Start TLS extension: check that TLS was inited successfully, return default referral on failure as appropriate.

libraries/libldap/tls.c

@@ -110,6 +110,7 @@ ldap_pvt_tls_init( void )
 
 	if ( tls_initialized )
 		return -1;
+	tls_initialized = 1;
 #ifdef LDAP_R_COMPILE
 	tls_init_threads();
 #endif
@@ -211,6 +212,10 @@ ldap_pvt_tls_init_def_ctx( void )
 #endif
 	return 0;
 error_exit:
+	if ( tls_def_ctx != NULL ) {
+		SSL_CTX_free( tls_def_ctx );
+		tls_def_ctx = NULL;
+	}
 #ifdef LDAP_R_COMPILE
 	ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
 #endif

servers/slapd/extended.c

@@ -92,6 +92,7 @@ do_extended(
 	ber_len_t len;
 	extop_list_t *ext;
 	char *text;
+	struct berval **refs;
 	struct berval *rspdata;
 	LDAPControl **rspctrls;
 
@@ -152,8 +153,12 @@ do_extended(
 		oid, reqdata, &rspdata, &rspctrls, &text );
 
 	if( rc != SLAPD_ABANDON ) {
+		refs = NULL;
+		if (rc == LDAP_REFERRAL)
+			refs = default_referral;
+
 		send_ldap_extended( conn, op, rc, NULL, text,
-			oid, rspdata, rspctrls );
+			refs, oid, rspdata, rspctrls );
 	}
 
 	if ( rspdata != NULL )

servers/slapd/proto-slap.h

@@ -387,7 +387,7 @@ LIBSLAPD_F (void) send_ldap_disconnect LDAP_P((
 LIBSLAPD_F (void) send_ldap_extended LDAP_P((
 	Connection *conn, Operation *op,
 	ber_int_t err, const char *matched,
-	const char *text,
+	const char *text, struct berval **refs,
 	char *rspoid, struct berval *rspdata,
 	LDAPControl **ctrls ));
 

servers/slapd/result.c

@@ -493,6 +493,7 @@ send_ldap_extended(
     ber_int_t	err,
     const char	*matched,
     const char	*text,
+    struct berval **refs,
     char		*rspoid,
 	struct berval *rspdata,
 	LDAPControl **ctrls
@@ -522,7 +523,7 @@ send_ldap_extended(
 #endif
 
 	send_ldap_response( conn, op, tag, msgid,
-		err, matched, text, NULL,
+		err, matched, text, refs,
 		rspoid, rspdata, NULL, ctrls );
 }
 

servers/slapd/starttls.c

@@ -29,6 +29,8 @@ starttls_extop (
 	LDAPControl ***rspctrls,
 	char ** text )
 {
+	void *ctx;
+
 	if ( reqdata != NULL ) {
 		/* no request data should be provided */
 		return LDAP_PROTOCOL_ERROR;
@@ -38,6 +40,17 @@ starttls_extop (
 	if (conn->c_is_tls != 0)
 		return(LDAP_OPERATIONS_ERROR);
 
+	/* fail if TLS could not be initialized */
+	if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
+		|| ctx == NULL)
+	{
+		if (default_referral != NULL) {
+			/* caller will put the referral into the result */
+			return(LDAP_REFERRAL);
+		}
+		return(LDAP_UNAVAILABLE);
+	}
+
 	/* can't start TLS if there are other op's around */
 	if (conn->c_ops != NULL) {
 		if (conn->c_ops != op || op->o_next != NULL)
@@ -48,19 +61,6 @@ starttls_extop (
 			return(LDAP_OPERATIONS_ERROR);
 	}
 
-	/* here's some pseudo-code if HAVE_TLS is defined
-	 * but for some reason TLS is not available.
-	 */
-	/*
-		if (tls not really supported) {
-			if (referral exists) {
-				// caller will need to put the referral into the result
-				return(LDAP_REFERRAL);
-			}
-			return(LDAP_UNAVAILABLE);
-		}
-	*/
-
     conn->c_is_tls = 1;
     conn->c_needs_tls_accept = 1;
 

servers/slapd/tools/mimic.c

@@ -46,6 +46,7 @@ send_ldap_extended(
     ber_int_t	err,
     const char	*matched,
     const char	*text,
+	struct berval **refs,
     char	*rspoid,
 	struct berval *rspdata,
 	LDAPControl **ctrls