cli-session.c - third_party/dropbear - Git at Google

 /*
  * Dropbear SSH
  *
  * Copyright (c) 2002,2003 Matt Johnston
  * Copyright (c) 2004 by Mihnea Stoenescu
  * All rights reserved.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
  * in the Software without restriction, including without limitation the rights
  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  * copies of the Software, and to permit persons to whom the Software is
  * furnished to do so, subject to the following conditions:
  *
  * The above copyright notice and this permission notice shall be included in
  * all copies or substantial portions of the Software.
  *
  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE. */

 #include "includes.h"
 #include "session.h"
 #include "dbutil.h"
 #include "kex.h"
 #include "ssh.h"
 #include "packet.h"
 #include "tcpfwd.h"
 #include "channel.h"
 #include "dbrandom.h"
 #include "service.h"
 #include "runopts.h"
 #include "chansession.h"
 #include "agentfwd.h"
 #include "crypto_desc.h"
 #include "netio.h"

 static void cli_remoteclosed(void) ATTRIB_NORETURN;
 static void cli_sessionloop(void);
 static void cli_session_init(pid_t proxy_cmd_pid);
 static void cli_finished(void) ATTRIB_NORETURN;
 static void recv_msg_service_accept(void);
 static void cli_session_cleanup(void);
 static void recv_msg_global_request_cli(void);

 struct clientsession cli_ses; /* GLOBAL */

 /* Sorted in decreasing frequency will be more efficient - data and window
  * should be first */
 static const packettype cli_packettypes[] = {
 	/* TYPE, FUNCTION */
 	{SSH_MSG_CHANNEL_DATA, recv_msg_channel_data},
 	{SSH_MSG_CHANNEL_EXTENDED_DATA, recv_msg_channel_extended_data},
 	{SSH_MSG_CHANNEL_WINDOW_ADJUST, recv_msg_channel_window_adjust},
 	{SSH_MSG_USERAUTH_FAILURE, recv_msg_userauth_failure}, /* client */
 	{SSH_MSG_USERAUTH_SUCCESS, recv_msg_userauth_success}, /* client */
 	{SSH_MSG_KEXINIT, recv_msg_kexinit},
 	{SSH_MSG_KEXDH_REPLY, recv_msg_kexdh_reply}, /* client */
 	{SSH_MSG_NEWKEYS, recv_msg_newkeys},
 	{SSH_MSG_SERVICE_ACCEPT, recv_msg_service_accept}, /* client */
 	{SSH_MSG_CHANNEL_REQUEST, recv_msg_channel_request},
 	{SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open},
 	{SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof},
 	{SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close},
 	{SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
 	{SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
 	{SSH_MSG_USERAUTH_BANNER, recv_msg_userauth_banner}, /* client */
 	{SSH_MSG_USERAUTH_SPECIFIC_60, recv_msg_userauth_specific_60}, /* client */
 	{SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_cli},
 	{SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
 	{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
 #if DROPBEAR_CLI_REMOTETCPFWD
 	{SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */
 	{SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */
 #else
 	/* For keepalive */
 	{SSH_MSG_REQUEST_SUCCESS, ignore_recv_response},
 	{SSH_MSG_REQUEST_FAILURE, ignore_recv_response},
 #endif
 	{0, 0} /* End */
 };

 static const struct ChanType *cli_chantypes[] = {
 #if DROPBEAR_CLI_REMOTETCPFWD
 	&cli_chan_tcpremote,
 #endif
 #if DROPBEAR_CLI_AGENTFWD
 	&cli_chan_agent,
 #endif
 	NULL /* Null termination */
 };

 void cli_connected(int result, int sock, void* userdata, const char *errstring)
 {
 	struct sshsession *myses = userdata;
 	if (result == DROPBEAR_FAILURE) {
 		dropbear_exit("Connect failed: %s", errstring);
 	}
 	myses->sock_in = myses->sock_out = sock;
 	update_channel_prio();
 }

 void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) {

 	common_session_init(sock_in, sock_out);

 	if (progress) {
 		connect_set_writequeue(progress, &ses.writequeue);
 	}

 	chaninitialise(cli_chantypes);

