From: Howard Chu Date: Fri, 7 Apr 2006 01:25:46 +0000 (+0000) Subject: Use new TLS SSL_CTX support X-Git-Tag: OPENLDAP_REL_ENG_2_4_0ALPHA~20 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=76bf5d4c769dc6b6903e80a441794853df779f0c;p=openldap Use new TLS SSL_CTX support --- diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index b390fc990f..bcbed43cb4 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c @@ -2796,8 +2796,9 @@ config_include(ConfigArgs *c) { static int config_tls_option(ConfigArgs *c) { int flag; + LDAP *ld = slap_tls_ld; switch(c->type) { - case CFG_TLS_RAND: flag = LDAP_OPT_X_TLS_RANDOM_FILE; break; + case CFG_TLS_RAND: flag = LDAP_OPT_X_TLS_RANDOM_FILE; ld = NULL; break; case CFG_TLS_CIPHER: flag = LDAP_OPT_X_TLS_CIPHER_SUITE; break; case CFG_TLS_CERT_FILE: flag = LDAP_OPT_X_TLS_CERTFILE; break; case CFG_TLS_CERT_KEY: flag = LDAP_OPT_X_TLS_KEYFILE; break; @@ -2810,12 +2811,12 @@ config_tls_option(ConfigArgs *c) { return 1; } if (c->op == SLAP_CONFIG_EMIT) { - return ldap_pvt_tls_get_option( NULL, flag, &c->value_string ); + return ldap_pvt_tls_get_option( ld, flag, &c->value_string ); } else if ( c->op == LDAP_MOD_DELETE ) { - return ldap_pvt_tls_set_option( NULL, flag, NULL ); + return ldap_pvt_tls_set_option( ld, flag, NULL ); } ch_free(c->value_string); - return(ldap_pvt_tls_set_option(NULL, flag, c->argv[1])); + return(ldap_pvt_tls_set_option(ld, flag, c->argv[1])); } /* FIXME: this ought to be provided by libldap */ @@ -2845,7 +2846,7 @@ config_tls_config(ConfigArgs *c) { return 1; } if (c->op == SLAP_CONFIG_EMIT) { - ldap_pvt_tls_get_option( NULL, flag, &c->value_int ); + ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int ); for (i=0; !BER_BVISNULL(&keys[i].word); i++) { if (keys[i].mask == c->value_int) { c->value_string = ch_strdup( keys[i].word.bv_val ); @@ -2855,7 +2856,7 @@ config_tls_config(ConfigArgs *c) { return 1; } else if ( c->op == LDAP_MOD_DELETE ) { int i = 0; - return ldap_pvt_tls_set_option( NULL, flag, &i ); + return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i ); } ch_free( c->value_string ); if ( isdigit( (unsigned char)c->argv[1][0] ) ) { @@ -2865,9 +2866,9 @@ config_tls_config(ConfigArgs *c) { c->log, c->argv[0], c->argv[1] ); return 1; } - return(ldap_pvt_tls_set_option(NULL, flag, &i)); + return(ldap_pvt_tls_set_option(slap_tls_ld, flag, &i)); } else { - return(ldap_int_tls_config(NULL, flag, c->argv[1])); + return(ldap_int_tls_config(slap_tls_ld, flag, c->argv[1])); } } #endif diff --git a/servers/slapd/main.c b/servers/slapd/main.c index 119e24a955..79a83434db 100644 --- a/servers/slapd/main.c +++ b/servers/slapd/main.c @@ -104,6 +104,7 @@ static int check = CHECK_NONE; static int version = 0; void *slap_tls_ctx; +LDAP *slap_tls_ld; #ifdef LOG_LOCAL4 #define DEFAULT_SYSLOG_USER LOG_LOCAL4 @@ -706,6 +707,14 @@ unhandled_option:; lutil_passwd_init(); slap_op_init(); +#ifdef HAVE_TLS + rc = ldap_create( &slap_tls_ld ); + if ( rc ) { + SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 ); + goto destroy; + } +#endif + rc = slap_init( serverMode, serverName ); if ( rc ) { SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 18 ); @@ -776,19 +785,13 @@ unhandled_option:; } { - void *def_ctx = NULL; - - /* Save existing default ctx, if any */ - ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &def_ctx ); + int opt = 1; /* Force new ctx to be created */ - ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL ); - - rc = ldap_pvt_tls_init_def_ctx( 1 ); + rc = ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_NEWCTX, &opt ); if( rc == 0 ) { - ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx ); - /* Restore previous ctx */ - ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx ); + /* The ctx's refcount is bumped up here */ + ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx ); load_extop( &slap_EXOP_START_TLS, 0, starttls_extop ); } else if ( rc != LDAP_NOT_SUPPORTED ) { Debug( LDAP_DEBUG_ANY, @@ -957,6 +960,11 @@ stop: lutil_passwd_destroy(); #ifdef HAVE_TLS + /* Setting it to itself decreases refcount, allowing it to be freed + * when the LD is freed. + */ + ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, slap_tls_ctx ); + ldap_ld_free( slap_tls_ld, 0, NULL, NULL ); ldap_pvt_tls_destroy(); #endif diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h index 30900a9f0d..47969a1d44 100644 --- a/servers/slapd/proto-slap.h +++ b/servers/slapd/proto-slap.h @@ -944,6 +944,7 @@ LDAP_SLAPD_V( const struct berval ) slap_true_bv; LDAP_SLAPD_V( const struct berval ) slap_false_bv; LDAP_SLAPD_V( struct slap_sync_cookie_s ) slap_sync_cookie; LDAP_SLAPD_V( void * ) slap_tls_ctx; +LDAP_SLAPD_V( LDAP * ) slap_tls_ld; /* * index.c