u", __func__, c->self,
370
	    cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd,
371
	    cctx->want_subsys, cctx->term, cmd, env_len);
372
373
	buffer_init(&cctx->cmd);
374
	buffer_append(&cctx->cmd, cmd, strlen(cmd));
375
	free(cmd);
376
	cmd = NULL;
377
378
	/* Gather fds from client */
379
	for(i = 0; i < 3; i++) {
380
		if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
381
			error("%s: failed to receive fd %d from slave",
382
			    __func__, i);
383
			for (j = 0; j < i; j++)
384
				close(new_fd[j]);
385
			for (j = 0; j < env_len; j++)
386
				free(cctx->env[j]);
387
			free(cctx->env);
388
			free(cctx->term);
389
			buffer_free(&cctx->cmd);
390
			free(cctx);
391
392
			/* prepare reply */
393
			buffer_put_int(r, MUX_S_FAILURE);
394
			buffer_put_int(r, rid);
395
			buffer_put_cstring(r,
396
			    "did not receive file descriptors");
397
			return -1;
398
		}
399
	}
400
401
	debug3("%s: got fds stdin %d, stdout %d, stderr %d", __func__,
402
	    new_fd[0], new_fd[1], new_fd[2]);
403
404
	/* XXX support multiple child sessions in future */
405
	if (c->have_remote_id) {
406
		debug2("%s: session already open", __func__);
407
		/* prepare reply */
408
		buffer_put_int(r, MUX_S_FAILURE);
409
		buffer_put_int(r, rid);
410
		buffer_put_cstring(r, "Multiple sessions not supported");
411
 cleanup:
412
		close(new_fd[0]);
413
		close(new_fd[1]);
414
		close(new_fd[2]);
415
		free(cctx->term);
416
		if (env_len != 0) {
417
			for (i = 0; i < env_len; i++)
418
				free(cctx->env[i]);
419
			free(cctx->env);
420
		}
421
		buffer_free(&cctx->cmd);
422
		free(cctx);
423
		return 0;
424
	}
425
426
	if (options.control_master == SSHCTL_MASTER_ASK ||
427
	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
428
		if (!ask_permission("Allow shared connection to %s? ", host)) {
429
			debug2("%s: session refused by user", __func__);
430
			/* prepare reply */
431
			buffer_put_int(r, MUX_S_PERMISSION_DENIED);
432
			buffer_put_int(r, rid);
433
			buffer_put_cstring(r, "Permission denied");
434
			goto cleanup;
435
		}
436
	}
437
438
	/* Try to pick up ttymodes from client before it goes raw */
439
	if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
440
		error("%s: tcgetattr: %s", __func__, strerror(errno));
441
442
	/* enable nonblocking unless tty */
443
	if (!isatty(new_fd[0]))
444
		set_nonblock(new_fd[0]);
445
	if (!isatty(new_fd[1]))
446
		set_nonblock(new_fd[1]);
447
	if (!isatty(new_fd[2]))
448
		set_nonblock(new_fd[2]);
449
450
	window = CHAN_SES_WINDOW_DEFAULT;
451
	packetmax = CHAN_SES_PACKET_DEFAULT;
452
	if (cctx->want_tty) {
453
		window >>= 1;
454
		packetmax >>= 1;
455
	}
456
457
	nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
458
	    new_fd[0], new_fd[1], new_fd[2], window, packetmax,
459
	    CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
460
461
	nc->ctl_chan = c->self;		/* link session -> control channel */
462
	c->remote_id = nc->self; 	/* link control -> session channel */
463
	c->have_remote_id = 1;
464
465
	if (cctx->want_tty && escape_char != 0xffffffff) {
466
		channel_register_filter(ssh, nc->self,
467
		    client_simple_escape_filter, NULL,
468
		    client_filter_cleanup,
469
		    client_new_escape_filter_ctx((int)escape_char));
470
	}
471
472
	debug2("%s: channel_new: %d linked to control channel %d",
473
	    __func__, nc->self, nc->ctl_chan);
474
475
	channel_send_open(ssh, nc->self);
476
	channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx);
477
	c->mux_pause = 1; /* stop handling messages until open_confirm done */
478
	channel_register_cleanup(ssh, nc->self,
479
	    mux_master_session_cleanup_cb, 1);
480
481
	/* reply is deferred, sent by mux_session_confirm */
482
	return 0;
483
}
484
485
static int
486
process_mux_alive_check(struct ssh *ssh, u_int rid,
487
    Channel *c, Buffer *m, Buffer *r)
488
{
489
	debug2("%s: channel %d: alive check", __func__, c->self);
490
491
	/* prepare reply */
492
	buffer_put_int(r, MUX_S_ALIVE);
493
	buffer_put_int(r, rid);
494
	buffer_put_int(r, (u_int)getpid());
495
496
	return 0;
497
}
498
499
static int
500
process_mux_terminate(struct ssh *ssh, u_int rid,
501
    Channel *c, Buffer *m, Buffer *r)
502
{
503
	debug2("%s: channel %d: terminate request", __func__, c->self);
504
505
	if (options.control_master == SSHCTL_MASTER_ASK ||
506
	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
507
		if (!ask_permission("Terminate shared connection to %s? ",
508
		    host)) {
509
			debug2("%s: termination refused by user", __func__);
510
			buffer_put_int(r, MUX_S_PERMISSION_DENIED);
511
			buffer_put_int(r, rid);
512
			buffer_put_cstring(r, "Permission denied");
513
			return 0;
514
		}
515
	}
516
517
	quit_pending = 1;
518
	buffer_put_int(r, MUX_S_OK);
519
	buffer_put_int(r, rid);
520
	/* XXX exit happens too soon - message never makes it to client */
521
	return 0;
522
}
523
524
static char *
525
format_forward(u_int ftype, struct Forward *fwd)
526
{
527
	char *ret;
528
529
	switch (ftype) {
530
	case MUX_FWD_LOCAL:
531
		xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
532
		    (fwd->listen_path != NULL) ? fwd->listen_path :
533
		    (fwd->listen_host == NULL) ?
534
		    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
535
		    fwd->listen_host, fwd->listen_port,
536
		    (fwd->connect_path != NULL) ? fwd->connect_path :
537
		    fwd->connect_host, fwd->connect_port);
538
		break;
539
	case MUX_FWD_DYNAMIC:
540
		xasprintf(&ret, "dynamic forward %.200s:%d -> *",
541
		    (fwd->listen_host == NULL) ?
542
		    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
543
		     fwd->listen_host, fwd->listen_port);
544
		break;
545
	case MUX_FWD_REMOTE:
546
		xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
547
		    (fwd->listen_path != NULL) ? fwd->listen_path :
548
		    (fwd->listen_host == NULL) ?
