From afffe2dde82708b7c4837d5823cbb624a143dd7d Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Thu, 25 Sep 2014 13:38:03 -0700 Subject: [PATCH 11/14] Ticket #47838 - harden the list of ciphers available by default (phase 2) Description: 1) By default (i.e., no explicit allowWeakCipher set in cn=encryption,cn=config), allowWeakCipher is on for user specified cipher list allowWeakCipher is off for "+all" and "default" 2) Fixed enabled allowWeakCipher (explicitly set "on" to it) is applied to "+all" and "default". 3) If an invalid value is set to allowWeakCipher, this message is logged in the error log and set it to the default value. SSL alert: The value of allowWeakCipher "poor" in cn=encryption, cn=config is invalid. Ignoring it and set it to default. https://fedorahosted.org/389/ticket/47838 Reviewed by tbordaz@redhat.com (Thank you, Thierry!) (cherry picked from commit c6febe325a1b5a0e4f7e7e59bcc076c9e4a3b825) (cherry picked from commit 411ca8f1cc5aade2fbe7d9f91aff8c658f5e8248)
---
 ldap/servers/slapd/ssl.c | 60 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 16 deletions(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 4e38308..28ff475 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -120,18 +120,34 @@ static char * configDN = "cn=encryption,cn=config";
 /* ----------------------- Multiple cipher support ------------------------ */
 /* cipher set flags */
-#define CIPHER_SET_ALL 0x1
-#define CIPHER_SET_NONE 0x0
-#define CIPHER_SET_DEFAULT 0x2
-#define CIPHER_SET_CORE (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
-#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
+#define CIPHER_SET_NONE 0x0
+#define CIPHER_SET_ALL 0x1
+#define CIPHER_SET_DEFAULT 0x2
+#define CIPHER_SET_DEFAULTWEAKCIPHER 0x10 /* allowWeakCipher is not set in cn=encryption */
+#define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */
+#define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
 #define CIPHER_SET_ISDEFAULT(flag) \
- ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
+ (((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
 #define CIPHER_SET_ISALL(flag) \
- ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
-#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+ (((flag)&CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
+
+#define ALLOWWEAK_ISDEFAULT(flag) \
+ (((flag)&CIPHER_SET_DEFAULTWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define ALLOWWEAK_ISON(flag) \
 (((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define ALLOWWEAK_ISOFF(flag) \
+ (((flag)&CIPHER_SET_DISALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+/*
+ * If ISALL or ISDEFAULT, allowWeakCipher is true only if CIPHER_SET_ALLOWWEAKCIPHER.
+ * Otherwise (user specified cipher list), allowWeakCipher is true
+ * if CIPHER_SET_ALLOWWEAKCIPHER or CIPHER_SET_DEFAULTWEAKCIPHER.
+ */
+#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+ ((CIPHER_SET_ISDEFAULT(flag)|CIPHER_SET_ISALL(flag)) ? \
+ (ALLOWWEAK_ISON(flag) ? PR_TRUE : PR_FALSE) : \
+ (!ALLOWWEAK_ISOFF(flag) ? PR_TRUE : PR_FALSE))
+
 #define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
 ((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
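Review bot: In `CIPHER_SET_ALLOWSWEAKCIPHER`, the user-specified-list branch tests `!ALLOWWEAK_ISOFF(flag)`, so a `flags` value carrying none of the three weak-cipher bits (for example a caller still passing 0, which meant "off" before this change) permits weak ciphers, while the comment above the macro says that branch is true only for `CIPHER_SET_ALLOWWEAKCIPHER` or `CIPHER_SET_DEFAULTWEAKCIPHER`. Writing the branch as the comment states it fails closed: `((ALLOWWEAK_ISON(flag) || ALLOWWEAK_ISDEFAULT(flag)) ? PR_TRUE : PR_FALSE)`. `CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER` still clears only the 0x20 bit and leaves `CIPHER_SET_DEFAULTWEAKCIPHER` set, so it no longer switches weak ciphers off for a user list; both of its uses in `_conf_setciphers` are dropped by this patch, so it looks like dead code to remove or update. The condition also joins two PRBool results with `|`, where `||` would state the intent more clearly.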
@@ -460,7 +476,7 @@ _conf_setciphers(char *ciphers, int flags)
 /* #47838: harden the list of ciphers available by default */
 /* Default is to activate all of them ==> none of them*/
 if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
- _conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
+ _conf_setallciphers((CIPHER_SET_DEFAULT|flags), NULL, NULL);
 slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
 _conf_dumpciphers();
 return NULL;
@@ -473,7 +489,7 @@ _conf_setciphers(char *ciphers, int flags)
 * set of ciphers in the table. Right now there is no support for this
 * from the console */
- _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
+ _conf_setallciphers((CIPHER_SET_ALL|flags), &suplist, NULL);
 enabledOne = PR_TRUE;
 } else {
 /* If "+all" is not in nsSSL3Ciphers value, disable all first,
@@ -504,7 +520,7 @@ _conf_setciphers(char *ciphers, int flags)
 for (x = 0; _conf_ciphers[x].name; x++) {
 if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
 if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
- if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+ if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
 slapd_SSL_warn("Cipher %s is weak. It is enabled since allowWeakCipher is \"on\" "
 "(default setting for the backward compatibility). "
 "We strongly recommend to set it to \"off\". "
@@ -522,6 +538,9 @@ _conf_setciphers(char *ciphers, int flags)
 check fips. */
 enabled = cipher_check_fips(x, NULL, &unsuplist);
 }
+ if (enabled) {
+ enabledOne = PR_TRUE; /* At least one active cipher is set. */
+ }
 SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
 lookup = 0;
 break;
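Review bot: The `_conf_setallciphers((CIPHER_SET_DEFAULT|flags), NULL, NULL)` call, and the matching `CIPHER_SET_ALL|flags` call in the next hunk, now pass `flags` through unmasked, while `CIPHER_SET_ISDEFAULT` and `CIPHER_SET_ISALL` became plain bit tests in this patch. If a caller ever hands in a `flags` value that already carries `CIPHER_SET_ALL` or `CIPHER_SET_DEFAULT`, both predicates would be true at once and the weak-cipher decision would follow the "+all"/"default" branch. The only caller visible in this patch passes a single weak-cipher bit, so this is a contract to document rather than a live defect. I would state it above `_conf_setciphers`, e.g. `/* flags: exactly one of CIPHER_SET_{DEFAULT,ALLOW,DISALLOW}WEAKCIPHER; the set selector is OR'ed in here */`. The function body starts and ends outside these hunks.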
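Review bot: In the hunk at new line 538, `enabledOne` is set from `enabled` before `SSL_CipherPrefSetDefault()` is called, and that call's status is not checked, so the flag can record "at least one active cipher" for a cipher that NSS did not actually enable. Checking the status first keeps the flag accurate: `if (SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled) == SECSuccess && enabled) { enabledOne = PR_TRUE; }`. How `enabledOne` is consumed lies outside the hunk, so it is worth confirming that a false positive there cannot mask a configuration in which no cipher ends up enabled.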
@@ -539,7 +558,7 @@ _conf_setciphers(char *ciphers, int flags)
 if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
 if (enabled) {
 if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
- if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+ if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
 slapd_SSL_warn("Cipher %s is weak. "
 "It is enabled since allowWeakCipher is \"on\" "
 "(default setting for the backward compatibility). "
@@ -1065,7 +1084,7 @@ slapd_ssl_init()
 int rv = 0;
 PK11SlotInfo *slot;
 Slapi_Entry *entry = NULL;
- int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+ int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
 /* Get general information */
@@ -1105,9 +1124,18 @@ slapd_ssl_init()
 }
 val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
- if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
- !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
- allowweakcipher = 0;
+ if (val) {
+ if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+ allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
+ } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
+ !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+ allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+ } else {
+ slapd_SSL_warn("The value of allowWeakCipher \"%s\" in "
+ "cn=encryption,cn=config is invalid. "
+ "Ignoring it and set it to default.", val);
+ }
 }
 slapi_ch_free((void **) &val);
-- 1.9.3
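Review bot: In the `slapd_ssl_init` hunk at new line 1124, an unrecognised `allowWeakCipher` value leaves `allowweakcipher` at `CIPHER_SET_DEFAULTWEAKCIPHER`, which the macro comment in this patch describes as permitting weak ciphers for a user-specified cipher list, so a mistyped "off" leaves weak ciphers enabled with only a warning in the error log. For a hardening setting it is safer to fail closed in the final `else`, e.g. `allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;` with the message reworded to say weak ciphers are being disabled, or to treat the invalid value as a startup error. Whichever is chosen, the warning should name the effective policy rather than "default", since the default differs between explicit lists and "+all"/"default". The body of `slapd_ssl_init` extends beyond this hunk.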