ldap: use infinite timeout when using TLS to connect

Using an infinite timeout will make libldap use blocking thread for establishing the TLS connection both when using StartTTLS and when using LDAPS. This leaves the LDAP_OPT_NETWORK_TIMEOUT to its default (-1) when using TLS connection. Related: rhbz#1992551 Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-01-30 19:50:59 +01:00 · 2022-01-30 19:50:59 +01:00 · 4f6ca3e9cc
commit 4f6ca3e9cc
parent 39a61df66f
3 changed files with 40 additions and 52 deletions
--- a/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
+++ b/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
@ -1,49 +0,0 @@
-From ab6bbcc41293ae745c1607618f88e5404b98d769 Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Wed, 13 Oct 2021 13:29:02 +0200
-Subject: [PATCH] ldap: allow to connect on partially open handle
-
-The LDAP library returns a partially open connection. Setting the
-'retry' flag to true during the module inst creation and the pool start
-to 0 allows to connect even if the connection is not completely opened
-yet.
-
-Upstream commit: https://github.com/FreeRADIUS/freeradius-server/commit/21d95b268b4cf56e75064898d83123825d673818
-
-Signed-off-by: Antonio Torres <antorres@redhat.com>
---
-diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
-index f25ee9e2e0..4b6ae44afb 100644
--- a/src/modules/rlm_ldap/ldap.c
-+++ b/src/modules/rlm_ldap/ldap.c
-@@ -717,7 +717,8 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
- 	 *	For sanity, for when no connections are viable,
- 	 *	and we can't make a new one.
- 	 */
-	num = retry ? fr_connection_pool_get_num(inst->pool) : 0;
-+	num = 0;
-+	if (inst->pool && retry) num = fr_connection_pool_get_num(inst->pool);
- 	for (i = num; i >= 0; i--) {
- #ifdef WITH_SASL
- 		if (sasl && sasl->mech) {
-@@ -758,7 +759,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
- 			break;
- 
- 		case LDAP_PROC_RETRY:
-			if (retry) {
-+			if (num) {
- 				*pconn = fr_connection_reconnect(inst->pool, *pconn);
- 				if (*pconn) {
- 					LDAP_DBGW_REQ("Bind with %s to %s failed: %s. Got new socket, retrying...",
-@@ -1563,7 +1564,7 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
- 	}
- 
- 	status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password,
-			       &(conn->inst->admin_sasl), false);
-+			       &(conn->inst->admin_sasl), true);
- 	if (status != LDAP_PROC_SUCCESS) {
- 		goto error;
- 	}
-- 
-2.31.1
-
--- a/freeradius-ldap-infinite-timeout-on-starttls.patch
+++ b/freeradius-ldap-infinite-timeout-on-starttls.patch
@ -0,0 +1,31 @@
+From: Antonio Torres <antorres@redhat.com>
+Date: Fri, 28 Jan 2022
+Subject: Use infinite timeout when using LDAP+start-TLS
+
+This will ensure that the TLS connection to the LDAP server will complete
+before starting FreeRADIUS, as it forces libldap to use a blocking socket during 
+the process. Infinite timeout is the OpenLDAP default.
+Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ src/modules/rlm_ldap/ldap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index cf7a84e069..841bf888a1 100644
+--- a/src/modules/rlm_ldap/ldap.c
+++ b/src/modules/rlm_ldap/ldap.c
+@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ 	}
+ 
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+-	if (inst->net_timeout) {
+	bool using_tls = inst->start_tls ||
+					 inst->port == 636 ||
+					 strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
+	if (inst->net_timeout && !using_tls) {
+ 		memset(&tv, 0, sizeof(tv));
+ 		tv.tv_sec = inst->net_timeout;
+ 
--- a/freeradius.spec
+++ b/freeradius.spec
@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/

@ -26,7 +26,7 @@ Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-bootstrap-make-permissions.patch
 Patch6: freeradius-Fix-resource-hard-limit-error.patch
-Patch7: freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
+Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
 Patch8: freeradius-Backport-OpenSSL3-fixes.patch

 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -55,7 +55,7 @@ BuildRequires: ykclient-devel

 # Require OpenSSL version we built with, or newer, to avoid startup failures
 # due to runtime OpenSSL version checks.
-Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
+Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
 Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
@ -855,6 +855,12 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Fri Jan 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-25
+- Revert "Allow to connect to partially open LDAP handle"
+- Use infinite timeout (openldap default) when using LDAP+start-TLS
+- Update openssl dependency to not check epoch (was causing detection issues)
+  Related: rhbz#1992551
+
 * Thu Jan 13 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-24
 - Avoid segfault when trying to use MD4 without legacy provider
  Related: rhbz#1978216