 	/* Set up cli_ses vars */
 	cli_session_init(proxy_cmd_pid);

 	/* Ready to go */
 	sessinitdone = 1;

 	/* Exchange identification */
 	send_session_identification();

 	kexfirstinitialise(); /* initialise the kex state */

 	send_msg_kexinit();

 	session_loop(cli_sessionloop);

 	/* Not reached */

 }

 #if DROPBEAR_KEX_FIRST_FOLLOWS
 static void cli_send_kex_first_guess() {
 	send_msg_kexdh_init();
 }
 #endif

 static void cli_session_init(pid_t proxy_cmd_pid) {

 	cli_ses.state = STATE_NOTHING;
 	cli_ses.kex_state = KEX_NOTHING;

 	cli_ses.tty_raw_mode = 0;
 	cli_ses.winchange = 0;

 	/* We store std{in,out,err}'s flags, so we can set them back on exit
 	 * (otherwise busybox's ash isn't happy */
 	cli_ses.stdincopy = dup(STDIN_FILENO);
 	cli_ses.stdinflags = fcntl(STDIN_FILENO, F_GETFL, 0);
 	cli_ses.stdoutcopy = dup(STDOUT_FILENO);
 	cli_ses.stdoutflags = fcntl(STDOUT_FILENO, F_GETFL, 0);
 	cli_ses.stderrcopy = dup(STDERR_FILENO);
 	cli_ses.stderrflags = fcntl(STDERR_FILENO, F_GETFL, 0);

 	cli_ses.retval = EXIT_SUCCESS; /* Assume it's clean if we don't get a
 									  specific exit status */
 	cli_ses.proxy_cmd_pid = proxy_cmd_pid;
 	TRACE(("proxy command PID='%d'", proxy_cmd_pid));

 	/* Auth */
 	cli_ses.lastprivkey = NULL;
 	cli_ses.lastauthtype = 0;

 #if DROPBEAR_NONE_CIPHER
 	cli_ses.cipher_none_after_auth = get_algo_usable(sshciphers, "none");
 	set_algo_usable(sshciphers, "none", 0);
 #else
 	cli_ses.cipher_none_after_auth = 0;
 #endif

 	/* For printing "remote host closed" for the user */
 	ses.remoteclosed = cli_remoteclosed;

 	ses.extra_session_cleanup = cli_session_cleanup;

 	/* packet handlers */
 	ses.packettypes = cli_packettypes;

 	ses.isserver = 0;

 #if DROPBEAR_KEX_FIRST_FOLLOWS
 	ses.send_kex_first_guess = cli_send_kex_first_guess;
 #endif

 }

 static void send_msg_service_request(char* servicename) {

 	TRACE(("enter send_msg_service_request: servicename='%s'", servicename))

 	CHECKCLEARTOWRITE();

 	buf_putbyte(ses.writepayload, SSH_MSG_SERVICE_REQUEST);
 	buf_putstring(ses.writepayload, servicename, strlen(servicename));

 	encrypt_packet();
 	TRACE(("leave send_msg_service_request"))
 }

 static void recv_msg_service_accept(void) {
 	/* do nothing, if it failed then the server MUST have disconnected */
 }

 /* This function drives the progress of the session - it initiates KEX,
  * service, userauth and channel requests */
 static void cli_sessionloop() {

 	TRACE2(("enter cli_sessionloop"))

 	if (ses.lastpacket == 0) {
 		TRACE2(("exit cli_sessionloop: no real packets yet"))
 		return;
 	}

 	if (ses.lastpacket == SSH_MSG_KEXINIT && cli_ses.kex_state == KEX_NOTHING) {
 		/* We initiate the KEXDH. If DH wasn't the correct type, the KEXINIT
 		 * negotiation would have failed. */
 		if (!ses.kexstate.our_first_follows_matches) {
 			send_msg_kexdh_init();
 		}
 		cli_ses.kex_state = KEXDH_INIT_SENT;
 		TRACE(("leave cli_sessionloop: done with KEXINIT_RCVD"))
 		return;
 	}

 	/* A KEX has finished, so we should go back to our KEX_NOTHING state */
 	if (cli_ses.kex_state != KEX_NOTHING && ses.kexstate.sentnewkeys) {
 		cli_ses.kex_state = KEX_NOTHING;
 	}

 	/* We shouldn't do anything else if a KEX is in progress */
 	if (cli_ses.kex_state != KEX_NOTHING) {
 		TRACE(("leave cli_sessionloop: kex_state != KEX_NOTHING"))
 		return;
 	}

 	if (ses.kexstate.donefirstkex == 0) {
 		/* We might reach here if we have partial packet reads or have
 		 * received SSG_MSG_IGNORE etc. Just skip it */
 		TRACE2(("donefirstkex false\n"))
 		return;
 	}

 	switch (cli_ses.state) {

 		case STATE_NOTHING:
 			/* We've got the transport layer sorted, we now need to request
 			 * userauth */
 			send_msg_service_request(SSH_SERVICE_USERAUTH);
 			cli_auth_getmethods();
 			cli_ses.state = USERAUTH_REQ_SENT;
 			TRACE(("leave cli_sessionloop: sent userauth methods req"))
 			return;

 		case USERAUTH_REQ_SENT:
 			TRACE(("leave cli_sessionloop: waiting, req_sent"))
 			return;

 		case USERAUTH_FAIL_RCVD:
 			if (cli_auth_try() == DROPBEAR_FAILURE) {
 				dropbear_exit("No auth methods could be used.");
 			}
 			cli_ses.state = USERAUTH_REQ_SENT;
 			TRACE(("leave cli_sessionloop: cli_auth_try"))
 			return;

 		case USERAUTH_SUCCESS_RCVD:
 #ifndef DISABLE_SYSLOG
 			if (opts.usingsyslog) {
 				dropbear_log(LOG_INFO, "Authentication succeeded.");
 			}
 #endif

 #if DROPBEAR_NONE_CIPHER
 			if (cli_ses.cipher_none_after_auth)
 			{
 				set_algo_usable(sshciphers, "none", 1);
 				send_msg_kexinit();
 			}
 #endif

 			if (cli_opts.backgrounded) {
 				int devnull;
 				/* keeping stdin open steals input from the terminal and
 				   is confusing, though stdout/stderr could be useful. */
 				devnull = open(_PATH_DEVNULL, O_RDONLY);
 				if (devnull < 0) {
 					dropbear_exit("Opening /dev/null: %d %s",
 							errno, strerror(errno));
 				}
 				dup2(devnull, STDIN_FILENO);
 				if (daemon(0, 1) < 0) {
 					dropbear_exit("Backgrounding failed: %d %s",
 							errno, strerror(errno));
 				}
 			}

 #if DROPBEAR_CLI_NETCAT
 			if (cli_opts.netcat_host) {
 				cli_send_netcat_request();
 			} else
 #endif
 			if (!cli_opts.no_cmd) {
 				cli_send_chansess_request();
 			}

 #if DROPBEAR_CLI_LOCALTCPFWD
 			setup_localtcp();
 #endif
 #if DROPBEAR_CLI_REMOTETCPFWD
 			setup_remotetcp();
 #endif

 			TRACE(("leave cli_sessionloop: running"))
 			cli_ses.state = SESSION_RUNNING;
 			return;

 		case SESSION_RUNNING:
 			if (ses.chancount < 1 && !cli_opts.no_cmd) {
 				cli_finished();
 			}

 			if (cli_ses.winchange) {
 				cli_chansess_winchange();
 			}
 			return;

 		/* XXX more here needed */


 	default:
 		break;
 	}

 	TRACE2(("leave cli_sessionloop: fell out"))

 }

 void kill_proxy_command(void) {
 	/*
 	 * Send SIGHUP to proxy command if used. We don't wait() in
 	 * case it hangs and instead rely on init to reap the child
 	 */
 	if (cli_ses.proxy_cmd_pid > 1) {
 		TRACE(("killing proxy command with PID='%d'", cli_ses.proxy_cmd_pid));
 		kill(cli_ses.proxy_cmd_pid, SIGHUP);
 	}
 }

 static void cli_session_cleanup(void) {

 	if (!sessinitdone) {
 		return;
 	}

 	kill_proxy_command();

