The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
state.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: fb069a7ef58500950114cb0d5b9b1ad1f912533b $
19 * @file lib/ldap/start_tls.c
20 * @brief Start TLS asynchronously
21 *
22 * @copyright 2017 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 */
24RCSID("$Id: fb069a7ef58500950114cb0d5b9b1ad1f912533b $")
25
26USES_APPLE_DEPRECATED_API
27
28#include <freeradius-devel/ldap/base.h>
29
30#define STATE_TRANSITION(_new) \
31do { \
32 DEBUG4("Changed state %s -> %s", \
33 fr_table_str_by_value(fr_ldap_connection_states, c->state, "<INVALID>"), \
34 fr_table_str_by_value(fr_ldap_connection_states, _new, "<INVALID>")); \
35 c->state = _new; \
36} while (0)
37
38/** Move between LDAP connection states
39 *
40 * Bringing up an LDAP connection is quite complex, as we need to do multiple operations
41 * before we can install the main mux/demux functions which do the work of sending
42 * requests to the directory and processing the responses.
43 *
44 * This function moves the connection through different states, setting different I/O
45 * handlers.
46 *
47 * If any of the states
48 */
49fr_ldap_state_t fr_ldap_state_next(fr_ldap_connection_t *c)
50{
51again:
52 switch (c->state) {
53 /*
54 * Start by negotiating TLS, or binding
55 */
56 case FR_LDAP_STATE_INIT:
57 if (c->config->start_tls) {
58 if (fr_ldap_start_tls_async(c, NULL, NULL) < 0) {
59 STATE_TRANSITION(FR_LDAP_STATE_ERROR);
60 goto again;
61 }
62 STATE_TRANSITION(FR_LDAP_STATE_START_TLS);
63 break;
64 }
65 FALL_THROUGH;
66
67 /*
68 * If we're successful in negotiating TLS,
69 * bind to the server as the credentials
70 * will now be protected.
71 */
72 case FR_LDAP_STATE_START_TLS:
73 STATE_TRANSITION(FR_LDAP_STATE_BIND);
74
75 /*
76 * SASL uses a different (and more complex) codepath
77 */
78#ifdef WITH_SASL
79 if (c->config->admin_sasl.mech) {
80 if (fr_ldap_sasl_bind_async(c,
81 c->config->admin_sasl.mech,
82 c->config->admin_identity,
83 c->config->admin_password,
84 c->config->admin_sasl.proxy,
85 c->config->admin_sasl.realm,
86 NULL, NULL) < 0) {
87 STATE_TRANSITION(FR_LDAP_STATE_ERROR);
88 goto again;
89 }
90 break;
91 }
92#endif
93
94 /*
95 * Normal binds are just a simple request/response pair
96 */
97 if (fr_ldap_bind_async(c,
98 c->config->admin_identity,
99 c->config->admin_password,
100 NULL, NULL) < 0) {
101 STATE_TRANSITION(FR_LDAP_STATE_ERROR);
102 goto again;
103 }
104 break;
105
106 /*
107 * After binding install the mux (write) and
108 * demux (read) I/O functions.
109 */
110 case FR_LDAP_STATE_BIND:
111 STATE_TRANSITION(FR_LDAP_STATE_RUN);
112 connection_signal_connected(c->conn);
113 break;
114
115 /*
116 * Something went wrong
117 */
118 case FR_LDAP_STATE_RUN: /* There's no next state for run, so this an error */
119 case FR_LDAP_STATE_ERROR:
120 STATE_TRANSITION(FR_LDAP_STATE_INIT);
121 connection_signal_reconnect(c->conn, CONNECTION_FAILED);
122 /*
123 * The old connection has been freed, so specifically return the INIT state
124 */
125 return FR_LDAP_STATE_INIT;
126 }
127
128 return c->state;
129}
130
131/** Signal that there's been an error on the connection
132 *
133 */
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:470
RCSID
#define RCSID(id)
Definition build.h:483
FALL_THROUGH
#define FALL_THROUGH
clang 10 doesn't recognised the FALL-THROUGH comment anymore
Definition build.h:322
CONNECTION_FAILED
@ CONNECTION_FAILED
Connection is being reconnected because it failed.
