1/* $OpenBSD: channels.c,v 1.311 2011/06/22 22:08:42 djm Exp $ */
2/*
3 * Author: Tatu Ylonen <ylo@cs.hut.fi>
4 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 *                    All rights reserved
6 * This file contains functions for generic socket connection forwarding.
7 * There is also code for initiating connection forwarding for X11 connections,
8 * arbitrary tcp/ip connections, and the authentication agent connection.
9 *
10 * As far as I am concerned, the code I have written for this software
11 * can be used freely for any purpose.  Any derived versions of this
12 * software must be clearly marked as such, and if the derived work is
13 * incompatible with the protocol description in the RFC file, it must be
14 * called by a name other than "ssh" or "Secure Shell".
15 *
16 * SSH2 support added by Markus Friedl.
17 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
18 * Copyright (c) 1999 Dug Song.  All rights reserved.
19 * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
20 *
21 * Redistribution and use in source and binary forms, with or without
22 * modification, are permitted provided that the following conditions
23 * are met:
24 * 1. Redistributions of source code must retain the above copyright
25 *    notice, this list of conditions and the following disclaimer.
26 * 2. Redistributions in binary form must reproduce the above copyright
27 *    notice, this list of conditions and the following disclaimer in the
28 *    documentation and/or other materials provided with the distribution.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40 */
41
42#include "includes.h"
43
44#include <sys/types.h>
45#include <sys/ioctl.h>
46#include <sys/un.h>
47#include <sys/socket.h>
48#ifdef HAVE_SYS_TIME_H
49# include <sys/time.h>
50#endif
51
52#include <netinet/in.h>
53#include <arpa/inet.h>
54
55#include <errno.h>
56#include <fcntl.h>
57#include <netdb.h>
58#include <stdio.h>
59#include <stdlib.h>
60#include <string.h>
61#include <termios.h>
62#include <unistd.h>
63#include <stdarg.h>
64
65#include "openbsd-compat/sys-queue.h"
66#include "xmalloc.h"
67#include "ssh.h"
68#include "ssh1.h"
69#include "ssh2.h"
70#include "packet.h"
71#include "log.h"
72#include "misc.h"
73#include "buffer.h"
74#include "channels.h"
75#include "compat.h"
76#include "canohost.h"
77#include "key.h"
78#include "authfd.h"
79#include "pathnames.h"
80
81/* -- channel core */
82
83/*
84 * Pointer to an array containing all allocated channels.  The array is
85 * dynamically extended as needed.
86 */
87static Channel **channels = NULL;
88
89/*
90 * Size of the channel array.  All slots of the array must always be
91 * initialized (at least the type field); unused slots set to NULL
92 */
93static u_int channels_alloc = 0;
94
95/*
96 * Maximum file descriptor value used in any of the channels.  This is
97 * updated in channel_new.
98 */
99static int channel_max_fd = 0;
100
101
102/* -- tcp forwarding */
103
104/*
105 * Data structure for storing which hosts are permitted for forward requests.
106 * The local sides of any remote forwards are stored in this array to prevent
107 * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
108 * network (which might be behind a firewall).
109 */
110typedef struct {
111	char *host_to_connect;		/* Connect to 'host'. */
112	u_short port_to_connect;	/* Connect to 'port'. */
113	u_short listen_port;		/* Remote side should listen port number. */
114} ForwardPermission;
115
116/* List of all permitted host/port pairs to connect by the user. */
117static ForwardPermission *permitted_opens = NULL;
118
119/* List of all permitted host/port pairs to connect by the admin. */
120static ForwardPermission *permitted_adm_opens = NULL;
121
122/* Number of permitted host/port pairs in the array permitted by the user. */
123static int num_permitted_opens = 0;
124
125/* Number of permitted host/port pair in the array permitted by the admin. */
126static int num_adm_permitted_opens = 0;
127
128/*
129 * If this is true, all opens are permitted.  This is the case on the server
130 * on which we have to trust the client anyway, and the user could do
131 * anything after logging in anyway.
132 */
133static int all_opens_permitted = 0;
134
135
136/* -- X11 forwarding */
137
138/* Maximum number of fake X11 displays to try. */
139#define MAX_DISPLAYS  1000
140
141/* Saved X11 local (client) display. */
142static char *x11_saved_display = NULL;
143
144/* Saved X11 authentication protocol name. */
145static char *x11_saved_proto = NULL;
146
147/* Saved X11 authentication data.  This is the real data. */
148static char *x11_saved_data = NULL;
149static u_int x11_saved_data_len = 0;
150
151/*
152 * Fake X11 authentication data.  This is what the server will be sending us;
153 * we should replace any occurrences of this by the real data.
154 */
155static u_char *x11_fake_data = NULL;
156static u_int x11_fake_data_len;
157
158
159/* -- agent forwarding */
160
161#define	NUM_SOCKS	10
162
163/* AF_UNSPEC or AF_INET or AF_INET6 */
164static int IPv4or6 = AF_UNSPEC;
165
166/* helper */
167static void port_open_helper(Channel *c, char *rtype);
168
169/* non-blocking connect helpers */
170static int connect_next(struct channel_connect *);
171static void channel_connect_ctx_free(struct channel_connect *);
172
173/* -- channel core */
174
175Channel *
176channel_by_id(int id)
177{
178	Channel *c;
179
180	if (id < 0 || (u_int)id >= channels_alloc) {
181		logit("channel_by_id: %d: bad id", id);
182		return NULL;
183	}
184	c = channels[id];
185	if (c == NULL) {
186		logit("channel_by_id: %d: bad id: channel free", id);
187		return NULL;
188	}
189	return c;
190}
191
192/*
193 * Returns the channel if it is allowed to receive protocol messages.
194 * Private channels, like listening sockets, may not receive messages.
195 */
196Channel *
197channel_lookup(int id)
198{
199	Channel *c;
200
201	if ((c = channel_by_id(id)) == NULL)
202		return (NULL);
203
204	switch (c->type) {
205	case SSH_CHANNEL_X11_OPEN:
206	case SSH_CHANNEL_LARVAL:
207	case SSH_CHANNEL_CONNECTING:
208	case SSH_CHANNEL_DYNAMIC:
209	case SSH_CHANNEL_OPENING:
210	case SSH_CHANNEL_OPEN:
211	case SSH_CHANNEL_INPUT_DRAINING:
212	case SSH_CHANNEL_OUTPUT_DRAINING:
213		return (c);
214	}
215	logit("Non-public channel %d, type %d.", id, c->type);
216	return (NULL);
217}
218
219/*
220 * Register filedescriptors for a channel, used when allocating a channel or
221 * when the channel consumer/producer is ready, e.g. shell exec'd
222 */
223static void
224channel_register_fds(Channel *c, int rfd, int wfd, int efd,
225    int extusage, int nonblock, int is_tty)
226{
227	/* Update the maximum file descriptor value. */
228	channel_max_fd = MAX(channel_max_fd, rfd);
229	channel_max_fd = MAX(channel_max_fd, wfd);
230	channel_max_fd = MAX(channel_max_fd, efd);
231
232	if (rfd != -1)
233		fcntl(rfd, F_SETFD, FD_CLOEXEC);
234	if (wfd != -1 && wfd != rfd)
235		fcntl(wfd, F_SETFD, FD_CLOEXEC);
236	if (efd != -1 && efd != rfd && efd != wfd)
237		fcntl(efd, F_SETFD, FD_CLOEXEC);
238
239	c->rfd = rfd;
240	c->wfd = wfd;
241	c->sock = (rfd == wfd) ? rfd : -1;
242	c->efd = efd;
243	c->extended_usage = extusage;
244
245	if ((c->isatty = is_tty) != 0)
246		debug2("channel %d: rfd %d isatty", c->self, c->rfd);
247	c->wfd_isatty = is_tty || isatty(c->wfd);
248
249	/* enable nonblocking mode */
250	if (nonblock) {
251		if (rfd != -1)
252			set_nonblock(rfd);
253		if (wfd != -1)
254			set_nonblock(wfd);
255		if (efd != -1)
256			set_nonblock(efd);
257	}
258}
259
260/*
261 * Allocate a new channel object and set its type and socket. This will cause
262 * remote_name to be freed.
263 */
264Channel *
265channel_new(char *ctype, int type, int rfd, int wfd, int efd,
266    u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
267{
268	int found;
269	u_int i;
270	Channel *c;
271
272	/* Do initial allocation if this is the first call. */
273	if (channels_alloc == 0) {
274		channels_alloc = 10;
275		channels = xcalloc(channels_alloc, sizeof(Channel *));
276		for (i = 0; i < channels_alloc; i++)
277			channels[i] = NULL;
278	}
279	/* Try to find a free slot where to put the new channel. */
280	for (found = -1, i = 0; i < channels_alloc; i++)
281		if (channels[i] == NULL) {
282			/* Found a free slot. */
283			found = (int)i;
284			break;
285		}
286	if (found < 0) {
287		/* There are no free slots.  Take last+1 slot and expand the array.  */
288		found = channels_alloc;
289		if (channels_alloc > 10000)
290			fatal("channel_new: internal error: channels_alloc %d "
291			    "too big.", channels_alloc);
292		channels = xrealloc(channels, channels_alloc + 10,
293		    sizeof(Channel *));
294		channels_alloc += 10;
295		debug2("channel: expanding %d", channels_alloc);
296		for (i = found; i < channels_alloc; i++)
297			channels[i] = NULL;
298	}
299	/* Initialize and return new channel. */
300	c = channels[found] = xcalloc(1, sizeof(Channel));
301	buffer_init(&c->input);
302	buffer_init(&c->output);
303	buffer_init(&c->extended);
304	c->path = NULL;
305	c->ostate = CHAN_OUTPUT_OPEN;
306	c->istate = CHAN_INPUT_OPEN;
307	c->flags = 0;
308	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, 0);
309	c->self = found;
310	c->type = type;
311	c->ctype = ctype;
312	c->local_window = window;
313	c->local_window_max = window;
314	c->local_consumed = 0;
315	c->local_maxpacket = maxpack;
316	c->remote_id = -1;
317	c->remote_name = xstrdup(remote_name);
318	c->remote_window = 0;
319	c->remote_maxpacket = 0;
320	c->force_drain = 0;
321	c->single_connection = 0;
322	c->detach_user = NULL;
323	c->detach_close = 0;
324	c->open_confirm = NULL;
325	c->open_confirm_ctx = NULL;
326	c->input_filter = NULL;
327	c->output_filter = NULL;
328	c->filter_ctx = NULL;
329	c->filter_cleanup = NULL;
330	c->ctl_chan = -1;
331	c->mux_rcb = NULL;
332	c->mux_ctx = NULL;
333	c->mux_pause = 0;
334	c->delayed = 1;		/* prevent call to channel_post handler */
335	TAILQ_INIT(&c->status_confirms);
336	debug("channel %d: new [%s]", found, remote_name);
337	return c;
338}
339
340static int
341channel_find_maxfd(void)
342{
343	u_int i;
344	int max = 0;
345	Channel *c;
346
347	for (i = 0; i < channels_alloc; i++) {
348		c = channels[i];
349		if (c != NULL) {
350			max = MAX(max, c->rfd);
351			max = MAX(max, c->wfd);
352			max = MAX(max, c->efd);
353		}
354	}
355	return max;
356}
357
358int
359channel_close_fd(int *fdp)
360{
361	int ret = 0, fd = *fdp;
362
363	if (fd != -1) {
364		ret = close(fd);
365		*fdp = -1;
366		if (fd == channel_max_fd)
367			channel_max_fd = channel_find_maxfd();
368	}
369	return ret;
370}
371
372/* Close all channel fd/socket. */
373static void
374channel_close_fds(Channel *c)
375{
376	channel_close_fd(&c->sock);
377	channel_close_fd(&c->rfd);
378	channel_close_fd(&c->wfd);
379	channel_close_fd(&c->efd);
380}
381
382/* Free the channel and close its fd/socket. */
383void
384channel_free(Channel *c)
385{
386	char *s;
387	u_int i, n;
388	struct channel_confirm *cc;
389
390	for (n = 0, i = 0; i < channels_alloc; i++)
391		if (channels[i])
392			n++;
393	debug("channel %d: free: %s, nchannels %u", c->self,
394	    c->remote_name ? c->remote_name : "???", n);
395
396	s = channel_open_message();
397	debug3("channel %d: status: %s", c->self, s);
398	xfree(s);
399
400	if (c->sock != -1)
401		shutdown(c->sock, SHUT_RDWR);
402	channel_close_fds(c);
403	buffer_free(&c->input);
404	buffer_free(&c->output);
405	buffer_free(&c->extended);
406	if (c->remote_name) {
407		xfree(c->remote_name);
408		c->remote_name = NULL;
409	}
410	if (c->path) {
411		xfree(c->path);
412		c->path = NULL;
413	}
414	while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
415		if (cc->abandon_cb != NULL)
416			cc->abandon_cb(c, cc->ctx);
417		TAILQ_REMOVE(&c->status_confirms, cc, entry);
418		bzero(cc, sizeof(*cc));
419		xfree(cc);
420	}
421	if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
422		c->filter_cleanup(c->self, c->filter_ctx);
423	channels[c->self] = NULL;
424	xfree(c);
425}
426
427void
428channel_free_all(void)
429{
430	u_int i;
431
432	for (i = 0; i < channels_alloc; i++)
433		if (channels[i] != NULL)
434			channel_free(channels[i]);
435}
436
437/*
438 * Closes the sockets/fds of all channels.  This is used to close extra file
439 * descriptors after a fork.
440 */
441void
442channel_close_all(void)
443{
444	u_int i;
445
446	for (i = 0; i < channels_alloc; i++)
447		if (channels[i] != NULL)
448			channel_close_fds(channels[i]);
449}
450
451/*
452 * Stop listening to channels.
453 */
454void
455channel_stop_listening(void)
456{
457	u_int i;
458	Channel *c;
459
460	for (i = 0; i < channels_alloc; i++) {
461		c = channels[i];
462		if (c != NULL) {
463			switch (c->type) {
464			case SSH_CHANNEL_AUTH_SOCKET:
465			case SSH_CHANNEL_PORT_LISTENER:
466			case SSH_CHANNEL_RPORT_LISTENER:
467			case SSH_CHANNEL_X11_LISTENER:
468				channel_close_fd(&c->sock);
469				channel_free(c);
470				break;
471			}
472		}
473	}
474}
475
476/*
477 * Returns true if no channel has too much buffered data, and false if one or
478 * more channel is overfull.
