1 /* $OpenLDAP$ */
2 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
3 *
4 * Copyright 1998-2021 The OpenLDAP Foundation.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted only as authorized by the OpenLDAP
9 * Public License.
10 *
11 * A copy of this license is available in the file LICENSE in the
12 * top-level directory of the distribution or, alternatively, at
13 * <http://www.OpenLDAP.org/license.html>.
14 */
15
16 #include "portable.h"
17
18 #include <ac/string.h>
19
20 #include "lutil.h"
21 #include "lload.h"
22
23 Avlnode *lload_exop_handlers = NULL;
24
25 #ifdef HAVE_TLS
26 void *lload_tls_ctx;
27 LDAP *lload_tls_ld, *lload_tls_backend_ld;
28 #ifdef BALANCER_MODULE
29 int lload_use_slap_tls_ctx = 0;
30 #endif
31 #endif /* HAVE_TLS */
32
33 int
handle_starttls(LloadConnection * c,LloadOperation * op)34 handle_starttls( LloadConnection *c, LloadOperation *op )
35 {
36 struct event_base *base = event_get_base( c->c_read_event );
37 LloadOperation *found;
38 BerElement *output;
39 char *msg = NULL;
40 int rc = LDAP_SUCCESS;
41
42 CONNECTION_LOCK(c);
43 found = ldap_tavl_delete( &c->c_ops, op, operation_client_cmp );
44 assert( op == found );
45 c->c_n_ops_executing--;
46
47 #ifdef HAVE_TLS
48 if ( c->c_is_tls == LLOAD_TLS_ESTABLISHED ) {
49 rc = LDAP_OPERATIONS_ERROR;
50 msg = "TLS layer already in effect";
51 } else if ( c->c_state == LLOAD_C_BINDING ) {
52 rc = LDAP_OPERATIONS_ERROR;
53 msg = "bind in progress";
54 } else if ( c->c_ops ) {
55 rc = LDAP_OPERATIONS_ERROR;
56 msg = "cannot start TLS when operations are outstanding";
57 } else if ( !LLOAD_TLS_CTX ) {
58 rc = LDAP_UNAVAILABLE;
59 msg = "Could not initialize TLS";
60 }
61 #else /* ! HAVE_TLS */
62 rc = LDAP_UNAVAILABLE;
63 msg = "Could not initialize TLS";
64 #endif /* ! HAVE_TLS */
65
66 CONNECTION_UNLOCK(c);
67
68 Debug( LDAP_DEBUG_STATS, "handle_starttls: "
69 "handling StartTLS exop connid=%lu rc=%d msg=%s\n",
70 c->c_connid, rc, msg );
71
72 if ( rc ) {
73 /* We've already removed the operation from the queue */
74 operation_send_reject( op, rc, msg, 1 );
75 return LDAP_SUCCESS;
76 }
77
78 #ifdef HAVE_TLS
79 event_del( c->c_read_event );
80 event_del( c->c_write_event );
81 /*
82 * At this point, we are the only thread handling the connection:
83 * - there are no upstream operations
84 * - the I/O callbacks have been successfully removed
85 *
86 * This means we can safely reconfigure both I/O events now.
87 */
88
89 checked_lock( &c->c_io_mutex );
90 output = c->c_pendingber;
91 if ( output == NULL && (output = ber_alloc()) == NULL ) {
92 checked_unlock( &c->c_io_mutex );
93 operation_unlink( op );
94 CONNECTION_LOCK_DESTROY(c);
95 return -1;
96 }
97 c->c_pendingber = output;
98 ber_printf( output, "t{tit{ess}}", LDAP_TAG_MESSAGE,
99 LDAP_TAG_MSGID, op->o_client_msgid,
100 LDAP_RES_EXTENDED, LDAP_SUCCESS, "", "" );
101 c->c_io_state &= ~LLOAD_C_READ_HANDOVER;
102 checked_unlock( &c->c_io_mutex );
103
104 CONNECTION_LOCK(c);
105 c->c_read_timeout = lload_timeout_net;
106 event_assign( c->c_read_event, base, c->c_fd, EV_READ|EV_PERSIST,
107 client_tls_handshake_cb, c );
108 event_add( c->c_read_event, c->c_read_timeout );
109
110 event_assign( c->c_write_event, base, c->c_fd, EV_WRITE,
111 client_tls_handshake_cb, c );
112 /* We already have something to write */
113 event_add( c->c_write_event, lload_write_timeout );
114
115 op->o_res = LLOAD_OP_COMPLETED;
116 CONNECTION_UNLOCK(c);
117
118 operation_unlink( op );
119
120 return -1;
121 #endif /* HAVE_TLS */
122 }
123
124 int
request_extended(LloadConnection * c,LloadOperation * op)125 request_extended( LloadConnection *c, LloadOperation *op )
126 {
127 ExopHandler *handler, needle = {};
128 struct restriction_entry *restriction, rneedle = {};
129 BerElement *copy;
130 struct berval bv;
131 ber_tag_t tag;
132
133 if ( (copy = ber_alloc()) == NULL ) {
134 operation_send_reject( op, LDAP_OTHER, "internal error", 0 );
135 CONNECTION_LOCK_DESTROY(c);
136 return -1;
137 }
138
139 ber_init2( copy, &op->o_request, 0 );
140
141 tag = ber_skip_element( copy, &bv );
142 if ( tag != LDAP_TAG_EXOP_REQ_OID ) {
143 Debug( LDAP_DEBUG_STATS, "request_extended: "
144 "no OID present in extended request\n" );
145 operation_send_reject( op, LDAP_PROTOCOL_ERROR, "decoding error", 0 );
146 CONNECTION_LOCK_DESTROY(c);
147 return -1;
148 }
149
150 needle.oid = bv;
151
152 handler = ldap_avl_find( lload_exop_handlers, &needle, exop_handler_cmp );
153 if ( handler ) {
154 Debug( LDAP_DEBUG_TRACE, "request_extended: "
155 "handling exop OID %.*s internally\n",
156 (int)bv.bv_len, bv.bv_val );
157 ber_free( copy, 0 );
158 return handler->func( c, op );
159 }
160 ber_free( copy, 0 );
161
162 rneedle.oid = bv;
163 restriction = ldap_tavl_find( lload_exop_actions, &rneedle,
164 lload_restriction_cmp );
165 if ( restriction ) {
166 op->o_restricted = restriction->action;
167 } else {
168 op->o_restricted = lload_default_exop_action;
169 }
170
171 return request_process( c, op );
172 }
173
174 ExopHandler lload_exops[] = {
175 { BER_BVC(LDAP_EXOP_START_TLS), handle_starttls },
176 { BER_BVNULL }
177 };
178
179 int
exop_handler_cmp(const void * left,const void * right)180 exop_handler_cmp( const void *left, const void *right )
181 {
182 const struct lload_exop_handlers_t *l = left, *r = right;
183 return ber_bvcmp( &l->oid, &r->oid );
184 }
185
186 int
lload_register_exop_handlers(struct lload_exop_handlers_t * handler)187 lload_register_exop_handlers( struct lload_exop_handlers_t *handler )
188 {
189 for ( ; !BER_BVISNULL( &handler->oid ); handler++ ) {
190 Debug( LDAP_DEBUG_TRACE, "lload_register_exop_handlers: "
191 "registering handler for exop oid=%s\n",
192 handler->oid.bv_val );
193 if ( ldap_avl_insert( &lload_exop_handlers, handler, exop_handler_cmp,
194 ldap_avl_dup_error ) ) {
195 Debug( LDAP_DEBUG_ANY, "lload_register_exop_handlers: "
196 "failed to register handler for exop oid=%s\n",
197 handler->oid.bv_val );
198 return -1;
199 }
200 }
201
202 return LDAP_SUCCESS;
203 }
204
205 int
lload_exop_init(void)206 lload_exop_init( void )
207 {
208 if ( lload_register_exop_handlers( lload_exops ) ) {
209 return -1;
210 }
211
212 return LDAP_SUCCESS;
213 }
214