From: Howard Chu
Date: Tue, 8 Nov 2005 13:42:10 +0000 (+0000)
Subject: ITS#4082 tls ctx requirements are only applicable to servers, or clients
X-Git-Tag: OPENLDAP_REL_ENG_2_2_MP~63
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=146b2c5389d691dc11959279779fe4a24deee881;p=openldap

ITS#4082 tls ctx requirements are only applicable to servers, or clients
with tls_opt_require_cert = TRY or DEMAND. Ignore requirements for clients.
---
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 0ed0563b0d..54246b402f 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -235,7 +235,7 @@ LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld,
 LDAP_F (void) ldap_pvt_tls_destroy LDAP_P(( void ));
 LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
-LDAP_F (int) ldap_pvt_tls_init_def_ctx LDAP_P(( void ));
+LDAP_F (int) ldap_pvt_tls_init_def_ctx LDAP_P(( int is_server ));
 LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
 LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
 LDAP_F (void *) ldap_pvt_tls_sb_ctx LDAP_P(( Sockbuf *sb ));
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 8eb01290cd..442db48655 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -200,7 +200,7 @@ ldap_pvt_tls_init( void )
 * initialize the default context
 */
 int
-ldap_pvt_tls_init_def_ctx( void )
+ldap_pvt_tls_init_def_ctx( int is_server )
 {
 STACK_OF(X509_NAME) *calist;
 int rc = 0;
@@ -215,7 +215,7 @@ ldap_pvt_tls_init_def_ctx( void )
 ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
 #endif
- if ( !certfile && !keyfile && !cacertfile && !cacertdir ) {
+ if ( is_server && !certfile && !keyfile && !cacertfile && !cacertdir ) {
 /* minimum configuration not provided */
 #ifdef LDAP_R_COMPILE
 ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
@@ -441,7 +441,7 @@ get_ca_list( char * bundle, char * dir )
 }
 static SSL *
-alloc_handle( void *ctx_arg )
+alloc_handle( void *ctx_arg, int is_server )
 {
 SSL_CTX *ctx;
 SSL *ssl;
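Review bot: The prototype in ldap_pvt.h gains an `is_server` parameter with no description of what it selects, and since this header is what other OpenLDAP components compile against, callers are left to guess the polarity. A short comment above the declaration would settle it, e.g. `/* is_server: non-zero when the default ctx will accept connections; a server ctx with no cert, key or CA store configured is then refused, a client ctx is not */`. The function's own header comment in tls.c (hunk @@ -200) still says only "initialize the default context" and should mention the parameter as well.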
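Review bot: The new guard in the @@ -215 hunk tests only `is_server`, while the commit message says clients with tls_opt_require_cert = TRY or DEMAND are also subject to the ctx requirements; as written, a client that demands peer verification but has no cacertfile or cacertdir passes this check, and the missing trust anchors presumably only show up when a handshake's verification fails. If the message's intent is to be kept, the condition has to consult the require_cert setting too, for example `if ( ( is_server || tls_opt_require_cert == LDAP_OPT_X_TLS_DEMAND || tls_opt_require_cert == LDAP_OPT_X_TLS_TRY ) && !certfile && !keyfile && !cacertfile && !cacertdir ) {`, assuming tls_opt_require_cert is the file-scope setting in tls.c. Failing at handshake time is the safe direction, but an early configuration error is far easier to diagnose than a verification failure on every connect. In either case the comment `/* minimum configuration not provided */` should now say the check is server-only (or server-and-verifying-client). ldap_pvt_tls_init_def_ctx continues outside the hunk.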
@@ -449,7 +449,7 @@ alloc_handle( void *ctx_arg )
 if ( ctx_arg ) {
 ctx = (SSL_CTX *) ctx_arg;
 } else {
- if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL;
+ if ( ldap_pvt_tls_init_def_ctx( is_server ) < 0 ) return NULL;
 ctx = tls_def_ctx;
 }
@@ -769,7 +769,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 lo = &ld->ld_options;
 ctx = lo->ldo_tls_ctx;
- ssl = alloc_handle( ctx );
+ ssl = alloc_handle( ctx, 0 );
 if ( ssl == NULL ) return -1;
@@ -842,7 +842,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
 ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
 } else {
- ssl = alloc_handle( ctx_arg );
+ ssl = alloc_handle( ctx_arg, 1 );
 if ( ssl == NULL ) return -1;
 #ifdef LDAP_DEBUG
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index b32e60e4d2..f74bc4f231 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -668,7 +668,7 @@ unhandled_option:;
 /* Force new ctx to be created */
 ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL );
- rc = ldap_pvt_tls_init_def_ctx();
+ rc = ldap_pvt_tls_init_def_ctx( 1 );
 if( rc == 0 ) {
 ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
 /* Restore previous ctx */
diff --git a/servers/slurpd/main.c b/servers/slurpd/main.c
index ccd75e7ed0..33dcd9b842 100644
--- a/servers/slurpd/main.c
+++ b/servers/slurpd/main.c
@@ -155,7 +155,7 @@ int main( int argc, char **argv )
 }
 #ifdef HAVE_TLS
- if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
+ if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx( 0 ) ) {
 rc = 0;
 /* See if we actually need TLS */
 for ( i=0; i < sglob->num_replicas; i++ ) {
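Review bot: `is_server` is consulted only on the `else` path of the @@ -449 hunk, when no ctx was supplied and the default one has to be built; a caller that passes its own ctx_arg bypasses the minimum-configuration check entirely, so the check gives no protection for ldap_pvt_tls_accept callers that hand in a ctx of their own. That is a reasonable division of responsibility but not visible from the signature; a comment on alloc_handle such as `/* is_server is used only when ctx_arg is NULL and the default ctx must be created; a supplied ctx is trusted as-is */` would make it explicit. alloc_handle starts and continues outside the hunk.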
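Review bot: The call sites pass bare `0` and `1` for the new is_server argument (the @@ -769 and @@ -842 hunks in tls.c, the slapd hunk and the slurpd hunk), which reads as a boolean whose polarity the reader has to look up in the header. A named value or an inline comment at each call keeps the intent on the line: `ssl = alloc_handle( ctx, 0 /* client */ );` in ldap_int_tls_connect and `ssl = alloc_handle( ctx_arg, 1 /* server */ );` in ldap_pvt_tls_accept, and likewise `ldap_pvt_tls_init_def_ctx( 1 /* server */ )` in slapd. ldap_int_tls_connect continues outside the hunk.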
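Review bot: Passing 0 in the slurpd hunk means slurpd, as a pure client, now skips the minimum-configuration check altogether; if a replica is configured for certificate verification (the TRY or DEMAND cases the commit message mentions) with no CA store, that is no longer reported at startup and is presumably noticed only when the replica connection is attempted. The surrounding "See if we actually need TLS" logic suggests startup failure here was already tolerated, so the change looks intentional, but a one-line comment would record why 0 is the right value: `/* slurpd only initiates connections, so client-side ctx requirements apply */`. main() continues outside the hunk.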