From: Michael R Sweet
Date: Wed, 21 Feb 2018 01:18:05 +0000 (-0500)
Subject: Setting the timeout should also timeout the TLS negotiation
X-Git-Tag: v2.3b4~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7aabde8fee21c62795eba831fc2bc965c6e0149;p=thirdparty%2Fcups.git

Setting the timeout should also timeout the TLS negotiation (rdar://34938533)
---
diff --git a/cups/http.c b/cups/http.c
index 9af77c1c58..4d0a2a78e1 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -4027,7 +4027,7 @@ http_read(http_t *http, /* I - HTTP connection */
 DEBUG_printf(("http_read(http=%p, buffer=%p, length=" CUPS_LLFMT ")", (void *)http, (void *)buffer, CUPS_LLCAST length));
- if (!http->blocking)
+ if (!http->blocking || http->timeout_value > 0.0)
 {
 while (!httpWait(http, http->wait_value))
 {
@@ -4626,7 +4626,7 @@ http_write(http_t *http, /* I - HTTP connection */
 {
 DEBUG_printf(("3http_write: About to write %d bytes.", (int)length));
- if (http->timeout_cb)
+ if (http->timeout_value > 0.0)
 {
 #ifdef HAVE_POLL
 struct pollfd pfd; /* Polled file descriptor */
@@ -4670,7 +4670,7 @@ http_write(http_t *http, /* I - HTTP connection */
 http->error = errno;
 return (-1);
 }
- else if (nfds == 0 && !(*http->timeout_cb)(http, http->timeout_data))
+ else if (nfds == 0 && (!http->timeout_cb || !(*http->timeout_cb)(http, http->timeout_data)))
 {
 #ifdef WIN32
 http->error = WSAEWOULDBLOCK;
diff --git a/cups/tls-darwin.c b/cups/tls-darwin.c
index 9a9e0eb5f4..1192b86758 100644
--- a/cups/tls-darwin.c
+++ b/cups/tls-darwin.c
@@ -1,8 +1,8 @@
 /*
 * TLS support code for CUPS on macOS.
 *
- * Copyright 2007-2018 by Apple Inc.
- * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ * Copyright © 2007-2018 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 *
 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
 */
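Review bot: The changed `if` in http_read() now keys on `http->timeout_value`, yet the loop on the next line still waits on `http->wait_value`; whether httpSetTimeout() derives one from the other is not visible in this hunk, so a comment at the `if` would spare the next reader the cross-reference, e.g. `/* With a timeout set, a blocking socket is bounded here via httpWait(); wait_value is expected to track timeout_value (see httpSetTimeout()) */`. How http_read() reacts when httpWait() gives up — in particular whether a caller with no timeout callback ends up with ETIMEDOUT — is below the hunk, and http_read() itself starts and ends outside it.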
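Review bot: The condition on the changed line of the first http_write() hunk now opens the poll/select path for any positive timeout, callback or not, but the timeout argument handed to poll()/select() sits below the hunk and was previously only reached when a callback existed; it is worth confirming it is computed from the timeout value rather than relying on a callback to extend the wait. A one-line comment would record the new contract: `/* Bound each write by the caller's timeout, whether or not a timeout callback is installed */`. http_write() continues outside the hunk.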
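Review bot: With the changed `else if` in the second http_write() hunk, a wait that expires on a connection whose caller set a timeout but no callback now lands in the branch that reports `WSAEWOULDBLOCK` (the non-Windows assignment is below the hunk); a would-block errno misdescribes a timeout and may lead a caller to retry rather than give up. Reporting a timeout error in the no-callback case, e.g. `http->error = http->timeout_cb ? WSAEWOULDBLOCK : WSAETIMEDOUT;` with the matching `ETIMEDOUT` on the POSIX side, would be more accurate, provided no caller of http_write() keys on EWOULDBLOCK — not visible here. http_write() continues outside the hunk.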
@@ -1532,7 +1532,28 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 if (!error)
 {
- int done = 0; /* Are we done yet? */
+ int done = 0; /* Are we done yet? */
+ double old_timeout; /* Old timeout value */
+ http_timeout_cb_t old_cb; /* Old timeout callback */
+ void *old_data; /* Old timeout data */
+
+ /*
+ * Enforce a minimum timeout of 10 seconds for the TLS handshake...
+ */
+
+ old_timeout = http->timeout_value;
+ old_cb = http->timeout_cb;
+ old_data = http->timeout_data;
+
+ if (!old_cb || old_timeout < 10.0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting timeout to 10 seconds.");
+ httpSetTimeout(http, 10.0, NULL, NULL);
+ }
+
+ /*
+ * Do the TLS handshake...
+ */
 while (!error && !done)
 {
@@ -1653,6 +1674,12 @@ _httpTLSStart(http_t *http) /* I - HTTP connection */
 break;
 }
 }
+
+ /*
+ * Restore the previous timeout settings...
+ */
+
+ httpSetTimeout(http, old_timeout, old_cb, old_data);
 }
 if (error)
@@ -2085,7 +2112,7 @@ http_cdsa_read(
 http = (http_t *)connection;
- if (!http->blocking)
+ if (!http->blocking || http->timeout_value > 0.0)
 {
 /*
 * Make sure we have data before we read...
diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
index 0f0cd0028e..bc3cdd07d7 100644
--- a/cups/tls-gnutls.c
+++ b/cups/tls-gnutls.c
@@ -1,8 +1,8 @@
 /*
 * TLS support code for CUPS using GNU TLS.
 *
- * Copyright 2007-2018 by Apple Inc.
- * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ * Copyright © 2007-2018 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
 *
 * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
 */
@@ -1087,7 +1087,7 @@ http_gnutls_read(
 http = (http_t *)ptr;
- if (!http->blocking)
+ if (!http->blocking || http->timeout_value > 0.0)
 {
 /*
 * Make sure we have data before we read...
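Review bot: The comment in the tls-darwin.c _httpTLSStart() hunk says a 10-second minimum is enforced, but `if (!old_cb || old_timeout < 10.0)` also replaces a longer callback-less timeout (a caller that asked for 30 s with no callback is cut to 10 s for the handshake) and silently discards a caller's callback when its timeout is under 10 s. If a floor is really meant, `if (old_timeout < 10.0)` together with `httpSetTimeout(http, 10.0, old_cb, old_data);` matches the comment; if the intent is to cap an unattended handshake at 10 s so that a callback cannot let a stalled peer hold the negotiation open, the comment should say exactly that. The `10.0` literal and the "10 seconds" DEBUG string are repeated in the GnuTLS backend as well, so a single named constant shared by both backends would keep them consistent. The handshake loop body and its error handling lie outside this hunk.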
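Review bot: The restore added after the handshake loop in tls-darwin.c is only reached on paths that fall out of the loop; any `return` inside the loop body (outside this hunk) would leave the 10-second/NULL-callback settings in force for the rest of the connection, which is exactly what the GnuTLS hunk below guards against by restoring before its `return (-1)`. A one-line comment on the restore, `/* Every exit from the handshake loop must pass through here */`, plus a check that the loop has no early return, would close that gap. _httpTLSStart() continues outside the hunk.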
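Review bot: The predicate `!http->blocking || http->timeout_value > 0.0` on the changed line of http_gnutls_read() is now spelled out identically in http_read(), http_cdsa_read() and here; a single helper next to the http_t definition, something like `static inline int http_needs_wait(http_t *http) { return (!http->blocking || http->timeout_value > 0.0); }`, would keep the three read paths from drifting the next time the timeout semantics change. How http_gnutls_read() reports a failed wait back to GnuTLS (a retryable EAGAIN versus a hard error) decides whether gnutls_handshake() retries or fails, and that code is below the hunk; http_gnutls_read() starts and ends outside it.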
@@ -1245,6 +1245,9 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 char priority_string[2048]; /* Priority string */
 int version; /* Current version */
+ double old_timeout; /* Old timeout value */
+ http_timeout_cb_t old_cb; /* Old timeout callback */
+ void *old_data; /* Old timeout data */
 static const char * const versions[] =/* SSL/TLS versions */
 {
 "VERS-SSL3.0",
@@ -1578,6 +1581,24 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 #endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
 gnutls_transport_set_push_function(http->tls, http_gnutls_write);
+ /*
+ * Enforce a minimum timeout of 10 seconds for the TLS handshake...
+ */
+
+ old_timeout = http->timeout_value;
+ old_cb = http->timeout_cb;
+ old_data = http->timeout_data;
+
+ if (!old_cb || old_timeout < 10.0)
+ {
+ DEBUG_puts("4_httpTLSStart: Setting timeout to 10 seconds.");
+ httpSetTimeout(http, 10.0, NULL, NULL);
+ }
+
+ /*
+ * Do the TLS handshake...
+ */
+
 while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
 {
 DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
@@ -1595,10 +1616,18 @@ _httpTLSStart(http_t *http) /* I - Connection to server */
 free(credentials);
 http->tls = NULL;
+ httpSetTimeout(http, old_timeout, old_cb, old_data);
+
 return (-1);
 }
 }
+ /*
+ * Restore the previous timeout settings...
+ */
+
+ httpSetTimeout(http, old_timeout, old_cb, old_data);
+
 http->tls_credentials = credentials;
 return (0);
diff --git a/cups/tls.c b/cups/tls.c
index e8874004fa..278439db2e 100644
--- a/cups/tls.c
+++ b/cups/tls.c
@@ -30,7 +30,7 @@
 /*
- * Local functions...
+ * Include platform-specific TLS code...
 */
 #ifdef HAVE_SSL
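Review bot: The save/override/restore sequence added before `gnutls_handshake()` is a line-for-line copy of the one in tls-darwin.c, down to the `10.0` literal and the DEBUG string; since tls.c includes both backends (per its hunk below), two static helpers defined in tls.c ahead of the `#include`s — one that saves the old values and applies the handshake timeout, one that restores them — would keep the two backends in lock-step. Note also that `if (!old_cb || old_timeout < 10.0)` shortens a longer callback-less timeout to 10 s and drops a caller's callback when its timeout is under 10 s, which the "minimum" comment does not say; if that is intended, for instance to stop a callback from prolonging a stalled handshake, the comment should state it. _httpTLSStart() continues outside the hunk.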
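Review bot: The restore now lives on two exits of the GnuTLS handshake — before the in-loop `return (-1)` and after the loop — and it has to precede every future exit as well; since `free(credentials); http->tls = NULL;` are repeated inline on the error path too, a single exit point (break out of the loop on the fatal error, restore once after it, then return -1 when `status != GNUTLS_E_SUCCESS`) would make the restore impossible to miss. Whether the loop body has other exits is not visible, as the loop starts above this hunk. A short comment on the in-loop restore, `/* Undo the handshake timeout before bailing out */`, helps either way.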