Commit b44a7996 authored by Luke Howard's avatar Luke Howard
Browse files

Fix ITS#3131 properly - set operation SSF to MAX(TLS, SASL) SSFs

parent 1bdbb9e4
......@@ -179,6 +179,9 @@ do_syncrep1(
struct sync_cookie *sc = NULL;
struct sync_cookie syncCookie = { NULL, -1, NULL };
struct berval *psub;
#ifdef HAVE_TLS
void *ssl;
#endif
psub = &si->si_be->be_nsuffix[0];
......@@ -303,8 +306,18 @@ do_syncrep1(
}
}
/* set SSF for local authorization */
ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_ssf );
/* Set SSF to strongest of TLS, SASL SSFs */
op->o_sasl_ssf = 0;
op->o_tls_ssf = 0;
#ifdef HAVE_TLS
if ( ldap_get_option( si->si_ld, LDAP_OPT_X_TLS_SSL_CTX, &ssl ) == LDAP_SUCCESS &&
ssl != NULL ) {
op->o_tls_ssf = ldap_pvt_tls_get_strength( ssl );
}
#endif /* HAVE_TLS */
ldap_get_option( si->si_ld, LDAP_OPT_X_SASL_SSF, &op->o_sasl_ssf );
op->o_transport_ssf = op->o_ssf = ( op->o_sasl_ssf > op->o_tls_ssf ) ?
op->o_sasl_ssf : op->o_tls_ssf;
/* get syncrepl cookie of shadow replica from subentry */
assert( si->si_rid < 1000 );
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment