1 /* $OpenBSD: mux.c,v 1.103 2024/10/12 10:50:37 jsg Exp $ */
2 /*
3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 /* ssh session multiplexing support */
19
20 #include <sys/types.h>
21 #include <sys/queue.h>
22 #include <sys/stat.h>
23 #include <sys/socket.h>
24 #include <sys/un.h>
25
26 #include <errno.h>
27 #include <fcntl.h>
28 #include <poll.h>
29 #include <limits.h>
30 #include <signal.h>
31 #include <stdarg.h>
32 #include <stddef.h>
33 #include <stdlib.h>
34 #include <stdio.h>
35 #include <string.h>
36 #include <unistd.h>
37 #include <util.h>
38 #include <paths.h>
39
40 #include "atomicio.h"
41 #include "xmalloc.h"
42 #include "log.h"
43 #include "ssh.h"
44 #include "ssh2.h"
45 #include "pathnames.h"
46 #include "misc.h"
47 #include "match.h"
48 #include "sshbuf.h"
49 #include "channels.h"
50 #include "msg.h"
51 #include "packet.h"
52 #include "monitor_fdpass.h"
53 #include "sshpty.h"
54 #include "sshkey.h"
55 #include "readconf.h"
56 #include "clientloop.h"
57 #include "ssherr.h"
58
59 /* from ssh.c */
60 extern int tty_flag;
61 extern Options options;
62 extern char *host;
63 extern struct sshbuf *command;
64 extern volatile sig_atomic_t quit_pending;
65
66 /* Context for session open confirmation callback */
67 struct mux_session_confirm_ctx {
68 u_int want_tty;
69 u_int want_subsys;
70 u_int want_x_fwd;
71 u_int want_agent_fwd;
72 struct sshbuf *cmd;
73 char *term;
74 struct termios tio;
75 char **env;
76 u_int rid;
77 };
78
79 /* Context for stdio fwd open confirmation callback */
80 struct mux_stdio_confirm_ctx {
81 u_int rid;
82 };
83
84 /* Context for global channel callback */
85 struct mux_channel_confirm_ctx {
86 u_int cid; /* channel id */
87 u_int rid; /* request id */
88 int fid; /* forward id */
89 };
90
91 /* fd to control socket */
92 int muxserver_sock = -1;
93
94 /* client request id */
95 u_int muxclient_request_id = 0;
96
97 /* Multiplexing control command */
98 u_int muxclient_command = 0;
99
100 /* Set when signalled. */
101 static volatile sig_atomic_t muxclient_terminate = 0;
102
103 /* PID of multiplex server */
104 static u_int muxserver_pid = 0;
105
106 static Channel *mux_listener_channel = NULL;
107
108 struct mux_master_state {
109 int hello_rcvd;
110 };
111
112 /* mux protocol messages */
113 #define MUX_MSG_HELLO 0x00000001
114 #define MUX_C_NEW_SESSION 0x10000002
115 #define MUX_C_ALIVE_CHECK 0x10000004
116 #define MUX_C_TERMINATE 0x10000005
117 #define MUX_C_OPEN_FWD 0x10000006
118 #define MUX_C_CLOSE_FWD 0x10000007
119 #define MUX_C_NEW_STDIO_FWD 0x10000008
120 #define MUX_C_STOP_LISTENING 0x10000009
121 #define MUX_C_PROXY 0x1000000f
122 #define MUX_S_OK 0x80000001
123 #define MUX_S_PERMISSION_DENIED 0x80000002
124 #define MUX_S_FAILURE 0x80000003
125 #define MUX_S_EXIT_MESSAGE 0x80000004
126 #define MUX_S_ALIVE 0x80000005
127 #define MUX_S_SESSION_OPENED 0x80000006
128 #define MUX_S_REMOTE_PORT 0x80000007
129 #define MUX_S_TTY_ALLOC_FAIL 0x80000008
130 #define MUX_S_PROXY 0x8000000f
131
132 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */
133 #define MUX_FWD_LOCAL 1
134 #define MUX_FWD_REMOTE 2
135 #define MUX_FWD_DYNAMIC 3
136
137 static void mux_session_confirm(struct ssh *, int, int, void *);
138 static void mux_stdio_confirm(struct ssh *, int, int, void *);
139
140 static int mux_master_process_hello(struct ssh *, u_int,
141 Channel *, struct sshbuf *, struct sshbuf *);
142 static int mux_master_process_new_session(struct ssh *, u_int,
143 Channel *, struct sshbuf *, struct sshbuf *);
144 static int mux_master_process_alive_check(struct ssh *, u_int,
145 Channel *, struct sshbuf *, struct sshbuf *);
146 static int mux_master_process_terminate(struct ssh *, u_int,
147 Channel *, struct sshbuf *, struct sshbuf *);
148 static int mux_master_process_open_fwd(struct ssh *, u_int,
149 Channel *, struct sshbuf *, struct sshbuf *);
150 static int mux_master_process_close_fwd(struct ssh *, u_int,
151 Channel *, struct sshbuf *, struct sshbuf *);
152 static int mux_master_process_stdio_fwd(struct ssh *, u_int,
153 Channel *, struct sshbuf *, struct sshbuf *);
154 static int mux_master_process_stop_listening(struct ssh *, u_int,
155 Channel *, struct sshbuf *, struct sshbuf *);
156 static int mux_master_process_proxy(struct ssh *, u_int,
157 Channel *, struct sshbuf *, struct sshbuf *);
158
159 static const struct {
160 u_int type;
161 int (*handler)(struct ssh *, u_int, Channel *,
162 struct sshbuf *, struct sshbuf *);
163 } mux_master_handlers[] = {
164 { MUX_MSG_HELLO, mux_master_process_hello },
165 { MUX_C_NEW_SESSION, mux_master_process_new_session },
166 { MUX_C_ALIVE_CHECK, mux_master_process_alive_check },
167 { MUX_C_TERMINATE, mux_master_process_terminate },
168 { MUX_C_OPEN_FWD, mux_master_process_open_fwd },
169 { MUX_C_CLOSE_FWD, mux_master_process_close_fwd },
170 { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd },
171 { MUX_C_STOP_LISTENING, mux_master_process_stop_listening },
172 { MUX_C_PROXY, mux_master_process_proxy },
173 { 0, NULL }
174 };
175
176 /* Cleanup callback fired on closure of mux client _session_ channel */
177 static void
mux_master_session_cleanup_cb(struct ssh * ssh,int cid,int force,void * unused)178 mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
179 {
180 Channel *cc, *c = channel_by_id(ssh, cid);
181
182 debug3_f("entering for channel %d", cid);
183 if (c == NULL)
184 fatal_f("channel_by_id(%i) == NULL", cid);
185 if (c->ctl_chan != -1) {
186 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
187 fatal_f("channel %d missing control channel %d",
188 c->self, c->ctl_chan);
189 c->ctl_chan = -1;
190 cc->ctl_child_id = 0;
191 cc->have_ctl_child_id = 0;
192 chan_rcvd_oclose(ssh, cc);
193 }
194 channel_cancel_cleanup(ssh, c->self);
195 }
196
197 /* Cleanup callback fired on closure of mux client _control_ channel */
198 static void
mux_master_control_cleanup_cb(struct ssh * ssh,int cid,int force,void * unused)199 mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
200 {
201 Channel *sc, *c = channel_by_id(ssh, cid);
202
203 debug3_f("entering for channel %d", cid);
204 if (c == NULL)
205 fatal_f("channel_by_id(%i) == NULL", cid);
206 if (c->have_ctl_child_id) {
207 if ((sc = channel_by_id(ssh, c->ctl_child_id)) == NULL)
208 fatal_f("channel %d missing session channel %u",
209 c->self, c->ctl_child_id);
210 c->ctl_child_id = 0;
211 c->have_ctl_child_id = 0;
212 sc->ctl_chan = -1;
213 if (sc->type != SSH_CHANNEL_OPEN &&
214 sc->type != SSH_CHANNEL_OPENING) {
215 debug2_f("channel %d: not open", sc->self);
216 chan_mark_dead(ssh, sc);
217 } else {
218 if (sc->istate == CHAN_INPUT_OPEN)
219 chan_read_failed(ssh, sc);
220 if (sc->ostate == CHAN_OUTPUT_OPEN)
221 chan_write_failed(ssh, sc);
222 }
223 }
224 channel_cancel_cleanup(ssh, c->self);
225 }
226
227 /* Check mux client environment variables before passing them to mux master. */
228 static int
env_permitted(const char * env)229 env_permitted(const char *env)
230 {
231 u_int i;
232 int ret;
233 char name[1024], *cp;
234
235 if ((cp = strchr(env, '=')) == NULL || cp == env)
236 return 0;
237 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
238 if (ret <= 0 || (size_t)ret >= sizeof(name)) {
239 error_f("name '%.100s...' too long", env);
240 return 0;
241 }
242
243 for (i = 0; i < options.num_send_env; i++)
244 if (match_pattern(name, options.send_env[i]))
245 return 1;
246
247 return 0;
248 }
249
250 /* Mux master protocol message handlers */
251
252 static int
mux_master_process_hello(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)253 mux_master_process_hello(struct ssh *ssh, u_int rid,
254 Channel *c, struct sshbuf *m, struct sshbuf *reply)
255 {
256 u_int ver;
257 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
258 int r;
259
260 if (state == NULL)
261 fatal_f("channel %d: c->mux_ctx == NULL", c->self);
262 if (state->hello_rcvd) {
263 error_f("HELLO received twice");
264 return -1;
265 }
266 if ((r = sshbuf_get_u32(m, &ver)) != 0) {
267 error_fr(r, "parse");
268 return -1;
269 }
270 if (ver != SSHMUX_VER) {
271 error_f("unsupported multiplexing protocol version %u "
272 "(expected %u)", ver, SSHMUX_VER);
273 return -1;
274 }
275 debug2_f("channel %d client version %u", c->self, ver);
276
277 /* No extensions are presently defined */
278 while (sshbuf_len(m) > 0) {
279 char *name = NULL;
280 size_t value_len = 0;
281
282 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
283 (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) {
284 error_fr(r, "parse extension");
285 return -1;
286 }
287 debug2_f("Unrecognised extension \"%s\" length %zu",
288 name, value_len);
289 free(name);
290 }
291 state->hello_rcvd = 1;
292 return 0;
293 }
294
295 /* Enqueue a "ok" response to the reply buffer */
296 static void
reply_ok(struct sshbuf * reply,u_int rid)297 reply_ok(struct sshbuf *reply, u_int rid)
298 {
299 int r;
300
301 if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 ||
302 (r = sshbuf_put_u32(reply, rid)) != 0)
303 fatal_fr(r, "reply");
304 }
305
306 /* Enqueue an error response to the reply buffer */
307 static void
reply_error(struct sshbuf * reply,u_int type,u_int rid,const char * msg)308 reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg)
309 {
310 int r;
311
312 if ((r = sshbuf_put_u32(reply, type)) != 0 ||
313 (r = sshbuf_put_u32(reply, rid)) != 0 ||
314 (r = sshbuf_put_cstring(reply, msg)) != 0)
315 fatal_fr(r, "reply");
316 }
317
318 static int
mux_master_process_new_session(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)319 mux_master_process_new_session(struct ssh *ssh, u_int rid,
320 Channel *c, struct sshbuf *m, struct sshbuf *reply)
321 {
322 Channel *nc;
323 struct mux_session_confirm_ctx *cctx;
324 char *cmd, *cp;
325 u_int i, j, env_len, escape_char, window, packetmax;
326 int r, new_fd[3];
327
328 /* Reply for SSHMUX_COMMAND_OPEN */
329 cctx = xcalloc(1, sizeof(*cctx));
330 cctx->term = NULL;
331 cctx->rid = rid;
332 cmd = NULL;
333 cctx->env = NULL;
334 env_len = 0;
335 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
336 (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 ||
337 (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 ||
338 (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 ||
339 (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 ||
340 (r = sshbuf_get_u32(m, &escape_char)) != 0 ||
341 (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 ||
342 (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) {
343 malf:
344 free(cmd);
345 for (j = 0; j < env_len; j++)
346 free(cctx->env[j]);
347 free(cctx->env);
348 free(cctx->term);
349 free(cctx);
350 error_f("malformed message");
351 return -1;
352 }
353
354 #define MUX_MAX_ENV_VARS 4096
355 while (sshbuf_len(m) > 0) {
356 if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0)
357 goto malf;
358 if (!env_permitted(cp)) {
359 free(cp);
360 continue;
361 }
362 cctx->env = xreallocarray(cctx->env, env_len + 2,
363 sizeof(*cctx->env));
364 cctx->env[env_len++] = cp;
365 cctx->env[env_len] = NULL;
366 if (env_len > MUX_MAX_ENV_VARS) {
367 error_f(">%d environment variables received, "
368 "ignoring additional", MUX_MAX_ENV_VARS);
369 break;
370 }
371 }
372
373 debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, "
374 "term \"%s\", cmd \"%s\", env %u", c->self,
375 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd,
376 cctx->want_subsys, cctx->term, cmd, env_len);
377
378 if ((cctx->cmd = sshbuf_new()) == NULL)
379 fatal_f("sshbuf_new");
380 if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0)
381 fatal_fr(r, "sshbuf_put");
382 free(cmd);
383 cmd = NULL;
384
385 /* Gather fds from client */
386 for(i = 0; i < 3; i++) {
387 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
388 error_f("failed to receive fd %d from client", i);
389 for (j = 0; j < i; j++)
390 close(new_fd[j]);
391 for (j = 0; j < env_len; j++)
392 free(cctx->env[j]);
393 free(cctx->env);
394 free(cctx->term);
395 sshbuf_free(cctx->cmd);
396 free(cctx);
397 reply_error(reply, MUX_S_FAILURE, rid,
398 "did not receive file descriptors");
399 return -1;
400 }
401 }
402
403 debug3_f("got fds stdin %d, stdout %d, stderr %d",
404 new_fd[0], new_fd[1], new_fd[2]);
405
406 /* XXX support multiple child sessions in future */
407 if (c->have_ctl_child_id) {
408 debug2_f("session already open");
409 reply_error(reply, MUX_S_FAILURE, rid,
410 "Multiple sessions not supported");
411 cleanup:
412 close(new_fd[0]);
413 close(new_fd[1]);
414 close(new_fd[2]);
415 free(cctx->term);
416 if (env_len != 0) {
417 for (i = 0; i < env_len; i++)
418 free(cctx->env[i]);
419 free(cctx->env);
420 }
421 sshbuf_free(cctx->cmd);
422 free(cctx);
423 return 0;
424 }
425
426 if (options.control_master == SSHCTL_MASTER_ASK ||
427 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
428 if (!ask_permission("Allow shared connection to %s? ", host)) {
429 debug2_f("session refused by user");
430 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
431 "Permission denied");
432 goto cleanup;
433 }
434 }
435
436 /* Try to pick up ttymodes from client before it goes raw */
437 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
438 error_f("tcgetattr: %s", strerror(errno));
439
440 window = CHAN_SES_WINDOW_DEFAULT;
441 packetmax = CHAN_SES_PACKET_DEFAULT;
442 if (cctx->want_tty) {
443 window >>= 1;
444 packetmax >>= 1;
445 }
446
447 nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
448 new_fd[0], new_fd[1], new_fd[2], window, packetmax,
449 CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
450
451 nc->ctl_chan = c->self; /* link session -> control channel */
452 c->ctl_child_id = nc->self; /* link control -> session channel */
453 c->have_ctl_child_id = 1;
454
455 if (cctx->want_tty && escape_char != 0xffffffff) {
456 channel_register_filter(ssh, nc->self,
457 client_simple_escape_filter, NULL,
458 client_filter_cleanup,
459 client_new_escape_filter_ctx((int)escape_char));
460 }
461
462 debug2_f("channel_new: %d linked to control channel %d",
463 nc->self, nc->ctl_chan);
464
465 channel_send_open(ssh, nc->self);
466 channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx);
467 c->mux_pause = 1; /* stop handling messages until open_confirm done */
468 channel_register_cleanup(ssh, nc->self,
469 mux_master_session_cleanup_cb, 1);
470
471 /* reply is deferred, sent by mux_session_confirm */
472 return 0;
473 }
474
475 static int
mux_master_process_alive_check(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)476 mux_master_process_alive_check(struct ssh *ssh, u_int rid,
477 Channel *c, struct sshbuf *m, struct sshbuf *reply)
478 {
479 int r;
480
481 debug2_f("channel %d: alive check", c->self);
482
483 /* prepare reply */
484 if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 ||
485 (r = sshbuf_put_u32(reply, rid)) != 0 ||
486 (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0)
487 fatal_fr(r, "reply");
488
489 return 0;
490 }
491
492 static int
mux_master_process_terminate(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)493 mux_master_process_terminate(struct ssh *ssh, u_int rid,
494 Channel *c, struct sshbuf *m, struct sshbuf *reply)
495 {
496 debug2_f("channel %d: terminate request", c->self);
497
498 if (options.control_master == SSHCTL_MASTER_ASK ||
499 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
500 if (!ask_permission("Terminate shared connection to %s? ",
501 host)) {
502 debug2_f("termination refused by user");
503 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
504 "Permission denied");
505 return 0;
506 }
507 }
508
509 quit_pending = 1;
510 reply_ok(reply, rid);
511 /* XXX exit happens too soon - message never makes it to client */
512 return 0;
513 }
514
515 static char *
format_forward(u_int ftype,struct Forward * fwd)516 format_forward(u_int ftype, struct Forward *fwd)
517 {
518 char *ret;
519
520 switch (ftype) {
521 case MUX_FWD_LOCAL:
522 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
523 (fwd->listen_path != NULL) ? fwd->listen_path :
524 (fwd->listen_host == NULL) ?
525 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
526 fwd->listen_host, fwd->listen_port,
527 (fwd->connect_path != NULL) ? fwd->connect_path :
528 fwd->connect_host, fwd->connect_port);
529 break;
530 case MUX_FWD_DYNAMIC:
531 xasprintf(&ret, "dynamic forward %.200s:%d -> *",
532 (fwd->listen_host == NULL) ?
533 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
534 fwd->listen_host, fwd->listen_port);
535 break;
536 case MUX_FWD_REMOTE:
537 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
538 (fwd->listen_path != NULL) ? fwd->listen_path :
539 (fwd->listen_host == NULL) ?
540 "LOCALHOST" : fwd->listen_host,
541 fwd->listen_port,
542 (fwd->connect_path != NULL) ? fwd->connect_path :
543 fwd->connect_host, fwd->connect_port);
544 break;
545 default:
546 fatal_f("unknown forward type %u", ftype);
547 }
548 return ret;
549 }
550
551 static int
compare_host(const char * a,const char * b)552 compare_host(const char *a, const char *b)
553 {
554 if (a == NULL && b == NULL)
555 return 1;
556 if (a == NULL || b == NULL)
557 return 0;
558 return strcmp(a, b) == 0;
559 }
560
561 static int
compare_forward(struct Forward * a,struct Forward * b)562 compare_forward(struct Forward *a, struct Forward *b)
563 {
564 if (!compare_host(a->listen_host, b->listen_host))
565 return 0;
566 if (!compare_host(a->listen_path, b->listen_path))
567 return 0;
568 if (a->listen_port != b->listen_port)
569 return 0;
570 if (!compare_host(a->connect_host, b->connect_host))
571 return 0;
572 if (!compare_host(a->connect_path, b->connect_path))
573 return 0;
574 if (a->connect_port != b->connect_port)
575 return 0;
576
577 return 1;
578 }
579
580 static void
mux_confirm_remote_forward(struct ssh * ssh,int type,u_int32_t seq,void * ctxt)581 mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt)
582 {
583 struct mux_channel_confirm_ctx *fctx = ctxt;
584 char *failmsg = NULL;
585 struct Forward *rfwd;
586 Channel *c;
587 struct sshbuf *out;
588 u_int port;
589 int r;
590
591 if ((c = channel_by_id(ssh, fctx->cid)) == NULL) {
592 /* no channel for reply */
593 error_f("unknown channel");
594 return;
595 }
596 if ((out = sshbuf_new()) == NULL)
597 fatal_f("sshbuf_new");
598 if (fctx->fid >= options.num_remote_forwards ||
599 (options.remote_forwards[fctx->fid].connect_path == NULL &&
600 options.remote_forwards[fctx->fid].connect_host == NULL)) {
601 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid);
602 goto fail;
603 }
604 rfwd = &options.remote_forwards[fctx->fid];
605 debug_f("%s for: listen %d, connect %s:%d",
606 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
607 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
608 rfwd->connect_host, rfwd->connect_port);
609 if (type == SSH2_MSG_REQUEST_SUCCESS) {
610 if (rfwd->listen_port == 0) {
611 if ((r = sshpkt_get_u32(ssh, &port)) != 0)
612 fatal_fr(r, "parse port");
613 if (port > 65535) {
614 fatal("Invalid allocated port %u for "
615 "mux remote forward to %s:%d", port,
616 rfwd->connect_host, rfwd->connect_port);
617 }
618 rfwd->allocated_port = (int)port;
619 debug("Allocated port %u for mux remote forward"
620 " to %s:%d", rfwd->allocated_port,
621 rfwd->connect_host, rfwd->connect_port);
622 if ((r = sshbuf_put_u32(out,
623 MUX_S_REMOTE_PORT)) != 0 ||
624 (r = sshbuf_put_u32(out, fctx->rid)) != 0 ||
625 (r = sshbuf_put_u32(out,
626 rfwd->allocated_port)) != 0)
627 fatal_fr(r, "reply");
628 channel_update_permission(ssh, rfwd->handle,
629 rfwd->allocated_port);
630 } else {
631 reply_ok(out, fctx->rid);
632 }
633 goto out;
634 } else {
635 if (rfwd->listen_port == 0)
636 channel_update_permission(ssh, rfwd->handle, -1);
637 if (rfwd->listen_path != NULL)
638 xasprintf(&failmsg, "remote port forwarding failed for "
639 "listen path %s", rfwd->listen_path);
640 else
641 xasprintf(&failmsg, "remote port forwarding failed for "
642 "listen port %d", rfwd->listen_port);
643
644 debug2_f("clearing registered forwarding for listen %d, "
645 "connect %s:%d", rfwd->listen_port,
646 rfwd->connect_path ? rfwd->connect_path :
647 rfwd->connect_host, rfwd->connect_port);
648
649 free(rfwd->listen_host);
650 free(rfwd->listen_path);
651 free(rfwd->connect_host);
652 free(rfwd->connect_path);
653 memset(rfwd, 0, sizeof(*rfwd));
654 }
655 fail:
656 error_f("%s", failmsg);
657 reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg);
658 free(failmsg);
659 out:
660 if ((r = sshbuf_put_stringb(c->output, out)) != 0)
661 fatal_fr(r, "enqueue");
662 sshbuf_free(out);
663 if (c->mux_pause <= 0)
664 fatal_f("mux_pause %d", c->mux_pause);
665 c->mux_pause = 0; /* start processing messages again */
666 }
667
668 static int
mux_master_process_open_fwd(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)669 mux_master_process_open_fwd(struct ssh *ssh, u_int rid,
670 Channel *c, struct sshbuf *m, struct sshbuf *reply)
671 {
672 struct Forward fwd;
673 char *fwd_desc = NULL;
674 char *listen_addr, *connect_addr;
675 u_int ftype;
676 u_int lport, cport;
677 int r, i, ret = 0, freefwd = 1;
678
679 memset(&fwd, 0, sizeof(fwd));
680
681 /* XXX - lport/cport check redundant */
682 if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
683 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
684 (r = sshbuf_get_u32(m, &lport)) != 0 ||
685 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
686 (r = sshbuf_get_u32(m, &cport)) != 0 ||
687 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
688 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
689 error_f("malformed message");
690 ret = -1;
691 goto out;
692 }
693 if (*listen_addr == '\0') {
694 free(listen_addr);
695 listen_addr = NULL;
696 }
697 if (*connect_addr == '\0') {
698 free(connect_addr);
699 connect_addr = NULL;
700 }
701
702 memset(&fwd, 0, sizeof(fwd));
703 fwd.listen_port = lport;
704 if (fwd.listen_port == PORT_STREAMLOCAL)
705 fwd.listen_path = listen_addr;
706 else
707 fwd.listen_host = listen_addr;
708 fwd.connect_port = cport;
709 if (fwd.connect_port == PORT_STREAMLOCAL)
710 fwd.connect_path = connect_addr;
711 else
712 fwd.connect_host = connect_addr;
713
714 debug2_f("channel %d: request %s", c->self,
715 (fwd_desc = format_forward(ftype, &fwd)));
716
717 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE &&
718 ftype != MUX_FWD_DYNAMIC) {
719 logit_f("invalid forwarding type %u", ftype);
720 invalid:
721 free(listen_addr);
722 free(connect_addr);
723 reply_error(reply, MUX_S_FAILURE, rid,
724 "Invalid forwarding request");
725 return 0;
726 }
727 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) {
728 logit_f("streamlocal and dynamic forwards "
729 "are mutually exclusive");
730 goto invalid;
731 }
732 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) {
733 logit_f("invalid listen port %u", fwd.listen_port);
734 goto invalid;
735 }
736 if ((fwd.connect_port != PORT_STREAMLOCAL &&
737 fwd.connect_port >= 65536) ||
738 (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE &&
739 fwd.connect_port == 0)) {
740 logit_f("invalid connect port %u",
741 fwd.connect_port);
742 goto invalid;
743 }
744 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL &&
745 fwd.connect_path == NULL) {
746 logit_f("missing connect host");
747 goto invalid;
748 }
749
750 /* Skip forwards that have already been requested */
751 switch (ftype) {
752 case MUX_FWD_LOCAL:
753 case MUX_FWD_DYNAMIC:
754 for (i = 0; i < options.num_local_forwards; i++) {
755 if (compare_forward(&fwd,
756 options.local_forwards + i)) {
757 exists:
758 debug2_f("found existing forwarding");
759 reply_ok(reply, rid);
760 goto out;
761 }
762 }
763 break;
764 case MUX_FWD_REMOTE:
765 for (i = 0; i < options.num_remote_forwards; i++) {
766 if (!compare_forward(&fwd, options.remote_forwards + i))
767 continue;
768 if (fwd.listen_port != 0)
769 goto exists;
770 debug2_f("found allocated port");
771 if ((r = sshbuf_put_u32(reply,
772 MUX_S_REMOTE_PORT)) != 0 ||
773 (r = sshbuf_put_u32(reply, rid)) != 0 ||
774 (r = sshbuf_put_u32(reply,
775 options.remote_forwards[i].allocated_port)) != 0)
776 fatal_fr(r, "reply FWD_REMOTE");
777 goto out;
778 }
779 break;
780 }
781
782 if (options.control_master == SSHCTL_MASTER_ASK ||
783 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
784 if (!ask_permission("Open %s on %s?", fwd_desc, host)) {
785 debug2_f("forwarding refused by user");
786 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
787 "Permission denied");
788 goto out;
789 }
790 }
791
792 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
793 if (!channel_setup_local_fwd_listener(ssh, &fwd,
794 &options.fwd_opts)) {
795 fail:
796 logit_f("requested %s failed", fwd_desc);
797 reply_error(reply, MUX_S_FAILURE, rid,
798 "Port forwarding failed");
799 goto out;
800 }
801 add_local_forward(&options, &fwd);
802 freefwd = 0;
803 } else {
804 struct mux_channel_confirm_ctx *fctx;
805
806 fwd.handle = channel_request_remote_forwarding(ssh, &fwd);
807 if (fwd.handle < 0)
808 goto fail;
809 add_remote_forward(&options, &fwd);
810 fctx = xcalloc(1, sizeof(*fctx));
811 fctx->cid = c->self;
812 fctx->rid = rid;
813 fctx->fid = options.num_remote_forwards - 1;
814 client_register_global_confirm(mux_confirm_remote_forward,
815 fctx);
816 freefwd = 0;
817 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */
818 /* delayed reply in mux_confirm_remote_forward */
819 goto out;
820 }
821 reply_ok(reply, rid);
822 out:
823 free(fwd_desc);
824 if (freefwd) {
825 free(fwd.listen_host);
826 free(fwd.listen_path);
827 free(fwd.connect_host);
828 free(fwd.connect_path);
829 }
830 return ret;
831 }
832
833 static int
mux_master_process_close_fwd(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)834 mux_master_process_close_fwd(struct ssh *ssh, u_int rid,
835 Channel *c, struct sshbuf *m, struct sshbuf *reply)
836 {
837 struct Forward fwd, *found_fwd;
838 char *fwd_desc = NULL;
839 const char *error_reason = NULL;
840 char *listen_addr = NULL, *connect_addr = NULL;
841 u_int ftype;
842 int r, i, ret = 0;
843 u_int lport, cport;
844
845 memset(&fwd, 0, sizeof(fwd));
846
847 if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
848 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
849 (r = sshbuf_get_u32(m, &lport)) != 0 ||
850 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
851 (r = sshbuf_get_u32(m, &cport)) != 0 ||
852 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
853 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
854 error_f("malformed message");
855 ret = -1;
856 goto out;
857 }
858
859 if (*listen_addr == '\0') {
860 free(listen_addr);
861 listen_addr = NULL;
862 }
863 if (*connect_addr == '\0') {
864 free(connect_addr);
865 connect_addr = NULL;
866 }
867
868 memset(&fwd, 0, sizeof(fwd));
869 fwd.listen_port = lport;
870 if (fwd.listen_port == PORT_STREAMLOCAL)
871 fwd.listen_path = listen_addr;
872 else
873 fwd.listen_host = listen_addr;
874 fwd.connect_port = cport;
875 if (fwd.connect_port == PORT_STREAMLOCAL)
876 fwd.connect_path = connect_addr;
877 else
878 fwd.connect_host = connect_addr;
879
880 debug2_f("channel %d: request cancel %s", c->self,
881 (fwd_desc = format_forward(ftype, &fwd)));
882
883 /* make sure this has been requested */
884 found_fwd = NULL;
885 switch (ftype) {
886 case MUX_FWD_LOCAL:
887 case MUX_FWD_DYNAMIC:
888 for (i = 0; i < options.num_local_forwards; i++) {
889 if (compare_forward(&fwd,
890 options.local_forwards + i)) {
891 found_fwd = options.local_forwards + i;
892 break;
893 }
894 }
895 break;
896 case MUX_FWD_REMOTE:
897 for (i = 0; i < options.num_remote_forwards; i++) {
898 if (compare_forward(&fwd,
899 options.remote_forwards + i)) {
900 found_fwd = options.remote_forwards + i;
901 break;
902 }
903 }
904 break;
905 }
906
907 if (found_fwd == NULL)
908 error_reason = "port not forwarded";
909 else if (ftype == MUX_FWD_REMOTE) {
910 /*
911 * This shouldn't fail unless we confused the host/port
912 * between options.remote_forwards and permitted_opens.
913 * However, for dynamic allocated listen ports we need
914 * to use the actual listen port.
915 */
916 if (channel_request_rforward_cancel(ssh, found_fwd) == -1)
917 error_reason = "port not in permitted opens";
918 } else { /* local and dynamic forwards */
919 /* Ditto */
920 if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port,
921 &options.fwd_opts) == -1)
922 error_reason = "port not found";
923 }
924
925 if (error_reason != NULL)
926 reply_error(reply, MUX_S_FAILURE, rid, error_reason);
927 else {
928 reply_ok(reply, rid);
929 free(found_fwd->listen_host);
930 free(found_fwd->listen_path);
931 free(found_fwd->connect_host);
932 free(found_fwd->connect_path);
933 found_fwd->listen_host = found_fwd->connect_host = NULL;
934 found_fwd->listen_path = found_fwd->connect_path = NULL;
935 found_fwd->listen_port = found_fwd->connect_port = 0;
936 }
937 out:
938 free(fwd_desc);
939 free(listen_addr);
940 free(connect_addr);
941
942 return ret;
943 }
944
945 static int
mux_master_process_stdio_fwd(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)946 mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
947 Channel *c, struct sshbuf *m, struct sshbuf *reply)
948 {
949 Channel *nc;
950 char *chost = NULL;
951 u_int _cport, i, j;
952 int ok = 0, cport, r, new_fd[2];
953 struct mux_stdio_confirm_ctx *cctx;
954
955 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
956 (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 ||
957 (r = sshbuf_get_u32(m, &_cport)) != 0) {
958 free(chost);
959 error_f("malformed message");
960 return -1;
961 }
962 if (_cport == (u_int)PORT_STREAMLOCAL)
963 cport = PORT_STREAMLOCAL;
964 else if (_cport <= INT_MAX)
965 cport = (int)_cport;
966 else {
967 free(chost);
968 error_f("invalid port 0x%x", _cport);
969 return -1;
970 }
971
972 debug2_f("channel %d: stdio fwd to %s:%d", c->self, chost, cport);
973
974 /* Gather fds from client */
975 for(i = 0; i < 2; i++) {
976 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
977 error_f("failed to receive fd %d from client", i);
978 for (j = 0; j < i; j++)
979 close(new_fd[j]);
980 free(chost);
981
982 /* prepare reply */
983 reply_error(reply, MUX_S_FAILURE, rid,
984 "did not receive file descriptors");
985 return -1;
986 }
987 }
988
989 debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]);
990
991 /* XXX support multiple child sessions in future */
992 if (c->have_ctl_child_id) {
993 debug2_f("session already open");
994 reply_error(reply, MUX_S_FAILURE, rid,
995 "Multiple sessions not supported");
996 cleanup:
997 close(new_fd[0]);
998 close(new_fd[1]);
999 free(chost);
1000 return 0;
1001 }
1002
1003 if (options.control_master == SSHCTL_MASTER_ASK ||
1004 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1005 if (cport == PORT_STREAMLOCAL) {
1006 ok = ask_permission("Allow forward to path %s", chost);
1007 } else {
1008 ok = ask_permission("Allow forward to [%s]:%d? ",
1009 chost, cport);
1010 }
1011 if (!ok) {
1012 debug2_f("stdio fwd refused by user");
1013 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
1014 "Permission denied");
1015 goto cleanup;
1016 }
1017 }
1018
1019 nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
1020 CHANNEL_NONBLOCK_STDIO);
1021 free(chost);
1022
1023 nc->ctl_chan = c->self; /* link session -> control channel */
1024 c->ctl_child_id = nc->self; /* link control -> session channel */
1025 c->have_ctl_child_id = 1;
1026
1027 debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan);
1028
1029 channel_register_cleanup(ssh, nc->self,
1030 mux_master_session_cleanup_cb, 1);
1031
1032 cctx = xcalloc(1, sizeof(*cctx));
1033 cctx->rid = rid;
1034 channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx);
1035 c->mux_pause = 1; /* stop handling messages until open_confirm done */
1036
1037 /* reply is deferred, sent by mux_session_confirm */
1038 return 0;
1039 }
1040
1041 /* Callback on open confirmation in mux master for a mux stdio fwd session. */
1042 static void
mux_stdio_confirm(struct ssh * ssh,int id,int success,void * arg)1043 mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg)
1044 {
1045 struct mux_stdio_confirm_ctx *cctx = arg;
1046 Channel *c, *cc;
1047 struct sshbuf *reply;
1048 int r;
1049
1050 if (cctx == NULL)
1051 fatal_f("cctx == NULL");
1052 if ((c = channel_by_id(ssh, id)) == NULL)
1053 fatal_f("no channel for id %d", id);
1054 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1055 fatal_f("channel %d lacks control channel %d",
1056 id, c->ctl_chan);
1057 if ((reply = sshbuf_new()) == NULL)
1058 fatal_f("sshbuf_new");
1059
1060 if (!success) {
1061 debug3_f("sending failure reply");
1062 reply_error(reply, MUX_S_FAILURE, cctx->rid,
1063 "Session open refused by peer");
1064 /* prepare reply */
1065 goto done;
1066 }
1067
1068 debug3_f("sending success reply");
1069 /* prepare reply */
1070 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
1071 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
1072 (r = sshbuf_put_u32(reply, c->self)) != 0)
1073 fatal_fr(r, "reply");
1074
1075 done:
1076 /* Send reply */
1077 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1078 fatal_fr(r, "enqueue");
1079 sshbuf_free(reply);
1080
1081 if (cc->mux_pause <= 0)
1082 fatal_f("mux_pause %d", cc->mux_pause);
1083 cc->mux_pause = 0; /* start processing messages again */
1084 c->open_confirm_ctx = NULL;
1085 free(cctx);
1086 }
1087
1088 static int
mux_master_process_stop_listening(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)1089 mux_master_process_stop_listening(struct ssh *ssh, u_int rid,
1090 Channel *c, struct sshbuf *m, struct sshbuf *reply)
1091 {
1092 debug_f("channel %d: stop listening", c->self);
1093
1094 if (options.control_master == SSHCTL_MASTER_ASK ||
1095 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1096 if (!ask_permission("Disable further multiplexing on shared "
1097 "connection to %s? ", host)) {
1098 debug2_f("stop listen refused by user");
1099 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
1100 "Permission denied");
1101 return 0;
1102 }
1103 }
1104
1105 if (mux_listener_channel != NULL) {
1106 channel_free(ssh, mux_listener_channel);
1107 client_stop_mux();
1108 free(options.control_path);
1109 options.control_path = NULL;
1110 mux_listener_channel = NULL;
1111 muxserver_sock = -1;
1112 }
1113
1114 reply_ok(reply, rid);
1115 return 0;
1116 }
1117
1118 static int
mux_master_process_proxy(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)1119 mux_master_process_proxy(struct ssh *ssh, u_int rid,
1120 Channel *c, struct sshbuf *m, struct sshbuf *reply)
1121 {
1122 int r;
1123
1124 debug_f("channel %d: proxy request", c->self);
1125
1126 c->mux_rcb = channel_proxy_downstream;
1127 if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
1128 (r = sshbuf_put_u32(reply, rid)) != 0)
1129 fatal_fr(r, "reply");
1130
1131 return 0;
1132 }
1133
1134 /* Channel callbacks fired on read/write from mux client fd */
1135 static int
mux_master_read_cb(struct ssh * ssh,Channel * c)1136 mux_master_read_cb(struct ssh *ssh, Channel *c)
1137 {
1138 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
1139 struct sshbuf *in = NULL, *out = NULL;
1140 u_int type, rid, i;
1141 int r, ret = -1;
1142
1143 if ((out = sshbuf_new()) == NULL)
1144 fatal_f("sshbuf_new");
1145
1146 /* Setup ctx and */
1147 if (c->mux_ctx == NULL) {
1148 state = xcalloc(1, sizeof(*state));
1149 c->mux_ctx = state;
1150 channel_register_cleanup(ssh, c->self,
1151 mux_master_control_cleanup_cb, 0);
1152
1153 /* Send hello */
1154 if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 ||
1155 (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0)
1156 fatal_fr(r, "reply");
1157 /* no extensions */
1158 if ((r = sshbuf_put_stringb(c->output, out)) != 0)
1159 fatal_fr(r, "enqueue");
1160 debug3_f("channel %d: hello sent", c->self);
1161 ret = 0;
1162 goto out;
1163 }
1164
1165 /* Channel code ensures that we receive whole packets */
1166 if ((r = sshbuf_froms(c->input, &in)) != 0) {
1167 malf:
1168 error_f("malformed message");
1169 goto out;
1170 }
1171
1172 if ((r = sshbuf_get_u32(in, &type)) != 0)
1173 goto malf;
1174 debug3_f("channel %d packet type 0x%08x len %zu", c->self,
1175 type, sshbuf_len(in));
1176
1177 if (type == MUX_MSG_HELLO)
1178 rid = 0;
1179 else {
1180 if (!state->hello_rcvd) {
1181 error_f("expected MUX_MSG_HELLO(0x%08x), "
1182 "received 0x%08x", MUX_MSG_HELLO, type);
1183 goto out;
1184 }
1185 if ((r = sshbuf_get_u32(in, &rid)) != 0)
1186 goto malf;
1187 }
1188
1189 for (i = 0; mux_master_handlers[i].handler != NULL; i++) {
1190 if (type == mux_master_handlers[i].type) {
1191 ret = mux_master_handlers[i].handler(ssh, rid,
1192 c, in, out);
1193 break;
1194 }
1195 }
1196 if (mux_master_handlers[i].handler == NULL) {
1197 error_f("unsupported mux message 0x%08x", type);
1198 reply_error(out, MUX_S_FAILURE, rid, "unsupported request");
1199 ret = 0;
1200 }
1201 /* Enqueue reply packet */
1202 if (sshbuf_len(out) != 0 &&
1203 (r = sshbuf_put_stringb(c->output, out)) != 0)
1204 fatal_fr(r, "enqueue");
1205 out:
1206 sshbuf_free(in);
1207 sshbuf_free(out);
1208 return ret;
1209 }
1210
1211 void
mux_exit_message(struct ssh * ssh,Channel * c,int exitval)1212 mux_exit_message(struct ssh *ssh, Channel *c, int exitval)
1213 {
1214 struct sshbuf *m;
1215 Channel *mux_chan;
1216 int r;
1217
1218 debug3_f("channel %d: exit message, exitval %d", c->self, exitval);
1219
1220 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1221 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1222
1223 /* Append exit message packet to control socket output queue */
1224 if ((m = sshbuf_new()) == NULL)
1225 fatal_f("sshbuf_new");
1226 if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 ||
1227 (r = sshbuf_put_u32(m, c->self)) != 0 ||
1228 (r = sshbuf_put_u32(m, exitval)) != 0 ||
1229 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1230 fatal_fr(r, "reply");
1231 sshbuf_free(m);
1232 }
1233
1234 void
mux_tty_alloc_failed(struct ssh * ssh,Channel * c)1235 mux_tty_alloc_failed(struct ssh *ssh, Channel *c)
1236 {
1237 struct sshbuf *m;
1238 Channel *mux_chan;
1239 int r;
1240
1241 debug3_f("channel %d: TTY alloc failed", c->self);
1242
1243 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1244 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1245
1246 /* Append exit message packet to control socket output queue */
1247 if ((m = sshbuf_new()) == NULL)
1248 fatal_f("sshbuf_new");
1249 if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 ||
1250 (r = sshbuf_put_u32(m, c->self)) != 0 ||
1251 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1252 fatal_fr(r, "reply");
1253 sshbuf_free(m);
1254 }
1255
1256 /* Prepare a mux master to listen on a Unix domain socket. */
1257 void
muxserver_listen(struct ssh * ssh)1258 muxserver_listen(struct ssh *ssh)
1259 {
1260 mode_t old_umask;
1261 char *orig_control_path = options.control_path;
1262 char rbuf[16+1];
1263 u_int i, r;
1264 int oerrno;
1265
1266 if (options.control_path == NULL ||
1267 options.control_master == SSHCTL_MASTER_NO)
1268 return;
1269
1270 debug("setting up multiplex master socket");
1271
1272 /*
1273 * Use a temporary path before listen so we can pseudo-atomically
1274 * establish the listening socket in its final location to avoid
1275 * other processes racing in between bind() and listen() and hitting
1276 * an unready socket.
1277 */
1278 for (i = 0; i < sizeof(rbuf) - 1; i++) {
1279 r = arc4random_uniform(26+26+10);
1280 rbuf[i] = (r < 26) ? 'a' + r :
1281 (r < 26*2) ? 'A' + r - 26 :
1282 '0' + r - 26 - 26;
1283 }
1284 rbuf[sizeof(rbuf) - 1] = '\0';
1285 options.control_path = NULL;
1286 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf);
1287 debug3_f("temporary control path %s", options.control_path);
1288
1289 old_umask = umask(0177);
1290 muxserver_sock = unix_listener(options.control_path, 64, 0);
1291 oerrno = errno;
1292 umask(old_umask);
1293 if (muxserver_sock < 0) {
1294 if (oerrno == EINVAL || oerrno == EADDRINUSE) {
1295 error("ControlSocket %s already exists, "
1296 "disabling multiplexing", options.control_path);
1297 disable_mux_master:
1298 if (muxserver_sock != -1) {
1299 close(muxserver_sock);
1300 muxserver_sock = -1;
1301 }
1302 free(orig_control_path);
1303 free(options.control_path);
1304 options.control_path = NULL;
1305 options.control_master = SSHCTL_MASTER_NO;
1306 return;
1307 } else {
1308 /* unix_listener() logs the error */
1309 cleanup_exit(255);
1310 }
1311 }
1312
1313 /* Now atomically "move" the mux socket into position */
1314 if (link(options.control_path, orig_control_path) != 0) {
1315 if (errno != EEXIST) {
1316 fatal_f("link mux listener %s => %s: %s",
1317 options.control_path, orig_control_path,
1318 strerror(errno));
1319 }
1320 error("ControlSocket %s already exists, disabling multiplexing",
1321 orig_control_path);
1322 unlink(options.control_path);
1323 goto disable_mux_master;
1324 }
1325 unlink(options.control_path);
1326 free(options.control_path);
1327 options.control_path = orig_control_path;
1328
1329 set_nonblock(muxserver_sock);
1330
1331 mux_listener_channel = channel_new(ssh, "mux listener",
1332 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1,
1333 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1334 0, options.control_path, 1);
1335 mux_listener_channel->mux_rcb = mux_master_read_cb;
1336 debug3_f("mux listener channel %d fd %d",
1337 mux_listener_channel->self, mux_listener_channel->sock);
1338 }
1339
1340 /* Callback on open confirmation in mux master for a mux client session. */
1341 static void
mux_session_confirm(struct ssh * ssh,int id,int success,void * arg)1342 mux_session_confirm(struct ssh *ssh, int id, int success, void *arg)
1343 {
1344 struct mux_session_confirm_ctx *cctx = arg;
1345 const char *display;
1346 Channel *c, *cc;
1347 int i, r;
1348 struct sshbuf *reply;
1349
1350 if (cctx == NULL)
1351 fatal_f("cctx == NULL");
1352 if ((c = channel_by_id(ssh, id)) == NULL)
1353 fatal_f("no channel for id %d", id);
1354 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1355 fatal_f("channel %d lacks control channel %d",
1356 id, c->ctl_chan);
1357 if ((reply = sshbuf_new()) == NULL)
1358 fatal_f("sshbuf_new");
1359
1360 if (!success) {
1361 debug3_f("sending failure reply");
1362 reply_error(reply, MUX_S_FAILURE, cctx->rid,
1363 "Session open refused by peer");
1364 goto done;
1365 }
1366
1367 display = getenv("DISPLAY");
1368 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
1369 char *proto, *data;
1370
1371 /* Get reasonable local authentication information. */
1372 if (client_x11_get_proto(ssh, display, options.xauth_location,
1373 options.forward_x11_trusted, options.forward_x11_timeout,
1374 &proto, &data) == 0) {
1375 /* Request forwarding with authentication spoofing. */
1376 debug("Requesting X11 forwarding with authentication "
1377 "spoofing.");
1378 x11_request_forwarding_with_spoofing(ssh, id,
1379 display, proto, data, 1);
1380 /* XXX exit_on_forward_failure */
1381 client_expect_confirm(ssh, id, "X11 forwarding",
1382 CONFIRM_WARN);
1383 }
1384 }
1385
1386 if (cctx->want_agent_fwd && options.forward_agent) {
1387 debug("Requesting authentication agent forwarding.");
1388 channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0);
1389 if ((r = sshpkt_send(ssh)) != 0)
1390 fatal_fr(r, "send");
1391 }
1392
1393 client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,
1394 cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env);
1395
1396 debug3_f("sending success reply");
1397 /* prepare reply */
1398 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
1399 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
1400 (r = sshbuf_put_u32(reply, c->self)) != 0)
1401 fatal_fr(r, "reply");
1402
1403 done:
1404 /* Send reply */
1405 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1406 fatal_fr(r, "enqueue");
1407 sshbuf_free(reply);
1408
1409 if (cc->mux_pause <= 0)
1410 fatal_f("mux_pause %d", cc->mux_pause);
1411 cc->mux_pause = 0; /* start processing messages again */
1412 c->open_confirm_ctx = NULL;
1413 sshbuf_free(cctx->cmd);
1414 free(cctx->term);
1415 if (cctx->env != NULL) {
1416 for (i = 0; cctx->env[i] != NULL; i++)
1417 free(cctx->env[i]);
1418 free(cctx->env);
1419 }
1420 free(cctx);
1421 }
1422
1423 /* ** Multiplexing client support */
1424
1425 /* Exit signal handler */
1426 static void
control_client_sighandler(int signo)1427 control_client_sighandler(int signo)
1428 {
1429 muxclient_terminate = signo;
1430 }
1431
1432 /*
1433 * Relay signal handler - used to pass some signals from mux client to
1434 * mux master.
1435 */
1436 static void
control_client_sigrelay(int signo)1437 control_client_sigrelay(int signo)
1438 {
1439 int save_errno = errno;
1440
1441 if (muxserver_pid > 1)
1442 kill(muxserver_pid, signo);
1443
1444 errno = save_errno;
1445 }
1446
1447 static int
mux_client_read(int fd,struct sshbuf * b,size_t need,int timeout_ms)1448 mux_client_read(int fd, struct sshbuf *b, size_t need, int timeout_ms)
1449 {
1450 size_t have;
1451 ssize_t len;
1452 u_char *p;
1453 int r;
1454
1455 if ((r = sshbuf_reserve(b, need, &p)) != 0)
1456 fatal_fr(r, "reserve");
1457 for (have = 0; have < need; ) {
1458 if (muxclient_terminate) {
1459 errno = EINTR;
1460 return -1;
1461 }
1462 len = read(fd, p + have, need - have);
1463 if (len == -1) {
1464 switch (errno) {
1465 case EAGAIN:
1466 if (waitrfd(fd, &timeout_ms,
1467 &muxclient_terminate) == -1 &&
1468 errno != EINTR)
1469 return -1; /* timeout */
1470 /* FALLTHROUGH */
1471 case EINTR:
1472 continue;
1473 default:
1474 return -1;
1475 }
1476 }
1477 if (len == 0) {
1478 errno = EPIPE;
1479 return -1;
1480 }
1481 have += (size_t)len;
1482 }
1483 return 0;
1484 }
1485
1486 static int
mux_client_write_packet(int fd,struct sshbuf * m)1487 mux_client_write_packet(int fd, struct sshbuf *m)
1488 {
1489 struct sshbuf *queue;
1490 u_int have, need;
1491 int r, oerrno, len;
1492 const u_char *ptr;
1493 struct pollfd pfd;
1494
1495 pfd.fd = fd;
1496 pfd.events = POLLOUT;
1497 if ((queue = sshbuf_new()) == NULL)
1498 fatal_f("sshbuf_new");
1499 if ((r = sshbuf_put_stringb(queue, m)) != 0)
1500 fatal_fr(r, "enqueue");
1501
1502 need = sshbuf_len(queue);
1503 ptr = sshbuf_ptr(queue);
1504
1505 for (have = 0; have < need; ) {
1506 if (muxclient_terminate) {
1507 sshbuf_free(queue);
1508 errno = EINTR;
1509 return -1;
1510 }
1511 len = write(fd, ptr + have, need - have);
1512 if (len == -1) {
1513 switch (errno) {
1514 case EAGAIN:
1515 (void)poll(&pfd, 1, -1);
1516 /* FALLTHROUGH */
1517 case EINTR:
1518 continue;
1519 default:
1520 oerrno = errno;
1521 sshbuf_free(queue);
1522 errno = oerrno;
1523 return -1;
1524 }
1525 }
1526 if (len == 0) {
1527 sshbuf_free(queue);
1528 errno = EPIPE;
1529 return -1;
1530 }
1531 have += (u_int)len;
1532 }
1533 sshbuf_free(queue);
1534 return 0;
1535 }
1536
1537 static int
mux_client_read_packet_timeout(int fd,struct sshbuf * m,int timeout_ms)1538 mux_client_read_packet_timeout(int fd, struct sshbuf *m, int timeout_ms)
1539 {
1540 struct sshbuf *queue;
1541 size_t need, have;
1542 const u_char *ptr;
1543 int r, oerrno;
1544
1545 if ((queue = sshbuf_new()) == NULL)
1546 fatal_f("sshbuf_new");
1547 if (mux_client_read(fd, queue, 4, timeout_ms) != 0) {
1548 if ((oerrno = errno) == EPIPE)
1549 debug3_f("read header failed: %s",
1550 strerror(errno));
1551 sshbuf_free(queue);
1552 errno = oerrno;
1553 return -1;
1554 }
1555 need = PEEK_U32(sshbuf_ptr(queue));
1556 if (mux_client_read(fd, queue, need, timeout_ms) != 0) {
1557 oerrno = errno;
1558 debug3_f("read body failed: %s", strerror(errno));
1559 sshbuf_free(queue);
1560 errno = oerrno;
1561 return -1;
1562 }
1563 if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 ||
1564 (r = sshbuf_put(m, ptr, have)) != 0)
1565 fatal_fr(r, "dequeue");
1566 sshbuf_free(queue);
1567 return 0;
1568 }
1569
1570 static int
mux_client_read_packet(int fd,struct sshbuf * m)1571 mux_client_read_packet(int fd, struct sshbuf *m)
1572 {
1573 return mux_client_read_packet_timeout(fd, m, -1);
1574 }
1575
1576 static int
mux_client_hello_exchange(int fd,int timeout_ms)1577 mux_client_hello_exchange(int fd, int timeout_ms)
1578 {
1579 struct sshbuf *m;
1580 u_int type, ver;
1581 int r, ret = -1;
1582
1583 if ((m = sshbuf_new()) == NULL)
1584 fatal_f("sshbuf_new");
1585 if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 ||
1586 (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0)
1587 fatal_fr(r, "assemble hello");
1588 /* no extensions */
1589
1590 if (mux_client_write_packet(fd, m) != 0) {
1591 debug_f("write packet: %s", strerror(errno));
1592 goto out;
1593 }
1594
1595 sshbuf_reset(m);
1596
1597 /* Read their HELLO */
1598 if (mux_client_read_packet_timeout(fd, m, timeout_ms) != 0) {
1599 debug_f("read packet failed");
1600 goto out;
1601 }
1602
1603 if ((r = sshbuf_get_u32(m, &type)) != 0)
1604 fatal_fr(r, "parse type");
1605 if (type != MUX_MSG_HELLO) {
1606 error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type);
1607 goto out;
1608 }
1609 if ((r = sshbuf_get_u32(m, &ver)) != 0)
1610 fatal_fr(r, "parse version");
1611 if (ver != SSHMUX_VER) {
1612 error("Unsupported multiplexing protocol version %d "
1613 "(expected %d)", ver, SSHMUX_VER);
1614 goto out;
1615 }
1616 debug2_f("master version %u", ver);
1617 /* No extensions are presently defined */
1618 while (sshbuf_len(m) > 0) {
1619 char *name = NULL;
1620
1621 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
1622 (r = sshbuf_skip_string(m)) != 0) { /* value */
1623 error_fr(r, "parse extension");
1624 goto out;
1625 }
1626 debug2("Unrecognised master extension \"%s\"", name);
1627 free(name);
1628 }
1629 /* success */
1630 ret = 0;
1631 out:
1632 sshbuf_free(m);
1633 return ret;
1634 }
1635
1636 static u_int
mux_client_request_alive(int fd)1637 mux_client_request_alive(int fd)
1638 {
1639 struct sshbuf *m;
1640 char *e;
1641 u_int pid, type, rid;
1642 int r;
1643
1644 debug3_f("entering");
1645
1646 if ((m = sshbuf_new()) == NULL)
1647 fatal_f("sshbuf_new");
1648 if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 ||
1649 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1650 fatal_fr(r, "assemble");
1651
1652 if (mux_client_write_packet(fd, m) != 0)
1653 fatal_f("write packet: %s", strerror(errno));
1654
1655 sshbuf_reset(m);
1656
1657 /* Read their reply */
1658 if (mux_client_read_packet(fd, m) != 0) {
1659 sshbuf_free(m);
1660 return 0;
1661 }
1662
1663 if ((r = sshbuf_get_u32(m, &type)) != 0)
1664 fatal_fr(r, "parse type");
1665 if (type != MUX_S_ALIVE) {
1666 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1667 fatal_fr(r, "parse error message");
1668 fatal_f("master returned error: %s", e);
1669 }
1670
1671 if ((r = sshbuf_get_u32(m, &rid)) != 0)
1672 fatal_fr(r, "parse remote ID");
1673 if (rid != muxclient_request_id)
1674 fatal_f("out of sequence reply: my id %u theirs %u",
1675 muxclient_request_id, rid);
1676 if ((r = sshbuf_get_u32(m, &pid)) != 0)
1677 fatal_fr(r, "parse PID");
1678 sshbuf_free(m);
1679
1680 debug3_f("done pid = %u", pid);
1681
1682 muxclient_request_id++;
1683
1684 return pid;
1685 }
1686
1687 static void
mux_client_request_terminate(int fd)1688 mux_client_request_terminate(int fd)
1689 {
1690 struct sshbuf *m;
1691 char *e;
1692 u_int type, rid;
1693 int r;
1694
1695 debug3_f("entering");
1696
1697 if ((m = sshbuf_new()) == NULL)
1698 fatal_f("sshbuf_new");
1699 if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 ||
1700 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1701 fatal_fr(r, "request");
1702
1703 if (mux_client_write_packet(fd, m) != 0)
1704 fatal_f("write packet: %s", strerror(errno));
1705
1706 sshbuf_reset(m);
1707
1708 /* Read their reply */
1709 if (mux_client_read_packet(fd, m) != 0) {
1710 /* Remote end exited already */
1711 if (errno == EPIPE) {
1712 sshbuf_free(m);
1713 return;
1714 }
1715 fatal_f("read from master failed: %s", strerror(errno));
1716 }
1717
1718 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1719 (r = sshbuf_get_u32(m, &rid)) != 0)
1720 fatal_fr(r, "parse");
1721 if (rid != muxclient_request_id)
1722 fatal_f("out of sequence reply: my id %u theirs %u",
1723 muxclient_request_id, rid);
1724 switch (type) {
1725 case MUX_S_OK:
1726 break;
1727 case MUX_S_PERMISSION_DENIED:
1728 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1729 fatal_fr(r, "parse error message");
1730 fatal("Master refused termination request: %s", e);
1731 case MUX_S_FAILURE:
1732 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1733 fatal_fr(r, "parse error message");
1734 fatal_f("termination request failed: %s", e);
1735 default:
1736 fatal_f("unexpected response from master 0x%08x", type);
1737 }
1738 sshbuf_free(m);
1739 muxclient_request_id++;
1740 }
1741
1742 static int
mux_client_forward(int fd,int cancel_flag,u_int ftype,struct Forward * fwd)1743 mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
1744 {
1745 struct sshbuf *m;
1746 char *e, *fwd_desc;
1747 const char *lhost, *chost;
1748 u_int type, rid;
1749 int r;
1750
1751 fwd_desc = format_forward(ftype, fwd);
1752 debug("Requesting %s %s",
1753 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
1754 free(fwd_desc);
1755
1756 type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD;
1757 if (fwd->listen_path != NULL)
1758 lhost = fwd->listen_path;
1759 else if (fwd->listen_host == NULL)
1760 lhost = "";
1761 else if (*fwd->listen_host == '\0')
1762 lhost = "*";
1763 else
1764 lhost = fwd->listen_host;
1765
1766 if (fwd->connect_path != NULL)
1767 chost = fwd->connect_path;
1768 else if (fwd->connect_host == NULL)
1769 chost = "";
1770 else
1771 chost = fwd->connect_host;
1772
1773 if ((m = sshbuf_new()) == NULL)
1774 fatal_f("sshbuf_new");
1775 if ((r = sshbuf_put_u32(m, type)) != 0 ||
1776 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
1777 (r = sshbuf_put_u32(m, ftype)) != 0 ||
1778 (r = sshbuf_put_cstring(m, lhost)) != 0 ||
1779 (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 ||
1780 (r = sshbuf_put_cstring(m, chost)) != 0 ||
1781 (r = sshbuf_put_u32(m, fwd->connect_port)) != 0)
1782 fatal_fr(r, "request");
1783
1784 if (mux_client_write_packet(fd, m) != 0)
1785 fatal_f("write packet: %s", strerror(errno));
1786
1787 sshbuf_reset(m);
1788
1789 /* Read their reply */
1790 if (mux_client_read_packet(fd, m) != 0) {
1791 sshbuf_free(m);
1792 return -1;
1793 }
1794
1795 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1796 (r = sshbuf_get_u32(m, &rid)) != 0)
1797 fatal_fr(r, "parse");
1798 if (rid != muxclient_request_id)
1799 fatal_f("out of sequence reply: my id %u theirs %u",
1800 muxclient_request_id, rid);
1801
1802 switch (type) {
1803 case MUX_S_OK:
1804 break;
1805 case MUX_S_REMOTE_PORT:
1806 if (cancel_flag)
1807 fatal_f("got MUX_S_REMOTE_PORT for cancel");
1808 if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0)
1809 fatal_fr(r, "parse port");
1810 verbose("Allocated port %u for remote forward to %s:%d",
1811 fwd->allocated_port,
1812 fwd->connect_host ? fwd->connect_host : "",
1813 fwd->connect_port);
1814 if (muxclient_command == SSHMUX_COMMAND_FORWARD)
1815 fprintf(stdout, "%i\n", fwd->allocated_port);
1816 break;
1817 case MUX_S_PERMISSION_DENIED:
1818 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1819 fatal_fr(r, "parse error message");
1820 sshbuf_free(m);
1821 error("Master refused forwarding request: %s", e);
1822 return -1;
1823 case MUX_S_FAILURE:
1824 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1825 fatal_fr(r, "parse error message");
1826 sshbuf_free(m);
1827 error_f("forwarding request failed: %s", e);
1828 return -1;
1829 default:
1830 fatal_f("unexpected response from master 0x%08x", type);
1831 }
1832 sshbuf_free(m);
1833
1834 muxclient_request_id++;
1835 return 0;
1836 }
1837
1838 static int
mux_client_forwards(int fd,int cancel_flag)1839 mux_client_forwards(int fd, int cancel_flag)
1840 {
1841 int i, ret = 0;
1842
1843 debug3_f("%s forwardings: %d local, %d remote",
1844 cancel_flag ? "cancel" : "request",
1845 options.num_local_forwards, options.num_remote_forwards);
1846
1847 /* XXX ExitOnForwardingFailure */
1848 for (i = 0; i < options.num_local_forwards; i++) {
1849 if (mux_client_forward(fd, cancel_flag,
1850 options.local_forwards[i].connect_port == 0 ?
1851 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
1852 options.local_forwards + i) != 0)
1853 ret = -1;
1854 }
1855 for (i = 0; i < options.num_remote_forwards; i++) {
1856 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE,
1857 options.remote_forwards + i) != 0)
1858 ret = -1;
1859 }
1860 return ret;
1861 }
1862
1863 static int
mux_client_request_session(int fd)1864 mux_client_request_session(int fd)
1865 {
1866 struct sshbuf *m;
1867 char *e;
1868 const char *term = NULL;
1869 u_int i, echar, rid, sid, esid, exitval, type, exitval_seen;
1870 extern char **environ;
1871 int r, rawmode = 0;
1872
1873 debug3_f("entering");
1874
1875 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
1876 error_f("master alive request failed");
1877 return -1;
1878 }
1879
1880 ssh_signal(SIGPIPE, SIG_IGN);
1881
1882 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
1883 fatal_f("stdfd_devnull failed");
1884
1885 if ((term = lookup_env_in_list("TERM", options.setenv,
1886 options.num_setenv)) == NULL || *term == '\0')
1887 term = getenv("TERM");
1888
1889 echar = 0xffffffff;
1890 if (options.escape_char != SSH_ESCAPECHAR_NONE)
1891 echar = (u_int)options.escape_char;
1892
1893 if ((m = sshbuf_new()) == NULL)
1894 fatal_f("sshbuf_new");
1895 if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 ||
1896 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
1897 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
1898 (r = sshbuf_put_u32(m, tty_flag)) != 0 ||
1899 (r = sshbuf_put_u32(m, options.forward_x11)) != 0 ||
1900 (r = sshbuf_put_u32(m, options.forward_agent)) != 0 ||
1901 (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 ||
1902 (r = sshbuf_put_u32(m, echar)) != 0 ||
1903 (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 ||
1904 (r = sshbuf_put_stringb(m, command)) != 0)
1905 fatal_fr(r, "request");
1906
1907 /* Pass environment */
1908 if (options.num_send_env > 0 && environ != NULL) {
1909 for (i = 0; environ[i] != NULL; i++) {
1910 if (!env_permitted(environ[i]))
1911 continue;
1912 if ((r = sshbuf_put_cstring(m, environ[i])) != 0)
1913 fatal_fr(r, "request sendenv");
1914 }
1915 }
1916 for (i = 0; i < options.num_setenv; i++) {
1917 if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0)
1918 fatal_fr(r, "request setenv");
1919 }
1920
1921 if (mux_client_write_packet(fd, m) != 0)
1922 fatal_f("write packet: %s", strerror(errno));
1923
1924 /* Send the stdio file descriptors */
1925 if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
1926 mm_send_fd(fd, STDOUT_FILENO) == -1 ||
1927 mm_send_fd(fd, STDERR_FILENO) == -1)
1928 fatal_f("send fds failed");
1929
1930 debug3_f("session request sent");
1931
1932 /* Read their reply */
1933 sshbuf_reset(m);
1934 if (mux_client_read_packet(fd, m) != 0) {
1935 error_f("read from master failed: %s", strerror(errno));
1936 sshbuf_free(m);
1937 return -1;
1938 }
1939
1940 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1941 (r = sshbuf_get_u32(m, &rid)) != 0)
1942 fatal_fr(r, "parse");
1943 if (rid != muxclient_request_id)
1944 fatal_f("out of sequence reply: my id %u theirs %u",
1945 muxclient_request_id, rid);
1946
1947 switch (type) {
1948 case MUX_S_SESSION_OPENED:
1949 if ((r = sshbuf_get_u32(m, &sid)) != 0)
1950 fatal_fr(r, "parse session ID");
1951 debug_f("master session id: %u", sid);
1952 break;
1953 case MUX_S_PERMISSION_DENIED:
1954 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1955 fatal_fr(r, "parse error message");
1956 error("Master refused session request: %s", e);
1957 sshbuf_free(m);
1958 return -1;
1959 case MUX_S_FAILURE:
1960 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1961 fatal_fr(r, "parse error message");
1962 error_f("session request failed: %s", e);
1963 sshbuf_free(m);
1964 return -1;
1965 default:
1966 sshbuf_free(m);
1967 error_f("unexpected response from master 0x%08x", type);
1968 return -1;
1969 }
1970 muxclient_request_id++;
1971
1972 if (pledge("stdio proc tty", NULL) == -1)
1973 fatal_f("pledge(): %s", strerror(errno));
1974
1975 ssh_signal(SIGHUP, control_client_sighandler);
1976 ssh_signal(SIGINT, control_client_sighandler);
1977 ssh_signal(SIGTERM, control_client_sighandler);
1978 ssh_signal(SIGWINCH, control_client_sigrelay);
1979
1980 if (options.fork_after_authentication)
1981 daemon(1, 1);
1982 else {
1983 rawmode = tty_flag;
1984 if (tty_flag) {
1985 enter_raw_mode(
1986 options.request_tty == REQUEST_TTY_FORCE);
1987 }
1988 }
1989
1990 /*
1991 * Stick around until the controlee closes the client_fd.
1992 * Before it does, it is expected to write an exit message.
1993 * This process must read the value and wait for the closure of
1994 * the client_fd; if this one closes early, the multiplex master will
1995 * terminate early too (possibly losing data).
1996 */
1997 for (exitval = 255, exitval_seen = 0;;) {
1998 sshbuf_reset(m);
1999 if (mux_client_read_packet(fd, m) != 0)
2000 break;
2001 if ((r = sshbuf_get_u32(m, &type)) != 0)
2002 fatal_fr(r, "parse type");
2003 switch (type) {
2004 case MUX_S_TTY_ALLOC_FAIL:
2005 if ((r = sshbuf_get_u32(m, &esid)) != 0)
2006 fatal_fr(r, "parse session ID");
2007 if (esid != sid)
2008 fatal_f("tty alloc fail on unknown session: "
2009 "my id %u theirs %u", sid, esid);
2010 leave_raw_mode(options.request_tty ==
2011 REQUEST_TTY_FORCE);
2012 rawmode = 0;
2013 continue;
2014 case MUX_S_EXIT_MESSAGE:
2015 if ((r = sshbuf_get_u32(m, &esid)) != 0)
2016 fatal_fr(r, "parse session ID");
2017 if (esid != sid)
2018 fatal_f("exit on unknown session: "
2019 "my id %u theirs %u", sid, esid);
2020 if (exitval_seen)
2021 fatal_f("exitval sent twice");
2022 if ((r = sshbuf_get_u32(m, &exitval)) != 0)
2023 fatal_fr(r, "parse exitval");
2024 exitval_seen = 1;
2025 continue;
2026 default:
2027 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2028 fatal_fr(r, "parse error message");
2029 fatal_f("master returned error: %s", e);
2030 }
2031 }
2032
2033 close(fd);
2034 if (rawmode)
2035 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
2036
2037 if (muxclient_terminate) {
2038 debug2("Exiting on signal: %s", strsignal(muxclient_terminate));
2039 exitval = 255;
2040 } else if (!exitval_seen) {
2041 debug2("Control master terminated unexpectedly");
2042 exitval = 255;
2043 } else
2044 debug2("Received exit status from master %d", exitval);
2045
2046 if (tty_flag && options.log_level >= SYSLOG_LEVEL_INFO)
2047 fprintf(stderr, "Shared connection to %s closed.\r\n", host);
2048
2049 exit(exitval);
2050 }
2051
2052 static int
mux_client_proxy(int fd)2053 mux_client_proxy(int fd)
2054 {
2055 struct sshbuf *m;
2056 char *e;
2057 u_int type, rid;
2058 int r;
2059
2060 if ((m = sshbuf_new()) == NULL)
2061 fatal_f("sshbuf_new");
2062 if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 ||
2063 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
2064 fatal_fr(r, "request");
2065 if (mux_client_write_packet(fd, m) != 0)
2066 fatal_f("write packet: %s", strerror(errno));
2067
2068 sshbuf_reset(m);
2069
2070 /* Read their reply */
2071 if (mux_client_read_packet(fd, m) != 0) {
2072 sshbuf_free(m);
2073 return 0;
2074 }
2075 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2076 (r = sshbuf_get_u32(m, &rid)) != 0)
2077 fatal_fr(r, "parse");
2078 if (rid != muxclient_request_id)
2079 fatal_f("out of sequence reply: my id %u theirs %u",
2080 muxclient_request_id, rid);
2081 if (type != MUX_S_PROXY) {
2082 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2083 fatal_fr(r, "parse error message");
2084 fatal_f("master returned error: %s", e);
2085 }
2086 sshbuf_free(m);
2087
2088 debug3_f("done");
2089 muxclient_request_id++;
2090 return 0;
2091 }
2092
2093 static int
mux_client_request_stdio_fwd(int fd)2094 mux_client_request_stdio_fwd(int fd)
2095 {
2096 struct sshbuf *m;
2097 char *e;
2098 u_int type, rid, sid;
2099 int r;
2100
2101 debug3_f("entering");
2102
2103 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
2104 error_f("master alive request failed");
2105 return -1;
2106 }
2107
2108 ssh_signal(SIGPIPE, SIG_IGN);
2109
2110 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
2111 fatal_f("stdfd_devnull failed");
2112
2113 if ((m = sshbuf_new()) == NULL)
2114 fatal_f("sshbuf_new");
2115 if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 ||
2116 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
2117 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
2118 (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 ||
2119 (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0)
2120 fatal_fr(r, "request");
2121
2122 if (mux_client_write_packet(fd, m) != 0)
2123 fatal_f("write packet: %s", strerror(errno));
2124
2125 /* Send the stdio file descriptors */
2126 if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
2127 mm_send_fd(fd, STDOUT_FILENO) == -1)
2128 fatal_f("send fds failed");
2129
2130 if (pledge("stdio proc tty", NULL) == -1)
2131 fatal_f("pledge(): %s", strerror(errno));
2132
2133 debug3_f("stdio forward request sent");
2134
2135 /* Read their reply */
2136 sshbuf_reset(m);
2137
2138 if (mux_client_read_packet(fd, m) != 0) {
2139 error_f("read from master failed: %s", strerror(errno));
2140 sshbuf_free(m);
2141 return -1;
2142 }
2143
2144 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2145 (r = sshbuf_get_u32(m, &rid)) != 0)
2146 fatal_fr(r, "parse");
2147 if (rid != muxclient_request_id)
2148 fatal_f("out of sequence reply: my id %u theirs %u",
2149 muxclient_request_id, rid);
2150 switch (type) {
2151 case MUX_S_SESSION_OPENED:
2152 if ((r = sshbuf_get_u32(m, &sid)) != 0)
2153 fatal_fr(r, "parse session ID");
2154 debug_f("master session id: %u", sid);
2155 break;
2156 case MUX_S_PERMISSION_DENIED:
2157 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2158 fatal_fr(r, "parse error message");
2159 sshbuf_free(m);
2160 fatal("Master refused stdio forwarding request: %s", e);
2161 case MUX_S_FAILURE:
2162 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2163 fatal_fr(r, "parse error message");
2164 sshbuf_free(m);
2165 fatal("Stdio forwarding request failed: %s", e);
2166 default:
2167 sshbuf_free(m);
2168 error_f("unexpected response from master 0x%08x", type);
2169 return -1;
2170 }
2171 muxclient_request_id++;
2172
2173 ssh_signal(SIGHUP, control_client_sighandler);
2174 ssh_signal(SIGINT, control_client_sighandler);
2175 ssh_signal(SIGTERM, control_client_sighandler);
2176 ssh_signal(SIGWINCH, control_client_sigrelay);
2177
2178 /*
2179 * Stick around until the controlee closes the client_fd.
2180 */
2181 sshbuf_reset(m);
2182 if (mux_client_read_packet(fd, m) != 0) {
2183 if (errno == EPIPE ||
2184 (errno == EINTR && muxclient_terminate != 0))
2185 return 0;
2186 fatal_f("mux_client_read_packet: %s", strerror(errno));
2187 }
2188 fatal_f("master returned unexpected message %u", type);
2189 }
2190
2191 static void
mux_client_request_stop_listening(int fd)2192 mux_client_request_stop_listening(int fd)
2193 {
2194 struct sshbuf *m;
2195 char *e;
2196 u_int type, rid;
2197 int r;
2198
2199 debug3_f("entering");
2200
2201 if ((m = sshbuf_new()) == NULL)
2202 fatal_f("sshbuf_new");
2203 if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 ||
2204 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
2205 fatal_fr(r, "request");
2206
2207 if (mux_client_write_packet(fd, m) != 0)
2208 fatal_f("write packet: %s", strerror(errno));
2209
2210 sshbuf_reset(m);
2211
2212 /* Read their reply */
2213 if (mux_client_read_packet(fd, m) != 0)
2214 fatal_f("read from master failed: %s", strerror(errno));
2215
2216 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2217 (r = sshbuf_get_u32(m, &rid)) != 0)
2218 fatal_fr(r, "parse");
2219 if (rid != muxclient_request_id)
2220 fatal_f("out of sequence reply: my id %u theirs %u",
2221 muxclient_request_id, rid);
2222
2223 switch (type) {
2224 case MUX_S_OK:
2225 break;
2226 case MUX_S_PERMISSION_DENIED:
2227 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2228 fatal_fr(r, "parse error message");
2229 fatal("Master refused stop listening request: %s", e);
2230 case MUX_S_FAILURE:
2231 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2232 fatal_fr(r, "parse error message");
2233 fatal_f("stop listening request failed: %s", e);
2234 default:
2235 fatal_f("unexpected response from master 0x%08x", type);
2236 }
2237 sshbuf_free(m);
2238 muxclient_request_id++;
2239 }
2240
2241 /* Multiplex client main loop. */
2242 int
muxclient(const char * path)2243 muxclient(const char *path)
2244 {
2245 struct sockaddr_un addr;
2246 int sock, timeout = options.connection_timeout, timeout_ms = -1;
2247 u_int pid;
2248
2249 if (muxclient_command == 0) {
2250 if (options.stdio_forward_host != NULL)
2251 muxclient_command = SSHMUX_COMMAND_STDIO_FWD;
2252 else
2253 muxclient_command = SSHMUX_COMMAND_OPEN;
2254 }
2255
2256 switch (options.control_master) {
2257 case SSHCTL_MASTER_AUTO:
2258 case SSHCTL_MASTER_AUTO_ASK:
2259 debug("auto-mux: Trying existing master at '%s'", path);
2260 /* FALLTHROUGH */
2261 case SSHCTL_MASTER_NO:
2262 break;
2263 default:
2264 return -1;
2265 }
2266
2267 memset(&addr, '\0', sizeof(addr));
2268 addr.sun_family = AF_UNIX;
2269
2270 if (strlcpy(addr.sun_path, path,
2271 sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
2272 fatal("ControlPath too long ('%s' >= %u bytes)", path,
2273 (unsigned int)sizeof(addr.sun_path));
2274
2275 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
2276 fatal_f("socket(): %s", strerror(errno));
2277
2278 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
2279 switch (muxclient_command) {
2280 case SSHMUX_COMMAND_OPEN:
2281 case SSHMUX_COMMAND_STDIO_FWD:
2282 break;
2283 default:
2284 fatal("Control socket connect(%.100s): %s", path,
2285 strerror(errno));
2286 }
2287 if (errno == ECONNREFUSED &&
2288 options.control_master != SSHCTL_MASTER_NO) {
2289 debug("Stale control socket %.100s, unlinking", path);
2290 unlink(path);
2291 } else if (errno == ENOENT) {
2292 debug("Control socket \"%.100s\" does not exist", path);
2293 } else {
2294 error("Control socket connect(%.100s): %s", path,
2295 strerror(errno));
2296 }
2297 close(sock);
2298 return -1;
2299 }
2300 set_nonblock(sock);
2301
2302 /* Timeout on initial connection only. */
2303 if (timeout > 0 && timeout < INT_MAX / 1000)
2304 timeout_ms = timeout * 1000;
2305
2306 if (mux_client_hello_exchange(sock, timeout_ms) != 0) {
2307 error_f("master hello exchange failed");
2308 close(sock);
2309 return -1;
2310 }
2311
2312 switch (muxclient_command) {
2313 case SSHMUX_COMMAND_ALIVE_CHECK:
2314 if ((pid = mux_client_request_alive(sock)) == 0)
2315 fatal_f("master alive check failed");
2316 fprintf(stderr, "Master running (pid=%u)\r\n", pid);
2317 exit(0);
2318 case SSHMUX_COMMAND_TERMINATE:
2319 mux_client_request_terminate(sock);
2320 if (options.log_level != SYSLOG_LEVEL_QUIET)
2321 fprintf(stderr, "Exit request sent.\r\n");
2322 exit(0);
2323 case SSHMUX_COMMAND_FORWARD:
2324 if (mux_client_forwards(sock, 0) != 0)
2325 fatal_f("master forward request failed");
2326 exit(0);
2327 case SSHMUX_COMMAND_OPEN:
2328 if (mux_client_forwards(sock, 0) != 0) {
2329 error_f("master forward request failed");
2330 return -1;
2331 }
2332 mux_client_request_session(sock);
2333 return -1;
2334 case SSHMUX_COMMAND_STDIO_FWD:
2335 mux_client_request_stdio_fwd(sock);
2336 exit(0);
2337 case SSHMUX_COMMAND_STOP:
2338 mux_client_request_stop_listening(sock);
2339 if (options.log_level != SYSLOG_LEVEL_QUIET)
2340 fprintf(stderr, "Stop listening request sent.\r\n");
2341 exit(0);
2342 case SSHMUX_COMMAND_CANCEL_FWD:
2343 if (mux_client_forwards(sock, 1) != 0)
2344 error_f("master cancel forward request failed");
2345 exit(0);
2346 case SSHMUX_COMMAND_PROXY:
2347 mux_client_proxy(sock);
2348 return (sock);
2349 default:
2350 fatal("unrecognised muxclient_command %d", muxclient_command);
2351 }
2352 }
2353