RFC 8305 Happy Eyeballs in OpenSSH

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hello,

I use hosts that are dual stack configured (IPv4 and IPv6) and it
happens that connectivity through one or the other is broken and
timeouts. In these case connection to the SSH server can take quite some
time as ssh waits for the first address to timeout before trying the
next.

So I gave a stab at implementing RFC 8305. This patch implements part of
it in sshconnect.c.

* It does not do section 3 (initiation of asynchronous DNS queries, a
  SHOULD).
* It does not do section 4 (sorting of resolved destination
  addresses). That means it does not do the RFC 6724 address sort
  which is a MUST.  The order is still the one from getaddrinfo(3).
* It implements section 5 (initiation of asynchronous connection
  attempts). It paces the connection attempts 250 milliseconds appart
  as recommended. Once a connection attempt succeeds it cancels all
  other initiated connections and ignores addresses not yet used.
* It does not implement RFC 8305 for channels.c, that is port
  forwardings do not use it.

Comments are welcome.

Kim Minh.

===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshconnect.c,v
retrieving revision 1.296
diff -u -r1.296 sshconnect.c
--- sshconnect.c	23 Feb 2018 04:18:46 -0000	1.296
+++ sshconnect.c	23 Feb 2018 12:26:56 -0000
@@ -453,39 +453,198 @@
 	return -1;
 }
 
+/*
+ * RFC 8305 Happy Eyeballs Version 2: Better Connectivity Using Concurrency
+ *
+ * implementation can have a fixed delay for how long to wait before
+ * starting the next connection attempt [...] recommended value for a
+ * default delay is 250 milliseconds.
+ */
+#define CONNECTION_ATTEMPT_DELAY 250
+
 static int
-timeout_connect(int sockfd, const struct sockaddr *serv_addr,
-    socklen_t addrlen, int *timeoutp)
+ssh_connect_timeout(struct timeval *tv, int timeout_ms)
 {
-	int optval = 0;
-	socklen_t optlen = sizeof(optval);
+	if (timeout_ms <= 0)
+		return 0;
+	ms_subtract_diff(tv, &timeout_ms);
+	return timeout_ms <= 0;
+}
 