479 */
480int
481channel_not_very_much_buffered_data(void)
482{
483	u_int i;
484	Channel *c;
485
486	for (i = 0; i < channels_alloc; i++) {
487		c = channels[i];
488		if (c != NULL && c->type == SSH_CHANNEL_OPEN) {
489#if 0
490			if (!compat20 &&
491			    buffer_len(&c->input) > packet_get_maxsize()) {
492				debug2("channel %d: big input buffer %d",
493				    c->self, buffer_len(&c->input));
494				return 0;
495			}
496#endif
497			if (buffer_len(&c->output) > packet_get_maxsize()) {
498				debug2("channel %d: big output buffer %u > %u",
499				    c->self, buffer_len(&c->output),
500				    packet_get_maxsize());
501				return 0;
502			}
503		}
504	}
505	return 1;
506}
507
508/* Returns true if any channel is still open. */
509int
510channel_still_open(void)
511{
512	u_int i;
513	Channel *c;
514
515	for (i = 0; i < channels_alloc; i++) {
516		c = channels[i];
517		if (c == NULL)
518			continue;
519		switch (c->type) {
520		case SSH_CHANNEL_X11_LISTENER:
521		case SSH_CHANNEL_PORT_LISTENER:
522		case SSH_CHANNEL_RPORT_LISTENER:
523		case SSH_CHANNEL_MUX_LISTENER:
524		case SSH_CHANNEL_CLOSED:
525		case SSH_CHANNEL_AUTH_SOCKET:
526		case SSH_CHANNEL_DYNAMIC:
527		case SSH_CHANNEL_CONNECTING:
528		case SSH_CHANNEL_ZOMBIE:
529			continue;
530		case SSH_CHANNEL_LARVAL:
531			if (!compat20)
532				fatal("cannot happen: SSH_CHANNEL_LARVAL");
533			continue;
534		case SSH_CHANNEL_OPENING:
535		case SSH_CHANNEL_OPEN:
536		case SSH_CHANNEL_X11_OPEN:
537		case SSH_CHANNEL_MUX_CLIENT:
538			return 1;
539		case SSH_CHANNEL_INPUT_DRAINING:
540		case SSH_CHANNEL_OUTPUT_DRAINING:
541			if (!compat13)
542				fatal("cannot happen: OUT_DRAIN");
543			return 1;
544		default:
545			fatal("channel_still_open: bad channel type %d", c->type);
546			/* NOTREACHED */
547		}
548	}
549	return 0;
550}
551
552/* Returns the id of an open channel suitable for keepaliving */
553int
554channel_find_open(void)
555{
556	u_int i;
557	Channel *c;
558
559	for (i = 0; i < channels_alloc; i++) {
560		c = channels[i];
561		if (c == NULL || c->remote_id < 0)
562			continue;
563		switch (c->type) {
564		case SSH_CHANNEL_CLOSED:
565		case SSH_CHANNEL_DYNAMIC:
566		case SSH_CHANNEL_X11_LISTENER:
567		case SSH_CHANNEL_PORT_LISTENER:
568		case SSH_CHANNEL_RPORT_LISTENER:
569		case SSH_CHANNEL_MUX_LISTENER:
570		case SSH_CHANNEL_MUX_CLIENT:
571		case SSH_CHANNEL_OPENING:
572		case SSH_CHANNEL_CONNECTING:
573		case SSH_CHANNEL_ZOMBIE:
574			continue;
575		case SSH_CHANNEL_LARVAL:
576		case SSH_CHANNEL_AUTH_SOCKET:
577		case SSH_CHANNEL_OPEN:
578		case SSH_CHANNEL_X11_OPEN:
579			return i;
580		case SSH_CHANNEL_INPUT_DRAINING:
581		case SSH_CHANNEL_OUTPUT_DRAINING:
582			if (!compat13)
583				fatal("cannot happen: OUT_DRAIN");
584			return i;
585		default:
586			fatal("channel_find_open: bad channel type %d", c->type);
587			/* NOTREACHED */
588		}
589	}
590	return -1;
591}
592
593
594/*
595 * Returns a message describing the currently open forwarded connections,
596 * suitable for sending to the client.  The message contains crlf pairs for
597 * newlines.
598 */
599char *
600channel_open_message(void)
601{
602	Buffer buffer;
603	Channel *c;
604	char buf[1024], *cp;
605	u_int i;
606
607	buffer_init(&buffer);
608	snprintf(buf, sizeof buf, "The following connections are open:\r\n");
609	buffer_append(&buffer, buf, strlen(buf));
610	for (i = 0; i < channels_alloc; i++) {
611		c = channels[i];
612		if (c == NULL)
613			continue;
614		switch (c->type) {
615		case SSH_CHANNEL_X11_LISTENER:
616		case SSH_CHANNEL_PORT_LISTENER:
617		case SSH_CHANNEL_RPORT_LISTENER:
618		case SSH_CHANNEL_CLOSED:
619		case SSH_CHANNEL_AUTH_SOCKET:
620		case SSH_CHANNEL_ZOMBIE:
621		case SSH_CHANNEL_MUX_CLIENT:
622		case SSH_CHANNEL_MUX_LISTENER:
623			continue;
624		case SSH_CHANNEL_LARVAL:
625		case SSH_CHANNEL_OPENING:
626		case SSH_CHANNEL_CONNECTING:
627		case SSH_CHANNEL_DYNAMIC:
628		case SSH_CHANNEL_OPEN:
629		case SSH_CHANNEL_X11_OPEN:
630		case SSH_CHANNEL_INPUT_DRAINING:
631		case SSH_CHANNEL_OUTPUT_DRAINING:
632			snprintf(buf, sizeof buf,
633			    "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n",
634			    c->self, c->remote_name,
635			    c->type, c->remote_id,
636			    c->istate, buffer_len(&c->input),
637			    c->ostate, buffer_len(&c->output),
638			    c->rfd, c->wfd, c->ctl_chan);
639			buffer_append(&buffer, buf, strlen(buf));
640			continue;
641		default:
642			fatal("channel_open_message: bad channel type %d", c->type);
643			/* NOTREACHED */
644		}
645	}
646	buffer_append(&buffer, "\0", 1);
647	cp = xstrdup(buffer_ptr(&buffer));
648	buffer_free(&buffer);
649	return cp;
650}
651
652void
653channel_send_open(int id)
654{
655	Channel *c = channel_lookup(id);
656
657	if (c == NULL) {
658		logit("channel_send_open: %d: bad id", id);
659		return;
660	}
661	debug2("channel %d: send open", id);
662	packet_start(SSH2_MSG_CHANNEL_OPEN);
663	packet_put_cstring(c->ctype);
664	packet_put_int(c->self);
665	packet_put_int(c->local_window);
666	packet_put_int(c->local_maxpacket);
667	packet_send();
668}
669
670void
671channel_request_start(int id, char *service, int wantconfirm)
672{
673	Channel *c = channel_lookup(id);
674
675	if (c == NULL) {
676		logit("channel_request_start: %d: unknown channel id", id);
677		return;
678	}
679	debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
680	packet_start(SSH2_MSG_CHANNEL_REQUEST);
681	packet_put_int(c->remote_id);
682	packet_put_cstring(service);
683	packet_put_char(wantconfirm);
684}
685
686void
687channel_register_status_confirm(int id, channel_confirm_cb *cb,
688    channel_confirm_abandon_cb *abandon_cb, void *ctx)
689{
690	struct channel_confirm *cc;
691	Channel *c;
692
693	if ((c = channel_lookup(id)) == NULL)
694		fatal("channel_register_expect: %d: bad id", id);
695
696	cc = xmalloc(sizeof(*cc));
697	cc->cb = cb;
698	cc->abandon_cb = abandon_cb;
699	cc->ctx = ctx;
700	TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
701}
702
703void
704channel_register_open_confirm(int id, channel_open_fn *fn, void *ctx)
705{
706	Channel *c = channel_lookup(id);
707
708	if (c == NULL) {
709		logit("channel_register_open_confirm: %d: bad id", id);
710		return;
711	}
712	c->open_confirm = fn;
713	c->open_confirm_ctx = ctx;
714}
715
716void
717channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
718{
719	Channel *c = channel_by_id(id);
720
721	if (c == NULL) {
722		logit("channel_register_cleanup: %d: bad id", id);
723		return;
724	}
725	c->detach_user = fn;
726	c->detach_close = do_close;
727}
728
729void
730channel_cancel_cleanup(int id)
731{
732	Channel *c = channel_by_id(id);
733
734	if (c == NULL) {
735		logit("channel_cancel_cleanup: %d: bad id", id);
736		return;
737	}
738	c->detach_user = NULL;
739	c->detach_close = 0;
740}
741
742void
743channel_register_filter(int id, channel_infilter_fn *ifn,
744    channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
745{
746	Channel *c = channel_lookup(id);
747
748	if (c == NULL) {
749		logit("channel_register_filter: %d: bad id", id);
750		return;
751	}
752	c->input_filter = ifn;
753	c->output_filter = ofn;
754	c->filter_ctx = ctx;
755	c->filter_cleanup = cfn;
756}
757
758void
759channel_set_fds(int id, int rfd, int wfd, int efd,
760    int extusage, int nonblock, int is_tty, u_int window_max)
761{
762	Channel *c = channel_lookup(id);
763
764	if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
765		fatal("channel_activate for non-larval channel %d.", id);
766	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty);
767	c->type = SSH_CHANNEL_OPEN;
768	c->local_window = c->local_window_max = window_max;
769	packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
770	packet_put_int(c->remote_id);
771	packet_put_int(c->local_window);
772	packet_send();
773}
774
775/*
776 * 'channel_pre*' are called just before select() to add any bits relevant to
777 * channels in the select bitmasks.
778 */
779/*
780 * 'channel_post*': perform any appropriate operations for channels which
781 * have events pending.
782 */
783typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset);
784chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
785chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
786
787/* ARGSUSED */
788static void
789channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset)
790{
791	FD_SET(c->sock, readset);
792}
793
794/* ARGSUSED */
795static void
796channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset)
797{
798	debug3("channel %d: waiting for connection", c->self);
799	FD_SET(c->sock, writeset);
800}
801
802static void
803channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
804{
805	if (buffer_len(&c->input) < packet_get_maxsize())
806		FD_SET(c->sock, readset);
807	if (buffer_len(&c->output) > 0)
808		FD_SET(c->sock, writeset);
809}
810
811static void
812channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
813{
814	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
815
816	if (c->istate == CHAN_INPUT_OPEN &&
817	    limit > 0 &&
818	    buffer_len(&c->input) < limit &&
819	    buffer_check_alloc(&c->input, CHAN_RBUF))
820		FD_SET(c->rfd, readset);
821	if (c->ostate == CHAN_OUTPUT_OPEN ||
822	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
823		if (buffer_len(&c->output) > 0) {
824			FD_SET(c->wfd, writeset);
825		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
826			if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
827				debug2("channel %d: obuf_empty delayed efd %d/(%d)",
828				    c->self, c->efd, buffer_len(&c->extended));
829			else
830				chan_obuf_empty(c);
831		}
832	}
833	/** XXX check close conditions, too */
834	if (compat20 && c->efd != -1 &&
835	    !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) {
836		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
837		    buffer_len(&c->extended) > 0)
838			FD_SET(c->efd, writeset);
839		else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
840		    (c->extended_usage == CHAN_EXTENDED_READ ||
841		    c->extended_usage == CHAN_EXTENDED_IGNORE) &&
842		    buffer_len(&c->extended) < c->remote_window)
843			FD_SET(c->efd, readset);
844	}
845	/* XXX: What about efd? races? */
846}
847
848/* ARGSUSED */
849static void
850channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset)
851{
852	if (buffer_len(&c->input) == 0) {
853		packet_start(SSH_MSG_CHANNEL_CLOSE);
854		packet_put_int(c->remote_id);
855		packet_send();
856		c->type = SSH_CHANNEL_CLOSED;
857		debug2("channel %d: closing after input drain.", c->self);
858	}
859}
860
861/* ARGSUSED */
862static void
863channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset)
864{
865	if (buffer_len(&c->output) == 0)
866		chan_mark_dead(c);
867	else
868		FD_SET(c->sock, writeset);
869}
870
871/*
872 * This is a special state for X11 authentication spoofing.  An opened X11
873 * connection (when authentication spoofing is being done) remains in this
874 * state until the first packet has been completely read.  The authentication
875 * data in that packet is then substituted by the real data if it matches the
876 * fake data, and the channel is put into normal mode.
877 * XXX All this happens at the client side.
878 * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
879 */
880static int
881x11_open_helper(Buffer *b)
882{
883	u_char *ucp;
884	u_int proto_len, data_len;
885
886	/* Check if the fixed size part of the packet is in buffer. */
887	if (buffer_len(b) < 12)
888		return 0;
889
890	/* Parse the lengths of variable-length fields. */
891	ucp = buffer_ptr(b);
892	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
893		proto_len = 256 * ucp[6] + ucp[7];
894		data_len = 256 * ucp[8] + ucp[9];
895	} else if (ucp[0] == 0x6c) {	/* Byte order LSB first. */
896		proto_len = ucp[6] + 256 * ucp[7];
897		data_len = ucp[8] + 256 * ucp[9];
898	} else {
899		debug2("Initial X11 packet contains bad byte order byte: 0x%x",
900		    ucp[0]);
901		return -1;
902	}
903
904	/* Check if the whole packet is in buffer. */
905	if (buffer_len(b) <
906	    12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
907		return 0;
908
909	/* Check if authentication protocol matches. */
910	if (proto_len != strlen(x11_saved_proto) ||
911	    memcmp(ucp + 12, x11_saved_proto, proto_len) != 0) {
912		debug2("X11 connection uses different authentication protocol.");
913		return -1;
914	}
915	/* Check if authentication data matches our fake data. */
916	if (data_len != x11_fake_data_len ||
917	    timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
918		x11_fake_data, x11_fake_data_len) != 0) {
919		debug2("X11 auth data does not match fake data.");
920		return -1;
921	}
922	/* Check fake data length */
923	if (x11_fake_data_len != x11_saved_data_len) {
924		error("X11 fake_data_len %d != saved_data_len %d",
925		    x11_fake_data_len, x11_saved_data_len);
926		return -1;
927	}
928	/*
929	 * Received authentication protocol and data match
930	 * our fake data. Substitute the fake data with real
931	 * data.
932	 */
933	memcpy(ucp + 12 + ((proto_len + 3) & ~3),
934	    x11_saved_data, x11_saved_data_len);
935	return 1;
936}
937
938static void
939channel_pre_x11_open_13(Channel *c, fd_set *readset, fd_set *writeset)
940{
941	int ret = x11_open_helper(&c->output);
942
943	if (ret == 1) {
944		/* Start normal processing for the channel. */
945		c->type = SSH_CHANNEL_OPEN;
946		channel_pre_open_13(c, readset, writeset);
947	} else if (ret == -1) {
948		/*
949		 * We have received an X11 connection that has bad
950		 * authentication information.
951		 */
952		logit("X11 connection rejected because of wrong authentication.");
953		buffer_clear(&c->input);
954		buffer_clear(&c->output);
955		channel_close_fd(&c->sock);
956		c->sock = -1;
957		c->type = SSH_CHANNEL_CLOSED;
958		packet_start(SSH_MSG_CHANNEL_CLOSE);
959		packet_put_int(c->remote_id);
960		packet_send();
961	}
962}
963
964static void
965channel_pre_x11_open(Channel *c, fd_set *readset, fd_set *writeset)
966{
967	int ret = x11_open_helper(&c->output);
968
969	/* c->force_drain = 1; */
970
971	if (ret == 1) {
972		c->type = SSH_CHANNEL_OPEN;
973		channel_pre_open(c, readset, writeset);
974	} else if (ret == -1) {
975		logit("X11 connection rejected because of wrong authentication.");
976		debug2("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
977		chan_read_failed(c);
978		buffer_clear(&c->input);
979		chan_ibuf_empty(c);
980		buffer_clear(&c->output);
981		/* for proto v1, the peer will send an IEOF */
982		if (compat20)
983			chan_write_failed(c);
984		else
985			c->type = SSH_CHANNEL_OPEN;
986		debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
987	}
988}
989
990static void
991channel_pre_mux_client(Channel *c, fd_set *readset, fd_set *writeset)
992{
993	if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause &&
994	    buffer_check_alloc(&c->input, CHAN_RBUF))
995		FD_SET(c->rfd, readset);
996	if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
997		/* clear buffer immediately (discard any partial packet) */
998		buffer_clear(&c->input);
999		chan_ibuf_empty(c);
1000		/* Start output drain. XXX just kill chan? */
1001		chan_rcvd_oclose(c);
1002	}
1003	if (c->ostate == CHAN_OUTPUT_OPEN ||
1004	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1005		if (buffer_len(&c->output) > 0)
1006			FD_SET(c->wfd, writeset);
1007		else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN)
1008			chan_obuf_empty(c);
1009	}
1010}
1011
1012/* try to decode a socks4 header */
1013/* ARGSUSED */
1014static int
1015channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
1016{
1017	char *p, *host;
1018	u_int len, have, i, found, need;
1019	char username[256];
1020	struct {
1021		u_int8_t version;
1022		u_int8_t command;
1023		u_int16_t dest_port;
1024		struct in_addr dest_addr;
1025	} s4_req, s4_rsp;
1026
1027	debug2("channel %d: decode socks4", c->self);
1028
1029	have = buffer_len(&c->input);
1030	len = sizeof(s4_req);
1031	if (have < len)
1032		return 0;
1033	p = buffer_ptr(&c->input);
1034
1035	need = 1;
1036	/* SOCKS4A uses an invalid IP address 0.0.0.x */
1037	if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1038		debug2("channel %d: socks4a request", c->self);
1039		/* ... and needs an extra string (the hostname) */
1040		need = 2;
1041	}
1042	/* Check for terminating NUL on the string(s) */
1043	for (found = 0, i = len; i < have; i++) {
1044		if (p[i] == '\0') {
1045			found++;
1046			if (found == need)
1047				break;
1048		}
1049		if (i > 1024) {
1050			/* the peer is probably sending garbage */
1051			debug("channel %d: decode socks4: too long",
1052			    c->self);
1053			return -1;
1054		}
1055	}
1056	if (found < need)
1057		return 0;
1058	buffer_get(&c->input, (char *)&s4_req.version, 1);
1059	buffer_get(&c->input, (char *)&s4_req.command, 1);
1060	buffer_get(&c->input, (char *)&s4_req.dest_port, 2);
1061	buffer_get(&c->input, (char *)&s4_req.dest_addr, 4);
1062	have = buffer_len(&c->input);
1063	p = buffer_ptr(&c->input);
1064	len = strlen(p);
1065	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1066	len++;					/* trailing '\0' */
1067	if (len > have)
1068		fatal("channel %d: decode socks4: len %d > have %d",
1069		    c->self, len, have);
1070	strlcpy(username, p, sizeof(username));
1071	buffer_consume(&c->input, len);
1072
1073	if (c->path != NULL) {
1074		xfree(c->path);
1075		c->path = NULL;
1076	}
1077	if (need == 1) {			/* SOCKS4: one string */
1078		host = inet_ntoa(s4_req.dest_addr);
1079		c->path = xstrdup(host);
1080	} else {				/* SOCKS4A: two strings */
1081		have = buffer_len(&c->input);
1082		p = buffer_ptr(&c->input);
1083		len = strlen(p);
1084		debug2("channel %d: decode socks4a: host %s/%d",
1085		    c->self, p, len);
1086		len++;				/* trailing '\0' */
1087		if (len > have)
1088			fatal("channel %d: decode socks4a: len %d > have %d",
1089			    c->self, len, have);
1090		if (len > NI_MAXHOST) {
1091			error("channel %d: hostname \"%.100s\" too long",
1092			    c->self, p);
1093			return -1;
1094		}
1095		c->path = xstrdup(p);
1096		buffer_consume(&c->input, len);
1097	}
1098	c->host_port = ntohs(s4_req.dest_port);
1099
1100	debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
1101	    c->self, c->path, c->host_port, s4_req.command);
1102
1103	if (s4_req.command != 1) {
1104		debug("channel %d: cannot handle: %s cn %d",
1105		    c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command);
1106		return -1;
1107	}
1108	s4_rsp.version = 0;			/* vn: 0 for reply */
1109	s4_rsp.command = 90;			/* cd: req granted */
1110	s4_rsp.dest_port = 0;			/* ignored */
1111	s4_rsp.dest_addr.s_addr = INADDR_ANY;	/* ignored */
1112	buffer_append(&c->output, &s4_rsp, sizeof(s4_rsp));
1113	return 1;
1114}
1115
1116/* try to decode a socks5 header */
1117#define SSH_SOCKS5_AUTHDONE	0x1000
1118#define SSH_SOCKS5_NOAUTH	0x00
1119#define SSH_SOCKS5_IPV4		0x01
1120#define SSH_SOCKS5_DOMAIN	0x03
1121#define SSH_SOCKS5_IPV6		0x04
1122#define SSH_SOCKS5_CONNECT	0x01
1123#define SSH_SOCKS5_SUCCESS	0x00
1124
1125/* ARGSUSED */
1126static int
1127channel_decode_socks5(Channel *c, fd_set *readset, fd_set *writeset)
1128{
1129	struct {
1130		u_int8_t version;
1131		u_int8_t command;
1132		u_int8_t reserved;
1133		u_int8_t atyp;
1134	} s5_req, s5_rsp;
1135	u_int16_t dest_port;
1136	u_char *p, dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1137	u_int have, need, i, found, nmethods, addrlen, af;
1138
1139	debug2("channel %d: decode socks5", c->self);
1140	p = buffer_ptr(&c->input);
1141	if (p[0] != 0x05)
1142		return -1;
1143	have = buffer_len(&c->input);
1144	if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
1145		/* format: ver | nmethods | methods */
1146		if (have < 2)
1147			return 0;
1148		nmethods = p[1];
1149		if (have < nmethods + 2)
1150			return 0;
1151		/* look for method: "NO AUTHENTICATION REQUIRED" */
1152		for (found = 0, i = 2; i < nmethods + 2; i++) {
1153			if (p[i] == SSH_SOCKS5_NOAUTH) {
1154				found = 1;
1155				break;
1156			}
1157		}
1158		if (!found) {
1159			debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
1160			    c->self);
1161			return -1;
1162		}
1163		buffer_consume(&c->input, nmethods + 2);
1164		buffer_put_char(&c->output, 0x05);		/* version */
1165		buffer_put_char(&c->output, SSH_SOCKS5_NOAUTH);	/* method */
1166		FD_SET(c->sock, writeset);
1167		c->flags |= SSH_SOCKS5_AUTHDONE;
1168		debug2("channel %d: socks5 auth done", c->self);
1169		return 0;				/* need more */
1170	}
1171	debug2("channel %d: socks5 post auth", c->self);
1172	if (have < sizeof(s5_req)+1)
1173		return 0;			/* need more */
1174	memcpy(&s5_req, p, sizeof(s5_req));
1175	if (s5_req.version != 0x05 ||
1176	    s5_req.command != SSH_SOCKS5_CONNECT ||
1177	    s5_req.reserved != 0x00) {
1178		debug2("channel %d: only socks5 connect supported", c->self);
1179		return -1;
1180	}
1181	switch (s5_req.atyp){
1182	case SSH_SOCKS5_IPV4:
1183		addrlen = 4;
1184		af = AF_INET;
1185		break;
1186	case SSH_SOCKS5_DOMAIN:
1187		addrlen = p[sizeof(s5_req)];
1188		af = -1;
1189		break;
1190	case SSH_SOCKS5_IPV6:
1191		addrlen = 16;
1192		af = AF_INET6;
1193		break;
1194	default:
1195		debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
1196		return -1;
1197	}
1198	need = sizeof(s5_req) + addrlen + 2;
1199	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1200		need++;
1201	if (have < need)
1202		return 0;
1203	buffer_consume(&c->input, sizeof(s5_req));
1204	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1205		buffer_consume(&c->input, 1);    /* host string length */
1206	buffer_get(&c->input, (char *)&dest_addr, addrlen);
1207	buffer_get(&c->input, (char *)&dest_port, 2);
1208	dest_addr[addrlen] = '\0';
1209	if (c->path != NULL) {
1210		xfree(c->path);
1211		c->path = NULL;
1212	}
1213	if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1214		if (addrlen >= NI_MAXHOST) {
1215			error("channel %d: dynamic request: socks5 hostname "
1216			    "\"%.100s\" too long", c->self, dest_addr);
1217			return -1;
1218		}
1219		c->path = xstrdup(dest_addr);
1220	} else {
1221		if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
1222			return -1;
1223		c->path = xstrdup(ntop);
1224	}
1225	c->host_port = ntohs(dest_port);
1226
1227	debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
1228	    c->self, c->path, c->host_port, s5_req.command);
1229
1230	s5_rsp.version = 0x05;
1231	s5_rsp.command = SSH_SOCKS5_SUCCESS;
1232	s5_rsp.reserved = 0;			/* ignored */
1233	s5_rsp.atyp = SSH_SOCKS5_IPV4;
1234	((struct in_addr *)&dest_addr)->s_addr = INADDR_ANY;
1235	dest_port = 0;				/* ignored */
1236
1237	buffer_append(&c->output, &s5_rsp, sizeof(s5_rsp));
1238	buffer_append(&c->output, &dest_addr, sizeof(struct in_addr));
1239	buffer_append(&c->output, &dest_port, sizeof(dest_port));
1240	return 1;
1241}
1242
1243Channel *
1244channel_connect_stdio_fwd(const char *host_to_connect, u_short port_to_connect,
1245    int in, int out)
1246{
1247	Channel *c;
1248
1249	debug("channel_connect_stdio_fwd %s:%d", host_to_connect,
1250	    port_to_connect);
1251
1252	c = channel_new("stdio-forward", SSH_CHANNEL_OPENING, in, out,
1253	    -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1254	    0, "stdio-forward", /*nonblock*/0);
1255
1256	c->path = xstrdup(host_to_connect);
1257	c->host_port = port_to_connect;
1258	c->listening_port = 0;
1259	c->force_drain = 1;
1260
1261	channel_register_fds(c, in, out, -1, 0, 1, 0);
1262	port_open_helper(c, "direct-tcpip");
1263
1264	return c;
1265}
1266
1267/* dynamic port forwarding */
1268static void
1269channel_pre_dynamic(Channel *c, fd_set *readset, fd_set *writeset)
1270{
1271	u_char *p;
1272	u_int have;
1273	int ret;
1274
1275	have = buffer_len(&c->input);
1276	debug2("channel %d: pre_dynamic: have %d", c->self, have);
1277	/* buffer_dump(&c->input); */
1278	/* check if the fixed size part of the packet is in buffer. */
1279	if (have < 3) {
1280		/* need more */
1281		FD_SET(c->sock, readset);
1282		return;
1283	}
1284	/* try to guess the protocol */
1285	p = buffer_ptr(&c->input);
1286	switch (p[0]) {
1287	case 0x04:
1288		ret = channel_decode_socks4(c, readset, writeset);
1289		break;
1290	case 0x05:
1291		ret = channel_decode_socks5(c, readset, writeset);
1292		break;
1293	default:
1294		ret = -1;
1295		break;
1296	}
1297	if (ret < 0) {
1298		chan_mark_dead(c);
1299	} else if (ret == 0) {
1300		debug2("channel %d: pre_dynamic: need more", c->self);
1301		/* need more */
1302		FD_SET(c->sock, readset);
1303	} else {
1304		/* switch to the next state */
1305		c->type = SSH_CHANNEL_OPENING;
1306		port_open_helper(c, "direct-tcpip");
1307	}
1308}
1309
1310/* This is our fake X11 server socket. */
1311/* ARGSUSED */
1312static void
1313channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
1314{
1315	Channel *nc;
1316	struct sockaddr_storage addr;
1317	int newsock;
1318	socklen_t addrlen;
1319	char buf[16384], *remote_ipaddr;
1320	int remote_port;
1321
1322	if (FD_ISSET(c->sock, readset)) {
1323		debug("X11 connection requested.");
1324		addrlen = sizeof(addr);
1325		newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1326		if (c->single_connection) {
1327			debug2("single_connection: closing X11 listener.");
1328			channel_close_fd(&c->sock);
1329			chan_mark_dead(c);
1330		}
1331		if (newsock < 0) {
1332			error("accept: %.100s", strerror(errno));
1333			return;
1334		}
1335		set_nodelay(newsock);
1336		remote_ipaddr = get_peer_ipaddr(newsock);
1337		remote_port = get_peer_port(newsock);
1338		snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1339		    remote_ipaddr, remote_port);
1340
1341		nc = channel_new("accepted x11 socket",
1342		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
1343		    c->local_window_max, c->local_maxpacket, 0, buf, 1);
1344		if (compat20) {
1345			packet_start(SSH2_MSG_CHANNEL_OPEN);
1346			packet_put_cstring("x11");
1347			packet_put_int(nc->self);
1348			packet_put_int(nc->local_window_max);
1349			packet_put_int(nc->local_maxpacket);
1350			/* originator ipaddr and port */
1351			packet_put_cstring(remote_ipaddr);
1352			if (datafellows & SSH_BUG_X11FWD) {
1353				debug2("ssh2 x11 bug compat mode");
1354			} else {
1355				packet_put_int(remote_port);
1356			}
1357			packet_send();
1358		} else {
1359			packet_start(SSH_SMSG_X11_OPEN);
1360			packet_put_int(nc->self);
1361			if (packet_get_protocol_flags() &
1362			    SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
1363				packet_put_cstring(buf);
1364			packet_send();
1365		}
1366		xfree(remote_ipaddr);
1367	}
1368}
1369
1370static void
1371port_open_helper(Channel *c, char *rtype)
1372{
1373	int direct;
1374	char buf[1024];
1375	char *remote_ipaddr = get_peer_ipaddr(c->sock);
1376	int remote_port = get_peer_port(c->sock);
1377
1378	if (remote_port == -1) {
1379		/* Fake addr/port to appease peers that validate it (Tectia) */
1380		xfree(remote_ipaddr);
1381		remote_ipaddr = xstrdup("127.0.0.1");
1382		remote_port = 65535;
1383	}
1384
1385	direct = (strcmp(rtype, "direct-tcpip") == 0);
1386
1387	snprintf(buf, sizeof buf,
1388	    "%s: listening port %d for %.100s port %d, "
1389	    "connect from %.200s port %d",
1390	    rtype, c->listening_port, c->path, c->host_port,
1391	    remote_ipaddr, remote_port);
1392
1393	xfree(c->remote_name);
1394	c->remote_name = xstrdup(buf);
1395
1396	if (compat20) {
1397		packet_start(SSH2_MSG_CHANNEL_OPEN);
1398		packet_put_cstring(rtype);
1399		packet_put_int(c->self);
1400		packet_put_int(c->local_window_max);
1401		packet_put_int(c->local_maxpacket);
1402		if (direct) {
1403			/* target host, port */
1404			packet_put_cstring(c->path);
1405			packet_put_int(c->host_port);
1406		} else {
1407			/* listen address, port */
1408			packet_put_cstring(c->path);
1409			packet_put_int(c->listening_port);
1410		}
1411		/* originator host and port */
1412		packet_put_cstring(remote_ipaddr);
1413		packet_put_int((u_int)remote_port);
1414		packet_send();
1415	} else {
1416		packet_start(SSH_MSG_PORT_OPEN);
1417		packet_put_int(c->self);
1418		packet_put_cstring(c->path);
1419		packet_put_int(c->host_port);
1420		if (packet_get_protocol_flags() &
1421		    SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
1422			packet_put_cstring(c->remote_name);
1423		packet_send();
1424	}
1425	xfree(remote_ipaddr);
1426}
1427
1428static void
1429channel_set_reuseaddr(int fd)
1430{
1431	int on = 1;
1432
1433	/*
1434	 * Set socket options.
