https://bugs.openldap.org/show_bug.cgi?id=10014
Issue ID: 10014
Summary: TLS handle using MbedTLS
Product: OpenLDAP
Version: 2.6.4
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: contrib
Assignee: bugs@openldap.org
Reporter: johan.pascal@linphone.org
Target Milestone: ---
Created attachment 950 --> https://bugs.openldap.org/attachment.cgi?id=950&action=edit Add a TLS handle using MbedTLS
Hi, I wrote a TLS handle based on MbedTLS. I attach the patch here but I can also put it on GitLab and make a merge request there. The patch contains the minimal modifications to build OpenLDAP using MbedTLS as the backend for TLS. You must run aclocal, autoheader and autoconf to regenerate the archived aclocal.m4, configure and include/portable.hin files.
This contribution was originally written for the linphone project, and copyright belongs to Belledonne Communications SARL.
The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch were developed by Belledonne Communications SARL. Belledonne Communications SARL has not assigned rights and/or interest in this work to any party. I, Johan Pascal am authorized by Belledonne Communications, my employer, to release this work under the following terms.
The attached modifications to OpenLDAP Software are subject to the following notice:
Copyright 2010-2023 Belledonne Communications SARL Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.
--- Comment #1 from Howard Chu hyc@openldap.org --- Thanks for the submission. I see you've got #ifdef'd support for older versions (2.x) as well as (3.x). For adding a new feature, I see no reason to support any older versions, particularly if they lack support for TLS1.3. I suggest stripping out all the 2.x support.
There are traces of copy/paste from tls_g.c and tls_o.c scattered around the file, these should be fixed.
I'd consider naming the source file "tls_mt.c" since we already had a "tls_m.c" for MozNSS in the past, and would prefer to avoid any possible confusion.
--- Comment #2 from Johan johan.pascal@linphone.org --- Hi, support for version 2.x seems still relevant as the MbedTLS 2.28 branch is still supported and most of the Linux distributions are shipping version 2 packages: https://repology.org/project/mbedtls/versions
Let me know if you still want me to strip the version 2 support.
Yes I started from tls_o.c, I'll make another pass to remove anything coming from it and not relevant for this handle.
Ok for the filename, I missed that part of openldap history and was not aware of a previous tls_m.c file.
--- Comment #3 from Howard Chu hyc@openldap.org --- re: 2.x, I guess we should hear some other folks' opinions. Just note that this would be a new feature, appearing in OpenLDAP 2.7 later this year. All of those platforms are already well supported by OpenSSL (with TLS 1.3 support) so we need to understand why they would choose to use a backrev mbedTLS library instead.
--- Comment #4 from Johan johan.pascal@linphone.org --- I uploaded the code on gitlab, cleaning it a little bit.
https://git.openldap.org/Johan/openldap/-/tree/add/mbedtls_handle
I tried to add a CI run using the mbedtls handle but the CI runner is on Debian stable, which packages mbedtls-2.16.9 and is not supported by the handle (it requires functions introduced in 2.18.0).
Our use case for OpenLDAP with the mbedtls handle, in the linphone project, on Debian or distributions supporting OpenSSL is to unify the code base shared on various platforms. The same code is built on these platforms but also on Android or iOS, where we'd rather use mbedtls.
--- Comment #5 from Ondřej Kuzník ondra@mistotebe.net --- On Thu, Feb 23, 2023 at 09:04:15AM +0000, openldap-its@openldap.org wrote:
> I uploaded the code on gitlab, cleaning it a little bit.
> https://git.openldap.org/Johan/openldap/-/tree/add/mbedtls_handle
> I tried to add a CI run using the mbedtls handle but the CI runner is on Debian stable, which packages mbedtls-2.16.9 and is not supported by the handle (it requires functions introduced in 2.18.0).
> Our use case for OpenLDAP with the mbedtls handle, in the linphone project, on Debian or distributions supporting OpenSSL is to unify the code base shared on various platforms. The same code is built on these platforms but also on Android or iOS, where we'd rather use mbedtls.
Hi Johan, Debian Bookworm (the testing suite at this point) ships 2.28.0, so I think you can tag the job with a Debian testing image for now.
Regards,
--- Comment #6 from Johan johan.pascal@linphone.org --- Hi Ondřej,
thanks for your suggestion. I could not find on GitLab any tagged runner; I see 4 of them, all on agnesi.openldap.org, but none seem to have any tag. Sorry, GitLab is not really my field, can you detail how I can access a Debian bookworm runner?
Thanks
--- Comment #7 from Ondřej Kuzník ondra@mistotebe.net --- On Thu, Feb 23, 2023 at 12:54:37PM +0000, openldap-its@openldap.org wrote:
> Hi Ondřej,
> thanks for your suggestion. I could not find on GitLab any tagged runner; I see 4 of them, all on agnesi.openldap.org, but none seem to have any tag. Sorry, GitLab is not really my field, can you detail how I can access a Debian bookworm runner?
I meant setting https://docs.gitlab.com/ee/ci/yaml/index.html#image in a job which would give you a different Docker image on the existing runners.
Regards,
--- Comment #8 from Johan johan.pascal@linphone.org --- (In reply to Ondřej Kuzník from comment #7)
> On Thu, Feb 23, 2023 at 12:54:37PM +0000, openldap-its@openldap.org wrote:
> > Hi Ondřej,
> > thanks for your suggestion. I could not find on GitLab any tagged runner; I see 4 of them, all on agnesi.openldap.org, but none seem to have any tag. Sorry, GitLab is not really my field, can you detail how I can access a Debian bookworm runner?
> I meant setting https://docs.gitlab.com/ee/ci/yaml/index.html#image in a job which would give you a different Docker image on the existing runners.
> Regards,
Thanks, it worked, and now I can see that I missed several files where the crypto library is used.
I'll correct that soon.
Quanah Gibson-Mount quanah@openldap.org changed:
What              Removed        Added
Keywords          needs_review
Target Milestone  ---            2.7.0
--- Comment #9 from Johan johan.pascal@linphone.org --- It seems to pass the tests now. I made a merge request to make code review easier.
https://git.openldap.org/openldap/openldap/-/merge_requests/608
Johan
Quanah Gibson-Mount quanah@openldap.org changed:
What        Removed      Added
Status      UNCONFIRMED  RESOLVED
Resolution  ---          FIXED
--- Comment #10 from Quanah Gibson-Mount quanah@openldap.org --- Commits: • f7e6c71e by johan pascal at 2023-03-31T05:19:30+00:00 ITS#10014: Add TLS handle using MbedTLS
Quanah Gibson-Mount quanah@openldap.org changed:
What    Removed   Added
Status  RESOLVED  VERIFIED
--- Comment #11 from Ondřej Kuzník ondra@mistotebe.net --- I've just noticed that tlsmt_session_accept busy loops on non-blocking connections.
This is a problem for lloadd, which wants non-blocking operation where possible, rescheduling callbacks based on LBER_SB_OPT_NEEDS_WRITE/READ.
--- Comment #12 from Johan johan.pascal@linphone.org --- (In reply to Ondřej Kuzník from comment #11)
> I've just noticed that tlsmt_session_accept busy loops on non-blocking connections.
> This is a problem for lloadd, which wants non-blocking operation where possible, rescheduling callbacks based on LBER_SB_OPT_NEEDS_WRITE/READ.
Hi Ondřej, you're right I completely missed the loop through session_upflags to manage the non blocking I/O. Just removing the loop and directly returning
mbedtls_ssl_handshake( &(s->ssl_ctx) )
in tlsmt_session_accept shall work.
I'll do an MR by the end of the week
regards, Johan
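The non-blocking accept problem discussed in comments #11 and #12 comes down to who owns the wait: if the TLS layer loops on the handshake until it completes, a non-blocking socket with nothing to read makes that loop spin and pin a thread; if the accept routine instead performs one handshake step and reports what it is waiting for, the event loop can put the connection to sleep and wake it on the right readiness event. The following C program is an added example that is not OpenLDAP or mbedTLS code. It models both patterns on a scripted stand-in for mbedtls_ssl_handshake(): `sim_session` and `sim_ssl_handshake()` are assumed substitutes for mbedtls_ssl_context and the real handshake call, the `accept_status` values are assumed stand-ins for the LBER_SB_OPT_NEEDS_READ/WRITE hints, and `drive_accept()` plays the role of the scheduler. Only the MBEDTLS_ERR_SSL_WANT_READ/WANT_WRITE values are taken from mbedtls/ssl.h.

```c
/* Added example, not OpenLDAP or mbedTLS code: models the non-blocking accept
 * fix discussed in ITS#10014 comment #12.  The broken pattern spins on the
 * handshake until it completes; the fixed pattern makes one handshake call per
 * readiness event and hands WANT_READ/WANT_WRITE back to the scheduler.
 * Assumptions: sim_session / sim_ssl_handshake() stand in for
 * mbedtls_ssl_context / mbedtls_ssl_handshake(); accept_status stands in for
 * liblber's LBER_SB_OPT_NEEDS_READ/WRITE hints. */
#include <stdio.h>

/* Real error codes from mbedtls/ssl.h */
#define MBEDTLS_ERR_SSL_WANT_READ  -0x6900
#define MBEDTLS_ERR_SSL_WANT_WRITE -0x6880

enum accept_status {
    ACCEPT_ERROR = -1,
    ACCEPT_DONE = 0,
    ACCEPT_NEEDS_READ = 1,   /* caller must wait for readability, then call again */
    ACCEPT_NEEDS_WRITE = 2   /* caller must wait for writability, then call again */
};

/* Scripted handshake: each step needs either peer input ('R') or room to send
 * ('W').  readable/writable model the non-blocking socket's current readiness. */
struct sim_session {
    const char *script;
    int pos;
    int readable;
    int writable;
    int handshake_calls;     /* how often the handshake entry point was invoked */
};

static int sim_ssl_handshake(struct sim_session *s)
{
    s->handshake_calls++;
    while (s->script[s->pos] != '\0') {
        if (s->script[s->pos] == 'R') {
            if (!s->readable) return MBEDTLS_ERR_SSL_WANT_READ;
            s->readable = 0;                 /* pending bytes consumed */
        } else {
            if (!s->writable) return MBEDTLS_ERR_SSL_WANT_WRITE;
            s->writable = 0;                 /* send buffer now full */
        }
        s->pos++;
    }
    return 0;
}

/* The bug: looping inside accept until the handshake finishes.  On a
 * non-blocking socket with nothing to read this never sleeps; max_spins caps
 * the simulation so the function returns.  Returns -1 when the cap is hit. */
static int busy_accept(struct sim_session *s, int max_spins)
{
    int rc;
    while ((rc = sim_ssl_handshake(s)) == MBEDTLS_ERR_SSL_WANT_READ ||
           rc == MBEDTLS_ERR_SSL_WANT_WRITE) {
        if (--max_spins == 0) return -1;
    }
    return rc;
}

/* The fix: a single handshake step whose result says what the caller must wait for. */
static enum accept_status accept_step(struct sim_session *s)
{
    int rc = sim_ssl_handshake(s);
    if (rc == 0) return ACCEPT_DONE;
    if (rc == MBEDTLS_ERR_SSL_WANT_READ) return ACCEPT_NEEDS_READ;
    if (rc == MBEDTLS_ERR_SSL_WANT_WRITE) return ACCEPT_NEEDS_WRITE;
    return ACCEPT_ERROR;
}

/* Event-loop driver: `events` is a constructed readiness sequence ('r' = socket
 * became readable, 'w' = writable).  The accept step is re-entered only when the
 * event matches the direction it asked for, so nothing spins. */
static enum accept_status drive_accept(struct sim_session *s, const char *events)
{
    enum accept_status st = accept_step(s);
    for (const char *e = events; *e && st != ACCEPT_DONE && st != ACCEPT_ERROR; e++) {
        if (*e == 'r' && st == ACCEPT_NEEDS_READ) {
            s->readable = 1;
            st = accept_step(s);
        } else if (*e == 'w' && st == ACCEPT_NEEDS_WRITE) {
            s->writable = 1;
            st = accept_step(s);
        }
        /* an event for the other direction does not reschedule the callback */
    }
    return st;
}

int main(void)
{
    struct sim_session spin = { "R", 0, 0, 0, 0 };   /* peer never sends */
    int rc = busy_accept(&spin, 1000);
    printf("busy loop: rc=%d after %d handshake calls\n", rc, spin.handshake_calls);

    struct sim_session nb = { "RWR", 0, 0, 0, 0 };
    enum accept_status st = drive_accept(&nb, "rwr");
    printf("non-blocking: status=%d after %d handshake calls\n", st, nb.handshake_calls);
    return 0;
}
```

The point to check in a real handle is the direction of the wait: a WANT_WRITE must translate into a wait for writability, not readability, or the connection stalls in the scheduler instead of spinning in the handshake; the `wrongdir` case below exercises exactly that.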
--- Comment #13 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to Johan from comment #12)
> Hi Ondřej, you're right I completely missed the loop through session_upflags to manage the non blocking I/O. Just removing the loop and directly returning
> mbedtls_ssl_handshake( &(s->ssl_ctx) )
> in tlsmt_session_accept shall work.
> I'll do an MR by the end of the week
Hi Johan,
Any luck on getting this MR put together? It's almost been a year.
--- Comment #14 from Johan johan.pascal@linphone.org --- (In reply to Quanah Gibson-Mount from comment #13)
> Hi Johan,
> Any luck on getting this MR put together? It's almost been a year.
Hi,
sorry for the delay, I completely forgot about it :-(
I just made an MR that should fix the problem: https://git.openldap.org/openldap/openldap/-/merge_requests/675
Johan
--- Comment #15 from Quanah Gibson-Mount quanah@openldap.org --- (In reply to Johan from comment #14)
> (In reply to Quanah Gibson-Mount from comment #13)
> > Hi Johan,
> > Any luck on getting this MR put together? It's almost been a year.
> Hi,
> sorry for the delay, I completely forgot about it :-(
> I just made an MR that should fix the problem: https://git.openldap.org/openldap/openldap/-/merge_requests/675
> Johan
Thanks so much!
--- Comment #16 from Quanah Gibson-Mount quanah@openldap.org --- head:
• 5a45cf60 by johan pascal at 2024-01-30T16:25:41+00:00 ITS#10014 Non blocking TLS session accept for mbedtls handle