- (bal) Channels.c and Channels.h -- "Merge Functions, simplify" (draged

   out of ssh Attic)

1 files changed, 455 insertions, 441 deletions

diff --git a/channels.c b/channels.c
index 719dbff5..518a071b 100644
--- a/channels.c
+++ b/channels.c
@@ -40,33 +40,24 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.119 2001/05/28 23:25:24 markus Exp $");
-
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
+RCSID("$OpenBSD: channels.c,v 1.121 2001/05/31 10:30:14 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
 #include "packet.h"
 #include "xmalloc.h"
-#include "buffer.h"
-#include "bufaux.h"
 #include "uidswap.h"
 #include "log.h"
 #include "misc.h"
 #include "channels.h"
-#include "nchan.h"
 #include "compat.h"
 #include "canohost.h"
 #include "key.h"
 #include "authfd.h"
 
-/* Maximum number of fake X11 displays to try. */
-#define MAX_DISPLAYS  1000
 
-/* Max len of agent socket */
-#define MAX_SOCKET_NAME 100
+/* -- channel core */
 
 /*
  * Pointer to an array containing all allocated channels.  The array is
@@ -86,23 +77,8 @@ static int channels_alloc = 0;
  */
 static int channel_max_fd = 0;
 
-/* Name and directory of socket for authentication agent forwarding. */
-static char *channel_forwarded_auth_socket_name = NULL;
-static char *channel_forwarded_auth_socket_dir = NULL;
-
-/* Saved X11 authentication protocol name. */
-char *x11_saved_proto = NULL;
-
-/* Saved X11 authentication data.  This is the real data. */
-char *x11_saved_data = NULL;
-u_int x11_saved_data_len = 0;
 
-/*
- * Fake X11 authentication data.  This is what the server will be sending us;
- * we should replace any occurrences of this by the real data.
- */
-char *x11_fake_data = NULL;
-u_int x11_fake_data_len;
+/* -- tcp forwarding */
 
 /*
  * Data structure for storing which hosts are permitted for forward requests.
@@ -118,6 +94,7 @@ typedef struct {
 
 /* List of all permitted host/port pairs to connect. */
 static ForwardPermission permitted_opens[SSH_MAX_FORWARDS_PER_DIRECTION];
+
 /* Number of permitted host/port pairs in the array. */
 static int num_permitted_opens = 0;
 /*
@@ -127,23 +104,43 @@ static int num_permitted_opens = 0;
  */
 static int all_opens_permitted = 0;
 
-/* This is set to true if both sides support SSH_PROTOFLAG_HOST_IN_FWD_OPEN. */
-static int have_hostname_in_open = 0;
 
-/* AF_UNSPEC or AF_INET or AF_INET6 */
-extern int IPv4or6;
+/* -- X11 forwarding */
 
-void	 port_open_helper(Channel *c, char *rtype);
+/* Maximum number of fake X11 displays to try. */
+#define MAX_DISPLAYS  1000
 
-/* Sets specific protocol options. */
+/* Saved X11 authentication protocol name. */
+static char *x11_saved_proto = NULL;
 
-void
-channel_set_options(int hostname_in_open)
-{
-	have_hostname_in_open = hostname_in_open;
-}
+/* Saved X11 authentication data.  This is the real data. */
+static char *x11_saved_data = NULL;
+static u_int x11_saved_data_len = 0;
 
-/* lookup channel by id */
+/*
+ * Fake X11 authentication data.  This is what the server will be sending us;
+ * we should replace any occurrences of this by the real data.
+ */
+static char *x11_fake_data = NULL;
+static u_int x11_fake_data_len;
+
+
+/* -- agent forwarding */
+
+#define	NUM_SOCKS	10
+
+/* Name and directory of socket for authentication agent forwarding. */
+static char *auth_sock_name = NULL;
+static char *auth_sock_dir = NULL;
+
+
+/* AF_UNSPEC or AF_INET or AF_INET6 */
+extern int IPv4or6;
+
+/* helper */
+void	port_open_helper(Channel *c, char *rtype);
+
+/* -- channel core */
 
 Channel *
 channel_lookup(int id)
@@ -337,6 +334,321 @@ channel_free(Channel *c)
 	xfree(c);
 }
 
+
+/*
+ * Stops listening for channels, and removes any unix domain sockets that we
+ * might have.
+ */
+
+void
+channel_stop_listening()
+{
+	int i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = channels[i];
+		if (c != NULL) {
+			switch (c->type) {
+			case SSH_CHANNEL_AUTH_SOCKET:
+				close(c->sock);
+				unlink(c->path);
+				channel_free(c);
+				break;
+			case SSH_CHANNEL_PORT_LISTENER:
+			case SSH_CHANNEL_RPORT_LISTENER:
+			case SSH_CHANNEL_X11_LISTENER:
+				close(c->sock);
+				channel_free(c);
+				break;
+			default:
+				break;
+			}
+		}
+	}
+}
+
+/*
+ * Closes the sockets/fds of all channels.  This is used to close extra file
+ * descriptors after a fork.
+ */
+
+void
+channel_close_all()
+{
+	int i;
+
+	for (i = 0; i < channels_alloc; i++)
+		if (channels[i] != NULL)
+			channel_close_fds(channels[i]);
+}
+
+/*
+ * Returns true if no channel has too much buffered data, and false if one or
+ * more channel is overfull.
+ */
+
+int
+channel_not_very_much_buffered_data()
+{
+	u_int i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = channels[i];
+		if (c != NULL && c->type == SSH_CHANNEL_OPEN) {
+			if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
+				debug("channel %d: big input buffer %d",
+				    c->self, buffer_len(&c->input));
+				return 0;
+			}
+			if (buffer_len(&c->output) > packet_get_maxsize()) {
+				debug("channel %d: big output buffer %d",
+				    c->self, buffer_len(&c->output));
+				return 0;
+			}
+		}
+	}
+	return 1;
+}
+
+/* Returns true if any channel is still open. */
+
+int
+channel_still_open()
+{
+	int i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = channels[i];
+		if (c == NULL)
+			continue;
+		switch (c->type) {
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_RPORT_LISTENER:
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_AUTH_SOCKET:
+		case SSH_CHANNEL_DYNAMIC:
+		case SSH_CHANNEL_CONNECTING:
+		case SSH_CHANNEL_ZOMBIE:
+			continue;
+		case SSH_CHANNEL_LARVAL:
+			if (!compat20)
+				fatal("cannot happen: SSH_CHANNEL_LARVAL");
+			continue;
+		case SSH_CHANNEL_OPENING:
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+			return 1;
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			if (!compat13)
+				fatal("cannot happen: OUT_DRAIN");
+			return 1;
+		default:
+			fatal("channel_still_open: bad channel type %d", c->type);
+			/* NOTREACHED */
+		}
+	}
+	return 0;
+}
+
+/* Returns the id of an open channel suitable for keepaliving */
+
+int
+channel_find_open()
+{
+	int i;
+	Channel *c;
+
+	for (i = 0; i < channels_alloc; i++) {
+		c = channels[i];
+		if (c == NULL)
+			continue;
+		switch (c->type) {
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_DYNAMIC:
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_RPORT_LISTENER:
+		case SSH_CHANNEL_OPENING:
+		case SSH_CHANNEL_CONNECTING:
+		case SSH_CHANNEL_ZOMBIE:
+			continue;
+		case SSH_CHANNEL_LARVAL:
+		case SSH_CHANNEL_AUTH_SOCKET:
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+			return i;
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			if (!compat13)
+				fatal("cannot happen: OUT_DRAIN");
+			return i;
+		default:
+			fatal("channel_find_open: bad channel type %d", c->type);
+			/* NOTREACHED */
+		}
+	}
+	return -1;
+}
+
+
+/*
+ * Returns a message describing the currently open forwarded connections,
+ * suitable for sending to the client.  The message contains crlf pairs for
+ * newlines.
+ */
+
+char *
+channel_open_message()
+{
+	Buffer buffer;
+	Channel *c;
+	char buf[1024], *cp;
+	int i;
+
+	buffer_init(&buffer);
+	snprintf(buf, sizeof buf, "The following connections are open:\r\n");
+	buffer_append(&buffer, buf, strlen(buf));
+	for (i = 0; i < channels_alloc; i++) {
+		c = channels[i];
+		if (c == NULL)
+			continue;
+		switch (c->type) {
