ITS#9521 Set TLSv1.3 cipher suites for OpenSSL 1.1.1

a48267c2 · Howard Chu · Quanah Gibson-Mount · f42802b5 · a48267c2
Commit a48267c2 authored Apr 09, 2021 by Howard Chu Committed by Quanah Gibson-Mount Apr 09, 2021
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -273,6 +273,53 @@ tlso_ctx_free ( tls_ctx *ctx )
 	SSL_CTX_free( c );
 }

+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+static char *
+tlso_stecpy( char *dst, const char *src, const char *end )
+{
+	while ( dst < end && *src )
+		*dst++ = *src++;
+	if ( dst < end )
+		*dst = '\0';
+	return dst;
+}
+
+/* OpenSSL 1.1.1 uses a separate API for TLS1.3 ciphersuites.
+ * Try to find any TLS1.3 ciphers in the given list of suites.
+ */
+static void
+tlso_ctx_cipher13( tlso_ctx *ctx, char *suites )
+{
+	char tls13_suites[1024], *ts = tls13_suites, *te = tls13_suites + sizeof(tls13_suites);
+	char *ptr, *colon, *nptr;
+	char sname[128];
+	int ret;
+
+	*ts = '\0';
+	for ( ptr = suites;; ) {
+		colon = strchr( ptr, ':' );
+		if ( colon ) {
+			int len = colon - ptr;
+			if ( len > 63 ) len = 63;
+			strncpy( sname, ptr, len );
+			sname[len] = '\0';
+			nptr = sname;
+		} else {
+			nptr = ptr;
+		}
+		if ( SSL_CTX_set_ciphersuites( ctx, nptr )) {
+			if ( tls13_suites[0] )
+				ts = tlso_stecpy( ts, ":", te );
+			ts = tlso_stecpy( ts, sname, te );
+		}
+		if ( !colon || ts >= te )
+			break;
+		ptr = colon+1;
+	}
+	SSL_CTX_set_ciphersuites( ctx, tls13_suites );
+}
+#endif /* OpenSSL 1.1.1 TLS 1.3 */
+
 /*
 * initialize a new TLS context
 */
@@ -311,14 +358,18 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
 		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );

-	if ( lo->ldo_tls_ciphersuite &&
-		!SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
-	{
-		Debug( LDAP_DEBUG_ANY,
-			   "TLS: could not set cipher list %s.\n",
-			   lo->ldo_tls_ciphersuite, 0, 0 );
-		tlso_report_error();
-		return -1;
+	if ( lo->ldo_tls_ciphersuite ) {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000
+		tlso_ctx_cipher13( ctx, lt->lt_ciphersuite );
+#endif /* OpenSSL 1.1.1 */
+		if ( !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
+		{
+			Debug( LDAP_DEBUG_ANY,
+				   "TLS: could not set cipher list %s.\n",
+				   lo->ldo_tls_ciphersuite, 0, 0 );
+			tlso_report_error();
+			return -1;
+		}
 	}

 	if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {