Full_Name: Ian Puleston
Version: 2.4.40
OS: VxWorks
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (204.118.31.3)

I've been using the new non-blocking TLS connect feature added in version 2.4.34 (issue #7428, compiled with LDAP_USE_NON_BLOCKING_TLS) and found a problem that it does not work in a reference/referral. It only works on the default connection, and that can cause a long or permanent hang in SSL_connect as follows, even when a network timeout is set and LDAP_USE_NON_BLOCKING_TLS is on:

ldap_result -> ldap_chase_v3referrals
ldap_chase_v3referrals -> ldap_send_server_request
ldap_send_server_request -> ldap_new_connection
ldap_new_connection -> ldap_int_open_connection
ldap_int_open_connection -> ldap_int_tls_start
ldap_int_tls_start -> ldap_pvt_tls_connect
ldap_pvt_tls_connect -> (v0) tlso_session_connect -> SSL_connect

The problem is that the calls to ber_sockbuf_ctrl with LBER_SB_OPT_SET_NONBLOCK pass the Sockbuf as ld->ld_sb where they should be passing it as sb, that being the Sockbuf for this connection. The following 3 changes in ldap_int_tls_start fix it:

Change:
    ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
to:
    ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );

Change:
    ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb );
to:
    ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 );

Change:
    ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, NULL );
to:
    ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, NULL );

Note I also changed the 3rd argument there from "sb" to "(void*)1" just because I think passing sb there is a little confusing. Either will work fine.

Ian
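As an added illustration, not part of Ian's report or of libldap itself, the following C program models the two call patterns described above using fcntl on two constructed AF_UNIX socketpairs (no network). The Sockbuf and LDAP structures, sb_set_nonblock, tls_start_before/tls_start_after and referral_fd_state are hypothetical stand-ins for the libldap internals, not real library APIs. It shows that setting O_NONBLOCK on ld->ld_sb leaves a referral connection's own fd in blocking mode, which is why the handshake on that fd can hang regardless of the configured network timeout, and it provides the fd_is_nonblocking check a caller would want to run on the exact fd about to be handed to a handshake routine.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Minimal stand-ins for libldap's Sockbuf and LDAP structures
 * (hypothetical; the real ones carry far more state). */
typedef struct { int sb_fd; } Sockbuf;
typedef struct { Sockbuf *ld_sb; } LDAP;   /* ld_sb: the default connection */

/* Models ber_sockbuf_ctrl(sb, LBER_SB_OPT_SET_NONBLOCK, arg) with fcntl:
 * a non-NULL arg enables O_NONBLOCK, NULL clears it. Returns 0 or -1. */
static int sb_set_nonblock(Sockbuf *sb, void *arg)
{
	int flags = fcntl(sb->sb_fd, F_GETFL, 0);
	if (flags < 0)
		return -1;
	flags = arg ? (flags | O_NONBLOCK) : (flags & ~O_NONBLOCK);
	return fcntl(sb->sb_fd, F_SETFL, flags) < 0 ? -1 : 0;
}

/* The check to run right before handing an fd to SSL_connect():
 * 1 if the fd is non-blocking, 0 if it is blocking, -1 on fcntl failure. */
int fd_is_nonblocking(int fd)
{
	int flags = fcntl(fd, F_GETFL, 0);
	if (flags < 0)
		return -1;
	return (flags & O_NONBLOCK) ? 1 : 0;
}

/* Pattern before the fix: toggles the default connection's Sockbuf even
 * when 'sb' belongs to a referral connection. */
static void tls_start_before(LDAP *ld, Sockbuf *sb)
{
	(void)sb;
	sb_set_nonblock(ld->ld_sb, (void *)1);
}

/* Pattern after the fix: toggles the Sockbuf of the connection being started. */
static void tls_start_after(LDAP *ld, Sockbuf *sb)
{
	(void)ld;
	sb_set_nonblock(sb, (void *)1);
}

/* Builds a default connection and a referral connection from two constructed
 * socketpairs, runs one of the two patterns on the referral Sockbuf, optionally
 * runs the matching reset (NULL argument) on the same Sockbuf that was enabled,
 * and returns fd_is_nonblocking() for the referral fd. */
int referral_fd_state(int fixed, int reset_afterwards)
{
	int def[2], ref[2], state;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, def) < 0)
		return -1;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, ref) < 0) {
		close(def[0]); close(def[1]);
		return -1;
	}
	Sockbuf default_sb = { def[0] };
	Sockbuf referral_sb = { ref[0] };
	LDAP ld = { &default_sb };

	if (fixed)
		tls_start_after(&ld, &referral_sb);
	else
		tls_start_before(&ld, &referral_sb);

	if (reset_afterwards)
		sb_set_nonblock(fixed ? &referral_sb : ld.ld_sb, NULL);

	state = fd_is_nonblocking(referral_sb.sb_fd);
	close(def[0]); close(def[1]); close(ref[0]); close(ref[1]);
	return state;
}

int main(void)
{
	printf("before fix, referral fd non-blocking: %d\n", referral_fd_state(0, 0));
	printf("after fix, referral fd non-blocking: %d\n", referral_fd_state(1, 0));
	printf("after fix and reset, referral fd non-blocking: %d\n", referral_fd_state(1, 1));
	return 0;
}
```

The before/after pair only differs in which Sockbuf receives the flag; the third result shows that the reset with a NULL argument pairs correctly with the enable once both target the same Sockbuf, which is what the third change in the report restores.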
Attached a patch to fix this as outlined above.
Since it seems I can't send the patch file as an attachment, here it is inline instead: ============ Start patch file ============ --- openldap-2.4.40/libraries/libldap/tls2.c 2014-09-18 18:48:50.000000000 -0700 +++ openldap-2.4.40-new/libraries/libldap/tls2.c 2015-06-08 19:40:30.326927300 -0700 @@ -842,7 +842,7 @@ * Use non-blocking io during SSL Handshake when a timeout is configured */ if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { - ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb ); + ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd ); tv = ld->ld_options.ldo_tm_net; tv0 = tv; @@ -877,7 +877,7 @@ break; } else { /* ldap_int_poll called ldap_pvt_ndelay_off */ - ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb ); + ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)1 ); ret = ldap_int_tls_connect( ld, conn ); if ( ret > 0 ) { /* need to call tls_connect once more */ struct timeval curr_time_tv, delta_tv; @@ -925,7 +925,7 @@ } } if ( ld->ld_options.ldo_tm_net.tv_sec >= 0 ) { - ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, NULL ); + ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, NULL ); } #endif /* LDAP_USE_NON_BLOCKING_TLS */ ============ End patch file ============
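Review bot: in the first hunk (@@ -842), the switch from ld->ld_sb to sb is consistent with the unchanged next line, `ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_FD, &sd );`, which already takes the fd to poll from sb; before the patch the non-blocking flag was set on one Sockbuf while the handshake polled the fd of another, which is the referral hang the report describes. The third-argument change from `sb` to `(void*)1` is unrelated cleanup bundled into the fix (the reporter notes either value works); it is worth a sentence in the commit message so a later reader does not look for a behavioural reason.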
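Review bot: in the second hunk (@@ -877), the re-enable following `/* ldap_int_poll called ldap_pvt_ndelay_off */` now targets sb, matching the first hunk; since the flag is toggled on every poll iteration, please confirm that each exit out of this loop (including the `break;` visible in the context) reaches the reset in the @@ -925 hunk, otherwise a referral Sockbuf could be left non-blocking for the LDAP operations that later run on it. A short comment here saying that the clear happens only at the end of ldap_int_tls_start would make that invariant explicit.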
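Review bot: in the third hunk (@@ -925), the reset to blocking mode is guarded by the same `ld->ld_options.ldo_tm_net.tv_sec >= 0` condition as the enable in the first hunk, so enable and disable are now paired on the same Sockbuf; the one thing to double-check is that this reset is also reached on the error return paths out of the handshake, which the context shown in this hunk does not cover.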
I've now uploaded the patch to the ftp.openldap.org FTP server as "ian-puleston-15069.patch". Ian
changed notes
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
changed notes
changed state Test to Release
On Wed, Jun 10, 2015 at 12:39:19AM +0000, ipuleston@SonicWALL.com wrote:
> I've now uploaded the patch to the ftp.openldap.org FTP server as "ian-puleston-15069.patch".

Hi Ian,

thank you for your work, the patch has been pushed to master (46c93e41f43da7f16270179c6eff75e450617329) and will also be part (a8cf2fb10047794c83873f5ff5c125ecd0e53168) of the upcoming 2.4.48 release.

Thanks,

--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP
fixed in master
fixed in RE24 (2.4.48)
changed notes
changed state Release to Closed