Return to mux.c CVS log

Up to [local] / src / usr.bin / ssh

Annotation of src/usr.bin/ssh/mux.c, Revision 1.95

1.95    ! djm         1: /* $OpenBSD: mux.c,v 1.94 2022/06/03 04:30:47 djm Exp $ */
1.1       djm         2: /*
                      3:  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
                      4:  *
                      5:  * Permission to use, copy, modify, and distribute this software for any
                      6:  * purpose with or without fee is hereby granted, provided that the above
                      7:  * copyright notice and this permission notice appear in all copies.
                      8:  *
                      9:  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
                     10:  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
                     11:  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
                     12:  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
                     13:  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
                     14:  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
                     15:  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
                     16:  */
                     17:
                     18: /* ssh session multiplexing support */
1.2       djm        19:
1.1       djm        20: #include <sys/types.h>
                     21: #include <sys/queue.h>
                     22: #include <sys/stat.h>
                     23: #include <sys/socket.h>
                     24: #include <sys/un.h>
                     25:
                     26: #include <errno.h>
                     27: #include <fcntl.h>
1.10      djm        28: #include <poll.h>
1.1       djm        29: #include <signal.h>
                     30: #include <stdarg.h>
                     31: #include <stddef.h>
                     32: #include <stdlib.h>
                     33: #include <stdio.h>
                     34: #include <string.h>
                     35: #include <unistd.h>
                     36: #include <util.h>
                     37: #include <paths.h>
                     38:
1.10      djm        39: #include "atomicio.h"
1.1       djm        40: #include "xmalloc.h"
                     41: #include "log.h"
                     42: #include "ssh.h"
1.18      markus     43: #include "ssh2.h"
1.1       djm        44: #include "pathnames.h"
                     45: #include "misc.h"
                     46: #include "match.h"
1.73      markus     47: #include "sshbuf.h"
1.1       djm        48: #include "channels.h"
                     49: #include "msg.h"
                     50: #include "packet.h"
                     51: #include "monitor_fdpass.h"
                     52: #include "sshpty.h"
1.74      markus     53: #include "sshkey.h"
1.1       djm        54: #include "readconf.h"
                     55: #include "clientloop.h"
1.62      markus     56: #include "ssherr.h"
1.78      djm        57:
1.1       djm        58: /* from ssh.c */
                     59: extern int tty_flag;
                     60: extern Options options;
                     61: extern char *host;
1.72      markus     62: extern struct sshbuf *command;
1.10      djm        63: extern volatile sig_atomic_t quit_pending;
1.1       djm        64:
1.2       djm        65: /* Context for session open confirmation callback */
                     66: struct mux_session_confirm_ctx {
1.10      djm        67:        u_int want_tty;
                     68:        u_int want_subsys;
                     69:        u_int want_x_fwd;
                     70:        u_int want_agent_fwd;
1.73      markus     71:        struct sshbuf *cmd;
1.2       djm        72:        char *term;
                     73:        struct termios tio;
                     74:        char **env;
1.17      djm        75:        u_int rid;
1.2       djm        76: };
                     77:
1.48      djm        78: /* Context for stdio fwd open confirmation callback */
                     79: struct mux_stdio_confirm_ctx {
                     80:        u_int rid;
                     81: };
                     82:
1.18      markus     83: /* Context for global channel callback */
                     84: struct mux_channel_confirm_ctx {
                     85:        u_int cid;      /* channel id */
                     86:        u_int rid;      /* request id */
                     87:        int fid;        /* forward id */
                     88: };
                     89:
1.1       djm        90: /* fd to control socket */
                     91: int muxserver_sock = -1;
                     92:
1.10      djm        93: /* client request id */
                     94: u_int muxclient_request_id = 0;
                     95:
1.1       djm        96: /* Multiplexing control command */
                     97: u_int muxclient_command = 0;
                     98:
                     99: /* Set when signalled. */
                    100: static volatile sig_atomic_t muxclient_terminate = 0;
                    101:
                    102: /* PID of multiplex server */
                    103: static u_int muxserver_pid = 0;
                    104:
1.10      djm       105: static Channel *mux_listener_channel = NULL;
                    106:
                    107: struct mux_master_state {
                    108:        int hello_rcvd;
                    109: };
1.1       djm       110:
1.10      djm       111: /* mux protocol messages */
                    112: #define MUX_MSG_HELLO          0x00000001
                    113: #define MUX_C_NEW_SESSION      0x10000002
                    114: #define MUX_C_ALIVE_CHECK      0x10000004
                    115: #define MUX_C_TERMINATE                0x10000005
                    116: #define MUX_C_OPEN_FWD         0x10000006
                    117: #define MUX_C_CLOSE_FWD                0x10000007
                    118: #define MUX_C_NEW_STDIO_FWD    0x10000008
1.25      djm       119: #define MUX_C_STOP_LISTENING   0x10000009
1.62      markus    120: #define MUX_C_PROXY            0x1000000f
1.10      djm       121: #define MUX_S_OK               0x80000001
                    122: #define MUX_S_PERMISSION_DENIED        0x80000002
                    123: #define MUX_S_FAILURE          0x80000003
                    124: #define MUX_S_EXIT_MESSAGE     0x80000004
                    125: #define MUX_S_ALIVE            0x80000005
                    126: #define MUX_S_SESSION_OPENED   0x80000006
1.18      markus    127: #define MUX_S_REMOTE_PORT      0x80000007
1.28      djm       128: #define MUX_S_TTY_ALLOC_FAIL   0x80000008
1.62      markus    129: #define MUX_S_PROXY            0x8000000f
1.10      djm       130:
                    131: /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */
                    132: #define MUX_FWD_LOCAL   1
                    133: #define MUX_FWD_REMOTE  2
                    134: #define MUX_FWD_DYNAMIC 3
                    135:
1.66      djm       136: static void mux_session_confirm(struct ssh *, int, int, void *);
                    137: static void mux_stdio_confirm(struct ssh *, int, int, void *);
1.10      djm       138:
1.76      djm       139: static int mux_master_process_hello(struct ssh *, u_int,
1.66      djm       140:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       141: static int mux_master_process_new_session(struct ssh *, u_int,
1.66      djm       142:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       143: static int mux_master_process_alive_check(struct ssh *, u_int,
1.66      djm       144:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       145: static int mux_master_process_terminate(struct ssh *, u_int,
1.66      djm       146:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       147: static int mux_master_process_open_fwd(struct ssh *, u_int,
1.66      djm       148:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       149: static int mux_master_process_close_fwd(struct ssh *, u_int,
1.66      djm       150:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       151: static int mux_master_process_stdio_fwd(struct ssh *, u_int,
1.66      djm       152:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       153: static int mux_master_process_stop_listening(struct ssh *, u_int,
1.66      djm       154:            Channel *, struct sshbuf *, struct sshbuf *);
1.76      djm       155: static int mux_master_process_proxy(struct ssh *, u_int,
1.66      djm       156:            Channel *, struct sshbuf *, struct sshbuf *);
1.10      djm       157:
                    158: static const struct {
                    159:        u_int type;
1.66      djm       160:        int (*handler)(struct ssh *, u_int, Channel *,
                    161:            struct sshbuf *, struct sshbuf *);
1.10      djm       162: } mux_master_handlers[] = {
1.76      djm       163:        { MUX_MSG_HELLO, mux_master_process_hello },
                    164:        { MUX_C_NEW_SESSION, mux_master_process_new_session },
                    165:        { MUX_C_ALIVE_CHECK, mux_master_process_alive_check },
                    166:        { MUX_C_TERMINATE, mux_master_process_terminate },
                    167:        { MUX_C_OPEN_FWD, mux_master_process_open_fwd },
                    168:        { MUX_C_CLOSE_FWD, mux_master_process_close_fwd },
                    169:        { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd },
                    170:        { MUX_C_STOP_LISTENING, mux_master_process_stop_listening },
                    171:        { MUX_C_PROXY, mux_master_process_proxy },
1.10      djm       172:        { 0, NULL }
                    173: };
1.1       djm       174:
1.83      djm       175: /* Cleanup callback fired on closure of mux client _session_ channel */
1.10      djm       176: /* ARGSUSED */
1.42      dtucker   177: static void
1.95    ! djm       178: mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
1.1       djm       179: {
1.66      djm       180:        Channel *cc, *c = channel_by_id(ssh, cid);
1.1       djm       181:
1.85      djm       182:        debug3_f("entering for channel %d", cid);
1.10      djm       183:        if (c == NULL)
1.85      djm       184:                fatal_f("channel_by_id(%i) == NULL", cid);
1.10      djm       185:        if (c->ctl_chan != -1) {
1.66      djm       186:                if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1.85      djm       187:                        fatal_f("channel %d missing control channel %d",
                    188:                            c->self, c->ctl_chan);
1.10      djm       189:                c->ctl_chan = -1;
1.67      djm       190:                cc->remote_id = 0;
                    191:                cc->have_remote_id = 0;
1.66      djm       192:                chan_rcvd_oclose(ssh, cc);
1.1       djm       193:        }
1.66      djm       194:        channel_cancel_cleanup(ssh, c->self);
1.1       djm       195: }
                    196:
1.83      djm       197: /* Cleanup callback fired on closure of mux client _control_ channel */
1.10      djm       198: /* ARGSUSED */
1.1       djm       199: static void
1.95    ! djm       200: mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
1.1       djm       201: {
1.66      djm       202:        Channel *sc, *c = channel_by_id(ssh, cid);
1.1       djm       203:
1.85      djm       204:        debug3_f("entering for channel %d", cid);
1.10      djm       205:        if (c == NULL)
1.85      djm       206:                fatal_f("channel_by_id(%i) == NULL", cid);
1.67      djm       207:        if (c->have_remote_id) {
1.66      djm       208:                if ((sc = channel_by_id(ssh, c->remote_id)) == NULL)
1.85      djm       209:                        fatal_f("channel %d missing session channel %u",
                    210:                            c->self, c->remote_id);
1.67      djm       211:                c->remote_id = 0;
                    212:                c->have_remote_id = 0;
1.10      djm       213:                sc->ctl_chan = -1;
1.39      djm       214:                if (sc->type != SSH_CHANNEL_OPEN &&
                    215:                    sc->type != SSH_CHANNEL_OPENING) {
1.85      djm       216:                        debug2_f("channel %d: not open", sc->self);
1.66      djm       217:                        chan_mark_dead(ssh, sc);
1.12      djm       218:                } else {
1.14      djm       219:                        if (sc->istate == CHAN_INPUT_OPEN)
1.66      djm       220:                                chan_read_failed(ssh, sc);
1.14      djm       221:                        if (sc->ostate == CHAN_OUTPUT_OPEN)
1.66      djm       222:                                chan_write_failed(ssh, sc);
1.12      djm       223:                }
1.1       djm       224:        }
1.66      djm       225:        channel_cancel_cleanup(ssh, c->self);
1.1       djm       226: }
                    227:
1.10      djm       228: /* Check mux client environment variables before passing them to mux master. */
                    229: static int
1.93      djm       230: env_permitted(const char *env)
1.1       djm       231: {
1.94      djm       232:        u_int i;
                    233:        int ret;
1.10      djm       234:        char name[1024], *cp;
1.1       djm       235:
1.10      djm       236:        if ((cp = strchr(env, '=')) == NULL || cp == env)
1.1       djm       237:                return 0;
1.10      djm       238:        ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
                    239:        if (ret <= 0 || (size_t)ret >= sizeof(name)) {
1.85      djm       240:                error_f("name '%.100s...' too long", env);
1.1       djm       241:                return 0;
                    242:        }
                    243:
1.10      djm       244:        for (i = 0; i < options.num_send_env; i++)
                    245:                if (match_pattern(name, options.send_env[i]))
                    246:                        return 1;
1.1       djm       247:
1.10      djm       248:        return 0;
                    249: }
1.1       djm       250:
1.10      djm       251: /* Mux master protocol message handlers */
1.1       djm       252:
1.10      djm       253: static int
1.76      djm       254: mux_master_process_hello(struct ssh *ssh, u_int rid,
1.73      markus    255:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.10      djm       256: {
                    257:        u_int ver;
                    258:        struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
1.73      markus    259:        int r;
1.1       djm       260:
1.10      djm       261:        if (state == NULL)
1.85      djm       262:                fatal_f("channel %d: c->mux_ctx == NULL", c->self);
1.10      djm       263:        if (state->hello_rcvd) {
1.85      djm       264:                error_f("HELLO received twice");
1.10      djm       265:                return -1;
                    266:        }
1.73      markus    267:        if ((r = sshbuf_get_u32(m, &ver)) != 0) {
1.85      djm       268:                error_fr(r, "parse");
1.10      djm       269:                return -1;
                    270:        }
                    271:        if (ver != SSHMUX_VER) {
1.85      djm       272:                error_f("unsupported multiplexing protocol version %u "
                    273:                    "(expected %u)", ver, SSHMUX_VER);
1.10      djm       274:                return -1;
                    275:        }
1.85      djm       276:        debug2_f("channel %d client version %u", c->self, ver);
1.10      djm       277:
                    278:        /* No extensions are presently defined */
1.73      markus    279:        while (sshbuf_len(m) > 0) {
                    280:                char *name = NULL;
1.76      djm       281:                size_t value_len = 0;
1.73      markus    282:
                    283:                if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
1.76      djm       284:                    (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) {
1.85      djm       285:                        error_fr(r, "parse extension");
1.73      markus    286:                        return -1;
1.1       djm       287:                }
1.85      djm       288:                debug2_f("Unrecognised extension \"%s\" length %zu",
                    289:                    name, value_len);
1.41      djm       290:                free(name);
1.1       djm       291:        }
1.10      djm       292:        state->hello_rcvd = 1;
                    293:        return 0;
                    294: }
                    295:
1.73      markus    296: /* Enqueue a "ok" response to the reply buffer */
                    297: static void
                    298: reply_ok(struct sshbuf *reply, u_int rid)
                    299: {
                    300:        int r;
                    301:
                    302:        if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 ||
                    303:            (r = sshbuf_put_u32(reply, rid)) != 0)
1.85      djm       304:                fatal_fr(r, "reply");
1.73      markus    305: }
                    306:
                    307: /* Enqueue an error response to the reply buffer */
                    308: static void
                    309: reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg)
                    310: {
                    311:        int r;
                    312:
                    313:        if ((r = sshbuf_put_u32(reply, type)) != 0 ||
                    314:            (r = sshbuf_put_u32(reply, rid)) != 0 ||
                    315:            (r = sshbuf_put_cstring(reply, msg)) != 0)
1.85      djm       316:                fatal_fr(r, "reply");
1.73      markus    317: }
                    318:
1.10      djm       319: static int
1.76      djm       320: mux_master_process_new_session(struct ssh *ssh, u_int rid,
1.73      markus    321:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.10      djm       322: {
                    323:        Channel *nc;
                    324:        struct mux_session_confirm_ctx *cctx;
1.73      markus    325:        char *cmd, *cp;
                    326:        u_int i, j, env_len, escape_char, window, packetmax;
                    327:        int r, new_fd[3];
1.1       djm       328:
                    329:        /* Reply for SSHMUX_COMMAND_OPEN */
1.10      djm       330:        cctx = xcalloc(1, sizeof(*cctx));
                    331:        cctx->term = NULL;
1.17      djm       332:        cctx->rid = rid;
1.73      markus    333:        cmd = NULL;
1.36      djm       334:        cctx->env = NULL;
                    335:        env_len = 0;
1.73      markus    336:        if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
                    337:            (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 ||
                    338:            (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 ||
                    339:            (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 ||
                    340:            (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 ||
                    341:            (r = sshbuf_get_u32(m, &escape_char)) != 0 ||
                    342:            (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 ||
                    343:            (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) {
1.10      djm       344:  malf:
1.41      djm       345:                free(cmd);
1.36      djm       346:                for (j = 0; j < env_len; j++)
1.41      djm       347:                        free(cctx->env[j]);
                    348:                free(cctx->env);
                    349:                free(cctx->term);
                    350:                free(cctx);
1.85      djm       351:                error_f("malformed message");
1.10      djm       352:                return -1;
1.1       djm       353:        }
                    354:
1.10      djm       355: #define MUX_MAX_ENV_VARS       4096
1.73      markus    356:        while (sshbuf_len(m) > 0) {
                    357:                if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0)
1.10      djm       358:                        goto malf;
                    359:                if (!env_permitted(cp)) {
1.41      djm       360:                        free(cp);
1.10      djm       361:                        continue;
                    362:                }
1.51      deraadt   363:                cctx->env = xreallocarray(cctx->env, env_len + 2,
1.10      djm       364:                    sizeof(*cctx->env));
                    365:                cctx->env[env_len++] = cp;
                    366:                cctx->env[env_len] = NULL;
                    367:                if (env_len > MUX_MAX_ENV_VARS) {
1.85      djm       368:                        error_f(">%d environment variables received, "
                    369:                            "ignoring additional", MUX_MAX_ENV_VARS);
1.10      djm       370:                        break;
                    371:                }
1.1       djm       372:        }
                    373:
1.85      djm       374:        debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, "
                    375:            "term \"%s\", cmd \"%s\", env %u", c->self,
1.10      djm       376:            cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd,
                    377:            cctx->want_subsys, cctx->term, cmd, env_len);
1.1       djm       378:
1.73      markus    379:        if ((cctx->cmd = sshbuf_new()) == NULL)
1.85      djm       380:                fatal_f("sshbuf_new");
1.73      markus    381:        if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0)
1.85      djm       382:                fatal_fr(r, "sshbuf_put");
1.41      djm       383:        free(cmd);
1.11      djm       384:        cmd = NULL;
1.1       djm       385:
                    386:        /* Gather fds from client */
                    387:        for(i = 0; i < 3; i++) {
1.10      djm       388:                if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
1.85      djm       389:                        error_f("failed to receive fd %d from client", i);
1.1       djm       390:                        for (j = 0; j < i; j++)
                    391:                                close(new_fd[j]);
                    392:                        for (j = 0; j < env_len; j++)
1.41      djm       393:                                free(cctx->env[j]);
                    394:                        free(cctx->env);
                    395:                        free(cctx->term);
1.73      markus    396:                        sshbuf_free(cctx->cmd);
1.41      djm       397:                        free(cctx);
1.73      markus    398:                        reply_error(reply, MUX_S_FAILURE, rid,
1.10      djm       399:                            "did not receive file descriptors");
                    400:                        return -1;
1.1       djm       401:                }
                    402:        }
                    403:
1.85      djm       404:        debug3_f("got fds stdin %d, stdout %d, stderr %d",
1.1       djm       405:            new_fd[0], new_fd[1], new_fd[2]);
                    406:
1.10      djm       407:        /* XXX support multiple child sessions in future */
1.67      djm       408:        if (c->have_remote_id) {
1.85      djm       409:                debug2_f("session already open");
1.73      markus    410:                reply_error(reply, MUX_S_FAILURE, rid,
                    411:                    "Multiple sessions not supported");
1.10      djm       412:  cleanup:
1.1       djm       413:                close(new_fd[0]);
                    414:                close(new_fd[1]);
                    415:                close(new_fd[2]);
1.41      djm       416:                free(cctx->term);
1.1       djm       417:                if (env_len != 0) {
                    418:                        for (i = 0; i < env_len; i++)
1.41      djm       419:                                free(cctx->env[i]);
                    420:                        free(cctx->env);
1.1       djm       421:                }
1.73      markus    422:                sshbuf_free(cctx->cmd);
1.41      djm       423:                free(cctx);
1.1       djm       424:                return 0;
                    425:        }
1.10      djm       426:
                    427:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    428:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                    429:                if (!ask_permission("Allow shared connection to %s? ", host)) {
1.85      djm       430:                        debug2_f("session refused by user");
1.73      markus    431:                        reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
                    432:                            "Permission denied");
1.10      djm       433:                        goto cleanup;
                    434:                }
                    435:        }
                    436:
                    437:        /* Try to pick up ttymodes from client before it goes raw */
                    438:        if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
1.85      djm       439:                error_f("tcgetattr: %s", strerror(errno));
1.1       djm       440:
                    441:        window = CHAN_SES_WINDOW_DEFAULT;
                    442:        packetmax = CHAN_SES_PACKET_DEFAULT;
                    443:        if (cctx->want_tty) {
                    444:                window >>= 1;
                    445:                packetmax >>= 1;
                    446:        }
1.10      djm       447:
1.66      djm       448:        nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
1.1       djm       449:            new_fd[0], new_fd[1], new_fd[2], window, packetmax,
1.88      djm       450:            CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
1.1       djm       451:
1.10      djm       452:        nc->ctl_chan = c->self;         /* link session -> control channel */
1.86      djm       453:        c->remote_id = nc->self;        /* link control -> session channel */
1.67      djm       454:        c->have_remote_id = 1;
1.10      djm       455:
1.2       djm       456:        if (cctx->want_tty && escape_char != 0xffffffff) {
1.66      djm       457:                channel_register_filter(ssh, nc->self,
1.2       djm       458:                    client_simple_escape_filter, NULL,
1.4       djm       459:                    client_filter_cleanup,
1.2       djm       460:                    client_new_escape_filter_ctx((int)escape_char));
                    461:        }
1.1       djm       462:
1.85      djm       463:        debug2_f("channel_new: %d linked to control channel %d",
                    464:            nc->self, nc->ctl_chan);
1.10      djm       465:
1.66      djm       466:        channel_send_open(ssh, nc->self);
                    467:        channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx);
1.17      djm       468:        c->mux_pause = 1; /* stop handling messages until open_confirm done */
1.66      djm       469:        channel_register_cleanup(ssh, nc->self,
                    470:            mux_master_session_cleanup_cb, 1);
1.10      djm       471:
1.17      djm       472:        /* reply is deferred, sent by mux_session_confirm */
1.1       djm       473:        return 0;
                    474: }
                    475:
1.10      djm       476: static int
1.76      djm       477: mux_master_process_alive_check(struct ssh *ssh, u_int rid,
1.73      markus    478:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.1       djm       479: {
1.73      markus    480:        int r;
                    481:
1.85      djm       482:        debug2_f("channel %d: alive check", c->self);
1.1       djm       483:
1.10      djm       484:        /* prepare reply */
1.73      markus    485:        if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 ||
                    486:            (r = sshbuf_put_u32(reply, rid)) != 0 ||
                    487:            (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0)
1.85      djm       488:                fatal_fr(r, "reply");
1.1       djm       489:
1.10      djm       490:        return 0;
1.1       djm       491: }
                    492:
                    493: static int
1.76      djm       494: mux_master_process_terminate(struct ssh *ssh, u_int rid,
1.73      markus    495:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.1       djm       496: {
1.85      djm       497:        debug2_f("channel %d: terminate request", c->self);
1.1       djm       498:
1.10      djm       499:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    500:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                    501:                if (!ask_permission("Terminate shared connection to %s? ",
                    502:                    host)) {
1.85      djm       503:                        debug2_f("termination refused by user");
1.73      markus    504:                        reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
                    505:                            "Permission denied");
1.10      djm       506:                        return 0;
                    507:                }
                    508:        }
1.1       djm       509:
1.10      djm       510:        quit_pending = 1;
1.73      markus    511:        reply_ok(reply, rid);
1.10      djm       512:        /* XXX exit happens too soon - message never makes it to client */
                    513:        return 0;
1.1       djm       514: }
                    515:
1.10      djm       516: static char *
1.46      millert   517: format_forward(u_int ftype, struct Forward *fwd)
1.1       djm       518: {
1.10      djm       519:        char *ret;
1.1       djm       520:
1.10      djm       521:        switch (ftype) {
                    522:        case MUX_FWD_LOCAL:
                    523:                xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
1.46      millert   524:                    (fwd->listen_path != NULL) ? fwd->listen_path :
1.10      djm       525:                    (fwd->listen_host == NULL) ?
1.46      millert   526:                    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
1.10      djm       527:                    fwd->listen_host, fwd->listen_port,
1.46      millert   528:                    (fwd->connect_path != NULL) ? fwd->connect_path :
1.10      djm       529:                    fwd->connect_host, fwd->connect_port);
                    530:                break;
                    531:        case MUX_FWD_DYNAMIC:
                    532:                xasprintf(&ret, "dynamic forward %.200s:%d -> *",
                    533:                    (fwd->listen_host == NULL) ?
1.46      millert   534:                    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
1.87      djm       535:                    fwd->listen_host, fwd->listen_port);
1.10      djm       536:                break;
                    537:        case MUX_FWD_REMOTE:
                    538:                xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
1.46      millert   539:                    (fwd->listen_path != NULL) ? fwd->listen_path :
1.10      djm       540:                    (fwd->listen_host == NULL) ?
                    541:                    "LOCALHOST" : fwd->listen_host,
                    542:                    fwd->listen_port,
1.46      millert   543:                    (fwd->connect_path != NULL) ? fwd->connect_path :
1.10      djm       544:                    fwd->connect_host, fwd->connect_port);
1.1       djm       545:                break;
                    546:        default:
1.85      djm       547:                fatal_f("unknown forward type %u", ftype);
1.1       djm       548:        }
1.10      djm       549:        return ret;
                    550: }
1.1       djm       551:
1.10      djm       552: static int
                    553: compare_host(const char *a, const char *b)
                    554: {
                    555:        if (a == NULL && b == NULL)
                    556:                return 1;
                    557:        if (a == NULL || b == NULL)
                    558:                return 0;
                    559:        return strcmp(a, b) == 0;
                    560: }
1.1       djm       561:
1.10      djm       562: static int
1.46      millert   563: compare_forward(struct Forward *a, struct Forward *b)
1.10      djm       564: {
                    565:        if (!compare_host(a->listen_host, b->listen_host))
                    566:                return 0;
1.46      millert   567:        if (!compare_host(a->listen_path, b->listen_path))
                    568:                return 0;
1.10      djm       569:        if (a->listen_port != b->listen_port)
                    570:                return 0;
                    571:        if (!compare_host(a->connect_host, b->connect_host))
                    572:                return 0;
1.46      millert   573:        if (!compare_host(a->connect_path, b->connect_path))
                    574:                return 0;
1.10      djm       575:        if (a->connect_port != b->connect_port)
                    576:                return 0;
1.1       djm       577:
1.10      djm       578:        return 1;
                    579: }
1.1       djm       580:
1.18      markus    581: static void
1.66      djm       582: mux_confirm_remote_forward(struct ssh *ssh, int type, u_int32_t seq, void *ctxt)
1.18      markus    583: {
                    584:        struct mux_channel_confirm_ctx *fctx = ctxt;
                    585:        char *failmsg = NULL;
1.46      millert   586:        struct Forward *rfwd;
1.18      markus    587:        Channel *c;
1.73      markus    588:        struct sshbuf *out;
1.79      djm       589:        u_int port;
1.73      markus    590:        int r;
1.18      markus    591:
1.66      djm       592:        if ((c = channel_by_id(ssh, fctx->cid)) == NULL) {
1.18      markus    593:                /* no channel for reply */
1.85      djm       594:                error_f("unknown channel");
1.18      markus    595:                return;
                    596:        }
1.73      markus    597:        if ((out = sshbuf_new()) == NULL)
1.85      djm       598:                fatal_f("sshbuf_new");
1.53      djm       599:        if (fctx->fid >= options.num_remote_forwards ||
                    600:            (options.remote_forwards[fctx->fid].connect_path == NULL &&
                    601:            options.remote_forwards[fctx->fid].connect_host == NULL)) {
1.18      markus    602:                xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid);
                    603:                goto fail;
                    604:        }
                    605:        rfwd = &options.remote_forwards[fctx->fid];
1.85      djm       606:        debug_f("%s for: listen %d, connect %s:%d",
1.18      markus    607:            type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
1.46      millert   608:            rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
                    609:            rfwd->connect_host, rfwd->connect_port);
1.18      markus    610:        if (type == SSH2_MSG_REQUEST_SUCCESS) {
                    611:                if (rfwd->listen_port == 0) {
1.79      djm       612:                        if ((r = sshpkt_get_u32(ssh, &port)) != 0)
1.85      djm       613:                                fatal_fr(r, "parse port");
1.79      djm       614:                        if (port > 65535) {
                    615:                                fatal("Invalid allocated port %u for "
                    616:                                    "mux remote forward to %s:%d", port,
                    617:                                    rfwd->connect_host, rfwd->connect_port);
                    618:                        }
                    619:                        rfwd->allocated_port = (int)port;
1.52      djm       620:                        debug("Allocated port %u for mux remote forward"
1.18      markus    621:                            " to %s:%d", rfwd->allocated_port,
                    622:                            rfwd->connect_host, rfwd->connect_port);
1.73      markus    623:                        if ((r = sshbuf_put_u32(out,
                    624:                            MUX_S_REMOTE_PORT)) != 0 ||
                    625:                            (r = sshbuf_put_u32(out, fctx->rid)) != 0 ||
                    626:                            (r = sshbuf_put_u32(out,
                    627:                            rfwd->allocated_port)) != 0)
1.85      djm       628:                                fatal_fr(r, "reply");
1.70      djm       629:                        channel_update_permission(ssh, rfwd->handle,
1.87      djm       630:                            rfwd->allocated_port);
1.18      markus    631:                } else {
1.73      markus    632:                        reply_ok(out, fctx->rid);
1.18      markus    633:                }
                    634:                goto out;
                    635:        } else {
1.31      markus    636:                if (rfwd->listen_port == 0)
1.70      djm       637:                        channel_update_permission(ssh, rfwd->handle, -1);
1.46      millert   638:                if (rfwd->listen_path != NULL)
                    639:                        xasprintf(&failmsg, "remote port forwarding failed for "
                    640:                            "listen path %s", rfwd->listen_path);
                    641:                else
                    642:                        xasprintf(&failmsg, "remote port forwarding failed for "
                    643:                            "listen port %d", rfwd->listen_port);
1.53      djm       644:
1.87      djm       645:                debug2_f("clearing registered forwarding for listen %d, "
1.85      djm       646:                    "connect %s:%d", rfwd->listen_port,
1.53      djm       647:                    rfwd->connect_path ? rfwd->connect_path :
                    648:                    rfwd->connect_host, rfwd->connect_port);
                    649:
                    650:                free(rfwd->listen_host);
                    651:                free(rfwd->listen_path);
                    652:                free(rfwd->connect_host);
                    653:                free(rfwd->connect_path);
                    654:                memset(rfwd, 0, sizeof(*rfwd));
1.18      markus    655:        }
                    656:  fail:
1.85      djm       657:        error_f("%s", failmsg);
1.73      markus    658:        reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg);
1.41      djm       659:        free(failmsg);
1.18      markus    660:  out:
1.73      markus    661:        if ((r = sshbuf_put_stringb(c->output, out)) != 0)
1.85      djm       662:                fatal_fr(r, "enqueue");
1.73      markus    663:        sshbuf_free(out);
1.18      markus    664:        if (c->mux_pause <= 0)
1.85      djm       665:                fatal_f("mux_pause %d", c->mux_pause);
1.18      markus    666:        c->mux_pause = 0; /* start processing messages again */
                    667: }
                    668:
1.10      djm       669: static int
1.76      djm       670: mux_master_process_open_fwd(struct ssh *ssh, u_int rid,
1.73      markus    671:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.10      djm       672: {
1.46      millert   673:        struct Forward fwd;
1.10      djm       674:        char *fwd_desc = NULL;
1.46      millert   675:        char *listen_addr, *connect_addr;
1.10      djm       676:        u_int ftype;
1.44      djm       677:        u_int lport, cport;
1.73      markus    678:        int r, i, ret = 0, freefwd = 1;
1.10      djm       679:
1.54      djm       680:        memset(&fwd, 0, sizeof(fwd));
                    681:
1.46      millert   682:        /* XXX - lport/cport check redundant */
1.73      markus    683:        if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
                    684:            (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
                    685:            (r = sshbuf_get_u32(m, &lport)) != 0 ||
                    686:            (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
                    687:            (r = sshbuf_get_u32(m, &cport)) != 0 ||
1.46      millert   688:            (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
                    689:            (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
1.85      djm       690:                error_f("malformed message");
1.10      djm       691:                ret = -1;
                    692:                goto out;
                    693:        }
1.46      millert   694:        if (*listen_addr == '\0') {
                    695:                free(listen_addr);
                    696:                listen_addr = NULL;
                    697:        }
                    698:        if (*connect_addr == '\0') {
                    699:                free(connect_addr);
                    700:                connect_addr = NULL;
                    701:        }
                    702:
                    703:        memset(&fwd, 0, sizeof(fwd));
1.44      djm       704:        fwd.listen_port = lport;
1.46      millert   705:        if (fwd.listen_port == PORT_STREAMLOCAL)
                    706:                fwd.listen_path = listen_addr;
                    707:        else
                    708:                fwd.listen_host = listen_addr;
1.44      djm       709:        fwd.connect_port = cport;
1.46      millert   710:        if (fwd.connect_port == PORT_STREAMLOCAL)
                    711:                fwd.connect_path = connect_addr;
                    712:        else
                    713:                fwd.connect_host = connect_addr;
1.10      djm       714:
1.85      djm       715:        debug2_f("channel %d: request %s", c->self,
1.10      djm       716:            (fwd_desc = format_forward(ftype, &fwd)));
                    717:
                    718:        if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE &&
                    719:            ftype != MUX_FWD_DYNAMIC) {
1.85      djm       720:                logit_f("invalid forwarding type %u", ftype);
1.10      djm       721:  invalid:
1.46      millert   722:                free(listen_addr);
                    723:                free(connect_addr);
1.73      markus    724:                reply_error(reply, MUX_S_FAILURE, rid,
                    725:                    "Invalid forwarding request");
1.10      djm       726:                return 0;
                    727:        }
1.46      millert   728:        if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) {
1.85      djm       729:                logit_f("streamlocal and dynamic forwards "
                    730:                    "are mutually exclusive");
1.46      millert   731:                goto invalid;
                    732:        }
                    733:        if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) {
1.85      djm       734:                logit_f("invalid listen port %u", fwd.listen_port);
1.10      djm       735:                goto invalid;
                    736:        }
1.66      djm       737:        if ((fwd.connect_port != PORT_STREAMLOCAL &&
                    738:            fwd.connect_port >= 65536) ||
                    739:            (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE &&
                    740:            fwd.connect_port == 0)) {
1.85      djm       741:                logit_f("invalid connect port %u",
1.10      djm       742:                    fwd.connect_port);
                    743:                goto invalid;
                    744:        }
1.66      djm       745:        if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL &&
                    746:            fwd.connect_path == NULL) {
1.85      djm       747:                logit_f("missing connect host");
1.10      djm       748:                goto invalid;
                    749:        }
                    750:
                    751:        /* Skip forwards that have already been requested */
                    752:        switch (ftype) {
                    753:        case MUX_FWD_LOCAL:
                    754:        case MUX_FWD_DYNAMIC:
                    755:                for (i = 0; i < options.num_local_forwards; i++) {
                    756:                        if (compare_forward(&fwd,
                    757:                            options.local_forwards + i)) {
                    758:  exists:
1.85      djm       759:                                debug2_f("found existing forwarding");
1.73      markus    760:                                reply_ok(reply, rid);
1.10      djm       761:                                goto out;
                    762:                        }
                    763:                }
                    764:                break;
                    765:        case MUX_FWD_REMOTE:
                    766:                for (i = 0; i < options.num_remote_forwards; i++) {
1.73      markus    767:                        if (!compare_forward(&fwd, options.remote_forwards + i))
                    768:                                continue;
                    769:                        if (fwd.listen_port != 0)
                    770:                                goto exists;
1.85      djm       771:                        debug2_f("found allocated port");
1.73      markus    772:                        if ((r = sshbuf_put_u32(reply,
                    773:                            MUX_S_REMOTE_PORT)) != 0 ||
                    774:                            (r = sshbuf_put_u32(reply, rid)) != 0 ||
                    775:                            (r = sshbuf_put_u32(reply,
                    776:                            options.remote_forwards[i].allocated_port)) != 0)
1.85      djm       777:                                fatal_fr(r, "reply FWD_REMOTE");
1.73      markus    778:                        goto out;
1.10      djm       779:                }
                    780:                break;
                    781:        }
                    782:
                    783:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    784:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                    785:                if (!ask_permission("Open %s on %s?", fwd_desc, host)) {
1.85      djm       786:                        debug2_f("forwarding refused by user");
1.73      markus    787:                        reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
                    788:                            "Permission denied");
1.10      djm       789:                        goto out;
                    790:                }
                    791:        }
                    792:
                    793:        if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
1.66      djm       794:                if (!channel_setup_local_fwd_listener(ssh, &fwd,
1.46      millert   795:                    &options.fwd_opts)) {
1.10      djm       796:  fail:
1.85      djm       797:                        logit_f("requested %s failed", fwd_desc);
1.73      markus    798:                        reply_error(reply, MUX_S_FAILURE, rid,
                    799:                            "Port forwarding failed");
1.10      djm       800:                        goto out;
                    801:                }
                    802:                add_local_forward(&options, &fwd);
                    803:                freefwd = 0;
                    804:        } else {
1.18      markus    805:                struct mux_channel_confirm_ctx *fctx;
                    806:
1.66      djm       807:                fwd.handle = channel_request_remote_forwarding(ssh, &fwd);
1.31      markus    808:                if (fwd.handle < 0)
1.10      djm       809:                        goto fail;
                    810:                add_remote_forward(&options, &fwd);
1.18      markus    811:                fctx = xcalloc(1, sizeof(*fctx));
                    812:                fctx->cid = c->self;
                    813:                fctx->rid = rid;
1.20      djm       814:                fctx->fid = options.num_remote_forwards - 1;
1.18      markus    815:                client_register_global_confirm(mux_confirm_remote_forward,
                    816:                    fctx);
1.10      djm       817:                freefwd = 0;
1.18      markus    818:                c->mux_pause = 1; /* wait for mux_confirm_remote_forward */
                    819:                /* delayed reply in mux_confirm_remote_forward */
                    820:                goto out;
1.10      djm       821:        }
1.73      markus    822:        reply_ok(reply, rid);
1.10      djm       823:  out:
1.41      djm       824:        free(fwd_desc);
1.10      djm       825:        if (freefwd) {
1.41      djm       826:                free(fwd.listen_host);
1.46      millert   827:                free(fwd.listen_path);
1.41      djm       828:                free(fwd.connect_host);
1.46      millert   829:                free(fwd.connect_path);
1.10      djm       830:        }
                    831:        return ret;
                    832: }
                    833:
                    834: static int
1.76      djm       835: mux_master_process_close_fwd(struct ssh *ssh, u_int rid,
1.73      markus    836:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.10      djm       837: {
1.46      millert   838:        struct Forward fwd, *found_fwd;
1.10      djm       839:        char *fwd_desc = NULL;
1.30      djm       840:        const char *error_reason = NULL;
1.46      millert   841:        char *listen_addr = NULL, *connect_addr = NULL;
1.10      djm       842:        u_int ftype;
1.73      markus    843:        int r, i, ret = 0;
1.44      djm       844:        u_int lport, cport;
1.54      djm       845:
                    846:        memset(&fwd, 0, sizeof(fwd));
1.10      djm       847:
1.73      markus    848:        if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
                    849:            (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
                    850:            (r = sshbuf_get_u32(m, &lport)) != 0 ||
                    851:            (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
                    852:            (r = sshbuf_get_u32(m, &cport)) != 0 ||
1.46      millert   853:            (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
                    854:            (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
1.85      djm       855:                error_f("malformed message");
1.10      djm       856:                ret = -1;
                    857:                goto out;
                    858:        }
                    859:
1.46      millert   860:        if (*listen_addr == '\0') {
                    861:                free(listen_addr);
                    862:                listen_addr = NULL;
1.10      djm       863:        }
1.46      millert   864:        if (*connect_addr == '\0') {
                    865:                free(connect_addr);
                    866:                connect_addr = NULL;
1.10      djm       867:        }
                    868:
1.46      millert   869:        memset(&fwd, 0, sizeof(fwd));
                    870:        fwd.listen_port = lport;
                    871:        if (fwd.listen_port == PORT_STREAMLOCAL)
                    872:                fwd.listen_path = listen_addr;
                    873:        else
                    874:                fwd.listen_host = listen_addr;
                    875:        fwd.connect_port = cport;
                    876:        if (fwd.connect_port == PORT_STREAMLOCAL)
                    877:                fwd.connect_path = connect_addr;
                    878:        else
                    879:                fwd.connect_host = connect_addr;
                    880:
1.85      djm       881:        debug2_f("channel %d: request cancel %s", c->self,
1.10      djm       882:            (fwd_desc = format_forward(ftype, &fwd)));
                    883:
1.30      djm       884:        /* make sure this has been requested */
                    885:        found_fwd = NULL;
                    886:        switch (ftype) {
                    887:        case MUX_FWD_LOCAL:
                    888:        case MUX_FWD_DYNAMIC:
                    889:                for (i = 0; i < options.num_local_forwards; i++) {
                    890:                        if (compare_forward(&fwd,
                    891:                            options.local_forwards + i)) {
                    892:                                found_fwd = options.local_forwards + i;
                    893:                                break;
                    894:                        }
                    895:                }
                    896:                break;
                    897:        case MUX_FWD_REMOTE:
                    898:                for (i = 0; i < options.num_remote_forwards; i++) {
                    899:                        if (compare_forward(&fwd,
                    900:                            options.remote_forwards + i)) {
                    901:                                found_fwd = options.remote_forwards + i;
                    902:                                break;
                    903:                        }
                    904:                }
                    905:                break;
                    906:        }
                    907:
                    908:        if (found_fwd == NULL)
                    909:                error_reason = "port not forwarded";
                    910:        else if (ftype == MUX_FWD_REMOTE) {
                    911:                /*
                    912:                 * This shouldn't fail unless we confused the host/port
                    913:                 * between options.remote_forwards and permitted_opens.
1.31      markus    914:                 * However, for dynamic allocated listen ports we need
1.46      millert   915:                 * to use the actual listen port.
1.30      djm       916:                 */
1.66      djm       917:                if (channel_request_rforward_cancel(ssh, found_fwd) == -1)
1.30      djm       918:                        error_reason = "port not in permitted opens";
                    919:        } else {        /* local and dynamic forwards */
                    920:                /* Ditto */
1.66      djm       921:                if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port,
1.46      millert   922:                    &options.fwd_opts) == -1)
1.30      djm       923:                        error_reason = "port not found";
                    924:        }
                    925:
1.73      markus    926:        if (error_reason != NULL)
                    927:                reply_error(reply, MUX_S_FAILURE, rid, error_reason);
                    928:        else {
                    929:                reply_ok(reply, rid);
1.41      djm       930:                free(found_fwd->listen_host);
1.46      millert   931:                free(found_fwd->listen_path);
1.41      djm       932:                free(found_fwd->connect_host);
1.46      millert   933:                free(found_fwd->connect_path);
1.30      djm       934:                found_fwd->listen_host = found_fwd->connect_host = NULL;
1.46      millert   935:                found_fwd->listen_path = found_fwd->connect_path = NULL;
1.30      djm       936:                found_fwd->listen_port = found_fwd->connect_port = 0;
                    937:        }
1.10      djm       938:  out:
1.41      djm       939:        free(fwd_desc);
1.46      millert   940:        free(listen_addr);
                    941:        free(connect_addr);
1.10      djm       942:
                    943:        return ret;
                    944: }
                    945:
                    946: static int
1.76      djm       947: mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
1.73      markus    948:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.10      djm       949: {
                    950:        Channel *nc;
1.73      markus    951:        char *chost = NULL;
1.10      djm       952:        u_int cport, i, j;
1.73      markus    953:        int r, new_fd[2];
1.48      djm       954:        struct mux_stdio_confirm_ctx *cctx;
1.10      djm       955:
1.73      markus    956:        if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
                    957:            (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 ||
                    958:            (r = sshbuf_get_u32(m, &cport)) != 0) {
1.41      djm       959:                free(chost);
1.85      djm       960:                error_f("malformed message");
1.10      djm       961:                return -1;
                    962:        }
                    963:
1.85      djm       964:        debug2_f("channel %d: stdio fwd to %s:%u", c->self, chost, cport);
1.10      djm       965:
                    966:        /* Gather fds from client */
                    967:        for(i = 0; i < 2; i++) {
                    968:                if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
1.85      djm       969:                        error_f("failed to receive fd %d from client", i);
1.10      djm       970:                        for (j = 0; j < i; j++)
                    971:                                close(new_fd[j]);
1.41      djm       972:                        free(chost);
1.10      djm       973:
                    974:                        /* prepare reply */
1.73      markus    975:                        reply_error(reply, MUX_S_FAILURE, rid,
1.10      djm       976:                            "did not receive file descriptors");
                    977:                        return -1;
                    978:                }
                    979:        }
                    980:
1.85      djm       981:        debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]);
1.10      djm       982:
                    983:        /* XXX support multiple child sessions in future */
1.67      djm       984:        if (c->have_remote_id) {
1.85      djm       985:                debug2_f("session already open");
1.73      markus    986:                reply_error(reply, MUX_S_FAILURE, rid,
                    987:                    "Multiple sessions not supported");
1.10      djm       988:  cleanup:
                    989:                close(new_fd[0]);
                    990:                close(new_fd[1]);
1.41      djm       991:                free(chost);
1.10      djm       992:                return 0;
                    993:        }
                    994:
                    995:        if (options.control_master == SSHCTL_MASTER_ASK ||
                    996:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1.23      dtucker   997:                if (!ask_permission("Allow forward to %s:%u? ",
1.10      djm       998:                    chost, cport)) {
1.85      djm       999:                        debug2_f("stdio fwd refused by user");
1.73      markus   1000:                        reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
                   1001:                            "Permission denied");
1.10      djm      1002:                        goto cleanup;
                   1003:                }
                   1004:        }
                   1005:
1.88      djm      1006:        nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
                   1007:            CHANNEL_NONBLOCK_STDIO);
1.75      djm      1008:        free(chost);
1.10      djm      1009:
                   1010:        nc->ctl_chan = c->self;         /* link session -> control channel */
1.86      djm      1011:        c->remote_id = nc->self;        /* link control -> session channel */
1.67      djm      1012:        c->have_remote_id = 1;
1.10      djm      1013:
1.85      djm      1014:        debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan);
1.10      djm      1015:
1.66      djm      1016:        channel_register_cleanup(ssh, nc->self,
                   1017:            mux_master_session_cleanup_cb, 1);
1.10      djm      1018:
1.48      djm      1019:        cctx = xcalloc(1, sizeof(*cctx));
                   1020:        cctx->rid = rid;
1.66      djm      1021:        channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx);
1.48      djm      1022:        c->mux_pause = 1; /* stop handling messages until open_confirm done */
                   1023:
                   1024:        /* reply is deferred, sent by mux_session_confirm */
                   1025:        return 0;
                   1026: }
                   1027:
                   1028: /* Callback on open confirmation in mux master for a mux stdio fwd session. */
                   1029: static void
1.66      djm      1030: mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg)
1.48      djm      1031: {
                   1032:        struct mux_stdio_confirm_ctx *cctx = arg;
                   1033:        Channel *c, *cc;
1.73      markus   1034:        struct sshbuf *reply;
                   1035:        int r;
1.48      djm      1036:
                   1037:        if (cctx == NULL)
1.85      djm      1038:                fatal_f("cctx == NULL");
1.66      djm      1039:        if ((c = channel_by_id(ssh, id)) == NULL)
1.85      djm      1040:                fatal_f("no channel for id %d", id);
1.66      djm      1041:        if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1.85      djm      1042:                fatal_f("channel %d lacks control channel %d",
1.48      djm      1043:                    id, c->ctl_chan);
1.73      markus   1044:        if ((reply = sshbuf_new()) == NULL)
1.85      djm      1045:                fatal_f("sshbuf_new");
1.48      djm      1046:
                   1047:        if (!success) {
1.85      djm      1048:                debug3_f("sending failure reply");
1.73      markus   1049:                reply_error(reply, MUX_S_FAILURE, cctx->rid,
                   1050:                    "Session open refused by peer");
1.48      djm      1051:                /* prepare reply */
                   1052:                goto done;
                   1053:        }
                   1054:
1.85      djm      1055:        debug3_f("sending success reply");
1.10      djm      1056:        /* prepare reply */
1.73      markus   1057:        if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
                   1058:            (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
                   1059:            (r = sshbuf_put_u32(reply, c->self)) != 0)
1.85      djm      1060:                fatal_fr(r, "reply");
1.48      djm      1061:
                   1062:  done:
                   1063:        /* Send reply */
1.73      markus   1064:        if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1.85      djm      1065:                fatal_fr(r, "enqueue");
1.73      markus   1066:        sshbuf_free(reply);
1.10      djm      1067:
1.48      djm      1068:        if (cc->mux_pause <= 0)
1.85      djm      1069:                fatal_f("mux_pause %d", cc->mux_pause);
1.48      djm      1070:        cc->mux_pause = 0; /* start processing messages again */
                   1071:        c->open_confirm_ctx = NULL;
                   1072:        free(cctx);
1.10      djm      1073: }
                   1074:
1.25      djm      1075: static int
1.76      djm      1076: mux_master_process_stop_listening(struct ssh *ssh, u_int rid,
1.73      markus   1077:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.25      djm      1078: {
1.85      djm      1079:        debug_f("channel %d: stop listening", c->self);
1.25      djm      1080:
                   1081:        if (options.control_master == SSHCTL_MASTER_ASK ||
                   1082:            options.control_master == SSHCTL_MASTER_AUTO_ASK) {
                   1083:                if (!ask_permission("Disable further multiplexing on shared "
                   1084:                    "connection to %s? ", host)) {
1.85      djm      1085:                        debug2_f("stop listen refused by user");
1.73      markus   1086:                        reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
                   1087:                            "Permission denied");
1.25      djm      1088:                        return 0;
                   1089:                }
                   1090:        }
                   1091:
                   1092:        if (mux_listener_channel != NULL) {
1.66      djm      1093:                channel_free(ssh, mux_listener_channel);
1.25      djm      1094:                client_stop_mux();
1.41      djm      1095:                free(options.control_path);
1.25      djm      1096:                options.control_path = NULL;
                   1097:                mux_listener_channel = NULL;
                   1098:                muxserver_sock = -1;
                   1099:        }
                   1100:
1.73      markus   1101:        reply_ok(reply, rid);
1.25      djm      1102:        return 0;
                   1103: }
                   1104:
1.62      markus   1105: static int
1.76      djm      1106: mux_master_process_proxy(struct ssh *ssh, u_int rid,
1.73      markus   1107:     Channel *c, struct sshbuf *m, struct sshbuf *reply)
1.62      markus   1108: {
1.73      markus   1109:        int r;
                   1110:
1.85      djm      1111:        debug_f("channel %d: proxy request", c->self);
1.62      markus   1112:
                   1113:        c->mux_rcb = channel_proxy_downstream;
1.73      markus   1114:        if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
                   1115:            (r = sshbuf_put_u32(reply, rid)) != 0)
1.85      djm      1116:                fatal_fr(r, "reply");
1.62      markus   1117:
                   1118:        return 0;
                   1119: }
                   1120:
1.83      djm      1121: /* Channel callbacks fired on read/write from mux client fd */
1.10      djm      1122: static int
1.66      djm      1123: mux_master_read_cb(struct ssh *ssh, Channel *c)
1.10      djm      1124: {
                   1125:        struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
1.73      markus   1126:        struct sshbuf *in = NULL, *out = NULL;
                   1127:        u_int type, rid, i;
                   1128:        int r, ret = -1;
                   1129:
                   1130:        if ((out = sshbuf_new()) == NULL)
1.85      djm      1131:                fatal_f("sshbuf_new");
1.10      djm      1132:
                   1133:        /* Setup ctx and  */
                   1134:        if (c->mux_ctx == NULL) {
1.19      djm      1135:                state = xcalloc(1, sizeof(*state));
1.10      djm      1136:                c->mux_ctx = state;
1.66      djm      1137:                channel_register_cleanup(ssh, c->self,
1.10      djm      1138:                    mux_master_control_cleanup_cb, 0);
                   1139:
                   1140:                /* Send hello */
1.73      markus   1141:                if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 ||
                   1142:                    (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0)
1.85      djm      1143:                        fatal_fr(r, "reply");
1.10      djm      1144:                /* no extensions */
1.73      markus   1145:                if ((r = sshbuf_put_stringb(c->output, out)) != 0)
1.85      djm      1146:                        fatal_fr(r, "enqueue");
                   1147:                debug3_f("channel %d: hello sent", c->self);
1.73      markus   1148:                ret = 0;
                   1149:                goto out;
1.10      djm      1150:        }
                   1151:
                   1152:        /* Channel code ensures that we receive whole packets */
1.73      markus   1153:        if ((r = sshbuf_froms(c->input, &in)) != 0) {
1.10      djm      1154:  malf:
1.85      djm      1155:                error_f("malformed message");
1.10      djm      1156:                goto out;
                   1157:        }
                   1158:
1.73      markus   1159:        if ((r = sshbuf_get_u32(in, &type)) != 0)
1.10      djm      1160:                goto malf;
1.85      djm      1161:        debug3_f("channel %d packet type 0x%08x len %zu", c->self,
                   1162:            type, sshbuf_len(in));
1.10      djm      1163:
                   1164:        if (type == MUX_MSG_HELLO)
                   1165:                rid = 0;
                   1166:        else {
                   1167:                if (!state->hello_rcvd) {
1.85      djm      1168:                        error_f("expected MUX_MSG_HELLO(0x%08x), "
                   1169:                            "received 0x%08x", MUX_MSG_HELLO, type);
1.10      djm      1170:                        goto out;
1.1       djm      1171:                }
1.73      markus   1172:                if ((r = sshbuf_get_u32(in, &rid)) != 0)
1.10      djm      1173:                        goto malf;
                   1174:        }
                   1175:
                   1176:        for (i = 0; mux_master_handlers[i].handler != NULL; i++) {
                   1177:                if (type == mux_master_handlers[i].type) {
1.66      djm      1178:                        ret = mux_master_handlers[i].handler(ssh, rid,
1.73      markus   1179:                            c, in, out);
1.10      djm      1180:                        break;
1.1       djm      1181:                }
1.10      djm      1182:        }
                   1183:        if (mux_master_handlers[i].handler == NULL) {
1.85      djm      1184:                error_f("unsupported mux message 0x%08x", type);
1.73      markus   1185:                reply_error(out, MUX_S_FAILURE, rid, "unsupported request");
1.10      djm      1186:                ret = 0;
                   1187:        }
                   1188:        /* Enqueue reply packet */
1.85      djm      1189:        if (sshbuf_len(out) != 0 &&
                   1190:            (r = sshbuf_put_stringb(c->output, out)) != 0)
                   1191:                fatal_fr(r, "enqueue");
1.10      djm      1192:  out:
1.73      markus   1193:        sshbuf_free(in);
                   1194:        sshbuf_free(out);
1.10      djm      1195:        return ret;
                   1196: }
                   1197:
                   1198: void
1.66      djm      1199: mux_exit_message(struct ssh *ssh, Channel *c, int exitval)
1.10      djm      1200: {
1.73      markus   1201:        struct sshbuf *m;
1.10      djm      1202:        Channel *mux_chan;
1.73      markus   1203:        int r;
1.10      djm      1204:
1.85      djm      1205:        debug3_f("channel %d: exit message, exitval %d", c->self, exitval);
1.10      djm      1206:
1.66      djm      1207:        if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1.85      djm      1208:                fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1.10      djm      1209:
                   1210:        /* Append exit message packet to control socket output queue */
1.73      markus   1211:        if ((m = sshbuf_new()) == NULL)
1.85      djm      1212:                fatal_f("sshbuf_new");
1.73      markus   1213:        if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 ||
                   1214:            (r = sshbuf_put_u32(m, c->self)) != 0 ||
                   1215:            (r = sshbuf_put_u32(m, exitval)) != 0 ||
                   1216:            (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1.85      djm      1217:                fatal_fr(r, "reply");
1.73      markus   1218:        sshbuf_free(m);
1.10      djm      1219: }
                   1220:
1.28      djm      1221: void
1.66      djm      1222: mux_tty_alloc_failed(struct ssh *ssh, Channel *c)
1.28      djm      1223: {
1.73      markus   1224:        struct sshbuf *m;
1.28      djm      1225:        Channel *mux_chan;
1.73      markus   1226:        int r;
1.28      djm      1227:
1.85      djm      1228:        debug3_f("channel %d: TTY alloc failed", c->self);
1.28      djm      1229:
1.66      djm      1230:        if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1.85      djm      1231:                fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1.28      djm      1232:
                   1233:        /* Append exit message packet to control socket output queue */
1.73      markus   1234:        if ((m = sshbuf_new()) == NULL)
1.85      djm      1235:                fatal_f("sshbuf_new");
1.73      markus   1236:        if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 ||
                   1237:            (r = sshbuf_put_u32(m, c->self)) != 0 ||
                   1238:            (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1.85      djm      1239:                fatal_fr(r, "reply");
1.73      markus   1240:        sshbuf_free(m);
1.28      djm      1241: }
                   1242:
1.10      djm      1243: /* Prepare a mux master to listen on a Unix domain socket. */
                   1244: void
1.66      djm      1245: muxserver_listen(struct ssh *ssh)
1.10      djm      1246: {
                   1247:        mode_t old_umask;
1.22      djm      1248:        char *orig_control_path = options.control_path;
                   1249:        char rbuf[16+1];
                   1250:        u_int i, r;
1.47      djm      1251:        int oerrno;
1.10      djm      1252:
                   1253:        if (options.control_path == NULL ||
                   1254:            options.control_master == SSHCTL_MASTER_NO)
1.1       djm      1255:                return;
1.10      djm      1256:
                   1257:        debug("setting up multiplex master socket");
                   1258:
1.22      djm      1259:        /*
                   1260:         * Use a temporary path before listen so we can pseudo-atomically
                   1261:         * establish the listening socket in its final location to avoid
                   1262:         * other processes racing in between bind() and listen() and hitting
                   1263:         * an unready socket.
                   1264:         */
                   1265:        for (i = 0; i < sizeof(rbuf) - 1; i++) {
                   1266:                r = arc4random_uniform(26+26+10);
                   1267:                rbuf[i] = (r < 26) ? 'a' + r :
                   1268:                    (r < 26*2) ? 'A' + r - 26 :
                   1269:                    '0' + r - 26 - 26;
                   1270:        }
                   1271:        rbuf[sizeof(rbuf) - 1] = '\0';
                   1272:        options.control_path = NULL;
                   1273:        xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf);
1.85      djm      1274:        debug3_f("temporary control path %s", options.control_path);
1.22      djm      1275:
1.10      djm      1276:        old_umask = umask(0177);
1.46      millert  1277:        muxserver_sock = unix_listener(options.control_path, 64, 0);
1.47      djm      1278:        oerrno = errno;
1.46      millert  1279:        umask(old_umask);
                   1280:        if (muxserver_sock < 0) {
1.47      djm      1281:                if (oerrno == EINVAL || oerrno == EADDRINUSE) {
1.10      djm      1282:                        error("ControlSocket %s already exists, "
                   1283:                            "disabling multiplexing", options.control_path);
1.22      djm      1284:  disable_mux_master:
1.26      djm      1285:                        if (muxserver_sock != -1) {
                   1286:                                close(muxserver_sock);
                   1287:                                muxserver_sock = -1;
                   1288:                        }
1.41      djm      1289:                        free(orig_control_path);
                   1290:                        free(options.control_path);
1.10      djm      1291:                        options.control_path = NULL;
                   1292:                        options.control_master = SSHCTL_MASTER_NO;
                   1293:                        return;
1.46      millert  1294:                } else {
                   1295:                        /* unix_listener() logs the error */
                   1296:                        cleanup_exit(255);
                   1297:                }
1.10      djm      1298:        }
                   1299:
1.22      djm      1300:        /* Now atomically "move" the mux socket into position */
                   1301:        if (link(options.control_path, orig_control_path) != 0) {
                   1302:                if (errno != EEXIST) {
1.85      djm      1303:                        fatal_f("link mux listener %s => %s: %s",
1.22      djm      1304:                            options.control_path, orig_control_path,
                   1305:                            strerror(errno));
                   1306:                }
                   1307:                error("ControlSocket %s already exists, disabling multiplexing",
                   1308:                    orig_control_path);
                   1309:                unlink(options.control_path);
                   1310:                goto disable_mux_master;
                   1311:        }
                   1312:        unlink(options.control_path);
1.41      djm      1313:        free(options.control_path);
1.22      djm      1314:        options.control_path = orig_control_path;
                   1315:
1.10      djm      1316:        set_nonblock(muxserver_sock);
                   1317:
1.66      djm      1318:        mux_listener_channel = channel_new(ssh, "mux listener",
1.10      djm      1319:            SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1,
                   1320:            CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1.22      djm      1321:            0, options.control_path, 1);
1.10      djm      1322:        mux_listener_channel->mux_rcb = mux_master_read_cb;
1.85      djm      1323:        debug3_f("mux listener channel %d fd %d",
1.10      djm      1324:            mux_listener_channel->self, mux_listener_channel->sock);
                   1325: }
                   1326:
                   1327: /* Callback on open confirmation in mux master for a mux client session. */
                   1328: static void
1.66      djm      1329: mux_session_confirm(struct ssh *ssh, int id, int success, void *arg)
1.10      djm      1330: {
                   1331:        struct mux_session_confirm_ctx *cctx = arg;
                   1332:        const char *display;
1.17      djm      1333:        Channel *c, *cc;
1.73      markus   1334:        int i, r;
                   1335:        struct sshbuf *reply;
1.10      djm      1336:
                   1337:        if (cctx == NULL)
1.85      djm      1338:                fatal_f("cctx == NULL");
1.66      djm      1339:        if ((c = channel_by_id(ssh, id)) == NULL)
1.85      djm      1340:                fatal_f("no channel for id %d", id);
1.66      djm      1341:        if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1.85      djm      1342:                fatal_f("channel %d lacks control channel %d",
1.17      djm      1343:                    id, c->ctl_chan);
1.73      markus   1344:        if ((reply = sshbuf_new()) == NULL)
1.85      djm      1345:                fatal_f("sshbuf_new");
1.17      djm      1346:
                   1347:        if (!success) {
1.85      djm      1348:                debug3_f("sending failure reply");
1.73      markus   1349:                reply_error(reply, MUX_S_FAILURE, cctx->rid,
                   1350:                    "Session open refused by peer");
1.17      djm      1351:                goto done;
                   1352:        }
1.10      djm      1353:
                   1354:        display = getenv("DISPLAY");
                   1355:        if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
                   1356:                char *proto, *data;
1.21      djm      1357:
1.10      djm      1358:                /* Get reasonable local authentication information. */
1.66      djm      1359:                if (client_x11_get_proto(ssh, display, options.xauth_location,
1.21      djm      1360:                    options.forward_x11_trusted, options.forward_x11_timeout,
1.58      djm      1361:                    &proto, &data) == 0) {
                   1362:                        /* Request forwarding with authentication spoofing. */
                   1363:                        debug("Requesting X11 forwarding with authentication "
                   1364:                            "spoofing.");
1.66      djm      1365:                        x11_request_forwarding_with_spoofing(ssh, id,
                   1366:                            display, proto, data, 1);
1.58      djm      1367:                        /* XXX exit_on_forward_failure */
1.66      djm      1368:                        client_expect_confirm(ssh, id, "X11 forwarding",
1.58      djm      1369:                            CONFIRM_WARN);
                   1370:                }
1.10      djm      1371:        }
                   1372:
                   1373:        if (cctx->want_agent_fwd && options.forward_agent) {
                   1374:                debug("Requesting authentication agent forwarding.");
1.66      djm      1375:                channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0);
1.79      djm      1376:                if ((r = sshpkt_send(ssh)) != 0)
1.85      djm      1377:                        fatal_fr(r, "send");
1.10      djm      1378:        }
                   1379:
1.66      djm      1380:        client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,
1.73      markus   1381:            cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env);
1.10      djm      1382:
1.85      djm      1383:        debug3_f("sending success reply");
1.17      djm      1384:        /* prepare reply */
1.73      markus   1385:        if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
                   1386:            (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
                   1387:            (r = sshbuf_put_u32(reply, c->self)) != 0)
1.85      djm      1388:                fatal_fr(r, "reply");
1.17      djm      1389:
                   1390:  done:
                   1391:        /* Send reply */
1.73      markus   1392:        if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1.85      djm      1393:                fatal_fr(r, "enqueue");
1.73      markus   1394:        sshbuf_free(reply);
1.17      djm      1395:
                   1396:        if (cc->mux_pause <= 0)
1.85      djm      1397:                fatal_f("mux_pause %d", cc->mux_pause);
1.17      djm      1398:        cc->mux_pause = 0; /* start processing messages again */
1.10      djm      1399:        c->open_confirm_ctx = NULL;
1.73      markus   1400:        sshbuf_free(cctx->cmd);
1.41      djm      1401:        free(cctx->term);
1.10      djm      1402:        if (cctx->env != NULL) {
                   1403:                for (i = 0; cctx->env[i] != NULL; i++)
1.41      djm      1404:                        free(cctx->env[i]);
                   1405:                free(cctx->env);
1.1       djm      1406:        }
1.41      djm      1407:        free(cctx);
1.10      djm      1408: }
                   1409:
                   1410: /* ** Multiplexing client support */
                   1411:
                   1412: /* Exit signal handler */
                   1413: static void
                   1414: control_client_sighandler(int signo)
                   1415: {
                   1416:        muxclient_terminate = signo;
                   1417: }
                   1418:
                   1419: /*
                   1420:  * Relay signal handler - used to pass some signals from mux client to
                   1421:  * mux master.
                   1422:  */
                   1423: static void
                   1424: control_client_sigrelay(int signo)
                   1425: {
                   1426:        int save_errno = errno;
                   1427:
                   1428:        if (muxserver_pid > 1)
                   1429:                kill(muxserver_pid, signo);
                   1430:
                   1431:        errno = save_errno;
                   1432: }
1.1       djm      1433:
1.10      djm      1434: static int
1.73      markus   1435: mux_client_read(int fd, struct sshbuf *b, size_t need)
1.10      djm      1436: {
1.73      markus   1437:        size_t have;
1.10      djm      1438:        ssize_t len;
                   1439:        u_char *p;
                   1440:        struct pollfd pfd;
1.73      markus   1441:        int r;
1.10      djm      1442:
                   1443:        pfd.fd = fd;
                   1444:        pfd.events = POLLIN;
1.73      markus   1445:        if ((r = sshbuf_reserve(b, need, &p)) != 0)
1.85      djm      1446:                fatal_fr(r, "reserve");
1.10      djm      1447:        for (have = 0; have < need; ) {
                   1448:                if (muxclient_terminate) {
                   1449:                        errno = EINTR;
                   1450:                        return -1;
                   1451:                }
                   1452:                len = read(fd, p + have, need - have);
1.80      deraadt  1453:                if (len == -1) {
1.10      djm      1454:                        switch (errno) {
                   1455:                        case EAGAIN:
                   1456:                                (void)poll(&pfd, 1, -1);
                   1457:                                /* FALLTHROUGH */
                   1458:                        case EINTR:
                   1459:                                continue;
                   1460:                        default:
                   1461:                                return -1;
                   1462:                        }
                   1463:                }
                   1464:                if (len == 0) {
                   1465:                        errno = EPIPE;
                   1466:                        return -1;
                   1467:                }
1.73      markus   1468:                have += (size_t)len;
1.1       djm      1469:        }
1.10      djm      1470:        return 0;
                   1471: }
1.1       djm      1472:
1.10      djm      1473: static int
1.73      markus   1474: mux_client_write_packet(int fd, struct sshbuf *m)
1.10      djm      1475: {
1.73      markus   1476:        struct sshbuf *queue;
1.10      djm      1477:        u_int have, need;
1.73      markus   1478:        int r, oerrno, len;
                   1479:        const u_char *ptr;
1.10      djm      1480:        struct pollfd pfd;
                   1481:
                   1482:        pfd.fd = fd;
                   1483:        pfd.events = POLLOUT;
1.73      markus   1484:        if ((queue = sshbuf_new()) == NULL)
1.85      djm      1485:                fatal_f("sshbuf_new");
1.73      markus   1486:        if ((r = sshbuf_put_stringb(queue, m)) != 0)
1.85      djm      1487:                fatal_fr(r, "enqueue");
1.10      djm      1488:
1.73      markus   1489:        need = sshbuf_len(queue);
                   1490:        ptr = sshbuf_ptr(queue);
1.10      djm      1491:
                   1492:        for (have = 0; have < need; ) {
                   1493:                if (muxclient_terminate) {
1.73      markus   1494:                        sshbuf_free(queue);
1.10      djm      1495:                        errno = EINTR;
                   1496:                        return -1;
                   1497:                }
                   1498:                len = write(fd, ptr + have, need - have);
1.80      deraadt  1499:                if (len == -1) {
1.10      djm      1500:                        switch (errno) {
                   1501:                        case EAGAIN:
                   1502:                                (void)poll(&pfd, 1, -1);
                   1503:                                /* FALLTHROUGH */
                   1504:                        case EINTR:
                   1505:                                continue;
                   1506:                        default:
                   1507:                                oerrno = errno;
1.73      markus   1508:                                sshbuf_free(queue);
1.10      djm      1509:                                errno = oerrno;
                   1510:                                return -1;
                   1511:                        }
                   1512:                }
                   1513:                if (len == 0) {
1.73      markus   1514:                        sshbuf_free(queue);
1.10      djm      1515:                        errno = EPIPE;
                   1516:                        return -1;
                   1517:                }
                   1518:                have += (u_int)len;
                   1519:        }
1.73      markus   1520:        sshbuf_free(queue);
1.10      djm      1521:        return 0;
                   1522: }
1.1       djm      1523:
1.10      djm      1524: static int
1.73      markus   1525: mux_client_read_packet(int fd, struct sshbuf *m)
1.10      djm      1526: {
1.73      markus   1527:        struct sshbuf *queue;
                   1528:        size_t need, have;
1.45      djm      1529:        const u_char *ptr;
1.73      markus   1530:        int r, oerrno;
1.10      djm      1531:
1.73      markus   1532:        if ((queue = sshbuf_new()) == NULL)
1.85      djm      1533:                fatal_f("sshbuf_new");
1.73      markus   1534:        if (mux_client_read(fd, queue, 4) != 0) {
1.10      djm      1535:                if ((oerrno = errno) == EPIPE)
1.85      djm      1536:                        debug3_f("read header failed: %s",
1.43      dtucker  1537:                            strerror(errno));
1.73      markus   1538:                sshbuf_free(queue);
1.10      djm      1539:                errno = oerrno;
                   1540:                return -1;
                   1541:        }
1.73      markus   1542:        need = PEEK_U32(sshbuf_ptr(queue));
                   1543:        if (mux_client_read(fd, queue, need) != 0) {
1.10      djm      1544:                oerrno = errno;
1.85      djm      1545:                debug3_f("read body failed: %s", strerror(errno));
1.73      markus   1546:                sshbuf_free(queue);
1.10      djm      1547:                errno = oerrno;
                   1548:                return -1;
                   1549:        }
1.73      markus   1550:        if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 ||
                   1551:            (r = sshbuf_put(m, ptr, have)) != 0)
1.85      djm      1552:                fatal_fr(r, "dequeue");
1.73      markus   1553:        sshbuf_free(queue);
1.10      djm      1554:        return 0;
                   1555: }
1.1       djm      1556:
1.10      djm      1557: static int
                   1558: mux_client_hello_exchange(int fd)
                   1559: {
1.73      markus   1560:        struct sshbuf *m;
1.10      djm      1561:        u_int type, ver;
1.73      markus   1562:        int r, ret = -1;
1.1       djm      1563:
1.73      markus   1564:        if ((m = sshbuf_new()) == NULL)
1.85      djm      1565:                fatal_f("sshbuf_new");
1.73      markus   1566:        if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 ||
                   1567:            (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0)
1.85      djm      1568:                fatal_fr(r, "assemble hello");
1.10      djm      1569:        /* no extensions */
                   1570:
1.73      markus   1571:        if (mux_client_write_packet(fd, m) != 0) {
1.85      djm      1572:                debug_f("write packet: %s", strerror(errno));
1.65      djm      1573:                goto out;
                   1574:        }
1.1       djm      1575:
1.73      markus   1576:        sshbuf_reset(m);
1.10      djm      1577:
                   1578:        /* Read their HELLO */
1.73      markus   1579:        if (mux_client_read_packet(fd, m) != 0) {
1.85      djm      1580:                debug_f("read packet failed");
1.65      djm      1581:                goto out;
1.10      djm      1582:        }
                   1583:
1.73      markus   1584:        if ((r = sshbuf_get_u32(m, &type)) != 0)
1.85      djm      1585:                fatal_fr(r, "parse type");
1.65      djm      1586:        if (type != MUX_MSG_HELLO) {
1.85      djm      1587:                error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type);
1.65      djm      1588:                goto out;
                   1589:        }
1.73      markus   1590:        if ((r = sshbuf_get_u32(m, &ver)) != 0)
1.85      djm      1591:                fatal_fr(r, "parse version");
1.65      djm      1592:        if (ver != SSHMUX_VER) {
                   1593:                error("Unsupported multiplexing protocol version %d "
1.10      djm      1594:                    "(expected %d)", ver, SSHMUX_VER);
1.65      djm      1595:                goto out;
                   1596:        }
1.85      djm      1597:        debug2_f("master version %u", ver);
1.10      djm      1598:        /* No extensions are presently defined */
1.73      markus   1599:        while (sshbuf_len(m) > 0) {
                   1600:                char *name = NULL;
1.10      djm      1601:
1.73      markus   1602:                if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
                   1603:                    (r = sshbuf_skip_string(m)) != 0) { /* value */
1.85      djm      1604:                        error_fr(r, "parse extension");
1.73      markus   1605:                        goto out;
                   1606:                }
1.10      djm      1607:                debug2("Unrecognised master extension \"%s\"", name);
1.41      djm      1608:                free(name);
1.5       djm      1609:        }
1.65      djm      1610:        /* success */
                   1611:        ret = 0;
                   1612:  out:
1.73      markus   1613:        sshbuf_free(m);
1.65      djm      1614:        return ret;
1.10      djm      1615: }
                   1616:
                   1617: static u_int
                   1618: mux_client_request_alive(int fd)
                   1619: {
1.73      markus   1620:        struct sshbuf *m;
1.10      djm      1621:        char *e;
                   1622:        u_int pid, type, rid;
1.73      markus   1623:        int r;
1.10      djm      1624:
1.85      djm      1625:        debug3_f("entering");
1.10      djm      1626:
1.73      markus   1627:        if ((m = sshbuf_new()) == NULL)
1.85      djm      1628:                fatal_f("sshbuf_new");
1.73      markus   1629:        if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 ||
                   1630:            (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1.85      djm      1631:                fatal_fr(r, "assemble");
1.10      djm      1632:
1.73      markus   1633:        if (mux_client_write_packet(fd, m) != 0)
1.85      djm      1634:                fatal_f("write packet: %s", strerror(errno));
1.10      djm      1635:
1.73      markus   1636:        sshbuf_reset(m);
1.1       djm      1637:
1.10      djm      1638:        /* Read their reply */
1.73      markus   1639:        if (mux_client_read_packet(fd, m) != 0) {
                   1640:                sshbuf_free(m);
1.10      djm      1641:                return 0;
                   1642:        }
                   1643:
1.73      markus   1644:        if ((r = sshbuf_get_u32(m, &type)) != 0)
1.85      djm      1645:                fatal_fr(r, "parse type");
1.10      djm      1646:        if (type != MUX_S_ALIVE) {
1.73      markus   1647:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      1648:                        fatal_fr(r, "parse error message");
                   1649:                fatal_f("master returned error: %s", e);
1.5       djm      1650:        }
1.10      djm      1651:
1.73      markus   1652:        if ((r = sshbuf_get_u32(m, &rid)) != 0)
1.85      djm      1653:                fatal_fr(r, "parse remote ID");
1.73      markus   1654:        if (rid != muxclient_request_id)
1.85      djm      1655:                fatal_f("out of sequence reply: my id %u theirs %u",
                   1656:                    muxclient_request_id, rid);
1.73      markus   1657:        if ((r = sshbuf_get_u32(m, &pid)) != 0)
1.85      djm      1658:                fatal_fr(r, "parse PID");
1.73      markus   1659:        sshbuf_free(m);
1.10      djm      1660:
1.85      djm      1661:        debug3_f("done pid = %u", pid);
1.10      djm      1662:
                   1663:        muxclient_request_id++;
                   1664:
                   1665:        return pid;
                   1666: }
                   1667:
                   1668: static void
                   1669: mux_client_request_terminate(int fd)
                   1670: {
1.73      markus   1671:        struct sshbuf *m;
1.10      djm      1672:        char *e;
                   1673:        u_int type, rid;
1.73      markus   1674:        int r;
1.10      djm      1675:
1.85      djm      1676:        debug3_f("entering");
1.10      djm      1677:
1.73      markus   1678:        if ((m = sshbuf_new()) == NULL)
1.85      djm      1679:                fatal_f("sshbuf_new");
1.73      markus   1680:        if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 ||
                   1681:            (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1.85      djm      1682:                fatal_fr(r, "request");
1.10      djm      1683:
1.73      markus   1684:        if (mux_client_write_packet(fd, m) != 0)
1.85      djm      1685:                fatal_f("write packet: %s", strerror(errno));
1.1       djm      1686:
1.73      markus   1687:        sshbuf_reset(m);
1.1       djm      1688:
1.10      djm      1689:        /* Read their reply */
1.73      markus   1690:        if (mux_client_read_packet(fd, m) != 0) {
1.10      djm      1691:                /* Remote end exited already */
                   1692:                if (errno == EPIPE) {
1.73      markus   1693:                        sshbuf_free(m);
1.10      djm      1694:                        return;
1.2       djm      1695:                }
1.85      djm      1696:                fatal_f("read from master failed: %s", strerror(errno));
1.10      djm      1697:        }
                   1698:
1.73      markus   1699:        if ((r = sshbuf_get_u32(m, &type)) != 0 ||
                   1700:            (r = sshbuf_get_u32(m, &rid)) != 0)
1.85      djm      1701:                fatal_fr(r, "parse");
1.73      markus   1702:        if (rid != muxclient_request_id)
1.85      djm      1703:                fatal_f("out of sequence reply: my id %u theirs %u",
                   1704:                    muxclient_request_id, rid);
1.10      djm      1705:        switch (type) {
                   1706:        case MUX_S_OK:
                   1707:                break;
                   1708:        case MUX_S_PERMISSION_DENIED:
1.73      markus   1709:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      1710:                        fatal_fr(r, "parse error message");
1.10      djm      1711:                fatal("Master refused termination request: %s", e);
                   1712:        case MUX_S_FAILURE:
1.73      markus   1713:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      1714:                        fatal_fr(r, "parse error message");
                   1715:                fatal_f("termination request failed: %s", e);
1.10      djm      1716:        default:
1.85      djm      1717:                fatal_f("unexpected response from master 0x%08x", type);
1.10      djm      1718:        }
1.73      markus   1719:        sshbuf_free(m);
1.10      djm      1720:        muxclient_request_id++;
                   1721: }
                   1722:
                   1723: static int
1.46      millert  1724: mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
1.10      djm      1725: {
1.73      markus   1726:        struct sshbuf *m;
1.10      djm      1727:        char *e, *fwd_desc;
1.73      markus   1728:        const char *lhost, *chost;
1.10      djm      1729:        u_int type, rid;
1.73      markus   1730:        int r;
1.10      djm      1731:
                   1732:        fwd_desc = format_forward(ftype, fwd);
1.30      djm      1733:        debug("Requesting %s %s",
                   1734:            cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
1.41      djm      1735:        free(fwd_desc);
1.10      djm      1736:
1.73      markus   1737:        type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD;
                   1738:        if (fwd->listen_path != NULL)
                   1739:                lhost = fwd->listen_path;
                   1740:        else if (fwd->listen_host == NULL)
                   1741:                lhost = "";
                   1742:        else if (*fwd->listen_host == '\0')
                   1743:                lhost = "*";
                   1744:        else
                   1745:                lhost = fwd->listen_host;
                   1746:
                   1747:        if (fwd->connect_path != NULL)
                   1748:                chost = fwd->connect_path;
                   1749:        else if (fwd->connect_host == NULL)
                   1750:                chost = "";
                   1751:        else
                   1752:                chost = fwd->connect_host;
                   1753:
                   1754:        if ((m = sshbuf_new()) == NULL)
1.85      djm      1755:                fatal_f("sshbuf_new");
1.73      markus   1756:        if ((r = sshbuf_put_u32(m, type)) != 0 ||
                   1757:            (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
                   1758:            (r = sshbuf_put_u32(m, ftype)) != 0 ||
                   1759:            (r = sshbuf_put_cstring(m, lhost)) != 0 ||
                   1760:            (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 ||
                   1761:            (r = sshbuf_put_cstring(m, chost)) != 0 ||
                   1762:            (r = sshbuf_put_u32(m, fwd->connect_port)) != 0)
1.85      djm      1763:                fatal_fr(r, "request");
1.10      djm      1764:
1.73      markus   1765:        if (mux_client_write_packet(fd, m) != 0)
1.85      djm      1766:                fatal_f("write packet: %s", strerror(errno));
1.10      djm      1767:
1.73      markus   1768:        sshbuf_reset(m);
1.10      djm      1769:
                   1770:        /* Read their reply */
1.73      markus   1771:        if (mux_client_read_packet(fd, m) != 0) {
                   1772:                sshbuf_free(m);
1.10      djm      1773:                return -1;
                   1774:        }
                   1775:
1.73      markus   1776:        if ((r = sshbuf_get_u32(m, &type)) != 0 ||
                   1777:            (r = sshbuf_get_u32(m, &rid)) != 0)
1.85      djm      1778:                fatal_fr(r, "parse");
1.73      markus   1779:        if (rid != muxclient_request_id)
1.85      djm      1780:                fatal_f("out of sequence reply: my id %u theirs %u",
                   1781:                    muxclient_request_id, rid);
1.73      markus   1782:
1.10      djm      1783:        switch (type) {
                   1784:        case MUX_S_OK:
1.1       djm      1785:                break;
1.18      markus   1786:        case MUX_S_REMOTE_PORT:
1.30      djm      1787:                if (cancel_flag)
1.85      djm      1788:                        fatal_f("got MUX_S_REMOTE_PORT for cancel");
1.73      markus   1789:                if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0)
1.85      djm      1790:                        fatal_fr(r, "parse port");
1.52      djm      1791:                verbose("Allocated port %u for remote forward to %s:%d",
1.18      markus   1792:                    fwd->allocated_port,
                   1793:                    fwd->connect_host ? fwd->connect_host : "",
                   1794:                    fwd->connect_port);
                   1795:                if (muxclient_command == SSHMUX_COMMAND_FORWARD)
1.55      djm      1796:                        fprintf(stdout, "%i\n", fwd->allocated_port);
1.18      markus   1797:                break;
1.10      djm      1798:        case MUX_S_PERMISSION_DENIED:
1.73      markus   1799:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      1800:                        fatal_fr(r, "parse error message");
1.73      markus   1801:                sshbuf_free(m);
1.10      djm      1802:                error("Master refused forwarding request: %s", e);
                   1803:                return -1;
                   1804:        case MUX_S_FAILURE:
1.73      markus   1805:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      1806:                        fatal_fr(r, "parse error message");
1.73      markus   1807:                sshbuf_free(m);
1.85      djm      1808:                error_f("forwarding request failed: %s", e);
1.10      djm      1809:                return -1;
1.1       djm      1810:        default:
1.85      djm      1811:                fatal_f("unexpected response from master 0x%08x", type);
1.10      djm      1812:        }
1.73      markus   1813:        sshbuf_free(m);
1.10      djm      1814:
                   1815:        muxclient_request_id++;
                   1816:        return 0;
                   1817: }
                   1818:
                   1819: static int
1.30      djm      1820: mux_client_forwards(int fd, int cancel_flag)
1.10      djm      1821: {
1.30      djm      1822:        int i, ret = 0;
1.10      djm      1823:
1.85      djm      1824:        debug3_f("%s forwardings: %d local, %d remote",
1.30      djm      1825:            cancel_flag ? "cancel" : "request",
1.10      djm      1826:            options.num_local_forwards, options.num_remote_forwards);
                   1827:
                   1828:        /* XXX ExitOnForwardingFailure */
                   1829:        for (i = 0; i < options.num_local_forwards; i++) {
1.30      djm      1830:                if (mux_client_forward(fd, cancel_flag,
1.10      djm      1831:                    options.local_forwards[i].connect_port == 0 ?
