/* $OpenLDAP$ */ /* This work is part of OpenLDAP Software . * * Copyright 1998-2003 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted only as authorized by the OpenLDAP * Public License. * * A copy of this license is available in the file LICENSE in the * top-level directory of the distribution or, alternatively, at * . */ #include "portable.h" #include #include #include #include "slap.h" #ifdef HAVE_TLS int starttls_extop ( Operation *op, SlapReply *rs ) { void *ctx; int rc; if ( op->ore_reqdata != NULL ) { /* no request data should be provided */ rs->sr_text = "no request data expected"; return LDAP_PROTOCOL_ERROR; } /* acquire connection lock */ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); /* can't start TLS if it is already started */ if (op->o_conn->c_is_tls != 0) { rs->sr_text = "TLS already started"; rc = LDAP_OPERATIONS_ERROR; goto done; } /* can't start TLS if there are other op's around */ if (( !LDAP_STAILQ_EMPTY(&op->o_conn->c_ops) && (LDAP_STAILQ_FIRST(&op->o_conn->c_ops) != op || LDAP_STAILQ_NEXT(op, o_next) != NULL)) || ( !LDAP_STAILQ_EMPTY(&op->o_conn->c_pending_ops) )) { rs->sr_text = "cannot start TLS when operations are outstanding"; rc = LDAP_OPERATIONS_ERROR; goto done; } if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) && ( op->o_conn->c_dn.bv_len != 0 ) ) { Statslog( LDAP_DEBUG_STATS, "conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0\n", op->o_connid, op->o_opid, 0, 0, 0 ); /* force to anonymous */ connection2anonymous( op->o_conn ); } if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) && ( op->o_conn->c_dn.bv_len != 0 ) ) { rs->sr_text = "cannot start TLS after authentication"; rc = LDAP_OPERATIONS_ERROR; goto done; } /* fail if TLS could not be initialized */ if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0 || ctx == NULL) { if (default_referral != NULL) { /* caller will put the referral in the result */ rc = LDAP_REFERRAL; goto done; } rs->sr_text = "Could not initialize TLS"; rc = LDAP_UNAVAILABLE; goto done; } op->o_conn->c_is_tls = 1; op->o_conn->c_needs_tls_accept = 1; rc = LDAP_SUCCESS; done: /* give up connection lock */ ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); /* * RACE CONDITION: we give up lock before sending result * Should be resolved by reworking connection state, not * by moving send here (so as to ensure proper TLS sequencing) */ return rc; } #endif /* HAVE_TLS */