From 4f6ca3e9cc41c996d44a0333255bb0dc73a06868 Mon Sep 17 00:00:00 2001
From: Antonio Torres
Date: Sun, 30 Jan 2022 19:50:59 +0100
Subject: [PATCH] ldap: use infinite timeout when using TLS to connect

Using an infinite timeout will make libldap use blocking thread for establishing the TLS connection both when using StartTTLS and when using LDAPS. This leaves the LDAP_OPT_NETWORK_TIMEOUT to its default (-1) when using TLS connection.

Related: rhbz#1992551
Signed-off-by: Antonio Torres
---
 ...-to-connect-on-partially-open-handle.patch | 49 -------------------
 ...us-ldap-infinite-timeout-on-starttls.patch | 31 ++++++++++++
 freeradius.spec | 12 +++--
 3 files changed, 40 insertions(+), 52 deletions(-)
 delete mode 100644 freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
 create mode 100644 freeradius-ldap-infinite-timeout-on-starttls.patch

diff --git a/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch b/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
deleted file mode 100644
index 41755ee..0000000
--- a/freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From ab6bbcc41293ae745c1607618f88e5404b98d769 Mon Sep 17 00:00:00 2001
-From: Antonio Torres
-Date: Wed, 13 Oct 2021 13:29:02 +0200
-Subject: [PATCH] ldap: allow to connect on partially open handle
-
-The LDAP library returns a partially open connection. Setting the
-'retry' flag to true during the module inst creation and the pool start
-to 0 allows to connect even if the connection is not completely opened
-yet.
-
-Upstream commit: https://github.com/FreeRADIUS/freeradius-server/commit/21d95b268b4cf56e75064898d83123825d673818
-
-Signed-off-by: Antonio Torres
----
-diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
-index f25ee9e2e0..4b6ae44afb 100644
---- a/src/modules/rlm_ldap/ldap.c
-+++ b/src/modules/rlm_ldap/ldap.c
-@@ -717,7 +717,8 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
- * For sanity, for when no connections are viable,
- * and we can't make a new one.
- */
-- num = retry ? fr_connection_pool_get_num(inst->pool) : 0;
-+ num = 0;
-+ if (inst->pool && retry) num = fr_connection_pool_get_num(inst->pool);
- for (i = num; i >= 0; i--) {
- #ifdef WITH_SASL
- if (sasl && sasl->mech) {
-@@ -758,7 +759,7 @@ ldap_rcode_t rlm_ldap_bind(rlm_ldap_t const *inst, REQUEST *request, ldap_handle
- break;
- 
- case LDAP_PROC_RETRY:
-- if (retry) {
-+ if (num) {
- *pconn = fr_connection_reconnect(inst->pool, *pconn);
- if (*pconn) {
- LDAP_DBGW_REQ("Bind with %s to %s failed: %s. Got new socket, retrying...",
-@@ -1563,7 +1564,7 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
- }
- 
- status = rlm_ldap_bind(inst, NULL, &conn, conn->inst->admin_identity, conn->inst->admin_password,
-- &(conn->inst->admin_sasl), false);
-+ &(conn->inst->admin_sasl), true);
- if (status != LDAP_PROC_SUCCESS) {
- goto error;
- }
---
-2.31.1
-
diff --git a/freeradius-ldap-infinite-timeout-on-starttls.patch b/freeradius-ldap-infinite-timeout-on-starttls.patch
new file mode 100644
index 0000000..40df134
--- /dev/null
+++ b/freeradius-ldap-infinite-timeout-on-starttls.patch
@@ -0,0 +1,31 @@
+From: Antonio Torres
+Date: Fri, 28 Jan 2022
+Subject: Use infinite timeout when using LDAP+start-TLS
+
+This will ensure that the TLS connection to the LDAP server will complete
+before starting FreeRADIUS, as it forces libldap to use a blocking socket during
+the process. Infinite timeout is the OpenLDAP default.
+Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
+Signed-off-by: Antonio Torres
+---
+ src/modules/rlm_ldap/ldap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index cf7a84e069..841bf888a1 100644
+--- a/src/modules/rlm_ldap/ldap.c
++++ b/src/modules/rlm_ldap/ldap.c
+@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ }
+ 
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+- if (inst->net_timeout) {
++ bool using_tls = inst->start_tls ||
++ inst->port == 636 ||
++ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
++ if (inst->net_timeout && !using_tls) {
+ memset(&tv, 0, sizeof(tv));
+ tv.tv_sec = inst->net_timeout;
+ 
diff --git a/freeradius.spec b/freeradius.spec
index b03f8e4..be504ca 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
 
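Review bot: The `using_tls` test in the added lines is narrower than the TLS modes it is meant to cover: `strncmp(inst->server, "ldaps://", ...)` is case-sensitive while libldap's URL parser accepts the scheme case-insensitively as far as I recall, and if `inst->server` holds a space-separated list of URLs (3.0's multi-valued `server` option) only the first URL is inspected, so an `LDAPS://` server or an `ldaps://` entry in second position still gets the finite `net_timeout` this patch is trying to avoid. `strncasecmp` and the `LDAPS_PORT` constant from ldap.h in place of the literal `636` would fix the first two, e.g. `inst->port == LDAPS_PORT || strncasecmp(inst->server, "ldaps://", strlen("ldaps://")) == 0`; covering every URL in the list needs a small loop over the string. Separately, an explicitly configured `net_timeout` is now discarded without any trace in the log, and because mod_conn_create also runs for runtime pool reconnects, a peer that accepts the TCP connection but never completes the handshake blocks a worker thread for as long as libldap's default allows (indefinitely, per the commit message); a line such as `WARN("rlm_ldap: net_timeout ignored while TLS is in use, libldap default applies")` using whichever logging macro the surrounding file uses would at least make that visible. mod_conn_create starts and ends outside the hunk.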
@@ -26,7 +26,7 @@ Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-bootstrap-make-permissions.patch
 Patch6: freeradius-Fix-resource-hard-limit-error.patch
-Patch7: freeradius-ldap-allow-to-connect-on-partially-open-handle.patch
+Patch7: freeradius-ldap-infinite-timeout-on-starttls.patch
 Patch8: freeradius-Backport-OpenSSL3-fixes.patch
 
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@@ -55,7 +55,7 @@ BuildRequires: ykclient-devel
 
 # Require OpenSSL version we built with, or newer, to avoid startup failures
 # due to runtime OpenSSL version checks.
-Requires: openssl >= %(rpm -q --queryformat '%%{EPOCH}:%%{VERSION}' openssl)
+Requires: openssl >= %(rpm -q --queryformat '%%{VERSION}' openssl)
 Requires(pre): shadow-utils glibc-common
 Requires(post): systemd-sysv
 Requires(post): systemd-units
@@ -855,6 +855,12 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Fri Jan 28 2022 Antonio Torres - 3.0.21-25
+- Revert "Allow to connect to partially open LDAP handle"
+- Use infinite timeout (openldap default) when using LDAP+start-TLS
+- Update openssl dependency to not check epoch (was causing detection issues)
+  Related: rhbz#1992551
+
 * Thu Jan 13 2022 Antonio Torres - 3.0.21-24
 - Avoid segfault when trying to use MD4 without legacy provider
   Related: rhbz#1978216
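Review bot: Dropping `%%{EPOCH}` from the `Requires: openssl >= ...` line in the second hunk defeats the comment directly above it: openssl in Fedora/RHEL carries `Epoch: 1`, and in rpm's EVR comparison a provide with a non-zero epoch outranks a requirement that has none, so `openssl >= 3.0.1` is satisfied by any epoch-1 openssl whatever its version (from memory of rpmdsCompare; worth confirming on the target rpm). The "detection issues" named in the changelog are most likely `%{EPOCH}` expanding to `(none)` when the build-root openssl has no epoch, which the query format's conditional handles without giving up the check: `Requires: openssl >= %(rpm -q --queryformat '%%|EPOCH?{%%{EPOCH}:}:{}|%%{VERSION}' openssl)`. If the epoch really must be dropped, the two comment lines above the Requires should say that the check is now version-only and why.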