diff options
| -rw-r--r-- | Makefile.in | 4 | ||||
| -rw-r--r-- | channel.h | 4 | ||||
| -rw-r--r-- | cli-authpubkey.c | 2 | ||||
| -rw-r--r-- | cli-main.c | 13 | ||||
| -rw-r--r-- | cli-session.c | 18 | ||||
| -rw-r--r-- | cli-tcpfwd.c | 16 | ||||
| -rw-r--r-- | common-channel.c | 46 | ||||
| -rw-r--r-- | common-session.c | 13 | ||||
| -rw-r--r-- | dbutil.c | 365 | ||||
| -rw-r--r-- | dbutil.h | 17 | ||||
| -rw-r--r-- | netio.c | 572 | ||||
| -rw-r--r-- | netio.h | 58 | ||||
| -rw-r--r-- | packet.c | 55 | ||||
| -rw-r--r-- | packet.h | 1 | ||||
| -rw-r--r-- | session.h | 6 | ||||
| -rw-r--r-- | signkey.c | 4 | ||||
| -rw-r--r-- | svr-main.c | 17 | ||||
| -rw-r--r-- | svr-tcpfwd.c | 16 | ||||
| -rw-r--r-- | sysoptions.h | 5 |
19 files changed, 733 insertions, 499 deletions
diff --git a/Makefile.in b/Makefile.in index 8ab1a73..b2e7a27 100644 --- a/Makefile.in +++ b/Makefile.in @@ -40,12 +40,12 @@ SVROBJS=svr-kex.o svr-auth.o sshpty.o \ CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ cli-session.o cli-runopts.o cli-chansession.o \ cli-authpubkey.o cli-tcpfwd.o cli-channel.o cli-authinteract.o \ - cli-agentfwd.o list.o + cli-agentfwd.o CLISVROBJS=common-session.o packet.o common-algo.o common-kex.o \ common-channel.o common-chansession.o termcodes.o loginrec.o \ tcp-accept.o listener.o process-packet.o \ - common-runopts.o circbuffer.o curve25519-donna.o + common-runopts.o circbuffer.o curve25519-donna.o list.o netio.o KEYOBJS=dropbearkey.o @@ -73,6 +73,7 @@ struct Channel { * to ensure we don't run it twice (nor type->checkclose()). */ int close_handler_done; + struct dropbear_progress_connection *conn_pending; int initconn; /* used for TCP forwarding, whether the channel has been fully initialised */ @@ -100,6 +101,9 @@ struct ChanType { void (*closehandler)(struct Channel*); }; +/* Callback for connect_remote */ +void channel_connect_done(int result, int sock, void* user_data, const char* errstring); + void chaninitialise(const struct ChanType *chantypes[]); void chancleanup(); void setchannelfds(fd_set *readfd, fd_set *writefd); diff --git a/cli-authpubkey.c b/cli-authpubkey.c index 9fcc256..cdef36e 100644 --- a/cli-authpubkey.c +++ b/cli-authpubkey.c @@ -58,7 +58,7 @@ void recv_msg_userauth_pk_ok() { buffer* keybuf = NULL; char* algotype = NULL; unsigned int algolen; - int keytype; + enum signkey_type keytype; unsigned int remotelen; TRACE(("enter recv_msg_userauth_pk_ok")) @@ -30,6 +30,7 @@ #include "session.h" #include "dbrandom.h" #include "crypto_desc.h" +#include "netio.h" static void cli_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_NORETURN; static void cli_dropbear_log(int priority, const char* format, va_list param); @@ -46,7 +47,7 @@ int main(int argc, char ** argv) { #endif int sock_in, sock_out; - char* error = NULL; + struct dropbear_progress_connection *progress = NULL; _dropbear_exit = cli_dropbear_exit; _dropbear_log = cli_dropbear_log; @@ -72,15 +73,11 @@ int main(int argc, char ** argv) { } else #endif { - int sock = connect_remote(cli_opts.remotehost, cli_opts.remoteport, &error); - sock_in = sock_out = sock; + progress = connect_remote(cli_opts.remotehost, cli_opts.remoteport, cli_connected, &ses); + sock_in = sock_out = -1; } - if (sock_in < 0) { - dropbear_exit("%s", error); - } - - cli_session(sock_in, sock_out); + cli_session(sock_in, sock_out, progress); /* not reached */ return -1; diff --git a/cli-session.c b/cli-session.c index 6be8472..815f5b6 100644 --- a/cli-session.c +++ b/cli-session.c @@ -37,6 +37,7 @@ #include "chansession.h" #include "agentfwd.h" #include "crypto_desc.h" +#include "netio.h" static void cli_remoteclosed() ATTRIB_NORETURN; static void cli_sessionloop(); @@ -93,15 +94,30 @@ static const struct ChanType *cli_chantypes[] = { NULL /* Null termination */ }; -void cli_session(int sock_in, int sock_out) { +void cli_connected(int result, int sock, void* userdata, const char *errstring) +{ + struct sshsession *myses = userdata; + if (result == DROPBEAR_FAILURE) { + dropbear_exit("Connect failed: %s", errstring); + } + myses->sock_in = myses->sock_out = sock; + update_channel_prio(); +} + +void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) { common_session_init(sock_in, sock_out); + if (progress) { + connect_set_writequeue(progress, &ses.writequeue); + } + chaninitialise(cli_chantypes); /* Set up cli_ses vars */ cli_session_init(); + /* Ready to go */ sessinitdone = 1; diff --git a/cli-tcpfwd.c b/cli-tcpfwd.c index 3894044..ec65f41 100644 --- a/cli-tcpfwd.c +++ b/cli-tcpfwd.c @@ -30,6 +30,7 @@ #include "runopts.h" #include "session.h" #include "ssh.h" +#include "netio.h" #ifdef ENABLE_CLI_REMOTETCPFWD static int newtcpforwarded(struct Channel * channel); @@ -215,7 +216,6 @@ static int newtcpforwarded(struct Channel * channel) { m_list_elem * iter = NULL; struct TCPFwdEntry *fwd; char portstring[NI_MAXSERV]; - int sock; int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; origaddr = buf_getstring(ses.payload, NULL); @@ -254,19 +254,7 @@ static int newtcpforwarded(struct Channel * channel) { } snprintf(portstring, sizeof(portstring), "%d", fwd->connectport); - sock = connect_remote(fwd->connectaddr, portstring, NULL); - if (sock < 0) { - TRACE(("leave newtcpdirect: sock failed")) - err = SSH_OPEN_CONNECT_FAILED; - goto out; - } - - ses.maxfd = MAX(ses.maxfd, sock); - - /* We don't set readfd, that will get set after the connection's - * progress succeeds */ - channel->writefd = sock; - channel->initconn = 1; + channel->conn_pending = connect_remote(fwd->connectaddr, portstring, channel_connect_done, channel); channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE; diff --git a/common-channel.c b/common-channel.c index a683448..3622729 100644 --- a/common-channel.c +++ b/common-channel.c @@ -35,6 +35,7 @@ #include "ssh.h" #include "listener.h" #include "runopts.h" +#include "netio.h" static void send_msg_channel_open_failure(unsigned int remotechan, int reason, const unsigned char *text, const unsigned char *lang); @@ -48,7 +49,6 @@ static void send_msg_channel_data(struct Channel *channel, int isextended); static void send_msg_channel_eof(struct Channel *channel); static void send_msg_channel_close(struct Channel *channel); static void remove_channel(struct Channel *channel); -static void check_in_progress(struct Channel *channel); static unsigned int write_pending(struct Channel * channel); static void check_close(struct Channel *channel); static void close_chan_fd(struct Channel *channel, int fd, int how); @@ -163,7 +163,6 @@ static struct Channel* newchannel(unsigned int remotechan, newchan->writefd = FD_UNINIT; newchan->readfd = FD_UNINIT; newchan->errfd = FD_CLOSED; /* this isn't always set to start with */ - newchan->initconn = 0; newchan->await_open = 0; newchan->flushing = 0; @@ -242,12 +241,6 @@ void channelio(fd_set *readfds, fd_set *writefds) { /* write to program/pipe stdin */ if (channel->writefd >= 0 && FD_ISSET(channel->writefd, writefds)) { - if (channel->initconn) { - /* XXX should this go somewhere cleaner? */ - check_in_progress(channel); - continue; /* Important not to use the channel after - check_in_progress(), as it may be NULL */ - } writechannel(channel, channel->writefd, channel->writebuf); do_check_close = 1; } @@ -374,27 +367,27 @@ static void check_close(struct Channel *channel) { * if so, set up the channel properly. Otherwise, the channel is cleaned up, so * it is important that the channel reference isn't used after a call to this * function */ -static void check_in_progress(struct Channel *channel) { +void channel_connect_done(int result, int sock, void* user_data, const char* UNUSED(errstring)) { - int val; - socklen_t vallen = sizeof(val); + struct Channel *channel = user_data; - TRACE(("enter check_in_progress")) + TRACE(("enter channel_connect_done")) - if (getsockopt(channel->writefd, SOL_SOCKET, SO_ERROR, &val, &vallen) - || val != 0) { + if (result == DROPBEAR_SUCCESS) + { + channel->readfd = channel->writefd = sock; + channel->conn_pending = NULL; + chan_initwritebuf(channel); + send_msg_channel_open_confirmation(channel, channel->recvwindow, + channel->recvmaxpacket); + TRACE(("leave channel_connect_done: success")) + } + else + { send_msg_channel_open_failure(channel->remotechan, SSH_OPEN_CONNECT_FAILED, "", ""); - close(channel->writefd); remove_channel(channel); TRACE(("leave check_in_progress: fail")) - } else { - chan_initwritebuf(channel); - send_msg_channel_open_confirmation(channel, channel->recvwindow, - channel->recvmaxpacket); - channel->readfd = channel->writefd; - channel->initconn = 0; - TRACE(("leave check_in_progress: success")) } } @@ -514,8 +507,7 @@ void setchannelfds(fd_set *readfds, fd_set *writefds) { } /* Stuff from the wire */ - if (channel->initconn - ||(channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0)) { + if (channel->writefd >= 0 && cbuf_getused(channel->writebuf) > 0) { FD_SET(channel->writefd, writefds); } @@ -599,6 +591,10 @@ static void remove_channel(struct Channel * channel) { channel->close_handler_done = 1; } + if (channel->conn_pending) { + cancel_connect(channel->conn_pending); + } + ses.channels[channel->index] = NULL; m_free(channel); ses.chancount--; @@ -1149,7 +1145,7 @@ struct Channel* get_any_ready_channel() { struct Channel *chan = ses.channels[i]; if (chan && !(chan->sent_eof || chan->recv_eof) - && !(chan->await_open || chan->initconn)) { + && !(chan->await_open)) { return chan; } } diff --git a/common-session.c b/common-session.c index 971955a..19247a8 100644 --- a/common-session.c +++ b/common-session.c @@ -34,6 +34,7 @@ #include "kex.h" #include "channel.h" #include "runopts.h" +#include "netio.h" static void checktimeouts(); static long select_timeout(); @@ -167,6 +168,9 @@ void session_loop(void(*loophandler)()) { /* set up for channels which can be read/written */ setchannelfds(&readfd, &writefd); + /* Pending connections to test */ + set_connect_fds(&writefd); + val = select(ses.maxfd+1, &readfd, &writefd, NULL, &timeout); if (exitflag) { @@ -214,11 +218,13 @@ void session_loop(void(*loophandler)()) { process_packet(); } } - + /* if required, flush out any queued reply packets that were being held up during a KEX */ maybe_flush_reply_queue(); + handle_connect_fds(&writefd); + /* process pipes etc for the channels, ses.dataallowed == 0 * during rekeying ) */ channelio(&readfd, &writefd); @@ -577,6 +583,11 @@ void update_channel_prio() { TRACE(("update_channel_prio")) + if (ses.sock_out < 0) { + TRACE(("leave update_channel_prio: no socket")) + return; + } + new_prio = DROPBEAR_PRIO_BULK; for (i = 0; i < ses.chansize; i++) { struct Channel *channel = ses.channels[i]; @@ -213,183 +213,6 @@ void dropbear_trace2(const char* format, ...) { } #endif /* DEBUG_TRACE */ -void set_sock_nodelay(int sock) { - int val; - - /* disable nagle */ - val = 1; - setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); -} - -void set_sock_priority(int sock, enum dropbear_prio prio) { - - int iptos_val = 0, so_prio_val = 0, rc; - - /* Don't log ENOTSOCK errors so that this can harmlessly be called - * on a client '-J' proxy pipe */ - - /* set the TOS bit for either ipv4 or ipv6 */ -#ifdef IPTOS_LOWDELAY - if (prio == DROPBEAR_PRIO_LOWDELAY) { - iptos_val = IPTOS_LOWDELAY; - } else if (prio == DROPBEAR_PRIO_BULK) { - iptos_val = IPTOS_THROUGHPUT; - } -#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) - rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&iptos_val, sizeof(iptos_val)); - if (rc < 0 && errno != ENOTSOCK) { - TRACE(("Couldn't set