1 /* $OpenBSD: mux.c,v 1.113 2026/04/02 07:39:57 djm Exp $ */
2 /*
3 * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 /* ssh session multiplexing support */
19
20 #include "includes.h"
21
22 #include <sys/types.h>
23 #include <sys/queue.h>
24 #include <sys/stat.h>
25 #include <sys/socket.h>
26 #include <sys/un.h>
27
28 #include <errno.h>
29 #include <poll.h>
30 #include <limits.h>
31 #include <signal.h>
32 #include <stdarg.h>
33 #include <stddef.h>
34 #include <stdlib.h>
35 #include <stdio.h>
36 #include <string.h>
37 #include <unistd.h>
38
39 #include "xmalloc.h"
40 #include "log.h"
41 #include "ssh.h"
42 #include "ssh2.h"
43 #include "misc.h"
44 #include "match.h"
45 #include "sshbuf.h"
46 #include "channels.h"
47 #include "packet.h"
48 #include "monitor_fdpass.h"
49 #include "sshpty.h"
50 #include "readconf.h"
51 #include "clientloop.h"
52
53 /* from ssh.c */
54 extern int tty_flag;
55 extern Options options;
56 extern char *host;
57 extern struct sshbuf *command;
58 extern volatile sig_atomic_t quit_pending;
59
60 /* Context for session open confirmation callback */
61 struct mux_session_confirm_ctx {
62 u_int want_tty;
63 u_int want_subsys;
64 u_int want_x_fwd;
65 u_int want_agent_fwd;
66 struct sshbuf *cmd;
67 char *term;
68 struct termios tio;
69 char **env;
70 u_int rid;
71 };
72
73 /* Context for stdio fwd open confirmation callback */
74 struct mux_stdio_confirm_ctx {
75 u_int rid;
76 };
77
78 /* Context for global channel callback */
79 struct mux_channel_confirm_ctx {
80 u_int cid; /* channel id */
81 u_int rid; /* request id */
82 int fid; /* forward id */
83 };
84
85 /* fd to control socket */
86 int muxserver_sock = -1;
87
88 /* client request id */
89 u_int muxclient_request_id = 0;
90
91 /* Multiplexing control command */
92 u_int muxclient_command = 0;
93
94 /* Set when signalled. */
95 static volatile sig_atomic_t muxclient_terminate = 0;
96
97 /* PID of multiplex server */
98 static u_int muxserver_pid = 0;
99
100 static Channel *mux_listener_channel = NULL;
101
102 struct mux_master_state {
103 int hello_rcvd;
104 };
105
106 /* mux protocol messages */
107 #define MUX_MSG_HELLO 0x00000001
108 #define MUX_C_NEW_SESSION 0x10000002
109 #define MUX_C_ALIVE_CHECK 0x10000004
110 #define MUX_C_TERMINATE 0x10000005
111 #define MUX_C_OPEN_FWD 0x10000006
112 #define MUX_C_CLOSE_FWD 0x10000007
113 #define MUX_C_NEW_STDIO_FWD 0x10000008
114 #define MUX_C_STOP_LISTENING 0x10000009
115 #define MUX_C_PROXY 0x1000000f
116 #define MUX_C_EXT_INFO 0x20000001
117 #define MUX_S_OK 0x80000001
118 #define MUX_S_PERMISSION_DENIED 0x80000002
119 #define MUX_S_FAILURE 0x80000003
120 #define MUX_S_EXIT_MESSAGE 0x80000004
121 #define MUX_S_ALIVE 0x80000005
122 #define MUX_S_SESSION_OPENED 0x80000006
123 #define MUX_S_REMOTE_PORT 0x80000007
124 #define MUX_S_TTY_ALLOC_FAIL 0x80000008
125 #define MUX_S_PROXY 0x8000000f
126 #define MUX_S_EXT_INFO 0x90000001
127
128 /* type codes for MUX_C_OPEN_FWD and MUX_C_CLOSE_FWD */
129 #define MUX_FWD_LOCAL 1
130 #define MUX_FWD_REMOTE 2
131 #define MUX_FWD_DYNAMIC 3
132
133 #define MUX_EXT_INFO 0x00000001
134
135 /* Bitmask of supported extensions */
136 static u_int extensions = 0;
137
138 static void mux_session_confirm(struct ssh *, int, int, void *);
139 static void mux_stdio_confirm(struct ssh *, int, int, void *);
140
141 static int mux_master_process_hello(struct ssh *, u_int,
142 Channel *, struct sshbuf *, struct sshbuf *);
143 static int mux_master_process_new_session(struct ssh *, u_int,
144 Channel *, struct sshbuf *, struct sshbuf *);
145 static int mux_master_process_alive_check(struct ssh *, u_int,
146 Channel *, struct sshbuf *, struct sshbuf *);
147 static int mux_master_process_terminate(struct ssh *, u_int,
148 Channel *, struct sshbuf *, struct sshbuf *);
149 static int mux_master_process_open_fwd(struct ssh *, u_int,
150 Channel *, struct sshbuf *, struct sshbuf *);
151 static int mux_master_process_close_fwd(struct ssh *, u_int,
152 Channel *, struct sshbuf *, struct sshbuf *);
153 static int mux_master_process_stdio_fwd(struct ssh *, u_int,
154 Channel *, struct sshbuf *, struct sshbuf *);
155 static int mux_master_process_stop_listening(struct ssh *, u_int,
156 Channel *, struct sshbuf *, struct sshbuf *);
157 static int mux_master_process_proxy(struct ssh *, u_int,
158 Channel *, struct sshbuf *, struct sshbuf *);
159 static int mux_master_process_ext_info(struct ssh *, u_int,
160 Channel *, struct sshbuf *, struct sshbuf *);
161
162 static const struct {
163 u_int type;
164 int (*handler)(struct ssh *, u_int, Channel *,
165 struct sshbuf *, struct sshbuf *);
166 } mux_master_handlers[] = {
167 { MUX_MSG_HELLO, mux_master_process_hello },
168 { MUX_C_NEW_SESSION, mux_master_process_new_session },
169 { MUX_C_ALIVE_CHECK, mux_master_process_alive_check },
170 { MUX_C_TERMINATE, mux_master_process_terminate },
171 { MUX_C_OPEN_FWD, mux_master_process_open_fwd },
172 { MUX_C_CLOSE_FWD, mux_master_process_close_fwd },
173 { MUX_C_NEW_STDIO_FWD, mux_master_process_stdio_fwd },
174 { MUX_C_STOP_LISTENING, mux_master_process_stop_listening },
175 { MUX_C_PROXY, mux_master_process_proxy },
176 { MUX_C_EXT_INFO, mux_master_process_ext_info },
177 { 0, NULL }
178 };
179
180 /* Cleanup callback fired on closure of mux client _session_ channel */
181 static void
mux_master_session_cleanup_cb(struct ssh * ssh,int cid,int force,void * unused)182 mux_master_session_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
183 {
184 Channel *cc, *c = channel_by_id(ssh, cid);
185
186 debug3_f("entering for channel %d", cid);
187 if (c == NULL)
188 fatal_f("channel_by_id(%i) == NULL", cid);
189 if (c->ctl_chan != -1) {
190 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
191 fatal_f("channel %d missing control channel %d",
192 c->self, c->ctl_chan);
193 c->ctl_chan = -1;
194 cc->ctl_child_id = 0;
195 cc->have_ctl_child_id = 0;
196 chan_rcvd_oclose(ssh, cc);
197 }
198 channel_cancel_cleanup(ssh, c->self);
199 }
200
201 /* Cleanup callback fired on closure of mux client _control_ channel */
202 static void
mux_master_control_cleanup_cb(struct ssh * ssh,int cid,int force,void * unused)203 mux_master_control_cleanup_cb(struct ssh *ssh, int cid, int force, void *unused)
204 {
205 Channel *sc, *c = channel_by_id(ssh, cid);
206
207 debug3_f("entering for channel %d", cid);
208 if (c == NULL)
209 fatal_f("channel_by_id(%i) == NULL", cid);
210 if (c->have_ctl_child_id) {
211 if ((sc = channel_by_id(ssh, c->ctl_child_id)) == NULL)
212 fatal_f("channel %d missing session channel %u",
213 c->self, c->ctl_child_id);
214 c->ctl_child_id = 0;
215 c->have_ctl_child_id = 0;
216 sc->ctl_chan = -1;
217 if (sc->type != SSH_CHANNEL_OPEN &&
218 sc->type != SSH_CHANNEL_OPENING) {
219 debug2_f("channel %d: not open", sc->self);
220 chan_mark_dead(ssh, sc);
221 } else {
222 if (sc->istate == CHAN_INPUT_OPEN)
223 chan_read_failed(ssh, sc);
224 if (sc->ostate == CHAN_OUTPUT_OPEN)
225 chan_write_failed(ssh, sc);
226 }
227 }
228 channel_cancel_cleanup(ssh, c->self);
229 }
230
231 /* Check mux client environment variables before passing them to mux master. */
232 static int
env_permitted(const char * env)233 env_permitted(const char *env)
234 {
235 u_int i;
236 int ret;
237 char name[1024], *cp;
238
239 if ((cp = strchr(env, '=')) == NULL || cp == env)
240 return 0;
241 ret = snprintf(name, sizeof(name), "%.*s", (int)(cp - env), env);
242 if (ret <= 0 || (size_t)ret >= sizeof(name)) {
243 error_f("name '%.100s...' too long", env);
244 return 0;
245 }
246
247 for (i = 0; i < options.num_send_env; i++)
248 if (match_pattern(name, options.send_env[i]))
249 return 1;
250
251 return 0;
252 }
253
254 /* Mux master protocol message handlers */
255
256 static int
mux_master_process_hello(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)257 mux_master_process_hello(struct ssh *ssh, u_int rid,
258 Channel *c, struct sshbuf *m, struct sshbuf *reply)
259 {
260 u_int ver;
261 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
262 int r;
263
264 if (state == NULL)
265 fatal_f("channel %d: c->mux_ctx == NULL", c->self);
266 if (state->hello_rcvd) {
267 error_f("HELLO received twice");
268 return -1;
269 }
270 if ((r = sshbuf_get_u32(m, &ver)) != 0) {
271 error_fr(r, "parse");
272 return -1;
273 }
274 if (ver != SSHMUX_VER) {
275 error_f("unsupported multiplexing protocol version %u "
276 "(expected %u)", ver, SSHMUX_VER);
277 return -1;
278 }
279 debug2_f("channel %d client version %u", c->self, ver);
280
281 /* No extensions are presently defined */
282 while (sshbuf_len(m) > 0) {
283 char *name = NULL;
284 size_t value_len = 0;
285
286 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
287 (r = sshbuf_get_string_direct(m, NULL, &value_len)) != 0) {
288 error_fr(r, "parse extension");
289 return -1;
290 }
291 if (strcmp(name, "info") == 0) {
292 debug_f("Received 'info' extension");
293 extensions |= MUX_EXT_INFO;
294 } else {
295 debug2_f("Unrecognised extension \"%s\" length %zu",
296 name, value_len);
297 }
298 free(name);
299 }
300 state->hello_rcvd = 1;
301 return 0;
302 }
303