 	/* Set std{in,out,err} back to non-blocking - busybox ash dies nastily if
 	 * we don't revert the flags */
 	/* Ignore return value since there's nothing we can do */
 	(void)fcntl(cli_ses.stdincopy, F_SETFL, cli_ses.stdinflags);
 	(void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
 	(void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);

 	cli_tty_cleanup();

 }

 static void cli_finished() {

 	session_cleanup();
 	fprintf(stderr, "Connection to %s@%s:%s closed.\n", cli_opts.username,
 			cli_opts.remotehost, cli_opts.remoteport);
 	exit(cli_ses.retval);
 }


 /* called when the remote side closes the connection */
 static void cli_remoteclosed() {

 	/* XXX TODO perhaps print a friendlier message if we get this but have
 	 * already sent/received disconnect message(s) ??? */
 	m_close(ses.sock_in);
 	m_close(ses.sock_out);
 	ses.sock_in = -1;
 	ses.sock_out = -1;
 	dropbear_exit("Remote closed the connection");
 }

 /* Operates in-place turning dirty (untrusted potentially containing control
  * characters) text into clean text.
  * Note: this is safe only with ascii - other charsets could have problems. */
 void cleantext(char* dirtytext) {

 	unsigned int i, j;
 	char c;

 	j = 0;
 	for (i = 0; dirtytext[i] != '\0'; i++) {

 		c = dirtytext[i];
 		/* We can ignore '\r's */
 		if ( (c >= ' ' && c <= '~') || c == '\n' || c == '\t') {
 			dirtytext[j] = c;
 			j++;
 		}
 	}
 	/* Null terminate */
 	dirtytext[j] = '\0';
 }

 static void recv_msg_global_request_cli(void) {
 	TRACE(("recv_msg_global_request_cli"))
 	/* Send a proper rejection */
 	send_msg_request_failure();
 }
	/*
	* Dropbear SSH
	*
	* Copyright (c) 2002,2003 Matt Johnston
	* Copyright (c) 2004 by Mihnea Stoenescu
	* All rights reserved.
	*
	* Permission is hereby granted, free of charge, to any person obtaining a copy
	* of this software and associated documentation files (the "Software"), to deal
	* in the Software without restriction, including without limitation the rights
	* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
	* copies of the Software, and to permit persons to whom the Software is
	* furnished to do so, subject to the following conditions:
	*
	* The above copyright notice and this permission notice shall be included in
	* all copies or substantial portions of the Software.
	*
	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	* SOFTWARE. */

	#include "includes.h"
	#include "session.h"
	#include "dbutil.h"
	#include "kex.h"
	#include "ssh.h"
	#include "packet.h"
	#include "tcpfwd.h"
	#include "channel.h"
	#include "dbrandom.h"
	#include "service.h"
	#include "runopts.h"
	#include "chansession.h"
	#include "agentfwd.h"
	#include "crypto_desc.h"
	#include "netio.h"

	static void cli_remoteclosed(void) ATTRIB_NORETURN;
	static void cli_sessionloop(void);
	static void cli_session_init(pid_t proxy_cmd_pid);
	static void cli_finished(void) ATTRIB_NORETURN;
	static void recv_msg_service_accept(void);
	static void cli_session_cleanup(void);
	static void recv_msg_global_request_cli(void);

	struct clientsession cli_ses; /* GLOBAL */

	/* Sorted in decreasing frequency will be more efficient - data and window
	* should be first */
	static const packettype cli_packettypes[] = {
	/* TYPE, FUNCTION */
	{SSH_MSG_CHANNEL_DATA, recv_msg_channel_data},
	{SSH_MSG_CHANNEL_EXTENDED_DATA, recv_msg_channel_extended_data},
	{SSH_MSG_CHANNEL_WINDOW_ADJUST, recv_msg_channel_window_adjust},
	{SSH_MSG_USERAUTH_FAILURE, recv_msg_userauth_failure}, /* client */
	{SSH_MSG_USERAUTH_SUCCESS, recv_msg_userauth_success}, /* client */
	{SSH_MSG_KEXINIT, recv_msg_kexinit},
	{SSH_MSG_KEXDH_REPLY, recv_msg_kexdh_reply}, /* client */
	{SSH_MSG_NEWKEYS, recv_msg_newkeys},
	{SSH_MSG_SERVICE_ACCEPT, recv_msg_service_accept}, /* client */
	{SSH_MSG_CHANNEL_REQUEST, recv_msg_channel_request},
	{SSH_MSG_CHANNEL_OPEN, recv_msg_channel_open},
	{SSH_MSG_CHANNEL_EOF, recv_msg_channel_eof},
	{SSH_MSG_CHANNEL_CLOSE, recv_msg_channel_close},
	{SSH_MSG_CHANNEL_OPEN_CONFIRMATION, recv_msg_channel_open_confirmation},
	{SSH_MSG_CHANNEL_OPEN_FAILURE, recv_msg_channel_open_failure},
	{SSH_MSG_USERAUTH_BANNER, recv_msg_userauth_banner}, /* client */
	{SSH_MSG_USERAUTH_SPECIFIC_60, recv_msg_userauth_specific_60}, /* client */
	{SSH_MSG_GLOBAL_REQUEST, recv_msg_global_request_cli},
	{SSH_MSG_CHANNEL_SUCCESS, ignore_recv_response},
	{SSH_MSG_CHANNEL_FAILURE, ignore_recv_response},
	#if DROPBEAR_CLI_REMOTETCPFWD
	{SSH_MSG_REQUEST_SUCCESS, cli_recv_msg_request_success}, /* client */
	{SSH_MSG_REQUEST_FAILURE, cli_recv_msg_request_failure}, /* client */
	#else
	/* For keepalive */
	{SSH_MSG_REQUEST_SUCCESS, ignore_recv_response},
	{SSH_MSG_REQUEST_FAILURE, ignore_recv_response},
	#endif
	{0, 0} /* End */
	};

	static const struct ChanType *cli_chantypes[] = {
	#if DROPBEAR_CLI_REMOTETCPFWD
	&cli_chan_tcpremote,
	#endif
	#if DROPBEAR_CLI_AGENTFWD
	&cli_chan_agent,
	#endif
	NULL /* Null termination */
	};

	void cli_connected(int result, int sock, void* userdata, const char *errstring)
	{
	struct sshsession *myses = userdata;
	if (result == DROPBEAR_FAILURE) {
	dropbear_exit("Connect failed: %s", errstring);
	}
	myses->sock_in = myses->sock_out = sock;
	update_channel_prio();
	}

	void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress, pid_t proxy_cmd_pid) {

	common_session_init(sock_in, sock_out);

	if (progress) {
	connect_set_writequeue(progress, &ses.writequeue);
	}

	chaninitialise(cli_chantypes);

	/* Set up cli_ses vars */
	cli_session_init(proxy_cmd_pid);

	/* Ready to go */
	sessinitdone = 1;

	/* Exchange identification */
	send_session_identification();

	kexfirstinitialise(); /* initialise the kex state */

	send_msg_kexinit();

	session_loop(cli_sessionloop);

	/* Not reached */

	}

	#if DROPBEAR_KEX_FIRST_FOLLOWS
	static void cli_send_kex_first_guess() {
	send_msg_kexdh_init();
	}
	#endif

	static void cli_session_init(pid_t proxy_cmd_pid) {

	cli_ses.state = STATE_NOTHING;
	cli_ses.kex_state = KEX_NOTHING;

	cli_ses.tty_raw_mode = 0;
	cli_ses.winchange = 0;

	/* We store std{in,out,err}'s flags, so we can set them back on exit
	* (otherwise busybox's ash isn't happy */
	cli_ses.stdincopy = dup(STDIN_FILENO);
	cli_ses.stdinflags = fcntl(STDIN_FILENO, F_GETFL, 0);
	cli_ses.stdoutcopy = dup(STDOUT_FILENO);
	cli_ses.stdoutflags = fcntl(STDOUT_FILENO, F_GETFL, 0);
	cli_ses.stderrcopy = dup(STDERR_FILENO);
	cli_ses.stderrflags = fcntl(STDERR_FILENO, F_GETFL, 0);

	cli_ses.retval = EXIT_SUCCESS; /* Assume it's clean if we don't get a
	specific exit status */
	cli_ses.proxy_cmd_pid = proxy_cmd_pid;
	TRACE(("proxy command PID='%d'", proxy_cmd_pid));

