| author | Marin Ivanov <[email protected]> | 2019-02-13 04:44:35 +0200 |
|---|---|---|
| committer | Marin Ivanov <[email protected]> | 2019-02-13 05:39:06 +0200 |
| commit | 0409e4c6689a5db50a618429e9eb40cdf704df4e (patch) | |
| tree | 800a666a6581906a65290ca03f5c2cb1a3779e80 /server.go | |
| parent | 518f72942c1cf751010a532c6189cd0eb0a5323b (diff) | |
Add option to require TLS upgrade, before serving any requests
Diffstat (limited to 'server.go')
| -rw-r--r-- | server.go | 31 |
1 files changed, 28 insertions, 3 deletions
@@ -2,6 +2,7 @@ package ldap
 import (
 "crypto/tls"
+ "errors"
 "io"
 "log"
 "net"
@@ -60,7 +61,8 @@ type Server struct {
 Stats *Stats
 // If set, server will accept StartTLS.
- TLSConfig *tls.Config
+ TLSConfig *tls.Config
+ EnforceTLS bool
 closing chan struct{}
 }
@@ -187,6 +189,10 @@ func (server *Server) ListenAndServe(listenString string) error {
 }
 func (server *Server) Serve(ln net.Listener) error {
+ if server.TLSConfig == nil && server.EnforceTLS {
+ return errors.New(errorEnforceTLSRequiresTLSConfig)
+ }
+
 newConn := make(chan net.Conn)
 go func() {
 for {
@@ -262,6 +268,19 @@ handler:
 }
 }
+ // Enforce TLS
+ switch conn.(type) {
+ case *tls.Conn:
+ default:
+ if server.EnforceTLS && req.Tag != ApplicationExtendedRequest {
+ responsePacket := encodeLDAPResponse(messageID, ApplicationExtendedResponse, LDAPResultProtocolError, "Upgrade to TLS is required")
+ if err = sendPacket(conn, responsePacket); err != nil {
+ log.Printf("sendPacket error %s", err.Error())
+ }
+ break handler
+ }
+ }
+
 //log.Printf("DEBUG: handling operation: %s [%d]", ApplicationMap[req.Tag], req.Tag)
 //ber.PrintPacket(packet) // DEBUG
@@ -318,8 +337,12 @@ handler:
 }
 var ldapResultCode LDAPResultCode
 if tlsConn == nil {
- // Wasn't an upgrade. Pass through.
- ldapResultCode = HandleExtendedRequest(req, boundDN, server.ExtendedFns, conn)
+ // Wasn't an upgrade.
+ if server.EnforceTLS {
+ ldapResultCode = LDAPResultProtocolError
+ } else {
+ ldapResultCode = HandleExtendedRequest(req, boundDN, server.ExtendedFns, conn)
+ }
 } else {
 ldapResultCode = LDAPResultSuccess
 }
@@ -330,6 +353,8 @@ handler:
 }
 if tlsConn != nil {
 conn = tlsConn
+ } else if server.EnforceTLS {
+ break handler
 }
 case ApplicationAbandonRequest:
 HandleAbandonRequest(req, boundDN, server.AbandonFns, conn) |
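Review bot: The new `EnforceTLS` field in the `Server` struct hunk has no doc comment, while the comment directly above it documents `TLSConfig`, so a reader cannot tell from the struct what is enforced or that `TLSConfig` must be set for it (the `Serve` hunk returns an error otherwise). Suggest placing above the field: `// If set, any request other than an extended (StartTLS) request is refused until the connection has been upgraded to TLS. Requires TLSConfig.` The wording should be confirmed against the handler hunks, since the refusal logic lives there rather than in the struct.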
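Review bot: `errors.New(errorEnforceTLSRequiresTLSConfig)` in the `Serve` hunk builds a fresh error from what appears to be a string constant on every call, which means callers can only match it by comparing `Error()` text; the constant itself is not in this file's diff, so I assume it is defined in another file of the commit. A package-level sentinel, `var ErrEnforceTLSRequiresTLSConfig = errors.New("EnforceTLS requires TLSConfig")` returned here, would let callers use `errors.Is` and is the idiomatic form. The body of `Serve` continues outside the hunk.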
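Review bot: The refusal branch in the new `switch conn.(type)` block answers every plaintext non-extended request with an `ApplicationExtendedResponse`, so a BindRequest or SearchRequest receives a reply whose protocol op does not match its request, and the connection is then dropped by `break handler`; most clients cannot correlate such a reply, so the "Upgrade to TLS is required" diagnostic is unlikely to reach the user. Replying with the response type that matches `req.Tag` (bind response for a bind, search-result-done for a search), and closing without a reply for operations that define none (unbind, abandon), would make the refusal intelligible; LDAP also defines the confidentialityRequired result (13) for exactly this situation, which fits better than `LDAPResultProtocolError` if the package has a constant for it. The empty `case *tls.Conn:` arm is hard to read; `if _, isTLS := conn.(*tls.Conn); !isTLS && server.EnforceTLS && req.Tag != ApplicationExtendedRequest {` expresses the same condition in one line. The `handler` loop starts before and ends after this hunk.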
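Review bot: The added `if server.EnforceTLS` branch in the extended-request hunk does not check whether the connection is already TLS, so after a client completes StartTLS (the last hunk assigns `conn = tlsConn`), any later extended request that is not itself an upgrade — the comment states `tlsConn` is nil in that case — is answered with a protocol error and then, through the `else if server.EnforceTLS { break handler }` added in the last hunk, the connection is closed. If that reading of `tlsConn` is right, legitimate post-upgrade extended operations are broken whenever enforcement is on; the guard should be `if _, isTLS := conn.(*tls.Conn); server.EnforceTLS && !isTLS {`, with the same `!isTLS` condition on the `break handler` in the last hunk. The extended-request case begins before and ends after both hunks.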
