From 82cf90789bd34622e2ae7b4584ff75214d1dea47 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 25 Sep 2014 13:34:00 -0700
Subject: [PATCH 13/14] Ticket #47880 - provide enabled ciphers as search
 result
Description: Implemented getEnabledCiphers, with which
  ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers
returns the enabled cipher list.  Example of returned enabled ciphers:
  dn: cn=encryption,cn=config
  nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
  nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
https://fedorahosted.org/389/ticket/47880
Reviewed by mreynolds@redhat.com (Thank you, Mark!)
(cherry picked from commit c675243e018a89291760161998944c04ea04b12f)
(cherry picked from commit 8de80533cbfdb22166f5595839307a6a6db5a636)
---
 ldap/servers/slapd/fedse.c | 14 +++++++++++++-
 ldap/servers/slapd/ssl.c   | 42 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
f92ce9
index 1ffa08d..1f455e5 100644
f92ce9
--- a/ldap/servers/slapd/fedse.c
f92ce9
+++ b/ldap/servers/slapd/fedse.c
f92ce9
@@ -76,6 +76,7 @@
f92ce9
 #endif  /* _WIN32 */
f92ce9
 
f92ce9
 extern char ** getSupportedCiphers();
f92ce9
+extern char ** getEnabledCiphers();
f92ce9
 
f92ce9
 /* Note: These DNs are no need to be normalized */
f92ce9
 static const char *internal_entries[] =
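Review bot: The added `extern char ** getEnabledCiphers();` declares a function with an unspecified parameter list, so the compiler cannot check calls against the definition; `extern char **getEnabledCiphers(void);` gives a real prototype. The definition added in ssl.c later in this patch uses the same empty parentheses and should be changed to `(void)` as well. This copies the style of the existing getSupportedCiphers() line above it, so both declarations could be fixed together, ideally by moving them into a shared header instead of file-local externs.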
f92ce9
@@ -1695,11 +1696,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
f92ce9
     struct berval           *vals[2];
f92ce9
     struct berval           val;
f92ce9
     char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */
f92ce9
+    char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */
f92ce9
     vals[0] = &val;
f92ce9
     vals[1] = NULL;
f92ce9
 
f92ce9
     attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");
f92ce9
-    while (*cipherList) /* iterarate thru each of them and add to the attr value */
f92ce9
+    while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */
f92ce9
     {
f92ce9
         char *cipher = *cipherList;
f92ce9
         val.bv_val = (char* ) cipher;
f92ce9
@@ -1708,6 +1710,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
f92ce9
         cipherList++;
f92ce9
     }
f92ce9
 
f92ce9
+    attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");
f92ce9
+    while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */
f92ce9
+    {
f92ce9
+        char *cipher = *enabledCipherList;
f92ce9
+        val.bv_val = (char* ) cipher;
f92ce9
+        val.bv_len = strlen ( val.bv_val );
f92ce9
+        attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);
f92ce9
+        enabledCipherList++;
f92ce9
+    }
f92ce9
+
f92ce9
     return SLAPI_DSE_CALLBACK_OK;
f92ce9
 }
f92ce9
 
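Review bot: getEnabledCiphers() returns NULL until the SSL listener is initialized (see its definition in ssl.c in this patch), so for a search issued before that point the attrlist_delete on "nsSSLEnabledCiphers" runs and the new while loop adds nothing back, leaving the entry silently without the attribute. If that is intended, say so at the loop, e.g. `/* NULL before SSL init: nsSSLEnabledCiphers is then absent, not empty */`; otherwise a log message at that point would make the condition visible to an administrator rather than looking like "no ciphers enabled". The copied loop comment also carries the existing "iterarate" typo. search_encryption begins before this hunk.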
f92ce9
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
f92ce9
index 28ff475..5f9916b 100644
f92ce9
--- a/ldap/servers/slapd/ssl.c
f92ce9
+++ b/ldap/servers/slapd/ssl.c
f92ce9
@@ -157,6 +157,7 @@ static char * configDN = "cn=encryption,cn=config";
f92ce9
 #define CIPHER_IS_WEAK          0x4
f92ce9
 #define CIPHER_IS_DEPRECATED    0x8
f92ce9
 static char **cipher_names = NULL;
f92ce9
+static char **enabled_cipher_names = NULL;
f92ce9
 typedef struct {
f92ce9
     char *name;
f92ce9
     int num;
f92ce9
@@ -265,7 +266,8 @@ slapd_SSL_warn(char *fmt, ...)
f92ce9
     va_end(args);
f92ce9
 }
f92ce9
 
f92ce9
-char ** getSupportedCiphers()
f92ce9
+char **
f92ce9
+getSupportedCiphers()
f92ce9
 {
f92ce9
 	SSLCipherSuiteInfo info;
f92ce9
 	char *sep = "::";
f92ce9
@@ -294,6 +296,44 @@ char ** getSupportedCiphers()
f92ce9
 	return cipher_names;
f92ce9
 }
f92ce9
 
f92ce9
+char **
f92ce9
+getEnabledCiphers()
f92ce9
+{
f92ce9
+    SSLCipherSuiteInfo info;
f92ce9
+    char *sep = "::";
f92ce9
+    int number_of_ciphers = 0;
f92ce9
+    int x;
f92ce9
+    int idx = 0;
f92ce9
+    PRBool enabled;
f92ce9
+
f92ce9
+    /* We have to wait until the SSL initialization is done. */
f92ce9
+    if (!slapd_ssl_listener_is_initialized()) {
f92ce9
+        return NULL;
f92ce9
+    }
f92ce9
+    if ((enabled_cipher_names == NULL) && _conf_ciphers) {
f92ce9
+        for (x = 0; _conf_ciphers[x].name; x++) {
f92ce9
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
f92ce9
+            if (enabled) {
f92ce9
+                number_of_ciphers++;
f92ce9
+            }
f92ce9
+        }
f92ce9
+        enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
f92ce9
+        for (x = 0; _conf_ciphers[x].name; x++) {
f92ce9
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
f92ce9
+            if (enabled) {
f92ce9
+                SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
f92ce9
+                enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
f92ce9
+                        _conf_ciphers[x].name,sep,
f92ce9
+                        info.symCipherName,sep,
f92ce9
+                        info.macAlgorithmName,sep,
f92ce9
+                        info.symKeyBits);
f92ce9
+            }
f92ce9
+        }
f92ce9
+    }
f92ce9
+
f92ce9
+    return enabled_cipher_names;
f92ce9
+}
f92ce9
+
f92ce9
 static PRBool
f92ce9
 cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
f92ce9
 {
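Review bot: `PRBool enabled;` is never initialized and the SECStatus returned by SSL_CipherPrefGetDefault() is ignored in both loops, so a failed lookup leaves `enabled` holding whatever it held before — indeterminate on the first iteration — and the same applies to `info` after an unchecked SSL_GetCipherSuiteInfo(), whose string fields then reach PR_smprintf. Initializing `enabled = PR_FALSE` and skipping an entry when either call does not return SECSuccess keeps the two loops consistent; because slapi_ch_calloc zero-fills the array, an entry skipped only in the second loop simply shortens the NULL-terminated list. Separately, enabled_cipher_names is a lazily built static cache with no locking, so if search_encryption can run on concurrent worker threads two callers may both see NULL and build it (leaking one copy), and it is never rebuilt if the enabled set changes after first use — presumably acceptable if cipher preferences are fixed at startup, but worth a comment on the static. The pattern mirrors the existing getSupportedCiphers(), which likely has the same issues.
```c
    PRBool enabled = PR_FALSE;
    /* … unchanged: init check; apply the same SECSuccess test in the counting loop … */
        for (x = 0; _conf_ciphers[x].name; x++) {
            enabled = PR_FALSE;
            if (SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled) != SECSuccess || !enabled) {
                continue;
            }
            if (SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num, &info, sizeof(info)) != SECSuccess) {
                continue; /* calloc'd array stays NULL-terminated */
            }
            enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
                    _conf_ciphers[x].name, sep,
                    info.symCipherName, sep,
                    info.macAlgorithmName, sep,
                    info.symKeyBits);
        }
```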
f92ce9
-- 
1.9.3