Bug 655073 - proxy tunnel support for LDAP requests is broken
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: curl
Version: 5.6
Hardware: All
OS: Linux
urgent
medium
Target Milestone: rc
Assignee: Kamil Dudka
QA Contact: Ondrej Moriš
Depends On: 655133 655134
Blocks: 670523
Reported: 2010-11-19 14:45 UTC by Julio Entrena Perez
Modified: 2018-11-14 17:16 UTC (History)

Doc Type: Bug Fix
Doc Text:
Previously, an attempt to send an LDAP request through an HTTP proxy tunnel ended up with cURL trying to connect to the LDAP server directly using a wrong port number. With this update, the underlying source code has been modified to address this issue, and cURL now works as expected.
: 655133 655134
Last Closed: 2012-02-21 06:15:05 UTC

Attachments
Pierre's patch adapted for el5 (2.15 KB, patch), 2010-11-23 12:17 UTC, Kamil Dudka, no flags
less intrusive version of the patch (1.79 KB, patch), 2010-11-23 13:11 UTC, Kamil Dudka, no flags
with a warning if the symbol is not available (1.98 KB, patch), 2010-11-23 14:09 UTC, Pierre Carrier, no flags
resulting patch (2.17 KB, patch), 2011-01-05 18:06 UTC, Kamil Dudka, no flags
resulting patch V2 (2.24 KB, patch), 2011-01-05 19:21 UTC, Kamil Dudka, prc: review+
resulting patch V3 (2.53 KB, patch), 2011-01-23 15:46 UTC, Kamil Dudka, ovasik: review+


Links
System: Red Hat Product Errata
ID: RHBA-2012:0241
Priority: normal
Status: SHIPPED_LIVE
Summary: curl bug fix and enhancement update
Last Updated: 2012-02-20 15:07:27 UTC

Description Julio Entrena Perez 2010-11-19 14:45:23 UTC
> Description of problem:

When performing an LDAP request using curl through an HTTP proxy in tunnel mode (curl option '-p' or '--proxytunnel'), curl hangs trying to connect directly to the LDAP server using the proxy port.

> Version-Release number of selected component (if applicable):

curl-7.15.5-9.el5

> How reproducible:

100%

> Steps to Reproduce:
1. Install and configure a Squid proxy that allows CONNECT method requests to LDAP ports.
2. Use curl to send a request to an LDAP server using the proxy tunnel option '-p': 
curl -x 1.1.1.1:3128 -p ldap://2.2.2.2/ou=users,dc=example,dc=net??sub?uid=foo

 
> Actual results:

curl hangs trying to connect to the LDAP server using the proxy port:

connect(4, {sa_family=AF_INET, sin_port=htons(3128), sin_addr=inet_addr("2.2.2.2")}, 16) = ? ERESTARTSYS (To be restarted)

> Expected results:

curl should attempt to connect to the proxy server instead of the LDAP server and return the LDAP search result:

DN: uid=foo,ou=Users,dc=example,dc=net

	cn: Foo Bar
	givenName: foo
	sn: bar
	uid: foo
	objectClass: top
	objectClass: person
	objectClass: organizationalperson
	objectClass: inetorgperson
	objectClass: posixAccount
	uidNumber: 12345
	gidNumber: 12345
	homeDirectory: /home/foo
	loginShell: /bin/bash
	mail: foo@example.net

> Additional info:

Fixed upstream in c59dba338ea2c71fa0422a8594928d3c1787469e on 17/09/2010

Comment 2 Kamil Dudka 2010-11-19 17:14:54 UTC
We've discussed the issue with Pierre Carrier.  The upstream patch is not applicable, since it modifies lib/openldap.c, which does not exist in RHEL-5 at all.  A solution to this would be to modify lib/ldap.c, which makes it possible to dlopen the openldap library.

The key problem right now seems to be the lack of the ldap_init_fd() function in RHEL-5.  I'll clone this bug for openldap, in order to get some feedback on the issue from its maintainer.

Comment 3 Kamil Dudka 2010-11-23 12:17:24 UTC
Created attachment 462308
Pierre's patch adapted for el5

Comment 4 Kamil Dudka 2010-11-23 13:11:36 UTC
Created attachment 462321
less intrusive version of the patch

I realized we should not require users to update openldap unless they are interested in using LDAP over an HTTP proxy.  The improved patch should solve the problem.

Plain LDAP now works with both old and new openldap packages.  The update of openldap is required only if the user needs LDAP over an HTTP proxy.

Comment 6 Pierre Carrier 2010-11-23 14:09:35 UTC
Created attachment 462337
with a warning if the symbol is not available

Comment 7 Kamil Dudka 2010-11-23 15:34:18 UTC
(In reply to comment #6)
> Created attachment 462337
> with a warning if the symbol is not available

Sounds like a good idea and the message is clear to me.  The only thing is that we can't use the original macro for that purpose:

>@@ -316,7 +317,25 @@ CURLcode Curl_ldap(struct connectdata *conn, bool *done)
>   DYNA_GET_FUNCTION(void (__cdecl *)(void *, int), ber_free);
>   DYNA_GET_FUNCTION(int (__cdecl *)(void *, int, void *), ldap_set_option);
> 
>-  server = (*ldap_init)(conn->host.name, (int)conn->port);
>+  if(conn->bits.tunnel_proxy && conn->bits.httpproxy) {
>+    /* for LDAP over HTTP proxy */
>+    status = DYNA_GET_FUNCTION(int (__cdecl *)(int, int, char *, void *), ldap_init_fd)
>+    if(status == CURLE_FUNCTION_NOT_FOUND) {
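Review bot: The status = DYNA_GET_FUNCTION(...) line in the new tunnel_proxy branch has no terminating semicolon, and it assigns from a macro that the two context lines above use only as standalone statements, so nothing here shows that the macro yields a value. Look the symbol up with an explicit call and test the returned pointer for NULL instead of comparing status against CURLE_FUNCTION_NOT_FOUND.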

    ldap_init_fd = (int (__cdecl *)(int, int, char *, void *))
                   DynaGetFunction("ldap_init_fd");
    if(!ldap_init_fd) {

Comment 9 Kamil Dudka 2010-11-26 15:13:51 UTC
available updates for stable Fedora:

curl-7.20.1-5.fc13
curl-7.21.0-6.fc14

Comment 10 Kamil Dudka 2011-01-05 18:06:45 UTC
Created attachment 471918
resulting patch

Pierre, could you please review the final version of the patch?  Thanks in advance!

Comment 11 Pierre Carrier 2011-01-05 18:41:59 UTC
Hello Kamil,


Looks good to me.

Whilst checking the return of dlsym, I realized we should probably go with introducing "probably".

We could even go a step further with:
-        failf(data, "Your openldap version is too old for HTTP proxying", dlerror());
+        failf(data, "Cannot use ldap_init_fd (%s), "
+          "your openldap version is probably too old for HTTP proxying", dlerror());
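Review bot: In the added failf() call, dlerror() is passed straight to %s, but dlerror() returns NULL when no error has been recorded since the previous call, which is possible when the lookup itself yields a NULL pointer. Store the result in a local first and substitute a fixed string when it is NULL. The removed line shows the other half of the problem: it passed dlerror() to a format string with no conversion specifier, so the loader message was never printed.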


With best regards,

-- 
Pierre
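
The approach settled on in comments 4 to 11 (require the newer symbol only when an HTTP proxy tunnel is requested, and report the loader error when it is missing), written out as an added example that is not curl's code and not one of the attachments here. The names resolve_optional, check_tunnel_support and example_missing_symbol are hypothetical, and the process's own handle stands in for the openldap library.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: resolve a symbol that only some library versions
   export. Returns its address, or NULL after writing a diagnostic. */
static void *resolve_optional(void *handle, const char *name,
                              char *errbuf, size_t errlen)
{
  void *sym;
  const char *err;
  (void)dlerror();                /* discard any stale error string */
  sym = dlsym(handle, name);
  err = dlerror();                /* NULL when no error was recorded */
  if(sym) {
    errbuf[0] = '\0';
    return sym;
  }
  snprintf(errbuf, errlen, "Cannot use %s (%s), the library is probably "
           "too old for HTTP proxying", name, err ? err : "no loader error");
  return NULL;
}

/* need_tunnel stands in for the tunnel_proxy && httpproxy test in the patch.
   Returns 0 when the transfer may proceed, -1 when the tunnel was requested
   but the symbol is missing. Plain LDAP never requires the newer symbol. */
int check_tunnel_support(void *handle, const char *symbol, int need_tunnel,
                         char *errbuf, size_t errlen)
{
  errbuf[0] = '\0';
  if(!need_tunnel)
    return 0;
  return resolve_optional(handle, symbol, errbuf, errlen) ? 0 : -1;
}

int main(void)
{
  char err[256];
  void *self = dlopen(NULL, RTLD_LAZY);  /* constructed stand-in for libldap */
  if(!self)
    return 1;
  /* "example_missing_symbol" is a constructed name for an absent export */
  if(check_tunnel_support(self, "example_missing_symbol", 1, err, sizeof(err)))
    printf("refused: %s\n", err);
  if(!check_tunnel_support(self, "example_missing_symbol", 0, err, sizeof(err)))
    printf("plain LDAP proceeds without the symbol\n");
  dlclose(self);
  return 0;
}
```

On older glibc releases, link with -ldl.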

Comment 12 Kamil Dudka 2011-01-05 19:21:36 UTC
Created attachment 471932
resulting patch V2

Sounds like a good idea.  An updated patch attached.

Comment 15 RHEL Program Management 2011-01-11 21:16:27 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 16 RHEL Program Management 2011-01-11 22:25:40 UTC
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.

Comment 25 Jaromir Hradilek 2011-01-19 11:11:17 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Previously, an attempt to send an LDAP request through an HTTP proxy tunnel ended up with cURL trying to connect to the LDAP server directly using a wrong port number. With this update, the underlying source code has been modified to address this issue, and cURL now works as expected.

Comment 32 Kamil Dudka 2011-01-23 15:46:23 UTC
Created attachment 474826
resulting patch V3

Pierre, could you please review the updated patch?

This should fix the crash on i386:

@@ -271,7 +271,7 @@ CURLcode Curl_ldap(struct connectdata *conn, bool *done)
   void   (__cdecl *ber_free)(void *, int);
   int    (__cdecl *ldap_set_option)(void *, int, void *);

-  void *server;
+  void *server = NULL;
   LDAPURLDesc *ludp = NULL;
   const char *mod_name;
   void *result;
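Review bot: Initialising server to NULL covers this one pointer, but result on the last context line is still declared without an initialiser, while ludp and now server both start as NULL. If result is released on the same cleanup path, give it = NULL as well, and add a short comment naming the early exit that reaches cleanup before server is assigned.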

Comment 38 errata-xmlrpc 2012-02-21 06:15:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0241.html