549
		    "LOCALHOST" : fwd->listen_host,
550
		    fwd->listen_port,
551
		    (fwd->connect_path != NULL) ? fwd->connect_path :
552
		    fwd->connect_host, fwd->connect_port);
553
		break;
554
	default:
555
		fatal("%s: unknown forward type %u", __func__, ftype);
556
	}
557
	return ret;
558
}
559
560
static int
561
compare_host(const char *a, const char *b)
562
{
563
	if (a == NULL && b == NULL)
564
		return 1;
565
	if (a == NULL || b == NULL)
566
		return 0;
567
	return strcmp(a, b) == 0;
568
}
569
570
static int
571
compare_forward(struct Forward *a, struct Forward *b)
572
{
573
	if (!compare_host(a->listen_host, b->listen_host))
574
		return 0;
575
	if (!compare_host(a->listen_path, b->listen_path))
576
		return 0;
577
	if (a->listen_port != b->listen_port)
578
		return 0;
579
	if (!compare_host(a->connect_host, b->connect_host))
580
		return 0;
581
	if (!compare_host(a->connect_path, b->connect_path))
582
		return 0;
583
	if (a->connect_port != b->connect_port)
584
		return 0;
585
586
	return 1;
587
}
588
589
static void
590
mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt)
591
{
592
	struct mux_channel_confirm_ctx *fctx = ctxt;
593
	char *failmsg = NULL;
594
	struct Forward *rfwd;
595
	Channel *c;
596
	Buffer out;
597
598
	if ((c = channel_by_id(ssh, fctx->cid)) == NULL) {
599
		/* no channel for reply */
600
		error("%s: unknown channel", __func__);
601
		return;
602
	}
603
	buffer_init(&out);
604
	if (fctx->fid >= options.num_remote_forwards ||
605
	    (options.remote_forwards[fctx->fid].connect_path == NULL &&
606
	    options.remote_forwards[fctx->fid].connect_host == NULL)) {
607
		xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid);
608
		goto fail;
609
	}
610
	rfwd = &options.remote_forwards[fctx->fid];
611
	debug("%s: %s for: listen %d, connect %s:%d", __func__,
612
	    type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
613
	    rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
614
	    rfwd->connect_host, rfwd->connect_port);
615
	if (type == SSH2_MSG_REQUEST_SUCCESS) {
616
		if (rfwd->listen_port == 0) {
617
			rfwd->allocated_port = packet_get_int();
618
			debug("Allocated port %u for mux remote forward"
619
			    " to %s:%d", rfwd->allocated_port,
620
			    rfwd->connect_host, rfwd->connect_port);
621
			buffer_put_int(&out, MUX_S_REMOTE_PORT);
622
			buffer_put_int(&out, fctx->rid);
623
			buffer_put_int(&out, rfwd->allocated_port);
624
			channel_update_permitted_opens(ssh, rfwd->handle,
625
			   rfwd->allocated_port);
626
		} else {
627
			buffer_put_int(&out, MUX_S_OK);
628
			buffer_put_int(&out, fctx->rid);
629
		}
630
		goto out;
631
	} else {
632
		if (rfwd->listen_port == 0)
633
			channel_update_permitted_opens(ssh, rfwd->handle, -1);
634
		if (rfwd->listen_path != NULL)
635
			xasprintf(&failmsg, "remote port forwarding failed for "
636
			    "listen path %s", rfwd->listen_path);
637
		else
638
			xasprintf(&failmsg, "remote port forwarding failed for "
639
			    "listen port %d", rfwd->listen_port);
640
641
                debug2("%s: clearing registered forwarding for listen %d, "
642
		    "connect %s:%d", __func__, rfwd->listen_port,
643
		    rfwd->connect_path ? rfwd->connect_path :
644
		    rfwd->connect_host, rfwd->connect_port);
645
646
		free(rfwd->listen_host);
647
		free(rfwd->listen_path);
648
		free(rfwd->connect_host);
649
		free(rfwd->connect_path);
650
		memset(rfwd, 0, sizeof(*rfwd));
651
	}
652
 fail:
653
	error("%s: %s", __func__, failmsg);
654
	buffer_put_int(&out, MUX_S_FAILURE);
655
	buffer_put_int(&out, fctx->rid);
656
	buffer_put_cstring(&out, failmsg);
657
	free(failmsg);
658
 out:
659
	buffer_put_string(c->output, buffer_ptr(&out), buffer_len(&out));
660
	buffer_free(&out);
661
	if (c->mux_pause <= 0)
662
		fatal("%s: mux_pause %d", __func__, c->mux_pause);
663
	c->mux_pause = 0; /* start processing messages again */
664
}
665
666
static int
667
process_mux_open_fwd(struct ssh *ssh, u_int rid,
668
    Channel *c, Buffer *m, Buffer *r)
669
{
670
	struct Forward fwd;
671
	char *fwd_desc = NULL;
672
	char *listen_addr, *connect_addr;
673
	u_int ftype;
674
	u_int lport, cport;
675
	int i, ret = 0, freefwd = 1;
676
677
	memset(&fwd, 0, sizeof(fwd));
678
679
	/* XXX - lport/cport check redundant */
680
	if (buffer_get_int_ret(&ftype, m) != 0 ||
681
	    (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
682
	    buffer_get_int_ret(&lport, m) != 0 ||
683
	    (connect_addr = buffer_get_string_ret(m, NULL)) == NULL ||
684
	    buffer_get_int_ret(&cport, m) != 0 ||
685
	    (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
686
	    (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
687
		error("%s: malformed message", __func__);
688
		ret = -1;
689
		goto out;
690
	}
691
	if (*listen_addr == '\0') {
692
		free(listen_addr);
693
		listen_addr = NULL;
694
	}
695
	if (*connect_addr == '\0') {
696
		free(connect_addr);
697
		connect_addr = NULL;
698
	}
699
700
	memset(&fwd, 0, sizeof(fwd));
701
	fwd.listen_port = lport;
702
	if (fwd.listen_port == PORT_STREAMLOCAL)
703
		fwd.listen_path = listen_addr;
704
	else
705
		fwd.listen_host = listen_addr;
706
	fwd.connect_port = cport;
707
	if (fwd.connect_port == PORT_STREAMLOCAL)
708
		fwd.connect_path = connect_addr;
709
	else
710
		fwd.connect_host = connect_addr;
711
712
	debug2("%s: channel %d: request %s", __func__, c->self,
713
	    (fwd_desc = format_forward(ftype, &fwd)));
714
715
	if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE &&
716
	    ftype != MUX_FWD_DYNAMIC) {
717
		logit("%s: invalid forwarding type %u", __func__, ftype);
718
 invalid:
719
		free(listen_addr);
720
		free(connect_addr);
721
		buffer_put_int(r, MUX_S_FAILURE);
722
		buffer_put_int(r, rid);
723
		buffer_put_cstring(r, "Invalid forwarding request");
724
		return 0;
725
	}
726
	if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) {
727
		logit("%s: streamlocal and dynamic forwards "
728
		    "are mutually exclusive", __func__);
729
		goto invalid;
730
	}
731
	if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) {
732
		logit("%s: invalid listen port %u", __func__,
733
		    fwd.listen_port);
734
		goto invalid;
735
	}
736
	if ((fwd.connect_port != PORT_STREAMLOCAL &&
737
	    fwd.connect_port >= 65536) ||
738
	    (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE &&
739
	    fwd.connect_port == 0)) {
740
		logit("%s: invalid connect port %u", __func__,
741
		    fwd.connect_port);
742
		goto invalid;
743
	}
744
	if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL &&
745
	    fwd.connect_path == NULL) {
746
		logit("%s: missing connect host", __func__);
747
		goto invalid;
748
	}
749
750
	/* Skip forwards that have already been requested */
751
	switch (ftype) {
752
	case MUX_FWD_LOCAL:
753
	case MUX_FWD_DYNAMIC:
754
		for (i = 0; i < options.num_local_forwards; i++) {
755
			if (compare_forward(&fwd,
756
			    options.local_forwards + i)) {
757
 exists:
758
				debug2("%s: found existing forwarding",
759
				    __func__);
760
				buffer_put_int(r, MUX_S_OK);
761
				buffer_put_int(r, rid);
762
				goto out;
763
			}
764
		}
765
		break;
766
	case MUX_FWD_REMOTE:
767
		for (i = 0; i < options.num_remote_forwards; i++) {
768
			if (compare_forward(&fwd,
769
			    options.remote_forwards + i)) {
770
				if (fwd.listen_port != 0)
771
					goto exists;
772
				debug2("%s: found allocated port",
773
				    __func__);
774
				buffer_put_int(r, MUX_S_REMOTE_PORT);
775
				buffer_put_int(r, rid);
776
				buffer_put_int(r,
777
				    options.remote_forwards[i].allocated_port);
778
				goto out;
779
			}
780
		}
781
		break;
782
	}
783
784
	if (options.control_master == SSHCTL_MASTER_ASK ||
785
	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
786
		if (!ask_permission("Open %s on %s?", fwd_desc, host)) {
787
			debug2("%s: forwarding refused by user", __func__);
788
			buffer_put_int(r, MUX_S_PERMISSION_DENIED);
789
			buffer_put_int(r, rid);
790
			buffer_put_cstring(r, "Permission denied");
791
			goto out;
792
		}
793
	}
794
795
	if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
796
		if (!channel_setup_local_fwd_listener(ssh, &fwd,
797
		    &options.fwd_opts)) {
798
 fail:
799
			logit("slave-requested %s failed", fwd_desc);
800
			buffer_put_int(r, MUX_S_FAILURE);
801
			buffer_put_int(r, rid);
802
			buffer_put_cstring(r, "Port forwarding failed");
803
			goto out;
804
		}
805
		add_local_forward(&options, &fwd);
806
		freefwd = 0;
807
	} else {
808
		struct mux_channel_confirm_ctx *fctx;
809
810
		fwd.handle = channel_request_remote_forwarding(ssh, &fwd);
811
		if (fwd.handle < 0)
812
			goto fail;
813
		add_remote_forward(&options, &fwd);
814
		fctx = xcalloc(1, sizeof(*fctx));
815
		fctx->cid = c->self;
816
		fctx->rid = rid;
817
		fctx->fid = options.num_remote_forwards - 1;
818
		client_register_global_confirm(mux_confirm_remote_forward,
819
		    fctx);
820
		freefwd = 0;
821
		c->mux_pause = 1; /* wait for mux_confirm_remote_forward */
822
		/* delayed reply in mux_confirm_remote_forward */
823
		goto out;
824
	}
825
	buffer_put_int(r, MUX_S_OK);
826
	buffer_put_int(r, rid);
827
 out:
828
	free(fwd_desc);
829
	if (freefwd) {
830
		free(fwd.listen_host);
831
		free(fwd.listen_path);
832
		free(fwd.connect_host);
833
		free(fwd.connect_path);
834
	}
835
	return ret;
836
}
837
838
static int
839
process_mux_close_fwd(struct ssh *ssh, u_int rid,
840
    Channel *c, Buffer *m, Buffer *r)
841
{
842
	struct Forward fwd, *found_fwd;
843
	char *fwd_desc = NULL;
844
	const char *error_reason = NULL;
845
	char *listen_addr = NULL, *connect_addr = NULL;
846
	u_int ftype;
847
	int i, ret = 0;
848
	u_int lport, cport;
849
850
	memset(&fwd, 0, sizeof(fwd));
851
852
	if (buffer_get_int_ret(&ftype, m) != 0 ||
853
	    (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
854
	    buffer_get_int_ret(&lport, m) != 0 ||
855
	    (connect_addr = buffer_get_string_ret(m, NULL)) == NULL ||
856
	    buffer_get_int_ret(&cport, m) != 0 ||
857
	    (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
858
	    (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
859
		error("%s: malformed message", __func__);
860
		ret = -1;
861
		goto out;
862
	}
863
864
	if (*listen_addr == '\0') {
865
		free(listen_addr);
866
		listen_addr = NULL;
867
	}
868
	if (*connect_addr == '\0') {
869
		free(connect_addr);
870
		connect_addr = NULL;
871
	}
872
873
	memset(&fwd, 0, sizeof(fwd));
874
	fwd.listen_port = lport;
875
	if (fwd.listen_port == PORT_STREAMLOCAL)
876
		fwd.listen_path = listen_addr;
877
	else
878
		fwd.listen_host = listen_addr;
879
	fwd.connect_port = cport;
880
	if (fwd.connect_port == PORT_STREAMLOCAL)
881
		fwd.connect_path = connect_addr;
882
	else
883
		fwd.connect_host = connect_addr;
884
885
	debug2("%s: channel %d: request cancel %s", __func__, c->self,
886
	    (fwd_desc = format_forward(ftype, &fwd)));
887
888
	/* make sure this has been requested */
889
	found_fwd = NULL;
890
	switch (ftype) {
891
	case MUX_FWD_LOCAL:
892
	case MUX_FWD_DYNAMIC:
893
		for (i = 0; i < options.num_local_forwards; i++) {
894
			if (compare_forward(&fwd,
895
			    options.local_forwards + i)) {
896
				found_fwd = options.local_forwards + i;
897
				break;
898
			}
899
		}
900
		break;
901
	case MUX_FWD_REMOTE:
902
		for (i = 0; i < options.num_remote_forwards; i++) {
903
			if (compare_forward(&fwd,
904
			    options.remote_forwards + i)) {
905
				found_fwd = options.remote_forwards + i;
906
				break;
907
			}
908
		}
909
		break;
910
	}
911
912
	if (found_fwd == NULL)
913
		error_reason = "port not forwarded";
914
	else if (ftype == MUX_FWD_REMOTE) {
915
		/*
916
		 * This shouldn't fail unless we confused the host/port
917
		 * between options.remote_forwards and permitted_opens.
