The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
start_tls.c File Reference

Start TLS asynchronously.

#include <freeradius-devel/ldap/base.h>
#include <freeradius-devel/util/debug.h>

Data Structures

struct fr_ldap_start_tls_ctx_t
 Holds arguments for the start_tls operation.


Functions

static void _ldap_start_tls_io_error (UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, UNUSED int fd_errno, void *uctx)
 Error reading from or writing to the file descriptor.

static void _ldap_start_tls_io_read (UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
 Event handler for the response to the StartTLS extended operation.

static void _ldap_start_tls_io_write (fr_event_list_t *el, int fd, UNUSED int flags, void *uctx)
 Send an extended operation to the LDAP server, requesting a transition to TLS.

int fr_ldap_start_tls_async (fr_ldap_connection_t *c, LDAPControl **serverctrls, LDAPControl **clientctrls)
 Install I/O handlers for Start TLS negotiation.


Detailed Description

Start TLS asynchronously.

Id: 527ba041343b8d0c06061207fc2e4770af26371e
Id: fb069a7ef58500950114cb0d5b9b1ad1f912533b

Definition in file start_tls.c.


Data Structure Documentation

◆ fr_ldap_start_tls_ctx_t

struct fr_ldap_start_tls_ctx_t

Holds arguments for the start_tls operation.

Definition at line 34 of file start_tls.c.

Data Fields

 fr_ldap_connection_t *c	The current connection.
 LDAPControl **clientctrls	Controls to pass to the client (library).
 int msgid
 LDAPControl **serverctrls	Controls to pass to the server.

Function Documentation

◆ _ldap_start_tls_io_error()

static void _ldap_start_tls_io_error (UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, UNUSED int fd_errno, void *uctx)

Error reading from or writing to the file descriptor.

Parameters
 [in] el	The event list the event occurred in.
 [in] fd	The file descriptor the event occurred on.
 [in] flags	Flags from kevent.
 [in] fd_errno	The error that occurred.
 [in] uctx	Connection config and handle.

Definition at line 50 of file start_tls.c.


◆ _ldap_start_tls_io_read()

static void _ldap_start_tls_io_read (UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)

Event handler for the response to the StartTLS extended operation.

Call flow is:

  • ldap_install_tls
    • calls ldap_pvt_tls_inplace to check if the Sockbuf for defconn already has TLS installed
      • If it does (it shouldn't), returns LDAP_LOCAL_ERROR (and we fail).
    • calls ldap_int_tls_start.
      • calls tls_init (to initialise the SSL library - only done once per implementation).
      • if the net timeout is >= 0, sets the FD to non-blocking mode.
      • calls ldap_int_tls_connect
        • either gets the existing session or
          • installs Sockbuf shims to do TLS encode/decode.
          • calls the connect callback
        • calls ->ti_session_connect (SSL library callback)
          • calls tlso_session_connect (OpenSSL shim)
            • calls SSL_connect - SSL_connect can be called multiple times to continue session negotiation. Returns 0 on success, -1 on error.
        • on -1, calls update_flags, which calls tlso_session_upflags
          • calls SSL_get_error, which returns SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, SSL_ERROR_WANT_CONNECT, or another error. If the error code is one of the above, returns 1, else returns 0. Sets sb->sb_trans_needs_read or sb->sb_trans_needs_write.
        • if update_flags returns 1, ldap_int_tls_connect returns 1.
      • calls ldap_int_poll to check for errors.
    • returns LDAP_TIMEOUT if no data is available and we hit the timeout.

So unfortunately ldap_install_tls is blocking... We need to send patches to OpenLDAP in order to fix that.

Parameters
 [in] el	The event list the event occurred in.
 [in] fd	The file descriptor the event occurred on.
 [in] flags	Flags from kevent.
 [in] uctx	Connection config and handle.

Definition at line 96 of file start_tls.c.


◆ _ldap_start_tls_io_write()

static void _ldap_start_tls_io_write (fr_event_list_t *el, int fd, UNUSED int flags, void *uctx)

Send an extended operation to the LDAP server, requesting a transition to TLS.

Behind the scenes ldap_start_tls calls:

 ldap_extended_operation(ld, LDAP_EXOP_START_TLS, NULL, serverctrls, clientctrls, msgidp);

Parameters
 [in] el	The event list the event occurred in.
 [in] fd	The file descriptor the event occurred on.
 [in] flags	Flags from kevent.
 [in] uctx	Connection config and handle.

Definition at line 149 of file start_tls.c.


◆ fr_ldap_start_tls_async()

int fr_ldap_start_tls_async (fr_ldap_connection_t *c, LDAPControl **serverctrls, LDAPControl **clientctrls)

Install I/O handlers for Start TLS negotiation.

Parameters
 [in] c	Connection to StartTLS on.
 [in] serverctrls	Extra controls to pass to the server.
 [in] clientctrls	Extra controls to pass to libldap.
Returns
  • 0 on success.
  • -1 on failure.

Definition at line 222 of file start_tls.c.
