Back to index

openldap  2.4.31
starttls.c
Go to the documentation of this file.
00001 /* $OpenLDAP$ */
00002 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
00003  *
00004  * Copyright 1998-2012 The OpenLDAP Foundation.
00005  * All rights reserved.
00006  *
00007  * Redistribution and use in source and binary forms, with or without
00008  * modification, are permitted only as authorized by the OpenLDAP
00009  * Public License.
00010  *
00011  * A copy of this license is available in the file LICENSE in the
00012  * top-level directory of the distribution or, alternatively, at
00013  * <http://www.OpenLDAP.org/license.html>.
00014  */
00015 
00016 #include "portable.h"
00017 
00018 #include <stdio.h>
00019 #include <ac/socket.h>
00020 #include <ac/string.h>
00021 
00022 #include "slap.h"
00023 #include "lber_pvt.h"
00024 
00025 const struct berval slap_EXOP_START_TLS = BER_BVC(LDAP_EXOP_START_TLS);
00026 
00027 #ifdef HAVE_TLS
00028 int
00029 starttls_extop ( Operation *op, SlapReply *rs )
00030 {
00031        int rc;
00032 
00033        Statslog( LDAP_DEBUG_STATS, "%s STARTTLS\n",
00034            op->o_log_prefix, 0, 0, 0, 0 );
00035 
00036        if ( op->ore_reqdata != NULL ) {
00037               /* no request data should be provided */
00038               rs->sr_text = "no request data expected";
00039               return LDAP_PROTOCOL_ERROR;
00040        }
00041 
00042        /* acquire connection lock */
00043        ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
00044 
00045        /* can't start TLS if it is already started */
00046        if (op->o_conn->c_is_tls != 0) {
00047               rs->sr_text = "TLS already started";
00048               rc = LDAP_OPERATIONS_ERROR;
00049               goto done;
00050        }
00051 
00052        /* can't start TLS if there are other op's around */
00053        if (( !LDAP_STAILQ_EMPTY(&op->o_conn->c_ops) &&
00054                      (LDAP_STAILQ_FIRST(&op->o_conn->c_ops) != op ||
00055                      LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
00056               ( !LDAP_STAILQ_EMPTY(&op->o_conn->c_pending_ops) ))
00057        {
00058               rs->sr_text = "cannot start TLS when operations are outstanding";
00059               rc = LDAP_OPERATIONS_ERROR;
00060               goto done;
00061        }
00062 
00063        if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
00064               ( op->o_conn->c_dn.bv_len != 0 ) )
00065        {
00066               Statslog( LDAP_DEBUG_STATS,
00067                      "%s AUTHZ anonymous mech=starttls ssf=0\n",
00068                      op->o_log_prefix, 0, 0, 0, 0 );
00069 
00070               /* force to anonymous */
00071               connection2anonymous( op->o_conn );
00072        }
00073 
00074        if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
00075               ( op->o_conn->c_dn.bv_len != 0 ) )
00076        {
00077               rs->sr_text = "cannot start TLS after authentication";
00078               rc = LDAP_OPERATIONS_ERROR;
00079               goto done;
00080        }
00081 
00082        /* fail if TLS could not be initialized */
00083        if ( slap_tls_ctx == NULL ) {
00084               if (default_referral != NULL) {
00085                      /* caller will put the referral in the result */
00086                      rc = LDAP_REFERRAL;
00087                      goto done;
00088               }
00089 
00090               rs->sr_text = "Could not initialize TLS";
00091               rc = LDAP_UNAVAILABLE;
00092               goto done;
00093        }
00094 
00095     op->o_conn->c_is_tls = 1;
00096     op->o_conn->c_needs_tls_accept = 1;
00097 
00098     rc = LDAP_SUCCESS;
00099 
00100 done:
00101        /* give up connection lock */
00102        ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
00103 
00104        /* FIXME: RACE CONDITION! we give up lock before sending result
00105         * Should be resolved by reworking connection state, not
00106         * by moving send here (so as to ensure proper TLS sequencing)
00107         */
00108 
00109        return rc;
00110 }
00111 
00112 #endif /* HAVE_TLS */