918
		 * However, for dynamic allocated listen ports we need
919
		 * to use the actual listen port.
920
		 */
921
		if (channel_request_rforward_cancel(ssh, found_fwd) == -1)
922
			error_reason = "port not in permitted opens";
923
	} else {	/* local and dynamic forwards */
924
		/* Ditto */
925
		if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port,
926
		    &options.fwd_opts) == -1)
927
			error_reason = "port not found";
928
	}
929
930
	if (error_reason == NULL) {
931
		buffer_put_int(r, MUX_S_OK);
932
		buffer_put_int(r, rid);
933
934
		free(found_fwd->listen_host);
935
		free(found_fwd->listen_path);
936
		free(found_fwd->connect_host);
937
		free(found_fwd->connect_path);
938
		found_fwd->listen_host = found_fwd->connect_host = NULL;
939
		found_fwd->listen_path = found_fwd->connect_path = NULL;
940
		found_fwd->listen_port = found_fwd->connect_port = 0;
941
	} else {
942
		buffer_put_int(r, MUX_S_FAILURE);
943
		buffer_put_int(r, rid);
944
		buffer_put_cstring(r, error_reason);
945
	}
946
 out:
947
	free(fwd_desc);
948
	free(listen_addr);
949
	free(connect_addr);
950
951
	return ret;
952
}
953
954
static int
955
process_mux_stdio_fwd(struct ssh *ssh, u_int rid,
956
    Channel *c, Buffer *m, Buffer *r)
957
{
958
	Channel *nc;
959
	char *reserved, *chost;
960
	u_int cport, i, j;
961
	int new_fd[2];
962
	struct mux_stdio_confirm_ctx *cctx;
963
964
	chost = reserved = NULL;
965
	if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
966
	   (chost = buffer_get_string_ret(m, NULL)) == NULL ||
967
	    buffer_get_int_ret(&cport, m) != 0) {
968
		free(reserved);
969
		free(chost);
970
		error("%s: malformed message", __func__);
971
		return -1;
972
	}
973
	free(reserved);
974
975
	debug2("%s: channel %d: request stdio fwd to %s:%u",
976
	    __func__, c->self, chost, cport);
977
978
	/* Gather fds from client */
979
	for(i = 0; i < 2; i++) {
980
		if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
981
			error("%s: failed to receive fd %d from slave",
982
			    __func__, i);
983
			for (j = 0; j < i; j++)
984
				close(new_fd[j]);
985
			free(chost);
986
987
			/* prepare reply */
988
			buffer_put_int(r, MUX_S_FAILURE);
989
			buffer_put_int(r, rid);
990
			buffer_put_cstring(r,
991
			    "did not receive file descriptors");
992
			return -1;
993
		}
994
	}
995
996
	debug3("%s: got fds stdin %d, stdout %d", __func__,
997
	    new_fd[0], new_fd[1]);
998
999
	/* XXX support multiple child sessions in future */
1000
	if (c->have_remote_id) {
1001
		debug2("%s: session already open", __func__);
1002
		/* prepare reply */
1003
		buffer_put_int(r, MUX_S_FAILURE);
1004
		buffer_put_int(r, rid);
1005
		buffer_put_cstring(r, "Multiple sessions not supported");
1006
 cleanup:
1007
		close(new_fd[0]);
1008
		close(new_fd[1]);
1009
		free(chost);
1010
		return 0;
1011
	}
1012
1013
	if (options.control_master == SSHCTL_MASTER_ASK ||
1014
	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1015
		if (!ask_permission("Allow forward to %s:%u? ",
1016
		    chost, cport)) {
1017
			debug2("%s: stdio fwd refused by user", __func__);
1018
			/* prepare reply */
1019
			buffer_put_int(r, MUX_S_PERMISSION_DENIED);
1020
			buffer_put_int(r, rid);
1021
			buffer_put_cstring(r, "Permission denied");
1022
			goto cleanup;
1023
		}
1024
	}
1025
1026
	/* enable nonblocking unless tty */
1027
	if (!isatty(new_fd[0]))
1028
		set_nonblock(new_fd[0]);
1029
	if (!isatty(new_fd[1]))
1030
		set_nonblock(new_fd[1]);
1031
1032
	nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1]);
1033
1034
	nc->ctl_chan = c->self;		/* link session -> control channel */
1035
	c->remote_id = nc->self; 	/* link control -> session channel */
1036
	c->have_remote_id = 1;
1037
1038
	debug2("%s: channel_new: %d linked to control channel %d",
1039
	    __func__, nc->self, nc->ctl_chan);
1040
1041
	channel_register_cleanup(ssh, nc->self,
1042
	    mux_master_session_cleanup_cb, 1);
1043
1044
	cctx = xcalloc(1, sizeof(*cctx));
1045
	cctx->rid = rid;
1046
	channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx);
1047
	c->mux_pause = 1; /* stop handling messages until open_confirm done */
1048
1049
	/* reply is deferred, sent by mux_session_confirm */
1050
	return 0;
1051
}
1052
1053
/* Callback on open confirmation in mux master for a mux stdio fwd session. */
1054
static void
1055
mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg)
1056
{
1057
	struct mux_stdio_confirm_ctx *cctx = arg;
1058
	Channel *c, *cc;
1059
	Buffer reply;
1060
1061
	if (cctx == NULL)
1062
		fatal("%s: cctx == NULL", __func__);
1063
	if ((c = channel_by_id(ssh, id)) == NULL)
1064
		fatal("%s: no channel for id %d", __func__, id);
1065
	if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1066
		fatal("%s: channel %d lacks control channel %d", __func__,
1067
		    id, c->ctl_chan);
1068
1069
	if (!success) {
1070
		debug3("%s: sending failure reply", __func__);
1071
		/* prepare reply */
1072
		buffer_init(&reply);
1073
		buffer_put_int(&reply, MUX_S_FAILURE);
1074
		buffer_put_int(&reply, cctx->rid);
1075
		buffer_put_cstring(&reply, "Session open refused by peer");
1076
		goto done;
1077
	}
1078
1079
	debug3("%s: sending success reply", __func__);
1080
	/* prepare reply */
1081
	buffer_init(&reply);
1082
	buffer_put_int(&reply, MUX_S_SESSION_OPENED);
1083
	buffer_put_int(&reply, cctx->rid);
1084
	buffer_put_int(&reply, c->self);
1085
1086
 done:
1087
	/* Send reply */
1088
	buffer_put_string(cc->output, buffer_ptr(&reply), buffer_len(&reply));
1089
	buffer_free(&reply);
1090
1091
	if (cc->mux_pause <= 0)
1092
		fatal("%s: mux_pause %d", __func__, cc->mux_pause);
1093
	cc->mux_pause = 0; /* start processing messages again */
1094
	c->open_confirm_ctx = NULL;
1095
	free(cctx);
1096
}
1097
1098
static int
1099
process_mux_stop_listening(struct ssh *ssh, u_int rid,
1100
