dirsrvtests/tickets/ticket47838_test.py | 114 ++++++++++++++++++++++++--------
ldap/servers/slapd/fedse.c | 14 +++
ldap/servers/slapd/ssl.c | 102 +++++++++++++++++++++++-----
3 files changed, 184 insertions(+), 46 deletions(-)
New commits:
commit b922e5d8387535a8bd71bbcea821ba08608d27c2
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Sep 25 14:43:16 2014 -0700
Ticket 47880 - CI test: added test cases for ticket 47880
Description: Ticket #47880 - provide enabled ciphers as search result
https://fedorahosted.org/389/ticket/47880
(cherry picked from commit ce7378990855abe1a5b52cd4fbe78ffc33365dcb)
diff --git a/dirsrvtests/tickets/ticket47838_test.py
b/dirsrvtests/tickets/ticket47838_test.py
index 1575376..c98c36e 100644
--- a/dirsrvtests/tickets/ticket47838_test.py
+++ b/dirsrvtests/tickets/ticket47838_test.py
@@ -216,6 +216,24 @@ def test_ticket47838_init(topology):
'nsSSLToken': 'internal
(software)',
'nsSSLActivation':
'on'})))
+def comp_nsSSLEnableCipherCount(topology, ecount):
+ """
+ Check nsSSLEnabledCipher count with ecount
+ """
+ log.info("Checking nsSSLEnabledCiphers...")
+ msgid = topology.standalone.search_ext(ENCRYPTION_DN, ldap.SCOPE_BASE,
'cn=*', ['nsSSLEnabledCiphers'])
+ enabledciphercnt = 0
+ rtype, rdata, rmsgid = topology.standalone.result2(msgid)
+ topology.standalone.log.info("%d results" % len(rdata))
+
+ topology.standalone.log.info("Results:")
+ for dn, attrs in rdata:
+ topology.standalone.log.info("dn: %s" % dn)
+ if attrs.has_key('nsSSLEnabledCiphers'):
+ enabledciphercnt = len(attrs['nsSSLEnabledCiphers'])
+ topology.standalone.log.info("enabledCipherCount: %d" % enabledciphercnt)
+ assert ecount == enabledciphercnt
+
def test_ticket47838_run_0(topology):
"""
Check nsSSL3Ciphers: +all
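Review bot: `comp_nsSSLEnableCipherCount` leaves `enabledciphercnt` at 0 both when the entry carries no `nsSSLEnabledCiphers` attribute and when the search returns no entry at all, so the two call sites that expect 0 (the hunks in test_ticket47838_run_11 and test_ticket47838_run_last) pass just as well when the server has not published the attribute. Add `assert len(rdata) == 1` right after the `result2` call so a missing entry fails loudly, and state in the docstring that an absent attribute is counted as zero enabled ciphers. `attrs.has_key(...)` is Python 2 only; `if 'nsSSLEnabledCiphers' in attrs:` is equivalent and also runs on Python 3.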
@@ -248,6 +266,8 @@ def test_ticket47838_run_0(topology):
log.info("Weak ciphers: %d" % wcount)
assert wcount <= 29
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_1(topology):
"""
Check nsSSL3Ciphers: +all
@@ -287,6 +307,8 @@ def test_ticket47838_run_1(topology):
log.info("Weak ciphers: %d" % wcount)
assert wcount <= 29
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_2(topology):
"""
Check nsSSL3Ciphers: +rsa_aes_128_sha,+rsa_aes_256_sha
@@ -316,6 +338,8 @@ def test_ticket47838_run_2(topology):
assert ecount == 2
assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_3(topology):
"""
Check nsSSL3Ciphers: -all
@@ -344,6 +368,8 @@ def test_ticket47838_run_3(topology):
log.info("Disabling SSL message?: %s" % disabledmsg.readline())
assert disabledmsg != ''
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_4(topology):
"""
Check no nsSSL3Ciphers
@@ -377,6 +403,8 @@ def test_ticket47838_run_4(topology):
log.info("Weak ciphers in the default setting: %d" % wcount)
assert wcount == 0
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_5(topology):
"""
Check nsSSL3Ciphers: default
@@ -410,6 +438,8 @@ def test_ticket47838_run_5(topology):
log.info("Weak ciphers in the default setting: %d" % wcount)
assert wcount == 0
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_6(topology):
"""
Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5
@@ -441,6 +471,8 @@ def test_ticket47838_run_6(topology):
assert ecount == (plus_all_ecount_noweak - 1)
assert dcount == (plus_all_dcount_noweak + 1)
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_7(topology):
"""
Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5
@@ -470,6 +502,8 @@ def test_ticket47838_run_7(topology):
assert ecount == 1
assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_8(topology):
"""
Check nsSSL3Ciphers: default + allowWeakCipher: off
@@ -503,6 +537,8 @@ def test_ticket47838_run_8(topology):
log.info("Weak ciphers in the default setting: %d" % wcount)
assert wcount == 0
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_9(topology):
"""
Check no nsSSL3Ciphers
@@ -537,6 +573,8 @@ def test_ticket47838_run_9(topology):
log.info("Weak ciphers in the default setting: %d" % wcount)
assert wcount == 11
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_10(topology):
"""
Check nssSSL3Chiphers: -TLS_RSA_WITH_NULL_MD5,+TLS_RSA_WITH_RC4_128_MD5,
@@ -579,6 +617,8 @@ def test_ticket47838_run_10(topology):
topology.standalone.log.info("ticket47838 was successfully verified.");
+ comp_nsSSLEnableCipherCount(topology, ecount)
+
def test_ticket47838_run_11(topology):
"""
Check nssSSL3Chiphers: +fortezza
@@ -603,6 +643,8 @@ def test_ticket47838_run_11(topology):
log.info("Expected error message was not found")
assert False
+ comp_nsSSLEnableCipherCount(topology, 0)
+
def test_ticket47838_run_last(topology):
"""
Check nssSSL3Chiphers: all <== invalid value
@@ -627,7 +669,9 @@ def test_ticket47838_run_last(topology):
log.info("Expected error message was not found")
assert False
- topology.standalone.log.info("ticket47838 was successfully verified.");
+ comp_nsSSLEnableCipherCount(topology, 0)
+
+ topology.standalone.log.info("ticket47838, 47880, 47908 were successfully
verified.");
def test_ticket47838_final(topology):
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
commit 8de80533cbfdb22166f5595839307a6a6db5a636
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Sep 25 13:34:00 2014 -0700
Ticket #47880 - provide enabled ciphers as search result
Description: Implemented getEnabledCiphers, with which
ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers
returns the enabled cipher list. Example of the returned enabled ciphers:
dn: cn=encryption,cn=config
nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
https://fedorahosted.org/389/ticket/47880
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!)
(cherry picked from commit c675243e018a89291760161998944c04ea04b12f)
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 1ffa08d..1f455e5 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -76,6 +76,7 @@
#endif /* _WIN32 */
extern char ** getSupportedCiphers();
+extern char ** getEnabledCiphers();
/* Note: These DNs are no need to be normalized */
static const char *internal_entries[] =
@@ -1695,11 +1696,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry,
Slapi_Entry *entryAfter
struct berval *vals[2];
struct berval val;
char ** cipherList = getSupportedCiphers(); /*Get the string array of supported
ciphers here */
+ char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled
ciphers here */
vals[0] = &val;
vals[1] = NULL;
attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");
- while (*cipherList) /* iterarate thru each of them and add to the attr value */
+ while (cipherList && *cipherList) /* iterarate thru each of them and add to
the attr value */
{
char *cipher = *cipherList;
val.bv_val = (char* ) cipher;
@@ -1708,6 +1710,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry,
Slapi_Entry *entryAfter
cipherList++;
}
+ attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");
+ while (enabledCipherList && *enabledCipherList) /* iterarate thru each of
them and add to the attr value */
+ {
+ char *cipher = *enabledCipherList;
+ val.bv_val = (char* ) cipher;
+ val.bv_len = strlen ( val.bv_val );
+ attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);
+ enabledCipherList++;
+ }
+
return SLAPI_DSE_CALLBACK_OK;
}
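Review bot: The loop that adds `nsSSLEnabledCiphers` is a verbatim copy of the `nsSSLSupportedCiphers` loop above it; a small static helper taking the attribute name and the list would keep the two in step (the NULL guard this commit adds to the first loop is exactly the kind of detail that gets lost in a copy). `getEnabledCiphers()` returns NULL until the SSL listener is initialized, so a client reading this entry early sees the attribute silently absent rather than empty — worth a comment at the `attrlist_delete` line, e.g. `/* NULL until SSL init has run: the attribute is then omitted, not empty */`. The `extern char ** getEnabledCiphers();` added in the first hunk of this file is a non-prototype declaration; `getEnabledCiphers(void)` or a shared header would let the compiler check the call.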
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 28ff475..5f9916b 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -157,6 +157,7 @@ static char * configDN = "cn=encryption,cn=config";
#define CIPHER_IS_WEAK 0x4
#define CIPHER_IS_DEPRECATED 0x8
static char **cipher_names = NULL;
+static char **enabled_cipher_names = NULL;
typedef struct {
char *name;
int num;
@@ -265,7 +266,8 @@ slapd_SSL_warn(char *fmt, ...)
va_end(args);
}
-char ** getSupportedCiphers()
+char **
+getSupportedCiphers()
{
SSLCipherSuiteInfo info;
char *sep = "::";
@@ -294,6 +296,44 @@ char ** getSupportedCiphers()
return cipher_names;
}
+char **
+getEnabledCiphers()
+{
+ SSLCipherSuiteInfo info;
+ char *sep = "::";
+ int number_of_ciphers = 0;
+ int x;
+ int idx = 0;
+ PRBool enabled;
+
+ /* We have to wait until the SSL initialization is done. */
+ if (!slapd_ssl_listener_is_initialized()) {
+ return NULL;
+ }
+ if ((enabled_cipher_names == NULL) && _conf_ciphers) {
+ for (x = 0; _conf_ciphers[x].name; x++) {
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+ if (enabled) {
+ number_of_ciphers++;
+ }
+ }
+ enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1),
sizeof(char *));
+ for (x = 0; _conf_ciphers[x].name; x++) {
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+ if (enabled) {
+
SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
+ enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+ _conf_ciphers[x].name,sep,
+ info.symCipherName,sep,
+ info.macAlgorithmName,sep,
+ info.symKeyBits);
+ }
+ }
+ }
+
+ return enabled_cipher_names;
+}
+
static PRBool
cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
{
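Review bot: `enabled` is declared without an initializer and the `SECStatus` returned by `SSL_CipherPrefGetDefault` is ignored in both loops of `getEnabledCiphers`, so for a cipher number NSS rejects the stale stack value decides whether it is counted; if the counting loop and the filling loop then disagree, the second one writes past the `number_of_ciphers + 1` slots obtained from `slapi_ch_calloc`. Reset `enabled` before each call, test the return value, and bound `idx` in the filling loop; the status of `SSL_GetCipherSuiteInfo` should be checked the same way before `info` is formatted. The list is also built lazily into a static on the first search and never rebuilt, so if cipher preferences can change without a restart, or if two search threads reach this point concurrently, the cached value goes stale or is allocated twice (inferred; depends on how search_encryption is dispatched).
```c
char **
getEnabledCiphers()
{
    /* … unchanged: declarations and the listener-initialized check … */
    if ((enabled_cipher_names == NULL) && _conf_ciphers) {
        for (x = 0; _conf_ciphers[x].name; x++) {
            enabled = PR_FALSE;
            if ((SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled) == SECSuccess) && enabled) {
                number_of_ciphers++;
            }
        }
        enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
        /* idx is bounded so a disagreement between the two passes cannot overrun the array */
        for (x = 0; _conf_ciphers[x].name && (idx < number_of_ciphers); x++) {
            enabled = PR_FALSE;
            if ((SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled) != SECSuccess) || !enabled) {
                continue;
            }
            if (SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num, &info, sizeof(info)) != SECSuccess) {
                continue;
            }
            enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
                                                      _conf_ciphers[x].name, sep,
                                                      info.symCipherName, sep,
                                                      info.macAlgorithmName, sep,
                                                      info.symKeyBits);
        }
    }

    return enabled_cipher_names;
}
```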
commit b5ce880cc7e6df5f2a1d4bd24de2ce107cf1a5fe
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Sep 24 15:47:02 2014 -0700
Ticket 47838 - CI test: adjusted test cases based on the phase 2 fixes for ticket
47838
https://fedorahosted.org/389/ticket/47838
(cherry picked from commit c6c73e674ecf79fc7404758f90f4837f04bdbed0)
diff --git a/dirsrvtests/tickets/ticket47838_test.py
b/dirsrvtests/tickets/ticket47838_test.py
index 0e406f3..1575376 100644
--- a/dirsrvtests/tickets/ticket47838_test.py
+++ b/dirsrvtests/tickets/ticket47838_test.py
@@ -25,6 +25,8 @@ LDAPSPORT = '10636'
SERVERCERT = 'Server-Cert'
plus_all_ecount = 0
plus_all_dcount = 0
+plus_all_ecount_noweak = 0
+plus_all_dcount_noweak = 0
class TopologyStandalone(object):
def __init__(self, standalone):
@@ -220,7 +222,7 @@ def test_ticket47838_run_0(topology):
All ciphers are enabled except null.
Note: allowWeakCipher: on
"""
- _header(topology, 'Test Case 1 - Check the ciphers availability for
"+all"')
+ _header(topology, 'Test Case 1 - Check the ciphers availability for
"+all"; allowWeakCipher: on')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE,
'nsslapd-errorlog-level', '64')])
@@ -235,8 +237,8 @@ def test_ticket47838_run_0(topology):
log.info("Enabled ciphers: %d" % ecount)
log.info("Disabled ciphers: %d" % dcount)
- assert ecount >= 31
- assert dcount <= 36
+ assert ecount >= 60
+ assert dcount <= 7
global plus_all_ecount
global plus_all_dcount
plus_all_ecount = ecount
@@ -250,9 +252,9 @@ def test_ticket47838_run_1(topology):
"""
Check nsSSL3Ciphers: +all
All ciphers are enabled except null.
- Note: allowWeakCipher: off for +all
+ Note: default allowWeakCipher (i.e., off) for +all
"""
- _header(topology, 'Test Case 2 - Check the ciphers availability for
"+all" with not allowing WeakCiphers')
+ _header(topology, 'Test Case 2 - Check the ciphers availability for
"+all" with default allowWeakCiphers')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE,
'nsslapd-errorlog-level', '64')])
@@ -271,6 +273,11 @@ def test_ticket47838_run_1(topology):
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
+ global plus_all_ecount_noweak
+ global plus_all_dcount_noweak
+ plus_all_ecount_noweak = ecount
+ plus_all_dcount_noweak = dcount
+
log.info("Enabled ciphers: %d" % ecount)
log.info("Disabled ciphers: %d" % dcount)
assert ecount >= 31
@@ -284,12 +291,11 @@ def test_ticket47838_run_2(topology):
"""
Check nsSSL3Ciphers: +rsa_aes_128_sha,+rsa_aes_256_sha
rsa_aes_128_sha, tls_rsa_aes_128_sha, rsa_aes_256_sha, tls_rsa_aes_256_sha are
enabled.
+ default allowWeakCipher
"""
- _header(topology, 'Test Case 3 - Check the ciphers availability for
"+rsa_aes_128_sha,+rsa_aes_256_sha"')
+ _header(topology, 'Test Case 3 - Check the ciphers availability for
"+rsa_aes_128_sha,+rsa_aes_256_sha" with default allowWeakCipher')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
- #topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE,
'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha'),
- # (ldap.MOD_REPLACE,
'allowWeakCipher', 'on')])
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE,
'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha')])
log.info("\n######################### Restarting the server
######################\n")
@@ -314,6 +320,7 @@ def test_ticket47838_run_3(topology):
"""
Check nsSSL3Ciphers: -all
All ciphers are disabled.
+ default allowWeakCipher
"""
_header(topology, 'Test Case 4 - Check the ciphers availability for
"-all"')
@@ -327,23 +334,23 @@ def test_ticket47838_run_3(topology):
topology.standalone.start(timeout=120)
enabled = os.popen('egrep "SSL alert:" %s | egrep \":
enabled\" | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep \":
disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
- dcount = int(disabled.readline().rstrip())
log.info("Enabled ciphers: %d" % ecount)
- log.info("Disabled ciphers: %d" % dcount)
global plus_all_ecount
- global plus_all_dcount
assert ecount == 0
- assert dcount == (plus_all_ecount + plus_all_dcount)
+
+ disabledmsg = os.popen('egrep "Disabling SSL" %s' %
topology.standalone.errlog)
+ log.info("Disabling SSL message?: %s" % disabledmsg.readline())
+ assert disabledmsg != ''
def test_ticket47838_run_4(topology):
"""
Check no nsSSL3Ciphers
Default ciphers are enabled.
+ default allowWeakCipher
"""
- _header(topology, 'Test Case 5 - Check no nssSSL3Chiphers (default
setting)')
+ _header(topology, 'Test Case 5 - Check no nssSSL3Chiphers (default setting) with
default allowWeakCipher')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE,
'nsSSL3Ciphers', '-all')])
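Review bot: `assert disabledmsg != ''` in test_ticket47838_run_3 compares the file object returned by `os.popen` with a string, so it can never fail, and the only line of output is consumed by the `log.info` call immediately before it. Read the line once and assert on that: `disabledmsg = os.popen('egrep "Disabling SSL" %s' % topology.standalone.errlog).readline()`, then `log.info("Disabling SSL message?: %s" % disabledmsg)` and `assert disabledmsg != ''`. The `enabled` pipeline above likewise leaves its popen handle open, as the rest of the file does; the function's `def` line lies outside this hunk.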
@@ -374,8 +381,9 @@ def test_ticket47838_run_5(topology):
"""
Check nsSSL3Ciphers: default
Default ciphers are enabled.
+ default allowWeakCipher
"""
- _header(topology, 'Test Case 6 - Check default nssSSL3Chiphers (default
setting)')
+ _header(topology, 'Test Case 6 - Check default nssSSL3Chiphers (default setting)
with default allowWeakCipher')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE,
'nsSSL3Ciphers', 'default')])
@@ -406,8 +414,9 @@ def test_ticket47838_run_6(topology):
"""
Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5
All ciphers are disabled.
+ default allowWeakCipher
"""
- _header(topology, 'Test Case 7 - Check nssSSL3Chiphers:
+all,-tls_dhe_rsa_aes_128_gcm_sha')
+ _header(topology, 'Test Case 7 - Check nssSSL3Chiphers:
+all,-tls_dhe_rsa_aes_128_gcm_sha with default allowWeakCipher')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE,
'nsSSL3Ciphers', '+all,-tls_dhe_rsa_aes_128_gcm_sha')])
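Review bot: The docstring of test_ticket47838_run_6 still reads `Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5` and `All ciphers are disabled.`, while the header string and the `modify_s` call in this same hunk use `+all,-tls_dhe_rsa_aes_128_gcm_sha` and the assertions in the next hunk expect all but one cipher enabled. Since the hunk already edits this docstring, replace the two lines with `Check nssSSL3Chiphers: +all,-tls_dhe_rsa_aes_128_gcm_sha` and `All ciphers but tls_dhe_rsa_aes_128_gcm_sha are enabled.`. The function's `def` line lies outside the hunk.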
@@ -425,19 +434,20 @@ def test_ticket47838_run_6(topology):
log.info("Enabled ciphers: %d" % ecount)
log.info("Disabled ciphers: %d" % dcount)
- global plus_all_ecount
- global plus_all_dcount
- log.info("ALL Ecount: %d" % plus_all_ecount)
- log.info("ALL Dcount: %d" % plus_all_dcount)
- assert ecount == (plus_all_ecount - 1)
- assert dcount == (plus_all_dcount + 1)
+ global plus_all_ecount_noweak
+ global plus_all_dcount_noweak
+ log.info("ALL Ecount: %d" % plus_all_ecount_noweak)
+ log.info("ALL Dcount: %d" % plus_all_dcount_noweak)
+ assert ecount == (plus_all_ecount_noweak - 1)
+ assert dcount == (plus_all_dcount_noweak + 1)
def test_ticket47838_run_7(topology):
"""
Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5
All ciphers are disabled.
+ default allowWeakCipher
"""
- _header(topology, 'Test Case 8 - Check nssSSL3Chiphers:
-all,+rsa_rc4_128_md5')
+ _header(topology, 'Test Case 8 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5
with default allowWeakCipher')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE,
'nsSSL3Ciphers', '-all,+rsa_rc4_128_md5')])
@@ -497,8 +507,10 @@ def test_ticket47838_run_9(topology):
"""
Check no nsSSL3Ciphers
Default ciphers are enabled.
+ allowWeakCipher: on
+ nsslapd-errorlog-level: 0
"""
- _header(topology, 'Test Case 10 - Check no nssSSL3Chiphers (default setting) with
no errorlog-level')
+ _header(topology, 'Test Case 10 - Check no nssSSL3Chiphers (default setting) with
no errorlog-level & allowWeakCipher on')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE,
'nsSSL3Ciphers', None),
@@ -518,12 +530,12 @@ def test_ticket47838_run_9(topology):
log.info("Enabled ciphers: %d" % ecount)
log.info("Disabled ciphers: %d" % dcount)
- assert ecount == 12
+ assert ecount == 23
assert dcount == 0
weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\"
| egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
wcount = int(weak.readline().rstrip())
log.info("Weak ciphers in the default setting: %d" % wcount)
- assert wcount == 0
+ assert wcount == 11
def test_ticket47838_run_10(topology):
"""
@@ -535,8 +547,10 @@ def test_ticket47838_run_10(topology):
-SSL_CK_RC4_128_WITH_MD5,-SSL_CK_RC4_128_EXPORT40_WITH_MD5,
-SSL_CK_RC2_128_CBC_WITH_MD5,-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-SSL_CK_DES_64_CBC_WITH_MD5,-SSL_CK_DES_192_EDE3_CBC_WITH_MD5
+ allowWeakCipher: on
+ nsslapd-errorlog-level: 0
"""
- _header(topology, 'Test Case 11 - Check nssSSL3Chiphers: long list using the NSS
Cipher Suite name')
+ _header(topology, 'Test Case 11 - Check nssSSL3Chiphers: long list using the NSS
Cipher Suite name with allowWeakCipher on')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE,
'nsSSL3Ciphers',
commit 411ca8f1cc5aade2fbe7d9f91aff8c658f5e8248
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Sep 25 13:38:03 2014 -0700
Ticket #47838 - harden the list of ciphers available by default (phase 2)
Description:
1) By default (i.e., no explicit allowWeakCipher set in cn=encryption,cn=config),
allowWeakCipher is on for user specified cipher list
allowWeakCipher is off for "+all" and "default"
2) Fixed enabled allowWeakCipher (explicitly set "on" to it) is
applied to "+all" and "default".
3) If an invalid value is set to allowWeakCipher, this message is
logged in the error log and the value is reset to the default.
SSL alert: The value of allowWeakCipher "poor" in cn=encryption,
cn=config is invalid. Ignoring it and set it to default.
https://fedorahosted.org/389/ticket/47838
Reviewed by tbordaz(a)redhat.com (Thank you, Thierry!)
(cherry picked from commit c6febe325a1b5a0e4f7e7e59bcc076c9e4a3b825)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 4e38308..28ff475 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -120,18 +120,34 @@ static char * configDN = "cn=encryption,cn=config";
/* ----------------------- Multiple cipher support ------------------------ */
/* cipher set flags */
-#define CIPHER_SET_ALL 0x1
-#define CIPHER_SET_NONE 0x0
-#define CIPHER_SET_DEFAULT 0x2
-#define CIPHER_SET_CORE (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
-#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags
*/
+#define CIPHER_SET_NONE 0x0
+#define CIPHER_SET_ALL 0x1
+#define CIPHER_SET_DEFAULT 0x2
+#define CIPHER_SET_DEFAULTWEAKCIPHER 0x10 /* allowWeakCipher is not set in cn=encryption
*/
+#define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */
+#define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
#define CIPHER_SET_ISDEFAULT(flag) \
- ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
+ (((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
#define CIPHER_SET_ISALL(flag) \
- ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
-#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+ (((flag)&CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
+
+#define ALLOWWEAK_ISDEFAULT(flag) \
+ (((flag)&CIPHER_SET_DEFAULTWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define ALLOWWEAK_ISON(flag) \
(((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define ALLOWWEAK_ISOFF(flag) \
+ (((flag)&CIPHER_SET_DISALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+/*
+ * If ISALL or ISDEFAULT, allowWeakCipher is true only if CIPHER_SET_ALLOWWEAKCIPHER.
+ * Otherwise (user specified cipher list), allowWeakCipher is true
+ * if CIPHER_SET_ALLOWWEAKCIPHER or CIPHER_SET_DEFAULTWEAKCIPHER.
+ */
+#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+ ((CIPHER_SET_ISDEFAULT(flag)|CIPHER_SET_ISALL(flag)) ? \
+ (ALLOWWEAK_ISON(flag) ? PR_TRUE : PR_FALSE) : \
+ (!ALLOWWEAK_ISOFF(flag) ? PR_TRUE : PR_FALSE))
+
#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
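Review bot: `CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER`, kept as context at the end of this hunk, still clears only `CIPHER_SET_ALLOWWEAKCIPHER`, but under the new `CIPHER_SET_ALLOWSWEAKCIPHER` a user-specified cipher list allows weak ciphers unless `CIPHER_SET_DISALLOWWEAKCIPHER` is set, so a flag carrying `CIPHER_SET_DEFAULTWEAKCIPHER` passes through the macro unchanged and weak ciphers stay enabled. The two call sites this commit rewrites in `_conf_setciphers` no longer use it; if any other caller remains (not visible here) it should be `#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) (((flag)&~(CIPHER_SET_ALLOWWEAKCIPHER|CIPHER_SET_DEFAULTWEAKCIPHER))|CIPHER_SET_DISALLOWWEAKCIPHER)`, otherwise the macro is better deleted so it cannot be picked up again. The `|` between `CIPHER_SET_ISDEFAULT(flag)` and `CIPHER_SET_ISALL(flag)` is a bitwise or of PR_TRUE/PR_FALSE, which works, but `||` states what is meant.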
@@ -460,7 +476,7 @@ _conf_setciphers(char *ciphers, int flags)
/* #47838: harden the list of ciphers available by default */
/* Default is to activate all of them ==> none of them*/
if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers,
"default")) {
-
_conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL,
NULL);
+ _conf_setallciphers((CIPHER_SET_DEFAULT|flags), NULL, NULL);
slapd_SSL_warn("Security Initialization: Enabling default cipher
set.");
_conf_dumpciphers();
return NULL;
@@ -473,7 +489,7 @@ _conf_setciphers(char *ciphers, int flags)
* set of ciphers in the table. Right now there is no support for this
* from the console
*/
- _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags),
&suplist, NULL);
+ _conf_setallciphers((CIPHER_SET_ALL|flags), &suplist, NULL);
enabledOne = PR_TRUE;
} else {
/* If "+all" is not in nsSSL3Ciphers value, disable all first,
@@ -504,7 +520,7 @@ _conf_setciphers(char *ciphers, int flags)
for (x = 0; _conf_ciphers[x].name; x++) {
if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
- if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+ if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
slapd_SSL_warn("Cipher %s is weak. It is enabled since
allowWeakCipher is \"on\" "
"(default setting for the backward
compatibility). "
"We strongly recommend to set it to
\"off\". "
@@ -522,6 +538,9 @@ _conf_setciphers(char *ciphers, int flags)
check fips. */
enabled = cipher_check_fips(x, NULL, &unsuplist);
}
+ if (enabled) {
+ enabledOne = PR_TRUE; /* At least one active cipher is set. */
+ }
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
lookup = 0;
break;
@@ -539,7 +558,7 @@ _conf_setciphers(char *ciphers, int flags)
if (!PL_strcasecmp(_lookup_cipher[i].name,
_conf_ciphers[x].name)) {
if (enabled) {
if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
- if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+ if (active &&
CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
slapd_SSL_warn("Cipher %s is weak.
"
"It is enabled since
allowWeakCipher is \"on\" "
"(default setting for the
backward compatibility). "
@@ -1065,7 +1084,7 @@ slapd_ssl_init()
int rv = 0;
PK11SlotInfo *slot;
Slapi_Entry *entry = NULL;
- int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+ int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
/* Get general information */
@@ -1105,9 +1124,18 @@ slapd_ssl_init()
}
val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
- if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val,
"false") ||
- !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")))
{
- allowweakcipher = 0;
+ if (val) {
+ if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val,
"false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+ allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
+ } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val,
"true") ||
+ !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes"))
{
+ allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+ } else {
+ slapd_SSL_warn("The value of allowWeakCipher \"%s\" in "
+ "cn=encryption,cn=config is invalid. "
+ "Ignoring it and set it to default.", val);
+ }
}
slapi_ch_free((void **) &val);