
From 0e32f3731887dbdf9c594a94fee693826f1a96de Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 23 Sep 2014 14:38:00 -0700
Subject: [PATCH 10/14] Ticket #47908 - 389-ds 1.3.3.0 does not adjust cipher
 suite configuration on upgrade, breaks itself and pki-server
Description:
In the given cipher list:
  nsSSL3Ciphers: +rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
   +rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5,
   +fortezza
there were 2 issues.
1) An old cipher suite name rsa_des_sha was not correctly mapped
   to the name supported by NSS (TLS_RSA_WITH_DES_CBC_SHA) in the
   mapping table. And the unsupported cipher name was not gracefully
   skipped but returned an error.  This patch fixes the mapped name
   and the behaviour so that it skips the unknown/unsupported cipher.
2) A cipher "fortezza" is deprecated.  It's now skipped with the
   proper warning message.
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
https://fedorahosted.org/389/ticket/47908
(cherry picked from commit 83a6ceb556e769f0d0a201f4a3d783ae3915c6bc)
(cherry picked from commit 4e347407887589635fe077fb6174d20d3d34c7c8)
---
 ldap/servers/slapd/ssl.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
f92ce9
index 03b5904..4e38308 100644
f92ce9
--- a/ldap/servers/slapd/ssl.c
f92ce9
+++ b/ldap/servers/slapd/ssl.c
f92ce9
@@ -172,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = {
f92ce9
     {"tls_rsa_3des_sha",                    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
f92ce9
     {"rsa_fips_3des_sha",                   "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
f92ce9
     {"fips_3des_sha",                       "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
f92ce9
-    {"rsa_des_sha",                         "SSL_RSA_WITH_DES_CBC_SHA"},
f92ce9
+    {"rsa_des_sha",                         "TLS_RSA_WITH_DES_CBC_SHA"},
f92ce9
     {"rsa_fips_des_sha",                    "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
f92ce9
     {"fips_des_sha",                        "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
f92ce9
     {"rsa_rc4_40_md5",                      "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
f92ce9
@@ -455,7 +455,7 @@ _conf_setciphers(char *ciphers, int flags)
f92ce9
     char *raw = ciphers;
f92ce9
     char **suplist = NULL;
f92ce9
     char **unsuplist = NULL;
f92ce9
-    int lookup;
f92ce9
+    PRBool enabledOne = PR_FALSE;
f92ce9
 
f92ce9
     /* #47838: harden the list of ciphers available by default */
f92ce9
     /* Default is to activate all of them ==> none of them*/
f92ce9
@@ -474,6 +474,7 @@ _conf_setciphers(char *ciphers, int flags)
f92ce9
          * from the console
f92ce9
          */
f92ce9
         _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
f92ce9
+        enabledOne = PR_TRUE;
f92ce9
     } else {
f92ce9
         /* If "+all" is not in nsSSL3Ciphers value, disable all first,
f92ce9
          * then enable specified ciphers. */
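Review bot: `enabledOne` is set to PR_TRUE unconditionally right after the `_conf_setallciphers(CIPHER_SET_ALL|...)` call, so the "No active cipher suite is available" check this patch adds at the end of the function can never fire on the "+all" path, even if that helper ends up enabling nothing (its weak-cipher and FIPS filtering is outside this hunk, so whether that can happen is not visible here). If `suplist` is filled with the suites that were actually enabled, deriving the flag from it would be more faithful, e.g. `enabledOne = (suplist && *suplist) ? PR_TRUE : PR_FALSE;`. The enclosing `_conf_setciphers` starts before and continues past this hunk.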
f92ce9
@@ -499,7 +500,7 @@ _conf_setciphers(char *ciphers, int flags)
f92ce9
 
f92ce9
         if (strcasecmp(ciphers, "all")) { /* if not all */
f92ce9
             PRBool enabled = active ? PR_TRUE : PR_FALSE;
f92ce9
-            lookup = 1;
f92ce9
+            int lookup = 1;
f92ce9
             for (x = 0; _conf_ciphers[x].name; x++) {
f92ce9
                 if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
f92ce9
                     if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
f92ce9
@@ -558,6 +559,9 @@ _conf_setciphers(char *ciphers, int flags)
f92ce9
                                         enabled = cipher_check_fips(x, NULL, &unsuplist);
f92ce9
                                     }
f92ce9
                                 }
f92ce9
+                                if (enabled) {
f92ce9
+                                    enabledOne = PR_TRUE; /* At least one active cipher is set. */
f92ce9
+                                }
f92ce9
                                 SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
f92ce9
                                 break;
f92ce9
                             }
f92ce9
@@ -566,15 +570,14 @@ _conf_setciphers(char *ciphers, int flags)
f92ce9
                     }
f92ce9
                 }
f92ce9
             }
f92ce9
-            if(!_conf_ciphers[x].name) {
f92ce9
-                PR_snprintf(err, sizeof(err), "unknown cipher %s", ciphers);
f92ce9
-                slapi_ch_free((void **)&suplist); /* strings inside are static */
f92ce9
-                slapi_ch_free((void **)&unsuplist); /* strings inside are static */
f92ce9
-                return slapi_ch_strdup(err);
f92ce9
+            if (!lookup && !_conf_ciphers[x].name) { /* If lookup, it's already reported. */
f92ce9
+                slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d.  Ignoring %s",
f92ce9
+                               ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
f92ce9
             }
f92ce9
         }
f92ce9
-        if(t)
f92ce9
+        if(t) {
f92ce9
             ciphers = t;
f92ce9
+        }
f92ce9
     }
f92ce9
     if (unsuplist && *unsuplist) {
f92ce9
         char *strsup = charray2str(suplist, ",");
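Review bot: The new warning on the `!lookup && !_conf_ciphers[x].name` branch prints `ciphers` twice and does not say that startup continues with a reduced suite set; since an unrecognised entry now degrades the configured list instead of failing configuration, the operator's only other signal is the `_conf_dumpciphers()` output at the end of the function, so the message should be explicit. Suggest `slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d; ignoring it and continuing with the remaining suites", ciphers, NSS_VMAJOR, NSS_VMINOR);`. The guard also depends on how `lookup` is cleared inside the loop, which is outside this hunk, and the `/* If lookup, it's already reported. */` comment does not say what the flag tracks; a one-line comment at the `int lookup = 1;` declaration, e.g. `/* 1 until a matching _conf_ciphers entry has been handled and logged */` (confirm against the loop body), would make the condition readable. `_conf_setciphers` begins before and continues past this hunk.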
f92ce9
@@ -592,6 +595,10 @@ _conf_setciphers(char *ciphers, int flags)
f92ce9
     slapi_ch_free((void **)&suplist); /* strings inside are static */
f92ce9
     slapi_ch_free((void **)&unsuplist); /* strings inside are static */
f92ce9
 
f92ce9
+    if (!enabledOne) {
f92ce9
+        char *nocipher = PR_smprintf("No active cipher suite is available.");
f92ce9
+        return nocipher;
f92ce9
+    }
f92ce9
     _conf_dumpciphers();
f92ce9
         
f92ce9
     return NULL;
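Review bot: The new early return hands the caller a string allocated by `PR_smprintf`, whereas the error path this patch removes used `slapi_ch_strdup`; unless the caller is known to release the result with `PR_smprintf_free`, this mixes allocators and the eventual free is wrong. Since the message has no format arguments, `return slapi_ch_strdup("No active cipher suite is available.");` keeps the allocation convention of the path it replaces. The return sits after `suplist`/`unsuplist` are freed, so it leaks nothing, and skipping `_conf_dumpciphers()` is harmless when nothing is enabled. The enclosing function continues outside the hunk.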
-- 
1.9.3