X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fstarttls.c;h=4ab33b10365e59da752622f95561d84435deeff1;hb=17f95a3fd30247a0735a3526d85b46178304748d;hp=6228b5be696d6d00b210db83f1d63aed91568f75;hpb=6253e7c278ab9bac233968bd2e1e40748ff3bd02;p=openldap diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c index 6228b5be69..4ab33b1036 100644 --- a/servers/slapd/starttls.c +++ b/servers/slapd/starttls.c @@ -1,6 +1,6 @@ /* $OpenLDAP$ */ /* - * Copyright 1999 The OpenLDAP Foundation. + * Copyright 1999-2003 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms are permitted only @@ -14,59 +14,104 @@ #include #include +#include + #include "slap.h" #ifdef HAVE_TLS int starttls_extop ( - SLAP_EXTOP_CALLBACK_FN cb, Connection *conn, Operation *op, - char * reqoid, + const char * reqoid, struct berval * reqdata, char ** rspoid, struct berval ** rspdata, LDAPControl ***rspctrls, - char ** text, - struct berval *** refs ) + const char ** text, + BerVarray * refs ) { void *ctx; + int rc; if ( reqdata != NULL ) { /* no request data should be provided */ + *text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } + /* acquire connection lock */ + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + /* can't start TLS if it is already started */ - if (conn->c_is_tls != 0) - return(LDAP_OPERATIONS_ERROR); + if (conn->c_is_tls != 0) { + *text = "TLS already started"; + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + + /* can't start TLS if there are other op's around */ + if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) && + (LDAP_STAILQ_FIRST(&conn->c_ops) != op || + LDAP_STAILQ_NEXT(op, o_next) != NULL)) || + ( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) )) + { + *text = "cannot start TLS when operations are outstanding"; + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + + if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) && + ( conn->c_dn.bv_len != 0 ) ) + { + Statslog( LDAP_DEBUG_STATS, + "conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0", + op->o_connid, op->o_opid, 0, 0, 0 ); + + /* force to anonymous */ + connection2anonymous( conn ); + } + + if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) && + ( conn->c_dn.bv_len != 0 ) ) + { + *text = "cannot start TLS after authentication"; + rc = LDAP_OPERATIONS_ERROR; + goto done; + } /* fail if TLS could not be initialized */ - if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0 + if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0 || ctx == NULL) { if (default_referral != NULL) { - /* caller will put the referral into the result */ - return(LDAP_REFERRAL); + /* caller will put the referral in the result */ + rc = LDAP_REFERRAL; + goto done; } - return(LDAP_UNAVAILABLE); - } - /* can't start TLS if there are other op's around */ - if (conn->c_ops != NULL) { - if (conn->c_ops != op || op->o_next != NULL) - return(LDAP_OPERATIONS_ERROR); - } - if (conn->c_pending_ops != NULL) { - if (conn->c_pending_ops != op || op->o_next != NULL) - return(LDAP_OPERATIONS_ERROR); + *text = "Could not initialize TLS"; + rc = LDAP_UNAVAILABLE; + goto done; } conn->c_is_tls = 1; conn->c_needs_tls_accept = 1; - return(LDAP_SUCCESS); + rc = LDAP_SUCCESS; + +done: + /* give up connection lock */ + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + + /* + * RACE CONDITION: we give up lock before sending result + * Should be resolved by reworking connection state, not + * by moving send here (so as to ensure proper TLS sequencing) + */ + + return rc; } #endif /* HAVE_TLS */