Don't hard-code the TLS connect timeout, use normal connect timeout.
For sudo_logsrvd, this is the relay connect_timeout setting. For sudoers, this is the log_server_timeout setting.
@@ -285,6 +285,7 @@ connect_relay_tls(struct connection_closure *closure)
|
|||||||
if (tls_client->tls_connect_ev == NULL)
|
if (tls_client->tls_connect_ev == NULL)
|
||||||
goto bad;
|
goto bad;
|
||||||
tls_client->peer_name = &closure->relay_closure->relay_name;
|
tls_client->peer_name = &closure->relay_closure->relay_name;
|
||||||
|
tls_client->connect_timeout = *logsrvd_conf_relay_connect_timeout();
|
||||||
tls_client->start_fn = tls_client_start_fn;
|
tls_client->start_fn = tls_client_start_fn;
|
||||||
if (!tls_ctx_client_setup(ssl_ctx, closure->relay_closure->sock, tls_client))
|
if (!tls_ctx_client_setup(ssl_ctx, closure->relay_closure->sock, tls_client))
|
||||||
goto bad;
|
goto bad;
|
||||||
|
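Review bot: The value copied into `tls_client->connect_timeout` here now also bounds the TLS handshake, because tls_connect_cb in tls_client.c (hunk `@@ -104,7 +102,7 @@`) passes `&tls_client->connect_timeout` to sudo_ev_add where a fixed 10 s used to be; so whatever the relay `connect_timeout` setting permits — including a zero or very large value, if the config parser accepts one — now governs how long a stalled or deliberately slow relay can hold the half-established connection, and sudo_ev_add's treatment of a zero timespec should be confirmed. The same consideration applies to the sudoers tls_connect_cb hunk (`@@ -288,7 +289,7 @@`), where `closure->timeout` ultimately points at `log_details->server_timeout`. A one-line comment on the added line, `/* The relay connect timeout also bounds the TLS handshake. */`, would make that coupling visible to whoever next tunes the setting. connect_relay_tls begins and ends outside this hunk.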
@@ -1441,6 +1441,7 @@ client_closure_alloc(int sock, struct sudo_event_base *base,
|
|||||||
closure->tls_client.evbase = base;
|
closure->tls_client.evbase = base;
|
||||||
closure->tls_client.parent_closure = closure;
|
closure->tls_client.parent_closure = closure;
|
||||||
closure->tls_client.peer_name = &server_info;
|
closure->tls_client.peer_name = &server_info;
|
||||||
|
closure->tls_client.connect_timeout.tv_sec = TLS_HANDSHAKE_TIMEO_SEC;
|
||||||
closure->tls_client.start_fn = tls_start_fn;
|
closure->tls_client.start_fn = tls_start_fn;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
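Review bot: `closure->tls_client.connect_timeout.tv_sec = TLS_HANDSHAKE_TIMEO_SEC;` initializes only the seconds field, which is correct only if `closure` was zero-filled on allocation so that `tv_nsec` is already 0; otherwise tls_connect_cb hands sudo_ev_add a timespec with an indeterminate nanosecond part. Assigning the whole struct, `closure->tls_client.connect_timeout = (struct timespec){ TLS_HANDSHAKE_TIMEO_SEC, 0 };`, removes that dependency on the allocator. Note also that this commit deletes `#define TLS_HANDSHAKE_TIMEO_SEC 10` from tls_client.c (hunk `@@ -50,8 +50,6 @@`), so this translation unit presumably obtains the macro from its own header — worth confirming, as the hunk does not show where it comes from. client_closure_alloc begins outside this hunk.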
@@ -50,8 +50,6 @@
|
|||||||
#include "logsrv_util.h"
|
#include "logsrv_util.h"
|
||||||
#include "tls_common.h"
|
#include "tls_common.h"
|
||||||
|
|
||||||
#define TLS_HANDSHAKE_TIMEO_SEC 10
|
|
||||||
|
|
||||||
#if defined(HAVE_OPENSSL)
|
#if defined(HAVE_OPENSSL)
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -104,7 +102,7 @@ tls_connect_cb(int sock, int what, void *v)
|
|||||||
{
|
{
|
||||||
struct tls_client_closure *tls_client = v;
|
struct tls_client_closure *tls_client = v;
|
||||||
struct sudo_event_base *evbase = tls_client->evbase;
|
struct sudo_event_base *evbase = tls_client->evbase;
|
||||||
struct timespec timeo = { TLS_HANDSHAKE_TIMEO_SEC, 0 };
|
const struct timespec *timeout = &tls_client->connect_timeout;
|
||||||
const char *errstr;
|
const char *errstr;
|
||||||
int con_stat;
|
int con_stat;
|
||||||
debug_decl(tls_connect_cb, SUDO_DEBUG_UTIL);
|
debug_decl(tls_connect_cb, SUDO_DEBUG_UTIL);
|
||||||
@@ -134,7 +132,7 @@ tls_connect_cb(int sock, int what, void *v)
|
|||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (sudo_ev_add(evbase, tls_client->tls_connect_ev, &timeo, false) == -1) {
|
if (sudo_ev_add(evbase, tls_client->tls_connect_ev, timeout, false) == -1) {
|
||||||
sudo_warnx("%s", U_("unable to add event to queue"));
|
sudo_warnx("%s", U_("unable to add event to queue"));
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
@@ -150,7 +148,7 @@ tls_connect_cb(int sock, int what, void *v)
|
|||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (sudo_ev_add(evbase, tls_client->tls_connect_ev, &timeo, false) == -1) {
|
if (sudo_ev_add(evbase, tls_client->tls_connect_ev, timeout, false) == -1) {
|
||||||
sudo_warnx("%s", U_("unable to add event to queue"));
|
sudo_warnx("%s", U_("unable to add event to queue"));
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
|
@@ -30,6 +30,7 @@ struct tls_client_closure {
|
|||||||
struct sudo_event_base *evbase; /* duplicated */
|
struct sudo_event_base *evbase; /* duplicated */
|
||||||
struct sudo_event *tls_connect_ev;
|
struct sudo_event *tls_connect_ev;
|
||||||
struct peer_info *peer_name;
|
struct peer_info *peer_name;
|
||||||
|
struct timespec connect_timeout;
|
||||||
bool (*start_fn)(struct tls_client_closure *);
|
bool (*start_fn)(struct tls_client_closure *);
|
||||||
bool tls_connect_state;
|
bool tls_connect_state;
|
||||||
};
|
};
|
||||||
|
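Review bot: The new `connect_timeout` member is added to `struct tls_client_closure` without a comment on who is responsible for filling it in, although neighbouring fields such as `evbase` carry one (`/* duplicated */`); tls_client.c appears only to read it via `&tls_client->connect_timeout`, so a comment like `/* handshake timeout; the owner sets it before calling start_fn */` would record the contract that callers must satisfy. The `const struct timespec *timeout` added to `struct tls_connect_closure` in the sudoers hunk (`@@ -280,6 +280,7 @@`) has the same gap and, being a pointer, its comment should also state that the pointee must outlive the closure (it currently refers to `log_details->server_timeout`). Embedding `struct timespec` by value in this header also requires the declaring header to be included before tls_client.h, which the hunk does not show.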
@@ -89,7 +89,7 @@ connect_cb(int sock, int what, void *v)
|
|||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
timed_connect(int sock, const struct sockaddr *addr, socklen_t addrlen,
|
timed_connect(int sock, const struct sockaddr *addr, socklen_t addrlen,
|
||||||
const struct timespec *timo)
|
const struct timespec *timeout)
|
||||||
{
|
{
|
||||||
struct sudo_event_base *evbase = NULL;
|
struct sudo_event_base *evbase = NULL;
|
||||||
struct sudo_event *connect_event = NULL;
|
struct sudo_event *connect_event = NULL;
|
||||||
@@ -105,7 +105,7 @@ timed_connect(int sock, const struct sockaddr *addr, socklen_t addrlen,
|
|||||||
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
if (sudo_ev_add(evbase, connect_event, timo, false) == -1) {
|
if (sudo_ev_add(evbase, connect_event, timeout, false) == -1) {
|
||||||
sudo_warnx("%s", U_("unable to add event to queue"));
|
sudo_warnx("%s", U_("unable to add event to queue"));
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@@ -280,6 +280,7 @@ struct tls_connect_closure {
|
|||||||
SSL *ssl;
|
SSL *ssl;
|
||||||
const char *host;
|
const char *host;
|
||||||
const char *port;
|
const char *port;
|
||||||
|
const struct timespec *timeout;
|
||||||
struct sudo_event_base *evbase;
|
struct sudo_event_base *evbase;
|
||||||
struct sudo_event *tls_connect_ev;
|
struct sudo_event *tls_connect_ev;
|
||||||
};
|
};
|
||||||
@@ -288,7 +289,7 @@ static void
|
|||||||
tls_connect_cb(int sock, int what, void *v)
|
tls_connect_cb(int sock, int what, void *v)
|
||||||
{
|
{
|
||||||
struct tls_connect_closure *closure = v;
|
struct tls_connect_closure *closure = v;
|
||||||
struct timespec timeo = { 10, 0 };
|
const struct timespec *timeout = closure->timeout;
|
||||||
int tls_con;
|
int tls_con;
|
||||||
debug_decl(tls_connect_cb, SUDOERS_DEBUG_UTIL);
|
debug_decl(tls_connect_cb, SUDOERS_DEBUG_UTIL);
|
||||||
|
|
||||||
@@ -320,7 +321,7 @@ tls_connect_cb(int sock, int what, void *v)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (sudo_ev_add(closure->evbase, closure->tls_connect_ev,
|
if (sudo_ev_add(closure->evbase, closure->tls_connect_ev,
|
||||||
&timeo, false) == -1) {
|
timeout, false) == -1) {
|
||||||
sudo_warnx("%s", U_("unable to add event to queue"));
|
sudo_warnx("%s", U_("unable to add event to queue"));
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
@@ -336,7 +337,7 @@ tls_connect_cb(int sock, int what, void *v)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (sudo_ev_add(closure->evbase, closure->tls_connect_ev,
|
if (sudo_ev_add(closure->evbase, closure->tls_connect_ev,
|
||||||
&timeo, false) == -1) {
|
timeout, false) == -1) {
|
||||||
sudo_warnx("%s", U_("unable to add event to queue"));
|
sudo_warnx("%s", U_("unable to add event to queue"));
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
@@ -364,7 +365,7 @@ bad:
|
|||||||
|
|
||||||
static bool
|
static bool
|
||||||
tls_timed_connect(SSL *ssl, const char *host, const char *port,
|
tls_timed_connect(SSL *ssl, const char *host, const char *port,
|
||||||
const struct timespec *timo)
|
const struct timespec *timeout)
|
||||||
{
|
{
|
||||||
struct tls_connect_closure closure;
|
struct tls_connect_closure closure;
|
||||||
debug_decl(tls_timed_connect, SUDOERS_DEBUG_UTIL);
|
debug_decl(tls_timed_connect, SUDOERS_DEBUG_UTIL);
|
||||||
@@ -373,6 +374,7 @@ tls_timed_connect(SSL *ssl, const char *host, const char *port,
|
|||||||
closure.ssl = ssl;
|
closure.ssl = ssl;
|
||||||
closure.host = host;
|
closure.host = host;
|
||||||
closure.port = port;
|
closure.port = port;
|
||||||
|
closure.timeout = timeout;
|
||||||
closure.evbase = sudo_ev_base_alloc();
|
closure.evbase = sudo_ev_base_alloc();
|
||||||
closure.tls_connect_ev = sudo_ev_alloc(SSL_get_fd(ssl),
|
closure.tls_connect_ev = sudo_ev_alloc(SSL_get_fd(ssl),
|
||||||
SUDO_PLUGIN_EV_WRITE, tls_connect_cb, &closure);
|
SUDO_PLUGIN_EV_WRITE, tls_connect_cb, &closure);
|
||||||
@@ -382,7 +384,7 @@ tls_timed_connect(SSL *ssl, const char *host, const char *port,
|
|||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sudo_ev_add(closure.evbase, closure.tls_connect_ev, timo, false) == -1) {
|
if (sudo_ev_add(closure.evbase, closure.tls_connect_ev, timeout, false) == -1) {
|
||||||
sudo_warnx("%s", U_("unable to add event to queue"));
|
sudo_warnx("%s", U_("unable to add event to queue"));
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
@@ -410,7 +412,7 @@ static int
|
|||||||
connect_server(const char *host, const char *port, bool tls,
|
connect_server(const char *host, const char *port, bool tls,
|
||||||
struct client_closure *closure, const char **reason)
|
struct client_closure *closure, const char **reason)
|
||||||
{
|
{
|
||||||
const struct timespec *timo = &closure->log_details->server_timeout;
|
const struct timespec *timeout = &closure->log_details->server_timeout;
|
||||||
struct addrinfo hints, *res, *res0;
|
struct addrinfo hints, *res, *res0;
|
||||||
const char *addr, *cause = NULL;
|
const char *addr, *cause = NULL;
|
||||||
int error, sock = -1;
|
int error, sock = -1;
|
||||||
@@ -471,7 +473,7 @@ connect_server(const char *host, const char *port, bool tls,
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (timed_connect(sock, res->ai_addr, res->ai_addrlen, timo) == -1) {
|
if (timed_connect(sock, res->ai_addr, res->ai_addrlen, timeout) == -1) {
|
||||||
/* No need to set cause, caller's error message is sufficient. */
|
/* No need to set cause, caller's error message is sufficient. */
|
||||||
save_errno = errno;
|
save_errno = errno;
|
||||||
close(sock);
|
close(sock);
|
||||||
@@ -524,7 +526,7 @@ connect_server(const char *host, const char *port, bool tls,
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
/* Perform TLS handshake. */
|
/* Perform TLS handshake. */
|
||||||
if (!tls_timed_connect(closure->ssl, host, port, timo)) {
|
if (!tls_timed_connect(closure->ssl, host, port, timeout)) {
|
||||||
cause = U_("TLS handshake was unsuccessful");
|
cause = U_("TLS handshake was unsuccessful");
|
||||||
save_errno = errno;
|
save_errno = errno;
|
||||||
close(sock);
|
close(sock);
|
||||||
|