From c6e2a69f2722a540a36fd5bcfb43296b282997e5 Mon Sep 17 00:00:00 2001
From: Pierangelo Masarati <ando@openldap.org>
Date: Thu, 11 Aug 2005 16:01:24 +0000
Subject: [PATCH] fix tls propagation, including rebind

---
 servers/slapd/back-ldap/back-ldap.h |  10 +-
 servers/slapd/back-ldap/bind.c      | 197 +++++++++++++++++++++-------
 2 files changed, 154 insertions(+), 53 deletions(-)

diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h
index 7a62b1dff2..828b55261e 100644
--- a/servers/slapd/back-ldap/back-ldap.h
+++ b/servers/slapd/back-ldap/back-ldap.h
@@ -26,19 +26,19 @@
 
 LDAP_BEGIN_DECL
 
-struct slap_conn;
-struct slap_op;
-struct slap_backend_db;
-
 struct ldapconn {
-	struct slap_conn	*lc_conn;
+	Connection		*lc_conn;
+#define	LDAP_BACK_PRIV_CONN	((void *)0x0)
+#define	LDAP_BACK_PRIV_CONN_TLS	((void *)0x1)
 	LDAP			*lc_ld;
 	struct berval		lc_cred;
 	struct berval 		lc_bound_ndn;
 	struct berval		lc_local_ndn;
 	int			lc_bound;
 	int			lc_ispriv;
+	int			lc_is_tls;
 	unsigned		lc_refcnt;
+	unsigned		lc_flags;
 };
 
 /*
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index d9e395d3ed..2d1131f5aa 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -251,34 +251,25 @@ ldap_back_freeconn( Operation *op, struct ldapconn *lc )
 	return 0;
 }
 
+#ifdef HAVE_TLS
 static int
-ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
+ldap_back_start_tls(
+	LDAP		*ld,
+	int		protocol,
+	int		*is_tls,
+	const char	*url,
+	unsigned	flags,
+	const char	**text )
 {
-	struct ldapinfo	*li = (struct ldapinfo *)op->o_bd->be_private;
-	int		vers = op->o_protocol;
-	LDAP		*ld = NULL;
-
-	assert( lcp != NULL );
+	int		rc = LDAP_SUCCESS;
+	struct ldapinfo	li;
 
-	rs->sr_err = ldap_initialize( &ld, li->url );
-	if ( rs->sr_err != LDAP_SUCCESS ) {
-		goto error_return;
-	}
+	/* this is ridicolous... */
+	li.flags = flags;
 
-	/* Set LDAP version. This will always succeed: If the client
-	 * bound with a particular version, then so can we.
-	 */
-	ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers );
-
-	/* automatically chase referrals ("[dont-]chase-referrals" statement) */
-	if ( LDAP_BACK_CHASE_REFERRALS( li ) ) {
-		ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON );
-	}
-
-#ifdef HAVE_TLS
 	/* start TLS ("tls-[try-]{start,propagate}" statements) */
-	if ( ( LDAP_BACK_USE_TLS( li ) || ( op->o_conn->c_is_tls && LDAP_BACK_PROPAGATE_TLS( li ) ) )
-				&& !ldap_is_ldaps_url( li->url ) )
+	if ( ( LDAP_BACK_USE_TLS( &li ) || ( *is_tls && LDAP_BACK_PROPAGATE_TLS( &li ) ) )
+				&& !ldap_is_ldaps_url( url ) )
 	{
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
 		/*
@@ -287,16 +278,28 @@ ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, lda
 		 */
 		int		msgid;
 
-		rs->sr_err = ldap_start_tls( ld, NULL, NULL, &msgid );
-		if ( rs->sr_err == LDAP_SUCCESS ) {
+		if ( protocol == 0 ) {
+			ldap_get_option( ld, LDAP_OPT_PROTOCOL_VERSION,
+					(void *)&protocol );
+		}
+
+		if ( protocol < LDAP_VERSION3 ) {
+			protocol = LDAP_VERSION3;
+			/* Set LDAP version */
+			ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION,
+					(const void *)&protocol );
+		}
+
+		rc = ldap_start_tls( ld, NULL, NULL, &msgid );
+		if ( rc == LDAP_SUCCESS ) {
 			LDAPMessage	*res = NULL;
-			int		rc, retries = 1;
+			int		retries = 1;
 			struct timeval	tv = { 0, 0 };
 
 retry:;
 			rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res );
 			if ( rc < 0 ) {
-				rs->sr_err = LDAP_OTHER;
+				rc = LDAP_OTHER;
 
 			} else if ( rc == 0 ) {
 				if ( retries ) {
@@ -305,27 +308,27 @@ retry:;
 					tv.tv_usec = 100000;
 					goto retry;
 				}
-				rs->sr_err = LDAP_OTHER;
+				rc = LDAP_OTHER;
 
 			} else if ( rc == LDAP_RES_EXTENDED ) {
 				struct berval	*data = NULL;
 
-				rs->sr_err = ldap_parse_extended_result( ld, res,
+				rc = ldap_parse_extended_result( ld, res,
 						NULL, &data, 0 );
-				if ( rs->sr_err == LDAP_SUCCESS ) {
-					rs->sr_err = ldap_result2error( ld, res, 1 );
+				if ( rc == LDAP_SUCCESS ) {
+					rc = ldap_result2error( ld, res, 1 );
 					res = NULL;
 					
 					/* FIXME: in case a referral 
 					 * is returned, should we try
 					 * using it instead of the 
 					 * configured URI? */
-					if ( rs->sr_err == LDAP_SUCCESS ) {
-						ldap_install_tls( ld );
+					if ( rc == LDAP_SUCCESS ) {
+						rc = ldap_install_tls( ld );
 
-					} else if ( rs->sr_err == LDAP_REFERRAL ) {
-						rs->sr_err = LDAP_OTHER;
-						rs->sr_text = "unwilling to chase referral returned by Start TLS exop";
+					} else if ( rc == LDAP_REFERRAL ) {
+						rc = LDAP_OTHER;
+						*text = "unwilling to chase referral returned by Start TLS exop";
 					}
 
 					if ( data ) {
@@ -337,7 +340,7 @@ retry:;
 				}
 
 			} else {
-				rs->sr_err = LDAP_OTHER;
+				rc = LDAP_OTHER;
 			}
 
 			if ( res != NULL ) {
@@ -348,30 +351,84 @@ retry:;
 		/*
 		 * use synchronous StartTLS
 		 */
-		rs->sr_err = ldap_start_tls_s( ld, NULL, NULL );
+		rc = ldap_start_tls_s( ld, NULL, NULL );
 #endif /* ! SLAP_STARTTLS_ASYNCHRONOUS */
 
 		/* if StartTLS is requested, only attempt it if the URL
 		 * is not "ldaps://"; this may occur not only in case
 		 * of misconfiguration, but also when used in the chain 
 		 * overlay, where the "uri" can be parsed out of a referral */
-		if ( rs->sr_err == LDAP_SERVER_DOWN
-				|| ( rs->sr_err != LDAP_SUCCESS && LDAP_BACK_TLS_CRITICAL( li ) ) )
-		{
-			ldap_unbind_ext( ld, NULL, NULL );
-			goto error_return;
+		switch ( rc ) {
+		case LDAP_SUCCESS:
+			*is_tls = 1;
+			break;
+
+		case LDAP_SERVER_DOWN:
+			break;
+
+		default:
+			if ( LDAP_BACK_TLS_CRITICAL( &li ) ) {
+				*text = "could not start TLS";
+				break;
+			}
+
+			/* in case Start TLS is not critical */
+			*is_tls = 0;
+			rc = LDAP_SUCCESS;
+			break;
 		}
 
-		/* in case Start TLS is not critical */
-		rs->sr_err = LDAP_SUCCESS;
+	} else {
+		*is_tls = 0;
+	}
+
+error_return:;
+	return rc;
+}
+#endif /* HAVE_TLS */
+
+static int
+ldap_back_prepare_conn( struct ldapconn **lcp, Operation *op, SlapReply *rs, ldap_back_send_t sendok )
+{
+	struct ldapinfo	*li = (struct ldapinfo *)op->o_bd->be_private;
+	int		vers = op->o_protocol;
+	LDAP		*ld = NULL;
+	int		is_tls = op->o_conn->c_is_tls;
+
+	assert( lcp != NULL );
+
+	rs->sr_err = ldap_initialize( &ld, li->url );
+	if ( rs->sr_err != LDAP_SUCCESS ) {
+		goto error_return;
+	}
+
+	/* Set LDAP version. This will always succeed: If the client
+	 * bound with a particular version, then so can we.
+	 */
+	ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, (const void *)&vers );
+
+	/* automatically chase referrals ("[dont-]chase-referrals" statement) */
+	if ( LDAP_BACK_CHASE_REFERRALS( li ) ) {
+		ldap_set_option( ld, LDAP_OPT_REFERRALS, LDAP_OPT_ON );
+	}
+
+#ifdef HAVE_TLS
+	rs->sr_err = ldap_back_start_tls( ld,
+			op->o_protocol, &is_tls,
+			li->url, li->flags, &rs->sr_text );
+	if ( rs->sr_err != LDAP_SUCCESS ) {
+		ldap_unbind_ext( ld, NULL, NULL );
+		goto error_return;
 	}
 #endif /* HAVE_TLS */
 
