httpd-cvs mailing list archives

From s.@apache.org
Subject svn commit: r1209604 - in /httpd/httpd/branches/2.4.x: ./ CHANGES modules/ldap/util_ldap.c
Date Fri, 02 Dec 2011 17:50:02 GMT
Author: sf
Date: Fri Dec  2 17:50:02 2011
New Revision: 1209604

URL: http://svn.apache.org/viewvc?rev=1209604&view=rev
Log:
Merge r1209601:

Fix segfault with Solaris LDAP SDK when enabling ldaps.

Enable SSL by passing secure=1 to apr_ldap_init instead of calling
apr_ldap_set_option(... APR_LDAP_OPT_TLS ...).

This change carefully avoids any change of behavior on non-Solaris LDAP SDKs.

PR: 42682

Modified:
    httpd/httpd/branches/2.4.x/   (props changed)
    httpd/httpd/branches/2.4.x/CHANGES
    httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c

Propchange: httpd/httpd/branches/2.4.x/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Dec  2 17:50:02 2011
@@ -1,3 +1,3 @@
 /httpd/httpd/branches/revert-ap-ldap:1150158-1150173
 /httpd/httpd/branches/wombat-integration:723609-723841
-/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461
+/httpd/httpd/trunk:1201042,1201111,1201194,1201198,1201202,1202456,1202886,1203859,1204630,1204968,1204990,1205061,1205075,1205379,1205885,1206291,1206587,1207719,1208753,1208835,1209053,1209085,1209417,1209432,1209461,1209601

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1209604&r1=1209603&r2=1209604&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Fri Dec  2 17:50:02 2011
@@ -1,6 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.0
 
+  *) mod_ldap: Fix segfault with Solaris LDAP when enabling ldaps. This
+     requires an apr-util fix in which is available in apr-util >= 1.4.0.
+     PR 42682. [Stefan Fritsch]
+
   *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible
      for RewriteRules to be placed in .htaccess files that match the directory
      with no trailing slash. PR 48304.

Modified: httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c?rev=1209604&r1=1209603&r2=1209604&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c (original)
+++ httpd/httpd/branches/2.4.x/modules/ldap/util_ldap.c Fri Dec  2 17:50:02 2011
@@ -262,6 +262,23 @@ static int uldap_connection_init(request
     util_ldap_state_t *st =
         (util_ldap_state_t *)ap_get_module_config(r->server->module_config,
         &ldap_module);
+    int have_client_certs = !apr_is_empty_array(ldc->client_certs);
+#if !APR_HAS_SOLARIS_LDAPSDK
+    /*
+     * Normally we enable SSL/TLS with apr_ldap_set_option(), except
+     * with Solaris LDAP, where this is broken.
+     */
+    int secure = APR_LDAP_NONE;
+#else
+    /*
+     * With Solaris LDAP, we enable TSL via the secure argument
+     * to apr_ldap_init(). This requires a fix from apr-util >= 1.4.0.
+     *
+     * Just in case client certificates ever get supported, we
+     * handle those as with the other LDAP SDKs.
+     */
+    int secure = have_client_certs ? APR_LDAP_NONE : ldc->secure;
+#endif
 
     /* Since the host will include a port if the default port is not used,
      * always specify the default ports for the port parameter.  This will
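Review bot: The apr-util >= 1.4.0 requirement for the Solaris branch exists only as a comment above `int secure = have_client_certs ? APR_LDAP_NONE : ldc->secure;`, so nothing stops a Solaris build against an older apr-util. What apr_ldap_init() does with a non-NONE `secure` in that case is not visible here, and TLS may not be enabled as the configuration asks. A compile-time guard in the `#else` branch would make the dependency explicit, for example `#if APU_MAJOR_VERSION == 1 && APU_MINOR_VERSION < 4` followed by `#error "Solaris LDAP SDK needs apr-util >= 1.4.0 for ldaps"` (or a `#warning` if breaking such builds is too strict), assuming apu_version.h is reachable from this file. The same comment has a typo, "TSL" for "TLS". The body of uldap_connection_init starts and ends outside this hunk.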
@@ -272,8 +289,7 @@ static int uldap_connection_init(request
     apr_ldap_init(r->pool, &(ldc->ldap),
                   ldc->host,
                   APR_LDAP_SSL == ldc->secure ? LDAPS_PORT : LDAP_PORT,
-                  APR_LDAP_NONE,
-                  &(result));
+                  secure, &(result));
 
     if (NULL == result) {
         /* something really bad happened */
@@ -318,7 +334,7 @@ static int uldap_connection_init(request
     ldap_set_option(ldc->ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
 
     /* set client certificates */
-    if (!apr_is_empty_array(ldc->client_certs)) {
+    if (have_client_certs) {
         apr_ldap_set_option(r->pool, ldc->ldap, APR_LDAP_OPT_TLS_CERT,
                             ldc->client_certs, &(result));
         if (LDAP_SUCCESS != result->rc) {
@@ -329,7 +345,12 @@ static int uldap_connection_init(request
     }
 
     /* switch on SSL/TLS */
-    if (APR_LDAP_NONE != ldc->secure) {
+    if (APR_LDAP_NONE != ldc->secure
+#if APR_HAS_SOLARIS_LDAPSDK
+        /* See comments near apr_ldap_init() above */
+        && have_client_certs
+#endif
+       ) {
         apr_ldap_set_option(r->pool, ldc->ldap,
                             APR_LDAP_OPT_TLS, &ldc->secure, &(result));
         if (LDAP_SUCCESS != result->rc) {
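Review bot: On Solaris builds without client certificates this condition is now always false, so every non-NONE value of `ldc->secure`, not only `APR_LDAP_SSL`, depends on the `secure` argument passed to apr_ldap_init() earlier in the function. The log message mentions only ldaps; if STARTTLS can also be configured on this path, confirm that the Solaris SDK either upgrades the connection or reports an error through `result`, rather than proceeding in cleartext before the bind. Separately, the `#if` spliced into the middle of the `if (...)` expression is hard to read. Computing a flag before the test keeps the preprocessor out of the condition: `int set_tls_opt = (APR_LDAP_NONE != ldc->secure);`, then `set_tls_opt = set_tls_opt && have_client_certs;` under `#if APR_HAS_SOLARIS_LDAPSDK`. The block opened by the last line continues outside the hunk.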


