X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=servers%2Fslapd%2Fstarttls.c;h=4ab33b10365e59da752622f95561d84435deeff1;hb=17f95a3fd30247a0735a3526d85b46178304748d;hp=bd12f32c73d0be0c140d9c0b4cd10dad23ce2ef5;hpb=563fd083e9c566e356f95862c12448d52aa60e40;p=openldap

diff --git a/servers/slapd/starttls.c b/servers/slapd/starttls.c
index bd12f32c73..4ab33b1036 100644
--- a/servers/slapd/starttls.c
+++ b/servers/slapd/starttls.c
@@ -1,6 +1,6 @@
 /* $OpenLDAP$ */
 /* 
- * Copyright 1999-2000 The OpenLDAP Foundation.
+ * Copyright 1999-2003 The OpenLDAP Foundation.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms are permitted only
@@ -14,6 +14,8 @@
 #include <stdio.h>
 #include <ac/socket.h>
 
+#include <ldap_pvt.h>
+
 #include "slap.h"
 
 #ifdef HAVE_TLS
@@ -28,7 +30,7 @@ starttls_extop (
 	struct berval ** rspdata,
 	LDAPControl ***rspctrls,
 	const char ** text,
-	struct berval *** refs )
+	BerVarray * refs )
 {
 	void *ctx;
 	int rc;
@@ -50,17 +52,37 @@ starttls_extop (
 	}
 
 	/* can't start TLS if there are other op's around */
-	if (( conn->c_ops != NULL &&
-			(conn->c_ops != op || op->o_next != NULL)) ||
-		( conn->c_pending_ops != NULL))
+	if (( !LDAP_STAILQ_EMPTY(&conn->c_ops) &&
+			(LDAP_STAILQ_FIRST(&conn->c_ops) != op ||
+			LDAP_STAILQ_NEXT(op, o_next) != NULL)) ||
+		( !LDAP_STAILQ_EMPTY(&conn->c_pending_ops) ))
+	{
+		*text = "cannot start TLS when operations are outstanding";
+		rc = LDAP_OPERATIONS_ERROR;
+		goto done;
+	}
+
+	if ( !( global_disallows & SLAP_DISALLOW_TLS_2_ANON ) &&
+		( conn->c_dn.bv_len != 0 ) )
+	{
+		Statslog( LDAP_DEBUG_STATS,
+			"conn=%lu op=%lu AUTHZ anonymous mech=starttls ssf=0",
+			op->o_connid, op->o_opid, 0, 0, 0 );
+
+		/* force to anonymous */
+		connection2anonymous( conn );
+	}
+
+	if ( ( global_disallows & SLAP_DISALLOW_TLS_AUTHC ) &&
+		( conn->c_dn.bv_len != 0 ) )
 	{
-		*text = "cannot start TLS when operations our outstanding";
+		*text = "cannot start TLS after authentication";
 		rc = LDAP_OPERATIONS_ERROR;
 		goto done;
 	}
 
 	/* fail if TLS could not be initialized */
-	if (ldap_pvt_tls_get_option(NULL, LDAP_OPT_X_TLS_CERT, &ctx) != 0
+	if (ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &ctx ) != 0
 		|| ctx == NULL)
 	{
 		if (default_referral != NULL) {