From 09d0c36e33a24ae97e71d6e021ce6fc7509a8945 Mon Sep 17 00:00:00 2001
From: Aman Gupta <aman@tmm1.net>
Date: Wed, 15 Jun 2016 16:37:48 -0700
Subject: [PATCH 1/5] use connect_timeout when establishing an openssl
 connection

---
 lib/net/ldap/connection.rb | 34 +++++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index f8ba0b61..5a38bba9 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -31,26 +31,27 @@ def socket_class=(socket_class)
     @socket_class = socket_class
   end
 
-  def prepare_socket(server)
+  def prepare_socket(server, timeout=nil)
     socket = server[:socket]
     encryption = server[:encryption]
 
     @conn = socket
-    setup_encryption encryption if encryption
+    setup_encryption(encryption, timeout) if encryption
   end
 
   def open_connection(server)
     hosts = server[:hosts]
     encryption = server[:encryption]
 
+    timeout = server[:connect_timeout] || DefaultConnectTimeout
     socket_opts = {
-      connect_timeout: server[:connect_timeout] || DefaultConnectTimeout,
+      connect_timeout: timeout,
     }
 
     errors = []
     hosts.each do |host, port|
       begin
-        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
+        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout)
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,
              OpenSSL::SSL::SSLError => e
@@ -76,7 +77,7 @@ def close
     end
   end
 
-  def self.wrap_with_ssl(io, tls_options = {})
+  def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
     raise Net::LDAP::NoOpenSSLError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL
 
     ctx = OpenSSL::SSL::SSLContext.new
@@ -86,7 +87,22 @@ def self.wrap_with_ssl(io, tls_options = {})
     ctx.set_params(tls_options) unless tls_options.empty?
 
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
-    conn.connect
+
+    begin
+      conn.connect_nonblock
+    rescue IO::WaitReadable
+      if IO.select([conn], nil, nil, timeout)
+        retry
+      else
+        raise Net::LDAP::LdapError, "OpenSSL connection read timeout"
+      end
+    rescue IO::WaitWritable
+      if IO.select(nil, [conn], nil, timeout)
+        retry
+      else
+        raise Net::LDAP::LdapError, "OpenSSL connection write timeout"
+      end
+    end
 
     # Doesn't work:
     # conn.sync_close = true
@@ -123,11 +139,11 @@ def self.wrap_with_ssl(io, tls_options = {})
   # communications, as with simple_tls. Thanks for Kouhei Sutou for
   # generously contributing the :start_tls path.
   #++
-  def setup_encryption(args)
+  def setup_encryption(args, timeout=nil)
     args[:tls_options] ||= {}
     case args[:method]
     when :simple_tls
-      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
       # additional branches requiring server validation and peer certs, etc.
       # go here.
     when :start_tls
@@ -144,7 +160,7 @@ def setup_encryption(args)
       end
 
       if pdu.result_code.zero?
-        @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
+        @conn = self.class.wrap_with_ssl(@conn, args[:tls_options], timeout)
       else
         raise Net::LDAP::StartTLSError, "start_tls failed: #{pdu.result_code}"
       end

From b5b6d5a41dcb900a9c109cf75452f75fea534f56 Mon Sep 17 00:00:00 2001
From: Aman Gupta <aman@tmm1.net>
Date: Wed, 15 Jun 2016 17:49:39 -0700
Subject: [PATCH 2/5] fix test mock

---
 test/test_ldap_connection.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/test_ldap_connection.rb b/test/test_ldap_connection.rb
index 6bb027ac..ba6289b3 100644
--- a/test/test_ldap_connection.rb
+++ b/test/test_ldap_connection.rb
@@ -291,7 +291,7 @@ def test_queued_read_setup_encryption_with_start_tls
       and_return(result2)
     mock.should_receive(:write)
     conn = Net::LDAP::Connection.new(:socket => mock)
-    flexmock(Net::LDAP::Connection).should_receive(:wrap_with_ssl).with(mock, {}).
+    flexmock(Net::LDAP::Connection).should_receive(:wrap_with_ssl).with(mock, {}, nil).
       and_return(mock)
 
     conn.next_msgid # simulates ongoing query

From 8ba479633cb23e18d36b2cff16ede33b60637caf Mon Sep 17 00:00:00 2001
From: Aman Gupta <aman@tmm1.net>
Date: Wed, 15 Jun 2016 18:09:50 -0700
Subject: [PATCH 3/5] use non-blocking connect only when timeout is set

---
 lib/net/ldap/connection.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 5a38bba9..e3b51427 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -89,7 +89,11 @@ def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
 
     begin
-      conn.connect_nonblock
+      if timeout
+        conn.connect_nonblock
+      else
+        conn.connect
+      end
     rescue IO::WaitReadable
       if IO.select([conn], nil, nil, timeout)
         retry

From 21ffe8f38a3b6074ade886531072ea8c4cdfb0a5 Mon Sep 17 00:00:00 2001
From: Aman Gupta <aman@tmm1.net>
Date: Thu, 16 Jun 2016 11:11:13 -0700
Subject: [PATCH 4/5] use Net::LDAP::SocketError on openssl timeouts

---
 lib/net/ldap/connection.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index e3b51427..6f54b4ab 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -98,13 +98,13 @@ def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
       if IO.select([conn], nil, nil, timeout)
         retry
       else
-        raise Net::LDAP::LdapError, "OpenSSL connection read timeout"
+        raise Net::LDAP::SocketError, "OpenSSL connection read timeout"
       end
     rescue IO::WaitWritable
       if IO.select(nil, [conn], nil, timeout)
         retry
       else
-        raise Net::LDAP::LdapError, "OpenSSL connection write timeout"
+        raise Net::LDAP::SocketError, "OpenSSL connection write timeout"
       end
     end
 

From 749c22b4e5514ead10c92bcaec1c5a1eb49db455 Mon Sep 17 00:00:00 2001
From: Aman Gupta <aman@tmm1.net>
Date: Fri, 17 Jun 2016 12:24:26 -0700
Subject: [PATCH 5/5] use ETIMEDOUT for openssl timeouts

---
 lib/net/ldap/connection.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 6f54b4ab..1cbcbb67 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -98,13 +98,13 @@ def self.wrap_with_ssl(io, tls_options = {}, timeout=nil)
       if IO.select([conn], nil, nil, timeout)
         retry
       else
-        raise Net::LDAP::SocketError, "OpenSSL connection read timeout"
+        raise Errno::ETIMEDOUT, "OpenSSL connection read timeout"
       end
     rescue IO::WaitWritable
       if IO.select(nil, [conn], nil, timeout)
         retry
       else
-        raise Net::LDAP::SocketError, "OpenSSL connection write timeout"
+        raise Errno::ETIMEDOUT, "OpenSSL connection write timeout"
       end
     end