xref: /freebsd/crypto/openssh/channels.c (revision e9b1dc32c9bd2ebae5f9e140bfa0e0321bc366b5)
1 /* $OpenBSD: channels.c,v 1.384 2018/07/27 12:03:17 markus Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * This file contains functions for generic socket connection forwarding.
7  * There is also code for initiating connection forwarding for X11 connections,
8  * arbitrary tcp/ip connections, and the authentication agent connection.
9  *
10  * As far as I am concerned, the code I have written for this software
11  * can be used freely for any purpose.  Any derived versions of this
12  * software must be clearly marked as such, and if the derived work is
13  * incompatible with the protocol description in the RFC file, it must be
14  * called by a name other than "ssh" or "Secure Shell".
15  *
16  * SSH2 support added by Markus Friedl.
17  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
18  * Copyright (c) 1999 Dug Song.  All rights reserved.
19  * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
20  *
21  * Redistribution and use in source and binary forms, with or without
22  * modification, are permitted provided that the following conditions
23  * are met:
24  * 1. Redistributions of source code must retain the above copyright
25  *    notice, this list of conditions and the following disclaimer.
26  * 2. Redistributions in binary form must reproduce the above copyright
27  *    notice, this list of conditions and the following disclaimer in the
28  *    documentation and/or other materials provided with the distribution.
29  *
30  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
31  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
32  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
33  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
34  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
35  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
36  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
37  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
38  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
39  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40  */
41 
42 #include "includes.h"
43 
44 #include <sys/types.h>
45 #include <sys/stat.h>
46 #include <sys/ioctl.h>
47 #include <sys/un.h>
48 #include <sys/socket.h>
49 #ifdef HAVE_SYS_TIME_H
50 # include <sys/time.h>
51 #endif
52 
53 #include <netinet/in.h>
54 #include <arpa/inet.h>
55 
56 #include <errno.h>
57 #include <fcntl.h>
58 #include <limits.h>
59 #include <netdb.h>
60 #include <stdarg.h>
61 #ifdef HAVE_STDINT_H
62  #include <stdint.h>
63 #endif
64 #include <stdio.h>
65 #include <stdlib.h>
66 #include <string.h>
67 #include <termios.h>
68 #include <unistd.h>
69 
70 #include "openbsd-compat/sys-queue.h"
71 #include "xmalloc.h"
72 #include "ssh.h"
73 #include "ssh2.h"
74 #include "ssherr.h"
75 #include "sshbuf.h"
76 #include "packet.h"
77 #include "log.h"
78 #include "misc.h"
79 #include "channels.h"
80 #include "compat.h"
81 #include "canohost.h"
82 #include "sshkey.h"
83 #include "authfd.h"
84 #include "pathnames.h"
85 #include "match.h"
86 
87 /* -- agent forwarding */
88 #define	NUM_SOCKS	10
89 
90 /* -- tcp forwarding */
91 /* special-case port number meaning allow any port */
92 #define FWD_PERMIT_ANY_PORT	0
93 
94 /* special-case wildcard meaning allow any host */
95 #define FWD_PERMIT_ANY_HOST	"*"
96 
97 /* -- X11 forwarding */
98 /* Maximum number of fake X11 displays to try. */
99 #define MAX_DISPLAYS  1000
100 
101 /* Per-channel callback for pre/post select() actions */
102 typedef void chan_fn(struct ssh *, Channel *c,
103     fd_set *readset, fd_set *writeset);
104 
105 /*
106  * Data structure for storing which hosts are permitted for forward requests.
107  * The local sides of any remote forwards are stored in this array to prevent
108  * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
109  * network (which might be behind a firewall).
110  */
111 /* XXX: streamlocal wants a path instead of host:port */
112 /*      Overload host_to_connect; we could just make this match Forward */
113 /*	XXX - can we use listen_host instead of listen_path? */
114 struct permission {
115 	char *host_to_connect;		/* Connect to 'host'. */
116 	int port_to_connect;		/* Connect to 'port'. */
117 	char *listen_host;		/* Remote side should listen address. */
118 	char *listen_path;		/* Remote side should listen path. */
119 	int listen_port;		/* Remote side should listen port. */
120 	Channel *downstream;		/* Downstream mux*/
121 };
122 
123 /*
124  * Stores the forwarding permission state for a single direction (local or
125  * remote).
126  */
127 struct permission_set {
128 	/*
129 	 * List of all local permitted host/port pairs to allow for the
130 	 * user.
131 	 */
132 	u_int num_permitted_user;
133 	struct permission *permitted_user;
134 
135 	/*
136 	 * List of all permitted host/port pairs to allow for the admin.
137 	 */
138 	u_int num_permitted_admin;
139 	struct permission *permitted_admin;
140 
141 	/*
142 	 * If this is true, all opens/listens are permitted.  This is the
143 	 * case on the server on which we have to trust the client anyway,
144 	 * and the user could do anything after logging in.
145 	 */
146 	int all_permitted;
147 };
148 
149 /* Master structure for channels state */
150 struct ssh_channels {
151 	/*
152 	 * Pointer to an array containing all allocated channels.  The array
153 	 * is dynamically extended as needed.
154 	 */
155 	Channel **channels;
156 
157 	/*
158 	 * Size of the channel array.  All slots of the array must always be
159 	 * initialized (at least the type field); unused slots set to NULL
160 	 */
161 	u_int channels_alloc;
162 
163 	/*
164 	 * Maximum file descriptor value used in any of the channels.  This is
165 	 * updated in channel_new.
166 	 */
167 	int channel_max_fd;
168 
169 	/*
170 	 * 'channel_pre*' are called just before select() to add any bits
171 	 * relevant to channels in the select bitmasks.
172 	 *
173 	 * 'channel_post*': perform any appropriate operations for
174 	 * channels which have events pending.
175 	 */
176 	chan_fn **channel_pre;
177 	chan_fn **channel_post;
178 
179 	/* -- tcp forwarding */
180 	struct permission_set local_perms;
181 	struct permission_set remote_perms;
182 
183 	/* -- X11 forwarding */
184 
185 	/* Saved X11 local (client) display. */
186 	char *x11_saved_display;
187 
188 	/* Saved X11 authentication protocol name. */
189 	char *x11_saved_proto;
190 
191 	/* Saved X11 authentication data.  This is the real data. */
192 	char *x11_saved_data;
193 	u_int x11_saved_data_len;
194 
195 	/* Deadline after which all X11 connections are refused */
196 	u_int x11_refuse_time;
197 
198 	/*
199 	 * Fake X11 authentication data.  This is what the server will be
200 	 * sending us; we should replace any occurrences of this by the
201 	 * real data.
202 	 */
203 	u_char *x11_fake_data;
204 	u_int x11_fake_data_len;
205 
206 	/* AF_UNSPEC or AF_INET or AF_INET6 */
207 	int IPv4or6;
208 };
209 
210 /* helper */
211 static void port_open_helper(struct ssh *ssh, Channel *c, char *rtype);
212 static const char *channel_rfwd_bind_host(const char *listen_host);
213 
214 /* non-blocking connect helpers */
215 static int connect_next(struct channel_connect *);
216 static void channel_connect_ctx_free(struct channel_connect *);
217 static Channel *rdynamic_connect_prepare(struct ssh *, char *, char *);
218 static int rdynamic_connect_finish(struct ssh *, Channel *);
219 
220 /* Setup helper */
221 static void channel_handler_init(struct ssh_channels *sc);
222 
223 /* -- channel core */
224 
225 void
226 channel_init_channels(struct ssh *ssh)
227 {
228 	struct ssh_channels *sc;
229 
230 	if ((sc = calloc(1, sizeof(*sc))) == NULL ||
231 	    (sc->channel_pre = calloc(SSH_CHANNEL_MAX_TYPE,
232 	    sizeof(*sc->channel_pre))) == NULL ||
233 	    (sc->channel_post = calloc(SSH_CHANNEL_MAX_TYPE,
234 	    sizeof(*sc->channel_post))) == NULL)
235 		fatal("%s: allocation failed", __func__);
236 	sc->channels_alloc = 10;
237 	sc->channels = xcalloc(sc->channels_alloc, sizeof(*sc->channels));
238 	sc->IPv4or6 = AF_UNSPEC;
239 	channel_handler_init(sc);
240 
241 	ssh->chanctxt = sc;
242 }
243 
244 Channel *
245 channel_by_id(struct ssh *ssh, int id)
246 {
247 	Channel *c;
248 
249 	if (id < 0 || (u_int)id >= ssh->chanctxt->channels_alloc) {
250 		logit("%s: %d: bad id", __func__, id);
251 		return NULL;
252 	}
253 	c = ssh->chanctxt->channels[id];
254 	if (c == NULL) {
255 		logit("%s: %d: bad id: channel free", __func__, id);
256 		return NULL;
257 	}
258 	return c;
259 }
260 
261 Channel *
262 channel_by_remote_id(struct ssh *ssh, u_int remote_id)
263 {
264 	Channel *c;
265 	u_int i;
266 
267 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
268 		c = ssh->chanctxt->channels[i];
269 		if (c != NULL && c->have_remote_id && c->remote_id == remote_id)
270 			return c;
271 	}
272 	return NULL;
273 }
274 
275 /*
276  * Returns the channel if it is allowed to receive protocol messages.
277  * Private channels, like listening sockets, may not receive messages.
278  */
279 Channel *
280 channel_lookup(struct ssh *ssh, int id)
281 {
282 	Channel *c;
283 
284 	if ((c = channel_by_id(ssh, id)) == NULL)
285 		return NULL;
286 
287 	switch (c->type) {
288 	case SSH_CHANNEL_X11_OPEN:
289 	case SSH_CHANNEL_LARVAL:
290 	case SSH_CHANNEL_CONNECTING:
291 	case SSH_CHANNEL_DYNAMIC:
292 	case SSH_CHANNEL_RDYNAMIC_OPEN:
293 	case SSH_CHANNEL_RDYNAMIC_FINISH:
294 	case SSH_CHANNEL_OPENING:
295 	case SSH_CHANNEL_OPEN:
296 	case SSH_CHANNEL_ABANDONED:
297 	case SSH_CHANNEL_MUX_PROXY:
298 		return c;
299 	}
300 	logit("Non-public channel %d, type %d.", id, c->type);
301 	return NULL;
302 }
303 
304 /*
305  * Register filedescriptors for a channel, used when allocating a channel or
306  * when the channel consumer/producer is ready, e.g. shell exec'd
307  */
308 static void
309 channel_register_fds(struct ssh *ssh, Channel *c, int rfd, int wfd, int efd,
310     int extusage, int nonblock, int is_tty)
311 {
312 	struct ssh_channels *sc = ssh->chanctxt;
313 
314 	/* Update the maximum file descriptor value. */
315 	sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, rfd);
316 	sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, wfd);
317 	sc->channel_max_fd = MAXIMUM(sc->channel_max_fd, efd);
318 
319 	if (rfd != -1)
320 		fcntl(rfd, F_SETFD, FD_CLOEXEC);
321 	if (wfd != -1 && wfd != rfd)
322 		fcntl(wfd, F_SETFD, FD_CLOEXEC);
323 	if (efd != -1 && efd != rfd && efd != wfd)
324 		fcntl(efd, F_SETFD, FD_CLOEXEC);
325 
326 	c->rfd = rfd;
327 	c->wfd = wfd;
328 	c->sock = (rfd == wfd) ? rfd : -1;
329 	c->efd = efd;
330 	c->extended_usage = extusage;
331 
332 	if ((c->isatty = is_tty) != 0)
333 		debug2("channel %d: rfd %d isatty", c->self, c->rfd);
334 #ifdef _AIX
335 	/* XXX: Later AIX versions can't push as much data to tty */
336 	c->wfd_isatty = is_tty || isatty(c->wfd);
337 #endif
338 
339 	/* enable nonblocking mode */
340 	if (nonblock) {
341 		if (rfd != -1)
342 			set_nonblock(rfd);
343 		if (wfd != -1)
344 			set_nonblock(wfd);
345 		if (efd != -1)
346 			set_nonblock(efd);
347 	}
348 }
349 
350 /*
351  * Allocate a new channel object and set its type and socket. This will cause
352  * remote_name to be freed.
353  */
354 Channel *
355 channel_new(struct ssh *ssh, char *ctype, int type, int rfd, int wfd, int efd,
356     u_int window, u_int maxpack, int extusage, char *remote_name, int nonblock)
357 {
358 	struct ssh_channels *sc = ssh->chanctxt;
359 	u_int i, found;
360 	Channel *c;
361 
362 	/* Try to find a free slot where to put the new channel. */
363 	for (i = 0; i < sc->channels_alloc; i++) {
364 		if (sc->channels[i] == NULL) {
365 			/* Found a free slot. */
366 			found = i;
367 			break;
368 		}
369 	}
370 	if (i >= sc->channels_alloc) {
371 		/*
372 		 * There are no free slots. Take last+1 slot and expand
373 		 * the array.
374 		 */
375 		found = sc->channels_alloc;
376 		if (sc->channels_alloc > CHANNELS_MAX_CHANNELS)
377 			fatal("%s: internal error: channels_alloc %d too big",
378 			    __func__, sc->channels_alloc);
379 		sc->channels = xrecallocarray(sc->channels, sc->channels_alloc,
380 		    sc->channels_alloc + 10, sizeof(*sc->channels));
381 		sc->channels_alloc += 10;
382 		debug2("channel: expanding %d", sc->channels_alloc);
383 	}
384 	/* Initialize and return new channel. */
385 	c = sc->channels[found] = xcalloc(1, sizeof(Channel));
386 	if ((c->input = sshbuf_new()) == NULL ||
387 	    (c->output = sshbuf_new()) == NULL ||
388 	    (c->extended = sshbuf_new()) == NULL)
389 		fatal("%s: sshbuf_new failed", __func__);
390 	c->ostate = CHAN_OUTPUT_OPEN;
391 	c->istate = CHAN_INPUT_OPEN;
392 	channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, 0);
393 	c->self = found;
394 	c->type = type;
395 	c->ctype = ctype;
396 	c->local_window = window;
397 	c->local_window_max = window;
398 	c->local_maxpacket = maxpack;
399 	c->remote_name = xstrdup(remote_name);
400 	c->ctl_chan = -1;
401 	c->delayed = 1;		/* prevent call to channel_post handler */
402 	TAILQ_INIT(&c->status_confirms);
403 	debug("channel %d: new [%s]", found, remote_name);
404 	return c;
405 }
406 
407 static void
408 channel_find_maxfd(struct ssh_channels *sc)
409 {
410 	u_int i;
411 	int max = 0;
412 	Channel *c;
413 
414 	for (i = 0; i < sc->channels_alloc; i++) {
415 		c = sc->channels[i];
416 		if (c != NULL) {
417 			max = MAXIMUM(max, c->rfd);
418 			max = MAXIMUM(max, c->wfd);
419 			max = MAXIMUM(max, c->efd);
420 		}
421 	}
422 	sc->channel_max_fd = max;
423 }
424 
425 int
426 channel_close_fd(struct ssh *ssh, int *fdp)
427 {
428 	struct ssh_channels *sc = ssh->chanctxt;
429 	int ret = 0, fd = *fdp;
430 
431 	if (fd != -1) {
432 		ret = close(fd);
433 		*fdp = -1;
434 		if (fd == sc->channel_max_fd)
435 			channel_find_maxfd(sc);
436 	}
437 	return ret;
438 }
439 
440 /* Close all channel fd/socket. */
441 static void
442 channel_close_fds(struct ssh *ssh, Channel *c)
443 {
444 	int sock = c->sock, rfd = c->rfd, wfd = c->wfd, efd = c->efd;
445 
446 	channel_close_fd(ssh, &c->sock);
447 	if (rfd != sock)
448 		channel_close_fd(ssh, &c->rfd);
449 	if (wfd != sock && wfd != rfd)
450 		channel_close_fd(ssh, &c->wfd);
451 	if (efd != sock && efd != rfd && efd != wfd)
452 		channel_close_fd(ssh, &c->efd);
453 }
454 
455 static void
456 fwd_perm_clear(struct permission *perm)
457 {
458 	free(perm->host_to_connect);
459 	free(perm->listen_host);
460 	free(perm->listen_path);
461 	bzero(perm, sizeof(*perm));
462 }
463 
464 /* Returns an printable name for the specified forwarding permission list */
465 static const char *
466 fwd_ident(int who, int where)
467 {
468 	if (who == FORWARD_ADM) {
469 		if (where == FORWARD_LOCAL)
470 			return "admin local";
471 		else if (where == FORWARD_REMOTE)
472 			return "admin remote";
473 	} else if (who == FORWARD_USER) {
474 		if (where == FORWARD_LOCAL)
475 			return "user local";
476 		else if (where == FORWARD_REMOTE)
477 			return "user remote";
478 	}
479 	fatal("Unknown forward permission list %d/%d", who, where);
480 }
481 
482 /* Returns the forwarding permission list for the specified direction */
483 static struct permission_set *
484 permission_set_get(struct ssh *ssh, int where)
485 {
486 	struct ssh_channels *sc = ssh->chanctxt;
487 
488 	switch (where) {
489 	case FORWARD_LOCAL:
490 		return &sc->local_perms;
491 		break;
492 	case FORWARD_REMOTE:
493 		return &sc->remote_perms;
494 		break;
495 	default:
496 		fatal("%s: invalid forwarding direction %d", __func__, where);
497 	}
498 }
499 
500 /* Reutrns pointers to the specified forwarding list and its element count */
501 static void
502 permission_set_get_array(struct ssh *ssh, int who, int where,
503     struct permission ***permpp, u_int **npermpp)
504 {
505 	struct permission_set *pset = permission_set_get(ssh, where);
506 
507 	switch (who) {
508 	case FORWARD_USER:
509 		*permpp = &pset->permitted_user;
510 		*npermpp = &pset->num_permitted_user;
511 		break;
512 	case FORWARD_ADM:
513 		*permpp = &pset->permitted_admin;
514 		*npermpp = &pset->num_permitted_admin;
515 		break;
516 	default:
517 		fatal("%s: invalid forwarding client %d", __func__, who);
518 	}
519 }
520 
521 /* Adds an entry to the spcified forwarding list */
522 static int
523 permission_set_add(struct ssh *ssh, int who, int where,
524     const char *host_to_connect, int port_to_connect,
525     const char *listen_host, const char *listen_path, int listen_port,
526     Channel *downstream)
527 {
528 	struct permission **permp;
529 	u_int n, *npermp;
530 
531 	permission_set_get_array(ssh, who, where, &permp, &npermp);
532 
533 	if (*npermp >= INT_MAX)
534 		fatal("%s: %s overflow", __func__, fwd_ident(who, where));
535 
536 	*permp = xrecallocarray(*permp, *npermp, *npermp + 1, sizeof(**permp));
537 	n = (*npermp)++;
538 #define MAYBE_DUP(s) ((s == NULL) ? NULL : xstrdup(s))
539 	(*permp)[n].host_to_connect = MAYBE_DUP(host_to_connect);
540 	(*permp)[n].port_to_connect = port_to_connect;
541 	(*permp)[n].listen_host = MAYBE_DUP(listen_host);
542 	(*permp)[n].listen_path = MAYBE_DUP(listen_path);
543 	(*permp)[n].listen_port = listen_port;
544 	(*permp)[n].downstream = downstream;
545 #undef MAYBE_DUP
546 	return (int)n;
547 }
548 
549 static void
550 mux_remove_remote_forwardings(struct ssh *ssh, Channel *c)
551 {
552 	struct ssh_channels *sc = ssh->chanctxt;
553 	struct permission_set *pset = &sc->local_perms;
554 	struct permission *perm;
555 	int r;
556 	u_int i;
557 
558 	for (i = 0; i < pset->num_permitted_user; i++) {
559 		perm = &pset->permitted_user[i];
560 		if (perm->downstream != c)
561 			continue;
562 
563 		/* cancel on the server, since mux client is gone */
564 		debug("channel %d: cleanup remote forward for %s:%u",
565 		    c->self, perm->listen_host, perm->listen_port);
566 		if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
567 		    (r = sshpkt_put_cstring(ssh,
568 		    "cancel-tcpip-forward")) != 0 ||
569 		    (r = sshpkt_put_u8(ssh, 0)) != 0 ||
570 		    (r = sshpkt_put_cstring(ssh,
571 		    channel_rfwd_bind_host(perm->listen_host))) != 0 ||
572 		    (r = sshpkt_put_u32(ssh, perm->listen_port)) != 0 ||
573 		    (r = sshpkt_send(ssh)) != 0) {
574 			fatal("%s: channel %i: %s", __func__,
575 			    c->self, ssh_err(r));
576 		}
577 		fwd_perm_clear(perm); /* unregister */
578 	}
579 }
580 
581 /* Free the channel and close its fd/socket. */
582 void
583 channel_free(struct ssh *ssh, Channel *c)
584 {
585 	struct ssh_channels *sc = ssh->chanctxt;
586 	char *s;
587 	u_int i, n;
588 	Channel *other;
589 	struct channel_confirm *cc;
590 
591 	for (n = 0, i = 0; i < sc->channels_alloc; i++) {
592 		if ((other = sc->channels[i]) == NULL)
593 			continue;
594 		n++;
595 		/* detach from mux client and prepare for closing */
596 		if (c->type == SSH_CHANNEL_MUX_CLIENT &&
597 		    other->type == SSH_CHANNEL_MUX_PROXY &&
598 		    other->mux_ctx == c) {
599 			other->mux_ctx = NULL;
600 			other->type = SSH_CHANNEL_OPEN;
601 			other->istate = CHAN_INPUT_CLOSED;
602 			other->ostate = CHAN_OUTPUT_CLOSED;
603 		}
604 	}
605 	debug("channel %d: free: %s, nchannels %u", c->self,
606 	    c->remote_name ? c->remote_name : "???", n);
607 
608 	if (c->type == SSH_CHANNEL_MUX_CLIENT)
609 		mux_remove_remote_forwardings(ssh, c);
610 
611 	if (log_level_get() >= SYSLOG_LEVEL_DEBUG3) {
612 		s = channel_open_message(ssh);
613 		debug3("channel %d: status: %s", c->self, s);
614 		free(s);
615 	}
616 
617 	channel_close_fds(ssh, c);
618 	sshbuf_free(c->input);
619 	sshbuf_free(c->output);
620 	sshbuf_free(c->extended);
621 	c->input = c->output = c->extended = NULL;
622 	free(c->remote_name);
623 	c->remote_name = NULL;
624 	free(c->path);
625 	c->path = NULL;
626 	free(c->listening_addr);
627 	c->listening_addr = NULL;
628 	while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
629 		if (cc->abandon_cb != NULL)
630 			cc->abandon_cb(ssh, c, cc->ctx);
631 		TAILQ_REMOVE(&c->status_confirms, cc, entry);
632 		explicit_bzero(cc, sizeof(*cc));
633 		free(cc);
634 	}
635 	if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
636 		c->filter_cleanup(ssh, c->self, c->filter_ctx);
637 	sc->channels[c->self] = NULL;
638 	explicit_bzero(c, sizeof(*c));
639 	free(c);
640 }
641 
642 void
643 channel_free_all(struct ssh *ssh)
644 {
645 	u_int i;
646 
647 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
648 		if (ssh->chanctxt->channels[i] != NULL)
649 			channel_free(ssh, ssh->chanctxt->channels[i]);
650 }
651 
652 /*
653  * Closes the sockets/fds of all channels.  This is used to close extra file
654  * descriptors after a fork.
655  */
656 void
657 channel_close_all(struct ssh *ssh)
658 {
659 	u_int i;
660 
661 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++)
662 		if (ssh->chanctxt->channels[i] != NULL)
663 			channel_close_fds(ssh, ssh->chanctxt->channels[i]);
664 }
665 
666 /*
667  * Stop listening to channels.
668  */
669 void
670 channel_stop_listening(struct ssh *ssh)
671 {
672 	u_int i;
673 	Channel *c;
674 
675 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
676 		c = ssh->chanctxt->channels[i];
677 		if (c != NULL) {
678 			switch (c->type) {
679 			case SSH_CHANNEL_AUTH_SOCKET:
680 			case SSH_CHANNEL_PORT_LISTENER:
681 			case SSH_CHANNEL_RPORT_LISTENER:
682 			case SSH_CHANNEL_X11_LISTENER:
683 			case SSH_CHANNEL_UNIX_LISTENER:
684 			case SSH_CHANNEL_RUNIX_LISTENER:
685 				channel_close_fd(ssh, &c->sock);
686 				channel_free(ssh, c);
687 				break;
688 			}
689 		}
690 	}
691 }
692 
693 /*
694  * Returns true if no channel has too much buffered data, and false if one or
695  * more channel is overfull.
696  */
697 int
698 channel_not_very_much_buffered_data(struct ssh *ssh)
699 {
700 	u_int i;
701 	u_int maxsize = ssh_packet_get_maxsize(ssh);
702 	Channel *c;
703 
704 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
705 		c = ssh->chanctxt->channels[i];
706 		if (c == NULL || c->type != SSH_CHANNEL_OPEN)
707 			continue;
708 		if (sshbuf_len(c->output) > maxsize) {
709 			debug2("channel %d: big output buffer %zu > %u",
710 			    c->self, sshbuf_len(c->output), maxsize);
711 			return 0;
712 		}
713 	}
714 	return 1;
715 }
716 
717 /* Returns true if any channel is still open. */
718 int
719 channel_still_open(struct ssh *ssh)
720 {
721 	u_int i;
722 	Channel *c;
723 
724 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
725 		c = ssh->chanctxt->channels[i];
726 		if (c == NULL)
727 			continue;
728 		switch (c->type) {
729 		case SSH_CHANNEL_X11_LISTENER:
730 		case SSH_CHANNEL_PORT_LISTENER:
731 		case SSH_CHANNEL_RPORT_LISTENER:
732 		case SSH_CHANNEL_MUX_LISTENER:
733 		case SSH_CHANNEL_CLOSED:
734 		case SSH_CHANNEL_AUTH_SOCKET:
735 		case SSH_CHANNEL_DYNAMIC:
736 		case SSH_CHANNEL_RDYNAMIC_OPEN:
737 		case SSH_CHANNEL_CONNECTING:
738 		case SSH_CHANNEL_ZOMBIE:
739 		case SSH_CHANNEL_ABANDONED:
740 		case SSH_CHANNEL_UNIX_LISTENER:
741 		case SSH_CHANNEL_RUNIX_LISTENER:
742 			continue;
743 		case SSH_CHANNEL_LARVAL:
744 			continue;
745 		case SSH_CHANNEL_OPENING:
746 		case SSH_CHANNEL_OPEN:
747 		case SSH_CHANNEL_RDYNAMIC_FINISH:
748 		case SSH_CHANNEL_X11_OPEN:
749 		case SSH_CHANNEL_MUX_CLIENT:
750 		case SSH_CHANNEL_MUX_PROXY:
751 			return 1;
752 		default:
753 			fatal("%s: bad channel type %d", __func__, c->type);
754 			/* NOTREACHED */
755 		}
756 	}
757 	return 0;
758 }
759 
760 /* Returns the id of an open channel suitable for keepaliving */
761 int
762 channel_find_open(struct ssh *ssh)
763 {
764 	u_int i;
765 	Channel *c;
766 
767 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
768 		c = ssh->chanctxt->channels[i];
769 		if (c == NULL || !c->have_remote_id)
770 			continue;
771 		switch (c->type) {
772 		case SSH_CHANNEL_CLOSED:
773 		case SSH_CHANNEL_DYNAMIC:
774 		case SSH_CHANNEL_RDYNAMIC_OPEN:
775 		case SSH_CHANNEL_RDYNAMIC_FINISH:
776 		case SSH_CHANNEL_X11_LISTENER:
777 		case SSH_CHANNEL_PORT_LISTENER:
778 		case SSH_CHANNEL_RPORT_LISTENER:
779 		case SSH_CHANNEL_MUX_LISTENER:
780 		case SSH_CHANNEL_MUX_CLIENT:
781 		case SSH_CHANNEL_MUX_PROXY:
782 		case SSH_CHANNEL_OPENING:
783 		case SSH_CHANNEL_CONNECTING:
784 		case SSH_CHANNEL_ZOMBIE:
785 		case SSH_CHANNEL_ABANDONED:
786 		case SSH_CHANNEL_UNIX_LISTENER:
787 		case SSH_CHANNEL_RUNIX_LISTENER:
788 			continue;
789 		case SSH_CHANNEL_LARVAL:
790 		case SSH_CHANNEL_AUTH_SOCKET:
791 		case SSH_CHANNEL_OPEN:
792 		case SSH_CHANNEL_X11_OPEN:
793 			return i;
794 		default:
795 			fatal("%s: bad channel type %d", __func__, c->type);
796 			/* NOTREACHED */
797 		}
798 	}
799 	return -1;
800 }
801 
802 /*
803  * Returns a message describing the currently open forwarded connections,
804  * suitable for sending to the client.  The message contains crlf pairs for
805  * newlines.
806  */
807 char *
808 channel_open_message(struct ssh *ssh)
809 {
810 	struct sshbuf *buf;
811 	Channel *c;
812 	u_int i;
813 	int r;
814 	char *ret;
815 
816 	if ((buf = sshbuf_new()) == NULL)
817 		fatal("%s: sshbuf_new", __func__);
818 	if ((r = sshbuf_putf(buf,
819 	    "The following connections are open:\r\n")) != 0)
820 		fatal("%s: sshbuf_putf: %s", __func__, ssh_err(r));
821 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
822 		c = ssh->chanctxt->channels[i];
823 		if (c == NULL)
824 			continue;
825 		switch (c->type) {
826 		case SSH_CHANNEL_X11_LISTENER:
827 		case SSH_CHANNEL_PORT_LISTENER:
828 		case SSH_CHANNEL_RPORT_LISTENER:
829 		case SSH_CHANNEL_CLOSED:
830 		case SSH_CHANNEL_AUTH_SOCKET:
831 		case SSH_CHANNEL_ZOMBIE:
832 		case SSH_CHANNEL_ABANDONED:
833 		case SSH_CHANNEL_MUX_LISTENER:
834 		case SSH_CHANNEL_UNIX_LISTENER:
835 		case SSH_CHANNEL_RUNIX_LISTENER:
836 			continue;
837 		case SSH_CHANNEL_LARVAL:
838 		case SSH_CHANNEL_OPENING:
839 		case SSH_CHANNEL_CONNECTING:
840 		case SSH_CHANNEL_DYNAMIC:
841 		case SSH_CHANNEL_RDYNAMIC_OPEN:
842 		case SSH_CHANNEL_RDYNAMIC_FINISH:
843 		case SSH_CHANNEL_OPEN:
844 		case SSH_CHANNEL_X11_OPEN:
845 		case SSH_CHANNEL_MUX_PROXY:
846 		case SSH_CHANNEL_MUX_CLIENT:
847 			if ((r = sshbuf_putf(buf, "  #%d %.300s "
848 			    "(t%d %s%u i%u/%zu o%u/%zu fd %d/%d cc %d)\r\n",
849 			    c->self, c->remote_name,
850 			    c->type,
851 			    c->have_remote_id ? "r" : "nr", c->remote_id,
852 			    c->istate, sshbuf_len(c->input),
853 			    c->ostate, sshbuf_len(c->output),
854 			    c->rfd, c->wfd, c->ctl_chan)) != 0)
855 				fatal("%s: sshbuf_putf: %s",
856 				    __func__, ssh_err(r));
857 			continue;
858 		default:
859 			fatal("%s: bad channel type %d", __func__, c->type);
860 			/* NOTREACHED */
861 		}
862 	}
863 	if ((ret = sshbuf_dup_string(buf)) == NULL)
864 		fatal("%s: sshbuf_dup_string", __func__);
865 	sshbuf_free(buf);
866 	return ret;
867 }
868 
869 static void
870 open_preamble(struct ssh *ssh, const char *where, Channel *c, const char *type)
871 {
872 	int r;
873 
874 	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN)) != 0 ||
875 	    (r = sshpkt_put_cstring(ssh, type)) != 0 ||
876 	    (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
877 	    (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
878 	    (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
879 		fatal("%s: channel %i: open: %s", where, c->self, ssh_err(r));
880 	}
881 }
882 
883 void
884 channel_send_open(struct ssh *ssh, int id)
885 {
886 	Channel *c = channel_lookup(ssh, id);
887 	int r;
888 
889 	if (c == NULL) {
890 		logit("channel_send_open: %d: bad id", id);
891 		return;
892 	}
893 	debug2("channel %d: send open", id);
894 	open_preamble(ssh, __func__, c, c->ctype);
895 	if ((r = sshpkt_send(ssh)) != 0)
896 		fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
897 }
898 
899 void
900 channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
901 {
902 	Channel *c = channel_lookup(ssh, id);
903 	int r;
904 
905 	if (c == NULL) {
906 		logit("%s: %d: unknown channel id", __func__, id);
907 		return;
908 	}
909 	if (!c->have_remote_id)
910 		fatal(":%s: channel %d: no remote id", __func__, c->self);
911 
912 	debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
913 	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_REQUEST)) != 0 ||
914 	    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
915 	    (r = sshpkt_put_cstring(ssh, service)) != 0 ||
916 	    (r = sshpkt_put_u8(ssh, wantconfirm)) != 0) {
917 		fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
918 	}
919 }
920 
921 void
922 channel_register_status_confirm(struct ssh *ssh, int id,
923     channel_confirm_cb *cb, channel_confirm_abandon_cb *abandon_cb, void *ctx)
924 {
925 	struct channel_confirm *cc;
926 	Channel *c;
927 
928 	if ((c = channel_lookup(ssh, id)) == NULL)
929 		fatal("%s: %d: bad id", __func__, id);
930 
931 	cc = xcalloc(1, sizeof(*cc));
932 	cc->cb = cb;
933 	cc->abandon_cb = abandon_cb;
934 	cc->ctx = ctx;
935 	TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
936 }
937 
938 void
939 channel_register_open_confirm(struct ssh *ssh, int id,
940     channel_open_fn *fn, void *ctx)
941 {
942 	Channel *c = channel_lookup(ssh, id);
943 
944 	if (c == NULL) {
945 		logit("%s: %d: bad id", __func__, id);
946 		return;
947 	}
948 	c->open_confirm = fn;
949 	c->open_confirm_ctx = ctx;
950 }
951 
952 void
953 channel_register_cleanup(struct ssh *ssh, int id,
954     channel_callback_fn *fn, int do_close)
955 {
956 	Channel *c = channel_by_id(ssh, id);
957 
958 	if (c == NULL) {
959 		logit("%s: %d: bad id", __func__, id);
960 		return;
961 	}
962 	c->detach_user = fn;
963 	c->detach_close = do_close;
964 }
965 
966 void
967 channel_cancel_cleanup(struct ssh *ssh, int id)
968 {
969 	Channel *c = channel_by_id(ssh, id);
970 
971 	if (c == NULL) {
972 		logit("%s: %d: bad id", __func__, id);
973 		return;
974 	}
975 	c->detach_user = NULL;
976 	c->detach_close = 0;
977 }
978 
979 void
980 channel_register_filter(struct ssh *ssh, int id, channel_infilter_fn *ifn,
981     channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
982 {
983 	Channel *c = channel_lookup(ssh, id);
984 
985 	if (c == NULL) {
986 		logit("%s: %d: bad id", __func__, id);
987 		return;
988 	}
989 	c->input_filter = ifn;
990 	c->output_filter = ofn;
991 	c->filter_ctx = ctx;
992 	c->filter_cleanup = cfn;
993 }
994 
995 void
996 channel_set_fds(struct ssh *ssh, int id, int rfd, int wfd, int efd,
997     int extusage, int nonblock, int is_tty, u_int window_max)
998 {
999 	Channel *c = channel_lookup(ssh, id);
1000 	int r;
1001 
1002 	if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
1003 		fatal("channel_activate for non-larval channel %d.", id);
1004 	if (!c->have_remote_id)
1005 		fatal(":%s: channel %d: no remote id", __func__, c->self);
1006 
1007 	channel_register_fds(ssh, c, rfd, wfd, efd, extusage, nonblock, is_tty);
1008 	c->type = SSH_CHANNEL_OPEN;
1009 	c->local_window = c->local_window_max = window_max;
1010 
1011 	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
1012 	    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1013 	    (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1014 	    (r = sshpkt_send(ssh)) != 0)
1015 		fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
1016 }
1017 
1018 static void
1019 channel_pre_listener(struct ssh *ssh, Channel *c,
1020     fd_set *readset, fd_set *writeset)
1021 {
1022 	FD_SET(c->sock, readset);
1023 }
1024 
1025 static void
1026 channel_pre_connecting(struct ssh *ssh, Channel *c,
1027     fd_set *readset, fd_set *writeset)
1028 {
1029 	debug3("channel %d: waiting for connection", c->self);
1030 	FD_SET(c->sock, writeset);
1031 }
1032 
1033 static void
1034 channel_pre_open(struct ssh *ssh, Channel *c,
1035     fd_set *readset, fd_set *writeset)
1036 {
1037 	if (c->istate == CHAN_INPUT_OPEN &&
1038 	    c->remote_window > 0 &&
1039 	    sshbuf_len(c->input) < c->remote_window &&
1040 	    sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1041 		FD_SET(c->rfd, readset);
1042 	if (c->ostate == CHAN_OUTPUT_OPEN ||
1043 	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1044 		if (sshbuf_len(c->output) > 0) {
1045 			FD_SET(c->wfd, writeset);
1046 		} else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1047 			if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
1048 				debug2("channel %d: "
1049 				    "obuf_empty delayed efd %d/(%zu)", c->self,
1050 				    c->efd, sshbuf_len(c->extended));
1051 			else
1052 				chan_obuf_empty(ssh, c);
1053 		}
1054 	}
1055 	/** XXX check close conditions, too */
1056 	if (c->efd != -1 && !(c->istate == CHAN_INPUT_CLOSED &&
1057 	    c->ostate == CHAN_OUTPUT_CLOSED)) {
1058 		if (c->extended_usage == CHAN_EXTENDED_WRITE &&
1059 		    sshbuf_len(c->extended) > 0)
1060 			FD_SET(c->efd, writeset);
1061 		else if (c->efd != -1 && !(c->flags & CHAN_EOF_SENT) &&
1062 		    (c->extended_usage == CHAN_EXTENDED_READ ||
1063 		    c->extended_usage == CHAN_EXTENDED_IGNORE) &&
1064 		    sshbuf_len(c->extended) < c->remote_window)
1065 			FD_SET(c->efd, readset);
1066 	}
1067 	/* XXX: What about efd? races? */
1068 }
1069 
1070 /*
1071  * This is a special state for X11 authentication spoofing.  An opened X11
1072  * connection (when authentication spoofing is being done) remains in this
1073  * state until the first packet has been completely read.  The authentication
1074  * data in that packet is then substituted by the real data if it matches the
1075  * fake data, and the channel is put into normal mode.
1076  * XXX All this happens at the client side.
1077  * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
1078  */
1079 static int
1080 x11_open_helper(struct ssh *ssh, struct sshbuf *b)
1081 {
1082 	struct ssh_channels *sc = ssh->chanctxt;
1083 	u_char *ucp;
1084 	u_int proto_len, data_len;
1085 
1086 	/* Is this being called after the refusal deadline? */
1087 	if (sc->x11_refuse_time != 0 &&
1088 	    (u_int)monotime() >= sc->x11_refuse_time) {
1089 		verbose("Rejected X11 connection after ForwardX11Timeout "
1090 		    "expired");
1091 		return -1;
1092 	}
1093 
1094 	/* Check if the fixed size part of the packet is in buffer. */
1095 	if (sshbuf_len(b) < 12)
1096 		return 0;
1097 
1098 	/* Parse the lengths of variable-length fields. */
1099 	ucp = sshbuf_mutable_ptr(b);
1100 	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
1101 		proto_len = 256 * ucp[6] + ucp[7];
1102 		data_len = 256 * ucp[8] + ucp[9];
1103 	} else if (ucp[0] == 0x6c) {	/* Byte order LSB first. */
1104 		proto_len = ucp[6] + 256 * ucp[7];
1105 		data_len = ucp[8] + 256 * ucp[9];
1106 	} else {
1107 		debug2("Initial X11 packet contains bad byte order byte: 0x%x",
1108 		    ucp[0]);
1109 		return -1;
1110 	}
1111 
1112 	/* Check if the whole packet is in buffer. */
1113 	if (sshbuf_len(b) <
1114 	    12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
1115 		return 0;
1116 
1117 	/* Check if authentication protocol matches. */
1118 	if (proto_len != strlen(sc->x11_saved_proto) ||
1119 	    memcmp(ucp + 12, sc->x11_saved_proto, proto_len) != 0) {
1120 		debug2("X11 connection uses different authentication protocol.");
1121 		return -1;
1122 	}
1123 	/* Check if authentication data matches our fake data. */
1124 	if (data_len != sc->x11_fake_data_len ||
1125 	    timingsafe_bcmp(ucp + 12 + ((proto_len + 3) & ~3),
1126 		sc->x11_fake_data, sc->x11_fake_data_len) != 0) {
1127 		debug2("X11 auth data does not match fake data.");
1128 		return -1;
1129 	}
1130 	/* Check fake data length */
1131 	if (sc->x11_fake_data_len != sc->x11_saved_data_len) {
1132 		error("X11 fake_data_len %d != saved_data_len %d",
1133 		    sc->x11_fake_data_len, sc->x11_saved_data_len);
1134 		return -1;
1135 	}
1136 	/*
1137 	 * Received authentication protocol and data match
1138 	 * our fake data. Substitute the fake data with real
1139 	 * data.
