Commit 76bf5d4c authored by Howard Chu's avatar Howard Chu
Browse files

Use new TLS SSL_CTX support

parent 9693c800
......@@ -2796,8 +2796,9 @@ config_include(ConfigArgs *c) {
static int
config_tls_option(ConfigArgs *c) {
int flag;
LDAP *ld = slap_tls_ld;
switch(c->type) {
case CFG_TLS_RAND: flag = LDAP_OPT_X_TLS_RANDOM_FILE; break;
case CFG_TLS_RAND: flag = LDAP_OPT_X_TLS_RANDOM_FILE; ld = NULL; break;
case CFG_TLS_CIPHER: flag = LDAP_OPT_X_TLS_CIPHER_SUITE; break;
case CFG_TLS_CERT_FILE: flag = LDAP_OPT_X_TLS_CERTFILE; break;
case CFG_TLS_CERT_KEY: flag = LDAP_OPT_X_TLS_KEYFILE; break;
......@@ -2810,12 +2811,12 @@ config_tls_option(ConfigArgs *c) {
return 1;
}
if (c->op == SLAP_CONFIG_EMIT) {
return ldap_pvt_tls_get_option( NULL, flag, &c->value_string );
return ldap_pvt_tls_get_option( ld, flag, &c->value_string );
} else if ( c->op == LDAP_MOD_DELETE ) {
return ldap_pvt_tls_set_option( NULL, flag, NULL );
return ldap_pvt_tls_set_option( ld, flag, NULL );
}
ch_free(c->value_string);
return(ldap_pvt_tls_set_option(NULL, flag, c->argv[1]));
return(ldap_pvt_tls_set_option(ld, flag, c->argv[1]));
}
/* FIXME: this ought to be provided by libldap */
......@@ -2845,7 +2846,7 @@ config_tls_config(ConfigArgs *c) {
return 1;
}
if (c->op == SLAP_CONFIG_EMIT) {
ldap_pvt_tls_get_option( NULL, flag, &c->value_int );
ldap_pvt_tls_get_option( slap_tls_ld, flag, &c->value_int );
for (i=0; !BER_BVISNULL(&keys[i].word); i++) {
if (keys[i].mask == c->value_int) {
c->value_string = ch_strdup( keys[i].word.bv_val );
......@@ -2855,7 +2856,7 @@ config_tls_config(ConfigArgs *c) {
return 1;
} else if ( c->op == LDAP_MOD_DELETE ) {
int i = 0;
return ldap_pvt_tls_set_option( NULL, flag, &i );
return ldap_pvt_tls_set_option( slap_tls_ld, flag, &i );
}
ch_free( c->value_string );
if ( isdigit( (unsigned char)c->argv[1][0] ) ) {
......@@ -2865,9 +2866,9 @@ config_tls_config(ConfigArgs *c) {
c->log, c->argv[0], c->argv[1] );
return 1;
}
return(ldap_pvt_tls_set_option(NULL, flag, &i));
return(ldap_pvt_tls_set_option(slap_tls_ld, flag, &i));
} else {
return(ldap_int_tls_config(NULL, flag, c->argv[1]));
return(ldap_int_tls_config(slap_tls_ld, flag, c->argv[1]));
}
}
#endif
......
......@@ -104,6 +104,7 @@ static int check = CHECK_NONE;
static int version = 0;
void *slap_tls_ctx;
LDAP *slap_tls_ld;
#ifdef LOG_LOCAL4
#define DEFAULT_SYSLOG_USER LOG_LOCAL4
......@@ -706,6 +707,14 @@ unhandled_option:;
lutil_passwd_init();
slap_op_init();
#ifdef HAVE_TLS
rc = ldap_create( &slap_tls_ld );
if ( rc ) {
SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
goto destroy;
}
#endif
rc = slap_init( serverMode, serverName );
if ( rc ) {
SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 18 );
......@@ -776,19 +785,13 @@ unhandled_option:;
}
{
void *def_ctx = NULL;
/* Save existing default ctx, if any */
ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &def_ctx );
int opt = 1;
/* Force new ctx to be created */
ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL );
rc = ldap_pvt_tls_init_def_ctx( 1 );
rc = ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
if( rc == 0 ) {
ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
/* Restore previous ctx */
ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
/* The ctx's refcount is bumped up here */
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
load_extop( &slap_EXOP_START_TLS, 0, starttls_extop );
} else if ( rc != LDAP_NOT_SUPPORTED ) {
Debug( LDAP_DEBUG_ANY,
......@@ -957,6 +960,11 @@ stop:
lutil_passwd_destroy();
#ifdef HAVE_TLS
/* Setting it to itself decreases refcount, allowing it to be freed
* when the LD is freed.
*/
ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, slap_tls_ctx );
ldap_ld_free( slap_tls_ld, 0, NULL, NULL );
ldap_pvt_tls_destroy();
#endif
......
......@@ -944,6 +944,7 @@ LDAP_SLAPD_V( const struct berval ) slap_true_bv;
LDAP_SLAPD_V( const struct berval ) slap_false_bv;
LDAP_SLAPD_V( struct slap_sync_cookie_s ) slap_sync_cookie;
LDAP_SLAPD_V( void * ) slap_tls_ctx;
LDAP_SLAPD_V( LDAP * ) slap_tls_ld;
/*
* index.c
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment