+ for (i = 0; i < channels_alloc; i++) {
+ c = channels[i];
+ if (c == NULL || c->remote_id < 0)
+ continue;
+ switch (c->type) {
+ case SSH_CHANNEL_CLOSED:
+ case SSH_CHANNEL_DYNAMIC:
+ case SSH_CHANNEL_X11_LISTENER:
+ case SSH_CHANNEL_PORT_LISTENER:
+ case SSH_CHANNEL_RPORT_LISTENER:
+ case SSH_CHANNEL_MUX_LISTENER:
+ case SSH_CHANNEL_MUX_CLIENT:
+ case SSH_CHANNEL_OPENING:
+ case SSH_CHANNEL_CONNECTING:
+ case SSH_CHANNEL_ZOMBIE:
+ continue;
+ case SSH_CHANNEL_LARVAL:
+ case SSH_CHANNEL_AUTH_SOCKET:
+ case SSH_CHANNEL_OPEN:
+ case SSH_CHANNEL_X11_OPEN:
+ return i;
+ case SSH_CHANNEL_INPUT_DRAINING:
+ case SSH_CHANNEL_OUTPUT_DRAINING:
+ if (!compat13)
+ fatal("cannot happen: OUT_DRAIN");
+ return i;
+ default:
+ fatal("channel_find_open: bad channel type %d", c->type);
+ /* NOTREACHED */
+ }
+ }
+ return -1;
+}
+
+
+/*
+ * Returns a message describing the currently open forwarded connections,
+ * suitable for sending to the client. The message contains crlf pairs for
+ * newlines.
+ */
+char *
+channel_open_message(void)
+{
+ Buffer buffer;
+ Channel *c;
+ char buf[1024], *cp;
+ u_int i;
+
+ buffer_init(&buffer);
+ snprintf(buf, sizeof buf, "The following connections are open:\r\n");
+ buffer_append(&buffer, buf, strlen(buf));
+ for (i = 0; i < channels_alloc; i++) {
+ c = channels[i];
+ if (c == NULL)
+ continue;
+ switch (c->type) {
+ case SSH_CHANNEL_X11_LISTENER:
+ case SSH_CHANNEL_PORT_LISTENER:
+ case SSH_CHANNEL_RPORT_LISTENER:
+ case SSH_CHANNEL_CLOSED:
+ case SSH_CHANNEL_AUTH_SOCKET:
+ case SSH_CHANNEL_ZOMBIE:
+ case SSH_CHANNEL_MUX_CLIENT:
+ case SSH_CHANNEL_MUX_LISTENER:
+ continue;
+ case SSH_CHANNEL_LARVAL:
+ case SSH_CHANNEL_OPENING:
+ case SSH_CHANNEL_CONNECTING:
+ case SSH_CHANNEL_DYNAMIC:
+ case SSH_CHANNEL_OPEN:
+ case SSH_CHANNEL_X11_OPEN:
+ case SSH_CHANNEL_INPUT_DRAINING:
+ case SSH_CHANNEL_OUTPUT_DRAINING:
+ snprintf(buf, sizeof buf,
+ " #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n",
+ c->self, c->remote_name,
+ c->type, c->remote_id,
+ c->istate, buffer_len(&c->input),
+ c->ostate, buffer_len(&c->output),
+ c->rfd, c->wfd, c->ctl_chan);
+ buffer_append(&buffer, buf, strlen(buf));
+ continue;
+ default:
+ fatal("channel_open_message: bad channel type %d", c->type);
+ /* NOTREACHED */
+ }
+ }
+ buffer_append(&buffer, "\0", 1);
+ cp = xstrdup(buffer_ptr(&buffer));
+ buffer_free(&buffer);
+ return cp;
+}
+
+void
+channel_send_open(int id)
+{
+ Channel *c = channel_lookup(id);
+
+ if (c == NULL) {
+ logit("channel_send_open: %d: bad id", id);
+ return;
+ }
+ debug2("channel %d: send open", id);
+ packet_start(SSH2_MSG_CHANNEL_OPEN);
+ packet_put_cstring(c->ctype);
+ packet_put_int(c->self);
+ packet_put_int(c->local_window);
+ packet_put_int(c->local_maxpacket);
+ packet_send();
+}
+
+void
+channel_request_start(int id, char *service, int wantconfirm)
+{
+ Channel *c = channel_lookup(id);
+
+ if (c == NULL) {
+ logit("channel_request_start: %d: unknown channel id", id);
+ return;
+ }
+ debug2("channel %d: request %s confirm %d", id, service, wantconfirm);
+ packet_start(SSH2_MSG_CHANNEL_REQUEST);
+ packet_put_int(c->remote_id);
+ packet_put_cstring(service);
+ packet_put_char(wantconfirm);
+}
+
+void
+channel_register_status_confirm(int id, channel_confirm_cb *cb,
+ channel_confirm_abandon_cb *abandon_cb, void *ctx)
+{
+ struct channel_confirm *cc;
+ Channel *c;
+
+ if ((c = channel_lookup(id)) == NULL)
+ fatal("channel_register_expect: %d: bad id", id);
+
+ cc = xmalloc(sizeof(*cc));
+ cc->cb = cb;
+ cc->abandon_cb = abandon_cb;
+ cc->ctx = ctx;
+ TAILQ_INSERT_TAIL(&c->status_confirms, cc, entry);
+}
+
+void
+channel_register_open_confirm(int id, channel_callback_fn *fn, void *ctx)
+{
+ Channel *c = channel_lookup(id);
+
+ if (c == NULL) {
+ logit("channel_register_open_confirm: %d: bad id", id);
+ return;
+ }
+ c->open_confirm = fn;
+ c->open_confirm_ctx = ctx;
+}
+
+void
+channel_register_cleanup(int id, channel_callback_fn *fn, int do_close)
+{
+ Channel *c = channel_by_id(id);
+
+ if (c == NULL) {
+ logit("channel_register_cleanup: %d: bad id", id);
+ return;
+ }
+ c->detach_user = fn;
+ c->detach_close = do_close;
+}
+
+void
+channel_cancel_cleanup(int id)
+{
+ Channel *c = channel_by_id(id);
+
+ if (c == NULL) {
+ logit("channel_cancel_cleanup: %d: bad id", id);
+ return;
+ }
+ c->detach_user = NULL;
+ c->detach_close = 0;
+}
+
+void
+channel_register_filter(int id, channel_infilter_fn *ifn,
+ channel_outfilter_fn *ofn, channel_filter_cleanup_fn *cfn, void *ctx)
+{
+ Channel *c = channel_lookup(id);
+
+ if (c == NULL) {
+ logit("channel_register_filter: %d: bad id", id);
+ return;
+ }
+ c->input_filter = ifn;
+ c->output_filter = ofn;
+ c->filter_ctx = ctx;
+ c->filter_cleanup = cfn;
+}
+
+void
+channel_set_fds(int id, int rfd, int wfd, int efd,
+ int extusage, int nonblock, int is_tty, u_int window_max)
+{
+ Channel *c = channel_lookup(id);
+
+ if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
+ fatal("channel_activate for non-larval channel %d.", id);
+ channel_register_fds(c, rfd, wfd, efd, extusage, nonblock, is_tty);
+ c->type = SSH_CHANNEL_OPEN;
+ c->local_window = c->local_window_max = window_max;
+ packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+ packet_put_int(c->remote_id);
+ packet_put_int(c->local_window);
+ packet_send();
+}
+
+/*
+ * 'channel_pre*' are called just before select() to add any bits relevant to
+ * channels in the select bitmasks.
+ */
+/*
+ * 'channel_post*': perform any appropriate operations for channels which
+ * have events pending.
+ */
+typedef void chan_fn(Channel *c, fd_set *readset, fd_set *writeset);
+chan_fn *channel_pre[SSH_CHANNEL_MAX_TYPE];
+chan_fn *channel_post[SSH_CHANNEL_MAX_TYPE];
+
+/* ARGSUSED */
+static void
+channel_pre_listener(Channel *c, fd_set *readset, fd_set *writeset)
+{
+ FD_SET(c->sock, readset);
+}
+
+/* ARGSUSED */
+static void
+channel_pre_connecting(Channel *c, fd_set *readset, fd_set *writeset)
+{
+ debug3("channel %d: waiting for connection", c->self);
+ FD_SET(c->sock, writeset);
+}
+
+static void
+channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
+{
+ if (buffer_len(&c->input) < packet_get_maxsize())
+ FD_SET(c->sock, readset);
+ if (buffer_len(&c->output) > 0)
+ FD_SET(c->sock, writeset);
+}
+
+static void
+channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
+{
+ u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
+
+ if (c->istate == CHAN_INPUT_OPEN &&
+ limit > 0 &&
+ buffer_len(&c->input) < limit &&
+ buffer_check_alloc(&c->input, CHAN_RBUF))
+ FD_SET(c->rfd, readset);
+ if (c->ostate == CHAN_OUTPUT_OPEN ||
+ c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+ if (buffer_len(&c->output) > 0) {
+ FD_SET(c->wfd, writeset);
+ } else if (c->ostate == CHAN_OUTPUT_WAIT_DRAIN) {
+ if (CHANNEL_EFD_OUTPUT_ACTIVE(c))
+ debug2("channel %d: obuf_empty delayed efd %d/(%d)",
+ c->self, c->efd, buffer_len(&c->extended));
+ else
+ chan_obuf_empty(c);
+ }
+ }
+ /** XXX check close conditions, too */
+ if (compat20 && c->efd != -1 &&
+ !(c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED)) {
+ if (c->extended_usage == CHAN_EXTENDED_WRITE &&
+ buffer_len(&c->extended) > 0)
+ FD_SET(c->efd, writeset);
+ else if (!(c->flags & CHAN_EOF_SENT) &&
+ c->extended_usage == CHAN_EXTENDED_READ &&
+ buffer_len(&c->extended) < c->remote_window)
+ FD_SET(c->efd, readset);
+ }
+ /* XXX: What about efd? races? */
+}
+
+/* ARGSUSED */
+static void
+channel_pre_input_draining(Channel *c, fd_set *readset, fd_set *writeset)
+{
+ if (buffer_len(&c->input) == 0) {
+ packet_start(SSH_MSG_CHANNEL_CLOSE);
+ packet_put_int(c->remote_id);
+ packet_send();
+ c->type = SSH_CHANNEL_CLOSED;
+ debug2("channel %d: closing after input drain.", c->self);
+ }
+}
+
+/* ARGSUSED */
+static void
+channel_pre_output_draining(Channel *c, fd_set *readset, fd_set *writeset)
+{
+ if (buffer_len(&c->output) == 0)
+ chan_mark_dead(c);
+ else
+ FD_SET(c->sock, writeset);
+}
+
+/*
+ * This is a special state for X11 authentication spoofing. An opened X11
+ * connection (when authentication spoofing is being done) remains in this
+ * state until the first packet has been completely read. The authentication
+ * data in that packet is then substituted by the real data if it matches the
+ * fake data, and the channel is put into normal mode.
+ * XXX All this happens at the client side.
+ * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
+ */
+static int
+x11_open_helper(Buffer *b)
+{
+ u_char *ucp;
+ u_int proto_len, data_len;
+
+ /* Check if the fixed size part of the packet is in buffer. */
+ if (buffer_len(b) < 12)
+ return 0;
+
+ /* Parse the lengths of variable-length fields. */
+ ucp = buffer_ptr(b);
+ if (ucp[0] == 0x42) { /* Byte order MSB first. */
+ proto_len = 256 * ucp[6] + ucp[7];