Adding time out in Azure dcap in case local agent does not respond. (#…

…185) * Adding time out in Azure dcap in case local agent does not respond. * Updating linux header file. * Resolving comments from first iteration. * updating timeout to 1 sec. * Updating comment. * Empty commit to retrigger PR checks --------- Co-authored-by: FranciscoJavierOrtegaPalacios <[email protected]>
microsoft · Jul 12, 2023 · bc7b484 · bc7b484
1 parent 4c8035e
commit bc7b484
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 8 deletions.
diff --git a/src/Linux/curl_easy.cpp b/src/Linux/curl_easy.cpp
@@ -86,7 +86,11 @@ char const* curl_easy::error::what() const noexcept
 ///////////////////////////////////////////////////////////////////////////////
 // curl_easy implementation
 ///////////////////////////////////////////////////////////////////////////////
-std::unique_ptr<curl_easy> curl_easy::create(const std::string& url, const std::string* const p_body, unsigned long dwflag)
+std::unique_ptr<curl_easy> curl_easy::create(
+    const std::string& url,
+    const std::string* const p_body,
+    unsigned long dwflag,
+    bool fetchingFromLocalAgent)
 {
     std::unique_ptr<curl_easy> easy(new curl_easy);
 
@@ -106,6 +110,13 @@ std::unique_ptr<curl_easy> curl_easy::create(const std::string& url, const std::
     easy->set_opt_or_throw(CURLOPT_FAILONERROR, 1L);
     easy->set_opt_or_throw(CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
 
+    // If request is routed to THIM agent for SGX certificate fetch, set
+    // response timeout to 1 s 
+    if (fetchingFromLocalAgent)
+    {
+        easy->set_opt_or_throw(CURLOPT_SERVER_RESPONSE_TIMEOUT, 1L);
+    }
+
     if (p_body != nullptr && !p_body->empty())
     {
         easy->set_opt_or_throw(CURLOPT_CUSTOMREQUEST, "GET");

diff --git a/src/Linux/curl_easy.h b/src/Linux/curl_easy.h
@@ -36,7 +36,11 @@ class curl_easy
         char function[128]{};
     };
 
-    static std::unique_ptr<curl_easy> create(const std::string& url, const std::string* const p_body, unsigned long dwFlags = 0);
+    static std::unique_ptr<curl_easy> create(
+        const std::string& url,
+        const std::string* const p_body,
+        unsigned long dwFlags = 0,
+        bool fetchingFromLocalAgent = false);
 
     ~curl_easy();
 

diff --git a/src/Windows/curl_easy.cpp b/src/Windows/curl_easy.cpp
@@ -129,7 +129,8 @@ std::wstring UnicodeStringFromUtf8String(_In_ const std::string& ansiString)
 std::unique_ptr<curl_easy> curl_easy::create(
     const std::string& url,
     const std::string* const p_body,
-    unsigned long dwFlags)
+    unsigned long dwFlags,
+    bool fetchingFromLocalAgent)
 {
     struct make_unique_enabler : public curl_easy
     {
@@ -217,6 +218,18 @@ std::unique_ptr<curl_easy> curl_easy::create(
             "curl_easy::create/WinHttpSetOption(RedirectPolicy)");
     }
 
+    if (fetchingFromLocalAgent)
+    {
+        // Setting nResolveTimeout = 0. this is default value. Since we directly
+        // connect to IP, DNS resolution doesnot make sense.
+        // Setting nConnectTimeout = 60000 ms. This is the default value.
+        // Setting nSendTimeout = 1 s.
+        // Setting nReceiveTimeout = 1 s.
+        if (!WinHttpSetTimeouts(
+                curl->sessionHandle.get(), 0, 60000, 1000, 1000))
+            throw_on_error(GetLastError(), "Error %u in WinHttpSetTimeouts.\n");
+    }
+
     // Specify TLS 1.2
     DWORD protocolOptions =
         WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 | WINHTTP_FLAG_SECURE_PROTOCOL_SSL3;

diff --git a/src/Windows/curl_easy.h b/src/Windows/curl_easy.h
@@ -40,7 +40,8 @@ class curl_easy
     static std::unique_ptr<curl_easy> create(
         const std::string& url,
         const std::string* const p_body,
-        unsigned long dwFlags = WINHTTP_FLAG_SECURE);
+        unsigned long dwFlags = WINHTTP_FLAG_SECURE,
+        bool fetchingFromLocalAgent = false);
 
     ~curl_easy();
 

diff --git a/src/dcap_provider.cpp b/src/dcap_provider.cpp
@@ -283,7 +283,7 @@ static bool get_region_url_from_service(std::string& url)
 
 	log(SGX_QL_LOG_INFO, "Retrieving region url from '%s'.", azure_instance_metadata_service_url.c_str());
 
-    const auto curl_operation = curl_easy::create(azure_instance_metadata_service_url, nullptr, 0);
+    const auto curl_operation = curl_easy::create(azure_instance_metadata_service_url, nullptr, 0, true);
 
 	curl_operation->set_headers(headers::localhost_metadata);
 
@@ -1706,12 +1706,14 @@ bool fetch_response(
     std::unique_ptr<curl_easy>& curl,
     std::map<std::string, std::string> header_value,
     quote3_error_t &retval,
-    unsigned long dwFlags = 0x00800000)
+    unsigned long dwFlags = 0x00800000,
+    bool fetchingFromLocalAgent = false)
 {
     bool fetch_response = false;
     try
     {
-        curl = curl_easy::create(base_url, nullptr, dwFlags);
+        curl =
+            curl_easy::create(base_url, nullptr, dwFlags, fetchingFromLocalAgent);
         log(SGX_QL_LOG_INFO,
             "Fetching certificate from: '%s'.",
             base_url.c_str());
@@ -1789,7 +1791,8 @@ extern "C" quote3_error_t sgx_ql_get_quote_config(
                     curl,
                     headers::localhost_metadata,
                     retval,
-                    0);
+                    0,
+                    true);
             }
 #endif
             if (recieved_certificate)