https://bugs.openldap.org/show_bug.cgi?id=10223
Issue ID: 10223
Summary: tlso_ctx_cipherfree: does not check result of SSL_CTX_set_ciphersuites; can fail with incomplete input provided earlier on in the function
Product: OpenLDAP
Version: 2.6.7
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: libraries
Assignee: bugs@openldap.org
Reporter: yaneurabeya@gmail.com
Target Milestone: ---
The code on line 366 [1] doesn't check the return value of SSL_CTX_set_ciphersuites(..) before returning from the function if there's leftover data in the tls13_suites buffer after processing tls13_suites looking for TLS v1.3-compatible ciphers.
OpenSSL doesn't state what specific scenarios could result in a failure with the function, but from some code inspection [2] it appears that a failure could occur if the value provided in the second parameter (`str` per the manpage [3]) to SSL_CTX_set_ciphersuites(..) is invalid or an internal memory allocation error occurs.
While this isn't necessarily something that can be easily handled, it would be prudent to either ignore the return code explicitly by casting the result to (void) and clearing the error, or handle the OpenSSL error explicitly using the ERR_* family of APIs.
This issue was reported by Coverity.
1. https://github.com/openldap/openldap/blob/15edb3b30f2b6a3dbdf77cc42d39466d5f...
2. https://github.com/openssl/openssl/blob/5bbdbce856c7ca132e039a24a31561848487...
3. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
yaneurabeya@gmail.com changed:
What   |Removed                                                  |Added
-------+---------------------------------------------------------+-------------------------------------------------------------
Summary|tlso_ctx_cipherfree: does not check result of            |tlso_ctx_cipherfree: does not check result of
       |SSL_CTX_set_ciphersuites; can fail with incomplete input |SSL_CTX_set_ciphersuites(..); can fail with incomplete input
       |provided earlier on in the function                      |provided earlier on in the function or due to an internal
       |                                                         |memory error
Howard Chu hyc@openldap.org changed:
What      |Removed     |Added
----------+------------+---------
Status    |UNCONFIRMED |RESOLVED
Resolution|---         |TEST

--- Comment #1 from Howard Chu hyc@openldap.org ---
Fixed in git 4dfe057b5827bdf0d6f84461dee38c5e938cf382
--- Comment #2 from yaneurabeya@gmail.com ---
(In reply to Howard Chu from comment #1)
> Fixed in git 4dfe057b5827bdf0d6f84461dee38c5e938cf382

Thank you Howard.
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed      |Added
----------------+-------------+------
Keywords        |needs_review |
Target Milestone|---          |2.6.9
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed |Added
----------------+--------+-------
Target Milestone|2.6.9   |2.5.19
Quanah Gibson-Mount quanah@openldap.org changed:
What      |Removed |Added
----------+--------+------
Resolution|TEST    |FIXED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org --- RE26:
• a45e1fc4 by Howard Chu at 2024-06-28T16:46:13+00:00 ITS#10223 libldap: check for OpenSSL SSL_CTX_set_ciphersuites failure
RE25:
• 248d7402 by Howard Chu at 2024-06-28T16:50:47+00:00 ITS#10223 libldap: check for OpenSSL SSL_CTX_set_ciphersuites failure