 	if ( *lcp == NULL ) {
 		*lcp = (struct ldapconn *)ch_calloc( 1, sizeof( struct ldapconn ) );
+		(*lcp)->lc_flags= li->flags;
 	}
 	(*lcp)->lc_ld = ld;
 	(*lcp)->lc_refcnt = 1;
+	(*lcp)->lc_is_tls = is_tls;
 
 error_return:;
 	if ( rs->sr_err != LDAP_SUCCESS ) {
@@ -407,14 +464,16 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 		lc_curr.lc_conn = op->o_conn;
 
 	} else {
-		lc_curr.lc_conn = NULL;
+		lc_curr.lc_conn = op->o_conn->c_is_tls ? 
+			LDAP_BACK_PRIV_CONN_TLS : LDAP_BACK_PRIV_CONN;
 	}
 	
 	/* Internal searches are privileged and shared. So is root. */
 	/* FIXME: there seem to be concurrency issues */
 	if ( op->o_do_not_cache || be_isroot( op ) ) {
 		lc_curr.lc_local_ndn = op->o_bd->be_rootndn;
-		lc_curr.lc_conn = NULL;
+		lc_curr.lc_conn = op->o_conn->c_is_tls ? 
+			LDAP_BACK_PRIV_CONN_TLS : LDAP_BACK_PRIV_CONN;
 		lc_curr.lc_ispriv = 1;
 
 	} else {
@@ -454,6 +513,31 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 			}
 		}
 
+		/* if start TLS failed but it was not mandatory,
+		 * check if the non-TLS connection was already
+		 * in cache; in case, destroy the newly created
+		 * connection and use the existing one */
+		if ( lc->lc_conn == LDAP_BACK_PRIV_CONN_TLS
+				&& !ldap_tls_inplace( lc->lc_ld ) )
+		{
+			struct ldapconn *tmplc;
+			
+			lc_curr.lc_conn = LDAP_BACK_PRIV_CONN;
+			ldap_pvt_thread_mutex_lock( &li->conn_mutex );
+			tmplc = (struct ldapconn *)avl_find( li->conntree, 
+					(caddr_t)&lc_curr, ldap_back_conn_cmp );
+			if ( tmplc != NULL ) {
+				refcnt = ++tmplc->lc_refcnt;
+				ldap_back_conn_free( lc );
+				lc = tmplc;
+			}
+			ldap_pvt_thread_mutex_unlock( &li->conn_mutex );
+
+			if ( tmplc != NULL ) {
+				goto done;
+			}
+		}
+
 		lc->lc_bound = 0;
 
 		/* Inserts the newly created ldapconn in the avl tree */
@@ -489,7 +573,8 @@ ldap_back_getconn( Operation *op, SlapReply *rs, ldap_back_send_t sendok )
 			"=>ldap_back_getconn: conn %p fetched (refcnt=%u)\n",
 			(void *)lc, refcnt, 0 );
 	}
-	
+
+done:;
 	return lc;
 }
 
@@ -673,6 +758,22 @@ ldap_back_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request,
 {
 	struct ldapconn *lc = (struct ldapconn *)params;
 
+#ifdef HAVE_TLS
+	/* ... otherwise we couldn't get here */
+	assert( lc != NULL );
+
+	if ( !ldap_tls_inplace( ld ) ) {
+		int		is_tls = lc->lc_is_tls,
+				rc;
+		const char	*text = NULL;
+
+		rc = ldap_back_start_tls( ld, 0, &is_tls, url, lc->lc_flags, &text );
+		if ( rc != LDAP_SUCCESS ) {
+			return rc;
+		}
+	}
+#endif /* HAVE_TLS */
+
 	/* FIXME: add checks on the URL/identity? */
 
 	return ldap_sasl_bind_s( ld, lc->lc_bound_ndn.bv_val,
-- 
2.39.2