Detect TLS config changes

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 34ebb1d25cd4df9f5d2a1b2f604439814aeca354..8f8e92ac61c48a01e7c1ab538bdf6757002799ee 100644 (file)
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1039,6 +1039,9 @@ static slap_cf_aux_table bindkey[] = {
        { BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 0, NULL },
        { BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, NULL },
 #ifdef HAVE_TLS
+
+#define aux_TLS (bindkey+10)   /* beginning of TLS keywords */
+
        { BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL },
        { BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL },
        { BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
@@ -1055,7 +1058,7 @@ static slap_cf_aux_table bindkey[] = {
 int
 slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, LDAP_CONST char *tabmsg )
 {
-       int rc = 0;
+       int rc = SLAP_CONF_UNKNOWN;
        slap_cf_aux_table *tab;
 
        for (tab = tab0; !BER_BVISNULL(&tab->key); tab++ ) {
@@ -1072,11 +1075,13 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L
                        case 's':
                                cptr = (char **)((char *)dst + tab->off);
                                *cptr = ch_strdup( val );
+                               rc = 0;
                                break;
 
                        case 'b':
                                bptr = (struct berval *)((char *)dst + tab->off);
                                ber_str2bv( val, 0, 1, bptr );
+                               rc = 0;
                                break;
 
                        case 'd':
@@ -1216,6 +1221,13 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0
 int
 bindconf_parse( const char *word, slap_bindconf *bc )
 {
+#ifdef HAVE_TLS
+       /* Detect TLS config changes explicitly */
+       if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) {
+               bc->sb_tls_do_init = 1;
+               return 0;
+       }
+#endif
        return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" );
 }
 
@@ -1315,6 +1327,8 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
        int i, rc, newctx = 0, res = 0;
        char *ptr = (char *)bc, **word;
 
+       bc->sb_tls_do_init = 0;
+
        for (i=0; bindtlsopts[i].opt; i++) {
                word = (char **)(ptr + bindtlsopts[i].offset);
                if ( *word ) {
@@ -1354,6 +1368,11 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 #endif
        if ( newctx ) {
                int opt = 0;
+
+               if ( bc->sb_tls_ctx ) {
+                       SSL_CTX_free( bc->sb_tls_ctx );
+                       bc->sb_tls_ctx = NULL;
+               }
                rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
                if ( rc )
                        res = rc;

diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index c150e339da2d2bf6616c56b43a4471986ec9b390..c600c6d84999135d65c3c50a2528b8ebdb8bf9f3 100644 (file)
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1522,6 +1522,7 @@ typedef struct slap_bindconf {
 #ifdef HAVE_OPENSSL_CRL
        char *sb_tls_crlcheck;
 #endif
+       int sb_tls_do_init;
 #endif
 } slap_bindconf;
 

diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index 3afb4e8c1502e4c4f2a63f3031b0a1a65f0d2e7c..19c31ec6e5058ba6ec4f4464ee66449a1c7e8110 100644 (file)
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@@ -83,9 +83,6 @@ typedef struct syncinfo_s {
        int                                     si_syncdata;
        int                                     si_logstate;
        int                                     si_conn_setup;
-#ifdef HAVE_TLS
-       int                                     si_check_tls;
-#endif
        Avlnode                         *si_presentlist;
        LDAP                            *si_ld;
        LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
@@ -440,8 +437,7 @@ do_syncrep1(
                (const void *)&op->o_protocol );
 
 #ifdef HAVE_TLS
-       if ( si->si_check_tls ) {
-               si->si_check_tls = 0;
+       if ( si->si_bindconf.sb_tls_do_init ) {
                rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
        } else if ( si->si_bindconf.sb_tls_ctx ) {
                rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
@@ -3238,10 +3234,6 @@ add_syncrepl(
        si->si_slimit = 0;
        si->si_conn_setup = 0;
 
-#ifdef HAVE_TLS
-       si->si_check_tls = 1;
-#endif
-
        si->si_presentlist = NULL;
        LDAP_LIST_INIT( &si->si_nonpresentlist );
        ldap_pvt_thread_mutex_init( &si->si_mutex );