+		case SSH_CHANNEL_X11_LISTENER:
+		case SSH_CHANNEL_PORT_LISTENER:
+		case SSH_CHANNEL_RPORT_LISTENER:
+		case SSH_CHANNEL_CLOSED:
+		case SSH_CHANNEL_AUTH_SOCKET:
+		case SSH_CHANNEL_ZOMBIE:
+			continue;
+		case SSH_CHANNEL_LARVAL:
+		case SSH_CHANNEL_OPENING:
+		case SSH_CHANNEL_CONNECTING:
+		case SSH_CHANNEL_DYNAMIC:
+		case SSH_CHANNEL_OPEN:
+		case SSH_CHANNEL_X11_OPEN:
+		case SSH_CHANNEL_INPUT_DRAINING:
+		case SSH_CHANNEL_OUTPUT_DRAINING:
+			snprintf(buf, sizeof buf, "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
+			    c->self, c->remote_name,
+			    c->type, c->remote_id,
+			    c->istate, buffer_len(&c->input),
+			    c->ostate, buffer_len(&c->output),
+			    c->rfd, c->wfd);
+			buffer_append(&buffer, buf, strlen(buf));
+			continue;
+		default:
+			fatal("channel_open_message: bad channel type %d", c->type);
+			/* NOTREACHED */
+		}
+	}
+	buffer_append(&buffer, "\0", 1);
+	cp = xstrdup(buffer_ptr(&buffer));
+	buffer_free(&buffer);
+	return cp;
+}
+
+void
+channel_send_open(int id)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_send_open: %d: bad id", id);
+		return;
+	}
+	debug("send channel open %d", id);
+	packet_start(SSH2_MSG_CHANNEL_OPEN);
+	packet_put_cstring(c->ctype);
+	packet_put_int(c->self);
+	packet_put_int(c->local_window);
+	packet_put_int(c->local_maxpacket);
+	packet_send();
+}
+
+void
+channel_request(int id, char *service, int wantconfirm)
+{
+	channel_request_start(id, service, wantconfirm);
+	packet_send();
+	debug("channel request %d: %s", id, service) ;
+}
+void
+channel_request_start(int id, char *service, int wantconfirm)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_request: %d: bad id", id);
+		return;
+	}
+	packet_start(SSH2_MSG_CHANNEL_REQUEST);
+	packet_put_int(c->remote_id);
+	packet_put_cstring(service);
+	packet_put_char(wantconfirm);
+}
+void
+channel_register_callback(int id, int mtype, channel_callback_fn *fn, void *arg)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_callback: %d: bad id", id);
+		return;
+	}
+	c->cb_event = mtype;
+	c->cb_fn = fn;
+	c->cb_arg = arg;
+}
+void
+channel_register_cleanup(int id, channel_callback_fn *fn)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_cleanup: %d: bad id", id);
+		return;
+	}
+	c->dettach_user = fn;
+}
+void
+channel_cancel_cleanup(int id)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_cancel_cleanup: %d: bad id", id);
+		return;
+	}
+	c->dettach_user = NULL;
+}
+void
+channel_register_filter(int id, channel_filter_fn *fn)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL) {
+		log("channel_register_filter: %d: bad id", id);
+		return;
+	}
+	c->input_filter = fn;
+}
+
+void
+channel_set_fds(int id, int rfd, int wfd, int efd,
+    int extusage, int nonblock)
+{
+	Channel *c = channel_lookup(id);
+	if (c == NULL || c->type != SSH_CHANNEL_LARVAL)
+		fatal("channel_activate for non-larval channel %d.", id);
+	channel_register_fds(c, rfd, wfd, efd, extusage, nonblock);
+	c->type = SSH_CHANNEL_OPEN;
+	/* XXX window size? */
+	c->local_window = c->local_window_max = c->local_maxpacket * 2;
+	packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
+	packet_put_int(c->remote_id);
+	packet_put_int(c->local_window);
+	packet_send();
+}
+
 /*
  * 'channel_pre*' are called just before select() to add any bits relevant to
  * channels in the select bitmasks.
@@ -442,19 +754,20 @@ channel_pre_output_draining(Channel *c, fd_set * readset, fd_set * writeset)
  * data in that packet is then substituted by the real data if it matches the
  * fake data, and the channel is put into normal mode.
  * XXX All this happens at the client side.
+ * Returns: 0 = need more data, -1 = wrong cookie, 1 = ok
  */
 int
-x11_open_helper(Channel *c)
+x11_open_helper(Buffer *b)
 {
 	u_char *ucp;
 	u_int proto_len, data_len;
 
 	/* Check if the fixed size part of the packet is in buffer. */
-	if (buffer_len(&c->output) < 12)
+	if (buffer_len(b) < 12)
 		return 0;
 
 	/* Parse the lengths of variable-length fields. */
-	ucp = (u_char *) buffer_ptr(&c->output);
+	ucp = (u_char *) buffer_ptr(b);
 	if (ucp[0] == 0x42) {	/* Byte order MSB first. */
 		proto_len = 256 * ucp[6] + ucp[7];
 		data_len = 256 * ucp[8] + ucp[9];
@@ -468,7 +781,7 @@ x11_open_helper(Channel *c)
 	}
 
 	/* Check if the whole packet is in buffer. */
-	if (buffer_len(&c->output) <
+	if (buffer_len(b) <
 	    12 + ((proto_len + 3) & ~3) + ((data_len + 3) & ~3))
 		return 0;
 
@@ -504,7 +817,7 @@ x11_open_helper(Channel *c)
 void
 channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
 {
-	int ret = x11_open_helper(c);
+	int ret = x11_open_helper(&c->output);
 	if (ret == 1) {
 		/* Start normal processing for the channel. */
 		c->type = SSH_CHANNEL_OPEN;
@@ -529,7 +842,7 @@ channel_pre_x11_open_13(Channel *c, fd_set * readset, fd_set * writeset)
 void
 channel_pre_x11_open(Channel *c, fd_set * readset, fd_set * writeset)
 {
-	int ret = x11_open_helper(c);
+	int ret = x11_open_helper(&c->output);
 	if (ret == 1) {
 		c->type = SSH_CHANNEL_OPEN;
 		if (compat20)
@@ -704,7 +1017,8 @@ channel_post_x11_listener(Channel *c, fd_set * readset, fd_set * writeset)
 		} else {
 			packet_start(SSH_SMSG_X11_OPEN);
 			packet_put_int(nc->self);
-			if (have_hostname_in_open)
+			if (packet_get_protocol_flags() &
+			    SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
 				packet_put_string(buf, strlen(buf));
 			packet_send();
 		}
@@ -755,7 +1069,8 @@ port_open_helper(Channel *c, char *rtype)
 		packet_put_int(c->self);
 		packet_put_cstring(c->path);
 		packet_put_int(c->host_port);
-		if (have_hostname_in_open)
+		if (packet_get_protocol_flags() &
+		    SSH_PROTOFLAG_HOST_IN_FWD_OPEN)
 			packet_put_cstring(c->remote_name);
 		packet_send();
 	}
@@ -817,6 +1132,7 @@ void
 channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
 {
 	Channel *nc;
+	char *name;
 	int newsock;
 	struct sockaddr addr;
 	socklen_t addrlen;
@@ -828,12 +1144,14 @@ channel_post_auth_listener(Channel *c, fd_set * readset, fd_set * writeset)
 			error("accept from auth socket: %.100s", strerror(errno));
 			return;
 		}
+		name = xstrdup("accepted auth socket");
 		nc = channel_new("accepted auth socket",
 		    SSH_CHANNEL_OPENING, newsock, newsock, -1,
 		    c->local_window_max, c->local_maxpacket,
-		    0, xstrdup("accepted auth socket"), 1);
+		    0, name, 1);
 		if (nc == NULL) {
 			error("channel_post_auth_listener: channel_new failed");
+			xfree(name);
 			close(newsock);
 		}
 		if (compat20) {
@@ -918,7 +1236,7 @@ channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset)
 			} else if (compat13) {
 				buffer_consume(&c->output, buffer_len(&c->output));
 				c->type = SSH_CHANNEL_INPUT_DRAINING;
-				debug("channel %d: status set to input draining.", c->self);
+				debug("channel %d: input draining.", c->self);
 			} else {
 				chan_read_failed(c);
 			}
@@ -956,7 +1274,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset)
 				return -1;
 			} else if (compat13) {
 				buffer_consume(&c->output, buffer_len(&c->output));
-				debug("channel %d: status set to input draining.", c->self);
+				debug("channel %d: input draining.", c->self);
 				c->type = SSH_CHANNEL_INPUT_DRAINING;
 			} else {
 				chan_write_failed(c);
@@ -1196,6 +1514,10 @@ channel_handler(chan_fn *ftab[], fd_set * readset, fd_set * writeset)
 	}
 }
 
+/*
+ * Allocate/update select bitmasks and add any bits relevant to channels in
+ * select bitmasks.
+ */
 void
 channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
     int rekeying)
@@ -1222,12 +1544,17 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
 		channel_handler(channel_pre, *readsetp, *writesetp);
 }
 
+/*
+ * After select, perform any appropriate operations for channels which have
+ * events pending.
+ */
 void
 channel_after_select(fd_set * readset, fd_set * writeset)
 {
 	channel_handler(channel_post, readset, writeset);
 }
 
+
 /* If there is data to send to the connection, enqueue some of it now. */
 
 void
@@ -1237,12 +1564,14 @@ channel_output_poll()
 	Channel *c;
 
 	for (i = 0; i < channels_alloc; i++) {
-
 		c = channels[i];
 		if (c == NULL)
 			continue;
 
-		/* We are only interested in channels that can have buffered incoming data. */
+		/*
+		 * We are only interested in channels that can have buffered
+		 * incoming data.
+		 */
 		if (compat13) {
 			if (c->type != SSH_CHANNEL_OPEN &&
 			    c->type != SSH_CHANNEL_INPUT_DRAINING)
@@ -1262,7 +1591,10 @@ channel_output_poll()
 		if ((c->istate == CHAN_INPUT_OPEN ||
 		    c->istate == CHAN_INPUT_WAIT_DRAIN) &&
 		    (len = buffer_len(&c->input)) > 0) {
-			/* Send some data for the other side over the secure connection. */
+			/*
+			 * Send some data for the other side over the secure
+			 * connection.
+			 */
 			if (compat20) {
 				if (len > c->remote_window)
 					len = c->remote_window;
@@ -1320,11 +1652,8 @@ channel_output_poll()
 	}
 }
 
-/*
- * This is called when a packet of type CHANNEL_DATA has just been received.
- * The message type has already been consumed, but channel number and data is
- * still there.
- */
+
+/* -- protocol input */
 
 void
 channel_input_data(int type, int plen, void *ctxt)
@@ -1371,6 +1700,7 @@ channel_input_data(int type, int plen, void *ctxt)
 	buffer_append(&c->output, data, data_len);
 	xfree(data);
 }
+
 void
 channel_input_extended_data(int type, int plen, void *ctxt)
 {
@@ -1411,36 +1741,6 @@ channel_input_extended_data(int type, int plen, void *ctxt)
 	xfree(data);
 }
 
-
-/*
- * Returns true if no channel has too much buffered data, and false if one or
- * more channel is overfull.
- */
-
-int
-channel_not_very_much_buffered_data()
-{
-	u_int i;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c != NULL && c->type == SSH_CHANNEL_OPEN) {
-			if (!compat20 && buffer_len(&c->input) > packet_get_maxsize()) {
-				debug("channel %d: big input buffer %d",
-				    c->self, buffer_len(&c->input));
-				return 0;
-			}
-			if (buffer_len(&c->output) > packet_get_maxsize()) {
-				debug("channel %d: big output buffer %d",
-				    c->self, buffer_len(&c->output));
-				return 0;
-			}
-		}
-	}
-	return 1;
-}
-
 void
 channel_input_ieof(int type, int plen, void *ctxt)
 {
@@ -1655,193 +1955,46 @@ channel_input_window_adjust(int type, int plen, void *ctxt)
 	c->remote_window += adjust;
 }
 
-/*
- * Stops listening for channels, and removes any unix domain sockets that we
- * might have.
- */
-
-void
-channel_stop_listening()
-{
-	int i;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c != NULL) {
-			switch (c->type) {
-			case SSH_CHANNEL_AUTH_SOCKET:
-				close(c->sock);
-				unlink(c->path);
-				channel_free(c);
-				break;
-			case SSH_CHANNEL_PORT_LISTENER:
-			case SSH_CHANNEL_RPORT_LISTENER:
-			case SSH_CHANNEL_X11_LISTENER:
-				close(c->sock);
-				channel_free(c);
-				break;
-			default:
-				break;
-			}
-		}
-	}
-}
-
-/*
- * Closes the sockets/fds of all channels.  This is used to close extra file
- * descriptors after a fork.
- */
-
 void
-channel_close_all()
+channel_input_port_open(int type, int plen, void *ctxt)
 {
-	int i;
-
-	for (i = 0; i < channels_alloc; i++)
-		if (channels[i] != NULL)
-			channel_close_fds(channels[i]);
-}
-
-/* Returns true if any channel is still open. */
+	Channel *c = NULL;
+	u_short host_port;
+	char *host, *originator_string;
+	int remote_id, sock = -1;
 
-int
-channel_still_open()
-{
-	int i;
-	Channel *c;
+	remote_id = packet_get_int();
+	host = packet_get_string(NULL);
+	host_port = packet_get_int();
 
