From e536c3adbe0121241e314ddfde0140d9c6d6b1e9 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Fri, 20 Jan 2006 21:44:30 +0000 Subject: [PATCH] From HEAD: + Fixed libldap disable DH key exchange with DH params (ITS#4354) + Fixed libldap_r pool destroy hang (ITS#4349) + Fixed slapd(8) solaris select(2) issue (ITS#4357) --- CHANGES | 6 +++++- doc/man/man5/slapd.conf.5 | 6 +++++- libraries/libldap/tls.c | 4 +++- libraries/libldap_r/tpool.c | 6 ++++-- servers/slapd/daemon.c | 24 ++++++++++-------------- 5 files changed, 27 insertions(+), 19 deletions(-) diff --git a/CHANGES b/CHANGES index f2cd5f97a2..a3ab2c296f 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,11 @@ OpenLDAP 2.3 Change Log OpenLDAP 2.3.19 Engineering - Fixed slaptools when --disable-debug (ITS#4351) + Fixed libldap disable DH key exchange with DH params (ITS#4354) + Fixed libldap_r pool destroy hang (ITS#4349) + Build environment + Fixed slaptools when --disable-debug (ITS#4351) + Fixed slapd(8) solaris select(2) issue (ITS#4357) OpenLDAP 2.3.18 Release Fixed slapd syncrepl variable used before set bug (ITS#4331) diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index 323f338e09..b9c104307b 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -945,7 +945,11 @@ it is of critical importance that it is protected carefully. This directive specifies the file that contains parameters for Diffie-Hellman ephemeral key exchange. This is required in order to use a DSA certificate on the server. If multiple sets of parameters are present in the file, all of -them will be processed. +them will be processed. Note that setting this option may also enable +Anonymous Diffie-Hellman key exchanges in certain non-default cipher suites. +You should append "!ADH" to your cipher suites if you have changed them +from the default, otherwise no certificate exchanges or verification will +be done. .TP .B TLSRandFile Specifies the file to obtain random bits from when /dev/[u]random 
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 6739599db6..7bf45805c8 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -382,7 +382,9 @@ ldap_pvt_tls_init_def_ctx( int is_server ) tls_opt_require_cert == LDAP_OPT_X_TLS_ALLOW ? tls_verify_ok : tls_verify_cb ); SSL_CTX_set_tmp_rsa_callback( tls_def_ctx, tls_tmp_rsa_cb ); - SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); + if ( tls_opt_dhfile ) { + SSL_CTX_set_tmp_dh_callback( tls_def_ctx, tls_tmp_dh_cb ); + } #ifdef HAVE_OPENSSL_CRL if ( tls_opt_crlcheck ) { X509_STORE *x509_s = SSL_CTX_get_cert_store( tls_def_ctx ); diff --git a/libraries/libldap_r/tpool.c b/libraries/libldap_r/tpool.c index 355543cd3e..1937589b75 100644 --- a/libraries/libldap_r/tpool.c +++ b/libraries/libldap_r/tpool.c @@ -378,8 +378,10 @@ ldap_pvt_thread_pool_destroy ( ldap_pvt_thread_pool_t *tpool, int run_pending ) ? LDAP_INT_THREAD_POOL_FINISHING : LDAP_INT_THREAD_POOL_STOPPING; - ldap_pvt_thread_cond_broadcast(&pool->ltp_cond); - ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex); + if ( pool->ltp_open_count ) { + ldap_pvt_thread_cond_broadcast(&pool->ltp_cond); + ldap_pvt_thread_cond_wait(&pool->ltp_cond, &pool->ltp_mutex); + } while ((ctx = LDAP_STAILQ_FIRST(&pool->ltp_pending_list)) != NULL) { diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c index 84d6352429..8a6d1fa905 100644 --- a/servers/slapd/daemon.c +++ b/servers/slapd/daemon.c 
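Review bot: The new `if ( tls_opt_dhfile )` guard in ldap_pvt_tls_init_def_ctx has no comment saying why the DH callback became conditional, and the reason is security-relevant. Per the slapd.conf.5 text changed in this same commit, a configured DH parameter file can still allow Anonymous Diffie-Hellman suites when the cipher list has been changed from the default, and nothing in this hunk rejects or warns about that combination. I would add above the guard `/* ITS#4354: install the DH callback only when a DH parameter file is configured; a non-default cipher list must still exclude ADH ("!ADH") */`, and consider a Debug warning at the same spot. The function begins and ends outside the hunk, so whether the cipher list is checked elsewhere cannot be seen from here.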
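Review bot: In ldap_pvt_thread_pool_destroy the wait on `ltp_cond` is guarded by a one-shot `if`, so a single return from `ldap_pvt_thread_cond_wait` lets destroy continue while `ltp_open_count` may still be non-zero. That return could be a spurious wakeup or a signal from the first of several exiting workers. Re-testing the predicate closes the gap: `while ( pool->ltp_open_count ) {` in place of `if ( pool->ltp_open_count ) {`. This assumes workers update ltp_open_count under ltp_mutex and signal ltp_cond as they exit, which is not visible here. The function body continues past the hunk, where the pending list is drained, so proceeding early risks touching pool state that live threads still use.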
@@ -1857,21 +1857,17 @@ slapd_daemon_task( case -1: { /* failure - try again */ int err = sock_errno(); - if( err == EBADF -#ifdef WSAENOTSOCK - /* you'd think this would be EBADF */ - || err == WSAENOTSOCK -#endif - ) { - if (++ebadf < SLAPD_EBADF_LIMIT) - continue; - } - if( err != EINTR ) { - Debug( LDAP_DEBUG_ANY, - "daemon: select failed (%d): %s\n", - err, sock_errstr(err), 0 ); - slapd_shutdown = 2; + ebadf++; + + /* Don't log unless we got it twice in a row */ + if ( !( ebadf & 1 )) { + Debug( LDAP_DEBUG_ANY, + "daemon: select failed count %d err (%d): %s\n", + ebadf, err, sock_errstr(err) ); + } + if ( ebadf >= SLAPD_EBADF_LIMIT ) + slapd_shutdown = 2; } } continue; -- 2.39.5
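Review bot: The test `!( ebadf & 1 )` checks parity, not consecutiveness, so the comment "twice in a row" holds only if `ebadf` is reset to zero after every successful select(), and that reset is not visible in this hunk. If the counter is not reset, sporadic failures accumulate over the daemon's lifetime until `SLAPD_EBADF_LIMIT` forces a shutdown. The shutdown branch also logs nothing itself, so with an odd limit the failure that sets `slapd_shutdown = 2` would leave no record for an operator. I would reword the comment to `/* ebadf counts non-EINTR select() failures of any kind; log every second one */` and make the final branch `if ( ebadf >= SLAPD_EBADF_LIMIT ) { Debug( ... ); slapd_shutdown = 2; }`, with braces. The counter and limit names still say EBADF although every non-EINTR error now counts, which is worth a rename or a note where they are declared.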