- More OpenBSD updates:

   [session.c]
   - don't call chan_write_failed() if we are not writing
   [auth-rsa.c auth1.c authfd.c hostfile.c ssh-agent.c]
   - keysize warnings error() -> log()

12 files changed, 368 insertions, 164 deletions

diff --git a/ChangeLog b/ChangeLog
index d5c698b01..ae6348c5c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,11 @@
  - Changed entropy seed code to user per-user seeds only (server seed is 
    saved in root's .ssh directory)
  - Use atexit() and fatal cleanups to save seed on exit
+ - More OpenBSD updates:
+   [session.c]
+   - don't call chan_write_failed() if we are not writing
+   [auth-rsa.c auth1.c authfd.c hostfile.c ssh-agent.c]
+   - keysize warnings error() -> log()
 
 20000429
  - Merge big update to OpenSSH-2.0 from OpenBSD CVS
diff --git a/README.openssh2 b/README.openssh2
index fca3173ae..36d3de6ef 100644
--- a/README.openssh2
+++ b/README.openssh2
@@ -1,4 +1,4 @@
-$Id: README.openssh2,v 1.6 2000/04/27 13:42:58 provos Exp $
+$Id: README.openssh2,v 1.4 2000/04/29 13:57:09 damien Exp $
 
 howto:
         1) generate server key:
@@ -6,7 +6,8 @@ howto:
         2) enable ssh2:
                 server: add 'Protocol 2,1' to /etc/sshd_config
                 client: ssh -o 'Protocol 2,1', or add to .ssh/config
-        3) interop w/ ssh.com dsa-keys:
+        3) DSA authentication similar to RSA (add keys to ~/.ssh/authorized_keys2)
+           interop w/ ssh.com dsa-keys:
                 ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
            and vice versa
                 ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
@@ -18,21 +19,20 @@ works:
                 encryption: blowfish-cbc, 3des-cbc, arcfour, cast128-cbc
                 mac: hmac-md5, hmac-sha1, (hmac-ripemd160)
                 compression: zlib, none
-        secsh-userauth: passwd only
+        secsh-userauth: passwd and pubkey with DSA
         secsh-connection: pty+shell or command, flow control works (window adjust)
-                tcp-forwarding: -L works
-        dss: verification works,
-                key database in ~/.ssh/known_hosts with bits == 0 hack
-        dss: signature works, keygen w/ openssl
+                tcp-forwarding: -L works, -R incomplete
+                x11-fwd
+        dss/dsa: host key database in ~/.ssh/known_hosts2
         client interops w/ sshd2, lshd
         server interops w/ ssh2, lsh, ssh.com's Windows client, SecureCRT, F-Secure SSH Client 4.0
         server supports multiple concurrent sessions (e.g. with SSH.com Windows client)
 todo:
         re-keying
         secsh-connection features:
-                 tcp-forwarding, agent-fwd, x11-fwd
-        auth other than passwd:
-                 pubkey, keyboard-interactive
+                 tcp-forwarding, agent-fwd
+        auth other than passwd, and DSA-pubkey:
+                 keyboard-interactive, (PGP-pubkey?)
         config
         server-auth w/ old host-keys
         cleanup
@@ -41,4 +41,4 @@ todo:
         sftp
 
 -markus
-$Date: 2000/04/27 13:42:58 $
+$Date: 2000/04/29 13:57:09 $
diff --git a/auth-rsa.c b/auth-rsa.c
index c61eab29a..22e3f01f3 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -16,7 +16,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: auth-rsa.c,v 1.18 2000/04/29 13:57:09 damien Exp $");
+RCSID("$Id: auth-rsa.c,v 1.19 2000/04/30 00:00:53 damien Exp $");
 
 #include "rsa.h"
 #include "packet.h"
@@ -256,7 +256,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
 
                 /* We have found the desired key. */
 
-
                 /* Perform the challenge-response dialog for this key. */
                 if (!auth_rsa_challenge_dialog(pk)) {
                         /* Wrong response. */
diff --git a/auth1.c b/auth1.c
index ae5f1cd84..dedf898e9 100644
--- a/auth1.c
+++ b/auth1.c
@@ -4,7 +4,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.1 2000/04/26 21:28:32 markus Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.2 2000/04/29 18:11:52 markus Exp $");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -262,8 +262,8 @@ do_authloop(struct passwd * pw)
                         packet_get_bignum(client_host_key->n, &nlen);
 
                         if (bits != BN_num_bits(client_host_key->n))
-                                error("Warning: keysize mismatch for client_host_key: "
-                                      "actual %d, announced %d", BN_num_bits(client_host_key->n), bits);
+                                log("Warning: keysize mismatch for client_host_key: "
+                                    "actual %d, announced %d", BN_num_bits(client_host_key->n), bits);
                         packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
 
