From 28f61c8b3a2015fdf07755ed8797a47eb0508887 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sun, 15 Feb 2015 22:34:05 +0800 Subject: [PATCH 01/15] tcp fastopen for the server --HG-- branch : fastopen --- dbutil.c | 10 ++++++++++ dbutil.h | 6 ++++++ svr-main.c | 17 ++++++++++++----- 3 files changed, 28 insertions(+), 5 deletions(-) diff --git a/dbutil.c b/dbutil.c index ec108bf..03244cb 100644 --- a/dbutil.c +++ b/dbutil.c @@ -221,6 +221,16 @@ void set_sock_nodelay(int sock) { setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); } +#ifdef DROPBEAR_TCP_FAST_OPEN +void set_listen_fast_open(int sock) { + int qlen = MAX(MAX_UNAUTH_PER_IP, 5); + if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) { + TRACE(("set_listen_fast_open failed for socket %d: %s", sock, strerror(errno))) + } +} + +#endif + void set_sock_priority(int sock, enum dropbear_prio prio) { int iptos_val = 0, so_prio_val = 0, rc; diff --git a/dbutil.h b/dbutil.h index 9feec2d..eb630a7 100644 --- a/dbutil.h +++ b/dbutil.h @@ -75,6 +75,12 @@ void getaddrstring(struct sockaddr_storage* addr, char **ret_host, char **ret_port, int host_lookup); void set_sock_nodelay(int sock); void set_sock_priority(int sock, enum dropbear_prio prio); + +#ifdef __linux__ +#define DROPBEAR_TCP_FAST_OPEN +void set_listen_fast_open(int sock); +#endif + int dropbear_listen(const char* address, const char* port, int *socks, unsigned int sockcount, char **errstring, int *maxfd); int spawn_command(void(*exec_fn)(void *user_data), void *exec_data, diff --git a/svr-main.c b/svr-main.c index 284e02d..5234086 100644 --- a/svr-main.c +++ b/svr-main.c @@ -138,7 +138,6 @@ void main_noinetd() { } for (i = 0; i < listensockcount; i++) { - set_sock_priority(listensocks[i], DROPBEAR_PRIO_LOWDELAY); FD_SET(listensocks[i], &fds); } @@ -403,9 +402,9 @@ static void commonsetup() { } /* Set up listening sockets for all the requested ports */ -static size_t listensockets(int *sock, size_t sockcount, int *maxfd) { - - unsigned int i; +static size_t listensockets(int *socks, size_t sockcount, int *maxfd) { + + unsigned int i, n; char* errstring = NULL; size_t sockpos = 0; int nsock; @@ -416,7 +415,7 @@ static size_t listensockets(int *sock, size_t sockcount, int *maxfd) { TRACE(("listening on '%s:%s'", svr_opts.addresses[i], svr_opts.ports[i])) - nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &sock[sockpos], + nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &socks[sockpos], sockcount - sockpos, &errstring, maxfd); @@ -427,6 +426,14 @@ static size_t listensockets(int *sock, size_t sockcount, int *maxfd) { continue; } + for (n = 0; n < (unsigned int)nsock; n++) { + int sock = socks[sockpos + n]; + set_sock_priority(sock, DROPBEAR_PRIO_LOWDELAY); +#ifdef DROPBEAR_TCP_FAST_OPEN + set_listen_fast_open(sock); +#endif + } + sockpos += nsock; } From 8795d733ecd27ef7aa1cc5d9e68b5ecb5a90f64e Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 18 Feb 2015 00:05:27 +0800 Subject: [PATCH 02/15] work in progress for async connect --HG-- branch : fastopen --- configure.ac | 2 +- dbutil.c | 299 ++++++++++++++++++++++++++++++++++++--------------- dbutil.h | 15 ++- packet.c | 21 +++- session.h | 2 + 5 files changed, 246 insertions(+), 93 deletions(-) diff --git a/configure.ac b/configure.ac index b0e85e5..b952d7e 100644 --- a/configure.ac +++ b/configure.ac @@ -632,7 +632,7 @@ fi AC_PROG_GCC_TRADITIONAL AC_FUNC_MEMCMP AC_FUNC_SELECT_ARGTYPES -AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev]) +AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev sendmsg]) AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) diff --git a/dbutil.c b/dbutil.c index 03244cb..edae1af 100644 --- a/dbutil.c +++ b/dbutil.c @@ -439,95 +439,6 @@ static void set_piggyback_ack(int sock) { } #endif - -/* Connect via TCP to a host. Connection will try ipv4 or ipv6, will - * return immediately if nonblocking is set. On failure, if errstring - * wasn't null, it will be a newly malloced error message */ - -/* TODO: maxfd */ -int connect_remote(const char* remotehost, const char* remoteport, char ** errstring) { - - struct addrinfo *res0 = NULL, *res = NULL, hints; - int sock; - int err; - - TRACE(("enter connect_remote")) - - if (errstring != NULL) { - *errstring = NULL; - } - - memset(&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_family = PF_UNSPEC; - - err = getaddrinfo(remotehost, remoteport, &hints, &res0); - if (err) { - if (errstring != NULL && *errstring == NULL) { - int len; - len = 100 + strlen(gai_strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error resolving '%s' port '%s'. %s", - remotehost, remoteport, gai_strerror(err)); - } - TRACE(("Error resolving: %s", gai_strerror(err))) - return -1; - } - - sock = -1; - err = EADDRNOTAVAIL; - for (res = res0; res; res = res->ai_next) { - - sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (sock < 0) { - err = errno; - continue; - } - - setnonblocking(sock); - -#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) - set_piggyback_ack(sock); -#endif - - if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) { - if (errno == EINPROGRESS) { - TRACE(("Connect in progress")) - break; - } else { - err = errno; - close(sock); - sock = -1; - continue; - } - } - - break; /* Success */ - } - - if (sock < 0 && !(errno == EINPROGRESS)) { - /* Failed */ - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error connecting: %s", strerror(err)); - } - TRACE(("Error connecting: %s", strerror(err))) - } else { - /* Success */ - set_sock_nodelay(sock); - } - - freeaddrinfo(res0); - if (sock > 0 && errstring != NULL && *errstring != NULL) { - m_free(*errstring); - } - - TRACE(("leave connect_remote: sock %d\n", sock)) - return sock; -} - /* Sets up a pipe for a, returning three non-blocking file descriptors * and the pid. exec_fn is the function that will actually execute the child process, * it will be run after the child has fork()ed, and is passed exec_data. @@ -1069,3 +980,213 @@ time_t monotonic_now() { return time(NULL); } + +struct dropbear_progress_connection +{ + struct addrinfo *res; + struct addrinfo *res_iter; + + char *remotehost, *remoteport; /* For error reporting */ + + connect_callback cb; + void *cb_data; + + struct Queue *writequeue; /* A queue of encrypted packets to send with TCP fastopen, + or NULL. */ + + int sock; +}; + +/* Deallocate a progress connection. Removes from the pending list if iter!=NULL. +Does not close sockets */ +static void remove_connect(struct dropbear_progress_connection *c, m_list_elem *iter) { + if (c->res) { + freeaddrinfo(c->res); + } + m_free(c->remotehost); + m_free(c->remoteport); + m_free(c); + + if (iter) { + list_remove(iter); + } +} + +static int connect_try_next(struct dropbear_progress_connection *c) { + int err = EADDRNOTAVAIL; + struct addrinfo *r; + + if (!c->res_iter) { + return DROPBEAR_FAILURE; + } + + for (r = c->res_iter; r; r = r->ai_next) + { + assert(c->sock == -1); + + c->sock = socket(c->res_iter->ai_family, c->res_iter->ai_socktype, c->res_iter->ai_protocol); + if (c->sock < 0) { + err = errno; + continue; + } + + setnonblocking(c->sock); + +#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) + set_piggyback_ack(sock); +#endif + + if (connect(c->sock, r->ai_addr, r->ai_addrlen) < 0) { + if (errno == EINPROGRESS) { + TRACE(("Connect in progress")) + break; + } else { + err = errno; + close(c->sock); + c->sock = -1; + continue; + } + } + + break; /* Success. Treated the same as EINPROGRESS */ + } + + if (r) { + c->res_iter = r->ai_next; + } else { + c->res_iter = NULL; + } + + if (c->sock >= 0 || (errno == EINPROGRESS)) { + /* Success */ + set_sock_nodelay(c->sock); + return DROPBEAR_SUCCESS; + } else { + /* XXX - returning error message through */ +#if 0 + /* Failed */ + if (errstring != NULL && *errstring == NULL) { + int len; + len = 20 + strlen(strerror(err)); + *errstring = (char*)m_malloc(len); + snprintf(*errstring, len, "Error connecting: %s", strerror(err)); + } + TRACE(("Error connecting: %s", strerror(err))) +#endif + return DROPBEAR_FAILURE; + } +} + +/* Connect via TCP to a host. Connection will try ipv4 or ipv6, will + * return immediately if nonblocking is set. On failure, if errstring + * wasn't null, it will be a newly malloced error message */ + +/* TODO: maxfd */ +struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport, + connect_callback cb, void* cb_data) +{ + struct dropbear_progress_connection *c = NULL; + int err; + struct addrinfo hints; + + c = m_malloc(sizeof(*c)); + c->remotehost = m_strdup(remotehost); + c->remoteport = m_strdup(remoteport); + c->sock = -1; + c->cb = cb; + c->cb_data = cb_data; + + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_STREAM; + hints.ai_family = PF_UNSPEC; + + err = getaddrinfo(remotehost, remoteport, &hints, &c->res); + if (err) { + int len; + char *errstring; + len = 100 + strlen(gai_strerror(err)); + errstring = (char*)m_malloc(len); + snprintf(errstring, len, "Error resolving '%s' port '%s'. %s", + remotehost, remoteport, gai_strerror(err)); + c->cb(DROPBEAR_FAILURE, -1, c->cb_data, errstring); + m_free(errstring); + TRACE(("Error resolving: %s", gai_strerror(err))) + remove_connect(c, NULL); + return NULL; + } + + c->res_iter = c->res; + + if (connect_try_next(c) == DROPBEAR_FAILURE) { + /* Should not happen - getaddrinfo() should return failure if there are no addresses */ + c->cb(DROPBEAR_FAILURE, -1, c->cb_data, "No address to try"); + TRACE(("leave handle_connect_fds - failed")) + remove_connect(c, NULL); + return NULL; + } + + list_append(&ses.conn_pending, c); + + return c; +} + + +void set_connect_fds(fd_set *writefd) { + m_list_elem *iter; + TRACE(("enter handle_connect_fds")) + for (iter = ses.conn_pending.first; iter; iter = iter->next) { + struct dropbear_progress_connection *c = iter->item; + if (c->sock >= 0) { + FD_SET(c->sock, writefd); + } + else + { + + } + } +} + +void handle_connect_fds(fd_set *writefd) { + m_list_elem *iter; + TRACE(("enter handle_connect_fds")) + for (iter = ses.conn_pending.first; iter; iter = iter->next) { + int val; + socklen_t vallen = sizeof(val); + struct dropbear_progress_connection *c = iter->item; + + if (!FD_ISSET(c->sock, writefd)) { + continue; + } + + TRACE(("handling %s port %s socket %d", c->remotehost, c->remoteport, c->sock)); + + if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &val, &vallen) != 0) { + TRACE(("handle_connect_fds getsockopt(%d) SO_ERROR failed: %s", c->sock, strerror(errno))) + } else if (val != 0) { + /* Connect failed */ + TRACE(("connect to %s port %s failed.", c->remotehost, c->remoteport)) + m_close(c->sock); + c->sock = -1; + + if (connect_try_next(c) == DROPBEAR_FAILURE) { + c->cb(DROPBEAR_FAILURE, -1, c->cb_data, strerror(val)); + TRACE(("leave handle_connect_fds - failed")) + remove_connect(c, iter); + /* Must return here - remove_connect() invalidates iter */ + return; + } else { + /* new connection try was successfuly started, will be finished by a + later call to handle_connect_fds() */ + TRACE(("leave handle_connect_fds - new try")) + continue; + } + } + /* New connection has been established */ + c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, ""); + remove_connect(c, iter); + TRACE(("leave handle_connect_fds - success")) + /* Must return here - remove_connect() invalidates iter */ + return; + } + TRACE(("leave handle_connect_fds - end iter")) +} diff --git a/dbutil.h b/dbutil.h index eb630a7..3f4f165 100644 --- a/dbutil.h +++ b/dbutil.h @@ -76,7 +76,7 @@ void getaddrstring(struct sockaddr_storage* addr, void set_sock_nodelay(int sock); void set_sock_priority(int sock, enum dropbear_prio prio); -#ifdef __linux__ +#if defined(__linux__) && HAVE_SENDMSG #define DROPBEAR_TCP_FAST_OPEN void set_listen_fast_open(int sock); #endif @@ -89,7 +89,6 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell); #ifdef ENABLE_CONNECT_UNIX int connect_unix(const char* addr); #endif -int connect_remote(const char* remotehost, const char* remoteport, char ** errstring); int buf_readfile(buffer* buf, const char* filename); int buf_getline(buffer * line, FILE * authfile); @@ -118,4 +117,16 @@ time_t monotonic_now(); char * expand_tilde(const char *inpath); +struct dropbear_progress_connection; + +/* result is DROPBEAR_SUCCESS or DROPBEAR_FAILURE. +errstring is only set on DROPBEAR_FAILURE, returns failure message for the last attempted socket */ +typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring); + +struct dropbear_progress_connection * connect_remote (const char* remotehost, const char* remoteport, + connect_callback cb, void *cb_data); + +void set_connect_fds(fd_set *writefd); +void handle_connect_fds(fd_set *writefd); + #endif /* _DBUTIL_H_ */ diff --git a/packet.c b/packet.c index 89b1bcf..10ee88e 100644 --- a/packet.c +++ b/packet.c @@ -52,10 +52,29 @@ static buffer* buf_decompress(buffer* buf, unsigned int len); static void buf_compress(buffer * dest, buffer * src, unsigned int len); #endif +struct iovec * dropbear_queue_to_iovec(struct Queue *queue) { + + struct iovec *iov = NULL; + struct Link *l; + int iov_max_count; + + #ifndef IOV_MAX + #define IOV_MAX UIO_MAXIOV + #endif + +#error incomplete + +} + +void dropbear_queue_consume(struct Queue *queue, ssize_t written) { + +} + /* non-blocking function writing out a current encrypted packet */ void write_packet() { - int len, written; + ssize_t written; + int len; buffer * writebuf = NULL; unsigned packet_type; #ifdef HAVE_WRITEV diff --git a/session.h b/session.h index ed0f5be..50d8d10 100644 --- a/session.h +++ b/session.h @@ -144,6 +144,8 @@ struct sshsession { int signal_pipe[2]; /* stores endpoints of a self-pipe used for race-free signal handling */ + + m_list conn_pending; /* time of the last packet send/receive, for keepalive. Not real-world clock */ time_t last_packet_time_keepalive_sent; From 755c1458f0197d4da1dcb86ac832a8ffa8d02b27 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 18 Feb 2015 22:46:15 +0800 Subject: [PATCH 03/15] async connections working --HG-- branch : fastopen --- channel.h | 4 ++ cli-main.c | 8 +--- cli-session.c | 9 ++++ cli-tcpfwd.c | 14 +------ common-channel.c | 47 ++++++++++----------- common-session.c | 7 +++- dbutil.c | 104 ++++++++++++++++++++++++++--------------------- dbutil.h | 3 ++ packet.c | 2 + session.h | 1 + svr-tcpfwd.c | 14 +------ 11 files changed, 108 insertions(+), 105 deletions(-) diff --git a/channel.h b/channel.h index a310d44..b543ea1 100644 --- a/channel.h +++ b/channel.h @@ -73,6 +73,7 @@ struct Channel { * to ensure we don't run it twice (nor type->checkclose()). */ int close_handler_done; + struct dropbear_progress_connection *conn_pending; int initconn; /* used for TCP forwarding, whether the channel has been fully initialised */ @@ -100,6 +101,9 @@ struct ChanType { void (*closehandler)(struct Channel*); }; +/* Callback for connect_remote */ +void channel_connect_done(int result, int sock, void* user_data, const char* errstring); + void chaninitialise(const struct ChanType *chantypes[]); void chancleanup(); void setchannelfds(fd_set *readfd, fd_set *writefd); diff --git a/cli-main.c b/cli-main.c index a956721..6834d1d 100644 --- a/cli-main.c +++ b/cli-main.c @@ -72,12 +72,8 @@ int main(int argc, char ** argv) { } else #endif { - int sock = connect_remote(cli_opts.remotehost, cli_opts.remoteport, &error); - sock_in = sock_out = sock; - } - - if (sock_in < 0) { - dropbear_exit("%s", error); + connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, NULL); + sock_in = sock_out = -1; } cli_session(sock_in, sock_out); diff --git a/cli-session.c b/cli-session.c index a484bf7..a5ae728 100644 --- a/cli-session.c +++ b/cli-session.c @@ -93,6 +93,15 @@ static const struct ChanType *cli_chantypes[] = { NULL /* Null termination */ }; +void cli_connected(int result, int sock, void* userdata, const char *errstring) +{ + if (result == DROPBEAR_FAILURE) + { + dropbear_exit("Connect failed: %s", errstring); + } + ses.sock_in = ses.sock_out = sock; +} + void cli_session(int sock_in, int sock_out) { common_session_init(sock_in, sock_out); diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c index 3894044..3e87ffd 100644 --- a/cli-tcpfwd.c +++ b/cli-tcpfwd.c @@ -254,19 +254,7 @@ static int newtcpforwarded(struct Channel * channel) { } snprintf(portstring, sizeof(portstring), "%d", fwd->connectport); - sock = connect_remote(fwd->connectaddr, portstring, NULL); - if (sock < 0) { - TRACE(("leave newtcpdirect: sock failed")) - err = SSH_OPEN_CONNECT_FAILED; - goto out; - } - - ses.maxfd = MAX(ses.maxfd, sock); - - /* We don't set readfd, that will get set after the connection's - * progress succeeds */ - channel->writefd = sock; - channel->initconn = 1; + channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel); channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE; diff --git a/common-channel.c b/common-channel.c index 049658d..40f8613 100644 --- a/common-channel.c +++ b/common-channel.c @@ -48,7 +48,6 @@ static void send_msg_channel_data(struct Channel *channel, int isextended); static void send_msg_channel_eof(struct Channel *channel); static void send_msg_channel_close(struct Channel *channel); static void remove_channel(struct Channel *channel); -static void check_in_progress(struct Channel *channel); static unsigned int write_pending(struct Channel * channel); static void check_close(struct Channel *channel); static void close_chan_fd(struct Channel *channel, int fd, int how); @@ -163,7 +162,6 @@ static struct Channel* newchannel(unsigned int remotechan, newchan->writefd = FD_UNINIT; newchan->readfd = FD_UNINIT; newchan->errfd = FD_CLOSED; /* this isn't always set to start with */ - newchan->initconn = 0; newchan->await_open = 0; newchan->flushing = 0; @@ -242,12 +240,6 @@ void channelio(fd_set *readfds, fd_set *writefds) { /* write to program/pipe stdin */ if (channel->writefd >= 0 && FD_ISSET(channel->writefd, writefds)) { - if (channel->initconn) { - /* XXX should this go somewhere cleaner? */ - check_in_progress(channel); - continue; /* Important not to use the channel after - check_in_progress(), as it may be NULL */ - } writechannel(channel, channel->writefd, channel->writebuf); do_check_close = 1; } @@ -374,27 +366,27 @@ static void check_close(struct Channel *channel) { * if so, set up the channel properly. Otherwise, the channel is cleaned up, so * it is important that the channel reference isn't used after a call to this * function */ -static void check_in_progress(struct Channel *channel) { +void channel_connect_done(int result, int sock, void* user_data, const char* UNUSED(errstring)) { - int val; - socklen_t vallen = sizeof(val); + struct Channel *channel = user_data; - TRACE(("enter check_in_progress")) + TRACE(("enter channel_connect_done")) - if (getsockopt(channel->writefd, SOL_SOCKET, SO_ERROR, &val, &vallen) - || val != 0) { - send_msg_channel_open_failure(channel->remotechan, - SSH_OPEN_CONNECT_FAILED, "", ""); - close(channel->writefd); - remove_channel(channel); - TRACE(("leave check_in_progress: fail")) - } else { + if (result == DROPBEAR_SUCCESS) + { + channel->readfd = channel->writefd = sock; + channel->conn_pending = NULL; chan_initwritebuf(channel); send_msg_channel_open_confirmation(channel, channel->recvwindow, channel->recvmaxpacket); - channel->readfd = channel->writefd; - channel->initconn = 0; - TRACE(("leave check_in_progress: success")) + TRACE(("leave channel_connect_done: success")) + } + else + { + send_msg_channel_open_failure(channel->remotechan, + SSH_OPEN_CONNECT_FAILED, "", ""); + remove_channel(channel); + TRACE(("leave check_in_progress: fail")) } } @@ -514,8 +506,7 @@ void setchannelfds(fd_set *readfds, fd_set *writefds) { } /* Stuff from the wire */ - if (channel->initconn - ||(channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0)) { + if (channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0) { FD_SET(channel->writefd, writefds); } @@ -599,6 +590,10 @@ static void remove_channel(struct Channel * channel) { channel->close_handler_done = 1; } + if (channel->conn_pending) { + cancel_connect(channel->conn_pending); + } + ses.channels[channel->index] = NULL; m_free(channel); ses.chancount--; @@ -1149,7 +1144,7 @@ struct Channel* get_any_ready_channel() { struct Channel *chan = ses.channels[i]; if (chan && !(chan->sent_eof || chan->recv_eof) - && !(chan->await_open || chan->initconn)) { + && !(chan->await_open)) { return chan; } } diff --git a/common-session.c b/common-session.c index 26ef147..6ca7f54 100644 --- a/common-session.c +++ b/common-session.c @@ -167,6 +167,9 @@ void session_loop(void(*loophandler)()) { /* set up for channels which can be read/written */ setchannelfds(&readfd, &writefd); + /* Pending connections to test */ + set_connect_fds(&writefd); + val = select(ses.maxfd+1, &readfd, &writefd, NULL, &timeout); if (exitflag) { @@ -214,11 +217,13 @@ void session_loop(void(*loophandler)()) { process_packet(); } } - + /* if required, flush out any queued reply packets that were being held up during a KEX */ maybe_flush_reply_queue(); + handle_connect_fds(&writefd); + /* process pipes etc for the channels, ses.dataallowed == 0 * during rekeying ) */ channelio(&readfd, &writefd); diff --git a/dbutil.c b/dbutil.c index edae1af..7b3a664 100644 --- a/dbutil.c +++ b/dbutil.c @@ -995,6 +995,8 @@ struct dropbear_progress_connection or NULL. */ int sock; + + char* errstring; }; /* Deallocate a progress connection. Removes from the pending list if iter!=NULL. @@ -1005,6 +1007,7 @@ static void remove_connect(struct dropbear_progress_connection *c, m_list_elem * } m_free(c->remotehost); m_free(c->remoteport); + m_free(c->errstring); m_free(c); if (iter) { @@ -1012,12 +1015,24 @@ static void remove_connect(struct dropbear_progress_connection *c, m_list_elem * } } -static int connect_try_next(struct dropbear_progress_connection *c) { +static void cancel_callback(int result, int sock, void* UNUSED(data), const char* UNUSED(errstring)) { + if (result == DROPBEAR_SUCCESS) + { + m_close(sock); + } +} + +void cancel_connect(struct dropbear_progress_connection *c) { + c->cb = cancel_callback; + c->cb_data = NULL; +} + +static void connect_try_next(struct dropbear_progress_connection *c) { int err = EADDRNOTAVAIL; struct addrinfo *r; if (!c->res_iter) { - return DROPBEAR_FAILURE; + return; } for (r = c->res_iter; r; r = r->ai_next) @@ -1030,6 +1045,7 @@ static int connect_try_next(struct dropbear_progress_connection *c) { continue; } + ses.maxfd = MAX(ses.maxfd, c->sock); setnonblocking(c->sock); #if defined(__linux__) && defined(TCP_DEFER_ACCEPT) @@ -1060,8 +1076,12 @@ static int connect_try_next(struct dropbear_progress_connection *c) { if (c->sock >= 0 || (errno == EINPROGRESS)) { /* Success */ set_sock_nodelay(c->sock); - return DROPBEAR_SUCCESS; + return; } else { + if (!c->res_iter) + { + + } /* XXX - returning error message through */ #if 0 /* Failed */ @@ -1073,15 +1093,10 @@ static int connect_try_next(struct dropbear_progress_connection *c) { } TRACE(("Error connecting: %s", strerror(err))) #endif - return DROPBEAR_FAILURE; } } -/* Connect via TCP to a host. Connection will try ipv4 or ipv6, will - * return immediately if nonblocking is set. On failure, if errstring - * wasn't null, it will be a newly malloced error message */ - -/* TODO: maxfd */ +/* Connect via TCP to a host. */ struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport, connect_callback cb, void* cb_data) { @@ -1096,6 +1111,8 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons c->cb = cb; c->cb_data = cb_data; + list_append(&ses.conn_pending, c); + memset(&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; hints.ai_family = PF_UNSPEC; @@ -1103,29 +1120,18 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons err = getaddrinfo(remotehost, remoteport, &hints, &c->res); if (err) { int len; - char *errstring; len = 100 + strlen(gai_strerror(err)); - errstring = (char*)m_malloc(len); - snprintf(errstring, len, "Error resolving '%s' port '%s'. %s", + c->errstring = (char*)m_malloc(len); + snprintf(c->errstring, len, "Error resolving '%s' port '%s'. %s", remotehost, remoteport, gai_strerror(err)); - c->cb(DROPBEAR_FAILURE, -1, c->cb_data, errstring); - m_free(errstring); TRACE(("Error resolving: %s", gai_strerror(err))) - remove_connect(c, NULL); return NULL; } c->res_iter = c->res; - if (connect_try_next(c) == DROPBEAR_FAILURE) { - /* Should not happen - getaddrinfo() should return failure if there are no addresses */ - c->cb(DROPBEAR_FAILURE, -1, c->cb_data, "No address to try"); - TRACE(("leave handle_connect_fds - failed")) - remove_connect(c, NULL); - return NULL; - } - - list_append(&ses.conn_pending, c); + /* Set one going */ + connect_try_next(c); return c; } @@ -1136,12 +1142,24 @@ void set_connect_fds(fd_set *writefd) { TRACE(("enter handle_connect_fds")) for (iter = ses.conn_pending.first; iter; iter = iter->next) { struct dropbear_progress_connection *c = iter->item; + /* Set one going */ + while (c->res_iter && c->sock < 0) + { + connect_try_next(c); + } if (c->sock >= 0) { FD_SET(c->sock, writefd); - } - else - { - + } else { + m_list_elem *remove_iter; + /* Final failure */ + if (!c->errstring) { + c->errstring = m_strdup("unexpected failure"); + } + c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring); + /* Safely remove without invalidating iter */ + remove_iter = iter; + iter = iter->prev; + remove_connect(c, remove_iter); } } } @@ -1162,31 +1180,25 @@ void handle_connect_fds(fd_set *writefd) { if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &val, &vallen) != 0) { TRACE(("handle_connect_fds getsockopt(%d) SO_ERROR failed: %s", c->sock, strerror(errno))) + /* This isn't expected to happen - Unix has surprises though, continue gracefully. */ + m_close(c->sock); + c->sock = -1; } else if (val != 0) { /* Connect failed */ TRACE(("connect to %s port %s failed.", c->remotehost, c->remoteport)) m_close(c->sock); c->sock = -1; - if (connect_try_next(c) == DROPBEAR_FAILURE) { - c->cb(DROPBEAR_FAILURE, -1, c->cb_data, strerror(val)); - TRACE(("leave handle_connect_fds - failed")) - remove_connect(c, iter); - /* Must return here - remove_connect() invalidates iter */ - return; - } else { - /* new connection try was successfuly started, will be finished by a - later call to handle_connect_fds() */ - TRACE(("leave handle_connect_fds - new try")) - continue; - } + m_free(c->errstring); + c->errstring = strerror(val); + } else { + /* New connection has been established */ + c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, NULL); + remove_connect(c, iter); + TRACE(("leave handle_connect_fds - success")) + /* Must return here - remove_connect() invalidates iter */ + return; } - /* New connection has been established */ - c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, ""); - remove_connect(c, iter); - TRACE(("leave handle_connect_fds - success")) - /* Must return here - remove_connect() invalidates iter */ - return; } TRACE(("leave handle_connect_fds - end iter")) } diff --git a/dbutil.h b/dbutil.h index 3f4f165..e05b249 100644 --- a/dbutil.h +++ b/dbutil.h @@ -129,4 +129,7 @@ struct dropbear_progress_connection * connect_remote (const char* remotehost, co void set_connect_fds(fd_set *writefd); void handle_connect_fds(fd_set *writefd); +/* Doesn't actually stop the connect, but adds a dummy callback instead */ +void cancel_connect(struct dropbear_progress_connection *c); + #endif /* _DBUTIL_H_ */ diff --git a/packet.c b/packet.c index 10ee88e..d02ec69 100644 --- a/packet.c +++ b/packet.c @@ -52,6 +52,7 @@ static buffer* buf_decompress(buffer* buf, unsigned int len); static void buf_compress(buffer * dest, buffer * src, unsigned int len); #endif +#if 0 struct iovec * dropbear_queue_to_iovec(struct Queue *queue) { struct iovec *iov = NULL; @@ -69,6 +70,7 @@ struct iovec * dropbear_queue_to_iovec(struct Queue *queue) { void dropbear_queue_consume(struct Queue *queue, ssize_t written) { } +#endif /* non-blocking function writing out a current encrypted packet */ void write_packet() { diff --git a/session.h b/session.h index 50d8d10..3786346 100644 --- a/session.h +++ b/session.h @@ -61,6 +61,7 @@ void svr_dropbear_log(int priority, const char* format, va_list param); /* Client */ void cli_session(int sock_in, int sock_out); +void cli_connected(int result, int sock, void* userdata, const char *errstring); void cleantext(unsigned char* dirtytext); /* crypto parameters that are stored individually for transmit and receive */ diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c index f2c4b93..8f364b5 100644 --- a/svr-tcpfwd.c +++ b/svr-tcpfwd.c @@ -270,19 +270,7 @@ static int newtcpdirect(struct Channel * channel) { } snprintf(portstring, sizeof(portstring), "%d", destport); - sock = connect_remote(desthost, portstring, NULL); - if (sock < 0) { - err = SSH_OPEN_CONNECT_FAILED; - TRACE(("leave newtcpdirect: sock failed")) - goto out; - } - - ses.maxfd = MAX(ses.maxfd, sock); - - /* We don't set readfd, that will get set after the connection's - * progress succeeds */ - channel->writefd = sock; - channel->initconn = 1; + channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel); channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE; From 5f0cc969a005757778848a459f924a237a35fc7d Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 18 Feb 2015 23:02:49 +0800 Subject: [PATCH 04/15] generalise write iovec handling --HG-- branch : fastopen --- packet.c | 91 ++++++++++++++++++++++++++------------------------------ 1 file changed, 42 insertions(+), 49 deletions(-) diff --git a/packet.c b/packet.c index d02ec69..7b2b865 100644 --- a/packet.c +++ b/packet.c @@ -52,25 +52,52 @@ static buffer* buf_decompress(buffer* buf, unsigned int len); static void buf_compress(buffer * dest, buffer * src, unsigned int len); #endif -#if 0 -struct iovec * dropbear_queue_to_iovec(struct Queue *queue) { - +struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count) { struct iovec *iov = NULL; struct Link *l; - int iov_max_count; + unsigned int i, packet_type; + int len; + buffer *writebuf; #ifndef IOV_MAX #define IOV_MAX UIO_MAXIOV #endif -#error incomplete + *ret_iov_count = MIN(queue->count, IOV_MAX); + iov = m_malloc(sizeof(*iov) * *ret_iov_count); + for (l = queue->head, i = 0; l; l = l->link, i++) + { + writebuf = (buffer*)l->item; + packet_type = writebuf->data[writebuf->len-1]; + len = writebuf->len - 1 - writebuf->pos; + dropbear_assert(len > 0); + TRACE2(("write_packet writev #%d type %d len %d/%d", i, packet_type, + len, writebuf->len-1)) + iov[i].iov_base = buf_getptr(writebuf, len); + iov[i].iov_len = len; + } + + return iov; } -void dropbear_queue_consume(struct Queue *queue, ssize_t written) { - +void packet_queue_consume(struct Queue *queue, ssize_t written) { + buffer *writebuf; + int len; + while (written > 0) { + writebuf = (buffer*)examine(queue); + len = writebuf->len - 1 - writebuf->pos; + if (len > written) { + /* partial buffer write */ + buf_incrpos(writebuf, written); + written = 0; + } else { + written -= len; + dequeue(queue); + buf_free(writebuf); + } + } } -#endif /* non-blocking function writing out a current encrypted packet */ void write_packet() { @@ -83,7 +110,7 @@ void write_packet() { struct iovec *iov = NULL; int i; struct Link *l; - int iov_max_count; + int iov_count; #endif TRACE2(("enter write_packet")) @@ -91,62 +118,28 @@ void write_packet() { #if defined(HAVE_WRITEV) && (defined(IOV_MAX) || defined(UIO_MAXIOV)) -#ifndef IOV_MAX -#define IOV_MAX UIO_MAXIOV -#endif - - /* Make sure the size of the iov is below the maximum allowed by the OS. */ - iov_max_count = ses.writequeue.count; - if (iov_max_count > IOV_MAX) - { - iov_max_count = IOV_MAX; - } - - iov = m_malloc(sizeof(*iov) * iov_max_count); - for (l = ses.writequeue.head, i = 0; l; l = l->link, i++) - { - writebuf = (buffer*)l->item; - packet_type = writebuf->data[writebuf->len-1]; - len = writebuf->len - 1 - writebuf->pos; - dropbear_assert(len > 0); - TRACE2(("write_packet writev #%d type %d len %d/%d", i, packet_type, - len, writebuf->len-1)) - iov[i].iov_base = buf_getptr(writebuf, len); - iov[i].iov_len = len; - } + iov = packet_queue_to_iovec(&ses.writequeue, &iov_count); /* This may return EAGAIN. The main loop sometimes calls write_packet() without bothering to test with select() since it's likely to be necessary */ - written = writev(ses.sock_out, iov, iov_max_count); + written = writev(ses.sock_out, iov, iov_count); if (written < 0) { if (errno == EINTR || errno == EAGAIN) { - m_free(iov); TRACE2(("leave write_packet: EINTR")) + m_free(iov); return; } else { dropbear_exit("Error writing: %s", strerror(errno)); } } + m_free(iov); + + packet_queue_consume(&ses.writequeue, written); if (written == 0) { ses.remoteclosed(); } - while (written > 0) { - writebuf = (buffer*)examine(&ses.writequeue); - len = writebuf->len - 1 - writebuf->pos; - if (len > written) { - /* partial buffer write */ - buf_incrpos(writebuf, written); - written = 0; - } else { - written -= len; - dequeue(&ses.writequeue); - buf_free(writebuf); - } - } - - m_free(iov); #else /* No writev () */ /* Get the next buffer in the queue of encrypted packets to write*/ writebuf = (buffer*)examine(&ses.writequeue); From 76a3eb393c021905736f79e7e048017f664b2430 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 19 Feb 2015 00:32:00 +0800 Subject: [PATCH 05/15] In theory TFO should work. Needs platform cleanup and testing --HG-- branch : fastopen --- cli-main.c | 5 +++-- cli-session.c | 7 ++++++- dbutil.c | 46 ++++++++++++++++++++++++++++++++++++++++++---- dbutil.h | 3 +++ packet.c | 2 -- packet.h | 5 +++++ session.h | 2 +- 7 files changed, 60 insertions(+), 10 deletions(-) diff --git a/cli-main.c b/cli-main.c index 6834d1d..80ff557 100644 --- a/cli-main.c +++ b/cli-main.c @@ -47,6 +47,7 @@ int main(int argc, char ** argv) { int sock_in, sock_out; char* error = NULL; + struct dropbear_progress_connection *progress = NULL; _dropbear_exit = cli_dropbear_exit; _dropbear_log = cli_dropbear_log; @@ -72,11 +73,11 @@ int main(int argc, char ** argv) { } else #endif { - connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, NULL); + progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, NULL); sock_in = sock_out = -1; } - cli_session(sock_in, sock_out); + cli_session(sock_in, sock_out, progress); /* not reached */ return -1; diff --git a/cli-session.c b/cli-session.c index a5ae728..c2e4863 100644 --- a/cli-session.c +++ b/cli-session.c @@ -102,15 +102,20 @@ void cli_connected(int result, int sock, void* userdata, const char *errstring) ses.sock_in = ses.sock_out = sock; } -void cli_session(int sock_in, int sock_out) { +void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) { common_session_init(sock_in, sock_out); + if (progress) { + connect_set_writequeue(progress, &ses.writequeue); + } + chaninitialise(cli_chantypes); /* Set up cli_ses vars */ cli_session_init(); + /* Ready to go */ sessinitdone = 1; diff --git a/dbutil.c b/dbutil.c index 7b3a664..01b541c 100644 --- a/dbutil.c +++ b/dbutil.c @@ -1049,9 +1049,11 @@ static void connect_try_next(struct dropbear_progress_connection *c) { setnonblocking(c->sock); #if defined(__linux__) && defined(TCP_DEFER_ACCEPT) - set_piggyback_ack(sock); + //set_piggyback_ack(c->sock); #endif +#ifdef PROGRESS_CONNECT_FALLBACK +#if 0 if (connect(c->sock, r->ai_addr, r->ai_addrlen) < 0) { if (errno == EINPROGRESS) { TRACE(("Connect in progress")) @@ -1065,8 +1067,43 @@ static void connect_try_next(struct dropbear_progress_connection *c) { } break; /* Success. Treated the same as EINPROGRESS */ +#endif +#else + { + struct msghdr message = {0}; + int flags; + int res; + message.msg_name = r->ai_addr; + message.msg_namelen = r->ai_addrlen; + + if (c->writequeue) { + int iovlen; /* Linux msg_iovlen is a size_t */ + message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); + message.msg_iovlen = iovlen; + res = sendmsg(c->sock, &message, MSG_FASTOPEN); + if (res < 0 && errno == EOPNOTSUPP) { + TRACE(("Fastopen not supported")); + /* No kernel MSG_FASTOPEN support. Fall back below */ + c->writequeue = NULL; + } + } + + if (!c->writequeue) { + res = connect(c->sock, r->ai_addr, r->ai_addrlen); + } + if (res < 0 && errno != EINPROGRESS) { + err = errno; + close(c->sock); + c->sock = -1; + continue; + } else { + break; + } + } +#endif } + if (r) { c->res_iter = r->ai_next; } else { @@ -1130,9 +1167,6 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons c->res_iter = c->res; - /* Set one going */ - connect_try_next(c); - return c; } @@ -1202,3 +1236,7 @@ void handle_connect_fds(fd_set *writefd) { } TRACE(("leave handle_connect_fds - end iter")) } + +void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue) { + c->writequeue = writequeue; +} diff --git a/dbutil.h b/dbutil.h index e05b249..c82e494 100644 --- a/dbutil.h +++ b/dbutil.h @@ -28,6 +28,7 @@ #include "includes.h" #include "buffer.h" +#include "queue.h" #ifndef DISABLE_SYSLOG void startsyslog(); @@ -132,4 +133,6 @@ void handle_connect_fds(fd_set *writefd); /* Doesn't actually stop the connect, but adds a dummy callback instead */ void cancel_connect(struct dropbear_progress_connection *c); +void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue); + #endif /* _DBUTIL_H_ */ diff --git a/packet.c b/packet.c index 7b2b865..bdc3613 100644 --- a/packet.c +++ b/packet.c @@ -108,8 +108,6 @@ void write_packet() { unsigned packet_type; #ifdef HAVE_WRITEV struct iovec *iov = NULL; - int i; - struct Link *l; int iov_count; #endif diff --git a/packet.h b/packet.h index 4645b14..ac14eca 100644 --- a/packet.h +++ b/packet.h @@ -27,6 +27,7 @@ #define _PACKET_H_ #include "includes.h" +#include "queue.h" void write_packet(); void read_packet(); @@ -46,4 +47,8 @@ typedef struct PacketType { #define INIT_READBUF 128 +/* TODO: writev #ifdef guard */ +struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count); +void packet_queue_consume(struct Queue *queue, ssize_t written); + #endif /* _PACKET_H_ */ diff --git a/session.h b/session.h index 3786346..28c2cae 100644 --- a/session.h +++ b/session.h @@ -60,7 +60,7 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_N void svr_dropbear_log(int priority, const char* format, va_list param); /* Client */ -void cli_session(int sock_in, int sock_out); +void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress); void cli_connected(int result, int sock, void* userdata, const char *errstring); void cleantext(unsigned char* dirtytext); From 86a717c80c29c6431d90b6c0f3c21d09a1034c09 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 19 Feb 2015 22:33:51 +0800 Subject: [PATCH 06/15] fallback for old glibc and fastopen memset rather than = {0} initialiser --HG-- branch : fastopen --- dbutil.c | 3 ++- dbutil.h | 7 +++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/dbutil.c b/dbutil.c index 01b541c..a0d3f75 100644 --- a/dbutil.c +++ b/dbutil.c @@ -1070,9 +1070,10 @@ static void connect_try_next(struct dropbear_progress_connection *c) { #endif #else { - struct msghdr message = {0}; + struct msghdr message; int flags; int res; + memset(&message, 0x0, sizeof(message)); message.msg_name = r->ai_addr; message.msg_namelen = r->ai_addrlen; diff --git a/dbutil.h b/dbutil.h index c82e494..b4a8f42 100644 --- a/dbutil.h +++ b/dbutil.h @@ -80,6 +80,13 @@ void set_sock_priority(int sock, enum dropbear_prio prio); #if defined(__linux__) && HAVE_SENDMSG #define DROPBEAR_TCP_FAST_OPEN void set_listen_fast_open(int sock); +/* may be supported by kernel but not libc */ +#ifndef TCP_FASTOPEN +#define TCP_FASTOPEN 23 +#endif +#ifndef MSG_FASTOPEN +#define MSG_FASTOPEN 0x20000000 +#endif #endif int dropbear_listen(const char* address, const char* port, From 2e7d468b906488c152afb463226330a0a97aacba Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 19 Feb 2015 22:41:51 +0800 Subject: [PATCH 07/15] Add the missing second half of iov code --HG-- branch : fastopen --- dbutil.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dbutil.c b/dbutil.c index 01b541c..f1a0f19 100644 --- a/dbutil.c +++ b/dbutil.c @@ -1086,6 +1086,10 @@ static void connect_try_next(struct dropbear_progress_connection *c) { /* No kernel MSG_FASTOPEN support. Fall back below */ c->writequeue = NULL; } + m_free(message.msg_iov); + if (res > 0) { + packet_queue_consume(c->writequeue, res); + } } if (!c->writequeue) { From 1b1997bf2da9322c526ec1da4358aae94f7de06e Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 20 Feb 2015 22:13:53 +0800 Subject: [PATCH 08/15] Update priority once the socket is open --HG-- branch : fastopen --- cli-session.c | 1 + common-session.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/cli-session.c b/cli-session.c index c2e4863..8cd75f8 100644 --- a/cli-session.c +++ b/cli-session.c @@ -100,6 +100,7 @@ void cli_connected(int result, int sock, void* userdata, const char *errstring) dropbear_exit("Connect failed: %s", errstring); } ses.sock_in = ses.sock_out = sock; + update_channel_prio(); } void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) { diff --git a/common-session.c b/common-session.c index 6ca7f54..d95c2ee 100644 --- a/common-session.c +++ b/common-session.c @@ -552,6 +552,11 @@ void update_channel_prio() { TRACE(("update_channel_prio")) + if (ses.sock_out < 0) { + TRACE(("leave update_channel_prio: no socket")) + return; + } + new_prio = DROPBEAR_PRIO_BULK; for (i = 0; i < ses.chansize; i++) { struct Channel *channel = ses.channels[i]; From 364a53577eb33f20bed877fc5d4a54de829707d8 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 20 Feb 2015 23:16:38 +0800 Subject: [PATCH 09/15] Move generic network routines to netio.c --HG-- branch : fastopen --- Makefile.in | 4 +- cli-authpubkey.c | 2 +- cli-main.c | 4 +- cli-session.c | 7 +- cli-tcpfwd.c | 2 +- common-channel.c | 1 + common-session.c | 1 + dbutil.c | 549 ------------------------------------------- dbutil.h | 30 --- netio.c | 598 +++++++++++++++++++++++++++++++++++++++++++++++ netio.h | 46 ++++ packet.c | 51 +--- packet.h | 4 - session.h | 1 + signkey.c | 4 +- svr-tcpfwd.c | 2 +- 16 files changed, 661 insertions(+), 645 deletions(-) create mode 100644 netio.c create mode 100644 netio.h diff --git a/Makefile.in b/Makefile.in index 8cde521..452ef8d 100644 --- a/Makefile.in +++ b/Makefile.in @@ -40,12 +40,12 @@ SVROBJS=svr-kex.o svr-auth.o sshpty.o \ CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ cli-session.o cli-runopts.o cli-chansession.o \ cli-authpubkey.o cli-tcpfwd.o cli-channel.o cli-authinteract.o \ - cli-agentfwd.o list.o + cli-agentfwd.o CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \ common-channel.o common-chansession.o termcodes.o loginrec.o \ tcp-accept.o listener.o process-packet.o \ - common-runopts.o circbuffer.o curve25519-donna.o + common-runopts.o circbuffer.o curve25519-donna.o list.o netio.o KEYOBJS=dropbearkey.o diff --git a/cli-authpubkey.c b/cli-authpubkey.c index 9fcc256..cdef36e 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -58,7 +58,7 @@ void recv_msg_userauth_pk_ok() { buffer* keybuf = NULL; char* algotype = NULL; unsigned int algolen; - int keytype; + enum signkey_type keytype; unsigned int remotelen; TRACE(("enter recv_msg_userauth_pk_ok")) diff --git a/cli-main.c b/cli-main.c index 80ff557..ff2b30f 100644 --- a/cli-main.c +++ b/cli-main.c @@ -30,6 +30,7 @@ #include "session.h" #include "dbrandom.h" #include "crypto_desc.h" +#include "netio.h" static void cli_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_NORETURN; static void cli_dropbear_log(int priority, const char* format, va_list param); @@ -46,7 +47,6 @@ int main(int argc, char ** argv) { #endif int sock_in, sock_out; - char* error = NULL; struct dropbear_progress_connection *progress = NULL; _dropbear_exit = cli_dropbear_exit; @@ -73,7 +73,7 @@ int main(int argc, char ** argv) { } else #endif { - progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, NULL); + progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, &ses); sock_in = sock_out = -1; } diff --git a/cli-session.c b/cli-session.c index 8cd75f8..08f4ff5 100644 --- a/cli-session.c +++ b/cli-session.c @@ -37,6 +37,7 @@ #include "chansession.h" #include "agentfwd.h" #include "crypto_desc.h" +#include "netio.h" static void cli_remoteclosed(); static void cli_sessionloop(); @@ -95,11 +96,11 @@ static const struct ChanType *cli_chantypes[] = { void cli_connected(int result, int sock, void* userdata, const char *errstring) { - if (result == DROPBEAR_FAILURE) - { + struct sshsession *myses = userdata; + if (result == DROPBEAR_FAILURE) { dropbear_exit("Connect failed: %s", errstring); } - ses.sock_in = ses.sock_out = sock; + myses->sock_in = myses->sock_out = sock; update_channel_prio(); } diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c index 3e87ffd..ec65f41 100644 --- a/cli-tcpfwd.c +++ b/cli-tcpfwd.c @@ -30,6 +30,7 @@ #include "runopts.h" #include "session.h" #include "ssh.h" +#include "netio.h" #ifdef ENABLE_CLI_REMOTETCPFWD static int newtcpforwarded(struct Channel * channel); @@ -215,7 +216,6 @@ static int newtcpforwarded(struct Channel * channel) { m_list_elem * iter = NULL; struct TCPFwdEntry *fwd; char portstring[NI_MAXSERV]; - int sock; int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; origaddr = buf_getstring(ses.payload, NULL); diff --git a/common-channel.c b/common-channel.c index 40f8613..5e32cc3 100644 --- a/common-channel.c +++ b/common-channel.c @@ -35,6 +35,7 @@ #include "ssh.h" #include "listener.h" #include "runopts.h" +#include "netio.h" static void send_msg_channel_open_failure(unsigned int remotechan, int reason, const unsigned char *text, const unsigned char *lang); diff --git a/common-session.c b/common-session.c index d95c2ee..46aef0d 100644 --- a/common-session.c +++ b/common-session.c @@ -34,6 +34,7 @@ #include "kex.h" #include "channel.h" #include "runopts.h" +#include "netio.h" static void checktimeouts(); static long select_timeout(); diff --git a/dbutil.c b/dbutil.c index 7f3fb59..a6463d6 100644 --- a/dbutil.c +++ b/dbutil.c @@ -213,193 +213,6 @@ void dropbear_trace2(const char* format, ...) { } #endif /* DEBUG_TRACE */ -void set_sock_nodelay(int sock) { - int val; - - /* disable nagle */ - val = 1; - setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); -} - -#ifdef DROPBEAR_TCP_FAST_OPEN -void set_listen_fast_open(int sock) { - int qlen = MAX(MAX_UNAUTH_PER_IP, 5); - if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) { - TRACE(("set_listen_fast_open failed for socket %d: %s", sock, strerror(errno))) - } -} - -#endif - -void set_sock_priority(int sock, enum dropbear_prio prio) { - - int iptos_val = 0, so_prio_val = 0, rc; - - /* Don't log ENOTSOCK errors so that this can harmlessly be called - * on a client '-J' proxy pipe */ - - /* set the TOS bit for either ipv4 or ipv6 */ -#ifdef IPTOS_LOWDELAY - if (prio == DROPBEAR_PRIO_LOWDELAY) { - iptos_val = IPTOS_LOWDELAY; - } else if (prio == DROPBEAR_PRIO_BULK) { - iptos_val = IPTOS_THROUGHPUT; - } -#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) - rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&iptos_val, sizeof(iptos_val)); - if (rc < 0 && errno != ENOTSOCK) { - TRACE(("Couldn't set IPV6_TCLASS (%s)", strerror(errno))); - } -#endif - rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&iptos_val, sizeof(iptos_val)); - if (rc < 0 && errno != ENOTSOCK) { - TRACE(("Couldn't set IP_TOS (%s)", strerror(errno))); - } -#endif - -#ifdef SO_PRIORITY - if (prio == DROPBEAR_PRIO_LOWDELAY) { - so_prio_val = TC_PRIO_INTERACTIVE; - } else if (prio == DROPBEAR_PRIO_BULK) { - so_prio_val = TC_PRIO_BULK; - } - /* linux specific, sets QoS class. see tc-prio(8) */ - rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &so_prio_val, sizeof(so_prio_val)); - if (rc < 0 && errno != ENOTSOCK) - dropbear_log(LOG_WARNING, "Couldn't set SO_PRIORITY (%s)", - strerror(errno)); -#endif - -} - -/* Listen on address:port. - * Special cases are address of "" listening on everything, - * and address of NULL listening on localhost only. - * Returns the number of sockets bound on success, or -1 on failure. On - * failure, if errstring wasn't NULL, it'll be a newly malloced error - * string.*/ -int dropbear_listen(const char* address, const char* port, - int *socks, unsigned int sockcount, char **errstring, int *maxfd) { - - struct addrinfo hints, *res = NULL, *res0 = NULL; - int err; - unsigned int nsock; - struct linger linger; - int val; - int sock; - - TRACE(("enter dropbear_listen")) - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; /* TODO: let them flag v4 only etc */ - hints.ai_socktype = SOCK_STREAM; - - /* for calling getaddrinfo: - address == NULL and !AI_PASSIVE: local loopback - address == NULL and AI_PASSIVE: all interfaces - address != NULL: whatever the address says */ - if (!address) { - TRACE(("dropbear_listen: local loopback")) - } else { - if (address[0] == '\0') { - TRACE(("dropbear_listen: all interfaces")) - address = NULL; - } - hints.ai_flags = AI_PASSIVE; - } - err = getaddrinfo(address, port, &hints, &res0); - - if (err) { - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(gai_strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error resolving: %s", gai_strerror(err)); - } - if (res0) { - freeaddrinfo(res0); - res0 = NULL; - } - TRACE(("leave dropbear_listen: failed resolving")) - return -1; - } - - - nsock = 0; - for (res = res0; res != NULL && nsock < sockcount; - res = res->ai_next) { - - /* Get a socket */ - socks[nsock] = socket(res->ai_family, res->ai_socktype, - res->ai_protocol); - - sock = socks[nsock]; /* For clarity */ - - if (sock < 0) { - err = errno; - TRACE(("socket() failed")) - continue; - } - - /* Various useful socket options */ - val = 1; - /* set to reuse, quick timeout */ - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger)); - -#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) - if (res->ai_family == AF_INET6) { - int on = 1; - if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, - &on, sizeof(on)) == -1) { - dropbear_log(LOG_WARNING, "Couldn't set IPV6_V6ONLY"); - } - } -#endif - - set_sock_nodelay(sock); - - if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { - err = errno; - close(sock); - TRACE(("bind(%s) failed", port)) - continue; - } - - if (listen(sock, DROPBEAR_LISTEN_BACKLOG) < 0) { - err = errno; - close(sock); - TRACE(("listen() failed")) - continue; - } - - *maxfd = MAX(*maxfd, sock); - - nsock++; - } - - if (res0) { - freeaddrinfo(res0); - res0 = NULL; - } - - if (nsock == 0) { - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error listening: %s", strerror(err)); - } - TRACE(("leave dropbear_listen: failure, %s", strerror(err))) - return -1; - } - - TRACE(("leave dropbear_listen: success, %d socks bound", nsock)) - return nsock; -} - /* Connect to a given unix socket. The socket is blocking */ #ifdef ENABLE_CONNECT_UNIX int connect_unix(const char* path) { @@ -423,22 +236,6 @@ int connect_unix(const char* path) { } #endif -#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) -static void set_piggyback_ack(int sock) { - /* Undocumented Linux feature - set TCP_DEFER_ACCEPT and data will be piggybacked - on the 3rd packet (ack) of the TCP handshake. Saves a IP packet. - http://thread.gmane.org/gmane.linux.network/224627/focus=224727 - "Piggyback the final ACK of the three way TCP connection establishment with the data" */ - int val = 1; - /* No error checking, this is opportunistic */ - int err = setsockopt(sock, IPPROTO_TCP, TCP_DEFER_ACCEPT, (void*)&val, sizeof(val)); - if (err) - { - TRACE(("Failed setsockopt TCP_DEFER_ACCEPT: %s", strerror(errno))) - } -} -#endif - /* Sets up a pipe for a, returning three non-blocking file descriptors * and the pid. exec_fn is the function that will actually execute the child process, * it will be run after the child has fork()ed, and is passed exec_data. @@ -574,88 +371,6 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) { execv(usershell, argv); } -void get_socket_address(int fd, char **local_host, char **local_port, - char **remote_host, char **remote_port, int host_lookup) -{ - struct sockaddr_storage addr; - socklen_t addrlen; - - if (local_host || local_port) { - addrlen = sizeof(addr); - if (getsockname(fd, (struct sockaddr*)&addr, &addrlen) < 0) { - dropbear_exit("Failed socket address: %s", strerror(errno)); - } - getaddrstring(&addr, local_host, local_port, host_lookup); - } - if (remote_host || remote_port) { - addrlen = sizeof(addr); - if (getpeername(fd, (struct sockaddr*)&addr, &addrlen) < 0) { - dropbear_exit("Failed socket address: %s", strerror(errno)); - } - getaddrstring(&addr, remote_host, remote_port, host_lookup); - } -} - -/* Return a string representation of the socket address passed. The return - * value is allocated with malloc() */ -void getaddrstring(struct sockaddr_storage* addr, - char **ret_host, char **ret_port, - int host_lookup) { - - char host[NI_MAXHOST+1], serv[NI_MAXSERV+1]; - unsigned int len; - int ret; - - int flags = NI_NUMERICSERV | NI_NUMERICHOST; - -#ifndef DO_HOST_LOOKUP - host_lookup = 0; -#endif - - if (host_lookup) { - flags = NI_NUMERICSERV; - } - - len = sizeof(struct sockaddr_storage); - /* Some platforms such as Solaris 8 require that len is the length - * of the specific structure. Some older linux systems (glibc 2.1.3 - * such as debian potato) have sockaddr_storage.__ss_family instead - * but we'll ignore them */ -#ifdef HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY - if (addr->ss_family == AF_INET) { - len = sizeof(struct sockaddr_in); - } -#ifdef AF_INET6 - if (addr->ss_family == AF_INET6) { - len = sizeof(struct sockaddr_in6); - } -#endif -#endif - - ret = getnameinfo((struct sockaddr*)addr, len, host, sizeof(host)-1, - serv, sizeof(serv)-1, flags); - - if (ret != 0) { - if (host_lookup) { - /* On some systems (Darwin does it) we get EINTR from getnameinfo - * somehow. Eew. So we'll just return the IP, since that doesn't seem - * to exhibit that behaviour. */ - getaddrstring(addr, ret_host, ret_port, 0); - return; - } else { - /* if we can't do a numeric lookup, something's gone terribly wrong */ - dropbear_exit("Failed lookup: %s", gai_strerror(ret)); - } - } - - if (ret_host) { - *ret_host = m_strdup(host); - } - if (ret_port) { - *ret_port = m_strdup(serv); - } -} - #ifdef DEBUG_TRACE void printhex(const char * label, const unsigned char * buf, int len) { @@ -981,267 +696,3 @@ time_t monotonic_now() { } -struct dropbear_progress_connection -{ - struct addrinfo *res; - struct addrinfo *res_iter; - - char *remotehost, *remoteport; /* For error reporting */ - - connect_callback cb; - void *cb_data; - - struct Queue *writequeue; /* A queue of encrypted packets to send with TCP fastopen, - or NULL. */ - - int sock; - - char* errstring; -}; - -/* Deallocate a progress connection. Removes from the pending list if iter!=NULL. -Does not close sockets */ -static void remove_connect(struct dropbear_progress_connection *c, m_list_elem *iter) { - if (c->res) { - freeaddrinfo(c->res); - } - m_free(c->remotehost); - m_free(c->remoteport); - m_free(c->errstring); - m_free(c); - - if (iter) { - list_remove(iter); - } -} - -static void cancel_callback(int result, int sock, void* UNUSED(data), const char* UNUSED(errstring)) { - if (result == DROPBEAR_SUCCESS) - { - m_close(sock); - } -} - -void cancel_connect(struct dropbear_progress_connection *c) { - c->cb = cancel_callback; - c->cb_data = NULL; -} - -static void connect_try_next(struct dropbear_progress_connection *c) { - int err = EADDRNOTAVAIL; - struct addrinfo *r; - - if (!c->res_iter) { - return; - } - - for (r = c->res_iter; r; r = r->ai_next) - { - assert(c->sock == -1); - - c->sock = socket(c->res_iter->ai_family, c->res_iter->ai_socktype, c->res_iter->ai_protocol); - if (c->sock < 0) { - err = errno; - continue; - } - - ses.maxfd = MAX(ses.maxfd, c->sock); - setnonblocking(c->sock); - -#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) - //set_piggyback_ack(c->sock); -#endif - -#ifdef PROGRESS_CONNECT_FALLBACK -#if 0 - if (connect(c->sock, r->ai_addr, r->ai_addrlen) < 0) { - if (errno == EINPROGRESS) { - TRACE(("Connect in progress")) - break; - } else { - err = errno; - close(c->sock); - c->sock = -1; - continue; - } - } - - break; /* Success. Treated the same as EINPROGRESS */ -#endif -#else - { - struct msghdr message; - int flags; - int res; - memset(&message, 0x0, sizeof(message)); - message.msg_name = r->ai_addr; - message.msg_namelen = r->ai_addrlen; - - if (c->writequeue) { - int iovlen; /* Linux msg_iovlen is a size_t */ - message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); - message.msg_iovlen = iovlen; - res = sendmsg(c->sock, &message, MSG_FASTOPEN); - if (res < 0 && errno == EOPNOTSUPP) { - TRACE(("Fastopen not supported")); - /* No kernel MSG_FASTOPEN support. Fall back below */ - c->writequeue = NULL; - } - m_free(message.msg_iov); - if (res > 0) { - packet_queue_consume(c->writequeue, res); - } - } - - if (!c->writequeue) { - res = connect(c->sock, r->ai_addr, r->ai_addrlen); - } - if (res < 0 && errno != EINPROGRESS) { - err = errno; - close(c->sock); - c->sock = -1; - continue; - } else { - break; - } - } -#endif - } - - - if (r) { - c->res_iter = r->ai_next; - } else { - c->res_iter = NULL; - } - - if (c->sock >= 0 || (errno == EINPROGRESS)) { - /* Success */ - set_sock_nodelay(c->sock); - return; - } else { - if (!c->res_iter) - { - - } - /* XXX - returning error message through */ -#if 0 - /* Failed */ - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error connecting: %s", strerror(err)); - } - TRACE(("Error connecting: %s", strerror(err))) -#endif - } -} - -/* Connect via TCP to a host. */ -struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport, - connect_callback cb, void* cb_data) -{ - struct dropbear_progress_connection *c = NULL; - int err; - struct addrinfo hints; - - c = m_malloc(sizeof(*c)); - c->remotehost = m_strdup(remotehost); - c->remoteport = m_strdup(remoteport); - c->sock = -1; - c->cb = cb; - c->cb_data = cb_data; - - list_append(&ses.conn_pending, c); - - memset(&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_family = PF_UNSPEC; - - err = getaddrinfo(remotehost, remoteport, &hints, &c->res); - if (err) { - int len; - len = 100 + strlen(gai_strerror(err)); - c->errstring = (char*)m_malloc(len); - snprintf(c->errstring, len, "Error resolving '%s' port '%s'. %s", - remotehost, remoteport, gai_strerror(err)); - TRACE(("Error resolving: %s", gai_strerror(err))) - return NULL; - } - - c->res_iter = c->res; - - return c; -} - - -void set_connect_fds(fd_set *writefd) { - m_list_elem *iter; - TRACE(("enter handle_connect_fds")) - for (iter = ses.conn_pending.first; iter; iter = iter->next) { - struct dropbear_progress_connection *c = iter->item; - /* Set one going */ - while (c->res_iter && c->sock < 0) - { - connect_try_next(c); - } - if (c->sock >= 0) { - FD_SET(c->sock, writefd); - } else { - m_list_elem *remove_iter; - /* Final failure */ - if (!c->errstring) { - c->errstring = m_strdup("unexpected failure"); - } - c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring); - /* Safely remove without invalidating iter */ - remove_iter = iter; - iter = iter->prev; - remove_connect(c, remove_iter); - } - } -} - -void handle_connect_fds(fd_set *writefd) { - m_list_elem *iter; - TRACE(("enter handle_connect_fds")) - for (iter = ses.conn_pending.first; iter; iter = iter->next) { - int val; - socklen_t vallen = sizeof(val); - struct dropbear_progress_connection *c = iter->item; - - if (!FD_ISSET(c->sock, writefd)) { - continue; - } - - TRACE(("handling %s port %s socket %d", c->remotehost, c->remoteport, c->sock)); - - if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &val, &vallen) != 0) { - TRACE(("handle_connect_fds getsockopt(%d) SO_ERROR failed: %s", c->sock, strerror(errno))) - /* This isn't expected to happen - Unix has surprises though, continue gracefully. */ - m_close(c->sock); - c->sock = -1; - } else if (val != 0) { - /* Connect failed */ - TRACE(("connect to %s port %s failed.", c->remotehost, c->remoteport)) - m_close(c->sock); - c->sock = -1; - - m_free(c->errstring); - c->errstring = strerror(val); - } else { - /* New connection has been established */ - c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, NULL); - remove_connect(c, iter); - TRACE(("leave handle_connect_fds - success")) - /* Must return here - remove_connect() invalidates iter */ - return; - } - } - TRACE(("leave handle_connect_fds - end iter")) -} - -void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue) { - c->writequeue = writequeue; -} diff --git a/dbutil.h b/dbutil.h index b4a8f42..a7b6897 100644 --- a/dbutil.h +++ b/dbutil.h @@ -63,19 +63,7 @@ void debug_start_net(); extern int debug_trace; #endif -enum dropbear_prio { - DROPBEAR_PRIO_DEFAULT = 10, - DROPBEAR_PRIO_LOWDELAY = 11, - DROPBEAR_PRIO_BULK = 12, -}; - char * stripcontrol(const char * text); -void get_socket_address(int fd, char **local_host, char **local_port, - char **remote_host, char **remote_port, int host_lookup); -void getaddrstring(struct sockaddr_storage* addr, - char **ret_host, char **ret_port, int host_lookup); -void set_sock_nodelay(int sock); -void set_sock_priority(int sock, enum dropbear_prio prio); #if defined(__linux__) && HAVE_SENDMSG #define DROPBEAR_TCP_FAST_OPEN @@ -89,8 +77,6 @@ void set_listen_fast_open(int sock); #endif #endif -int dropbear_listen(const char* address, const char* port, - int *socks, unsigned int sockcount, char **errstring, int *maxfd); int spawn_command(void(*exec_fn)(void *user_data), void *exec_data, int *writefd, int *readfd, int *errfd, pid_t *pid); void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell); @@ -125,21 +111,5 @@ time_t monotonic_now(); char * expand_tilde(const char *inpath); -struct dropbear_progress_connection; - -/* result is DROPBEAR_SUCCESS or DROPBEAR_FAILURE. -errstring is only set on DROPBEAR_FAILURE, returns failure message for the last attempted socket */ -typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring); - -struct dropbear_progress_connection * connect_remote (const char* remotehost, const char* remoteport, - connect_callback cb, void *cb_data); - -void set_connect_fds(fd_set *writefd); -void handle_connect_fds(fd_set *writefd); - -/* Doesn't actually stop the connect, but adds a dummy callback instead */ -void cancel_connect(struct dropbear_progress_connection *c); - -void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue); #endif /* _DBUTIL_H_ */ diff --git a/netio.c b/netio.c new file mode 100644 index 0000000..8dd8060 --- /dev/null +++ b/netio.c @@ -0,0 +1,598 @@ +#include "netio.h" +#include "list.h" +#include "dbutil.h" +#include "session.h" +#include "debug.h" + +struct dropbear_progress_connection { + struct addrinfo *res; + struct addrinfo *res_iter; + + char *remotehost, *remoteport; /* For error reporting */ + + connect_callback cb; + void *cb_data; + + struct Queue *writequeue; /* A queue of encrypted packets to send with TCP fastopen, + or NULL. */ + + int sock; + + char* errstring; +}; + +#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) +static void set_piggyback_ack(int sock) { + /* Undocumented Linux feature - set TCP_DEFER_ACCEPT and data will be piggybacked + on the 3rd packet (ack) of the TCP handshake. Saves a IP packet. + http://thread.gmane.org/gmane.linux.network/224627/focus=224727 + "Piggyback the final ACK of the three way TCP connection establishment with the data" */ + int val = 1; + /* No error checking, this is opportunistic */ + int err = setsockopt(sock, IPPROTO_TCP, TCP_DEFER_ACCEPT, (void*)&val, sizeof(val)); + if (err) + { + TRACE(("Failed setsockopt TCP_DEFER_ACCEPT: %s", strerror(errno))) + } +} +#endif + + +/* Deallocate a progress connection. Removes from the pending list if iter!=NULL. +Does not close sockets */ +static void remove_connect(struct dropbear_progress_connection *c, m_list_elem *iter) { + if (c->res) { + freeaddrinfo(c->res); + } + m_free(c->remotehost); + m_free(c->remoteport); + m_free(c->errstring); + m_free(c); + + if (iter) { + list_remove(iter); + } +} + +static void cancel_callback(int result, int sock, void* UNUSED(data), const char* UNUSED(errstring)) { + if (result == DROPBEAR_SUCCESS) + { + m_close(sock); + } +} + +void cancel_connect(struct dropbear_progress_connection *c) { + c->cb = cancel_callback; + c->cb_data = NULL; +} + +static void connect_try_next(struct dropbear_progress_connection *c) { + struct addrinfo *r; + + if (!c->res_iter) { + return; + } + + for (r = c->res_iter; r; r = r->ai_next) + { + assert(c->sock == -1); + + c->sock = socket(c->res_iter->ai_family, c->res_iter->ai_socktype, c->res_iter->ai_protocol); + if (c->sock < 0) { + continue; + } + + ses.maxfd = MAX(ses.maxfd, c->sock); + setnonblocking(c->sock); + +#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) + set_piggyback_ack(c->sock); +#endif + +#ifdef PROGRESS_CONNECT_FALLBACK +#if 0 + if (connect(c->sock, r->ai_addr, r->ai_addrlen) < 0) { + if (errno == EINPROGRESS) { + TRACE(("Connect in progress")) + break; + } else { + close(c->sock); + c->sock = -1; + continue; + } + } + + break; /* Success. Treated the same as EINPROGRESS */ +#endif +#else + { + struct msghdr message; + int res = 0; + memset(&message, 0x0, sizeof(message)); + message.msg_name = r->ai_addr; + message.msg_namelen = r->ai_addrlen; + + if (c->writequeue) { + int iovlen; /* Linux msg_iovlen is a size_t */ + message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); + message.msg_iovlen = iovlen; + res = sendmsg(c->sock, &message, MSG_FASTOPEN); + if (res < 0 && errno == EOPNOTSUPP) { + TRACE(("Fastopen not supported")); + /* No kernel MSG_FASTOPEN support. Fall back below */ + c->writequeue = NULL; + } + m_free(message.msg_iov); + if (res > 0) { + packet_queue_consume(c->writequeue, res); + } + } + + if (!c->writequeue) { + res = connect(c->sock, r->ai_addr, r->ai_addrlen); + } + if (res < 0 && errno != EINPROGRESS) { + close(c->sock); + c->sock = -1; + continue; + } else { + break; + } + } +#endif + } + + + if (r) { + c->res_iter = r->ai_next; + } else { + c->res_iter = NULL; + } + + if (c->sock >= 0 || (errno == EINPROGRESS)) { + /* Success */ + set_sock_nodelay(c->sock); + return; + } else { + if (!c->res_iter) + { + + } + /* XXX - returning error message through */ +#if 0 + /* Failed */ + if (errstring != NULL && *errstring == NULL) { + int len; + len = 20 + strlen(strerror(err)); + *errstring = (char*)m_malloc(len); + snprintf(*errstring, len, "Error connecting: %s", strerror(err)); + } + TRACE(("Error connecting: %s", strerror(err))) +#endif + } +} + +/* Connect via TCP to a host. */ +struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport, + connect_callback cb, void* cb_data) +{ + struct dropbear_progress_connection *c = NULL; + int err; + struct addrinfo hints; + + c = m_malloc(sizeof(*c)); + c->remotehost = m_strdup(remotehost); + c->remoteport = m_strdup(remoteport); + c->sock = -1; + c->cb = cb; + c->cb_data = cb_data; + + list_append(&ses.conn_pending, c); + + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_STREAM; + hints.ai_family = PF_UNSPEC; + + err = getaddrinfo(remotehost, remoteport, &hints, &c->res); + if (err) { + int len; + len = 100 + strlen(gai_strerror(err)); + c->errstring = (char*)m_malloc(len); + snprintf(c->errstring, len, "Error resolving '%s' port '%s'. %s", + remotehost, remoteport, gai_strerror(err)); + TRACE(("Error resolving: %s", gai_strerror(err))) + return NULL; + } + + c->res_iter = c->res; + + return c; +} + + +void set_connect_fds(fd_set *writefd) { + m_list_elem *iter; + TRACE(("enter handle_connect_fds")) + for (iter = ses.conn_pending.first; iter; iter = iter->next) { + struct dropbear_progress_connection *c = iter->item; + /* Set one going */ + while (c->res_iter && c->sock < 0) + { + connect_try_next(c); + } + if (c->sock >= 0) { + FD_SET(c->sock, writefd); + } else { + m_list_elem *remove_iter; + /* Final failure */ + if (!c->errstring) { + c->errstring = m_strdup("unexpected failure"); + } + c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring); + /* Safely remove without invalidating iter */ + remove_iter = iter; + iter = iter->prev; + remove_connect(c, remove_iter); + } + } +} + +void handle_connect_fds(fd_set *writefd) { + m_list_elem *iter; + TRACE(("enter handle_connect_fds")) + for (iter = ses.conn_pending.first; iter; iter = iter->next) { + int val; + socklen_t vallen = sizeof(val); + struct dropbear_progress_connection *c = iter->item; + + if (!FD_ISSET(c->sock, writefd)) { + continue; + } + + TRACE(("handling %s port %s socket %d", c->remotehost, c->remoteport, c->sock)); + + if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &val, &vallen) != 0) { + TRACE(("handle_connect_fds getsockopt(%d) SO_ERROR failed: %s", c->sock, strerror(errno))) + /* This isn't expected to happen - Unix has surprises though, continue gracefully. */ + m_close(c->sock); + c->sock = -1; + } else if (val != 0) { + /* Connect failed */ + TRACE(("connect to %s port %s failed.", c->remotehost, c->remoteport)) + m_close(c->sock); + c->sock = -1; + + m_free(c->errstring); + c->errstring = strerror(val); + } else { + /* New connection has been established */ + c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, NULL); + remove_connect(c, iter); + TRACE(("leave handle_connect_fds - success")) + /* Must return here - remove_connect() invalidates iter */ + return; + } + } + TRACE(("leave handle_connect_fds - end iter")) +} + +void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue) { + c->writequeue = writequeue; +} + +struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count) { + struct iovec *iov = NULL; + struct Link *l; + unsigned int i, packet_type; + int len; + buffer *writebuf; + + #ifndef IOV_MAX + #define IOV_MAX UIO_MAXIOV + #endif + + *ret_iov_count = MIN(queue->count, IOV_MAX); + + iov = m_malloc(sizeof(*iov) * *ret_iov_count); + for (l = queue->head, i = 0; l; l = l->link, i++) + { + writebuf = (buffer*)l->item; + packet_type = writebuf->data[writebuf->len-1]; + len = writebuf->len - 1 - writebuf->pos; + dropbear_assert(len > 0); + TRACE2(("write_packet writev #%d type %d len %d/%d", i, packet_type, + len, writebuf->len-1)) + iov[i].iov_base = buf_getptr(writebuf, len); + iov[i].iov_len = len; + } + + return iov; +} + +void packet_queue_consume(struct Queue *queue, ssize_t written) { + buffer *writebuf; + int len; + while (written > 0) { + writebuf = (buffer*)examine(queue); + len = writebuf->len - 1 - writebuf->pos; + if (len > written) { + /* partial buffer write */ + buf_incrpos(writebuf, written); + written = 0; + } else { + written -= len; + dequeue(queue); + buf_free(writebuf); + } + } +} + +void set_sock_nodelay(int sock) { + int val; + + /* disable nagle */ + val = 1; + setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); +} + +#ifdef DROPBEAR_TCP_FAST_OPEN +void set_listen_fast_open(int sock) { + int qlen = MAX(MAX_UNAUTH_PER_IP, 5); + if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) { + TRACE(("set_listen_fast_open failed for socket %d: %s", sock, strerror(errno))) + } +} + +#endif + +void set_sock_priority(int sock, enum dropbear_prio prio) { + + int iptos_val = 0, so_prio_val = 0, rc; + + /* Don't log ENOTSOCK errors so that this can harmlessly be called + * on a client '-J' proxy pipe */ + + /* set the TOS bit for either ipv4 or ipv6 */ +#ifdef IPTOS_LOWDELAY + if (prio == DROPBEAR_PRIO_LOWDELAY) { + iptos_val = IPTOS_LOWDELAY; + } else if (prio == DROPBEAR_PRIO_BULK) { + iptos_val = IPTOS_THROUGHPUT; + } +#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) + rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&iptos_val, sizeof(iptos_val)); + if (rc < 0 && errno != ENOTSOCK) { + TRACE(("Couldn't set IPV6_TCLASS (%s)", strerror(errno))); + } +#endif + rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&iptos_val, sizeof(iptos_val)); + if (rc < 0 && errno != ENOTSOCK) { + TRACE(("Couldn't set IP_TOS (%s)", strerror(errno))); + } +#endif + +#ifdef SO_PRIORITY + if (prio == DROPBEAR_PRIO_LOWDELAY) { + so_prio_val = TC_PRIO_INTERACTIVE; + } else if (prio == DROPBEAR_PRIO_BULK) { + so_prio_val = TC_PRIO_BULK; + } + /* linux specific, sets QoS class. see tc-prio(8) */ + rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &so_prio_val, sizeof(so_prio_val)); + if (rc < 0 && errno != ENOTSOCK) + dropbear_log(LOG_WARNING, "Couldn't set SO_PRIORITY (%s)", + strerror(errno)); +#endif + +} + +/* Listen on address:port. + * Special cases are address of "" listening on everything, + * and address of NULL listening on localhost only. + * Returns the number of sockets bound on success, or -1 on failure. On + * failure, if errstring wasn't NULL, it'll be a newly malloced error + * string.