1/* 2 Unix SMB/CIFS implementation. 3 LDAP server 4 Copyright (C) Stefan Metzmacher 2004 5 6 This program is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License as published by 8 the Free Software Foundation; either version 3 of the License, or 9 (at your option) any later version. 10 11 This program is distributed in the hope that it will be useful, 12 but WITHOUT ANY WARRANTY; without even the implied warranty of 13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 GNU General Public License for more details. 15 16 You should have received a copy of the GNU General Public License 17 along with this program. If not, see <http://www.gnu.org/licenses/>. 18*/ 19 20#include "includes.h" 21#include "ldap_server/ldap_server.h" 22#include "../lib/util/dlinklist.h" 23#include "libcli/ldap/ldap.h" 24#include "lib/tls/tls.h" 25#include "smbd/service_stream.h" 26 27struct ldapsrv_starttls_context { 28 struct ldapsrv_connection *conn; 29 struct socket_context *tls_socket; 30}; 31 32static void ldapsrv_start_tls(void *private_data) 33{ 34 struct ldapsrv_starttls_context *ctx = talloc_get_type(private_data, struct ldapsrv_starttls_context); 35 talloc_steal(ctx->conn->connection, ctx->tls_socket); 36 37 ctx->conn->sockets.tls = ctx->tls_socket; 38 ctx->conn->connection->socket = ctx->tls_socket; 39 packet_set_socket(ctx->conn->packet, ctx->conn->connection->socket); 40 packet_set_unreliable_select(ctx->conn->packet); 41} 42 43static NTSTATUS ldapsrv_StartTLS(struct ldapsrv_call *call, 44 struct ldapsrv_reply *reply, 45 const char **errstr) 46{ 47 struct ldapsrv_starttls_context *ctx; 48 49 (*errstr) = NULL; 50 51 /* 52 * TODO: give LDAP_OPERATIONS_ERROR also when 53 * there're pending requests or there's 54 * a SASL bind in progress 55 * (see rfc4513 section 3.1.1) 56 */ 57 if (call->conn->sockets.tls) { 58 (*errstr) = talloc_asprintf(reply, "START-TLS: TLS is already enabled on this LDAP session"); 59 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR); 60 } 61 62 ctx = talloc(call, struct ldapsrv_starttls_context); 63 NT_STATUS_HAVE_NO_MEMORY(ctx); 64 65 ctx->conn = call->conn; 66 ctx->tls_socket = tls_init_server(call->conn->service->tls_params, 67 call->conn->connection->socket, 68 call->conn->connection->event.fde, 69 NULL); 70 if (!ctx->tls_socket) { 71 (*errstr) = talloc_asprintf(reply, "START-TLS: Failed to setup TLS socket"); 72 return NT_STATUS_LDAP(LDAP_OPERATIONS_ERROR); 73 } 74 75 call->send_callback = ldapsrv_start_tls; 76 call->send_private = ctx; 77 78 reply->msg->r.ExtendedResponse.response.resultcode = LDAP_SUCCESS; 79 reply->msg->r.ExtendedResponse.response.errormessage = NULL; 80 81 ldapsrv_queue_reply(call, reply); 82 return NT_STATUS_OK; 83} 84 85struct ldapsrv_extended_operation { 86 const char *oid; 87 NTSTATUS (*fn)(struct ldapsrv_call *call, struct ldapsrv_reply *reply, const char **errorstr); 88}; 89 90static struct ldapsrv_extended_operation extended_ops[] = { 91 { 92 .oid = LDB_EXTENDED_START_TLS_OID, 93 .fn = ldapsrv_StartTLS, 94 },{ 95 .oid = NULL, 96 .fn = NULL, 97 } 98}; 99 100NTSTATUS ldapsrv_ExtendedRequest(struct ldapsrv_call *call) 101{ 102 struct ldap_ExtendedRequest *req = &call->request->r.ExtendedRequest; 103 struct ldapsrv_reply *reply; 104 int result = LDAP_PROTOCOL_ERROR; 105 const char *error_str = NULL; 106 NTSTATUS status = NT_STATUS_OK; 107 uint32_t i; 108 109 DEBUG(10, ("Extended\n")); 110 111 reply = ldapsrv_init_reply(call, LDAP_TAG_ExtendedResponse); 112 NT_STATUS_HAVE_NO_MEMORY(reply); 113 114 ZERO_STRUCT(reply->msg->r); 115 reply->msg->r.ExtendedResponse.oid = talloc_steal(reply, req->oid); 116 reply->msg->r.ExtendedResponse.response.resultcode = LDAP_PROTOCOL_ERROR; 117 reply->msg->r.ExtendedResponse.response.errormessage = NULL; 118 119 for (i=0; extended_ops[i].oid; i++) { 120 if (strcmp(extended_ops[i].oid,req->oid) != 0) continue; 121 122 /* 123 * if the backend function returns an error we 124 * need to send the reply otherwise the reply is already 125 * send and we need to return directly 126 */ 127 status = extended_ops[i].fn(call, reply, &error_str); 128 NT_STATUS_IS_OK_RETURN(status); 129 130 if (NT_STATUS_IS_LDAP(status)) { 131 result = NT_STATUS_LDAP_CODE(status); 132 } else { 133 result = LDAP_OPERATIONS_ERROR; 134 error_str = talloc_asprintf(reply, "Extended Operation(%s) failed: %s", 135 req->oid, nt_errstr(status)); 136 } 137 } 138 /* if we haven't found the oid, then status is still NT_STATUS_OK */ 139 if (NT_STATUS_IS_OK(status)) { 140 error_str = talloc_asprintf(reply, "Extended Operation(%s) not supported", 141 req->oid); 142 } 143 144 reply->msg->r.ExtendedResponse.response.resultcode = result; 145 reply->msg->r.ExtendedResponse.response.errormessage = error_str; 146 147 ldapsrv_queue_reply(call, reply); 148 return NT_STATUS_OK; 149} 150