IPV6_TCLASS (%s)", strerror(errno))); - } -#endif - rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&iptos_val, sizeof(iptos_val)); - if (rc < 0 && errno != ENOTSOCK) { - TRACE(("Couldn't set IP_TOS (%s)", strerror(errno))); - } -#endif - -#ifdef SO_PRIORITY - if (prio == DROPBEAR_PRIO_LOWDELAY) { - so_prio_val = TC_PRIO_INTERACTIVE; - } else if (prio == DROPBEAR_PRIO_BULK) { - so_prio_val = TC_PRIO_BULK; - } - /* linux specific, sets QoS class. see tc-prio(8) */ - rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &so_prio_val, sizeof(so_prio_val)); - if (rc < 0 && errno != ENOTSOCK) - dropbear_log(LOG_WARNING, "Couldn't set SO_PRIORITY (%s)", - strerror(errno)); -#endif - -} - -/* Listen on address:port. - * Special cases are address of "" listening on everything, - * and address of NULL listening on localhost only. - * Returns the number of sockets bound on success, or -1 on failure. On - * failure, if errstring wasn't NULL, it'll be a newly malloced error - * string.*/ -int dropbear_listen(const char* address, const char* port, - int *socks, unsigned int sockcount, char **errstring, int *maxfd) { - - struct addrinfo hints, *res = NULL, *res0 = NULL; - int err; - unsigned int nsock; - struct linger linger; - int val; - int sock; - - TRACE(("enter dropbear_listen")) - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; /* TODO: let them flag v4 only etc */ - hints.ai_socktype = SOCK_STREAM; - - /* for calling getaddrinfo: - address == NULL and !AI_PASSIVE: local loopback - address == NULL and AI_PASSIVE: all interfaces - address != NULL: whatever the address says */ - if (!address) { - TRACE(("dropbear_listen: local loopback")) - } else { - if (address[0] == '\0') { - TRACE(("dropbear_listen: all interfaces")) - address = NULL; - } - hints.ai_flags = AI_PASSIVE; - } - err = getaddrinfo(address, port, &hints, &res0); - - if (err) { - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(gai_strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error resolving: %s", gai_strerror(err)); - } - if (res0) { - freeaddrinfo(res0); - res0 = NULL; - } - TRACE(("leave dropbear_listen: failed resolving")) - return -1; - } - - - nsock = 0; - for (res = res0; res != NULL && nsock < sockcount; - res = res->ai_next) { - - /* Get a socket */ - socks[nsock] = socket(res->ai_family, res->ai_socktype, - res->ai_protocol); - - sock = socks[nsock]; /* For clarity */ - - if (sock < 0) { - err = errno; - TRACE(("socket() failed")) - continue; - } - - /* Various useful socket options */ - val = 1; - /* set to reuse, quick timeout */ - setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); - linger.l_onoff = 1; - linger.l_linger = 5; - setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger)); - -#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) - if (res->ai_family == AF_INET6) { - int on = 1; - if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, - &on, sizeof(on)) == -1) { - dropbear_log(LOG_WARNING, "Couldn't set IPV6_V6ONLY"); - } - } -#endif - - set_sock_nodelay(sock); - - if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { - err = errno; - close(sock); - TRACE(("bind(%s) failed", port)) - continue; - } - - if (listen(sock, DROPBEAR_LISTEN_BACKLOG) < 0) { - err = errno; - close(sock); - TRACE(("listen() failed")) - continue; - } - - *maxfd = MAX(*maxfd, sock); - - nsock++; - } - - if (res0) { - freeaddrinfo(res0); - res0 = NULL; - } - - if (nsock == 0) { - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error listening: %s", strerror(err)); - } - TRACE(("leave dropbear_listen: failure, %s", strerror(err))) - return -1; - } - - TRACE(("leave dropbear_listen: success, %d socks bound", nsock)) - return nsock; -} - /* Connect to a given unix socket. The socket is blocking */ #ifdef ENABLE_CONNECT_UNIX int connect_unix(const char* path) { @@ -413,111 +236,6 @@ int connect_unix(const char* path) { } #endif -#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) -static void set_piggyback_ack(int sock) { - /* Undocumented Linux feature - set TCP_DEFER_ACCEPT and data will be piggybacked - on the 3rd packet (ack) of the TCP handshake. Saves a IP packet. - http://thread.gmane.org/gmane.linux.network/224627/focus=224727 - "Piggyback the final ACK of the three way TCP connection establishment with the data" */ - int val = 1; - /* No error checking, this is opportunistic */ - int err = setsockopt(sock, IPPROTO_TCP, TCP_DEFER_ACCEPT, (void*)&val, sizeof(val)); - if (err) - { - TRACE(("Failed setsockopt TCP_DEFER_ACCEPT: %s", strerror(errno))) - } -} -#endif - - -/* Connect via TCP to a host. Connection will try ipv4 or ipv6, will - * return immediately if nonblocking is set. On failure, if errstring - * wasn't null, it will be a newly malloced error message */ - -/* TODO: maxfd */ -int connect_remote(const char* remotehost, const char* remoteport, char ** errstring) { - - struct addrinfo *res0 = NULL, *res = NULL, hints; - int sock; - int err; - - TRACE(("enter connect_remote")) - - if (errstring != NULL) { - *errstring = NULL; - } - - memset(&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_family = PF_UNSPEC; - - err = getaddrinfo(remotehost, remoteport, &hints, &res0); - if (err) { - if (errstring != NULL && *errstring == NULL) { - int len; - len = 100 + strlen(gai_strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error resolving '%s' port '%s'. %s", - remotehost, remoteport, gai_strerror(err)); - } - TRACE(("Error resolving: %s", gai_strerror(err))) - return -1; - } - - sock = -1; - err = EADDRNOTAVAIL; - for (res = res0; res; res = res->ai_next) { - - sock = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (sock < 0) { - err = errno; - continue; - } - - setnonblocking(sock); - -#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) - set_piggyback_ack(sock); -#endif - - if (connect(sock, res->ai_addr, res->ai_addrlen) < 0) { - if (errno == EINPROGRESS) { - TRACE(("Connect in progress")) - break; - } else { - err = errno; - close(sock); - sock = -1; - continue; - } - } - - break; /* Success */ - } - - if (sock < 0 && !