From 76bf5d4c769dc6b6903e80a441794853df779f0c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 7 Apr 2006 01:25:46 +0000
Subject: [PATCH] Use new TLS SSL_CTX support

---
 servers/slapd/bconfig.c    | 17 +++++++++--------
 servers/slapd/main.c       | 28 ++++++++++++++++++----------
 servers/slapd/proto-slap.h |  1 +
 3 files changed, 28 insertions(+), 18 deletions(-)

diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index b390fc990f..bcbed43cb4 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -2796,8 +2796,9 @@ config_include(ConfigArgs *c) {
 static int
 config_tls_option(ConfigArgs *c) {
 	int flag;
+	LDAP *ld = slap_tls_ld;
 	switch(c->type) {
-	case CFG_TLS_RAND:	flag = LDAP_OPT_X_TLS_RANDOM_FILE;	break;
+	case CFG_TLS_RAND:	flag = LDAP_OPT_X_TLS_RANDOM_FILE;	ld = NULL; break;
 	case CFG_TLS_CIPHER:	flag = LDAP_OPT_X_TLS_CIPHER_SUITE;	break;
 	case CFG_TLS_CERT_FILE:	flag = LDAP_OPT_X_TLS_CERTFILE;		break;	
 	case CFG_TLS_CERT_KEY:	flag = LDAP_OPT_X_TLS_KEYFILE;		break;
@@ -2810,12 +2811,12 @@ config_tls_option(ConfigArgs *c) {
 		return 1;
 	}
 	if (c->op == SLAP_CONFIG_EMIT) {
-		return ldap_pvt_tls_get_option( NULL, flag, &c->value_string );
+		return ldap_pvt_tls_get_option( ld, flag, &c->value_string );
 	} else if ( c->op == LDAP_MOD_DELETE ) {
-		return ldap_pvt_tls_set_option( NULL, flag, NULL );
+		return ldap_pvt_tls_set_option( ld, flag, NULL );
 	}
 	ch_free(c->value_string);
-	return(ldap_pvt_tls_set_option(NULL, flag, c->argv[1]));
+	return(ldap_pvt_tls_set_option(ld, flag, c->argv[1]));
 }
 
 /* FIXME: this ought to be provided by libldap */
@@ -2845,7 +2846,7 @@ config_tls_config(ConfigArgs *c) {
 		return 1;
 	}
 	if (c->op == SLAP_CONFIG_EMIT) {
-		ldap_pvt_tls_get_option( NULL, flag, &c->value_int );
+		ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int );
 		for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
 			if (keys[i].mask == c->value_int) {
 				c->value_string = ch_strdup( keys[i].word.bv_val );
@@ -2855,7 +2856,7 @@ config_tls_config(ConfigArgs *c) {
 		return 1;
 	} else if ( c->op == LDAP_MOD_DELETE ) {
 		int i = 0;
-		return ldap_pvt_tls_set_option( NULL, flag, &i );
+		return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i );
 	}
 	ch_free( c->value_string );
 	if ( isdigit( (unsigned char)c->argv[1][0] ) ) {
@@ -2865,9 +2866,9 @@ config_tls_config(ConfigArgs *c) {
 				c->log, c->argv[0], c->argv[1] );
 			return 1;
 		}
-		return(ldap_pvt_tls_set_option(NULL, flag, &i));
+		return(ldap_pvt_tls_set_option(slap_tls_ld, flag, &i));
 	} else {
-		return(ldap_int_tls_config(NULL, flag, c->argv[1]));
+		return(ldap_int_tls_config(slap_tls_ld, flag, c->argv[1]));
 	}
 }
 #endif
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index 119e24a955..79a83434db 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -104,6 +104,7 @@ static int check = CHECK_NONE;
 static int version = 0;
 
 void *slap_tls_ctx;
+LDAP *slap_tls_ld;
 
 #ifdef LOG_LOCAL4
 #define DEFAULT_SYSLOG_USER	LOG_LOCAL4
@@ -706,6 +707,14 @@ unhandled_option:;
 	lutil_passwd_init();
 	slap_op_init();
 
+#ifdef HAVE_TLS
+	rc = ldap_create( &slap_tls_ld );
+	if ( rc ) {
+		SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
+		goto destroy;
+	}
+#endif
+
 	rc = slap_init( serverMode, serverName );
 	if ( rc ) {
 		SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 18 );
@@ -776,19 +785,13 @@ unhandled_option:;
 	}
 
 	{
-		void *def_ctx = NULL;
-
-		/* Save existing default ctx, if any */
-		ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &def_ctx );
+		int opt = 1;
 
 		/* Force new ctx to be created */
-		ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL );
-
-		rc = ldap_pvt_tls_init_def_ctx( 1 );
+		rc = ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
 		if( rc == 0 ) {
-			ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
-			/* Restore previous ctx */
-			ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
+			/* The ctx's refcount is bumped up here */
+			ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
 			load_extop( &slap_EXOP_START_TLS, 0, starttls_extop );
 		} else if ( rc != LDAP_NOT_SUPPORTED ) {
 			Debug( LDAP_DEBUG_ANY,
@@ -957,6 +960,11 @@ stop:
 	lutil_passwd_destroy();
 
 #ifdef HAVE_TLS
+	/* Setting it to itself decreases refcount, allowing it to be freed
+	 * when the LD is freed.
+	 */
+	ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, slap_tls_ctx );
+	ldap_ld_free( slap_tls_ld, 0, NULL, NULL );
 	ldap_pvt_tls_destroy();
 #endif
 
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 30900a9f0d..47969a1d44 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -944,6 +944,7 @@ LDAP_SLAPD_V( const struct berval ) slap_true_bv;
 LDAP_SLAPD_V( const struct berval ) slap_false_bv;
 LDAP_SLAPD_V( struct slap_sync_cookie_s ) slap_sync_cookie;
 LDAP_SLAPD_V( void * ) slap_tls_ctx;
+LDAP_SLAPD_V( LDAP * ) slap_tls_ld;
 
 /*
  * index.c
-- 
2.39.5