    Channel *c, Buffer *m, Buffer *r)
1101
{
1102
	debug("%s: channel %d: stop listening", __func__, c->self);
1103
1104
	if (options.control_master == SSHCTL_MASTER_ASK ||
1105
	    options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1106
		if (!ask_permission("Disable further multiplexing on shared "
1107
		    "connection to %s? ", host)) {
1108
			debug2("%s: stop listen refused by user", __func__);
1109
			buffer_put_int(r, MUX_S_PERMISSION_DENIED);
1110
			buffer_put_int(r, rid);
1111
			buffer_put_cstring(r, "Permission denied");
1112
			return 0;
1113
		}
1114
	}
1115
1116
	if (mux_listener_channel != NULL) {
1117
		channel_free(ssh, mux_listener_channel);
1118
		client_stop_mux();
1119
		free(options.control_path);
1120
		options.control_path = NULL;
1121
		mux_listener_channel = NULL;
1122
		muxserver_sock = -1;
1123
	}
1124
1125
	/* prepare reply */
1126
	buffer_put_int(r, MUX_S_OK);
1127
	buffer_put_int(r, rid);
1128
1129
	return 0;
1130
}
1131
1132
static int
1133
process_mux_proxy(struct ssh *ssh, u_int rid,
1134
    Channel *c, Buffer *m, Buffer *r)
1135
{
1136
	debug("%s: channel %d: proxy request", __func__, c->self);
1137
1138
	c->mux_rcb = channel_proxy_downstream;
1139
	buffer_put_int(r, MUX_S_PROXY);
1140
	buffer_put_int(r, rid);
1141
1142
	return 0;
1143
}
1144
1145
/* Channel callbacks fired on read/write from mux slave fd */
1146
static int
1147
mux_master_read_cb(struct ssh *ssh, Channel *c)
1148
{
1149
	struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
1150
	Buffer in, out;
1151
	const u_char *ptr;
1152
	u_int type, rid, have, i;
1153
	int ret = -1;
1154
1155
	/* Setup ctx and  */
1156
	if (c->mux_ctx == NULL) {
1157
		state = xcalloc(1, sizeof(*state));
1158
		c->mux_ctx = state;
1159
		channel_register_cleanup(ssh, c->self,
1160
		    mux_master_control_cleanup_cb, 0);
1161
1162
		/* Send hello */
1163
		buffer_init(&out);
1164
		buffer_put_int(&out, MUX_MSG_HELLO);
1165
		buffer_put_int(&out, SSHMUX_VER);
1166
		/* no extensions */
1167
		buffer_put_string(c->output, buffer_ptr(&out),
1168
		    buffer_len(&out));
1169
		buffer_free(&out);
1170
		debug3("%s: channel %d: hello sent", __func__, c->self);
1171
		return 0;
1172
	}
1173
1174
	buffer_init(&in);
1175
	buffer_init(&out);
1176
1177
	/* Channel code ensures that we receive whole packets */
1178
	if ((ptr = buffer_get_string_ptr_ret(c->input, &have)) == NULL) {
1179
 malf:
1180
		error("%s: malformed message", __func__);
1181
		goto out;
1182
	}
1183
	buffer_append(&in, ptr, have);
1184
1185
	if (buffer_get_int_ret(&type, &in) != 0)
1186
		goto malf;
1187
	debug3("%s: channel %d packet type 0x%08x len %u",
1188
	    __func__, c->self, type, buffer_len(&in));
1189
1190
	if (type == MUX_MSG_HELLO)
1191
		rid = 0;
1192
	else {
1193
		if (!state->hello_rcvd) {
1194
			error("%s: expected MUX_MSG_HELLO(0x%08x), "
1195
			    "received 0x%08x", __func__, MUX_MSG_HELLO, type);
1196
			goto out;
1197
		}
1198
		if (buffer_get_int_ret(&rid, &in) != 0)
1199
			goto malf;
1200
	}
1201
1202
	for (i = 0; mux_master_handlers[i].handler != NULL; i++) {
1203
		if (type == mux_master_handlers[i].type) {
1204
			ret = mux_master_handlers[i].handler(ssh, rid,
1205
			    c, &in, &out);
1206
			break;
1207
		}
1208
	}
1209
	if (mux_master_handlers[i].handler == NULL) {
1210
		error("%s: unsupported mux message 0x%08x", __func__, type);
1211
		buffer_put_int(&out, MUX_S_FAILURE);
1212
		buffer_put_int(&out, rid);
1213
		buffer_put_cstring(&out, "unsupported request");
1214
		ret = 0;
1215
	}
1216
	/* Enqueue reply packet */
1217
	if (buffer_len(&out) != 0) {
1218
		buffer_put_string(c->output, buffer_ptr(&out),
1219
		    buffer_len(&out));
1220
	}
1221
 out:
1222
	buffer_free(&in);
1223
	buffer_free(&out);
1224
	return ret;
1225
}
1226
1227
void
1228
mux_exit_message(struct ssh *ssh, Channel *c, int exitval)
1229
{
1230
	Buffer m;
1231
	Channel *mux_chan;
1232
1233
	debug3("%s: channel %d: exit message, exitval %d", __func__, c->self,
1234
	    exitval);
1235
1236
	if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1237
		fatal("%s: channel %d missing mux channel %d",
1238
		    __func__, c->self, c->ctl_chan);
1239
1240
	/* Append exit message packet to control socket output queue */
1241
	buffer_init(&m);
1242
	buffer_put_int(&m, MUX_S_EXIT_MESSAGE);
1243
	buffer_put_int(&m, c->self);
1244
	buffer_put_int(&m, exitval);
1245
1246
	buffer_put_string(mux_chan->output, buffer_ptr(&m), buffer_len(&m));
1247
	buffer_free(&m);
1248
}
1249
1250
void
1251
mux_tty_alloc_failed(struct ssh *ssh, Channel *c)
1252
{
1253
	Buffer m;
1254
	Channel *mux_chan;
1255
1256
	debug3("%s: channel %d: TTY alloc failed", __func__, c->self);
1257
1258
	if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1259
		fatal("%s: channel %d missing mux channel %d",
1260
		    __func__, c->self, c->ctl_chan);
1261
1262
	/* Append exit message packet to control socket output queue */
1263
	buffer_init(&m);
1264
	buffer_put_int(&m, MUX_S_TTY_ALLOC_FAIL);
1265
	buffer_put_int(&m, c->self);
1266
1267
	buffer_put_string(mux_chan->output, buffer_ptr(&m), buffer_len(&m));
1268
	buffer_free(&m);
1269
}
1270
1271
/* Prepare a mux master to listen on a Unix domain socket. */
1272
void
1273
muxserver_listen(struct ssh *ssh)
1274
{
1275
	mode_t old_umask;
1276
	char *orig_control_path = options.control_path;
1277
	char rbuf[16+1];
1278
	u_int i, r;
1279
	int oerrno;
1280
1281
	if (options.control_path == NULL ||
1282
	    options.control_master == SSHCTL_MASTER_NO)
1283
		return;
1284
1285
	debug("setting up multiplex master socket");
1286
1287
	/*
1288
	 * Use a temporary path before listen so we can pseudo-atomically
1289
	 * establish the listening socket in its final location to avoid
1290
	 * other processes racing in between bind() and listen() and hitting
1291
	 * an unready socket.
