Fix TLS connection timeout handling
Resolves: RHEL-68773
This commit is contained in:
Simon Pichugin
parent
8759279a74
commit
e879e4a967
100
openldap-fix-TLS-connection-timeout-handling.patch
Normal file
100
openldap-fix-TLS-connection-timeout-handling.patch
Normal file
@ -0,0 +1,100 @@
|
||||
From 5645e37044e77c72f8868ecf62b6c7983c0afc2b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
|
||||
Date: Mon, 21 Oct 2024 11:50:11 +0100
|
||||
Subject: [PATCH 1/6] ITS#8047 Fix TLS connection timeout handling
|
||||
|
||||
The test for async in ldap_int_tls_start was inverted, we already
|
||||
support calling ldap_int_tls_connect repeatedly. And so long as
|
||||
LBER_SB_OPT_NEEDS_* are managed correctly, the application should be
|
||||
able to do the right thing.
|
||||
|
||||
Might require a new result code rather than reporposing
|
||||
LDAP_X_CONNECTING for this.
|
||||
---
|
||||
libraries/libldap/ldap-int.h | 1 +
|
||||
libraries/libldap/tls2.c | 18 +++++++++++++++++-
|
||||
2 files changed, 18 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
|
||||
index 3ef17643b1..7e754775e8 100644
|
||||
--- a/libraries/libldap/ldap-int.h
|
||||
+++ b/libraries/libldap/ldap-int.h
|
||||
@@ -368,6 +368,7 @@ typedef struct ldap_conn {
|
||||
#define LDAP_CONNST_NEEDSOCKET 1
|
||||
#define LDAP_CONNST_CONNECTING 2
|
||||
#define LDAP_CONNST_CONNECTED 3
|
||||
+#define LDAP_CONNST_TLS_INPROGRESS 4
|
||||
LDAPURLDesc *lconn_server;
|
||||
BerElement *lconn_ber; /* ber receiving on this conn. */
|
||||
|
||||
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
||||
index dea46de0ad..cf6f4dcf9a 100644
|
||||
--- a/libraries/libldap/tls2.c
|
||||
+++ b/libraries/libldap/tls2.c
|
||||
@@ -383,6 +383,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
|
||||
if ( lo && lo->ldo_tls_connect_cb && lo->ldo_tls_connect_cb !=
|
||||
ld->ld_options.ldo_tls_connect_cb )
|
||||
lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
|
||||
+ conn->lconn_status = LDAP_CONNST_TLS_INPROGRESS;
|
||||
}
|
||||
|
||||
/* pass hostname for SNI, but only if it's an actual name
|
||||
@@ -441,9 +442,11 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
|
||||
ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
|
||||
LBER_SBIOD_LEVEL_TRANSPORT );
|
||||
#endif
|
||||
+ conn->lconn_status = LDAP_CONNST_CONNECTED;
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ conn->lconn_status = LDAP_CONNST_CONNECTED;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -516,8 +519,9 @@ int
|
||||
ldap_tls_inplace( LDAP *ld )
|
||||
{
|
||||
Sockbuf *sb = NULL;
|
||||
+ LDAPConn *lc = ld->ld_defconn;
|
||||
|
||||
- if ( ld->ld_defconn && ld->ld_defconn->lconn_sb ) {
|
||||
+ if ( lc && lc->lconn_sb ) {
|
||||
sb = ld->ld_defconn->lconn_sb;
|
||||
|
||||
} else if ( ld->ld_sb ) {
|
||||
@@ -527,6 +531,10 @@ ldap_tls_inplace( LDAP *ld )
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if ( lc && lc->lconn_status == LDAP_CONNST_TLS_INPROGRESS ) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
return ldap_pvt_tls_inplace( sb );
|
||||
}
|
||||
|
||||
@@ -1159,6 +1167,9 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
|
||||
*/
|
||||
while ( ret > 0 ) {
|
||||
if ( async ) {
|
||||
+ ld->ld_errno = LDAP_X_CONNECTING;
|
||||
+ return (ld->ld_errno);
|
||||
+ } else {
|
||||
struct timeval curr_time_tv, delta_tv;
|
||||
int wr=0;
|
||||
|
||||
@@ -1217,6 +1228,11 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
|
||||
ret = ldap_int_tls_connect( ld, conn, host );
|
||||
}
|
||||
|
||||
+ if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
|
||||
+ /* Restore original sb status */
|
||||
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)0 );
|
||||
+ }
|
||||
+
|
||||
if ( ret < 0 ) {
|
||||
if ( ld->ld_errno == LDAP_SUCCESS )
|
||||
ld->ld_errno = LDAP_CONNECT_ERROR;
|
||||
--
|
||||
2.47.1
|
||||
|
||||
@ -17,7 +17,7 @@
|
||||
|
||||
Name: openldap
|
||||
Version: 2.6.8
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: LDAP support libraries
|
||||
License: OLDAP-2.8
|
||||
URL: http://www.openldap.org/
|
||||
@ -51,6 +51,7 @@ Patch6: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
|
||||
Patch7: openldap-openssl-manpage-defaultCA.patch
|
||||
Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
|
||||
Patch9: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
|
||||
Patch10: openldap-fix-TLS-connection-timeout-handling.patch
|
||||
|
||||
# check-password module specific patches
|
||||
Patch90: check-password-makefile.patch
|
||||
@ -173,6 +174,7 @@ pushd openldap-%{version}
|
||||
%patch -P7 -p1
|
||||
%patch -P8 -p1
|
||||
%patch -P9 -p1
|
||||
%patch -P10 -p1
|
||||
|
||||
# build smbk5pwd with other overlays
|
||||
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
|
||||
@ -560,6 +562,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Feb 12 2025 Simon Pichugin <spichugi@redhat.com> - 2.6.8-3
|
||||
- Fix TLS connection timeout handling (RHEL-68773)
|
||||
|
||||
* Tue Jan 7 2025 Simon Pichugin <spichugi@redhat.com> - 2.6.8-2
|
||||
- Replace baseos-ci tests with osci (RHEL-71052)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user