p11_child: Add timeout parameter #7890
Conversation
thalman
force-pushed
the
p11_child_timeout
branch
2 times, most recently
from
56a725f to
220bbaa
Compare
src/p11_child/p11_child_openssl.c
Outdated
| @@ -582,6 +597,7 @@ errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, | |||
| return ENOMEM; | |||
| } | |||
|
|
|||
| ctx->start_timestamp = time(NULL); | |||
There was a problem hiding this comment.
Hi,
why don't you put timeout into struct p11_ctx as well (it would fit into struct cert_verify_opts as well) ? This would help to avoid adding timeout into all the function headers.
bye,
Sumit
There was a problem hiding this comment.
I was thinking of that too, I have no preference here. But before proceeding with changes I want to do some testing to see if this solves the issue correctly. This is still draft PR.
There was a problem hiding this comment.
I would put this into cert_verify_opts as it would reduce number of changes (this struct is populated already in main()). But I don't insist.
thalman
force-pushed
the
p11_child_timeout
branch
from
220bbaa to
1559bdf
Compare
|
@thalman, could you please rebase? |
p11_child communication with OCSP server may take a long time because of network issues. Then p11_child is killed after `p11_child_timeout` and the authentication fails. This is not desirable when `certificate_verification` is set to `soft_ocsp`. This update will pass the timeout to the child process so it can cancel the OCSP verification before it is terminated. Resolves: SSSD#6601
thalman
force-pushed
the
p11_child_timeout
branch
from
1559bdf to
d1aeb3c
Compare
Rebased |
| @@ -59,7 +60,8 @@ enum pin_mode { | |||
| }; | |||
|
|
|||
| errno_t init_p11_ctx(TALLOC_CTX *mem_ctx, const char *ca_db, | |||
| bool wait_for_card, struct p11_ctx **p11_ctx); | |||
| bool wait_for_card, time_t timeout, | |||
There was a problem hiding this comment.
Any reason to use time_t specifically and not plain int or unsigned?
This arg is just a period (number of seconds?), not a time point.
There was a problem hiding this comment.
Also code parses it as POPT_ARG_LONG, it's better to match types strictly to avoid surprises (especially on non-x86 platforms).
There was a problem hiding this comment.
for parsing I use long int but the rest of the code expects int. I did not have particular reason for using time_t I can change that to int and add check that this parameter fits into it.
There was a problem hiding this comment.
Would it be possible to simply use int everywhere (including parsing)?
There was a problem hiding this comment.
And of course because we use time() to calculate the timeout.
There was a problem hiding this comment.
That's a rabbit hole. Looks like there is no portable way to increment time_t directly.
There was a problem hiding this comment.
Currently it is implicitly cast-ed to time_t from long when provided to do_work(). Maybe that's ok.
|
Ha... It appears |
|
@spoore1, would you like a test build before we merge this? |
src/p11_child/p11_child_openssl.c
Outdated
| /* substract 1 so we finish before child is forcibly terminated */ | ||
| req_timeout = p11_ctx->timeout - 1 - | ||
| (time(NULL) - p11_ctx->start_timestamp); | ||
| if (req_timeout < 0) { |
There was a problem hiding this comment.
Not needed if below condition changed to if (req_timeout <= 0)
There was a problem hiding this comment.
With the one item (deadline) approach this changes a bit but the condition is still needed.
There was a problem hiding this comment.
Only to have a dedicated debug message.
Otherwise instead of two:
if (req_timeout <= 0) {
...
if (req_timeout != 0) {
there could be single
if (req_timeout > 0) { process_responder() }
| @@ -1128,7 +1128,7 @@ ifp_users_find_by_valid_cert_send(TALLOC_CTX *mem_ctx, | |||
| goto done; | |||
| } | |||
|
|
|||
| state->extra_args = talloc_zero_array(state, const char *, 8); | |||
| state->extra_args = talloc_zero_array(state, const char *, 10); | |||
There was a problem hiding this comment.
Do you think it would be possible to factor out a common helper, that prepares p11_child args, out of ifp/pamsrv_p11/ssh to reduce code copy&paste?
If it's ok if I can't test until Tuesday or Wednesday, yes. I can't guarantee I'll be able to test before that. |
| @@ -44,8 +44,7 @@ struct p11_ctx { | |||
| const char *ca_db; | |||
| bool wait_for_card; | |||
| struct cert_verify_opts *cert_verify_opts; | |||
| time_t start_timestamp; | |||
| time_t timeout; | |||
| int ocsp_deadline; | |||
There was a problem hiding this comment.
Unlike timeout, this is a better fit for time_t, actually (see another comment).
| (time(NULL) - p11_ctx->start_timestamp); | ||
| if (req_timeout < 0) { | ||
| if (p11_ctx->ocsp_deadline != -1 && p11_ctx->cert_verify_opts->soft_ocsp) { | ||
| req_timeout = p11_ctx->ocsp_deadline - time(NULL); |
There was a problem hiding this comment.
There is a difftime().
But it returns double.
I now tend to agree to keep everything as time_t and that's it.
p11_child communication with OCSP server may take a long time because of network issues. Then p11_child is killed after
p11_child_timeoutand the authentication fails.This is not desirable when
certificate_verificationis set tosoft_ocsp. This update will pass the timeout to the child process so it can cancel the OCSP verification before it is terminated.Resolves: #6601