authorAndrew Tridgell <tridge@samba.org>2005-06-19 11:10:15 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:18:31 -0500
commit7a17da2186c628f0d8e8a43ca34320b0f10d9d8f (patch)
tree1a34d26ff6ae6797c3ccdfacb928513c135b00db
parent6720bd94b8506d652ddc273bdbe02944e5911e23 (diff)
r7751: only enable tls on the ldaps port in ldap server, and reject non-tls
connections on that port (This used to be commit 30da6a1cc41308a16a486111887f45bcf598f064)
-rw-r--r--source4/ldap_server/ldap_server.c5
-rw-r--r--source4/lib/tls/tls.c9
-rw-r--r--source4/lib/tls/tls.h3
-rw-r--r--source4/web_server/web_server.c2
4 files changed, 12 insertions, 7 deletions
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 5ac50bd514..88df0ed876 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -330,6 +330,7 @@ static void ldapsrv_accept(struct stream_connection *c)
struct ldapsrv_service *ldapsrv_service =
talloc_get_type(c->private, struct ldapsrv_service);
struct ldapsrv_connection *conn;
+ int port;
conn = talloc_zero(c, struct ldapsrv_connection);
if (conn == NULL) goto failed;
@@ -341,10 +342,12 @@ static void ldapsrv_accept(struct stream_connection *c)
conn->service = talloc_get_type(c->private, struct ldapsrv_service);
c->private = conn;
+ port = socket_get_my_port(c->socket);
+
/* note that '0' is a ASN1_SEQUENCE(0), which is the first byte on
any ldap connection */
conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket,
- c->event.fde, "0");
+ c->event.fde, NULL, port != 389);
if (conn->tls == NULL) goto failed;
return;
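Review bot: `port != 389` hard-codes the plaintext LDAP port as the only one exempt from TLS, so a listener bound to any other port (a test port, or a non-default configuration) is treated as ldaps and its connections get no plaintext path; a named constant such as `#define LDAP_PORT 389` or, better, a comparison against the configured ldaps port would make the policy explicit and reviewable. The result of `socket_get_my_port(c->socket)` is also used without checking for a failure value — presumably it can fail, worth confirming, and if it can a failure should probably be treated as "TLS required" rather than falling into the plaintext branch. ldapsrv_accept starts and ends outside this hunk.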
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 559a54a2f0..86a2ca0f0b 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -332,7 +332,8 @@ init_failed:
struct tls_context *tls_init_server(struct tls_params *params,
struct socket_context *socket,
struct fd_event *fde,
- const char *plain_chars)
+ const char *plain_chars,
+ BOOL tls_enable)
{
struct tls_context *tls;
int ret;
@@ -343,7 +344,7 @@ struct tls_context *tls_init_server(struct tls_params *params,
tls->socket = socket;
tls->fde = fde;
- if (!params->tls_enabled) {
+ if (!params->tls_enabled || !tls_enable) {
tls->tls_enabled = False;
return tls;
}
@@ -402,7 +403,6 @@ BOOL tls_support(struct tls_params *params)
return params->tls_enabled;
}
-
#else
/* for systems without tls we just map the tls socket calls to the
@@ -416,7 +416,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
struct tls_context *tls_init_server(struct tls_params *params,
struct socket_context *sock,
struct fd_event *fde,
- const char *plain_chars)
+ const char *plain_chars,
+ BOOL tls_enable)
{
if (plain_chars == NULL) return NULL;
return (struct tls_context *)sock;
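Review bot: `if (!params->tls_enabled || !tls_enable)` hands back a plaintext context whenever TLS is not configured in params, even for a caller that asked for TLS with no plaintext fallback, so an ldaps-port connection degrades to cleartext instead of being rejected as the commit message states; if NULL plain_chars means "no plaintext accepted" (as the ldap_server caller's usage suggests — worth confirming), a guard such as `if (tls_enable && plain_chars == NULL && !params->tls_enabled) return NULL;` ahead of this check would fail closed. The `#else` stub has the opposite problem: it ignores the new tls_enable argument and returns NULL for any NULL plain_chars, which with the ldap_server change rejects every plaintext-port connection on a build without TLS; `if (plain_chars == NULL && tls_enable) return NULL;` would keep the reject-on-ldaps behaviour while leaving the plain port usable. Both definitions of tls_init_server continue outside the hunks.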
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index fe993a3804..3046e35a1c 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -37,7 +37,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx);
struct tls_context *tls_init_server(struct tls_params *parms,
struct socket_context *sock,
struct fd_event *fde,
- const char *plain_chars);
+ const char *plain_chars,
+ BOOL tls_enable);
/*
call these to send and receive data. They behave like socket_send() and socket_recv()
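Review bot: The new `tls_enable` parameter is undocumented, and its interaction with `plain_chars` is not recoverable from the prototype alone: one caller passes a byte list plus True, the other passes NULL plus a per-port flag. A comment above the declaration should state that tls_enable allows TLS negotiation on this socket when the build and params support it, that plain_chars lists the first bytes that identify a non-TLS client (NULL meaning no plaintext is accepted, if that is the intended convention — confirm against tls.c), and that the function returns NULL when the connection must be refused. Something like `/* plain_chars: bytes that may begin a plaintext session, NULL to accept TLS only; tls_enable: permit a TLS handshake on this socket */` would do.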
diff --git a/source4/web_server/web_server.c b/source4/web_server/web_server.c
index e54c0b6e9f..5ccf059b49 100644
--- a/source4/web_server/web_server.c
+++ b/source4/web_server/web_server.c
@@ -191,7 +191,7 @@ static void websrv_accept(struct stream_connection *conn)
websrv_timeout, web);
web->tls = tls_init_server(edata->tls_params, conn->socket,
- conn->event.fde, "GPHO");
+ conn->event.fde, "GPHO", True);
if (web->tls == NULL) goto failed;
return;