make TCP waiting time configurable

Currently there is a hardcoded 10s waiting time for TCP connections
before other KDCs or connection types are tried.

With this patch a new libdefaults option 'tcp_default_waiting_time' is
introduced to make this hardcode timeout configurable to either wait
longer for the KDC to reply or switch faster to other options if a KDC
is not responsive.

src/include/k5-int.h

@@ -297,6 +297,7 @@ typedef unsigned char   u_char;
 #define KRB5_CONF_SPAKE_PREAUTH_INDICATOR      "spake_preauth_indicator"
 #define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE  "spake_preauth_kdc_challenge"
 #define KRB5_CONF_SPAKE_PREAUTH_GROUPS         "spake_preauth_groups"
+#define KRB5_CONF_TCP_DEFAULT_WAITING_TIME     "tcp_default_waiting_time"
 #define KRB5_CONF_TICKET_LIFETIME              "ticket_lifetime"
 #define KRB5_CONF_UDP_PREFERENCE_LIMIT         "udp_preference_limit"
 #define KRB5_CONF_UNLOCKITER                   "unlockiter"

src/include/k5-trace.h

@@ -425,6 +425,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
     TRACE(c, "Sending initial UDP request to {raddr}", raddr)
 #define TRACE_SENDTO_KDC_UDP_SEND_RETRY(c, raddr)               \
     TRACE(c, "Sending retry UDP request to {raddr}", raddr)
+#define TRACE_TCP_WAITING_TIME(c, wait_time)                    \
+    TRACE(c, "Using TCP waiting time {int} ms", wait_time)
 
 #define TRACE_SEND_TGS_ETYPES(c, etypes)                                \
     TRACE(c, "etypes requested in TGS request: {etypes}", etypes)

src/lib/krb5/os/sendto_kdc.c

@@ -1086,11 +1086,14 @@ service_dispatch(krb5_context context, const krb5_data *realm,
     }
 }
 
+#define DEFAULT_TCP_DEFAULT_WAITING_TIME 10000
 /* Initialize TCP transport. */
 static krb5_boolean
 service_tcp_connect(krb5_context context, const krb5_data *realm,
                     struct conn_state *conn, struct select_state *selstate)
 {
+    krb5_error_code retval;
+    int tmp;
     /* Check whether the connection succeeded. */
     int e = get_so_error(conn->fd);
 
@@ -1103,8 +1106,17 @@ service_tcp_connect(krb5_context context, const krb5_data *realm,
     conn->state = WRITING;
 
     /* Record this connection's timeout for service_fds. */
-    if (get_curtime_ms(&conn->endtime) == 0)
-        conn->endtime += 10000;
+    if (get_curtime_ms(&conn->endtime) == 0) {
+        retval = profile_get_integer(context->profile,
+                                     KRB5_CONF_LIBDEFAULTS,
+                                     KRB5_CONF_TCP_DEFAULT_WAITING_TIME, NULL,
+                                     DEFAULT_TCP_DEFAULT_WAITING_TIME, &tmp);
+        if (retval != 0) {
+            tmp = DEFAULT_TCP_DEFAULT_WAITING_TIME;
+        }
+        conn->endtime += tmp;
+        TRACE_TCP_WAITING_TIME(context, tmp);
+    }
 
     return conn->service_write(context, realm, conn, selstate);
 }

src/man/krb5.conf.man

@@ -482,6 +482,12 @@ _
 The default value for the client is \fBedwards25519\fP\&.  The default
 value for the KDC is empty.  New in release 1.17.
 .TP
+\fBtcp_default_waiting_time\fP
+Sets the default waiting time for TCP connection in milli-seconds. If a client
+is connected by TCP to a KDC this timeout has to pass before the client will
+try other connection types or KDCs.  The default value is 10000 (10s).
+New in release 1.22.
+.TP
 \fBticket_lifetime\fP
 (duration string.)  Sets the default lifetime for initial
 ticket requests.  The default value is 1 day.