304 /* Enqueue a "ok" response to the reply buffer */
305 static void
reply_ok(struct sshbuf * reply,u_int rid)306 reply_ok(struct sshbuf *reply, u_int rid)
307 {
308 int r;
309
310 if ((r = sshbuf_put_u32(reply, MUX_S_OK)) != 0 ||
311 (r = sshbuf_put_u32(reply, rid)) != 0)
312 fatal_fr(r, "reply");
313 }
314
315 /* Enqueue an error response to the reply buffer */
316 static void
reply_error(struct sshbuf * reply,u_int type,u_int rid,const char * msg)317 reply_error(struct sshbuf *reply, u_int type, u_int rid, const char *msg)
318 {
319 int r;
320
321 if ((r = sshbuf_put_u32(reply, type)) != 0 ||
322 (r = sshbuf_put_u32(reply, rid)) != 0 ||
323 (r = sshbuf_put_cstring(reply, msg)) != 0)
324 fatal_fr(r, "reply");
325 }
326
327 static int
mux_master_process_new_session(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)328 mux_master_process_new_session(struct ssh *ssh, u_int rid,
329 Channel *c, struct sshbuf *m, struct sshbuf *reply)
330 {
331 Channel *nc;
332 struct mux_session_confirm_ctx *cctx;
333 char *cmd, *cp;
334 u_int i, j, env_len, escape_char, window, packetmax;
335 int r, new_fd[3];
336
337 /* Reply for SSHMUX_COMMAND_OPEN */
338 cctx = xcalloc(1, sizeof(*cctx));
339 cctx->term = NULL;
340 cctx->rid = rid;
341 cmd = NULL;
342 cctx->env = NULL;
343 env_len = 0;
344 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
345 (r = sshbuf_get_u32(m, &cctx->want_tty)) != 0 ||
346 (r = sshbuf_get_u32(m, &cctx->want_x_fwd)) != 0 ||
347 (r = sshbuf_get_u32(m, &cctx->want_agent_fwd)) != 0 ||
348 (r = sshbuf_get_u32(m, &cctx->want_subsys)) != 0 ||
349 (r = sshbuf_get_u32(m, &escape_char)) != 0 ||
350 (r = sshbuf_get_cstring(m, &cctx->term, NULL)) != 0 ||
351 (r = sshbuf_get_cstring(m, &cmd, NULL)) != 0) {
352 malf:
353 free(cmd);
354 for (j = 0; j < env_len; j++)
355 free(cctx->env[j]);
356 free(cctx->env);
357 free(cctx->term);
358 free(cctx);
359 error_f("malformed message");
360 return -1;
361 }
362
363 #define MUX_MAX_ENV_VARS 4096
364 while (sshbuf_len(m) > 0) {
365 if ((r = sshbuf_get_cstring(m, &cp, NULL)) != 0)
366 goto malf;
367 if (!env_permitted(cp)) {
368 free(cp);
369 continue;
370 }
371 cctx->env = xreallocarray(cctx->env, env_len + 2,
372 sizeof(*cctx->env));
373 cctx->env[env_len++] = cp;
374 cctx->env[env_len] = NULL;
375 if (env_len > MUX_MAX_ENV_VARS) {
376 error_f(">%d environment variables received, "
377 "ignoring additional", MUX_MAX_ENV_VARS);
378 break;
379 }
380 }
381
382 debug2_f("channel %d: request tty %d, X %d, agent %d, subsys %d, "
383 "term \"%s\", cmd \"%s\", env %u", c->self,
384 cctx->want_tty, cctx->want_x_fwd, cctx->want_agent_fwd,
385 cctx->want_subsys, cctx->term, cmd, env_len);
386
387 if ((cctx->cmd = sshbuf_new()) == NULL)
388 fatal_f("sshbuf_new");
389 if ((r = sshbuf_put(cctx->cmd, cmd, strlen(cmd))) != 0)
390 fatal_fr(r, "sshbuf_put");
391 free(cmd);
392 cmd = NULL;
393
394 /* Gather fds from client */
395 for(i = 0; i < 3; i++) {
396 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
397 error_f("failed to receive fd %d from client", i);
398 for (j = 0; j < i; j++)
399 close(new_fd[j]);
400 for (j = 0; j < env_len; j++)
401 free(cctx->env[j]);
402 free(cctx->env);
403 free(cctx->term);
404 sshbuf_free(cctx->cmd);
405 free(cctx);
406 reply_error(reply, MUX_S_FAILURE, rid,
407 "did not receive file descriptors");
408 return -1;
409 }
410 }
411
412 debug3_f("got fds stdin %d, stdout %d, stderr %d",
413 new_fd[0], new_fd[1], new_fd[2]);
414
415 /* XXX support multiple child sessions in future */
416 if (c->have_ctl_child_id) {
417 debug2_f("session already open");
418 reply_error(reply, MUX_S_FAILURE, rid,
419 "Multiple sessions not supported");
420 cleanup:
421 close(new_fd[0]);
422 close(new_fd[1]);
423 close(new_fd[2]);
424 free(cctx->term);
425 if (env_len != 0) {
426 for (i = 0; i < env_len; i++)
427 free(cctx->env[i]);
428 free(cctx->env);
429 }
430 sshbuf_free(cctx->cmd);
431 free(cctx);
432 return 0;
433 }
434
435 if (options.control_master == SSHCTL_MASTER_ASK ||
436 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
437 if (!ask_permission("Allow shared connection to %s? ", host)) {
438 debug2_f("session refused by user");
439 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
440 "Permission denied");
441 goto cleanup;
442 }
443 }
444
445 /* Try to pick up ttymodes from client before it goes raw */
446 if (cctx->want_tty && tcgetattr(new_fd[0], &cctx->tio) == -1)
447 error_f("tcgetattr: %s", strerror(errno));
448
449 window = CHAN_SES_WINDOW_DEFAULT;
450 packetmax = CHAN_SES_PACKET_DEFAULT;
451 if (cctx->want_tty) {
452 window >>= 1;
453 packetmax >>= 1;
454 }
455
456 nc = channel_new(ssh, "session", SSH_CHANNEL_OPENING,
457 new_fd[0], new_fd[1], new_fd[2], window, packetmax,
458 CHAN_EXTENDED_WRITE, "client-session", CHANNEL_NONBLOCK_STDIO);
459 if (cctx->want_tty)
460 channel_set_tty(ssh, nc);
461
462 nc->ctl_chan = c->self; /* link session -> control channel */
463 c->ctl_child_id = nc->self; /* link control -> session channel */
464 c->have_ctl_child_id = 1;
465
466 if (cctx->want_tty && escape_char != 0xffffffff) {
467 channel_register_filter(ssh, nc->self,
468 client_simple_escape_filter, NULL,
469 client_filter_cleanup,
470 client_new_escape_filter_ctx((int)escape_char));
471 }
472
473 debug2_f("channel_new: %d linked to control channel %d",
474 nc->self, nc->ctl_chan);
475
476 channel_send_open(ssh, nc->self);
477 channel_register_open_confirm(ssh, nc->self, mux_session_confirm, cctx);
478 c->mux_pause = 1; /* stop handling messages until open_confirm done */
479 channel_register_cleanup(ssh, nc->self,
480 mux_master_session_cleanup_cb, 1);
481
482 /* reply is deferred, sent by mux_session_confirm */
483 return 0;
484 }
485
486 static int
mux_master_process_alive_check(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)487 mux_master_process_alive_check(struct ssh *ssh, u_int rid,
488 Channel *c, struct sshbuf *m, struct sshbuf *reply)
489 {
490 int r;
491
492 debug2_f("channel %d: alive check", c->self);
493
494 /* prepare reply */
495 if ((r = sshbuf_put_u32(reply, MUX_S_ALIVE)) != 0 ||
496 (r = sshbuf_put_u32(reply, rid)) != 0 ||
497 (r = sshbuf_put_u32(reply, (u_int)getpid())) != 0)
498 fatal_fr(r, "reply");
499
500 return 0;
501 }
502
503 /* The "info" extension. */
504 static int
mux_master_process_ext_info(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)505 mux_master_process_ext_info(struct ssh *ssh, u_int rid,
506 Channel *c, struct sshbuf *m, struct sshbuf *reply)
507 {
508 int r;
509 u_int status = 0;
510 char *name = NULL, *msg = NULL;
511
512 debug2_f("channel %d: info request", c->self);
513
514 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0)
515 fatal_fr(r, "parse");
516
517 if (strcmp(name, "connection") == 0) {
518 if ((msg = connection_info_message(ssh)) == NULL)
519 fatal_f("connection_info_message");
520 status = 1;
521 } else if (strcmp(name, "channels") == 0) {
522 if ((msg = channel_open_message(ssh)) == NULL)
523 fatal_f("channel_open_message");
524 status = 1;
525 } else {
526 msg = xstrdup("info request type not supported");
527 }
528
529 /* prepare reply */
530 if ((r = sshbuf_put_u32(reply, MUX_S_EXT_INFO)) != 0 ||
531 (r = sshbuf_put_u32(reply, rid)) != 0 ||
532 (r = sshbuf_put_u32(reply, status)) != 0 ||
533 (r = sshbuf_put_cstring(reply, msg)) != 0)
534 fatal_fr(r, "reply");
535 free(msg);
536
537 return 0;
538 }
539
540 static int
mux_master_process_terminate(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)541 mux_master_process_terminate(struct ssh *ssh, u_int rid,
542 Channel *c, struct sshbuf *m, struct sshbuf *reply)
543 {
544 debug2_f("channel %d: terminate request", c->self);
545
546 if (options.control_master == SSHCTL_MASTER_ASK ||
547 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
548 if (!ask_permission("Terminate shared connection to %s? ",
549 host)) {
550 debug2_f("termination refused by user");
551 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
552 "Permission denied");
553 return 0;
554 }
555 }
556
557 quit_pending = 1;
558 reply_ok(reply, rid);
559 /* XXX exit happens too soon - message never makes it to client */
560 return 0;
561 }
562
563 static char *
format_forward(u_int ftype,struct Forward * fwd)564 format_forward(u_int ftype, struct Forward *fwd)
565 {
566 char *ret;
567
568 switch (ftype) {
569 case MUX_FWD_LOCAL:
570 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
571 (fwd->listen_path != NULL) ? fwd->listen_path :
572 (fwd->listen_host == NULL) ?
573 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
574 fwd->listen_host, fwd->listen_port,
575 (fwd->connect_path != NULL) ? fwd->connect_path :
576 fwd->connect_host, fwd->connect_port);
577 break;
578 case MUX_FWD_DYNAMIC:
579 xasprintf(&ret, "dynamic forward %.200s:%d -> *",
580 (fwd->listen_host == NULL) ?
581 (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
582 fwd->listen_host, fwd->listen_port);
583 break;
584 case MUX_FWD_REMOTE:
585 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
586 (fwd->listen_path != NULL) ? fwd->listen_path :
587 (fwd->listen_host == NULL) ?