                         authenticated = auth_rhosts_rsa(pw, client_user, client_host_key);
diff --git a/authfd.c b/authfd.c
index 3476e799a..36b4d6ce4 100644
--- a/authfd.c
+++ b/authfd.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: authfd.c,v 1.13 2000/04/16 02:31:49 damien Exp $");
+RCSID("$Id: authfd.c,v 1.14 2000/04/30 00:00:53 damien Exp $");
 
 #include "ssh.h"
 #include "rsa.h"
@@ -217,8 +217,8 @@ ssh_get_next_identity(AuthenticationConnection *auth,
         *comment = buffer_get_string(&auth->identities, NULL);
 
         if (bits != BN_num_bits(n))
-                error("Warning: identity keysize mismatch: actual %d, announced %u",
-                      BN_num_bits(n), bits);
+                log("Warning: identity keysize mismatch: actual %d, announced %u",
+                    BN_num_bits(n), bits);
 
         /* Decrement the number of remaining entries. */
         auth->howmany--;
diff --git a/channels.c b/channels.c
index a0091586b..1f9b515c3 100644
--- a/channels.c
+++ b/channels.c
@@ -17,7 +17,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: channels.c,v 1.26 2000/04/19 06:26:13 damien Exp $");
+RCSID("$Id: channels.c,v 1.27 2000/04/30 00:00:53 damien Exp $");
 
 #include "ssh.h"
 #include "packet.h"
@@ -40,9 +40,11 @@ RCSID("$Id: channels.c,v 1.26 2000/04/19 06:26:13 damien Exp $");
 /* Max len of agent socket */
 #define MAX_SOCKET_NAME 100
 
-/* default buffer for tcp-fwd-channel */
-#define CHAN_WINDOW_DEFAULT      (8*1024)
-#define CHAN_PACKET_DEFAULT      (CHAN_WINDOW_DEFAULT/2)
+/* default window/packet sizes for tcp/x11-fwd-channel */
+#define CHAN_TCP_WINDOW_DEFAULT (8*1024)
+#define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2)
+#define CHAN_X11_WINDOW_DEFAULT (4*1024)
+#define CHAN_X11_PACKET_DEFAULT (CHAN_X11_WINDOW_DEFAULT/2)
 
 /*
  * Pointer to an array containing all allocated channels.  The array is
@@ -204,17 +206,15 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
         c->self = found;
         c->type = type;
         c->ctype = ctype;
-        c->local_window = window;
-        c->local_window_max = window;
-        c->local_consumed = 0;
-        c->local_maxpacket = maxpack;
-        c->remote_window = 0;
-        c->remote_maxpacket = 0;
         c->rfd = rfd;
         c->wfd = wfd;
         c->sock = (rfd == wfd) ? rfd : -1;
         c->efd = efd;
         c->extended_usage = extended_usage;
+        c->local_window = window;
+        c->local_window_max = window;
+        c->local_consumed = 0;
+        c->local_maxpacket = maxpack;
         c->remote_id = -1;
         c->remote_name = remote_name;
         c->remote_window = 0;
@@ -371,6 +371,7 @@ channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
  * state until the first packet has been completely read.  The authentication
  * data in that packet is then substituted by the real data if it matches the
  * fake data, and the channel is put into normal mode.
+ * XXX All this happens at the client side.
  */
 int
 x11_open_helper(Channel *c)
@@ -456,7 +457,7 @@ channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
 }
 
 void
-channel_pre_x11_open_15(Channel *c, fd_set * readset, fd_set * writeset)
+channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
 {
         int ret = x11_open_helper(c);
         if (ret == 1) {
@@ -464,7 +465,7 @@ channel_pre_x11_open_15(Channel *c, fd_set * readset, fd_set * writeset)
                 channel_pre_open_15(c, readset, writeset);
         } else if (ret == -1) {
                 debug("X11 rejected %d i%d/o%d", c->self, c->istate, c->ostate);
-                chan_read_failed(c);
+                chan_read_failed(c);    /** force close? */
                 chan_write_failed(c);
                 debug("X11 closed %d i%d/o%d", c->self, c->istate, c->ostate);
         }
@@ -478,6 +479,7 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
         int newsock, newch;
         socklen_t addrlen;
         char buf[16384], *remote_hostname;
+        int remote_port;
 
         if (FD_ISSET(c->sock, readset)) {
                 debug("X11 connection requested.");
@@ -488,16 +490,32 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
                         return;
                 }
                 remote_hostname = get_remote_hostname(newsock);
+                remote_port = get_peer_port(newsock);
                 snprintf(buf, sizeof buf, "X11 connection from %.200s port %d",
-                remote_hostname, get_peer_port(newsock));
+                    remote_hostname, remote_port);
+
+                newch = channel_new("x11",
+                    SSH_CHANNEL_OPENING, newsock, newsock, -1,
+                    c->local_window_max, c->local_maxpacket,
+                    0, xstrdup(buf));
+                if (compat20) {
+                        packet_start(SSH2_MSG_CHANNEL_OPEN);
+                        packet_put_cstring("x11");
+                        packet_put_int(newch);
+                        packet_put_int(c->local_window_max);
+                        packet_put_int(c->local_maxpacket);
+                        /* originator host and port */
+                        packet_put_cstring(remote_hostname);
+                        packet_put_int(remote_port);
+                        packet_send();
+                } else {
+                        packet_start(SSH_SMSG_X11_OPEN);
+                        packet_put_int(newch);
+                        if (have_hostname_in_open)
+                                packet_put_string(buf, strlen(buf));
+                        packet_send();
+                }
                 xfree(remote_hostname);
-                newch = channel_allocate(SSH_CHANNEL_OPENING, newsock,
-                                         xstrdup(buf));
-                packet_start(SSH_SMSG_X11_OPEN);
-                packet_put_int(newch);
-                if (have_hostname_in_open)
-                        packet_put_string(buf, strlen(buf));
-                packet_send();
         }
 }
 
@@ -597,7 +615,7 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
             FD_ISSET(c->rfd, readset)) {
                 len = read(c->rfd, buf, sizeof(buf));
                 if (len <= 0) {
-                        debug("channel %d: read<0 rfd %d len %d",
+                        debug("channel %d: read<=0 rfd %d len %d",
                             c->self, c->rfd, len);
                         if (compat13) {
                                 buffer_consume(&c->output, buffer_len(&c->output));
@@ -729,10 +747,13 @@ void
 channel_handler_init_20(void)
 {
         channel_pre[SSH_CHANNEL_OPEN] =                 &channel_pre_open_20;
+        channel_pre[SSH_CHANNEL_X11_OPEN] =             &channel_pre_x11_open;
         channel_pre[SSH_CHANNEL_PORT_LISTENER] =        &channel_pre_listener;
+        channel_pre[SSH_CHANNEL_X11_LISTENER] =         &channel_pre_listener;
 
         channel_post[SSH_CHANNEL_OPEN] =                &channel_post_open_2;
         channel_post[SSH_CHANNEL_PORT_LISTENER] =       &channel_post_port_listener;
+        channel_post[SSH_CHANNEL_X11_LISTENER] =        &channel_post_x11_listener;
 }
 
 void
@@ -757,7 +778,7 @@ void
 channel_handler_init_15(void)
 {
         channel_pre[SSH_CHANNEL_OPEN] =                 &channel_pre_open_15;
-        channel_pre[SSH_CHANNEL_X11_OPEN] =             &channel_pre_x11_open_15;
+        channel_pre[SSH_CHANNEL_X11_OPEN] =             &channel_pre_x11_open;
         channel_pre[SSH_CHANNEL_X11_LISTENER] =         &channel_pre_listener;
         channel_pre[SSH_CHANNEL_PORT_LISTENER] =        &channel_pre_listener;
         channel_pre[SSH_CHANNEL_AUTH_SOCKET] =          &channel_pre_listener;
@@ -1428,7 +1449,7 @@ channel_request_local_forwarding(u_short port, const char *host,
                 ch = channel_new(
                     "port listener", SSH_CHANNEL_PORT_LISTENER,
                     sock, sock, -1,
-                    CHAN_WINDOW_DEFAULT, CHAN_PACKET_DEFAULT,
+                    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
                     0, xstrdup("port listener"));
                 strlcpy(channels[ch].path, host, sizeof(channels[ch].path));
                 channels[ch].host_port = host_port;
@@ -1769,8 +1790,10 @@ x11_create_display_inet(int screen_number, int x11_display_offset)
         /* Allocate a channel for each socket. */
         for (n = 0; n < num_socks; n++) {
                 sock = socks[n];
-                (void) channel_allocate(SSH_CHANNEL_X11_LISTENER, sock,
-                                        xstrdup("X11 inet listener"));
+                (void) channel_new("x11 listener",
+                    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+                    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
+                    0, xstrdup("X11 inet listener"));
         }
 
         /* Return a suitable value for the DISPLAY environment variable. */
@@ -1810,44 +1833,21 @@ connect_local_xsocket(unsigned int dnr)
         return -1;
 }
 
-
-/*
- * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
- * the remote channel number.  We should do whatever we want, and respond
- * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
- */
-
-void
-x11_input_open(int type, int plen)
+int
+x11_connect_display(void)
 {
-        int remote_channel, display_number, sock = 0, newch;
+        int display_number, sock = 0;
         const char *display;
-        char buf[1024], *cp, *remote_host;
-        unsigned int remote_len;
+        char buf[1024], *cp;
         struct addrinfo hints, *ai, *aitop;
         char strport[NI_MAXSERV];
         int gaierr;
 
