1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

r17224: Accept the start-tls extended request. Getting OpenLDAP to recognise

our certificate, and proceed with the connection is left as an
exercise for the reader...

Andrew Bartlett
(This used to be commit 9bd66d4c95)
This commit is contained in:
Andrew Bartlett 2006-07-25 02:57:51 +00:00 committed by Gerald (Jerry) Carter
parent 1ea4f560fc
commit a6629e037a

View File

@ -25,6 +25,10 @@
#include "lib/ldb/include/ldb.h"
#include "lib/ldb/include/ldb_errors.h"
#include "lib/db_wrap.h"
#include "lib/tls/tls.h"
#include "smbd/service_task.h"
#include "smbd/service_stream.h"
#include "smbd/service.h"
#define VALID_DN_SYNTAX(dn,i) do {\
if (!(dn)) {\
@ -731,9 +735,25 @@ static NTSTATUS ldapsrv_AbandonRequest(struct ldapsrv_call *call)
return NT_STATUS_OK;
}
struct ldapsrv_starttls_context {
struct ldapsrv_connection *conn;
struct socket_context *tls_socket;
};
static void ldapsrv_start_tls(void *private)
{
struct ldapsrv_starttls_context *ctx = talloc_get_type(private, struct ldapsrv_starttls_context);
talloc_steal(ctx->conn->connection, ctx->tls_socket);
talloc_unlink(ctx->conn->connection, ctx->conn->connection->socket);
ctx->conn->connection->socket = ctx->tls_socket;
packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket);
}
static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
{
/* struct ldap_ExtendedRequest *req = &call->request.r.ExtendedRequest;*/
struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest;
struct ldapsrv_reply *reply;
DEBUG(10, ("Extended\n"));
@ -745,6 +765,43 @@ static NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call)
ZERO_STRUCT(reply->msg->r);
/* check if we have a START_TLS call */
if (strcmp(req->oid, LDB_EXTENDED_START_TLS_OID) == 0) {
NTSTATUS status;
struct ldapsrv_starttls_context *ctx;
int result = 0;
const char *errstr;
ctx = talloc(call, struct ldapsrv_starttls_context);
if (ctx) {
ctx->conn = call->conn;
ctx->tls_socket = tls_init_server(call->conn->service->tls_params,
call->conn->connection->socket,
call->conn->connection->event.fde,
NULL);
}
if (!ctx || !ctx->tls_socket) {
result = LDAP_OPERATIONS_ERROR;
errstr = talloc_asprintf(reply,
"START-TLS: Failed to setup TLS socket");
} else {
result = LDAP_SUCCESS;
errstr = NULL;
call->send_callback = ldapsrv_start_tls;
call->send_private = ctx;
}
reply->msg->r.ExtendedResponse.response.resultcode = result;
reply->msg->r.ExtendedResponse.response.errormessage = errstr;
reply->msg->r.ExtendedResponse.oid = talloc_strdup(reply, req->oid);
if (!reply->msg->r.ExtendedResponse.oid) {
return NT_STATUS_NO_MEMORY;
}
}
/* TODO: OID not recognized, return a protocol error */
ldapsrv_queue_reply(call, reply);
return NT_STATUS_OK;
}