From: pdoshi@mvista.com
To: openembedded-devel@lists.openembedded.org
Cc: Priyal Doshi <pdoshi@mvista.com>
Subject: [oe] [meta-oe][kirkstone][PATCH V1] ITS#10094 libldap/OpenSSL: fix setting ciphersuites
Date: Mon, 13 May 2024 17:50:45 +0530 [thread overview]
Message-ID: <1715602845-8547-1-git-send-email-pdoshi@mvista.com> (raw)
From: Priyal Doshi <pdoshi@mvista.com>
Backport-from: https://git.openldap.org/openldap/openldap/-/merge_requests/654/diffs?commit_id=8c482cec9a68e74b3609b1e44738bee352f6577a
Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
---
...-libldap-OpenSSL-fix-setting-ciphersuites.patch | 69 ++++++++++++++++++++++
.../recipes-support/openldap/openldap_2.5.16.bb | 1 +
2 files changed, 70 insertions(+)
create mode 100644 meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch
diff --git a/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch b/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch
new file mode 100644
index 0000000..211dbe9
--- /dev/null
+++ b/meta-oe/recipes-support/openldap/openldap/0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch
@@ -0,0 +1,69 @@
+From 7cee69298857e2393799780ee472dfe0a378ee2d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 12 Oct 2023 17:22:48 +0100
+Subject: [PATCH] ITS#10094 libldap/OpenSSL: fix setting ciphersuites
+
+Don't try old-style ciphersuite list if only v1.3 or newer ciphers were specified
+
+Upstream-Status: Backport from https://git.openldap.org/openldap/openldap/-/merge_requests/654/diffs?commit_id=8c482cec9a68e74b3609b1e44738bee352f6577a
+
+Signed-off-by: Priyal Doshi <pdoshi@mvista.com>
+---
+ libraries/libldap/tls_o.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index d6405bc..4123a9b 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -294,7 +294,7 @@ tlso_stecpy( char *dst, const char *src, const char *end )
+ * Try to find any TLS1.3 ciphers in the given list of suites.
+ */
+ static void
+-tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
++tlso_ctx_cipher13( tlso_ctx *ctx, char *suites, char **oldsuites )
+ {
+ char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
+ char *ptr, *colon, *nptr;
+@@ -303,6 +303,8 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+ SSL *s = SSL_new( ctx );
+ int ret;
+
++ *oldsuites = NULL;
++
+ if ( !s )
+ return;
+
+@@ -334,8 +336,15 @@ tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+ if ( tls13_suites[0] )
+ ts = tlso_stecpy( ts, ":", te );
+ ts = tlso_stecpy( ts, nptr, te );
++ } else if (! *oldsuites) {
++ /* should never happen, set_ciphersuites should
++ * only succeed for TLSv1.3 and above
++ */
++ *oldsuites = ptr;
+ }
+ }
++ } else if (! *oldsuites) {
++ *oldsuites = ptr;
+ }
+ if ( !colon || ts >= te )
+ break;
+@@ -415,10 +424,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ }
+
+ if ( lo->ldo_tls_ciphersuite ) {
++ char *oldsuites = lt->lt_ciphersuite;
+ #if OPENSSL_VERSION_NUMBER >= 0x10101000
+- tlso_ctx_cipher13( ctx, lt->lt_ciphersuite );
++ tlso_ctx_cipher13( ctx, lt->lt_ciphersuite, &oldsuites );
+ #endif
+- if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
++ if ( oldsuites && !SSL_CTX_set_cipher_list( ctx, oldsuites ) )
+ {
+ Debug1( LDAP_DEBUG_ANY,
+ "TLS: could not set cipher list %s.\n",
+--
+2.34.1
+
diff --git a/meta-oe/recipes-support/openldap/openldap_2.5.16.bb b/meta-oe/recipes-support/openldap/openldap_2.5.16.bb
index 9e9d059..7e1c8fd 100644
--- a/meta-oe/recipes-support/openldap/openldap_2.5.16.bb
+++ b/meta-oe/recipes-support/openldap/openldap_2.5.16.bb
@@ -20,6 +20,7 @@ SRC_URI = "http://www.openldap.org/software/download/OpenLDAP/openldap-release/$
file://slapd.service \
file://remove-user-host-pwd-from-version.patch \
file://0001-build-top.mk-unset-STRIP_OPTS.patch \
+ file://0001-ITS-10094-libldap-OpenSSL-fix-setting-ciphersuites.patch \
"
SRC_URI[sha256sum] = "546ba591822e8bb0e467d40c4d4a30f89d937c3a507fe83a578f582f6a211327"
--
2.7.4
next reply other threads:[~2024-05-13 12:20 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-13 12:20 pdoshi [this message]
2024-05-14 11:44 ` [oe] [meta-oe][kirkstone][PATCH V1] ITS#10094 libldap/OpenSSL: fix setting ciphersuites akuster808
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1715602845-8547-1-git-send-email-pdoshi@mvista.com \
--to=pdoshi@mvista.com \
--cc=openembedded-devel@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).