Blame SOURCES/0073-Ticket-48194-nsSSL3Ciphers-preference-not-enforced-s.patch

df9752
From 413ac674d497a981b30bdc81b47ea2bb3e14ad57 Mon Sep 17 00:00:00 2001
df9752
From: Noriko Hosoi <nhosoi@redhat.com>
df9752
Date: Thu, 11 Jun 2015 22:25:14 -0700
df9752
Subject: [PATCH] Ticket #48194 - nsSSL3Ciphers preference not enforced server
df9752
 side
df9752
df9752
Description: The fix for ticket 47838 accidentally changed the timing
df9752
of setting default cipher preferences and creating a sslSocket which
df9752
broke setting the default preferences to each sslSocket.
df9752
df9752
https://fedorahosted.org/389/ticket/48194
df9752
df9752
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
df9752
df9752
(cherry picked from commit 53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c)
df9752
(cherry picked from commit 99109e38ca671951c50724018fce71e2e362f0ff)
df9752
---
df9752
 ldap/servers/slapd/ssl.c | 97 +++++++++++++++++++++++++-----------------------
df9752
 1 file changed, 50 insertions(+), 47 deletions(-)
df9752
df9752
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
df9752
index 6b51e0c..36a4788 100644
df9752
--- a/ldap/servers/slapd/ssl.c
df9752
+++ b/ldap/servers/slapd/ssl.c
df9752
@@ -1342,9 +1342,6 @@ slapd_ssl_init()
df9752
         freeConfigEntry( &entry );
df9752
     }
df9752
 
df9752
-    /* ugaston- Cipher preferences must be set before any sslSocket is created
df9752
-     * for such sockets to take preferences into account.
df9752
-     */
df9752
     freeConfigEntry( &entry );
df9752
  
df9752
     /* Introduce a way of knowing whether slapd_ssl_init has
df9752
@@ -1590,6 +1587,45 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
df9752
 
df9752
     errorbuf[0] = '\0';
df9752
 
df9752
+    /*
df9752
+     * Cipher preferences must be set before any sslSocket is created
df9752
+     * for such sockets to take preferences into account.
df9752
+     */
df9752
+    getConfigEntry(configDN, &e);
df9752
+    if (e == NULL) {
df9752
+        slapd_SSL_warn("Security Initialization: Failed get config entry %s", configDN);
df9752
+        return 1;
df9752
+    }
df9752
+    val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
df9752
+    if (val) {
df9752
+        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
df9752
+                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
df9752
+            allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
df9752
+        } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || 
df9752
+                !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
df9752
+            allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
df9752
+        } else {
df9752
+            slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
df9752
+                           "Ignoring it and set it to default.", val, configDN);
df9752
+        }
df9752
+    }
df9752
+    slapi_ch_free((void **) &val;;
df9752
+
df9752
+    /* Set SSL cipher preferences */
df9752
+    *cipher_string = 0;
df9752
+    if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
df9752
+         PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
df9752
+    slapi_ch_free((void **) &ciphers);
df9752
+
df9752
+    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
df9752
+        errorCode = PR_GetError();
df9752
+        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
df9752
+            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
df9752
+            val, errorCode, slapd_pr_strerror(errorCode));
df9752
+        slapi_ch_free((void **) &val;;
df9752
+    }
df9752
+    freeConfigEntry(&e);
df9752
+
df9752
     /* Import pr fd into SSL */
df9752
     pr_sock = SSL_ImportFD( NULL, sock );
df9752
     if( pr_sock == (PRFileDesc *)NULL ) {
df9752
@@ -1632,8 +1668,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
df9752
         slapd_pk11_setSlotPWValues(slot, 0, 0);
df9752
     }
df9752
 
df9752
-
df9752
-
df9752
     /*
df9752
      * Now, get the complete list of cipher families. Each family
df9752
      * has a token name and personality name which we'll use to find
df9752
@@ -1816,9 +1850,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
df9752
             "out of disk space! Make more room in /tmp "
df9752
             "and try again. (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
df9752
             errorCode, slapd_pr_strerror(errorCode));
df9752
-      }
df9752
-      else {
df9752
-    slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
df9752
+      } else {
df9752
+        slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
df9752
             errorCode, slapd_pr_strerror(errorCode));
df9752
       }
df9752
       return rv;
df9752
@@ -1985,36 +2018,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
df9752
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
df9752
     }
df9752
 #endif
df9752
-    val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
df9752
-    if (val) {
df9752
-        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
df9752
-                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
df9752
-            allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
df9752
-        } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || 
df9752
-                !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
df9752
-            allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
df9752
-        } else {
df9752
-            slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
df9752
-                           "Ignoring it and set it to default.", val, configDN);
df9752
-        }
df9752
-    }
df9752
-    slapi_ch_free((void **) &val;;
df9752
-
df9752
-    /* Set SSL cipher preferences */
df9752
-    *cipher_string = 0;
df9752
-    if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
df9752
-         PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
df9752
-    slapi_ch_free((void **) &ciphers);
df9752
-
df9752
-    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
df9752
-        errorCode = PR_GetError();
df9752
-        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
df9752
-            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
df9752
-            val, errorCode, slapd_pr_strerror(errorCode));
df9752
-        rv = 3;
df9752
-        slapi_ch_free((void **) &val;;
df9752
-    }
df9752
-
df9752
     freeConfigEntry( &e );
df9752
 
df9752
     if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {
df9752
@@ -2059,17 +2062,17 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
df9752
 /* richm 20020227
df9752
    To do LDAP client SSL init, we need to do
df9752
 
df9752
-	static void
df9752
-	ldapssl_basic_init( void )
df9752
-	{
df9752
-    	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
df9752
+    static void
df9752
+    ldapssl_basic_init( void )
df9752
+    {
df9752
+        PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
df9752
 
df9752
-    	PR_SetConcurrency( 4 );
df9752
-	}
df9752
+        PR_SetConcurrency( 4 );
df9752
+    }
df9752
     NSS_Init(certdbpath);
df9752
     SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE);
df9752
-	SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
df9752
-	s = NSS_SetDomesticPolicy(); 
df9752
+    SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
df9752
+    s = NSS_SetDomesticPolicy(); 
df9752
 We already do pr_init, we don't need pr_setconcurrency, we already do nss_init and the rest
df9752
 
df9752
 */   
df9752
@@ -2095,7 +2098,7 @@ slapd_SSL_client_auth (LDAP* ld)
df9752
         char **family;
df9752
         char *personality = NULL;
df9752
         char *activation = NULL;
df9752
-		char *cipher = NULL;
df9752
+        char *cipher = NULL;
df9752
 
df9752
         for (family = family_list; *family; family++) {
df9752
             getConfigEntry( *family, &entry );
df9752
-- 
df9752
1.9.3
df9752