From 248d740251fbbb42ffa111ac79b83e7d245b0fac Mon Sep 17 00:00:00 2001
From: Howard Chu
Date: Fri, 7 Jun 2024 15:26:45 +0100
Subject: [PATCH] ITS#10223 libldap: check for OpenSSL SSL_CTX_set_ciphersuites failure
---
 libraries/libldap/tls_o.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 1af87694ff..c93579fd86 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -300,7 +300,7 @@ tlso_stecpy( char *dst, const char *src, const char *end )
 /* OpenSSL 1.1.1 uses a separate API for TLS1.3 ciphersuites.
 * Try to find any TLS1.3 ciphers in the given list of suites. */
-static void
+static int
 tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
 {
 char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
@@ -308,12 +308,12 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
 char sname[128];
 STACK_OF(SSL_CIPHER) *cs;
 SSL *s = SSL_new( ctx );
- int ret;
+ int ret = 0;
 *oldsuites = NULL;
 if ( !s )
- return;
+ return ret;
 *ts = '\0';
@@ -360,8 +360,9 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
 SSL_free( s );
 /* If no TLS1.3 ciphersuites were specified, leave current settings untouched. */
- if ( tls13_suites[0] )
- SSL_CTX_set_ciphersuites( ctx, tls13_suites );
+ if ( tls13_suites[0] && !SSL_CTX_set_ciphersuites( ctx, tls13_suites ))
+ ret = -1;
+ return ret;
 }
 #endif /* OpenSSL 1.1.1 */
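Review bot: The header comment above tlso_ctx_cipher13 still describes only the TLS1.3 extraction and says nothing about the return value the signature now carries (`static int`), so a caller has to read the body to learn the convention. I would extend the comment with ` * Returns 0 on success, -1 if SSL_CTX_set_ciphersuites() rejected the extracted TLSv1.3 list.` and, if it holds, one line stating what `*oldsuites` receives — this hunk only shows the parameter being declared, so confirm against the body before writing it. The function body continues past this hunk.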
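Review bot: `if ( !s ) return ret;` returns 0 — the success value — when SSL_new() fails, so the caller proceeds as if the cipher configuration had been applied; with `*oldsuites` set to NULL just above, the later `if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) )` in tlso_ctx_init is skipped and the context keeps OpenSSL's default cipher selection instead of the configured one, with nothing logged. Since the commit exists to stop exactly this kind of silent fall-through, this path should fail too: `if ( !s ) return -1;`. An SSL_new() failure normally leaves its reason on the OpenSSL error queue, which the caller's tlso_report_error() would then surface. The loop that fills tls13_suites lies outside the hunk.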
@@ -433,7 +434,14 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 if ( lo->ldo_tls_ciphersuite ) {
 char *oldsuites = lt->lt_ciphersuite;
 #if OPENSSL_VERSION_NUMBER >= 0x10101000
- tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites );
+ if ( tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites ))
+ {
+ Debug1( LDAP_DEBUG_ANY,
+ "TLS: could not set TLSv1.3 cipher list %s.\n",
+ lo->ldo_tls_ciphersuite );
+ tlso_report_error( errmsg );
+ return -1;
+ }
 #endif
 if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) ) {
-- 
2.47.2
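Review bot: The new error block puts its opening brace on a line of its own (`if ( tlso_ctx_cipher13( ... ))` then `{`), while the surrounding code in this function — the `if ( lo->ldo_tls_ciphersuite ) {` and `if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) ) {` lines in the same hunk — keeps the brace on the `if` line; I would write `if ( tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites )) {` to match. A smaller point: the message prints the full `lo->ldo_tls_ciphersuite` although only the TLSv1.3 subset extracted by tlso_ctx_cipher13 was rejected; that is acceptable since the subset is not available here, but the wording "TLSv1.3 cipher list" may send an operator looking at the wrong part of the string. tlso_ctx_init begins and ends outside this hunk.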