Updating TLS options in client
Hi.
I have a daemon which is an LDAP client, using OpenLDAP (V2.0.23).
My daemon looks like:
while(still_alive){
    wait_activity();
    do_some_stuff();
    if (need_ldap_request){
        load_ldapconf(ldapconf);
        make_ldap_requests(ldapconf);
        free_ldapconf(ldapconf);
    }
    do_other_stuff();
}
The LDAP conf may require an SSL connection to the server, and the LDAP conf may
be modified while the daemon is running.
In most cases, all works well, but some TLS_OPT options won't be
updated if tls_def_ctx is not NULL (in libraries/libldap/tls.c), and
those options can only be set for the default context.
So if I set up some TLS options and then make an LDAP request, the only way
to change the TLS options again is to kill my daemon and start it
again... and I just can't do that!!!
So I made a small patch to OpenLDAP 2.0.23 (should also commit in
REL_2_1 and HEAD, but not tested).
This patch resets tls_def_ctx each time a tls_set_option modifies a
value used by tls_def_ctx, which forces reinitialisation of tls_def_ctx
for next connection.
I also have to modify ldap_set_option to allow all LDAP_OPT_X_TLS
options to make a call to tls_set_option, even if invalue is NULL.
Note that this check is quite bad (I just check if the option is greater
than LDAP_OPT_X_TLS), but I didn't find a better way to do it.
My patch also adds a mutex_lock at the beginning of
ldap_pvt_tls_destroy, and something that looks to me like a memory leak
in tls_set_option, when giving a new tls_def_ctx.
My daemon actually works with a patched version of the OpenLDAP 2.0.23
libraries, but I would like to have a confirmation from the devel team.
Regards,
VANHULLEBUS Yvan.
*** libraries/libldap/options.c.orig Fri Jun 7 16:13:14 2002
--- libraries/libldap/options.c Fri Jun 7 16:13:18 2002
***************
*** 425,433 ****
lo->ldo_rebindproc = (LDAP_REBIND_PROC *)invalue;
} return LDAP_OPT_SUCCESS;
}
! if(invalue == NULL) {
/* no place to set from */
return LDAP_OPT_ERROR;
}
--- 425,433 ----
lo->ldo_rebindproc = (LDAP_REBIND_PROC *)invalue;
} return LDAP_OPT_SUCCESS;
}
! if(invalue == NULL && option < LDAP_OPT_X_TLS) {
/* no place to set from */
return LDAP_OPT_ERROR;
}
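Review bot: the relaxed guard `if(invalue == NULL && option < LDAP_OPT_X_TLS)` lets a NULL invalue through for every option whose numeric value is at or above LDAP_OPT_X_TLS, not only the TLS ones, so any later-defined non-TLS option would silently skip the NULL check and be handed a NULL value (the cover mail itself calls this check "quite bad"). Suggest testing the TLS options explicitly, for example a switch over the LDAP_OPT_X_TLS_* values that legitimately accept NULL, or bounding the range on both sides, so the default path keeps rejecting NULL.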
*** libraries/libldap/tls.c.orig Fri Jun 7 16:12:57 2002
--- libraries/libldap/tls.c Fri Jun 7 16:13:06 2002
***************
*** 103,112 ****
--- 103,118 ----
*/
void
ldap_pvt_tls_destroy( void )
{
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
SSL_CTX_free(tls_def_ctx);
tls_def_ctx = NULL;
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
EVP_cleanup();
ERR_free_strings();
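Review bot: the second added block in ldap_pvt_tls_destroy calls `ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );` a second time where the unlock belongs; with LDAP_R_COMPILE defined the function takes the mutex, frees tls_def_ctx, then tries to take the same mutex again and will deadlock (or return an error, depending on the mutex type). Replace that second call with `ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );`, matching the lock/unlock pairs in the tls_set_option hunks below.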
***************
*** 1039,1049 ****
return -1;
case LDAP_OPT_X_TLS_CTX:
if ( ld == NULL ) {
tls_def_ctx = (SSL_CTX *) arg;
!
} else {
ld->ld_defconn->lconn_tls_ctx = arg;
}
return 0;
}
--- 1045,1063 ----
return -1;
case LDAP_OPT_X_TLS_CTX:
if ( ld == NULL ) {
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
+ if (tls_def_ctx) SSL_CTX_free(tls_def_ctx);
tls_def_ctx = (SSL_CTX *) arg;
! #ifdef LDAP_R_COMPILE
! ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
! #endif
} else {
+ if(ld->ld_defconn->lconn_tls_ctx)
+ SSL_CTX_free(ld->ld_defconn->lconn_tls_ctx);
ld->ld_defconn->lconn_tls_ctx = arg;
}
return 0;
}
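Review bot: `if (tls_def_ctx) SSL_CTX_free(tls_def_ctx);` followed by `tls_def_ctx = (SSL_CTX *) arg;` frees the previous context without checking whether arg is that same context, so setting LDAP_OPT_X_TLS_CTX twice with the same SSL_CTX * leaves a freed pointer in tls_def_ctx that every later TLS connection will use; the lconn_tls_ctx branch has the same problem. Guard with `if (tls_def_ctx && tls_def_ctx != arg)` (and likewise for lconn_tls_ctx), and since the library now frees a context it did not allocate, document that LDAP_OPT_X_TLS_CTX transfers ownership of the SSL_CTX to libldap (or take a reference rather than freeing), otherwise an application that keeps using the context it handed over gets a use-after-free.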
***************
*** 1082,1089 ****
--- 1096,1112 ----
break;
default:
return -1;
}
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+ #endif
+ SSL_CTX_free(tls_def_ctx);
+ tls_def_ctx = NULL;
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
+ #endif
+
return 0;
}
int
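Review bot: the block added at the end of tls_set_option frees and clears tls_def_ctx for every option that reaches the bottom of the switch, not only when "a value used by tls_def_ctx" actually changes as the cover mail describes, and without regard to whether the call targeted a specific ld or the global defaults. Every successful set therefore forces a full rebuild of the default context (certificate and CA reloads included) on the next connection, even for a no-op set of an unchanged value. Suggest resetting only when the stored value differs from the new one, or only on the ld == NULL path, and factoring the lock/free/NULL/unlock sequence, now duplicated from ldap_pvt_tls_destroy, into one small helper so the two stay consistent.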