X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fstarttls.c;h=97bbab084ac9dd34cbd9fd11cb3a06b1333133b0;hb=a26612bc00bacbc660fa4a26466f609a29a1d072;hp=6228b5be696d6d00b210db83f1d63aed91568f75;hpb=6253e7c278ab9bac233968bd2e1e40748ff3bd02;p=openldap

diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index 6228b5be69..97bbab084a 100644
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -1,6 +1,6 @@
 /* $OpenLDAP$ */
 /* 
- * Copyright 1999 The OpenLDAP Foundation.
+ * Copyright 1999-2000 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms are permitted only
@@ -20,53 +20,91 @@
 
 int
 starttls_extop (
-	SLAP_EXTOP_CALLBACK_FN cb,
 	Connection *conn,
 	Operation *op,
-	char * reqoid,
+	const char * reqoid,
 	struct berval * reqdata,
 	char ** rspoid,
 	struct berval ** rspdata,
 	LDAPControl ***rspctrls,
-	char ** text,
+	const char ** text,
 	struct berval *** refs )
 {
 	void *ctx;
+	int rc;
 
 	if ( reqdata != NULL ) {
 		/* no request data should be provided */
+		*text = "no request data expected";
 		return LDAP_PROTOCOL_ERROR;
 	}
 
+	/* acquire connection lock */
+	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+
 	/* can't start TLS if it is already started */
-	if (conn->c_is_tls != 0)
-		return(LDAP_OPERATIONS_ERROR);
+	if (conn->c_is_tls != 0) {
+		*text = "TLS already started";
+		rc = LDAP_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	/* can't start TLS if there are other op's around */
+	if (( conn->c_ops != NULL &&
+			(conn->c_ops != op || op->o_next != NULL)) ||
+		( conn->c_pending_ops != NULL))
+	{
+		*text = "cannot start TLS when operations our outstanding";
+		rc = LDAP_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+		( conn->c_dn != NULL ) )
+	{
+		*text = "cannot start TLS after authentication";
+		rc = LDAP_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) &&
+		( conn->c_dn != NULL ) )
+	{
+		/* force to anonymous */
+		connection2anonymous( conn );
+	}
 
 	/* fail if TLS could not be initialized */
 	if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
 		|| ctx == NULL)
 	{
 		if (default_referral != NULL) {
-			/* caller will put the referral into the result */
-			return(LDAP_REFERRAL);
+			/* caller will put the referral in the result */
+			rc = LDAP_REFERRAL;
+			goto done;
 		}
-		return(LDAP_UNAVAILABLE);
-	}
 
-	/* can't start TLS if there are other op's around */
-	if (conn->c_ops != NULL) {
-		if (conn->c_ops != op || op->o_next != NULL)
-			return(LDAP_OPERATIONS_ERROR);
-	}
-	if (conn->c_pending_ops != NULL) {
-		if (conn->c_pending_ops != op || op->o_next != NULL)
-			return(LDAP_OPERATIONS_ERROR);
+		*text = "Could not initialize TLS";
+		rc = LDAP_UNAVAILABLE;
+		goto done;
 	}
 
     conn->c_is_tls = 1;
     conn->c_needs_tls_accept = 1;
 
-    return(LDAP_SUCCESS);
+    rc = LDAP_SUCCESS;
+
+done:
+	/* give up connection lock */
+	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+
+	/*
+	 * RACE CONDITION: we give up lock before sending result
+	 * Should be resolved by reworking connection state, not
+	 * by moving send here (so as to ensure proper TLS sequencing)
+	 */
+
+	return rc;
 }
 
 #endif	/* HAVE_TLS */