[BACK]Return to mux.c CVS log [TXT][DIR] Up to [local] / src / usr.bin / ssh

Annotation of src/usr.bin/ssh/mux.c, Revision 1.20

1.20    ! djm         1: /* $OpenBSD: mux.c,v 1.19 2010/06/17 07:07:30 djm Exp $ */
1.1       djm         2: /*
                      3:  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
                      4:  *
                      5:  * Permission to use, copy, modify, and distribute this software for any
                      6:  * purpose with or without fee is hereby granted, provided that the above
                      7:  * copyright notice and this permission notice appear in all copies.
                      8:  *
                      9:  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                     10:  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     11:  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     12:  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     13:  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     14:  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     15:  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                     16:  */
                     17:
                     18: /* ssh session multiplexing support */
                     19:
1.2       djm        20: /*
                     21:  * TODO:
1.10      djm        22:  *   - Better signalling from master to slave, especially passing of
1.2       djm        23:  *      error messages
1.10      djm        24:  *   - Better fall-back from mux slave error to new connection.
                     25:  *   - ExitOnForwardingFailure
                     26:  *   - Maybe extension mechanisms for multi-X11/multi-agent forwarding
                     27:  *   - Support ~^Z in mux slaves.
                     28:  *   - Inspect or control sessions in master.
                     29:  *   - If we ever support the "signal" channel request, send signals on
                     30:  *     sessions in master.
1.2       djm        31:  */
                     32:
1.1       djm        33: #include <sys/types.h>
                     34: #include <sys/param.h>
                     35: #include <sys/queue.h>
                     36: #include <sys/stat.h>
                     37: #include <sys/socket.h>
                     38: #include <sys/un.h>
                     39:
                     40: #include <errno.h>
                     41: #include <fcntl.h>
1.10      djm        42: #include <poll.h>
1.1       djm        43: #include <signal.h>
                     44: #include <stdarg.h>
                     45: #include <stddef.h>
                     46: #include <stdlib.h>
                     47: #include <stdio.h>
                     48: #include <string.h>
                     49: #include <unistd.h>
                     50: #include <util.h>
                     51: #include <paths.h>
                     52:
1.10      djm        53: #include "atomicio.h"
1.1       djm        54: #include "xmalloc.h"
                     55: #include "log.h"
                     56: #include "ssh.h"
1.18      markus     57: #include "ssh2.h"
1.1       djm        58: #include "pathnames.h"
                     59: #include "misc.h"
                     60: #include "match.h"
                     61: #include "buffer.h"
                     62: #include "channels.h"
                     63: #include "msg.h"
                     64: #include "packet.h"
                     65: #include "monitor_fdpass.h"
                     66: #include "sshpty.h"
                     67: #include "key.h"
                     68: #include "readconf.h"
                     69: #include "clientloop.h"
                     70:
                     71: /* from ssh.c */
                     72: extern int tty_flag;
1.9       djm        73: extern int force_tty_flag;
1.1       djm        74: extern Options options;
                     75: extern int stdin_null_flag;
                     76: extern char *host;
1.8       dtucker    77: extern int subsystem_flag;
1.1       djm        78: extern Buffer command;
1.10      djm        79: extern volatile sig_atomic_t quit_pending;
                     80: extern char *stdio_forward_host;
                     81: extern int stdio_forward_port;
1.1       djm        82:
1.2       djm        83: /* Context for session open confirmation callback */
                     84: struct mux_session_confirm_ctx {
1.10      djm        85:        u_int want_tty;
                     86:        u_int want_subsys;
                     87:        u_int want_x_fwd;
                     88:        u_int want_agent_fwd;
1.2       djm        89:        Buffer cmd;
                     90:        char *term;
                     91:        struct termios tio;
                     92:        char **env;
1.17      djm        93:        u_int rid;
1.2       djm        94: };
                     95:
1.18      markus     96: /* Context for global channel callback */
                     97: struct mux_channel_confirm_ctx {
                     98:        u_int cid;      /* channel id */
                     99:        u_int rid;      /* request id */
                    100:        int fid;        /* forward id */
                    101: };
                    102:
1.1       djm       103: /* fd to control socket */
                    104: int muxserver_sock = -1;
                    105:
1.10      djm       106: /* client request id */
                    107: u_int muxclient_request_id = 0;
                    108:
1.1       djm       109: /* Multiplexing control command */
                    110: u_int muxclient_command = 0;
                    111:
                    112: /* Set when signalled. */
                    113: static volatile sig_atomic_t muxclient_terminate = 0;
                    114:
                    115: /* PID of multiplex server */
                    116: static u_int muxserver_pid = 0;
                    117:
1.10      djm       118: static Channel *mux_listener_channel = NULL;
                    119:
                    120: struct mux_master_state {
                    121:        int hello_rcvd;
                    122: };
1.1       djm       123:
1.10      djm       124: /* mux protocol messages */
                    125: #define MUX_MSG_HELLO          0x00000001
                    126: #define MUX_C_NEW_SESSION      0x10000002
                    127: #define MUX_C_ALIVE_CHECK      0x10000004
                    128: #define MUX_C_TERMINATE                0x10000005
                    129: #define MUX_C_OPEN_FWD         0x10000006
                    130: #define MUX_C_CLOSE_FWD                0x10000007
                    131: #define MUX_C_NEW_STDIO_FWD    0x10000008
                    132: #define MUX_S_OK               0x80000001
                    133: #define MUX_S_PERMISSION_DENIED        0x80000002
                    134: #define MUX_S_FAILURE          0x80000003
                    135: #define MUX_S_EXIT_MESSAGE     0x80000004
                    136: #define MUX_S_ALIVE            0x80000005
                    137: #define MUX_S_SESSION_OPENED   0x80000006
1.18      markus    138: #define MUX_S_REMOTE_PORT      0x80000007
1.10      djm       139:
                    140: /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */
                    141: #define MUX_FWD_LOCAL   1
                    142: #define MUX_FWD_REMOTE  2
                    143: #define MUX_FWD_DYNAMIC 3
                    144:
1.17      djm       145: static void mux_session_confirm(int, int, void *);
1.10      djm       146:
                    147: static int process_mux_master_hello(u_int, Channel *, Buffer *, Buffer *);
                    148: static int process_mux_new_session(u_int, Channel *, Buffer *, Buffer *);
                    149: static int process_mux_alive_check(u_int, Channel *, Buffer *, Buffer *);
                    150: static int process_mux_terminate(u_int, Channel *, Buffer *, Buffer *);
                    151: static int process_mux_open_fwd(u_int, Channel *, Buffer *, Buffer *);
                    152: static int process_mux_close_fwd(u_int, Channel *, Buffer *, Buffer *);
                    153: static int process_mux_stdio_fwd(u_int, Channel *, Buffer *, Buffer *);
                    154:
                    155: static const struct {
                    156:        u_int type;
                    157:        int (*handler)(u_int, Channel *, Buffer *, Buffer *);
                    158: } mux_master_handlers[] = {
                    159:        { MUX_MSG_HELLO, process_mux_master_hello },
                    160:        { MUX_C_NEW_SESSION, process_mux_new_session },
                    161:        { MUX_C_ALIVE_CHECK, process_mux_alive_check },
                    162:        { MUX_C_TERMINATE, process_mux_terminate },
                    163:        { MUX_C_OPEN_FWD, process_mux_open_fwd },
                    164:        { MUX_C_CLOSE_FWD, process_mux_close_fwd },
                    165:        { MUX_C_NEW_STDIO_FWD, process_mux_stdio_fwd },
                    166:        { 0, NULL }
                    167: };
1.1       djm       168:
1.10      djm       169: /* Cleanup callback fired on closure of mux slave _session_ channel */
                    170: /* ARGSUSED */
                    171: static void
                    172: mux_master_session_cleanup_cb(int cid, void *unused)
1.1       djm       173: {
1.10      djm       174:        Channel *cc, *c = channel_by_id(cid);
1.1       djm       175:
1.10      djm       176:        debug3("%s: entering for channel %d", __func__, cid);
                    177:        if (c == NULL)
                    178:                fatal("%s: channel_by_id(%i) == NULL", __func__, cid);
                    179:        if (c->ctl_chan != -1) {
                    180:                if ((cc = channel_by_id(c->ctl_chan)) == NULL)
                    181:                        fatal("%s: channel %d missing control channel %d",
                    182:                            __func__, c->self, c->ctl_chan);
                    183:                c->ctl_chan = -1;
                    184:                cc->remote_id = -1;
                    185:                chan_rcvd_oclose(cc);
1.1       djm       186:        }
1.10      djm       187:        channel_cancel_cleanup(c->self);
1.1       djm       188: }
                    189:
1.10      djm       190: /* Cleanup callback fired on closure of mux slave _control_ channel */
                    191: /* ARGSUSED */
1.1       djm       192: static void
1.10      djm       193: mux_master_control_cleanup_cb(int cid, void *unused)
1.1       djm       194: {
1.10      djm       195:        Channel *sc, *c = channel_by_id(cid);
1.1       djm       196:
1.10      djm       197:        debug3("%s: entering for channel %d", __func__, cid);
                    198:        if (c == NULL)
                    199:                fatal("%s: channel_by_id(%i) == NULL", __func__, cid);
                    200:        if (c->remote_id != -1) {
                    201:                if ((sc = channel_by_id(c->remote_id)) == NULL)
1.15      djm       202:                        fatal("%s: channel %d missing session channel %d",
1.10      djm       203:                            __func__, c->self, c->remote_id);
                    204:                c->remote_id = -1;
                    205:                sc->ctl_chan = -1;
1.12      djm       206:                if (sc->type != SSH_CHANNEL_OPEN) {
                    207:                        debug2("%s: channel %d: not open", __func__, sc->self);
1.13      djm       208:                        chan_mark_dead(sc);
1.12      djm       209:                } else {
1.14      djm       210:                        if (sc->istate == CHAN_INPUT_OPEN)
                    211:                                chan_read_failed(sc);
                    212:                        if (sc->ostate == CHAN_OUTPUT_OPEN)
                    213:                                chan_write_failed(sc);
1.12      djm       214:                }
1.1       djm       215:        }
1.10      djm       216:        channel_cancel_cleanup(c->self);
1.1       djm       217: }
                    218:
1.10      djm       219: /* Check mux client environment variables before passing them to mux master. */
                    220: static int
                    221: env_permitted(char *env)
1.1       djm       222: {
1.10      djm       223:        int i, ret;
                    224:        char name[1024], *cp;
1.1       djm       225:
1.10      djm       226:        if ((cp = strchr(env, '=')) == NULL || cp == env)
1.1       djm       227:                return 0;
1.10      djm       228:        ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
                    229:        if (ret <= 0 || (size_t)ret >= sizeof(name)) {
                    230:                error("env_permitted: name '%.100s...' too long", env);
1.1       djm       231:                return 0;
                    232:        }
                    233:
1.10      djm       234:        for (i = 0; i < options.num_send_env; i++)
                    235:                if (match_pattern(name, options.send_env[i]))
                    236:                        return 1;
1.1       djm       237:
1.10      djm       238:        return 0;
                    239: }
1.1       djm       240:
1.10      djm       241: /* Mux master protocol message handlers */
1.1       djm       242:
1.10      djm       243: static int
                    244: process_mux_master_hello(u_int rid, Channel *c, Buffer *m, Buffer *r)
                    245: {
                    246:        u_int ver;
                    247:        struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
1.1       djm       248:
1.10      djm       249:        if (state == NULL)
                    250:                fatal("%s: channel %d: c->mux_ctx == NULL", __func__, c->self);
                    251:        if (state->hello_rcvd) {
                    252:                error("%s: HELLO received twice", __func__);
                    253:                return -1;
                    254:        }
                    255:        if (buffer_get_int_ret(&ver, m) != 0) {
                    256:  malf:
                    257:                error("%s: malformed message", __func__);
                    258:                return -1;
                    259:        }
                    260:        if (ver != SSHMUX_VER) {
                    261:                error("Unsupported multiplexing protocol version %d "
                    262:                    "(expected %d)", ver, SSHMUX_VER);
                    263:                return -1;
                    264:        }
                    265:        debug2("%s: channel %d slave version %u", __func__, c->self, ver);
                    266:
                    267:        /* No extensions are presently defined */
                    268:        while (buffer_len(m) > 0) {
                    269:                char *name = buffer_get_string_ret(m, NULL);
                    270:                char *value = buffer_get_string_ret(m, NULL);
                    271:
                    272:                if (name == NULL || value == NULL) {
                    273:                        if (name != NULL)
                    274:                                xfree(name);
                    275:                        goto malf;
1.1       djm       276:                }
1.10      djm       277:                debug2("Unrecognised slave extension \"%s\"", name);
                    278:                xfree(name);
                    279:                xfree(value);
1.1       djm       280:        }
1.10      djm       281:        state->hello_rcvd = 1;
                    282:        return 0;
                    283: }
                    284:
                    285: static int
                    286: process_mux_new_session(u_int rid, Channel *c, Buffer *m, Buffer *r)
                    287: {
                    288:        Channel *nc;
                    289:        struct mux_session_confirm_ctx *cctx;
                    290:        char *reserved, *cmd, *cp;
                    291:        u_int i, j, len, env_len, escape_char, window, packetmax;
                    292:        int new_fd[3];
1.1       djm       293:
                    294:        /* Reply for SSHMUX_COMMAND_OPEN */
1.10      djm       295:        cctx = xcalloc(1, sizeof(*cctx));
                    296:        cctx->term = NULL;
1.17      djm       297:        cctx->rid = rid;
1.11      djm       298:        cmd = reserved = NULL;
1.10      djm       299:        if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
                    300:            buffer_get_int_ret(&cctx->want_tty, m) != 0 ||
                    301:            buffer_get_int_ret(&cctx->want_x_fwd, m) != 0 ||
                    302:            buffer_get_int_ret(&cctx->want_agent_fwd, m) != 0 ||
                    303:            buffer_get_int_ret(&cctx->want_subsys, m) != 0 ||
                    304:            buffer_get_int_ret(&escape_char, m) != 0 ||
                    305:            (cctx->term = buffer_get_string_ret(m, &len)) == NULL ||
                    306:            (cmd = buffer_get_string_ret(m, &len)) == NULL) {
                    307:  malf:
1.11      djm       308:                if (cmd != NULL)
                    309:                        xfree(cmd);
                    310:                if (reserved != NULL)
                    311:                        xfree(reserved);
1.10      djm       312:                if (cctx->term != NULL)
                    313:                        xfree(cctx->term);
                    314:                error("%s: malformed message", __func__);
                    315:                return -1;
1.1       djm       316:        }
1.10      djm       317:        xfree(reserved);
1.11      djm       318:        reserved = NULL;
1.1       djm       319:
1.10      djm       320:        cctx->env = NULL;
                    321:        env_len = 0;
                    322:        while (buffer_len(m) > 0) {
                    323: #define MUX_MAX_ENV_VARS       4096
                    324:                if ((cp = buffer_get_string_ret(m, &len)) == NULL) {
                    325:                        xfree(cmd);
                    326:                        goto malf;
                    327:                }
                    328:                if (!env_permitted(cp)) {
                    329:                        xfree(cp);
                    330:                        continue;
                    331:                }
                    332:                cctx->env = xrealloc(cctx->env, env_len + 2,
                    333:                    sizeof(*cctx->env));
                    334:                cctx->env[env_len++] = cp;
                    335:                cctx->env[env_len] = NULL;
                    336:                if (env_len > MUX_MAX_ENV_VARS) {
                    337:                        error(">%d environment variables received, ignoring "
                    338:                            "additional", MUX_MAX_ENV_VARS);
                    339:                        break;
                    340:                }
1.1       djm       341:        }
                    342:
1.10      djm       343:        debug2("%s: channel %d: request tty %d, X %d, agent %d, subsys %d, "
                    344:            "term \"%s\", cmd \"%s\", env %u", __func__, c->self,
                    345:            cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd,
                    346:            cctx->want_subsys, cctx->term, cmd, env_len);
1.1       djm       347:
                    348:        buffer_init(&cctx->cmd);
                    349:        buffer_append(&cctx->cmd, cmd, strlen(cmd));
                    350:        xfree(cmd);
1.11      djm       351:        cmd = NULL;
1.1       djm       352:
                    353:        /* Gather fds from client */
                    354:        for(i = 0; i < 3; i++) {
1.10      djm       355:                if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
1.1       djm       356:                        error("%s: failed to receive fd %d from slave",
                    357:                            __func__, i);
                    358:                        for (j = 0; j < i; j++)
                    359:                                close(new_fd[j]);
                    360:                        for (j = 0; j < env_len; j++)
                    361:                                xfree(cctx->env[j]);
                    362:                        if (env_len > 0)
                    363:                                xfree(cctx->env);
                    364:                        xfree(cctx->term);
                    365:                        buffer_free(&cctx->cmd);
                    366:                        xfree(cctx);
1.10      djm       367:
                    368:                        /* prepare reply */
                    369:                        buffer_put_int(r, MUX_S_FAILURE);
                    370:                        buffer_put_int(r, rid);
                    371:                        buffer_put_cstring(r,
                    372:                            "did not receive file descriptors");
                    373:                        return -1;
1.1       djm       374:                }
                    375:        }
                    376:
1.10      djm       377:        debug3("%s: got fds stdin %d, stdout %d, stderr %d", __func__,
1.1       djm       378:            new_fd[0], new_fd[1], new_fd[2]);
                    379:
1.10      djm       380:        /* XXX support multiple child sessions in future */
                    381:        if (c->remote_id != -1) {
                    382:                debug2("%s: session already open", __func__);
                    383:                /* prepare reply */
                    384:                buffer_put_int(r, MUX_S_FAILURE);
                    385:                buffer_put_int(r, rid);
                    386:                buffer_put_cstring(r, "Multiple sessions not supported");
                    387:  cleanup:
1.1       djm       388:                close(new_fd[0]);
                    389:                close(new_fd[1]);
                    390:                close(new_fd[2]);
                    391:                xfree(cctx->term);
                    392:                if (env_len != 0) {
                    393:                        for (i = 0; i < env_len; i++)
                    394:                                xfree(cctx->env[i]);
                    395:                        xfree(cctx->env);
                    396:                }
1.10      djm       397:                buffer_free(&cctx->cmd);
1.1       djm       398:                return 0;
                    399:        }
1.10      djm       400:
                    401:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    402:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                    403:                if (!ask_permission("Allow shared connection to %s? ", host)) {
                    404:                        debug2("%s: session refused by user", __func__);
                    405:                        /* prepare reply */
                    406:                        buffer_put_int(r, MUX_S_PERMISSION_DENIED);
                    407:                        buffer_put_int(r, rid);
                    408:                        buffer_put_cstring(r, "Permission denied");
                    409:                        goto cleanup;
                    410:                }
                    411:        }
                    412:
                    413:        /* Try to pick up ttymodes from client before it goes raw */
                    414:        if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
                    415:                error("%s: tcgetattr: %s", __func__, strerror(errno));
1.1       djm       416:
                    417:        /* enable nonblocking unless tty */
                    418:        if (!isatty(new_fd[0]))
                    419:                set_nonblock(new_fd[0]);
                    420:        if (!isatty(new_fd[1]))
                    421:                set_nonblock(new_fd[1]);
                    422:        if (!isatty(new_fd[2]))
                    423:                set_nonblock(new_fd[2]);
                    424:
                    425:        window = CHAN_SES_WINDOW_DEFAULT;
                    426:        packetmax = CHAN_SES_PACKET_DEFAULT;
                    427:        if (cctx->want_tty) {
                    428:                window >>= 1;
                    429:                packetmax >>= 1;
                    430:        }
1.10      djm       431:
                    432:        nc = channel_new("session", SSH_CHANNEL_OPENING,
1.1       djm       433:            new_fd[0], new_fd[1], new_fd[2], window, packetmax,
                    434:            CHAN_EXTENDED_WRITE, "client-session", /*nonblock*/0);
                    435:
1.10      djm       436:        nc->ctl_chan = c->self;         /* link session -> control channel */
                    437:        c->remote_id = nc->self;        /* link control -> session channel */
                    438:
1.2       djm       439:        if (cctx->want_tty && escape_char != 0xffffffff) {
1.10      djm       440:                channel_register_filter(nc->self,
1.2       djm       441:                    client_simple_escape_filter, NULL,
1.4       djm       442:                    client_filter_cleanup,
1.2       djm       443:                    client_new_escape_filter_ctx((int)escape_char));
                    444:        }
1.1       djm       445:
1.10      djm       446:        debug2("%s: channel_new: %d linked to control channel %d",
                    447:            __func__, nc->self, nc->ctl_chan);
                    448:
                    449:        channel_send_open(nc->self);
                    450:        channel_register_open_confirm(nc->self, mux_session_confirm, cctx);
1.17      djm       451:        c->mux_pause = 1; /* stop handling messages until open_confirm done */
1.16      djm       452:        channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1);
1.10      djm       453:
1.17      djm       454:        /* reply is deferred, sent by mux_session_confirm */
1.1       djm       455:        return 0;
                    456: }
                    457:
1.10      djm       458: static int
                    459: process_mux_alive_check(u_int rid, Channel *c, Buffer *m, Buffer *r)
1.1       djm       460: {
1.10      djm       461:        debug2("%s: channel %d: alive check", __func__, c->self);
1.1       djm       462:
1.10      djm       463:        /* prepare reply */
                    464:        buffer_put_int(r, MUX_S_ALIVE);
                    465:        buffer_put_int(r, rid);
                    466:        buffer_put_int(r, (u_int)getpid());
1.1       djm       467:
1.10      djm       468:        return 0;
1.1       djm       469: }
                    470:
                    471: static int
1.10      djm       472: process_mux_terminate(u_int rid, Channel *c, Buffer *m, Buffer *r)
1.1       djm       473: {
1.10      djm       474:        debug2("%s: channel %d: terminate request", __func__, c->self);
1.1       djm       475:
1.10      djm       476:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    477:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                    478:                if (!ask_permission("Terminate shared connection to %s? ",
                    479:                    host)) {
                    480:                        debug2("%s: termination refused by user", __func__);
                    481:                        buffer_put_int(r, MUX_S_PERMISSION_DENIED);
                    482:                        buffer_put_int(r, rid);
                    483:                        buffer_put_cstring(r, "Permission denied");
                    484:                        return 0;
                    485:                }
                    486:        }
1.1       djm       487:
1.10      djm       488:        quit_pending = 1;
                    489:        buffer_put_int(r, MUX_S_OK);
                    490:        buffer_put_int(r, rid);
                    491:        /* XXX exit happens too soon - message never makes it to client */
                    492:        return 0;
1.1       djm       493: }
                    494:
1.10      djm       495: static char *
                    496: format_forward(u_int ftype, Forward *fwd)
1.1       djm       497: {
1.10      djm       498:        char *ret;
1.1       djm       499:
1.10      djm       500:        switch (ftype) {
                    501:        case MUX_FWD_LOCAL:
                    502:                xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
                    503:                    (fwd->listen_host == NULL) ?
                    504:                    (options.gateway_ports ? "*" : "LOCALHOST") :
                    505:                    fwd->listen_host, fwd->listen_port,
                    506:                    fwd->connect_host, fwd->connect_port);
                    507:                break;
                    508:        case MUX_FWD_DYNAMIC:
                    509:                xasprintf(&ret, "dynamic forward %.200s:%d -> *",
                    510:                    (fwd->listen_host == NULL) ?
                    511:                    (options.gateway_ports ? "*" : "LOCALHOST") :
                    512:                     fwd->listen_host, fwd->listen_port);
                    513:                break;
                    514:        case MUX_FWD_REMOTE:
                    515:                xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
                    516:                    (fwd->listen_host == NULL) ?
                    517:                    "LOCALHOST" : fwd->listen_host,
                    518:                    fwd->listen_port,
                    519:                    fwd->connect_host, fwd->connect_port);
1.1       djm       520:                break;
                    521:        default:
1.10      djm       522:                fatal("%s: unknown forward type %u", __func__, ftype);
1.1       djm       523:        }
1.10      djm       524:        return ret;
                    525: }
1.1       djm       526:
1.10      djm       527: static int
                    528: compare_host(const char *a, const char *b)
                    529: {
                    530:        if (a == NULL && b == NULL)
                    531:                return 1;
                    532:        if (a == NULL || b == NULL)
                    533:                return 0;
                    534:        return strcmp(a, b) == 0;
                    535: }
1.1       djm       536:
1.10      djm       537: static int
                    538: compare_forward(Forward *a, Forward *b)
                    539: {
                    540:        if (!compare_host(a->listen_host, b->listen_host))
                    541:                return 0;
                    542:        if (a->listen_port != b->listen_port)
                    543:                return 0;
                    544:        if (!compare_host(a->connect_host, b->connect_host))
                    545:                return 0;
                    546:        if (a->connect_port != b->connect_port)
                    547:                return 0;
1.1       djm       548:
1.10      djm       549:        return 1;
                    550: }
1.1       djm       551:
1.18      markus    552: static void
                    553: mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
                    554: {
                    555:        struct mux_channel_confirm_ctx *fctx = ctxt;
                    556:        char *failmsg = NULL;
                    557:        Forward *rfwd;
                    558:        Channel *c;
                    559:        Buffer out;
                    560:
                    561:        if ((c = channel_by_id(fctx->cid)) == NULL) {
                    562:                /* no channel for reply */
                    563:                error("%s: unknown channel", __func__);
                    564:                return;
                    565:        }
                    566:        buffer_init(&out);
                    567:        if (fctx->fid >= options.num_remote_forwards) {
                    568:                xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid);
                    569:                goto fail;
                    570:        }
                    571:        rfwd = &options.remote_forwards[fctx->fid];
                    572:        debug("%s: %s for: listen %d, connect %s:%d", __func__,
                    573:            type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
                    574:            rfwd->listen_port, rfwd->connect_host, rfwd->connect_port);
                    575:        if (type == SSH2_MSG_REQUEST_SUCCESS) {
                    576:                if (rfwd->listen_port == 0) {
                    577:                        rfwd->allocated_port = packet_get_int();
                    578:                        logit("Allocated port %u for mux remote forward"
                    579:                            " to %s:%d", rfwd->allocated_port,
                    580:                            rfwd->connect_host, rfwd->connect_port);
                    581:                        buffer_put_int(&out, MUX_S_REMOTE_PORT);
                    582:                        buffer_put_int(&out, fctx->rid);
                    583:                        buffer_put_int(&out, rfwd->allocated_port);
                    584:                } else {
                    585:                        buffer_put_int(&out, MUX_S_OK);
                    586:                        buffer_put_int(&out, fctx->rid);
                    587:                }
                    588:                goto out;
                    589:        } else {
                    590:                xasprintf(&failmsg, "remote port forwarding failed for "
                    591:                    "listen port %d", rfwd->listen_port);
                    592:        }
                    593:  fail:
                    594:        error("%s: %s", __func__, failmsg);
                    595:        buffer_put_int(&out, MUX_S_FAILURE);
                    596:        buffer_put_int(&out, fctx->rid);
                    597:        buffer_put_cstring(&out, failmsg);
                    598:        xfree(failmsg);
                    599:  out:
                    600:        buffer_put_string(&c->output, buffer_ptr(&out), buffer_len(&out));
                    601:        buffer_free(&out);
                    602:        if (c->mux_pause <= 0)
                    603:                fatal("%s: mux_pause %d", __func__, c->mux_pause);
                    604:        c->mux_pause = 0; /* start processing messages again */
                    605: }
                    606:
1.10      djm       607: static int
                    608: process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
                    609: {
                    610:        Forward fwd;
                    611:        char *fwd_desc = NULL;
                    612:        u_int ftype;
                    613:        int i, ret = 0, freefwd = 1;
                    614:
                    615:        fwd.listen_host = fwd.connect_host = NULL;
                    616:        if (buffer_get_int_ret(&ftype, m) != 0 ||
                    617:            (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
                    618:            buffer_get_int_ret(&fwd.listen_port, m) != 0 ||
                    619:            (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
                    620:            buffer_get_int_ret(&fwd.connect_port, m) != 0) {
                    621:                error("%s: malformed message", __func__);
                    622:                ret = -1;
                    623:                goto out;
                    624:        }
                    625:
                    626:        if (*fwd.listen_host == '\0') {
                    627:                xfree(fwd.listen_host);
                    628:                fwd.listen_host = NULL;
                    629:        }
                    630:        if (*fwd.connect_host == '\0') {
                    631:                xfree(fwd.connect_host);
                    632:                fwd.connect_host = NULL;
                    633:        }
                    634:
                    635:        debug2("%s: channel %d: request %s", __func__, c->self,
                    636:            (fwd_desc = format_forward(ftype, &fwd)));
                    637:
                    638:        if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE &&
                    639:            ftype != MUX_FWD_DYNAMIC) {
                    640:                logit("%s: invalid forwarding type %u", __func__, ftype);
                    641:  invalid:
1.18      markus    642:                if (fwd.listen_host)
                    643:                        xfree(fwd.listen_host);
                    644:                if (fwd.connect_host)
                    645:                        xfree(fwd.connect_host);
1.10      djm       646:                buffer_put_int(r, MUX_S_FAILURE);
                    647:                buffer_put_int(r, rid);
                    648:                buffer_put_cstring(r, "Invalid forwarding request");
                    649:                return 0;
                    650:        }
1.18      markus    651:        if (fwd.listen_port >= 65536) {
1.10      djm       652:                logit("%s: invalid listen port %u", __func__,
                    653:                    fwd.listen_port);
                    654:                goto invalid;
                    655:        }
                    656:        if (fwd.connect_port >= 65536 || (ftype != MUX_FWD_DYNAMIC &&
                    657:            ftype != MUX_FWD_REMOTE && fwd.connect_port == 0)) {
                    658:                logit("%s: invalid connect port %u", __func__,
                    659:                    fwd.connect_port);
                    660:                goto invalid;
                    661:        }
                    662:        if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL) {
                    663:                logit("%s: missing connect host", __func__);
                    664:                goto invalid;
                    665:        }
                    666:
                    667:        /* Skip forwards that have already been requested */
                    668:        switch (ftype) {
                    669:        case MUX_FWD_LOCAL:
                    670:        case MUX_FWD_DYNAMIC:
                    671:                for (i = 0; i < options.num_local_forwards; i++) {
                    672:                        if (compare_forward(&fwd,
                    673:                            options.local_forwards + i)) {
                    674:  exists:
                    675:                                debug2("%s: found existing forwarding",
                    676:                                    __func__);
                    677:                                buffer_put_int(r, MUX_S_OK);
                    678:                                buffer_put_int(r, rid);
                    679:                                goto out;
                    680:                        }
                    681:                }
                    682:                break;
                    683:        case MUX_FWD_REMOTE:
                    684:                for (i = 0; i < options.num_remote_forwards; i++) {
                    685:                        if (compare_forward(&fwd,
1.18      markus    686:                            options.remote_forwards + i)) {
                    687:                                if (fwd.listen_port != 0)
                    688:                                        goto exists;
                    689:                                debug2("%s: found allocated port",
                    690:                                    __func__);
                    691:                                buffer_put_int(r, MUX_S_REMOTE_PORT);
                    692:                                buffer_put_int(r, rid);
                    693:                                buffer_put_int(r,
                    694:                                    options.remote_forwards[i].allocated_port);
                    695:                                goto out;
                    696:                        }
1.10      djm       697:                }
                    698:                break;
                    699:        }
                    700:
                    701:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    702:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                    703:                if (!ask_permission("Open %s on %s?", fwd_desc, host)) {
                    704:                        debug2("%s: forwarding refused by user", __func__);
                    705:                        buffer_put_int(r, MUX_S_PERMISSION_DENIED);
                    706:                        buffer_put_int(r, rid);
                    707:                        buffer_put_cstring(r, "Permission denied");
                    708:                        goto out;
                    709:                }
                    710:        }
                    711:
                    712:        if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
1.20    ! djm       713:                if (channel_setup_local_fwd_listener(fwd.listen_host,
1.10      djm       714:                    fwd.listen_port, fwd.connect_host, fwd.connect_port,
                    715:                    options.gateway_ports) < 0) {
                    716:  fail:
                    717:                        logit("slave-requested %s failed", fwd_desc);
                    718:                        buffer_put_int(r, MUX_S_FAILURE);
                    719:                        buffer_put_int(r, rid);
                    720:                        buffer_put_cstring(r, "Port forwarding failed");
                    721:                        goto out;
                    722:                }
                    723:                add_local_forward(&options, &fwd);
                    724:                freefwd = 0;
                    725:        } else {
1.18      markus    726:                struct mux_channel_confirm_ctx *fctx;
                    727:
1.20    ! djm       728:                if (channel_request_remote_forwarding(fwd.listen_host,
1.10      djm       729:                    fwd.listen_port, fwd.connect_host, fwd.connect_port) < 0)
                    730:                        goto fail;
                    731:                add_remote_forward(&options, &fwd);
1.18      markus    732:                fctx = xcalloc(1, sizeof(*fctx));
                    733:                fctx->cid = c->self;
                    734:                fctx->rid = rid;
1.20    ! djm       735:                fctx->fid = options.num_remote_forwards - 1;
1.18      markus    736:                client_register_global_confirm(mux_confirm_remote_forward,
                    737:                    fctx);
1.10      djm       738:                freefwd = 0;
1.18      markus    739:                c->mux_pause = 1; /* wait for mux_confirm_remote_forward */
                    740:                /* delayed reply in mux_confirm_remote_forward */
                    741:                goto out;
1.10      djm       742:        }
                    743:        buffer_put_int(r, MUX_S_OK);
                    744:        buffer_put_int(r, rid);
                    745:  out:
                    746:        if (fwd_desc != NULL)
                    747:                xfree(fwd_desc);
                    748:        if (freefwd) {
                    749:                if (fwd.listen_host != NULL)
                    750:                        xfree(fwd.listen_host);
                    751:                if (fwd.connect_host != NULL)
                    752:                        xfree(fwd.connect_host);
                    753:        }
                    754:        return ret;
                    755: }
                    756:
                    757: static int
                    758: process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
                    759: {
                    760:        Forward fwd;
                    761:        char *fwd_desc = NULL;
                    762:        u_int ftype;
                    763:        int ret = 0;
                    764:
                    765:        fwd.listen_host = fwd.connect_host = NULL;
                    766:        if (buffer_get_int_ret(&ftype, m) != 0 ||
                    767:            (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
                    768:            buffer_get_int_ret(&fwd.listen_port, m) != 0 ||
                    769:            (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
                    770:            buffer_get_int_ret(&fwd.connect_port, m) != 0) {
                    771:                error("%s: malformed message", __func__);
                    772:                ret = -1;
                    773:                goto out;
                    774:        }
                    775:
                    776:        if (*fwd.listen_host == '\0') {
                    777:                xfree(fwd.listen_host);
                    778:                fwd.listen_host = NULL;
                    779:        }
                    780:        if (*fwd.connect_host == '\0') {
                    781:                xfree(fwd.connect_host);
                    782:                fwd.connect_host = NULL;
                    783:        }
                    784:
                    785:        debug2("%s: channel %d: request %s", __func__, c->self,
                    786:            (fwd_desc = format_forward(ftype, &fwd)));
                    787:
                    788:        /* XXX implement this */
                    789:        buffer_put_int(r, MUX_S_FAILURE);
                    790:        buffer_put_int(r, rid);
                    791:        buffer_put_cstring(r, "unimplemented");
                    792:
                    793:  out:
                    794:        if (fwd_desc != NULL)
                    795:                xfree(fwd_desc);
                    796:        if (fwd.listen_host != NULL)
                    797:                xfree(fwd.listen_host);
                    798:        if (fwd.connect_host != NULL)
                    799:                xfree(fwd.connect_host);
                    800:
                    801:        return ret;
                    802: }
                    803:
                    804: static int
                    805: process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
                    806: {
                    807:        Channel *nc;
                    808:        char *reserved, *chost;
                    809:        u_int cport, i, j;
                    810:        int new_fd[2];
                    811:
1.11      djm       812:        chost = reserved = NULL;
1.10      djm       813:        if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
                    814:           (chost = buffer_get_string_ret(m, NULL)) == NULL ||
                    815:            buffer_get_int_ret(&cport, m) != 0) {
1.11      djm       816:                if (reserved != NULL)
                    817:                        xfree(reserved);
1.10      djm       818:                if (chost != NULL)
                    819:                        xfree(chost);
                    820:                error("%s: malformed message", __func__);
                    821:                return -1;
                    822:        }
                    823:        xfree(reserved);
                    824:
                    825:        debug2("%s: channel %d: request stdio fwd to %s:%u",
                    826:            __func__, c->self, chost, cport);
                    827:
                    828:        /* Gather fds from client */
                    829:        for(i = 0; i < 2; i++) {
                    830:                if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
                    831:                        error("%s: failed to receive fd %d from slave",
                    832:                            __func__, i);
                    833:                        for (j = 0; j < i; j++)
                    834:                                close(new_fd[j]);
                    835:                        xfree(chost);
                    836:
                    837:                        /* prepare reply */
                    838:                        buffer_put_int(r, MUX_S_FAILURE);
                    839:                        buffer_put_int(r, rid);
                    840:                        buffer_put_cstring(r,
                    841:                            "did not receive file descriptors");
                    842:                        return -1;
                    843:                }
                    844:        }
                    845:
                    846:        debug3("%s: got fds stdin %d, stdout %d", __func__,
                    847:            new_fd[0], new_fd[1]);
                    848:
                    849:        /* XXX support multiple child sessions in future */
                    850:        if (c->remote_id != -1) {
                    851:                debug2("%s: session already open", __func__);
                    852:                /* prepare reply */
                    853:                buffer_put_int(r, MUX_S_FAILURE);
                    854:                buffer_put_int(r, rid);
                    855:                buffer_put_cstring(r, "Multiple sessions not supported");
                    856:  cleanup:
                    857:                close(new_fd[0]);
                    858:                close(new_fd[1]);
                    859:                xfree(chost);
                    860:                return 0;
                    861:        }
                    862:
                    863:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    864:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                    865:                if (!ask_permission("Allow forward to to %s:%u? ",
                    866:                    chost, cport)) {
                    867:                        debug2("%s: stdio fwd refused by user", __func__);
                    868:                        /* prepare reply */
                    869:                        buffer_put_int(r, MUX_S_PERMISSION_DENIED);
                    870:                        buffer_put_int(r, rid);
                    871:                        buffer_put_cstring(r, "Permission denied");
                    872:                        goto cleanup;
                    873:                }
                    874:        }
                    875:
                    876:        /* enable nonblocking unless tty */
                    877:        if (!isatty(new_fd[0]))
                    878:                set_nonblock(new_fd[0]);
                    879:        if (!isatty(new_fd[1]))
                    880:                set_nonblock(new_fd[1]);
                    881:
                    882:        nc = channel_connect_stdio_fwd(chost, cport, new_fd[0], new_fd[1]);
                    883:
                    884:        nc->ctl_chan = c->self;         /* link session -> control channel */
                    885:        c->remote_id = nc->self;        /* link control -> session channel */
                    886:
                    887:        debug2("%s: channel_new: %d linked to control channel %d",
                    888:            __func__, nc->self, nc->ctl_chan);
                    889:
1.16      djm       890:        channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1);
1.10      djm       891:
                    892:        /* prepare reply */
                    893:        /* XXX defer until channel confirmed */
                    894:        buffer_put_int(r, MUX_S_SESSION_OPENED);
                    895:        buffer_put_int(r, rid);
                    896:        buffer_put_int(r, nc->self);
                    897:
                    898:        return 0;
                    899: }
                    900:
                    901: /* Channel callbacks fired on read/write from mux slave fd */
                    902: static int
                    903: mux_master_read_cb(Channel *c)
                    904: {
                    905:        struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
                    906:        Buffer in, out;
                    907:        void *ptr;
                    908:        u_int type, rid, have, i;
                    909:        int ret = -1;
                    910:
                    911:        /* Setup ctx and  */
                    912:        if (c->mux_ctx == NULL) {
1.19      djm       913:                state = xcalloc(1, sizeof(*state));
1.10      djm       914:                c->mux_ctx = state;
                    915:                channel_register_cleanup(c->self,
                    916:                    mux_master_control_cleanup_cb, 0);
                    917:
                    918:                /* Send hello */
                    919:                buffer_init(&out);
                    920:                buffer_put_int(&out, MUX_MSG_HELLO);
                    921:                buffer_put_int(&out, SSHMUX_VER);
                    922:                /* no extensions */
                    923:                buffer_put_string(&c->output, buffer_ptr(&out),
                    924:                    buffer_len(&out));
                    925:                buffer_free(&out);
                    926:                debug3("%s: channel %d: hello sent", __func__, c->self);
                    927:                return 0;
                    928:        }
                    929:
                    930:        buffer_init(&in);
                    931:        buffer_init(&out);
                    932:
                    933:        /* Channel code ensures that we receive whole packets */
                    934:        if ((ptr = buffer_get_string_ptr_ret(&c->input, &have)) == NULL) {
                    935:  malf:
                    936:                error("%s: malformed message", __func__);
                    937:                goto out;
                    938:        }
                    939:        buffer_append(&in, ptr, have);
                    940:
                    941:        if (buffer_get_int_ret(&type, &in) != 0)
                    942:                goto malf;
                    943:        debug3("%s: channel %d packet type 0x%08x len %u",
                    944:            __func__, c->self, type, buffer_len(&in));
                    945:
                    946:        if (type == MUX_MSG_HELLO)
                    947:                rid = 0;
                    948:        else {
                    949:                if (!state->hello_rcvd) {
                    950:                        error("%s: expected MUX_MSG_HELLO(0x%08x), "
                    951:                            "received 0x%08x", __func__, MUX_MSG_HELLO, type);
                    952:                        goto out;
1.1       djm       953:                }
1.10      djm       954:                if (buffer_get_int_ret(&rid, &in) != 0)
                    955:                        goto malf;
                    956:        }
                    957:
                    958:        for (i = 0; mux_master_handlers[i].handler != NULL; i++) {
                    959:                if (type == mux_master_handlers[i].type) {
                    960:                        ret = mux_master_handlers[i].handler(rid, c, &in, &out);
                    961:                        break;
1.1       djm       962:                }
1.10      djm       963:        }
                    964:        if (mux_master_handlers[i].handler == NULL) {
                    965:                error("%s: unsupported mux message 0x%08x", __func__, type);
                    966:                buffer_put_int(&out, MUX_S_FAILURE);
                    967:                buffer_put_int(&out, rid);
                    968:                buffer_put_cstring(&out, "unsupported request");
                    969:                ret = 0;
                    970:        }
                    971:        /* Enqueue reply packet */
                    972:        if (buffer_len(&out) != 0) {
                    973:                buffer_put_string(&c->output, buffer_ptr(&out),
                    974:                    buffer_len(&out));
                    975:        }
                    976:  out:
                    977:        buffer_free(&in);
                    978:        buffer_free(&out);
                    979:        return ret;
                    980: }
                    981:
                    982: void
                    983: mux_exit_message(Channel *c, int exitval)
                    984: {
                    985:        Buffer m;
                    986:        Channel *mux_chan;
                    987:
                    988:        debug3("%s: channel %d: exit message, evitval %d", __func__, c->self,
                    989:            exitval);
                    990:
                    991:        if ((mux_chan = channel_by_id(c->ctl_chan)) == NULL)
                    992:                fatal("%s: channel %d missing mux channel %d",
                    993:                    __func__, c->self, c->ctl_chan);
                    994:
                    995:        /* Append exit message packet to control socket output queue */
                    996:        buffer_init(&m);
                    997:        buffer_put_int(&m, MUX_S_EXIT_MESSAGE);
                    998:        buffer_put_int(&m, c->self);
                    999:        buffer_put_int(&m, exitval);
                   1000:
                   1001:        buffer_put_string(&mux_chan->output, buffer_ptr(&m), buffer_len(&m));
                   1002:        buffer_free(&m);
                   1003: }
                   1004:
                   1005: /* Prepare a mux master to listen on a Unix domain socket. */
                   1006: void
                   1007: muxserver_listen(void)
                   1008: {
                   1009:        struct sockaddr_un addr;
                   1010:        mode_t old_umask;
                   1011:
                   1012:        if (options.control_path == NULL ||
                   1013:            options.control_master == SSHCTL_MASTER_NO)
1.1       djm      1014:                return;
1.10      djm      1015:
                   1016:        debug("setting up multiplex master socket");
                   1017:
                   1018:        memset(&addr, '\0', sizeof(addr));
                   1019:        addr.sun_family = AF_UNIX;
                   1020:        addr.sun_len = offsetof(struct sockaddr_un, sun_path) +
                   1021:            strlen(options.control_path) + 1;
                   1022:
                   1023:        if (strlcpy(addr.sun_path, options.control_path,
                   1024:            sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
                   1025:                fatal("ControlPath too long");
                   1026:
                   1027:        if ((muxserver_sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
                   1028:                fatal("%s socket(): %s", __func__, strerror(errno));
                   1029:
                   1030:        old_umask = umask(0177);
                   1031:        if (bind(muxserver_sock, (struct sockaddr *)&addr, addr.sun_len) == -1) {
                   1032:                muxserver_sock = -1;
                   1033:                if (errno == EINVAL || errno == EADDRINUSE) {
                   1034:                        error("ControlSocket %s already exists, "
                   1035:                            "disabling multiplexing", options.control_path);
                   1036:                        close(muxserver_sock);
                   1037:                        muxserver_sock = -1;
                   1038:                        xfree(options.control_path);
                   1039:                        options.control_path = NULL;
                   1040:                        options.control_master = SSHCTL_MASTER_NO;
                   1041:                        return;
                   1042:                } else
                   1043:                        fatal("%s bind(): %s", __func__, strerror(errno));
                   1044:        }
                   1045:        umask(old_umask);
                   1046:
                   1047:        if (listen(muxserver_sock, 64) == -1)
                   1048:                fatal("%s listen(): %s", __func__, strerror(errno));
                   1049:
                   1050:        set_nonblock(muxserver_sock);
                   1051:
                   1052:        mux_listener_channel = channel_new("mux listener",
                   1053:            SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1,
                   1054:            CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
                   1055:            0, addr.sun_path, 1);
                   1056:        mux_listener_channel->mux_rcb = mux_master_read_cb;
                   1057:        debug3("%s: mux listener channel %d fd %d", __func__,
                   1058:            mux_listener_channel->self, mux_listener_channel->sock);
                   1059: }
                   1060:
                   1061: /* Callback on open confirmation in mux master for a mux client session. */
                   1062: static void
1.17      djm      1063: mux_session_confirm(int id, int success, void *arg)
1.10      djm      1064: {
                   1065:        struct mux_session_confirm_ctx *cctx = arg;
                   1066:        const char *display;
1.17      djm      1067:        Channel *c, *cc;
1.10      djm      1068:        int i;
1.17      djm      1069:        Buffer reply;
1.10      djm      1070:
                   1071:        if (cctx == NULL)
                   1072:                fatal("%s: cctx == NULL", __func__);
                   1073:        if ((c = channel_by_id(id)) == NULL)
                   1074:                fatal("%s: no channel for id %d", __func__, id);
1.17      djm      1075:        if ((cc = channel_by_id(c->ctl_chan)) == NULL)
                   1076:                fatal("%s: channel %d lacks control channel %d", __func__,
                   1077:                    id, c->ctl_chan);
                   1078:
                   1079:        if (!success) {
                   1080:                debug3("%s: sending failure reply", __func__);
                   1081:                /* prepare reply */
                   1082:                buffer_init(&reply);
                   1083:                buffer_put_int(&reply, MUX_S_FAILURE);
                   1084:                buffer_put_int(&reply, cctx->rid);
                   1085:                buffer_put_cstring(&reply, "Session open refused by peer");
                   1086:                goto done;
                   1087:        }
1.10      djm      1088:
                   1089:        display = getenv("DISPLAY");
                   1090:        if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
                   1091:                char *proto, *data;
                   1092:                /* Get reasonable local authentication information. */
                   1093:                client_x11_get_proto(display, options.xauth_location,
                   1094:                    options.forward_x11_trusted, &proto, &data);
                   1095:                /* Request forwarding with authentication spoofing. */
                   1096:                debug("Requesting X11 forwarding with authentication spoofing.");
                   1097:                x11_request_forwarding_with_spoofing(id, display, proto, data);
                   1098:                /* XXX wait for reply */
                   1099:        }
                   1100:
                   1101:        if (cctx->want_agent_fwd && options.forward_agent) {
                   1102:                debug("Requesting authentication agent forwarding.");
                   1103:                channel_request_start(id, "auth-agent-req@openssh.com", 0);
                   1104:                packet_send();
                   1105:        }
                   1106:
                   1107:        client_session2_setup(id, cctx->want_tty, cctx->want_subsys,
                   1108:            cctx->term, &cctx->tio, c->rfd, &cctx->cmd, cctx->env);
                   1109:
1.17      djm      1110:        debug3("%s: sending success reply", __func__);
                   1111:        /* prepare reply */
                   1112:        buffer_init(&reply);
                   1113:        buffer_put_int(&reply, MUX_S_SESSION_OPENED);
                   1114:        buffer_put_int(&reply, cctx->rid);
                   1115:        buffer_put_int(&reply, c->self);
                   1116:
                   1117:  done:
                   1118:        /* Send reply */
                   1119:        buffer_put_string(&cc->output, buffer_ptr(&reply), buffer_len(&reply));
                   1120:        buffer_free(&reply);
                   1121:
                   1122:        if (cc->mux_pause <= 0)
                   1123:                fatal("%s: mux_pause %d", __func__, cc->mux_pause);
                   1124:        cc->mux_pause = 0; /* start processing messages again */
1.10      djm      1125:        c->open_confirm_ctx = NULL;
                   1126:        buffer_free(&cctx->cmd);
                   1127:        xfree(cctx->term);
                   1128:        if (cctx->env != NULL) {
                   1129:                for (i = 0; cctx->env[i] != NULL; i++)
                   1130:                        xfree(cctx->env[i]);
                   1131:                xfree(cctx->env);
1.1       djm      1132:        }
1.10      djm      1133:        xfree(cctx);
                   1134: }
                   1135:
                   1136: /* ** Multiplexing client support */
                   1137:
                   1138: /* Exit signal handler */
                   1139: static void
                   1140: control_client_sighandler(int signo)
                   1141: {
                   1142:        muxclient_terminate = signo;
                   1143: }
                   1144:
                   1145: /*
                   1146:  * Relay signal handler - used to pass some signals from mux client to
                   1147:  * mux master.
                   1148:  */
                   1149: static void
                   1150: control_client_sigrelay(int signo)
                   1151: {
                   1152:        int save_errno = errno;
                   1153:
                   1154:        if (muxserver_pid > 1)
                   1155:                kill(muxserver_pid, signo);
                   1156:
                   1157:        errno = save_errno;
                   1158: }
1.1       djm      1159:
1.10      djm      1160: static int
                   1161: mux_client_read(int fd, Buffer *b, u_int need)
                   1162: {
                   1163:        u_int have;
                   1164:        ssize_t len;
                   1165:        u_char *p;
                   1166:        struct pollfd pfd;
                   1167:
                   1168:        pfd.fd = fd;
                   1169:        pfd.events = POLLIN;
                   1170:        p = buffer_append_space(b, need);
                   1171:        for (have = 0; have < need; ) {
                   1172:                if (muxclient_terminate) {
                   1173:                        errno = EINTR;
                   1174:                        return -1;
                   1175:                }
                   1176:                len = read(fd, p + have, need - have);
                   1177:                if (len < 0) {
                   1178:                        switch (errno) {
                   1179:                        case EAGAIN:
                   1180:                                (void)poll(&pfd, 1, -1);
                   1181:                                /* FALLTHROUGH */
                   1182:                        case EINTR:
                   1183:                                continue;
                   1184:                        default:
                   1185:                                return -1;
                   1186:                        }
                   1187:                }
                   1188:                if (len == 0) {
                   1189:                        errno = EPIPE;
                   1190:                        return -1;
                   1191:                }
                   1192:                have += (u_int)len;
1.1       djm      1193:        }
1.10      djm      1194:        return 0;
                   1195: }
1.1       djm      1196:
1.10      djm      1197: static int
                   1198: mux_client_write_packet(int fd, Buffer *m)
                   1199: {
                   1200:        Buffer queue;
                   1201:        u_int have, need;
                   1202:        int oerrno, len;
                   1203:        u_char *ptr;
                   1204:        struct pollfd pfd;
                   1205:
                   1206:        pfd.fd = fd;
                   1207:        pfd.events = POLLOUT;
                   1208:        buffer_init(&queue);
                   1209:        buffer_put_string(&queue, buffer_ptr(m), buffer_len(m));
                   1210:
                   1211:        need = buffer_len(&queue);
                   1212:        ptr = buffer_ptr(&queue);
                   1213:
                   1214:        for (have = 0; have < need; ) {
                   1215:                if (muxclient_terminate) {
                   1216:                        buffer_free(&queue);
                   1217:                        errno = EINTR;
                   1218:                        return -1;
                   1219:                }
                   1220:                len = write(fd, ptr + have, need - have);
                   1221:                if (len < 0) {
                   1222:                        switch (errno) {
                   1223:                        case EAGAIN:
                   1224:                                (void)poll(&pfd, 1, -1);
                   1225:                                /* FALLTHROUGH */
                   1226:                        case EINTR:
                   1227:                                continue;
                   1228:                        default:
                   1229:                                oerrno = errno;
                   1230:                                buffer_free(&queue);
                   1231:                                errno = oerrno;
                   1232:                                return -1;
                   1233:                        }
                   1234:                }
                   1235:                if (len == 0) {
                   1236:                        buffer_free(&queue);
                   1237:                        errno = EPIPE;
                   1238:                        return -1;
                   1239:                }
                   1240:                have += (u_int)len;
                   1241:        }
                   1242:        buffer_free(&queue);
                   1243:        return 0;
                   1244: }
1.1       djm      1245:
1.10      djm      1246: static int
                   1247: mux_client_read_packet(int fd, Buffer *m)
                   1248: {
                   1249:        Buffer queue;
                   1250:        u_int need, have;
                   1251:        void *ptr;
                   1252:        int oerrno;
                   1253:
                   1254:        buffer_init(&queue);
                   1255:        if (mux_client_read(fd, &queue, 4) != 0) {
                   1256:                if ((oerrno = errno) == EPIPE)
                   1257:                debug3("%s: read header failed: %s", __func__, strerror(errno));
                   1258:                errno = oerrno;
                   1259:                return -1;
                   1260:        }
                   1261:        need = get_u32(buffer_ptr(&queue));
                   1262:        if (mux_client_read(fd, &queue, need) != 0) {
                   1263:                oerrno = errno;
                   1264:                debug3("%s: read body failed: %s", __func__, strerror(errno));
                   1265:                errno = oerrno;
                   1266:                return -1;
                   1267:        }
                   1268:        ptr = buffer_get_string_ptr(&queue, &have);
                   1269:        buffer_append(m, ptr, have);
                   1270:        buffer_free(&queue);
                   1271:        return 0;
                   1272: }
1.1       djm      1273:
1.10      djm      1274: static int
                   1275: mux_client_hello_exchange(int fd)
                   1276: {
                   1277:        Buffer m;
                   1278:        u_int type, ver;
1.1       djm      1279:
                   1280:        buffer_init(&m);
1.10      djm      1281:        buffer_put_int(&m, MUX_MSG_HELLO);
                   1282:        buffer_put_int(&m, SSHMUX_VER);
                   1283:        /* no extensions */
                   1284:
                   1285:        if (mux_client_write_packet(fd, &m) != 0)
                   1286:                fatal("%s: write packet: %s", __func__, strerror(errno));
1.1       djm      1287:
1.10      djm      1288:        buffer_clear(&m);
                   1289:
                   1290:        /* Read their HELLO */
                   1291:        if (mux_client_read_packet(fd, &m) != 0) {
1.5       djm      1292:                buffer_free(&m);
1.10      djm      1293:                return -1;
                   1294:        }
                   1295:
                   1296:        type = buffer_get_int(&m);
                   1297:        if (type != MUX_MSG_HELLO)
                   1298:                fatal("%s: expected HELLO (%u) received %u",
                   1299:                    __func__, MUX_MSG_HELLO, type);
                   1300:        ver = buffer_get_int(&m);
                   1301:        if (ver != SSHMUX_VER)
                   1302:                fatal("Unsupported multiplexing protocol version %d "
                   1303:                    "(expected %d)", ver, SSHMUX_VER);
                   1304:        debug2("%s: master version %u", __func__, ver);
                   1305:        /* No extensions are presently defined */
                   1306:        while (buffer_len(&m) > 0) {
                   1307:                char *name = buffer_get_string(&m, NULL);
                   1308:                char *value = buffer_get_string(&m, NULL);
                   1309:
                   1310:                debug2("Unrecognised master extension \"%s\"", name);
                   1311:                xfree(name);
                   1312:                xfree(value);
1.5       djm      1313:        }
1.10      djm      1314:        buffer_free(&m);
                   1315:        return 0;
                   1316: }
                   1317:
                   1318: static u_int
                   1319: mux_client_request_alive(int fd)
                   1320: {
                   1321:        Buffer m;
                   1322:        char *e;
                   1323:        u_int pid, type, rid;
                   1324:
                   1325:        debug3("%s: entering", __func__);
                   1326:
                   1327:        buffer_init(&m);
                   1328:        buffer_put_int(&m, MUX_C_ALIVE_CHECK);
                   1329:        buffer_put_int(&m, muxclient_request_id);
                   1330:
                   1331:        if (mux_client_write_packet(fd, &m) != 0)
                   1332:                fatal("%s: write packet: %s", __func__, strerror(errno));
                   1333:
1.1       djm      1334:        buffer_clear(&m);
                   1335:
1.10      djm      1336:        /* Read their reply */
                   1337:        if (mux_client_read_packet(fd, &m) != 0) {
                   1338:                buffer_free(&m);
                   1339:                return 0;
                   1340:        }
                   1341:
                   1342:        type = buffer_get_int(&m);
                   1343:        if (type != MUX_S_ALIVE) {
                   1344:                e = buffer_get_string(&m, NULL);
                   1345:                fatal("%s: master returned error: %s", __func__, e);
1.5       djm      1346:        }
1.10      djm      1347:
                   1348:        if ((rid = buffer_get_int(&m)) != muxclient_request_id)
                   1349:                fatal("%s: out of sequence reply: my id %u theirs %u",
                   1350:                    __func__, muxclient_request_id, rid);
                   1351:        pid = buffer_get_int(&m);
                   1352:        buffer_free(&m);
                   1353:
                   1354:        debug3("%s: done pid = %u", __func__, pid);
                   1355:
                   1356:        muxclient_request_id++;
                   1357:
                   1358:        return pid;
                   1359: }
                   1360:
                   1361: static void
                   1362: mux_client_request_terminate(int fd)
                   1363: {
                   1364:        Buffer m;
                   1365:        char *e;
                   1366:        u_int type, rid;
                   1367:
                   1368:        debug3("%s: entering", __func__);
                   1369:
                   1370:        buffer_init(&m);
                   1371:        buffer_put_int(&m, MUX_C_TERMINATE);
                   1372:        buffer_put_int(&m, muxclient_request_id);
                   1373:
                   1374:        if (mux_client_write_packet(fd, &m) != 0)
                   1375:                fatal("%s: write packet: %s", __func__, strerror(errno));
1.1       djm      1376:
                   1377:        buffer_clear(&m);
                   1378:
1.10      djm      1379:        /* Read their reply */
                   1380:        if (mux_client_read_packet(fd, &m) != 0) {
                   1381:                /* Remote end exited already */
                   1382:                if (errno == EPIPE) {
                   1383:                        buffer_free(&m);
                   1384:                        return;
1.2       djm      1385:                }
1.10      djm      1386:                fatal("%s: read from master failed: %s",
                   1387:                    __func__, strerror(errno));
                   1388:        }
                   1389:
                   1390:        type = buffer_get_int(&m);
                   1391:        if ((rid = buffer_get_int(&m)) != muxclient_request_id)
                   1392:                fatal("%s: out of sequence reply: my id %u theirs %u",
                   1393:                    __func__, muxclient_request_id, rid);
                   1394:        switch (type) {
                   1395:        case MUX_S_OK:
                   1396:                break;