1435	 * Allow local port reuse in TIME_WAIT.
1436	 */
1437	if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1)
1438		error("setsockopt SO_REUSEADDR fd %d: %s", fd, strerror(errno));
1439}
1440
1441/*
1442 * This socket is listening for connections to a forwarded TCP/IP port.
1443 */
1444/* ARGSUSED */
1445static void
1446channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
1447{
1448	Channel *nc;
1449	struct sockaddr_storage addr;
1450	int newsock, nextstate;
1451	socklen_t addrlen;
1452	char *rtype;
1453
1454	if (FD_ISSET(c->sock, readset)) {
1455		debug("Connection to port %d forwarding "
1456		    "to %.100s port %d requested.",
1457		    c->listening_port, c->path, c->host_port);
1458
1459		if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1460			nextstate = SSH_CHANNEL_OPENING;
1461			rtype = "forwarded-tcpip";
1462		} else {
1463			if (c->host_port == 0) {
1464				nextstate = SSH_CHANNEL_DYNAMIC;
1465				rtype = "dynamic-tcpip";
1466			} else {
1467				nextstate = SSH_CHANNEL_OPENING;
1468				rtype = "direct-tcpip";
1469			}
1470		}
1471
1472		addrlen = sizeof(addr);
1473		newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1474		if (newsock < 0) {
1475			error("accept: %.100s", strerror(errno));
1476			return;
1477		}
1478		set_nodelay(newsock);
1479		nc = channel_new(rtype, nextstate, newsock, newsock, -1,
1480		    c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1481		nc->listening_port = c->listening_port;
1482		nc->host_port = c->host_port;
1483		if (c->path != NULL)
1484			nc->path = xstrdup(c->path);
1485
1486		if (nextstate != SSH_CHANNEL_DYNAMIC)
1487			port_open_helper(nc, rtype);
1488	}
1489}
1490
1491/*
1492 * This is the authentication agent socket listening for connections from
1493 * clients.
1494 */
1495/* ARGSUSED */
1496static void
1497channel_post_auth_listener(Channel *c, fd_set *readset, fd_set *writeset)
1498{
1499	Channel *nc;
1500	int newsock;
1501	struct sockaddr_storage addr;
1502	socklen_t addrlen;
1503
1504	if (FD_ISSET(c->sock, readset)) {
1505		addrlen = sizeof(addr);
1506		newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1507		if (newsock < 0) {
1508			error("accept from auth socket: %.100s", strerror(errno));
1509			return;
1510		}
1511		nc = channel_new("accepted auth socket",
1512		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
1513		    c->local_window_max, c->local_maxpacket,
1514		    0, "accepted auth socket", 1);
1515		if (compat20) {
1516			packet_start(SSH2_MSG_CHANNEL_OPEN);
1517			packet_put_cstring("auth-agent@openssh.com");
1518			packet_put_int(nc->self);
1519			packet_put_int(c->local_window_max);
1520			packet_put_int(c->local_maxpacket);
1521		} else {
1522			packet_start(SSH_SMSG_AGENT_OPEN);
1523			packet_put_int(nc->self);
1524		}
1525		packet_send();
1526	}
1527}
1528
1529/* ARGSUSED */
1530static void
1531channel_post_connecting(Channel *c, fd_set *readset, fd_set *writeset)
1532{
1533	int err = 0, sock;
1534	socklen_t sz = sizeof(err);
1535
1536	if (FD_ISSET(c->sock, writeset)) {
1537		if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) {
1538			err = errno;
1539			error("getsockopt SO_ERROR failed");
1540		}
1541		if (err == 0) {
1542			debug("channel %d: connected to %s port %d",
1543			    c->self, c->connect_ctx.host, c->connect_ctx.port);
1544			channel_connect_ctx_free(&c->connect_ctx);
1545			c->type = SSH_CHANNEL_OPEN;
1546			if (compat20) {
1547				packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
1548				packet_put_int(c->remote_id);
1549				packet_put_int(c->self);
1550				packet_put_int(c->local_window);
1551				packet_put_int(c->local_maxpacket);
1552			} else {
1553				packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
1554				packet_put_int(c->remote_id);
1555				packet_put_int(c->self);
1556			}
1557		} else {
1558			debug("channel %d: connection failed: %s",
1559			    c->self, strerror(err));
1560			/* Try next address, if any */
1561			if ((sock = connect_next(&c->connect_ctx)) > 0) {
1562				close(c->sock);
1563				c->sock = c->rfd = c->wfd = sock;
1564				channel_max_fd = channel_find_maxfd();
1565				return;
1566			}
1567			/* Exhausted all addresses */
1568			error("connect_to %.100s port %d: failed.",
1569			    c->connect_ctx.host, c->connect_ctx.port);
1570			channel_connect_ctx_free(&c->connect_ctx);
1571			if (compat20) {
1572				packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
1573				packet_put_int(c->remote_id);
1574				packet_put_int(SSH2_OPEN_CONNECT_FAILED);
1575				if (!(datafellows & SSH_BUG_OPENFAILURE)) {
1576					packet_put_cstring(strerror(err));
1577					packet_put_cstring("");
1578				}
1579			} else {
1580				packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
1581				packet_put_int(c->remote_id);
1582			}
1583			chan_mark_dead(c);
1584		}
1585		packet_send();
1586	}
1587}
1588
1589/* ARGSUSED */
1590static int
1591channel_handle_rfd(Channel *c, fd_set *readset, fd_set *writeset)
1592{
1593	char buf[CHAN_RBUF];
1594	int len, force;
1595
1596	force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
1597	if (c->rfd != -1 && (force || FD_ISSET(c->rfd, readset))) {
1598		errno = 0;
1599		len = read(c->rfd, buf, sizeof(buf));
1600		if (len < 0 && (errno == EINTR ||
1601		    ((errno == EAGAIN || errno == EWOULDBLOCK) && !force)))
1602			return 1;
1603#ifndef PTY_ZEROREAD
1604		if (len <= 0) {
1605#else
1606		if ((!c->isatty && len <= 0) ||
1607		    (c->isatty && (len < 0 || (len == 0 && errno != 0)))) {
1608#endif
1609			debug2("channel %d: read<=0 rfd %d len %d",
1610			    c->self, c->rfd, len);
1611			if (c->type != SSH_CHANNEL_OPEN) {
1612				debug2("channel %d: not open", c->self);
1613				chan_mark_dead(c);
1614				return -1;
1615			} else if (compat13) {
1616				buffer_clear(&c->output);
1617				c->type = SSH_CHANNEL_INPUT_DRAINING;
1618				debug2("channel %d: input draining.", c->self);
1619			} else {
1620				chan_read_failed(c);
1621			}
1622			return -1;
1623		}
1624		if (c->input_filter != NULL) {
1625			if (c->input_filter(c, buf, len) == -1) {
1626				debug2("channel %d: filter stops", c->self);
1627				chan_read_failed(c);
1628			}
1629		} else if (c->datagram) {
1630			buffer_put_string(&c->input, buf, len);
1631		} else {
1632			buffer_append(&c->input, buf, len);
1633		}
1634	}
1635	return 1;
1636}
1637
1638/* ARGSUSED */
1639static int
1640channel_handle_wfd(Channel *c, fd_set *readset, fd_set *writeset)
1641{
1642	struct termios tio;
1643	u_char *data = NULL, *buf;
1644	u_int dlen, olen = 0;
1645	int len;
1646
1647	/* Send buffered output data to the socket. */
1648	if (c->wfd != -1 &&
1649	    FD_ISSET(c->wfd, writeset) &&
1650	    buffer_len(&c->output) > 0) {
1651		olen = buffer_len(&c->output);
1652		if (c->output_filter != NULL) {
1653			if ((buf = c->output_filter(c, &data, &dlen)) == NULL) {
1654				debug2("channel %d: filter stops", c->self);
1655				if (c->type != SSH_CHANNEL_OPEN)
1656					chan_mark_dead(c);
1657				else
1658					chan_write_failed(c);
1659				return -1;
1660			}
1661		} else if (c->datagram) {
1662			buf = data = buffer_get_string(&c->output, &dlen);
1663		} else {
1664			buf = data = buffer_ptr(&c->output);
1665			dlen = buffer_len(&c->output);
1666		}
1667
1668		if (c->datagram) {
1669			/* ignore truncated writes, datagrams might get lost */
1670			len = write(c->wfd, buf, dlen);
1671			xfree(data);
1672			if (len < 0 && (errno == EINTR || errno == EAGAIN ||
1673			    errno == EWOULDBLOCK))
1674				return 1;
1675			if (len <= 0) {
1676				if (c->type != SSH_CHANNEL_OPEN)
1677					chan_mark_dead(c);
1678				else
1679					chan_write_failed(c);
1680				return -1;
1681			}
1682			goto out;
1683		}
1684#ifdef _AIX
1685		/* XXX: Later AIX versions can't push as much data to tty */
1686		if (compat20 && c->wfd_isatty)
1687			dlen = MIN(dlen, 8*1024);
1688#endif
1689
1690		len = write(c->wfd, buf, dlen);
1691		if (len < 0 &&
1692		    (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK))
1693			return 1;
1694		if (len <= 0) {
1695			if (c->type != SSH_CHANNEL_OPEN) {
1696				debug2("channel %d: not open", c->self);
1697				chan_mark_dead(c);
1698				return -1;
1699			} else if (compat13) {
1700				buffer_clear(&c->output);
1701				debug2("channel %d: input draining.", c->self);
1702				c->type = SSH_CHANNEL_INPUT_DRAINING;
1703			} else {
1704				chan_write_failed(c);
1705			}
1706			return -1;
1707		}
1708#ifndef BROKEN_TCGETATTR_ICANON
1709		if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
1710			if (tcgetattr(c->wfd, &tio) == 0 &&
1711			    !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
1712				/*
1713				 * Simulate echo to reduce the impact of
1714				 * traffic analysis. We need to match the
1715				 * size of a SSH2_MSG_CHANNEL_DATA message
1716				 * (4 byte channel id + buf)
1717				 */
1718				packet_send_ignore(4 + len);
1719				packet_send();
1720			}
1721		}
1722#endif
1723		buffer_consume(&c->output, len);
1724	}
1725 out:
1726	if (compat20 && olen > 0)
1727		c->local_consumed += olen - buffer_len(&c->output);
1728	return 1;
1729}
1730
1731static int
1732channel_handle_efd(Channel *c, fd_set *readset, fd_set *writeset)
1733{
1734	char buf[CHAN_RBUF];
1735	int len;
1736
1737/** XXX handle drain efd, too */
1738	if (c->efd != -1) {
1739		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1740		    FD_ISSET(c->efd, writeset) &&
1741		    buffer_len(&c->extended) > 0) {
1742			len = write(c->efd, buffer_ptr(&c->extended),
1743			    buffer_len(&c->extended));
1744			debug2("channel %d: written %d to efd %d",
1745			    c->self, len, c->efd);
1746			if (len < 0 && (errno == EINTR || errno == EAGAIN ||
1747			    errno == EWOULDBLOCK))
1748				return 1;
1749			if (len <= 0) {
1750				debug2("channel %d: closing write-efd %d",
1751				    c->self, c->efd);
1752				channel_close_fd(&c->efd);
1753			} else {
1754				buffer_consume(&c->extended, len);
1755				c->local_consumed += len;
1756			}
1757		} else if (c->efd != -1 &&
1758		    (c->extended_usage == CHAN_EXTENDED_READ ||
1759		    c->extended_usage == CHAN_EXTENDED_IGNORE) &&
1760		    (c->detach_close || FD_ISSET(c->efd, readset))) {
1761			len = read(c->efd, buf, sizeof(buf));
1762			debug2("channel %d: read %d from efd %d",
1763			    c->self, len, c->efd);
1764			if (len < 0 && (errno == EINTR || ((errno == EAGAIN ||
1765			    errno == EWOULDBLOCK) && !c->detach_close)))
1766				return 1;
1767			if (len <= 0) {
1768				debug2("channel %d: closing read-efd %d",
1769				    c->self, c->efd);
1770				channel_close_fd(&c->efd);
1771			} else {
1772				if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
1773					debug3("channel %d: discard efd",
1774					    c->self);
1775				} else
1776					buffer_append(&c->extended, buf, len);
1777			}
1778		}
1779	}
1780	return 1;
1781}
1782
1783static int
1784channel_check_window(Channel *c)
1785{
1786	if (c->type == SSH_CHANNEL_OPEN &&
1787	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
1788	    ((c->local_window_max - c->local_window >
1789	    c->local_maxpacket*3) ||
1790	    c->local_window < c->local_window_max/2) &&
1791	    c->local_consumed > 0) {
1792		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
1793		packet_put_int(c->remote_id);
1794		packet_put_int(c->local_consumed);
1795		packet_send();
1796		debug2("channel %d: window %d sent adjust %d",
1797		    c->self, c->local_window,
1798		    c->local_consumed);
1799		c->local_window += c->local_consumed;
1800		c->local_consumed = 0;
1801	}
1802	return 1;
1803}
1804
1805static void
1806channel_post_open(Channel *c, fd_set *readset, fd_set *writeset)
1807{
1808	channel_handle_rfd(c, readset, writeset);
1809	channel_handle_wfd(c, readset, writeset);
1810	if (!compat20)
1811		return;
1812	channel_handle_efd(c, readset, writeset);
1813	channel_check_window(c);
1814}
1815
1816static u_int
1817read_mux(Channel *c, u_int need)
1818{
1819	char buf[CHAN_RBUF];
1820	int len;
1821	u_int rlen;
1822
1823	if (buffer_len(&c->input) < need) {
1824		rlen = need - buffer_len(&c->input);
1825		len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF));
1826		if (len <= 0) {
1827			if (errno != EINTR && errno != EAGAIN) {
1828				debug2("channel %d: ctl read<=0 rfd %d len %d",
1829				    c->self, c->rfd, len);
1830				chan_read_failed(c);
1831				return 0;
1832			}
1833		} else
1834			buffer_append(&c->input, buf, len);
1835	}
1836	return buffer_len(&c->input);
1837}
1838
1839static void
1840channel_post_mux_client(Channel *c, fd_set *readset, fd_set *writeset)
1841{
1842	u_int need;
1843	ssize_t len;
1844
1845	if (!compat20)
1846		fatal("%s: entered with !compat20", __func__);
1847
1848	if (c->rfd != -1 && !c->mux_pause && FD_ISSET(c->rfd, readset) &&
1849	    (c->istate == CHAN_INPUT_OPEN ||
1850	    c->istate == CHAN_INPUT_WAIT_DRAIN)) {
1851		/*
1852		 * Don't not read past the precise end of packets to
1853		 * avoid disrupting fd passing.
