r15400: Move the TLS code behind the socket interface.

This reduces caller complexity, because the TLS code is now called
just like any other socket.  (A new socket context is returned by the
tls_init_server and tls_init_client routines).

When TLS is not available, the original socket is returned.

Andrew Bartlett
(This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)

3 files changed, 22 insertions, 20 deletions

diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index c33d53f775..6714d68b0e 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -223,7 +223,7 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
 
 	/* require Kerberos SIGN/SEAL only if we don't use SSL
 	 * Windows seem not to like double encryption */
-	if (conn->tls == NULL || (! tls_enabled(conn->tls))) {
+	if (!tls_enabled(conn->sock)) {
 		gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
 	}
 
diff --git a/source4/libcli/ldap/ldap_client.c b/source4/libcli/ldap/ldap_client.c
index 27cab38916..8d815c7103 100644
--- a/source4/libcli/ldap/ldap_client.c
+++ b/source4/libcli/ldap/ldap_client.c
@@ -32,6 +32,7 @@
 #include "libcli/ldap/ldap_client.h"
 #include "libcli/composite/composite.h"
 #include "lib/stream/packet.h"
+#include "lib/tls/tls.h"
 #include "auth/gensec/gensec.h"
 #include "system/time.h"
 
@@ -85,12 +86,10 @@ static void ldap_connection_dead(struct ldap_connection *conn)
 		if (req->async.fn) {
 			req->async.fn(req);
 		}
-	}	
+	}
 
-	talloc_free(conn->tls);
-/*	talloc_free(conn->sock);  this will also free event.fde */
+	talloc_free(conn->sock);  /* this will also free event.fde */
 	talloc_free(conn->packet);
-	conn->tls = NULL;
 	conn->sock = NULL;
 	conn->event.fde = NULL;
 	conn->packet = NULL;
@@ -270,7 +269,7 @@ static void ldap_io_handler(struct event_context *ev, struct fd_event *fde,
 						       struct ldap_connection);
 	if (flags & EVENT_FD_WRITE) {
 		packet_queue_run(conn->packet);
-		if (conn->tls == NULL) return;
+		if (!tls_enabled(conn->sock)) return;
 	}
 	if (flags & EVENT_FD_READ) {
 		packet_recv(conn->packet);
@@ -339,11 +338,6 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn,
 	struct composite_context *result, *ctx;
 	struct ldap_connect_state *state;
 
-	if (conn->reconnect.url == NULL) {
-		conn->reconnect.url = talloc_strdup(conn, url);
-		if (conn->reconnect.url == NULL) goto failed;
-	}
-
 	result = talloc_zero(NULL, struct composite_context);
 	if (result == NULL) goto failed;
 	result->state = COMPOSITE_STATE_IN_PROGRESS;
@@ -357,6 +351,11 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn,
 
 	state->conn = conn;
 
+	if (conn->reconnect.url == NULL) {
+		conn->reconnect.url = talloc_strdup(conn, url);
+		if (conn->reconnect.url == NULL) goto failed;
+	}
+
 	state->ctx->status = ldap_parse_basic_url(conn, url, &conn->host,
 						  &conn->port, &conn->ldaps);
 	if (!NT_STATUS_IS_OK(state->ctx->status)) {
@@ -379,6 +378,7 @@ struct composite_context *ldap_connect_send(struct ldap_connection *conn,
 
 static void ldap_connect_recv_conn(struct composite_context *ctx)
 {
+	struct socket_context *initial_socket;
 	struct ldap_connect_state *state =
 		talloc_get_type(ctx->async.private_data,
 				struct ldap_connect_state);
@@ -398,21 +398,24 @@ static void ldap_connect_recv_conn(struct composite_context *ctx)
 		return;
 	}
 
-	conn->tls = tls_init_client(conn->sock, conn->event.fde, conn->ldaps);
-	if (conn->tls == NULL) {
-		talloc_free(conn->sock);
-		return;
+	talloc_steal(conn, conn->sock);
+	initial_socket = conn->sock;
+	if (conn->ldaps) {
+		conn->sock = tls_init_client(conn->sock, conn->event.fde);
+		if (conn->sock == NULL) {
+			talloc_free(initial_socket);
+			return;
+		}
 	}
-	talloc_steal(conn, conn->tls);
-	talloc_steal(conn->tls, conn->sock);
 
 	conn->packet = packet_init(conn);
 	if (conn->packet == NULL) {
 		talloc_free(conn->sock);
 		return;
 	}
+
 	packet_set_private(conn->packet, conn);
-	packet_set_tls(conn->packet, conn->tls);
+	packet_set_socket(conn->packet, conn->sock);
 	packet_set_callback(conn->packet, ldap_recv_handler);
 	packet_set_full_request(conn->packet, ldap_complete_packet);
 	packet_set_error_handler(conn->packet, ldap_error_handler);
@@ -535,7 +538,7 @@ struct ldap_request *ldap_request_send(struct ldap_connection *conn,
 	req = talloc_zero(conn, struct ldap_request);
 	if (req == NULL) return NULL;
 
-	if (conn->tls == NULL) {
+	if (conn->sock == NULL) {
 		status = NT_STATUS_INVALID_CONNECTION;
 		goto failed;
 	}
diff --git a/source4/libcli/ldap/ldap_client.h b/source4/libcli/ldap/ldap_client.h
index 7801f8b6bc..28b9f2763c 100644
--- a/source4/libcli/ldap/ldap_client.h
+++ b/source4/libcli/ldap/ldap_client.h
@@ -51,7 +51,6 @@ struct ldap_request {
 
 /* main context for a ldap client connection */
 struct ldap_connection {
-	struct tls_context *tls;
 	struct socket_context *sock;
 	char *host;
 	uint16_t port;