(errno == EINPROGRESS)) { - /* Failed */ - if (errstring != NULL && *errstring == NULL) { - int len; - len = 20 + strlen(strerror(err)); - *errstring = (char*)m_malloc(len); - snprintf(*errstring, len, "Error connecting: %s", strerror(err)); - } - TRACE(("Error connecting: %s", strerror(err))) - } else { - /* Success */ - set_sock_nodelay(sock); - } - - freeaddrinfo(res0); - if (sock > 0 && errstring != NULL && *errstring != NULL) { - m_free(*errstring); - } - - TRACE(("leave connect_remote: sock %d\n", sock)) - return sock; -} - /* Sets up a pipe for a, returning three non-blocking file descriptors * and the pid. exec_fn is the function that will actually execute the child process, * it will be run after the child has fork()ed, and is passed exec_data. @@ -653,88 +371,6 @@ void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell) { execv(usershell, argv); } -void get_socket_address(int fd, char **local_host, char **local_port, - char **remote_host, char **remote_port, int host_lookup) -{ - struct sockaddr_storage addr; - socklen_t addrlen; - - if (local_host || local_port) { - addrlen = sizeof(addr); - if (getsockname(fd, (struct sockaddr*)&addr, &addrlen) < 0) { - dropbear_exit("Failed socket address: %s", strerror(errno)); - } - getaddrstring(&addr, local_host, local_port, host_lookup); - } - if (remote_host || remote_port) { - addrlen = sizeof(addr); - if (getpeername(fd, (struct sockaddr*)&addr, &addrlen) < 0) { - dropbear_exit("Failed socket address: %s", strerror(errno)); - } - getaddrstring(&addr, remote_host, remote_port, host_lookup); - } -} - -/* Return a string representation of the socket address passed. The return - * value is allocated with malloc() */ -void getaddrstring(struct sockaddr_storage* addr, - char **ret_host, char **ret_port, - int host_lookup) { - - char host[NI_MAXHOST+1], serv[NI_MAXSERV+1]; - unsigned int len; - int ret; - - int flags = NI_NUMERICSERV | NI_NUMERICHOST; - -#ifndef DO_HOST_LOOKUP - host_lookup = 0; -#endif - - if (host_lookup) { - flags = NI_NUMERICSERV; - } - - len = sizeof(struct sockaddr_storage); - /* Some platforms such as Solaris 8 require that len is the length - * of the specific structure. Some older linux systems (glibc 2.1.3 - * such as debian potato) have sockaddr_storage.__ss_family instead - * but we'll ignore them */ -#ifdef HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY - if (addr->ss_family == AF_INET) { - len = sizeof(struct sockaddr_in); - } -#ifdef AF_INET6 - if (addr->ss_family == AF_INET6) { - len = sizeof(struct sockaddr_in6); - } -#endif -#endif - - ret = getnameinfo((struct sockaddr*)addr, len, host, sizeof(host)-1, - serv, sizeof(serv)-1, flags); - - if (ret != 0) { - if (host_lookup) { - /* On some systems (Darwin does it) we get EINTR from getnameinfo - * somehow. Eew. So we'll just return the IP, since that doesn't seem - * to exhibit that behaviour. */ - getaddrstring(addr, ret_host, ret_port, 0); - return; - } else { - /* if we can't do a numeric lookup, something's gone terribly wrong */ - dropbear_exit("Failed lookup: %s", gai_strerror(ret)); - } - } - - if (ret_host) { - *ret_host = m_strdup(host); - } - if (ret_port) { - *ret_port = m_strdup(serv); - } -} - #ifdef DEBUG_TRACE void printhex(const char * label, const unsigned char * buf, int len) { @@ -1059,3 +695,4 @@ time_t monotonic_now() { return time(NULL); } + @@ -28,6 +28,7 @@ #include "includes.h" #include "buffer.h" +#include "queue.h" #ifndef DISABLE_SYSLOG void startsyslog(); @@ -62,28 +63,14 @@ void debug_start_net(); extern int debug_trace; #endif -enum dropbear_prio { - DROPBEAR_PRIO_DEFAULT = 10, - DROPBEAR_PRIO_LOWDELAY = 11, - DROPBEAR_PRIO_BULK = 12, -}; - char * stripcontrol(const char * text); -void get_socket_address(int fd, char **local_host, char **local_port, - char **remote_host, char **remote_port, int host_lookup); -void getaddrstring(struct sockaddr_storage* addr, - char **ret_host, char **ret_port, int host_lookup); -void set_sock_nodelay(int sock); -void set_sock_priority(int sock, enum dropbear_prio prio); -int dropbear_listen(const char* address, const char* port, - int *socks, unsigned int sockcount, char **errstring, int *maxfd); + int spawn_command(void(*exec_fn)(void *user_data), void *exec_data, int *writefd, int *readfd, int *errfd, pid_t *pid); void run_shell_command(const char* cmd, unsigned int maxfd, char* usershell); #ifdef ENABLE_CONNECT_UNIX int connect_unix(const char* addr); #endif -int connect_remote(const char* remotehost, const char* remoteport, char ** errstring); int buf_readfile(buffer* buf, const char* filename); int buf_getline(buffer * line, FILE * authfile); @@ -0,0 +1,572 @@ +#include "netio.h" +#include "list.h" +#include "dbutil.h" +#include "session.h" +#include "debug.h" + +struct dropbear_progress_connection { + struct addrinfo *res; + struct addrinfo *res_iter; + + char *remotehost, *remoteport; /* For error reporting */ + + connect_callback cb; + void *cb_data; + + struct Queue *writequeue; /* A queue of encrypted packets to send with TCP fastopen, + or NULL. */ + + int sock; + + char* errstring; +}; + +#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) +static void set_piggyback_ack(int sock) { + /* Undocumented Linux feature - set TCP_DEFER_ACCEPT and data will be piggybacked + on the 3rd packet (ack) of the TCP handshake. Saves a IP packet. + http://thread.gmane.org/gmane.linux.network/224627/focus=224727 + "Piggyback the final ACK of the three way TCP connection establishment with the data" */ + int val = 1; + /* No error checking, this is opportunistic */ + int err = setsockopt(sock, IPPROTO_TCP, TCP_DEFER_ACCEPT, (void*)&val, sizeof(val)); + if (err) + { + TRACE(("Failed setsockopt TCP_DEFER_ACCEPT: %s", strerror(errno))) + } +} +#endif + + +/* Deallocate a progress connection. Removes from the pending list if iter!=NULL. +Does not close sockets */ +static void remove_connect(struct dropbear_progress_connection *c, m_list_elem *iter) { + if (c->res) { + freeaddrinfo(c->res); + } + m_free(c->remotehost); + m_free(c->remoteport); + m_free(c->errstring); + m_free(c); + + if (iter) { + list_remove(iter); + } +} + +static void cancel_callback(int result, int sock, void* UNUSED(data), const char* UNUSED(errstring)) { + if (result == DROPBEAR_SUCCESS) + { + m_close(sock); + } +} + +void cancel_connect(struct dropbear_progress_connection *c) { + c->cb = cancel_callback; + c->cb_data = NULL; +} + +static void connect_try_next(struct dropbear_progress_connection *c) { + struct addrinfo *r; + int res = 0; + int fastopen = 0; +#ifdef DROPBEAR_TCP_FAST_OPEN + struct msghdr message; +#endif + + for (r = c->res_iter; r; r = r->ai_next) + { + assert(c->sock == -1); + + c->sock = socket(c->res_iter->ai_family, c->res_iter->ai_socktype, c->res_iter->ai_protocol); + if (c->sock < 0) { + continue; + } + + ses.maxfd = MAX(ses.maxfd, c->sock); + set_sock_nodelay(c->sock); + setnonblocking(c->sock); + +#if defined(__linux__) && defined(TCP_DEFER_ACCEPT) + set_piggyback_ack(c->sock); +#endif + +#ifdef DROPBEAR_TCP_FAST_OPEN + fastopen = (c->writequeue != NULL); + + memset(&message, 0x0, sizeof(message)); + message.msg_name = r->ai_addr; + message.msg_namelen = r->ai_addrlen; + + if (c->writequeue) { + int iovlen; /* Linux msg_iovlen is a size_t */ + message.msg_iov = packet_queue_to_iovec(c->writequeue, &iovlen); + message.msg_iovlen = iovlen; + res = sendmsg(c->sock, &message, MSG_FASTOPEN); + if (res < 0 && errno != EINPROGRESS) { + /* Not entirely sure which kind of errors are normal - 2.6.32 seems to + return EPIPE for any (nonblocking?) sendmsg(). just fall back */ + TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); + /* No kernel MSG_FASTOPEN support. Fall back below */ + fastopen = 0; + /* Set to NULL to avoid trying again */ + c->writequeue = NULL; + } + m_free(message.msg_iov); + packet_queue_consume(c->writequeue, res); + } +#endif + + /* Normal connect(), used as fallback for TCP fastopen too */ + if (!fastopen) { + res = connect(c->sock, r->ai_addr, r->ai_addrlen); + } + + if (res < 0 && errno != EINPROGRESS) { + /* failure */ + close(c->sock); + c->sock = -1; + continue; + } else { + /* new connection was successful, wait for it to complete */ + break; + } + } + + if (r) { + c->res_iter = r->ai_next; + } else { + c->res_iter = NULL; + } +} + +/* Connect via TCP to a host. */ +struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport, + connect_callback cb, void* cb_data) +{ + struct dropbear_progress_connection *c = NULL; + int err; + struct addrinfo hints; + + c = m_malloc(sizeof(*c)); + c->remotehost = m_strdup(remotehost); + c->remoteport = m_strdup(remoteport); + c->sock = -1; + c->cb = cb; + c->cb_data = cb_data; + + list_append(&ses.conn_pending, c); + + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_STREAM; + hints.ai_family = PF_UNSPEC; + + err = getaddrinfo(remotehost, remoteport, &hints, &c->res); + if (err) { + int len; + len = 100 + strlen(gai_strerror(err)); + c->errstring = (char*)m_malloc(len); + snprintf(c->errstring, len, "Error resolving '%s' port '%s'. %s", + remotehost, remoteport, gai_strerror(err)); + TRACE(("Error resolving: %s", gai_strerror(err))) + return NULL; + } + + c->res_iter = c->res; + + return c; +} + + +void set_connect_fds(fd_set *writefd) { + m_list_elem *iter; + TRACE(("enter handle_connect_fds")) + for (iter = ses.conn_pending.first; iter; iter = iter->next) { + struct dropbear_progress_connection *c = iter->item; + /* Set one going */ + while (c->res_iter && c->sock < 0) + { + connect_try_next(c); + } + if (c->sock >= 0) { + FD_SET(c->sock, writefd); + } else { + m_list_elem *remove_iter; + /* Final failure */ + if (!c->errstring) { + c->errstring = m_strdup("unexpected failure"); + } + c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring); + /* Safely remove without invalidating iter */ + remove_iter = iter; + iter = iter->prev; + remove_connect(c, remove_iter); + } + } +} + +void handle_connect_fds(fd_set *writefd) { + m_list_elem *iter; + TRACE(("enter handle_connect_fds")) + for (iter = ses.conn_pending.first; iter; iter = iter->next) { + int val; + socklen_t vallen = sizeof(val); + struct dropbear_progress_connection *c = iter->item; + + if (!FD_ISSET(c->sock, writefd)) { + continue; + } + + TRACE(("handling %s port %s socket %d", c->remotehost, c->remoteport, c->sock)); + + if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &val, &vallen) != 0) { + TRACE(("handle_connect_fds getsockopt(%d) SO_ERROR failed: %s", c->sock, strerror(errno))) + /* This isn't expected to happen - Unix has surprises though, continue gracefully. */ + m_close(c->sock); + c->sock = -1; + } else if (val != 0) { + /* Connect failed */ + TRACE(("connect to %s port %s failed.", c->remotehost, c->remoteport)) + m_close(c->sock); + c->sock = -1; + + m_free(c->errstring); + c->errstring = strerror(val); + } else { + /* New connection has been established */ + c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, NULL); + remove_connect(c, iter); + TRACE(("leave handle_connect_fds - success")) + /* Must return here - remove_connect() invalidates iter */ + return; + } + } + TRACE(("leave handle_connect_fds - end iter")) +} + +void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue) { + c->writequeue = writequeue; +} + +struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count) { + struct iovec *iov = NULL; + struct Link *l; + unsigned int i; + int len; + buffer *writebuf; + + #ifndef IOV_MAX + #define IOV_MAX UIO_MAXIOV + #endif + + *ret_iov_count = MIN(queue->count, IOV_MAX); + + iov = m_malloc(sizeof(*iov) * *ret_iov_count); + for (l = queue->head, i = 0; l; l = l->link, i++) + { + writebuf = (buffer*)l->item; + len = writebuf->len - 1 - writebuf->pos; + dropbear_assert(len > 0); + TRACE2(("write_packet writev #%d type %d len %d/%d", i, writebuf->data[writebuf->len-1], + len, writebuf->len-1)) + iov[i].iov_base = buf_getptr(writebuf, len); + iov[i].iov_len = len; + } + + return iov; +} + +void packet_queue_consume(struct Queue *queue, ssize_t written) { + buffer *writebuf; + int len; + while (written > 0) { + writebuf = (buffer*)examine(queue); + len = writebuf->len - 1 - writebuf->pos; + if (len > written) { + /* partial buffer write */ + buf_incrpos(writebuf, written); + written = 0; + } else { + written -= len; + dequeue(queue); + buf_free(writebuf); + } + } +} + +void set_sock_nodelay(int sock) { + int val; + + /* disable nagle */ + val = 1; + setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); +} + +#ifdef DROPBEAR_TCP_FAST_OPEN +void set_listen_fast_open(int sock) { + int qlen = MAX(MAX_UNAUTH_PER_IP, 5); + if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) { + TRACE(("set_listen_fast_open failed for socket %d: %s", sock, strerror(errno))) + } +} + +#endif + +void set_sock_priority(int sock, enum dropbear_prio prio) { + + int rc; +#ifdef IPTOS_LOWDELAY + int iptos_val = 0; +#endif +#ifdef SO_PRIORITY + int so_prio_val = 0; +#endif + + + /* Don't log ENOTSOCK errors so that this can harmlessly be called + * on a client '-J' proxy pipe */ + + /* set the TOS bit for either ipv4 or ipv6 */ +#ifdef IPTOS_LOWDELAY + if (prio == DROPBEAR_PRIO_LOWDELAY) { + iptos_val = IPTOS_LOWDELAY; + } else if (prio == DROPBEAR_PRIO_BULK) { + iptos_val = IPTOS_THROUGHPUT; + } +#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) + rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&iptos_val, sizeof(iptos_val)); + if (rc < 0 && errno != ENOTSOCK) { + TRACE(("Couldn't set IPV6_TCLASS (%s)", strerror(errno))); + } +#endif + rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&iptos_val, sizeof(iptos_val)); + if (rc < 0 && errno != ENOTSOCK) { + TRACE(("Couldn't set IP_TOS (%s)", strerror(errno))); + } +#endif + +#ifdef SO_PRIORITY + if (prio == DROPBEAR_PRIO_LOWDELAY) { + so_prio_val = TC_PRIO_INTERACTIVE; + } else if (prio == DROPBEAR_PRIO_BULK) { + so_prio_val = TC_PRIO_BULK; + } + /* linux specific, sets QoS class. see tc-prio(8) */ + rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &so_prio_val, sizeof(so_prio_val)); + if (rc < 0 && errno != ENOTSOCK) + dropbear_log(LOG_WARNING, "Couldn't set SO_PRIORITY (%s)", + strerror(errno)); +#endif + +} + +/* Listen on address:port. + * Special cases are address of "" listening on everything, + * and address of NULL listening on localhost only. + * Returns the number of sockets bound on success, or -1 on failure. On + * failure, if errstring wasn't NULL, it'll be a newly malloced error + * string.*/ +int dropbear_listen(const char* address, const char* port, + int *socks, unsigned int sockcount, char **errstring, int *maxfd) { + + struct addrinfo hints, *res = NULL, *res0 = NULL; + int err; + unsigned int nsock; + struct linger linger; + int val; + int sock; + + TRACE(("enter dropbear_listen")) + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; /* TODO: let them flag v4 only etc */ + hints.ai_socktype = SOCK_STREAM; + + /* for calling getaddrinfo: + address == NULL and !AI_PASSIVE: local loopback + address == NULL and AI_PASSIVE: all interfaces + address != NULL: whatever the address says */ + if (!address) { + TRACE(("dropbear_listen: local loopback")) + } else { + if (address[0] == '\0') { + TRACE(("dropbear_listen: all interfaces")) + address = NULL; + } + hints.ai_flags = AI_PASSIVE; + } + err = getaddrinfo(address, port, &hints, &res0); + + if (err) { + if (errstring != NULL && *errstring == NULL) { + int len; + len = 20 + strlen(gai_strerror(err)); + *errstring = (char*)m_malloc(len); + snprintf(*errstring, len, "Error resolving: %s", gai_strerror(err)); + } + if (res0) { + freeaddrinfo(res0); + res0 = NULL; + } + TRACE(("leave dropbear_listen: failed resolving")) + return -1; + } + + + nsock = 0; + for (res = res0; res != NULL && nsock < sockcount; + res = res->ai_next) { + + /* Get a socket */ + socks[nsock] = socket(res->ai_family, res->ai_socktype, + res->ai_protocol); + + sock = socks[nsock]; /* For clarity */ + + if (sock < 0) { + err = errno; + TRACE(("socket() failed")) + continue; + } + + /* Various useful socket options */ + val = 1; + /* set to reuse, quick timeout */ + setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); + linger.l_onoff = 1; + linger.l_linger = 5; + setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger)); + +#if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) + if (res->ai_family == AF_INET6) { + int on = 1; + if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, + &on, sizeof(on)) == -1) { + dropbear_log(LOG_WARNING, "Couldn't set IPV6_V6ONLY"); + } + } +#endif + + set_sock_nodelay(sock); + + if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { + err = errno; + close(sock); + TRACE(("bind(%s) failed", port)) + continue; + } + + if (listen(sock, DROPBEAR_LISTEN_BACKLOG) < 0) { + err = errno; + close(sock); + TRACE(("listen() failed")) + continue; + } + + *maxfd = MAX(*maxfd, sock); + + nsock++; + } + + if (res0) { + freeaddrinfo(res0); + res0 = NULL; + } + + if (nsock == 0) { + if (errstring != NULL && *errstring == NULL) { + int len; + len = 20 + strlen(strerror(err)); + *errstring = (char*)m_malloc(len); + snprintf(*errstring, len, "Error listening: %s", strerror(err)); + } + TRACE(("leave dropbear_listen: failure, %s", strerror(err))) + return -1; + } + + TRACE(("leave dropbear_listen: success, %d socks bound", nsock)) + return nsock; +} + +void get_socket_address(int fd, char **local_host, char **local_port, + char **remote_host, char **remote_port, int host_lookup) +{ + struct sockaddr_storage addr; + socklen_t addrlen; + + if (local_host || local_port) { + addrlen = sizeof(addr); + if (getsockname(fd, (struct sockaddr*)&addr, &addrlen) < 0) { + dropbear_exit("Failed socket address: %s", strerror(errno)); + } + getaddrstring(&addr, local_host, local_port, host_lookup); + } + if (remote_host || remote_port) { + addrlen = sizeof(addr); + if (getpeername(fd, (struct sockaddr*)&addr, &addrlen) < 0) { + dropbear_exit("Failed socket address: %s", strerror(errno)); + } + getaddrstring(&addr, remote_host, remote_port, host_lookup); + } +} + +/* Return a string representation of the socket address passed. The return + * value is allocated with malloc() */ +void getaddrstring(struct sockaddr_storage* addr, + char **ret_host, char **ret_port, + int host_lookup) { + + char host[NI_MAXHOST+1], serv[NI_MAXSERV+1]; + unsigned int len; + int ret; + + int flags = NI_NUMERICSERV | NI_NUMERICHOST; + +#ifndef DO_HOST_LOOKUP + host_lookup = 0; +#endif + + if (host_lookup) { + flags = NI_NUMERICSERV; + } + + len = sizeof(struct sockaddr_storage); + /* Some platforms such as Solaris 8 require that len is the length + * of the specific structure. Some older linux systems (glibc 2.1.3 + * such as debian potato) have sockaddr_storage.__ss_family instead + * but we'll ignore them */ +#ifdef HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY + if (addr->ss_family == AF_INET) { + len = sizeof(struct sockaddr_in); + } +#ifdef AF_INET6 + if (addr->ss_family == AF_INET6) { + len = sizeof(struct sockaddr_in6); + } +#endif +#endif + + ret = getnameinfo((struct sockaddr*)addr, len, host, sizeof(host)-1, + serv, sizeof(serv)-1, flags); + + if (ret != 0) { + if (host_lookup) { + /* On some systems (Darwin does it) we get EINTR from getnameinfo + * somehow. Eew. So we'll just return the IP, since that doesn't seem + * to exhibit that behaviour. */ + getaddrstring(addr, ret_host, ret_port, 0); + return; + } else { + /* if we can't do a numeric lookup, something's gone terribly wrong */ + dropbear_exit("Failed lookup: %s", gai_strerror(ret)); + } + } + + if (ret_host) { + *ret_host = m_strdup(host); + } + if (ret_port) { + *ret_port = m_strdup(serv); + } +} + @@ -0,0 +1,58 @@ +#ifndef DROPBEAR_NETIO_H +#define DROPBEAR_NETIO_H + +#include "includes.h" +#include "buffer.h" +#include "queue.h" + +enum dropbear_prio { + DROPBEAR_PRIO_DEFAULT = 10, + DROPBEAR_PRIO_LOWDELAY = 11, + DROPBEAR_PRIO_BULK = 12, +}; + +void set_sock_nodelay(int sock); +void set_sock_priority(int sock, enum dropbear_prio prio); + +void get_socket_address(int fd, char **local_host, char **local_port, + char **remote_host, char **remote_port, int host_lookup); +void getaddrstring(struct sockaddr_storage* addr, + char **ret_host, char **ret_port, int host_lookup); +int dropbear_listen(const char* address, const char* port, + int *socks, unsigned int sockcount, char **errstring, int *maxfd); + +struct dropbear_progress_connection; + +/* result is DROPBEAR_SUCCESS or DROPBEAR_FAILURE. +errstring is only set on DROPBEAR_FAILURE, returns failure message for the last attempted socket */ +typedef void(*connect_callback)(int result, int sock, void* data, const char* errstring); + +struct dropbear_progress_connection * connect_remote (const char* remotehost, const char* remoteport, + connect_callback cb, void *cb_data); + +void set_connect_fds(fd_set *writefd); +void handle_connect_fds(fd_set *writefd); + +/* Doesn't actually stop the connect, but adds a dummy callback instead */ +void cancel_connect(struct dropbear_progress_connection *c); + +void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue); + +/* TODO: writev #ifdef guard */ +struct iovec * packet_queue_to_iovec(struct Queue *queue, int *ret_iov_count); +void packet_queue_consume(struct Queue *queue, ssize_t written); + +#ifdef DROPBEAR_TCP_FAST_OPEN +/* Try for any Linux builds, will fall back if the kernel doesn't support it */ +void set_listen_fast_open(int sock); +/* Define values which may be supported by the kernel even if the libc is too old */ +#ifndef TCP_FASTOPEN +#define TCP_FASTOPEN 23 +#endif +#ifndef MSG_FASTOPEN +#define MSG_FASTOPEN 0x20000000 +#endif +#endif + +#endif + @@ -34,6 +34,7 @@ #include "service.h" #include "auth.h" #include "channel.h" +#include "netio.h" static int read_packet_init(); static void make_mac(unsigned int seqno, const struct key_context_directional * key_state, @@ -55,14 +56,10 @@ static void buf_compress(buffer * dest, buffer * src, unsigned int len); /* non-blocking function writing out a current encrypted packet */ void write_packet() { - int len, written; - buffer * writebuf = NULL; - unsigned packet_type; + ssize_t written; #ifdef HAVE_WRITEV struct iovec *iov = NULL; - int i; - struct Link *l; - int iov_max_count; + int iov_count; #endif TRACE2(("enter write_packet")) @@ -70,62 +67,28 @@ void write_packet() { #if defined(HAVE_WRITEV) && (defined(IOV_MAX) || defined(UIO_MAXIOV)) -#ifndef IOV_MAX -#define IOV_MAX UIO_MAXIOV -#endif - - /* Make sure the size of the iov is below the maximum allowed by the OS. */ - iov_max_count = ses.writequeue.count; - if (iov_max_count > IOV_MAX) - { - iov_max_count = IOV_MAX; - } - - iov = m_malloc(sizeof(*iov) * iov_max_count); - for (l = ses.writequeue.head, i = 0; l; l = l->link, i++) - { - writebuf = (buffer*)l->item; - packet_type = writebuf->data[writebuf->len-1]; - len = writebuf->len - 1 - writebuf->pos; - dropbear_assert(len > 0); - TRACE2(("write_packet writev #%d type %d len %d/%d", i, packet_type, - len, writebuf->len-1)) - iov[i].iov_base = buf_getptr(writebuf, len); - iov[i].iov_len = len; - } + iov = packet_queue_to_iovec(&ses.writequeue, &iov_count); /* This may return EAGAIN. The main loop sometimes calls write_packet() without bothering to test with select() since it's likely to be necessary */ - written = writev(ses.sock_out, iov, iov_max_count); + written = writev(ses.sock_out, iov, iov_count); if (written < 0) { if (errno == EINTR || errno == EAGAIN) { - m_free(iov); TRACE2(("leave write_packet: EINTR")) + m_free(iov); return; } else { dropbear_exit("Error writing: %s", strerror(errno)); } } + m_free(iov); + + packet_queue_consume(&ses.writequeue, written); if (written == 0) { ses.remoteclosed(); } - while (written > 0) { - writebuf = (buffer*)examine(&ses.writequeue); - len = writebuf->len - 1 - writebuf->pos; - if (len > written) { - /* partial buffer write */ - buf_incrpos(writebuf, written); - written = 0; - } else { - written -= len; - dequeue(&ses.writequeue); - buf_free(writebuf); - } - } - - m_free(iov); #else /* No writev () */ /* Get the next buffer in the queue of encrypted packets to write*/ writebuf = (buffer*)examine(&ses.writequeue); @@ -27,6 +27,7 @@ #define DROPBEAR_PACKET_H_ #include "includes.h" +#include "queue.h" void write_packet(); void read_packet(); @@ -38,6 +38,7 @@ #include "tcpfwd.h" #include "chansession.h" #include "dbutil.h" +#include "netio.h" extern int sessinitdone; /* Is set to 0 somewhere */ extern int exitflag; @@ -60,7 +61,8 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) ATTRIB_N void svr_dropbear_log(int priority, const char* format, va_list param); /* Client */ -void cli_session(int sock_in, int sock_out) ATTRIB_NORETURN; +void cli_session(int sock_in, int sock_out, struct dropbear_progress_connection *progress) ATTRIB_NORETURN; +void cli_connected(int result, int sock, void* userdata, const char *errstring); void cleantext(unsigned char* dirtytext); /* crypto parameters that are stored individually for transmit and receive */ @@ -144,6 +146,8 @@ struct sshsession { int signal_pipe[2]; /* stores endpoints of a self-pipe used for race-free signal handling */ + + m_list conn_pending; /* time of the last packet send/receive, for keepalive. Not real-world clock */ time_t last_packet_time_keepalive_sent; @@ -140,7 +140,7 @@ int buf_get_pub_key(buffer *buf, sign_key *key, enum signkey_type *type) { unsigned char* ident; unsigned int len; - int keytype; + enum signkey_type keytype; int ret = DROPBEAR_FAILURE; TRACE2(("enter buf_get_pub_key")) @@ -210,7 +210,7 @@ int buf_get_priv_key(buffer *buf, sign_key *key, enum signkey_type *type) { unsigned char* ident; unsigned int len; - int keytype; + enum signkey_type keytype; int ret = DROPBEAR_FAILURE; TRACE2(("enter buf_get_priv_key")) @@ -138,7 +138,6 @@ void main_noinetd() { } for (i = 0; i < listensockcount; i++) { - set_sock_priority(listensocks[i], DROPBEAR_PRIO_LOWDELAY); FD_SET(listensocks[i], &fds); } @@ -403,9 +402,9 @@ static void commonsetup() { } /* Set up listening sockets for all the requested ports */ -static size_t listensockets(int *sock, size_t sockcount, int *maxfd) { - - unsigned int i; +static size_t listensockets(int *socks, size_t sockcount, int *maxfd) { + + unsigned int i, n; char* errstring = NULL; size_t sockpos = 0; int nsock; @@ -416,7 +415,7 @@ static size_t listensockets(int *sock, size_t sockcount, int *maxfd) { TRACE(("listening on '%s:%s'", svr_opts.addresses[i], svr_opts.ports[i])) - nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &sock[sockpos], + nsock = dropbear_listen(svr_opts.addresses[i], svr_opts.ports[i], &socks[sockpos], sockcount - sockpos, &errstring, maxfd); @@ -427,6 +426,14 @@ static size_t listensockets(int *sock, size_t sockcount, int *maxfd) { continue; } + for (n = 0; n < (unsigned int)nsock; n++) { + int sock = socks[sockpos + n]; + set_sock_priority(sock, DROPBEAR_PRIO_LOWDELAY); +#ifdef DROPBEAR_TCP_FAST_OPEN + set_listen_fast_open(sock); +#endif + } + sockpos += nsock; } diff --git a/svr-tcpfwd.c b/svr-tcpfwd.c index f2c4b93..b3928bc 100644 --- a/svr-tcpfwd.c +++ b/svr-tcpfwd.c @@ -33,6 +33,7 @@ #include "listener.h" #include "runopts.h" #include "auth.h" +#include "netio.h" #ifndef ENABLE_SVR_REMOTETCPFWD @@ -236,7 +237,6 @@ static int newtcpdirect(struct Channel * channel) { unsigned char* orighost = NULL; unsigned int origport; char portstring[NI_MAXSERV]; - int sock; int len; int err = SSH_OPEN_ADMINISTRATIVELY_PROHIBITED; @@ -270,19 +270,7 @@ static int newtcpdirect(struct Channel * channel) { } snprintf(portstring, sizeof(portstring), "%d", destport); - sock = connect_remote(desthost, portstring, NULL); - if (sock < 0) { - err = SSH_OPEN_CONNECT_FAILED; - TRACE(("leave newtcpdirect: sock failed")) - goto out; - } - - ses.maxfd = MAX(ses.maxfd, sock); - - /* We don't set readfd, that will get set after the connection's - * progress succeeds */ - channel->writefd = sock; - channel->initconn = 1; + channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done, channel); channel->prio = DROPBEAR_CHANNEL_PRIO_UNKNOWABLE; diff --git a/sysoptions.h b/sysoptions.h index 03f4076..11dc10d 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -262,4 +262,9 @@ /* Use this string since some implementations might special-case it */ #define DROPBEAR_KEEPALIVE_STRING "keepalive@openssh.com" +/* Linux will attempt TCP fast open, falling back if not supported by the kernel */ +#ifdef __linux__ +#define DROPBEAR_TCP_FAST_OPEN 1 +#endif + /* no include guard for this file */ |