RE: bug in libldap/tls.c:ldap_start_tls_s() (ITS#685)
> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Friday, August 25, 2000 10:18 AM
> To: acorcoran@vitria.com
> Cc: openldap-its@OpenLDAP.org
> Subject: Re: bug in libldap/tls.c:ldap_start_tls_s() (ITS#685)
>
>
> I do not believe this to be a bug.
>
> At 04:47 PM 8/25/00 +0000, acorcoran@vitria.com wrote:
> >In libldap/tls.c, the method ldap_start_tls_s() has this statement:
> >
> > if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
> > return LDAP_OPERATIONS_ERROR;
>
>
> This says "If TLS is in place, don't attempt to start it again".
Perhaps the bug is higher up in ldapsearch.
Here's what I'm seeing:
1) ldapsearch calls ldap_start_tls_s() to start TLS.
2) ldap_start_tls_s() calls ldap_open_defconn(), which sets up the
connection, including TLS.
3) There is only one connection, so the loop iterates once.
4) In the first iteration of the loop, ldap_pvt_tls_inplace() returns 1
to say TLS is already in place.
5) The if statement says "If TLS is in place, don't attempt to start it
again", so it returns LDAP_OPERATIONS_ERROR.
6) ldapsearch sees that the return code is not LDAP_SUCCESS. With -Z, it
warns that it couldn't start TLS; with -ZZ, it aborts with EXIT_FAILURE.
Here's the code from gamma
ldapsearch.c:
if ( use_tls ) {
	/* Ask the library to negotiate TLS on the already-open handle. */
	int tls_rc = ldap_start_tls_s( ld, NULL, NULL );

	if ( tls_rc != LDAP_SUCCESS ) {
		/* use_tls > 1 (-ZZ): TLS is mandatory, so report and bail out. */
		if ( use_tls > 1 ) {
			ldap_perror( ld, "ldap_start_tls" );
			return EXIT_FAILURE;
		}
		/* use_tls == 1 (-Z): TLS is best effort; warn and fall through. */
		fprintf( stderr, "WARNING: could not start TLS\n" );
	}
}
open.c (gamma) or tls.c (devel):
/*
 * ldap_start_tls_s - synchronously issue the StartTLS extended operation
 * and then negotiate TLS on the handle's connection(s).
 *
 * ld           LDAP handle; its default connection is opened here if the
 *              handle has no connections yet.
 * serverctrls  server controls passed straight to the extended operation.
 * clientctrls  client controls passed straight to the extended operation.
 *
 * Returns LDAP_SUCCESS, the error from ldap_open_defconn(),
 * ldap_extended_operation_s() or ldap_pvt_tls_start(), or
 * LDAP_OPERATIONS_ERROR when a connection already carries TLS.  Without
 * HAVE_TLS the function always returns LDAP_NOT_SUPPORTED.
 */
int
ldap_start_tls_s ( LDAP *ld,
	LDAPControl **serverctrls,
	LDAPControl **clientctrls )
{
#ifdef HAVE_TLS
	LDAPConn *conn;
	int rc;
	char *rspoid = NULL;
	struct berval *rspdata = NULL;

	/* With no connection yet, bring up the default one first. */
	if ( ld->ld_conns == NULL ) {
		rc = ldap_open_defconn( ld );
		if ( rc != LDAP_SUCCESS ) {
			return rc;
		}
	}

	conn = ld->ld_conns;
	while ( conn != NULL ) {
		/*
		 * A sockbuf that already carries TLS is never re-negotiated; the
		 * caller gets LDAP_OPERATIONS_ERROR instead.  Callers that only
		 * test for LDAP_SUCCESS cannot tell this apart from a failed
		 * StartTLS.
		 */
		if ( ldap_pvt_tls_inplace( conn->lconn_sb ) != 0 ) {
			return LDAP_OPERATIONS_ERROR;
		}

		/* XXYYZ: this initiates the operation only on the default connection! */
		rc = ldap_extended_operation_s( ld, LDAP_EXOP_START_TLS,
			NULL, serverctrls, clientctrls, &rspoid, &rspdata );
		if ( rc != LDAP_SUCCESS ) {
			/*
			 * NOTE(review): rspoid/rspdata are not released on this path;
			 * whether ldap_extended_operation_s() can leave them non-NULL
			 * on failure is not visible here - confirm before relying on it.
			 */
			return rc;
		}

		/* Neither the response OID nor the response value is used; free them. */
		if ( rspoid != NULL ) {
			LDAP_FREE( rspoid );
		}
		if ( rspdata != NULL ) {
			ber_bvfree( rspdata );
		}

		/* Server accepted StartTLS: negotiate TLS on this connection's sockbuf. */
		rc = ldap_pvt_tls_start( ld, conn->lconn_sb,
			ld->ld_options.ldo_tls_ctx );
		if ( rc != LDAP_SUCCESS ) {
			return rc;
		}

		conn = conn->lconn_next;
	}

	return LDAP_SUCCESS;
#else
	return LDAP_NOT_SUPPORTED;
#endif
}
Art