#include "netio.h" #include "list.h" #include "dbutil.h" #include "session.h" #include "debug.h" struct dropbear_progress_connection { struct addrinfo *res; struct addrinfo *res_iter; char *remotehost, *remoteport; /* For error reporting */ connect_callback cb; void *cb_data; struct Queue *writequeue; /* A queue of encrypted packets to send with TCP fastopen, or NULL. */ int sock; char* errstring; char *bind_address, *bind_port; enum dropbear_prio prio; }; /* Deallocate a progress connection. Removes from the pending list if iter!=NULL. Does not close sockets */ static void remove_connect(struct dropbear_progress_connection *c, m_list_elem *iter) { if (c->res) { freeaddrinfo(c->res); } m_free(c->remotehost); m_free(c->remoteport); m_free(c->errstring); m_free(c->bind_address); m_free(c->bind_port); m_free(c); if (iter) { list_remove(iter); } } static void cancel_callback(int result, int sock, void* UNUSED(data), const char* UNUSED(errstring)) { if (result == DROPBEAR_SUCCESS) { m_close(sock); } } void cancel_connect(struct dropbear_progress_connection *c) { c->cb = cancel_callback; c->cb_data = NULL; } static void connect_try_next(struct dropbear_progress_connection *c) { struct addrinfo *r; int err; int res = 0; int fastopen = 0; #if DROPBEAR_CLIENT_TCP_FAST_OPEN struct msghdr message; #endif for (r = c->res_iter; r; r = r->ai_next) { dropbear_assert(c->sock == -1); c->sock = socket(r->ai_family, r->ai_socktype, r->ai_protocol); if (c->sock < 0) { continue; } if (c->bind_address || c->bind_port) { /* bind to a source port/address */ struct addrinfo hints; struct addrinfo *bindaddr = NULL; memset(&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; hints.ai_family = r->ai_family; hints.ai_flags = AI_PASSIVE; err = getaddrinfo(c->bind_address, c->bind_port, &hints, &bindaddr); if (err) { int len = 100 + strlen(gai_strerror(err)); m_free(c->errstring); c->errstring = (char*)m_malloc(len); snprintf(c->errstring, len, "Error resolving bind address '%s' (port %s). %s", c->bind_address, c->bind_port, gai_strerror(err)); TRACE(("Error resolving bind: %s", gai_strerror(err))) close(c->sock); c->sock = -1; continue; } res = bind(c->sock, bindaddr->ai_addr, bindaddr->ai_addrlen); freeaddrinfo(bindaddr); bindaddr = NULL; if (res < 0) { /* failure */ int keep_errno = errno; int len = 300; m_free(c->errstring); c->errstring = m_malloc(len); snprintf(c->errstring, len, "Error binding local address '%s' (port %s). %s", c->bind_address, c->bind_port, strerror(keep_errno)); close(c->sock); c->sock = -1; continue; } } ses.maxfd = MAX(ses.maxfd, c->sock); set_sock_nodelay(c->sock); set_sock_priority(c->sock, c->prio); setnonblocking(c->sock); #if DROPBEAR_CLIENT_TCP_FAST_OPEN fastopen = (c->writequeue != NULL); if (fastopen) { memset(&message, 0x0, sizeof(message)); message.msg_name = r->ai_addr; message.msg_namelen = r->ai_addrlen; /* 6 is arbitrary, enough to hold initial packets */ unsigned int iovlen = 6; /* Linux msg_iovlen is a size_t */ struct iovec iov[6]; packet_queue_to_iovec(c->writequeue, iov, &iovlen); message.msg_iov = iov; message.msg_iovlen = iovlen; res = sendmsg(c->sock, &message, MSG_FASTOPEN); /* Returns EINPROGRESS if FASTOPEN wasn't available */ if (res < 0) { if (errno != EINPROGRESS) { m_free(c->errstring); c->errstring = m_strdup(strerror(errno)); /* Not entirely sure which kind of errors are normal - 2.6.32 seems to return EPIPE for any (nonblocking?) sendmsg(). just fall back */ TRACE(("sendmsg tcp_fastopen failed, falling back. %s", strerror(errno))); /* No kernel MSG_FASTOPEN support. Fall back below */ fastopen = 0; /* Set to NULL to avoid trying again */ c->writequeue = NULL; } } else { packet_queue_consume(c->writequeue, res); } } #endif /* Normal connect(), used as fallback for TCP fastopen too */ if (!fastopen) { res = connect(c->sock, r->ai_addr, r->ai_addrlen); } if (res < 0 && errno != EINPROGRESS) { /* failure */ m_free(c->errstring); c->errstring = m_strdup(strerror(errno)); close(c->sock); c->sock = -1; continue; } else { /* new connection was successful, wait for it to complete */ break; } } if (r) { c->res_iter = r->ai_next; } else { c->res_iter = NULL; } } /* Connect via TCP to a host. */ struct dropbear_progress_connection *connect_remote(const char* remotehost, const char* remoteport, connect_callback cb, void* cb_data, const char* bind_address, const char* bind_port, enum dropbear_prio prio) { struct dropbear_progress_connection *c = NULL; int err; struct addrinfo hints; c = m_malloc(sizeof(*c)); c->remotehost = m_strdup(remotehost); c->remoteport = m_strdup(remoteport); c->sock = -1; c->cb = cb; c->cb_data = cb_data; c->prio = prio; list_append(&ses.conn_pending, c); #if DROPBEAR_FUZZ if (fuzz.fuzzing) { c->errstring = m_strdup("fuzzing connect_remote always fails"); return c; } #endif memset(&hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; hints.ai_family = AF_UNSPEC; err = getaddrinfo(remotehost, remoteport, &hints, &c->res); if (err) { int len; len = 100 + strlen(gai_strerror(err)); c->errstring = (char*)m_malloc(len); snprintf(c->errstring, len, "Error resolving '%s' port '%s'. %s", remotehost, remoteport, gai_strerror(err)); TRACE(("Error resolving: %s", gai_strerror(err))) } else { c->res_iter = c->res; } if (bind_address) { c->bind_address = m_strdup(bind_address); } if (bind_port) { c->bind_port = m_strdup(bind_port); } return c; } void remove_connect_pending() { while (ses.conn_pending.first) { struct dropbear_progress_connection *c = ses.conn_pending.first->item; remove_connect(c, ses.conn_pending.first); } } void set_connect_fds(fd_set *writefd) { m_list_elem *iter; iter = ses.conn_pending.first; while (iter) { m_list_elem *next_iter = iter->next; struct dropbear_progress_connection *c = iter->item; /* Set one going */ while (c->res_iter && c->sock < 0) { connect_try_next(c); } if (c->sock >= 0) { FD_SET(c->sock, writefd); } else { /* Final failure */ if (!c->errstring) { c->errstring = m_strdup("unexpected failure"); } c->cb(DROPBEAR_FAILURE, -1, c->cb_data, c->errstring); remove_connect(c, iter); } iter = next_iter; } } void handle_connect_fds(const fd_set *writefd) { m_list_elem *iter; for (iter = ses.conn_pending.first; iter; iter = iter->next) { int val; socklen_t vallen = sizeof(val); struct dropbear_progress_connection *c = iter->item; if (c->sock < 0 || !FD_ISSET(c->sock, writefd)) { continue; } TRACE(("handling %s port %s socket %d", c->remotehost, c->remoteport, c->sock)); if (getsockopt(c->sock, SOL_SOCKET, SO_ERROR, &val, &vallen) != 0) { TRACE(("handle_connect_fds getsockopt(%d) SO_ERROR failed: %s", c->sock, strerror(errno))) /* This isn't expected to happen - Unix has surprises though, continue gracefully. */ m_close(c->sock); c->sock = -1; } else if (val != 0) { /* Connect failed */ TRACE(("connect to %s port %s failed.", c->remotehost, c->remoteport)) m_close(c->sock); c->sock = -1; m_free(c->errstring); c->errstring = m_strdup(strerror(val)); } else { /* New connection has been established */ c->cb(DROPBEAR_SUCCESS, c->sock, c->cb_data, NULL); remove_connect(c, iter); TRACE(("leave handle_connect_fds - success")) /* Must return here - remove_connect() invalidates iter */ return; } } } void connect_set_writequeue(struct dropbear_progress_connection *c, struct Queue *writequeue) { c->writequeue = writequeue; } void packet_queue_to_iovec(const struct Queue *queue, struct iovec *iov, unsigned int *iov_count) { struct Link *l; unsigned int i; int len; buffer *writebuf; #ifndef IOV_MAX #if defined(__CYGWIN__) && !defined(UIO_MAXIOV) #define IOV_MAX 1024 #elif defined(__sgi) #define IOV_MAX 512 #else #define IOV_MAX UIO_MAXIOV #endif #endif *iov_count = MIN(MIN(queue->count, IOV_MAX), *iov_count); for (l = queue->head, i = 0; i < *iov_count; l = l->link, i++) { writebuf = (buffer*)l->item; len = writebuf->len - writebuf->pos; dropbear_assert(len > 0); TRACE2(("write_packet writev #%d len %d/%d", i, len, writebuf->len)) iov[i].iov_base = buf_getptr(writebuf, len); iov[i].iov_len = len; } } void packet_queue_consume(struct Queue *queue, ssize_t written) { buffer *writebuf; int len; while (written > 0) { writebuf = (buffer*)examine(queue); len = writebuf->len - writebuf->pos; if (len > written) { /* partial buffer write */ buf_incrpos(writebuf, written); written = 0; } else { written -= len; dequeue(queue); buf_free(writebuf); } } } void set_sock_nodelay(int sock) { int val; /* disable nagle */ val = 1; setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); } #if DROPBEAR_SERVER_TCP_FAST_OPEN void set_listen_fast_open(int sock) { int qlen = MAX(MAX_UNAUTH_PER_IP, 5); if (setsockopt(sock, SOL_TCP, TCP_FASTOPEN, &qlen, sizeof(qlen)) != 0) { TRACE(("set_listen_fast_open failed for socket %d: %s", sock, strerror(errno))) } } #endif void set_sock_priority(int sock, enum dropbear_prio prio) { int rc; int val; #if DROPBEAR_FUZZ if (fuzz.fuzzing) { TRACE(("fuzzing skips set_sock_prio")) return; } #endif /* Don't log ENOTSOCK errors so that this can harmlessly be called * on a client '-J' proxy pipe */ #ifdef IP_TOS /* Set the DSCP field for outbound IP packet priority. rfc4594 has some guidance to meanings. We set AF21 as "Low-Latency" class for interactive (tty session, also handshake/setup packets). Other traffic is left at the default. OpenSSH at present uses AF21/CS1, rationale https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284 Old Dropbear/OpenSSH and Debian/Ubuntu OpenSSH (at Jan 2022) use IPTOS_LOWDELAY/IPTOS_THROUGHPUT DSCP constants are from Linux headers, applicable to other platforms such as macos. */ if (prio == DROPBEAR_PRIO_LOWDELAY) { val = 0x48; /* IPTOS_DSCP_AF21 */ } else { val = 0; /* default */ } #if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&val, sizeof(val)); if (rc < 0 && errno != ENOTSOCK) { TRACE(("Couldn't set IPV6_TCLASS (%s)", strerror(errno))); } #endif rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&val, sizeof(val)); if (rc < 0 && errno != ENOTSOCK) { TRACE(("Couldn't set IP_TOS (%s)", strerror(errno))); } #endif /* IP_TOS */ #ifdef HAVE_LINUX_PKT_SCHED_H /* Set scheduling priority within the local Linux network stack */ if (prio == DROPBEAR_PRIO_LOWDELAY) { val = TC_PRIO_INTERACTIVE; } else { val = 0; } /* linux specific, sets QoS class. see tc-prio(8) */ rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &val, sizeof(val)); if (rc < 0 && errno != ENOTSOCK) { TRACE(("Couldn't set SO_PRIORITY (%s)", strerror(errno))) } #endif } /* from openssh/canohost.c avoid premature-optimization */ int get_sock_port(int sock) { struct sockaddr_storage from; socklen_t fromlen; char strport[NI_MAXSERV]; int r; /* Get IP address of client. */ fromlen = sizeof(from); memset(&from, 0, sizeof(from)); if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { TRACE(("getsockname failed: %d", errno)) return 0; } /* Work around Linux IPv6 weirdness */ if (from.ss_family == AF_INET6) fromlen = sizeof(struct sockaddr_in6); /* Non-inet sockets don't have a port number. */ if (from.ss_family != AF_INET && from.ss_family != AF_INET6) return 0; /* Return port number. */ if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0, strport, sizeof(strport), NI_NUMERICSERV)) != 0) { TRACE(("netio.c/get_sock_port/getnameinfo NI_NUMERICSERV failed: %d", r)) } return atoi(strport); } /* Listen on address:port. * Special cases are address of "" listening on everything, * and address of NULL listening on localhost only. * Returns the number of sockets bound on success, or -1 on failure. On * failure, if errstring wasn't NULL, it'll be a newly malloced error * string.*/ int dropbear_listen(const char* address, const char* port, int *socks, unsigned int sockcount, char **errstring, int *maxfd) { struct addrinfo hints, *res = NULL, *res0 = NULL; int err; unsigned int nsock; struct linger linger; int val; int sock; uint16_t *allocated_lport_p = NULL; int allocated_lport = 0; TRACE(("enter dropbear_listen")) #if DROPBEAR_FUZZ if (fuzz.fuzzing) { return fuzz_dropbear_listen(address, port, socks, sockcount, errstring, maxfd); } #endif memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; /* TODO: let them flag v4 only etc */ hints.ai_socktype = SOCK_STREAM; /* for calling getaddrinfo: address == NULL and !AI_PASSIVE: local loopback address == NULL and AI_PASSIVE: all interfaces address != NULL: whatever the address says */ if (!address) { TRACE(("dropbear_listen: local loopback")) } else { if (address[0] == '\0') { TRACE(("dropbear_listen: all interfaces")) address = NULL; } hints.ai_flags = AI_PASSIVE; } err = getaddrinfo(address, port, &hints, &res0); if (err) { if (errstring != NULL && *errstring == NULL) { int len; len = 20 + strlen(gai_strerror(err)); *errstring = (char*)m_malloc(len); snprintf(*errstring, len, "Error resolving: %s", gai_strerror(err)); } if (res0) { freeaddrinfo(res0); res0 = NULL; } TRACE(("leave dropbear_listen: failed resolving")) return -1; } /* When listening on server-assigned-port 0 * the assigned ports may differ for address families (v4/v6) * causing problems for tcpip-forward. * Caller can do a get_socket_address to discover assigned-port * hence, use same port for all address families */ allocated_lport = 0; nsock = 0; for (res = res0; res != NULL && nsock < sockcount; res = res->ai_next) { if (allocated_lport > 0) { if (AF_INET == res->ai_family) { allocated_lport_p = &((struct sockaddr_in *)res->ai_addr)->sin_port; } else if (AF_INET6 == res->ai_family) { allocated_lport_p = &((struct sockaddr_in6 *)res->ai_addr)->sin6_port; } *allocated_lport_p = htons(allocated_lport); } /* Get a socket */ socks[nsock] = socket(res->ai_family, res->ai_socktype, res->ai_protocol); sock = socks[nsock]; /* For clarity */ if (sock < 0) { err = errno; TRACE(("socket() failed")) continue; } /* Various useful socket options */ val = 1; /* set to reuse, quick timeout */ setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void*) &val, sizeof(val)); linger.l_onoff = 1; linger.l_linger = 5; setsockopt(sock, SOL_SOCKET, SO_LINGER, (void*)&linger, sizeof(linger)); #if defined(IPPROTO_IPV6) && defined(IPV6_V6ONLY) if (res->ai_family == AF_INET6) { int on = 1; if (setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) == -1) { dropbear_log(LOG_WARNING, "Couldn't set IPV6_V6ONLY"); } } #endif set_sock_nodelay(sock); if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { err = errno; close(sock); TRACE(("bind(%s) failed", port)) continue; } if (listen(sock, DROPBEAR_LISTEN_BACKLOG) < 0) { err = errno; close(sock); TRACE(("listen() failed")) continue; } if (0 == allocated_lport) { allocated_lport = get_sock_port(sock); } *maxfd = MAX(*maxfd, sock); nsock++; } if (res0) { freeaddrinfo(res0); res0 = NULL; } if (nsock == 0) { if (errstring != NULL && *errstring == NULL) { int len; len = 20 + strlen(strerror(err)); *errstring = (char*)m_malloc(len); snprintf(*errstring, len, "Error listening: %s", strerror(err)); } TRACE(("leave dropbear_listen: failure, %s", strerror(err))) return -1; } TRACE(("leave dropbear_listen: success, %d socks bound", nsock)) return nsock; } void get_socket_address(int fd, char **local_host, char **local_port, char **remote_host, char **remote_port, int host_lookup) { struct sockaddr_storage addr; socklen_t addrlen; #if DROPBEAR_FUZZ if (fuzz.fuzzing) { fuzz_get_socket_address(fd, local_host, local_port, remote_host, remote_port, host_lookup); return; } #endif if (local_host || local_port) { addrlen = sizeof(addr); if (getsockname(fd, (struct sockaddr*)&addr, &addrlen) < 0) { dropbear_exit("Failed socket address: %s", strerror(errno)); } getaddrstring(&addr, local_host, local_port, host_lookup); } if (remote_host || remote_port) { addrlen = sizeof(addr); if (getpeername(fd, (struct sockaddr*)&addr, &addrlen) < 0) { dropbear_exit("Failed socket address: %s", strerror(errno)); } getaddrstring(&addr, remote_host, remote_port, host_lookup); } } /* Return a string representation of the socket address passed. The return * value is allocated with malloc() */ void getaddrstring(struct sockaddr_storage* addr, char **ret_host, char **ret_port, int host_lookup) { char host[NI_MAXHOST+1], serv[NI_MAXSERV+1]; unsigned int len; int ret; int flags = NI_NUMERICSERV | NI_NUMERICHOST; #if !DO_HOST_LOOKUP host_lookup = 0; #endif if (host_lookup) { flags = NI_NUMERICSERV; } len = sizeof(struct sockaddr_storage); /* Some platforms such as Solaris 8 require that len is the length * of the specific structure. Some older linux systems (glibc 2.1.3 * such as debian potato) have sockaddr_storage.__ss_family instead * but we'll ignore them */ #ifdef HAVE_STRUCT_SOCKADDR_STORAGE_SS_FAMILY if (addr->ss_family == AF_INET) { len = sizeof(struct sockaddr_in); } #ifdef AF_INET6 if (addr->ss_family == AF_INET6) { len = sizeof(struct sockaddr_in6); } #endif #endif ret = getnameinfo((struct sockaddr*)addr, len, host, sizeof(host)-1, serv, sizeof(serv)-1, flags); if (ret != 0) { if (host_lookup) { /* On some systems (Darwin does it) we get EINTR from getnameinfo * somehow. Eew. So we'll just return the IP, since that doesn't seem * to exhibit that behaviour. */ getaddrstring(addr, ret_host, ret_port, 0); return; } else { /* if we can't do a numeric lookup, something's gone terribly wrong */ dropbear_exit("Failed lookup: %s", gai_strerror(ret)); } } if (ret_host) { *ret_host = m_strdup(host); } if (ret_port) { *ret_port = m_strdup(serv); } }