From b910c465d3adfa3c9258a6519b1afd77dd4db22f Mon Sep 17 00:00:00 2001
From: Antonio Torres
Date: Apr 22 2022 13:28:38 +0000
Subject: Use infinite timeout when using LDAP+start-TLS

This will ensure that the TLS connection to the LDAP server will complete before starting FreeRADIUS, as it forces libldap to use a blocking socket during the process. Infinite timeout is the OpenLDAP default. Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134

Related: #1983063
Signed-off-by: Antonio Torres
---
diff --git a/freeradius-ldap-infinite-timeout-on-starttls.patch b/freeradius-ldap-infinite-timeout-on-starttls.patch
new file mode 100644
index 0000000..40df134
--- /dev/null
+++ b/freeradius-ldap-infinite-timeout-on-starttls.patch
@@ -0,0 +1,31 @@
+From: Antonio Torres
+Date: Fri, 28 Jan 2022
+Subject: Use infinite timeout when using LDAP+start-TLS
+
+This will ensure that the TLS connection to the LDAP server will complete
+before starting FreeRADIUS, as it forces libldap to use a blocking socket during
+the process. Infinite timeout is the OpenLDAP default.
+Avoids this: https://git.openldap.org/openldap/openldap/-/blob/87ffc60006298069a5a044b8e63dab27a61d3fdf/libraries/libldap/tls2.c#L1134
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1992551
+Signed-off-by: Antonio Torres
+---
+ src/modules/rlm_ldap/ldap.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/modules/rlm_ldap/ldap.c b/src/modules/rlm_ldap/ldap.c
+index cf7a84e069..841bf888a1 100644
+--- a/src/modules/rlm_ldap/ldap.c
++++ b/src/modules/rlm_ldap/ldap.c
+@@ -1472,7 +1472,10 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ }
+
+ #ifdef LDAP_OPT_NETWORK_TIMEOUT
+- if (inst->net_timeout) {
++ bool using_tls = inst->start_tls ||
++ inst->port == 636 ||
++ strncmp(inst->server, "ldaps://", strlen("ldaps://")) == 0;
++ if (inst->net_timeout && !using_tls) {
+ memset(&tv, 0, sizeof(tv));
+ tv.tv_sec = inst->net_timeout;
+
diff --git a/freeradius.spec b/freeradius.spec
index 75112a4..15bf545 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.25
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
@@ -25,6 +25,7 @@ Patch2: freeradius-Use-system-crypto-policy-by-default.patch
 Patch3: freeradius-bootstrap-create-only.patch
 Patch4: freeradius-no-buildtime-cert-gen.patch
 Patch5: freeradius-bootstrap-make-permissions.patch
+Patch6: freeradius-ldap-infinite-timeout-on-starttls.patch
 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
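Review bot: The `using_tls` guard on the `if (inst->net_timeout && !using_tls)` line makes a configured `net_timeout` silently inert for every TLS connection, so a stalled or unreachable LDAP server can now block `mod_conn_create` — and with it module start-up — for as long as the kernel's TCP connect timeout allows; the commit message explains the libldap constraint, but nothing in the code tells the operator. Suggest a comment above the declaration, `/* libldap needs a blocking socket to finish StartTLS/LDAPS; net_timeout is deliberately not applied when TLS is used */`, plus a debug-level log line in the skipped case when `inst->net_timeout` is non-zero, so the override is visible in the server log rather than discovered by surprise. The `strncmp(inst->server, "ldaps://", …)` test is case-sensitive and only inspects the start of `inst->server`; if that string can hold several space-separated servers in 3.0.x (verify), a later `ldaps://` entry is missed, and `strncasecmp` would also accept an upper-case scheme. The enclosing `mod_conn_create` body begins and ends outside the hunk.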
@@ -207,6 +208,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %build
 # Force compile/link options, extra security for network facing daemon
@@ -897,6 +899,10 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 %changelog
+* Fri Apr 22 2022 Antonio Torres - 3.0.25-4
+- Use infinite timeout when using LDAP+start-TLS
+ Related: #1983063
+
 * Thu Jan 20 2022 Fedora Release Engineering - 3.0.25-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild