tldap_tls: Remove tldap_[gs]et_starttls_needed()

The caller setting up a tldap connection is aware of whether to use
starttls, which is one single ldap extended operation before the tls
crypto starts. There is no complex logic behind this that is
worthwhile to be hidden behind a flag and an API. If there was more to
it than just a simple call to tldap_extended(), I would all be for
passing down that flag, but for this case I would argue the logic
after this patch is simpler.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

source3/include/tldap.h

@@ -124,8 +124,6 @@ bool tevent_req_is_ldap_error(struct tevent_req *req, TLDAPRC *perr);
 
 struct tldap_context *tldap_context_create(TALLOC_CTX *mem_ctx, int fd);
 struct tstream_context *tldap_get_plain_tstream(struct tldap_context *ld);
-void tldap_set_starttls_needed(struct tldap_context *ld, bool needed);
-bool tldap_get_starttls_needed(struct tldap_context *ld);
 bool tldap_has_tls_tstream(struct tldap_context *ld);
 const DATA_BLOB *tldap_tls_channel_bindings(struct tldap_context *ld);
 void tldap_set_tls_tstream(struct tldap_context *ld,

source3/lib/tldap.c

@@ -86,7 +86,6 @@ struct tldap_ctx_attribute {
 struct tldap_context {
 	int ld_version;
 	struct tstream_context *plain;
-	bool starttls_needed;
 	struct tstream_context *tls;
 	struct tstream_context *gensec;
 	struct tstream_context *active;
@@ -230,24 +229,6 @@ struct tstream_context *tldap_get_plain_tstream(struct tldap_context *ld)
 	return ld->plain;
 }
 
-void tldap_set_starttls_needed(struct tldap_context *ld, bool needed)
-{
-	if (ld == NULL) {
-		return;
-	}
-
-	ld->starttls_needed = needed;
-}
-
-bool tldap_get_starttls_needed(struct tldap_context *ld)
-{
-	if (ld == NULL) {
-		return false;
-	}
-
-	return ld->starttls_needed;
-}
-
 bool tldap_has_tls_tstream(struct tldap_context *ld)
 {
 	return ld->tls != NULL && ld->active == ld->tls;

source3/lib/tldap_tls_connect.c

@@ -32,8 +32,6 @@ struct tldap_tls_connect_state {
 	struct tstream_tls_params *tls_params;
 };
 
-static void tldap_tls_connect_starttls_done(struct tevent_req *subreq);
-static void tldap_tls_connect_crypto_start(struct tevent_req *req);
 static void tldap_tls_connect_crypto_done(struct tevent_req *subreq);
 
 struct tevent_req *tldap_tls_connect_send(TALLOC_CTX *mem_ctx,
@@ -41,8 +39,9 @@ struct tevent_req *tldap_tls_connect_send(TALLOC_CTX *mem_ctx,
 					  struct tldap_context *ctx,
 					  struct tstream_tls_params *tls_params)
 {
-	struct tevent_req *req = NULL;
+	struct tevent_req *req = NULL, *subreq = NULL;
 	struct tldap_tls_connect_state *state = NULL;
+	struct tstream_context *plain_stream = NULL;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct tldap_tls_connect_state);
@@ -65,72 +64,11 @@ struct tevent_req *tldap_tls_connect_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (tldap_get_starttls_needed(ctx)) {
-		struct tevent_req *subreq = NULL;
-		static const char *start_tls_oid = "1.3.6.1.4.1.1466.20037";
-
-		subreq = tldap_extended_send(state,
-					     state->ev,
-					     state->ctx,
-					     start_tls_oid,
-					     NULL, /* in_blob */
-					     NULL, /* sctrls */
-					     0, /* num_sctrls */
-					     NULL, /* cctrls */
-					     0); /* num_cctrls */
-		if (tevent_req_nomem(subreq, req)) {
-			return tevent_req_post(req, ev);
-		}
-		tevent_req_set_callback(subreq,
-					tldap_tls_connect_starttls_done,
-					req);
-
-		return req;
-	}
-
-	tldap_tls_connect_crypto_start(req);
-	if (!tevent_req_is_in_progress(req)) {
-		return tevent_req_post(req, ev);
-	}
-
-	return req;
-}
-
-static void tldap_tls_connect_starttls_done(struct tevent_req *subreq)
-{
-	struct tevent_req *req = tevent_req_callback_data(
-		subreq, struct tevent_req);
-	struct tldap_tls_connect_state *state = tevent_req_data(
-		req, struct tldap_tls_connect_state);
-	TLDAPRC rc;
-
-	rc = tldap_extended_recv(subreq, state, NULL, NULL);
-	TALLOC_FREE(subreq);
-	if (!TLDAP_RC_IS_SUCCESS(rc)) {
-		DBG_ERR("tldap_extended_recv(STARTTLS, %s): %s\n",
-			tstream_tls_params_peer_name(state->tls_params),
-			tldap_rc2string(rc));
-		tevent_req_ldap_error(req, rc);
-		return;
-	}
-
-	tldap_set_starttls_needed(state->ctx, false);
-
-	tldap_tls_connect_crypto_start(req);
-}
-
-static void tldap_tls_connect_crypto_start(struct tevent_req *req)
-{
-	struct tldap_tls_connect_state *state = tevent_req_data(
-		req, struct tldap_tls_connect_state);
-	struct tstream_context *plain_stream = NULL;
-	struct tevent_req *subreq = NULL;
-
 	plain_stream = tldap_get_plain_tstream(state->ctx);
 	if (plain_stream == NULL) {
 		DBG_ERR("tldap_get_plain_tstream() = NULL\n");
 		tevent_req_ldap_error(req, TLDAP_LOCAL_ERROR);
-		return;
+		return req;
 	}
 
 	subreq = tstream_tls_connect_send(state,
@@ -138,11 +76,12 @@ static void tldap_tls_connect_crypto_start(struct tevent_req *req)
 					  plain_stream,
 					  state->tls_params);
 	if (tevent_req_nomem(subreq, req)) {
-		return;
+		return tevent_req_post(req, ev);
 	}
 	tevent_req_set_callback(subreq,
 				tldap_tls_connect_crypto_done,
 				req);
+	return req;
 }
 
 static void tldap_tls_connect_crypto_done(struct tevent_req *subreq)

source3/torture/torture.c

@@ -56,6 +56,7 @@
 #include "source3/lib/substitute.h"
 #include "ads.h"
 #include "source4/lib/tls/tls.h"
+#include <ldb.h>
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
@@ -12430,7 +12431,24 @@ static bool run_tldap(int dummy)
 	if (use_tls && !tldap_has_tls_tstream(ld)) {
 		struct tstream_tls_params *tls_params = NULL;
 
-		tldap_set_starttls_needed(ld, use_starttls);
+		if (use_starttls) {
+			rc = tldap_extended(ld,
+					    LDB_EXTENDED_START_TLS_OID,
+					    NULL,
+					    NULL,
+					    0,
+					    NULL,
+					    0,
+					    NULL,
+					    NULL,
+					    NULL);
+			if (!TLDAP_RC_IS_SUCCESS(rc)) {
+				DBG_ERR("tldap_extended(%s) failed: %s\n",
+					LDB_EXTENDED_START_TLS_OID,
+					tldap_errstr(talloc_tos(), ld, rc));
+				return false;
+			}
+		}
 
 		status = tstream_tls_params_client_lpcfg(talloc_tos(),
 							 lp_ctx,

source3/winbindd/idmap_ad.c

@@ -431,7 +431,24 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 	if (use_tls && !tldap_has_tls_tstream(ld)) {
 		struct tstream_tls_params *tls_params = NULL;
 
-		tldap_set_starttls_needed(ld, use_starttls);
+		if (use_starttls) {
+		       rc = tldap_extended(ld,
+					   LDB_EXTENDED_START_TLS_OID,
+					   NULL,
+					   NULL,
+					   0,
+					   NULL,
+					   0,
+					   NULL,
+					   NULL,
+					   NULL);
+		       if (!TLDAP_RC_IS_SUCCESS(rc)) {
+				DBG_ERR("tldap_extended(%s) failed: %s\n",
+					LDB_EXTENDED_START_TLS_OID,
+					tldap_errstr(talloc_tos(), ld, rc));
+				return NT_STATUS_LDAP(TLDAP_RC_V(rc));
+		       }
+		}
 
 		status = tstream_tls_params_client_lpcfg(talloc_tos(),
 							 lp_ctx,