1292
	 */
1293
	for (i = 0; i < sizeof(rbuf) - 1; i++) {
1294
		r = arc4random_uniform(26+26+10);
1295
		rbuf[i] = (r < 26) ? 'a' + r :
1296
		    (r < 26*2) ? 'A' + r - 26 :
1297
		    '0' + r - 26 - 26;
1298
	}
1299
	rbuf[sizeof(rbuf) - 1] = '\0';
1300
	options.control_path = NULL;
1301
	xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf);
1302
	debug3("%s: temporary control path %s", __func__, options.control_path);
1303
1304
	old_umask = umask(0177);
1305
	muxserver_sock = unix_listener(options.control_path, 64, 0);
1306
	oerrno = errno;
1307
	umask(old_umask);
1308
	if (muxserver_sock < 0) {
1309
		if (oerrno == EINVAL || oerrno == EADDRINUSE) {
1310
			error("ControlSocket %s already exists, "
1311
			    "disabling multiplexing", options.control_path);
1312
 disable_mux_master:
1313
			if (muxserver_sock != -1) {
1314
				close(muxserver_sock);
1315
				muxserver_sock = -1;
1316
			}
1317
			free(orig_control_path);
1318
			free(options.control_path);
1319
			options.control_path = NULL;
1320
			options.control_master = SSHCTL_MASTER_NO;
1321
			return;
1322
		} else {
1323
			/* unix_listener() logs the error */
1324
			cleanup_exit(255);
1325
		}
1326
	}
1327
1328
	/* Now atomically "move" the mux socket into position */
1329
	if (link(options.control_path, orig_control_path) != 0) {
1330
		if (errno != EEXIST) {
1331
			fatal("%s: link mux listener %s => %s: %s", __func__,
1332
			    options.control_path, orig_control_path,
1333
			    strerror(errno));
1334
		}
1335
		error("ControlSocket %s already exists, disabling multiplexing",
1336
		    orig_control_path);
1337
		unlink(options.control_path);
1338
		goto disable_mux_master;
1339
	}
1340
	unlink(options.control_path);
1341
	free(options.control_path);
1342
	options.control_path = orig_control_path;
1343
1344
	set_nonblock(muxserver_sock);
1345
1346
	mux_listener_channel = channel_new(ssh, "mux listener",
1347
	    SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1,
1348
	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1349
	    0, options.control_path, 1);
1350
	mux_listener_channel->mux_rcb = mux_master_read_cb;
1351
	debug3("%s: mux listener channel %d fd %d", __func__,
1352
	    mux_listener_channel->self, mux_listener_channel->sock);
1353
}
1354
1355
/* Callback on open confirmation in mux master for a mux client session. */
1356
static void
1357
mux_session_confirm(struct ssh *ssh, int id, int success, void *arg)
1358
{
1359
	struct mux_session_confirm_ctx *cctx = arg;
1360
	const char *display;
1361
	Channel *c, *cc;
1362
	int i;
1363
	Buffer reply;
1364
1365
	if (cctx == NULL)
1366
		fatal("%s: cctx == NULL", __func__);
1367
	if ((c = channel_by_id(ssh, id)) == NULL)
1368
		fatal("%s: no channel for id %d", __func__, id);
1369
	if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1370
		fatal("%s: channel %d lacks control channel %d", __func__,
1371
		    id, c->ctl_chan);
1372
1373
	if (!success) {
1374
		debug3("%s: sending failure reply", __func__);
1375
		/* prepare reply */
1376
		buffer_init(&reply);
1377
		buffer_put_int(&reply, MUX_S_FAILURE);
1378
		buffer_put_int(&reply, cctx->rid);
1379
		buffer_put_cstring(&reply, "Session open refused by peer");
1380
		goto done;
1381
	}
1382
1383
	display = getenv("DISPLAY");
1384
	if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
1385
		char *proto, *data;
1386
1387
		/* Get reasonable local authentication information. */
1388
		if (client_x11_get_proto(ssh, display, options.xauth_location,
1389
		    options.forward_x11_trusted, options.forward_x11_timeout,
1390
		    &proto, &data) == 0) {
1391
			/* Request forwarding with authentication spoofing. */
1392
			debug("Requesting X11 forwarding with authentication "
1393
			    "spoofing.");
1394
			x11_request_forwarding_with_spoofing(ssh, id,
1395
			    display, proto, data, 1);
1396
			/* XXX exit_on_forward_failure */
1397
			client_expect_confirm(ssh, id, "X11 forwarding",
1398
			    CONFIRM_WARN);
1399
		}
1400
	}
1401
1402
	if (cctx->want_agent_fwd && options.forward_agent) {
1403
		debug("Requesting authentication agent forwarding.");
1404
		channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0);
1405
		packet_send();
1406
	}
1407
1408
	client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,
1409
	    cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env);
1410
1411
	debug3("%s: sending success reply", __func__);
1412
	/* prepare reply */
1413
	buffer_init(&reply);
1414
	buffer_put_int(&reply, MUX_S_SESSION_OPENED);
1415
	buffer_put_int(&reply, cctx->rid);
1416
	buffer_put_int(&reply, c->self);
1417
1418
 done:
1419
	/* Send reply */
1420
	buffer_put_string(cc->output, buffer_ptr(&reply), buffer_len(&reply));
1421
	buffer_free(&reply);
1422
1423
	if (cc->mux_pause <= 0)
1424
		fatal("%s: mux_pause %d", __func__, cc->mux_pause);
1425
	cc->mux_pause = 0; /* start processing messages again */
1426
	c->open_confirm_ctx = NULL;
1427
	buffer_free(&cctx->cmd);
1428
	free(cctx->term);
1429
	if (cctx->env != NULL) {
1430
		for (i = 0; cctx->env[i] != NULL; i++)
1431
			free(cctx->env[i]);
1432
		free(cctx->env);
1433
	}
1434
	free(cctx);
1435
}
1436
1437
/* ** Multiplexing client support */
1438
1439
/* Exit signal handler */
1440
static void
1441
control_client_sighandler(int signo)
1442
{
1443
	muxclient_terminate = signo;
1444
}
1445
1446
/*
1447
 * Relay signal handler - used to pass some signals from mux client to
1448
 * mux master.
1449
 */
1450
static void
1451
control_client_sigrelay(int signo)
1452
{
1453
	int save_errno = errno;
1454
1455
	if (muxserver_pid > 1)
1456
		kill(muxserver_pid, signo);
1457
1458
	errno = save_errno;
1459
}
1460
1461
static int
1462
mux_client_read(int fd, Buffer *b, u_int need)
1463
{
1464
	u_int have;
1465
	ssize_t len;
1466
	u_char *p;
1467
	struct pollfd pfd;
1468
1469
	pfd.fd = fd;
1470
	pfd.events = POLLIN;
1471
	p = buffer_append_space(b, need);
1472
	for (have = 0; have < need; ) {
1473
		if (muxclient_terminate) {
1474
			errno = EINTR;
1475
			return -1;
1476
		}
1477
		len = read(fd, p + have, need - have);
1478
		if (len < 0) {
1479
			switch (errno) {
1480
			case EAGAIN:
1481
				(void)poll(&pfd, 1, -1);
1482
				/* FALLTHROUGH */
1483
			case EINTR:
1484
				continue;
1485
			default:
1486
				return -1;
1487
			}
1488
		}
1489
		if (len == 0) {
1490
			errno = EPIPE;
1491
			return -1;
1492
		}
1493
		have += (u_int)len;
1494
	}
1495
	return 0;
1496
}
1497
1498
static int
1499
mux_client_write_packet(int fd, Buffer *m)
1500
{
1501
	Buffer queue;
1502
	u_int have, need;
1503
	int oerrno, len;
1504
	u_char *ptr;
1505
	struct pollfd pfd;
1506
1507
	pfd.fd = fd;
1508
	pfd.events = POLLOUT;
1509
	buffer_init(&queue);
1510
	buffer_put_string(&queue, buffer_ptr(m), buffer_len(m));
1511
1512
	need = buffer_len(&queue);
1513
	ptr = buffer_ptr(&queue);
1514
1515
	for (have = 0; have < need; ) {
1516
		if (muxclient_terminate) {
1517
			buffer_free(&queue);
1518
			errno = EINTR;
1519
			return -1;
1520
		}
1521
		len = write(fd, ptr + have, need - have);
1522
		if (len < 0) {
1523
			switch (errno) {
1524
			case EAGAIN:
1525
				(void)poll(&pfd, 1, -1);
1526
				/* FALLTHROUGH */
1527
			case EINTR:
1528
				continue;
1529
			default:
1530
				oerrno = errno;
1531
				buffer_free(&queue);
1532
				errno = oerrno;
1533
				return -1;
1534
			}
1535
		}
1536
		if (len == 0) {
1537
			buffer_free(&queue);
1538
			errno = EPIPE;
1539
			return -1;
1540
		}
1541
		have += (u_int)len;
1542
	}
1543
	buffer_free(&queue);
1544
	return 0;
1545
}
1546
1547
static int
1548
mux_client_read_packet(int fd, Buffer *m)
1549
{
1550
	Buffer queue;
1551
	u_int need, have;
1552
	const u_char *ptr;
1553
	int oerrno;
1554
1555
	buffer_init(&queue);
1556
	if (mux_client_read(fd, &queue, 4) != 0) {
1557
		if ((oerrno = errno) == EPIPE)
1558
			debug3("%s: read header failed: %s", __func__,
1559
			    strerror(errno));
1560
		buffer_free(&queue);
1561
		errno = oerrno;
1562
		return -1;
1563
	}
1564
	need = get_u32(buffer_ptr(&queue));
1565
	if (mux_client_read(fd, &queue, need) != 0) {
1566
		oerrno = errno;
1567
		debug3("%s: read body failed: %s", __func__, strerror(errno));
1568
		buffer_free(&queue);
1569
		errno = oerrno;
1570
		return -1;
1571
	}
1572
	ptr = buffer_get_string_ptr(&queue, &have);
1573
	buffer_append(m, ptr, have);
1574
	buffer_free(&queue);
1575
	return 0;
1576
}
1577
1578
static int
1579
mux_client_hello_exchange(int fd)
1580
{
1581
	Buffer m;
1582
	u_int type, ver;
1583
	int ret = -1;
1584
1585
	buffer_init(&m);
1586
	buffer_put_int(&m, MUX_MSG_HELLO);
1587
	buffer_put_int(&m, SSHMUX_VER);
1588
	/* no extensions */
1589
1590
	if (mux_client_write_packet(fd, &m) != 0) {
1591
		debug("%s: write packet: %s", __func__, strerror(errno));
1592
		goto out;
1593
	}
1594
1595
	buffer_clear(&m);
1596
1597
	/* Read their HELLO */
1598
	if (mux_client_read_packet(fd, &m) != 0) {
1599
		debug("%s: read packet failed", __func__);
1600
		goto out;
1601
	}
1602
1603
	type = buffer_get_int(&m);
1604
	if (type != MUX_MSG_HELLO) {
1605
		error("%s: expected HELLO (%u) received %u",
1606
		    __func__, MUX_MSG_HELLO, type);
1607
		goto out;
1608
	}
1609
	ver = buffer_get_int(&m);
1610
	if (ver != SSHMUX_VER) {
1611
		error("Unsupported multiplexing protocol version %d "
1612
		    "(expected %d)", ver, SSHMUX_VER);
1613
		goto out;
1614
	}
1615
	debug2("%s: master version %u", __func__, ver);
1616
	/* No extensions are presently defined */
1617
	while (buffer_len(&m) > 0) {
1618
		char *name = buffer_get_string(&m, NULL);
1619
		char *value = buffer_get_string(&m, NULL);
1620
1621
		debug2("Unrecognised master extension \"%s\"", name);
1622
		free(name);
1623
		free(value);
1624
	}
1625
	/* success */
1626
	ret = 0;
1627
 out:
1628
	buffer_free(&m);
1629
	return ret;
1630
}
1631
1632
static u_int
1633
mux_client_request_alive(int fd)
1634
{
1635
	Buffer m;
1636
	char *e;
1637
	u_int pid, type, rid;
1638
1639
	debug3("%s: entering", __func__);
1640
1641
	buffer_init(&m);
1642
	buffer_put_int(&m, MUX_C_ALIVE_CHECK);
1643
	buffer_put_int(&m, muxclient_request_id);
1644
1645
	if (mux_client_write_packet(fd, &m) != 0)
1646
		fatal("%s: write packet: %s", __func__, strerror(errno));
1647
1648
	buffer_clear(&m);
1649
1650
	/* Read their reply */
1651
	if (mux_client_read_packet(fd, &m) != 0) {
1652
		buffer_free(&m);
1653
		return 0;
1654
	}
1655
1656
	type = buffer_get_int(&m);
1657
	if (type != MUX_S_ALIVE) {
1658
		e = buffer_get_string(&m, NULL);
1659
		fatal("%s: master returned error: %s", __func__, e);
1660
	}
1661
1662
	if ((rid = buffer_get_int(&m)) != muxclient_request_id)
1663
		fatal("%s: out of sequence reply: my id %u theirs %u",
1664
		    __func__, muxclient_request_id, rid);
1665
	pid = buffer_get_int(&m);
1666
	buffer_free(&m);
1667
1668
	debug3("%s: done pid = %u", __func__, pid);
1669
1670
	muxclient_request_id++;
1671
1672
	return pid;
1673
}
1674
1675
static void
1676
mux_client_request_terminate(int fd)
1677
{
1678
	Buffer m;
1679
	char *e;
1680
	u_int type, rid;
1681
1682
	debug3("%s: entering", __func__);
1683
1684
	buffer_init(&m);
1685
	buffer_put_int(&m, MUX_C_TERMINATE);
1686
	buffer_put_int(&m, muxclient_request_id);
1687
1688
	if (mux_client_write_packet(fd, &m) != 0)
1689
		fatal("%s: write packet: %s", __func__, strerror(errno));
1690
1691
	buffer_clear(&m);
1692
1693
	/* Read their reply */
1694
	if (mux_client_read_packet(fd, &m) != 0) {
1695
		/* Remote end exited already */
1696
		if (errno == EPIPE) {
1697
			buffer_free(&m);
1698
			return;
1699
		}
1700
		fatal("%s: read from master failed: %s",
1701
		    __func__, strerror(errno));
1702
	}
1703
1704
	type = buffer_get_int(&m);
1705
	if ((rid = buffer_get_int(&m)) != muxclient_request_id)
1706
		fatal("%s: out of sequence reply: my id %u theirs %u",
1707
		    __func__, muxclient_request_id, rid);
1708
	switch (type) {
1709
	case MUX_S_OK:
1710
		break;
1711
	case MUX_S_PERMISSION_DENIED:
1712
		e = buffer_get_string(&m, NULL);
1713
		fatal("Master refused termination request: %s", e);
1714
	case MUX_S_FAILURE:
1715
		e = buffer_get_string(&m, NULL);
1716
		fatal("%s: termination request failed: %s", __func__, e);
1717
	default:
1718
		fatal("%s: unexpected response from master 0x%08x",
1719
		    __func__, type);
1720
	}
1721
	buffer_free(&m);
1722
	muxclient_request_id++;
1723
}
1724
1725
static int
1726
mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
1727
{
1728
	Buffer m;
1729
	char *e, *fwd_desc;
1730
	u_int type, rid;
1731
1732
	fwd_desc = format_forward(ftype, fwd);
1733
	debug("Requesting %s %s",
1734
	    cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
1735
	free(fwd_desc);
1736
1737
	buffer_init(&m);
1738
	buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
1739
	buffer_put_int(&m, muxclient_request_id);
1740
	buffer_put_int(&m, ftype);
1741
	if (fwd->listen_path != NULL) {
1742
		buffer_put_cstring(&m, fwd->listen_path);
1743
	} else {
1744
		buffer_put_cstring(&m,
1745
		    fwd->listen_host == NULL ? "" :
1746
		    (*fwd->listen_host == '\0' ? "*" : fwd->listen_host));
1747
	}
1748
	buffer_put_int(&m, fwd->listen_port);
1749
	if (fwd->connect_path != NULL) {
1750
		buffer_put_cstring(&m, fwd->connect_path);
1751
	} else {
1752
		buffer_put_cstring(&m,
1753
		    fwd->connect_host == NULL ? "" : fwd->connect_host);
1754
	}
1755
	buffer_put_int(&m, fwd->connect_port);
1756
1757
	if (mux_client_write_packet(fd, &m) != 0)
1758
		fatal("%s: write packet: %s", __func__, strerror(errno));
1759
1760
	buffer_clear(&m);
1761
1762
	/* Read their reply */
1763
	if (mux_client_read_packet(fd, &m) != 0) {
1764
		buffer_free(&m);
1765
		return -1;
1766
	}
1767
1768
	type = buffer_get_int(&m);
1769
	if ((rid = buffer_get_int(&m)) != muxclient_request_id)
1770
		fatal("%s: out of sequence reply: my id %u theirs %u",
1771
		    __func__, muxclient_request_id, rid);
1772
	switch (type) {
1773
	case MUX_S_OK:
1774
		break;
1775
	case MUX_S_REMOTE_PORT:
1776
		if (cancel_flag)
1777
			fatal("%s: got MUX_S_REMOTE_PORT for cancel", __func__);
1778
		fwd->allocated_port = buffer_get_int(&m);
1779
		verbose("Allocated port %u for remote forward to %s:%d",
1780
		    fwd->allocated_port,
1781
		    fwd->connect_host ? fwd->connect_host : "",
1782
		    fwd->connect_port);
1783
		if (muxclient_command == SSHMUX_COMMAND_FORWARD)
1784
			fprintf(stdout, "%i\n", fwd->allocated_port);
1785
		break;
1786
	case MUX_S_PERMISSION_DENIED:
1787
		e = buffer_get_string(&m, NULL);
1788
		buffer_free(&m);
1789
		error("Master refused forwarding request: %s", e);
1790
		return -1;
1791
	case MUX_S_FAILURE:
1792
		e = buffer_get_string(&m, NULL);
1793
		buffer_free(&m);
1794
		error("%s: forwarding request failed: %s", __func__, e);
1795
		return -1;
1796
	default:
1797
		fatal("%s: unexpected response from master 0x%08x",
1798
		    __func__, type);
1799
	}
1800
	buffer_free(&m);
1801
1802
	muxclient_request_id++;
1803
	return 0;
1804
}
1805
1806
static int
1807
mux_client_forwards(int fd, int cancel_flag)
1808
{
1809
	int i, ret = 0;
1810
1811
	debug3("%s: %s forwardings: %d local, %d remote", __func__,
1812
	    cancel_flag ? "cancel" : "request",
1813
	    options.num_local_forwards, options.num_remote_forwards);
1814
1815
	/* XXX ExitOnForwardingFailure */
1816
	for (i = 0; i < options.num_local_forwards; i++) {
1817
		if (mux_client_forward(fd, cancel_flag,
1818
		    options.local_forwards[i].connect_port == 0 ?
