From 966c47e5b4327ea847eaaad0a434525f9c32be6a Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Wed, 3 May 2006 02:48:23 +0000
Subject: [PATCH] Detect TLS config changes

---
 servers/slapd/config.c   | 21 ++++++++++++++++++++-
 servers/slapd/slap.h     |  1 +
 servers/slapd/syncrepl.c | 10 +---------
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 34ebb1d25c..8f8e92ac61 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -1039,6 +1039,9 @@ static slap_cf_aux_table bindkey[] = {
 	{ BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 0, NULL },
 	{ BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, NULL },
 #ifdef HAVE_TLS
+
+#define aux_TLS (bindkey+10)	/* beginning of TLS keywords */
+
 	{ BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL },
 	{ BER_BVC("tls_key="), offsetof(slap_bindconf, sb_tls_key), 's', 1, NULL },
 	{ BER_BVC("tls_cacert="), offsetof(slap_bindconf, sb_tls_cacert), 's', 1, NULL },
@@ -1055,7 +1058,7 @@ static slap_cf_aux_table bindkey[] = {
 int
 slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, LDAP_CONST char *tabmsg )
 {
-	int rc = 0;
+	int rc = SLAP_CONF_UNKNOWN;
 	slap_cf_aux_table *tab;
 
 	for (tab = tab0; !BER_BVISNULL(&tab->key); tab++ ) {
@@ -1072,11 +1075,13 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L
 		case 's':
 			cptr = (char **)((char *)dst + tab->off);
 			*cptr = ch_strdup( val );
+			rc = 0;
 			break;
 
 		case 'b':
 			bptr = (struct berval *)((char *)dst + tab->off);
 			ber_str2bv( val, 0, 1, bptr );
+			rc = 0;
 			break;
 
 		case 'd':
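Review bot: `#define aux_TLS (bindkey+10)` hard-codes the position of the first TLS row in bindkey[], so any entry inserted or removed above it silently shifts the pointer onto the wrong row; bindconf_parse would then treat a non-TLS keyword such as authzID= as a TLS change, or miss a real one, and a changed certificate or CA setting would no longer trigger a context rebuild. The coupling should at least be stated next to the table, e.g. `/* aux_TLS must point at the tls_cert= row: keep in sync when editing rows above */`, and a one-line check where the macro is consumed, `assert( strcmp( aux_TLS->key.bv_val, "tls_cert=" ) == 0 );`, would catch a drift during testing. The rest of the bindkey table is outside the hunk.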
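Review bot: With `rc` now initialised to SLAP_CONF_UNKNOWN, only the 's' and 'b' arms shown in the third hunk reset it to 0; the `case 'd':` arm and whatever follows it in slap_cf_aux_table_parse are outside the hunks, and if they do not also assign `rc = 0;` a matched keyword of those types is now reported as unknown to every caller of this function, not only to the new TLS probe. Setting `rc = 0;` once on the matched path after the switch, rather than per arm, would make the return value independent of which arms remember to do it. The function body continues past the end of the third hunk, so this is inferred from the visible arms.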
@@ -1216,6 +1221,13 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0
 int
 bindconf_parse( const char *word, slap_bindconf *bc )
 {
+#ifdef HAVE_TLS
+	/* Detect TLS config changes explicitly */
+	if ( slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) {
+		bc->sb_tls_do_init = 1;
+		return 0;
+	}
+#endif
 	return slap_cf_aux_table_parse( word, bc, bindkey, "bind config" );
 }
 
@@ -1315,6 +1327,8 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 	int i, rc, newctx = 0, res = 0;
 	char *ptr = (char *)bc, **word;
 
+	bc->sb_tls_do_init = 0;
+
 	for (i=0; bindtlsopts[i].opt; i++) {
 		word = (char **)(ptr + bindtlsopts[i].offset);
 		if ( *word ) {
@@ -1354,6 +1368,11 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 #endif
 	if ( newctx ) {
 		int opt = 0;
+
+		if ( bc->sb_tls_ctx ) {
+			SSL_CTX_free( bc->sb_tls_ctx );
+			bc->sb_tls_ctx = NULL;
+		}
 		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
 		if ( rc ) res = rc;
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index c150e339da..c600c6d849 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1522,6 +1522,7 @@ typedef struct slap_bindconf {
 #ifdef HAVE_OPENSSL_CRL
 	char *sb_tls_crlcheck;
 #endif
+	int sb_tls_do_init;
 #endif
 } slap_bindconf;
 
diff --git a/servers/slapd/syncrepl.c b/servers/slapd/syncrepl.c
index 3afb4e8c15..19c31ec6e5 100644
--- a/servers/slapd/syncrepl.c
+++ b/servers/slapd/syncrepl.c
@@ -83,9 +83,6 @@ typedef struct syncinfo_s {
 	int si_syncdata;
 	int si_logstate;
 	int si_conn_setup;
-#ifdef HAVE_TLS
-	int si_check_tls;
-#endif
 	Avlnode *si_presentlist;
 	LDAP *si_ld;
 	LDAP_LIST_HEAD(np, nonpresent_entry) si_nonpresentlist;
@@ -440,8 +437,7 @@ do_syncrep1(
 		(const void *)&op->o_protocol );
 
 #ifdef HAVE_TLS
-	if ( si->si_check_tls ) {
-		si->si_check_tls = 0;
+	if ( si->si_bindconf.sb_tls_do_init ) {
 		rc = bindconf_tls_set( &si->si_bindconf, si->si_ld );
 	} else if ( si->si_bindconf.sb_tls_ctx ) {
 		rc = ldap_set_option( si->si_ld, LDAP_OPT_X_TLS_CTX,
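Review bot: The aux_TLS probe in bindconf_parse passes "tls config" as tabmsg, so if slap_cf_aux_table_parse reports an unmatched keyword using that message (the tabmsg parameter suggests it does), every non-TLS keyword such as authcID= now produces a spurious "tls config" diagnostic before the full bindkey parse accepts it. Gating the probe on the keyword prefix keeps the log clean and skips the extra table walk, e.g. `if ( strncmp( word, "tls_", 4 ) == 0 && slap_cf_aux_table_parse( word, bc, aux_TLS, "tls config" ) == 0 ) {`. The added comment would also help a reader more if it named the consumer, e.g. `/* A TLS keyword was (re)set: ask bindconf_tls_set() to rebuild the context */`.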
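Review bot: `bc->sb_tls_do_init = 0;` is cleared at the top of bindconf_tls_set before any TLS option has been applied, so when a later ldap_set_option fails (res non-zero) the request to rebuild is lost; combined with the later hunk that frees and NULLs sb_tls_ctx, do_syncrep1's next attempt takes neither TLS branch and the connection proceeds with the library's default TLS settings instead of the configured cert and CA. This mirrors the old si_check_tls handling, but now that the old context is destroyed on rebuild it is worth clearing the flag only on success, e.g. `if ( res == 0 ) bc->sb_tls_do_init = 0;` on the return path. The function continues beyond both hunks, so the exact return path is inferred.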
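Review bot: `SSL_CTX_free( bc->sb_tls_ctx )` destroys the context that an earlier do_syncrep1 run handed to its LDAP handle via LDAP_OPT_X_TLS_CTX; unless libldap takes its own reference when that option is set, a connection still using the previous si_ld is left with a dangling SSL_CTX pointer. Calling the OpenSSL API directly here also ties slapd's generic config code to one TLS implementation, whereas the context is otherwise only ever obtained and installed through libldap options; if the TLS layer exposes a release function for contexts it should be used instead. At minimum the ownership assumption deserves a comment on the free, e.g. `/* bc owns this ctx; any ld configured with it must already be unbound */`.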
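Review bot: `int sb_tls_do_init;` is added to slap_bindconf without a comment, and its protocol (set by bindconf_parse when a TLS keyword is parsed, consumed and cleared by bindconf_tls_set) is spread across two other files. Suggest `int sb_tls_do_init;	/* TLS keyword changed: rebuild sb_tls_ctx on next connect */` so the flag's meaning is visible where it is declared.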
@@ -3238,10 +3234,6 @@ add_syncrepl(
 	si->si_slimit = 0;
 	si->si_conn_setup = 0;
 
-#ifdef HAVE_TLS
-	si->si_check_tls = 1;
-#endif
-
 	si->si_presentlist = NULL;
 	LDAP_LIST_INIT( &si->si_nonpresentlist );
 	ldap_pvt_thread_mutex_init( &si->si_mutex );
-- 
2.39.5