                   1397:        case MUX_S_PERMISSION_DENIED:
                   1398:                e = buffer_get_string(&m, NULL);
                   1399:                fatal("Master refused termination request: %s", e);
                   1400:        case MUX_S_FAILURE:
                   1401:                e = buffer_get_string(&m, NULL);
                   1402:                fatal("%s: termination request failed: %s", __func__, e);
                   1403:        default:
                   1404:                fatal("%s: unexpected response from master 0x%08x",
                   1405:                    __func__, type);
                   1406:        }
                   1407:        buffer_free(&m);
                   1408:        muxclient_request_id++;
                   1409: }
                   1410:
                   1411: static int
                   1412: mux_client_request_forward(int fd, u_int ftype, Forward *fwd)
                   1413: {
                   1414:        Buffer m;
                   1415:        char *e, *fwd_desc;
                   1416:        u_int type, rid;
                   1417:
                   1418:        fwd_desc = format_forward(ftype, fwd);
                   1419:        debug("Requesting %s", fwd_desc);
                   1420:        xfree(fwd_desc);
                   1421:
                   1422:        buffer_init(&m);
                   1423:        buffer_put_int(&m, MUX_C_OPEN_FWD);
                   1424:        buffer_put_int(&m, muxclient_request_id);
                   1425:        buffer_put_int(&m, ftype);
                   1426:        buffer_put_cstring(&m,
                   1427:            fwd->listen_host == NULL ? "" : fwd->listen_host);
                   1428:        buffer_put_int(&m, fwd->listen_port);
                   1429:        buffer_put_cstring(&m,
                   1430:            fwd->connect_host == NULL ? "" : fwd->connect_host);
                   1431:        buffer_put_int(&m, fwd->connect_port);
                   1432:
                   1433:        if (mux_client_write_packet(fd, &m) != 0)
                   1434:                fatal("%s: write packet: %s", __func__, strerror(errno));
                   1435:
                   1436:        buffer_clear(&m);
                   1437:
                   1438:        /* Read their reply */
                   1439:        if (mux_client_read_packet(fd, &m) != 0) {
                   1440:                buffer_free(&m);
                   1441:                return -1;
                   1442:        }
                   1443:
                   1444:        type = buffer_get_int(&m);
                   1445:        if ((rid = buffer_get_int(&m)) != muxclient_request_id)
                   1446:                fatal("%s: out of sequence reply: my id %u theirs %u",
                   1447:                    __func__, muxclient_request_id, rid);
                   1448:        switch (type) {
                   1449:        case MUX_S_OK:
1.1       djm      1450:                break;
1.18      markus   1451:        case MUX_S_REMOTE_PORT:
                   1452:                fwd->allocated_port = buffer_get_int(&m);
                   1453:                logit("Allocated port %u for remote forward to %s:%d",
                   1454:                    fwd->allocated_port,
                   1455:                    fwd->connect_host ? fwd->connect_host : "",
                   1456:                    fwd->connect_port);
                   1457:                if (muxclient_command == SSHMUX_COMMAND_FORWARD)
                   1458:                        fprintf(stdout, "%u\n", fwd->allocated_port);
                   1459:                break;
1.10      djm      1460:        case MUX_S_PERMISSION_DENIED:
                   1461:                e = buffer_get_string(&m, NULL);
                   1462:                buffer_free(&m);
                   1463:                error("Master refused forwarding request: %s", e);
                   1464:                return -1;
                   1465:        case MUX_S_FAILURE:
                   1466:                e = buffer_get_string(&m, NULL);
                   1467:                buffer_free(&m);
                   1468:                error("%s: session request failed: %s", __func__, e);
                   1469:                return -1;
1.1       djm      1470:        default:
1.10      djm      1471:                fatal("%s: unexpected response from master 0x%08x",
                   1472:                    __func__, type);
                   1473:        }
                   1474:        buffer_free(&m);
                   1475:
                   1476:        muxclient_request_id++;
                   1477:        return 0;
                   1478: }
                   1479:
                   1480: static int
                   1481: mux_client_request_forwards(int fd)
                   1482: {
                   1483:        int i;
                   1484:
                   1485:        debug3("%s: requesting forwardings: %d local, %d remote", __func__,
                   1486:            options.num_local_forwards, options.num_remote_forwards);
                   1487:
                   1488:        /* XXX ExitOnForwardingFailure */
                   1489:        for (i = 0; i < options.num_local_forwards; i++) {
                   1490:                if (mux_client_request_forward(fd,
                   1491:                    options.local_forwards[i].connect_port == 0 ?
                   1492:                    MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
                   1493:                    options.local_forwards + i) != 0)
                   1494:                        return -1;
                   1495:        }
                   1496:        for (i = 0; i < options.num_remote_forwards; i++) {
                   1497:                if (mux_client_request_forward(fd, MUX_FWD_REMOTE,
                   1498:                    options.remote_forwards + i) != 0)
                   1499:                        return -1;
                   1500:        }
                   1501:        return 0;
                   1502: }
                   1503:
                   1504: static int
                   1505: mux_client_request_session(int fd)
                   1506: {
                   1507:        Buffer m;
                   1508:        char *e, *term;
                   1509:        u_int i, rid, sid, esid, exitval, type, exitval_seen;
                   1510:        extern char **environ;
                   1511:        int devnull;
                   1512:
                   1513:        debug3("%s: entering", __func__);
                   1514:
                   1515:        if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
                   1516:                error("%s: master alive request failed", __func__);
                   1517:                return -1;
1.1       djm      1518:        }
                   1519:
1.10      djm      1520:        signal(SIGPIPE, SIG_IGN);
                   1521:
                   1522:        if (stdin_null_flag) {
                   1523:                if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1)
                   1524:                        fatal("open(/dev/null): %s", strerror(errno));
                   1525:                if (dup2(devnull, STDIN_FILENO) == -1)
                   1526:                        fatal("dup2: %s", strerror(errno));
                   1527:                if (devnull > STDERR_FILENO)
                   1528:                        close(devnull);
1.5       djm      1529:        }
1.1       djm      1530:
1.10      djm      1531:        term = getenv("TERM");
                   1532:
                   1533:        buffer_init(&m);
                   1534:        buffer_put_int(&m, MUX_C_NEW_SESSION);
                   1535:        buffer_put_int(&m, muxclient_request_id);
                   1536:        buffer_put_cstring(&m, ""); /* reserved */
                   1537:        buffer_put_int(&m, tty_flag);
                   1538:        buffer_put_int(&m, options.forward_x11);
                   1539:        buffer_put_int(&m, options.forward_agent);
                   1540:        buffer_put_int(&m, subsystem_flag);
                   1541:        buffer_put_int(&m, options.escape_char == SSH_ESCAPECHAR_NONE ?
                   1542:            0xffffffff : (u_int)options.escape_char);
                   1543:        buffer_put_cstring(&m, term == NULL ? "" : term);
                   1544:        buffer_put_string(&m, buffer_ptr(&command), buffer_len(&command));
                   1545:
                   1546:        if (options.num_send_env > 0 && environ != NULL) {
                   1547:                /* Pass environment */
                   1548:                for (i = 0; environ[i] != NULL; i++) {
                   1549:                        if (env_permitted(environ[i])) {
                   1550:                                buffer_put_cstring(&m, environ[i]);
                   1551:                        }
                   1552:                }
1.5       djm      1553:        }
                   1554:
1.10      djm      1555:        if (mux_client_write_packet(fd, &m) != 0)
                   1556:                fatal("%s: write packet: %s", __func__, strerror(errno));
                   1557:
                   1558:        /* Send the stdio file descriptors */
                   1559:        if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
                   1560:            mm_send_fd(fd, STDOUT_FILENO) == -1 ||
                   1561:            mm_send_fd(fd, STDERR_FILENO) == -1)
                   1562:                fatal("%s: send fds failed", __func__);
                   1563:
                   1564:        debug3("%s: session request sent", __func__);
1.1       djm      1565:
1.10      djm      1566:        /* Read their reply */
1.1       djm      1567:        buffer_clear(&m);
1.10      djm      1568:        if (mux_client_read_packet(fd, &m) != 0) {
                   1569:                error("%s: read from master failed: %s",
                   1570:                    __func__, strerror(errno));
                   1571:                buffer_free(&m);
                   1572:                return -1;
                   1573:        }
                   1574:
                   1575:        type = buffer_get_int(&m);
                   1576:        if ((rid = buffer_get_int(&m)) != muxclient_request_id)
                   1577:                fatal("%s: out of sequence reply: my id %u theirs %u",
                   1578:                    __func__, muxclient_request_id, rid);
                   1579:        switch (type) {
                   1580:        case MUX_S_SESSION_OPENED:
                   1581:                sid = buffer_get_int(&m);
                   1582:                debug("%s: master session id: %u", __func__, sid);
                   1583:                break;
                   1584:        case MUX_S_PERMISSION_DENIED:
                   1585:                e = buffer_get_string(&m, NULL);
                   1586:                buffer_free(&m);
                   1587:                error("Master refused forwarding request: %s", e);
                   1588:                return -1;
                   1589:        case MUX_S_FAILURE:
                   1590:                e = buffer_get_string(&m, NULL);
                   1591:                buffer_free(&m);
                   1592:                error("%s: forwarding request failed: %s", __func__, e);
                   1593:                return -1;
                   1594:        default:
                   1595:                buffer_free(&m);
                   1596:                error("%s: unexpected response from master 0x%08x",
                   1597:                    __func__, type);
                   1598:                return -1;
                   1599:        }
                   1600:        muxclient_request_id++;
1.1       djm      1601:
                   1602:        signal(SIGHUP, control_client_sighandler);
                   1603:        signal(SIGINT, control_client_sighandler);
                   1604:        signal(SIGTERM, control_client_sighandler);
                   1605:        signal(SIGWINCH, control_client_sigrelay);
                   1606:
                   1607:        if (tty_flag)
1.9       djm      1608:                enter_raw_mode(force_tty_flag);
1.1       djm      1609:
                   1610:        /*
                   1611:         * Stick around until the controlee closes the client_fd.
1.10      djm      1612:         * Before it does, it is expected to write an exit message.
                   1613:         * This process must read the value and wait for the closure of
                   1614:         * the client_fd; if this one closes early, the multiplex master will
                   1615:         * terminate early too (possibly losing data).
