diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index bad5312c5c..ba0a9e6947 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -110,6 +110,7 @@ ldap_pvt_tls_init( void )
 if ( tls_initialized ) return -1;
+ tls_initialized = 1;
 #ifdef LDAP_R_COMPILE
 tls_init_threads();
 #endif
@@ -211,6 +212,10 @@ ldap_pvt_tls_init_def_ctx( void )
 #endif
 return 0;
 error_exit:
+ if ( tls_def_ctx != NULL ) {
+ SSL_CTX_free( tls_def_ctx );
+ tls_def_ctx = NULL;
+ }
 #ifdef LDAP_R_COMPILE
 ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
 #endif
diff --git a/servers/slapd/extended.c b/servers/slapd/extended.c
index f907dc808d..d3db89e29b 100644
--- a/servers/slapd/extended.c
+++ b/servers/slapd/extended.c
@@ -92,6 +92,7 @@ do_extended(
 ber_len_t len;
 extop_list_t *ext;
 char *text;
+ struct berval **refs;
 struct berval *rspdata;
 LDAPControl **rspctrls;
@@ -152,8 +153,12 @@ do_extended(
 oid, reqdata, &rspdata, &rspctrls, &text );
 if( rc != SLAPD_ABANDON ) {
+ refs = NULL;
+ if (rc == LDAP_REFERRAL)
+ refs = default_referral;
+
 send_ldap_extended( conn, op, rc, NULL, text,
- oid, rspdata, rspctrls );
+ refs, oid, rspdata, rspctrls );
 }
 if ( rspdata != NULL )
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index fe4dc39f5d..3b977a22c0 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -387,7 +387,7 @@ LIBSLAPD_F (void) send_ldap_disconnect LDAP_P((
 LIBSLAPD_F (void) send_ldap_extended LDAP_P((
 Connection *conn, Operation *op,
 ber_int_t err, const char *matched,
- const char *text,
+ const char *text, struct berval **refs,
 char *rspoid, struct berval *rspdata,
 LDAPControl **ctrls ));
diff --git a/servers/slapd/result.c b/servers/slapd/result.c
index 204ba41db1..ad3c065ddf 100644
--- a/servers/slapd/result.c
+++ b/servers/slapd/result.c
@@ -493,6 +493,7 @@ send_ldap_extended(
 ber_int_t err,
 const char *matched,
 const char *text,
+ struct berval **refs,
 char *rspoid,
 struct berval *rspdata,
 LDAPControl **ctrls
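Review bot: `tls_initialized = 1;` is now set before the rest of ldap_pvt_tls_init runs, so if anything later in the function fails (the body continues outside the hunk) a subsequent call is refused with -1 as "already initialized" and the library never gets a second attempt. If the early assignment is deliberate as a re-entry guard around the threaded setup that follows, a comment such as `/* set before init runs: re-entry guard, not a success flag */` would keep a later reader from treating the flag as proof that TLS initialization succeeded. Otherwise moving the assignment to the success path, or clearing it on failure, would preserve the retry.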
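Review bot: `refs = default_referral` can still leave refs NULL when an extended-operation handler returns LDAP_REFERRAL, because this hunk does not check default_referral and only starttls_extop in this commit checks it before returning that code; the client would then receive a referral result carrying no referral URLs. Mapping that case to a plain error keeps the wire response well-formed regardless of handler discipline, e.g. `if (rc == LDAP_REFERRAL && refs == NULL) rc = LDAP_UNAVAILABLE;` right after the assignment. do_extended begins outside the hunk.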
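Review bot: The new `refs` parameter is undocumented both here and in the proto-slap.h prototype, and nothing states who owns the array; the only caller in this commit hands it the global default_referral and never frees it, so the callee must treat it as borrowed. A one-line comment on the parameter, `/* referral URLs for err == LDAP_REFERRAL; borrowed, may be NULL */`, in result.c (and mirrored on the prototype) would pin that contract down. The function body continues outside the hunk.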
@@ -522,7 +523,7 @@ send_ldap_extended(
 #endif
 send_ldap_response( conn, op, tag, msgid,
- err, matched, text, NULL,
+ err, matched, text, refs,
 rspoid, rspdata, NULL, ctrls );
 }
diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index 410e450733..35767fae39 100644
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -29,6 +29,8 @@ starttls_extop (
 LDAPControl ***rspctrls,
 char ** text )
 {
+ void *ctx;
+
 if ( reqdata != NULL ) {
 /* no request data should be provided */
 return LDAP_PROTOCOL_ERROR;
@@ -38,6 +40,17 @@ starttls_extop (
 if (conn->c_is_tls != 0)
 return(LDAP_OPERATIONS_ERROR);
+ /* fail if TLS could not be initialized */
+ if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
+ || ctx == NULL)
+ {
+ if (default_referral != NULL) {
+ /* caller will put the referral into the result */
+ return(LDAP_REFERRAL);
+ }
+ return(LDAP_UNAVAILABLE);
+ }
+
 /* can't start TLS if there are other op's around */
 if (conn->c_ops != NULL) {
 if (conn->c_ops != op || op->o_next != NULL)
@@ -48,19 +61,6 @@ starttls_extop (
 return(LDAP_OPERATIONS_ERROR);
 }
- /* here's some pseudo-code if HAVE_TLS is defined
- * but for some reason TLS is not available.
- */
- /*
- if (tls not really supported) {
- if (referral exists) {
- // caller will need to put the referral into the result
- return(LDAP_REFERRAL);
- }
- return(LDAP_UNAVAILABLE);
- }
- */
-
 conn->c_is_tls = 1;
 conn->c_needs_tls_accept = 1;
diff --git a/servers/slapd/tools/mimic.c b/servers/slapd/tools/mimic.c
index a3a7d60309..f1e1a51521 100644
--- a/servers/slapd/tools/mimic.c
+++ b/servers/slapd/tools/mimic.c
@@ -46,6 +46,7 @@ send_ldap_extended(
 ber_int_t err,
 const char *matched,
 const char *text,
+ struct berval **refs,
 char *rspoid,
 struct berval *rspdata,
 LDAPControl **ctrls
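Review bot: `void *ctx;` is left uninitialized, and the check added in the next hunk tests `ctx == NULL` after `ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx)`; the code is only correct if that call writes through ctx on every zero return, which this diff does not show. Initializing at the declaration, `void *ctx = NULL;`, makes "no TLS context" the default whenever the option is not stored, so the refusal path cannot be skipped by an unset out-parameter. starttls_extop's signature begins outside the hunk.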
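Review bot: The comment `/* fail if TLS could not be initialized */` states the intent but not the mechanism: the probe appears to read the global TLS context through the ld == NULL path of LDAP_OPT_X_TLS_CERT and treats a NULL result as "no usable context", which a reader could easily mistake for a certificate-file check. Naming what is probed, e.g. `/* probe the global TLS context via LDAP_OPT_X_TLS_CERT; NULL means init failed, so refuse rather than claim TLS */`, would make the coupling to the error_exit cleanup in ldap_pvt_tls_init_def_ctx (which now frees and NULLs tls_def_ctx) explicit. The early return here, before `conn->c_is_tls = 1`, is what keeps the connection from being marked TLS when no handshake can follow; the comment should say so since that ordering is the security-relevant part.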