1854		 */
1855		if (read_mux(c, 4) < 4) /* read header */
1856			return;
1857		need = get_u32(buffer_ptr(&c->input));
1858#define CHANNEL_MUX_MAX_PACKET	(256 * 1024)
1859		if (need > CHANNEL_MUX_MAX_PACKET) {
1860			debug2("channel %d: packet too big %u > %u",
1861			    c->self, CHANNEL_MUX_MAX_PACKET, need);
1862			chan_rcvd_oclose(c);
1863			return;
1864		}
1865		if (read_mux(c, need + 4) < need + 4) /* read body */
1866			return;
1867		if (c->mux_rcb(c) != 0) {
1868			debug("channel %d: mux_rcb failed", c->self);
1869			chan_mark_dead(c);
1870			return;
1871		}
1872	}
1873
1874	if (c->wfd != -1 && FD_ISSET(c->wfd, writeset) &&
1875	    buffer_len(&c->output) > 0) {
1876		len = write(c->wfd, buffer_ptr(&c->output),
1877		    buffer_len(&c->output));
1878		if (len < 0 && (errno == EINTR || errno == EAGAIN))
1879			return;
1880		if (len <= 0) {
1881			chan_mark_dead(c);
1882			return;
1883		}
1884		buffer_consume(&c->output, len);
1885	}
1886}
1887
1888static void
1889channel_post_mux_listener(Channel *c, fd_set *readset, fd_set *writeset)
1890{
1891	Channel *nc;
1892	struct sockaddr_storage addr;
1893	socklen_t addrlen;
1894	int newsock;
1895	uid_t euid;
1896	gid_t egid;
1897
1898	if (!FD_ISSET(c->sock, readset))
1899		return;
1900
1901	debug("multiplexing control connection");
1902
1903	/*
1904	 * Accept connection on control socket
1905	 */
1906	memset(&addr, 0, sizeof(addr));
1907	addrlen = sizeof(addr);
1908	if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
1909	    &addrlen)) == -1) {
1910		error("%s accept: %s", __func__, strerror(errno));
1911		return;
1912	}
1913
1914	if (getpeereid(newsock, &euid, &egid) < 0) {
1915		error("%s getpeereid failed: %s", __func__,
1916		    strerror(errno));
1917		close(newsock);
1918		return;
1919	}
1920	if ((euid != 0) && (getuid() != euid)) {
1921		error("multiplex uid mismatch: peer euid %u != uid %u",
1922		    (u_int)euid, (u_int)getuid());
1923		close(newsock);
1924		return;
1925	}
1926	nc = channel_new("multiplex client", SSH_CHANNEL_MUX_CLIENT,
1927	    newsock, newsock, -1, c->local_window_max,
1928	    c->local_maxpacket, 0, "mux-control", 1);
1929	nc->mux_rcb = c->mux_rcb;
1930	debug3("%s: new mux channel %d fd %d", __func__,
1931	    nc->self, nc->sock);
1932	/* establish state */
1933	nc->mux_rcb(nc);
1934	/* mux state transitions must not elicit protocol messages */
1935	nc->flags |= CHAN_LOCAL;
1936}
1937
1938/* ARGSUSED */
1939static void
1940channel_post_output_drain_13(Channel *c, fd_set *readset, fd_set *writeset)
1941{
1942	int len;
1943
1944	/* Send buffered output data to the socket. */
1945	if (FD_ISSET(c->sock, writeset) && buffer_len(&c->output) > 0) {
1946		len = write(c->sock, buffer_ptr(&c->output),
1947			    buffer_len(&c->output));
1948		if (len <= 0)
1949			buffer_clear(&c->output);
1950		else
1951			buffer_consume(&c->output, len);
1952	}
1953}
1954
1955static void
1956channel_handler_init_20(void)
1957{
1958	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open;
1959	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
1960	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
1961	channel_pre[SSH_CHANNEL_RPORT_LISTENER] =	&channel_pre_listener;
1962	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
1963	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
1964	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
1965	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
1966	channel_pre[SSH_CHANNEL_MUX_LISTENER] =		&channel_pre_listener;
1967	channel_pre[SSH_CHANNEL_MUX_CLIENT] =		&channel_pre_mux_client;
1968
1969	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
1970	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
1971	channel_post[SSH_CHANNEL_RPORT_LISTENER] =	&channel_post_port_listener;
1972	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
1973	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
1974	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
1975	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
1976	channel_post[SSH_CHANNEL_MUX_LISTENER] =	&channel_post_mux_listener;
1977	channel_post[SSH_CHANNEL_MUX_CLIENT] =		&channel_post_mux_client;
1978}
1979
1980static void
1981channel_handler_init_13(void)
1982{
1983	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open_13;
1984	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open_13;
1985	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
1986	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
1987	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
1988	channel_pre[SSH_CHANNEL_INPUT_DRAINING] =	&channel_pre_input_draining;
1989	channel_pre[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_pre_output_draining;
1990	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
1991	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
1992
1993	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
1994	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
1995	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
1996	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
1997	channel_post[SSH_CHANNEL_OUTPUT_DRAINING] =	&channel_post_output_drain_13;
1998	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
1999	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
2000}
2001
2002static void
2003channel_handler_init_15(void)
2004{
2005	channel_pre[SSH_CHANNEL_OPEN] =			&channel_pre_open;
2006	channel_pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
2007	channel_pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
2008	channel_pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
2009	channel_pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
2010	channel_pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
2011	channel_pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
2012
2013	channel_post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
2014	channel_post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
2015	channel_post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
2016	channel_post[SSH_CHANNEL_OPEN] =		&channel_post_open;
2017	channel_post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
2018	channel_post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
2019}
2020
2021static void
2022channel_handler_init(void)
2023{
2024	int i;
2025
2026	for (i = 0; i < SSH_CHANNEL_MAX_TYPE; i++) {
2027		channel_pre[i] = NULL;
2028		channel_post[i] = NULL;
2029	}
2030	if (compat20)
2031		channel_handler_init_20();
2032	else if (compat13)
2033		channel_handler_init_13();
2034	else
2035		channel_handler_init_15();
2036}
2037
2038/* gc dead channels */
2039static void
2040channel_garbage_collect(Channel *c)
2041{
2042	if (c == NULL)
2043		return;
2044	if (c->detach_user != NULL) {
2045		if (!chan_is_dead(c, c->detach_close))
2046			return;
2047		debug2("channel %d: gc: notify user", c->self);
2048		c->detach_user(c->self, NULL);
2049		/* if we still have a callback */
2050		if (c->detach_user != NULL)
2051			return;
2052		debug2("channel %d: gc: user detached", c->self);
2053	}
2054	if (!chan_is_dead(c, 1))
2055		return;
2056	debug2("channel %d: garbage collecting", c->self);
2057	channel_free(c);
2058}
2059
2060static void
2061channel_handler(chan_fn *ftab[], fd_set *readset, fd_set *writeset)
2062{
2063	static int did_init = 0;
2064	u_int i, oalloc;
2065	Channel *c;
2066
2067	if (!did_init) {
2068		channel_handler_init();
2069		did_init = 1;
2070	}
2071	for (i = 0, oalloc = channels_alloc; i < oalloc; i++) {
2072		c = channels[i];
2073		if (c == NULL)
2074			continue;
2075		if (c->delayed) {
2076			if (ftab == channel_pre)
2077				c->delayed = 0;
2078			else
2079				continue;
2080		}
2081		if (ftab[c->type] != NULL)
2082			(*ftab[c->type])(c, readset, writeset);
2083		channel_garbage_collect(c);
2084	}
2085}
2086
2087/*
2088 * Allocate/update select bitmasks and add any bits relevant to channels in
2089 * select bitmasks.
2090 */
2091void
2092channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
2093    u_int *nallocp, int rekeying)
2094{
2095	u_int n, sz, nfdset;
2096
2097	n = MAX(*maxfdp, channel_max_fd);
2098
2099	nfdset = howmany(n+1, NFDBITS);
2100	/* Explicitly test here, because xrealloc isn't always called */
2101	if (nfdset && SIZE_T_MAX / nfdset < sizeof(fd_mask))
2102		fatal("channel_prepare_select: max_fd (%d) is too large", n);
2103	sz = nfdset * sizeof(fd_mask);
2104
2105	/* perhaps check sz < nalloc/2 and shrink? */
2106	if (*readsetp == NULL || sz > *nallocp) {
2107		*readsetp = xrealloc(*readsetp, nfdset, sizeof(fd_mask));
2108		*writesetp = xrealloc(*writesetp, nfdset, sizeof(fd_mask));
2109		*nallocp = sz;
2110	}
2111	*maxfdp = n;
2112	memset(*readsetp, 0, sz);
2113	memset(*writesetp, 0, sz);
2114
2115	if (!rekeying)
2116		channel_handler(channel_pre, *readsetp, *writesetp);
2117}
2118
2119/*
2120 * After select, perform any appropriate operations for channels which have
2121 * events pending.
2122 */
2123void
2124channel_after_select(fd_set *readset, fd_set *writeset)
2125{
2126	channel_handler(channel_post, readset, writeset);
2127}
2128
2129
2130/* If there is data to send to the connection, enqueue some of it now. */
2131void
2132channel_output_poll(void)
2133{
2134	Channel *c;
2135	u_int i, len;
2136
2137	for (i = 0; i < channels_alloc; i++) {
2138		c = channels[i];
2139		if (c == NULL)
2140			continue;
2141
2142		/*
2143		 * We are only interested in channels that can have buffered
2144		 * incoming data.
2145		 */
2146		if (compat13) {
2147			if (c->type != SSH_CHANNEL_OPEN &&
2148			    c->type != SSH_CHANNEL_INPUT_DRAINING)
2149				continue;
2150		} else {
2151			if (c->type != SSH_CHANNEL_OPEN)
2152				continue;
2153		}
2154		if (compat20 &&
2155		    (c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
2156			/* XXX is this true? */
2157			debug3("channel %d: will not send data after close", c->self);
2158			continue;
2159		}
2160
2161		/* Get the amount of buffered data for this channel. */
2162		if ((c->istate == CHAN_INPUT_OPEN ||
2163		    c->istate == CHAN_INPUT_WAIT_DRAIN) &&
2164		    (len = buffer_len(&c->input)) > 0) {
2165			if (c->datagram) {
2166				if (len > 0) {
2167					u_char *data;
2168					u_int dlen;
2169
2170					data = buffer_get_string(&c->input,
2171					    &dlen);
2172					if (dlen > c->remote_window ||
2173					    dlen > c->remote_maxpacket) {
2174						debug("channel %d: datagram "
2175						    "too big for channel",
2176						    c->self);
2177						xfree(data);
2178						continue;
2179					}
2180					packet_start(SSH2_MSG_CHANNEL_DATA);
2181					packet_put_int(c->remote_id);
2182					packet_put_string(data, dlen);
2183					packet_send();
2184					c->remote_window -= dlen + 4;
2185					xfree(data);
2186				}
2187				continue;
2188			}
2189			/*
2190			 * Send some data for the other side over the secure
2191			 * connection.
2192			 */
2193			if (compat20) {
2194				if (len > c->remote_window)
2195					len = c->remote_window;
2196				if (len > c->remote_maxpacket)
2197					len = c->remote_maxpacket;
2198			} else {
2199				if (packet_is_interactive()) {
2200					if (len > 1024)
2201						len = 512;
2202				} else {
2203					/* Keep the packets at reasonable size. */
2204					if (len > packet_get_maxsize()/2)
2205						len = packet_get_maxsize()/2;
2206				}
2207			}
2208			if (len > 0) {
2209				packet_start(compat20 ?
2210				    SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
2211				packet_put_int(c->remote_id);
2212				packet_put_string(buffer_ptr(&c->input), len);
2213				packet_send();
2214				buffer_consume(&c->input, len);
2215				c->remote_window -= len;
2216			}
2217		} else if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
2218			if (compat13)
2219				fatal("cannot happen: istate == INPUT_WAIT_DRAIN for proto 1.3");
2220			/*
2221			 * input-buffer is empty and read-socket shutdown:
2222			 * tell peer, that we will not send more data: send IEOF.
2223			 * hack for extended data: delay EOF if EFD still in use.
2224			 */
2225			if (CHANNEL_EFD_INPUT_ACTIVE(c))
2226				debug2("channel %d: ibuf_empty delayed efd %d/(%d)",
2227				    c->self, c->efd, buffer_len(&c->extended));
2228			else
2229				chan_ibuf_empty(c);
2230		}
2231		/* Send extended data, i.e. stderr */
2232		if (compat20 &&
2233		    !(c->flags & CHAN_EOF_SENT) &&
2234		    c->remote_window > 0 &&
2235		    (len = buffer_len(&c->extended)) > 0 &&
2236		    c->extended_usage == CHAN_EXTENDED_READ) {
2237			debug2("channel %d: rwin %u elen %u euse %d",
2238			    c->self, c->remote_window, buffer_len(&c->extended),
2239			    c->extended_usage);
2240			if (len > c->remote_window)
2241				len = c->remote_window;
2242			if (len > c->remote_maxpacket)
2243				len = c->remote_maxpacket;
2244			packet_start(SSH2_MSG_CHANNEL_EXTENDED_DATA);
2245			packet_put_int(c->remote_id);
2246			packet_put_int(SSH2_EXTENDED_DATA_STDERR);
2247			packet_put_string(buffer_ptr(&c->extended), len);
2248			packet_send();
2249			buffer_consume(&c->extended, len);
2250			c->remote_window -= len;
2251			debug2("channel %d: sent ext data %d", c->self, len);
2252		}
2253	}
2254}
2255
2256
2257/* -- protocol input */
2258
2259/* ARGSUSED */
2260void
2261channel_input_data(int type, u_int32_t seq, void *ctxt)
2262{
2263	int id;
2264	char *data;
2265	u_int data_len, win_len;
2266	Channel *c;
2267
2268	/* Get the channel number and verify it. */
2269	id = packet_get_int();
2270	c = channel_lookup(id);
2271	if (c == NULL)
2272		packet_disconnect("Received data for nonexistent channel %d.", id);
2273
2274	/* Ignore any data for non-open channels (might happen on close) */
2275	if (c->type != SSH_CHANNEL_OPEN &&
2276	    c->type != SSH_CHANNEL_X11_OPEN)
2277		return;
2278
2279	/* Get the data. */
2280	data = packet_get_string_ptr(&data_len);
2281	win_len = data_len;
2282	if (c->datagram)
2283		win_len += 4;  /* string length header */
2284
2285	/*
2286	 * Ignore data for protocol > 1.3 if output end is no longer open.
