Recover if the client or relay server closes the TLS connection uncleanly.

The other end of the connection should perform a proper TLS shutdown but as long as we are in the correct state there is no need to treat this as a user-visible error.
2021-04-26 17:05:34 -06:00
parent 66c6edada2
commit 67029f3cc4
2 changed files with 29 additions and 9 deletions
--- a/logsrvd/logsrvd.c
+++ b/logsrvd/logsrvd.c
@@ -122,6 +122,8 @@ connection_closure_free(struct connection_closure *closure)
 #if defined(HAVE_OPENSSL)
 	sudo_ev_free(closure->ssl_accept_ev);
 	if (closure->ssl != NULL) {
+	    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+		"closing down TLS connection from %s", closure->ipaddr);
 	    SSL_shutdown(closure->ssl);
 	    SSL_free(closure->ssl);
 	}
@@ -1268,10 +1270,17 @@ client_msg_cb(int fd, int what, void *v)
 		    closure->read_instead_of_write = true;
                    debug_return;
 		case SSL_ERROR_SYSCALL:
+		    if (nread == 0) {
+			/* EOF, handled below */
+			sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+			    "EOF from %s without proper TLS shutdown",
+			    closure->ipaddr);
+			break;
+		    }
 		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-			"unexpected error during SSL_read(): %d (%s)",
-			err, strerror(errno));
-		    goto close_connection;
+			"SSL_read from %s: %s", closure->ipaddr,
+			strerror(errno));
+                    goto close_connection;
                default:
                    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
                        "unexpected error during SSL_read(): %d (%s)",
--- a/logsrvd/logsrvd_relay.c
+++ b/logsrvd/logsrvd_relay.c
@@ -77,18 +77,21 @@ relay_closure_free(struct relay_closure *relay_closure)
    struct connection_buffer *buf;
    debug_decl(relay_closure_free, SUDO_DEBUG_UTIL);

+#if defined(HAVE_OPENSSL)
+    if (relay_closure->tls_client.ssl != NULL) {
+	sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+	    "closing down TLS connection to %s",
+	    relay_closure->relay_name.name);
+	SSL_shutdown(relay_closure->tls_client.ssl);
+	SSL_free(relay_closure->tls_client.ssl);
+    }
+#endif
    if (relay_closure->relays != NULL)
 	address_list_delref(relay_closure->relays);
    sudo_rcstr_delref(relay_closure->relay_name.name);
    sudo_ev_free(relay_closure->read_ev);
    sudo_ev_free(relay_closure->write_ev);
    sudo_ev_free(relay_closure->connect_ev);
-#if defined(HAVE_OPENSSL)
-    if (relay_closure->tls_client.ssl != NULL) {
-	SSL_shutdown(relay_closure->tls_client.ssl);
-	SSL_free(relay_closure->tls_client.ssl);
-    }
-#endif
    free(relay_closure->read_buf.data);
    while ((buf = TAILQ_FIRST(&relay_closure->write_bufs)) != NULL) {
 	TAILQ_REMOVE(&relay_closure->write_bufs, buf, entries);
@@ -752,6 +755,14 @@ relay_server_msg_cb(int fd, int what, void *v)
 			relay_closure->relay_name.ipaddr, errstr);
                    goto close_connection;
                case SSL_ERROR_SYSCALL:
+		    if (nread == 0) {
+			/* EOF, handled below */
+			sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+			    "EOF from %s (%s) without proper TLS shutdown",
+			    relay_closure->relay_name.name,
+			    relay_closure->relay_name.ipaddr);
+			break;
+		    }
                    errstr = strerror(errno);
 		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 			"SSL_read from %s (%s): %s",