/*
 * Pseudo-tty backend for pterm.
 */

#define _GNU_SOURCE

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <assert.h>
#include <fcntl.h>
#include <termios.h>
#include <grp.h>
#if HAVE_UTMP_H
#include <utmp.h>
#endif
#include <pwd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <termios.h>

#include "putty.h"
#include "ssh.h"
#include "ssh/server.h" /* to check the prototypes of server-needed things */
#include "tree234.h"

#ifndef OMIT_UTMP
#include <utmpx.h>
#endif

/* updwtmpx() needs the name of the wtmp file.  Try to find it. */
#ifndef WTMPX_FILE
#ifdef _PATH_WTMPX
#define WTMPX_FILE _PATH_WTMPX
#else
#define WTMPX_FILE "/var/log/wtmpx"
#endif
#endif

#ifndef LASTLOG_FILE
#ifdef _PATH_LASTLOG
#define LASTLOG_FILE _PATH_LASTLOG
#else
#define LASTLOG_FILE "/var/log/lastlog"
#endif
#endif

typedef struct Pty Pty;

/*
 * The pty_signal_pipe, along with the SIGCHLD handler, must be
 * process-global rather than session-specific.
 */
static int pty_signal_pipe[2] = { -1, -1 };   /* obviously bogus initial val */

typedef struct PtyFd {
    int fd;
    Pty *pty;
} PtyFd;

struct Pty {
    Conf *conf;

    int master_fd, slave_fd;
    int pipefds[6];
    PtyFd fds[3];
    int master_i, master_o, master_e;

    Seat *seat;
    size_t output_backlog;
    char name[FILENAME_MAX];
    pid_t child_pid;
    int term_width, term_height;
    bool child_dead, finished;
    int exit_code;
    bufchain output_data;
    bool pending_eof;
    Backend backend;
};

#define PTY_MAX_BACKLOG 32768

/*
 * We store all the (active) PtyFd structures in a tree sorted by fd,
 * so that when we get an uxsel notification we know which backend
 * instance is the owner of the pty that caused it, and then we can
 * find out which fd is the relevant one too.
 */
static int ptyfd_compare(void *av, void *bv)
{
    PtyFd *a = (PtyFd *)av;
    PtyFd *b = (PtyFd *)bv;

    if (a->fd < b->fd)
        return -1;
    else if (a->fd > b->fd)
        return +1;
    return 0;
}

static int ptyfd_find(void *av, void *bv)
{
    int a = *(int *)av;
    PtyFd *b = (PtyFd *)bv;

    if (a < b->fd)
        return -1;
    else if (a > b->fd)
        return +1;
    return 0;
}

static tree234 *ptyfds = NULL;

/*
 * We also have a tree of Pty structures themselves, sorted by child
 * pid, so that when we wait() in response to the signal we know which
 * backend instance is the owner of the process that caused the
 * signal.
 */
static int pty_compare_by_pid(void *av, void *bv)
{
    Pty *a = (Pty *)av;
    Pty *b = (Pty *)bv;

    if (a->child_pid < b->child_pid)
        return -1;
    else if (a->child_pid > b->child_pid)
        return +1;
    return 0;
}

static int pty_find_by_pid(void *av, void *bv)
{
    pid_t a = *(pid_t *)av;
    Pty *b = (Pty *)bv;

    if (a < b->child_pid)
        return -1;
    else if (a > b->child_pid)
        return +1;
    return 0;
}

static tree234 *ptys_by_pid = NULL;

/*
 * If we are using pty_pre_init(), it will need to have already
 * allocated a pty structure, which we must then return from
 * pty_init() rather than allocating a new one. Here we store that
 * structure between allocation and use.
 *
 * Note that although most of this module is entirely capable of
 * handling multiple ptys in a single process, pty_pre_init() is
 * fundamentally _dependent_ on there being at most one pty per
 * process, so the normal static-data constraints don't apply.
 *
 * Likewise, since utmp is only used via pty_pre_init, it too must
 * be single-instance, so we can declare utmp-related variables
 * here.
 */
static Pty *single_pty = NULL;

#ifndef OMIT_UTMP
static pid_t pty_utmp_helper_pid = -1;
static int pty_utmp_helper_pipe = -1;
static bool pty_stamped_utmp;
static struct utmpx utmp_entry;
#endif

/*
 * pty_argv is a grievous hack to allow a proper argv to be passed
 * through from the Unix command line. Again, it doesn't really
 * make sense outside a one-pty-per-process setup.
 */
char **pty_argv;

char *pty_osx_envrestore_prefix;

static void pty_close(Pty *pty);
static void pty_try_write(Pty *pty);

#ifndef OMIT_UTMP
static void setup_utmp(char *ttyname, char *location)
{
#if HAVE_LASTLOG
    struct lastlog lastlog_entry;
    FILE *lastlog;
#endif
    struct passwd *pw;
    struct timeval tv;

    pw = getpwuid(getuid());
    if (!pw)
        return; /* can't stamp utmp if we don't have a username */
    memset(&utmp_entry, 0, sizeof(utmp_entry));
    utmp_entry.ut_type = USER_PROCESS;
    utmp_entry.ut_pid = getpid();
#if __GNUC__ >= 8
#   pragma GCC diagnostic push
#   pragma GCC diagnostic ignored "-Wstringop-truncation"
#endif // __GNUC__ >= 8
    strncpy(utmp_entry.ut_line, ttyname+5, lenof(utmp_entry.ut_line));
    strncpy(utmp_entry.ut_id, ttyname+8, lenof(utmp_entry.ut_id));
    strncpy(utmp_entry.ut_user, pw->pw_name, lenof(utmp_entry.ut_user));
    strncpy(utmp_entry.ut_host, location, lenof(utmp_entry.ut_host));
#if __GNUC__ >= 8
#   pragma GCC diagnostic pop
#endif // __GNUC__ >= 8
    /*
     * Apparently there are some architectures where (struct
     * utmpx).ut_tv is not essentially struct timeval (e.g. Linux
     * amd64). Hence the temporary.
     */
    gettimeofday(&tv, NULL);
    utmp_entry.ut_tv.tv_sec = tv.tv_sec;
    utmp_entry.ut_tv.tv_usec = tv.tv_usec;

    setutxent();
    pututxline(&utmp_entry);
    endutxent();

