Seems there were two bugs in #1070033.  The part for OpenLDAP is pretty
simple.  When detecting an IPv6 address (via ':' in the string),
the function `ldap_int_tls_connect()` triggers a `break;`, but this
requires `numeric=1` to still be in effect.  Since IPv6 addresses are
hexadecimal, this isn't always true.

Patch attached.  Given how small it is, any license acceptable to the
Debian project is acceptable to me.  I'll let the maintainer forward it
to the OpenLDAP project.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \BS (    |         ehem+sig...@m5p.com  PGP 87145445         |    )   /
  \_CS\   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
8A19\___\_|_/58D2 7E3D DDF4 7BA6 <-PGP-> 41D1 B375 37D0 8714\_|_/___/5445


From: Elliott Mitchell <ehem+openl...@m5p.com>
Date: Sun, 19 May 2024 09:49:36 -0700
Subject: [PATCH] tls: fix handling of numeric IPv6 addresses for SNI

A colon in the SNI is a strong indicator of an IPv6 address.  Since IPv6
addresses are hexadecimal, `numeric` may already be false and falling
through to the test doesn't work.  Address this by preemptively setting
`sni` to invalid (NULL).

Fixes: b8f34888 ("ITS#9176 check for numeric addrs before passing SNI")
---
 libraries/libldap/tls2.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index f9dcbfc8d..d433e6508 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -399,8 +399,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
 		int numeric = 1;
 		unsigned char *c;
 		for ( c = (unsigned char *)sni; *c; c++ ) {
-			if ( *c == ':' )	/* IPv6 address */
+			if ( *c == ':' ) {	/* IPv6 address */
+				sni = NULL;
 				break;
+			}
 			if ( *c == '.' )
 				continue;
 			if ( !isdigit( *c )) {
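Review bot: the new `sni = NULL` on ':' only takes effect if the scan actually reaches a colon, but the loop still sends every non-digit, non-dot character to the `!isdigit( *c )` branch first; for an address such as fe80::1 that branch is taken on 'f' before any ':' is seen, so if its body (outside this hunk) leaves the loop, the hex-letter case the commit message describes is still not covered. Testing for the colon before the per-character loop, e.g. `if ( strchr( sni, ':' )) sni = NULL;` with the digit/dot scan in the `else` branch, makes the IPv6 decision independent of what precedes the colon. Also worth a comment: assigning `sni = NULL` while `c` still points into the old string is only safe because the `break` follows immediately.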
-- 
2.39.2
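To make the failure mode concrete, here is an added example (not OpenLDAP code and not the patch above) of two ways to decide whether a host string is an IP literal for which no SNI should be sent. The first, `is_ip_literal_scan()`, keeps the digits/dots/colon idea from the bug report but tests for ':' before the per-character loop, so a hex letter can never pre-empt the IPv6 check; the second, `is_ip_literal_pton()`, defers to `inet_pton()`. The function names, the `sni_for_host()` wrapper and the sample host list are assumptions made for this example.

```c
/* Added example, not OpenLDAP code: should SNI be sent for this host?
 * Function names and the sample hosts below are assumptions made here. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Heuristic scan, modelled on the digits/dots/colon idea in the bug report.
 * The colon test comes first because IPv6 literals contain hex letters
 * (fe80::1), which a digit-only loop would otherwise reject as a host name. */
int is_ip_literal_scan( const char *host )
{
	const unsigned char *c;

	if ( !*host )
		return 0;		/* empty string: not an address */
	if ( strchr( host, ':' ) != NULL )
		return 1;		/* IPv6, hex letters permitted */
	for ( c = (const unsigned char *)host; *c; c++ ) {
		if ( *c == '.' )
			continue;
		if ( !isdigit( *c ))
			return 0;	/* letters or other chars: a host name */
	}
	return 1;			/* only digits and dots: IPv4 */
}

/* Strict check: accept exactly what the system address parser accepts. */
int is_ip_literal_pton( const char *host )
{
	union {
		struct in_addr  a4;
		struct in6_addr a6;
	} addr;

	return inet_pton( AF_INET, host, &addr ) == 1
	    || inet_pton( AF_INET6, host, &addr ) == 1;
}

/* Returns the name to put in the SNI extension, or NULL for an IP literal. */
const char *sni_for_host( const char *host )
{
	return is_ip_literal_pton( host ) ? NULL : host;
}

int main( void )
{
	/* Constructed sample inputs, including the hex-letter IPv6 case. */
	static const char *const hosts[] = {
		"ldap.example.com", "192.0.2.10", "2001:db8::1",
		"fe80::1", "::1", "ldap6.example.net"
	};
	size_t i;

	for ( i = 0; i < sizeof hosts / sizeof hosts[0]; i++ ) {
		const char *sni = sni_for_host( hosts[i] );
		printf( "%-18s scan=%d pton=%d sni=%s\n", hosts[i],
		    is_ip_literal_scan( hosts[i] ),
		    is_ip_literal_pton( hosts[i] ),
		    sni ? sni : "(none)" );
	}
	return 0;
}
```

The scan variant is cheap and has no dependency on the address parser, but it will call anything made of digits and dots an IPv4 literal; `inet_pton()` is the check to use when the exact grammar matters.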
