From: Howard Chu
Date: Sun, 9 Oct 2005 19:55:39 +0000 (+0000)
Subject: ITS#4072 ldap_pvt_tls_init_def_ctx() returns LDAP_NO_SUPPORT if not
X-Git-Tag: OPENLDAP_REL_ENG_2_2_MP~299
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f54bc2635738dd9ec568367e3d685d9c148055a7;p=openldap

ITS#4072 ldap_pvt_tls_init_def_ctx() returns LDAP_NO_SUPPORT if not
sufficiently configured. Update slapd/slurpd to act appropriately.
---
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 6b3d998bfd..093d3360ef 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -203,6 +203,12 @@ ldap_pvt_tls_init_def_ctx( void )
 char *certfile = tls_opt_certfile;
 char *keyfile = tls_opt_keyfile;
+#ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+#endif
+ if (( !cacertfile && !cacertdir ) || !certfile || !keyfile )
+ return LDAP_NOT_SUPPORTED;
+
 #ifdef HAVE_EBCDIC
 /* This ASCII/EBCDIC handling is a real pain! */
 if ( ciphersuite ) {
@@ -226,10 +232,6 @@ ldap_pvt_tls_init_def_ctx( void )
 __atoe( keyfile );
 }
 #endif
-
-#ifdef LDAP_R_COMPILE
- ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
-#endif
 if ( tls_def_ctx == NULL ) {
 int i;
 tls_def_ctx = SSL_CTX_new( SSLv23_method() );
diff --git a/servers/slapd/extended.c b/servers/slapd/extended.c
index 33a8a11807..bef3b96560 100644
--- a/servers/slapd/extended.c
+++ b/servers/slapd/extended.c
@@ -69,9 +69,6 @@ static struct {
 { &slap_EXOP_CANCEL, SLAP_EXOP_HIDE, cancel_extop },
 { &slap_EXOP_WHOAMI, 0, whoami_extop },
 { &slap_EXOP_MODIFY_PASSWD, SLAP_EXOP_WRITES, passwd_extop },
-#ifdef HAVE_TLS
- { &slap_EXOP_START_TLS, 0, starttls_extop },
-#endif
 { NULL, 0, NULL }
 };
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index 6a7ebec0ff..7de2855ba4 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
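Review bot: The new early `return LDAP_NOT_SUPPORTED;` in the first tls.c hunk sits after the `ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex )` that this commit moves up from the second hunk (line 226), so in an LDAP_R_COMPILE build a process with incomplete TLS configuration returns with the mutex still held, and the next caller of ldap_pvt_tls_init_def_ctx() (or anything else taking that lock) blocks forever. The check only reads `certfile`/`keyfile`, which are copied from the tls_opt_* globals above it, and presumably `cacertfile`/`cacertdir` are declared the same way just outside the hunk, so the simplest fix is to move the three `#ifdef LDAP_R_COMPILE` / `ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );` / `#endif` lines below the `return`; the alternative is an unlock immediately before returning. The second hunk only removes the old lock site, and the rest of ldap_pvt_tls_init_def_ctx() runs outside this hunk.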
@@ -669,7 +669,12 @@ unhandled_option:;
 ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL );
 rc = ldap_pvt_tls_init_def_ctx();
- if( rc != 0) {
+ if( rc == 0) {
+ ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
+ /* Restore previous ctx */
+ ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
+ load_extop( &slap_EXOP_START_TLS, 0, starttls_extop );
+ } else if ( rc != LDAP_NOT_SUPPORTED ) {
 Debug( LDAP_DEBUG_ANY,
 "main: TLS init def ctx failed: %d\n",
 rc, 0, 0 );
@@ -677,10 +682,6 @@ unhandled_option:;
 SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
 goto destroy;
 }
- /* Retrieve slapd's own ctx */
- ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
- /* Restore previous ctx */
- ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
 }
 #endif
diff --git a/servers/slurpd/main.c b/servers/slurpd/main.c
index 4984a6a50f..ccd75e7ed0 100644
--- a/servers/slurpd/main.c
+++ b/servers/slurpd/main.c
@@ -156,10 +156,20 @@ int main( int argc, char **argv )
 #ifdef HAVE_TLS
 if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
- fprintf( stderr, "TLS Initialization failed.\n" );
- SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
- rc = 1;
- goto stop;
+ rc = 0;
+ /* See if we actually need TLS */
+ for ( i=0; i < sglob->num_replicas; i++ ) {
+ if ( sglob->replicas[i]->ri_tls || ( sglob->replicas[i]->ri_uri &&
+ !strncmp( sglob->replicas[i]->ri_uri, "ldaps:", 6 ))) {
+ rc = 1;
+ break;
+ }
+ }
+ if ( rc ) {
+ fprintf( stderr, "TLS Initialization failed.\n" );
+ SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
+ goto stop;
+ }
 }
 #endif
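Review bot: When ldap_pvt_tls_init_def_ctx() returns LDAP_NOT_SUPPORTED the new `else if` in the slapd/main.c hunk falls through with nothing done: the library default ctx that the `ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL )` line above cleared is never put back to `def_ctx` (the restore now lives only in the `rc == 0` branch), and nothing is logged, so a server whose certificate or key paths are mis-specified silently starts without StartTLS. I would move `ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );` out of the `rc == 0` branch to run after the whole if/else chain, and add a final `else` carrying `Debug( LDAP_DEBUG_ANY, "main: TLS not configured, StartTLS disabled\n", 0, 0, 0 );` so the downgrade is visible in the log. Whether `def_ctx` can be non-NULL here depends on the save that happens above the hunk; the block starts outside it, and the second hunk (line 677) only drops the old unconditional restore.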
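Review bot: In the slurpd hunk the scheme test `!strncmp( sglob->replicas[i]->ri_uri, "ldaps:", 6 )` is case-sensitive, while URL schemes are case-insensitive and libldap's URL parser matches them that way as far as I recall; a replica configured with `LDAPS://` would slip past this check and the TLS failure would only surface later at connect time with no pointer back to the TLS setup, so `strncasecmp` is the safer comparison. The `if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() )` condition also discards the return code this commit introduces in libldap: a genuine initialization error (anything other than LDAP_NOT_SUPPORTED) is now tolerated whenever no replica is marked for TLS, so it is worth at least a warning on stderr in that case rather than continuing silently. `i`, `rc` and `sglob` are declared outside the hunk; I am assuming `i` is an int loop index already in scope and that `rc` is 0 at this point anyway, since the new code overwrites it with `rc = 0;`.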