#if HAVE_UPDWTMPX
    /* Reportedly, AIX 5.1 has <utmpx.h> and pututxline(), but no
     * updwtmpx(). */
    updwtmpx(WTMPX_FILE, &utmp_entry);
#endif

#if HAVE_LASTLOG
    memset(&lastlog_entry, 0, sizeof(lastlog_entry));
    strncpy(lastlog_entry.ll_line, ttyname+5, lenof(lastlog_entry.ll_line));
    strncpy(lastlog_entry.ll_host, location, lenof(lastlog_entry.ll_host));
    time(&lastlog_entry.ll_time);
    if ((lastlog = fopen(LASTLOG_FILE, "r+")) != NULL) {
        fseek(lastlog, sizeof(lastlog_entry) * getuid(), SEEK_SET);
        fwrite(&lastlog_entry, 1, sizeof(lastlog_entry), lastlog);
        fclose(lastlog);
    }
#endif

    pty_stamped_utmp = true;

}

static void cleanup_utmp(void)
{
    struct timeval tv;

    if (!pty_stamped_utmp)
        return;

    utmp_entry.ut_type = DEAD_PROCESS;
    memset(utmp_entry.ut_user, 0, lenof(utmp_entry.ut_user));
    gettimeofday(&tv, NULL);
    utmp_entry.ut_tv.tv_sec = tv.tv_sec;
    utmp_entry.ut_tv.tv_usec = tv.tv_usec;

#if HAVE_UPDWTMPX
    updwtmpx(WTMPX_FILE, &utmp_entry);
#endif

    memset(utmp_entry.ut_line, 0, lenof(utmp_entry.ut_line));
    utmp_entry.ut_tv.tv_sec = 0;
    utmp_entry.ut_tv.tv_usec = 0;

    setutxent();
    pututxline(&utmp_entry);
    endutxent();

    pty_stamped_utmp = false;     /* ensure we never double-cleanup */
}
#endif

static void sigchld_handler(int signum)
{
    if (write(pty_signal_pipe[1], "x", 1) <= 0)
        /* not much we can do about it */;
}

static void pty_setup_sigchld_handler(void)
{
    static bool setup = false;
    if (!setup) {
        putty_signal(SIGCHLD, sigchld_handler);
        setup = true;
    }
}

#ifndef OMIT_UTMP
static void fatal_sig_handler(int signum)
{
    putty_signal(signum, SIG_DFL);
    cleanup_utmp();
    raise(signum);
}
#endif

static int pty_open_slave(Pty *pty)
{
    if (pty->slave_fd < 0) {
        pty->slave_fd = open(pty->name, O_RDWR);
        cloexec(pty->slave_fd);
    }

    return pty->slave_fd;
}

static void pty_open_master(Pty *pty)
{
#ifdef BSD_PTYS
    const char chars1[] = "pqrstuvwxyz";
    const char chars2[] = "0123456789abcdef";
    const char *p1, *p2;
    char master_name[20];
    struct group *gp;

    for (p1 = chars1; *p1; p1++)
        for (p2 = chars2; *p2; p2++) {
            sprintf(master_name, "/dev/pty%c%c", *p1, *p2);
            pty->master_fd = open(master_name, O_RDWR);
            if (pty->master_fd >= 0) {
                if (geteuid() == 0 ||
                    access(master_name, R_OK | W_OK) == 0) {
                    /*
                     * We must also check at this point that we are
                     * able to open the slave side of the pty. We
                     * wouldn't want to allocate the wrong master,
                     * get all the way down to forking, and _then_
                     * find we're unable to open the slave.
                     */
                    strcpy(pty->name, master_name);
                    pty->name[5] = 't'; /* /dev/ptyXX -> /dev/ttyXX */

                    cloexec(pty->master_fd);

                    if (pty_open_slave(pty) >= 0 &&
                        access(pty->name, R_OK | W_OK) == 0)
                        goto got_one;
                    if (pty->slave_fd > 0)
                        close(pty->slave_fd);
                    pty->slave_fd = -1;
                }
                close(pty->master_fd);
            }
        }

    /* If we get here, we couldn't get a tty at all. */
    fprintf(stderr, "pterm: unable to open a pseudo-terminal device\n");
    exit(1);

  got_one:

    /* We need to chown/chmod the /dev/ttyXX device. */
    gp = getgrnam("tty");
    chown(pty->name, getuid(), gp ? gp->gr_gid : -1);
    chmod(pty->name, 0600);
#else

    const int flags = O_RDWR
#ifdef O_NOCTTY
        | O_NOCTTY
#endif
        ;

#if HAVE_POSIX_OPENPT
#ifdef SET_NONBLOCK_VIA_OPENPT
    /*
     * OS X, as of 10.10 at least, doesn't permit me to set O_NONBLOCK
     * on pty master fds via the usual fcntl mechanism. Fortunately,
     * it does let me work around this by adding O_NONBLOCK to the
     * posix_openpt flags parameter, which isn't a documented use of
     * the API but seems to work. So we'll do that for now.
     */
    pty->master_fd = posix_openpt(flags | O_NONBLOCK);
#else
    pty->master_fd = posix_openpt(flags);
#endif

    if (pty->master_fd < 0) {
        perror("posix_openpt");
        exit(1);
    }
#else
    pty->master_fd = open("/dev/ptmx", flags);

    if (pty->master_fd < 0) {
        perror("/dev/ptmx: open");
        exit(1);
    }
#endif

    if (grantpt(pty->master_fd) < 0) {
        perror("grantpt");
        exit(1);
    }

    if (unlockpt(pty->master_fd) < 0) {
        perror("unlockpt");
        exit(1);
    }

    cloexec(pty->master_fd);

    pty->name[FILENAME_MAX-1] = '\0';
    strncpy(pty->name, ptsname(pty->master_fd), FILENAME_MAX-1);
#endif

#ifndef SET_NONBLOCK_VIA_OPENPT
    nonblock(pty->master_fd);
#endif
}

static Pty *new_pty_struct(void)
{
    Pty *pty = snew(Pty);
    memset(pty, 0, sizeof(Pty));
    pty->conf = NULL;
    pty->pending_eof = false;
    bufchain_init(&pty->output_data);
    return pty;
}

/*
 * Pre-initialisation. This is here to get around the fact that GTK
 * doesn't like being run in setuid/setgid programs (probably
 * sensibly). So before we initialise GTK - and therefore before we
 * even process the command line - we check to see if we're running
 * set[ug]id. If so, we open our pty master _now_, chown it as
 * necessary, and drop privileges. We can always close it again
 * later. If we're potentially going to be doing utmp as well, we
 * also fork off a utmp helper process and communicate with it by
 * means of a pipe; the utmp helper will keep privileges in order
 * to clean up utmp when we exit (i.e. when its end of our pipe
 * closes).
 */
void pty_pre_init(void)
{
#ifndef NO_PTY_PRE_INIT

    Pty *pty;

#ifndef OMIT_UTMP
    pid_t pid;
    int pipefd[2];
#endif

    pty = single_pty = new_pty_struct();

    /* set the child signal handler straight away; it needs to be set
     * before we ever fork. */
    pty_setup_sigchld_handler();
    pty->master_fd = pty->slave_fd = -1;
#ifndef OMIT_UTMP
    pty_stamped_utmp = false;
#endif

    if (geteuid() != getuid() || getegid() != getgid()) {
        pty_open_master(pty);

#ifndef OMIT_UTMP
        /*
         * Fork off the utmp helper.
         */
        if (pipe(pipefd) < 0) {
            perror("pterm: pipe");
            exit(1);
        }
        cloexec(pipefd[0]);
        cloexec(pipefd[1]);
        pid = fork();
        if (pid < 0) {
            perror("pterm: fork");
            exit(1);
        } else if (pid == 0) {
            char display[128], buffer[128];
            int dlen, ret;

            close(pipefd[1]);
            /*
             * Now sit here until we receive a display name from the
             * other end of the pipe, and then stamp utmp. Unstamp utmp
             * again, and exit, when the pipe closes.
             */

            dlen = 0;
            while (1) {

                ret = read(pipefd[0], buffer, lenof(buffer));
                if (ret <= 0) {
                    cleanup_utmp();
                    _exit(0);
                } else if (!pty_stamped_utmp) {
                    if (dlen < lenof(display))
                        memcpy(display+dlen, buffer,
                               min(ret, lenof(display)-dlen));
                    if (buffer[ret-1] == '\0') {
                        /*
                         * Now we have a display name. NUL-terminate
                         * it, and stamp utmp.
                         */
                        display[lenof(display)-1] = '\0';
                        /*
                         * Trap as many fatal signals as we can in the
                         * hope of having the best possible chance to
                         * clean up utmp before termination. We are
                         * unfortunately unprotected against SIGKILL,
                         * but that's life.
                         */
                        putty_signal(SIGHUP, fatal_sig_handler);
                        putty_signal(SIGINT, fatal_sig_handler);
                        putty_signal(SIGQUIT, fatal_sig_handler);
                        putty_signal(SIGILL, fatal_sig_handler);
                        putty_signal(SIGABRT, fatal_sig_handler);
                        putty_signal(SIGFPE, fatal_sig_handler);
                        putty_signal(SIGPIPE, fatal_sig_handler);
                        putty_signal(SIGALRM, fatal_sig_handler);
                        putty_signal(SIGTERM, fatal_sig_handler);
                        putty_signal(SIGSEGV, fatal_sig_handler);
                        putty_signal(SIGUSR1, fatal_sig_handler);
                        putty_signal(SIGUSR2, fatal_sig_handler);
#ifdef SIGBUS
                        putty_signal(SIGBUS, fatal_sig_handler);
#endif
#ifdef SIGPOLL
                        putty_signal(SIGPOLL, fatal_sig_handler);
#endif
#ifdef SIGPROF
                        putty_signal(SIGPROF, fatal_sig_handler);
#endif
#ifdef SIGSYS
                        putty_signal(SIGSYS, fatal_sig_handler);
#endif
#ifdef SIGTRAP
                        putty_signal(SIGTRAP, fatal_sig_handler);
#endif
#ifdef SIGVTALRM
                        putty_signal(SIGVTALRM, fatal_sig_handler);
#endif
#ifdef SIGXCPU
                        putty_signal(SIGXCPU, fatal_sig_handler);
#endif
#ifdef SIGXFSZ
                        putty_signal(SIGXFSZ, fatal_sig_handler);
#endif
#ifdef SIGIO
                        putty_signal(SIGIO, fatal_sig_handler);
#endif
                        setup_utmp(pty->name, display);
                    }
                }
            }
        } else {
            close(pipefd[0]);
            pty_utmp_helper_pid = pid;
            pty_utmp_helper_pipe = pipefd[1];
        }
#endif
    }

    /* Drop privs. */
    {
#if HAVE_SETRESUID && HAVE_SETRESGID
        int gid = getgid(), uid = getuid();
        int setresgid(gid_t, gid_t, gid_t);
        int setresuid(uid_t, uid_t, uid_t);
        if (setresgid(gid, gid, gid) < 0) {
            perror("setresgid");
            exit(1);
        }
        if (setresuid(uid, uid, uid) < 0) {
            perror("setresuid");
            exit(1);
        }
#else
        if (setgid(getgid()) < 0) {
            perror("setgid");
            exit(1);
        }
        if (setuid(getuid()) < 0) {
            perror("setuid");
            exit(1);
        }
#endif
    }

#endif /* NO_PTY_PRE_INIT */

}

static void pty_try_wait(void);
static void pty_uxsel_setup(Pty *pty);

static void pty_real_select_result(Pty *pty, int fd, int event, int status)
{
    char buf[4096];
    int ret;
    bool finished = false;

    if (event < 0) {
        /*
         * We've been called because our child process did
         * something. `status' tells us what.
         */
        if ((WIFEXITED(status) || WIFSIGNALED(status))) {
            /*
             * The primary child process died.
             */
            pty->child_dead = true;
            del234(ptys_by_pid, pty);
            pty->exit_code = status;