	/* Auth */
	cli_ses.lastprivkey = NULL;
	cli_ses.lastauthtype = 0;

	#if DROPBEAR_NONE_CIPHER
	cli_ses.cipher_none_after_auth = get_algo_usable(sshciphers, "none");
	set_algo_usable(sshciphers, "none", 0);
	#else
	cli_ses.cipher_none_after_auth = 0;
	#endif

	/* For printing "remote host closed" for the user */
	ses.remoteclosed = cli_remoteclosed;

	ses.extra_session_cleanup = cli_session_cleanup;

	/* packet handlers */
	ses.packettypes = cli_packettypes;

	ses.isserver = 0;

	#if DROPBEAR_KEX_FIRST_FOLLOWS
	ses.send_kex_first_guess = cli_send_kex_first_guess;
	#endif

	}

	static void send_msg_service_request(char* servicename) {

	TRACE(("enter send_msg_service_request: servicename='%s'", servicename))

	CHECKCLEARTOWRITE();

	buf_putbyte(ses.writepayload, SSH_MSG_SERVICE_REQUEST);
	buf_putstring(ses.writepayload, servicename, strlen(servicename));

	encrypt_packet();
	TRACE(("leave send_msg_service_request"))
	}

	static void recv_msg_service_accept(void) {
	/* do nothing, if it failed then the server MUST have disconnected */
	}

	/* This function drives the progress of the session - it initiates KEX,
	* service, userauth and channel requests */
	static void cli_sessionloop() {

	TRACE2(("enter cli_sessionloop"))

	if (ses.lastpacket == 0) {
	TRACE2(("exit cli_sessionloop: no real packets yet"))
	return;
	}

	if (ses.lastpacket == SSH_MSG_KEXINIT && cli_ses.kex_state == KEX_NOTHING) {
	/* We initiate the KEXDH. If DH wasn't the correct type, the KEXINIT
	* negotiation would have failed. */
	if (!ses.kexstate.our_first_follows_matches) {
	send_msg_kexdh_init();
	}
	cli_ses.kex_state = KEXDH_INIT_SENT;
	TRACE(("leave cli_sessionloop: done with KEXINIT_RCVD"))
	return;
	}

	/* A KEX has finished, so we should go back to our KEX_NOTHING state */
	if (cli_ses.kex_state != KEX_NOTHING && ses.kexstate.sentnewkeys) {
	cli_ses.kex_state = KEX_NOTHING;
	}

	/* We shouldn't do anything else if a KEX is in progress */
	if (cli_ses.kex_state != KEX_NOTHING) {
	TRACE(("leave cli_sessionloop: kex_state != KEX_NOTHING"))
	return;
	}

	if (ses.kexstate.donefirstkex == 0) {
	/* We might reach here if we have partial packet reads or have
	* received SSG_MSG_IGNORE etc. Just skip it */
	TRACE2(("donefirstkex false\n"))
	return;
	}

	switch (cli_ses.state) {

	case STATE_NOTHING:
	/* We've got the transport layer sorted, we now need to request
	* userauth */
	send_msg_service_request(SSH_SERVICE_USERAUTH);
	cli_auth_getmethods();
	cli_ses.state = USERAUTH_REQ_SENT;
	TRACE(("leave cli_sessionloop: sent userauth methods req"))
	return;

	case USERAUTH_REQ_SENT:
	TRACE(("leave cli_sessionloop: waiting, req_sent"))
	return;

	case USERAUTH_FAIL_RCVD:
	if (cli_auth_try() == DROPBEAR_FAILURE) {
	dropbear_exit("No auth methods could be used.");
	}
	cli_ses.state = USERAUTH_REQ_SENT;
	TRACE(("leave cli_sessionloop: cli_auth_try"))
	return;

	case USERAUTH_SUCCESS_RCVD:
	#ifndef DISABLE_SYSLOG
	if (opts.usingsyslog) {
	dropbear_log(LOG_INFO, "Authentication succeeded.");
	}
	#endif