1140 	 */
1141 	memcpy(ucp + 12 + ((proto_len + 3) & ~3),
1142 	    sc->x11_saved_data, sc->x11_saved_data_len);
1143 	return 1;
1144 }
1145 
1146 static void
1147 channel_pre_x11_open(struct ssh *ssh, Channel *c,
1148     fd_set *readset, fd_set *writeset)
1149 {
1150 	int ret = x11_open_helper(ssh, c->output);
1151 
1152 	/* c->force_drain = 1; */
1153 
1154 	if (ret == 1) {
1155 		c->type = SSH_CHANNEL_OPEN;
1156 		channel_pre_open(ssh, c, readset, writeset);
1157 	} else if (ret == -1) {
1158 		logit("X11 connection rejected because of wrong authentication.");
1159 		debug2("X11 rejected %d i%d/o%d",
1160 		    c->self, c->istate, c->ostate);
1161 		chan_read_failed(ssh, c);
1162 		sshbuf_reset(c->input);
1163 		chan_ibuf_empty(ssh, c);
1164 		sshbuf_reset(c->output);
1165 		chan_write_failed(ssh, c);
1166 		debug2("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
1167 	}
1168 }
1169 
1170 static void
1171 channel_pre_mux_client(struct ssh *ssh,
1172     Channel *c, fd_set *readset, fd_set *writeset)
1173 {
1174 	if (c->istate == CHAN_INPUT_OPEN && !c->mux_pause &&
1175 	    sshbuf_check_reserve(c->input, CHAN_RBUF) == 0)
1176 		FD_SET(c->rfd, readset);
1177 	if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
1178 		/* clear buffer immediately (discard any partial packet) */
1179 		sshbuf_reset(c->input);
1180 		chan_ibuf_empty(ssh, c);
1181 		/* Start output drain. XXX just kill chan? */
1182 		chan_rcvd_oclose(ssh, c);
1183 	}
1184 	if (c->ostate == CHAN_OUTPUT_OPEN ||
1185 	    c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
1186 		if (sshbuf_len(c->output) > 0)
1187 			FD_SET(c->wfd, writeset);
1188 		else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN)
1189 			chan_obuf_empty(ssh, c);
1190 	}
1191 }
1192 
1193 /* try to decode a socks4 header */
1194 static int
1195 channel_decode_socks4(Channel *c, struct sshbuf *input, struct sshbuf *output)
1196 {
1197 	const u_char *p;
1198 	char *host;
1199 	u_int len, have, i, found, need;
1200 	char username[256];
1201 	struct {
1202 		u_int8_t version;
1203 		u_int8_t command;
1204 		u_int16_t dest_port;
1205 		struct in_addr dest_addr;
1206 	} s4_req, s4_rsp;
1207 	int r;
1208 
1209 	debug2("channel %d: decode socks4", c->self);
1210 
1211 	have = sshbuf_len(input);
1212 	len = sizeof(s4_req);
1213 	if (have < len)
1214 		return 0;
1215 	p = sshbuf_ptr(input);
1216 
1217 	need = 1;
1218 	/* SOCKS4A uses an invalid IP address 0.0.0.x */
1219 	if (p[4] == 0 && p[5] == 0 && p[6] == 0 && p[7] != 0) {
1220 		debug2("channel %d: socks4a request", c->self);
1221 		/* ... and needs an extra string (the hostname) */
1222 		need = 2;
1223 	}
1224 	/* Check for terminating NUL on the string(s) */
1225 	for (found = 0, i = len; i < have; i++) {
1226 		if (p[i] == '\0') {
1227 			found++;
1228 			if (found == need)
1229 				break;
1230 		}
1231 		if (i > 1024) {
1232 			/* the peer is probably sending garbage */
1233 			debug("channel %d: decode socks4: too long",
1234 			    c->self);
1235 			return -1;
1236 		}
1237 	}
1238 	if (found < need)
1239 		return 0;
1240 	if ((r = sshbuf_get(input, &s4_req.version, 1)) != 0 ||
1241 	    (r = sshbuf_get(input, &s4_req.command, 1)) != 0 ||
1242 	    (r = sshbuf_get(input, &s4_req.dest_port, 2)) != 0 ||
1243 	    (r = sshbuf_get(input, &s4_req.dest_addr, 4)) != 0) {
1244 		debug("channels %d: decode socks4: %s", c->self, ssh_err(r));
1245 		return -1;
1246 	}
1247 	have = sshbuf_len(input);
1248 	p = sshbuf_ptr(input);
1249 	if (memchr(p, '\0', have) == NULL) {
1250 		error("channel %d: decode socks4: user not nul terminated",
1251 		    c->self);
1252 		return -1;
1253 	}
1254 	len = strlen(p);
1255 	debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
1256 	len++; /* trailing '\0' */
1257 	strlcpy(username, p, sizeof(username));
1258 	if ((r = sshbuf_consume(input, len)) != 0) {
1259 		fatal("%s: channel %d: consume: %s", __func__,
1260 		    c->self, ssh_err(r));
1261 	}
1262 	free(c->path);
1263 	c->path = NULL;
1264 	if (need == 1) {			/* SOCKS4: one string */
1265 		host = inet_ntoa(s4_req.dest_addr);
1266 		c->path = xstrdup(host);
1267 	} else {				/* SOCKS4A: two strings */
1268 		have = sshbuf_len(input);
1269 		p = sshbuf_ptr(input);
1270 		if (memchr(p, '\0', have) == NULL) {
1271 			error("channel %d: decode socks4a: host not nul "
1272 			    "terminated", c->self);
1273 			return -1;
1274 		}
1275 		len = strlen(p);
1276 		debug2("channel %d: decode socks4a: host %s/%d",
1277 		    c->self, p, len);
1278 		len++;				/* trailing '\0' */
1279 		if (len > NI_MAXHOST) {
1280 			error("channel %d: hostname \"%.100s\" too long",
1281 			    c->self, p);
1282 			return -1;
1283 		}
1284 		c->path = xstrdup(p);
1285 		if ((r = sshbuf_consume(input, len)) != 0) {
1286 			fatal("%s: channel %d: consume: %s", __func__,
1287 			    c->self, ssh_err(r));
1288 		}
1289 	}
1290 	c->host_port = ntohs(s4_req.dest_port);
1291 
1292 	debug2("channel %d: dynamic request: socks4 host %s port %u command %u",
1293 	    c->self, c->path, c->host_port, s4_req.command);
1294 
1295 	if (s4_req.command != 1) {
1296 		debug("channel %d: cannot handle: %s cn %d",
1297 		    c->self, need == 1 ? "SOCKS4" : "SOCKS4A", s4_req.command);
1298 		return -1;
1299 	}
1300 	s4_rsp.version = 0;			/* vn: 0 for reply */
1301 	s4_rsp.command = 90;			/* cd: req granted */
1302 	s4_rsp.dest_port = 0;			/* ignored */
1303 	s4_rsp.dest_addr.s_addr = INADDR_ANY;	/* ignored */
1304 	if ((r = sshbuf_put(output, &s4_rsp, sizeof(s4_rsp))) != 0) {
1305 		fatal("%s: channel %d: append reply: %s", __func__,
1306 		    c->self, ssh_err(r));
1307 	}
1308 	return 1;
1309 }
1310 
1311 /* try to decode a socks5 header */
1312 #define SSH_SOCKS5_AUTHDONE	0x1000
1313 #define SSH_SOCKS5_NOAUTH	0x00
1314 #define SSH_SOCKS5_IPV4		0x01
1315 #define SSH_SOCKS5_DOMAIN	0x03
1316 #define SSH_SOCKS5_IPV6		0x04
1317 #define SSH_SOCKS5_CONNECT	0x01
1318 #define SSH_SOCKS5_SUCCESS	0x00
1319 
1320 static int
1321 channel_decode_socks5(Channel *c, struct sshbuf *input, struct sshbuf *output)
1322 {
1323 	/* XXX use get/put_u8 instead of trusting struct padding */
1324 	struct {
1325 		u_int8_t version;
1326 		u_int8_t command;
1327 		u_int8_t reserved;
1328 		u_int8_t atyp;
1329 	} s5_req, s5_rsp;
1330 	u_int16_t dest_port;
1331 	char dest_addr[255+1], ntop[INET6_ADDRSTRLEN];
1332 	const u_char *p;
1333 	u_int have, need, i, found, nmethods, addrlen, af;
1334 	int r;
1335 
1336 	debug2("channel %d: decode socks5", c->self);
1337 	p = sshbuf_ptr(input);
1338 	if (p[0] != 0x05)
1339 		return -1;
1340 	have = sshbuf_len(input);
1341 	if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
1342 		/* format: ver | nmethods | methods */
1343 		if (have < 2)
1344 			return 0;
1345 		nmethods = p[1];
1346 		if (have < nmethods + 2)
1347 			return 0;
1348 		/* look for method: "NO AUTHENTICATION REQUIRED" */
1349 		for (found = 0, i = 2; i < nmethods + 2; i++) {
1350 			if (p[i] == SSH_SOCKS5_NOAUTH) {
1351 				found = 1;
1352 				break;
1353 			}
1354 		}
1355 		if (!found) {
1356 			debug("channel %d: method SSH_SOCKS5_NOAUTH not found",
1357 			    c->self);
1358 			return -1;
1359 		}
1360 		if ((r = sshbuf_consume(input, nmethods + 2)) != 0) {
1361 			fatal("%s: channel %d: consume: %s", __func__,
1362 			    c->self, ssh_err(r));
1363 		}
1364 		/* version, method */
1365 		if ((r = sshbuf_put_u8(output, 0x05)) != 0 ||
1366 		    (r = sshbuf_put_u8(output, SSH_SOCKS5_NOAUTH)) != 0) {
1367 			fatal("%s: channel %d: append reply: %s", __func__,
1368 			    c->self, ssh_err(r));
1369 		}
1370 		c->flags |= SSH_SOCKS5_AUTHDONE;
1371 		debug2("channel %d: socks5 auth done", c->self);
1372 		return 0;				/* need more */
1373 	}
1374 	debug2("channel %d: socks5 post auth", c->self);
1375 	if (have < sizeof(s5_req)+1)
1376 		return 0;			/* need more */
1377 	memcpy(&s5_req, p, sizeof(s5_req));
1378 	if (s5_req.version != 0x05 ||
1379 	    s5_req.command != SSH_SOCKS5_CONNECT ||
1380 	    s5_req.reserved != 0x00) {
1381 		debug2("channel %d: only socks5 connect supported", c->self);
1382 		return -1;
1383 	}
1384 	switch (s5_req.atyp){
1385 	case SSH_SOCKS5_IPV4:
1386 		addrlen = 4;
1387 		af = AF_INET;
1388 		break;
1389 	case SSH_SOCKS5_DOMAIN:
1390 		addrlen = p[sizeof(s5_req)];
1391 		af = -1;
1392 		break;
1393 	case SSH_SOCKS5_IPV6:
1394 		addrlen = 16;
1395 		af = AF_INET6;
1396 		break;
1397 	default:
1398 		debug2("channel %d: bad socks5 atyp %d", c->self, s5_req.atyp);
1399 		return -1;
1400 	}
1401 	need = sizeof(s5_req) + addrlen + 2;
1402 	if (s5_req.atyp == SSH_SOCKS5_DOMAIN)
1403 		need++;
1404 	if (have < need)
1405 		return 0;
1406 	if ((r = sshbuf_consume(input, sizeof(s5_req))) != 0) {
1407 		fatal("%s: channel %d: consume: %s", __func__,
1408 		    c->self, ssh_err(r));
1409 	}
1410 	if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1411 		/* host string length */
1412 		if ((r = sshbuf_consume(input, 1)) != 0) {
1413 			fatal("%s: channel %d: consume: %s", __func__,
1414 			    c->self, ssh_err(r));
1415 		}
1416 	}
1417 	if ((r = sshbuf_get(input, &dest_addr, addrlen)) != 0 ||
1418 	    (r = sshbuf_get(input, &dest_port, 2)) != 0) {
1419 		debug("channel %d: parse addr/port: %s", c->self, ssh_err(r));
1420 		return -1;
1421 	}
1422 	dest_addr[addrlen] = '\0';
1423 	free(c->path);
1424 	c->path = NULL;
1425 	if (s5_req.atyp == SSH_SOCKS5_DOMAIN) {
1426 		if (addrlen >= NI_MAXHOST) {
1427 			error("channel %d: dynamic request: socks5 hostname "
1428 			    "\"%.100s\" too long", c->self, dest_addr);
1429 			return -1;
1430 		}
1431 		c->path = xstrdup(dest_addr);
1432 	} else {
1433 		if (inet_ntop(af, dest_addr, ntop, sizeof(ntop)) == NULL)
1434 			return -1;
1435 		c->path = xstrdup(ntop);
1436 	}
1437 	c->host_port = ntohs(dest_port);
1438 
1439 	debug2("channel %d: dynamic request: socks5 host %s port %u command %u",
1440 	    c->self, c->path, c->host_port, s5_req.command);
1441 
1442 	s5_rsp.version = 0x05;
1443 	s5_rsp.command = SSH_SOCKS5_SUCCESS;
1444 	s5_rsp.reserved = 0;			/* ignored */
1445 	s5_rsp.atyp = SSH_SOCKS5_IPV4;
1446 	dest_port = 0;				/* ignored */
1447 
1448 	if ((r = sshbuf_put(output, &s5_rsp, sizeof(s5_rsp))) != 0 ||
1449 	    (r = sshbuf_put_u32(output, ntohl(INADDR_ANY))) != 0 ||
1450 	    (r = sshbuf_put(output, &dest_port, sizeof(dest_port))) != 0)
1451 		fatal("%s: channel %d: append reply: %s", __func__,
1452 		    c->self, ssh_err(r));
1453 	return 1;
1454 }
1455 
1456 Channel *
1457 channel_connect_stdio_fwd(struct ssh *ssh,
1458     const char *host_to_connect, u_short port_to_connect, int in, int out)
1459 {
1460 	Channel *c;
1461 
1462 	debug("%s %s:%d", __func__, host_to_connect, port_to_connect);
1463 
1464 	c = channel_new(ssh, "stdio-forward", SSH_CHANNEL_OPENING, in, out,
1465 	    -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
1466 	    0, "stdio-forward", /*nonblock*/0);
1467 
1468 	c->path = xstrdup(host_to_connect);
1469 	c->host_port = port_to_connect;
1470 	c->listening_port = 0;
1471 	c->force_drain = 1;
1472 
1473 	channel_register_fds(ssh, c, in, out, -1, 0, 1, 0);
1474 	port_open_helper(ssh, c, "direct-tcpip");
1475 
1476 	return c;
1477 }
1478 
1479 /* dynamic port forwarding */
1480 static void
1481 channel_pre_dynamic(struct ssh *ssh, Channel *c,
1482     fd_set *readset, fd_set *writeset)
1483 {
1484 	const u_char *p;
1485 	u_int have;
1486 	int ret;
1487 
1488 	have = sshbuf_len(c->input);
1489 	debug2("channel %d: pre_dynamic: have %d", c->self, have);
1490 	/* sshbuf_dump(c->input, stderr); */
1491 	/* check if the fixed size part of the packet is in buffer. */
1492 	if (have < 3) {
1493 		/* need more */
1494 		FD_SET(c->sock, readset);
1495 		return;
1496 	}
1497 	/* try to guess the protocol */
1498 	p = sshbuf_ptr(c->input);
1499 	/* XXX sshbuf_peek_u8? */
1500 	switch (p[0]) {
1501 	case 0x04:
1502 		ret = channel_decode_socks4(c, c->input, c->output);
1503 		break;
1504 	case 0x05:
1505 		ret = channel_decode_socks5(c, c->input, c->output);
1506 		break;
1507 	default:
1508 		ret = -1;
1509 		break;
1510 	}
1511 	if (ret < 0) {
1512 		chan_mark_dead(ssh, c);
1513 	} else if (ret == 0) {
1514 		debug2("channel %d: pre_dynamic: need more", c->self);
1515 		/* need more */
1516 		FD_SET(c->sock, readset);
1517 		if (sshbuf_len(c->output))
1518 			FD_SET(c->sock, writeset);
1519 	} else {
1520 		/* switch to the next state */
1521 		c->type = SSH_CHANNEL_OPENING;
1522 		port_open_helper(ssh, c, "direct-tcpip");
1523 	}
1524 }
1525 
1526 /* simulate read-error */
1527 static void
1528 rdynamic_close(struct ssh *ssh, Channel *c)
1529 {
1530 	c->type = SSH_CHANNEL_OPEN;
1531 	chan_read_failed(ssh, c);
1532 	sshbuf_reset(c->input);
1533 	chan_ibuf_empty(ssh, c);
1534 	sshbuf_reset(c->output);
1535 	chan_write_failed(ssh, c);
1536 }
1537 
1538 /* reverse dynamic port forwarding */
1539 static void
1540 channel_before_prepare_select_rdynamic(struct ssh *ssh, Channel *c)
1541 {
1542 	const u_char *p;
1543 	u_int have, len;
1544 	int r, ret;
1545 
1546 	have = sshbuf_len(c->output);
1547 	debug2("channel %d: pre_rdynamic: have %d", c->self, have);
1548 	/* sshbuf_dump(c->output, stderr); */
1549 	/* EOF received */
1550 	if (c->flags & CHAN_EOF_RCVD) {
1551 		if ((r = sshbuf_consume(c->output, have)) != 0) {
1552 			fatal("%s: channel %d: consume: %s",
1553 			    __func__, c->self, ssh_err(r));
1554 		}
1555 		rdynamic_close(ssh, c);
1556 		return;
1557 	}
1558 	/* check if the fixed size part of the packet is in buffer. */
1559 	if (have < 3)
1560 		return;
1561 	/* try to guess the protocol */
1562 	p = sshbuf_ptr(c->output);
1563 	switch (p[0]) {
1564 	case 0x04:
1565 		/* switch input/output for reverse forwarding */
1566 		ret = channel_decode_socks4(c, c->output, c->input);
1567 		break;
1568 	case 0x05:
1569 		ret = channel_decode_socks5(c, c->output, c->input);
1570 		break;
1571 	default:
1572 		ret = -1;
1573 		break;
1574 	}
1575 	if (ret < 0) {
1576 		rdynamic_close(ssh, c);
1577 	} else if (ret == 0) {
1578 		debug2("channel %d: pre_rdynamic: need more", c->self);
1579 		/* send socks request to peer */
1580 		len = sshbuf_len(c->input);
1581 		if (len > 0 && len < c->remote_window) {
1582 			if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
1583 			    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1584 			    (r = sshpkt_put_stringb(ssh, c->input)) != 0 ||
1585 			    (r = sshpkt_send(ssh)) != 0) {
1586 				fatal("%s: channel %i: rdynamic: %s", __func__,
1587 				    c->self, ssh_err(r));
1588 			}
1589 			if ((r = sshbuf_consume(c->input, len)) != 0) {
1590 				fatal("%s: channel %d: consume: %s",
1591 				    __func__, c->self, ssh_err(r));
1592 			}
1593 			c->remote_window -= len;
1594 		}
1595 	} else if (rdynamic_connect_finish(ssh, c) < 0) {
1596 		/* the connect failed */
1597 		rdynamic_close(ssh, c);
1598 	}
1599 }
1600 
1601 /* This is our fake X11 server socket. */
1602 static void
1603 channel_post_x11_listener(struct ssh *ssh, Channel *c,
1604     fd_set *readset, fd_set *writeset)
1605 {
1606 	Channel *nc;
1607 	struct sockaddr_storage addr;
1608 	int r, newsock, oerrno, remote_port;
1609 	socklen_t addrlen;
1610 	char buf[16384], *remote_ipaddr;
1611 
1612 	if (!FD_ISSET(c->sock, readset))
1613 		return;
1614 
1615 	debug("X11 connection requested.");
1616 	addrlen = sizeof(addr);
1617 	newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1618 	if (c->single_connection) {
1619 		oerrno = errno;
1620 		debug2("single_connection: closing X11 listener.");
1621 		channel_close_fd(ssh, &c->sock);
1622 		chan_mark_dead(ssh, c);
1623 		errno = oerrno;
1624 	}
1625 	if (newsock < 0) {
1626 		if (errno != EINTR && errno != EWOULDBLOCK &&
1627 		    errno != ECONNABORTED)
1628 			error("accept: %.100s", strerror(errno));
1629 		if (errno == EMFILE || errno == ENFILE)
1630 			c->notbefore = monotime() + 1;
1631 		return;
1632 	}
1633 	set_nodelay(newsock);
1634 	remote_ipaddr = get_peer_ipaddr(newsock);
1635 	remote_port = get_peer_port(newsock);
1636 	snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
1637 	    remote_ipaddr, remote_port);
1638 
1639 	nc = channel_new(ssh, "accepted x11 socket",
1640 	    SSH_CHANNEL_OPENING, newsock, newsock, -1,
1641 	    c->local_window_max, c->local_maxpacket, 0, buf, 1);
1642 	open_preamble(ssh, __func__, nc, "x11");
1643 	if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1644 	    (r = sshpkt_put_u32(ssh, remote_port)) != 0) {
1645 		fatal("%s: channel %i: reply %s", __func__,
1646 		    c->self, ssh_err(r));
1647 	}
1648 	if ((r = sshpkt_send(ssh)) != 0)
1649 		fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r));
1650 	free(remote_ipaddr);
1651 }
1652 
1653 static void
1654 port_open_helper(struct ssh *ssh, Channel *c, char *rtype)
1655 {
1656 	char *local_ipaddr = get_local_ipaddr(c->sock);
1657 	int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
1658 	char *remote_ipaddr = get_peer_ipaddr(c->sock);
1659 	int remote_port = get_peer_port(c->sock);
1660 	int r;
1661 
1662 	if (remote_port == -1) {
1663 		/* Fake addr/port to appease peers that validate it (Tectia) */
1664 		free(remote_ipaddr);
1665 		remote_ipaddr = xstrdup("127.0.0.1");
1666 		remote_port = 65535;
1667 	}
1668 
1669 	free(c->remote_name);
1670 	xasprintf(&c->remote_name,
1671 	    "%s: listening port %d for %.100s port %d, "
1672 	    "connect from %.200s port %d to %.100s port %d",
1673 	    rtype, c->listening_port, c->path, c->host_port,
1674 	    remote_ipaddr, remote_port, local_ipaddr, local_port);
1675 
1676 	open_preamble(ssh, __func__, c, rtype);
1677 	if (strcmp(rtype, "direct-tcpip") == 0) {
1678 		/* target host, port */
1679 		if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1680 		    (r = sshpkt_put_u32(ssh, c->host_port)) != 0) {
1681 			fatal("%s: channel %i: reply %s", __func__,
1682 			    c->self, ssh_err(r));
1683 		}
1684 	} else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
1685 		/* target path */
1686 		if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) {
1687 			fatal("%s: channel %i: reply %s", __func__,
1688 			    c->self, ssh_err(r));
1689 		}
1690 	} else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1691 		/* listen path */
1692 		if ((r = sshpkt_put_cstring(ssh, c->path)) != 0) {
1693 			fatal("%s: channel %i: reply %s", __func__,
1694 			    c->self, ssh_err(r));
1695 		}
1696 	} else {
1697 		/* listen address, port */
1698 		if ((r = sshpkt_put_cstring(ssh, c->path)) != 0 ||
1699 		    (r = sshpkt_put_u32(ssh, local_port)) != 0) {
1700 			fatal("%s: channel %i: reply %s", __func__,
1701 			    c->self, ssh_err(r));
1702 		}
1703 	}
1704 	if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
1705 		/* reserved for future owner/mode info */
1706 		if ((r = sshpkt_put_cstring(ssh, "")) != 0) {
1707 			fatal("%s: channel %i: reply %s", __func__,
1708 			    c->self, ssh_err(r));
1709 		}
1710 	} else {
1711 		/* originator host and port */
1712 		if ((r = sshpkt_put_cstring(ssh, remote_ipaddr)) != 0 ||
1713 		    (r = sshpkt_put_u32(ssh, (u_int)remote_port)) != 0) {
1714 			fatal("%s: channel %i: reply %s", __func__,
1715 			    c->self, ssh_err(r));
1716 		}
1717 	}
1718 	if ((r = sshpkt_send(ssh)) != 0)
1719 		fatal("%s: channel %i: send %s", __func__, c->self, ssh_err(r));
1720 	free(remote_ipaddr);
1721 	free(local_ipaddr);
1722 }
1723 
1724 void
1725 channel_set_x11_refuse_time(struct ssh *ssh, u_int refuse_time)
1726 {
1727 	ssh->chanctxt->x11_refuse_time = refuse_time;
1728 }
1729 
1730 /*
1731  * This socket is listening for connections to a forwarded TCP/IP port.
1732  */
1733 static void
1734 channel_post_port_listener(struct ssh *ssh, Channel *c,
1735     fd_set *readset, fd_set *writeset)
1736 {
1737 	Channel *nc;
1738 	struct sockaddr_storage addr;
1739 	int newsock, nextstate;
1740 	socklen_t addrlen;
1741 	char *rtype;
1742 
1743 	if (!FD_ISSET(c->sock, readset))
1744 		return;
1745 
1746 	debug("Connection to port %d forwarding to %.100s port %d requested.",
1747 	    c->listening_port, c->path, c->host_port);
1748 
1749 	if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
1750 		nextstate = SSH_CHANNEL_OPENING;
1751 		rtype = "forwarded-tcpip";
1752 	} else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) {
1753 		nextstate = SSH_CHANNEL_OPENING;
1754 		rtype = "forwarded-streamlocal@openssh.com";
1755 	} else if (c->host_port == PORT_STREAMLOCAL) {
1756 		nextstate = SSH_CHANNEL_OPENING;
1757 		rtype = "direct-streamlocal@openssh.com";
1758 	} else if (c->host_port == 0) {
1759 		nextstate = SSH_CHANNEL_DYNAMIC;
1760 		rtype = "dynamic-tcpip";
1761 	} else {
1762 		nextstate = SSH_CHANNEL_OPENING;
1763 		rtype = "direct-tcpip";
1764 	}
1765 
1766 	addrlen = sizeof(addr);
1767 	newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1768 	if (newsock < 0) {
1769 		if (errno != EINTR && errno != EWOULDBLOCK &&
1770 		    errno != ECONNABORTED)
1771 			error("accept: %.100s", strerror(errno));
1772 		if (errno == EMFILE || errno == ENFILE)
1773 			c->notbefore = monotime() + 1;
1774 		return;
1775 	}
1776 	if (c->host_port != PORT_STREAMLOCAL)
1777 		set_nodelay(newsock);
1778 	nc = channel_new(ssh, rtype, nextstate, newsock, newsock, -1,
1779 	    c->local_window_max, c->local_maxpacket, 0, rtype, 1);
1780 	nc->listening_port = c->listening_port;
1781 	nc->host_port = c->host_port;
1782 	if (c->path != NULL)
1783 		nc->path = xstrdup(c->path);
1784 
1785 	if (nextstate != SSH_CHANNEL_DYNAMIC)
1786 		port_open_helper(ssh, nc, rtype);
1787 }
1788 
1789 /*
1790  * This is the authentication agent socket listening for connections from
1791  * clients.
1792  */
1793 static void
1794 channel_post_auth_listener(struct ssh *ssh, Channel *c,
1795     fd_set *readset, fd_set *writeset)
1796 {
1797 	Channel *nc;
1798 	int r, newsock;
1799 	struct sockaddr_storage addr;
1800 	socklen_t addrlen;
1801 
1802 	if (!FD_ISSET(c->sock, readset))
1803 		return;
1804 
1805 	addrlen = sizeof(addr);
1806 	newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
1807 	if (newsock < 0) {
1808 		error("accept from auth socket: %.100s", strerror(errno));
1809 		if (errno == EMFILE || errno == ENFILE)
1810 			c->notbefore = monotime() + 1;
1811 		return;
1812 	}
1813 	nc = channel_new(ssh, "accepted auth socket",
1814 	    SSH_CHANNEL_OPENING, newsock, newsock, -1,
1815 	    c->local_window_max, c->local_maxpacket,
1816 	    0, "accepted auth socket", 1);
1817 	open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
1818 	if ((r = sshpkt_send(ssh)) != 0)
1819 		fatal("%s: channel %i: %s", __func__, c->self, ssh_err(r));
1820 }
1821 
1822 static void
1823 channel_post_connecting(struct ssh *ssh, Channel *c,
1824     fd_set *readset, fd_set *writeset)
1825 {
1826 	int err = 0, sock, isopen, r;
1827 	socklen_t sz = sizeof(err);
1828 
1829 	if (!FD_ISSET(c->sock, writeset))
1830 		return;
1831 	if (!c->have_remote_id)
1832 		fatal(":%s: channel %d: no remote id", __func__, c->self);
1833 	/* for rdynamic the OPEN_CONFIRMATION has been sent already */
1834 	isopen = (c->type == SSH_CHANNEL_RDYNAMIC_FINISH);
1835 	if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &err, &sz) < 0) {
1836 		err = errno;
1837 		error("getsockopt SO_ERROR failed");
1838 	}
1839 	if (err == 0) {
1840 		debug("channel %d: connected to %s port %d",
1841 		    c->self, c->connect_ctx.host, c->connect_ctx.port);
1842 		channel_connect_ctx_free(&c->connect_ctx);
1843 		c->type = SSH_CHANNEL_OPEN;
1844 		if (isopen) {
1845 			/* no message necessary */
1846 		} else {
1847 			if ((r = sshpkt_start(ssh,
1848 			    SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
1849 			    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1850 			    (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
1851 			    (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
1852 			    (r = sshpkt_put_u32(ssh, c->local_maxpacket))
1853 			    != 0)
1854 				fatal("%s: channel %i: confirm: %s", __func__,
1855 				    c->self, ssh_err(r));
1856 			if ((r = sshpkt_send(ssh)) != 0)
1857 				fatal("%s: channel %i: %s", __func__, c->self,
1858 				    ssh_err(r));
1859 		}
1860 	} else {
1861 		debug("channel %d: connection failed: %s",
1862 		    c->self, strerror(err));
1863 		/* Try next address, if any */
1864 		if ((sock = connect_next(&c->connect_ctx)) > 0) {
1865 			close(c->sock);
1866 			c->sock = c->rfd = c->wfd = sock;
1867 			channel_find_maxfd(ssh->chanctxt);
1868 			return;
1869 		}
1870 		/* Exhausted all addresses */
1871 		error("connect_to %.100s port %d: failed.",
1872 		    c->connect_ctx.host, c->connect_ctx.port);
1873 		channel_connect_ctx_free(&c->connect_ctx);
1874 		if (isopen) {
1875 			rdynamic_close(ssh, c);
1876 		} else {
1877 			if ((r = sshpkt_start(ssh,
1878 			    SSH2_MSG_CHANNEL_OPEN_FAILURE)) != 0 ||
1879 			    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
1880 			    (r = sshpkt_put_u32(ssh,
1881 			    SSH2_OPEN_CONNECT_FAILED)) != 0 ||
1882 			    (r = sshpkt_put_cstring(ssh, strerror(err))) != 0 ||
1883 			    (r = sshpkt_put_cstring(ssh, "")) != 0) {
1884 				fatal("%s: channel %i: failure: %s", __func__,
1885 				    c->self, ssh_err(r));
1886 			}
1887 			if ((r = sshpkt_send(ssh)) != 0)
1888 				fatal("%s: channel %i: %s", __func__, c->self,
1889 				    ssh_err(r));
1890 			chan_mark_dead(ssh, c);
1891 		}
1892 	}
1893 }
1894 
1895 static int
1896 channel_handle_rfd(struct ssh *ssh, Channel *c,
1897     fd_set *readset, fd_set *writeset)
1898 {
1899 	char buf[CHAN_RBUF];
1900 	ssize_t len;
1901 	int r, force;
1902 
1903 	force = c->isatty && c->detach_close && c->istate != CHAN_INPUT_CLOSED;
1904 
1905 	if (c->rfd == -1 || (!force && !FD_ISSET(c->rfd, readset)))
1906 		return 1;
1907 
1908 	errno = 0;
1909 	len = read(c->rfd, buf, sizeof(buf));
1910 	if (len < 0 && (errno == EINTR ||
1911 	    ((errno == EAGAIN || errno == EWOULDBLOCK) && !force)))
1912 		return 1;
1913 #ifndef PTY_ZEROREAD
1914  	if (len <= 0) {
1915 #else
1916 	if ((!c->isatty && len <= 0) ||
1917 	    (c->isatty && (len < 0 || (len == 0 && errno != 0)))) {
1918 #endif
1919 		debug2("channel %d: read<=0 rfd %d len %zd",
1920 		    c->self, c->rfd, len);
1921 		if (c->type != SSH_CHANNEL_OPEN) {
1922 			debug2("channel %d: not open", c->self);
1923 			chan_mark_dead(ssh, c);
1924 			return -1;
1925 		} else {
1926 			chan_read_failed(ssh, c);
1927 		}
1928 		return -1;
1929 	}
1930 	if (c->input_filter != NULL) {
1931 		if (c->input_filter(ssh, c, buf, len) == -1) {
1932 			debug2("channel %d: filter stops", c->self);
1933 			chan_read_failed(ssh, c);
1934 		}
1935 	} else if (c->datagram) {
1936 		if ((r = sshbuf_put_string(c->input, buf, len)) != 0)
1937 			fatal("%s: channel %d: put datagram: %s", __func__,
1938 			    c->self, ssh_err(r));
1939 	} else if ((r = sshbuf_put(c->input, buf, len)) != 0) {
1940 		fatal("%s: channel %d: put data: %s", __func__,
1941 		    c->self, ssh_err(r));
1942 	}
1943 	return 1;
1944 }
1945 
1946 static int
1947 channel_handle_wfd(struct ssh *ssh, Channel *c,
1948    fd_set *readset, fd_set *writeset)
1949 {
1950 	struct termios tio;
1951 	u_char *data = NULL, *buf; /* XXX const; need filter API change */
1952 	size_t dlen, olen = 0;
1953 	int r, len;
1954 
1955 	if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) ||
1956 	    sshbuf_len(c->output) == 0)
1957 		return 1;
1958 
1959 	/* Send buffered output data to the socket. */
1960 	olen = sshbuf_len(c->output);
1961 	if (c->output_filter != NULL) {
1962 		if ((buf = c->output_filter(ssh, c, &data, &dlen)) == NULL) {
1963 			debug2("channel %d: filter stops", c->self);
1964 			if (c->type != SSH_CHANNEL_OPEN)
1965 				chan_mark_dead(ssh, c);
1966 			else
1967 				chan_write_failed(ssh, c);
1968 			return -1;
1969 		}
1970 	} else if (c->datagram) {
1971 		if ((r = sshbuf_get_string(c->output, &data, &dlen)) != 0)
1972 			fatal("%s: channel %d: get datagram: %s", __func__,
1973 			    c->self, ssh_err(r));
1974 		buf = data;
1975 	} else {
1976 		buf = data = sshbuf_mutable_ptr(c->output);
1977 		dlen = sshbuf_len(c->output);
1978 	}
1979 
1980 	if (c->datagram) {
1981 		/* ignore truncated writes, datagrams might get lost */
1982 		len = write(c->wfd, buf, dlen);
1983 		free(data);
1984 		if (len < 0 && (errno == EINTR || errno == EAGAIN ||
1985 		    errno == EWOULDBLOCK))
1986 			return 1;
1987 		if (len <= 0)
1988 			goto write_fail;
1989 		goto out;
1990 	}
1991 
1992 #ifdef _AIX
1993 	/* XXX: Later AIX versions can't push as much data to tty */
1994 	if (c->wfd_isatty)
1995 		dlen = MIN(dlen, 8*1024);
1996 #endif
1997 
1998 	len = write(c->wfd, buf, dlen);
1999 	if (len < 0 &&
2000 	    (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK))
2001 		return 1;
2002 	if (len <= 0) {
2003  write_fail:
2004 		if (c->type != SSH_CHANNEL_OPEN) {
2005 			debug2("channel %d: not open", c->self);
2006 			chan_mark_dead(ssh, c);
2007 			return -1;
2008 		} else {
2009 			chan_write_failed(ssh, c);
2010 		}
2011 		return -1;
2012 	}
2013 #ifndef BROKEN_TCGETATTR_ICANON
2014 	if (c->isatty && dlen >= 1 && buf[0] != '\r') {
2015 		if (tcgetattr(c->wfd, &tio) == 0 &&
2016 		    !(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
2017 			/*
2018 			 * Simulate echo to reduce the impact of
2019 			 * traffic analysis. We need to match the
2020 			 * size of a SSH2_MSG_CHANNEL_DATA message
2021 			 * (4 byte channel id + buf)
2022 			 */
2023 			if ((r = sshpkt_msg_ignore(ssh, 4+len)) != 0 ||
2024 			    (r = sshpkt_send(ssh)) != 0)
2025 				fatal("%s: channel %d: ignore: %s",
2026 				    __func__, c->self, ssh_err(r));
2027 		}
2028 	}
2029 #endif /* BROKEN_TCGETATTR_ICANON */
2030 	if ((r = sshbuf_consume(c->output, len)) != 0) {
2031 		fatal("%s: channel %d: consume: %s",
2032 		    __func__, c->self, ssh_err(r));
2033 	}
2034  out:
2035 	c->local_consumed += olen - sshbuf_len(c->output);
2036 
2037 	return 1;
2038 }
2039 
2040 static int
2041 channel_handle_efd_write(struct ssh *ssh, Channel *c,
2042     fd_set *readset, fd_set *writeset)
2043 {
2044 	int r;
2045 	ssize_t len;
2046 
2047 	if (!FD_ISSET(c->efd, writeset) || sshbuf_len(c->extended) == 0)
2048 		return 1;
2049 
2050 	len = write(c->efd, sshbuf_ptr(c->extended),
2051 	    sshbuf_len(c->extended));
2052 	debug2("channel %d: written %zd to efd %d", c->self, len, c->efd);
2053 	if (len < 0 && (errno == EINTR || errno == EAGAIN ||
2054 	    errno == EWOULDBLOCK))
2055 		return 1;
2056 	if (len <= 0) {
2057 		debug2("channel %d: closing write-efd %d", c->self, c->efd);
2058 		channel_close_fd(ssh, &c->efd);
2059 	} else {
2060 		if ((r = sshbuf_consume(c->extended, len)) != 0) {
2061 			fatal("%s: channel %d: consume: %s",
2062 			    __func__, c->self, ssh_err(r));
2063 		}
2064 		c->local_consumed += len;
2065 	}
2066 	return 1;
2067 }
2068 
2069 static int
2070 channel_handle_efd_read(struct ssh *ssh, Channel *c,
2071     fd_set *readset, fd_set *writeset)
2072 {
2073 	char buf[CHAN_RBUF];
2074 	int r;
2075 	ssize_t len;
2076 
2077 	if (!c->detach_close && !FD_ISSET(c->efd, readset))
2078 		return 1;
2079 
2080 	len = read(c->efd, buf, sizeof(buf));
2081 	debug2("channel %d: read %zd from efd %d", c->self, len, c->efd);
2082 	if (len < 0 && (errno == EINTR || ((errno == EAGAIN ||
2083 	    errno == EWOULDBLOCK) && !c->detach_close)))
2084 		return 1;
2085 	if (len <= 0) {
2086 		debug2("channel %d: closing read-efd %d",
2087 		    c->self, c->efd);
2088 		channel_close_fd(ssh, &c->efd);
2089 	} else {
2090 		if (c->extended_usage == CHAN_EXTENDED_IGNORE) {
2091 			debug3("channel %d: discard efd",
2092 			    c->self);
2093 		} else if ((r = sshbuf_put(c->extended, buf, len)) != 0) {
2094 			fatal("%s: channel %d: append: %s",
2095 			    __func__, c->self, ssh_err(r));
2096 		}
2097 	}
2098 	return 1;
2099 }
2100 
2101 static int
2102 channel_handle_efd(struct ssh *ssh, Channel *c,
2103     fd_set *readset, fd_set *writeset)
2104 {
2105 	if (c->efd == -1)
2106 		return 1;
2107 
2108 	/** XXX handle drain efd, too */
2109 
2110 	if (c->extended_usage == CHAN_EXTENDED_WRITE)
2111 		return channel_handle_efd_write(ssh, c, readset, writeset);
2112 	else if (c->extended_usage == CHAN_EXTENDED_READ ||
2113 	    c->extended_usage == CHAN_EXTENDED_IGNORE)
2114 		return channel_handle_efd_read(ssh, c, readset, writeset);
2115 
2116 	return 1;
2117 }
2118 
2119 static int
2120 channel_check_window(struct ssh *ssh, Channel *c)
2121 {
2122 	int r;
2123 
2124 	if (c->type == SSH_CHANNEL_OPEN &&
2125 	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
2126 	    ((c->local_window_max - c->local_window >
2127 	    c->local_maxpacket*3) ||
2128 	    c->local_window < c->local_window_max/2) &&
2129 	    c->local_consumed > 0) {
2130 		if (!c->have_remote_id)
2131 			fatal(":%s: channel %d: no remote id",
2132 			    __func__, c->self);
2133 		if ((r = sshpkt_start(ssh,
2134 		    SSH2_MSG_CHANNEL_WINDOW_ADJUST)) != 0 ||
2135 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2136 		    (r = sshpkt_put_u32(ssh, c->local_consumed)) != 0 ||
2137 		    (r = sshpkt_send(ssh)) != 0) {
2138 			fatal("%s: channel %i: %s", __func__,
2139 			    c->self, ssh_err(r));
2140 		}
2141 		debug2("channel %d: window %d sent adjust %d",
2142 		    c->self, c->local_window,
2143 		    c->local_consumed);
2144 		c->local_window += c->local_consumed;
2145 		c->local_consumed = 0;
2146 	}
2147 	return 1;
2148 }
2149 
2150 static void
2151 channel_post_open(struct ssh *ssh, Channel *c,
2152     fd_set *readset, fd_set *writeset)
2153 {
2154 	channel_handle_rfd(ssh, c, readset, writeset);
2155 	channel_handle_wfd(ssh, c, readset, writeset);
2156 	channel_handle_efd(ssh, c, readset, writeset);
2157 	channel_check_window(ssh, c);
2158 }
2159 
2160 static u_int
2161 read_mux(struct ssh *ssh, Channel *c, u_int need)
2162 {
2163 	char buf[CHAN_RBUF];
2164 	ssize_t len;
2165 	u_int rlen;
2166 	int r;
2167 
2168 	if (sshbuf_len(c->input) < need) {
2169 		rlen = need - sshbuf_len(c->input);
2170 		len = read(c->rfd, buf, MINIMUM(rlen, CHAN_RBUF));
2171 		if (len < 0 && (errno == EINTR || errno == EAGAIN))
2172 			return sshbuf_len(c->input);
2173 		if (len <= 0) {
2174 			debug2("channel %d: ctl read<=0 rfd %d len %zd",
2175 			    c->self, c->rfd, len);
2176 			chan_read_failed(ssh, c);
2177 			return 0;
2178 		} else if ((r = sshbuf_put(c->input, buf, len)) != 0) {
2179 			fatal("%s: channel %d: append: %s",
2180 			    __func__, c->self, ssh_err(r));
2181 		}
2182 	}
2183 	return sshbuf_len(c->input);
2184 }
2185 
2186 static void
2187 channel_post_mux_client_read(struct ssh *ssh, Channel *c,
2188     fd_set *readset, fd_set *writeset)
2189 {
2190 	u_int need;
2191 
2192 	if (c->rfd == -1 || !FD_ISSET(c->rfd, readset))
2193 		return;
2194 	if (c->istate != CHAN_INPUT_OPEN && c->istate != CHAN_INPUT_WAIT_DRAIN)
2195 		return;
2196 	if (c->mux_pause)
2197 		return;
2198 
2199 	/*
2200 	 * Don't not read past the precise end of packets to
2201 	 * avoid disrupting fd passing.
2202 	 */
2203 	if (read_mux(ssh, c, 4) < 4) /* read header */
2204 		return;
2205 	/* XXX sshbuf_peek_u32 */
2206 	need = PEEK_U32(sshbuf_ptr(c->input));
2207 #define CHANNEL_MUX_MAX_PACKET	(256 * 1024)
2208 	if (need > CHANNEL_MUX_MAX_PACKET) {
2209 		debug2("channel %d: packet too big %u > %u",
2210 		    c->self, CHANNEL_MUX_MAX_PACKET, need);
2211 		chan_rcvd_oclose(ssh, c);
2212 		return;
2213 	}
2214 	if (read_mux(ssh, c, need + 4) < need + 4) /* read body */
2215 		return;
2216 	if (c->mux_rcb(ssh, c) != 0) {
2217 		debug("channel %d: mux_rcb failed", c->self);
2218 		chan_mark_dead(ssh, c);
2219 		return;
2220 	}
2221 }
2222 
2223 static void
2224 channel_post_mux_client_write(struct ssh *ssh, Channel *c,
2225     fd_set *readset, fd_set *writeset)
2226 {
2227 	ssize_t len;
2228 	int r;
2229 
2230 	if (c->wfd == -1 || !FD_ISSET(c->wfd, writeset) ||
2231 	    sshbuf_len(c->output) == 0)
2232 		return;
2233 
2234 	len = write(c->wfd, sshbuf_ptr(c->output), sshbuf_len(c->output));
2235 	if (len < 0 && (errno == EINTR || errno == EAGAIN))
2236 		return;
2237 	if (len <= 0) {
2238 		chan_mark_dead(ssh, c);
2239 		return;
2240 	}
2241 	if ((r = sshbuf_consume(c->output, len)) != 0)
2242 		fatal("%s: channel %d: consume: %s", __func__,
2243 		    c->self, ssh_err(r));
2244 }
2245 
2246 static void
2247 channel_post_mux_client(struct ssh *ssh, Channel *c,
2248     fd_set *readset, fd_set *writeset)
2249 {
2250 	channel_post_mux_client_read(ssh, c, readset, writeset);
2251 	channel_post_mux_client_write(ssh, c, readset, writeset);
2252 }
2253 
2254 static void
2255 channel_post_mux_listener(struct ssh *ssh, Channel *c,
2256     fd_set *readset, fd_set *writeset)
2257 {
2258 	Channel *nc;
2259 	struct sockaddr_storage addr;
2260 	socklen_t addrlen;
2261 	int newsock;
2262 	uid_t euid;
2263 	gid_t egid;
2264 
2265 	if (!FD_ISSET(c->sock, readset))
2266 		return;
2267 
2268 	debug("multiplexing control connection");
2269 
2270 	/*
2271 	 * Accept connection on control socket
2272 	 */
2273 	memset(&addr, 0, sizeof(addr));
2274 	addrlen = sizeof(addr);
2275 	if ((newsock = accept(c->sock, (struct sockaddr*)&addr,
2276 	    &addrlen)) == -1) {
2277 		error("%s accept: %s", __func__, strerror(errno));
2278 		if (errno == EMFILE || errno == ENFILE)
2279 			c->notbefore = monotime() + 1;
2280 		return;
2281 	}
2282 
2283 	if (getpeereid(newsock, &euid, &egid) < 0) {
2284 		error("%s getpeereid failed: %s", __func__,
2285 		    strerror(errno));
2286 		close(newsock);
2287 		return;
2288 	}
2289 	if ((euid != 0) && (getuid() != euid)) {
2290 		error("multiplex uid mismatch: peer euid %u != uid %u",
2291 		    (u_int)euid, (u_int)getuid());
2292 		close(newsock);
2293 		return;
2294 	}
2295 	nc = channel_new(ssh, "multiplex client", SSH_CHANNEL_MUX_CLIENT,
2296 	    newsock, newsock, -1, c->local_window_max,
2297 	    c->local_maxpacket, 0, "mux-control", 1);
2298 	nc->mux_rcb = c->mux_rcb;
2299 	debug3("%s: new mux channel %d fd %d", __func__, nc->self, nc->sock);
2300 	/* establish state */
2301 	nc->mux_rcb(ssh, nc);
2302 	/* mux state transitions must not elicit protocol messages */
2303 	nc->flags |= CHAN_LOCAL;
2304 }
2305 
2306 static void
2307 channel_handler_init(struct ssh_channels *sc)
2308 {
2309 	chan_fn **pre, **post;
2310 
2311 	if ((pre = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*pre))) == NULL ||
2312 	   (post = calloc(SSH_CHANNEL_MAX_TYPE, sizeof(*post))) == NULL)
2313 		fatal("%s: allocation failed", __func__);
2314 
2315 	pre[SSH_CHANNEL_OPEN] =			&channel_pre_open;
2316 	pre[SSH_CHANNEL_X11_OPEN] =		&channel_pre_x11_open;
2317 	pre[SSH_CHANNEL_PORT_LISTENER] =	&channel_pre_listener;
2318 	pre[SSH_CHANNEL_RPORT_LISTENER] =	&channel_pre_listener;
2319 	pre[SSH_CHANNEL_UNIX_LISTENER] =	&channel_pre_listener;
2320 	pre[SSH_CHANNEL_RUNIX_LISTENER] =	&channel_pre_listener;
2321 	pre[SSH_CHANNEL_X11_LISTENER] =		&channel_pre_listener;
2322 	pre[SSH_CHANNEL_AUTH_SOCKET] =		&channel_pre_listener;
2323 	pre[SSH_CHANNEL_CONNECTING] =		&channel_pre_connecting;
2324 	pre[SSH_CHANNEL_DYNAMIC] =		&channel_pre_dynamic;
2325 	pre[SSH_CHANNEL_RDYNAMIC_FINISH] =	&channel_pre_connecting;
2326 	pre[SSH_CHANNEL_MUX_LISTENER] =		&channel_pre_listener;
2327 	pre[SSH_CHANNEL_MUX_CLIENT] =		&channel_pre_mux_client;
2328 
2329 	post[SSH_CHANNEL_OPEN] =		&channel_post_open;
2330 	post[SSH_CHANNEL_PORT_LISTENER] =	&channel_post_port_listener;
2331 	post[SSH_CHANNEL_RPORT_LISTENER] =	&channel_post_port_listener;
2332 	post[SSH_CHANNEL_UNIX_LISTENER] =	&channel_post_port_listener;
2333 	post[SSH_CHANNEL_RUNIX_LISTENER] =	&channel_post_port_listener;
2334 	post[SSH_CHANNEL_X11_LISTENER] =	&channel_post_x11_listener;
2335 	post[SSH_CHANNEL_AUTH_SOCKET] =		&channel_post_auth_listener;
2336 	post[SSH_CHANNEL_CONNECTING] =		&channel_post_connecting;
2337 	post[SSH_CHANNEL_DYNAMIC] =		&channel_post_open;
2338 	post[SSH_CHANNEL_RDYNAMIC_FINISH] =	&channel_post_connecting;
2339 	post[SSH_CHANNEL_MUX_LISTENER] =	&channel_post_mux_listener;
2340 	post[SSH_CHANNEL_MUX_CLIENT] =		&channel_post_mux_client;
2341 
2342 	sc->channel_pre = pre;
2343 	sc->channel_post = post;
2344 }
2345 
2346 /* gc dead channels */
2347 static void
2348 channel_garbage_collect(struct ssh *ssh, Channel *c)
2349 {
2350 	if (c == NULL)
2351 		return;
2352 	if (c->detach_user != NULL) {
2353 		if (!chan_is_dead(ssh, c, c->detach_close))
2354 			return;
2355 		debug2("channel %d: gc: notify user", c->self);
2356 		c->detach_user(ssh, c->self, NULL);
2357 		/* if we still have a callback */
2358 		if (c->detach_user != NULL)
2359 			return;
2360 		debug2("channel %d: gc: user detached", c->self);
2361 	}
2362 	if (!chan_is_dead(ssh, c, 1))
2363 		return;
2364 	debug2("channel %d: garbage collecting", c->self);
2365 	channel_free(ssh, c);
2366 }
2367 
2368 enum channel_table { CHAN_PRE, CHAN_POST };
2369 
2370 static void
2371 channel_handler(struct ssh *ssh, int table,
2372     fd_set *readset, fd_set *writeset, time_t *unpause_secs)
2373 {
2374 	struct ssh_channels *sc = ssh->chanctxt;
2375 	chan_fn **ftab = table == CHAN_PRE ? sc->channel_pre : sc->channel_post;
2376 	u_int i, oalloc;
2377 	Channel *c;
2378 	time_t now;
2379 
2380 	now = monotime();
2381 	if (unpause_secs != NULL)
2382 		*unpause_secs = 0;
2383 	for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2384 		c = sc->channels[i];
2385 		if (c == NULL)
2386 			continue;
2387 		if (c->delayed) {
2388 			if (table == CHAN_PRE)
2389 				c->delayed = 0;
2390 			else
2391 				continue;
2392 		}
2393 		if (ftab[c->type] != NULL) {
2394 			/*
2395 			 * Run handlers that are not paused.
2396 			 */
2397 			if (c->notbefore <= now)
2398 				(*ftab[c->type])(ssh, c, readset, writeset);
2399 			else if (unpause_secs != NULL) {
2400 				/*
2401 				 * Collect the time that the earliest
2402 				 * channel comes off pause.
2403 				 */
2404 				debug3("%s: chan %d: skip for %d more seconds",
2405 				    __func__, c->self,
2406 				    (int)(c->notbefore - now));
2407 				if (*unpause_secs == 0 ||
2408 				    (c->notbefore - now) < *unpause_secs)
2409 					*unpause_secs = c->notbefore - now;
2410 			}
2411 		}
2412 		channel_garbage_collect(ssh, c);
2413 	}
2414 	if (unpause_secs != NULL && *unpause_secs != 0)
2415 		debug3("%s: first channel unpauses in %d seconds",
2416 		    __func__, (int)*unpause_secs);
2417 }
2418 
2419 /*
2420  * Create sockets before allocating the select bitmasks.
2421  * This is necessary for things that need to happen after reading
2422  * the network-input but before channel_prepare_select().
