===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/channels.c,v
retrieving revision 1.356
retrieving revision 1.357
diff -u -r1.356 -r1.357
--- src/usr.bin/ssh/channels.c	2016/10/18 17:32:54	1.356
+++ src/usr.bin/ssh/channels.c	2017/02/01 02:59:09	1.357
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.356 2016/10/18 17:32:54 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.357 2017/02/01 02:59:09 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -3038,7 +3038,7 @@
 	}
 	packet_check_eom();
 	c = channel_connect_to_port(host, host_port,
-	    "connected socket", originator_string);
+	    "connected socket", originator_string, NULL, NULL);
 	free(originator_string);
 	free(host);
 	if (c == NULL) {
@@ -3993,9 +3993,13 @@
 	memset(cctx, 0, sizeof(*cctx));
 }
 
-/* Return CONNECTING channel to remote host:port or local socket path */
+/*
+ * Return CONNECTING channel to remote host:port or local socket path,
+ * passing back the failure reason if appropriate.
+ */
 static Channel *
-connect_to(const char *name, int port, char *ctype, char *rname)
+connect_to_reason(const char *name, int port, char *ctype, char *rname,
+     int *reason, const char **errmsg)
 {
 	struct addrinfo hints;
 	int gaierr;
@@ -4036,7 +4040,12 @@
 		hints.ai_family = IPv4or6;
 		hints.ai_socktype = SOCK_STREAM;
 		snprintf(strport, sizeof strport, "%d", port);
-		if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) {
+		if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop))
+		    != 0) {
+			if (errmsg != NULL)
+				*errmsg = ssh_gai_strerror(gaierr);
+			if (reason != NULL)
+				*reason = SSH2_OPEN_CONNECT_FAILED;
 			error("connect_to %.100s: unknown host (%s)", name,
 			    ssh_gai_strerror(gaierr));
 			return NULL;
@@ -4059,6 +4068,13 @@
 	return c;
 }
 
+/* Return CONNECTING channel to remote host:port or local socket path */
+static Channel *
+connect_to(const char *name, int port, char *ctype, char *rname)
+{
+	return connect_to_reason(name, port, ctype, rname, NULL, NULL);
+}
+
 /*
  * returns either the newly connected channel or the downstream channel
  * that needs to deal with this connection.
@@ -4103,7 +4119,8 @@
 
 /* Check if connecting to that port is permitted and connect. */
 Channel *
-channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname)
+channel_connect_to_port(const char *host, u_short port, char *ctype,
+    char *rname, int *reason, const char **errmsg)
 {
 	int i, permit, permit_adm = 1;
 
@@ -4128,9 +4145,11 @@
 	if (!permit || !permit_adm) {
 		logit("Received request to connect to host %.100s port %d, "
 		    "but the request was denied.", host, port);
+		if (reason != NULL)
+			*reason = SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED;
 		return NULL;
 	}
-	return connect_to(host, port, ctype, rname);
+	return connect_to_reason(host, port, ctype, rname, reason, errmsg);
 }
 
 /* Check if connecting to that path is permitted and connect. */