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL)
-			continue;
-		switch (c->type) {
-		case SSH_CHANNEL_X11_LISTENER:
-		case SSH_CHANNEL_PORT_LISTENER:
-		case SSH_CHANNEL_RPORT_LISTENER:
-		case SSH_CHANNEL_CLOSED:
-		case SSH_CHANNEL_AUTH_SOCKET:
-		case SSH_CHANNEL_DYNAMIC:
-		case SSH_CHANNEL_CONNECTING:
-		case SSH_CHANNEL_ZOMBIE:
-			continue;
-		case SSH_CHANNEL_LARVAL:
-			if (!compat20)
-				fatal("cannot happen: SSH_CHANNEL_LARVAL");
-			continue;
-		case SSH_CHANNEL_OPENING:
-		case SSH_CHANNEL_OPEN:
-		case SSH_CHANNEL_X11_OPEN:
-			return 1;
-		case SSH_CHANNEL_INPUT_DRAINING:
-		case SSH_CHANNEL_OUTPUT_DRAINING:
-			if (!compat13)
-				fatal("cannot happen: OUT_DRAIN");
-			return 1;
-		default:
-			fatal("channel_still_open: bad channel type %d", c->type);
-			/* NOTREACHED */
-		}
+	if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
+		originator_string = packet_get_string(NULL);
+	} else {
+		originator_string = xstrdup("unknown (remote did not supply name)");
 	}
-	return 0;
-}
-
-/* Returns the id of an open channel suitable for keepaliving */
-
-int
-channel_find_open()
-{
-	int i;
-	Channel *c;
-
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL)
-			continue;
-		switch (c->type) {
-		case SSH_CHANNEL_CLOSED:
-		case SSH_CHANNEL_DYNAMIC:
-		case SSH_CHANNEL_X11_LISTENER:
-		case SSH_CHANNEL_PORT_LISTENER:
-		case SSH_CHANNEL_RPORT_LISTENER:
-		case SSH_CHANNEL_OPENING:
-		case SSH_CHANNEL_CONNECTING:
-		case SSH_CHANNEL_ZOMBIE:
-			continue;
-		case SSH_CHANNEL_LARVAL:
-		case SSH_CHANNEL_AUTH_SOCKET:
-		case SSH_CHANNEL_OPEN:
-		case SSH_CHANNEL_X11_OPEN:
-			return i;
-		case SSH_CHANNEL_INPUT_DRAINING:
-		case SSH_CHANNEL_OUTPUT_DRAINING:
-			if (!compat13)
-				fatal("cannot happen: OUT_DRAIN");
-			return i;
-		default:
-			fatal("channel_find_open: bad channel type %d", c->type);
-			/* NOTREACHED */
+	packet_done();
+	sock = channel_connect_to(host, host_port);
+	if (sock != -1) {
+		c = channel_new("connected socket",
+		    SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0,
+		    originator_string, 1);
+		if (c == NULL) {
+			error("channel_input_port_open: channel_new failed");
+			close(sock);
+		} else {
+			c->remote_id = remote_id;
 		}
 	}
-	return -1;
+	if (c == NULL) {
+		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
+		packet_put_int(remote_id);
+		packet_send();
+	}
+	xfree(host);
 }
 
 
-/*
- * Returns a message describing the currently open forwarded connections,
- * suitable for sending to the client.  The message contains crlf pairs for
- * newlines.
- */
-
-char *
-channel_open_message()
-{
-	Buffer buffer;
-	Channel *c;
-	char buf[1024], *cp;
-	int i;
-
-	buffer_init(&buffer);
-	snprintf(buf, sizeof buf, "The following connections are open:\r\n");
-	buffer_append(&buffer, buf, strlen(buf));
-	for (i = 0; i < channels_alloc; i++) {
-		c = channels[i];
-		if (c == NULL)
-			continue;
-		switch (c->type) {
-		case SSH_CHANNEL_X11_LISTENER:
-		case SSH_CHANNEL_PORT_LISTENER:
-		case SSH_CHANNEL_RPORT_LISTENER:
-		case SSH_CHANNEL_CLOSED:
-		case SSH_CHANNEL_AUTH_SOCKET:
-		case SSH_CHANNEL_ZOMBIE:
-			continue;
-		case SSH_CHANNEL_LARVAL:
-		case SSH_CHANNEL_OPENING:
-		case SSH_CHANNEL_CONNECTING:
-		case SSH_CHANNEL_DYNAMIC:
-		case SSH_CHANNEL_OPEN:
-		case SSH_CHANNEL_X11_OPEN:
-		case SSH_CHANNEL_INPUT_DRAINING:
-		case SSH_CHANNEL_OUTPUT_DRAINING:
-			snprintf(buf, sizeof buf, "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d)\r\n",
-			    c->self, c->remote_name,
-			    c->type, c->remote_id,
-			    c->istate, buffer_len(&c->input),
-			    c->ostate, buffer_len(&c->output),
-			    c->rfd, c->wfd);
-			buffer_append(&buffer, buf, strlen(buf));
-			continue;
-		default:
-			fatal("channel_open_message: bad channel type %d", c->type);
-			/* NOTREACHED */
-		}
-	}
-	buffer_append(&buffer, "\0", 1);
-	cp = xstrdup(buffer_ptr(&buffer));
-	buffer_free(&buffer);
-	return cp;
-}
+/* -- tcp forwarding */
 
 /*
  * Initiate forwarding of connections to local port "port" through the secure
@@ -1868,7 +2021,7 @@ channel_request_forwarding(
     int gateway_ports, int remote_fwd)
 {
 	Channel *c;
-	int success, sock, on = 1, ctype;
+	int success, sock, on = 1, type;
 	struct addrinfo hints, *ai, *aitop;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
 	const char *host;
@@ -1878,10 +2031,10 @@ channel_request_forwarding(
 
 	if (remote_fwd) {
 		host = listen_address;
-		ctype = SSH_CHANNEL_RPORT_LISTENER;
+		type = SSH_CHANNEL_RPORT_LISTENER;
 	} else {
 		host = host_to_connect;
-		ctype  =SSH_CHANNEL_PORT_LISTENER;
+		type = SSH_CHANNEL_PORT_LISTENER;
 	}
 
 	if (strlen(host) > SSH_CHANNEL_PATH_LEN - 1) {
@@ -1945,7 +2098,7 @@ channel_request_forwarding(
 			continue;
 		}
 		/* Allocate a channel number for the socket. */
-		c = channel_new("port listener", ctype, sock, sock, -1,
+		c = channel_new("port listener", type, sock, sock, -1,
 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
 		    0, xstrdup("port listener"), 1);
 		if (c == NULL) {
@@ -2183,58 +2336,13 @@ channel_connect_to(const char *host, u_short port)
 	return connect_to(host, port);
 }
 
-/*
- * This is called after receiving PORT_OPEN message.  This attempts to
- * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION
- * or CHANNEL_OPEN_FAILURE.
- */
-
-void
-channel_input_port_open(int type, int plen, void *ctxt)
-{
-	Channel *c = NULL;
-	u_short host_port;
-	char *host, *originator_string;
-	int remote_id, sock = -1;
-
-	remote_id = packet_get_int();
-	host = packet_get_string(NULL);
-	host_port = packet_get_int();
-
-	if (have_hostname_in_open) {
-		originator_string = packet_get_string(NULL);
-	} else {
-		originator_string = xstrdup("unknown (remote did not supply name)");
-	}
-	packet_done();
-	sock = channel_connect_to(host, host_port);
-	if (sock != -1) {
-		c = channel_new("connected socket",
-		    SSH_CHANNEL_CONNECTING, sock, sock, -1, 0, 0, 0,
-		    originator_string, 1);
-		if (c == NULL) {
-			error("channel_input_port_open: channel_new failed");
-			close(sock);
-		} else {
-			c->remote_id = remote_id;
-		}
-	}
-	if (c == NULL) {
-		packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE);
-		packet_put_int(remote_id);
-		packet_send();
-	}
-	xfree(host);
-}
+/* -- X11 forwarding */
 
 /*
  * Creates an internet domain socket for listening for X11 connections.
  * Returns a suitable value for the DISPLAY variable, or NULL if an error
  * occurs.
  */
-
-#define	NUM_SOCKS	10
-
 char *
 x11_create_display_inet(int screen_number, int x11_display_offset)
 {
@@ -2515,7 +2623,8 @@ x11_input_open(int type, int plen, void *ctxt)
 	debug("Received X11 open request.");
 
 	remote_id = packet_get_int();
-	if (have_hostname_in_open) {
+
+	if (packet_get_protocol_flags() & SSH_PROTOFLAG_HOST_IN_FWD_OPEN) {
 		remote_host = packet_get_string(NULL);
 	} else {
 		remote_host = xstrdup("unknown (remote did not supply name)");
@@ -2574,8 +2683,8 @@ deny_input_open(int type, int plen, void *ctxt)
 /*
  * Requests forwarding of X11 connections, generates fake authentication
  * data, and enables authentication spoofing.
+ * This should be called in the client only.
  */
-
 void
 x11_request_forwarding_with_spoofing(int client_session_id,
     const char *proto, const char *data)
@@ -2640,6 +2749,9 @@ x11_request_forwarding_with_spoofing(int client_session_id,
 	xfree(new_data);
 }
 
+
+/* -- agent forwarding */
+
 /* Sends a message to the server to request authentication fd forwarding. */
 
 void
@@ -2659,7 +2771,7 @@ auth_request_forwarding()
 char *
 auth_get_socket_name()
 {
-	return channel_forwarded_auth_socket_name;
+	return auth_sock_name;
 }
 
 /* removes the agent forwarding socket */
@@ -2667,8 +2779,8 @@ auth_get_socket_name()
 void
 cleanup_socket(void)
 {
-	unlink(channel_forwarded_auth_socket_name);
-	rmdir(channel_forwarded_auth_socket_dir);
+	unlink(auth_sock_name);
+	rmdir(auth_sock_dir);
 }
 
 /*
@@ -2683,30 +2795,32 @@ auth_input_request_forwarding(struct passwd * pw)
 	int sock;
 	struct sockaddr_un sunaddr;
 
-	if (auth_get_socket_name() != NULL)
-		fatal("Protocol error: authentication forwarding requested twice.");
+	if (auth_get_socket_name() != NULL) {
+		error("authentication forwarding requested twice.");
+		return 0;
+	}
 
 	/* Temporarily drop privileged uid for mkdir/bind. */
 	temporarily_use_uid(pw);
 
 	/* Allocate a buffer for the socket name, and format the name. */
-	channel_forwarded_auth_socket_name = xmalloc(MAX_SOCKET_NAME);
-	channel_forwarded_auth_socket_dir = xmalloc(MAX_SOCKET_NAME);
-	strlcpy(channel_forwarded_auth_socket_dir, "/tmp/ssh-XXXXXXXX", MAX_SOCKET_NAME);
+	auth_sock_name = xmalloc(MAXPATHLEN);
+	auth_sock_dir = xmalloc(MAXPATHLEN);
+	strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN);
 
 	/* Create private directory for socket */
-	if (mkdtemp(channel_forwarded_auth_socket_dir) == NULL) {
-		packet_send_debug("Agent forwarding disabled: mkdtemp() failed: %.100s",
-		    strerror(errno));
+	if (mkdtemp(auth_sock_dir) == NULL) {
+		packet_send_debug("Agent forwarding disabled: "
+		    "mkdtemp() failed: %.100s", strerror(errno));
 		restore_uid();
-		xfree(channel_forwarded_auth_socket_name);
-		xfree(channel_forwarded_auth_socket_dir);
-		channel_forwarded_auth_socket_name = NULL;
-		channel_forwarded_auth_socket_dir = NULL;
+		xfree(auth_sock_name);
+		xfree(auth_sock_dir);
+		auth_sock_name = NULL;
+		auth_sock_dir = NULL;
 		return 0;
 	}
-	snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d",
-		 channel_forwarded_auth_socket_dir, (int) getpid());
+	snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%d",
+		 auth_sock_dir, (int) getpid());
 
 	if (atexit(cleanup_socket) < 0) {
 		int saved = errno;
@@ -2721,7 +2835,7 @@ auth_input_request_forwarding(struct passwd * pw)
 	/* Bind it to the name. */
 	memset(&sunaddr, 0, sizeof(sunaddr));
 	sunaddr.sun_family = AF_UNIX;
-	strncpy(sunaddr.sun_path, channel_forwarded_auth_socket_name,
+	strncpy(sunaddr.sun_path, auth_sock_name,
 		sizeof(sunaddr.sun_path));
 
 	if (bind(sock, (struct sockaddr *) & sunaddr, sizeof(sunaddr)) < 0)
@@ -2744,7 +2858,7 @@ auth_input_request_forwarding(struct passwd * pw)
 		close(sock);
 		return 0;
 	}
-	strlcpy(nc->path, channel_forwarded_auth_socket_name, sizeof(nc->path));
+	strlcpy(nc->path, auth_sock_name, sizeof(nc->path));
 	return 1;
 }
 
@@ -2755,7 +2869,7 @@ auth_input_open_request(int type, int plen, void *ctxt)
 {
 	Channel *c = NULL;
 	int remote_id, sock;
-	char *dummyname;
+	char *name;
 
 	packet_integrity_check(plen, 4, type);
 
@@ -2775,10 +2889,12 @@ auth_input_open_request(int type, int plen, void *ctxt)
 	 * agent.
 	 */
 	if (sock >= 0) {
-		dummyname = xstrdup("authentication agent connection");
-		c = channel_new("", SSH_CHANNEL_OPEN, sock, sock, -1, 0, 0, 0, dummyname, 1);
+		name = xstrdup("authentication agent connection");
+		c = channel_new("", SSH_CHANNEL_OPEN, sock, sock,
+		    -1, 0, 0, 0, name, 1);
 		if (c == NULL) {
 			error("auth_input_open_request: channel_new failed");
+			xfree(name);
 			close(sock);
 		} else {
 			c->remote_id = remote_id;
@@ -2796,105 +2912,3 @@ auth_input_open_request(int type, int plen, void *ctxt)
 	}
 	packet_send();
 }
-
-void
-channel_start_open(int id)
-{
-	Channel *c = channel_