2287	 * For protocol 2 the sending side is reducing its window as it sends
2288	 * data, so we must 'fake' consumption of the data in order to ensure
2289	 * that window updates are sent back.  Otherwise the connection might
2290	 * deadlock.
2291	 */
2292	if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) {
2293		if (compat20) {
2294			c->local_window -= win_len;
2295			c->local_consumed += win_len;
2296		}
2297		return;
2298	}
2299
2300	if (compat20) {
2301		if (win_len > c->local_maxpacket) {
2302			logit("channel %d: rcvd big packet %d, maxpack %d",
2303			    c->self, win_len, c->local_maxpacket);
2304		}
2305		if (win_len > c->local_window) {
2306			logit("channel %d: rcvd too much data %d, win %d",
2307			    c->self, win_len, c->local_window);
2308			return;
2309		}
2310		c->local_window -= win_len;
2311	}
2312	if (c->datagram)
2313		buffer_put_string(&c->output, data, data_len);
2314	else
2315		buffer_append(&c->output, data, data_len);
2316	packet_check_eom();
2317}
2318
2319/* ARGSUSED */
2320void
2321channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
2322{
2323	int id;
2324	char *data;
2325	u_int data_len, tcode;
2326	Channel *c;
2327
2328	/* Get the channel number and verify it. */
2329	id = packet_get_int();
2330	c = channel_lookup(id);
2331
2332	if (c == NULL)
2333		packet_disconnect("Received extended_data for bad channel %d.", id);
2334	if (c->type != SSH_CHANNEL_OPEN) {
2335		logit("channel %d: ext data for non open", id);
2336		return;
2337	}
2338	if (c->flags & CHAN_EOF_RCVD) {
2339		if (datafellows & SSH_BUG_EXTEOF)
2340			debug("channel %d: accepting ext data after eof", id);
2341		else
2342			packet_disconnect("Received extended_data after EOF "
2343			    "on channel %d.", id);
2344	}
2345	tcode = packet_get_int();
2346	if (c->efd == -1 ||
2347	    c->extended_usage != CHAN_EXTENDED_WRITE ||
2348	    tcode != SSH2_EXTENDED_DATA_STDERR) {
2349		logit("channel %d: bad ext data", c->self);
2350		return;
2351	}
2352	data = packet_get_string(&data_len);
2353	packet_check_eom();
2354	if (data_len > c->local_window) {
2355		logit("channel %d: rcvd too much extended_data %d, win %d",
2356		    c->self, data_len, c->local_window);
2357		xfree(data);
2358		return;
2359	}
2360	debug2("channel %d: rcvd ext data %d", c->self, data_len);
2361	c->local_window -= data_len;
2362	buffer_append(&c->extended, data, data_len);
2363	xfree(data);
2364}
2365
2366/* ARGSUSED */
2367void
2368channel_input_ieof(int type, u_int32_t seq, void *ctxt)
2369{
2370	int id;
2371	Channel *c;
2372
2373	id = packet_get_int();
2374	packet_check_eom();
2375	c = channel_lookup(id);
2376	if (c == NULL)
2377		packet_disconnect("Received ieof for nonexistent channel %d.", id);
2378	chan_rcvd_ieof(c);
2379
2380	/* XXX force input close */
2381	if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
2382		debug("channel %d: FORCE input drain", c->self);
2383		c->istate = CHAN_INPUT_WAIT_DRAIN;
2384		if (buffer_len(&c->input) == 0)
2385			chan_ibuf_empty(c);
2386	}
2387
2388}
2389
2390/* ARGSUSED */
2391void
2392channel_input_close(int type, u_int32_t seq, void *ctxt)
2393{
2394	int id;
2395	Channel *c;
2396
2397	id = packet_get_int();
2398	packet_check_eom();
2399	c = channel_lookup(id);
2400	if (c == NULL)
2401		packet_disconnect("Received close for nonexistent channel %d.", id);
2402
2403	/*
2404	 * Send a confirmation that we have closed the channel and no more
2405	 * data is coming for it.
2406	 */
2407	packet_start(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION);
2408	packet_put_int(c->remote_id);
2409	packet_send();
2410
2411	/*
2412	 * If the channel is in closed state, we have sent a close request,
2413	 * and the other side will eventually respond with a confirmation.
2414	 * Thus, we cannot free the channel here, because then there would be
2415	 * no-one to receive the confirmation.  The channel gets freed when
2416	 * the confirmation arrives.
2417	 */
2418	if (c->type != SSH_CHANNEL_CLOSED) {
2419		/*
2420		 * Not a closed channel - mark it as draining, which will
2421		 * cause it to be freed later.
2422		 */
2423		buffer_clear(&c->input);
2424		c->type = SSH_CHANNEL_OUTPUT_DRAINING;
2425	}
2426}
2427
2428/* proto version 1.5 overloads CLOSE_CONFIRMATION with OCLOSE */
2429/* ARGSUSED */
2430void
2431channel_input_oclose(int type, u_int32_t seq, void *ctxt)
2432{
2433	int id = packet_get_int();
2434	Channel *c = channel_lookup(id);
2435
2436	packet_check_eom();
2437	if (c == NULL)
2438		packet_disconnect("Received oclose for nonexistent channel %d.", id);
2439	chan_rcvd_oclose(c);
2440}
2441
2442/* ARGSUSED */
2443void
2444channel_input_close_confirmation(int type, u_int32_t seq, void *ctxt)
2445{
2446	int id = packet_get_int();
2447	Channel *c = channel_lookup(id);
2448
2449	packet_check_eom();
2450	if (c == NULL)
2451		packet_disconnect("Received close confirmation for "
2452		    "out-of-range channel %d.", id);
2453	if (c->type != SSH_CHANNEL_CLOSED)
2454		packet_disconnect("Received close confirmation for "
2455		    "non-closed channel %d (type %d).", id, c->type);
2456	channel_free(c);
2457}
2458
2459/* ARGSUSED */
2460void
2461channel_input_open_confirmation(int type, u_int32_t seq, void *ctxt)
2462{
2463	int id, remote_id;
2464	Channel *c;
2465
2466	id = packet_get_int();
2467	c = channel_lookup(id);
2468
2469	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
2470		packet_disconnect("Received open confirmation for "
2471		    "non-opening channel %d.", id);
2472	remote_id = packet_get_int();
2473	/* Record the remote channel number and mark that the channel is now open. */
2474	c->remote_id = remote_id;
2475	c->type = SSH_CHANNEL_OPEN;
2476
2477	if (compat20) {
2478		c->remote_window = packet_get_int();
2479		c->remote_maxpacket = packet_get_int();
2480		if (c->open_confirm) {
2481			debug2("callback start");
2482			c->open_confirm(c->self, 1, c->open_confirm_ctx);
2483			debug2("callback done");
2484		}
2485		debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
2486		    c->remote_window, c->remote_maxpacket);
2487	}
2488	packet_check_eom();
2489}
2490
2491static char *
2492reason2txt(int reason)
2493{
2494	switch (reason) {
2495	case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
2496		return "administratively prohibited";
2497	case SSH2_OPEN_CONNECT_FAILED:
2498		return "connect failed";
2499	case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
2500		return "unknown channel type";
2501	case SSH2_OPEN_RESOURCE_SHORTAGE:
2502		return "resource shortage";
2503	}
2504	return "unknown reason";
2505}
2506
2507/* ARGSUSED */
2508void
2509channel_input_open_failure(int type, u_int32_t seq, void *ctxt)
2510{
2511	int id, reason;
2512	char *msg = NULL, *lang = NULL;
2513	Channel *c;
2514
2515	id = packet_get_int();
2516	c = channel_lookup(id);
2517
2518	if (c==NULL || c->type != SSH_CHANNEL_OPENING)
2519		packet_disconnect("Received open failure for "
2520		    "non-opening channel %d.", id);
2521	if (compat20) {
2522		reason = packet_get_int();
2523		if (!(datafellows & SSH_BUG_OPENFAILURE)) {
2524			msg  = packet_get_string(NULL);
2525			lang = packet_get_string(NULL);
2526		}
2527		logit("channel %d: open failed: %s%s%s", id,
2528		    reason2txt(reason), msg ? ": ": "", msg ? msg : "");
2529		if (msg != NULL)
2530			xfree(msg);
2531		if (lang != NULL)
2532			xfree(lang);
2533		if (c->open_confirm) {
2534			debug2("callback start");
2535			c->open_confirm(c->self, 0, c->open_confirm_ctx);
2536			debug2("callback done");
2537		}
2538	}
2539	packet_check_eom();
2540	/* Schedule the channel for cleanup/deletion. */
2541	chan_mark_dead(c);
2542}
2543
2544/* ARGSUSED */
2545void
2546channel_input_window_adjust(int type, u_int32_t seq, void *ctxt)
2547{
2548	Channel *c;
2549	int id;
2550	u_int adjust;
2551
2552	if (!compat20)
2553		return;
2554
2555	/* Get the channel number and verify it. */
2556	id = packet_get_int();
2557	c = channel_lookup(id);
2558
2559	if (c == NULL) {
2560		logit("Received window adjust for non-open channel %d.", id);
2561		return;
2562	}
2563	adjust = packet_get_int();
2564	packet_check_eom();
2565	debug2("channel %d: rcvd adjust %u", id, adjust);
2566	c->remote_window += adjust;
2567}
2568
2569/* ARGSUSED */
2570void
2571channel_input_port_open(int type, u_int32_t seq, void *ctxt)
2572{
2573	Channel *c = NULL;
2574	u_short host_port;
2575	char *host, *originator_string;
2576	int remote_id;
2577
2578	remote_id = packet_get_int();
2579	host = packet_get_string(NULL);
2580	host_port = packet_get_int();
2581
2582	if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
2583		originator_string = packet_get_string(NULL);
2584	} else {
2585		originator_string = xstrdup("unknown (remote did not supply name)");
2586	}
2587	packet_check_eom();
2588	c = channel_connect_to(host, host_port,
2589	    "connected socket", originator_string);
2590	xfree(originator_string);
2591	xfree(host);
2592	if (c == NULL) {
2593		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
2594		packet_put_int(remote_id);
2595		packet_send();
2596	} else
2597		c->remote_id = remote_id;
2598}
2599
2600/* ARGSUSED */
2601void
2602channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
2603{
2604	Channel *c;
2605	struct channel_confirm *cc;
2606	int id;
2607
2608	/* Reset keepalive timeout */
2609	packet_set_alive_timeouts(0);
2610
2611	id = packet_get_int();
2612	packet_check_eom();
2613
2614	debug2("channel_input_status_confirm: type %d id %d", type, id);
2615
2616	if ((c = channel_lookup(id)) == NULL) {
2617		logit("channel_input_status_confirm: %d: unknown", id);
2618		return;
2619	}
2620	;
2621	if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
2622		return;
2623	cc->cb(type, c, cc->ctx);
2624	TAILQ_REMOVE(&c->status_confirms, cc, entry);
2625	bzero(cc, sizeof(*cc));
2626	xfree(cc);
2627}
2628
2629/* -- tcp forwarding */
2630
2631void
2632channel_set_af(int af)
2633{
2634	IPv4or6 = af;
2635}
2636
2637static int
2638channel_setup_fwd_listener(int type, const char *listen_addr,
2639    u_short listen_port, int *allocated_listen_port,
2640    const char *host_to_connect, u_short port_to_connect, int gateway_ports)
2641{
2642	Channel *c;
2643	int sock, r, success = 0, wildcard = 0, is_client;
2644	struct addrinfo hints, *ai, *aitop;
2645	const char *host, *addr;
2646	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
2647	in_port_t *lport_p;
2648
2649	host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
2650	    listen_addr : host_to_connect;
2651	is_client = (type == SSH_CHANNEL_PORT_LISTENER);
2652
2653	if (host == NULL) {
2654		error("No forward host name.");
2655		return 0;
2656	}
2657	if (strlen(host) >= NI_MAXHOST) {
2658		error("Forward host name too long.");
2659		return 0;
2660	}
2661
2662	/*
2663	 * Determine whether or not a port forward listens to loopback,
2664	 * specified address or wildcard. On the client, a specified bind
2665	 * address will always override gateway_ports. On the server, a
2666	 * gateway_ports of 1 (``yes'') will override the client's
2667	 * specification and force a wildcard bind, whereas a value of 2
2668	 * (``clientspecified'') will bind to whatever address the client
2669	 * asked for.
2670	 *
2671	 * Special-case listen_addrs are:
2672	 *
2673	 * "0.0.0.0"               -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
2674	 * "" (empty string), "*"  -> wildcard v4/v6
2675	 * "localhost"             -> loopback v4/v6
2676	 */
2677	addr = NULL;
2678	if (listen_addr == NULL) {
2679		/* No address specified: default to gateway_ports setting */
2680		if (gateway_ports)
2681			wildcard = 1;
2682	} else if (gateway_ports || is_client) {
2683		if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
2684		    strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
2685		    *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
2686		    (!is_client && gateway_ports == 1))
2687			wildcard = 1;
2688		else if (strcmp(listen_addr, "localhost") != 0)
2689			addr = listen_addr;
2690	}
2691
2692	debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
2693	    type, wildcard, (addr == NULL) ? "NULL" : addr);
2694
2695	/*
2696	 * getaddrinfo returns a loopback address if the hostname is
2697	 * set to NULL and hints.ai_flags is not AI_PASSIVE
2698	 */
2699	memset(&hints, 0, sizeof(hints));
2700	hints.ai_family = IPv4or6;
2701	hints.ai_flags = wildcard ? AI_PASSIVE : 0;
2702	hints.ai_socktype = SOCK_STREAM;
2703	snprintf(strport, sizeof strport, "%d", listen_port);
2704	if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
2705		if (addr == NULL) {
2706			/* This really shouldn't happen */
2707			packet_disconnect("getaddrinfo: fatal error: %s",
2708			    ssh_gai_strerror(r));
2709		} else {
2710			error("channel_setup_fwd_listener: "
2711			    "getaddrinfo(%.64s): %s", addr,
2712			    ssh_gai_strerror(r));
2713		}
2714		return 0;
2715	}
2716	if (allocated_listen_port != NULL)
2717		*allocated_listen_port = 0;
2718	for (ai = aitop; ai; ai = ai->ai_next) {
2719		switch (ai->ai_family) {
2720		case AF_INET:
2721			lport_p = &((struct sockaddr_in *)ai->ai_addr)->
2722			    sin_port;
2723			break;
2724		case AF_INET6:
2725			lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
2726			    sin6_port;
2727			break;
2728		default:
2729			continue;
2730		}
2731		/*
2732		 * If allocating a port for -R forwards, then use the
2733		 * same port for all address families.
