| author | Marin Ivanov <[email protected]> | 2019-02-13 05:42:29 +0200 |
|---|---|---|
| committer | Marin Ivanov <[email protected]> | 2019-02-13 05:42:29 +0200 |
| commit | 2433beed9d9365af0a54e376c6b5ce97963d7bc3 (patch) | |
| tree | 5237d1f68c2fd2ffa8b2eb5c5b34c91eecfdb9cf /server.go | |
| parent | 518f72942c1cf751010a532c6189cd0eb0a5323b (diff) | |
| parent | 36ac64bc2b67871d0de16f65a45c7458730e49be (diff) | |
Merge branch 'enforce-tls'
Diffstat (limited to 'server.go')
| -rw-r--r-- | server.go | 31 |
1 files changed, 28 insertions, 3 deletions
@@ -2,6 +2,7 @@ package ldap
 
 import (
 	"crypto/tls"
+	"errors"
 	"io"
 	"log"
 	"net"
@@ -60,7 +61,8 @@ type Server struct {
 	Stats *Stats
 
 	// If set, server will accept StartTLS.
-	TLSConfig *tls.Config
+	TLSConfig  *tls.Config
+	EnforceTLS bool
 
 	closing chan struct{}
 }
@@ -187,6 +189,10 @@ func (server *Server) ListenAndServe(listenString string) error {
 }
 
 func (server *Server) Serve(ln net.Listener) error {
+	if server.TLSConfig == nil && server.EnforceTLS {
+		return errors.New(errorEnforceTLSRequiresTLSConfig)
+	}
+
 	newConn := make(chan net.Conn)
 	go func() {
 		for {
@@ -262,6 +268,19 @@ handler:
 		}
 	}
 
+	// Enforce TLS
+	switch conn.(type) {
+	case *tls.Conn:
+	default:
+		if server.EnforceTLS && req.Tag != ApplicationExtendedRequest {
+			responsePacket := encodeLDAPResponse(messageID, ApplicationExtendedResponse, LDAPResultProtocolError, "Upgrade to TLS is required")
+			if err = sendPacket(conn, responsePacket); err != nil {
+				log.Printf("sendPacket error %s", err.Error())
+			}
+			break handler
+		}
+	}
+
 	//log.Printf("DEBUG: handling operation: %s [%d]", ApplicationMap[req.Tag], req.Tag)
 	//ber.PrintPacket(packet) // DEBUG
 
@@ -318,8 +337,12 @@ handler:
 		}
 		var ldapResultCode LDAPResultCode
 		if tlsConn == nil {
-			// Wasn't an upgrade. Pass through.
-			ldapResultCode = HandleExtendedRequest(req, boundDN, server.ExtendedFns, conn)
+			// Wasn't an upgrade.
+			if server.EnforceTLS {
+				ldapResultCode = LDAPResultProtocolError
+			} else {
+				ldapResultCode = HandleExtendedRequest(req, boundDN, server.ExtendedFns, conn)
+			}
 		} else {
 			ldapResultCode = LDAPResultSuccess
 		}
@@ -330,6 +353,8 @@ handler:
 		}
 		if tlsConn != nil {
 			conn = tlsConn
+		} else if server.EnforceTLS {
+			break handler
 		}
 	case ApplicationAbandonRequest:
 		HandleAbandonRequest(req, boundDN, server.AbandonFns, conn)
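Review bot: The new `EnforceTLS bool` field has no doc comment, and the existing `// If set, server will accept StartTLS.` now sits above both fields and reads as if it described EnforceTLS as well. Since this is the public knob that decides whether plaintext clients are served at all, document it explicitly, for example `// EnforceTLS, if set, refuses every operation on a connection that has not completed StartTLS; it requires TLSConfig to be set.` The exact exemption (only StartTLS, or any extended request) is decided by the handler further down in this file, so word the comment to match what that code actually permits. The Server struct definition begins and ends outside this hunk.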
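Review bot: In the `default` branch, a non-extended request on a plaintext connection (a Bind or Search, say) is answered with an `ApplicationExtendedResponse` carrying that request's messageID, which is not a valid response type for those operations; a client waiting for a BindResponse will see a decode error rather than learn that it must StartTLS first. Either build the reply with the response tag that matches `req.Tag`, or send an unsolicited Notice of Disconnection (messageID 0, responseName 1.3.6.1.4.1.1466.20036) and then close. RFC 4511 also defines result code 13, confidentialityRequired, for exactly this situation, so `LDAPResultProtocolError` is misleading if the library has a constant for code 13. The fail-closed `break handler` that drops the connection is the right call. The enclosing `handler` loop starts and ends outside the hunk.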
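Review bot: `if server.EnforceTLS { ldapResultCode = LDAPResultProtocolError }` tests only the flag, not the transport, so once a client has completed StartTLS every later extended operation that is not itself an upgrade (a WhoAmI, for instance) is still refused; with EnforceTLS on, `server.ExtendedFns` becomes unreachable. Gate on the connection type instead: `if _, secured := conn.(*tls.Conn); server.EnforceTLS && !secured {`. Also confirm what `tlsConn == nil` means in the code above the hunk — if it is also nil after a failed upgrade attempt, the "Wasn't an upgrade" comment and this branch both mis-describe that path. The enclosing case body begins outside the hunk.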
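Review bot: `} else if server.EnforceTLS { break handler }` tears down the connection after any non-upgrade extended response whenever the flag is set, including on a connection that is already a `*tls.Conn`, so a legitimate extended operation over TLS ends the session. Restrict the disconnect to the plaintext case: `} else if _, secured := conn.(*tls.Conn); server.EnforceTLS && !secured {`. The surrounding case body begins outside the hunk.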