*/ +int dropbear_listen(const char* address, const char* port, + int *socks, unsigned int sockcount, char **errstring, int *maxfd) { + + struct addrinfo hints, *res = NULL, *res0 = NULL; + int err; + unsigned int nsock; + struct linger linger; + int val; + int sock; + + TRACE(("enter dropbear_listen")) + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; /* TODO: let them flag v4 only etc */ + hints.ai_socktype = SOCK_STREAM; + + /* for calling getaddrinfo: + address == NULL and !AI_PASSIVE: local loopback + address == NULL and AI_PASSIVE: all interfaces + address != NULL: whatever the address says */ + if (!address) { + TRACE(("dropbear_listen: local loopback")) + } else { + if (address[0] == '\0') { + TRACE(("dropbear_listen: all interfaces")) + address = NULL; + } + hints.ai_flags = AI_PASSIVE; + } + err = getaddrinfo(address, port, &hints, &res0); + + if (err) { + if (errstring != NULL && *errstring == NULL) { + int len; + len = 20 + strlen(gai_strerror(err)); + *errstring = (char*)m_malloc(len); + snprintf(*errstring, len, "Error resolving: %s", gai_strerror(err)); + } + if (res0) { + freeaddrinfo(res0); + res0 = NULL; + } + TRACE(("leave dropbear_listen: failed resolving")) + return -1; + } + + + nsock = 0; + for (res = res0; res != NULL && nsock < sockcount; + res = res->ai_next) { + + /* Get a socket */ + socks[nsock] = socket(res->ai_family, res->ai_socktype, + res->ai_protocol); + + sock = socks[nsock]; /* For clarity */ + + if (sock < 0) { + err = errno; + TRACE(("socket() failed")) + continue; + } + + /* Various useful socket options */ + val = 1; + /* set to reuse, quick timeout */ + setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); + linger.l_onoff = 1; + linger.l_linger = 5; + setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger)); + +#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) + if (res->ai_family == AF_INET6) { + int on = 1; + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, + &on, sizeof(on)) == -1) { + dropbear_log(LOG_WARNING, "Couldn't set IPV6_V6ONLY"); + } + } +#endif + + set_sock_nodelay(sock); + + if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { + err = errno; + close(sock); + TRACE(("bind(%s) failed", port)) + continue; + } + + if (listen(sock, DROPBEAR_LISTEN_BACKLOG) < 0) { + err = errno; + close(sock); + TRACE(("listen() failed")) + continue; + } + + *maxfd = MAX(*maxfd, sock); + + nsock++; + } + + if (res0) { + freeaddrinfo(res0); + res0 = NULL; + } + + if (nsock == 0) { + if (errstring != NULL && *errstring == NULL) { + int len; + len = 20 + strlen(strerror(err)); + *errstring = (char*)m_malloc(len); + snprintf(*errstring, len, "Error listening: %s", strerror(err)); + } + TRACE(("leave dropbear_listen: failure, %s", strerror(err))) + return -1; + } + + TRACE(("leave dropbear_listen: success, %d socks bound", nsock)) + return nsock; +} + +void get_socket_address(int fd, char **local_host, char **local_port, + char **remote_host, char **remote_port, int host_lookup) +{ + struct sockaddr_storage addr; + socklen_t addrlen; + + if (local_host || local_port) { + addrlen = sizeof(addr); + if (getsockname(fd, (struct sockaddr*)&addr, &addrlen) < 0) { + dropbear_exit("Failed socket address: %s", strerror(errno)); + } + getaddrstring(&addr, local_host, local_port, host_lookup); + } + if (remote_host || remote_port) { + addrlen = sizeof(addr); + if (getpeername(fd, (struct sockaddr*)&addr, &addrlen) < 0) { + dropbear_exit("Failed socket address: %s", strerror(errno)); + } + getaddrstring(&addr, remote_host, remote_port, host_lookup); + } +} + +/* Return a string representation of the socket address passed. The return + * value is allocated with malloc() */ +void getaddrstring(struct sockaddr_storage* addr, + char **ret_host, char **ret_port, + int host_lookup) { + + char host[NI_MAXHOST+1], serv[NI_MAXSERV+1]; + unsigned int len; + int ret; + + int flags = NI_NUMERICSERV | NI_NUMERICHOST; + +#ifndef DO_HOST_LOOKUP + host_lookup = 0; +#endif + + if (host_lookup) { + flags = NI_NUMERICSERV; + } + + len = sizeof(struct sockaddr_storage); + /* Some platforms such as Solaris 8 require that len is the length + * of the specific structure. Some older linux systems (glibc 2.1.3 + * such as debian potato) have sockaddr_storage.__ss_family instead + * but we'll ignore them */ +#ifdef HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY + if (addr->ss_family == AF_INET) { + len = sizeof(struct sockaddr_in); + } +#ifdef AF_INET6 + if (addr->ss_family == AF_INET6) { + len = sizeof(struct sockaddr_in6); + } +#endif +#endif + + ret = getnameinfo((struct sockaddr*)addr, len, host, sizeof(host)-1, + serv, sizeof(serv)-1, flags); + + if (ret != 0) { + if (host_lookup) { + /* On some systems (Darwin does it) we get EINTR from getnameinfo + * somehow. Eew. So we'll just return the IP, since that doesn't seem + * to exhibit that behaviour. */ + getaddrstring(addr, ret_host, ret_port, 0); + return; + } else { + /* if we can't do a numeric lookup, something's gone terribly wrong */ + dropbear_exit("Failed lookup: %s", gai_strerror(ret)); + } + } + + if (ret_host) { + *ret_host = m_strdup(host); + } + if (ret_port) { + *ret_port = m_strdup(serv); + } +} + diff --git a/netio.h b/netio.h new file mode 100644 index 0000000..3c98d6c --- /dev/null +++ b/netio.h @@ -0,0 +1,46 @@ +#ifndef DROPBEAR_NETIO_H +#define DROPBEAR_NETIO_H + +#include "includes.h" +#include "buffer.h" +#include "queue.h" + +enum dropbear_prio { + DROPBEAR_PRIO_DEFAULT = 10, + DROPBEAR_PRIO_LOWDELAY = 11, + DROPBEAR_PRIO_BULK = 12, +}; + +void set_sock_nodelay(int sock); +void set_sock_priority(int sock, enum dropbear_prio prio); + +void get_socket_address(int fd, char **local_host, char **local_port, + char **remote_host, char **remote_port, int host_lookup); +void getaddrstring(struct sockaddr_storage* addr, + char **ret_host, char **ret_port, int host_lookup); +int dropbear_listen(const char* address, const char* port, + int *socks, unsigned int sockcount, char **errstring, int *maxfd); + +struct dropbear_progress_connection; + +/* result is DROPBEAR_SUCCESS or DROPBEAR_FAILURE. +errstring is only set on DROPBEAR_FAILURE, returns failure message for the last attempted socket */ +typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring); + +struct dropbear_progress_connection * connect_remote (const char* remotehost, const char* remoteport, + connect_callback cb, void *cb_data); + +void set_connect_fds(fd_set *writefd); +void handle_connect_fds(fd_set *writefd); + +/* Doesn't actually stop the connect, but adds a dummy callback instead */ +void cancel_connect(struct dropbear_progress_connection *c); + +void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue); + +/* TODO: writev #ifdef guard */ +struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count); +void packet_queue_consume(struct Queue *queue, ssize_t written); + +#endif + diff --git a/packet.c b/packet.c index bdc3613..b477a07 100644 --- a/packet.c +++ b/packet.c @@ -34,6 +34,7 @@ #include "service.h" #include "auth.h" #include "channel.h" +#include "netio.h" static int read_packet_init(); static void make_mac(unsigned int seqno, const struct key_context_directional * key_state, @@ -52,60 +53,10 @@ static buffer* buf_decompress(buffer* buf, unsigned int len); static void buf_compress(buffer * dest, buffer * src, unsigned int len); #endif -struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count) { - struct iovec *iov = NULL; - struct Link *l; - unsigned int i, packet_type; - int len; - buffer *writebuf; - - #ifndef IOV_MAX - #define IOV_MAX UIO_MAXIOV - #endif - - *ret_iov_count = MIN(queue->count, IOV_MAX); - - iov = m_malloc(sizeof(*iov) * *ret_iov_count); - for (l = queue->head, i = 0; l; l = l->link, i++) - { - writebuf = (buffer*)l->item; - packet_type = writebuf->data[writebuf->len-1]; - len = writebuf->len - 1 - writebuf->pos; - dropbear_assert(len > 0); - TRACE2(("write_packet writev #%d type %d len %d/%d", i, packet_type, - len, writebuf->len-1)) - iov[i].iov_base = buf_getptr(writebuf, len); - iov[i].iov_len = len; - } - - return iov; -} - -void packet_queue_consume(struct Queue *queue, ssize_t written) { - buffer *writebuf; - int len; - while (written > 0) { - writebuf = (buffer*)examine(queue); - len = writebuf->len - 1 - writebuf->pos; - if (len > written) { - /* partial buffer write */ - buf_incrpos(writebuf, written); - written = 0; - } else { - written -= len; - dequeue(queue); - buf_free(writebuf); - } - } -} - /* non-blocking function writing out a current encrypted packet */ void write_packet() { ssize_t written; - int len; - buffer * writebuf = NULL; - unsigned packet_type; #ifdef HAVE_WRITEV struct iovec *iov = NULL; int iov_count; diff --git a/packet.h b/packet.h index ac14eca..c1d255e 100644 --- a/packet.h +++ b/packet.h @@ -47,8 +47,4 @@ typedef struct PacketType { #define INIT_READBUF 128 -/* TODO: writev #ifdef guard */ -struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count); -void packet_queue_consume(struct Queue *queue, ssize_t written); - #endif /* _PACKET_H_ */ diff --git a/session.h b/session.h index 28c2cae..beec245 100644 --- a/session.h +++ b/session.h @@ -38,6 +38,7 @@ #include "tcpfwd.h" #include "chansession.h" #include "dbutil.h" +#include "netio.h" extern int sessinitdone; /* Is set to 0 somewhere */ extern int exitflag; diff --git a/signkey.c b/signkey.c index ea7c67d..f033e86 100644 --- a/signkey.c +++ b/signkey.c @@ -140,7 +140,7 @@ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) { unsigned char* ident; unsigned int len; - int keytype; + enum signkey_type keytype; int ret = DROPBEAR_FAILURE; TRACE2(("enter buf_get_pub_key")) @@ -210,7 +210,7 @@ int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) { unsigned char* ident; unsigned int len; - int keytype; + enum signkey_type keytype; int ret = DROPBEAR_FAILURE; TRACE2(("enter buf_get_priv_key")) diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c index 8f364b5..b3928bc 100644 --- a/svr-tcpfwd.c +++ b/svr-tcpfwd.c @@ -33,6 +33,7 @@ #include "listener.h" #include "runopts.h" #include "auth.h" +#include "netio.h" #ifndef ENABLE_SVR_REMOTETCPFWD @@ -236,7 +237,6 @@ static int newtcpdirect(struct Channel * channel) { unsigned char* orighost = NULL; unsigned int origport; char portstring[NI_MAXSERV]; - int sock; int len; int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; From f04a3a2cfa6a2787e84b07d6d22cb1e9837ff6af Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 20 Feb 2015 23:38:05 +0800 Subject: [PATCH 10/15] Fixes for backwards compatibility --HG-- branch : fastopen --- configure.ac | 2 +- dbutil.h | 12 -------- netio.c | 83 +++++++++++++++++++++++----------------------------- netio.h | 12 ++++++++ sysoptions.h | 5 ++++ 5 files changed, 55 insertions(+), 59 deletions(-) diff --git a/configure.ac b/configure.ac index b952d7e..b0e85e5 100644 --- a/configure.ac +++ b/configure.ac @@ -632,7 +632,7 @@ fi AC_PROG_GCC_TRADITIONAL AC_FUNC_MEMCMP AC_FUNC_SELECT_ARGTYPES -AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev sendmsg]) +AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork writev]) AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) diff --git a/dbutil.h b/dbutil.h index a7b6897..f5c57b3 100644 --- a/dbutil.h +++ b/dbutil.h @@ -65,18 +65,6 @@ extern int debug_trace; char * stripcontrol(const char * text); -#if defined(__linux__) && HAVE_SENDMSG -#define DROPBEAR_TCP_FAST_OPEN -void set_listen_fast_open(int sock); -/* may be supported by kernel but not libc */ -#ifndef TCP_FASTOPEN -#define TCP_FASTOPEN 23 -#endif -#ifndef MSG_FASTOPEN -#define MSG_FASTOPEN 0x20000000 -#endif -#endif - int spawn_command(void(*exec_fn)(void *user_data), void *exec_data, int *writefd, int *readfd, int *errfd, pid_t *pid); void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell); diff --git a/netio.c b/netio.c index 8dd8060..b86c85b 100644 --- a/netio.c +++ b/netio.c @@ -68,6 +68,11 @@ void cancel_connect(struct dropbear_progress_connection *c) { static void connect_try_next(struct dropbear_progress_connection *c) { struct addrinfo *r; + int res = 0; + int fastopen = 0; +#ifdef DROPBEAR_TCP_FAST_OPEN + struct msghdr message; +#endif if (!c->res_iter) { return; @@ -89,60 +94,46 @@ static void connect_try_next(struct dropbear_progress_connection *c) { set_piggyback_ack(c->sock); #endif -#ifdef PROGRESS_CONNECT_FALLBACK -#if 0 - if (connect(c->sock, r->ai_addr, r->ai_addrlen) < 0) { - if (errno == EINPROGRESS) { - TRACE(("Connect in progress")) - break; - } else { - close(c->sock); - c->sock = -1; - continue; - } - } +#ifdef DROPBEAR_TCP_FAST_OPEN + fastopen = (c->writequeue != NULL); - break; /* Success. Treated the same as EINPROGRESS */ -#endif -#else - { - struct msghdr message; - int res = 0; - memset(&message, 0x0, sizeof(message)); - message.msg_name = r->ai_addr; - message.msg_namelen = r->ai_addrlen; + memset(&message, 0x0, sizeof(message)); + message.msg_name = r->ai_addr; + message.msg_namelen = r->ai_addrlen; - if (c->writequeue) { - int iovlen; /* Linux msg_iovlen is a size_t */ - message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); - message.msg_iovlen = iovlen; - res = sendmsg(c->sock, &message, MSG_FASTOPEN); - if (res < 0 && errno == EOPNOTSUPP) { - TRACE(("Fastopen not supported")); - /* No kernel MSG_FASTOPEN support. Fall back below */ - c->writequeue = NULL; - } - m_free(message.msg_iov); - if (res > 0) { - packet_queue_consume(c->writequeue, res); - } + if (c->writequeue) { + int iovlen; /* Linux msg_iovlen is a size_t */ + message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); + message.msg_iovlen = iovlen; + res = sendmsg(c->sock, &message, MSG_FASTOPEN); + if (res < 0 && errno == EOPNOTSUPP) { + TRACE(("Fastopen not supported")); + /* No kernel MSG_FASTOPEN support. Fall back below */ + fastopen = 0; + /* Set to NULL to avoid trying again */ + c->writequeue = NULL; } - - if (!c->writequeue) { - res = connect(c->sock, r->ai_addr, r->ai_addrlen); - } - if (res < 0 && errno != EINPROGRESS) { - close(c->sock); - c->sock = -1; - continue; - } else { - break; + m_free(message.msg_iov); + if (res > 0) { + packet_queue_consume(c->writequeue, res); } } #endif + + /* Normal connect(), used as fallback for TCP fastopen too */ + if (!fastopen) { + res = connect(c->sock, r->ai_addr, r->ai_addrlen); + } + + if (res < 0 && errno != EINPROGRESS) { + close(c->sock); + c->sock = -1; + continue; + } else { + break; + } } - if (r) { c->res_iter = r->ai_next; } else { diff --git a/netio.h b/netio.h index 3c98d6c..280ccaf 100644 --- a/netio.h +++ b/netio.h @@ -42,5 +42,17 @@ void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count); void packet_queue_consume(struct Queue *queue, ssize_t written); +#ifdef DROPBEAR_TCP_FAST_OPEN +/* Try for any Linux builds, will fall back if the kernel doesn't support it */ +void set_listen_fast_open(int sock); +/* Define values which may be supported by the kernel even if the libc is too old */ +#ifndef TCP_FASTOPEN +#define TCP_FASTOPEN 23 +#endif +#ifndef MSG_FASTOPEN +#define MSG_FASTOPEN 0x20000000 +#endif +#endif + #endif diff --git a/sysoptions.h b/sysoptions.h index bec7246..092eb7e 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -259,4 +259,9 @@ /* Use this string since some implementations might special-case it */ #define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com" +/* Linux will attempt TCP fast open, falling back if not supported by the kernel */ +#ifdef __linux__ +#define DROPBEAR_TCP_FAST_OPEN 1 +#endif + /* no include guard for this file */ From c53ca6ebc09bc94cb463d93beeb9640021190753 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 20 Feb 2015 23:43:59 +0800 Subject: [PATCH 11/15] avoid some warnings --HG-- branch : fastopen --- netio.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/netio.c b/netio.c index b86c85b..43f69d1 100644 --- a/netio.c +++ b/netio.c @@ -274,7 +274,7 @@ void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count) { struct iovec *iov = NULL; struct Link *l; - unsigned int i, packet_type; + unsigned int i; int len; buffer *writebuf; @@ -288,10 +288,9 @@ struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count) { for (l = queue->head, i = 0; l; l = l->link, i++) { writebuf = (buffer*)l->item; - packet_type = writebuf->data[writebuf->len-1]; len = writebuf->len - 1 - writebuf->pos; dropbear_assert(len > 0); - TRACE2(("write_packet writev #%d type %d len %d/%d", i, packet_type, + TRACE2(("write_packet writev #%d type %d len %d/%d", i, writebuf->data[writebuf->len-1], len, writebuf->len-1)) iov[i].iov_base = buf_getptr(writebuf, len); iov[i].iov_len = len; @@ -338,7 +337,14 @@ void set_listen_fast_open(int sock) { void set_sock_priority(int sock, enum dropbear_prio prio) { - int iptos_val = 0, so_prio_val = 0, rc; + int rc; +#ifdef IPTOS_LOWDELAY + int iptos_val = 0; +#endif +#ifdef SO_PRIORITY + int so_prio_val = 0; +#endif + /* Don't log ENOTSOCK errors so that this can harmlessly be called * on a client '-J' proxy pipe */ From 46845fd3e8fb121ccba6a51510063935f03d8225 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sat, 21 Feb 2015 00:43:32 +0800 Subject: [PATCH 12/15] get rid of some unnecessary code --HG-- branch : fastopen --- netio.c | 35 +++++------------------------------ 1 file changed, 5 insertions(+), 30 deletions(-) diff --git a/netio.c b/netio.c index 43f69d1..5b97e4d 100644 --- a/netio.c +++ b/netio.c @@ -71,13 +71,9 @@ static void connect_try_next(struct dropbear_progress_connection *c) { int res = 0; int fastopen = 0; #ifdef DROPBEAR_TCP_FAST_OPEN - struct msghdr message; + struct msghdr message; #endif - if (!c->res_iter) { - return; - } - for (r = c->res_iter; r; r = r->ai_next) { assert(c->sock == -1); @@ -88,6 +84,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { } ses.maxfd = MAX(ses.maxfd, c->sock); + set_sock_nodelay(c->sock); setnonblocking(c->sock); #if defined(__linux__) && defined(TCP_DEFER_ACCEPT) @@ -114,9 +111,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { c->writequeue = NULL; } m_free(message.msg_iov); - if (res > 0) { - packet_queue_consume(c->writequeue, res); - } + packet_queue_consume(c->writequeue, res); } #endif @@ -126,10 +121,12 @@ static void connect_try_next(struct dropbear_progress_connection *c) { } if (res < 0 && errno != EINPROGRESS) { + /* failure */ close(c->sock); c->sock = -1; continue; } else { + /* new connection was successful, wait for it to complete */ break; } } @@ -139,28 +136,6 @@ static void connect_try_next(struct dropbear_progress_connection *c) { } else { c->res_iter = NULL; } - - if (c->sock >= 0 || (errno == EINPROGRESS)) { - /* Success */ - set_sock_nodelay(c->sock); - return; - } else { - if (!c->res_iter) - { - - } - /* XXX - returning error message through */ -#if 0 - /* Failed */ - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error connecting: %s", strerror(err)); - } - TRACE(("Error connecting: %s", strerror(err))) -#endif - } } /* Connect via TCP to a host. */ From 2a90c1ca7ed415811b2e063e7c62e15cdc7b2a4b Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Thu, 26 Feb 2015 23:43:12 +0800 Subject: [PATCH 13/15] ignore any sendmsg() errors --HG-- branch : fastopen --- netio.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/netio.c b/netio.c index 5b97e4d..d1a05f3 100644 --- a/netio.c +++ b/netio.c @@ -103,8 +103,10 @@ static void connect_try_next(struct dropbear_progress_connection *c) { message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); message.msg_iovlen = iovlen; res = sendmsg(c->sock, &message, MSG_FASTOPEN); - if (res < 0 && errno == EOPNOTSUPP) { - TRACE(("Fastopen not supported")); + if (res < 0) { + /* Not entirely sure which kind of errors are normal - 2.6.32 seems to + return EPIPE for any (nonblocking?) sendmsg(). just fall back */ + TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); /* No kernel MSG_FASTOPEN support. Fall back below */ fastopen = 0; /* Set to NULL to avoid trying again */ From 843953379c1f6ce56e993c82d97c268e31a86e6e Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Fri, 27 Feb 2015 00:02:48 +0800 Subject: [PATCH 14/15] EINPROGRESS for sendmsg() means it's working OK --HG-- branch : fastopen --- netio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netio.c b/netio.c index d1a05f3..9aa7ae5 100644 --- a/netio.c +++ b/netio.c @@ -103,7 +103,7 @@ static void connect_try_next(struct dropbear_progress_connection *c) { message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); message.msg_iovlen = iovlen; res = sendmsg(c->sock, &message, MSG_FASTOPEN); - if (res < 0) { + if (res < 0 && errno != EINPROGRESS) { /* Not entirely sure which kind of errors are normal - 2.6.32 seems to return EPIPE for any (nonblocking?) sendmsg(). just fall back */ TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); From 89c0b2a6d863e54bd0253355146f09b92edeccda Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Sat, 28 Feb 2015 23:15:23 +0800 Subject: [PATCH 15/15] Add cleanup --HG-- branch : fastopen --- common-session.c | 2 ++ netio.c | 7 +++++++ netio.h | 4 ++++ 3 files changed, 13 insertions(+) diff --git a/common-session.c b/common-session.c index 19247a8..be8f776 100644 --- a/common-session.c +++ b/common-session.c @@ -281,6 +281,8 @@ void session_cleanup() { other session state is freed. */ remove_all_listeners(); + remove_connect_pending(); + while (!isempty(&ses.writequeue)) { buf_free(dequeue(&ses.writequeue)); } diff --git a/netio.c b/netio.c index 9aa7ae5..42d1b32 100644 --- a/netio.c +++ b/netio.c @@ -177,6 +177,13 @@ struct dropbear_progress_connection *connect_remote(const char* remotehost, cons return c; } +void remove_connect_pending() { + while (ses.conn_pending.first) { + struct dropbear_progress_connection *c = ses.conn_pending.first->item; + remove_connect(c, ses.conn_pending.first); + } +} + void set_connect_fds(fd_set *writefd) { m_list_elem *iter; diff --git a/netio.h b/netio.h index 280ccaf..1bf08ce 100644 --- a/netio.h +++ b/netio.h @@ -30,8 +30,12 @@ typedef void(*connect_callback)(int result, int sock, void* data, const char* er struct dropbear_progress_connection * connect_remote (const char* remotehost, const char* remoteport, connect_callback cb, void *cb_data); +/* Sets up for select() */ void set_connect_fds(fd_set *writefd); +/* Handles ready sockets after select() */ void handle_connect_fds(fd_set *writefd); +/* Cleanup */ +void remove_connect_pending(); /* Doesn't actually stop the connect, but adds a dummy callback instead */ void cancel_connect(struct dropbear_progress_connection *c);