588 "LOCALHOST" : fwd->listen_host,
589 fwd->listen_port,
590 (fwd->connect_path != NULL) ? fwd->connect_path :
591 fwd->connect_host, fwd->connect_port);
592 break;
593 default:
594 fatal_f("unknown forward type %u", ftype);
595 }
596 return ret;
597 }
598
599 static int
compare_host(const char * a,const char * b)600 compare_host(const char *a, const char *b)
601 {
602 if (a == NULL && b == NULL)
603 return 1;
604 if (a == NULL || b == NULL)
605 return 0;
606 return strcmp(a, b) == 0;
607 }
608
609 static int
compare_forward(struct Forward * a,struct Forward * b)610 compare_forward(struct Forward *a, struct Forward *b)
611 {
612 if (!compare_host(a->listen_host, b->listen_host))
613 return 0;
614 if (!compare_host(a->listen_path, b->listen_path))
615 return 0;
616 if (a->listen_port != b->listen_port)
617 return 0;
618 if (!compare_host(a->connect_host, b->connect_host))
619 return 0;
620 if (!compare_host(a->connect_path, b->connect_path))
621 return 0;
622 if (a->connect_port != b->connect_port)
623 return 0;
624
625 return 1;
626 }
627
628 static void
mux_confirm_remote_forward(struct ssh * ssh,int type,uint32_t seq,void * ctxt)629 mux_confirm_remote_forward(struct ssh *ssh, int type, uint32_t seq, void *ctxt)
630 {
631 struct mux_channel_confirm_ctx *fctx = ctxt;
632 char *failmsg = NULL;
633 struct Forward *rfwd;
634 Channel *c;
635 struct sshbuf *out;
636 u_int port;
637 int r;
638
639 if ((c = channel_by_id(ssh, fctx->cid)) == NULL) {
640 /* no channel for reply */
641 error_f("unknown channel");
642 return;
643 }
644 if ((out = sshbuf_new()) == NULL)
645 fatal_f("sshbuf_new");
646 if (fctx->fid >= options.num_remote_forwards ||
647 (options.remote_forwards[fctx->fid].connect_path == NULL &&
648 options.remote_forwards[fctx->fid].connect_host == NULL)) {
649 xasprintf(&failmsg, "unknown forwarding id %d", fctx->fid);
650 goto fail;
651 }
652 rfwd = &options.remote_forwards[fctx->fid];
653 debug_f("%s for: listen %d, connect %s:%d",
654 type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
655 rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
656 rfwd->connect_host, rfwd->connect_port);
657 if (type == SSH2_MSG_REQUEST_SUCCESS) {
658 if (rfwd->listen_port == 0) {
659 if ((r = sshpkt_get_u32(ssh, &port)) != 0)
660 fatal_fr(r, "parse port");
661 if (port > 65535) {
662 fatal("Invalid allocated port %u for "
663 "mux remote forward to %s:%d", port,
664 rfwd->connect_host, rfwd->connect_port);
665 }
666 rfwd->allocated_port = (int)port;
667 debug("Allocated port %u for mux remote forward"
668 " to %s:%d", rfwd->allocated_port,
669 rfwd->connect_host, rfwd->connect_port);
670 if ((r = sshbuf_put_u32(out,
671 MUX_S_REMOTE_PORT)) != 0 ||
672 (r = sshbuf_put_u32(out, fctx->rid)) != 0 ||
673 (r = sshbuf_put_u32(out,
674 rfwd->allocated_port)) != 0)
675 fatal_fr(r, "reply");
676 channel_update_permission(ssh, rfwd->handle,
677 rfwd->allocated_port);
678 } else {
679 reply_ok(out, fctx->rid);
680 }
681 goto out;
682 } else {
683 if (rfwd->listen_port == 0)
684 channel_update_permission(ssh, rfwd->handle, -1);
685 if (rfwd->listen_path != NULL)
686 xasprintf(&failmsg, "remote port forwarding failed for "
687 "listen path %s", rfwd->listen_path);
688 else
689 xasprintf(&failmsg, "remote port forwarding failed for "
690 "listen port %d", rfwd->listen_port);
691
692 debug2_f("clearing registered forwarding for listen %d, "
693 "connect %s:%d", rfwd->listen_port,
694 rfwd->connect_path ? rfwd->connect_path :
695 rfwd->connect_host, rfwd->connect_port);
696
697 free(rfwd->listen_host);
698 free(rfwd->listen_path);
699 free(rfwd->connect_host);
700 free(rfwd->connect_path);
701 memset(rfwd, 0, sizeof(*rfwd));
702 }
703 fail:
704 error_f("%s", failmsg);
705 reply_error(out, MUX_S_FAILURE, fctx->rid, failmsg);
706 free(failmsg);
707 out:
708 if ((r = sshbuf_put_stringb(c->output, out)) != 0)
709 fatal_fr(r, "enqueue");
710 sshbuf_free(out);
711 if (c->mux_pause <= 0)
712 fatal_f("mux_pause %d", c->mux_pause);
713 c->mux_pause = 0; /* start processing messages again */
714 free(fctx);
715 }
716
717 static int
mux_master_process_open_fwd(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)718 mux_master_process_open_fwd(struct ssh *ssh, u_int rid,
719 Channel *c, struct sshbuf *m, struct sshbuf *reply)
720 {
721 struct Forward fwd;
722 char *fwd_desc = NULL;
723 char *listen_addr, *connect_addr;
724 u_int ftype;
725 u_int lport, cport;
726 int r, i, ret = 0, freefwd = 1;
727
728 memset(&fwd, 0, sizeof(fwd));
729
730 /* XXX - lport/cport check redundant */
731 if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
732 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
733 (r = sshbuf_get_u32(m, &lport)) != 0 ||
734 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
735 (r = sshbuf_get_u32(m, &cport)) != 0 ||
736 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
737 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
738 error_f("malformed message");
739 ret = -1;
740 goto out;
741 }
742 if (*listen_addr == '\0') {
743 free(listen_addr);
744 listen_addr = NULL;
745 }
746 if (*connect_addr == '\0') {
747 free(connect_addr);
748 connect_addr = NULL;
749 }
750
751 memset(&fwd, 0, sizeof(fwd));
752 fwd.listen_port = lport;
753 if (fwd.listen_port == PORT_STREAMLOCAL)
754 fwd.listen_path = listen_addr;
755 else
756 fwd.listen_host = listen_addr;
757 fwd.connect_port = cport;
758 if (fwd.connect_port == PORT_STREAMLOCAL)
759 fwd.connect_path = connect_addr;
760 else
761 fwd.connect_host = connect_addr;
762
763 debug2_f("channel %d: request %s", c->self,
764 (fwd_desc = format_forward(ftype, &fwd)));
765
766 if (ftype != MUX_FWD_LOCAL && ftype != MUX_FWD_REMOTE &&
767 ftype != MUX_FWD_DYNAMIC) {
768 logit_f("invalid forwarding type %u", ftype);
769 invalid:
770 free(listen_addr);
771 free(connect_addr);
772 reply_error(reply, MUX_S_FAILURE, rid,
773 "Invalid forwarding request");
774 return 0;
775 }
776 if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) {
777 logit_f("streamlocal and dynamic forwards "
778 "are mutually exclusive");
779 goto invalid;
780 }
781 if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) {
782 logit_f("invalid listen port %u", fwd.listen_port);
783 goto invalid;
784 }
785 if ((fwd.connect_port != PORT_STREAMLOCAL &&
786 fwd.connect_port >= 65536) ||
787 (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE &&
788 fwd.connect_port == 0)) {
789 logit_f("invalid connect port %u",
790 fwd.connect_port);
791 goto invalid;
792 }
793 if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL &&
794 fwd.connect_path == NULL) {
795 logit_f("missing connect host");
796 goto invalid;
797 }
798
799 /* Skip forwards that have already been requested */
800 switch (ftype) {
801 case MUX_FWD_LOCAL:
802 case MUX_FWD_DYNAMIC:
803 for (i = 0; i < options.num_local_forwards; i++) {
804 if (compare_forward(&fwd,
805 options.local_forwards + i)) {
806 exists:
807 debug2_f("found existing forwarding");
808 reply_ok(reply, rid);
809 goto out;
810 }
811 }
812 break;
813 case MUX_FWD_REMOTE:
814 for (i = 0; i < options.num_remote_forwards; i++) {
815 if (!compare_forward(&fwd, options.remote_forwards + i))
816 continue;
817 if (fwd.listen_port != 0)
818 goto exists;
819 debug2_f("found allocated port");
820 if ((r = sshbuf_put_u32(reply,
821 MUX_S_REMOTE_PORT)) != 0 ||
822 (r = sshbuf_put_u32(reply, rid)) != 0 ||
823 (r = sshbuf_put_u32(reply,
824 options.remote_forwards[i].allocated_port)) != 0)
825 fatal_fr(r, "reply FWD_REMOTE");
826 goto out;
827 }
828 break;
829 }
830
831 if (options.control_master == SSHCTL_MASTER_ASK ||
832 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
833 if (!ask_permission("Open %s on %s?", fwd_desc, host)) {
834 debug2_f("forwarding refused by user");
835 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
836 "Permission denied");
837 goto out;
838 }
839 }
840
841 if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
842 if (!channel_setup_local_fwd_listener(ssh, &fwd,
843 &options.fwd_opts)) {
844 fail:
845 logit_f("requested %s failed", fwd_desc);
846 reply_error(reply, MUX_S_FAILURE, rid,
847 "Port forwarding failed");
848 goto out;
849 }
850 add_local_forward(&options, &fwd);
851 freefwd = 0;
852 } else {
853 struct mux_channel_confirm_ctx *fctx;
854
855 fwd.handle = channel_request_remote_forwarding(ssh, &fwd);
856 if (fwd.handle < 0)
857 goto fail;
858 add_remote_forward(&options, &fwd);
859 fctx = xcalloc(1, sizeof(*fctx));
860 fctx->cid = c->self;
861 fctx->rid = rid;
862 fctx->fid = options.num_remote_forwards - 1;
863 client_register_global_confirm(mux_confirm_remote_forward,
864 fctx);
865 freefwd = 0;
866 c->mux_pause = 1; /* wait for mux_confirm_remote_forward */
867 /* delayed reply in mux_confirm_remote_forward */
868 goto out;
869 }
870 reply_ok(reply, rid);
871 out:
872 free(fwd_desc);
873 if (freefwd) {
874 free(fwd.listen_host);
875 free(fwd.listen_path);
876 free(fwd.connect_host);
877 free(fwd.connect_path);
878 }
879 return ret;
880 }
881
882 static int
mux_master_process_close_fwd(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)883 mux_master_process_close_fwd(struct ssh *ssh, u_int rid,
884 Channel *c, struct sshbuf *m, struct sshbuf *reply)
885 {
886 struct Forward fwd, *found_fwd;
887 char *fwd_desc = NULL;
888 const char *error_reason = NULL;
889 char *listen_addr = NULL, *connect_addr = NULL;
890 u_int ftype;
891 int r, i, ret = 0;
892 u_int lport, cport;
893
894 memset(&fwd, 0, sizeof(fwd));
895
896 if ((r = sshbuf_get_u32(m, &ftype)) != 0 ||
897 (r = sshbuf_get_cstring(m, &listen_addr, NULL)) != 0 ||
898 (r = sshbuf_get_u32(m, &lport)) != 0 ||
899 (r = sshbuf_get_cstring(m, &connect_addr, NULL)) != 0 ||
900 (r = sshbuf_get_u32(m, &cport)) != 0 ||
901 (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
902 (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
903 error_f("malformed message");
904 ret = -1;
905 goto out;
906 }
907
908 if (*listen_addr == '\0') {
909 free(listen_addr);
910 listen_addr = NULL;
911 }
912 if (*connect_addr == '\0') {
913 free(connect_addr);
914 connect_addr = NULL;
915 }
916
917 memset(&fwd, 0, sizeof(fwd));
918 fwd.listen_port = lport;
919 if (fwd.listen_port == PORT_STREAMLOCAL)
920 fwd.listen_path = listen_addr;
921 else
922 fwd.listen_host = listen_addr;
923 fwd.connect_port = cport;
924 if (fwd.connect_port == PORT_STREAMLOCAL)
925 fwd.connect_path = connect_addr;
926 else
927 fwd.connect_host = connect_addr;
928
929 debug2_f("channel %d: request cancel %s", c->self,
930 (fwd_desc = format_forward(ftype, &fwd)));
931
932 /* make sure this has been requested */
933 found_fwd = NULL;
934 switch (ftype) {
935 case MUX_FWD_LOCAL:
936 case MUX_FWD_DYNAMIC:
937 for (i = 0; i < options.num_local_forwards; i++) {
938 if (compare_forward(&fwd,
939 options.local_forwards + i)) {
940 found_fwd = options.local_forwards + i;
941 break;
942 }
943 }
944 break;
945 case MUX_FWD_REMOTE:
946 for (i = 0; i < options.num_remote_forwards; i++) {
947 if (compare_forward(&fwd,
948 options.remote_forwards + i)) {
949 found_fwd = options.remote_forwards + i;
950 break;
951 }
952 }
953 break;
954 }
955
956 if (found_fwd == NULL)
957 error_reason = "port not forwarded";
958 else if (ftype == MUX_FWD_REMOTE) {
959 /*
960 * This shouldn't fail unless we confused the host/port
961 * between options.remote_forwards and permitted_opens.