2423  */
2424 static void
2425 channel_before_prepare_select(struct ssh *ssh)
2426 {
2427 	struct ssh_channels *sc = ssh->chanctxt;
2428 	Channel *c;
2429 	u_int i, oalloc;
2430 
2431 	for (i = 0, oalloc = sc->channels_alloc; i < oalloc; i++) {
2432 		c = sc->channels[i];
2433 		if (c == NULL)
2434 			continue;
2435 		if (c->type == SSH_CHANNEL_RDYNAMIC_OPEN)
2436 			channel_before_prepare_select_rdynamic(ssh, c);
2437 	}
2438 }
2439 
2440 /*
2441  * Allocate/update select bitmasks and add any bits relevant to channels in
2442  * select bitmasks.
2443  */
2444 void
2445 channel_prepare_select(struct ssh *ssh, fd_set **readsetp, fd_set **writesetp,
2446     int *maxfdp, u_int *nallocp, time_t *minwait_secs)
2447 {
2448 	u_int n, sz, nfdset;
2449 
2450 	channel_before_prepare_select(ssh); /* might update channel_max_fd */
2451 
2452 	n = MAXIMUM(*maxfdp, ssh->chanctxt->channel_max_fd);
2453 
2454 	nfdset = howmany(n+1, NFDBITS);
2455 	/* Explicitly test here, because xrealloc isn't always called */
2456 	if (nfdset && SIZE_MAX / nfdset < sizeof(fd_mask))
2457 		fatal("channel_prepare_select: max_fd (%d) is too large", n);
2458 	sz = nfdset * sizeof(fd_mask);
2459 
2460 	/* perhaps check sz < nalloc/2 and shrink? */
2461 	if (*readsetp == NULL || sz > *nallocp) {
2462 		*readsetp = xreallocarray(*readsetp, nfdset, sizeof(fd_mask));
2463 		*writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask));
2464 		*nallocp = sz;
2465 	}
2466 	*maxfdp = n;
2467 	memset(*readsetp, 0, sz);
2468 	memset(*writesetp, 0, sz);
2469 
2470 	if (!ssh_packet_is_rekeying(ssh))
2471 		channel_handler(ssh, CHAN_PRE, *readsetp, *writesetp,
2472 		    minwait_secs);
2473 }
2474 
2475 /*
2476  * After select, perform any appropriate operations for channels which have
2477  * events pending.
2478  */
2479 void
2480 channel_after_select(struct ssh *ssh, fd_set *readset, fd_set *writeset)
2481 {
2482 	channel_handler(ssh, CHAN_POST, readset, writeset, NULL);
2483 }
2484 
2485 /*
2486  * Enqueue data for channels with open or draining c->input.
2487  */
2488 static void
2489 channel_output_poll_input_open(struct ssh *ssh, Channel *c)
2490 {
2491 	size_t len, plen;
2492 	const u_char *pkt;
2493 	int r;
2494 
2495 	if ((len = sshbuf_len(c->input)) == 0) {
2496 		if (c->istate == CHAN_INPUT_WAIT_DRAIN) {
2497 			/*
2498 			 * input-buffer is empty and read-socket shutdown:
2499 			 * tell peer, that we will not send more data:
2500 			 * send IEOF.
2501 			 * hack for extended data: delay EOF if EFD still
2502 			 * in use.
2503 			 */
2504 			if (CHANNEL_EFD_INPUT_ACTIVE(c))
2505 				debug2("channel %d: "
2506 				    "ibuf_empty delayed efd %d/(%zu)",
2507 				    c->self, c->efd, sshbuf_len(c->extended));
2508 			else
2509 				chan_ibuf_empty(ssh, c);
2510 		}
2511 		return;
2512 	}
2513 
2514 	if (!c->have_remote_id)
2515 		fatal(":%s: channel %d: no remote id", __func__, c->self);
2516 
2517 	if (c->datagram) {
2518 		/* Check datagram will fit; drop if not */
2519 		if ((r = sshbuf_get_string_direct(c->input, &pkt, &plen)) != 0)
2520 			fatal("%s: channel %d: get datagram: %s", __func__,
2521 			    c->self, ssh_err(r));
2522 		/*
2523 		 * XXX this does tail-drop on the datagram queue which is
2524 		 * usually suboptimal compared to head-drop. Better to have
2525 		 * backpressure at read time? (i.e. read + discard)
2526 		 */
2527 		if (plen > c->remote_window || plen > c->remote_maxpacket) {
2528 			debug("channel %d: datagram too big", c->self);
2529 			return;
2530 		}
2531 		/* Enqueue it */
2532 		if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2533 		    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2534 		    (r = sshpkt_put_string(ssh, pkt, plen)) != 0 ||
2535 		    (r = sshpkt_send(ssh)) != 0) {
2536 			fatal("%s: channel %i: datagram: %s", __func__,
2537 			    c->self, ssh_err(r));
2538 		}
2539 		c->remote_window -= plen;
2540 		return;
2541 	}
2542 
2543 	/* Enqueue packet for buffered data. */
2544 	if (len > c->remote_window)
2545 		len = c->remote_window;
2546 	if (len > c->remote_maxpacket)
2547 		len = c->remote_maxpacket;
2548 	if (len == 0)
2549 		return;
2550 	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_DATA)) != 0 ||
2551 	    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2552 	    (r = sshpkt_put_string(ssh, sshbuf_ptr(c->input), len)) != 0 ||
2553 	    (r = sshpkt_send(ssh)) != 0) {
2554 		fatal("%s: channel %i: data: %s", __func__,
2555 		    c->self, ssh_err(r));
2556 	}
2557 	if ((r = sshbuf_consume(c->input, len)) != 0)
2558 		fatal("%s: channel %i: consume: %s", __func__,
2559 		    c->self, ssh_err(r));
2560 	c->remote_window -= len;
2561 }
2562 
2563 /*
2564  * Enqueue data for channels with open c->extended in read mode.
2565  */
2566 static void
2567 channel_output_poll_extended_read(struct ssh *ssh, Channel *c)
2568 {
2569 	size_t len;
2570 	int r;
2571 
2572 	if ((len = sshbuf_len(c->extended)) == 0)
2573 		return;
2574 
2575 	debug2("channel %d: rwin %u elen %zu euse %d", c->self,
2576 	    c->remote_window, sshbuf_len(c->extended), c->extended_usage);
2577 	if (len > c->remote_window)
2578 		len = c->remote_window;
2579 	if (len > c->remote_maxpacket)
2580 		len = c->remote_maxpacket;
2581 	if (len == 0)
2582 		return;
2583 	if (!c->have_remote_id)
2584 		fatal(":%s: channel %d: no remote id", __func__, c->self);
2585 	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_EXTENDED_DATA)) != 0 ||
2586 	    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
2587 	    (r = sshpkt_put_u32(ssh, SSH2_EXTENDED_DATA_STDERR)) != 0 ||
2588 	    (r = sshpkt_put_string(ssh, sshbuf_ptr(c->extended), len)) != 0 ||
2589 	    (r = sshpkt_send(ssh)) != 0) {
2590 		fatal("%s: channel %i: data: %s", __func__,
2591 		    c->self, ssh_err(r));
2592 	}
2593 	if ((r = sshbuf_consume(c->extended, len)) != 0)
2594 		fatal("%s: channel %i: consume: %s", __func__,
2595 		    c->self, ssh_err(r));
2596 	c->remote_window -= len;
2597 	debug2("channel %d: sent ext data %zu", c->self, len);
2598 }
2599 
2600 /* If there is data to send to the connection, enqueue some of it now. */
2601 void
2602 channel_output_poll(struct ssh *ssh)
2603 {
2604 	struct ssh_channels *sc = ssh->chanctxt;
2605 	Channel *c;
2606 	u_int i;
2607 
2608 	for (i = 0; i < sc->channels_alloc; i++) {
2609 		c = sc->channels[i];
2610 		if (c == NULL)
2611 			continue;
2612 
2613 		/*
2614 		 * We are only interested in channels that can have buffered
2615 		 * incoming data.
2616 		 */
2617 		if (c->type != SSH_CHANNEL_OPEN)
2618 			continue;
2619 		if ((c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD))) {
2620 			/* XXX is this true? */
2621 			debug3("channel %d: will not send data after close",
2622 			    c->self);
2623 			continue;
2624 		}
2625 
2626 		/* Get the amount of buffered data for this channel. */
2627 		if (c->istate == CHAN_INPUT_OPEN ||
2628 		    c->istate == CHAN_INPUT_WAIT_DRAIN)
2629 			channel_output_poll_input_open(ssh, c);
2630 		/* Send extended data, i.e. stderr */
2631 		if (!(c->flags & CHAN_EOF_SENT) &&
2632 		    c->extended_usage == CHAN_EXTENDED_READ)
2633 			channel_output_poll_extended_read(ssh, c);
2634 	}
2635 }
2636 
2637 /* -- mux proxy support  */
2638 
2639 /*
2640  * When multiplexing channel messages for mux clients we have to deal
2641  * with downstream messages from the mux client and upstream messages
2642  * from the ssh server:
2643  * 1) Handling downstream messages is straightforward and happens
2644  *    in channel_proxy_downstream():
2645  *    - We forward all messages (mostly) unmodified to the server.
2646  *    - However, in order to route messages from upstream to the correct
2647  *      downstream client, we have to replace the channel IDs used by the
2648  *      mux clients with a unique channel ID because the mux clients might
2649  *      use conflicting channel IDs.
2650  *    - so we inspect and change both SSH2_MSG_CHANNEL_OPEN and
2651  *      SSH2_MSG_CHANNEL_OPEN_CONFIRMATION messages, create a local
2652  *      SSH_CHANNEL_MUX_PROXY channel and replace the mux clients ID
2653  *      with the newly allocated channel ID.
2654  * 2) Upstream messages are received by matching SSH_CHANNEL_MUX_PROXY
2655  *    channels and processed by channel_proxy_upstream(). The local channel ID
2656  *    is then translated back to the original mux client ID.
2657  * 3) In both cases we need to keep track of matching SSH2_MSG_CHANNEL_CLOSE
2658  *    messages so we can clean up SSH_CHANNEL_MUX_PROXY channels.
2659  * 4) The SSH_CHANNEL_MUX_PROXY channels also need to closed when the
2660  *    downstream mux client are removed.
2661  * 5) Handling SSH2_MSG_CHANNEL_OPEN messages from the upstream server
2662  *    requires more work, because they are not addressed to a specific
2663  *    channel. E.g. client_request_forwarded_tcpip() needs to figure
2664  *    out whether the request is addressed to the local client or a
2665  *    specific downstream client based on the listen-address/port.
2666  * 6) Agent and X11-Forwarding have a similar problem and are currently
2667  *    not supported as the matching session/channel cannot be identified
2668  *    easily.
2669  */
2670 
2671 /*
2672  * receive packets from downstream mux clients:
2673  * channel callback fired on read from mux client, creates
2674  * SSH_CHANNEL_MUX_PROXY channels and translates channel IDs
2675  * on channel creation.
2676  */
2677 int
2678 channel_proxy_downstream(struct ssh *ssh, Channel *downstream)
2679 {
2680 	Channel *c = NULL;
2681 	struct sshbuf *original = NULL, *modified = NULL;
2682 	const u_char *cp;
2683 	char *ctype = NULL, *listen_host = NULL;
2684 	u_char type;
2685 	size_t have;
2686 	int ret = -1, r;
2687 	u_int id, remote_id, listen_port;
2688 
2689 	/* sshbuf_dump(downstream->input, stderr); */
2690 	if ((r = sshbuf_get_string_direct(downstream->input, &cp, &have))
2691 	    != 0) {
2692 		error("%s: malformed message: %s", __func__, ssh_err(r));
2693 		return -1;
2694 	}
2695 	if (have < 2) {
2696 		error("%s: short message", __func__);
2697 		return -1;
2698 	}
2699 	type = cp[1];
2700 	/* skip padlen + type */
2701 	cp += 2;
2702 	have -= 2;
2703 	if (ssh_packet_log_type(type))
2704 		debug3("%s: channel %u: down->up: type %u", __func__,
2705 		    downstream->self, type);
2706 
2707 	switch (type) {
2708 	case SSH2_MSG_CHANNEL_OPEN:
2709 		if ((original = sshbuf_from(cp, have)) == NULL ||
2710 		    (modified = sshbuf_new()) == NULL) {
2711 			error("%s: alloc", __func__);
2712 			goto out;
2713 		}
2714 		if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0 ||
2715 		    (r = sshbuf_get_u32(original, &id)) != 0) {
2716 			error("%s: parse error %s", __func__, ssh_err(r));
2717 			goto out;
2718 		}
2719 		c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
2720 		   -1, -1, -1, 0, 0, 0, ctype, 1);
2721 		c->mux_ctx = downstream;	/* point to mux client */
2722 		c->mux_downstream_id = id;	/* original downstream id */
2723 		if ((r = sshbuf_put_cstring(modified, ctype)) != 0 ||
2724 		    (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2725 		    (r = sshbuf_putb(modified, original)) != 0) {
2726 			error("%s: compose error %s", __func__, ssh_err(r));
2727 			channel_free(ssh, c);
2728 			goto out;
2729 		}
2730 		break;
2731 	case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2732 		/*
2733 		 * Almost the same as SSH2_MSG_CHANNEL_OPEN, except then we
2734 		 * need to parse 'remote_id' instead of 'ctype'.
2735 		 */
2736 		if ((original = sshbuf_from(cp, have)) == NULL ||
2737 		    (modified = sshbuf_new()) == NULL) {
2738 			error("%s: alloc", __func__);
2739 			goto out;
2740 		}
2741 		if ((r = sshbuf_get_u32(original, &remote_id)) != 0 ||
2742 		    (r = sshbuf_get_u32(original, &id)) != 0) {
2743 			error("%s: parse error %s", __func__, ssh_err(r));
2744 			goto out;
2745 		}
2746 		c = channel_new(ssh, "mux proxy", SSH_CHANNEL_MUX_PROXY,
2747 		   -1, -1, -1, 0, 0, 0, "mux-down-connect", 1);
2748 		c->mux_ctx = downstream;	/* point to mux client */
2749 		c->mux_downstream_id = id;
2750 		c->remote_id = remote_id;
2751 		c->have_remote_id = 1;
2752 		if ((r = sshbuf_put_u32(modified, remote_id)) != 0 ||
2753 		    (r = sshbuf_put_u32(modified, c->self)) != 0 ||
2754 		    (r = sshbuf_putb(modified, original)) != 0) {
2755 			error("%s: compose error %s", __func__, ssh_err(r));
2756 			channel_free(ssh, c);
2757 			goto out;
2758 		}
2759 		break;
2760 	case SSH2_MSG_GLOBAL_REQUEST:
2761 		if ((original = sshbuf_from(cp, have)) == NULL) {
2762 			error("%s: alloc", __func__);
2763 			goto out;
2764 		}
2765 		if ((r = sshbuf_get_cstring(original, &ctype, NULL)) != 0) {
2766 			error("%s: parse error %s", __func__, ssh_err(r));
2767 			goto out;
2768 		}
2769 		if (strcmp(ctype, "tcpip-forward") != 0) {
2770 			error("%s: unsupported request %s", __func__, ctype);
2771 			goto out;
2772 		}
2773 		if ((r = sshbuf_get_u8(original, NULL)) != 0 ||
2774 		    (r = sshbuf_get_cstring(original, &listen_host, NULL)) != 0 ||
2775 		    (r = sshbuf_get_u32(original, &listen_port)) != 0) {
2776 			error("%s: parse error %s", __func__, ssh_err(r));
2777 			goto out;
2778 		}
2779 		if (listen_port > 65535) {
2780 			error("%s: tcpip-forward for %s: bad port %u",
2781 			    __func__, listen_host, listen_port);
2782 			goto out;
2783 		}
2784 		/* Record that connection to this host/port is permitted. */
2785 		permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL, "<mux>", -1,
2786 		    listen_host, NULL, (int)listen_port, downstream);
2787 		listen_host = NULL;
2788 		break;
2789 	case SSH2_MSG_CHANNEL_CLOSE:
2790 		if (have < 4)
2791 			break;
2792 		remote_id = PEEK_U32(cp);
2793 		if ((c = channel_by_remote_id(ssh, remote_id)) != NULL) {
2794 			if (c->flags & CHAN_CLOSE_RCVD)
2795 				channel_free(ssh, c);
2796 			else
2797 				c->flags |= CHAN_CLOSE_SENT;
2798 		}
2799 		break;
2800 	}
2801 	if (modified) {
2802 		if ((r = sshpkt_start(ssh, type)) != 0 ||
2803 		    (r = sshpkt_putb(ssh, modified)) != 0 ||
2804 		    (r = sshpkt_send(ssh)) != 0) {
2805 			error("%s: send %s", __func__, ssh_err(r));
2806 			goto out;
2807 		}
2808 	} else {
2809 		if ((r = sshpkt_start(ssh, type)) != 0 ||
2810 		    (r = sshpkt_put(ssh, cp, have)) != 0 ||
2811 		    (r = sshpkt_send(ssh)) != 0) {
2812 			error("%s: send %s", __func__, ssh_err(r));
2813 			goto out;
2814 		}
2815 	}
2816 	ret = 0;
2817  out:
2818 	free(ctype);
2819 	free(listen_host);
2820 	sshbuf_free(original);
2821 	sshbuf_free(modified);
2822 	return ret;
2823 }
2824 
2825 /*
2826  * receive packets from upstream server and de-multiplex packets
2827  * to correct downstream:
2828  * implemented as a helper for channel input handlers,
2829  * replaces local (proxy) channel ID with downstream channel ID.
2830  */
2831 int
2832 channel_proxy_upstream(Channel *c, int type, u_int32_t seq, struct ssh *ssh)
2833 {
2834 	struct sshbuf *b = NULL;
2835 	Channel *downstream;
2836 	const u_char *cp = NULL;
2837 	size_t len;
2838 	int r;
2839 
2840 	/*
2841 	 * When receiving packets from the peer we need to check whether we
2842 	 * need to forward the packets to the mux client. In this case we
2843 	 * restore the original channel id and keep track of CLOSE messages,
2844 	 * so we can cleanup the channel.
2845 	 */
2846 	if (c == NULL || c->type != SSH_CHANNEL_MUX_PROXY)
2847 		return 0;
2848 	if ((downstream = c->mux_ctx) == NULL)
2849 		return 0;
2850 	switch (type) {
2851 	case SSH2_MSG_CHANNEL_CLOSE:
2852 	case SSH2_MSG_CHANNEL_DATA:
2853 	case SSH2_MSG_CHANNEL_EOF:
2854 	case SSH2_MSG_CHANNEL_EXTENDED_DATA:
2855 	case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2856 	case SSH2_MSG_CHANNEL_OPEN_FAILURE:
2857 	case SSH2_MSG_CHANNEL_WINDOW_ADJUST:
2858 	case SSH2_MSG_CHANNEL_SUCCESS:
2859 	case SSH2_MSG_CHANNEL_FAILURE:
2860 	case SSH2_MSG_CHANNEL_REQUEST:
2861 		break;
2862 	default:
2863 		debug2("%s: channel %u: unsupported type %u", __func__,
2864 		    c->self, type);
2865 		return 0;
2866 	}
2867 	if ((b = sshbuf_new()) == NULL) {
2868 		error("%s: alloc reply", __func__);
2869 		goto out;
2870 	}
2871 	/* get remaining payload (after id) */
2872 	cp = sshpkt_ptr(ssh, &len);
2873 	if (cp == NULL) {
2874 		error("%s: no packet", __func__);
2875 		goto out;
2876 	}
2877 	/* translate id and send to muxclient */
2878 	if ((r = sshbuf_put_u8(b, 0)) != 0 ||	/* padlen */
2879 	    (r = sshbuf_put_u8(b, type)) != 0 ||
2880 	    (r = sshbuf_put_u32(b, c->mux_downstream_id)) != 0 ||
2881 	    (r = sshbuf_put(b, cp, len)) != 0 ||
2882 	    (r = sshbuf_put_stringb(downstream->output, b)) != 0) {
2883 		error("%s: compose for muxclient %s", __func__, ssh_err(r));
2884 		goto out;
2885 	}
2886 	/* sshbuf_dump(b, stderr); */
2887 	if (ssh_packet_log_type(type))
2888 		debug3("%s: channel %u: up->down: type %u", __func__, c->self,
2889 		    type);
2890  out:
2891 	/* update state */
2892 	switch (type) {
2893 	case SSH2_MSG_CHANNEL_OPEN_CONFIRMATION:
2894 		/* record remote_id for SSH2_MSG_CHANNEL_CLOSE */
2895 		if (cp && len > 4) {
2896 			c->remote_id = PEEK_U32(cp);
2897 			c->have_remote_id = 1;
2898 		}
2899 		break;
2900 	case SSH2_MSG_CHANNEL_CLOSE:
2901 		if (c->flags & CHAN_CLOSE_SENT)
2902 			channel_free(ssh, c);
2903 		else
2904 			c->flags |= CHAN_CLOSE_RCVD;
2905 		break;
2906 	}
2907 	sshbuf_free(b);
2908 	return 1;
2909 }
2910 
2911 /* -- protocol input */
2912 
2913 /* Parse a channel ID from the current packet */
2914 static int
2915 channel_parse_id(struct ssh *ssh, const char *where, const char *what)
2916 {
2917 	u_int32_t id;
2918 	int r;
2919 
2920 	if ((r = sshpkt_get_u32(ssh, &id)) != 0) {
2921 		error("%s: parse id: %s", where, ssh_err(r));
2922 		ssh_packet_disconnect(ssh, "Invalid %s message", what);
2923 	}
2924 	if (id > INT_MAX) {
2925 		error("%s: bad channel id %u: %s", where, id, ssh_err(r));
2926 		ssh_packet_disconnect(ssh, "Invalid %s channel id", what);
2927 	}
2928 	return (int)id;
2929 }
2930 
2931 /* Lookup a channel from an ID in the current packet */
2932 static Channel *
2933 channel_from_packet_id(struct ssh *ssh, const char *where, const char *what)
2934 {
2935 	int id = channel_parse_id(ssh, where, what);
2936 	Channel *c;
2937 
2938 	if ((c = channel_lookup(ssh, id)) == NULL) {
2939 		ssh_packet_disconnect(ssh,
2940 		    "%s packet referred to nonexistent channel %d", what, id);
2941 	}
2942 	return c;
2943 }
2944 
2945 int
2946 channel_input_data(int type, u_int32_t seq, struct ssh *ssh)
2947 {
2948 	const u_char *data;
2949 	size_t data_len, win_len;
2950 	Channel *c = channel_from_packet_id(ssh, __func__, "data");
2951 	int r;
2952 
2953 	if (channel_proxy_upstream(c, type, seq, ssh))
2954 		return 0;
2955 
2956 	/* Ignore any data for non-open channels (might happen on close) */
2957 	if (c->type != SSH_CHANNEL_OPEN &&
2958 	    c->type != SSH_CHANNEL_RDYNAMIC_OPEN &&
2959 	    c->type != SSH_CHANNEL_RDYNAMIC_FINISH &&
2960 	    c->type != SSH_CHANNEL_X11_OPEN)
2961 		return 0;
2962 
2963 	/* Get the data. */
2964 	if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0)
2965 		fatal("%s: channel %d: get data: %s", __func__,
2966 		    c->self, ssh_err(r));
2967 	ssh_packet_check_eom(ssh);
2968 
2969 	win_len = data_len;
2970 	if (c->datagram)
2971 		win_len += 4;  /* string length header */
2972 
2973 	/*
2974 	 * The sending side reduces its window as it sends data, so we
2975 	 * must 'fake' consumption of the data in order to ensure that window
2976 	 * updates are sent back. Otherwise the connection might deadlock.
2977 	 */
2978 	if (c->ostate != CHAN_OUTPUT_OPEN) {
2979 		c->local_window -= win_len;
2980 		c->local_consumed += win_len;
2981 		return 0;
2982 	}
2983 
2984 	if (win_len > c->local_maxpacket) {
2985 		logit("channel %d: rcvd big packet %zu, maxpack %u",
2986 		    c->self, win_len, c->local_maxpacket);
2987 		return 0;
2988 	}
2989 	if (win_len > c->local_window) {
2990 		logit("channel %d: rcvd too much data %zu, win %u",
2991 		    c->self, win_len, c->local_window);
2992 		return 0;
2993 	}
2994 	c->local_window -= win_len;
2995 
2996 	if (c->datagram) {
2997 		if ((r = sshbuf_put_string(c->output, data, data_len)) != 0)
2998 			fatal("%s: channel %d: append datagram: %s",
2999 			    __func__, c->self, ssh_err(r));
3000 	} else if ((r = sshbuf_put(c->output, data, data_len)) != 0)
3001 		fatal("%s: channel %d: append data: %s",
3002 		    __func__, c->self, ssh_err(r));
3003 
3004 	return 0;
3005 }
3006 
3007 int
3008 channel_input_extended_data(int type, u_int32_t seq, struct ssh *ssh)
3009 {
3010 	const u_char *data;
3011 	size_t data_len;
3012 	u_int32_t tcode;
3013 	Channel *c = channel_from_packet_id(ssh, __func__, "extended data");
3014 	int r;
3015 
3016 	if (channel_proxy_upstream(c, type, seq, ssh))
3017 		return 0;
3018 	if (c->type != SSH_CHANNEL_OPEN) {
3019 		logit("channel %d: ext data for non open", c->self);
3020 		return 0;
3021 	}
3022 	if (c->flags & CHAN_EOF_RCVD) {
3023 		if (datafellows & SSH_BUG_EXTEOF)
3024 			debug("channel %d: accepting ext data after eof",
3025 			    c->self);
3026 		else
3027 			ssh_packet_disconnect(ssh, "Received extended_data "
3028 			    "after EOF on channel %d.", c->self);
3029 	}
3030 
3031 	if ((r = sshpkt_get_u32(ssh, &tcode)) != 0) {
3032 		error("%s: parse tcode: %s", __func__, ssh_err(r));
3033 		ssh_packet_disconnect(ssh, "Invalid extended_data message");
3034 	}
3035 	if (c->efd == -1 ||
3036 	    c->extended_usage != CHAN_EXTENDED_WRITE ||
3037 	    tcode != SSH2_EXTENDED_DATA_STDERR) {
3038 		logit("channel %d: bad ext data", c->self);
3039 		return 0;
3040 	}
3041 	if ((r = sshpkt_get_string_direct(ssh, &data, &data_len)) != 0) {
3042 		error("%s: parse data: %s", __func__, ssh_err(r));
3043 		ssh_packet_disconnect(ssh, "Invalid extended_data message");
3044 	}
3045 	ssh_packet_check_eom(ssh);
3046 
3047 	if (data_len > c->local_window) {
3048 		logit("channel %d: rcvd too much extended_data %zu, win %u",
3049 		    c->self, data_len, c->local_window);
3050 		return 0;
3051 	}
3052 	debug2("channel %d: rcvd ext data %zu", c->self, data_len);
3053 	/* XXX sshpkt_getb? */
3054 	if ((r = sshbuf_put(c->extended, data, data_len)) != 0)
3055 		error("%s: append: %s", __func__, ssh_err(r));
3056 	c->local_window -= data_len;
3057 	return 0;
3058 }
3059 
3060 int
3061 channel_input_ieof(int type, u_int32_t seq, struct ssh *ssh)
3062 {
3063 	Channel *c = channel_from_packet_id(ssh, __func__, "ieof");
3064 
3065 	ssh_packet_check_eom(ssh);
3066 
3067 	if (channel_proxy_upstream(c, type, seq, ssh))
3068 		return 0;
3069 	chan_rcvd_ieof(ssh, c);
3070 
3071 	/* XXX force input close */
3072 	if (c->force_drain && c->istate == CHAN_INPUT_OPEN) {
3073 		debug("channel %d: FORCE input drain", c->self);
3074 		c->istate = CHAN_INPUT_WAIT_DRAIN;
3075 		if (sshbuf_len(c->input) == 0)
3076 			chan_ibuf_empty(ssh, c);
3077 	}
3078 	return 0;
3079 }
3080 
3081 int
3082 channel_input_oclose(int type, u_int32_t seq, struct ssh *ssh)
3083 {
3084 	Channel *c = channel_from_packet_id(ssh, __func__, "oclose");
3085 
3086 	if (channel_proxy_upstream(c, type, seq, ssh))
3087 		return 0;
3088 	ssh_packet_check_eom(ssh);
3089 	chan_rcvd_oclose(ssh, c);
3090 	return 0;
3091 }
3092 
3093 int
3094 channel_input_open_confirmation(int type, u_int32_t seq, struct ssh *ssh)
3095 {
3096 	Channel *c = channel_from_packet_id(ssh, __func__, "open confirmation");
3097 	u_int32_t remote_window, remote_maxpacket;
3098 	int r;
3099 
3100 	if (channel_proxy_upstream(c, type, seq, ssh))
3101 		return 0;
3102 	if (c->type != SSH_CHANNEL_OPENING)
3103 		packet_disconnect("Received open confirmation for "
3104 		    "non-opening channel %d.", c->self);
3105 	/*
3106 	 * Record the remote channel number and mark that the channel
3107 	 * is now open.
3108 	 */
3109 	if ((r = sshpkt_get_u32(ssh, &c->remote_id)) != 0 ||
3110 	    (r = sshpkt_get_u32(ssh, &remote_window)) != 0 ||
3111 	    (r = sshpkt_get_u32(ssh, &remote_maxpacket)) != 0) {
3112 		error("%s: window/maxpacket: %s", __func__, ssh_err(r));
3113 		packet_disconnect("Invalid open confirmation message");
3114 	}
3115 	ssh_packet_check_eom(ssh);
3116 
3117 	c->have_remote_id = 1;
3118 	c->remote_window = remote_window;
3119 	c->remote_maxpacket = remote_maxpacket;
3120 	c->type = SSH_CHANNEL_OPEN;
3121 	if (c->open_confirm) {
3122 		debug2("%s: channel %d: callback start", __func__, c->self);
3123 		c->open_confirm(ssh, c->self, 1, c->open_confirm_ctx);
3124 		debug2("%s: channel %d: callback done", __func__, c->self);
3125 	}
3126 	debug2("channel %d: open confirm rwindow %u rmax %u", c->self,
3127 	    c->remote_window, c->remote_maxpacket);
3128 	return 0;
3129 }
3130 
3131 static char *
3132 reason2txt(int reason)
3133 {
3134 	switch (reason) {
3135 	case SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED:
3136 		return "administratively prohibited";
3137 	case SSH2_OPEN_CONNECT_FAILED:
3138 		return "connect failed";
3139 	case SSH2_OPEN_UNKNOWN_CHANNEL_TYPE:
3140 		return "unknown channel type";
3141 	case SSH2_OPEN_RESOURCE_SHORTAGE:
3142 		return "resource shortage";
3143 	}
3144 	return "unknown reason";
3145 }
3146 
3147 int
3148 channel_input_open_failure(int type, u_int32_t seq, struct ssh *ssh)
3149 {
3150 	Channel *c = channel_from_packet_id(ssh, __func__, "open failure");
3151 	u_int32_t reason;
3152 	char *msg = NULL;
3153 	int r;
3154 
3155 	if (channel_proxy_upstream(c, type, seq, ssh))
3156 		return 0;
3157 	if (c->type != SSH_CHANNEL_OPENING)
3158 		packet_disconnect("Received open failure for "
3159 		    "non-opening channel %d.", c->self);
3160 	if ((r = sshpkt_get_u32(ssh, &reason)) != 0) {
3161 		error("%s: reason: %s", __func__, ssh_err(r));
3162 		packet_disconnect("Invalid open failure message");
3163 	}
3164 	/* skip language */
3165 	if ((r = sshpkt_get_cstring(ssh, &msg, NULL)) != 0 ||
3166 	    (r = sshpkt_get_string_direct(ssh, NULL, NULL)) != 0) {
3167 		error("%s: message/lang: %s", __func__, ssh_err(r));
3168 		packet_disconnect("Invalid open failure message");
3169 	}
3170 	ssh_packet_check_eom(ssh);
3171 	logit("channel %d: open failed: %s%s%s", c->self,
3172 	    reason2txt(reason), msg ? ": ": "", msg ? msg : "");
3173 	free(msg);
3174 	if (c->open_confirm) {
3175 		debug2("%s: channel %d: callback start", __func__, c->self);
3176 		c->open_confirm(ssh, c->self, 0, c->open_confirm_ctx);
3177 		debug2("%s: channel %d: callback done", __func__, c->self);
3178 	}
3179 	/* Schedule the channel for cleanup/deletion. */
3180 	chan_mark_dead(ssh, c);
3181 	return 0;
3182 }
3183 
3184 int
3185 channel_input_window_adjust(int type, u_int32_t seq, struct ssh *ssh)
3186 {
3187 	int id = channel_parse_id(ssh, __func__, "window adjust");
3188 	Channel *c;
3189 	u_int32_t adjust;
3190 	u_int new_rwin;
3191 	int r;
3192 
3193 	if ((c = channel_lookup(ssh, id)) == NULL) {
3194 		logit("Received window adjust for non-open channel %d.", id);
3195 		return 0;
3196 	}
3197 
3198 	if (channel_proxy_upstream(c, type, seq, ssh))
3199 		return 0;
3200 	if ((r = sshpkt_get_u32(ssh, &adjust)) != 0) {
3201 		error("%s: adjust: %s", __func__, ssh_err(r));
3202 		packet_disconnect("Invalid window adjust message");
3203 	}
3204 	ssh_packet_check_eom(ssh);
3205 	debug2("channel %d: rcvd adjust %u", c->self, adjust);
3206 	if ((new_rwin = c->remote_window + adjust) < c->remote_window) {
3207 		fatal("channel %d: adjust %u overflows remote window %u",
3208 		    c->self, adjust, c->remote_window);
3209 	}
3210 	c->remote_window = new_rwin;
3211 	return 0;
3212 }
3213 
3214 int
3215 channel_input_status_confirm(int type, u_int32_t seq, struct ssh *ssh)
3216 {
3217 	int id = channel_parse_id(ssh, __func__, "status confirm");
3218 	Channel *c;
3219 	struct channel_confirm *cc;
3220 
3221 	/* Reset keepalive timeout */
3222 	packet_set_alive_timeouts(0);
3223 
3224 	debug2("%s: type %d id %d", __func__, type, id);
3225 
3226 	if ((c = channel_lookup(ssh, id)) == NULL) {
3227 		logit("%s: %d: unknown", __func__, id);
3228 		return 0;
3229 	}
3230 	if (channel_proxy_upstream(c, type, seq, ssh))
3231 		return 0;
3232 	ssh_packet_check_eom(ssh);
3233 	if ((cc = TAILQ_FIRST(&c->status_confirms)) == NULL)
3234 		return 0;
3235 	cc->cb(ssh, type, c, cc->ctx);
3236 	TAILQ_REMOVE(&c->status_confirms, cc, entry);
3237 	explicit_bzero(cc, sizeof(*cc));
3238 	free(cc);
3239 	return 0;
3240 }
3241 
3242 /* -- tcp forwarding */
3243 
3244 void
3245 channel_set_af(struct ssh *ssh, int af)
3246 {
3247 	ssh->chanctxt->IPv4or6 = af;
3248 }
3249 
3250 
3251 /*
3252  * Determine whether or not a port forward listens to loopback, the
3253  * specified address or wildcard. On the client, a specified bind
3254  * address will always override gateway_ports. On the server, a
3255  * gateway_ports of 1 (``yes'') will override the client's specification
3256  * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
3257  * will bind to whatever address the client asked for.
3258  *
3259  * Special-case listen_addrs are:
3260  *
3261  * "0.0.0.0"               -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
3262  * "" (empty string), "*"  -> wildcard v4/v6
3263  * "localhost"             -> loopback v4/v6
3264  * "127.0.0.1" / "::1"     -> accepted even if gateway_ports isn't set
3265  */
3266 static const char *
3267 channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
3268     int is_client, struct ForwardOptions *fwd_opts)
3269 {
3270 	const char *addr = NULL;
3271 	int wildcard = 0;
3272 
3273 	if (listen_addr == NULL) {
3274 		/* No address specified: default to gateway_ports setting */
3275 		if (fwd_opts->gateway_ports)
3276 			wildcard = 1;
3277 	} else if (fwd_opts->gateway_ports || is_client) {
3278 		if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
3279 		    strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
3280 		    *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
3281 		    (!is_client && fwd_opts->gateway_ports == 1)) {
3282 			wildcard = 1;
3283 			/*
3284 			 * Notify client if they requested a specific listen
3285 			 * address and it was overridden.
3286 			 */
3287 			if (*listen_addr != '\0' &&
3288 			    strcmp(listen_addr, "0.0.0.0") != 0 &&
3289 			    strcmp(listen_addr, "*") != 0) {
3290 				packet_send_debug("Forwarding listen address "
3291 				    "\"%s\" overridden by server "
3292 				    "GatewayPorts", listen_addr);
3293 			}
3294 		} else if (strcmp(listen_addr, "localhost") != 0 ||
3295 		    strcmp(listen_addr, "127.0.0.1") == 0 ||
3296 		    strcmp(listen_addr, "::1") == 0) {
3297 			/* Accept localhost address when GatewayPorts=yes */
3298 			addr = listen_addr;
3299 		}
3300 	} else if (strcmp(listen_addr, "127.0.0.1") == 0 ||
3301 	    strcmp(listen_addr, "::1") == 0) {
3302 		/*
3303 		 * If a specific IPv4/IPv6 localhost address has been
3304 		 * requested then accept it even if gateway_ports is in
3305 		 * effect. This allows the client to prefer IPv4 or IPv6.
3306 		 */
3307 		addr = listen_addr;
3308 	}
3309 	if (wildcardp != NULL)
3310 		*wildcardp = wildcard;
3311 	return addr;
3312 }
3313 
3314 static int
3315 channel_setup_fwd_listener_tcpip(struct ssh *ssh, int type,
3316     struct Forward *fwd, int *allocated_listen_port,
3317     struct ForwardOptions *fwd_opts)
3318 {
3319 	Channel *c;
3320 	int sock, r, success = 0, wildcard = 0, is_client;
3321 	struct addrinfo hints, *ai, *aitop;
3322 	const char *host, *addr;
3323 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
3324 	in_port_t *lport_p;
3325 
3326 	is_client = (type == SSH_CHANNEL_PORT_LISTENER);
3327 
3328 	if (is_client && fwd->connect_path != NULL) {
3329 		host = fwd->connect_path;
3330 	} else {
3331 		host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
3332 		    fwd->listen_host : fwd->connect_host;
3333 		if (host == NULL) {
3334 			error("No forward host name.");
3335 			return 0;
3336 		}
3337 		if (strlen(host) >= NI_MAXHOST) {
3338 			error("Forward host name too long.");
3339 			return 0;
3340 		}
3341 	}
3342 
3343 	/* Determine the bind address, cf. channel_fwd_bind_addr() comment */
3344 	addr = channel_fwd_bind_addr(fwd->listen_host, &wildcard,
3345 	    is_client, fwd_opts);
3346 	debug3("%s: type %d wildcard %d addr %s", __func__,
3347 	    type, wildcard, (addr == NULL) ? "NULL" : addr);
3348 
3349 	/*
3350 	 * getaddrinfo returns a loopback address if the hostname is
3351 	 * set to NULL and hints.ai_flags is not AI_PASSIVE
3352 	 */
3353 	memset(&hints, 0, sizeof(hints));
3354 	hints.ai_family = ssh->chanctxt->IPv4or6;
3355 	hints.ai_flags = wildcard ? AI_PASSIVE : 0;
3356 	hints.ai_socktype = SOCK_STREAM;
3357 	snprintf(strport, sizeof strport, "%d", fwd->listen_port);
3358 	if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
3359 		if (addr == NULL) {
3360 			/* This really shouldn't happen */
3361 			packet_disconnect("getaddrinfo: fatal error: %s",
3362 			    ssh_gai_strerror(r));
3363 		} else {
3364 			error("%s: getaddrinfo(%.64s): %s", __func__, addr,
3365 			    ssh_gai_strerror(r));
3366 		}
3367 		return 0;
3368 	}
3369 	if (allocated_listen_port != NULL)
3370 		*allocated_listen_port = 0;
3371 	for (ai = aitop; ai; ai = ai->ai_next) {
3372 		switch (ai->ai_family) {
3373 		case AF_INET:
3374 			lport_p = &((struct sockaddr_in *)ai->ai_addr)->
3375 			    sin_port;
3376 			break;
3377 		case AF_INET6:
3378 			lport_p = &((struct sockaddr_in6 *)ai->ai_addr)->
3379 			    sin6_port;
3380 			break;
3381 		default:
3382 			continue;
3383 		}
3384 		/*
3385 		 * If allocating a port for -R forwards, then use the
3386 		 * same port for all address families.
3387 		 */
3388 		if (type == SSH_CHANNEL_RPORT_LISTENER &&
3389 		    fwd->listen_port == 0 && allocated_listen_port != NULL &&
3390 		    *allocated_listen_port > 0)
3391 			*lport_p = htons(*allocated_listen_port);
3392 
3393 		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
3394 		    strport, sizeof(strport),
3395 		    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
3396 			error("%s: getnameinfo failed", __func__);
3397 			continue;
3398 		}
3399 		/* Create a port to listen for the host. */
3400 		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
3401 		if (sock < 0) {
3402 			/* this is no error since kernel may not support ipv6 */
3403 			verbose("socket [%s]:%s: %.100s", ntop, strport,
3404 			    strerror(errno));
3405 			continue;
3406 		}
3407 
3408 		set_reuseaddr(sock);
3409 		if (ai->ai_family == AF_INET6)
3410 			sock_set_v6only(sock);
3411 
3412 		debug("Local forwarding listening on %s port %s.",
3413 		    ntop, strport);
3414 
3415 		/* Bind the socket to the address. */
3416 		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
3417 			/*
3418 			 * address can be in if use ipv6 address is
3419 			 * already bound
3420 			 */
3421 			if (!ai->ai_next)
3422 				error("bind [%s]:%s: %.100s",
3423 				    ntop, strport, strerror(errno));
3424 			else
3425 				verbose("bind [%s]:%s: %.100s",
3426 				    ntop, strport, strerror(errno));
3427 
3428 			close(sock);
3429 			continue;
3430 		}
3431 		/* Start listening for connections on the socket. */
3432 		if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
3433 			error("listen: %.100s", strerror(errno));
3434 			error("listen [%s]:%s: %.100s", ntop, strport,
3435 			    strerror(errno));
3436 			close(sock);
3437 			continue;
3438 		}
3439 
3440 		/*
3441 		 * fwd->listen_port == 0 requests a dynamically allocated port -
3442 		 * record what we got.