	#if DROPBEAR_NONE_CIPHER
	if (cli_ses.cipher_none_after_auth)
	{
	set_algo_usable(sshciphers, "none", 1);
	send_msg_kexinit();
	}
	#endif

	if (cli_opts.backgrounded) {
	int devnull;
	/* keeping stdin open steals input from the terminal and
	is confusing, though stdout/stderr could be useful. */
	devnull = open(_PATH_DEVNULL, O_RDONLY);
	if (devnull < 0) {
	dropbear_exit("Opening /dev/null: %d %s",
	errno, strerror(errno));
	}
	dup2(devnull, STDIN_FILENO);
	if (daemon(0, 1) < 0) {
	dropbear_exit("Backgrounding failed: %d %s",
	errno, strerror(errno));
	}
	}

	#if DROPBEAR_CLI_NETCAT
	if (cli_opts.netcat_host) {
	cli_send_netcat_request();
	} else
	#endif
	if (!cli_opts.no_cmd) {
	cli_send_chansess_request();
	}

	#if DROPBEAR_CLI_LOCALTCPFWD
	setup_localtcp();
	#endif
	#if DROPBEAR_CLI_REMOTETCPFWD
	setup_remotetcp();
	#endif

	TRACE(("leave cli_sessionloop: running"))
	cli_ses.state = SESSION_RUNNING;
	return;

	case SESSION_RUNNING:
	if (ses.chancount < 1 && !cli_opts.no_cmd) {
	cli_finished();
	}

	if (cli_ses.winchange) {
	cli_chansess_winchange();
	}
	return;

	/* XXX more here needed */


	default:
	break;
	}

	TRACE2(("leave cli_sessionloop: fell out"))

	}

	void kill_proxy_command(void) {
	/*
	* Send SIGHUP to proxy command if used. We don't wait() in
	* case it hangs and instead rely on init to reap the child
	*/
	if (cli_ses.proxy_cmd_pid > 1) {
	TRACE(("killing proxy command with PID='%d'", cli_ses.proxy_cmd_pid));
	kill(cli_ses.proxy_cmd_pid, SIGHUP);
	}
	}

	static void cli_session_cleanup(void) {

	if (!sessinitdone) {
	return;
	}

	kill_proxy_command();

	/* Set std{in,out,err} back to non-blocking - busybox ash dies nastily if
	* we don't revert the flags */
	/* Ignore return value since there's nothing we can do */
	(void)fcntl(cli_ses.stdincopy, F_SETFL, cli_ses.stdinflags);
	(void)fcntl(cli_ses.stdoutcopy, F_SETFL, cli_ses.stdoutflags);
	(void)fcntl(cli_ses.stderrcopy, F_SETFL, cli_ses.stderrflags);

	cli_tty_cleanup();

	}

	static void cli_finished() {

	session_cleanup();
	fprintf(stderr, "Connection to %s@%s:%s closed.\n", cli_opts.username,
	cli_opts.remotehost, cli_opts.remoteport);
	exit(cli_ses.retval);
	}


	/* called when the remote side closes the connection */
	static void cli_remoteclosed() {

	/* XXX TODO perhaps print a friendlier message if we get this but have
	* already sent/received disconnect message(s) ??? */
	m_close(ses.sock_in);
	m_close(ses.sock_out);
	ses.sock_in = -1;
	ses.sock_out = -1;
	dropbear_exit("Remote closed the connection");
	}

	/* Operates in-place turning dirty (untrusted potentially containing control
	* characters) text into clean text.
	* Note: this is safe only with ascii - other charsets could have problems. */
	void cleantext(char* dirtytext) {

	unsigned int i, j;
	char c;

	j = 0;
	for (i = 0; dirtytext[i] != '\0'; i++) {

	c = dirtytext[i];
	/* We can ignore '\r's */
	if ( (c >= ' ' && c <= '~') \|\| c == '\n' \|\| c == '\t') {
	dirtytext[j] = c;
	j++;
	}
	}
	/* Null terminate */
	dirtytext[j] = '\0';
	}

	static void recv_msg_global_request_cli(void) {
	TRACE(("recv_msg_global_request_cli"))
	/* Send a proper rejection */
	send_msg_request_failure();
	}