            /*
             * If this is an ordinary pty session, this is also the
             * moment to terminate the whole backend.
             *
             * We _could_ instead keep the terminal open for remaining
             * subprocesses to output to, but conventional wisdom
             * seems to feel that that's the Wrong Thing for an
             * xterm-alike, so we bail out now (though we don't
             * necessarily _close_ the window, depending on the state
             * of Close On Exit). This would be easy enough to change
             * or make configurable if necessary.
             */
            if (pty->master_fd >= 0)
                finished = true;
        }
    } else {
        if (event == SELECT_R) {
            bool is_stdout = (fd == pty->master_o);

            ret = read(fd, buf, sizeof(buf));

            /*
             * Treat EIO on a pty master as equivalent to EOF (because
             * that's how the kernel seems to report the event where
             * the last process connected to the other end of the pty
             * went away).
             */
            if (fd == pty->master_fd && ret < 0 && errno == EIO)
                ret = 0;

            if (ret == 0) {
                /*
                 * EOF on this input fd, so to begin with, we may as
                 * well close it, and remove all references to it in
                 * the pty's fd fields.
                 */
                uxsel_del(fd);
                close(fd);
                if (pty->master_fd == fd)
                    pty->master_fd = -1;
                if (pty->master_o == fd)
                    pty->master_o = -1;
                if (pty->master_e == fd)
                    pty->master_e = -1;

                if (is_stdout) {
                    /*
                     * We assume a clean exit if the pty (or stdout
                     * pipe) has closed, but the actual child process
                     * hasn't. The only way I can imagine this
                     * happening is if it detaches itself from the pty
                     * and goes daemonic - in which case the expected
                     * usage model would precisely _not_ be for the
                     * pterm window to hang around!
                     */
                    finished = true;
                    pty_try_wait(); /* one last effort to collect exit code */
                    if (!pty->child_dead)
                        pty->exit_code = 0;
                }
            } else if (ret < 0) {
                perror("read pty master");
                exit(1);
            } else if (ret > 0) {
                pty->output_backlog = seat_output(
                    pty->seat, !is_stdout, buf, ret);
                pty_uxsel_setup(pty);
            }
        } else if (event == SELECT_W) {
            /*
             * Attempt to send data down the pty.
             */
            pty_try_write(pty);
        }
    }

    if (finished && !pty->finished) {
        int close_on_exit;
        int i;

        for (i = 0; i < 3; i++)
            if (pty->fds[i].fd >= 0)
                uxsel_del(pty->fds[i].fd);

        pty_close(pty);

        pty->finished = true;

        /*
         * This is a slight layering-violation sort of hack: only
         * if we're not closing on exit (COE is set to Never, or to
         * Only On Clean and it wasn't a clean exit) do we output a
         * `terminated' message.
         */
        close_on_exit = conf_get_int(pty->conf, CONF_close_on_exit);
        if (close_on_exit == FORCE_OFF ||
            (close_on_exit == AUTO && pty->exit_code != 0)) {
            char *message;
            if (WIFEXITED(pty->exit_code)) {
                message = dupprintf(
                    "\r\n[pterm: process terminated with exit code %d]\r\n",
                    WEXITSTATUS(pty->exit_code));
            } else if (WIFSIGNALED(pty->exit_code)) {
#if !HAVE_STRSIGNAL
                message = dupprintf(
                    "\r\n[pterm: process terminated on signal %d]\r\n",
                    WTERMSIG(pty->exit_code));
#else
                message = dupprintf(
                    "\r\n[pterm: process terminated on signal %d (%s)]\r\n",
                    WTERMSIG(pty->exit_code),
                    strsignal(WTERMSIG(pty->exit_code)));
#endif
            } else {
                /* _Shouldn't_ happen, but if it does, a vague message
                 * is better than no message at all */
                message = dupprintf("\r\n[pterm: process terminated]\r\n");
            }
            seat_stdout_pl(pty->seat, ptrlen_from_asciz(message));
            sfree(message);
        }

        seat_eof(pty->seat);
        seat_notify_remote_exit(pty->seat);
    }
}

static void pty_try_wait(void)
{
    Pty *pty;
    pid_t pid;
    int status;

    do {
        pid = waitpid(-1, &status, WNOHANG);

        pty = find234(ptys_by_pid, &pid, pty_find_by_pid);

        if (pty)
            pty_real_select_result(pty, -1, -1, status);
    } while (pid > 0);
}

void pty_select_result(int fd, int event)
{
    if (fd == pty_signal_pipe[0]) {
        char c[1];

        if (read(pty_signal_pipe[0], c, 1) <= 0)
            /* ignore error */;
        /* ignore its value; it'll be `x' */

        pty_try_wait();
    } else {
        PtyFd *ptyfd = find234(ptyfds, &fd, ptyfd_find);

        if (ptyfd)
            pty_real_select_result(ptyfd->pty, fd, event, 0);
    }
}

static void pty_uxsel_setup_fd(Pty *pty, int fd)
{
    int rwx = 0;

    if (fd < 0)
        return;

    /* read from standard output and standard error pipes, assuming
     * we're not too backlogged */
    if ((pty->master_o == fd || pty->master_e == fd) &&
        pty->output_backlog < PTY_MAX_BACKLOG)
        rwx |= SELECT_R;
    /* write to standard input pipe if we have any data */
    if (pty->master_i == fd && bufchain_size(&pty->output_data))
        rwx |= SELECT_W;

    uxsel_set(fd, rwx, pty_select_result);
}

static void pty_uxsel_setup(Pty *pty)
{
    /*
     * We potentially have three separate fds here, but on the other
     * hand, some of them might be the same (if they're a pty master).
     * So we can't just call uxsel_set(master_o, SELECT_R) and then
     * uxsel_set(master_i, SELECT_W), without the latter potentially
     * undoing the work of the former if master_o == master_i.
     *
     * Instead, here we call a single uxsel on each one of these fds
     * (if it exists at all), and for each one, check it against all
     * three to see which bits to set.
     */
    pty_uxsel_setup_fd(pty, pty->master_o);
    pty_uxsel_setup_fd(pty, pty->master_e);
    pty_uxsel_setup_fd(pty, pty->master_i);