3443 		 */
3444 		if (type == SSH_CHANNEL_RPORT_LISTENER &&
3445 		    fwd->listen_port == 0 &&
3446 		    allocated_listen_port != NULL &&
3447 		    *allocated_listen_port == 0) {
3448 			*allocated_listen_port = get_local_port(sock);
3449 			debug("Allocated listen port %d",
3450 			    *allocated_listen_port);
3451 		}
3452 
3453 		/* Allocate a channel number for the socket. */
3454 		c = channel_new(ssh, "port listener", type, sock, sock, -1,
3455 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3456 		    0, "port listener", 1);
3457 		c->path = xstrdup(host);
3458 		c->host_port = fwd->connect_port;
3459 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
3460 		if (fwd->listen_port == 0 && allocated_listen_port != NULL &&
3461 		    !(datafellows & SSH_BUG_DYNAMIC_RPORT))
3462 			c->listening_port = *allocated_listen_port;
3463 		else
3464 			c->listening_port = fwd->listen_port;
3465 		success = 1;
3466 	}
3467 	if (success == 0)
3468 		error("%s: cannot listen to port: %d", __func__,
3469 		    fwd->listen_port);
3470 	freeaddrinfo(aitop);
3471 	return success;
3472 }
3473 
3474 static int
3475 channel_setup_fwd_listener_streamlocal(struct ssh *ssh, int type,
3476     struct Forward *fwd, struct ForwardOptions *fwd_opts)
3477 {
3478 	struct sockaddr_un sunaddr;
3479 	const char *path;
3480 	Channel *c;
3481 	int port, sock;
3482 	mode_t omask;
3483 
3484 	switch (type) {
3485 	case SSH_CHANNEL_UNIX_LISTENER:
3486 		if (fwd->connect_path != NULL) {
3487 			if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
3488 				error("Local connecting path too long: %s",
3489 				    fwd->connect_path);
3490 				return 0;
3491 			}
3492 			path = fwd->connect_path;
3493 			port = PORT_STREAMLOCAL;
3494 		} else {
3495 			if (fwd->connect_host == NULL) {
3496 				error("No forward host name.");
3497 				return 0;
3498 			}
3499 			if (strlen(fwd->connect_host) >= NI_MAXHOST) {
3500 				error("Forward host name too long.");
3501 				return 0;
3502 			}
3503 			path = fwd->connect_host;
3504 			port = fwd->connect_port;
3505 		}
3506 		break;
3507 	case SSH_CHANNEL_RUNIX_LISTENER:
3508 		path = fwd->listen_path;
3509 		port = PORT_STREAMLOCAL;
3510 		break;
3511 	default:
3512 		error("%s: unexpected channel type %d", __func__, type);
3513 		return 0;
3514 	}
3515 
3516 	if (fwd->listen_path == NULL) {
3517 		error("No forward path name.");
3518 		return 0;
3519 	}
3520 	if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
3521 		error("Local listening path too long: %s", fwd->listen_path);
3522 		return 0;
3523 	}
3524 
3525 	debug3("%s: type %d path %s", __func__, type, fwd->listen_path);
3526 
3527 	/* Start a Unix domain listener. */
3528 	omask = umask(fwd_opts->streamlocal_bind_mask);
3529 	sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
3530 	    fwd_opts->streamlocal_bind_unlink);
3531 	umask(omask);
3532 	if (sock < 0)
3533 		return 0;
3534 
3535 	debug("Local forwarding listening on path %s.", fwd->listen_path);
3536 
3537 	/* Allocate a channel number for the socket. */
3538 	c = channel_new(ssh, "unix listener", type, sock, sock, -1,
3539 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
3540 	    0, "unix listener", 1);
3541 	c->path = xstrdup(path);
3542 	c->host_port = port;
3543 	c->listening_port = PORT_STREAMLOCAL;
3544 	c->listening_addr = xstrdup(fwd->listen_path);
3545 	return 1;
3546 }
3547 
3548 static int
3549 channel_cancel_rport_listener_tcpip(struct ssh *ssh,
3550     const char *host, u_short port)
3551 {
3552 	u_int i;
3553 	int found = 0;
3554 
3555 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3556 		Channel *c = ssh->chanctxt->channels[i];
3557 		if (c == NULL || c->type != SSH_CHANNEL_RPORT_LISTENER)
3558 			continue;
3559 		if (strcmp(c->path, host) == 0 && c->listening_port == port) {
3560 			debug2("%s: close channel %d", __func__, i);
3561 			channel_free(ssh, c);
3562 			found = 1;
3563 		}
3564 	}
3565 
3566 	return found;
3567 }
3568 
3569 static int
3570 channel_cancel_rport_listener_streamlocal(struct ssh *ssh, const char *path)
3571 {
3572 	u_int i;
3573 	int found = 0;
3574 
3575 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3576 		Channel *c = ssh->chanctxt->channels[i];
3577 		if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER)
3578 			continue;
3579 		if (c->path == NULL)
3580 			continue;
3581 		if (strcmp(c->path, path) == 0) {
3582 			debug2("%s: close channel %d", __func__, i);
3583 			channel_free(ssh, c);
3584 			found = 1;
3585 		}
3586 	}
3587 
3588 	return found;
3589 }
3590 
3591 int
3592 channel_cancel_rport_listener(struct ssh *ssh, struct Forward *fwd)
3593 {
3594 	if (fwd->listen_path != NULL) {
3595 		return channel_cancel_rport_listener_streamlocal(ssh,
3596 		    fwd->listen_path);
3597 	} else {
3598 		return channel_cancel_rport_listener_tcpip(ssh,
3599 		    fwd->listen_host, fwd->listen_port);
3600 	}
3601 }
3602 
3603 static int
3604 channel_cancel_lport_listener_tcpip(struct ssh *ssh,
3605     const char *lhost, u_short lport, int cport,
3606     struct ForwardOptions *fwd_opts)
3607 {
3608 	u_int i;
3609 	int found = 0;
3610 	const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, fwd_opts);
3611 
3612 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3613 		Channel *c = ssh->chanctxt->channels[i];
3614 		if (c == NULL || c->type != SSH_CHANNEL_PORT_LISTENER)
3615 			continue;
3616 		if (c->listening_port != lport)
3617 			continue;
3618 		if (cport == CHANNEL_CANCEL_PORT_STATIC) {
3619 			/* skip dynamic forwardings */
3620 			if (c->host_port == 0)
3621 				continue;
3622 		} else {
3623 			if (c->host_port != cport)
3624 				continue;
3625 		}
3626 		if ((c->listening_addr == NULL && addr != NULL) ||
3627 		    (c->listening_addr != NULL && addr == NULL))
3628 			continue;
3629 		if (addr == NULL || strcmp(c->listening_addr, addr) == 0) {
3630 			debug2("%s: close channel %d", __func__, i);
3631 			channel_free(ssh, c);
3632 			found = 1;
3633 		}
3634 	}
3635 
3636 	return found;
3637 }
3638 
3639 static int
3640 channel_cancel_lport_listener_streamlocal(struct ssh *ssh, const char *path)
3641 {
3642 	u_int i;
3643 	int found = 0;
3644 
3645 	if (path == NULL) {
3646 		error("%s: no path specified.", __func__);
3647 		return 0;
3648 	}
3649 
3650 	for (i = 0; i < ssh->chanctxt->channels_alloc; i++) {
3651 		Channel *c = ssh->chanctxt->channels[i];
3652 		if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER)
3653 			continue;
3654 		if (c->listening_addr == NULL)
3655 			continue;
3656 		if (strcmp(c->listening_addr, path) == 0) {
3657 			debug2("%s: close channel %d", __func__, i);
3658 			channel_free(ssh, c);
3659 			found = 1;
3660 		}
3661 	}
3662 
3663 	return found;
3664 }
3665 
3666 int
3667 channel_cancel_lport_listener(struct ssh *ssh,
3668     struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts)
3669 {
3670 	if (fwd->listen_path != NULL) {
3671 		return channel_cancel_lport_listener_streamlocal(ssh,
3672 		    fwd->listen_path);
3673 	} else {
3674 		return channel_cancel_lport_listener_tcpip(ssh,
3675 		    fwd->listen_host, fwd->listen_port, cport, fwd_opts);
3676 	}
3677 }
3678 
3679 /* protocol local port fwd, used by ssh */
3680 int
3681 channel_setup_local_fwd_listener(struct ssh *ssh,
3682     struct Forward *fwd, struct ForwardOptions *fwd_opts)
3683 {
3684 	if (fwd->listen_path != NULL) {
3685 		return channel_setup_fwd_listener_streamlocal(ssh,
3686 		    SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts);
3687 	} else {
3688 		return channel_setup_fwd_listener_tcpip(ssh,
3689 		    SSH_CHANNEL_PORT_LISTENER, fwd, NULL, fwd_opts);
3690 	}
3691 }
3692 
3693 /* Matches a remote forwarding permission against a requested forwarding */
3694 static int
3695 remote_open_match(struct permission *allowed_open, struct Forward *fwd)
3696 {
3697 	int ret;
3698 	char *lhost;
3699 
3700 	/* XXX add ACLs for streamlocal */
3701 	if (fwd->listen_path != NULL)
3702 		return 1;
3703 
3704 	if (fwd->listen_host == NULL || allowed_open->listen_host == NULL)
3705 		return 0;
3706 
3707 	if (allowed_open->listen_port != FWD_PERMIT_ANY_PORT &&
3708 	    allowed_open->listen_port != fwd->listen_port)
3709 		return 0;
3710 
3711 	/* Match hostnames case-insensitively */
3712 	lhost = xstrdup(fwd->listen_host);
3713 	lowercase(lhost);
3714 	ret = match_pattern(lhost, allowed_open->listen_host);
3715 	free(lhost);
3716 
3717 	return ret;
3718 }
3719 
3720 /* Checks whether a requested remote forwarding is permitted */
3721 static int
3722 check_rfwd_permission(struct ssh *ssh, struct Forward *fwd)
3723 {
3724 	struct ssh_channels *sc = ssh->chanctxt;
3725 	struct permission_set *pset = &sc->remote_perms;
3726 	u_int i, permit, permit_adm = 1;
3727 	struct permission *perm;
3728 
3729 	/* XXX apply GatewayPorts override before checking? */
3730 
3731 	permit = pset->all_permitted;
3732 	if (!permit) {
3733 		for (i = 0; i < pset->num_permitted_user; i++) {
3734 			perm = &pset->permitted_user[i];
3735 			if (remote_open_match(perm, fwd)) {
3736 				permit = 1;
3737 				break;
3738 			}
3739 		}
3740 	}
3741 
3742 	if (pset->num_permitted_admin > 0) {
3743 		permit_adm = 0;
3744 		for (i = 0; i < pset->num_permitted_admin; i++) {
3745 			perm = &pset->permitted_admin[i];
3746 			if (remote_open_match(perm, fwd)) {
3747 				permit_adm = 1;
3748 				break;
3749 			}
3750 		}
3751 	}
3752 
3753 	return permit && permit_adm;
3754 }
3755 
3756 /* protocol v2 remote port fwd, used by sshd */
3757 int
3758 channel_setup_remote_fwd_listener(struct ssh *ssh, struct Forward *fwd,
3759     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
3760 {
3761 	if (!check_rfwd_permission(ssh, fwd)) {
3762 		packet_send_debug("port forwarding refused");
3763 		return 0;
3764 	}
3765 	if (fwd->listen_path != NULL) {
3766 		return channel_setup_fwd_listener_streamlocal(ssh,
3767 		    SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);
3768 	} else {
3769 		return channel_setup_fwd_listener_tcpip(ssh,
3770 		    SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,
3771 		    fwd_opts);
3772 	}
3773 }
3774 
3775 /*
3776  * Translate the requested rfwd listen host to something usable for
3777  * this server.
3778  */
3779 static const char *
3780 channel_rfwd_bind_host(const char *listen_host)
3781 {
3782 	if (listen_host == NULL) {
3783 		return "localhost";
3784 	} else if (*listen_host == '\0' || strcmp(listen_host, "*") == 0) {
3785 		return "";
3786 	} else
3787 		return listen_host;
3788 }
3789 
3790 /*
3791  * Initiate forwarding of connections to port "port" on remote host through
3792  * the secure channel to host:port from local side.
3793  * Returns handle (index) for updating the dynamic listen port with
3794  * channel_update_permission().
3795  */
3796 int
3797 channel_request_remote_forwarding(struct ssh *ssh, struct Forward *fwd)
3798 {
3799 	int r, success = 0, idx = -1;
3800 	char *host_to_connect, *listen_host, *listen_path;
3801 	int port_to_connect, listen_port;
3802 
3803 	/* Send the forward request to the remote side. */
3804 	if (fwd->listen_path != NULL) {
3805 		if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3806 		    (r = sshpkt_put_cstring(ssh,
3807 		    "streamlocal-forward@openssh.com")) != 0 ||
3808 		    (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3809 		    (r = sshpkt_put_cstring(ssh, fwd->listen_path)) != 0 ||
3810 		    (r = sshpkt_send(ssh)) != 0 ||
3811 		    (r = ssh_packet_write_wait(ssh)) != 0)
3812 			fatal("%s: request streamlocal: %s",
3813 			    __func__, ssh_err(r));
3814 	} else {
3815 		if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3816 		    (r = sshpkt_put_cstring(ssh, "tcpip-forward")) != 0 ||
3817 		    (r = sshpkt_put_u8(ssh, 1)) != 0 || /* want reply */
3818 		    (r = sshpkt_put_cstring(ssh,
3819 		    channel_rfwd_bind_host(fwd->listen_host))) != 0 ||
3820 		    (r = sshpkt_put_u32(ssh, fwd->listen_port)) != 0 ||
3821 		    (r = sshpkt_send(ssh)) != 0 ||
3822 		    (r = ssh_packet_write_wait(ssh)) != 0)
3823 			fatal("%s: request tcpip-forward: %s",
3824 			    __func__, ssh_err(r));
3825 	}
3826 	/* Assume that server accepts the request */
3827 	success = 1;
3828 	if (success) {
3829 		/* Record that connection to this host/port is permitted. */
3830 		host_to_connect = listen_host = listen_path = NULL;
3831 		port_to_connect = listen_port = 0;
3832 		if (fwd->connect_path != NULL) {
3833 			host_to_connect = xstrdup(fwd->connect_path);
3834 			port_to_connect = PORT_STREAMLOCAL;
3835 		} else {
3836 			host_to_connect = xstrdup(fwd->connect_host);
3837 			port_to_connect = fwd->connect_port;
3838 		}
3839 		if (fwd->listen_path != NULL) {
3840 			listen_path = xstrdup(fwd->listen_path);
3841 			listen_port = PORT_STREAMLOCAL;
3842 		} else {
3843 			if (fwd->listen_host != NULL)
3844 				listen_host = xstrdup(fwd->listen_host);
3845 			listen_port = fwd->listen_port;
3846 		}
3847 		idx = permission_set_add(ssh, FORWARD_USER, FORWARD_LOCAL,
3848 		    host_to_connect, port_to_connect,
3849 		    listen_host, listen_path, listen_port, NULL);
3850 	}
3851 	return idx;
3852 }
3853 
3854 static int
3855 open_match(struct permission *allowed_open, const char *requestedhost,
3856     int requestedport)
3857 {
3858 	if (allowed_open->host_to_connect == NULL)
3859 		return 0;
3860 	if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
3861 	    allowed_open->port_to_connect != requestedport)
3862 		return 0;
3863 	if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
3864 	    strcmp(allowed_open->host_to_connect, requestedhost) != 0)
3865 		return 0;
3866 	return 1;
3867 }
3868 
3869 /*
3870  * Note that in the listen host/port case
3871  * we don't support FWD_PERMIT_ANY_PORT and
3872  * need to translate between the configured-host (listen_host)
3873  * and what we've sent to the remote server (channel_rfwd_bind_host)
3874  */
3875 static int
3876 open_listen_match_tcpip(struct permission *allowed_open,
3877     const char *requestedhost, u_short requestedport, int translate)
3878 {
3879 	const char *allowed_host;
3880 
3881 	if (allowed_open->host_to_connect == NULL)
3882 		return 0;
3883 	if (allowed_open->listen_port != requestedport)
3884 		return 0;
3885 	if (!translate && allowed_open->listen_host == NULL &&
3886 	    requestedhost == NULL)
3887 		return 1;
3888 	allowed_host = translate ?
3889 	    channel_rfwd_bind_host(allowed_open->listen_host) :
3890 	    allowed_open->listen_host;
3891 	if (allowed_host == NULL || requestedhost == NULL ||
3892 	    strcmp(allowed_host, requestedhost) != 0)
3893 		return 0;
3894 	return 1;
3895 }
3896 
3897 static int
3898 open_listen_match_streamlocal(struct permission *allowed_open,
3899     const char *requestedpath)
3900 {
3901 	if (allowed_open->host_to_connect == NULL)
3902 		return 0;
3903 	if (allowed_open->listen_port != PORT_STREAMLOCAL)
3904 		return 0;
3905 	if (allowed_open->listen_path == NULL ||
3906 	    strcmp(allowed_open->listen_path, requestedpath) != 0)
3907 		return 0;
3908 	return 1;
3909 }
3910 
3911 /*
3912  * Request cancellation of remote forwarding of connection host:port from
3913  * local side.
3914  */
3915 static int
3916 channel_request_rforward_cancel_tcpip(struct ssh *ssh,
3917     const char *host, u_short port)
3918 {
3919 	struct ssh_channels *sc = ssh->chanctxt;
3920 	struct permission_set *pset = &sc->local_perms;
3921 	int r;
3922 	u_int i;
3923 	struct permission *perm;
3924 
3925 	for (i = 0; i < pset->num_permitted_user; i++) {
3926 		perm = &pset->permitted_user[i];
3927 		if (open_listen_match_tcpip(perm, host, port, 0))
3928 			break;
3929 		perm = NULL;
3930 	}
3931 	if (perm == NULL) {
3932 		debug("%s: requested forward not found", __func__);
3933 		return -1;
3934 	}
3935 	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3936 	    (r = sshpkt_put_cstring(ssh, "cancel-tcpip-forward")) != 0 ||
3937 	    (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
3938 	    (r = sshpkt_put_cstring(ssh, channel_rfwd_bind_host(host))) != 0 ||
3939 	    (r = sshpkt_put_u32(ssh, port)) != 0 ||
3940 	    (r = sshpkt_send(ssh)) != 0)
3941 		fatal("%s: send cancel: %s", __func__, ssh_err(r));
3942 
3943 	fwd_perm_clear(perm); /* unregister */
3944 
3945 	return 0;
3946 }
3947 
3948 /*
3949  * Request cancellation of remote forwarding of Unix domain socket
3950  * path from local side.
3951  */
3952 static int
3953 channel_request_rforward_cancel_streamlocal(struct ssh *ssh, const char *path)
3954 {
3955 	struct ssh_channels *sc = ssh->chanctxt;
3956 	struct permission_set *pset = &sc->local_perms;
3957 	int r;
3958 	u_int i;
3959 	struct permission *perm;
3960 
3961 	for (i = 0; i < pset->num_permitted_user; i++) {
3962 		perm = &pset->permitted_user[i];
3963 		if (open_listen_match_streamlocal(perm, path))
3964 			break;
3965 		perm = NULL;
3966 	}
3967 	if (perm == NULL) {
3968 		debug("%s: requested forward not found", __func__);
3969 		return -1;
3970 	}
3971 	if ((r = sshpkt_start(ssh, SSH2_MSG_GLOBAL_REQUEST)) != 0 ||
3972 	    (r = sshpkt_put_cstring(ssh,
3973 	    "cancel-streamlocal-forward@openssh.com")) != 0 ||
3974 	    (r = sshpkt_put_u8(ssh, 0)) != 0 || /* want reply */
3975 	    (r = sshpkt_put_cstring(ssh, path)) != 0 ||
3976 	    (r = sshpkt_send(ssh)) != 0)
3977 		fatal("%s: send cancel: %s", __func__, ssh_err(r));
3978 
3979 	fwd_perm_clear(perm); /* unregister */
3980 
3981 	return 0;
3982 }
3983 
3984 /*
3985  * Request cancellation of remote forwarding of a connection from local side.
3986  */
3987 int
3988 channel_request_rforward_cancel(struct ssh *ssh, struct Forward *fwd)
3989 {
3990 	if (fwd->listen_path != NULL) {
3991 		return channel_request_rforward_cancel_streamlocal(ssh,
3992 		    fwd->listen_path);
3993 	} else {
3994 		return channel_request_rforward_cancel_tcpip(ssh,
3995 		    fwd->listen_host,
3996 		    fwd->listen_port ? fwd->listen_port : fwd->allocated_port);
3997 	}
3998 }
3999 
4000 /*
4001  * Permits opening to any host/port if permitted_user[] is empty.  This is
4002  * usually called by the server, because the user could connect to any port
4003  * anyway, and the server has no way to know but to trust the client anyway.
4004  */
4005 void
4006 channel_permit_all(struct ssh *ssh, int where)
4007 {
4008 	struct permission_set *pset = permission_set_get(ssh, where);
4009 
4010 	if (pset->num_permitted_user == 0)
4011 		pset->all_permitted = 1;
4012 }
4013 
4014 /*
4015  * Permit the specified host/port for forwarding.
4016  */
4017 void
4018 channel_add_permission(struct ssh *ssh, int who, int where,
4019     char *host, int port)
4020 {
4021 	int local = where == FORWARD_LOCAL;
4022 	struct permission_set *pset = permission_set_get(ssh, where);
4023 
4024 	debug("allow %s forwarding to host %s port %d",
4025 	    fwd_ident(who, where), host, port);
4026 	/*
4027 	 * Remote forwards set listen_host/port, local forwards set
4028 	 * host/port_to_connect.
4029 	 */
4030 	permission_set_add(ssh, who, where,
4031 	    local ? host : 0, local ? port : 0,
4032 	    local ? NULL : host, NULL, local ? 0 : port, NULL);
4033 	pset->all_permitted = 0;
4034 }
4035 
4036 /*
4037  * Administratively disable forwarding.
4038  */
4039 void
4040 channel_disable_admin(struct ssh *ssh, int where)
4041 {
4042 	channel_clear_permission(ssh, FORWARD_ADM, where);
4043 	permission_set_add(ssh, FORWARD_ADM, where,
4044 	    NULL, 0, NULL, NULL, 0, NULL);
4045 }
4046 
4047 /*
4048  * Clear a list of permitted opens.
4049  */
4050 void
4051 channel_clear_permission(struct ssh *ssh, int who, int where)
4052 {
4053 	struct permission **permp;
4054 	u_int *npermp;
4055 
4056 	permission_set_get_array(ssh, who, where, &permp, &npermp);
4057 	*permp = xrecallocarray(*permp, *npermp, 0, sizeof(**permp));
4058 	*npermp = 0;
4059 }
4060 
4061 /*
4062  * Update the listen port for a dynamic remote forward, after
4063  * the actual 'newport' has been allocated. If 'newport' < 0 is
4064  * passed then they entry will be invalidated.
4065  */
4066 void
4067 channel_update_permission(struct ssh *ssh, int idx, int newport)
4068 {
4069 	struct permission_set *pset = &ssh->chanctxt->local_perms;
4070 
4071 	if (idx < 0 || (u_int)idx >= pset->num_permitted_user) {
4072 		debug("%s: index out of range: %d num_permitted_user %d",
4073 		    __func__, idx, pset->num_permitted_user);
4074 		return;
4075 	}
4076 	debug("%s allowed port %d for forwarding to host %s port %d",
4077 	    newport > 0 ? "Updating" : "Removing",
4078 	    newport,
4079 	    pset->permitted_user[idx].host_to_connect,
4080 	    pset->permitted_user[idx].port_to_connect);
4081 	if (newport <= 0)
4082 		fwd_perm_clear(&pset->permitted_user[idx]);
4083 	else {
4084 		pset->permitted_user[idx].listen_port =
4085 		    (datafellows & SSH_BUG_DYNAMIC_RPORT) ? 0 : newport;
4086 	}
4087 }
4088 
4089 /* returns port number, FWD_PERMIT_ANY_PORT or -1 on error */
4090 int
4091 permitopen_port(const char *p)
4092 {
4093 	int port;
4094 
4095 	if (strcmp(p, "*") == 0)
4096 		return FWD_PERMIT_ANY_PORT;
4097 	if ((port = a2port(p)) > 0)
4098 		return port;
4099 	return -1;
4100 }
4101 
4102 /* Try to start non-blocking connect to next host in cctx list */
4103 static int
4104 connect_next(struct channel_connect *cctx)
4105 {
4106 	int sock, saved_errno;
4107 	struct sockaddr_un *sunaddr;
4108 	char ntop[NI_MAXHOST];
4109 	char strport[MAXIMUM(NI_MAXSERV, sizeof(sunaddr->sun_path))];
4110 
4111 	for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
4112 		switch (cctx->ai->ai_family) {
4113 		case AF_UNIX:
4114 			/* unix:pathname instead of host:port */
4115 			sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
4116 			strlcpy(ntop, "unix", sizeof(ntop));
4117 			strlcpy(strport, sunaddr->sun_path, sizeof(strport));
4118 			break;
4119 		case AF_INET:
4120 		case AF_INET6:
4121 			if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
4122 			    ntop, sizeof(ntop), strport, sizeof(strport),
4123 			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
4124 				error("connect_next: getnameinfo failed");
4125 				continue;
4126 			}
4127 			break;
4128 		default:
4129 			continue;
4130 		}
4131 		if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
4132 		    cctx->ai->ai_protocol)) == -1) {
4133 			if (cctx->ai->ai_next == NULL)
4134 				error("socket: %.100s", strerror(errno));
4135 			else
4136 				verbose("socket: %.100s", strerror(errno));
4137 			continue;
4138 		}
4139 		if (set_nonblock(sock) == -1)
4140 			fatal("%s: set_nonblock(%d)", __func__, sock);
4141 		if (connect(sock, cctx->ai->ai_addr,
4142 		    cctx->ai->ai_addrlen) == -1 && errno != EINPROGRESS) {
4143 			debug("connect_next: host %.100s ([%.100s]:%s): "
4144 			    "%.100s", cctx->host, ntop, strport,
4145 			    strerror(errno));
4146 			saved_errno = errno;
4147 			close(sock);
4148 			errno = saved_errno;
4149 			continue;	/* fail -- try next */
4150 		}
4151 		if (cctx->ai->ai_family != AF_UNIX)
4152 			set_nodelay(sock);
4153 		debug("connect_next: host %.100s ([%.100s]:%s) "
4154 		    "in progress, fd=%d", cctx->host, ntop, strport, sock);
4155 		cctx->ai = cctx->ai->ai_next;
4156 		return sock;
4157 	}
4158 	return -1;
4159 }
4160 
4161 static void
4162 channel_connect_ctx_free(struct channel_connect *cctx)
4163 {
4164 	free(cctx->host);
4165 	if (cctx->aitop) {
4166 		if (cctx->aitop->ai_family == AF_UNIX)
4167 			free(cctx->aitop);
4168 		else
4169 			freeaddrinfo(cctx->aitop);
4170 	}
4171 	memset(cctx, 0, sizeof(*cctx));
4172 }
4173 
4174 /*
4175  * Return connecting socket to remote host:port or local socket path,
4176  * passing back the failure reason if appropriate.
4177  */
4178 static int
4179 connect_to_helper(struct ssh *ssh, const char *name, int port, int socktype,
4180     char *ctype, char *rname, struct channel_connect *cctx,
4181     int *reason, const char **errmsg)
4182 {
4183 	struct addrinfo hints;
4184 	int gaierr;
4185 	int sock = -1;
4186 	char strport[NI_MAXSERV];
4187 
4188 	if (port == PORT_STREAMLOCAL) {
4189 		struct sockaddr_un *sunaddr;
4190 		struct addrinfo *ai;
4191 
4192 		if (strlen(name) > sizeof(sunaddr->sun_path)) {
4193 			error("%.100s: %.100s", name, strerror(ENAMETOOLONG));
4194 			return -1;
4195 		}
4196 
4197 		/*
4198 		 * Fake up a struct addrinfo for AF_UNIX connections.
4199 		 * channel_connect_ctx_free() must check ai_family
4200 		 * and use free() not freeaddirinfo() for AF_UNIX.
