3 * Copyright 1999-2003 The OpenLDAP Foundation.
6 * Redistribution and use in source and binary forms are permitted only
7 * as authorized by the OpenLDAP Public License. A copy of this
8 * license is available at http://www.OpenLDAP.org/license.html or
9 * in file LICENSE in the top-level directory of the distribution.
15 #include <ac/socket.h>
27 struct berval * reqoid,
28 struct berval * reqdata,
30 struct berval ** rspdata,
31 LDAPControl ***rspctrls,
38 if ( reqdata != NULL ) {
39 /* no request data should be provided */
40 *text = "no request data expected";
41 return LDAP_PROTOCOL_ERROR;
44 /* acquire connection lock */
45 ldap_pvt_thread_mutex_lock( &conn->c_mutex );
47 /* can't start TLS if it is already started */
48 if (conn->c_is_tls != 0) {
49 *text = "TLS already started";
50 rc = LDAP_OPERATIONS_ERROR;
54 /* can't start TLS if there are other op's around */
55 if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) &&
56 (LDAP_STAILQ_FIRST(&conn->c_ops) != op ||
57 LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
58 ( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) ))
60 *text = "cannot start TLS when operations are outstanding";
61 rc = LDAP_OPERATIONS_ERROR;
65 if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
66 ( conn->c_dn.bv_len != 0 ) )
68 Statslog( LDAP_DEBUG_STATS,
69 "conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0",
70 op->o_connid, op->o_opid, 0, 0, 0 );
72 /* force to anonymous */
73 connection2anonymous( conn );
76 if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
77 ( conn->c_dn.bv_len != 0 ) )
79 *text = "cannot start TLS after authentication";
80 rc = LDAP_OPERATIONS_ERROR;
84 /* fail if TLS could not be initialized */
85 if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
88 if (default_referral != NULL) {
89 /* caller will put the referral in the result */
94 *text = "Could not initialize TLS";
95 rc = LDAP_UNAVAILABLE;
100 conn->c_needs_tls_accept = 1;
105 /* give up connection lock */
106 ldap_pvt_thread_mutex_unlock( &conn->c_mutex );
109 * RACE CONDITION: we give up lock before sending result
110 * Should be resolved by reworking connection state, not
111 * by moving send here (so as to ensure proper TLS sequencing)
117 #endif /* HAVE_TLS */