From 82cf90789bd34622e2ae7b4584ff75214d1dea47 Mon Sep 17 00:00:00 2001

From: Noriko Hosoi <nhosoi@redhat.com>

Date: Thu, 25 Sep 2014 13:34:00 -0700

Subject: [PATCH 13/14] Ticket #47880 - provide enabled ciphers as search

 result

Description: Implemented getEnabledCiphers, with which

  ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers

returns enabled cipher list.  Example of returned enabled cipher

  dn: cn=encryption,cn=config

  nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128

  nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192

https://fedorahosted.org/389/ticket/47880

Reviewed by mreynolds@redhat.com (Thank you, Mark!)

(cherry picked from commit c675243e018a89291760161998944c04ea04b12f)

(cherry picked from commit 8de80533cbfdb22166f5595839307a6a6db5a636)

---

 ldap/servers/slapd/fedse.c | 14 +++++++++++++-

 ldap/servers/slapd/ssl.c   | 42 +++++++++++++++++++++++++++++++++++++++++-

 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c

index 1ffa08d..1f455e5 100644

--- a/ldap/servers/slapd/fedse.c

+++ b/ldap/servers/slapd/fedse.c

@@ -76,6 +76,7 @@

 #endif  /* _WIN32 */

 extern char ** getSupportedCiphers();

+extern char ** getEnabledCiphers();

 /* Note: These DNs are no need to be normalized */

 static const char *internal_entries[] =

@@ -1695,11 +1696,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter

     struct berval           *vals[2];

     struct berval           val;

     char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */

+    char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */

     vals[0] = &val;

     vals[1] = NULL;

     attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");

-    while (*cipherList) /* iterarate thru each of them and add to the attr value */

+    while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */

     {

         char *cipher = *cipherList;

         val.bv_val = (char* ) cipher;

@@ -1708,6 +1710,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter

         cipherList++;

     }

+    attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");

+    while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */

+    {

+        char *cipher = *enabledCipherList;

+        val.bv_val = (char* ) cipher;

+        val.bv_len = strlen ( val.bv_val );

+        attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);

+        enabledCipherList++;

+    }

+

     return SLAPI_DSE_CALLBACK_OK;

 }

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c

index 28ff475..5f9916b 100644

--- a/ldap/servers/slapd/ssl.c

+++ b/ldap/servers/slapd/ssl.c

@@ -157,6 +157,7 @@ static char * configDN = "cn=encryption,cn=config";

 #define CIPHER_IS_WEAK          0x4

 #define CIPHER_IS_DEPRECATED    0x8

 static char **cipher_names = NULL;

+static char **enabled_cipher_names = NULL;

 typedef struct {

     char *name;

     int num;

@@ -265,7 +266,8 @@ slapd_SSL_warn(char *fmt, ...)

     va_end(args);

 }

-char ** getSupportedCiphers()

+char **

+getSupportedCiphers()

 {

 	SSLCipherSuiteInfo info;

 	char *sep = "::";

@@ -294,6 +296,44 @@ char ** getSupportedCiphers()

 	return cipher_names;

 }

+char **

+getEnabledCiphers()

+{

+    SSLCipherSuiteInfo info;

+    char *sep = "::";

+    int number_of_ciphers = 0;

+    int x;

+    int idx = 0;

+    PRBool enabled;

+

+    /* We have to wait until the SSL initialization is done. */

+    if (!slapd_ssl_listener_is_initialized()) {

+        return NULL;

+    }

+    if ((enabled_cipher_names == NULL) && _conf_ciphers) {

+        for (x = 0; _conf_ciphers[x].name; x++) {

+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);

+            if (enabled) {

+                number_of_ciphers++;

+            }

+        }

+        enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));

+        for (x = 0; _conf_ciphers[x].name; x++) {

+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);

+            if (enabled) {

+                SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));

+                enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",

+                        _conf_ciphers[x].name,sep,

+                        info.symCipherName,sep,

+                        info.macAlgorithmName,sep,

+                        info.symKeyBits);

+            }

+        }

+    }

+

+    return enabled_cipher_names;

+}

+

 static PRBool

 cipher_check_fips(int idx, char ***suplist, char ***unsuplist)

 {

-- 

1.9.3