-        /* Get remote channel number. */
-        remote_channel = packet_get_int();
-
-        /* Get remote originator name. */
-        if (have_hostname_in_open) {
-                remote_host = packet_get_string(&remote_len);
-                remote_len += 4;
-        } else {
-                remote_host = xstrdup("unknown (remote did not supply name)");
-                remote_len = 0;
-        }
-
-        debug("Received X11 open request.");
-        packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
-
         /* Try to open a socket for the local X server. */
         display = getenv("DISPLAY");
         if (!display) {
                 error("DISPLAY not set.");
-                goto fail;
+                return -1;
         }
         /*
          * Now we decode the value of the DISPLAY variable and make a
@@ -1864,15 +1864,15 @@ x11_input_open(int type, int plen)
                 if (sscanf(strrchr(display, ':') + 1, "%d", &display_number) != 1) {
                         error("Could not parse display number from DISPLAY: %.100s",
                               display);
-                        goto fail;
+                        return -1;
                 }
                 /* Create a socket. */
                 sock = connect_local_xsocket(display_number);
                 if (sock < 0)
-                        goto fail;
+                        return -1;
 
                 /* OK, we now have a connection to the display. */
-                goto success;
+                return sock;
         }
         /*
          * Connect to an inet socket.  The DISPLAY value is supposedly
@@ -1883,14 +1883,14 @@ x11_input_open(int type, int plen)
         cp = strchr(buf, ':');
         if (!cp) {
                 error("Could not find ':' in DISPLAY: %.100s", display);
-                goto fail;
+                return -1;
         }
         *cp = 0;
         /* buf now contains the host name.  But first we parse the display number. */
         if (sscanf(cp + 1, "%d", &display_number) != 1) {
                 error("Could not parse display number from DISPLAY: %.100s",
                       display);
-                goto fail;
+                return -1;
         }
 
         /* Look up the host address */
@@ -1900,7 +1900,7 @@ x11_input_open(int type, int plen)
         snprintf(strport, sizeof strport, "%d", 6000 + display_number);
         if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) {
                 error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr));
-                goto fail;
+                return -1;
         }
         for (ai = aitop; ai; ai = ai->ai_next) {
                 /* Create a socket. */
@@ -1923,31 +1923,60 @@ x11_input_open(int type, int plen)
         if (!ai) {
                 error("connect %.100s port %d: %.100s", buf, 6000 + display_number,
                     strerror(errno));
-                goto fail;
+                return -1;
         }
-success:
-        /* We have successfully obtained a connection to the real X display. */
+        return sock;
+}
 
-        /* Allocate a channel for this connection. */
-        if (x11_saved_proto == NULL)
-                newch = channel_allocate(SSH_CHANNEL_OPEN, sock, remote_host);
-        else
-                newch = channel_allocate(SSH_CHANNEL_X11_OPEN, sock, remote_host);
-        channels[newch].remote_id = remote_channel;
+/*
+ * This is called when SSH_SMSG_X11_OPEN is received.  The packet contains
+ * the remote channel number.  We should do whatever we want, and respond
+ * with either SSH_MSG_OPEN_CONFIRMATION or SSH_MSG_OPEN_FAILURE.
+ */
 
-        /* Send a confirmation to the remote host. */
-        packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
-        packet_put_int(remote_channel);
-        packet_put_int(newch);
-        packet_send();
+void
+x11_input_open(int type, int plen)
+{
+        int remote_channel, sock = 0, newch;
+        char *remote_host;
+        unsigned int remote_len;
 
-        return;
+        /* Get remote channel number. */
+        remote_channel = packet_get_int();
 
-fail:
-        /* Send refusal to the remote host. */
-        packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
-        packet_put_int(remote_channel);
-        packet_send();
+        /* Get remote originator name. */
+        if (have_hostname_in_open) {
+                remote_host = packet_get_string(&remote_len);
+                remote_len += 4;
+        } else {
+                remote_host = xstrdup("unknown (remote did not supply name)");
+                remote_len = 0;
+        }
+
+        debug("Received X11 open request.");
+        packet_integrity_check(plen, 4 + remote_len, SSH_SMSG_X11_OPEN);
+
+        /* Obtain a connection to the real X display. */
+        sock = x11_connect_display();
+        if (sock == -1) {
+                /* Send refusal to the remote host. */
+                packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+                packet_put_int(remote_channel);
+                packet_send();
+        } else {
+                /* Allocate a channel for this connection. */
+                newch = channel_allocate(
+                     (x11_saved_proto == NULL) ?
+                     SSH_CHANNEL_OPEN : SSH_CHANNEL_X11_OPEN,
+                     sock, remote_host);
+                channels[newch].remote_id = remote_channel;
+
+                /* Send a confirmation to the remote host. */
+                packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION);
+                packet_put_int(remote_channel);
+                packet_put_int(newch);
+                packet_send();
+        }
 }
 
 /*
@@ -1956,7 +1985,8 @@ fail:
  */
 
 void
-x11_request_forwarding_with_spoofing(const char *proto, const char *data)
+x11_request_forwarding_with_spoofing(int client_session_id,
+    const char *proto, const char *data)
 {
         unsigned int data_len = (unsigned int) strlen(data) / 2;
         unsigned int i, value;
@@ -2002,9 +2032,14 @@ x11_request_forwarding_with_spoofing(const char *proto, const char *data)
                 sprintf(new_data + 2 * i, "%02x", (unsigned char) x11_fake_data[i]);
 
