X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fstarttls.c;h=4ab33b10365e59da752622f95561d84435deeff1;hb=17f95a3fd30247a0735a3526d85b46178304748d;hp=6cee1c2964527616f365aba3453c3f1e290d4d7f;hpb=0c8fdd5b20b40ae0fe9d23afc654b300f2898ce9;p=openldap diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c index 6cee1c2964..4ab33b1036 100644 --- a/servers/slapd/starttls.c +++ b/servers/slapd/starttls.c @@ -1,6 +1,6 @@ /* $OpenLDAP$ */ /* - * Copyright 1999 The OpenLDAP Foundation. + * Copyright 1999-2003 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms are permitted only @@ -14,55 +14,104 @@ #include #include +#include + #include "slap.h" #ifdef HAVE_TLS int starttls_extop ( - SLAP_EXTOP_CALLBACK_FN cb, Connection *conn, Operation *op, - char * oid, + const char * reqoid, struct berval * reqdata, + char ** rspoid, struct berval ** rspdata, - char ** text ) + LDAPControl ***rspctrls, + const char ** text, + BerVarray * refs ) { + void *ctx; + int rc; + if ( reqdata != NULL ) { /* no request data should be provided */ + *text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } + /* acquire connection lock */ + ldap_pvt_thread_mutex_lock( &conn->c_mutex ); + /* can't start TLS if it is already started */ - if (conn->c_is_tls != 0) - return(LDAP_OPERATIONS_ERROR); + if (conn->c_is_tls != 0) { + *text = "TLS already started"; + rc = LDAP_OPERATIONS_ERROR; + goto done; + } /* can't start TLS if there are other op's around */ - if (conn->c_ops != NULL) { - if (conn->c_ops != op || op->o_next != NULL) - return(LDAP_OPERATIONS_ERROR); + if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) && + (LDAP_STAILQ_FIRST(&conn->c_ops) != op || + LDAP_STAILQ_NEXT(op, o_next) != NULL)) || + ( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) )) + { + *text = "cannot start TLS when operations are outstanding"; + rc = LDAP_OPERATIONS_ERROR; + goto done; } - if (conn->c_pending_ops != NULL) { - if (conn->c_pending_ops != op || op->o_next != NULL) - return(LDAP_OPERATIONS_ERROR); + + if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) && + ( conn->c_dn.bv_len != 0 ) ) + { + Statslog( LDAP_DEBUG_STATS, + "conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0", + op->o_connid, op->o_opid, 0, 0, 0 ); + + /* force to anonymous */ + connection2anonymous( conn ); } - /* here's some pseudo-code if HAVE_TLS is defined - * but for some reason TLS is not available. - */ - /* - if (tls not really supported) { - if (referral exists) { - // caller will need to put the referral into the result - return(LDAP_REFERRAL); - } - return(LDAP_UNAVAILABLE); + if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) && + ( conn->c_dn.bv_len != 0 ) ) + { + *text = "cannot start TLS after authentication"; + rc = LDAP_OPERATIONS_ERROR; + goto done; + } + + /* fail if TLS could not be initialized */ + if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0 + || ctx == NULL) + { + if (default_referral != NULL) { + /* caller will put the referral in the result */ + rc = LDAP_REFERRAL; + goto done; } - */ + + *text = "Could not initialize TLS"; + rc = LDAP_UNAVAILABLE; + goto done; + } conn->c_is_tls = 1; conn->c_needs_tls_accept = 1; - return(LDAP_SUCCESS); + + rc = LDAP_SUCCESS; + +done: + /* give up connection lock */ + ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); + + /* + * RACE CONDITION: we give up lock before sending result + * Should be resolved by reworking connection state, not + * by moving send here (so as to ensure proper TLS sequencing) + */ + + return rc; } #endif /* HAVE_TLS */