-	/* No timeout: just do a blocking connect() */
-	if (*timeoutp <= 0)
-		return connect(sockfd, serv_addr, addrlen);
-
-	set_nonblock(sockfd);
-	if (connect(sockfd, serv_addr, addrlen) == 0) {
-		/* Succeeded already? */
-		unset_nonblock(sockfd);
+/*
+ * Return 0 if the addrinfo was not tried. Return -1 if using it
+ * failed. Return 1 if it was used.
+ */
+static int
+ssh_connect_happy_eyeballs_initiate(const char *host, struct addrinfo *ai,
+				    int *timeout_ms, int needpriv,
+				    struct timeval *initiate,
+				    int *nfds, fd_set *fds,
+				    struct addrinfo *fd_ai[])
+{
+	int oerrno, sock;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+
+	memset(ntop, 0, sizeof(ntop));
+	memset(strport, 0, sizeof(strport));
+	/* If *nfds != 0 then *initiate is initialised. */
+	if (*nfds &&
+	    (ai == NULL ||
+	      !ssh_connect_timeout(initiate, CONNECTION_ATTEMPT_DELAY)))
+		/* Do not initiate new connections yet */
 		return 0;
-	} else if (errno != EINPROGRESS)
+	if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) {
+		errno = EAFNOSUPPORT;
 		return -1;
-
-	if (waitrfd(sockfd, timeoutp) == -1)
+	}
+	if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
+			ntop, sizeof(ntop),
+			strport, sizeof(strport),
+			NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+		oerrno = errno;
+		error("%s: getnameinfo failed", __func__);
+		errno = oerrno;
 		return -1;
-
-	/* Completed or failed */
-	if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) {
-		debug("getsockopt: %s", strerror(errno));
+	}
+	debug("Connecting to %.200s [%.100s] port %s.",
+	      host, ntop, strport);
+	/* Create a socket for connecting */
+	sock = ssh_create_socket(needpriv, ai);
+	if (sock < 0) {
+		/* Any error is already output */
+		errno = 0;
+		return -1;
+	}
+	if (sock >= FD_SETSIZE) {
+		error("socket number to big for select: %d", sock);
+		close(sock);
 		return -1;
 	}
-	if (optval != 0) {
-		errno = optval;
+	fd_ai[sock] = ai;
+	set_nonblock(sock);
+	if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0 &&
+	    errno != EINPROGRESS) {
+		error("connect to address %s port %s: %s",
+		      ntop, strport, strerror(errno));
+		errno = 0;
+		close(sock);
 		return -1;
 	}
-	unset_nonblock(sockfd);
-	return 0;
+	monotime_tv(initiate);
+	FD_SET(sock, fds);
+	*nfds = MAXIMUM(*nfds, sock + 1);
+	return 1;
+}
+
+static int
+ssh_connect_happy_eyeballs_process(int *nfds, fd_set *fds,
+				   struct addrinfo *fd_ai[],
+				   int ready, fd_set *wfds)
+{
+	socklen_t optlen;
+	int sock, optval = 0;
+	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	for (sock = *nfds - 1; ready > 0 && sock >= 0; sock--) {
+		if (FD_ISSET(sock, wfds)) {
+			ready--;
+			optlen = sizeof(optval);
+			if (getsockopt(sock, SOL_SOCKET, SO_ERROR,
+				       &optval, &optlen) < 0) {
+				optval = errno;
+				error("getsockopt failed: %s",
+				      strerror(errno));
+			} else if (optval != 0) {
+				memset(ntop, 0, sizeof(ntop));
+				memset(strport, 0, sizeof(strport));
+				if (getnameinfo(fd_ai[sock]->ai_addr,
+						fd_ai[sock]->ai_addrlen,
+						ntop, sizeof(ntop),
+						strport, sizeof(strport),
+						NI_NUMERICHOST|NI_NUMERICSERV) != 0)
+					error("connect finally failed: %s",
+					      strerror(optval));
+				else
+					error("connect to address %s port %s finally: %s",
+					      ntop, strport, strerror(optval));
+			}
+			FD_CLR(sock, fds);
+			while (*nfds > 0 && ! FD_ISSET(*nfds - 1, fds))
+				--*nfds;
+			if (optval == 0) {
+				unset_nonblock(sock);
+				return sock;
+			}
+			close(sock);
+			errno = optval;
+		}
+	}
+	return -1;
+}
+
+static int
+ssh_connect_happy_eyeballs(const char * host, struct addrinfo *ai,
+			   struct sockaddr_storage *hostaddr, int *timeout_ms,
+			   int needpriv)
+{
+	struct addrinfo *fd_ai[FD_SETSIZE];
+	struct timeval initiate_tv, start_tv, select_tv, *tv;
+	fd_set fds, wfds;
+	int res, oerrno, diff, diff0, nfds = 0, sock = -1;
+	FD_ZERO(&fds);
+	if (*timeout_ms > 0)
+		monotime_tv(&start_tv);
+	while ((ai != NULL || nfds > 0) &&
+	       ! ssh_connect_timeout(&start_tv, *timeout_ms)) {
+		res = ssh_connect_happy_eyeballs_initiate(host, ai,
+							  timeout_ms, needpriv,
+							  &initiate_tv,
+							  &nfds, &fds, fd_ai);
+		if (res != 0)
+			ai = ai->ai_next;
+		if (res == -1)
+			continue;
+		tv = NULL;
+		if (ai != NULL || *timeout_ms > 0) {
+			tv = &select_tv;
+			if (ai != NULL) {
+				diff = CONNECTION_ATTEMPT_DELAY;
+				ms_subtract_diff(&initiate_tv, &diff);
+				if (*timeout_ms > 0) {
+					diff0 = *timeout_ms;
+					ms_subtract_diff(&start_tv, &diff0);
+					diff = MINIMUM(diff, diff0);
+				}
+			} else {
+				diff = *timeout_ms;
+				ms_subtract_diff(&start_tv, &diff);
+			}
+			ms_to_timeval(tv, diff);
+		}
+		wfds = fds;
+		res = select(nfds, NULL, &wfds, NULL, tv);
+		oerrno = errno;
+		if (res < 0) {
+			error("select failed: %s", strerror(errno));
+			errno = oerrno;
+			continue;
+		}
+		sock = ssh_connect_happy_eyeballs_process(&nfds, &fds, fd_ai,
+							  res, &wfds);
+		if (sock >= 0) {
+			memcpy(hostaddr, fd_ai[sock]->ai_addr,
+			       fd_ai[sock]->ai_addrlen);
+			break;
+		}
+	}
+	oerrno = errno;
+	while (nfds-- > 0)
+		if (FD_ISSET(nfds, &fds))
+			close(nfds);
+	if (ssh_connect_timeout(&start_tv, *timeout_ms))
+		errno = ETIMEDOUT;
+	else
+		errno = oerrno;
+	return sock;
 }
 
