The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
start_tls.c
Go to the documentation of this file.
1/*
2 * This program is is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or (at
5 * your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: 527ba041343b8d0c06061207fc2e4770af26371e $
19 * @file lib/ldap/start_tls.c
20 * @brief Start TLS asynchronously
21 *
22 * @copyright 2017 Arran Cudbard-Bell (a.cudbardb@freeradius.org)
23 */
24RCSID("$Id: 527ba041343b8d0c06061207fc2e4770af26371e $")
25
26USES_APPLE_DEPRECATED_API
27
28#include <freeradius-devel/ldap/base.h>
29#include <freeradius-devel/util/debug.h>
30
31/** Holds arguments for the start_tls operation
32 *
33 */
34typedef struct {
35 fr_ldap_connection_t *c; //!< The current connection.
36 LDAPControl **serverctrls; //!< Controls to pass to the server.
37 LDAPControl **clientctrls; //!< Controls to pass to the client (library).
38
39 int msgid;
40} fr_ldap_start_tls_ctx_t;
41
42/** Error reading from or writing to the file descriptor
43 *
44 * @param[in] el the event occurred in.
45 * @param[in] fd the event occurred on.
46 * @param[in] flags from kevent.
47 * @param[in] fd_errno The error that occurred.
48 * @param[in] uctx Connection config and handle.
49 */
50static void _ldap_start_tls_io_error(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags,
51 UNUSED int fd_errno, void *uctx)
52{
53 fr_ldap_start_tls_ctx_t *tls_ctx = talloc_get_type_abort(uctx, fr_ldap_start_tls_ctx_t);
54 fr_ldap_connection_t *c = tls_ctx->c;
55
56 talloc_free(tls_ctx);
57 fr_ldap_state_error(c); /* Restart the connection state machine */
58}
59
60/** Event handler for the response to the StartTLS extended operation
61 *
62 * Call flow is:
63 *
64 * - ldap_install_tls
65 * - calls ldap_pvt_tls_inplace to check is the Sockbuf for defconn has TLS installed
66 * - If it does (it shouldn't), returns LDAP_LOCAL_ERROR (and we fail).
67 * - calls ldap_int_tls_start.
68 * - calls tls_init (to initialise ssl library - only done once per implementation).
69 * - if net timeout is >= 0, then set the FD to nonblocking mode.
70 * - calls ldap_int_tls_connect
71 * - either gets existing session or
72 * - installs sockbuff shims to do tls encode/decode.
73 * - calls connect callback
74 * - calls ->ti_session_connect (ssl library callback)
75 * - calls tlso_session_connect (openssl shim)
76 * - calls SSL_connect - SSL_connect can be called multiple times
77 * to continue session negotiation.
78 * returns 0 on success, -1 on error.
79 * - on -1, calls update_flags, which calls tlso_session_upflags
80 * - calls SSL_get_error, which returns SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE,
81 * SSL_ERROR_WANT_CONNECT, or another error. If error code is one of the above
82 * returns 1, else returns 0.
83 * Sets sb->sb_trans_needs_read or sb->sb_trans_needs_write.
84 * - if update_flags returns 1 ldap_int_tls_connect returns 1.
85 * - calls ldap_int_poll to check for errors.
86 * - returns LDAP_TIMEOUT if no data is available and we hit the timeout.
87 *
88 * So unfortunately ldap_install_tls is blocking... We need to send patches to OpenLDAP
89 * in order to fix that.
90 *
91 * @param[in] el the event occurred in.
92 * @param[in] fd the event occurred on.
93 * @param[in] flags from kevent.
94 * @param[in] uctx Connection config and handle.
95 */
96static void _ldap_start_tls_io_read(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
97{
98 fr_ldap_start_tls_ctx_t *tls_ctx = talloc_get_type_abort(uctx, fr_ldap_start_tls_ctx_t);
99 fr_ldap_connection_t *c = tls_ctx->c;
100 int ret;
101 fr_ldap_rcode_t status;
102
103 /*
104 * We're I/O driven, if there's no data someone lied to us
105 */
106 status = fr_ldap_result(NULL, NULL, c, tls_ctx->msgid, LDAP_MSG_ALL, NULL, fr_time_delta_wrap(0));
107 talloc_free(tls_ctx); /* Free explicitly so we don't accumulate contexts */
108
109 switch (status) {
110 case LDAP_PROC_SUCCESS:
111 /*
112 * If tls_handshake_timeout is NULL ldap_install_tls
113 * will block forever.
114 */
115 fr_ldap_connection_timeout_set(c, c->config->tls_handshake_timeout);
116
117 /*
118 * This call will block for a maximum of tls_handshake_timeout.
119 * Patches to libldap are required to fix this.
120 */
121 ret = ldap_install_tls(c->handle);
122 fr_ldap_connection_timeout_reset(c);
123 if (ret != LDAP_SUCCESS) {
124 ERROR("ldap_install_tls failed: %s", ldap_err2string(ret));
125 fr_ldap_state_error(c); /* Restart the connection state machine */
126 }
127
128 fr_ldap_state_next(c); /* onto the next operation */
129 break;
130
131 default:
132 PERROR("StartTLS failed");
133 fr_ldap_state_error(c); /* Restart the connection state machine */
134 break;
135 }
136}
137
138/** Send an extended operation to the LDAP server, requesting a transition to TLS
139 *
140 * Behind the scenes ldap_start_tls calls:
141 *
142 * ldap_extended_operation(ld, LDAP_EXOP_START_TLS, NULL, serverctrls, clientctrls, msgidp);
143 *
144 * @param[in] el the event occurred in.
145 * @param[in] fd the event occurred on.
146 * @param[in] flags from kevent.
147 * @param[in] uctx Connection config and handle.
148 */
149static void _ldap_start_tls_io_write(fr_event_list_t *el, int fd, UNUSED int flags, void *uctx)
150{
151 fr_ldap_start_tls_ctx_t *tls_ctx = talloc_get_type_abort(uctx, fr_ldap_start_tls_ctx_t);
152 fr_ldap_connection_t *c = tls_ctx->c;
153
154 int ret;
155
156 LDAPControl *our_serverctrls[LDAP_MAX_CONTROLS];
157 LDAPControl *our_clientctrls[LDAP_MAX_CONTROLS];
158
159 fr_ldap_control_merge(our_serverctrls, our_clientctrls,
160 NUM_ELEMENTS(our_serverctrls),
161 NUM_ELEMENTS(our_clientctrls),
162 c, tls_ctx->serverctrls, tls_ctx->clientctrls);
163
164 ret = ldap_start_tls(c->handle, our_serverctrls, our_clientctrls, &tls_ctx->msgid);
165 /*
166 * If the handle was not connected, this operation
167 * can return either LDAP_X_CONNECTING or LDAP_SUCCESS
168 * depending on how fast the connection came up
169 * and whether it was connectionless.
