zrhoffman / rpms / 389-ds-base

Forked from rpms/389-ds-base 3 years ago
Clone
Blob Blame History Raw
From dd2dc9218ec91589f03c89f4f38fe2927bf5e3ab Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 10 Sep 2014 18:56:43 -0700
Subject: [PATCH 6/7] Ticket #47895 - If no effective ciphers are available,
 disable security setting.

Description: If nsslapd-security is "on" and nsSSL3Ciphers is given
AND none of the ciphers are available or some syntax error is detected,
the server sets nsslapd-security "off" and starts up.

https://fedorahosted.org/389/ticket/47895

Reviewed by nkinder@redhat.com (Thank you, Nathan!!)

(cherry picked from commit 0f1a203a0fe85f3cf0440006685f63409502f093)
(cherry picked from commit cad5b96507caf9e08a12285c52d0353f8e6dcc3b)
---
 ldap/servers/slapd/main.c | 42 ++++++++++++++++++++++++++++++------------
 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index d577514..6bad2a0 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -3077,6 +3077,24 @@ slapd_debug_level_usage( void )
 }
 #endif /* LDAP_DEBUG */
 
+static int
+force_to_disable_security(const char *what, int *init_ssl, daemon_ports_t *ports_info)
+{
+	char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+	errorbuf[0] = '\0';
+
+    LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: %s Initialization Failed.  Disabling %s.\n", what, what);
+    ports_info->s_socket = SLAPD_INVALID_SOCKET;
+    ports_info->s_port = 0;
+    *init_ssl = 0;
+    if (config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)) {
+        LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: Failed to disable %s: \"%s\".\n", 
+                       CONFIG_SECURITY_ATTRIBUTE, errorbuf[0]?errorbuf:"no error message");
+        return 1;
+    }
+	return 0;
+}
+
 /*
   This function does all NSS and SSL related initialization
   required during startup.  We use this function rather
@@ -3113,20 +3131,20 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
 	 * modules can assume NSS is available
 	 */
 	if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
-                        (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
-        LDAPDebug(LDAP_DEBUG_ANY,
-                  "ERROR: NSS Initialization Failed.\n", 0, 0, 0);
-        return 1;
+	                    (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
+	    if (force_to_disable_security("NSS", &init_ssl, ports_info)) {
+	        return 1;
+	    }
 	}
 
 	if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
         client_auth_init();
 	}
 
-	if ( init_ssl && ( 0 != slapd_ssl_init())) {
-		LDAPDebug(LDAP_DEBUG_ANY,
-                  "ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
-		return 1;
+	if (init_ssl && slapd_ssl_init()) {
+	    if (force_to_disable_security("SSL", &init_ssl, ports_info)) {
+	        return 1;
+	    }
 	}
 
 	if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
@@ -3134,10 +3152,10 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
 		if ( init_ssl ) {
 			PRFileDesc **sock;
 			for (sock = ports_info->s_socket; sock && *sock; sock++) {
-				if ( 0 != slapd_ssl_init2(sock, 0) ) {
-					LDAPDebug(LDAP_DEBUG_ANY,
-                              "ERROR: SSL Initialization phase 2 Failed.\n", 0, 0, 0 );
-					return 1;
+				if ( slapd_ssl_init2(sock, 0) ) {
+				    if (force_to_disable_security("SSL2", &init_ssl, ports_info)) {
+				        return 1;
+				    }
 				}
 			}
 		}
-- 
1.9.3