                   1832:                    MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
                   1833:                    options.local_forwards + i) != 0)
1.30      djm      1834:                        ret = -1;
1.10      djm      1835:        }
                   1836:        for (i = 0; i < options.num_remote_forwards; i++) {
1.30      djm      1837:                if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE,
1.10      djm      1838:                    options.remote_forwards + i) != 0)
1.30      djm      1839:                        ret = -1;
1.10      djm      1840:        }
1.30      djm      1841:        return ret;
1.10      djm      1842: }
                   1843:
                   1844: static int
                   1845: mux_client_request_session(int fd)
                   1846: {
1.73      markus   1847:        struct sshbuf *m;
                   1848:        char *e;
1.89      djm      1849:        const char *term = NULL;
1.94      djm      1850:        u_int i, echar, rid, sid, esid, exitval, type, exitval_seen;
1.10      djm      1851:        extern char **environ;
1.94      djm      1852:        int r, rawmode;
1.10      djm      1853:
1.85      djm      1854:        debug3_f("entering");
1.10      djm      1855:
                   1856:        if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
1.85      djm      1857:                error_f("master alive request failed");
1.10      djm      1858:                return -1;
1.1       djm      1859:        }
                   1860:
1.81      dtucker  1861:        ssh_signal(SIGPIPE, SIG_IGN);
1.10      djm      1862:
1.91      djm      1863:        if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
1.85      djm      1864:                fatal_f("stdfd_devnull failed");
1.1       djm      1865:
1.89      djm      1866:        if ((term = lookup_env_in_list("TERM", options.setenv,
                   1867:            options.num_setenv)) == NULL || *term == '\0')
                   1868:                term = getenv("TERM");
                   1869:
1.73      markus   1870:        echar = 0xffffffff;
                   1871:        if (options.escape_char != SSH_ESCAPECHAR_NONE)
                   1872:            echar = (u_int)options.escape_char;
                   1873:
                   1874:        if ((m = sshbuf_new()) == NULL)
1.85      djm      1875:                fatal_f("sshbuf_new");
1.73      markus   1876:        if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 ||
                   1877:            (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
                   1878:            (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
                   1879:            (r = sshbuf_put_u32(m, tty_flag)) != 0 ||
                   1880:            (r = sshbuf_put_u32(m, options.forward_x11)) != 0 ||
                   1881:            (r = sshbuf_put_u32(m, options.forward_agent)) != 0 ||
1.90      djm      1882:            (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 ||
1.73      markus   1883:            (r = sshbuf_put_u32(m, echar)) != 0 ||
1.89      djm      1884:            (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 ||
1.73      markus   1885:            (r = sshbuf_put_stringb(m, command)) != 0)
1.85      djm      1886:                fatal_fr(r, "request");
1.10      djm      1887:
1.71      djm      1888:        /* Pass environment */
1.10      djm      1889:        if (options.num_send_env > 0 && environ != NULL) {
                   1890:                for (i = 0; environ[i] != NULL; i++) {
1.73      markus   1891:                        if (!env_permitted(environ[i]))
                   1892:                                continue;
                   1893:                        if ((r = sshbuf_put_cstring(m, environ[i])) != 0)
1.85      djm      1894:                                fatal_fr(r, "request sendenv");
1.10      djm      1895:                }
1.5       djm      1896:        }
1.73      markus   1897:        for (i = 0; i < options.num_setenv; i++) {
                   1898:                if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0)
1.85      djm      1899:                        fatal_fr(r, "request setenv");
1.73      markus   1900:        }
1.5       djm      1901:
1.73      markus   1902:        if (mux_client_write_packet(fd, m) != 0)
1.85      djm      1903:                fatal_f("write packet: %s", strerror(errno));
1.10      djm      1904:
                   1905:        /* Send the stdio file descriptors */
                   1906:        if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
                   1907:            mm_send_fd(fd, STDOUT_FILENO) == -1 ||
                   1908:            mm_send_fd(fd, STDERR_FILENO) == -1)
1.85      djm      1909:                fatal_f("send fds failed");
1.10      djm      1910:
1.85      djm      1911:        debug3_f("session request sent");
1.1       djm      1912:
1.10      djm      1913:        /* Read their reply */
1.73      markus   1914:        sshbuf_reset(m);
                   1915:        if (mux_client_read_packet(fd, m) != 0) {
1.85      djm      1916:                error_f("read from master failed: %s", strerror(errno));
1.73      markus   1917:                sshbuf_free(m);
1.10      djm      1918:                return -1;
                   1919:        }
                   1920:
1.73      markus   1921:        if ((r = sshbuf_get_u32(m, &type)) != 0 ||
                   1922:            (r = sshbuf_get_u32(m, &rid)) != 0)
1.85      djm      1923:                fatal_fr(r, "parse");
1.73      markus   1924:        if (rid != muxclient_request_id)
1.85      djm      1925:                fatal_f("out of sequence reply: my id %u theirs %u",
                   1926:                    muxclient_request_id, rid);
1.73      markus   1927:
1.10      djm      1928:        switch (type) {
                   1929:        case MUX_S_SESSION_OPENED:
1.73      markus   1930:                if ((r = sshbuf_get_u32(m, &sid)) != 0)
1.85      djm      1931:                        fatal_fr(r, "parse session ID");
                   1932:                debug_f("master session id: %u", sid);
1.10      djm      1933:                break;
                   1934:        case MUX_S_PERMISSION_DENIED:
1.73      markus   1935:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      1936:                        fatal_fr(r, "parse error message");
1.24      djm      1937:                error("Master refused session request: %s", e);
1.73      markus   1938:                sshbuf_free(m);
1.10      djm      1939:                return -1;
                   1940:        case MUX_S_FAILURE:
1.73      markus   1941:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      1942:                        fatal_fr(r, "parse error message");
                   1943:                error_f("session request failed: %s", e);
1.73      markus   1944:                sshbuf_free(m);
1.10      djm      1945:                return -1;
                   1946:        default:
1.73      markus   1947:                sshbuf_free(m);
1.85      djm      1948:                error_f("unexpected response from master 0x%08x", type);
1.10      djm      1949:                return -1;
                   1950:        }
                   1951:        muxclient_request_id++;
1.1       djm      1952:
1.57      semarie  1953:        if (pledge("stdio proc tty", NULL) == -1)
1.85      djm      1954:                fatal_f("pledge(): %s", strerror(errno));
1.57      semarie  1955:
1.81      dtucker  1956:        ssh_signal(SIGHUP, control_client_sighandler);
                   1957:        ssh_signal(SIGINT, control_client_sighandler);
                   1958:        ssh_signal(SIGTERM, control_client_sighandler);
                   1959:        ssh_signal(SIGWINCH, control_client_sigrelay);
1.1       djm      1960:
1.28      djm      1961:        rawmode = tty_flag;
1.1       djm      1962:        if (tty_flag)
1.27      djm      1963:                enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
1.1       djm      1964:
                   1965:        /*
                   1966:         * Stick around until the controlee closes the client_fd.
1.10      djm      1967:         * Before it does, it is expected to write an exit message.
                   1968:         * This process must read the value and wait for the closure of
                   1969:         * the client_fd; if this one closes early, the multiplex master will
                   1970:         * terminate early too (possibly losing data).