Definition connection.h:84
fr_ldap_sasl_t::mech
char const * mech
SASL mech(s) to try.
Definition base.h:129
fr_ldap_sasl_t::proxy
char const * proxy
Identity to proxy.
Definition base.h:130
fr_ldap_config_t::admin_password
char const * admin_password
Password used in administrative bind.
Definition base.h:231
fr_ldap_connection_t::state
fr_ldap_state_t state
LDAP connection state machine.
Definition base.h:347
fr_ldap_config_t::admin_identity
char const * admin_identity
Identity we bind as when we need to query the LDAP directory.
Definition base.h:229
fr_ldap_bind_async
int fr_ldap_bind_async(fr_ldap_connection_t *c, char const *bind_dn, char const *password, LDAPControl **serverctrls, LDAPControl **clientctrls)
Install I/O handlers for the bind operation.
Definition bind.c:185
fr_ldap_state_t
fr_ldap_state_t
LDAP connection handle states.
Definition base.h:167
FR_LDAP_STATE_ERROR
@ FR_LDAP_STATE_ERROR
Connection is in an error state.
Definition base.h:172
FR_LDAP_STATE_BIND
@ FR_LDAP_STATE_BIND
Connection is being bound.
Definition base.h:170
FR_LDAP_STATE_START_TLS
@ FR_LDAP_STATE_START_TLS
TLS is being negotiated.
Definition base.h:169
FR_LDAP_STATE_RUN
@ FR_LDAP_STATE_RUN
Connection is muxing/demuxing requests.
Definition base.h:171
FR_LDAP_STATE_INIT
@ FR_LDAP_STATE_INIT
Connection uninitialised.
Definition base.h:168
fr_ldap_connection_t::config
fr_ldap_config_t const * config
rlm_ldap connection configuration.
Definition base.h:344
fr_ldap_config_t::start_tls
bool start_tls
Send the Start TLS message to the LDAP directory to start encrypted communications using the standard...
Definition base.h:258
fr_ldap_sasl_t::realm
char const * realm
Kerberos realm.
Definition base.h:131
fr_ldap_config_t::admin_sasl
fr_ldap_sasl_t admin_sasl
SASL parameters used when binding as the admin.
Definition base.h:233
fr_ldap_start_tls_async
int fr_ldap_start_tls_async(fr_ldap_connection_t *c, LDAPControl **serverctrls, LDAPControl **clientctrls)
Install I/O handlers for Start TLS negotiation.
Definition start_tls.c:222
fr_ldap_connection_t::conn
connection_t * conn
Connection state handle.
Definition base.h:345
fr_ldap_connection_t
Tracks the state of a libldap connection handle.
Definition base.h:332
fr_ldap_state_error
void fr_ldap_state_error(fr_ldap_connection_t *c)
Signal that there's been an error on the connection.
Definition state.c:134
fr_ldap_state_next
fr_ldap_state_t fr_ldap_state_next(fr_ldap_connection_t *c)
Move between LDAP connection states.
Definition state.c:49
STATE_TRANSITION
#define STATE_TRANSITION(_new)
Definition state.c:30
fr_ldap_sasl_bind_async
int fr_ldap_sasl_bind_async(fr_ldap_connection_t *c, char const *mechs, char const *identity, char const *password, char const *proxy, char const *realm, LDAPControl **serverctrls, LDAPControl **clientctrls)
Install I/O handlers for the bind operation.
Definition sasl.c:308
connection_signal_reconnect
void connection_signal_reconnect(connection_t *conn, connection_reason_t reason)
Asynchronously signal the connection should be reconnected.
Definition connection.c:1170
connection_signal_connected
void connection_signal_connected(connection_t *conn)
Asynchronously signal that the connection is open.
Definition connection.c:1140
Generated by   doxygen 1.9.8