Add TLS connection error callback function.

For sendlog, this will just break out of the event loop.  For a
logsrvd relay, it will try the next relay server (if any) and return
an error to the client if no connection succeeds.  Note that this
only affects TLS negotiation (which may happen asynchronously) after
the actual socket has been connected.

Found by the ZeroPath AI Security Engineer <https://zeropath.com>

Author: millert

logsrvd/logsrvd_relay.c

@@ -62,6 +62,7 @@ static void relay_client_msg_cb(int fd, int what, void *v);
 static void relay_server_msg_cb(int fd, int what, void *v);
 static void connect_cb(int sock, int what, void *v);
 static bool start_relay(int sock, struct connection_closure *closure);
+static void tls_connect_error_fn(struct tls_client_closure *tls_client);
 
 /*
  * Free a struct relay_closure container and its contents.
@@ -286,6 +287,7 @@ connect_relay_tls(struct connection_closure *closure)
 	sudo_timespecclear(&tls_client->connect_timeout);
     }
     tls_client->start_fn = tls_client_start_fn;
+    tls_client->connect_error_fn = tls_connect_error_fn;
     if (!tls_ctx_client_setup(ssl_ctx, closure->relay_closure->sock, tls_client))
         goto bad;
 
@@ -498,6 +500,27 @@ connect_relay(struct connection_closure *closure)
     debug_return_bool(true);
 }
 
+/* Called on TLS connection error. */
+static void
+tls_connect_error_fn(struct tls_client_closure *tls_client)
+{
+    struct connection_closure *closure = tls_client->parent_closure;
+    int res;
+
+    /* TLS connection failed, try next relay (if any). */
+    while ((res = connect_relay_next(closure)) == -1) {
+	if (errno == ENOENT || errno == EINPROGRESS) {
+	    /* Out of relays or connecting asynchronously. */
+	    break;
+	}
+    }
+    if (res == -1 && errno != EINPROGRESS) {
+	closure->errstr = _("unable to connect to relay host");
+	if (!schedule_error_message(closure->errstr, closure))
+	    connection_close(closure);
+    }
+}
+
 /*
  * Respond to a ServerHello message from the relay.
  * Returns true on success, false on error.

logsrvd/sendlog.c

@@ -394,6 +394,13 @@ tls_start_fn(struct tls_client_closure *tls_client)
 {
     return fmt_client_hello(tls_client->parent_closure);
 }
+
+/* Called on TLS connection error. */
+static void
+tls_connect_error_fn(struct tls_client_closure *tls_client)
+{
+    sudo_ev_loopbreak(tls_client->evbase);
+}
 #endif /* HAVE_OPENSSL */
 
 static void
@@ -1688,6 +1695,7 @@ client_closure_alloc(int sock, struct sudo_event_base *base,
 	closure->tls_client.peer_name = &server_info;
 	closure->tls_client.connect_timeout.tv_sec = TLS_HANDSHAKE_TIMEO_SEC;
 	closure->tls_client.start_fn = tls_start_fn;
+	closure->tls_client.connect_error_fn = tls_connect_error_fn;
     }
 #endif
 

logsrvd/tls_client.c

@@ -187,7 +187,7 @@ tls_connect_cb(int sock, int what, void *v)
     debug_return;
 
 bad:
-    sudo_ev_loopbreak(evbase);
+    tls_client->connect_error_fn(tls_client);
     debug_return;
 }
 
@@ -199,6 +199,7 @@ tls_ctx_client_setup(SSL_CTX *ssl_ctx, int sock,
     bool ret = false;
     debug_decl(tls_ctx_client_setup, SUDO_DEBUG_UTIL);
 
+    SSL_free(closure->ssl);
     if ((closure->ssl = SSL_new(ssl_ctx)) == NULL) {
 	errstr = ERR_reason_error_string(ERR_get_error());
         sudo_warnx(U_("unable to allocate ssl object: %s"),

logsrvd/tls_common.h

@@ -34,9 +34,10 @@ struct tls_client_closure {
     void *parent_closure;
     struct sudo_event_base *evbase;	/* duplicated */
     struct sudo_event *tls_connect_ev;
-    struct peer_info *peer_name;
+    struct peer_info *peer_name;	/* duplicated */
     struct timespec connect_timeout;
     bool (*start_fn)(struct tls_client_closure *);
+    void (*connect_error_fn)(struct tls_client_closure *);
     bool tls_connect_state;
 };