    /*
     * In principle this only needs calling once for all pty
     * backend instances, but it's simplest just to call it every
     * time; uxsel won't mind.
     */
    uxsel_set(pty_signal_pipe[0], SELECT_R, pty_select_result);
}

static void copy_ttymodes_into_termios(
    struct termios *attrs, struct ssh_ttymodes modes)
{
#define TTYMODE_CHAR(name, ssh_opcode, cc_index) {                      \
        if (modes.have_mode[ssh_opcode]) {                              \
            unsigned value = modes.mode_val[ssh_opcode];                \
            /* normalise wire value of 255 to local _POSIX_VDISABLE */  \
            attrs->c_cc[cc_index] = (value == 255 ?                     \
                                     _POSIX_VDISABLE : value);          \
        }                                                               \
    }

#define TTYMODE_FLAG(flagval, ssh_opcode, field, flagmask) {    \
        if (modes.have_mode[ssh_opcode]) {                      \
            attrs->c_##field##flag &= ~flagmask;                \
            if (modes.mode_val[ssh_opcode])                     \
                attrs->c_##field##flag |= flagval;              \
        }                                                       \
    }

#define TTYMODES_LOCAL_ONLY   /* omit any that this platform doesn't know */
#include "ssh/ttymode-list.h"

#undef TTYMODES_LOCAL_ONLY
#undef TTYMODE_CHAR
#undef TTYMODE_FLAG

    if (modes.have_mode[TTYMODE_ISPEED])
        cfsetispeed(attrs, modes.mode_val[TTYMODE_ISPEED]);
    if (modes.have_mode[TTYMODE_OSPEED])
        cfsetospeed(attrs, modes.mode_val[TTYMODE_OSPEED]);
}

/*
 * The main setup function for the pty back end. This doesn't match
 * the signature of backend_init(), partly because it has to be able
 * to take extra arguments such as an argv array, and also because
 * once we're changing the type signature _anyway_ we can discard the
 * stuff that's not really applicable to this backend like host names
 * and port numbers.
 */
Backend *pty_backend_create(
    Seat *seat, LogContext *logctx, Conf *conf, char **argv, const char *cmd,
    struct ssh_ttymodes ttymodes, bool pipes_instead, const char *dir,
    const char *const *env_vars_to_unset)
{
    int slavefd;
    pid_t pid, pgrp;
#ifndef NOT_X_WINDOWS                  /* for Mac OS X native compilation */
    bool got_windowid;
    long windowid;
#endif
    Pty *pty;
    int i;

    /* No local authentication phase in this protocol */
    seat_set_trust_status(seat, false);

    if (single_pty) {
        pty = single_pty;
        assert(pty->conf == NULL);
    } else {
        pty = new_pty_struct();
        pty->master_fd = pty->slave_fd = -1;
#ifndef OMIT_UTMP
        pty_stamped_utmp = false;
#endif
    }
    for (i = 0; i < 6; i++)
        pty->pipefds[i] = -1;
    for (i = 0; i < 3; i++) {
        pty->fds[i].fd = -1;
        pty->fds[i].pty = pty;
    }

    if (pty_signal_pipe[0] < 0) {
        if (pipe(pty_signal_pipe) < 0) {
            perror("pipe");
            exit(1);
        }
        cloexec(pty_signal_pipe[0]);
        cloexec(pty_signal_pipe[1]);
    }

    pty->seat = seat;
    pty->backend.vt = &pty_backend;

    pty->conf = conf_copy(conf);
    pty->term_width = conf_get_int(conf, CONF_width);
    pty->term_height = conf_get_int(conf, CONF_height);

    if (!ptyfds)
        ptyfds = newtree234(ptyfd_compare);

    if (pipes_instead) {
        if (pty->master_fd >= 0) {
            /* If somehow we've got a pty master already and don't
             * need it, throw it away! */
            close(pty->master_fd);
#ifndef OMIT_UTMP
            if (pty_utmp_helper_pipe >= 0) {
                close(pty_utmp_helper_pipe); /* don't need this either */
                pty_utmp_helper_pipe = -1;
            }
#endif
        }


        for (i = 0; i < 6; i += 2) {
            if (pipe(pty->pipefds + i) < 0) {
                backend_free(&pty->backend);
                return NULL;
            }
        }

        pty->fds[0].fd = pty->master_i = pty->pipefds[1];
        pty->fds[1].fd = pty->master_o = pty->pipefds[2];
        pty->fds[2].fd = pty->master_e = pty->pipefds[4];

        add234(ptyfds, &pty->fds[0]);
        add234(ptyfds, &pty->fds[1]);
        add234(ptyfds, &pty->fds[2]);
    } else {
        if (pty->master_fd < 0)
            pty_open_master(pty);

#ifndef OMIT_UTMP
        /*
         * Stamp utmp (that is, tell the utmp helper process to do so),
         * or not.
         */
        if (pty_utmp_helper_pipe >= 0) {   /* if it's < 0, we can't anyway */
            if (!conf_get_bool(conf, CONF_stamp_utmp)) {
                /* We're not stamping utmp, so just let the child
                 * process die that was waiting to unstamp it later. */
                close(pty_utmp_helper_pipe);
                pty_utmp_helper_pipe = -1;
            } else {
                const char *location = seat_get_x_display(pty->seat);
                int len = strlen(location)+1, pos = 0; /* +1 to include NUL */
                while (pos < len) {
                    int ret = write(pty_utmp_helper_pipe,
                                    location + pos, len - pos);
                    if (ret < 0) {
                        perror("pterm: writing to utmp helper process");
                        close(pty_utmp_helper_pipe); /* arrgh, just give up */
                        pty_utmp_helper_pipe = -1;
                        break;
                    }
                    pos += ret;
                }
            }
        }
#endif

        pty->master_i = pty->master_fd;
        pty->master_o = pty->master_fd;
        pty->master_e = -1;

        pty->fds[0].fd = pty->master_fd;
        add234(ptyfds, &pty->fds[0]);
    }

#ifndef NOT_X_WINDOWS                  /* for Mac OS X native compilation */
    got_windowid = seat_get_windowid(pty->seat, &windowid);
#endif

