OpenLDAP
Viewing Archive.Software Bugs/5341
From: quanah@OpenLDAP.org
Subject: Invalid TLSCipherSuite causes hang
Date: Tue, 29 Jan 2008 19:28:39 GMT
From: quanah@OpenLDAP.org
To: openldap-its@openldap.org
Subject: Invalid TLSCipherSuite causes hang
Full_Name: Quanah Gibson-Mount
Version: 2.4.7
OS: NA
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.23.156.219)


Setting TLSCipherSuite to "cipher1 cipher2" rather than "cipher1:cipher2" causes
slapd to hang on startup (at least when using GnuTLS).

It appears to be hanging indefinitely in ldap_pvt_tls_set_option()

--Quanah


Followup 1

Date: Tue, 29 Jan 2008 11:55:24 -0800
From: Steve Langasek <vorlon@debian.org>
To: Quanah Gibson-Mount <quanah@zimbra.com>, 462588@bugs.debian.org
Cc: openldap-its@openldap.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek 
> <vorlon@debian.org> wrote:

> > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > startup (which should be investigated).

> Filed upstream:

> <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

Sorry, the description of this ITS is inverted.  It's *valid* ciphersuite
values (i.e., "cipher1:cipher2") that cause the hang; invalid
space-separated values are merely truncated after the first cipher in the
list, which doesn't cause a hang, it just prevents the cipher list from
being useful.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org



Followup 2

Date: Thu, 31 Jan 2008 00:29:32 -0500
From: "Kyle Moffett" <kyle@moffetthome.net>
To: openldap-its@OpenLDAP.org, quanah@OpenLDAP.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang

I ran into this problem a little while ago and scribbled up the
attached patch to fix it.  It's trivial enough and it works in my
testing here.

Cheers,
Kyle Moffett




Followup 3

Date: Thu, 31 Jan 2008 07:43:33 -0500
From: "Kyle Moffett" <kyle@moffetthome.net>
To: openldap-its@openldap.org, quanah@openldap.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang

On Jan 31, 2008 12:29 AM, Kyle Moffett <kyle@moffetthome.net> wrote:
> I ran into this problem a little while ago and scribbled up the
> attached patch to fix it.  It's trivial enough and it works in my
> testing here.

Sorry, the patch seems to have gone out MIME-encoded and mostly
useless to people who want to download it from the bug-tracker.  Let
me try again... (Sorry, still getting used to a new email client)

Cheers,
Kyle Moffett




Followup 4

Date: Thu, 31 Jan 2008 07:46:07 -0500
From: "Kyle Moffett" <kyle@moffetthome.net>
To: openldap-its@openldap.org, quanah@openldap.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
On Jan 31, 2008 7:43 AM, Kyle Moffett <kyle@moffetthome.net> wrote:
> On Jan 31, 2008 12:29 AM, Kyle Moffett <kyle@moffetthome.net> wrote:
> > I ran into this problem a little while ago and scribbled up the
> > attached patch to fix it.  It's trivial enough and it works in my
> > testing here.
>
> Sorry, the patch seems to have gone out MIME-encoded and mostly
> useless to people who want to download it from the bug-tracker.  Let
> me try again... (Sorry, still getting used to a new email client)

Well damn, it still didn't work.  Hopefully gmail won't mangle a
pasted patch.  Again, my apologies for the mess.

Cheers,
Kyle Moffett

--- openldap-2.4.7/libraries/libldap/tls.c.orig	2007-12-21
19:24:08.000000000 -0500
+++ openldap-2.4.7/libraries/libldap/tls.c	2007-12-21 19:36:02.000000000 -0500
@@ -300,6 +300,7 @@
 		for (i=0; i<n_ciphers; i++) {
 			if ( !strncasecmp( ciphers[i].name, ptr, len )) {
 				num++;
+				ptr = end + 1;
 				break;
 			}
 		}
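Review bot: the added `ptr = end + 1;` before the `break` is only safe when `end` is non-NULL; the last token of a list has no trailing ':', so `end` is presumably NULL there, and forming `end + 1` from a null pointer is undefined behaviour in C even if the loop's exit test means the value is never dereferenced. The hunk does not show how `end` is computed or how the outer loop terminates, so please confirm the exit check is on `end` before `ptr` is used again, or write it as `ptr = end ? end + 1 : NULL;` (or skip the assignment when `end` is NULL). Advancing inside the match branch also means the matched and unmatched paths now move `ptr` in two different places; a single advance hoisted to just after the inner `for` would make this counting pass harder to break again.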
@@ -330,6 +331,7 @@
 			 * only appear once in each list.
 			 */
 			if ( !strncasecmp( ciphers[i].name, ptr, len )) {
+				ptr = end + 1;
 				for (j=0; j<nkx; j++)
 					if ( kx[j] == ciphers[i].kx )
 						break;
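Review bot: the same null-pointer caveat as in the counting pass applies to `ptr = end + 1;` here, and this hunk places the advance at the top of the match branch, before the `kx[]` duplicate check rather than immediately before the `break` as the first hunk does. If anything later in this branch refers to the matched token through `ptr` or `len`, it will now see the next token; moving the assignment to the end of the branch keeps the two hunks consistent. The counting pass and this filling pass walk the same string, so they must stay in lockstep: if one advances on match and the other does not, the count and the stored list will disagree. A shared helper or one post-loop advance in both places would stop the two from drifting.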



Followup 5

Date: Fri, 1 Feb 2008 13:22:37 -0800
From: Steve Langasek <vorlon@debian.org>
To: Kyle Moffett <kyle@moffetthome.net>, openldap-its@openldap.org
Cc: 462588@bugs.debian.org
Subject: Re: (ITS#5341) Invalid TLSCipherSuite causes hang
Hi Kyle,

On Fri, Feb 01, 2008 at 12:15:52AM -0500, Kyle Moffett wrote:
> On Jan 29, 2008 2:55 PM, Steve Langasek <vorlon@debian.org> wrote:
> > On Tue, Jan 29, 2008 at 11:31:43AM -0800, Quanah Gibson-Mount wrote:
> > > --On Tuesday, January 29, 2008 11:09 AM -0800 Steve Langasek
<vorlon@debian.org> wrote:
> > > > Anyway, the documented syntax for TLSCipherSuite is "$cipher1:$cipher2",
> > > > not "$cipher1 $cipher2"; but setting such values gives me a hang on
> > > > startup (which should be investigated).

> > > Filed upstream:
> > > <http://www.OpenLDAP.org/its/index.cgi?findid=5341>

> > Sorry, the description of this ITS is inverted.  It's *valid* ciphersuite
> > values (i.e., "cipher1:cipher2") that cause the hang; invalid
> > space-separated values are merely truncated after the first cipher in the
> > list, which doesn't cause a hang, it just prevents the cipher list from
> > being useful.

> Steve, would you mind testing the patch I posted there?  It fixed the
> problem for me when I wrote it a month or two ago, hopefully it will
> fix the problem for you too.

Thanks, I can confirm this fixes the problem here.  I'm able to set multiple
ciphers in a TLSCipherSuite list, and able to connect appropriately with
ldapsearch and gnutls-cli after the change.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
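Added example, not code from OpenLDAP's tls.c or from anyone in this thread: a small C model of the colon-separated TLSCipherSuite parser that Followup 1 and Followup 4 describe. The cipher table and its names are constructed for illustration and are not GnuTLS's. The buggy variant leaves the cursor in place after a matched token, which is why a valid "cipher1:cipher2" list spins forever while a single cipher parses fine; the fixed variant advances it. An iteration cap turns the would-be hang into a -1 return so the two can be run side by side.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed cipher table for this example; the names are illustrative,
 * not GnuTLS's or OpenLDAP's. */
static const char *const ciphers[] = { "AES-128-CBC", "AES-256-CBC", "3DES-CBC" };
#define N_CIPHERS (sizeof ciphers / sizeof ciphers[0])

/*
 * Count the recognised entries in a colon-separated cipher list, walking
 * it the way the thread describes: take the token up to the next ':',
 * compare it against the table, then move on.
 *
 * advance_on_match == 0 models the pre-patch behaviour: a matched token
 * leaves ptr where it was, so any list with a ':' after a valid name is
 * parsed again and again. A lone cipher has no ':' and exits normally,
 * which is why single-cipher settings never showed the bug.
 * max_iter bounds the loop so the buggy variant returns -1 ("would hang")
 * instead of actually hanging the caller.
 */
int count_ciphers(const char *list, int advance_on_match, int max_iter)
{
    const char *ptr = list;
    const char *end;
    size_t len, i;
    int num = 0, iter = 0;

    do {
        end = strchr(ptr, ':');
        len = end ? (size_t)(end - ptr) : strlen(ptr);
        if (++iter > max_iter)
            return -1;                       /* the hang, made observable */

        for (i = 0; i < N_CIPHERS; i++) {
            /* length check so "AES-128" cannot match "AES-128-CBC" by prefix */
            if (len == strlen(ciphers[i]) && !strncasecmp(ciphers[i], ptr, len)) {
                num++;
                if (advance_on_match && end)
                    ptr = end + 1;           /* the advance the patch adds */
                break;
            }
        }
        if (i == N_CIPHERS && end)
            ptr = end + 1;                   /* unknown token: skip it */
    } while (end);

    return num;
}

int main(void)
{
    printf("fixed,  \"AES-128-CBC:AES-256-CBC\" -> %d\n",
           count_ciphers("AES-128-CBC:AES-256-CBC", 1, 100));
    printf("buggy,  \"AES-128-CBC:AES-256-CBC\" -> %d (-1: would hang)\n",
           count_ciphers("AES-128-CBC:AES-256-CBC", 0, 100));
    printf("buggy,  \"AES-128-CBC\"             -> %d\n",
           count_ciphers("AES-128-CBC", 0, 100));
    printf("either, \"AES-128-CBC AES-256-CBC\" -> %d\n",
           count_ciphers("AES-128-CBC AES-256-CBC", 1, 100));
    return 0;
}
```

The space-separated form "AES-128-CBC AES-256-CBC" is a single token here and matches nothing, so it yields 0; the thread reports that the real parser kept only the first name, but either way the list is unusable, which is the other half of Followup 1's point. Note that the advance is guarded on `end` being non-NULL, so the final token never produces `NULL + 1`.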



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org