962 * However, for dynamic allocated listen ports we need
963 * to use the actual listen port.
964 */
965 if (channel_request_rforward_cancel(ssh, found_fwd) == -1)
966 error_reason = "port not in permitted opens";
967 } else { /* local and dynamic forwards */
968 /* Ditto */
969 if (channel_cancel_lport_listener(ssh, &fwd, fwd.connect_port,
970 &options.fwd_opts) != 1)
971 error_reason = "port not found";
972 }
973
974 if (error_reason != NULL)
975 reply_error(reply, MUX_S_FAILURE, rid, error_reason);
976 else {
977 reply_ok(reply, rid);
978 free(found_fwd->listen_host);
979 free(found_fwd->listen_path);
980 free(found_fwd->connect_host);
981 free(found_fwd->connect_path);
982 found_fwd->listen_host = found_fwd->connect_host = NULL;
983 found_fwd->listen_path = found_fwd->connect_path = NULL;
984 found_fwd->listen_port = found_fwd->connect_port = 0;
985 }
986 out:
987 free(fwd_desc);
988 free(listen_addr);
989 free(connect_addr);
990
991 return ret;
992 }
993
994 static int
mux_master_process_stdio_fwd(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)995 mux_master_process_stdio_fwd(struct ssh *ssh, u_int rid,
996 Channel *c, struct sshbuf *m, struct sshbuf *reply)
997 {
998 Channel *nc;
999 char *chost = NULL;
1000 u_int _cport, i, j;
1001 int ok = 0, cport, r, new_fd[2];
1002 struct mux_stdio_confirm_ctx *cctx;
1003
1004 if ((r = sshbuf_skip_string(m)) != 0 || /* reserved */
1005 (r = sshbuf_get_cstring(m, &chost, NULL)) != 0 ||
1006 (r = sshbuf_get_u32(m, &_cport)) != 0) {
1007 free(chost);
1008 error_f("malformed message");
1009 return -1;
1010 }
1011 if (_cport == (u_int)PORT_STREAMLOCAL)
1012 cport = PORT_STREAMLOCAL;
1013 else if (_cport <= INT_MAX)
1014 cport = (int)_cport;
1015 else {
1016 free(chost);
1017 error_f("invalid port 0x%x", _cport);
1018 return -1;
1019 }
1020
1021 debug2_f("channel %d: stdio fwd to %s:%d", c->self, chost, cport);
1022
1023 /* Gather fds from client */
1024 for(i = 0; i < 2; i++) {
1025 if ((new_fd[i] = mm_receive_fd(c->sock)) == -1) {
1026 error_f("failed to receive fd %d from client", i);
1027 for (j = 0; j < i; j++)
1028 close(new_fd[j]);
1029 free(chost);
1030
1031 /* prepare reply */
1032 reply_error(reply, MUX_S_FAILURE, rid,
1033 "did not receive file descriptors");
1034 return -1;
1035 }
1036 }
1037
1038 debug3_f("got fds stdin %d, stdout %d", new_fd[0], new_fd[1]);
1039
1040 /* XXX support multiple child sessions in future */
1041 if (c->have_ctl_child_id) {
1042 debug2_f("session already open");
1043 reply_error(reply, MUX_S_FAILURE, rid,
1044 "Multiple sessions not supported");
1045 cleanup:
1046 close(new_fd[0]);
1047 close(new_fd[1]);
1048 free(chost);
1049 return 0;
1050 }
1051
1052 if (options.control_master == SSHCTL_MASTER_ASK ||
1053 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1054 if (cport == PORT_STREAMLOCAL) {
1055 ok = ask_permission("Allow forward to path %s", chost);
1056 } else {
1057 ok = ask_permission("Allow forward to [%s]:%d? ",
1058 chost, cport);
1059 }
1060 if (!ok) {
1061 debug2_f("stdio fwd refused by user");
1062 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
1063 "Permission denied");
1064 goto cleanup;
1065 }
1066 }
1067
1068 nc = channel_connect_stdio_fwd(ssh, chost, cport, new_fd[0], new_fd[1],
1069 CHANNEL_NONBLOCK_STDIO);
1070 free(chost);
1071
1072 nc->ctl_chan = c->self; /* link session -> control channel */
1073 c->ctl_child_id = nc->self; /* link control -> session channel */
1074 c->have_ctl_child_id = 1;
1075
1076 debug2_f("channel_new: %d control %d", nc->self, nc->ctl_chan);
1077
1078 channel_register_cleanup(ssh, nc->self,
1079 mux_master_session_cleanup_cb, 1);
1080
1081 cctx = xcalloc(1, sizeof(*cctx));
1082 cctx->rid = rid;
1083 channel_register_open_confirm(ssh, nc->self, mux_stdio_confirm, cctx);
1084 c->mux_pause = 1; /* stop handling messages until open_confirm done */
1085
1086 /* reply is deferred, sent by mux_session_confirm */
1087 return 0;
1088 }
1089
1090 /* Callback on open confirmation in mux master for a mux stdio fwd session. */
1091 static void
mux_stdio_confirm(struct ssh * ssh,int id,int success,void * arg)1092 mux_stdio_confirm(struct ssh *ssh, int id, int success, void *arg)
1093 {
1094 struct mux_stdio_confirm_ctx *cctx = arg;
1095 Channel *c, *cc;
1096 struct sshbuf *reply;
1097 int r;
1098
1099 if (cctx == NULL)
1100 fatal_f("cctx == NULL");
1101 if ((c = channel_by_id(ssh, id)) == NULL)
1102 fatal_f("no channel for id %d", id);
1103 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1104 fatal_f("channel %d lacks control channel %d",
1105 id, c->ctl_chan);
1106 if ((reply = sshbuf_new()) == NULL)
1107 fatal_f("sshbuf_new");
1108
1109 if (!success) {
1110 debug3_f("sending failure reply");
1111 reply_error(reply, MUX_S_FAILURE, cctx->rid,
1112 "Session open refused by peer");
1113 /* prepare reply */
1114 goto done;
1115 }
1116
1117 debug3_f("sending success reply");
1118 /* prepare reply */
1119 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
1120 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
1121 (r = sshbuf_put_u32(reply, c->self)) != 0)
1122 fatal_fr(r, "reply");
1123
1124 done:
1125 /* Send reply */
1126 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1127 fatal_fr(r, "enqueue");
1128 sshbuf_free(reply);
1129
1130 if (cc->mux_pause <= 0)
1131 fatal_f("mux_pause %d", cc->mux_pause);
1132 cc->mux_pause = 0; /* start processing messages again */
1133 c->open_confirm_ctx = NULL;
1134 free(cctx);
1135 }
1136
1137 static int
mux_master_process_stop_listening(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)1138 mux_master_process_stop_listening(struct ssh *ssh, u_int rid,
1139 Channel *c, struct sshbuf *m, struct sshbuf *reply)
1140 {
1141 debug_f("channel %d: stop listening", c->self);
1142
1143 if (options.control_master == SSHCTL_MASTER_ASK ||
1144 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1145 if (!ask_permission("Disable further multiplexing on shared "
1146 "connection to %s? ", host)) {
1147 debug2_f("stop listen refused by user");
1148 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
1149 "Permission denied");
1150 return 0;
1151 }
1152 }
1153
1154 if (mux_listener_channel != NULL) {
1155 channel_free(ssh, mux_listener_channel);
1156 client_stop_mux();
1157 free(options.control_path);
1158 options.control_path = NULL;
1159 mux_listener_channel = NULL;
1160 muxserver_sock = -1;
1161 }
1162
1163 reply_ok(reply, rid);
1164 return 0;
1165 }
1166
1167 static int
mux_master_process_proxy(struct ssh * ssh,u_int rid,Channel * c,struct sshbuf * m,struct sshbuf * reply)1168 mux_master_process_proxy(struct ssh *ssh, u_int rid,
1169 Channel *c, struct sshbuf *m, struct sshbuf *reply)
1170 {
1171 int r;
1172
1173 debug_f("channel %d: proxy request", c->self);
1174
1175 if (options.control_master == SSHCTL_MASTER_ASK ||
1176 options.control_master == SSHCTL_MASTER_AUTO_ASK) {
1177 if (!ask_permission("Allow multiplex proxy connection?")) {
1178 debug2_f("proxy refused by user");
1179 reply_error(reply, MUX_S_PERMISSION_DENIED, rid,
1180 "Permission denied");
1181 return 0;
1182 }
1183 }
1184
1185 c->mux_rcb = channel_proxy_downstream;
1186 if ((r = sshbuf_put_u32(reply, MUX_S_PROXY)) != 0 ||
1187 (r = sshbuf_put_u32(reply, rid)) != 0)
1188 fatal_fr(r, "reply");
1189
1190 return 0;
1191 }
1192
1193 /* Channel callbacks fired on read/write from mux client fd */
1194 static int
mux_master_read_cb(struct ssh * ssh,Channel * c)1195 mux_master_read_cb(struct ssh *ssh, Channel *c)
1196 {
1197 struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
1198 struct sshbuf *in = NULL, *out = NULL;
1199 u_int type, rid, i;
1200 int r, ret = -1;
1201
1202 if ((out = sshbuf_new()) == NULL)
1203 fatal_f("sshbuf_new");
1204
1205 /* Setup ctx and */
1206 if (c->mux_ctx == NULL) {
1207 state = xcalloc(1, sizeof(*state));
1208 c->mux_ctx = state;
1209 channel_register_cleanup(ssh, c->self,
1210 mux_master_control_cleanup_cb, 0);
1211
1212 /* Send hello */
1213 if ((r = sshbuf_put_u32(out, MUX_MSG_HELLO)) != 0 ||
1214 (r = sshbuf_put_u32(out, SSHMUX_VER)) != 0)
1215 fatal_fr(r, "reply");
1216 /* "info" extension */
1217 if ((r = sshbuf_put_cstring(out, "info")) != 0 ||
1218 (r = sshbuf_put_cstring(out, "0")) != 0)
1219 fatal_fr(r, "put info extension");
1220 if ((r = sshbuf_put_stringb(c->output, out)) != 0)
1221 fatal_fr(r, "enqueue");
1222 debug3_f("channel %d: hello sent", c->self);
1223 ret = 0;
1224 goto out;
1225 }
1226
1227 /* Channel code ensures that we receive whole packets */
1228 if ((r = sshbuf_froms(c->input, &in)) != 0) {
1229 malf:
1230 error_f("malformed message");
1231 goto out;
1232 }
1233
1234 if ((r = sshbuf_get_u32(in, &type)) != 0)
1235 goto malf;
1236 debug3_f("channel %d packet type 0x%08x len %zu", c->self,
1237 type, sshbuf_len(in));
1238
1239 if (type == MUX_MSG_HELLO)
1240 rid = 0;
1241 else {
1242 if (!state->hello_rcvd) {
1243 error_f("expected MUX_MSG_HELLO(0x%08x), "
1244 "received 0x%08x", MUX_MSG_HELLO, type);
1245 goto out;
1246 }
1247 if ((r = sshbuf_get_u32(in, &rid)) != 0)
1248 goto malf;
1249 }
1250
1251 for (i = 0; mux_master_handlers[i].handler != NULL; i++) {
1252 if (type == mux_master_handlers[i].type) {
1253 ret = mux_master_handlers[i].handler(ssh, rid,
1254 c, in, out);
1255 break;
1256 }
1257 }
1258 if (mux_master_handlers[i].handler == NULL) {
1259 error_f("unsupported mux message 0x%08x", type);
1260 reply_error(out, MUX_S_FAILURE, rid, "unsupported request");
1261 ret = 0;
1262 }
1263 /* Enqueue reply packet */
1264 if (sshbuf_len(out) != 0 &&
1265 (r = sshbuf_put_stringb(c->output, out)) != 0)
1266 fatal_fr(r, "enqueue");
1267 out:
1268 sshbuf_free(in);
1269 sshbuf_free(out);
1270 return ret;
1271 }
1272
1273 void
mux_exit_message(struct ssh * ssh,Channel * c,int exitval)1274 mux_exit_message(struct ssh *ssh, Channel *c, int exitval)
1275 {
1276 struct sshbuf *m;
1277 Channel *mux_chan;
1278 int r;
1279
1280 debug3_f("channel %d: exit message, exitval %d", c->self, exitval);
1281
1282 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1283 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1284
1285 /* Append exit message packet to control socket output queue */
1286 if ((m = sshbuf_new()) == NULL)
1287 fatal_f("sshbuf_new");
1288 if ((r = sshbuf_put_u32(m, MUX_S_EXIT_MESSAGE)) != 0 ||
1289 (r = sshbuf_put_u32(m, c->self)) != 0 ||
1290 (r = sshbuf_put_u32(m, exitval)) != 0 ||
1291 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1292 fatal_fr(r, "reply");
1293 sshbuf_free(m);
1294 }
1295
1296 void
mux_tty_alloc_failed(struct ssh * ssh,Channel * c)1297 mux_tty_alloc_failed(struct ssh *ssh, Channel *c)
1298 {
1299 struct sshbuf *m;
1300 Channel *mux_chan;
1301 int r;
1302
1303 debug3_f("channel %d: TTY alloc failed", c->self);
1304
1305 if ((mux_chan = channel_by_id(ssh, c->ctl_chan)) == NULL)
1306 fatal_f("channel %d missing mux %d", c->self, c->ctl_chan);
1307
1308 /* Append exit message packet to control socket output queue */
1309 if ((m = sshbuf_new()) == NULL)
1310 fatal_f("sshbuf_new");
1311 if ((r = sshbuf_put_u32(m, MUX_S_TTY_ALLOC_FAIL)) != 0 ||
1312 (r = sshbuf_put_u32(m, c->self)) != 0 ||
1313 (r = sshbuf_put_stringb(mux_chan->output, m)) != 0)
1314 fatal_fr(r, "reply");
1315 sshbuf_free(m);
1316 }
1317
1318 /* Prepare a mux master to listen on a Unix domain socket. */
1319 void
muxserver_listen(struct ssh * ssh)1320 muxserver_listen(struct ssh *ssh)
1321 {
1322 mode_t old_umask;
1323 char *orig_control_path = options.control_path;
1324 char rbuf[16+1];
1325 u_int i, r;
1326 int oerrno;
1327
1328 if (options.control_path == NULL ||
1329 options.control_master == SSHCTL_MASTER_NO)
1330 return;
1331
1332 debug("setting up multiplex master socket");
1333
1334 /*
1335 * Use a temporary path before listen so we can pseudo-atomically
1336 * establish the listening socket in its final location to avoid
1337 * other processes racing in between bind() and listen() and hitting
1338 * an unready socket.
