fix for select_backend suggested G. Gombas (ITS 1090)

[openldap] / servers / slapd / starttls.c

diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index 6228b5be696d6d00b210db83f1d63aed91568f75..97bbab084ac9dd34cbd9fd11cb3a06b1333133b0 100644 (file)
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -1,6 +1,6 @@
 /* $OpenLDAP$ */
 /* 
- * Copyright 1999 The OpenLDAP Foundation.
+ * Copyright 1999-2000 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms are permitted only
@@ -20,53 +20,91 @@
 
 int
 starttls_extop (
-       SLAP_EXTOP_CALLBACK_FN cb,
        Connection *conn,
        Operation *op,
-       char * reqoid,
+       const char * reqoid,
        struct berval * reqdata,
        char ** rspoid,
        struct berval ** rspdata,
        LDAPControl ***rspctrls,
-       char ** text,
+       const char ** text,
        struct berval *** refs )
 {
        void *ctx;
+       int rc;
 
        if ( reqdata != NULL ) {
                /* no request data should be provided */
+               *text = "no request data expected";
                return LDAP_PROTOCOL_ERROR;
        }
 
+       /* acquire connection lock */
+       ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+
        /* can't start TLS if it is already started */
-       if (conn->c_is_tls != 0)
-               return(LDAP_OPERATIONS_ERROR);
+       if (conn->c_is_tls != 0) {
+               *text = "TLS already started";
+               rc = LDAP_OPERATIONS_ERROR;
+               goto done;
+       }
+
+       /* can't start TLS if there are other op's around */
+       if (( conn->c_ops != NULL &&
+                       (conn->c_ops != op || op->o_next != NULL)) ||
+               ( conn->c_pending_ops != NULL))
+       {
+               *text = "cannot start TLS when operations our outstanding";
+               rc = LDAP_OPERATIONS_ERROR;
+               goto done;
+       }
+
+       if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+               ( conn->c_dn != NULL ) )
+       {
+               *text = "cannot start TLS after authentication";
+               rc = LDAP_OPERATIONS_ERROR;
+               goto done;
+       }
+
+       if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
+               ( conn->c_dn != NULL ) )
+       {
+               /* force to anonymous */
+               connection2anonymous( conn );
+       }
 
        /* fail if TLS could not be initialized */
        if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
                || ctx == NULL)
        {
                if (default_referral != NULL) {
-                       /* caller will put the referral into the result */
-                       return(LDAP_REFERRAL);
+                       /* caller will put the referral in the result */
+                       rc = LDAP_REFERRAL;
+                       goto done;
                }
-               return(LDAP_UNAVAILABLE);
-       }
 
-       /* can't start TLS if there are other op's around */
-       if (conn->c_ops != NULL) {
-               if (conn->c_ops != op || op->o_next != NULL)
-                       return(LDAP_OPERATIONS_ERROR);
-       }
-       if (conn->c_pending_ops != NULL) {
-               if (conn->c_pending_ops != op || op->o_next != NULL)
-                       return(LDAP_OPERATIONS_ERROR);
+               *text = "Could not initialize TLS";
+               rc = LDAP_UNAVAILABLE;
+               goto done;
        }
 
     conn->c_is_tls = 1;
     conn->c_needs_tls_accept = 1;
 
-    return(LDAP_SUCCESS);
+    rc = LDAP_SUCCESS;
+
+done:
+       /* give up connection lock */
+       ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
+       /*
+        * RACE CONDITION: we give up lock before sending result
+        * Should be resolved by reworking connection state, not
+        * by moving send here (so as to ensure proper TLS sequencing)
+        */
+
+       return rc;
 }
 
 #endif /* HAVE_TLS */