    /*
     * Set up the signal handler to catch SIGCHLD, if pty_pre_init
     * didn't already do it.
     */
    pty_setup_sigchld_handler();

    /*
     * Fork and execute the command.
     */
    pid = fork();
    if (pid < 0) {
        perror("fork");
        exit(1);
    }

    if (pid == 0) {
        struct termios attrs;

        /*
         * We are the child.
         */

        if (pty_osx_envrestore_prefix) {
            int plen = strlen(pty_osx_envrestore_prefix);
            extern char **environ;
            char **ep;

          restart_osx_env_restore:
            for (ep = environ; *ep; ep++) {
                char *e = *ep;

                if (!strncmp(e, pty_osx_envrestore_prefix, plen)) {
                    bool unset = (e[plen] == 'u');
                    char *pname = dupprintf("%.*s", (int)strcspn(e, "="), e);
                    char *name = pname + plen + 1;
                    char *value = e + strcspn(e, "=");
                    if (*value) value++;
                    value = dupstr(value);
                    if (unset)
                        unsetenv(name);
                    else
                        setenv(name, value, 1);
                    unsetenv(pname);
                    sfree(pname);
                    sfree(value);
                    goto restart_osx_env_restore;
                }
            }
        }

        pgrp = getpid();

        if (pipes_instead) {
            int i;
            dup2(pty->pipefds[0], 0);
            dup2(pty->pipefds[3], 1);
            dup2(pty->pipefds[5], 2);
            for (i = 0; i < 6; i++)
                close(pty->pipefds[i]);

            setsid();
        } else {
            slavefd = pty_open_slave(pty);
            if (slavefd < 0) {
                perror("slave pty: open");
                _exit(1);
            }

            close(pty->master_fd);
            noncloexec(slavefd);
            dup2(slavefd, 0);
            dup2(slavefd, 1);
            dup2(slavefd, 2);
            close(slavefd);
            setsid();
#ifdef TIOCSCTTY
            ioctl(0, TIOCSCTTY, 1);
#endif
            tcsetpgrp(0, pgrp);

            /*
             * Set up configuration-dependent termios settings on the new
             * pty. Linux would have let us do this on the pty master
             * before we forked, but that fails on OS X, so we do it here
             * instead.
             */
            if (tcgetattr(0, &attrs) == 0) {
                /*
                 * Set the backspace character to be whichever of ^H and
                 * ^? is specified by bksp_is_delete.
                 */
                attrs.c_cc[VERASE] = conf_get_bool(conf, CONF_bksp_is_delete)
                    ? '\177' : '\010';

                /*
                 * Set the IUTF8 bit iff the character set is UTF-8.
                 */
#ifdef IUTF8
                if (seat_is_utf8(seat))
                    attrs.c_iflag |= IUTF8;
                else
                    attrs.c_iflag &= ~IUTF8;
#endif

                copy_ttymodes_into_termios(&attrs, ttymodes);

                tcsetattr(0, TCSANOW, &attrs);
            }
        }

        setpgid(pgrp, pgrp);
        if (!pipes_instead) {
            int ptyfd = open(pty->name, O_WRONLY, 0);
            if (ptyfd >= 0)
                close(ptyfd);
        }
        setpgid(pgrp, pgrp);

        if (env_vars_to_unset)
            for (const char *const *p = env_vars_to_unset; *p; p++)
                unsetenv(*p);

        if (!pipes_instead) {
            char *term_env_var = dupprintf("TERM=%s",
                                           conf_get_str(conf, CONF_termtype));
            putenv(term_env_var);
            /* We mustn't free term_env_var, as putenv links it into the
             * environment in place.
             */
        }
#ifndef NOT_X_WINDOWS                  /* for Mac OS X native compilation */
        if (got_windowid) {
            char *windowid_env_var = dupprintf("WINDOWID=%ld", windowid);
            putenv(windowid_env_var);
            /* We mustn't free windowid_env_var, as putenv links it into the
             * environment in place.
             */
        }
        {
            /*
             * In case we were invoked with a --display argument that
             * doesn't match DISPLAY in our actual environment, we
             * should set DISPLAY for processes running inside the
             * terminal to match the display the terminal itself is
             * on.
             */
            const char *x_display = seat_get_x_display(pty->seat);
            if (x_display) {
                char *x_display_env_var = dupprintf("DISPLAY=%s", x_display);
                putenv(x_display_env_var);
                /* As above, we don't free this. */
            } else {
                unsetenv("DISPLAY");
            }
        }
#endif
        {
            char *key, *val;

            for (val = conf_get_str_strs(conf, CONF_environmt, NULL, &key);
                 val != NULL;
                 val = conf_get_str_strs(conf, CONF_environmt, key, &key)) {
                char *varval = dupcat(key, "=", val);
                putenv(varval);
                /*
                 * We must not free varval, since putenv links it
                 * into the environment _in place_. Weird, but
                 * there we go. Memory usage will be rationalised
                 * as soon as we exec anyway.
                 */
            }
        }

        if (dir) {
            if (chdir(dir) < 0) {
                /* Ignore the error - nothing we can sensibly do about it,
                 * and our existing cwd is as good a fallback as any. */
            }
        }

