From f7e676abdc799fcee5138807447b5e91ab05508f Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 7 Dec 2020 12:53:54 +0000 Subject: Change -K semantics: timeout *during handshake*, not afterwards - the TLS tunnel itself should be transparent so it has no business shutting down the connection no matter how long the app takes - there's still an undetectable situation on some kernels where EOF doesn't get transmitted from the network, and the engine is in the handshake, and it can't do anything but wait forever. A timeout is useful here: dawg, your peer is never going to send any more data, you should just give up. - if the situation happens after the handshake, the *app* should have a timeout and die. The tunnel will follow suit. - libtls has a blocking tls_handshake() blackbox, we cannot give it a timeout. Too bad, use bearssl. --- src/sbearssl/sbearssl_run.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'src/sbearssl') diff --git a/src/sbearssl/sbearssl_run.c b/src/sbearssl/sbearssl_run.c index 6a350a9..e097698 100644 --- a/src/sbearssl/sbearssl_run.c +++ b/src/sbearssl/sbearssl_run.c @@ -29,7 +29,7 @@ void sbearssl_run (br_ssl_engine_context *ctx, int *fds, tain_t const *tto, uint for (;;) { - tain_t deadline ; + tain_t deadline = tain_infinite_relative ; unsigned int j = 0 ; unsigned int state = br_ssl_engine_current_state(ctx) ; int r ; @@ -76,9 +76,13 @@ void sbearssl_run (br_ssl_engine_context *ctx, int *fds, tain_t const *tto, uint } else xindex[3] = 4 ; - if ((xindex[0] == 4 && xindex[1] == 4 && xindex[3] == 4 && handshake_done) || !j) break ; + if (xindex[0] == 4 && xindex[1] == 4 && xindex[3] == 4) + { + if (!j || handshake_done) break ; + deadline = *tto ; + } - tain_add_g(&deadline, fds[0] >= 0 && fds[2] >= 0 && state & (BR_SSL_SENDAPP | BR_SSL_RECVREC) ? tto : &tain_infinite_relative) ; + tain_add_g(&deadline, &deadline) ; r = iopause_g(x, j, &deadline) ; if (r < 0) strerr_diefu1sys(111, "iopause") ; else if (!r) break ; -- cgit v1.2.3