 /*
@@ -505,13 +664,9 @@
     int connection_attempts, int *timeout_ms, int want_keepalive, int needpriv)
 {
 	int on = 1;
-	int oerrno, sock = -1, attempt;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
-	struct addrinfo *ai;
+	int sock = -1, attempt;
 
 	debug2("%s: needpriv %d", __func__, needpriv);
-	memset(ntop, 0, sizeof(ntop));
-	memset(strport, 0, sizeof(strport));
 
 	for (attempt = 0; attempt < connection_attempts; attempt++) {
 		if (attempt > 0) {
@@ -519,57 +674,16 @@
 			sleep(1);
 			debug("Trying again...");
 		}
-		/*
-		 * Loop through addresses for this host, and try each one in
-		 * sequence until the connection succeeds.
-		 */
-		for (ai = aitop; ai; ai = ai->ai_next) {
-			if (ai->ai_family != AF_INET &&
-			    ai->ai_family != AF_INET6) {
-				errno = EAFNOSUPPORT;
-				continue;
-			}
-			if (getnameinfo(ai->ai_addr, ai->ai_addrlen,
-			    ntop, sizeof(ntop), strport, sizeof(strport),
-			    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-				oerrno = errno;
-				error("%s: getnameinfo failed", __func__);
-				errno = oerrno;
-				continue;
-			}
-			debug("Connecting to %.200s [%.100s] port %s.",
-				host, ntop, strport);
-
-			/* Create a socket for connecting. */
-			sock = ssh_create_socket(needpriv, ai);
-			if (sock < 0) {
-				/* Any error is already output */
-				errno = 0;
-				continue;
-			}
-
-			if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen,
-			    timeout_ms) >= 0) {
-				/* Successful connection. */
-				memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen);
-				break;
-			} else {
-				oerrno = errno;
-				debug("connect to address %s port %s: %s",
-				    ntop, strport, strerror(errno));
-				close(sock);
-				sock = -1;
-				errno = oerrno;
-			}
-		}
+		sock = ssh_connect_happy_eyeballs(host, aitop, hostaddr,
+						  timeout_ms, needpriv);
 		if (sock != -1)
 			break;	/* Successful connection. */
 	}
 
 	/* Return failure if we didn't get a successful connection. */
 	if (sock == -1) {
-		error("ssh: connect to host %s port %s: %s",
-		    host, strport, errno == 0 ? "failure" : strerror(errno));
+		error("ssh: connect to host %s port %hu: %s",
+		    host, port, errno == 0 ? "failure" : strerror(errno));
 		return -1;
 	}
 
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux