From a30a8861ef512a88394517f713f1e66b486e5c7c Mon Sep 17 00:00:00 2001
From: Todd Lyons
Date: Wed, 4 Sep 2013 13:22:51 -0700
Subject: [PATCH] Prevent TLS rebinding in LDAP connections

Bugzilla 1375
---
 doc/doc-txt/ChangeLog  | 3 +++
 src/src/lookups/ldap.c | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9fb00a707..9d9f17d5b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -220,6 +220,9 @@ JH/16 Fix comparisons for 64b. Bugzilla 1385.
 TL/09 Add expansion variable $authenticated_fail_id to keep track of last id that failed so it may be referenced in subsequent ACL's.
+TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
+      Alexander Miroch.
+
 Exim version 4.80.1
 -------------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index 40345bafc..f121bce61 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -81,6 +81,7 @@ typedef struct ldap_connection {
   uschar *password;
   BOOL bound;
   int port;
+  BOOL is_start_tls_called;
   LDAP *ld;
 } LDAP_CONNECTION;
@@ -493,6 +494,7 @@ if (lcp == NULL)
   lcp->port = port;
   lcp->ld = ld;
   lcp->next = ldap_connections;
+  lcp->is_start_tls_called = FALSE;
   ldap_connections = lcp;
   }
@@ -519,7 +521,7 @@ if (!lcp->bound ||
   {
   DEBUG(D_lookup) debug_printf("%sbinding with user=%s password=%s\n",
     (lcp->bound)? "re-" : "", user, password);
-  if (eldap_start_tls)
+  if (eldap_start_tls && !lcp->is_start_tls_called)
     {
 #if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)
     /* The Oracle LDAP libraries (LDAP_LIB_TYPE=SOLARIS) don't support this.
@@ -533,6 +535,7 @@ if (!lcp->bound ||
       " %s", host, porttext, rc, ldap_err2string(rc));
     goto RETURN_ERROR;
     }
+  lcp->is_start_tls_called = TRUE;
 #else
   DEBUG(D_lookup) debug_printf("TLS initiation not supported with this Exim and your LDAP library.\n");
-- 
2.25.1
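Review bot: The new `is_start_tls_called` member in `struct ldap_connection` is the only record of the security state of a cached LDAP session, yet it carries no comment at its declaration. Its meaning is narrower than the name suggests — from the last hunk it becomes TRUE only after `ldap_start_tls_s()` returned success, not merely after the call was attempted — so I would document that where it is declared: `BOOL is_start_tls_called;  /* TRUE once STARTTLS succeeded on ld; the TLS layer persists across rebinds */`. The struct is cut by the hunk, so its remaining members are outside this view.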
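Review bot: The new condition `if (eldap_start_tls && !lcp->is_start_tls_called)` encodes why a rebind must not repeat STARTTLS, but nothing at the site says so; a one-line comment would help the next maintainer, e.g. `/* TLS belongs to the cached session: STARTTLS is issued once per ld and presumably rejected if repeated, so a rebind only redoes the bind */`. Separately, the unchanged `debug_printf("%sbinding with user=%s password=%s\n", ...)` two lines above writes the bind password to the debug output on every (re)bind; printing only whether a password is set, or a fixed `password=<hidden>`, would keep credentials out of debug logs and pasted bug reports. The enclosing `if (!lcp->bound || ...)` block starts and ends outside the hunk.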
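Review bot: `lcp->is_start_tls_called = TRUE;` is set only on the `#if defined(LDAP_OPT_X_TLS) && !defined(LDAP_LIB_SOLARIS)` path; in the `#else` branch the flag stays FALSE and, as far as the visible lines show, the code only emits a `DEBUG(D_lookup)` message and goes on to bind, so a configuration that asked for `eldap_start_tls` ends up sending the bind credentials in cleartext on a library without TLS support. The fail-closed choice would be to treat that like the `ldap_start_tls_s()` failure just above it: set the error message the same way and `goto RETURN_ERROR;` in place of the debug line, or at least report it at a level operators see rather than only under `D_lookup`. Placing the assignment after the success check is right, since a failed STARTTLS must leave the flag FALSE so the next attempt is not skipped. The `#endif` and the end of the `if (eldap_start_tls ...)` block lie past the hunk.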