1339 */
1340 for (i = 0; i < sizeof(rbuf) - 1; i++) {
1341 r = arc4random_uniform(26+26+10);
1342 rbuf[i] = (r < 26) ? 'a' + r :
1343 (r < 26*2) ? 'A' + r - 26 :
1344 '0' + r - 26 - 26;
1345 }
1346 rbuf[sizeof(rbuf) - 1] = '\0';
1347 options.control_path = NULL;
1348 xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf);
1349 debug3_f("temporary control path %s", options.control_path);
1350
1351 old_umask = umask(0177);
1352 muxserver_sock = unix_listener(options.control_path, 64, 0);
1353 oerrno = errno;
1354 umask(old_umask);
1355 if (muxserver_sock < 0) {
1356 if (oerrno == EINVAL || oerrno == EADDRINUSE) {
1357 error("ControlSocket %s already exists, "
1358 "disabling multiplexing", options.control_path);
1359 disable_mux_master:
1360 if (muxserver_sock != -1) {
1361 close(muxserver_sock);
1362 muxserver_sock = -1;
1363 }
1364 free(orig_control_path);
1365 free(options.control_path);
1366 options.control_path = NULL;
1367 options.control_master = SSHCTL_MASTER_NO;
1368 return;
1369 } else {
1370 /* unix_listener() logs the error */
1371 cleanup_exit(255);
1372 }
1373 }
1374
1375 /* Now atomically "move" the mux socket into position */
1376 if (link(options.control_path, orig_control_path) != 0) {
1377 if (errno != EEXIST) {
1378 fatal_f("link mux listener %s => %s: %s",
1379 options.control_path, orig_control_path,
1380 strerror(errno));
1381 }
1382 error("ControlSocket %s already exists, disabling multiplexing",
1383 orig_control_path);
1384 unlink(options.control_path);
1385 goto disable_mux_master;
1386 }
1387 unlink(options.control_path);
1388 free(options.control_path);
1389 options.control_path = orig_control_path;
1390
1391 set_nonblock(muxserver_sock);
1392
1393 mux_listener_channel = channel_new(ssh, "mux listener",
1394 SSH_CHANNEL_MUX_LISTENER, muxserver_sock, muxserver_sock, -1,
1395 CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1396 0, options.control_path, 1);
1397 mux_listener_channel->mux_rcb = mux_master_read_cb;
1398 debug3_f("mux listener channel %d fd %d",
1399 mux_listener_channel->self, mux_listener_channel->sock);
1400 }
1401
1402 /* Callback on open confirmation in mux master for a mux client session. */
1403 static void
mux_session_confirm(struct ssh * ssh,int id,int success,void * arg)1404 mux_session_confirm(struct ssh *ssh, int id, int success, void *arg)
1405 {
1406 struct mux_session_confirm_ctx *cctx = arg;
1407 const char *display;
1408 Channel *c, *cc;
1409 int i, r;
1410 struct sshbuf *reply;
1411
1412 if (cctx == NULL)
1413 fatal_f("cctx == NULL");
1414 if ((c = channel_by_id(ssh, id)) == NULL)
1415 fatal_f("no channel for id %d", id);
1416 if ((cc = channel_by_id(ssh, c->ctl_chan)) == NULL)
1417 fatal_f("channel %d lacks control channel %d",
1418 id, c->ctl_chan);
1419 if ((reply = sshbuf_new()) == NULL)
1420 fatal_f("sshbuf_new");
1421
1422 if (!success) {
1423 debug3_f("sending failure reply");
1424 reply_error(reply, MUX_S_FAILURE, cctx->rid,
1425 "Session open refused by peer");
1426 goto done;
1427 }
1428
1429 display = getenv("DISPLAY");
1430 if (cctx->want_x_fwd && options.forward_x11 && display != NULL) {
1431 char *proto, *data;
1432
1433 /* Get reasonable local authentication information. */
1434 if (client_x11_get_proto(ssh, display, options.xauth_location,
1435 options.forward_x11_trusted, options.forward_x11_timeout,
1436 &proto, &data) == 0) {
1437 /* Request forwarding with authentication spoofing. */
1438 debug("Requesting X11 forwarding with authentication "
1439 "spoofing.");
1440 x11_request_forwarding_with_spoofing(ssh, id,
1441 display, proto, data, 1);
1442 /* XXX exit_on_forward_failure */
1443 client_expect_confirm(ssh, id, "X11 forwarding",
1444 CONFIRM_WARN);
1445 }
1446 }
1447
1448 if (cctx->want_agent_fwd && options.forward_agent)
1449 client_channel_reqest_agent_forwarding(ssh, id);
1450
1451 client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,
1452 cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env);
1453
1454 debug3_f("sending success reply");
1455 /* prepare reply */
1456 if ((r = sshbuf_put_u32(reply, MUX_S_SESSION_OPENED)) != 0 ||
1457 (r = sshbuf_put_u32(reply, cctx->rid)) != 0 ||
1458 (r = sshbuf_put_u32(reply, c->self)) != 0)
1459 fatal_fr(r, "reply");
1460
1461 done:
1462 /* Send reply */
1463 if ((r = sshbuf_put_stringb(cc->output, reply)) != 0)
1464 fatal_fr(r, "enqueue");
1465 sshbuf_free(reply);
1466
1467 if (cc->mux_pause <= 0)
1468 fatal_f("mux_pause %d", cc->mux_pause);
1469 cc->mux_pause = 0; /* start processing messages again */
1470 c->open_confirm_ctx = NULL;
1471 sshbuf_free(cctx->cmd);
1472 free(cctx->term);
1473 if (cctx->env != NULL) {
1474 for (i = 0; cctx->env[i] != NULL; i++)
1475 free(cctx->env[i]);
1476 free(cctx->env);
1477 }
1478 free(cctx);
1479 }
1480
1481 /* ** Multiplexing client support */
1482
1483 /* Exit signal handler */
1484 static void
control_client_sighandler(int signo)1485 control_client_sighandler(int signo)
1486 {
1487 muxclient_terminate = signo;
1488 }
1489
1490 /*
1491 * Relay signal handler - used to pass some signals from mux client to
1492 * mux master.
1493 */
1494 static void
control_client_sigrelay(int signo)1495 control_client_sigrelay(int signo)
1496 {
1497 int save_errno = errno;
1498
1499 if (muxserver_pid > 1)
1500 kill(muxserver_pid, signo);
1501
1502 errno = save_errno;
1503 }
1504
1505 static int
mux_client_read(int fd,struct sshbuf * b,size_t need,int timeout_ms)1506 mux_client_read(int fd, struct sshbuf *b, size_t need, int timeout_ms)
1507 {
1508 size_t have;
1509 ssize_t len;
1510 u_char *p;
1511 int r;
1512
1513 if ((r = sshbuf_reserve(b, need, &p)) != 0)
1514 fatal_fr(r, "reserve");
1515 for (have = 0; have < need; ) {
1516 if (muxclient_terminate) {
1517 errno = EINTR;
1518 return -1;
1519 }
1520 len = read(fd, p + have, need - have);
1521 if (len == -1) {
1522 switch (errno) {
1523 #if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
1524 case EWOULDBLOCK:
1525 #endif
1526 case EAGAIN:
1527 if (waitrfd(fd, &timeout_ms,
1528 &muxclient_terminate) == -1 &&
1529 errno != EINTR)
1530 return -1; /* timeout */
1531 /* FALLTHROUGH */
1532 case EINTR:
1533 continue;
1534 default:
1535 return -1;
1536 }
1537 }
1538 if (len == 0) {
1539 errno = EPIPE;
1540 return -1;
1541 }
1542 have += (size_t)len;
1543 }
1544 return 0;
1545 }
1546
1547 static int
mux_client_write_packet(int fd,struct sshbuf * m)1548 mux_client_write_packet(int fd, struct sshbuf *m)
1549 {
1550 struct sshbuf *queue;
1551 u_int have, need;
1552 int r, oerrno, len;
1553 const u_char *ptr;
1554 struct pollfd pfd;
1555
1556 pfd.fd = fd;
1557 pfd.events = POLLOUT;
1558 if ((queue = sshbuf_new()) == NULL)
1559 fatal_f("sshbuf_new");
1560 if ((r = sshbuf_put_stringb(queue, m)) != 0)
1561 fatal_fr(r, "enqueue");
1562
1563 need = sshbuf_len(queue);
1564 ptr = sshbuf_ptr(queue);
1565
1566 for (have = 0; have < need; ) {
1567 if (muxclient_terminate) {
1568 sshbuf_free(queue);
1569 errno = EINTR;
1570 return -1;
1571 }
1572 len = write(fd, ptr + have, need - have);
1573 if (len == -1) {
1574 switch (errno) {
1575 #if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
1576 case EWOULDBLOCK:
1577 #endif
1578 case EAGAIN:
1579 (void)poll(&pfd, 1, -1);
1580 /* FALLTHROUGH */
1581 case EINTR:
1582 continue;
1583 default:
1584 oerrno = errno;
1585 sshbuf_free(queue);
1586 errno = oerrno;
1587 return -1;
1588 }
1589 }
1590 if (len == 0) {
1591 sshbuf_free(queue);
1592 errno = EPIPE;
1593 return -1;
1594 }
1595 have += (u_int)len;
1596 }
1597 sshbuf_free(queue);
1598 return 0;
1599 }
1600
1601 static int
mux_client_read_packet_timeout(int fd,struct sshbuf * m,int timeout_ms)1602 mux_client_read_packet_timeout(int fd, struct sshbuf *m, int timeout_ms)
1603 {
1604 struct sshbuf *queue;
1605 size_t need, have;
1606 const u_char *ptr;
1607 int r, oerrno;
1608
1609 if ((queue = sshbuf_new()) == NULL)
1610 fatal_f("sshbuf_new");
1611 if (mux_client_read(fd, queue, 4, timeout_ms) != 0) {
1612 if ((oerrno = errno) == EPIPE)
1613 debug3_f("read header failed: %s",
1614 strerror(errno));
1615 sshbuf_free(queue);
1616 errno = oerrno;
1617 return -1;
1618 }
1619 need = PEEK_U32(sshbuf_ptr(queue));
1620 if (mux_client_read(fd, queue, need, timeout_ms) != 0) {
1621 oerrno = errno;
1622 debug3_f("read body failed: %s", strerror(errno));
1623 sshbuf_free(queue);
1624 errno = oerrno;
1625 return -1;
1626 }
1627 if ((r = sshbuf_get_string_direct(queue, &ptr, &have)) != 0 ||
1628 (r = sshbuf_put(m, ptr, have)) != 0)
1629 fatal_fr(r, "dequeue");
1630 sshbuf_free(queue);
1631 return 0;
1632 }
1633
1634 static int
mux_client_read_packet(int fd,struct sshbuf * m)1635 mux_client_read_packet(int fd, struct sshbuf *m)
1636 {
1637 return mux_client_read_packet_timeout(fd, m, -1);
1638 }
1639
1640 static int
mux_client_hello_exchange(int fd,int timeout_ms)1641 mux_client_hello_exchange(int fd, int timeout_ms)
1642 {
1643 struct sshbuf *m;
1644 u_int type, ver;
1645 int r, ret = -1;
1646
1647 if ((m = sshbuf_new()) == NULL)
1648 fatal_f("sshbuf_new");
1649 if ((r = sshbuf_put_u32(m, MUX_MSG_HELLO)) != 0 ||
1650 (r = sshbuf_put_u32(m, SSHMUX_VER)) != 0)
1651 fatal_fr(r, "assemble hello");
1652 /* no extensions */
1653
1654 if (mux_client_write_packet(fd, m) != 0) {
1655 debug_f("write packet: %s", strerror(errno));
1656 goto out;
1657 }
1658
1659 sshbuf_reset(m);
1660
1661 /* Read their HELLO */
1662 if (mux_client_read_packet_timeout(fd, m, timeout_ms) != 0) {
1663 debug_f("read packet failed");
1664 goto out;
1665 }
1666
1667 if ((r = sshbuf_get_u32(m, &type)) != 0)
1668 fatal_fr(r, "parse type");
1669 if (type != MUX_MSG_HELLO) {
1670 error_f("expected HELLO (%u) got %u", MUX_MSG_HELLO, type);
1671 goto out;
1672 }
1673 if ((r = sshbuf_get_u32(m, &ver)) != 0)
1674 fatal_fr(r, "parse version");
1675 if (ver != SSHMUX_VER) {
1676 error("Unsupported multiplexing protocol version %d "
1677 "(expected %d)", ver, SSHMUX_VER);
1678 goto out;
1679 }
1680 debug2_f("master version %u", ver);
1681 /* No extensions are presently defined */
1682 while (sshbuf_len(m) > 0) {
1683 char *name = NULL;
1684
1685 if ((r = sshbuf_get_cstring(m, &name, NULL)) != 0 ||
1686 (r = sshbuf_skip_string(m)) != 0) { /* value */
1687 error_fr(r, "parse extension");
1688 goto out;
1689 }
1690 /* Process extensions. */
1691 if (strcmp(name, "info") == 0) {
1692 debug("Received 'info' extension");
1693 extensions |= MUX_EXT_INFO;
1694 } else {
1695 debug2("Unrecognised master extension \"%s\"", name);
1696 }
1697 free(name);
1698 }
1699 /* success */
1700 ret = 0;
1701 out:
1702 sshbuf_free(m);
1703 return ret;
1704 }
1705
1706 static u_int
mux_client_request_alive(int fd)1707 mux_client_request_alive(int fd)
1708 {
1709 struct sshbuf *m;
1710 char *e;
1711 u_int pid, type, rid;
1712 int r;
1713
1714 debug3_f("entering");
1715
1716 if ((m = sshbuf_new()) == NULL)
1717 fatal_f("sshbuf_new");
1718 if ((r = sshbuf_put_u32(m, MUX_C_ALIVE_CHECK)) != 0 ||
1719 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1720 fatal_fr(r, "assemble");
1721
1722 if (mux_client_write_packet(fd, m) != 0)
1723 fatal_f("write packet: %s", strerror(errno));
1724
1725 sshbuf_reset(m);
1726
1727 /* Read their reply */
1728 if (mux_client_read_packet(fd, m) != 0) {
1729 sshbuf_free(m);
1730 return 0;
1731 }
1732
1733 if ((r = sshbuf_get_u32(m, &type)) != 0)
1734 fatal_fr(r, "parse type");
1735 if (type != MUX_S_ALIVE) {
1736 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1737 fatal_fr(r, "parse error message");
1738 fatal_f("master returned error: %s", e);
1739 }
1740
1741 if ((r = sshbuf_get_u32(m, &rid)) != 0)
1742 fatal_fr(r, "parse remote ID");
1743 if (rid != muxclient_request_id)
1744 fatal_f("out of sequence reply: my id %u theirs %u",
1745 muxclient_request_id, rid);
1746 if ((r = sshbuf_get_u32(m, &pid)) != 0)
1747 fatal_fr(r, "parse PID");
1748 sshbuf_free(m);
1749
1750 debug3_f("done pid = %u", pid);
1751
1752 muxclient_request_id++;
1753
1754 return pid;
1755 }
1756
1757 static char *
mux_client_request_info(int fd,const char * name)1758 mux_client_request_info(int fd, const char *name)
1759 {
1760 struct sshbuf *m;
1761 char *e, *msg;
1762 u_int type, rid, status;
1763 int r;
1764
1765 debug3_f("entering");
1766
1767 if ((m = sshbuf_new()) == NULL)
1768 fatal_f("sshbuf_new");
1769 if ((r = sshbuf_put_u32(m, MUX_C_EXT_INFO)) != 0 ||
1770 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
1771 (r = sshbuf_put_cstring(m, name)) != 0)
1772 fatal_fr(r, "assemble");
1773
1774 if (mux_client_write_packet(fd, m) != 0)
1775 fatal_f("write packet: %s", strerror(errno));
1776
1777 sshbuf_reset(m);
1778
1779 /* Read their reply */
1780 if (mux_client_read_packet(fd, m) != 0) {
1781 sshbuf_free(m);
1782 return 0;
1783 }
1784
1785 if ((r = sshbuf_get_u32(m, &type)) != 0)
1786 fatal_fr(r, "parse type");
1787 if (type != MUX_S_EXT_INFO) {
1788 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1789 fatal_fr(r, "parse error message");
1790 fatal_f("master returned error: %s", e);
1791 }
1792
1793 if ((r = sshbuf_get_u32(m, &rid)) != 0)
1794 fatal_fr(r, "parse remote ID");
1795 if (rid != muxclient_request_id)
1796 fatal_f("out of sequence reply: my id %u theirs %u",
1797 muxclient_request_id, rid);
1798 if ((r = sshbuf_get_u32(m, &status)) != 0 ||
1799 (r = sshbuf_get_cstring(m, &msg, NULL)) != 0)
1800 fatal_fr(r, "parse connection info");
1801 sshbuf_free(m);
1802
1803 muxclient_request_id++;
1804
1805 return msg;
1806 }
1807
1808 static void
mux_client_request_terminate(int fd)1809 mux_client_request_terminate(int fd)
1810 {
1811 struct sshbuf *m;
1812 char *e;
1813 u_int type, rid;
1814 int r;
1815
1816 debug3_f("entering");
1817
1818 if ((m = sshbuf_new()) == NULL)
1819 fatal_f("sshbuf_new");
1820 if ((r = sshbuf_put_u32(m, MUX_C_TERMINATE)) != 0 ||
1821 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
1822 fatal_fr(r, "request");
1823
1824 if (mux_client_write_packet(fd, m) != 0)
1825 fatal_f("write packet: %s", strerror(errno));
1826
1827 sshbuf_reset(m);
1828
1829 /* Read their reply */
1830 if (mux_client_read_packet(fd, m) != 0) {
1831 /* Remote end exited already */
1832 if (errno == EPIPE) {
1833 sshbuf_free(m);
1834 return;
1835 }
1836 fatal_f("read from master failed: %s", strerror(errno));
1837 }
1838
1839 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1840 (r = sshbuf_get_u32(m, &rid)) != 0)
1841 fatal_fr(r, "parse");
1842 if (rid != muxclient_request_id)
1843 fatal_f("out of sequence reply: my id %u theirs %u",
1844 muxclient_request_id, rid);
1845 switch (type) {
1846 case MUX_S_OK:
1847 break;
1848 case MUX_S_PERMISSION_DENIED:
1849 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1850 fatal_fr(r, "parse error message");
1851 fatal("Master refused termination request: %s", e);
1852 case MUX_S_FAILURE:
1853 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1854 fatal_fr(r, "parse error message");
1855 fatal_f("termination request failed: %s", e);
1856 default:
1857 fatal_f("unexpected response from master 0x%08x", type);
1858 }
1859 sshbuf_free(m);
1860 muxclient_request_id++;
1861 }
1862
1863 static int
mux_client_forward(int fd,int cancel_flag,u_int ftype,struct Forward * fwd)1864 mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
1865 {
1866 struct sshbuf *m;
1867 char *e, *fwd_desc;
1868 const char *lhost, *chost;
1869 u_int type, rid;
1870 int r;
1871
1872 fwd_desc = format_forward(ftype, fwd);
1873 debug("Requesting %s %s",
1874 cancel_flag ? "cancellation of" : "forwarding of", fwd_desc);
1875 free(fwd_desc);
1876
1877 type = cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD;
1878 if (fwd->listen_path != NULL)
1879 lhost = fwd->listen_path;
1880 else if (fwd->listen_host == NULL)
1881 lhost = "";
1882 else if (*fwd->listen_host == '\0')
1883 lhost = "*";
1884 else
1885 lhost = fwd->listen_host;
1886
1887 if (fwd->connect_path != NULL)
1888 chost = fwd->connect_path;
1889 else if (fwd->connect_host == NULL)
1890 chost = "";
1891 else
1892 chost = fwd->connect_host;
1893
1894 if ((m = sshbuf_new()) == NULL)
1895 fatal_f("sshbuf_new");
1896 if ((r = sshbuf_put_u32(m, type)) != 0 ||
1897 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
1898 (r = sshbuf_put_u32(m, ftype)) != 0 ||
1899 (r = sshbuf_put_cstring(m, lhost)) != 0 ||
1900 (r = sshbuf_put_u32(m, fwd->listen_port)) != 0 ||
1901 (r = sshbuf_put_cstring(m, chost)) != 0 ||
1902 (r = sshbuf_put_u32(m, fwd->connect_port)) != 0)
1903 fatal_fr(r, "request");
1904
1905 if (mux_client_write_packet(fd, m) != 0)
1906 fatal_f("write packet: %s", strerror(errno));
1907
1908 sshbuf_reset(m);
1909
1910 /* Read their reply */
1911 if (mux_client_read_packet(fd, m) != 0) {
1912 sshbuf_free(m);
1913 return -1;
1914 }
1915
1916 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
1917 (r = sshbuf_get_u32(m, &rid)) != 0)
1918 fatal_fr(r, "parse");
1919 if (rid != muxclient_request_id)
1920 fatal_f("out of sequence reply: my id %u theirs %u",
1921 muxclient_request_id, rid);
1922
1923 switch (type) {
1924 case MUX_S_OK:
1925 break;
1926 case MUX_S_REMOTE_PORT:
1927 if (cancel_flag)
1928 fatal_f("got MUX_S_REMOTE_PORT for cancel");
1929 if ((r = sshbuf_get_u32(m, &fwd->allocated_port)) != 0)
1930 fatal_fr(r, "parse port");
1931 verbose("Allocated port %u for remote forward to %s:%d",
1932 fwd->allocated_port,
1933 fwd->connect_host ? fwd->connect_host : "",
1934 fwd->connect_port);
1935 if (muxclient_command == SSHMUX_COMMAND_FORWARD)
1936 fprintf(stdout, "%i\n", fwd->allocated_port);
1937 break;
1938 case MUX_S_PERMISSION_DENIED:
1939 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1940 fatal_fr(r, "parse error message");
1941 sshbuf_free(m);
1942 error("Master refused forwarding request: %s", e);
1943 return -1;
1944 case MUX_S_FAILURE:
1945 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
1946 fatal_fr(r, "parse error message");
1947 sshbuf_free(m);
1948 error_f("forwarding request failed: %s", e);
1949 return -1;
1950 default:
1951 fatal_f("unexpected response from master 0x%08x", type);
1952 }
1953 sshbuf_free(m);
1954
1955 muxclient_request_id++;
1956 return 0;
1957 }
1958
1959 static int
mux_client_forwards(int fd,int cancel_flag)1960 mux_client_forwards(int fd, int cancel_flag)
1961 {
1962 int i, ret = 0;
1963
1964 debug3_f("%s forwardings: %d local, %d remote",
1965 cancel_flag ? "cancel" : "request",
1966 options.num_local_forwards, options.num_remote_forwards);
1967
1968 /* XXX ExitOnForwardingFailure */
1969 for (i = 0; i < options.num_local_forwards; i++) {
1970 if (mux_client_forward(fd, cancel_flag,
1971 options.local_forwards[i].connect_port == 0 ?
1972 MUX_FWD_DYNAMIC : MUX_FWD_LOCAL,
1973 options.local_forwards + i) != 0)
1974 ret = -1;
1975 }
1976 for (i = 0; i < options.num_remote_forwards; i++) {
1977 if (mux_client_forward(fd, cancel_flag, MUX_FWD_REMOTE,
1978 options.remote_forwards + i) != 0)
1979 ret = -1;
1980 }
1981 return ret;
1982 }
1983
1984 static int
mux_client_request_session(int fd)1985 mux_client_request_session(int fd)
1986 {
1987 struct sshbuf *m;
1988 char *e;
1989 const char *term = NULL;
1990 u_int i, echar, rid, sid, esid, exitval, type, exitval_seen;
1991 extern char **environ;
1992 int r, rawmode = 0;
1993
1994 debug3_f("entering");
1995
1996 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
1997 error_f("master alive request failed");
1998 return -1;
1999 }
2000
2001 ssh_signal(SIGPIPE, SIG_IGN);
2002
2003 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
2004 fatal_f("stdfd_devnull failed");
2005
2006 if ((term = lookup_env_in_list("TERM", options.setenv,
2007 options.num_setenv)) == NULL || *term == '\0')
2008 term = getenv("TERM");
2009
2010 echar = 0xffffffff;
2011 if (options.escape_char != SSH_ESCAPECHAR_NONE)
2012 echar = (u_int)options.escape_char;
2013
2014 if ((m = sshbuf_new()) == NULL)
2015 fatal_f("sshbuf_new");
2016 if ((r = sshbuf_put_u32(m, MUX_C_NEW_SESSION)) != 0 ||
2017 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
2018 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
2019 (r = sshbuf_put_u32(m, tty_flag)) != 0 ||
2020 (r = sshbuf_put_u32(m, options.forward_x11)) != 0 ||
2021 (r = sshbuf_put_u32(m, options.forward_agent)) != 0 ||
2022 (r = sshbuf_put_u32(m, options.session_type == SESSION_TYPE_SUBSYSTEM)) != 0 ||
2023 (r = sshbuf_put_u32(m, echar)) != 0 ||
2024 (r = sshbuf_put_cstring(m, term == NULL ? "" : term)) != 0 ||
2025 (r = sshbuf_put_stringb(m, command)) != 0)
2026 fatal_fr(r, "request");
2027
2028 /* Pass environment */
2029 if (options.num_send_env > 0 && environ != NULL) {
2030 for (i = 0; environ[i] != NULL; i++) {
2031 if (!env_permitted(environ[i]))
2032 continue;
2033 if ((r = sshbuf_put_cstring(m, environ[i])) != 0)
2034 fatal_fr(r, "request sendenv");
2035 }
2036 }
2037 for (i = 0; i < options.num_setenv; i++) {
2038 if ((r = sshbuf_put_cstring(m, options.setenv[i])) != 0)
2039 fatal_fr(r, "request setenv");
2040 }
2041
2042 if (mux_client_write_packet(fd, m) != 0)
2043 fatal_f("write packet: %s", strerror(errno));
2044
2045 /* Send the stdio file descriptors */
2046 if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
2047 mm_send_fd(fd, STDOUT_FILENO) == -1 ||
2048 mm_send_fd(fd, STDERR_FILENO) == -1)
2049 fatal_f("send fds failed");
2050
2051 debug3_f("session request sent");
2052
2053 /* Read their reply */
2054 sshbuf_reset(m);
2055 if (mux_client_read_packet(fd, m) != 0) {
2056 error_f("read from master failed: %s", strerror(errno));
2057 sshbuf_free(m);
2058 return -1;
2059 }
2060
2061 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2062 (r = sshbuf_get_u32(m, &rid)) != 0)
2063 fatal_fr(r, "parse");
2064 if (rid != muxclient_request_id)
2065 fatal_f("out of sequence reply: my id %u theirs %u",
2066 muxclient_request_id, rid);
2067
2068 switch (type) {
2069 case MUX_S_SESSION_OPENED:
2070 if ((r = sshbuf_get_u32(m, &sid)) != 0)
2071 fatal_fr(r, "parse session ID");
2072 debug_f("master session id: %u", sid);
2073 break;
2074 case MUX_S_PERMISSION_DENIED:
2075 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2076 fatal_fr(r, "parse error message");
2077 error("Master refused session request: %s", e);
2078 sshbuf_free(m);
2079 return -1;
2080 case MUX_S_FAILURE:
2081 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2082 fatal_fr(r, "parse error message");
2083 error_f("session request failed: %s", e);
2084 sshbuf_free(m);
2085 return -1;
2086 default:
2087 sshbuf_free(m);
2088 error_f("unexpected response from master 0x%08x", type);
2089 return -1;
2090 }
2091 muxclient_request_id++;
2092
2093 if (pledge("stdio proc tty", NULL) == -1)
2094 fatal_f("pledge(): %s", strerror(errno));
2095 platform_pledge_mux();
2096
2097 ssh_signal(SIGHUP, control_client_sighandler);
2098 ssh_signal(SIGINT, control_client_sighandler);
2099 ssh_signal(SIGTERM, control_client_sighandler);
2100 ssh_signal(SIGWINCH, control_client_sigrelay);
2101
2102 if (options.fork_after_authentication)
2103 daemon(1, 1);
2104 else {
2105 rawmode = tty_flag;
2106 if (tty_flag) {
2107 enter_raw_mode(
2108 options.request_tty == REQUEST_TTY_FORCE);
2109 }
2110 }
2111
2112 /*
2113 * Stick around until the controlee closes the client_fd.
2114 * Before it does, it is expected to write an exit message.
2115 * This process must read the value and wait for the closure of
2116 * the client_fd; if this one closes early, the multiplex master will
2117 * terminate early too (possibly losing data).
2118 */
2119 for (exitval = 255, exitval_seen = 0;;) {
2120 sshbuf_reset(m);
2121 if (mux_client_read_packet(fd, m) != 0)
2122 break;
2123 if ((r = sshbuf_get_u32(m, &type)) != 0)
2124 fatal_fr(r, "parse type");
2125 switch (type) {
2126 case MUX_S_TTY_ALLOC_FAIL:
2127 if ((r = sshbuf_get_u32(m, &esid)) != 0)
2128 fatal_fr(r, "parse session ID");
2129 if (esid != sid)
2130 fatal_f("tty alloc fail on unknown session: "
2131 "my id %u theirs %u", sid, esid);
2132 leave_raw_mode(options.request_tty ==
2133 REQUEST_TTY_FORCE);
2134 rawmode = 0;
2135 continue;
2136 case MUX_S_EXIT_MESSAGE:
2137 if ((r = sshbuf_get_u32(m, &esid)) != 0)
2138 fatal_fr(r, "parse session ID");
2139 if (esid != sid)
2140 fatal_f("exit on unknown session: "
2141 "my id %u theirs %u", sid, esid);
2142 if (exitval_seen)
2143 fatal_f("exitval sent twice");
2144 if ((r = sshbuf_get_u32(m, &exitval)) != 0)
2145 fatal_fr(r, "parse exitval");
2146 exitval_seen = 1;
2147 continue;
2148 default:
2149 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2150 fatal_fr(r, "parse error message");
2151 fatal_f("master returned error: %s", e);
2152 }
2153 }
2154
2155 close(fd);
2156 if (rawmode)
2157 leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
2158
2159 if (muxclient_terminate) {
2160 debug2("Exiting on signal: %s", strsignal(muxclient_terminate));
2161 exitval = 255;
2162 } else if (!exitval_seen) {
2163 debug2("Control master terminated unexpectedly");
2164 exitval = 255;
2165 } else
2166 debug2("Received exit status from master %d", exitval);
2167
2168 if (tty_flag && options.log_level >= SYSLOG_LEVEL_INFO)
2169 fprintf(stderr, "Shared connection to %s closed.\r\n", host);
2170
2171 exit(exitval);
2172 }
2173
2174 static int
mux_client_proxy(int fd)2175 mux_client_proxy(int fd)
2176 {
2177 struct sshbuf *m;
2178 char *e;
2179 u_int type, rid;
2180 int r;
2181
2182 if ((m = sshbuf_new()) == NULL)
2183 fatal_f("sshbuf_new");
2184 if ((r = sshbuf_put_u32(m, MUX_C_PROXY)) != 0 ||
2185 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
2186 fatal_fr(r, "request");
2187 if (mux_client_write_packet(fd, m) != 0)
2188 fatal_f("write packet: %s", strerror(errno));
2189
2190 sshbuf_reset(m);
2191
2192 /* Read their reply */
2193 if (mux_client_read_packet(fd, m) != 0) {
2194 sshbuf_free(m);
2195 return 0;
2196 }
2197 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2198 (r = sshbuf_get_u32(m, &rid)) != 0)
2199 fatal_fr(r, "parse");
2200 if (rid != muxclient_request_id)
2201 fatal_f("out of sequence reply: my id %u theirs %u",
2202 muxclient_request_id, rid);
2203 if (type != MUX_S_PROXY) {
2204 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2205 fatal_fr(r, "parse error message");
2206 fatal_f("master returned error: %s", e);
2207 }
2208 sshbuf_free(m);
2209
2210 debug3_f("done");
2211 muxclient_request_id++;
2212 return 0;
2213 }
2214
2215 static int
mux_client_request_stdio_fwd(int fd)2216 mux_client_request_stdio_fwd(int fd)
2217 {
2218 struct sshbuf *m;
2219 char *e;
2220 u_int type, rid, sid;
2221 int r;
2222
2223 debug3_f("entering");
2224
2225 if ((muxserver_pid = mux_client_request_alive(fd)) == 0) {
2226 error_f("master alive request failed");
2227 return -1;
2228 }
2229
2230 ssh_signal(SIGPIPE, SIG_IGN);
2231
2232 if (options.stdin_null && stdfd_devnull(1, 0, 0) == -1)
2233 fatal_f("stdfd_devnull failed");
2234
2235 if ((m = sshbuf_new()) == NULL)
2236 fatal_f("sshbuf_new");
2237 if ((r = sshbuf_put_u32(m, MUX_C_NEW_STDIO_FWD)) != 0 ||
2238 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0 ||
2239 (r = sshbuf_put_string(m, NULL, 0)) != 0 || /* reserved */
2240 (r = sshbuf_put_cstring(m, options.stdio_forward_host)) != 0 ||
2241 (r = sshbuf_put_u32(m, options.stdio_forward_port)) != 0)
2242 fatal_fr(r, "request");
2243
2244 if (mux_client_write_packet(fd, m) != 0)
2245 fatal_f("write packet: %s", strerror(errno));
2246
2247 /* Send the stdio file descriptors */
2248 if (mm_send_fd(fd, STDIN_FILENO) == -1 ||
2249 mm_send_fd(fd, STDOUT_FILENO) == -1)
2250 fatal_f("send fds failed");
2251
2252 if (pledge("stdio proc tty", NULL) == -1)
2253 fatal_f("pledge(): %s", strerror(errno));
2254 platform_pledge_mux();
2255
2256 debug3_f("stdio forward request sent");
2257
2258 /* Read their reply */
2259 sshbuf_reset(m);
2260
2261 if (mux_client_read_packet(fd, m) != 0) {
2262 error_f("read from master failed: %s", strerror(errno));
2263 sshbuf_free(m);
2264 return -1;
2265 }
2266
2267 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2268 (r = sshbuf_get_u32(m, &rid)) != 0)
2269 fatal_fr(r, "parse");
2270 if (rid != muxclient_request_id)
2271 fatal_f("out of sequence reply: my id %u theirs %u",
2272 muxclient_request_id, rid);
2273 switch (type) {
2274 case MUX_S_SESSION_OPENED:
2275 if ((r = sshbuf_get_u32(m, &sid)) != 0)
2276 fatal_fr(r, "parse session ID");
2277 debug_f("master session id: %u", sid);
2278 break;
2279 case MUX_S_PERMISSION_DENIED:
2280 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2281 fatal_fr(r, "parse error message");
2282 sshbuf_free(m);
2283 fatal("Master refused stdio forwarding request: %s", e);
2284 case MUX_S_FAILURE:
2285 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2286 fatal_fr(r, "parse error message");
2287 sshbuf_free(m);
2288 fatal("Stdio forwarding request failed: %s", e);
2289 default:
2290 sshbuf_free(m);
2291 error_f("unexpected response from master 0x%08x", type);
2292 return -1;
2293 }
2294 muxclient_request_id++;
2295
2296 ssh_signal(SIGHUP, control_client_sighandler);
2297 ssh_signal(SIGINT, control_client_sighandler);
2298 ssh_signal(SIGTERM, control_client_sighandler);
2299 ssh_signal(SIGWINCH, control_client_sigrelay);
2300
2301 /*
2302 * Stick around until the controlee closes the client_fd.
2303 */
2304 sshbuf_reset(m);
2305 if (mux_client_read_packet(fd, m) != 0) {
2306 if (errno == EPIPE ||
2307 (errno == EINTR && muxclient_terminate != 0)) {
2308 sshbuf_free(m);
2309 return 0;
2310 }
2311 fatal_f("mux_client_read_packet: %s", strerror(errno));
2312 }
2313 fatal_f("master returned unexpected message %u", type);
2314 }
2315
2316 static void
mux_client_request_stop_listening(int fd)2317 mux_client_request_stop_listening(int fd)
2318 {
2319 struct sshbuf *m;
2320 char *e;
2321 u_int type, rid;
2322 int r;
2323
2324 debug3_f("entering");
2325
2326 if ((m = sshbuf_new()) == NULL)
2327 fatal_f("sshbuf_new");
2328 if ((r = sshbuf_put_u32(m, MUX_C_STOP_LISTENING)) != 0 ||
2329 (r = sshbuf_put_u32(m, muxclient_request_id)) != 0)
2330 fatal_fr(r, "request");
2331
2332 if (mux_client_write_packet(fd, m) != 0)
2333 fatal_f("write packet: %s", strerror(errno));
2334
2335 sshbuf_reset(m);
2336
2337 /* Read their reply */
2338 if (mux_client_read_packet(fd, m) != 0)
2339 fatal_f("read from master failed: %s", strerror(errno));
2340
2341 if ((r = sshbuf_get_u32(m, &type)) != 0 ||
2342 (r = sshbuf_get_u32(m, &rid)) != 0)
2343 fatal_fr(r, "parse");
2344 if (rid != muxclient_request_id)
2345 fatal_f("out of sequence reply: my id %u theirs %u",
2346 muxclient_request_id, rid);
2347
2348 switch (type) {
2349 case MUX_S_OK:
2350 break;
2351 case MUX_S_PERMISSION_DENIED:
2352 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2353 fatal_fr(r, "parse error message");
2354 fatal("Master refused stop listening request: %s", e);
2355 case MUX_S_FAILURE:
2356 if ((r = sshbuf_get_cstring(m, &e, NULL)) != 0)
2357 fatal_fr(r, "parse error message");
2358 fatal_f("stop listening request failed: %s", e);
2359 default:
2360 fatal_f("unexpected response from master 0x%08x", type);
2361 }
2362 sshbuf_free(m);
2363 muxclient_request_id++;
2364 }
2365
2366 /* Multiplex client main loop. */
2367 int
muxclient(const char * path)2368 muxclient(const char *path)
2369 {
2370 struct sockaddr_un addr;
2371 int sock, timeout = options.connection_timeout, timeout_ms = -1;
2372 u_int pid;
2373 char *info = NULL;
2374
2375 if (muxclient_command == 0) {
2376 if (options.stdio_forward_host != NULL)
2377 muxclient_command = SSHMUX_COMMAND_STDIO_FWD;
2378 else
2379 muxclient_command = SSHMUX_COMMAND_OPEN;
2380 }
2381
2382 switch (options.control_master) {
2383 case SSHCTL_MASTER_AUTO:
2384 case SSHCTL_MASTER_AUTO_ASK:
2385 debug("auto-mux: Trying existing master at '%s'", path);
2386 /* FALLTHROUGH */
2387 case SSHCTL_MASTER_NO:
2388 break;
2389 default:
2390 return -1;
2391 }
2392
2393 memset(&addr, '\0', sizeof(addr));
2394 addr.sun_family = AF_UNIX;
2395
2396 if (strlcpy(addr.sun_path, path,
2397 sizeof(addr.sun_path)) >= sizeof(addr.sun_path))
2398 fatal("ControlPath too long ('%s' >= %u bytes)", path,
2399 (unsigned int)sizeof(addr.sun_path));
2400
2401 if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
2402 fatal_f("socket(): %s", strerror(errno));
2403
2404 if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
2405 switch (muxclient_command) {
2406 case SSHMUX_COMMAND_OPEN:
2407 case SSHMUX_COMMAND_STDIO_FWD:
2408 break;
2409 default:
2410 fatal("Control socket connect(%.100s): %s", path,
2411 strerror(errno));
2412 }
2413 if (errno == ECONNREFUSED &&
2414 options.control_master != SSHCTL_MASTER_NO) {
2415 debug("Stale control socket %.100s, unlinking", path);
2416 unlink(path);
2417 } else if (errno == ENOENT) {
2418 debug("Control socket \"%.100s\" does not exist", path);
2419 } else {
2420 error("Control socket connect(%.100s): %s", path,
2421 strerror(errno));
2422 }
2423 close(sock);
2424 return -1;
2425 }
2426 set_nonblock(sock);
2427
2428 /* Timeout on initial connection only. */
2429 if (timeout > 0 && timeout < INT_MAX / 1000)
2430 timeout_ms = timeout * 1000;
2431
2432 if (mux_client_hello_exchange(sock, timeout_ms) != 0) {
2433 error_f("master hello exchange failed");
2434 close(sock);
2435 return -1;
2436 }
2437
2438 switch (muxclient_command) {
2439 case SSHMUX_COMMAND_ALIVE_CHECK:
2440 if ((pid = mux_client_request_alive(sock)) == 0)
2441 fatal_f("master alive check failed");
2442 fprintf(stderr, "Master running (pid=%u)\r\n", pid);
2443 exit(0);
2444 case SSHMUX_COMMAND_CONNINFO:
2445 case SSHMUX_COMMAND_CHANINFO:
2446 if (!(extensions & MUX_EXT_INFO))
2447 fatal("mux server does not support info request");
2448 info = mux_client_request_info(sock,
2449 muxclient_command == SSHMUX_COMMAND_CONNINFO ?
2450 "connection" : "channels");
2451 if (info == NULL)
2452 fatal_f("info request failed");
2453 printf("%s", info);
2454 exit(0);
2455 case SSHMUX_COMMAND_TERMINATE:
2456 mux_client_request_terminate(sock);
2457 if (options.log_level != SYSLOG_LEVEL_QUIET)
2458 fprintf(stderr, "Exit request sent.\r\n");
2459 exit(0);
2460 case SSHMUX_COMMAND_FORWARD:
2461 if (mux_client_forwards(sock, 0) != 0)
2462 fatal_f("master forward request failed");
2463 exit(0);
2464 case SSHMUX_COMMAND_OPEN:
2465 if (mux_client_forwards(sock, 0) != 0) {
2466 error_f("master forward request failed");
2467 return -1;
2468 }
2469 mux_client_request_session(sock);
2470 return -1;
2471 case SSHMUX_COMMAND_STDIO_FWD:
2472 mux_client_request_stdio_fwd(sock);
2473 exit(0);
2474 case SSHMUX_COMMAND_STOP:
2475 mux_client_request_stop_listening(sock);
2476 if (options.log_level != SYSLOG_LEVEL_QUIET)
2477 fprintf(stderr, "Stop listening request sent.\r\n");
2478 exit(0);
2479 case SSHMUX_COMMAND_CANCEL_FWD:
2480 if (mux_client_forwards(sock, 1) != 0)
2481 error_f("master cancel forward request failed");
2482 exit(0);
2483 case SSHMUX_COMMAND_PROXY:
2484 mux_client_proxy(sock);
2485 return (sock);
2486 default:
2487 fatal("unrecognised muxclient_command %d", muxclient_command);
2488 }
2489 }
2490