X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fstarttls.c;h=4ab33b10365e59da752622f95561d84435deeff1;hb=17f95a3fd30247a0735a3526d85b46178304748d;hp=b5582e765254f2b22f38f0386dea1bdc53dae7d4;hpb=c4f5497ac62e309b3aecf08897908d4f955351f5;p=openldap diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c index b5582e7652..4ab33b1036 100644 --- a/servers/slapd/starttls.c +++ b/servers/slapd/starttls.c @@ -1,6 +1,6 @@ /* $OpenLDAP$ */ /* - * Copyright 1999-2000 The OpenLDAP Foundation. + * Copyright 1999-2003 The OpenLDAP Foundation. * All rights reserved. * * Redistribution and use in source and binary forms are permitted only @@ -14,6 +14,8 @@ #include #include +#include + #include "slap.h" #ifdef HAVE_TLS @@ -28,7 +30,7 @@ starttls_extop ( struct berval ** rspdata, LDAPControl ***rspctrls, const char ** text, - struct berval *** refs ) + BerVarray * refs ) { void *ctx; int rc; @@ -50,30 +52,35 @@ starttls_extop ( } /* can't start TLS if there are other op's around */ - if (( conn->c_ops != NULL && - (conn->c_ops != op || op->o_next != NULL)) || - ( conn->c_pending_ops != NULL)) + if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) && + (LDAP_STAILQ_FIRST(&conn->c_ops) != op || + LDAP_STAILQ_NEXT(op, o_next) != NULL)) || + ( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) )) { - *text = "cannot start TLS when operations our outstanding"; + *text = "cannot start TLS when operations are outstanding"; rc = LDAP_OPERATIONS_ERROR; goto done; } + if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) && + ( conn->c_dn.bv_len != 0 ) ) + { + Statslog( LDAP_DEBUG_STATS, + "conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0", + op->o_connid, op->o_opid, 0, 0, 0 ); + + /* force to anonymous */ + connection2anonymous( conn ); + } + if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) && - ( conn->c_dn != NULL ) ) + ( conn->c_dn.bv_len != 0 ) ) { *text = "cannot start TLS after authentication"; rc = LDAP_OPERATIONS_ERROR; goto done; } - if ( ( global_allows & SLAP_ALLOW_TLS_2_ANON ) && - ( conn->c_dn != NULL ) ) - { - /* force to anonymous */ - connection2anonymous( conn ); - } - /* fail if TLS could not be initialized */ if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0 || ctx == NULL)