1.1       djm      1971:         */
1.10      djm      1972:        for (exitval = 255, exitval_seen = 0;;) {
1.73      markus   1973:                sshbuf_reset(m);
                   1974:                if (mux_client_read_packet(fd, m) != 0)
1.1       djm      1975:                        break;
1.73      markus   1976:                if ((r = sshbuf_get_u32(m, &type)) != 0)
1.85      djm      1977:                        fatal_fr(r, "parse type");
1.28      djm      1978:                switch (type) {
                   1979:                case MUX_S_TTY_ALLOC_FAIL:
1.73      markus   1980:                        if ((r = sshbuf_get_u32(m, &esid)) != 0)
1.85      djm      1981:                                fatal_fr(r, "parse session ID");
1.73      markus   1982:                        if (esid != sid)
1.85      djm      1983:                                fatal_f("tty alloc fail on unknown session: "
                   1984:                                    "my id %u theirs %u", sid, esid);
1.28      djm      1985:                        leave_raw_mode(options.request_tty ==
                   1986:                            REQUEST_TTY_FORCE);
                   1987:                        rawmode = 0;
                   1988:                        continue;
                   1989:                case MUX_S_EXIT_MESSAGE:
1.73      markus   1990:                        if ((r = sshbuf_get_u32(m, &esid)) != 0)
1.85      djm      1991:                                fatal_fr(r, "parse session ID");
1.73      markus   1992:                        if (esid != sid)
1.85      djm      1993:                                fatal_f("exit on unknown session: "
                   1994:                                    "my id %u theirs %u", sid, esid);
1.28      djm      1995:                        if (exitval_seen)
1.85      djm      1996:                                fatal_f("exitval sent twice");
1.73      markus   1997:                        if ((r = sshbuf_get_u32(m, &exitval)) != 0)
1.85      djm      1998:                                fatal_fr(r, "parse exitval");
1.28      djm      1999:                        exitval_seen = 1;
                   2000:                        continue;
                   2001:                default:
1.73      markus   2002:                        if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      2003:                                fatal_fr(r, "parse error message");
                   2004:                        fatal_f("master returned error: %s", e);
1.1       djm      2005:                }
                   2006:        }
                   2007:
1.10      djm      2008:        close(fd);
1.28      djm      2009:        if (rawmode)
                   2010:                leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
1.10      djm      2011:
1.1       djm      2012:        if (muxclient_terminate) {
1.69      dtucker  2013:                debug2("Exiting on signal: %s", strsignal(muxclient_terminate));
1.10      djm      2014:                exitval = 255;
                   2015:        } else if (!exitval_seen) {
1.1       djm      2016:                debug2("Control master terminated unexpectedly");
1.10      djm      2017:                exitval = 255;
1.1       djm      2018:        } else
1.10      djm      2019:                debug2("Received exit status from master %d", exitval);
1.1       djm      2020:
1.92      djm      2021:        if (tty_flag && options.log_level >= SYSLOG_LEVEL_INFO)
1.1       djm      2022:                fprintf(stderr, "Shared connection to %s closed.\r\n", host);
                   2023:
1.10      djm      2024:        exit(exitval);
                   2025: }
                   2026:
                   2027: static int
1.62      markus   2028: mux_client_proxy(int fd)
                   2029: {
1.73      markus   2030:        struct sshbuf *m;
1.62      markus   2031:        char *e;
                   2032:        u_int type, rid;
1.73      markus   2033:        int r;
1.62      markus   2034:
1.73      markus   2035:        if ((m = sshbuf_new()) == NULL)
1.85      djm      2036:                fatal_f("sshbuf_new");
1.73      markus   2037:        if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 ||
                   2038:            (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1.85      djm      2039:                fatal_fr(r, "request");
1.73      markus   2040:        if (mux_client_write_packet(fd, m) != 0)
1.85      djm      2041:                fatal_f("write packet: %s", strerror(errno));
1.62      markus   2042:
1.73      markus   2043:        sshbuf_reset(m);
1.62      markus   2044:
                   2045:        /* Read their reply */
1.73      markus   2046:        if (mux_client_read_packet(fd, m) != 0) {
                   2047:                sshbuf_free(m);
1.62      markus   2048:                return 0;
                   2049:        }
1.73      markus   2050:        if ((r = sshbuf_get_u32(m, &type)) != 0 ||
                   2051:            (r = sshbuf_get_u32(m, &rid)) != 0)
1.85      djm      2052:                fatal_fr(r, "parse");
1.73      markus   2053:        if (rid != muxclient_request_id)
1.85      djm      2054:                fatal_f("out of sequence reply: my id %u theirs %u",
                   2055:                    muxclient_request_id, rid);
1.62      markus   2056:        if (type != MUX_S_PROXY) {
1.73      markus   2057:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      2058:                        fatal_fr(r, "parse error message");
                   2059:                fatal_f("master returned error: %s", e);
1.62      markus   2060:        }
1.73      markus   2061:        sshbuf_free(m);
1.62      markus   2062:
1.85      djm      2063:        debug3_f("done");
1.62      markus   2064:        muxclient_request_id++;
                   2065:        return 0;
                   2066: }
                   2067:
                   2068: static int
1.10      djm      2069: mux_client_request_stdio_fwd(int fd)
                   2070: {
1.73      markus   2071:        struct sshbuf *m;
1.10      djm      2072:        char *e;
                   2073:        u_int type, rid, sid;
1.84      djm      2074:        int r;
1.10      djm      2075:
1.85      djm      2076:        debug3_f("entering");
1.10      djm      2077:
                   2078:        if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
1.85      djm      2079:                error_f("master alive request failed");
1.10      djm      2080:                return -1;
                   2081:        }
                   2082:
1.81      dtucker  2083:        ssh_signal(SIGPIPE, SIG_IGN);
1.10      djm      2084:
1.91      djm      2085:        if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
1.85      djm      2086:                fatal_f("stdfd_devnull failed");
1.10      djm      2087:
1.73      markus   2088:        if ((m = sshbuf_new()) == NULL)
1.85      djm      2089:                fatal_f("sshbuf_new");
1.73      markus   2090:        if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 ||
                   2091:            (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
                   2092:            (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
                   2093:            (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 ||
                   2094:            (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0)
1.85      djm      2095:                fatal_fr(r, "request");
1.10      djm      2096:
1.73      markus   2097:        if (mux_client_write_packet(fd, m) != 0)
1.85      djm      2098:                fatal_f("write packet: %s", strerror(errno));
1.10      djm      2099:
                   2100:        /* Send the stdio file descriptors */
                   2101:        if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
                   2102:            mm_send_fd(fd, STDOUT_FILENO) == -1)
1.85      djm      2103:                fatal_f("send fds failed");
1.10      djm      2104:
1.56      semarie  2105:        if (pledge("stdio proc tty", NULL) == -1)
1.85      djm      2106:                fatal_f("pledge(): %s", strerror(errno));
1.56      semarie  2107:
1.85      djm      2108:        debug3_f("stdio forward request sent");
1.10      djm      2109:
                   2110:        /* Read their reply */
1.73      markus   2111:        sshbuf_reset(m);
1.10      djm      2112:
1.73      markus   2113:        if (mux_client_read_packet(fd, m) != 0) {
1.85      djm      2114:                error_f("read from master failed: %s", strerror(errno));
1.73      markus   2115:                sshbuf_free(m);
1.10      djm      2116:                return -1;
                   2117:        }
                   2118:
1.73      markus   2119:        if ((r = sshbuf_get_u32(m, &type)) != 0 ||
                   2120:            (r = sshbuf_get_u32(m, &rid)) != 0)
1.85      djm      2121:                fatal_fr(r, "parse");
1.73      markus   2122:        if (rid != muxclient_request_id)
1.85      djm      2123:                fatal_f("out of sequence reply: my id %u theirs %u",
                   2124:                    muxclient_request_id, rid);
1.10      djm      2125:        switch (type) {
                   2126:        case MUX_S_SESSION_OPENED:
1.73      markus   2127:                if ((r = sshbuf_get_u32(m, &sid)) != 0)
1.85      djm      2128:                        fatal_fr(r, "parse session ID");
                   2129:                debug_f("master session id: %u", sid);
1.10      djm      2130:                break;
                   2131:        case MUX_S_PERMISSION_DENIED:
1.73      markus   2132:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      2133:                        fatal_fr(r, "parse error message");
1.73      markus   2134:                sshbuf_free(m);
1.24      djm      2135:                fatal("Master refused stdio forwarding request: %s", e);
1.10      djm      2136:        case MUX_S_FAILURE:
1.73      markus   2137:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      2138:                        fatal_fr(r, "parse error message");
1.73      markus   2139:                sshbuf_free(m);
1.48      djm      2140:                fatal("Stdio forwarding request failed: %s", e);
1.10      djm      2141:        default:
1.73      markus   2142:                sshbuf_free(m);
1.85      djm      2143:                error_f("unexpected response from master 0x%08x", type);
1.10      djm      2144:                return -1;
                   2145:        }
                   2146:        muxclient_request_id++;
                   2147:
1.81      dtucker  2148:        ssh_signal(SIGHUP, control_client_sighandler);
                   2149:        ssh_signal(SIGINT, control_client_sighandler);
                   2150:        ssh_signal(SIGTERM, control_client_sighandler);
                   2151:        ssh_signal(SIGWINCH, control_client_sigrelay);
1.10      djm      2152:
                   2153:        /*
                   2154:         * Stick around until the controlee closes the client_fd.
                   2155:         */
1.73      markus   2156:        sshbuf_reset(m);
                   2157:        if (mux_client_read_packet(fd, m) != 0) {
1.10      djm      2158:                if (errno == EPIPE ||
                   2159:                    (errno == EINTR && muxclient_terminate != 0))
                   2160:                        return 0;
1.85      djm      2161:                fatal_f("mux_client_read_packet: %s", strerror(errno));
1.10      djm      2162:        }
1.85      djm      2163:        fatal_f("master returned unexpected message %u", type);
1.10      djm      2164: }
                   2165:
1.25      djm      2166: static void
                   2167: mux_client_request_stop_listening(int fd)
                   2168: {
1.73      markus   2169:        struct sshbuf *m;
1.25      djm      2170:        char *e;
                   2171:        u_int type, rid;
1.73      markus   2172:        int r;
1.25      djm      2173:
1.85      djm      2174:        debug3_f("entering");
1.25      djm      2175:
1.73      markus   2176:        if ((m = sshbuf_new()) == NULL)
1.85      djm      2177:                fatal_f("sshbuf_new");
1.73      markus   2178:        if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 ||
                   2179:            (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1.85      djm      2180:                fatal_fr(r, "request");
1.25      djm      2181:
1.73      markus   2182:        if (mux_client_write_packet(fd, m) != 0)
1.85      djm      2183:                fatal_f("write packet: %s", strerror(errno));
1.25      djm      2184:
1.73      markus   2185:        sshbuf_reset(m);
1.25      djm      2186:
                   2187:        /* Read their reply */
1.73      markus   2188:        if (mux_client_read_packet(fd, m) != 0)
1.85      djm      2189:                fatal_f("read from master failed: %s", strerror(errno));
1.25      djm      2190:
1.73      markus   2191:        if ((r = sshbuf_get_u32(m, &type)) != 0 ||
                   2192:            (r = sshbuf_get_u32(m, &rid)) != 0)
1.85      djm      2193:                fatal_fr(r, "parse");
1.73      markus   2194:        if (rid != muxclient_request_id)
1.85      djm      2195:                fatal_f("out of sequence reply: my id %u theirs %u",
                   2196:                    muxclient_request_id, rid);
1.73      markus   2197:
1.25      djm      2198:        switch (type) {
                   2199:        case MUX_S_OK:
                   2200:                break;
                   2201:        case MUX_S_PERMISSION_DENIED:
1.73      markus   2202:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      2203:                        fatal_fr(r, "parse error message");
1.25      djm      2204:                fatal("Master refused stop listening request: %s", e);
                   2205:        case MUX_S_FAILURE:
1.73      markus   2206:                if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1.85      djm      2207:                        fatal_fr(r, "parse error message");
                   2208:                fatal_f("stop listening request failed: %s", e);
1.25      djm      2209:        default:
1.85      djm      2210:                fatal_f("unexpected response from master 0x%08x", type);
1.25      djm      2211:        }
1.73      markus   2212:        sshbuf_free(m);
1.25      djm      2213:        muxclient_request_id++;
                   2214: }
                   2215:
1.10      djm      2216: /* Multiplex client main loop. */
1.62      markus   2217: int
1.10      djm      2218: muxclient(const char *path)
                   2219: {
                   2220:        struct sockaddr_un addr;
                   2221:        int sock;
                   2222:        u_int pid;
                   2223:
                   2224:        if (muxclient_command == 0) {
1.60      dtucker  2225:                if (options.stdio_forward_host != NULL)
1.10      djm      2226:                        muxclient_command = SSHMUX_COMMAND_STDIO_FWD;
                   2227:                else
                   2228:                        muxclient_command = SSHMUX_COMMAND_OPEN;
                   2229:        }
                   2230:
                   2231:        switch (options.control_master) {
                   2232:        case SSHCTL_MASTER_AUTO:
                   2233:        case SSHCTL_MASTER_AUTO_ASK:
                   2234:                debug("auto-mux: Trying existing master");
                   2235:                /* FALLTHROUGH */
                   2236:        case SSHCTL_MASTER_NO:
                   2237:                break;
                   2238:        default:
1.62      markus   2239:                return -1;
1.10      djm      2240:        }
                   2241:
                   2242:        memset(&addr, '\0', sizeof(addr));
                   2243:        addr.sun_family = AF_UNIX;
                   2244:
                   2245:        if (strlcpy(addr.sun_path, path,
                   2246:            sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
1.61      dtucker  2247:                fatal("ControlPath too long ('%s' >= %u bytes)", path,
1.87      djm      2248:                    (unsigned int)sizeof(addr.sun_path));
1.10      djm      2249:
1.80      deraadt  2250:        if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
1.85      djm      2251:                fatal_f("socket(): %s", strerror(errno));
1.10      djm      2252:
1.64      guenther 2253:        if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
1.10      djm      2254:                switch (muxclient_command) {
                   2255:                case SSHMUX_COMMAND_OPEN:
                   2256:                case SSHMUX_COMMAND_STDIO_FWD:
                   2257:                        break;
                   2258:                default:
                   2259:                        fatal("Control socket connect(%.100s): %s", path,
                   2260:                            strerror(errno));
                   2261:                }
1.22      djm      2262:                if (errno == ECONNREFUSED &&
                   2263:                    options.control_master != SSHCTL_MASTER_NO) {
                   2264:                        debug("Stale control socket %.100s, unlinking", path);
                   2265:                        unlink(path);
                   2266:                } else if (errno == ENOENT) {
1.10      djm      2267:                        debug("Control socket \"%.100s\" does not exist", path);
1.22      djm      2268:                } else {
1.10      djm      2269:                        error("Control socket connect(%.100s): %s", path,
                   2270:                            strerror(errno));
                   2271:                }
                   2272:                close(sock);
1.62      markus   2273:                return -1;
1.10      djm      2274:        }
                   2275:        set_nonblock(sock);
                   2276:
                   2277:        if (mux_client_hello_exchange(sock) != 0) {
1.85      djm      2278:                error_f("master hello exchange failed");
1.10      djm      2279:                close(sock);
1.62      markus   2280:                return -1;
1.10      djm      2281:        }
                   2282:
                   2283:        switch (muxclient_command) {
                   2284:        case SSHMUX_COMMAND_ALIVE_CHECK:
                   2285:                if ((pid = mux_client_request_alive(sock)) == 0)
1.85      djm      2286:                        fatal_f("master alive check failed");
1.55      djm      2287:                fprintf(stderr, "Master running (pid=%u)\r\n", pid);
1.10      djm      2288:                exit(0);
                   2289:        case SSHMUX_COMMAND_TERMINATE:
                   2290:                mux_client_request_terminate(sock);
1.63      dtucker  2291:                if (options.log_level != SYSLOG_LEVEL_QUIET)
                   2292:                        fprintf(stderr, "Exit request sent.\r\n");
1.18      markus   2293:                exit(0);
                   2294:        case SSHMUX_COMMAND_FORWARD:
1.30      djm      2295:                if (mux_client_forwards(sock, 0) != 0)
1.85      djm      2296:                        fatal_f("master forward request failed");
1.10      djm      2297:                exit(0);
                   2298:        case SSHMUX_COMMAND_OPEN:
1.30      djm      2299:                if (mux_client_forwards(sock, 0) != 0) {
1.85      djm      2300:                        error_f("master forward request failed");
1.62      markus   2301:                        return -1;
1.10      djm      2302:                }
                   2303:                mux_client_request_session(sock);
1.62      markus   2304:                return -1;
1.10      djm      2305:        case SSHMUX_COMMAND_STDIO_FWD:
                   2306:                mux_client_request_stdio_fwd(sock);
1.25      djm      2307:                exit(0);
                   2308:        case SSHMUX_COMMAND_STOP:
                   2309:                mux_client_request_stop_listening(sock);
1.63      dtucker  2310:                if (options.log_level != SYSLOG_LEVEL_QUIET)
                   2311:                        fprintf(stderr, "Stop listening request sent.\r\n");
1.30      djm      2312:                exit(0);
                   2313:        case SSHMUX_COMMAND_CANCEL_FWD:
                   2314:                if (mux_client_forwards(sock, 1) != 0)
1.85      djm      2315:                        error_f("master cancel forward request failed");
1.10      djm      2316:                exit(0);
1.62      markus   2317:        case SSHMUX_COMMAND_PROXY:
                   2318:                mux_client_proxy(sock);
                   2319:                return (sock);
1.10      djm      2320:        default:
                   2321:                fatal("unrecognised muxclient_command %d", muxclient_command);
                   2322:        }
1.1       djm      2323: }