* Try to find any TLS1.3 ciphers in the given list of suites.
*/
static void
-tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
{
char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
char *ptr, *colon, *nptr;
SSL *s = SSL_new( ctx );
int ret;
+ *oldsuites = NULL;
+
if ( !s )
return;
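Review bot: `*oldsuites = NULL;` runs before the `if ( !s ) return;` check, so when SSL_new() fails the function returns with the caller's pointer cleared. The new `oldsuites &&` guard in the caller (the hunk that changes the SSL_CTX_set_cipher_list call) then skips the cipher list without logging anything. Before this change the configured list was applied even when the TLS1.3 probe could not run, so this path now leaves the context on whatever cipher list it already had. Doing the check first, `if ( !s ) return;` and only then `*oldsuites = NULL;`, keeps the caller's initial `lt->lt_ciphersuite` value on that path. The body of tlso_ctx_cipher13 continues outside this hunk.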
if ( tls13_suites[0] )
ts = tlso_stecpy( ts, ":", te );
ts = tlso_stecpy( ts, nptr, te );
+ } else if (! *oldsuites) {
+ /* should never happen, set_ciphersuites should
+ * only succeed for TLSv1.3 and above
+ */
+ *oldsuites = ptr;
}
}
+ } else if (! *oldsuites) {
+ *oldsuites = ptr;
}
if ( !colon || ts >= te )
break;
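Review bot: The contract of the new `oldsuites` out-parameter is not documented in the visible lines, yet both added `else if (! *oldsuites)` branches depend on it. `*oldsuites` is set only once, to the position in the caller's `suites` string of the first entry that reaches one of those branches (judging by the comment, an entry that is not a TLS1.3 suite), and it stays NULL when no entry does. The caller therefore hands the whole tail from that position to SSL_CTX_set_cipher_list(), including any TLS1.3 names that follow. When the value is NULL it skips the call, so a configuration naming only TLS1.3 suites leaves the TLSv1.2-and-earlier cipher list at the context's current setting. I would extend the function's header comment with `On return *oldsuites points into suites at the first non-TLS1.3 entry, or is NULL if there is none.` and note the NULL case next to the caller's guard; the loop these branches sit in starts outside this hunk.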
}
if ( lo->ldo_tls_ciphersuite ) {
+ char *oldsuites = lt->lt_ciphersuite;
#if OPENSSL_VERSION_NUMBER >= 0x10101000
- tlso_ctx_cipher13( ctx, lt->lt_ciphersuite );
+ tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites );
#endif
- if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
+ if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) )
{
Debug1( LDAP_DEBUG_ANY,
"TLS: could not set cipher list %s.\n",