Message ID | 1715602845-8547-1-git-send-email-pdoshi@mvista.com |
---|---|
State | New |
Series | [meta-oe,kirkstone,V1] ITS#10094 libldap/OpenSSL: fix setting ciphersuites | expand |
Priyal, What versions of openldap does this affect? Do we need this in other branches like master or scarthgap? - armin On 5/13/24 8:20 AM, Priyal Doshi via lists.openembedded.org wrote: > From: Priyal Doshi <pdoshi@mvista.com> > > Backport-from: https://git.openldap.org/openldap/openldap/-/merge_requests/654/diffs?commit_id=8c482cec9a68e74b3609b1e44738bee352f6577a > > Signed-off-by: Priyal Doshi <pdoshi@mvista.com> > --- > ...-libldap-OpenSSL-fix-setting-ciphersuites.patch | 69 ++++++++++++++++++++++ > .../recipes-support/openldap/openldap_2.5.16.bb | 1 + > 2 files changed, 70 insertions(+) > create mode 100644 meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch > > diff --git a/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch b/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch > new file mode 100644 > index 0000000..211dbe9 > --- /dev/null > +++ b/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch 
> @@ -0,0 +1,69 @@ > +From 7cee69298857e2393799780ee472dfe0a378ee2d Mon Sep 17 00:00:00 2001 > +From: Howard Chu <hyc@openldap.org> > +Date: Thu, 12 Oct 2023 17:22:48 +0100 > +Subject: [PATCH] ITS#10094 libldap/OpenSSL: fix setting ciphersuites > + > +Don't try old-style ciphersuite list if only v1.3 or newer ciphers were specified > + > +Upstream-Status: Backport from https://git.openldap.org/openldap/openldap/-/merge_requests/654/diffs?commit_id=8c482cec9a68e74b3609b1e44738bee352f6577a > + > +Signed-off-by: Priyal Doshi <pdoshi@mvista.com> > +--- > + libraries/libldap/tls_o.c | 16 +++++++++++++--- > + 1 file changed, 13 insertions(+), 3 deletions(-) > + > +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c > +index d6405bc..4123a9b 100644 > +--- a/libraries/libldap/tls_o.c > ++++ b/libraries/libldap/tls_o.c > +@@ -294,7 +294,7 @@ tlso_stecpy( char *dst, const char *src, const char *end ) > + * Try to find any TLS1.3 ciphers in the given list of suites. > + */ > + static void > +-tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) > ++tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites ) > + { > + char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites); > + char *ptr, *colon, *nptr; > +@@ -303,6 +303,8 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) > + SSL *s = SSL_new( ctx ); > + int ret; > + > ++ *oldsuites = NULL; > ++ > + if ( !s ) > + return; > + > +@@ -334,8 +336,15 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites ) > + if ( tls13_suites[0] ) > + ts = tlso_stecpy( ts, ":", te ); > + ts = tlso_stecpy( ts, nptr, te ); > ++ } else if (! *oldsuites) { > ++ /* should never happen, set_ciphersuites should > ++ * only succeed for TLSv1.3 and above > ++ */ > ++ *oldsuites = ptr; > + } > + } > ++ } else if (! 
*oldsuites) { > ++ *oldsuites = ptr; > + } > + if ( !colon || ts >= te ) > + break; > +@@ -415,10 +424,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) > + } > + > + if ( lo->ldo_tls_ciphersuite ) { > ++ char *oldsuites = lt->lt_ciphersuite; > + #if OPENSSL_VERSION_NUMBER >= 0x10101000 > +- tlso_ctx_cipher13( ctx, lt->lt_ciphersuite ); > ++ tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites ); > + #endif > +- if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) ) > ++ if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) ) > + { > + Debug1( LDAP_DEBUG_ANY, > + "TLS: could not set cipher list %s.\n", > +-- > +2.34.1 > + > diff --git a/meta-oe/recipes-support/openldap/openldap_2.5.16.bb b/meta-oe/recipes-support/openldap/openldap_2.5.16.bb > index 9e9d059..7e1c8fd 100644 > --- a/meta-oe/recipes-support/openldap/openldap_2.5.16.bb > +++ b/meta-oe/recipes-support/openldap/openldap_2.5.16.bb > @@ -20,6 +20,7 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$ > file://slapd.service \ > file://remove-user-host-pwd-from-version.patch \ > file://0001-build-top.mk-unset-STRIP_OPTS.patch \ > + file://0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch \ > " > > SRC_URI[sha256sum] = "546ba591822e8bb0e467d40c4d4a30f89d937c3a507fe83a578f582f6a211327" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#110338): https://lists.openembedded.org/g/openembedded-devel/message/110338 > Mute This Topic: https://lists.openembedded.org/mt/106071184/3616698 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [akuster808@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
diff --git a/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch b/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch
new file mode 100644
index 0000000..211dbe9
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch
@@ -0,0 +1,69 @@
+From 7cee69298857e2393799780ee472dfe0a378ee2d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 12 Oct 2023 17:22:48 +0100
+Subject: [PATCH] ITS#10094 libldap/OpenSSL: fix setting ciphersuites
+
+Don't try old-style ciphersuite list if only v1.3 or newer ciphers were specified
+
+Upstream-Status: Backport from https://git.openldap.org/openldap/openldap/-/merge_requests/654/diffs?commit_id=8c482cec9a68e74b3609b1e44738bee352f6577a
+
+Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
+---
+ libraries/libldap/tls_o.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index d6405bc..4123a9b 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -294,7 +294,7 @@ tlso_stecpy( char *dst, const char *src, const char *end )
+ * Try to find any TLS1.3 ciphers in the given list of suites.
+ */
+ static void
+-tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
++tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
+ {
+ char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
+ char *ptr, *colon, *nptr;
+@@ -303,6 +303,8 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+ SSL *s = SSL_new( ctx );
+ int ret;
+
++ *oldsuites = NULL;
++
+ if ( !s )
+ return;
+
+@@ -334,8 +336,15 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+ if ( tls13_suites[0] )
+ ts = tlso_stecpy( ts, ":", te );
+ ts = tlso_stecpy( ts, nptr, te );
++ } else if (! *oldsuites) {
++ /* should never happen, set_ciphersuites should
++ * only succeed for TLSv1.3 and above
++ */
++ *oldsuites = ptr;
+ }
+ }
++ } else if (! *oldsuites) {
++ *oldsuites = ptr;
+ }
+ if ( !colon || ts >= te )
+ break;
+@@ -415,10 +424,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ }
+
+ if ( lo->ldo_tls_ciphersuite ) {
++ char *oldsuites = lt->lt_ciphersuite;
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000
+- tlso_ctx_cipher13( ctx, lt->lt_ciphersuite );
++ tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites );
+ #endif
+- if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
++ if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) )
+ {
+ Debug1( LDAP_DEBUG_ANY,
+ "TLS: could not set cipher list %s.\n",
+--
+2.34.1
+
diff --git a/meta-oe/recipes-support/openldap/openldap_2.5.16.bb b/meta-oe/recipes-support/openldap/openldap_2.5.16.bb
index 9e9d059..7e1c8fd 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.5.16.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.5.16.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$
 file://slapd.service \
 file://remove-user-host-pwd-from-version.patch \
 file://0001-build-top.mk-unset-STRIP_OPTS.patch \
+ file://0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch \
 "
 
 SRC_URI[sha256sum] = "546ba591822e8bb0e467d40c4d4a30f89d937c3a507fe83a578f582f6a211327"
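Review bot: In the backported tls_o.c change, `*oldsuites = NULL;` is assigned before the `if ( !s ) return;` guard in tlso_ctx_cipher13, so when SSL_new() fails the caller in tlso_ctx_init sees oldsuites == NULL, the new `oldsuites &&` condition skips SSL_CTX_set_cipher_list() entirely, and the context is presumably left on OpenSSL's default cipher list with nothing logged — a fail-open that the pre-patch code did not have, since it always applied lt->lt_ciphersuite. Moving the assignment below the guard keeps the old fallback on that path: `if ( !s ) return;` followed by `*oldsuites = NULL;`. The allocation failure itself is also silent; a Debug1 on the early-return path would make the fallback visible to operators. Both tlso_ctx_cipher13 and tlso_ctx_init continue outside the hunk, so whether tlso_ctx_init still reports an error further down when oldsuites is NULL cannot be confirmed from here.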