From 7a17da2186c628f0d8e8a43ca34320b0f10d9d8f Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Sun, 19 Jun 2005 11:10:15 +0000
Subject: r7751: only enable tls on the ldaps port in ldap server, and reject
 non-tls connections on that port (This used to be commit
 30da6a1cc41308a16a486111887f45bcf598f064)

---
 source4/ldap_server/ldap_server.c | 5 ++++-
 source4/lib/tls/tls.c             | 9 +++++----
 source4/lib/tls/tls.h             | 3 ++-
 source4/web_server/web_server.c   | 2 +-
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 5ac50bd514..88df0ed876 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -330,6 +330,7 @@ static void ldapsrv_accept(struct stream_connection *c)
 	struct ldapsrv_service *ldapsrv_service = 
 		talloc_get_type(c->private, struct ldapsrv_service);
 	struct ldapsrv_connection *conn;
+	int port;
 
 	conn = talloc_zero(c, struct ldapsrv_connection);
 	if (conn == NULL) goto failed;
@@ -341,10 +342,12 @@ static void ldapsrv_accept(struct stream_connection *c)
 	conn->service     = talloc_get_type(c->private, struct ldapsrv_service);
 	c->private        = conn;
 
+	port = socket_get_my_port(c->socket);
+
 	/* note that '0' is a ASN1_SEQUENCE(0), which is the first byte on
 	   any ldap connection */
 	conn->tls = tls_init_server(ldapsrv_service->tls_params, c->socket, 
-				    c->event.fde, "0");
+				    c->event.fde, NULL, port != 389);
 	if (conn->tls == NULL) goto failed;
 
 	return;
diff --git a/source4/lib/tls/tls.c b/source4/lib/tls/tls.c
index 559a54a2f0..86a2ca0f0b 100644
--- a/source4/lib/tls/tls.c
+++ b/source4/lib/tls/tls.c
@@ -332,7 +332,8 @@ init_failed:
 struct tls_context *tls_init_server(struct tls_params *params, 
 				    struct socket_context *socket,
 				    struct fd_event *fde, 
-				    const char *plain_chars)
+				    const char *plain_chars,
+				    BOOL tls_enable)
 {
 	struct tls_context *tls;
 	int ret;
@@ -343,7 +344,7 @@ struct tls_context *tls_init_server(struct tls_params *params,
 	tls->socket          = socket;
 	tls->fde             = fde;
 
-	if (!params->tls_enabled) {
+	if (!params->tls_enabled || !tls_enable) {
 		tls->tls_enabled = False;
 		return tls;
 	}
@@ -402,7 +403,6 @@ BOOL tls_support(struct tls_params *params)
 	return params->tls_enabled;
 }
 
-
 #else
 
 /* for systems without tls we just map the tls socket calls to the
@@ -416,7 +416,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx)
 struct tls_context *tls_init_server(struct tls_params *params, 
 				    struct socket_context *sock, 
 				    struct fd_event *fde,
-				    const char *plain_chars)
+				    const char *plain_chars,
+				    BOOL tls_enable)
 {
 	if (plain_chars == NULL) return NULL;
 	return (struct tls_context *)sock;
diff --git a/source4/lib/tls/tls.h b/source4/lib/tls/tls.h
index fe993a3804..3046e35a1c 100644
--- a/source4/lib/tls/tls.h
+++ b/source4/lib/tls/tls.h
@@ -37,7 +37,8 @@ struct tls_params *tls_initialise(TALLOC_CTX *mem_ctx);
 struct tls_context *tls_init_server(struct tls_params *parms,
 				    struct socket_context *sock, 
 				    struct fd_event *fde,
-				    const char *plain_chars);
+				    const char *plain_chars,
+				    BOOL tls_enable);
 
 /*
   call these to send and receive data. They behave like socket_send() and socket_recv()
diff --git a/source4/web_server/web_server.c b/source4/web_server/web_server.c
index e54c0b6e9f..5ccf059b49 100644
--- a/source4/web_server/web_server.c
+++ b/source4/web_server/web_server.c
@@ -191,7 +191,7 @@ static void websrv_accept(struct stream_connection *conn)
 			websrv_timeout, web);
 
 	web->tls = tls_init_server(edata->tls_params, conn->socket, 
-				   conn->event.fde, "GPHO");
+				   conn->event.fde, "GPHO", True);
 	if (web->tls == NULL) goto failed;
 
 	return;
-- 
cgit