X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fstarttls.c;h=f2593e74742469769f873096d428acb45374a984;hb=161574b00d68456a0f24d5e364853d923ef5ba8b;hp=225aa60dd43185cf0a2960215bf8cbaa32d6bb33;hpb=10961151ef251aae8fd0e8e304879f260d6b5c79;p=openldap

diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index 225aa60dd4..f2593e7474 100644
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -1,108 +1,107 @@
 /* $OpenLDAP$ */
-/* 
- * Copyright 1999-2000 The OpenLDAP Foundation.
+/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
+ *
+ * Copyright 1998-2006 The OpenLDAP Foundation.
  * All rights reserved.
  *
- * Redistribution and use in source and binary forms are permitted only
- * as authorized by the OpenLDAP Public License.  A copy of this
- * license is available at http://www.OpenLDAP.org/license.html or
- * in file LICENSE in the top-level directory of the distribution.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted only as authorized by the OpenLDAP
+ * Public License.
+ *
+ * A copy of this license is available in the file LICENSE in the
+ * top-level directory of the distribution or, alternatively, at
+ * <http://www.OpenLDAP.org/license.html>.
  */
 
 #include "portable.h"
 
 #include <stdio.h>
 #include <ac/socket.h>
-
-#include <ldap_pvt.h>
+#include <ac/string.h>
 
 #include "slap.h"
+#include "lber_pvt.h"
 
-#ifdef HAVE_TLS
+const struct berval slap_EXOP_START_TLS = BER_BVC(LDAP_EXOP_START_TLS);
 
+#ifdef HAVE_TLS
 int
-starttls_extop (
-	Connection *conn,
-	Operation *op,
-	const char * reqoid,
-	struct berval * reqdata,
-	char ** rspoid,
-	struct berval ** rspdata,
-	LDAPControl ***rspctrls,
-	const char ** text,
-	struct berval *** refs )
+starttls_extop ( Operation *op, SlapReply *rs )
 {
-	void *ctx;
 	int rc;
 
-	if ( reqdata != NULL ) {
+	Statslog( LDAP_DEBUG_STATS, "%s STARTTLS\n",
+	    op->o_log_prefix, 0, 0, 0, 0 );
+
+	if ( op->ore_reqdata != NULL ) {
 		/* no request data should be provided */
-		*text = "no request data expected";
+		rs->sr_text = "no request data expected";
 		return LDAP_PROTOCOL_ERROR;
 	}
 
 	/* acquire connection lock */
-	ldap_pvt_thread_mutex_lock( &conn->c_mutex );
+	ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
 
 	/* can't start TLS if it is already started */
-	if (conn->c_is_tls != 0) {
-		*text = "TLS already started";
+	if (op->o_conn->c_is_tls != 0) {
+		rs->sr_text = "TLS already started";
 		rc = LDAP_OPERATIONS_ERROR;
 		goto done;
 	}
 
 	/* can't start TLS if there are other op's around */
-	if (( !STAILQ_EMPTY(&conn->c_ops) &&
-			(STAILQ_FIRST(&conn->c_ops) != op ||
-			STAILQ_NEXT(op, o_next) != NULL)) ||
-		( !STAILQ_EMPTY(&conn->c_pending_ops) ))
+	if (( !LDAP_STAILQ_EMPTY(&op->o_conn->c_ops) &&
+			(LDAP_STAILQ_FIRST(&op->o_conn->c_ops) != op ||
+			LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
+		( !LDAP_STAILQ_EMPTY(&op->o_conn->c_pending_ops) ))
 	{
-		*text = "cannot start TLS when operations are outstanding";
+		rs->sr_text = "cannot start TLS when operations are outstanding";
 		rc = LDAP_OPERATIONS_ERROR;
 		goto done;
 	}
 
 	if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
-		( conn->c_dn.bv_len != 0 ) )
+		( op->o_conn->c_dn.bv_len != 0 ) )
 	{
+		Statslog( LDAP_DEBUG_STATS,
+			"%s AUTHZ anonymous mech=starttls ssf=0\n",
+			op->o_log_prefix, 0, 0, 0, 0 );
+
 		/* force to anonymous */
-		connection2anonymous( conn );
+		connection2anonymous( op->o_conn );
 	}
 
 	if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
-		( conn->c_dn.bv_len != 0 ) )
+		( op->o_conn->c_dn.bv_len != 0 ) )
 	{
-		*text = "cannot start TLS after authentication";
+		rs->sr_text = "cannot start TLS after authentication";
 		rc = LDAP_OPERATIONS_ERROR;
 		goto done;
 	}
 
 	/* fail if TLS could not be initialized */
-	if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
-		|| ctx == NULL)
-	{
+	if ( slap_tls_ctx == NULL ) {
 		if (default_referral != NULL) {
 			/* caller will put the referral in the result */
 			rc = LDAP_REFERRAL;
 			goto done;
 		}
 
-		*text = "Could not initialize TLS";
+		rs->sr_text = "Could not initialize TLS";
 		rc = LDAP_UNAVAILABLE;
 		goto done;
 	}
 
-    conn->c_is_tls = 1;
-    conn->c_needs_tls_accept = 1;
+    op->o_conn->c_is_tls = 1;
+    op->o_conn->c_needs_tls_accept = 1;
 
     rc = LDAP_SUCCESS;
 
 done:
 	/* give up connection lock */
-	ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
+	ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
 
-	/*
-	 * RACE CONDITION: we give up lock before sending result
+	/* FIXME: RACE CONDITION! we give up lock before sending result
 	 * Should be resolved by reworking connection state, not
 	 * by moving send here (so as to ensure proper TLS sequencing)
 	 */