1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3  *
4  * Copyright 1998-2021 The OpenLDAP Foundation.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted only as authorized by the OpenLDAP
9  * Public License.
10  *
11  * A copy of this license is available in the file LICENSE in the
12  * top-level directory of the distribution or, alternatively, at
13  * <http://www.OpenLDAP.org/license.html>.
14  */
15 
16 #include "portable.h"
17 
18 #include <ac/string.h>
19 
20 #include "lutil.h"
21 #include "lload.h"
22 
/*
 * Tree of registered extended-operation handlers, keyed by OID
 * (ordered with exop_handler_cmp, populated by lload_register_exop_handlers).
 */
Avlnode *lload_exop_handlers = NULL;

#ifdef HAVE_TLS
/* TLS context and LDAP handles used for TLS setup; they are initialised elsewhere */
void *lload_tls_ctx;
LDAP *lload_tls_ld, *lload_tls_backend_ld;
#ifdef BALANCER_MODULE
/* NOTE(review): presumably selects slapd's own TLS context when built as a module -- confirm */
int lload_use_slap_tls_ctx = 0;
#endif
#endif /* HAVE_TLS */
32 
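/*
 * Built-in handler for the StartTLS extended operation.
 *
 * The request is handled locally and never forwarded upstream: it is removed
 * from the connection's operation tree, validated, and either rejected or
 * answered with a success response after which both I/O events are re-pointed
 * at client_tls_handshake_cb.
 *
 * Returns LDAP_SUCCESS when a rejection was queued and the caller may carry on
 * with the connection, and -1 whenever the caller must stop touching it: both
 * when the connection was destroyed on an internal error and when the TLS
 * handshake has been handed off (the I/O callbacks were reassigned here).
 */
int
handle_starttls( LloadConnection *c, LloadOperation *op )
{
    struct event_base *base = event_get_base( c->c_read_event );
    LloadOperation *found;
    BerElement *output;
    char *msg = NULL;
    int rc = LDAP_SUCCESS;

    CONNECTION_LOCK(c);
    /* The operation is ours now; it does not go through request_process */
    found = ldap_tavl_delete( &c->c_ops, op, operation_client_cmp );
    assert( op == found );
    c->c_n_ops_executing--;

#ifdef HAVE_TLS
    /*
     * Refuse to layer TLS when it is already in place, a bind is in
     * progress, or other operations are still outstanding. The last check
     * is what makes the "only thread handling the connection" reasoning
     * further down hold.
     *
     * NOTE(review): only LLOAD_TLS_ESTABLISHED is rejected here. While a
     * handshake is in progress the read callback is client_tls_handshake_cb
     * rather than the LDAP decoder, so presumably no request can reach this
     * point in that state -- confirm.
     */
    if ( c->c_is_tls == LLOAD_TLS_ESTABLISHED ) {
        rc = LDAP_OPERATIONS_ERROR;
        msg = "TLS layer already in effect";
    } else if ( c->c_state == LLOAD_C_BINDING ) {
        rc = LDAP_OPERATIONS_ERROR;
        msg = "bind in progress";
    } else if ( c->c_ops ) {
        rc = LDAP_OPERATIONS_ERROR;
        msg = "cannot start TLS when operations are outstanding";
    } else if ( !LLOAD_TLS_CTX ) {
        rc = LDAP_UNAVAILABLE;
        msg = "Could not initialize TLS";
    }
#else /* ! HAVE_TLS */
    rc = LDAP_UNAVAILABLE;
    msg = "Could not initialize TLS";
#endif /* ! HAVE_TLS */

    CONNECTION_UNLOCK(c);

    /* msg is NULL on the success path; passing NULL to %s is undefined */
    Debug( LDAP_DEBUG_STATS, "handle_starttls: "
            "handling StartTLS exop connid=%lu rc=%d msg=%s\n",
            c->c_connid, rc, msg ? msg : "" );

    if ( rc ) {
        /* We've already removed the operation from the queue */
        operation_send_reject( op, rc, msg, 1 );
        return LDAP_SUCCESS;
    }

#ifdef HAVE_TLS
    event_del( c->c_read_event );
    event_del( c->c_write_event );
    /*
     * At this point, we are the only thread handling the connection:
     * - there are no upstream operations
     * - the I/O callbacks have been successfully removed
     *
     * This means we can safely reconfigure both I/O events now.
     */

    checked_lock( &c->c_io_mutex );
    output = c->c_pendingber;
    if ( output == NULL && (output = ber_alloc()) == NULL ) {
        checked_unlock( &c->c_io_mutex );
        operation_unlink( op );
        CONNECTION_LOCK_DESTROY(c);
        return -1;
    }
    c->c_pendingber = output;
    /*
     * Encode the success response into the shared pending buffer. It is
     * written in the clear before the handshake starts, as the protocol
     * requires. If encoding fails the buffer may hold a partial PDU, so the
     * connection is dropped rather than sent anything.
     */
    if ( ber_printf( output, "t{tit{ess}}", LDAP_TAG_MESSAGE,
                LDAP_TAG_MSGID, op->o_client_msgid,
                LDAP_RES_EXTENDED, LDAP_SUCCESS, "", "" ) < 0 ) {
        checked_unlock( &c->c_io_mutex );
        operation_unlink( op );
        CONNECTION_LOCK_DESTROY(c);
        return -1;
    }
    c->c_io_state &= ~LLOAD_C_READ_HANDOVER;
    checked_unlock( &c->c_io_mutex );

    CONNECTION_LOCK(c);
    /* From here on both events feed the TLS handshake instead of the LDAP decoder */
    c->c_read_timeout = lload_timeout_net;
    event_assign( c->c_read_event, base, c->c_fd, EV_READ|EV_PERSIST,
            client_tls_handshake_cb, c );
    event_add( c->c_read_event, c->c_read_timeout );

    event_assign( c->c_write_event, base, c->c_fd, EV_WRITE,
            client_tls_handshake_cb, c );
    /* We already have something to write */
    event_add( c->c_write_event, lload_write_timeout );

    op->o_res = LLOAD_OP_COMPLETED;
    CONNECTION_UNLOCK(c);

    operation_unlink( op );

    return -1;
#else /* ! HAVE_TLS */
    /* Not reached: rc is always non-zero when TLS support is compiled out */
    return LDAP_SUCCESS;
#endif /* HAVE_TLS */
}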
123 
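/*
 * Dispatch an incoming ExtendedRequest.
 *
 * The requestName OID is pulled out of op->o_request (untrusted client data).
 * OIDs with an internal handler in lload_exop_handlers are handled locally;
 * everything else is tagged with the action configured for that OID in
 * lload_exop_actions (or lload_default_exop_action when none matches) and
 * passed on to request_process.
 *
 * Note that the handler lookup comes first, so internally handled operations
 * such as StartTLS are not subject to the lload_exop_actions restrictions.
 *
 * Returns the handler's or request_process's result, or -1 after destroying
 * the connection on an allocation failure or a malformed request.
 */
int
request_extended( LloadConnection *c, LloadOperation *op )
{
    ExopHandler *handler, needle = {};
    struct restriction_entry *restriction, rneedle = {};
    BerElement *copy;
    struct berval bv;
    ber_tag_t tag;

    if ( (copy = ber_alloc()) == NULL ) {
        operation_send_reject( op, LDAP_OTHER, "internal error", 0 );
        CONNECTION_LOCK_DESTROY(c);
        return -1;
    }

    /* Decoding scratch only: ber_init2 points at op->o_request without copying */
    ber_init2( copy, &op->o_request, 0 );

    tag = ber_skip_element( copy, &bv );
    /*
     * bv points into op->o_request, not into the BerElement, so the element
     * can go right away. Freeing it here also covers the protocol-error path
     * below, which previously leaked it for every malformed request.
     */
    ber_free( copy, 0 );

    if ( tag != LDAP_TAG_EXOP_REQ_OID ) {
        Debug( LDAP_DEBUG_STATS, "request_extended: "
                "no OID present in extended request\n" );
        operation_send_reject( op, LDAP_PROTOCOL_ERROR, "decoding error", 0 );
        CONNECTION_LOCK_DESTROY(c);
        return -1;
    }

    needle.oid = bv;

    handler = ldap_avl_find( lload_exop_handlers, &needle, exop_handler_cmp );
    if ( handler ) {
        /* Bounded print: the OID comes from the wire and is not NUL-terminated */
        Debug( LDAP_DEBUG_TRACE, "request_extended: "
                "handling exop OID %.*s internally\n",
                (int)bv.bv_len, bv.bv_val );
        return handler->func( c, op );
    }

    rneedle.oid = bv;
    restriction = ldap_tavl_find( lload_exop_actions, &rneedle,
            lload_restriction_cmp );
    if ( restriction ) {
        op->o_restricted = restriction->action;
    } else {
        op->o_restricted = lload_default_exop_action;
    }

    return request_process( c, op );
}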
173 
/*
 * Built-in extended-operation handlers, registered by lload_exop_init.
 * The table is terminated by an entry with a NULL OID (BER_BVNULL).
 */
ExopHandler lload_exops[] = {
        { BER_BVC(LDAP_EXOP_START_TLS), handle_starttls },
        { BER_BVNULL }
};
178 
/*
 * AVL ordering callback for lload_exop_handlers: compares two handler
 * entries by their OID bervals using ber_bvcmp.
 */
int
exop_handler_cmp( const void *left, const void *right )
{
    const struct berval *loid = &((const struct lload_exop_handlers_t *)left)->oid;
    const struct berval *roid = &((const struct lload_exop_handlers_t *)right)->oid;

    return ber_bvcmp( loid, roid );
}
185 
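/*
 * Link each entry of a BER_BVNULL-terminated handler table into
 * lload_exop_handlers. Entries are stored by pointer, so the table must
 * outlive the tree. A duplicate OID (ldap_avl_dup_error) aborts registration
 * with -1; entries inserted before the failure are not rolled back.
 *
 * Returns LDAP_SUCCESS when every entry was inserted.
 */
int
lload_register_exop_handlers( struct lload_exop_handlers_t *handler )
{
    for ( ; !BER_BVISNULL( &handler->oid ); handler++ ) {
        /* Bounded print: the OID is a berval and need not be NUL-terminated */
        Debug( LDAP_DEBUG_TRACE, "lload_register_exop_handlers: "
                "registering handler for exop oid=%.*s\n",
                (int)handler->oid.bv_len, handler->oid.bv_val );
        if ( ldap_avl_insert( &lload_exop_handlers, handler, exop_handler_cmp,
                     ldap_avl_dup_error ) ) {
            Debug( LDAP_DEBUG_ANY, "lload_register_exop_handlers: "
                    "failed to register handler for exop oid=%.*s\n",
                    (int)handler->oid.bv_len, handler->oid.bv_val );
            return -1;
        }
    }

    return LDAP_SUCCESS;
}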
204 
/*
 * Register the built-in lload_exops table.
 * Returns LDAP_SUCCESS, or -1 if any entry could not be registered.
 */
int
lload_exop_init( void )
{
    int rc = lload_register_exop_handlers( lload_exops );

    return rc ? -1 : LDAP_SUCCESS;
}
214