From 3802fa9217e05d3ca86e728b908fd4095e6c577c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>
Date: Fri, 15 Jan 2021 10:53:59 +0000
Subject: [PATCH] ITS#8747 Fix lloadd builds --without-tls

---
 servers/lloadd/bind.c     |  5 +++++
 servers/lloadd/client.c   |  6 ++++++
 servers/lloadd/config.c   | 13 +++++++++++++
 servers/lloadd/daemon.c   |  4 ++++
 servers/lloadd/extended.c | 10 ++++++++++
 servers/lloadd/upstream.c | 10 ++++++++++
 6 files changed, 48 insertions(+)

diff --git a/servers/lloadd/bind.c b/servers/lloadd/bind.c
index 25d383868c..12db80415e 100644
--- a/servers/lloadd/bind.c
+++ b/servers/lloadd/bind.c
@@ -56,6 +56,7 @@ bind_mech_external(
         goto done;
     }
 
+#ifdef HAVE_TLS
     ssl = ldap_pvt_tls_sb_ctx( client->c_sb );
     if ( !ssl || ldap_pvt_tls_get_peer_dn( ssl, &binddn, NULL, 0 ) ) {
         result = LDAP_INVALID_CREDENTIALS;
@@ -74,6 +75,10 @@ bind_mech_external(
     if ( !ber_bvstrcasecmp( &client->c_auth, &lloadd_identity ) ) {
         client->c_type = LLOAD_C_PRIVILEGED;
     }
+#else /* ! HAVE_TLS */
+    result = LDAP_AUTH_METHOD_NOT_SUPPORTED;
+    message = "requested SASL mechanism not supported";
+#endif /* ! HAVE_TLS */
 
 done:
     CONNECTION_UNLOCK(client);
diff --git a/servers/lloadd/client.c b/servers/lloadd/client.c
index 3d080a77a1..e4e1682bb1 100644
--- a/servers/lloadd/client.c
+++ b/servers/lloadd/client.c
@@ -288,6 +288,7 @@ handle_one_request( LloadConnection *c )
     return handler( c, op );
 }
 
+#ifdef HAVE_TLS
 /*
  * The connection has a token assigned to it when the callback is set up.
  */
@@ -385,6 +386,7 @@ fail:
     CONNECTION_LOCK_DESTROY(c);
     epoch_leave( epoch );
 }
+#endif /* HAVE_TLS */
 
 LloadConnection *
 client_init(
@@ -413,6 +415,7 @@ client_init(
     c->c_state = LLOAD_C_READY;
 
     if ( flags & CONN_IS_TLS ) {
+#ifdef HAVE_TLS
         int rc;
 
         c->c_is_tls = LLOAD_LDAPS;
@@ -430,6 +433,9 @@ client_init(
             c->c_read_timeout = lload_timeout_net;
             read_cb = write_cb = client_tls_handshake_cb;
         }
+#else /* ! HAVE_TLS */
+        assert(0);
+#endif /* ! HAVE_TLS */
     }
 
     event = event_new( base, s, EV_READ|EV_PERSIST, read_cb, c );
diff --git a/servers/lloadd/config.c b/servers/lloadd/config.c
index dad2670b5e..91e54e8519 100644
--- a/servers/lloadd/config.c
+++ b/servers/lloadd/config.c
@@ -3671,6 +3671,19 @@ backend_cf_gen( ConfigArgs *c )
                         "invalid starttls configuration" );
                 goto fail;
             }
+#ifndef HAVE_TLS
+            if ( tlskey[i].mask == LLOAD_STARTTLS_OPTIONAL ) {
+                Debug( LDAP_DEBUG_ANY, "%s: "
+                        "lloadd compiled without TLS but starttls specified, "
+                        "it will be ignored\n",
+                        c->log );
+            } else if ( tlskey[i].mask != LLOAD_CLEARTEXT ) {
+                snprintf( c->cr_msg, sizeof(c->cr_msg),
+                        "invalid starttls configuration when compiled without "
+                        "TLS support" );
+                goto fail;
+            }
+#endif /* ! HAVE_TLS */
             b->b_tls_conf = tlskey[i].mask;
         } break;
         default:
diff --git a/servers/lloadd/daemon.c b/servers/lloadd/daemon.c
index 3ddee5dee4..b88571a13a 100644
--- a/servers/lloadd/daemon.c
+++ b/servers/lloadd/daemon.c
@@ -1410,6 +1410,7 @@ backend_conn_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
     return 0;
 }
 
+#ifdef HAVE_TLS
 int
 client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
 {
@@ -1422,6 +1423,7 @@ client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
     }
     return 0;
 }
+#endif /* HAVE_TLS */
 
 void
 lload_handle_backend_invalidation( LloadChange *change )
@@ -1648,6 +1650,7 @@ lload_handle_global_invalidation( LloadChange *change )
         assert( !feature_diff );
     }
 
