Fix ITS#3131 properly - set operation SSF to MAX(TLS, SASL) SSFs

diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index 62b0cd309a49c82adec8e415380b044ba98e2706..530963696356eae10c37646fb7d36022c35878ca 100644 (file)
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@@ -179,6 +179,9 @@ do_syncrep1(
        struct sync_cookie      *sc = NULL;
        struct sync_cookie      syncCookie = { NULL, -1, NULL };
        struct berval   *psub;
+#ifdef HAVE_TLS
+       void    *ssl;
+#endif
 
        psub = &si->si_be->be_nsuffix[0];
 
@@ -303,8 +306,18 @@ do_syncrep1(
                }
        }
 
-       /* set SSF for local authorization */
-       ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_ssf );
+       /* Set SSF to strongest of TLS, SASL SSFs */
+       op->o_sasl_ssf = 0;
+       op->o_tls_ssf = 0;
+#ifdef HAVE_TLS
+       if ( ldap_get_option( si->si_ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl ) == LDAP_SUCCESS &&
+            ssl != NULL ) {
+               op->o_tls_ssf = ldap_pvt_tls_get_strength( ssl );
+       }
+#endif /* HAVE_TLS */
+       ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_sasl_ssf );
+       op->o_transport_ssf = op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf ) ?
+               op->o_sasl_ssf : op->o_tls_ssf;
 
        /* get syncrepl cookie of shadow replica from subentry */
        assert( si->si_rid < 1000 );