
RE: bug in libldap/tls.c:ldap_start_tls_s() (ITS#685)



> From: Kurt D. Zeilenga [mailto:Kurt@OpenLDAP.org]
> Sent: Friday, August 25, 2000 10:18 AM
> To: acorcoran@vitria.com
> Cc: openldap-its@OpenLDAP.org
> Subject: Re: bug in libldap/tls.c:ldap_start_tls_s() (ITS#685)
> 
> 
> I do not believe this to be a bug.
> 
> At 04:47 PM 8/25/00 +0000, acorcoran@vitria.com wrote:
> >In libldap/tls.c, the method ldap_start_tls_s() has this statement:
> >
> >   if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
> >      return LDAP_OPERATIONS_ERROR;
> 
> 
> This says "If TLS is in place, don't attempt to start it again".

Perhaps the bug is higher up in ldapsearch.

Here's what I'm seeing:
1) ldapsearch calls ldap_start_tls_s() to start TLS.
2) ldap_start_tls_s() calls ldap_open_defconn(), which sets up the
connection, including TLS.
3) There is only one connection, so the loop iterates once.
4) In the first iteration of the loop, ldap_pvt_tls_inplace() returns 1
to say TLS is in place.
5) The if statement says "If TLS is in place, don't attempt to start it
again", so it returns LDAP_OPERATIONS_ERROR.
6) ldapsearch sees that the return code is not LDAP_SUCCESS.  With -Z, it
says it couldn't start TLS; with -ZZ, it aborts with EXIT_FAILURE.

Here's the code from gamma:

ldapsearch.c (lines 697-703):
        if ( use_tls && ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS ) {
                if ( use_tls > 1 ) {
                        ldap_perror( ld, "ldap_start_tls" );
                        return EXIT_FAILURE;
                }
                fprintf( stderr, "WARNING: could not start TLS\n" );
        }

open.c (gamma) or tls.c (devel), lines 243-282:
int
ldap_start_tls_s ( LDAP *ld,
        LDAPControl **serverctrls,
        LDAPControl **clientctrls )
{
#ifdef HAVE_TLS
        LDAPConn *lc;
        int rc;
        char *rspoid = NULL;
        struct berval *rspdata = NULL;

        if (ld->ld_conns == NULL) {
                rc = ldap_open_defconn( ld );
                if (rc != LDAP_SUCCESS)
                        return(rc);
        }

        for (lc = ld->ld_conns; lc != NULL; lc = lc->lconn_next) {
                if (ldap_pvt_tls_inplace(lc->lconn_sb) != 0)
                        return LDAP_OPERATIONS_ERROR;

                /* XXYYZ: this initiates operation only on default connection! */
                rc = ldap_extended_operation_s(ld, LDAP_EXOP_START_TLS,
                        NULL, serverctrls, clientctrls, &rspoid, &rspdata);

                if (rc != LDAP_SUCCESS)
                        return rc;
                if (rspoid != NULL)
                        LDAP_FREE(rspoid);
                if (rspdata != NULL)
                        ber_bvfree(rspdata);
                rc = ldap_pvt_tls_start( ld, lc->lconn_sb, ld->ld_options.ldo_tls_ctx );
                if (rc != LDAP_SUCCESS)
                        return rc;
        }
        return LDAP_SUCCESS;
#else
        return LDAP_NOT_SUPPORTED;
#endif
}
 
Art
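The control flow in steps 1-6 above, as an added example that is not part of Art's message and not OpenLDAP code: a stand-alone C model of the quoted ldap_start_tls_s() loop and of the ldapsearch -Z / -ZZ policy, so both outcomes can be run offline. The Conn and LdapModel types, the MODEL_ prefixed result codes and the server_ok knob are stand-ins constructed for this example; the assumption that opening the default connection already brings up TLS for an ldaps:// URI is Art's step 2 taken as given, not something verified against libldap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes named as in libldap; the values are the LDAP protocol ones. */
#define MODEL_LDAP_SUCCESS          0
#define MODEL_LDAP_OPERATIONS_ERROR 1

/* Stand-in for LDAPConn: a connection and whether TLS is already on it
 * (models what ldap_pvt_tls_inplace(lc->lconn_sb) reports). */
typedef struct Conn {
    int tls_inplace;
    struct Conn *next;
} Conn;

/* Stand-in for the LDAP handle: the URI and the connection list (ld_conns). */
typedef struct {
    const char *uri;
    Conn *conns;
} LdapModel;

/* Outcome of a modelled ldapsearch run. */
typedef struct {
    int exit_status;   /* 0 = the search would proceed, EXIT_FAILURE = abort */
    int encrypted;     /* 1 if the connection actually carries TLS */
} Outcome;

/* Model of ldap_open_defconn(). Assumption, taken from Art's step 2: opening
 * the default connection already establishes TLS when the URI is ldaps://. */
static int model_open_defconn(LdapModel *ld)
{
    Conn *c = calloc(1, sizeof *c);
    if (c == NULL)
        return MODEL_LDAP_OPERATIONS_ERROR;
    c->tls_inplace = (strncmp(ld->uri, "ldaps://", 8) == 0);
    ld->conns = c;
    return MODEL_LDAP_SUCCESS;
}

/* Model of the StartTLS extended operation plus the handshake on one
 * connection. server_ok is a constructed knob: 0 means the server (or
 * someone on the path) refuses StartTLS. */
static int model_exop_start_tls(Conn *c, int server_ok)
{
    if (!server_ok)
        return MODEL_LDAP_OPERATIONS_ERROR;
    c->tls_inplace = 1;
    return MODEL_LDAP_SUCCESS;
}

/* Model of the ldap_start_tls_s() loop quoted above. */
static int model_start_tls_s(LdapModel *ld, int server_ok)
{
    int rc;
    Conn *lc;

    if (ld->conns == NULL) {
        rc = model_open_defconn(ld);
        if (rc != MODEL_LDAP_SUCCESS)
            return rc;
    }
    for (lc = ld->conns; lc != NULL; lc = lc->next) {
        /* The check under discussion: "TLS already in place" comes back
         * with the same code as "StartTLS failed". */
        if (lc->tls_inplace)
            return MODEL_LDAP_OPERATIONS_ERROR;
        rc = model_exop_start_tls(lc, server_ok);
        if (rc != MODEL_LDAP_SUCCESS)
            return rc;
    }
    return MODEL_LDAP_SUCCESS;
}

/* Model of the ldapsearch.c policy quoted above: use_tls == 1 is -Z,
 * use_tls == 2 is -ZZ, 0 is neither. */
static Outcome model_ldapsearch(const char *uri, int use_tls, int server_ok)
{
    LdapModel ld = { uri, NULL };
    Outcome out = { 0, 0 };

    if (use_tls && model_start_tls_s(&ld, server_ok) != MODEL_LDAP_SUCCESS) {
        if (use_tls > 1) {
            out.exit_status = EXIT_FAILURE;   /* -ZZ: refuse to go on */
        } else {
            /* -Z: warn and carry on, even if the connection is cleartext */
            fprintf(stderr, "WARNING: could not start TLS\n");
        }
    }
    if (ld.conns == NULL && model_open_defconn(&ld) != MODEL_LDAP_SUCCESS) {
        out.exit_status = EXIT_FAILURE;
        return out;
    }
    out.encrypted = ld.conns->tls_inplace;
    free(ld.conns);
    return out;
}

int main(void)
{
    static const struct { const char *uri; int use_tls; int server_ok; } cases[] = {
        { "ldaps://ldap.example.com", 2, 1 },  /* Art's case: TLS up, -ZZ still aborts */
        { "ldap://ldap.example.com",  1, 0 },  /* -Z, StartTLS refused: runs in cleartext */
        { "ldap://ldap.example.com",  2, 0 },  /* -ZZ, StartTLS refused: aborts */
        { "ldap://ldap.example.com",  2, 1 },  /* -ZZ, StartTLS accepted */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        Outcome o = model_ldapsearch(cases[i].uri, cases[i].use_tls, cases[i].server_ok);
        printf("%-26s %-4s server_ok=%d  ->  %s, %s\n", cases[i].uri,
               cases[i].use_tls == 2 ? "-ZZ" : cases[i].use_tls == 1 ? "-Z" : "",
               cases[i].server_ok,
               o.exit_status ? "EXIT_FAILURE" : "proceeds",
               o.encrypted ? "TLS" : "cleartext");
    }
    return 0;
}
```

Build with `cc -o starttls_model starttls_model.c` and run it. The table it prints is the practical point behind the quoted ldapsearch.c lines: with -Z, anything other than LDAP_SUCCESS from ldap_start_tls_s() only produces the WARNING and the search goes ahead, so a StartTLS that the server refuses leaves the query on the wire in cleartext; -ZZ aborts instead, which is the setting to use when encryption is required. Under Art's assumption that the default connection already carries TLS for ldaps://, the in-place check makes -ZZ abort on that already encrypted connection as well, which is the behaviour the report describes.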
