author | Andrew Tridgell <tridge@samba.org> | 2005-06-19 11:10:15 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:18:31 -0500 |
commit | 7a17da2186c628f0d8e8a43ca34320b0f10d9d8f (patch) | |
tree | 1a34d26ff6ae6797c3ccdfacb928513c135b00db | |
parent | 6720bd94b8506d652ddc273bdbe02944e5911e23 (diff) | |
download | samba-7a17da2186c628f0d8e8a43ca34320b0f10d9d8f.tar.gz samba-7a17da2186c628f0d8e8a43ca34320b0f10d9d8f.tar.bz2 samba-7a17da2186c628f0d8e8a43ca34320b0f10d9d8f.zip |
r7751: only enable tls on the ldaps port in ldap server, and reject non-tls
connections on that port
(This used to be commit 30da6a1cc41308a16a486111887f45bcf598f064)
-rw-r--r-- | source4/ldap_server/ldap_server.c | 5 | ||||
-rw-r--r-- | source4/lib/tls/tls.c | 9 | ||||
-rw-r--r-- | source4/lib/tls/tls.h | 3 | ||||
-rw-r--r-- | source4/web_server/web_server.c | 2 |
4 files changed, 12 insertions, 7 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 5ac50bd514..88df0ed876 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -330,6 +330,7 @@ static void ldapsrv_accept(struct stream_connection *c)
 struct ldapsrv_service *ldapsrv_service = talloc_get_type(c->private, struct ldapsrv_service);
 struct ldapsrv_connection *conn;
+ int port;
 conn = talloc_zero(c, struct ldapsrv_connection);
 if (conn == NULL) goto failed;
@@ -341,10 +342,12 @@ static void ldapsrv_accept(struct stream_connection *c)
 conn->service = talloc_get_type(c->private, struct ldapsrv_service);
 c->private = conn;
+ port = socket_get_my_port(c->socket);
+ /* note that '0' is a ASN1_SEQUENCE(0), which is the first byte on any ldap connection */
 conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket,
- c->event.fde, "0");
+ c->event.fde, NULL, port != 389);
 if (conn->tls == NULL) goto failed;
 return;
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 559a54a2f0..86a2ca0f0b 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -332,7 +332,8 @@ init_failed:
 struct tls_context *tls_init_server(struct tls_params *params,
 struct socket_context *socket,
 struct fd_event *fde,
- const char *plain_chars)
+ const char *plain_chars,
+ BOOL tls_enable)
 {
 struct tls_context *tls;
 int ret;
@@ -343,7 +344,7 @@ struct tls_context *tls_init_server(struct tls_params *params,
 tls->socket = socket;
 tls->fde = fde;
- if (!params->tls_enabled) {
+ if (!params->tls_enabled || !tls_enable) {
 tls->tls_enabled = False;
 return tls;
 }
@@ -402,7 +403,6 @@ BOOL tls_support(struct tls_params *params)
 return params->tls_enabled;
 }
-
 #else
 /* for systems without tls we just map the tls socket calls to the 
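Review bot: `port != 389` hard-codes the plaintext LDAP port, so a listener bound to any other port (a non-default port taken from configuration, if the service supports one) is treated as ldaps and its plaintext clients are rejected through the `conn->tls == NULL` path; name the constant and make the fail-closed choice explicit with a comment above `port = socket_get_my_port(c->socket);` such as `/* only the standard LDAP port accepts plaintext; every other listener is TLS-only */`. The comment `/* note that '0' is a ASN1_SEQUENCE(0) ... */` is now stale: the call passes `NULL` for plain_chars, so no plaintext-fallback byte is recognised any more, and it should be reworded to say that plaintext fallback is disabled for the LDAP service and the listening port alone decides whether TLS is negotiated. `int port` presumably matches the return type of socket_get_my_port(), which is not visible here and worth confirming. ldapsrv_accept starts before this hunk and continues past it.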
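Review bot: `if (!params->tls_enabled || !tls_enable)` silently downgrades a connection the caller asked to be TLS: when tls_enable is true but the server has no TLS configured (`params->tls_enabled` false), the context is returned with `tls_enabled = False` and the ldaps listener serves plaintext, the opposite of the commit's stated "reject non-tls connections on that port". Keep the plain branch for `!tls_enable` only and turn the unavailable-TLS case into an error so ldapsrv_accept takes its existing `goto failed`: `if (!tls_enable) { tls->tls_enabled = False; return tls; }` followed by `if (!params->tls_enabled) { /* TLS requested but not configured */ return NULL; }`, releasing tls the same way the function's other failure paths do (those paths are outside this hunk). tls_init_server begins in the previous hunk and continues past this one.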
@@ -416,7 +416,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 struct tls_context *tls_init_server(struct tls_params *params,
 struct socket_context *sock,
 struct fd_event *fde,
- const char *plain_chars)
+ const char *plain_chars,
+ BOOL tls_enable)
 {
 if (plain_chars == NULL) return NULL;
 return (struct tls_context *)sock;
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index fe993a3804..3046e35a1c 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -37,7 +37,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx);
 struct tls_context *tls_init_server(struct tls_params *parms,
 struct socket_context *sock,
 struct fd_event *fde,
- const char *plain_chars);
+ const char *plain_chars,
+ BOOL tls_enable);
 /* call these to send and receive data. They behave like socket_send() and socket_recv()
diff --git a/source4/web_server/web_server.c b/source4/web_server/web_server.c
index e54c0b6e9f..5ccf059b49 100644
--- a/source4/web_server/web_server.c
+++ b/source4/web_server/web_server.c
@@ -191,7 +191,7 @@ static void websrv_accept(struct stream_connection *conn)
 websrv_timeout, web);
 web->tls = tls_init_server(edata->tls_params, conn->socket,
- conn->event.fde, "GPHO");
+ conn->event.fde, "GPHO", True);
 if (web->tls == NULL) goto failed;
 return;
|
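Review bot: The no-TLS stub still returns NULL whenever plain_chars is NULL, but ldap_server.c in this same commit now passes NULL on every port, so on a build without TLS support every LDAP accept fails at `if (conn->tls == NULL) goto failed;`, including the plaintext port 389. The stub should consult the parameter it just gained: when tls_enable is false the plain socket is exactly what was requested, and only a TLS-only request (tls_enable true with no plaintext fallback) must fail, i.e. `if (tls_enable && plain_chars == NULL) return NULL;`. That keeps the web server's `"GPHO", True` call working as before while making an ldaps listener refuse connections rather than silently serving them in plaintext.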
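Review bot: The new `BOOL tls_enable` parameter is undocumented in the header, and its interaction with plain_chars (NULL apparently meaning no plaintext fallback, judging only by the non-TLS stub in tls.c) is not stated anywhere the caller can see it; add a comment above the declaration along the lines of `/* tls_enable: negotiate TLS on this socket (only if the server has TLS configured); plain_chars: first-byte values that select a plaintext connection, NULL meaning plaintext is never accepted */`. The first parameter is spelled `parms` here and `params` in tls.c, a small inconsistency worth aligning while the prototype is being touched.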