From afffe2dde82708b7c4837d5823cbb624a143dd7d Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 25 Sep 2014 13:38:03 -0700
Subject: [PATCH 11/14] Ticket #47838 - harden the list of ciphers available by
 default (phase 2)
Description:
1) By default (i.e., no explicit allowWeakCipher set in cn=encryption,cn=config),
   allowWeakCipher is on for user specified cipher list
   allowWeakCipher is off for "+all" and "default"
2) Fixed enabled allowWeakCipher (explicitly set "on" to it) is
   applied to "+all" and "default".
3) If an invalid value is set to allowWeakCipher, this message is
   logged in the error log and the value is reset to the default.
     SSL alert: The value of allowWeakCipher "poor" in cn=encryption,
     cn=config is invalid. Ignoring it and set it to default.
https://fedorahosted.org/389/ticket/47838
Reviewed by tbordaz@redhat.com (Thank you, Thierry!)
(cherry picked from commit c6febe325a1b5a0e4f7e7e59bcc076c9e4a3b825)
(cherry picked from commit 411ca8f1cc5aade2fbe7d9f91aff8c658f5e8248)
---
 ldap/servers/slapd/ssl.c | 60 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 44 insertions(+), 16 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 4e38308..28ff475 100644
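--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -120,18 +120,34 @@ static char * configDN = "cn=encryption,cn=config";
 
 /* ----------------------- Multiple cipher support ------------------------ */
 /* cipher set flags */
-#define CIPHER_SET_ALL             0x1
-#define CIPHER_SET_NONE            0x0
-#define CIPHER_SET_DEFAULT         0x2
-#define CIPHER_SET_CORE            (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
-#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
+#define CIPHER_SET_NONE               0x0
+#define CIPHER_SET_ALL                0x1
+#define CIPHER_SET_DEFAULT            0x2
+#define CIPHER_SET_DEFAULTWEAKCIPHER  0x10 /* allowWeakCipher is not set in cn=encryption */
+#define CIPHER_SET_ALLOWWEAKCIPHER    0x20 /* allowWeakCipher is on */
+#define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
 
 #define CIPHER_SET_ISDEFAULT(flag) \
-  ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
+  (((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
 #define CIPHER_SET_ISALL(flag) \
-  ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
-#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+  (((flag)&CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
+
+#define ALLOWWEAK_ISDEFAULT(flag) \
+  (((flag)&CIPHER_SET_DEFAULTWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define ALLOWWEAK_ISON(flag) \
   (((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define ALLOWWEAK_ISOFF(flag) \
+  (((flag)&CIPHER_SET_DISALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+/*
+ * If ISALL or ISDEFAULT, allowWeakCipher is true only if CIPHER_SET_ALLOWWEAKCIPHER.
+ * Otherwise (user specified cipher list), allowWeakCipher is true 
+ * if CIPHER_SET_ALLOWWEAKCIPHER or CIPHER_SET_DEFAULTWEAKCIPHER.
+ */
+#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+  ((CIPHER_SET_ISDEFAULT(flag)|CIPHER_SET_ISALL(flag)) ? \
+   (ALLOWWEAK_ISON(flag) ? PR_TRUE : PR_FALSE) : \
+   (!ALLOWWEAK_ISOFF(flag) ? PR_TRUE : PR_FALSE))
+
 #define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
   ((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
 
@@ -460,7 +476,7 @@ _conf_setciphers(char *ciphers, int flags)
     /* #47838: harden the list of ciphers available by default */
     /* Default is to activate all of them ==> none of them*/
     if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
-        _conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
+        _conf_setallciphers((CIPHER_SET_DEFAULT|flags), NULL, NULL);
         slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
         _conf_dumpciphers();
         return NULL;
@@ -473,7 +489,7 @@ _conf_setciphers(char *ciphers, int flags)
          * set of ciphers in the table. Right now there is no support for this
          * from the console
          */
-        _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
+        _conf_setallciphers((CIPHER_SET_ALL|flags), &suplist, NULL);
         enabledOne = PR_TRUE;
     } else {
         /* If "+all" is not in nsSSL3Ciphers value, disable all first,
@@ -504,7 +520,7 @@ _conf_setciphers(char *ciphers, int flags)
             for (x = 0; _conf_ciphers[x].name; x++) {
                 if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
                     if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
-                        if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+                        if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) { 
                             slapd_SSL_warn("Cipher %s is weak.  It is enabled since allowWeakCipher is \"on\" "
                                            "(default setting for the backward compatibility). "
                                            "We strongly recommend to set it to \"off\".  "
@@ -522,6 +538,9 @@ _conf_setciphers(char *ciphers, int flags)
                            check fips. */
                         enabled = cipher_check_fips(x, NULL, &unsuplist);
                     }
+                    if (enabled) {
+                        enabledOne = PR_TRUE; /* At least one active cipher is set. */
+                    }
                     SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
                     lookup = 0;
                     break;
@@ -539,7 +558,7 @@ _conf_setciphers(char *ciphers, int flags)
                             if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
                                 if (enabled) {
                                     if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
-                                        if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+                                        if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
                                             slapd_SSL_warn("Cipher %s is weak. "
                                                            "It is enabled since allowWeakCipher is \"on\" "
                                                            "(default setting for the backward compatibility). "
@@ -1065,7 +1084,7 @@ slapd_ssl_init()
     int rv = 0;
     PK11SlotInfo *slot;
     Slapi_Entry *entry = NULL;
-    int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+    int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
 
     /* Get general information */
 
@@ -1105,9 +1124,18 @@ slapd_ssl_init()
     }
 
     val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
-    if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
-                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
-        allowweakcipher = 0;
+    if (val) {
+        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
+                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+            allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
+        } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || 
+                !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+            allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+        } else {
+            slapd_SSL_warn("The value of allowWeakCipher \"%s\" in "
+                           "cn=encryption,cn=config is invalid. "
+                           "Ignoring it and set it to default.", val);
+        }
     }
     slapi_ch_free((void **) &val;;
  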
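Review bot: In the last hunk (slapd_ssl_init), an unrecognised allowWeakCipher value only logs a warning and leaves `allowweakcipher` at `CIPHER_SET_DEFAULTWEAKCIPHER`, which the new `CIPHER_SET_ALLOWSWEAKCIPHER` macro treats as "weak ciphers allowed" whenever the cipher list is user-specified (`!ALLOWWEAK_ISOFF(flag)`). A mistyped attempt to switch the setting off therefore fails open for that configuration, and the only signal is a log line saying "set it to default" without stating what the default permits. Consider failing closed in the `else` branch with `allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;`, or at minimum have the warning state the effective result (weak ciphers remain enabled for an explicit cipher list). slapd_ssl_init's body starts and ends outside the hunk, so how `allowweakcipher` reaches `_conf_setciphers` is not visible here.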
-- 
1.9.3