1819
		    MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
1820
		    options.local_forwards + i) != 0)
1821
			ret = -1;
1822
	}
1823
	for (i = 0; i < options.num_remote_forwards; i++) {
1824
		if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE,
1825
		    options.remote_forwards + i) != 0)
1826
			ret = -1;
1827
	}
1828
	return ret;
1829
}
1830
1831
static int
1832
mux_client_request_session(int fd)
1833
{
1834
	Buffer m;
1835
	char *e, *term;
1836
	u_int i, rid, sid, esid, exitval, type, exitval_seen;
1837
	extern char **environ;
1838
	int devnull, rawmode;
1839
1840
	debug3("%s: entering", __func__);
1841
1842
	if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
1843
		error("%s: master alive request failed", __func__);
1844
		return -1;
1845
	}
1846
1847
	signal(SIGPIPE, SIG_IGN);
1848
1849
	if (stdin_null_flag) {
1850
		if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1)
1851
			fatal("open(/dev/null): %s", strerror(errno));
1852
		if (dup2(devnull, STDIN_FILENO) == -1)
1853
			fatal("dup2: %s", strerror(errno));
1854
		if (devnull > STDERR_FILENO)
1855
			close(devnull);
1856
	}
1857
1858
	term = getenv("TERM");
1859
1860
	buffer_init(&m);
1861
	buffer_put_int(&m, MUX_C_NEW_SESSION);
1862
	buffer_put_int(&m, muxclient_request_id);
1863
	buffer_put_cstring(&m, ""); /* reserved */
1864
	buffer_put_int(&m, tty_flag);
1865
	buffer_put_int(&m, options.forward_x11);
1866
	buffer_put_int(&m, options.forward_agent);
1867
	buffer_put_int(&m, subsystem_flag);
1868
	buffer_put_int(&m, options.escape_char == SSH_ESCAPECHAR_NONE ?
1869
	    0xffffffff : (u_int)options.escape_char);
1870
	buffer_put_cstring(&m, term == NULL ? "" : term);
1871
	buffer_put_string(&m, buffer_ptr(&command), buffer_len(&command));
1872
1873
	if (options.num_send_env > 0 && environ != NULL) {
1874
		/* Pass environment */
1875
		for (i = 0; environ[i] != NULL; i++) {
1876
			if (env_permitted(environ[i])) {
1877
				buffer_put_cstring(&m, environ[i]);
1878
			}
1879
		}
1880
	}
1881
1882
	if (mux_client_write_packet(fd, &m) != 0)
1883
		fatal("%s: write packet: %s", __func__, strerror(errno));
1884
1885
	/* Send the stdio file descriptors */
1886
	if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
1887
	    mm_send_fd(fd, STDOUT_FILENO) == -1 ||
1888
	    mm_send_fd(fd, STDERR_FILENO) == -1)
1889
		fatal("%s: send fds failed", __func__);
1890
1891
	debug3("%s: session request sent", __func__);
1892
1893
	/* Read their reply */
1894
	buffer_clear(&m);
1895
	if (mux_client_read_packet(fd, &m) != 0) {
1896
		error("%s: read from master failed: %s",
1897
		    __func__, strerror(errno));
1898
		buffer_free(&m);
1899
		return -1;
1900
	}
1901
1902
	type = buffer_get_int(&m);
1903
	if ((rid = buffer_get_int(&m)) != muxclient_request_id)
1904
		fatal("%s: out of sequence reply: my id %u theirs %u",
1905
		    __func__, muxclient_request_id, rid);
1906
	switch (type) {
1907
	case MUX_S_SESSION_OPENED:
1908
		sid = buffer_get_int(&m);
1909
		debug("%s: master session id: %u", __func__, sid);
1910
		break;
1911
	case MUX_S_PERMISSION_DENIED:
1912
		e = buffer_get_string(&m, NULL);
1913
		buffer_free(&m);
1914
		error("Master refused session request: %s", e);
1915
		return -1;
1916
	case MUX_S_FAILURE:
1917
		e = buffer_get_string(&m, NULL);
1918
		buffer_free(&m);
1919
		error("%s: session request failed: %s", __func__, e);
1920
		return -1;
1921
	default:
1922
		buffer_free(&m);
1923
		error("%s: unexpected response from master 0x%08x",
1924
		    __func__, type);
1925
		return -1;
1926
	}
1927
	muxclient_request_id++;
1928
1929
	if (pledge("stdio proc tty flock rpath cpath wpath", NULL) == -1)
1930
		fatal("%s pledge(): %s", __func__, strerror(errno));
1931
1932
	signal(SIGHUP, control_client_sighandler);
1933
	signal(SIGINT, control_client_sighandler);
1934
	signal(SIGTERM, control_client_sighandler);
1935
	signal(SIGWINCH, control_client_sigrelay);
1936
1937
	rawmode = tty_flag;
1938
	if (tty_flag)
1939
		enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
1940
1941
	/*
1942
	 * Stick around until the controlee closes the client_fd.
1943
	 * Before it does, it is expected to write an exit message.
1944
	 * This process must read the value and wait for the closure of
1945
	 * the client_fd; if this one closes early, the multiplex master will
1946
	 * terminate early too (possibly losing data).
1947
	 */
1948
	for (exitval = 255, exitval_seen = 0;;) {
1949
		buffer_clear(&m);
1950
		if (mux_client_read_packet(fd, &m) != 0)
1951
			break;
1952
		type = buffer_get_int(&m);
1953
		switch (type) {
1954
		case MUX_S_TTY_ALLOC_FAIL:
1955
			if ((esid = buffer_get_int(&m)) != sid)
1956
				fatal("%s: tty alloc fail on unknown session: "
1957
				    "my id %u theirs %u",
1958
				    __func__, sid, esid);
1959
			leave_raw_mode(options.request_tty ==
1960
			    REQUEST_TTY_FORCE);
1961
			rawmode = 0;
1962
			continue;
1963
		case MUX_S_EXIT_MESSAGE:
1964
			if ((esid = buffer_get_int(&m)) != sid)
1965
				fatal("%s: exit on unknown session: "
1966
				    "my id %u theirs %u",
1967
				    __func__, sid, esid);
1968
			if (exitval_seen)
1969
				fatal("%s: exitval sent twice", __func__);
1970
			exitval = buffer_get_int(&m);
1971
			exitval_seen = 1;
1972
			continue;
1973
		default:
1974
			e = buffer_get_string(&m, NULL);
1975
			fatal("%s: master returned error: %s", __func__, e);
1976
		}
1977
	}
1978
1979
	close(fd);
1980
	if (rawmode)
1981
		leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
1982
1983
	if (muxclient_terminate) {
1984
		debug2("Exiting on signal: %s", strsignal(muxclient_terminate));
1985
		exitval = 255;
1986
	} else if (!exitval_seen) {
1987
		debug2("Control master terminated unexpectedly");
1988
		exitval = 255;
1989
	} else
1990
		debug2("Received exit status from master %d", exitval);
1991
1992
	if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
1993
		fprintf(stderr, "Shared connection to %s closed.\r\n", host);
1994
1995
	exit(exitval);
1996
}
1997
1998
static int
1999
mux_client_proxy(int fd)
2000
{
2001
	Buffer m;
2002
	char *e;
2003
	u_int type, rid;
2004
2005
	buffer_init(&m);
2006
	buffer_put_int(&m, MUX_C_PROXY);
2007
	buffer_put_int(&m, muxclient_request_id);
2008
	if (mux_client_write_packet(fd, &m) != 0)
2009
		fatal("%s: write packet: %s", __func__, strerror(errno));
2010
2011
	buffer_clear(&m);
2012
2013
	/* Read their reply */
2014
	if (mux_client_read_packet(fd, &m) != 0) {
2015
		buffer_free(&m);
2016
		return 0;
2017
	}
2018
	type = buffer_get_int(&m);
2019
	if (type != MUX_S_PROXY) {
2020
		e = buffer_get_string(&m, NULL);
2021
		fatal("%s: master returned error: %s", __func__, e);
2022
	}
2023
	if ((rid = buffer_get_int(&m)) != muxclient_request_id)
2024
		fatal("%s: out of sequence reply: my id %u theirs %u",
2025
		    __func__, muxclient_request_id, rid);
2026
	buffer_free(&m);
2027
2028
	debug3("%s: done", __func__);
2029
	muxclient_request_id++;
2030
	return 0;
2031
}
2032
2033
static int
2034
mux_client_request_stdio_fwd(int fd)
2035
{
2036
	Buffer m;
2037
	char *e;
2038
	u_int type, rid, sid;
2039
	int devnull;
2040
2041
	debug3("%s: entering", __func__);
2042
2043
	if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
2044
		error("%s: master alive request failed", __func__);
2045
		return -1;
2046
	}
2047
2048
	signal(SIGPIPE, SIG_IGN);
2049
2050
	if (stdin_null_flag) {
2051
		if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1)
2052
			fatal("open(/dev/null): %s", strerror(errno));
2053
		if (dup2(devnull, STDIN_FILENO) == -1)
2054
			fatal("dup2: %s", strerror(errno));
2055
		if (devnull > STDERR_FILENO)
2056
			close(devnull);
2057
	}
2058
2059
	buffer_init(&m);
2060
	buffer_put_int(&m, MUX_C_NEW_STDIO_FWD);
2061
	buffer_put_int(&m, muxclient_request_id);
2062
	buffer_put_cstring(&m, ""); /* reserved */
2063
	buffer_put_cstring(&m, options.stdio_forward_host);
2064
	buffer_put_int(&m, options.stdio_forward_port);
2065
2066
	if (mux_client_write_packet(fd, &m) != 0)
2067
		fatal("%s: write packet: %s", __func__, strerror(errno));
2068
2069
	/* Send the stdio file descriptors */
2070
	if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
2071
	    mm_send_fd(fd, STDOUT_FILENO) == -1)
2072
		fatal("%s: send fds failed", __func__);
2073
2074
	if (pledge("stdio proc tty flock rpath cpath wpath", NULL) == -1)
2075
		fatal("%s pledge(): %s", __func__, strerror(errno));
2076
2077
	debug3("%s: stdio forward request sent", __func__);
2078
2079
	/* Read their reply */
2080
	buffer_clear(&m);
2081
2082
	if (mux_client_read_packet(fd, &m) != 0) {
2083
		error("%s: read from master failed: %s",
2084
		    __func__, strerror(errno));
2085
		buffer_free(&m);
2086
		return -1;
2087
	}
2088
2089
	type = buffer_get_int(&m);
2090
	if ((rid = buffer_get_int(&m)) != muxclient_request_id)
2091
		fatal("%s: out of sequence reply: my id %u theirs %u",
2092
		    __func__, muxclient_request_id, rid);
2093
	switch (type) {
2094
	case MUX_S_SESSION_OPENED:
2095
		sid = buffer_get_int(&m);
2096
		debug("%s: master session id: %u", __func__, sid);
2097
		break;
2098
	case MUX_S_PERMISSION_DENIED:
2099
		e = buffer_get_string(&m, NULL);
2100
		buffer_free(&m);
2101
		fatal("Master refused stdio forwarding request: %s", e);
2102
	case MUX_S_FAILURE:
2103
		e = buffer_get_string(&m, NULL);
2104
		buffer_free(&m);
2105
		fatal("Stdio forwarding request failed: %s", e);
2106
	default:
2107
		buffer_free(&m);
2108
		error("%s: unexpected response from master 0x%08x",
2109
		    __func__, type);
2110
		return -1;
2111
	}
2112
	muxclient_request_id++;
2113
2114
	signal(SIGHUP, control_client_sighandler);
2115
	signal(SIGINT, control_client_sighandler);
2116
	signal(SIGTERM, control_client_sighandler);
2117
	signal(SIGWINCH, control_client_sigrelay);
2118
2119
	/*
2120
	 * Stick around until the controlee closes the client_fd.
