From: Luke Howard
Date: Thu, 6 May 2004 03:27:45 +0000 (+0000)
Subject: Fix ITS#3131 properly - set operation SSF to MAX(TLS, SASL) SSFs
X-Git-Tag: OPENDLAP_REL_ENG_2_2_MP~404
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=b44a79965e3faa67e74733765eb3117a093c4748;p=openldap

Fix ITS#3131 properly - set operation SSF to MAX(TLS, SASL) SSFs
---

diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index 62b0cd309a..5309636963 100644
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@@ -179,6 +179,9 @@ do_syncrep1(
 struct sync_cookie *sc = NULL;
 struct sync_cookie syncCookie = { NULL, -1, NULL };
 struct berval *psub;
+#ifdef HAVE_TLS
+ void *ssl;
+#endif
 
 psub = &si->si_be->be_nsuffix[0];
 
@@ -303,8 +306,18 @@ do_syncrep1(
 }
 }
 
- /* set SSF for local authorization */
- ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_ssf );
+ /* Set SSF to strongest of TLS, SASL SSFs */
+ op->o_sasl_ssf = 0;
+ op->o_tls_ssf = 0;
+#ifdef HAVE_TLS
+ if ( ldap_get_option( si->si_ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl ) == LDAP_SUCCESS &&
+ ssl != NULL ) {
+ op->o_tls_ssf = ldap_pvt_tls_get_strength( ssl );
+ }
+#endif /* HAVE_TLS */
+ ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_sasl_ssf );
+ op->o_transport_ssf = op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf ) ?
+ op->o_sasl_ssf : op->o_tls_ssf;
 
 /* get syncrepl cookie of shadow replica from subentry */
 assert( si->si_rid < 1000 );
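Review bot: The last assignment in the second hunk writes the combined maximum into `op->o_transport_ssf` as well as `op->o_ssf`, so a SASL security layer negotiated with the provider is also reported as transport strength. If anything evaluated later for this operation weighs the transport factor separately from the TLS and SASL factors (not visible from this hunk), that factor would be overstated; I would either assign only `op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf ) ? op->o_sasl_ssf : op->o_tls_ssf;` or add a comment such as `/* no separate transport factor for the syncrepl session; reuse the effective SSF */` stating that the equality is intended. The result of the `LDAP_OPT_X_SASL_SSF` lookup is still unchecked and silently relies on the zeroing at the top of the block, which deserves a short comment, and `void *ssl;` in the first hunk would be more defensive as `void *ssl = NULL;`. do_syncrep1 begins and ends outside both hunks.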