From a6629e037a35c0e36e5bf8c38f88e675e8a40cbd Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 25 Jul 2006 02:57:51 +0000 Subject: r17224: Accept the start-tls extended request. Getting OpenLDAP to recognise our certificate, and proceed with the connection is left as an exercise for the reader... Andrew Bartlett (This used to be commit 9bd66d4c95dd971e2b1b6371ba3ffc6c178c0d4c) --- source4/ldap_server/ldap_backend.c | 59 +++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) (limited to 'source4') diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c index 6e4df86b88..d6aeedfde8 100644 --- a/source4/ldap_server/ldap_backend.c +++ b/source4/ldap_server/ldap_backend.c @@ -25,6 +25,10 @@ #include "lib/ldb/include/ldb.h" #include "lib/ldb/include/ldb_errors.h" #include "lib/db_wrap.h" +#include "lib/tls/tls.h" +#include "smbd/service_task.h" +#include "smbd/service_stream.h" +#include "smbd/service.h" #define VALID_DN_SYNTAX(dn,i) do {\ if (!(dn)) {\ @@ -731,9 +735,25 @@ static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call) return NT_STATUS_OK; } + +struct ldapsrv_starttls_context { + struct ldapsrv_connection *conn; + struct socket_context *tls_socket; +}; + +static void ldapsrv_start_tls(void *private) +{ + struct ldapsrv_starttls_context *ctx = talloc_get_type(private, struct ldapsrv_starttls_context); + talloc_steal(ctx->conn->connection, ctx->tls_socket); + talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket); + + ctx->conn->connection->socket = ctx->tls_socket; + packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket); +} + static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call) { -/* struct ldap_ExtendedRequest *req = &call->request.r.ExtendedRequest;*/ + struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest; struct ldapsrv_reply *reply; DEBUG(10, ("Extended\n")); @@ -745,6 +765,43 @@ static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call) ZERO_STRUCT(reply->msg->r); + /* check if we have a START_TLS call */ + if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) { + NTSTATUS status; + struct ldapsrv_starttls_context *ctx; + int result = 0; + const char *errstr; + ctx = talloc(call, struct ldapsrv_starttls_context); + + if (ctx) { + ctx->conn = call->conn; + ctx->tls_socket = tls_init_server(call->conn->service->tls_params, + call->conn->connection->socket, + call->conn->connection->event.fde, + NULL); + } + + if (!ctx || !ctx->tls_socket) { + result = LDAP_OPERATIONS_ERROR; + errstr = talloc_asprintf(reply, + "START-TLS: Failed to setup TLS socket"); + } else { + result = LDAP_SUCCESS; + errstr = NULL; + call->send_callback = ldapsrv_start_tls; + call->send_private = ctx; + } + + reply->msg->r.ExtendedResponse.response.resultcode = result; + reply->msg->r.ExtendedResponse.response.errormessage = errstr; + reply->msg->r.ExtendedResponse.oid = talloc_strdup(reply, req->oid); + if (!reply->msg->r.ExtendedResponse.oid) { + return NT_STATUS_NO_MEMORY; + } + } + + /* TODO: OID not recognized, return a protocol error */ + ldapsrv_queue_reply(call, reply); return NT_STATUS_OK; } -- cgit