ldap/servers/slapd/fedse.c | 14 +++++++++++++- ldap/servers/slapd/ssl.c | 42 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 54 insertions(+), 2 deletions(-)

New commits: commit d598ed59179748f9f8a0ddda37ff3d714e063de0 Author: Noriko Hosoi nhosoi@redhat.com Date: Wed Jan 7 12:58:32 2015 -0800

Ticket #47880 - provide enabled ciphers as search result

Description: Implemented getEnabledCiphers, with which ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers returns enabled cipher list. Example of returned enabled cipher dn: cn=encryption,cn=config nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128 nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192

Back-ported commit c675243e018a89291760161998944c04ea04b12f

https://fedorahosted.org/389/ticket/47880 (cherry picked from commit 8550aaf90870e75b78bb6f393f9fd4aedb68d612) (cherry picked from commit 51714d8768c335617abbb06d0a6f5023a985c616)

diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c index c23e124..907c604 100644 --- a/ldap/servers/slapd/fedse.c +++ b/ldap/servers/slapd/fedse.c @@ -76,6 +76,7 @@ #endif /* _WIN32 */

extern char ** getSupportedCiphers(); +extern char ** getEnabledCiphers();

/* Note: These DNs are no need to be normalized */ static const char *internal_entries[] = @@ -1696,11 +1697,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter struct berval *vals[2]; struct berval val; char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */ + char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */ vals[0] = &val; vals[1] = NULL;

attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers"); - while (*cipherList) /* iterarate thru each of them and add to the attr value */ + while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */ { char *cipher = *cipherList; val.bv_val = (char* ) cipher; @@ -1709,6 +1711,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter cipherList++; }

+ attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers"); + while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */ + { + char *cipher = *enabledCipherList; + val.bv_val = (char* ) cipher; + val.bv_len = strlen ( val.bv_val ); + attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals); + enabledCipherList++; + } + return SLAPI_DSE_CALLBACK_OK; }

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index 23fa620..c30ebd6 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -128,6 +128,7 @@ static char * configDN = "cn=encryption,cn=config";

static char **cipher_names = NULL; +static char **enabled_cipher_names = NULL; typedef struct { char *version; char *name; @@ -220,7 +221,8 @@ slapd_SSL_warn(char *fmt, ...) va_end(args); }

-char ** getSupportedCiphers() +char ** +getSupportedCiphers() { SSLCipherSuiteInfo info; char *sep = "::"; @@ -242,6 +244,44 @@ char ** getSupportedCiphers() return cipher_names; }

+char ** +getEnabledCiphers() +{ + SSLCipherSuiteInfo info; + char *sep = "::"; + int number_of_ciphers = 0; + int x; + int idx = 0; + PRBool enabled; + + /* We have to wait until the SSL initialization is done. */ + if (!slapd_ssl_listener_is_initialized()) { + return NULL; + } + if ((enabled_cipher_names == NULL)) { + for (x = 0; _conf_ciphers[x].name; x++) { + SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled); + if (enabled) { + number_of_ciphers++; + } + } + enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *)); + for (x = 0; _conf_ciphers[x].name; x++) { + SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled); + if (enabled) { + SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info)); + enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d", + _conf_ciphers[x].name,sep, + info.symCipherName,sep, + info.macAlgorithmName,sep, + info.symKeyBits); + } + } + } + + return enabled_cipher_names; +} + static PRBool cipher_check_fips(int idx, char ***suplist, char ***unsuplist) {