         /* Send the request packet. */
-        packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
-        packet_put_string(proto, strlen(proto));
-        packet_put_string(new_data, strlen(new_data));
+        if (compat20) {
+                channel_request_start(client_session_id, "x11-req", 0);
+                packet_put_char(0);     /* XXX bool single connection */
+        } else {
+                packet_start(SSH_CMSG_X11_REQUEST_FORWARDING);
+        }
+        packet_put_cstring(proto);
+        packet_put_cstring(new_data);
         packet_put_int(screen_number);
         packet_send();
         packet_write_wait();
@@ -2154,20 +2189,26 @@ auth_input_open_request(int type, int plen)
 }
 
 void
-channel_open(int id)
+channel_start_open(int id)
 {
         Channel *c = channel_lookup(id);
         if (c == NULL) {
                 log("channel_open: %d: bad id", id);
                 return;
         }
+        debug("send channel open %d", id);
         packet_start(SSH2_MSG_CHANNEL_OPEN);
         packet_put_cstring(c->ctype);
         packet_put_int(c->self);
         packet_put_int(c->local_window);
         packet_put_int(c->local_maxpacket);
+}
+void
+channel_open(int id)
+{
+        /* XXX REMOVE ME */
+        channel_start_open(id);
         packet_send();
-        debug("channel open %d", id);
 }
 void
 channel_request(int id, char *service, int wantconfirm)
diff --git a/channels.h b/channels.h
index cab796440..263934265 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* RCSID("$Id: channels.h,v 1.7 2000/04/16 01:18:41 damien Exp $"); */
+/* RCSID("$Id: channels.h,v 1.8 2000/04/30 00:00:54 damien Exp $"); */
 
 #ifndef CHANNELS_H
 #define CHANNELS_H
@@ -207,7 +207,9 @@ void    x11_request_forwarding(void);
  * Requests forwarding for X11 connections, with authentication spoofing.
  * This should be called in the client only.
  */
-void    x11_request_forwarding_with_spoofing(const char *proto, const char *data);
+void
+x11_request_forwarding_with_spoofing(int client_session_id,
+    const char *proto, const char *data);
 
 /* Sends a message to the server to request authentication fd forwarding. */
 void    auth_request_forwarding(void);
@@ -230,5 +232,6 @@ void    auth_input_open_request(int type, int plen);
 
 /* XXX */
 int     channel_connect_to(const char *host, u_short host_port);
+int     x11_connect_display(void);
 
 #endif
diff --git a/clientloop.c b/clientloop.c
index 0296dac77..0ee9fc32a 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -16,7 +16,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: clientloop.c,v 1.12 2000/04/19 21:42:21 damien Exp $");
+RCSID("$Id: clientloop.c,v 1.13 2000/04/30 00:00:54 damien Exp $");
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -954,6 +954,69 @@ client_input_exit_status(int type, int plen)
         quit_pending = 1;
 }
 
+/* XXXX move to generic input handler */
+void
+client_input_channel_open(int type, int plen)
+{
+        Channel *c = NULL;
+        char *ctype;
+        int id;
+        unsigned int len;
+        int rchan;
+        int rmaxpack;
+        int rwindow;
+
+        ctype = packet_get_string(&len);
+        rchan = packet_get_int();
+        rwindow = packet_get_int();
+        rmaxpack = packet_get_int();
+
+        log("server_input_open: ctype %s rchan %d win %d max %d",
+            ctype, rchan, rwindow, rmaxpack);
+
+        if (strcmp(ctype, "x11") == 0) {
+                int sock;
+                char *originator;
+                int originator_port;
+                originator = packet_get_string(NULL);
+                originator_port = packet_get_int();
+                packet_done();
+                /* XXX check permission */
+                xfree(originator);
+                /* XXX move to channels.c */
+                sock = x11_connect_display();
+                if (sock >= 0) {
+                        id = channel_new("x11", SSH_CHANNEL_X11_OPEN,
+                            sock, sock, -1, 4*1024, 32*1024, 0,
+                            xstrdup("x11"));
+                        c = channel_lookup(id);
+                }
+        }
+/* XXX duplicate : */
+        if (c != NULL) {
+                debug("confirm %s", ctype);
+                c->remote_id = rchan;
+                c->remote_window = rwindow;
+                c->remote_maxpacket = rmaxpack;
+
+                packet_start(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION);
+                packet_put_int(c->remote_id);
+                packet_put_int(c->self);
+                packet_put_int(c->local_window);
+                packet_put_int(c->local_maxpacket);
+                packet_send();
+        } else {
+                debug("failure %s", ctype);
+                packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE);
+                packet_put_int(rchan);
+                packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED);
+                packet_put_cstring("bla bla");
+                packet_put_cstring("");
+                packet_send();
+        }
+        xfree(ctype);
+}
+
 void
 client_init_dispatch_20()
 {
@@ -962,6 +1025,7 @@ client_init_dispatch_20()
         dispatch_set(SSH2_MSG_CHANNEL_DATA, &channel_input_data);
         dispatch_set(SSH2_MSG_CHANNEL_EOF, &channel_input_ieof);
         dispatch_set(SSH2_MSG_CHANNEL_EXTENDED_DATA, &channel_input_extended_data);
+        dispatch_set(SSH2_MSG_CHANNEL_OPEN, &client_input_channel_open);
         dispatch_set(SSH2_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
         dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
         dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request);
@@ -974,7 +1038,6 @@ client_init_dispatch_13()
         dispatch_set(SSH_MSG_CHANNEL_CLOSE, &channel_input_close);
         dispatch_set(SSH_MSG_CHANNEL_CLOSE_CONFIRMATION, &channel_input_close_confirmation);
         dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
-        dispatch_set(SSH_MSG_CHANNEL_DATA, &channel_input_data);
         dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
         dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
         dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
diff --git a/hostfile.c b/hostfile.c
index e1c2429bd..bac285da5 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -14,7 +14,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: hostfile.c,v 1.17 2000/04/26 20:56:29 markus Exp $");
+RCSID("$OpenBSD: hostfile.c,v 1.18 2000/04/29 18:11:52 markus Exp $");
 