4201 		 */
4202 		ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr));
4203 		memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr));
4204 		ai->ai_addr = (struct sockaddr *)(ai + 1);
4205 		ai->ai_addrlen = sizeof(*sunaddr);
4206 		ai->ai_family = AF_UNIX;
4207 		ai->ai_socktype = socktype;
4208 		ai->ai_protocol = PF_UNSPEC;
4209 		sunaddr = (struct sockaddr_un *)ai->ai_addr;
4210 		sunaddr->sun_family = AF_UNIX;
4211 		strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
4212 		cctx->aitop = ai;
4213 	} else {
4214 		memset(&hints, 0, sizeof(hints));
4215 		hints.ai_family = ssh->chanctxt->IPv4or6;
4216 		hints.ai_socktype = socktype;
4217 		snprintf(strport, sizeof strport, "%d", port);
4218 		if ((gaierr = getaddrinfo(name, strport, &hints, &cctx->aitop))
4219 		    != 0) {
4220 			if (errmsg != NULL)
4221 				*errmsg = ssh_gai_strerror(gaierr);
4222 			if (reason != NULL)
4223 				*reason = SSH2_OPEN_CONNECT_FAILED;
4224 			error("connect_to %.100s: unknown host (%s)", name,
4225 			    ssh_gai_strerror(gaierr));
4226 			return -1;
4227 		}
4228 	}
4229 
4230 	cctx->host = xstrdup(name);
4231 	cctx->port = port;
4232 	cctx->ai = cctx->aitop;
4233 
4234 	if ((sock = connect_next(cctx)) == -1) {
4235 		error("connect to %.100s port %d failed: %s",
4236 		    name, port, strerror(errno));
4237 		return -1;
4238 	}
4239 
4240 	return sock;
4241 }
4242 
4243 /* Return CONNECTING channel to remote host:port or local socket path */
4244 static Channel *
4245 connect_to(struct ssh *ssh, const char *host, int port,
4246     char *ctype, char *rname)
4247 {
4248 	struct channel_connect cctx;
4249 	Channel *c;
4250 	int sock;
4251 
4252 	memset(&cctx, 0, sizeof(cctx));
4253 	sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4254 	    &cctx, NULL, NULL);
4255 	if (sock == -1) {
4256 		channel_connect_ctx_free(&cctx);
4257 		return NULL;
4258 	}
4259 	c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4260 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4261 	c->host_port = port;
4262 	c->path = xstrdup(host);
4263 	c->connect_ctx = cctx;
4264 
4265 	return c;
4266 }
4267 
4268 /*
4269  * returns either the newly connected channel or the downstream channel
4270  * that needs to deal with this connection.
4271  */
4272 Channel *
4273 channel_connect_by_listen_address(struct ssh *ssh, const char *listen_host,
4274     u_short listen_port, char *ctype, char *rname)
4275 {
4276 	struct ssh_channels *sc = ssh->chanctxt;
4277 	struct permission_set *pset = &sc->local_perms;
4278 	u_int i;
4279 	struct permission *perm;
4280 
4281 	for (i = 0; i < pset->num_permitted_user; i++) {
4282 		perm = &pset->permitted_user[i];
4283 		if (open_listen_match_tcpip(perm,
4284 		    listen_host, listen_port, 1)) {
4285 			if (perm->downstream)
4286 				return perm->downstream;
4287 			if (perm->port_to_connect == 0)
4288 				return rdynamic_connect_prepare(ssh,
4289 				    ctype, rname);
4290 			return connect_to(ssh,
4291 			    perm->host_to_connect, perm->port_to_connect,
4292 			    ctype, rname);
4293 		}
4294 	}
4295 	error("WARNING: Server requests forwarding for unknown listen_port %d",
4296 	    listen_port);
4297 	return NULL;
4298 }
4299 
4300 Channel *
4301 channel_connect_by_listen_path(struct ssh *ssh, const char *path,
4302     char *ctype, char *rname)
4303 {
4304 	struct ssh_channels *sc = ssh->chanctxt;
4305 	struct permission_set *pset = &sc->local_perms;
4306 	u_int i;
4307 	struct permission *perm;
4308 
4309 	for (i = 0; i < pset->num_permitted_user; i++) {
4310 		perm = &pset->permitted_user[i];
4311 		if (open_listen_match_streamlocal(perm, path)) {
4312 			return connect_to(ssh,
4313 			    perm->host_to_connect, perm->port_to_connect,
4314 			    ctype, rname);
4315 		}
4316 	}
4317 	error("WARNING: Server requests forwarding for unknown path %.100s",
4318 	    path);
4319 	return NULL;
4320 }
4321 
4322 /* Check if connecting to that port is permitted and connect. */
4323 Channel *
4324 channel_connect_to_port(struct ssh *ssh, const char *host, u_short port,
4325     char *ctype, char *rname, int *reason, const char **errmsg)
4326 {
4327 	struct ssh_channels *sc = ssh->chanctxt;
4328 	struct permission_set *pset = &sc->local_perms;
4329 	struct channel_connect cctx;
4330 	Channel *c;
4331 	u_int i, permit, permit_adm = 1;
4332 	int sock;
4333 	struct permission *perm;
4334 
4335 	permit = pset->all_permitted;
4336 	if (!permit) {
4337 		for (i = 0; i < pset->num_permitted_user; i++) {
4338 			perm = &pset->permitted_user[i];
4339 			if (open_match(perm, host, port)) {
4340 				permit = 1;
4341 				break;
4342 			}
4343 		}
4344 	}
4345 
4346 	if (pset->num_permitted_admin > 0) {
4347 		permit_adm = 0;
4348 		for (i = 0; i < pset->num_permitted_admin; i++) {
4349 			perm = &pset->permitted_admin[i];
4350 			if (open_match(perm, host, port)) {
4351 				permit_adm = 1;
4352 				break;
4353 			}
4354 		}
4355 	}
4356 
4357 	if (!permit || !permit_adm) {
4358 		logit("Received request to connect to host %.100s port %d, "
4359 		    "but the request was denied.", host, port);
4360 		if (reason != NULL)
4361 			*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
4362 		return NULL;
4363 	}
4364 
4365 	memset(&cctx, 0, sizeof(cctx));
4366 	sock = connect_to_helper(ssh, host, port, SOCK_STREAM, ctype, rname,
4367 	    &cctx, reason, errmsg);
4368 	if (sock == -1) {
4369 		channel_connect_ctx_free(&cctx);
4370 		return NULL;
4371 	}
4372 
4373 	c = channel_new(ssh, ctype, SSH_CHANNEL_CONNECTING, sock, sock, -1,
4374 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4375 	c->host_port = port;
4376 	c->path = xstrdup(host);
4377 	c->connect_ctx = cctx;
4378 
4379 	return c;
4380 }
4381 
4382 /* Check if connecting to that path is permitted and connect. */
4383 Channel *
4384 channel_connect_to_path(struct ssh *ssh, const char *path,
4385     char *ctype, char *rname)
4386 {
4387 	struct ssh_channels *sc = ssh->chanctxt;
4388 	struct permission_set *pset = &sc->local_perms;
4389 	u_int i, permit, permit_adm = 1;
4390 	struct permission *perm;
4391 
4392 	permit = pset->all_permitted;
4393 	if (!permit) {
4394 		for (i = 0; i < pset->num_permitted_user; i++) {
4395 			perm = &pset->permitted_user[i];
4396 			if (open_match(perm, path, PORT_STREAMLOCAL)) {
4397 				permit = 1;
4398 				break;
4399 			}
4400 		}
4401 	}
4402 
4403 	if (pset->num_permitted_admin > 0) {
4404 		permit_adm = 0;
4405 		for (i = 0; i < pset->num_permitted_admin; i++) {
4406 			perm = &pset->permitted_admin[i];
4407 			if (open_match(perm, path, PORT_STREAMLOCAL)) {
4408 				permit_adm = 1;
4409 				break;
4410 			}
4411 		}
4412 	}
4413 
4414 	if (!permit || !permit_adm) {
4415 		logit("Received request to connect to path %.100s, "
4416 		    "but the request was denied.", path);
4417 		return NULL;
4418 	}
4419 	return connect_to(ssh, path, PORT_STREAMLOCAL, ctype, rname);
4420 }
4421 
4422 void
4423 channel_send_window_changes(struct ssh *ssh)
4424 {
4425 	struct ssh_channels *sc = ssh->chanctxt;
4426 	struct winsize ws;
4427 	int r;
4428 	u_int i;
4429 
4430 	for (i = 0; i < sc->channels_alloc; i++) {
4431 		if (sc->channels[i] == NULL || !sc->channels[i]->client_tty ||
4432 		    sc->channels[i]->type != SSH_CHANNEL_OPEN)
4433 			continue;
4434 		if (ioctl(sc->channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
4435 			continue;
4436 		channel_request_start(ssh, i, "window-change", 0);
4437 		if ((r = sshpkt_put_u32(ssh, (u_int)ws.ws_col)) != 0 ||
4438 		    (r = sshpkt_put_u32(ssh, (u_int)ws.ws_row)) != 0 ||
4439 		    (r = sshpkt_put_u32(ssh, (u_int)ws.ws_xpixel)) != 0 ||
4440 		    (r = sshpkt_put_u32(ssh, (u_int)ws.ws_ypixel)) != 0 ||
4441 		    (r = sshpkt_send(ssh)) != 0)
4442 			fatal("%s: channel %u: send window-change: %s",
4443 			    __func__, i, ssh_err(r));
4444 	}
4445 }
4446 
4447 /* Return RDYNAMIC_OPEN channel: channel allows SOCKS, but is not connected */
4448 static Channel *
4449 rdynamic_connect_prepare(struct ssh *ssh, char *ctype, char *rname)
4450 {
4451 	Channel *c;
4452 	int r;
4453 
4454 	c = channel_new(ssh, ctype, SSH_CHANNEL_RDYNAMIC_OPEN, -1, -1, -1,
4455 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, rname, 1);
4456 	c->host_port = 0;
4457 	c->path = NULL;
4458 
4459 	/*
4460 	 * We need to open the channel before we have a FD,
4461 	 * so that we can get SOCKS header from peer.
4462 	 */
4463 	if ((r = sshpkt_start(ssh, SSH2_MSG_CHANNEL_OPEN_CONFIRMATION)) != 0 ||
4464 	    (r = sshpkt_put_u32(ssh, c->remote_id)) != 0 ||
4465 	    (r = sshpkt_put_u32(ssh, c->self)) != 0 ||
4466 	    (r = sshpkt_put_u32(ssh, c->local_window)) != 0 ||
4467 	    (r = sshpkt_put_u32(ssh, c->local_maxpacket)) != 0) {
4468 		fatal("%s: channel %i: confirm: %s", __func__,
4469 		    c->self, ssh_err(r));
4470 	}
4471 	return c;
4472 }
4473 
4474 /* Return CONNECTING socket to remote host:port or local socket path */
4475 static int
4476 rdynamic_connect_finish(struct ssh *ssh, Channel *c)
4477 {
4478 	struct channel_connect cctx;
4479 	int sock;
4480 
4481 	memset(&cctx, 0, sizeof(cctx));
4482 	sock = connect_to_helper(ssh, c->path, c->host_port, SOCK_STREAM, NULL,
4483 	    NULL, &cctx, NULL, NULL);
4484 	if (sock == -1)
4485 		channel_connect_ctx_free(&cctx);
4486 	else {
4487 		/* similar to SSH_CHANNEL_CONNECTING but we've already sent the open */
4488 		c->type = SSH_CHANNEL_RDYNAMIC_FINISH;
4489 		c->connect_ctx = cctx;
4490 		channel_register_fds(ssh, c, sock, sock, -1, 0, 1, 0);
4491 	}
4492 	return sock;
4493 }
4494 
4495 /* -- X11 forwarding */
4496 
4497 /*
4498  * Creates an internet domain socket for listening for X11 connections.
4499  * Returns 0 and a suitable display number for the DISPLAY variable
4500  * stored in display_numberp , or -1 if an error occurs.
4501  */
4502 int
4503 x11_create_display_inet(struct ssh *ssh, int x11_display_offset,
4504     int x11_use_localhost, int single_connection,
4505     u_int *display_numberp, int **chanids)
4506 {
4507 	Channel *nc = NULL;
4508 	int display_number, sock;
4509 	u_short port;
4510 	struct addrinfo hints, *ai, *aitop;
4511 	char strport[NI_MAXSERV];
4512 	int gaierr, n, num_socks = 0, socks[NUM_SOCKS];
4513 
4514 	if (chanids == NULL)
4515 		return -1;
4516 
4517 	for (display_number = x11_display_offset;
4518 	    display_number < MAX_DISPLAYS;
4519 	    display_number++) {
4520 		port = 6000 + display_number;
4521 		memset(&hints, 0, sizeof(hints));
4522 		hints.ai_family = ssh->chanctxt->IPv4or6;
4523 		hints.ai_flags = x11_use_localhost ? 0: AI_PASSIVE;
4524 		hints.ai_socktype = SOCK_STREAM;
4525 		snprintf(strport, sizeof strport, "%d", port);
4526 		if ((gaierr = getaddrinfo(NULL, strport,
4527 		    &hints, &aitop)) != 0) {
4528 			error("getaddrinfo: %.100s", ssh_gai_strerror(gaierr));
4529 			return -1;
4530 		}
4531 		for (ai = aitop; ai; ai = ai->ai_next) {
4532 			if (ai->ai_family != AF_INET &&
4533 			    ai->ai_family != AF_INET6)
4534 				continue;
4535 			sock = socket(ai->ai_family, ai->ai_socktype,
4536 			    ai->ai_protocol);
4537 			if (sock < 0) {
4538 				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
4539 #ifdef EPFNOSUPPORT
4540 				    && (errno != EPFNOSUPPORT)
4541 #endif
4542 				    ) {
4543 					error("socket: %.100s", strerror(errno));
4544 					freeaddrinfo(aitop);
4545 					return -1;
4546 				} else {
4547 					debug("x11_create_display_inet: Socket family %d not supported",
4548 						 ai->ai_family);
4549 					continue;
4550 				}
4551 			}
4552 			if (ai->ai_family == AF_INET6)
4553 				sock_set_v6only(sock);
4554 			if (x11_use_localhost)
4555 				set_reuseaddr(sock);
4556 			if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
4557 				debug2("%s: bind port %d: %.100s", __func__,
4558 				    port, strerror(errno));
4559 				close(sock);
4560 				for (n = 0; n < num_socks; n++)
4561 					close(socks[n]);
4562 				num_socks = 0;
4563 				break;
4564 			}
4565 			socks[num_socks++] = sock;
4566 			if (num_socks == NUM_SOCKS)
4567 				break;
4568 		}
4569 		freeaddrinfo(aitop);
4570 		if (num_socks > 0)
4571 			break;
4572 	}
4573 	if (display_number >= MAX_DISPLAYS) {
4574 		error("Failed to allocate internet-domain X11 display socket.");
4575 		return -1;
4576 	}
4577 	/* Start listening for connections on the socket. */
4578 	for (n = 0; n < num_socks; n++) {
4579 		sock = socks[n];
4580 		if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
4581 			error("listen: %.100s", strerror(errno));
4582 			close(sock);
4583 			return -1;
4584 		}
4585 	}
4586 
4587 	/* Allocate a channel for each socket. */
4588 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
4589 	for (n = 0; n < num_socks; n++) {
4590 		sock = socks[n];
4591 		nc = channel_new(ssh, "x11 listener",
4592 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
4593 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
4594 		    0, "X11 inet listener", 1);
4595 		nc->single_connection = single_connection;
4596 		(*chanids)[n] = nc->self;
4597 	}
4598 	(*chanids)[n] = -1;
4599 
4600 	/* Return the display number for the DISPLAY environment variable. */
4601 	*display_numberp = display_number;
4602 	return 0;
4603 }
4604 
4605 static int
4606 connect_local_xsocket_path(const char *pathname)
4607 {
4608 	int sock;
4609 	struct sockaddr_un addr;
4610 
4611 	sock = socket(AF_UNIX, SOCK_STREAM, 0);
4612 	if (sock < 0)
4613 		error("socket: %.100s", strerror(errno));
4614 	memset(&addr, 0, sizeof(addr));
4615 	addr.sun_family = AF_UNIX;
4616 	strlcpy(addr.sun_path, pathname, sizeof addr.sun_path);
4617 	if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == 0)
4618 		return sock;
4619 	close(sock);
4620 	error("connect %.100s: %.100s", addr.sun_path, strerror(errno));
4621 	return -1;
4622 }
4623 
4624 static int
4625 connect_local_xsocket(u_int dnr)
4626 {
4627 	char buf[1024];
4628 	snprintf(buf, sizeof buf, _PATH_UNIX_X, dnr);
4629 	return connect_local_xsocket_path(buf);
4630 }
4631 
4632 #ifdef __APPLE__
4633 static int
4634 is_path_to_xsocket(const char *display, char *path, size_t pathlen)
4635 {
4636 	struct stat sbuf;
4637 
4638 	if (strlcpy(path, display, pathlen) >= pathlen) {
4639 		error("%s: display path too long", __func__);
4640 		return 0;
4641 	}
4642 	if (display[0] != '/')
4643 		return 0;
4644 	if (stat(path, &sbuf) == 0) {
4645 		return 1;
4646 	} else {
4647 		char *dot = strrchr(path, '.');
4648 		if (dot != NULL) {
4649 			*dot = '\0';
4650 			if (stat(path, &sbuf) == 0) {
4651 				return 1;
4652 			}
4653 		}
4654 	}
4655 	return 0;
4656 }
4657 #endif
4658 
4659 int
4660 x11_connect_display(struct ssh *ssh)
4661 {
4662 	u_int display_number;
4663 	const char *display;
4664 	char buf[1024], *cp;
4665 	struct addrinfo hints, *ai, *aitop;
4666 	char strport[NI_MAXSERV];
4667 	int gaierr, sock = 0;
4668 
4669 	/* Try to open a socket for the local X server. */
4670 	display = getenv("DISPLAY");
4671 	if (!display) {
4672 		error("DISPLAY not set.");
4673 		return -1;
4674 	}
4675 	/*
4676 	 * Now we decode the value of the DISPLAY variable and make a
4677 	 * connection to the real X server.
4678 	 */
4679 
4680 #ifdef __APPLE__
4681 	/* Check if display is a path to a socket (as set by launchd). */
4682 	{
4683 		char path[PATH_MAX];
4684 
4685 		if (is_path_to_xsocket(display, path, sizeof(path))) {
4686 			debug("x11_connect_display: $DISPLAY is launchd");
4687 
4688 			/* Create a socket. */
4689 			sock = connect_local_xsocket_path(path);
4690 			if (sock < 0)
4691 				return -1;
4692 
4693 			/* OK, we now have a connection to the display. */
4694 			return sock;
4695 		}
4696 	}
4697 #endif
4698 	/*
4699 	 * Check if it is a unix domain socket.  Unix domain displays are in
4700 	 * one of the following formats: unix:d[.s], :d[.s], ::d[.s]
4701 	 */
4702 	if (strncmp(display, "unix:", 5) == 0 ||
4703 	    display[0] == ':') {
4704 		/* Connect to the unix domain socket. */
4705 		if (sscanf(strrchr(display, ':') + 1, "%u",
4706 		    &display_number) != 1) {
4707 			error("Could not parse display number from DISPLAY: "
4708 			    "%.100s", display);
4709 			return -1;
4710 		}
4711 		/* Create a socket. */
4712 		sock = connect_local_xsocket(display_number);
4713 		if (sock < 0)
4714 			return -1;
4715 
4716 		/* OK, we now have a connection to the display. */
4717 		return sock;
4718 	}
4719 	/*
4720 	 * Connect to an inet socket.  The DISPLAY value is supposedly
4721 	 * hostname:d[.s], where hostname may also be numeric IP address.
4722 	 */
4723 	strlcpy(buf, display, sizeof(buf));
4724 	cp = strchr(buf, ':');
4725 	if (!cp) {
4726 		error("Could not find ':' in DISPLAY: %.100s", display);
4727 		return -1;
4728 	}
4729 	*cp = 0;
4730 	/*
4731 	 * buf now contains the host name.  But first we parse the
4732 	 * display number.
4733 	 */
4734 	if (sscanf(cp + 1, "%u", &display_number) != 1) {
4735 		error("Could not parse display number from DISPLAY: %.100s",
4736 		    display);
4737 		return -1;
4738 	}
4739 
4740 	/* Look up the host address */
4741 	memset(&hints, 0, sizeof(hints));
4742 	hints.ai_family = ssh->chanctxt->IPv4or6;
4743 	hints.ai_socktype = SOCK_STREAM;
4744 	snprintf(strport, sizeof strport, "%u", 6000 + display_number);
4745 	if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
4746 		error("%.100s: unknown host. (%s)", buf,
4747 		ssh_gai_strerror(gaierr));
4748 		return -1;
4749 	}
4750 	for (ai = aitop; ai; ai = ai->ai_next) {
4751 		/* Create a socket. */
4752 		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
4753 		if (sock < 0) {
4754 			debug2("socket: %.100s", strerror(errno));
4755 			continue;
4756 		}
4757 		/* Connect it to the display. */
4758 		if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
4759 			debug2("connect %.100s port %u: %.100s", buf,
4760 			    6000 + display_number, strerror(errno));
4761 			close(sock);
4762 			continue;
4763 		}
4764 		/* Success */
4765 		break;
4766 	}
4767 	freeaddrinfo(aitop);
4768 	if (!ai) {
4769 		error("connect %.100s port %u: %.100s", buf,
4770 		    6000 + display_number, strerror(errno));
4771 		return -1;
4772 	}
4773 	set_nodelay(sock);
4774 	return sock;
4775 }
4776 
4777 /*
4778  * Requests forwarding of X11 connections, generates fake authentication
4779  * data, and enables authentication spoofing.
4780  * This should be called in the client only.
4781  */
4782 void
4783 x11_request_forwarding_with_spoofing(struct ssh *ssh, int client_session_id,
4784     const char *disp, const char *proto, const char *data, int want_reply)
4785 {
4786 	struct ssh_channels *sc = ssh->chanctxt;
4787 	u_int data_len = (u_int) strlen(data) / 2;
4788 	u_int i, value;
4789 	const char *cp;
4790 	char *new_data;
4791 	int r, screen_number;
4792 
4793 	if (sc->x11_saved_display == NULL)
4794 		sc->x11_saved_display = xstrdup(disp);
4795 	else if (strcmp(disp, sc->x11_saved_display) != 0) {
4796 		error("x11_request_forwarding_with_spoofing: different "
4797 		    "$DISPLAY already forwarded");
4798 		return;
4799 	}
4800 
4801 	cp = strchr(disp, ':');
4802 	if (cp)
4803 		cp = strchr(cp, '.');
4804 	if (cp)
4805 		screen_number = (u_int)strtonum(cp + 1, 0, 400, NULL);
4806 	else
4807 		screen_number = 0;
4808 
4809 	if (sc->x11_saved_proto == NULL) {
4810 		/* Save protocol name. */
4811 		sc->x11_saved_proto = xstrdup(proto);
4812 
4813 		/* Extract real authentication data. */
4814 		sc->x11_saved_data = xmalloc(data_len);
4815 		for (i = 0; i < data_len; i++) {
4816 			if (sscanf(data + 2 * i, "%2x", &value) != 1)
4817 				fatal("x11_request_forwarding: bad "
4818 				    "authentication data: %.100s", data);
4819 			sc->x11_saved_data[i] = value;
4820 		}
4821 		sc->x11_saved_data_len = data_len;
4822 
4823 		/* Generate fake data of the same length. */
4824 		sc->x11_fake_data = xmalloc(data_len);
4825 		arc4random_buf(sc->x11_fake_data, data_len);
4826 		sc->x11_fake_data_len = data_len;
4827 	}
4828 
4829 	/* Convert the fake data into hex. */
4830 	new_data = tohex(sc->x11_fake_data, data_len);
4831 
4832 	/* Send the request packet. */
4833 	channel_request_start(ssh, client_session_id, "x11-req", want_reply);
4834 	if ((r = sshpkt_put_u8(ssh, 0)) != 0 || /* bool: single connection */
4835 	    (r = sshpkt_put_cstring(ssh, proto)) != 0 ||
4836 	    (r = sshpkt_put_cstring(ssh, new_data)) != 0 ||
4837 	    (r = sshpkt_put_u32(ssh, screen_number)) != 0 ||
4838 	    (r = sshpkt_send(ssh)) != 0 ||
4839 	    (r = ssh_packet_write_wait(ssh)) != 0)
4840 		fatal("%s: send x11-req: %s", __func__, ssh_err(r));
4841 	free(new_data);
4842 }
4843