        /*
         * SIGINT, SIGQUIT and SIGPIPE may have been set to ignored by
         * our parent, particularly by things like sh -c 'pterm &' and
         * some window or session managers. SIGPIPE was also
         * (potentially) blocked by us during startup. Reverse all
         * this for our child process.
         */
        putty_signal(SIGINT, SIG_DFL);
        putty_signal(SIGQUIT, SIG_DFL);
        putty_signal(SIGPIPE, SIG_DFL);
        block_signal(SIGPIPE, false);
        if (argv || cmd) {
            /*
             * If we were given a separated argument list, try to exec
             * it.
             */
            if (argv) {
                execvp(argv[0], argv);
            }
            /*
             * Otherwise, if we were given a single command string,
             * try passing that to $SHELL -c.
             *
             * In the case of pterm, this system of fallbacks arranges
             * that we can _either_ follow 'pterm -e' with a list of
             * argv elements to be fed directly to exec, _or_ with a
             * single argument containing a command to be parsed by a
             * shell (but, in cases of doubt, the former is more
             * reliable). We arrange this by setting argv to the full
             * argument list, and also setting cmd to the single
             * element of argv if it's a length-1 list.
             *
             * A quick survey of other terminal emulators' -e options
             * (as of Debian squeeze) suggests that:
             *
             *  - xterm supports both modes, more or less like this
             *  - gnome-terminal will only accept a one-string shell command
             *  - Eterm, kterm and rxvt will only accept a list of
             *    argv elements (as did older versions of pterm).
             *
             * It therefore seems important to support both usage
             * modes in order to be a drop-in replacement for either
             * xterm or gnome-terminal, and hence for anyone's
             * plausible uses of the Debian-style alias
             * 'x-terminal-emulator'.
             *
             * In other use cases, a caller can set only one of argv
             * and cmd to get a fixed handling of the input.
             */
            if (cmd) {
                char *shell = getenv("SHELL");
                if (shell)
                    execl(shell, shell, "-c", cmd, (void *)NULL);
            }
        } else {
            const char *shell = getenv("SHELL");
            if (!shell)
                shell = "/bin/sh";
            char *shellname;
            if (conf_get_bool(conf, CONF_login_shell)) {
                const char *p = strrchr(shell, '/');
                p = p ? p+1 : shell;
                shellname = dupprintf("-%s", p);
            } else
                shellname = (char *)shell;
            execl(shell, shellname, (void *)NULL);
        }

        /*
         * If we're here, exec has gone badly foom.
         */
        perror("exec");
        _exit(127);
    } else {
        pty->child_pid = pid;
        pty->child_dead = false;
        pty->finished = false;
        if (pty->slave_fd > 0)
            close(pty->slave_fd);
        if (!ptys_by_pid)
            ptys_by_pid = newtree234(pty_compare_by_pid);
        if (pty->pipefds[0] >= 0) {
            close(pty->pipefds[0]);
            pty->pipefds[0] = -1;
        }
        if (pty->pipefds[3] >= 0) {
            close(pty->pipefds[3]);
            pty->pipefds[3] = -1;
        }
        if (pty->pipefds[5] >= 0) {
            close(pty->pipefds[5]);
            pty->pipefds[5] = -1;
        }
        add234(ptys_by_pid, pty);
    }

    pty_uxsel_setup(pty);

    return &pty->backend;
}

/*
 * This is the pty backend's _official_ init method, for BackendVtable
 * purposes. Its job is just to be an API converter, ignoring the
 * irrelevant input parameters and making up auxiliary outputs. Also
 * it gets the argv array from the global variable pty_argv, expecting
 * that it will have been invoked by pterm.
 */
static char *pty_init(const BackendVtable *vt, Seat *seat,
                      Backend **backend_handle, LogContext *logctx,
                      Conf *conf, const char *host, int port,
                      char **realhost, bool nodelay, bool keepalive)
{
    const char *cmd = NULL;
    struct ssh_ttymodes modes;

    memset(&modes, 0, sizeof(modes));

    if (pty_argv && pty_argv[0] && !pty_argv[1])
        cmd = pty_argv[0];

    assert(vt == &pty_backend);
    *backend_handle = pty_backend_create(
        seat, logctx, conf, pty_argv, cmd, modes, false, NULL, NULL);
    *realhost = dupstr("");
    return NULL;
}

static void pty_reconfig(Backend *be, Conf *conf)
{
    Pty *pty = container_of(be, Pty, backend);
    /*
     * We don't have much need to reconfigure this backend, but
     * unfortunately we do need to pick up the setting of Close On
     * Exit so we know whether to give a `terminated' message.
     */
    conf_copy_into(pty->conf, conf);
}

/*
 * Stub routine (never called in pterm).
 */
static void pty_free(Backend *be)
{
    Pty *pty = container_of(be, Pty, backend);
    int i;

    pty_close(pty);

    /* Either of these may fail `not found'. That's fine with us. */
    del234(ptys_by_pid, pty);
    for (i = 0; i < 3; i++)
        if (pty->fds[i].fd >= 0)
            del234(ptyfds, &pty->fds[i]);

    bufchain_clear(&pty->output_data);

    conf_free(pty->conf);
    pty->conf = NULL;

    if (pty == single_pty) {
        /*
         * Leave this structure around in case we need to Restart
         * Session.
         */
    } else {
        sfree(pty);
    }
}

static void pty_try_write(Pty *pty)
{
    ssize_t ret;

    assert(pty->master_i >= 0);

    while (bufchain_size(&pty->output_data) > 0) {
        ptrlen data = bufchain_prefix(&pty->output_data);
        ret = write(pty->master_i, data.ptr, data.len);

        if (ret < 0 && (errno == EWOULDBLOCK)) {
            /*
             * We've sent all we can for the moment.
             */
            break;
        }
        if (ret < 0) {
            perror("write pty master");
            exit(1);
        }
        bufchain_consume(&pty->output_data, ret);
    }

    if (pty->pending_eof && bufchain_size(&pty->output_data) == 0) {
        /* This should only happen if pty->master_i is a pipe that
         * doesn't alias either output fd */
        assert(pty->master_i != pty->master_o);
        assert(pty->master_i != pty->master_e);
        uxsel_del(pty->master_i);
        close(pty->master_i);
        pty->master_i = -1;
        pty->pending_eof = false;
    }

    pty_uxsel_setup(pty);
}

/*
 * Called to send data down the pty.
 */
static void pty_send(Backend *be, const char *buf, size_t len)
{
    Pty *pty = container_of(be, Pty, backend);

    if (pty->master_i < 0 || pty->pending_eof)
        return;                   /* ignore all writes if fd closed */

    bufchain_add(&pty->output_data, buf, len);
    pty_try_write(pty);
}

static void pty_close(Pty *pty)
{
    int i;

    if (pty->master_o >= 0)
        uxsel_del(pty->master_o);
    if (pty->master_e >= 0)
        uxsel_del(pty->master_e);
    if (pty->master_i >= 0)
        uxsel_del(pty->master_i);

    if (pty->master_fd >= 0) {
        close(pty->master_fd);
        pty->master_fd = -1;
    }
    for (i = 0; i < 6; i++) {
        if (pty->pipefds[i] >= 0)
            close(pty->pipefds[i]);
        pty->pipefds[i] = -1;
    }
    pty->master_i = pty->master_o = pty->master_e = -1;
#ifndef OMIT_UTMP
    if (pty_utmp_helper_pipe >= 0) {
        close(pty_utmp_helper_pipe);   /* this causes utmp to be cleaned up */
        pty_utmp_helper_pipe = -1;
    }
#endif
}

/*
 * Called to query the current socket sendability status.
 */
static size_t pty_sendbuffer(Backend *be)
{
    Pty *pty = container_of(be, Pty, backend);
    return bufchain_size(&pty->output_data);
}

/*
 * Called to set the size of the window
 */
static void pty_size(Backend *be, int width, int height)
{
    Pty *pty = container_of(be, Pty, backend);
    struct winsize size;
    int xpixel = 0, ypixel = 0;

    pty->term_width = width;
    pty->term_height = height;

    if (pty->master_fd < 0)
        return;

    seat_get_window_pixel_size(pty->seat, &xpixel, &ypixel);

    size.ws_row = (unsigned short)pty->term_height;
    size.ws_col = (unsigned short)pty->term_width;
    size.ws_xpixel = (unsigned short)xpixel;
    size.ws_ypixel = (unsigned short)ypixel;
    ioctl(pty->master_fd, TIOCSWINSZ, (void *)&size);
    return;
}

/*
 * Send special codes.
 */
static void pty_special(Backend *be, SessionSpecialCode code, int arg)
{
    Pty *pty = container_of(be, Pty, backend);

    if (code == SS_BRK) {
        if (pty->master_fd >= 0)
            tcsendbreak(pty->master_fd, 0);
        return;
    }

    if (code == SS_EOF) {
        if (pty->master_i >= 0 && pty->master_i != pty->master_fd) {
            pty->pending_eof = true;
            pty_try_write(pty);
        }
        return;
    }

    {
        int sig = -1;

        #define SIGNAL_SUB(name) if (code == SS_SIG ## name) sig = SIG ## name;
        #define SIGNAL_MAIN(name, text) SIGNAL_SUB(name)
        #define SIGNALS_LOCAL_ONLY
        #include "ssh/signal-list.h"
        #undef SIGNAL_SUB
        #undef SIGNAL_MAIN
        #undef SIGNALS_LOCAL_ONLY

        if (sig != -1) {
            if (!pty->child_dead)
                kill(pty->child_pid, sig);
            return;
        }
    }

    return;
}

/*
 * Return a list of the special codes that make sense in this
 * protocol.
 */
static const SessionSpecial *pty_get_specials(Backend *be)
{
    /* Pty *pty = container_of(be, Pty, backend); */
    /*
     * Hmm. When I get round to having this actually usable, it
     * might be quite nice to have the ability to deliver a few
     * well chosen signals to the child process - SIGINT, SIGTERM,
     * SIGKILL at least.
     */
    return NULL;
}

static bool pty_connected(Backend *be)
{
    /* Pty *pty = container_of(be, Pty, backend); */
    return true;
}

static bool pty_sendok(Backend *be)
{
    /* Pty *pty = container_of(be, Pty, backend); */
    return true;
}

static void pty_unthrottle(Backend *be, size_t backlog)
{
    Pty *pty = container_of(be, Pty, backend);
    pty->output_backlog = backlog;
    pty_uxsel_setup(pty);
}

static bool pty_ldisc(Backend *be, int option)
{
    /* Pty *pty = container_of(be, Pty, backend); */
    return false;                    /* neither editing nor echoing */
}

static void pty_provide_ldisc(Backend *be, Ldisc *ldisc)
{
    /* Pty *pty = container_of(be, Pty, backend); */
    /* This is a stub. */
}

static int pty_exitcode(Backend *be)
{
    Pty *pty = container_of(be, Pty, backend);
    if (!pty->finished)
        return -1;                     /* not dead yet */
    else if (WIFSIGNALED(pty->exit_code))
        return 128 + WTERMSIG(pty->exit_code);
    else
        return WEXITSTATUS(pty->exit_code);
}

int pty_backend_exit_signum(Backend *be)
{
    Pty *pty = container_of(be, Pty, backend);

    if (!pty->finished || !WIFSIGNALED(pty->exit_code))
        return -1;

    return WTERMSIG(pty->exit_code);
}

ptrlen pty_backend_exit_signame(Backend *be, char **aux_msg)
{
    *aux_msg = NULL;

    int sig = pty_backend_exit_signum(be);
    if (sig < 0)
        return PTRLEN_LITERAL("");

    #define SIGNAL_SUB(s) {                             \
        if (sig == SIG ## s)                            \
            return PTRLEN_LITERAL(#s);                  \
    }
    #define SIGNAL_MAIN(s, desc) SIGNAL_SUB(s)
    #define SIGNALS_LOCAL_ONLY
    #include "ssh/signal-list.h"
    #undef SIGNAL_MAIN
    #undef SIGNAL_SUB
    #undef SIGNALS_LOCAL_ONLY

    *aux_msg = dupprintf("untranslatable signal number %d: %s",
                         sig, strsignal(sig));
    return PTRLEN_LITERAL("HUP");      /* need some kind of default */
}

static int pty_cfg_info(Backend *be)
{
    /* Pty *pty = container_of(be, Pty, backend); */
    return 0;
}

const BackendVtable pty_backend = {
    .init = pty_init,
    .free = pty_free,
    .reconfig = pty_reconfig,
    .send = pty_send,
    .sendbuffer = pty_sendbuffer,
    .size = pty_size,
    .special = pty_special,
    .get_specials = pty_get_specials,
    .connected = pty_connected,
    .exitcode = pty_exitcode,
    .sendok = pty_sendok,
    .ldisc_option_state = pty_ldisc,
    .provide_ldisc = pty_provide_ldisc,
    .unthrottle = pty_unthrottle,
    .cfg_info = pty_cfg_info,
    .id = "pty",
    .displayname_tc = "pty",
    .displayname_lc = "pty",
    .protocol = -1,
};