ITS#8747 Fix lloadd builds --without-tls

Ondřej Kuzník 2021-01-15 10:53:59 +00:00 committed by Quanah Gibson-Mount
parent a186fd70ab
commit 3802fa9217
6 changed files with 48 additions and 0 deletions


@ -56,6 +56,7 @@ bind_mech_external(
goto done; goto done;
} }
#ifdef HAVE_TLS
ssl = ldap_pvt_tls_sb_ctx( client->c_sb ); ssl = ldap_pvt_tls_sb_ctx( client->c_sb );
if ( !ssl || ldap_pvt_tls_get_peer_dn( ssl, &binddn, NULL, 0 ) ) { if ( !ssl || ldap_pvt_tls_get_peer_dn( ssl, &binddn, NULL, 0 ) ) {
result = LDAP_INVALID_CREDENTIALS; result = LDAP_INVALID_CREDENTIALS;
@ -74,6 +75,10 @@ bind_mech_external(
if ( !ber_bvstrcasecmp( &client->c_auth, &lloadd_identity ) ) { if ( !ber_bvstrcasecmp( &client->c_auth, &lloadd_identity ) ) {
client->c_type = LLOAD_C_PRIVILEGED; client->c_type = LLOAD_C_PRIVILEGED;
} }
#else /* ! HAVE_TLS */
result = LDAP_AUTH_METHOD_NOT_SUPPORTED;
message = "requested SASL mechanism not supported";
#endif /* ! HAVE_TLS */
done: done:
CONNECTION_UNLOCK(client); CONNECTION_UNLOCK(client);
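Review bot: The locals used only on the TLS path (`ssl` at L15, and `binddn` passed to ldap_pvt_tls_get_peer_dn at L16) become declared-but-unused in a --without-tls build if their declarations sit at the top of bind_mech_external, which is outside this hunk; the sasl_bind_step hunk in this same commit wraps its `void *ssl;` in `#ifdef HAVE_TLS`, so the same guard on the declarations here would keep the build warning-free under -Wall. Returning LDAP_AUTH_METHOD_NOT_SUPPORTED for EXTERNAL when no TLS layer can exist (L22–25) is the right refusal, and leaves `client->c_type` untouched so no privileged identity can be acquired on that path. bind_mech_external starts and ends outside the hunk.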


@ -288,6 +288,7 @@ handle_one_request( LloadConnection *c )
return handler( c, op ); return handler( c, op );
} }
#ifdef HAVE_TLS
/* /*
* The connection has a token assigned to it when the callback is set up. * The connection has a token assigned to it when the callback is set up.
*/ */
@ -385,6 +386,7 @@ fail:
CONNECTION_LOCK_DESTROY(c); CONNECTION_LOCK_DESTROY(c);
epoch_leave( epoch ); epoch_leave( epoch );
} }
#endif /* HAVE_TLS */
LloadConnection * LloadConnection *
client_init( client_init(
@ -413,6 +415,7 @@ client_init(
c->c_state = LLOAD_C_READY; c->c_state = LLOAD_C_READY;
if ( flags & CONN_IS_TLS ) { if ( flags & CONN_IS_TLS ) {
#ifdef HAVE_TLS
int rc; int rc;
c->c_is_tls = LLOAD_LDAPS; c->c_is_tls = LLOAD_LDAPS;
@ -430,6 +433,9 @@ client_init(
c->c_read_timeout = lload_timeout_net; c->c_read_timeout = lload_timeout_net;
read_cb = write_cb = client_tls_handshake_cb; read_cb = write_cb = client_tls_handshake_cb;
} }
#else /* ! HAVE_TLS */
assert(0);
#endif /* ! HAVE_TLS */
} }
event = event_new( base, s, EV_READ|EV_PERSIST, read_cb, c ); event = event_new( base, s, EV_READ|EV_PERSIST, read_cb, c );
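Review bot: The `assert(0)` in the new `#else` branch at L55–57 is compiled out under NDEBUG, so a connection arriving with CONN_IS_TLS on a --without-tls build would continue with `c->c_state = LLOAD_C_READY` (L46) and the default cleartext callbacks, and a listener that was meant to be TLS-only would silently serve plaintext. Whether a CONN_IS_TLS listener can be configured at all without TLS is decided outside this hunk; if it can, log and fail the connection through client_init's existing error path in addition to the assert, e.g. `Debug( LDAP_DEBUG_ANY, "client_init: TLS requested but lloadd was built without TLS support\n" );` followed by the function's failure return. client_init continues outside the hunk.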


@ -3671,6 +3671,19 @@ backend_cf_gen( ConfigArgs *c )
"invalid starttls configuration" ); "invalid starttls configuration" );
goto fail; goto fail;
} }
#ifndef HAVE_TLS
if ( tlskey[i].mask == LLOAD_STARTTLS_OPTIONAL ) {
Debug( LDAP_DEBUG_ANY, "%s: "
"lloadd compiled without TLS but starttls specified, "
"it will be ignored\n",
c->log );
} else if ( tlskey[i].mask != LLOAD_CLEARTEXT ) {
snprintf( c->cr_msg, sizeof(c->cr_msg),
"invalid starttls configuration when compiled without "
"TLS support" );
goto fail;
}
#endif /* ! HAVE_TLS */
b->b_tls_conf = tlskey[i].mask; b->b_tls_conf = tlskey[i].mask;
} break; } break;
default: default:
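Review bot: The new check at L67–79 only covers the `starttls` keyword, while the upstream_init hunk in this same commit compiles out `c->c_is_tls = b->b_tls` and the `LLOAD_CLEARTEXT` test around upstream_finish, so any backend whose URI selects LDAPS (wherever `b_tls` is set, outside this hunk) would be connected in cleartext in a --without-tls build. Unless URI parsing already rejects `ldaps://` without HAVE_TLS, this is the place to reject it with the same "invalid ... when compiled without TLS support" error rather than let the downgrade happen silently. For the optional case, falling back to cleartext with only a Debug line is consistent with `starttls=yes` being best-effort, but the message should identify the backend (its URI or index) so an operator can tell which upstream lost TLS. backend_cf_gen starts and ends outside the hunk.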


@ -1410,6 +1410,7 @@ backend_conn_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
return 0; return 0;
} }
#ifdef HAVE_TLS
int int
client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg ) client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
{ {
@ -1422,6 +1423,7 @@ client_tls_cb( ldap_pvt_thread_start_t *start, void *startarg, void *arg )
} }
return 0; return 0;
} }
#endif /* HAVE_TLS */
void void
lload_handle_backend_invalidation( LloadChange *change ) lload_handle_backend_invalidation( LloadChange *change )
@ -1648,6 +1650,7 @@ lload_handle_global_invalidation( LloadChange *change )
assert( !feature_diff ); assert( !feature_diff );
} }
#ifdef HAVE_TLS
if ( change->flags.daemon & LLOAD_DAEMON_MOD_TLS ) { if ( change->flags.daemon & LLOAD_DAEMON_MOD_TLS ) {
/* terminate all clients with TLS set up */ /* terminate all clients with TLS set up */
ldap_pvt_thread_pool_walk( ldap_pvt_thread_pool_walk(
@ -1670,6 +1673,7 @@ lload_handle_global_invalidation( LloadChange *change )
} }
} }
} }
#endif /* HAVE_TLS */
if ( change->flags.daemon & LLOAD_DAEMON_MOD_BINDCONF ) { if ( change->flags.daemon & LLOAD_DAEMON_MOD_BINDCONF ) {
LloadBackend *b; LloadBackend *b;
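Review bot: With the `#ifdef HAVE_TLS` / `#endif` added at L103 and L111, a runtime change carrying `LLOAD_DAEMON_MOD_TLS` is silently dropped in a --without-tls build; that is harmless if no TLS clients can exist, but it leaves the invariant undocumented. If the config layer can still raise that flag without TLS (the TLS keywords are handled outside this hunk), an `#else` branch with `assert( !(change->flags.daemon & LLOAD_DAEMON_MOD_TLS) );` would record the expectation the same way L101 does for `feature_diff`. lload_handle_global_invalidation starts and ends outside the hunk.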


@ -22,11 +22,13 @@
Avlnode *lload_exop_handlers = NULL; Avlnode *lload_exop_handlers = NULL;
#ifdef HAVE_TLS
void *lload_tls_ctx; void *lload_tls_ctx;
LDAP *lload_tls_ld, *lload_tls_backend_ld; LDAP *lload_tls_ld, *lload_tls_backend_ld;
#ifdef BALANCER_MODULE #ifdef BALANCER_MODULE
int lload_use_slap_tls_ctx = 0; int lload_use_slap_tls_ctx = 0;
#endif #endif
#endif /* HAVE_TLS */
int int
handle_starttls( LloadConnection *c, LloadOperation *op ) handle_starttls( LloadConnection *c, LloadOperation *op )
@ -42,6 +44,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
assert( op == found ); assert( op == found );
c->c_n_ops_executing--; c->c_n_ops_executing--;
#ifdef HAVE_TLS
if ( c->c_is_tls == LLOAD_TLS_ESTABLISHED ) { if ( c->c_is_tls == LLOAD_TLS_ESTABLISHED ) {
rc = LDAP_OPERATIONS_ERROR; rc = LDAP_OPERATIONS_ERROR;
msg = "TLS layer already in effect"; msg = "TLS layer already in effect";
@ -55,6 +58,11 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
rc = LDAP_UNAVAILABLE; rc = LDAP_UNAVAILABLE;
msg = "Could not initialize TLS"; msg = "Could not initialize TLS";
} }
#else /* ! HAVE_TLS */
rc = LDAP_UNAVAILABLE;
msg = "Could not initialize TLS";
#endif /* ! HAVE_TLS */
CONNECTION_UNLOCK(c); CONNECTION_UNLOCK(c);
Debug( LDAP_DEBUG_STATS, "handle_starttls: " Debug( LDAP_DEBUG_STATS, "handle_starttls: "
@ -67,6 +75,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
return LDAP_SUCCESS; return LDAP_SUCCESS;
} }
#ifdef HAVE_TLS
event_del( c->c_read_event ); event_del( c->c_read_event );
event_del( c->c_write_event ); event_del( c->c_write_event );
/* /*
@ -109,6 +118,7 @@ handle_starttls( LloadConnection *c, LloadOperation *op )
operation_unlink( op ); operation_unlink( op );
return -1; return -1;
#endif /* HAVE_TLS */
} }
int int
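Review bot: In a --without-tls build handle_starttls can now reach the end of a non-void function without a return: the `return LDAP_SUCCESS;` at L146 is closed by the `}` at L147, so it sits inside a conditional (otherwise the TLS code from L149 on would be dead), and with the whole remainder under `#ifdef HAVE_TLS` at L148–155 nothing follows it before the closing brace at L156. The `#else` branch at L139–142 always sets rc, so the path is unreachable at runtime, but the compiler cannot see that; add `return LDAP_SUCCESS;` in an `#else` before the `#endif` at L155 so the function is well-formed without relying on rc. Separately, "Could not initialize TLS" with LDAP_UNAVAILABLE at L140–141 describes a transient failure, whereas a server built without TLS can never support the operation; as I read RFC 4511 §4.14.2, protocolError is the code for TLS not being supported, so `rc = LDAP_PROTOCOL_ERROR; msg = "TLS not supported";` is more accurate and lets clients distinguish it from the real initialization failure at L136–137. handle_starttls starts outside the hunk.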


@ -281,7 +281,9 @@ sasl_bind_step( LloadConnection *c, BerValue *scred, BerValue *ccred )
if ( !ctx ) { if ( !ctx ) {
const char *mech = NULL; const char *mech = NULL;
#ifdef HAVE_TLS
void *ssl; void *ssl;
#endif /* HAVE_TLS */
if ( sasl_client_new( "ldap", b->b_host, NULL, NULL, client_callbacks, if ( sasl_client_new( "ldap", b->b_host, NULL, NULL, client_callbacks,
0, &ctx ) != SASL_OK ) { 0, &ctx ) != SASL_OK ) {
@ -688,6 +690,7 @@ upstream_finish( LloadConnection *c )
return LDAP_SUCCESS; return LDAP_SUCCESS;
} }
#ifdef HAVE_TLS
static void static void
upstream_tls_handshake_cb( evutil_socket_t s, short what, void *arg ) upstream_tls_handshake_cb( evutil_socket_t s, short what, void *arg )
{ {
@ -872,6 +875,7 @@ fail:
CONNECTION_DESTROY(c); CONNECTION_DESTROY(c);
return -1; return -1;
} }
#endif /* HAVE_TLS */
/* /*
* We must already hold b->b_mutex when called. * We must already hold b->b_mutex when called.
@ -893,7 +897,9 @@ upstream_init( ber_socket_t s, LloadBackend *b )
CONNECTION_LOCK(c); CONNECTION_LOCK(c);
c->c_private = b; c->c_private = b;
#ifdef HAVE_TLS
c->c_is_tls = b->b_tls; c->c_is_tls = b->b_tls;
#endif
c->c_pdu_cb = handle_one_response; c->c_pdu_cb = handle_one_response;
LDAP_CIRCLEQ_INSERT_HEAD( &b->b_preparing, c, c_next ); LDAP_CIRCLEQ_INSERT_HEAD( &b->b_preparing, c, c_next );
@ -924,10 +930,13 @@ upstream_init( ber_socket_t s, LloadBackend *b )
c->c_destroy = upstream_destroy; c->c_destroy = upstream_destroy;
c->c_unlink = upstream_unlink; c->c_unlink = upstream_unlink;
#ifdef HAVE_TLS
if ( c->c_is_tls == LLOAD_CLEARTEXT ) { if ( c->c_is_tls == LLOAD_CLEARTEXT ) {
#endif /* HAVE_TLS */
if ( upstream_finish( c ) ) { if ( upstream_finish( c ) ) {
goto fail; goto fail;
} }
#ifdef HAVE_TLS
} else if ( c->c_is_tls == LLOAD_LDAPS ) { } else if ( c->c_is_tls == LLOAD_LDAPS ) {
event_assign( c->c_read_event, base, s, EV_READ|EV_PERSIST, event_assign( c->c_read_event, base, s, EV_READ|EV_PERSIST,
upstream_tls_handshake_cb, c ); upstream_tls_handshake_cb, c );
@ -958,6 +967,7 @@ upstream_init( ber_socket_t s, LloadBackend *b )
event_add( c->c_read_event, c->c_read_timeout ); event_add( c->c_read_event, c->c_read_timeout );
} }
} }
#endif /* HAVE_TLS */
CONNECTION_UNLOCK(c); CONNECTION_UNLOCK(c);
return c; return c;