 #include "packet.h"
 #include "match.h"
@@ -70,10 +70,10 @@ hostfile_check_key(int bits, Key *key, const char *host, const char *filename, i
         if (key == NULL || key->type != KEY_RSA || key->rsa == NULL)
                 return 1;
         if (bits != BN_num_bits(key->rsa->n)) {
-                error("Warning: %s, line %d: keysize mismatch for host %s: "
+                log("Warning: %s, line %d: keysize mismatch for host %s: "
                     "actual %d vs. announced %d.",
                     filename, linenum, host, BN_num_bits(key->rsa->n), bits);
-                error("Warning: replace %d with %d in %s, line %d.",
+                log("Warning: replace %d with %d in %s, line %d.",
                     bits, BN_num_bits(key->rsa->n), filename, linenum);
         }
         return 1;
diff --git a/session.c b/session.c
index d5c53f11f..de39d8844 100644
--- a/session.c
+++ b/session.c
@@ -34,6 +34,7 @@ typedef struct Session Session;
 struct Session {
         int     used;
         int     self;
+        int     extended;
         struct  passwd *pw;
         pid_t   pid;
         /* tty */
@@ -46,6 +47,7 @@ struct Session {
         int     screen;
         char    *auth_proto;
         char    *auth_data;
+        int     single_connection;
         /* proto 2 */
         int     chanid;
 };
@@ -170,6 +172,7 @@ do_authenticated(struct passwd * pw)
                 channel_permit_all_opens();
 
         s = session_new();
+        s->pw = pw;
 
         /*
          * We stay in this loop until the client requests to execute a shell
@@ -279,6 +282,7 @@ do_authenticated(struct passwd * pw)
                                     xauthfile, strerror(errno));
                                 xfree(xauthfile);
                                 xauthfile = NULL;
+                                /* XXXX remove listening channels */
                                 break;
                         }
                         strlcat(xauthfile, "/cookies", MAXPATHLEN);
@@ -462,7 +466,7 @@ do_exec_no_pty(Session *s, const char *command, struct passwd * pw)
         close(perr[1]);
 
         if (compat20) {
-                session_set_fds(s, pin[1], pout[0], perr[0]);
+                session_set_fds(s, pin[1], pout[0], s->extended ? perr[0] : -1);
         } else {
                 /* Enter the interactive session. */
                 server_loop(pid, pin[1], pout[0], perr[0]);
@@ -478,7 +482,7 @@ do_exec_no_pty(Session *s, const char *command, struct passwd * pw)
          * handle the case that fdin and fdout are the same.
          */
         if (compat20) {
-                session_set_fds(s, inout[1], inout[1], err[1]);
+                session_set_fds(s, inout[1], inout[1], s->extended ? err[1] : -1);
         } else {
                 server_loop(pid, inout[1], inout[1], err[1]);
                 /* server_loop has closed inout[1] and err[1]. */
@@ -1119,6 +1123,7 @@ session_new(void)
                 Session *s = &sessions[i];
                 if (! s->used) {
                         s->pid = 0;
+                        s->extended = 0;
                         s->chanid = -1;
                         s->ptyfd = -1;
                         s->ttyfd = -1;
@@ -1129,6 +1134,7 @@ session_new(void)
                         s->auth_data = NULL;
                         s->auth_proto = NULL;
                         s->used = 1;
+                        s->pw = NULL;
                         debug("session_new: session %d", i);
                         return s;
                 }
@@ -1160,12 +1166,11 @@ session_open(int chanid)
                 error("no more sessions");
                 return 0;
         }
-        debug("session_open: session %d: link with channel %d", s->self, chanid);
-        s->chanid = chanid;
         s->pw = auth_get_user();
         if (s->pw == NULL)
-                fatal("no user for session %i channel %d",
-                    s->self, s->chanid);
+                fatal("no user for session %i", s->self);
+        debug("session_open: session %d: link with channel %d", s->self, chanid);
+        s->chanid = chanid;
         return 1;
 }
 
@@ -1257,6 +1262,69 @@ session_pty_req(Session *s)
         return 1;
 }
 
+int
+session_subsystem_req(Session *s)
+{
+        unsigned int len;
+        int success = 0;
+        char *subsys = packet_get_string(&len);
+
+        packet_done();
+        log("subsystem request for %s", subsys);
+
+        xfree(subsys);
+        return success;
+}
+
+int
+session_x11_req(Session *s)
+{
+        if (!options.x11_forwarding) {
+                debug("X11 forwarding disabled in server configuration file.");
+                return 0;
+        }
+        if (xauthfile != NULL) {
+                debug("X11 fwd already started.");
+                return 0;
+        }
+
+        debug("Received request for X11 forwarding with auth spoofing.");
+        if (s->display != NULL)
+                packet_disconnect("Protocol error: X11 display already set.");
+
+        s->single_connection = packet_get_char();
+        s->auth_proto = packet_get_string(NULL);
+        s->auth_data = packet_get_string(NULL);
+        s->screen = packet_get_int();
+        packet_done();
+
+        s->display = x11_create_display_inet(s->screen, options.x11_display_offset);
+        if (s->display == NULL) {
+                xfree(s->auth_proto);
+                xfree(s->auth_data);
+                return 0;
+        }
+        xauthfile = xmalloc(MAXPATHLEN);
+        strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
+        temporarily_use_uid(s->pw->pw_uid);
+        if (mkdtemp(xauthfile) == NULL) {
+                restore_uid();
+                error("private X11 dir: mkdtemp %s failed: %s",
+                    xauthfile, strerror(errno));
+                xfree(xauthfile);
+                xauthfile = NULL;
+                xfree(s->auth_proto);
+                xfree(s->auth_data);
+                /* XXXX remove listening channels */
+                return 0;
+        }
+        strlcat(xauthfile, "/cookies", MAXPATHLEN);
+        open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600);
+        restore_uid();
+        fatal_add_cleanup(xauthfile_cleanup_proc, s);
+        return 1;
+}
+
 void
 session_input_channel_req(int id, void *arg)
 {
@@ -1294,6 +1362,8 @@ session_input_channel_req(int id, void *arg)
                 } else if (strcmp(rtype, "exec") == 0) {
                         char *command = packet_get_string(&len);
                         packet_done();
+                        s->extended = 1;
+                        s->extended = 1;
                         if (s->ttyfd == -1)
                                 do_exec_no_pty(s, command, s->pw);
                         else
@@ -1302,6 +1372,10 @@ session_input_channel_req(int id, void *arg)
                         success = 1;
                 } else if (strcmp(rtype, "pty-req") == 0) {
                         success =  session_pty_req(s);
+                } else if (strcmp(rtype, "x11-req") == 0) {
+                        success = session_x11_req(s);
+                } else if (strcmp(rtype, "subsystem") == 0) {
+                        success = session_subsystem_req(s);
                 }
         }
         if (strcmp(rtype, "window-change") == 0) {
@@ -1399,7 +1473,8 @@ session_exit_message(Session *s, int status)
          * Note that we must not call 'chan_read_failed', since there could
          * be some more data waiting in the pipe.
          */
-        chan_write_failed(c);
+        if (c->ostate != CHAN_OUTPUT_CLOSED)
+                chan_write_failed(c);
         s->chanid = -1;
 }
 
@@ -1475,4 +1550,6 @@ do_authenticated2(void)
          */
         alarm(0);
         server_loop2();
+        if (xauthfile)
+                xauthfile_cleanup_proc(NULL);
 }
diff --git a/ssh-agent.c b/ssh-agent.c
index fb13ce7e1..e9f6b8062 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssh-agent.c,v 1.30 2000/04/21 00:27:11 djm Exp $      */
+/*      $OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $   */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -9,7 +9,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-agent.c,v 1.30 2000/04/21 00:27:11 djm Exp $");
+RCSID("$OpenBSD: ssh-agent.c,v 1.31 2000/04/29 18:11:52 markus Exp $");
 
 #include "ssh.h"
 #include "rsa.h"
@@ -178,7 +178,7 @@ process_remove_identity(SocketEntry *e)
         buffer_get_bignum(&e->input, n);
 
         if (bits != BN_num_bits(n))
-                error("Warning: identity keysize mismatch: actual %d, announced %d",
+                log("Warning: identity keysize mismatch: actual %d, announced %d",
                       BN_num_bits(n), bits);
 
         /* Check if we have the key. */
diff --git a/ssh.c b/ssh.c
index bdf6180c8..cffd56676 100644
--- a/ssh.c
+++ b/ssh.c
@@ -11,7 +11,7 @@
  */
 
 #include "includes.h"
-RCSID("$Id: ssh.c,v 1.27 2000/04/29 13:57:12 damien Exp $");
+RCSID("$Id: ssh.c,v 1.28 2000/04/30 00:00:54 damien Exp $");
 
 #include <openssl/evp.h>
 #include <openssl/dsa.h>
@@ -664,6 +664,45 @@ main(int ac, char **av)
         return exit_status;
 }
 
+void
+x11_get_proto(char *proto, int proto_len, char *data, int data_len)
+{
+        char line[512];
+        FILE *f;
+        int got_data = 0, i;
+
+#ifdef XAUTH_PATH
+        /* Try to get Xauthority information for the display. */
+        snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
+                 XAUTH_PATH, getenv("DISPLAY"));
+        f = popen(line, "r");
+        if (f && fgets(line, sizeof(line), f) &&
+            sscanf(line, "%*s %s %s", proto, data) == 2)
+                got_data = 1;
+        if (f)
+                pclose(f);
+#endif /* XAUTH_PATH */
+        /*
+         * If we didn't get authentication data, just make up some
+         * data.  The forwarding code will check the validity of the
+         * response anyway, and substitute this data.  The X11
+         * server, however, will ignore this fake data and use
+         * whatever authentication mechanisms it was using otherwise
+         * for the local connection.
+         */
+        if (!got_data) {
+                u_int32_t rand = 0;
+
+                strlcpy(proto, "MIT-MAGIC-COOKIE-1", proto_len);
+                for (i = 0; i < 16; i++) {
+                        if (i % 4 == 0)
+                                rand = arc4random();
+                        snprintf(data + 2 * i, data_len - 2 * i, "%02x", rand & 0xff);
+                        rand >>= 8;
+                }
+        }
+}
+
 int
 ssh_session(void)
 {
@@ -737,56 +776,22 @@ ssh_session(void)
         }
         /* Request X11 forwarding if enabled and DISPLAY is set. */
         if (options.forward_x11 && getenv("DISPLAY") != NULL) {
-                char line[512], proto[512], data[512];
-                FILE *f;
-                int forwarded = 0, got_data = 0, i;
-
-#ifdef XAUTH_PATH
-                /* Try to get Xauthority information for the display. */
-                snprintf(line, sizeof line, "%.100s list %.200s 2>/dev/null",
-                         XAUTH_PATH, getenv("DISPLAY"));
-                f = popen(line, "r");
-                if (f && fgets(line, sizeof(line), f) &&
-                    sscanf(line, "%*s %s %s", proto, data) == 2)
-                        got_data = 1;
-                if (f)
-                        pclose(f);
-#endif /* XAUTH_PATH */
-                /*
-                 * If we didn't get authentication data, just make up some
-                 * data.  The forwarding code will check the validity of the
-                 * response anyway, and substitute this data.  The X11
-                 * server, however, will ignore this fake data and use
-                 * whatever authentication mechanisms it was using otherwise
-                 * for the local connection.
-                 */
-                if (!got_data) {
-                        u_int32_t rand = 0;
-
-                        strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto);
-                        for (i = 0; i < 16; i++) {
-                                if (i % 4 == 0)
-                                        rand = arc4random();
-                                snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff);
-                                rand >>= 8;
-                        }
-                }
-                /*
-                 * Got local authentication reasonable information. Request
-                 * forwarding with authentication spoofing.
-                 */
+                char proto[512], data[512];
+                /* Get reasonable local authentication information. */
+                x11_get_proto(proto, sizeof proto, data, sizeof data);
+                /* Request forwarding with authentication spoofing. */
                 debug("Requesting X11 forwarding with authentication spoofing.");
-                x11_request_forwarding_with_spoofing(proto, data);
+                x11_request_forwarding_with_spoofing(0, proto, data);
 
                 /* Read response from the server. */
                 type = packet_read(&plen);
                 if (type == SSH_SMSG_SUCCESS) {
-                        forwarded = 1;
                         interactive = 1;
-                } else if (type == SSH_SMSG_FAILURE)
+                } else if (type == SSH_SMSG_FAILURE) {
                         log("Warning: Remote host denied X11 forwarding.");
-                else
+                } else {
                         packet_disconnect("Protocol error waiting for X11 forwarding");
+                }
         }
         /* Tell the packet module whether this is an interactive session. */
         packet_set_interactive(interactive, options.keepalives);
@@ -909,6 +914,17 @@ client_init(int id, void *arg)
                 packet_send();
                 /* XXX wait for reply */
         }
+        if (options.forward_x11 &&
+            getenv("DISPLAY") != NULL) {
+                char proto[512], data[512];
+                /* Get reasonable local authentication information. */
+                x11_get_proto(proto, sizeof proto, data, sizeof data);
+                /* Request forwarding with authentication spoofing. */
+                debug("Requesting X11 forwarding with authentication spoofing.");
+                x11_request_forwarding_with_spoofing(id, proto, data);
+                /* XXX wait for reply */
+        }
+
         len = buffer_len(&command);
         if (len > 0) {
                 if (len > 900)