2734		 */
2735		if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 &&
2736		    allocated_listen_port != NULL && *allocated_listen_port > 0)
2737			*lport_p = htons(*allocated_listen_port);
2738
2739		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
2740		    strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
2741			error("channel_setup_fwd_listener: getnameinfo failed");
2742			continue;
2743		}
2744		/* Create a port to listen for the host. */
2745		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2746		if (sock < 0) {
2747			/* this is no error since kernel may not support ipv6 */
2748			verbose("socket: %.100s", strerror(errno));
2749			continue;
2750		}
2751
2752		channel_set_reuseaddr(sock);
2753		if (ai->ai_family == AF_INET6)
2754			sock_set_v6only(sock);
2755
2756		debug("Local forwarding listening on %s port %s.",
2757		    ntop, strport);
2758
2759		/* Bind the socket to the address. */
2760		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2761			/* address can be in use ipv6 address is already bound */
2762			if (!ai->ai_next)
2763				error("bind: %.100s", strerror(errno));
2764			else
2765				verbose("bind: %.100s", strerror(errno));
2766
2767			close(sock);
2768			continue;
2769		}
2770		/* Start listening for connections on the socket. */
2771		if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
2772			error("listen: %.100s", strerror(errno));
2773			close(sock);
2774			continue;
2775		}
2776
2777		/*
2778		 * listen_port == 0 requests a dynamically allocated port -
2779		 * record what we got.
2780		 */
2781		if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 &&
2782		    allocated_listen_port != NULL &&
2783		    *allocated_listen_port == 0) {
2784			*allocated_listen_port = get_sock_port(sock, 1);
2785			debug("Allocated listen port %d",
2786			    *allocated_listen_port);
2787		}
2788
2789		/* Allocate a channel number for the socket. */
2790		c = channel_new("port listener", type, sock, sock, -1,
2791		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
2792		    0, "port listener", 1);
2793		c->path = xstrdup(host);
2794		c->host_port = port_to_connect;
2795		c->listening_port = listen_port;
2796		success = 1;
2797	}
2798	if (success == 0)
2799		error("channel_setup_fwd_listener: cannot listen to port: %d",
2800		    listen_port);
2801	freeaddrinfo(aitop);
2802	return success;
2803}
2804
2805int
2806channel_cancel_rport_listener(const char *host, u_short port)
2807{
2808	u_int i;
2809	int found = 0;
2810
2811	for (i = 0; i < channels_alloc; i++) {
2812		Channel *c = channels[i];
2813
2814		if (c != NULL && c->type == SSH_CHANNEL_RPORT_LISTENER &&
2815		    strcmp(c->path, host) == 0 && c->listening_port == port) {
2816			debug2("%s: close channel %d", __func__, i);
2817			channel_free(c);
2818			found = 1;
2819		}
2820	}
2821
2822	return (found);
2823}
2824
2825/* protocol local port fwd, used by ssh (and sshd in v1) */
2826int
2827channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port,
2828    const char *host_to_connect, u_short port_to_connect, int gateway_ports)
2829{
2830	return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER,
2831	    listen_host, listen_port, NULL, host_to_connect, port_to_connect,
2832	    gateway_ports);
2833}
2834
2835/* protocol v2 remote port fwd, used by sshd */
2836int
2837channel_setup_remote_fwd_listener(const char *listen_address,
2838    u_short listen_port, int *allocated_listen_port, int gateway_ports)
2839{
2840	return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER,
2841	    listen_address, listen_port, allocated_listen_port,
2842	    NULL, 0, gateway_ports);
2843}
2844
2845/*
2846 * Initiate forwarding of connections to port "port" on remote host through
2847 * the secure channel to host:port from local side.
2848 */
2849
2850int
2851channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
2852    const char *host_to_connect, u_short port_to_connect)
2853{
2854	int type, success = 0;
2855
2856	/* Send the forward request to the remote side. */
2857	if (compat20) {
2858		const char *address_to_bind;
2859		if (listen_host == NULL) {
2860			if (datafellows & SSH_BUG_RFWD_ADDR)
2861				address_to_bind = "127.0.0.1";
2862			else
2863				address_to_bind = "localhost";
2864		} else if (*listen_host == '\0' ||
2865			   strcmp(listen_host, "*") == 0) {
2866			if (datafellows & SSH_BUG_RFWD_ADDR)
2867				address_to_bind = "0.0.0.0";
2868			else
2869				address_to_bind = "";
2870		} else
2871			address_to_bind = listen_host;
2872
2873		packet_start(SSH2_MSG_GLOBAL_REQUEST);
2874		packet_put_cstring("tcpip-forward");
2875		packet_put_char(1);			/* boolean: want reply */
2876		packet_put_cstring(address_to_bind);
2877		packet_put_int(listen_port);
2878		packet_send();
2879		packet_write_wait();
2880		/* Assume that server accepts the request */
2881		success = 1;
2882	} else {
2883		packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
2884		packet_put_int(listen_port);
2885		packet_put_cstring(host_to_connect);
2886		packet_put_int(port_to_connect);
2887		packet_send();
2888		packet_write_wait();
2889
2890		/* Wait for response from the remote side. */
2891		type = packet_read();
2892		switch (type) {
2893		case SSH_SMSG_SUCCESS:
2894			success = 1;
2895			break;
2896		case SSH_SMSG_FAILURE:
2897			break;
2898		default:
2899			/* Unknown packet */
2900			packet_disconnect("Protocol error for port forward request:"
2901			    "received packet type %d.", type);
2902		}
2903	}
2904	if (success) {
2905		/* Record that connection to this host/port is permitted. */
2906		permitted_opens = xrealloc(permitted_opens,
2907		    num_permitted_opens + 1, sizeof(*permitted_opens));
2908		permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect);
2909		permitted_opens[num_permitted_opens].port_to_connect = port_to_connect;
2910		permitted_opens[num_permitted_opens].listen_port = listen_port;
2911		num_permitted_opens++;
2912	}
2913	return (success ? 0 : -1);
2914}
2915
2916/*
2917 * Request cancellation of remote forwarding of connection host:port from
2918 * local side.
2919 */
2920void
2921channel_request_rforward_cancel(const char *host, u_short port)
2922{
2923	int i;
2924
2925	if (!compat20)
2926		return;
2927
2928	for (i = 0; i < num_permitted_opens; i++) {
2929		if (permitted_opens[i].host_to_connect != NULL &&
2930		    permitted_opens[i].listen_port == port)
2931			break;
2932	}
2933	if (i >= num_permitted_opens) {
2934		debug("%s: requested forward not found", __func__);
2935		return;
2936	}
2937	packet_start(SSH2_MSG_GLOBAL_REQUEST);
2938	packet_put_cstring("cancel-tcpip-forward");
2939	packet_put_char(0);
2940	packet_put_cstring(host == NULL ? "" : host);
2941	packet_put_int(port);
2942	packet_send();
2943
2944	permitted_opens[i].listen_port = 0;
2945	permitted_opens[i].port_to_connect = 0;
2946	xfree(permitted_opens[i].host_to_connect);
2947	permitted_opens[i].host_to_connect = NULL;
2948}
2949
2950/*
2951 * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
2952 * listening for the port, and sends back a success reply (or disconnect
2953 * message if there was an error).
2954 */
2955int
2956channel_input_port_forward_request(int is_root, int gateway_ports)
2957{
2958	u_short port, host_port;
2959	int success = 0;
2960	char *hostname;
2961
2962	/* Get arguments from the packet. */
2963	port = packet_get_int();
2964	hostname = packet_get_string(NULL);
2965	host_port = packet_get_int();
2966
2967#ifndef HAVE_CYGWIN
2968	/*
2969	 * Check that an unprivileged user is not trying to forward a
2970	 * privileged port.
2971	 */
2972	if (port < IPPORT_RESERVED && !is_root)
2973		packet_disconnect(
2974		    "Requested forwarding of port %d but user is not root.",
2975		    port);
2976	if (host_port == 0)
2977		packet_disconnect("Dynamic forwarding denied.");
2978#endif
2979
2980	/* Initiate forwarding */
2981	success = channel_setup_local_fwd_listener(NULL, port, hostname,
2982	    host_port, gateway_ports);
2983
2984	/* Free the argument string. */
2985	xfree(hostname);
2986
2987	return (success ? 0 : -1);
2988}
2989
2990/*
2991 * Permits opening to any host/port if permitted_opens[] is empty.  This is
2992 * usually called by the server, because the user could connect to any port
2993 * anyway, and the server has no way to know but to trust the client anyway.
2994 */
2995void
2996channel_permit_all_opens(void)
2997{
2998	if (num_permitted_opens == 0)
2999		all_opens_permitted = 1;
3000}
3001
3002void
3003channel_add_permitted_opens(char *host, int port)
3004{
3005	debug("allow port forwarding to host %s port %d", host, port);
3006
3007	permitted_opens = xrealloc(permitted_opens,
3008	    num_permitted_opens + 1, sizeof(*permitted_opens));
3009	permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
3010	permitted_opens[num_permitted_opens].port_to_connect = port;
3011	num_permitted_opens++;
3012
3013	all_opens_permitted = 0;
3014}
3015
3016int
3017channel_add_adm_permitted_opens(char *host, int port)
3018{
3019	debug("config allows port forwarding to host %s port %d", host, port);
3020
3021	permitted_adm_opens = xrealloc(permitted_adm_opens,
3022	    num_adm_permitted_opens + 1, sizeof(*permitted_adm_opens));
3023	permitted_adm_opens[num_adm_permitted_opens].host_to_connect
3024	     = xstrdup(host);
3025	permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
3026	return ++num_adm_permitted_opens;
3027}
3028
3029void
3030channel_clear_permitted_opens(void)
3031{
3032	int i;
3033
3034	for (i = 0; i < num_permitted_opens; i++)
3035		if (permitted_opens[i].host_to_connect != NULL)
3036			xfree(permitted_opens[i].host_to_connect);
3037	if (num_permitted_opens > 0) {
3038		xfree(permitted_opens);
3039		permitted_opens = NULL;
3040	}
3041	num_permitted_opens = 0;
3042}
3043
3044void
3045channel_clear_adm_permitted_opens(void)
3046{
3047	int i;
3048
3049	for (i = 0; i < num_adm_permitted_opens; i++)
3050		if (permitted_adm_opens[i].host_to_connect != NULL)
3051			xfree(permitted_adm_opens[i].host_to_connect);
3052	if (num_adm_permitted_opens > 0) {
3053		xfree(permitted_adm_opens);
3054		permitted_adm_opens = NULL;
3055	}
3056	num_adm_permitted_opens = 0;
3057}
3058
3059void
3060channel_print_adm_permitted_opens(void)
3061{
3062	int i;
3063
3064	printf("permitopen");
3065	if (num_adm_permitted_opens == 0) {
3066		printf(" any\n");
3067		return;
3068	}
3069	for (i = 0; i < num_adm_permitted_opens; i++)
3070		if (permitted_adm_opens[i].host_to_connect != NULL)
3071			printf(" %s:%d", permitted_adm_opens[i].host_to_connect,
3072			    permitted_adm_opens[i].port_to_connect);
3073	printf("\n");
3074}
3075
3076/* Try to start non-blocking connect to next host in cctx list */
3077static int
3078connect_next(struct channel_connect *cctx)
3079{
3080	int sock, saved_errno;
3081	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
3082
3083	for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
3084		if (cctx->ai->ai_family != AF_INET &&
3085		    cctx->ai->ai_family != AF_INET6)
3086			continue;
3087		if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
3088		    ntop, sizeof(ntop), strport, sizeof(strport),
3089		    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
3090			error("connect_next: getnameinfo failed");
3091			continue;
3092		}
3093		if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
3094		    cctx->ai->ai_protocol)) == -1) {
3095			if (cctx->ai->ai_next == NULL)
3096				error("socket: %.100s", strerror(errno));
3097			else
3098				verbose("socket: %.100s", strerror(errno));
3099			continue;
3100		}
3101		if (set_nonblock(sock) == -1)
3102			fatal("%s: set_nonblock(%d)", __func__, sock);
3103		if (connect(sock, cctx->ai->ai_addr,
3104		    cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
3105			debug("connect_next: host %.100s ([%.100s]:%s): "
3106			    "%.100s", cctx->host, ntop, strport,
3107			    strerror(errno));
3108			saved_errno = errno;
3109			close(sock);
3110			errno = saved_errno;
3111			continue;	/* fail -- try next */
3112		}
3113		debug("connect_next: host %.100s ([%.100s]:%s) "
3114		    "in progress, fd=%d", cctx->host, ntop, strport, sock);
3115		cctx->ai = cctx->ai->ai_next;
3116		set_nodelay(sock);
3117		return sock;
3118	}
3119	return -1;
3120}
3121
3122static void
3123channel_connect_ctx_free(struct channel_connect *cctx)
3124{
3125	xfree(cctx->host);
3126	if (cctx->aitop)
3127		freeaddrinfo(cctx->aitop);
3128	bzero(cctx, sizeof(*cctx));
3129	cctx->host = NULL;
3130	cctx->ai = cctx->aitop = NULL;
3131}
3132
3133/* Return CONNECTING channel to remote host, port */
3134static Channel *
3135connect_to(const char *host, u_short port, char *ctype, char *rname)
3136{
3137	struct addrinfo hints;
3138	int gaierr;
3139	int sock = -1;
3140	char strport[NI_MAXSERV];
3141	struct channel_connect cctx;
3142	Channel *c;
3143
3144	memset(&cctx, 0, sizeof(cctx));
3145	memset(&hints, 0, sizeof(hints));
3146	hints.ai_family = IPv4or6;
3147	hints.ai_socktype = SOCK_STREAM;
3148	snprintf(strport, sizeof strport, "%d", port);
3149	if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) {
3150		error("connect_to %.100s: unknown host (%s)", host,
3151		    ssh_gai_strerror(gaierr));
3152		return NULL;
3153	}
3154
3155	cctx.host = xstrdup(host);
3156	cctx.port = port;
3157	cctx.ai = cctx.aitop;
3158
3159	if ((sock = connect_next(&cctx)) == -1) {
3160		error("connect to %.100s port %d failed: %s",
3161		    host, port, strerror(errno));
3162		channel_connect_ctx_free(&cctx);
3163		return NULL;
3164	}
3165	c = channel_new(ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
3166	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
3167	c->connect_ctx = cctx;
3168	return c;
3169}
3170
3171Channel *
3172channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
3173{
3174	int i;
3175
3176	for (i = 0; i < num_permitted_opens; i++) {
3177		if (permitted_opens[i].host_to_connect != NULL &&
3178		    permitted_opens[i].listen_port == listen_port) {
3179			return connect_to(
3180			    permitted_opens[i].host_to_connect,
3181			    permitted_opens[i].port_to_connect, ctype, rname);
3182		}
3183	}
3184	error("WARNING: Server requests forwarding for unknown listen_port %d",
3185	    listen_port);
3186	return NULL;
3187}
3188
3189/* Check if connecting to that port is permitted and connect. */
3190Channel *
3191channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
3192{
3193	int i, permit, permit_adm = 1;
3194
3195	permit = all_opens_permitted;
3196	if (!permit) {
3197		for (i = 0; i < num_permitted_opens; i++)
3198			if (permitted_opens[i].host_to_connect != NULL &&
3199			    permitted_opens[i].port_to_connect == port &&
3200			    strcmp(permitted_opens[i].host_to_connect, host) == 0)
3201				permit = 1;
3202	}
3203
3204	if (num_adm_permitted_opens > 0) {
3205		permit_adm = 0;
3206		for (i = 0; i < num_adm_permitted_opens; i++)
3207			if (permitted_adm_opens[i].host_to_connect != NULL &&
3208			    permitted_adm_opens[i].port_to_connect == port &&
3209			    strcmp(permitted_adm_opens[i].host_to_connect, host)
3210			    == 0)
3211				permit_adm = 1;
3212	}
3213
3214	if (!permit || !permit_adm) {
3215		logit("Received request to connect to host %.100s port %d, "
3216		    "but the request was denied.", host, port);
3217		return NULL;
3218	}
3219	return connect_to(host, port, ctype, rname);
3220}
3221
3222void
3223channel_send_window_changes(void)
3224{
3225	u_int i;
3226	struct winsize ws;
3227
3228	for (i = 0; i < channels_alloc; i++) {
3229		if (channels[i] == NULL || !channels[i]->client_tty ||
3230		    channels[i]->type != SSH_CHANNEL_OPEN)
3231			continue;
3232		if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
3233			continue;
3234		channel_request_start(i, "window-change", 0);
3235		packet_put_int((u_int)ws.ws_col);
3236		packet_put_int((u_int)ws.ws_row);
3237		packet_put_int((u_int)ws.ws_xpixel);
3238		packet_put_int((u_int)ws.ws_ypixel);
3239		packet_send();
3240	}
3241}
3242
3243/* -- X11 forwarding */
3244
3245/*
3246 * Creates an internet domain socket for listening for X11 connections.