2121
	 */
2122
	buffer_clear(&m);
2123
	if (mux_client_read_packet(fd, &m) != 0) {
2124
		if (errno == EPIPE ||
2125
		    (errno == EINTR && muxclient_terminate != 0))
2126
			return 0;
2127
		fatal("%s: mux_client_read_packet: %s",
2128
		    __func__, strerror(errno));
2129
	}
2130
	fatal("%s: master returned unexpected message %u", __func__, type);
2131
}
2132
2133
static void
2134
mux_client_request_stop_listening(int fd)
2135
{
2136
	Buffer m;
2137
	char *e;
2138
	u_int type, rid;
2139
2140
	debug3("%s: entering", __func__);
2141
2142
	buffer_init(&m);
2143
	buffer_put_int(&m, MUX_C_STOP_LISTENING);
2144
	buffer_put_int(&m, muxclient_request_id);
2145
2146
	if (mux_client_write_packet(fd, &m) != 0)
2147
		fatal("%s: write packet: %s", __func__, strerror(errno));
2148
2149
	buffer_clear(&m);
2150
2151
	/* Read their reply */
2152
	if (mux_client_read_packet(fd, &m) != 0)
2153
		fatal("%s: read from master failed: %s",
2154
		    __func__, strerror(errno));
2155
2156
	type = buffer_get_int(&m);
2157
	if ((rid = buffer_get_int(&m)) != muxclient_request_id)
2158
		fatal("%s: out of sequence reply: my id %u theirs %u",
2159
		    __func__, muxclient_request_id, rid);
2160
	switch (type) {
2161
	case MUX_S_OK:
2162
		break;
2163
	case MUX_S_PERMISSION_DENIED:
2164
		e = buffer_get_string(&m, NULL);
2165
		fatal("Master refused stop listening request: %s", e);
2166
	case MUX_S_FAILURE:
2167
		e = buffer_get_string(&m, NULL);
2168
		fatal("%s: stop listening request failed: %s", __func__, e);
2169
	default:
2170
		fatal("%s: unexpected response from master 0x%08x",
2171
		    __func__, type);
2172
	}
2173
	buffer_free(&m);
2174
	muxclient_request_id++;
2175
}
2176
2177
/* Multiplex client main loop. */
2178
int
2179
muxclient(const char *path)
2180
{
2181
	struct sockaddr_un addr;
2182
	int sock;
2183
	u_int pid;
2184
2185
	if (muxclient_command == 0) {
2186
		if (options.stdio_forward_host != NULL)
2187
			muxclient_command = SSHMUX_COMMAND_STDIO_FWD;
2188
		else
2189
			muxclient_command = SSHMUX_COMMAND_OPEN;
2190
	}
2191
2192
	switch (options.control_master) {
2193
	case SSHCTL_MASTER_AUTO:
2194
	case SSHCTL_MASTER_AUTO_ASK:
2195
		debug("auto-mux: Trying existing master");
2196
		/* FALLTHROUGH */
2197
	case SSHCTL_MASTER_NO:
2198
		break;
2199
	default:
2200
		return -1;
2201
	}
2202
2203
	memset(&addr, '\0', sizeof(addr));
2204
	addr.sun_family = AF_UNIX;
2205
2206
	if (strlcpy(addr.sun_path, path,
2207
	    sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
2208
		fatal("ControlPath too long ('%s' >= %u bytes)", path,
2209
		     (unsigned int)sizeof(addr.sun_path));
2210
2211
	if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
2212
		fatal("%s socket(): %s", __func__, strerror(errno));
2213
2214
	if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
2215
		switch (muxclient_command) {
2216
		case SSHMUX_COMMAND_OPEN:
2217
		case SSHMUX_COMMAND_STDIO_FWD:
2218
			break;
2219
		default:
2220
			fatal("Control socket connect(%.100s): %s", path,
2221
			    strerror(errno));
2222
		}
2223
		if (errno == ECONNREFUSED &&
2224
		    options.control_master != SSHCTL_MASTER_NO) {
2225
			debug("Stale control socket %.100s, unlinking", path);
2226
			unlink(path);
2227
		} else if (errno == ENOENT) {
2228
			debug("Control socket \"%.100s\" does not exist", path);
2229
		} else {
2230
			error("Control socket connect(%.100s): %s", path,
2231
			    strerror(errno));
2232
		}
2233
		close(sock);
2234
		return -1;
2235
	}
2236
	set_nonblock(sock);
2237
2238
	if (mux_client_hello_exchange(sock) != 0) {
2239
		error("%s: master hello exchange failed", __func__);
2240
		close(sock);
2241
		return -1;
2242
	}
2243
2244
	switch (muxclient_command) {
2245
	case SSHMUX_COMMAND_ALIVE_CHECK:
2246
		if ((pid = mux_client_request_alive(sock)) == 0)
2247
			fatal("%s: master alive check failed", __func__);
2248
		fprintf(stderr, "Master running (pid=%u)\r\n", pid);
2249
		exit(0);
2250
	case SSHMUX_COMMAND_TERMINATE:
2251
		mux_client_request_terminate(sock);
2252
		if (options.log_level != SYSLOG_LEVEL_QUIET)
2253
			fprintf(stderr, "Exit request sent.\r\n");
2254
		exit(0);
2255
	case SSHMUX_COMMAND_FORWARD:
2256
		if (mux_client_forwards(sock, 0) != 0)
2257
			fatal("%s: master forward request failed", __func__);
2258
		exit(0);
2259
	case SSHMUX_COMMAND_OPEN:
2260
		if (mux_client_forwards(sock, 0) != 0) {
2261
			error("%s: master forward request failed", __func__);
2262
			return -1;
2263
		}
2264
		mux_client_request_session(sock);
2265
		return -1;
2266
	case SSHMUX_COMMAND_STDIO_FWD:
2267
		mux_client_request_stdio_fwd(sock);
2268
		exit(0);
2269
	case SSHMUX_COMMAND_STOP:
2270
		mux_client_request_stop_listening(sock);
2271
		if (options.log_level != SYSLOG_LEVEL_QUIET)
2272
			fprintf(stderr, "Stop listening request sent.\r\n");
2273
		exit(0);
2274
	case SSHMUX_COMMAND_CANCEL_FWD:
2275
		if (mux_client_forwards(sock, 1) != 0)
2276
			error("%s: master cancel forward request failed",
2277
			    __func__);
2278
		exit(0);
2279
	case SSHMUX_COMMAND_PROXY:
2280
		mux_client_proxy(sock);
2281
		return (sock);
2282
	default:
2283
		fatal("unrecognised muxclient_command %d", muxclient_command);
2284
	}
2285
}