170 */
171 switch (ret) {
172 case LDAP_X_CONNECTING: /* Connection in progress - retry later */
173 ret = ldap_get_option(c->handle, LDAP_OPT_DESC, &fd);
174 if (!fr_cond_assert(ret == LDAP_OPT_SUCCESS)) {
175 error:
176 talloc_free(tls_ctx);
177 fr_ldap_connection_timeout_reset(c);
178 fr_ldap_state_error(c); /* Restart the connection state machine */
179 return;
180 }
181
182 ret = fr_event_fd_insert(tls_ctx, NULL, el, fd,
183 NULL,
184 _ldap_start_tls_io_write, /* We'll be called again when the conn is open */
185 _ldap_start_tls_io_error,
186 tls_ctx);
187 if (!fr_cond_assert(ret == 0)) goto error;
188 break;
189
190 case LDAP_SUCCESS:
191 if (fd < 0) {
192 ret = ldap_get_option(c->handle, LDAP_OPT_DESC, &fd);
193 if ((ret != LDAP_OPT_SUCCESS) || (fd < 0)) goto error;
194 }
195 c->fd = fd;
196 ret = fr_event_fd_insert(tls_ctx, NULL, el, fd,
197 _ldap_start_tls_io_read,
198 NULL,
199 _ldap_start_tls_io_error,
200 tls_ctx);
201 if (!fr_cond_assert(ret == 0)) goto error;
202 break;
203
204 default:
205 ERROR("ldap_start_tls failed: %s", ldap_err2string(ret));
206 goto error;
207 }
208
209 fr_ldap_connection_timeout_reset(c);
210}
211
212
213/** Install I/O handlers for Start TLS negotiation
214 *
215 * @param[in] c connection to StartTLS on.
216 * @param[in] serverctrls Extra controls to pass to the server.
217 * @param[in] clientctrls Extra controls to pass to libldap.
218 * @return
219 * - 0 on success.
220 * - -1 on failure.
221 */
222int fr_ldap_start_tls_async(fr_ldap_connection_t *c, LDAPControl **serverctrls, LDAPControl **clientctrls)
223{
224 int fd = -1;
225 fr_ldap_start_tls_ctx_t *tls_ctx;
226 fr_event_list_t *el;
227
228 DEBUG2("Starting TLS negotiation");
229
230 MEM(tls_ctx = talloc_zero(c, fr_ldap_start_tls_ctx_t));
231 tls_ctx->c = c;
232 tls_ctx->serverctrls = serverctrls;
233 tls_ctx->clientctrls = clientctrls;
234
235 el = c->conn->el;
236
237 /*
238 * ldap_get_option can return LDAP_SUCCESS even if the fd is not yet available
239 * - hence the test for fd >= 0
240 */
241 if ((ldap_get_option(c->handle, LDAP_OPT_DESC, &fd) == LDAP_SUCCESS) && (fd >= 0)) {
242 int ret;
243
244 ret = fr_event_fd_insert(tls_ctx, NULL, el, fd,
245 NULL,
246 _ldap_start_tls_io_write,
247 _ldap_start_tls_io_error,
248 tls_ctx);
249 if (!fr_cond_assert(ret == 0)) {
250 talloc_free(tls_ctx);
251 return -1;
252 }
253 } else {
254 _ldap_start_tls_io_write(el, -1, 0, tls_ctx);
255 }
256
257 return 0;
258}
USES_APPLE_DEPRECATED_API
#define USES_APPLE_DEPRECATED_API
Definition build.h:470
RCSID
#define RCSID(id)
Definition build.h:483
UNUSED
#define UNUSED
Definition build.h:315
NUM_ELEMENTS
#define NUM_ELEMENTS(_t)
Definition build.h:337
fr_cond_assert
#define fr_cond_assert(_x)
Calls panic_action ifndef NDEBUG, else logs error and evaluates to value of _x.
Definition debug.h:139
MEM
#define MEM(x)
Definition debug.h:36
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
fr_event_fd_insert
#define fr_event_fd_insert(...)
Definition event.h:232
fr_ldap_connection_t::handle
LDAP * handle
libldap handle.
Definition base.h:333
fr_ldap_control_merge
void fr_ldap_control_merge(LDAPControl *serverctrls_out[], LDAPControl *clientctrls_out[], size_t serverctrls_len, size_t clientctrls_len, fr_ldap_connection_t *conn, LDAPControl *serverctrls_in[], LDAPControl *clientctrls_in[])
Merge connection and call specific client and server controls.
Definition control.c:48
fr_ldap_connection_timeout_set
int fr_ldap_connection_timeout_set(fr_ldap_connection_t const *conn, fr_time_delta_t timeout)
Definition connection.c:409
fr_ldap_connection_t::fd
int fd
File descriptor for this connection.
Definition base.h:349
fr_ldap_state_error
void fr_ldap_state_error(fr_ldap_connection_t *c)
Signal that there's been an error on the connection.
Definition state.c:134
fr_ldap_config_t::tls_handshake_timeout
fr_time_delta_t tls_handshake_timeout
How long we wait for the TLS handshake to complete.
Definition base.h:309
fr_ldap_connection_t::config
fr_ldap_config_t const * config
rlm_ldap connection configuration.
Definition base.h:344
fr_ldap_state_next
fr_ldap_state_t fr_ldap_state_next(fr_ldap_connection_t *c)
Move between LDAP connection states.
Definition state.c:49
LDAP_MAX_CONTROLS
#define LDAP_MAX_CONTROLS
Maximum number of client/server controls.
Definition base.h:94
fr_ldap_connection_timeout_reset
int fr_ldap_connection_timeout_reset(fr_ldap_connection_t const *conn)
Definition connection.c:431
fr_ldap_connection_t::conn
connection_t * conn
Connection state handle.
Definition base.h:345
fr_ldap_rcode_t
fr_ldap_rcode_t
Codes returned by fr_ldap internal functions.
Definition base.h:582
LDAP_PROC_SUCCESS
@ LDAP_PROC_SUCCESS
Operation was successful.
Definition base.h:585
fr_ldap_connection_t
Tracks the state of a libldap connection handle.
Definition base.h:332
fr_ldap_result
fr_ldap_rcode_t fr_ldap_result(LDAPMessage **result, LDAPControl ***ctrls, fr_ldap_connection_t const *conn, int msgid, int all, char const *dn, fr_time_delta_t timeout)
Parse response from LDAP server dealing with any errors.
Definition base.c:450
PERROR
#define PERROR(_fmt,...)
Definition log.h:228
talloc_free
talloc_free(reap)
fr_event_list
Stores all information relating to an event list.
Definition event.c:411
DEBUG2
#define DEBUG2(fmt,...)
Definition radclient.h:43
_ldap_start_tls_io_error
static void _ldap_start_tls_io_error(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, UNUSED int fd_errno, void *uctx)
Error reading from or writing to the file descriptor.
Definition start_tls.c:50
_ldap_start_tls_io_read
static void _ldap_start_tls_io_read(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int flags, void *uctx)
Event handler for the response to the StartTLS extended operation.
Definition start_tls.c:96
fr_ldap_start_tls_ctx_t::msgid
int msgid
Definition start_tls.c:39
fr_ldap_start_tls_ctx_t::c
fr_ldap_connection_t * c
The current connection.
Definition start_tls.c:35
_ldap_start_tls_io_write
static void _ldap_start_tls_io_write(fr_event_list_t *el, int fd, UNUSED int flags, void *uctx)
Send an extended operation to the LDAP server, requesting a transition to TLS.
Definition start_tls.c:149
fr_ldap_start_tls_async
int fr_ldap_start_tls_async(fr_ldap_connection_t *c, LDAPControl **serverctrls, LDAPControl **clientctrls)
Install I/O handlers for Start TLS negotiation.
Definition start_tls.c:222
fr_ldap_start_tls_ctx_t::serverctrls
LDAPControl ** serverctrls
Controls to pass to the server.
Definition start_tls.c:36
fr_ldap_start_tls_ctx_t::clientctrls
LDAPControl ** clientctrls
Controls to pass to the client (library).
Definition start_tls.c:37
fr_ldap_start_tls_ctx_t
Holds arguments for the start_tls operation.
Definition start_tls.c:34
fr_time_delta_wrap
#define fr_time_delta_wrap(_time)
Definition time.h:152
el
static fr_event_list_t * el
Definition unit_test_attribute.c:270
Generated by   doxygen 1.9.8