zrhoffman / rpms / 389-ds-base

Forked from rpms/389-ds-base 3 years ago
Clone
Blob Blame History Raw
From 82cf90789bd34622e2ae7b4584ff75214d1dea47 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 25 Sep 2014 13:34:00 -0700
Subject: [PATCH 13/14] Ticket #47880 - provide enabled ciphers as search
 result

Description: Implemented getEnabledCiphers, with which
  ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers
returns enabled cipher list.  Example of returned enabled cipher
  dn: cn=encryption,cn=config
  nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
  nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192

https://fedorahosted.org/389/ticket/47880

Reviewed by mreynolds@redhat.com (Thank you, Mark!)

(cherry picked from commit c675243e018a89291760161998944c04ea04b12f)
(cherry picked from commit 8de80533cbfdb22166f5595839307a6a6db5a636)
---
 ldap/servers/slapd/fedse.c | 14 +++++++++++++-
 ldap/servers/slapd/ssl.c   | 42 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 1ffa08d..1f455e5 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -76,6 +76,7 @@
 #endif  /* _WIN32 */
 
 extern char ** getSupportedCiphers();
+extern char ** getEnabledCiphers();
 
 /* Note: These DNs are no need to be normalized */
 static const char *internal_entries[] =
@@ -1695,11 +1696,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
     struct berval           *vals[2];
     struct berval           val;
     char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */
+    char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */
     vals[0] = &val;
     vals[1] = NULL;
 
     attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");
-    while (*cipherList) /* iterarate thru each of them and add to the attr value */
+    while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */
     {
         char *cipher = *cipherList;
         val.bv_val = (char* ) cipher;
@@ -1708,6 +1710,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
         cipherList++;
     }
 
+    attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");
+    while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */
+    {
+        char *cipher = *enabledCipherList;
+        val.bv_val = (char* ) cipher;
+        val.bv_len = strlen ( val.bv_val );
+        attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);
+        enabledCipherList++;
+    }
+
     return SLAPI_DSE_CALLBACK_OK;
 }
 
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 28ff475..5f9916b 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -157,6 +157,7 @@ static char * configDN = "cn=encryption,cn=config";
 #define CIPHER_IS_WEAK          0x4
 #define CIPHER_IS_DEPRECATED    0x8
 static char **cipher_names = NULL;
+static char **enabled_cipher_names = NULL;
 typedef struct {
     char *name;
     int num;
@@ -265,7 +266,8 @@ slapd_SSL_warn(char *fmt, ...)
     va_end(args);
 }
 
-char ** getSupportedCiphers()
+char **
+getSupportedCiphers()
 {
 	SSLCipherSuiteInfo info;
 	char *sep = "::";
@@ -294,6 +296,44 @@ char ** getSupportedCiphers()
 	return cipher_names;
 }
 
+char **
+getEnabledCiphers()
+{
+    SSLCipherSuiteInfo info;
+    char *sep = "::";
+    int number_of_ciphers = 0;
+    int x;
+    int idx = 0;
+    PRBool enabled;
+
+    /* We have to wait until the SSL initialization is done. */
+    if (!slapd_ssl_listener_is_initialized()) {
+        return NULL;
+    }
+    if ((enabled_cipher_names == NULL) && _conf_ciphers) {
+        for (x = 0; _conf_ciphers[x].name; x++) {
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+            if (enabled) {
+                number_of_ciphers++;
+            }
+        }
+        enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
+        for (x = 0; _conf_ciphers[x].name; x++) {
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+            if (enabled) {
+                SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
+                enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+                        _conf_ciphers[x].name,sep,
+                        info.symCipherName,sep,
+                        info.macAlgorithmName,sep,
+                        info.symKeyBits);
+            }
+        }
+    }
+
+    return enabled_cipher_names;
+}
+
 static PRBool
 cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
 {
-- 
1.9.3