+#ifdef HAVE_TLS
     if ( change->flags.daemon & LLOAD_DAEMON_MOD_TLS ) {
         /* terminate all clients with TLS set up */
         ldap_pvt_thread_pool_walk(
@@ -1670,6 +1673,7 @@ lload_handle_global_invalidation( LloadChange *change )
             }
         }
     }
+#endif /* HAVE_TLS */
 
     if ( change->flags.daemon & LLOAD_DAEMON_MOD_BINDCONF ) {
         LloadBackend *b;
diff --git a/servers/lloadd/extended.c b/servers/lloadd/extended.c
index 89f8afaad9..5fbdf5e11c 100644
--- a/servers/lloadd/extended.c
+++ b/servers/lloadd/extended.c
@@ -22,11 +22,13 @@
 
 Avlnode *lload_exop_handlers = NULL;
 
+#ifdef HAVE_TLS
 void *lload_tls_ctx;
 LDAP *lload_tls_ld, *lload_tls_backend_ld;
 #ifdef BALANCER_MODULE
 int lload_use_slap_tls_ctx = 0;
 #endif
+#endif /* HAVE_TLS */
 
 int
 handle_starttls( LloadConnection *c, LloadOperation *op )
@@ -42,6 +44,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
     assert( op == found );
     c->c_n_ops_executing--;
 
+#ifdef HAVE_TLS
     if ( c->c_is_tls == LLOAD_TLS_ESTABLISHED ) {
         rc = LDAP_OPERATIONS_ERROR;
         msg = "TLS layer already in effect";
@@ -55,6 +58,11 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
         rc = LDAP_UNAVAILABLE;
         msg = "Could not initialize TLS";
     }
+#else /* ! HAVE_TLS */
+    rc = LDAP_UNAVAILABLE;
+    msg = "Could not initialize TLS";
+#endif /* ! HAVE_TLS */
+
     CONNECTION_UNLOCK(c);
 
     Debug( LDAP_DEBUG_STATS, "handle_starttls: "
@@ -67,6 +75,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
         return LDAP_SUCCESS;
     }
 
+#ifdef HAVE_TLS
     event_del( c->c_read_event );
     event_del( c->c_write_event );
     /*
@@ -109,6 +118,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
     operation_unlink( op );
 
     return -1;
+#endif /* HAVE_TLS */
 }
 
 int
diff --git a/servers/lloadd/upstream.c b/servers/lloadd/upstream.c
index 7a450aab80..1f0ee18eeb 100644
--- a/servers/lloadd/upstream.c
+++ b/servers/lloadd/upstream.c
@@ -281,7 +281,9 @@ sasl_bind_step( LloadConnection *c, BerValue *scred, BerValue *ccred )
 
     if ( !ctx ) {
         const char *mech = NULL;
+#ifdef HAVE_TLS
         void *ssl;
+#endif /* HAVE_TLS */
 
         if ( sasl_client_new( "ldap", b->b_host, NULL, NULL, client_callbacks,
                      0, &ctx ) != SASL_OK ) {
@@ -688,6 +690,7 @@ upstream_finish( LloadConnection *c )
     return LDAP_SUCCESS;
 }
 
+#ifdef HAVE_TLS
 static void
 upstream_tls_handshake_cb( evutil_socket_t s, short what, void *arg )
 {
@@ -872,6 +875,7 @@ fail:
     CONNECTION_DESTROY(c);
     return -1;
 }
+#endif /* HAVE_TLS */
 
 /*
  * We must already hold b->b_mutex when called.
@@ -893,7 +897,9 @@ upstream_init( ber_socket_t s, LloadBackend *b )
 
     CONNECTION_LOCK(c);
     c->c_private = b;
+#ifdef HAVE_TLS
     c->c_is_tls = b->b_tls;
+#endif
     c->c_pdu_cb = handle_one_response;
 
     LDAP_CIRCLEQ_INSERT_HEAD( &b->b_preparing, c, c_next );
@@ -924,10 +930,13 @@ upstream_init( ber_socket_t s, LloadBackend *b )
     c->c_destroy = upstream_destroy;
     c->c_unlink = upstream_unlink;
 
+#ifdef HAVE_TLS
     if ( c->c_is_tls == LLOAD_CLEARTEXT ) {
+#endif /* HAVE_TLS */
         if ( upstream_finish( c ) ) {
             goto fail;
         }
+#ifdef HAVE_TLS
     } else if ( c->c_is_tls == LLOAD_LDAPS ) {
         event_assign( c->c_read_event, base, s, EV_READ|EV_PERSIST,
                 upstream_tls_handshake_cb, c );
@@ -958,6 +967,7 @@ upstream_init( ber_socket_t s, LloadBackend *b )
             event_add( c->c_read_event, c->c_read_timeout );
         }
     }
+#endif /* HAVE_TLS */
     CONNECTION_UNLOCK(c);
 
     return c;