1.1       djm      1616:         */
1.10      djm      1617:        for (exitval = 255, exitval_seen = 0;;) {
                   1618:                buffer_clear(&m);
                   1619:                if (mux_client_read_packet(fd, &m) != 0)
1.1       djm      1620:                        break;
1.10      djm      1621:                type = buffer_get_int(&m);
                   1622:                if (type != MUX_S_EXIT_MESSAGE) {
                   1623:                        e = buffer_get_string(&m, NULL);
                   1624:                        fatal("%s: master returned error: %s", __func__, e);
1.1       djm      1625:                }
1.10      djm      1626:                if ((esid = buffer_get_int(&m)) != sid)
                   1627:                        fatal("%s: exit on unknown session: my id %u theirs %u",
                   1628:                            __func__, sid, esid);
                   1629:                debug("%s: master session id: %u", __func__, sid);
                   1630:                if (exitval_seen)
                   1631:                        fatal("%s: exitval sent twice", __func__);
                   1632:                exitval = buffer_get_int(&m);
                   1633:                exitval_seen = 1;
1.1       djm      1634:        }
                   1635:
1.10      djm      1636:        close(fd);
1.9       djm      1637:        leave_raw_mode(force_tty_flag);
1.10      djm      1638:
1.1       djm      1639:        if (muxclient_terminate) {
                   1640:                debug2("Exiting on signal %d", muxclient_terminate);
1.10      djm      1641:                exitval = 255;
                   1642:        } else if (!exitval_seen) {
1.1       djm      1643:                debug2("Control master terminated unexpectedly");
1.10      djm      1644:                exitval = 255;
1.1       djm      1645:        } else
1.10      djm      1646:                debug2("Received exit status from master %d", exitval);
1.1       djm      1647:
                   1648:        if (tty_flag && options.log_level != SYSLOG_LEVEL_QUIET)
                   1649:                fprintf(stderr, "Shared connection to %s closed.\r\n", host);
                   1650:
1.10      djm      1651:        exit(exitval);
                   1652: }
                   1653:
                   1654: static int
                   1655: mux_client_request_stdio_fwd(int fd)
                   1656: {
                   1657:        Buffer m;
                   1658:        char *e;
                   1659:        u_int type, rid, sid;
                   1660:        int devnull;
                   1661:
                   1662:        debug3("%s: entering", __func__);
                   1663:
                   1664:        if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
                   1665:                error("%s: master alive request failed", __func__);
                   1666:                return -1;
                   1667:        }
                   1668:
                   1669:        signal(SIGPIPE, SIG_IGN);
                   1670:
                   1671:        if (stdin_null_flag) {
                   1672:                if ((devnull = open(_PATH_DEVNULL, O_RDONLY)) == -1)
                   1673:                        fatal("open(/dev/null): %s", strerror(errno));
                   1674:                if (dup2(devnull, STDIN_FILENO) == -1)
                   1675:                        fatal("dup2: %s", strerror(errno));
                   1676:                if (devnull > STDERR_FILENO)
                   1677:                        close(devnull);
                   1678:        }
                   1679:
                   1680:        buffer_init(&m);
                   1681:        buffer_put_int(&m, MUX_C_NEW_STDIO_FWD);
                   1682:        buffer_put_int(&m, muxclient_request_id);
                   1683:        buffer_put_cstring(&m, ""); /* reserved */
                   1684:        buffer_put_cstring(&m, stdio_forward_host);
                   1685:        buffer_put_int(&m, stdio_forward_port);
                   1686:
                   1687:        if (mux_client_write_packet(fd, &m) != 0)
                   1688:                fatal("%s: write packet: %s", __func__, strerror(errno));
                   1689:
                   1690:        /* Send the stdio file descriptors */
                   1691:        if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
                   1692:            mm_send_fd(fd, STDOUT_FILENO) == -1)
                   1693:                fatal("%s: send fds failed", __func__);
                   1694:
                   1695:        debug3("%s: stdio forward request sent", __func__);
                   1696:
                   1697:        /* Read their reply */
                   1698:        buffer_clear(&m);
                   1699:
                   1700:        if (mux_client_read_packet(fd, &m) != 0) {
                   1701:                error("%s: read from master failed: %s",
                   1702:                    __func__, strerror(errno));
                   1703:                buffer_free(&m);
                   1704:                return -1;
                   1705:        }
                   1706:
                   1707:        type = buffer_get_int(&m);
                   1708:        if ((rid = buffer_get_int(&m)) != muxclient_request_id)
                   1709:                fatal("%s: out of sequence reply: my id %u theirs %u",
                   1710:                    __func__, muxclient_request_id, rid);
                   1711:        switch (type) {
                   1712:        case MUX_S_SESSION_OPENED:
                   1713:                sid = buffer_get_int(&m);
                   1714:                debug("%s: master session id: %u", __func__, sid);
                   1715:                break;
                   1716:        case MUX_S_PERMISSION_DENIED:
                   1717:                e = buffer_get_string(&m, NULL);
                   1718:                buffer_free(&m);
                   1719:                fatal("Master refused forwarding request: %s", e);
                   1720:        case MUX_S_FAILURE:
                   1721:                e = buffer_get_string(&m, NULL);
                   1722:                buffer_free(&m);
                   1723:                fatal("%s: stdio forwarding request failed: %s", __func__, e);
                   1724:        default:
                   1725:                buffer_free(&m);
                   1726:                error("%s: unexpected response from master 0x%08x",
                   1727:                    __func__, type);
                   1728:                return -1;
                   1729:        }
                   1730:        muxclient_request_id++;
                   1731:
                   1732:        signal(SIGHUP, control_client_sighandler);
                   1733:        signal(SIGINT, control_client_sighandler);
                   1734:        signal(SIGTERM, control_client_sighandler);
                   1735:        signal(SIGWINCH, control_client_sigrelay);
                   1736:
                   1737:        /*
                   1738:         * Stick around until the controlee closes the client_fd.
                   1739:         */
                   1740:        buffer_clear(&m);
                   1741:        if (mux_client_read_packet(fd, &m) != 0) {
                   1742:                if (errno == EPIPE ||
                   1743:                    (errno == EINTR && muxclient_terminate != 0))
                   1744:                        return 0;
                   1745:                fatal("%s: mux_client_read_packet: %s",
                   1746:                    __func__, strerror(errno));
                   1747:        }
                   1748:        fatal("%s: master returned unexpected message %u", __func__, type);
                   1749: }
                   1750:
                   1751: /* Multiplex client main loop. */
                   1752: void
                   1753: muxclient(const char *path)
                   1754: {
                   1755:        struct sockaddr_un addr;
                   1756:        int sock;
                   1757:        u_int pid;
                   1758:
                   1759:        if (muxclient_command == 0) {
                   1760:                if (stdio_forward_host != NULL)
                   1761:                        muxclient_command = SSHMUX_COMMAND_STDIO_FWD;
                   1762:                else
                   1763:                        muxclient_command = SSHMUX_COMMAND_OPEN;
                   1764:        }
                   1765:
                   1766:        switch (options.control_master) {
                   1767:        case SSHCTL_MASTER_AUTO:
                   1768:        case SSHCTL_MASTER_AUTO_ASK:
                   1769:                debug("auto-mux: Trying existing master");
                   1770:                /* FALLTHROUGH */
                   1771:        case SSHCTL_MASTER_NO:
                   1772:                break;
                   1773:        default:
                   1774:                return;
                   1775:        }
                   1776:
                   1777:        memset(&addr, '\0', sizeof(addr));
                   1778:        addr.sun_family = AF_UNIX;
                   1779:        addr.sun_len = offsetof(struct sockaddr_un, sun_path) +
                   1780:            strlen(path) + 1;
                   1781:
                   1782:        if (strlcpy(addr.sun_path, path,
                   1783:            sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
                   1784:                fatal("ControlPath too long");
                   1785:
                   1786:        if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
                   1787:                fatal("%s socket(): %s", __func__, strerror(errno));
                   1788:
                   1789:        if (connect(sock, (struct sockaddr *)&addr, addr.sun_len) == -1) {
                   1790:                switch (muxclient_command) {
                   1791:                case SSHMUX_COMMAND_OPEN:
                   1792:                case SSHMUX_COMMAND_STDIO_FWD:
                   1793:                        break;
                   1794:                default:
                   1795:                        fatal("Control socket connect(%.100s): %s", path,
                   1796:                            strerror(errno));
                   1797:                }
                   1798:                if (errno == ENOENT)
                   1799:                        debug("Control socket \"%.100s\" does not exist", path);
                   1800:                else {
                   1801:                        error("Control socket connect(%.100s): %s", path,
                   1802:                            strerror(errno));
                   1803:                }
                   1804:                close(sock);
                   1805:                return;
                   1806:        }
                   1807:        set_nonblock(sock);
                   1808:
                   1809:        if (mux_client_hello_exchange(sock) != 0) {
                   1810:                error("%s: master hello exchange failed", __func__);
                   1811:                close(sock);
                   1812:                return;
                   1813:        }
                   1814:
                   1815:        switch (muxclient_command) {
                   1816:        case SSHMUX_COMMAND_ALIVE_CHECK:
                   1817:                if ((pid = mux_client_request_alive(sock)) == 0)
                   1818:                        fatal("%s: master alive check failed", __func__);
                   1819:                fprintf(stderr, "Master running (pid=%d)\r\n", pid);
                   1820:                exit(0);
                   1821:        case SSHMUX_COMMAND_TERMINATE:
                   1822:                mux_client_request_terminate(sock);
                   1823:                fprintf(stderr, "Exit request sent.\r\n");
1.18      markus   1824:                exit(0);
                   1825:        case SSHMUX_COMMAND_FORWARD:
                   1826:                if (mux_client_request_forwards(sock) != 0)
                   1827:                        fatal("%s: master forward request failed", __func__);
1.10      djm      1828:                exit(0);
                   1829:        case SSHMUX_COMMAND_OPEN:
                   1830:                if (mux_client_request_forwards(sock) != 0) {
                   1831:                        error("%s: master forward request failed", __func__);
                   1832:                        return;
                   1833:                }
                   1834:                mux_client_request_session(sock);
                   1835:                return;
                   1836:        case SSHMUX_COMMAND_STDIO_FWD:
                   1837:                mux_client_request_stdio_fwd(sock);
                   1838:                exit(0);
                   1839:        default:
                   1840:                fatal("unrecognised muxclient_command %d", muxclient_command);
                   1841:        }
1.1       djm      1842: }