3247 * Returns 0 and a suitable display number for the DISPLAY variable
3248 * stored in display_numberp , or -1 if an error occurs.
3249 */
3250int
3251x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
3252    int single_connection, u_int *display_numberp, int **chanids)
3253{
3254	Channel *nc = NULL;
3255	int display_number, sock;
3256	u_short port;
3257	struct addrinfo hints, *ai, *aitop;
3258	char strport[NI_MAXSERV];
3259	int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
3260
3261	if (chanids == NULL)
3262		return -1;
3263
3264	for (display_number = x11_display_offset;
3265	    display_number < MAX_DISPLAYS;
3266	    display_number++) {
3267		port = 6000 + display_number;
3268		memset(&hints, 0, sizeof(hints));
3269		hints.ai_family = IPv4or6;
3270		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
3271		hints.ai_socktype = SOCK_STREAM;
3272		snprintf(strport, sizeof strport, "%d", port);
3273		if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) {
3274			error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
3275			return -1;
3276		}
3277		for (ai = aitop; ai; ai = ai->ai_next) {
3278			if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
3279				continue;
3280			sock = socket(ai->ai_family, ai->ai_socktype,
3281			    ai->ai_protocol);
3282			if (sock < 0) {
3283				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
3284#ifdef EPFNOSUPPORT
3285				    && (errno != EPFNOSUPPORT)
3286#endif
3287				    ) {
3288					error("socket: %.100s", strerror(errno));
3289					freeaddrinfo(aitop);
3290					return -1;
3291				} else {
3292					debug("x11_create_display_inet: Socket family %d not supported",
3293						 ai->ai_family);
3294					continue;
3295				}
3296			}
3297			if (ai->ai_family == AF_INET6)
3298				sock_set_v6only(sock);
3299			if (x11_use_localhost)
3300				channel_set_reuseaddr(sock);
3301			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
3302				debug2("bind port %d: %.100s", port, strerror(errno));
3303				close(sock);
3304
3305				for (n = 0; n < num_socks; n++) {
3306					close(socks[n]);
3307				}
3308				num_socks = 0;
3309				break;
3310			}
3311			socks[num_socks++] = sock;
3312			if (num_socks == NUM_SOCKS)
3313				break;
3314		}
3315		freeaddrinfo(aitop);
3316		if (num_socks > 0)
3317			break;
3318	}
3319	if (display_number >= MAX_DISPLAYS) {
3320		error("Failed to allocate internet-domain X11 display socket.");
3321		return -1;
3322	}
3323	/* Start listening for connections on the socket. */
3324	for (n = 0; n < num_socks; n++) {
3325		sock = socks[n];
3326		if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
3327			error("listen: %.100s", strerror(errno));
3328			close(sock);
3329			return -1;
3330		}
3331	}
3332
3333	/* Allocate a channel for each socket. */
3334	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
3335	for (n = 0; n < num_socks; n++) {
3336		sock = socks[n];
3337		nc = channel_new("x11 listener",
3338		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
3339		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
3340		    0, "X11 inet listener", 1);
3341		nc->single_connection = single_connection;
3342		(*chanids)[n] = nc->self;
3343	}
3344	(*chanids)[n] = -1;
3345
3346	/* Return the display number for the DISPLAY environment variable. */
3347	*display_numberp = display_number;
3348	return (0);
3349}
3350
3351static int
3352connect_local_xsocket_path(const char *pathname)
3353{
3354	int sock;
3355	struct sockaddr_un addr;
3356
3357	sock = socket(AF_UNIX, SOCK_STREAM, 0);
3358	if (sock < 0)
3359		error("socket: %.100s", strerror(errno));
3360	memset(&addr, 0, sizeof(addr));
3361	addr.sun_family = AF_UNIX;
3362	strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
3363	if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
3364		return sock;
3365	close(sock);
3366	error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
3367	return -1;
3368}
3369
3370static int
3371connect_local_xsocket(u_int dnr)
3372{
3373	char buf[1024];
3374	snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
3375	return connect_local_xsocket_path(buf);
3376}
3377
3378int
3379x11_connect_display(void)
3380{
3381	u_int display_number;
3382	const char *display;
3383	char buf[1024], *cp;
3384	struct addrinfo hints, *ai, *aitop;
3385	char strport[NI_MAXSERV];
3386	int gaierr, sock = 0;
3387
3388	/* Try to open a socket for the local X server. */
3389	display = getenv("DISPLAY");
3390	if (!display) {
3391		error("DISPLAY not set.");
3392		return -1;
3393	}
3394	/*
3395	 * Now we decode the value of the DISPLAY variable and make a
3396	 * connection to the real X server.
3397	 */
3398
3399	/* Check if the display is from launchd. */
3400#ifdef __APPLE__
3401	if (strncmp(display, "/tmp/launch", 11) == 0) {
3402		sock = connect_local_xsocket_path(display);
3403		if (sock < 0)
3404			return -1;
3405
3406		/* OK, we now have a connection to the display. */
3407		return sock;
3408	}
3409#endif
3410	/*
3411	 * Check if it is a unix domain socket.  Unix domain displays are in
3412	 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
3413	 */
3414	if (strncmp(display, "unix:", 5) == 0 ||
3415	    display[0] == ':') {
3416		/* Connect to the unix domain socket. */
3417		if (sscanf(strrchr(display, ':') + 1, "%u", &display_number) != 1) {
3418			error("Could not parse display number from DISPLAY: %.100s",
3419			    display);
3420			return -1;
3421		}
3422		/* Create a socket. */
3423		sock = connect_local_xsocket(display_number);
3424		if (sock < 0)
3425			return -1;
3426
3427		/* OK, we now have a connection to the display. */
3428		return sock;
3429	}
3430	/*
3431	 * Connect to an inet socket.  The DISPLAY value is supposedly
3432	 * hostname:d[.s], where hostname may also be numeric IP address.
3433	 */
3434	strlcpy(buf, display, sizeof(buf));
3435	cp = strchr(buf, ':');
3436	if (!cp) {
3437		error("Could not find ':' in DISPLAY: %.100s", display);
3438		return -1;
3439	}
3440	*cp = 0;
3441	/* buf now contains the host name.  But first we parse the display number. */
3442	if (sscanf(cp + 1, "%u", &display_number) != 1) {
3443		error("Could not parse display number from DISPLAY: %.100s",
3444		    display);
3445		return -1;
3446	}
3447
3448	/* Look up the host address */
3449	memset(&hints, 0, sizeof(hints));
3450	hints.ai_family = IPv4or6;
3451	hints.ai_socktype = SOCK_STREAM;
3452	snprintf(strport, sizeof strport, "%u", 6000 + display_number);
3453	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
3454		error("%.100s: unknown host. (%s)", buf,
3455		ssh_gai_strerror(gaierr));
3456		return -1;
3457	}
3458	for (ai = aitop; ai; ai = ai->ai_next) {
3459		/* Create a socket. */
3460		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3461		if (sock < 0) {
3462			debug2("socket: %.100s", strerror(errno));
3463			continue;
3464		}
3465		/* Connect it to the display. */
3466		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
3467			debug2("connect %.100s port %u: %.100s", buf,
3468			    6000 + display_number, strerror(errno));
3469			close(sock);
3470			continue;
3471		}
3472		/* Success */
3473		break;
3474	}
3475	freeaddrinfo(aitop);
3476	if (!ai) {
3477		error("connect %.100s port %u: %.100s", buf, 6000 + display_number,
3478		    strerror(errno));
3479		return -1;
3480	}
3481	set_nodelay(sock);
3482	return sock;
3483}
3484
3485/*
3486 * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
3487 * the remote channel number.  We should do whatever we want, and respond
3488 * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
3489 */
3490
3491/* ARGSUSED */
3492void
3493x11_input_open(int type, u_int32_t seq, void *ctxt)
3494{
3495	Channel *c = NULL;
3496	int remote_id, sock = 0;
3497	char *remote_host;
3498
3499	debug("Received X11 open request.");
3500
3501	remote_id = packet_get_int();
3502
3503	if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
3504		remote_host = packet_get_string(NULL);
3505	} else {
3506		remote_host = xstrdup("unknown (remote did not supply name)");
3507	}
3508	packet_check_eom();
3509
3510	/* Obtain a connection to the real X display. */
3511	sock = x11_connect_display();
3512	if (sock != -1) {
3513		/* Allocate a channel for this connection. */
3514		c = channel_new("connected x11 socket",
3515		    SSH_CHANNEL_X11_OPEN, sock, sock, -1, 0, 0, 0,
3516		    remote_host, 1);
3517		c->remote_id = remote_id;
3518		c->force_drain = 1;
3519	}
3520	xfree(remote_host);
3521	if (c == NULL) {
3522		/* Send refusal to the remote host. */
3523		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
3524		packet_put_int(remote_id);
3525	} else {
3526		/* Send a confirmation to the remote host. */
3527		packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
3528		packet_put_int(remote_id);
3529		packet_put_int(c->self);
3530	}
3531	packet_send();
3532}
3533
3534/* dummy protocol handler that denies SSH-1 requests (agent/x11) */
3535/* ARGSUSED */
3536void
3537deny_input_open(int type, u_int32_t seq, void *ctxt)
3538{
3539	int rchan = packet_get_int();
3540
3541	switch (type) {
3542	case SSH_SMSG_AGENT_OPEN:
3543		error("Warning: ssh server tried agent forwarding.");
3544		break;
3545	case SSH_SMSG_X11_OPEN:
3546		error("Warning: ssh server tried X11 forwarding.");
3547		break;
3548	default:
3549		error("deny_input_open: type %d", type);
3550		break;
3551	}
3552	error("Warning: this is probably a break-in attempt by a malicious server.");
3553	packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
3554	packet_put_int(rchan);
3555	packet_send();
3556}
3557
3558/*
3559 * Requests forwarding of X11 connections, generates fake authentication
3560 * data, and enables authentication spoofing.
3561 * This should be called in the client only.
3562 */
3563void
3564x11_request_forwarding_with_spoofing(int client_session_id, const char *disp,
3565    const char *proto, const char *data, int want_reply)
3566{
3567	u_int data_len = (u_int) strlen(data) / 2;
3568	u_int i, value;
3569	char *new_data;
3570	int screen_number;
3571	const char *cp;
3572	u_int32_t rnd = 0;
3573
3574	if (x11_saved_display == NULL)
3575		x11_saved_display = xstrdup(disp);
3576	else if (strcmp(disp, x11_saved_display) != 0) {
3577		error("x11_request_forwarding_with_spoofing: different "
3578		    "$DISPLAY already forwarded");
3579		return;
3580	}
3581
3582	cp = strchr(disp, ':');
3583	if (cp)
3584		cp = strchr(cp, '.');
3585	if (cp)
3586		screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
3587	else
3588		screen_number = 0;
3589
3590	if (x11_saved_proto == NULL) {
3591		/* Save protocol name. */
3592		x11_saved_proto = xstrdup(proto);
3593		/*
3594		 * Extract real authentication data and generate fake data
3595		 * of the same length.
3596		 */
3597		x11_saved_data = xmalloc(data_len);
3598		x11_fake_data = xmalloc(data_len);
3599		for (i = 0; i < data_len; i++) {
3600			if (sscanf(data + 2 * i, "%2x", &value) != 1)
3601				fatal("x11_request_forwarding: bad "
3602				    "authentication data: %.100s", data);
3603			if (i % 4 == 0)
3604				rnd = arc4random();
3605			x11_saved_data[i] = value;
3606			x11_fake_data[i] = rnd & 0xff;
3607			rnd >>= 8;
3608		}
3609		x11_saved_data_len = data_len;
3610		x11_fake_data_len = data_len;
3611	}
3612
3613	/* Convert the fake data into hex. */
3614	new_data = tohex(x11_fake_data, data_len);
3615
3616	/* Send the request packet. */
3617	if (compat20) {
3618		channel_request_start(client_session_id, "x11-req", want_reply);
3619		packet_put_char(0);	/* XXX bool single connection */
3620	} else {
3621		packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
3622	}
3623	packet_put_cstring(proto);
3624	packet_put_cstring(new_data);
3625	packet_put_int(screen_number);
3626	packet_send();
3627	packet_write_wait();
3628	xfree(new_data);
3629}
3630
3631
3632/* -- agent forwarding */
3633
3634/* Sends a message to the server to request authentication fd forwarding. */
3635
3636void
3637auth_request_forwarding(void)
3638{
3639	packet_start(SSH_CMSG_AGENT_REQUEST_FORWARDING);
3640	packet_send();
3641	packet_write_wait();
3642}
3643