1999-12-10 06:41:45 +08:00
|
|
|
/* $OpenLDAP$ */
|
2003-11-27 09:17:14 +08:00
|
|
|
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
|
|
|
|
*
|
2020-01-10 00:50:21 +08:00
|
|
|
* Copyright 1998-2020 The OpenLDAP Foundation.
|
1999-12-10 06:41:45 +08:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
2003-11-27 09:17:14 +08:00
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted only as authorized by the OpenLDAP
|
|
|
|
* Public License.
|
|
|
|
*
|
|
|
|
* A copy of this license is available in the file LICENSE in the
|
|
|
|
* top-level directory of the distribution or, alternatively, at
|
|
|
|
* <http://www.OpenLDAP.org/license.html>.
|
1999-12-10 06:41:45 +08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include "portable.h"
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <ac/socket.h>
|
2006-03-07 08:48:14 +08:00
|
|
|
#include <ac/string.h>
|
1999-12-10 06:41:45 +08:00
|
|
|
|
|
|
|
#include "slap.h"
|
2006-03-07 08:48:14 +08:00
|
|
|
#include "lber_pvt.h"
|
1999-12-10 06:41:45 +08:00
|
|
|
|
2006-03-07 08:48:14 +08:00
|
|
|
const struct berval slap_EXOP_START_TLS = BER_BVC(LDAP_EXOP_START_TLS);
|
1999-12-10 06:41:45 +08:00
|
|
|
|
2006-03-07 08:48:14 +08:00
|
|
|
#ifdef HAVE_TLS
|
1999-12-10 06:41:45 +08:00
|
|
|
int
|
2003-03-30 17:03:54 +08:00
|
|
|
starttls_extop ( Operation *op, SlapReply *rs )
|
1999-12-10 06:41:45 +08:00
|
|
|
{
|
2000-03-03 04:36:53 +08:00
|
|
|
int rc;
|
1999-12-11 03:18:33 +08:00
|
|
|
|
2019-02-16 00:49:52 +08:00
|
|
|
Debug( LDAP_DEBUG_STATS, "%s STARTTLS\n",
|
|
|
|
op->o_log_prefix );
|
2005-08-14 08:14:58 +08:00
|
|
|
|
2003-03-31 15:49:34 +08:00
|
|
|
if ( op->ore_reqdata != NULL ) {
|
1999-12-10 07:21:48 +08:00
|
|
|
/* no request data should be provided */
|
2003-03-30 17:03:54 +08:00
|
|
|
rs->sr_text = "no request data expected";
|
1999-12-10 07:21:48 +08:00
|
|
|
return LDAP_PROTOCOL_ERROR;
|
|
|
|
}
|
|
|
|
|
2000-03-03 04:36:53 +08:00
|
|
|
/* acquire connection lock */
|
2003-03-30 17:03:54 +08:00
|
|
|
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
|
2000-03-03 04:36:53 +08:00
|
|
|
|
1999-12-10 06:41:45 +08:00
|
|
|
/* can't start TLS if it is already started */
|
2003-03-30 17:03:54 +08:00
|
|
|
if (op->o_conn->c_is_tls != 0) {
|
|
|
|
rs->sr_text = "TLS already started";
|
2000-03-03 04:36:53 +08:00
|
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
|
|
goto done;
|
|
|
|
}
|
1999-12-10 06:41:45 +08:00
|
|
|
|
2000-08-31 06:24:21 +08:00
|
|
|
/* can't start TLS if there are other op's around */
|
2003-03-30 17:03:54 +08:00
|
|
|
if (( !LDAP_STAILQ_EMPTY(&op->o_conn->c_ops) &&
|
|
|
|
(LDAP_STAILQ_FIRST(&op->o_conn->c_ops) != op ||
|
2002-01-03 08:12:46 +08:00
|
|
|
LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
|
2003-03-30 17:03:54 +08:00
|
|
|
( !LDAP_STAILQ_EMPTY(&op->o_conn->c_pending_ops) ))
|
2000-08-31 06:24:21 +08:00
|
|
|
{
|
2003-03-30 17:03:54 +08:00
|
|
|
rs->sr_text = "cannot start TLS when operations are outstanding";
|
2000-08-31 06:24:21 +08:00
|
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
|
2004-10-06 13:51:38 +08:00
|
|
|
if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
|
2003-03-30 17:03:54 +08:00
|
|
|
( op->o_conn->c_dn.bv_len != 0 ) )
|
2000-09-09 06:59:01 +08:00
|
|
|
{
|
2019-02-16 00:49:52 +08:00
|
|
|
Debug( LDAP_DEBUG_STATS,
|
2004-09-27 07:00:00 +08:00
|
|
|
"%s AUTHZ anonymous mech=starttls ssf=0\n",
|
2019-02-16 00:49:52 +08:00
|
|
|
op->o_log_prefix );
|
2002-11-12 02:55:45 +08:00
|
|
|
|
2001-12-21 12:44:34 +08:00
|
|
|
/* force to anonymous */
|
2003-03-30 17:03:54 +08:00
|
|
|
connection2anonymous( op->o_conn );
|
2000-09-09 06:59:01 +08:00
|
|
|
}
|
|
|
|
|
2004-10-06 13:51:38 +08:00
|
|
|
if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
|
2003-03-30 17:03:54 +08:00
|
|
|
( op->o_conn->c_dn.bv_len != 0 ) )
|
2000-09-09 06:59:01 +08:00
|
|
|
{
|
2003-03-30 17:03:54 +08:00
|
|
|
rs->sr_text = "cannot start TLS after authentication";
|
2001-12-21 12:44:34 +08:00
|
|
|
rc = LDAP_OPERATIONS_ERROR;
|
|
|
|
goto done;
|
2000-09-09 06:59:01 +08:00
|
|
|
}
|
|
|
|
|
1999-12-11 03:18:33 +08:00
|
|
|
/* fail if TLS could not be initialized */
|
2004-10-06 13:51:38 +08:00
|
|
|
if ( slap_tls_ctx == NULL ) {
|
|
|
|
if (default_referral != NULL) {
|
2000-04-25 21:02:42 +08:00
|
|
|
/* caller will put the referral in the result */
|
2000-03-03 04:36:53 +08:00
|
|
|
rc = LDAP_REFERRAL;
|
|
|
|
goto done;
|
1999-12-11 03:18:33 +08:00
|
|
|
}
|
2000-03-03 04:36:53 +08:00
|
|
|
|
2003-03-30 17:03:54 +08:00
|
|
|
rs->sr_text = "Could not initialize TLS";
|
2000-03-03 04:36:53 +08:00
|
|
|
rc = LDAP_UNAVAILABLE;
|
|
|
|
goto done;
|
1999-12-11 03:18:33 +08:00
|
|
|
}
|
|
|
|
|
2003-03-30 17:03:54 +08:00
|
|
|
op->o_conn->c_is_tls = 1;
|
|
|
|
op->o_conn->c_needs_tls_accept = 1;
|
1999-12-10 12:52:32 +08:00
|
|
|
|
2000-03-03 04:36:53 +08:00
|
|
|
rc = LDAP_SUCCESS;
|
|
|
|
|
|
|
|
done:
|
|
|
|
/* give up connection lock */
|
2003-03-30 17:03:54 +08:00
|
|
|
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
|
2000-03-03 04:36:53 +08:00
|
|
|
|
2004-08-28 09:26:34 +08:00
|
|
|
/* FIXME: RACE CONDITION! we give up lock before sending result
|
2000-03-03 04:36:53 +08:00
|
|
|
* Should be resolved by reworking connection state, not
|
|
|
|
* by moving send here (so as to ensure proper TLS sequencing)
|
|
|
|
*/
|
|
|
|
|
|
|
|
return rc;
|
1999-12-10 06:41:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* HAVE_TLS */
|