admserv/cgi-src40/admpw.c | 5 -
admserv/cgi-src40/sec-activate.c | 111 ++++++++++++++++++++++++++-------------
2 files changed, 75 insertions(+), 41 deletions(-)
New commits:
commit c9b6de5743e2fd7c965a1b8e99c3942b6734aed7
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Sat Oct 4 21:53:29 2014 -0700
Ticket #47493 - Configuration Tab does not work with FIPS mode enabled
Bug Description: Admin Server CGI sec-activate retrieves attribute
values of
dn: cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration
Server,cn=Server Group,cn=FQDN,ou=DOMAIN,o=NetscapeRoot
and return them to the client, such as the Console. The CGI sec-activate
was supposed to determine whether FIPS mode is enabled and, if so,
return only FIPS-compliant ciphers, but that code was missing.
In this patch, the code is added to check if it is FIPS mode or not
and if it is, return just FIPS friendly ciphers in this patch.
Plus unnecessary temp buffer and copies from temp to temp_return were
removed.
https://fedorahosted.org/389/ticket/47493
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/admserv/cgi-src40/admpw.c b/admserv/cgi-src40/admpw.c
index e695881..1e24423 100644
--- a/admserv/cgi-src40/admpw.c
+++ b/admserv/cgi-src40/admpw.c
@@ -50,11 +50,6 @@
#include <pk11pqg.h>
#include <base64.h>
-/* NSS - for password hashing */
-#include <pk11func.h>
-#include <pk11pqg.h>
-#include <base64.h>
-
#include "libadminutil/resource.h"
#include "libadminutil/admutil.h"
#include "libadminutil/distadm.h"
diff --git a/admserv/cgi-src40/sec-activate.c b/admserv/cgi-src40/sec-activate.c
index 6ae70ed..08568ca 100644
--- a/admserv/cgi-src40/sec-activate.c
+++ b/admserv/cgi-src40/sec-activate.c
@@ -38,6 +38,10 @@
extern "C" {
#endif
+#include <string.h>
+#include "nspr.h"
+#include "pk11func.h"
+
#include "cert.h"
#include "key.h"
#include "certdb.h"
@@ -213,18 +217,46 @@ int get_cert_nickname(char *buf, size_t bufsize) {
}
return -1;
}
+
+void
+drop_non_fips(char *val)
+{
+ char *p = NULL;
+ char *endp = NULL;
+ if (!val) {
+ return;
+ }
+ p = PL_strchr(val, '+');
+ while (p) {
+ endp = PL_strchr(p, ',');
+ if (endp) {
+ *endp = '\0';
+ /* E.g., p = "+rsa_rc2_40_md5" or p = "+fips_3des_sha"
*/
+ if (!PL_strcasestr(p, "fips")) {
+ *p = '-';
+ }
+ *endp = ',';
+ p = PL_strchr(endp+1, '+');
+ } else {
+ break;
+ }
+ }
+}
+
/*
* int GetSSLFamilyAttributes
* Reads all LDAP entries relating to cipher family information.
* Returns return_string, a string of all information found, and
* 0 on success, -1 on failure.
*/
-int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
-
+int
+GetSSLFamilyAttributes(PsetHndl pset, char **return_string)
+{
AttrNameList family_list;
int errorCode;
char temp_return[5000];
- char temp[1000];
+ char *tmpp = NULL;
+ size_t tmplen = 0;
char **family;
char family_attribute[1024];
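Review bot: drop_non_fips leaves the last cipher in the list untouched: when PL_strchr(p, ',') finds no trailing comma the loop breaks before the "fips" test runs, so for a value like `+fips_3des_sha,+rsa_rc4_128_md5` the final non-FIPS entry stays enabled. The fix is to run the substring test once per token and only then decide whether a comma follows, as below. The function also has no header comment; I would add `/* Turn every "+cipher" entry of the comma-separated list that does not contain "fips" into "-cipher". val is modified in place; NULL is a no-op. */` above it, since callers (see GetSSLFamilyAttributes further down) pass it a buffer they did not allocate.
```c
    p = PL_strchr(val, '+');
    while (p) {
        endp = PL_strchr(p, ',');
        if (endp) {
            *endp = '\0';
        }
        /* E.g., p = "+rsa_rc2_40_md5" or p = "+fips_3des_sha" */
        if (!PL_strcasestr(p, "fips")) {
            *p = '-';
        }
        if (!endp) {
            break;   /* last token handled */
        }
        *endp = ',';
        p = PL_strchr(endp + 1, '+');
    }
```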
@@ -233,6 +265,7 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
char *val;
char *family_name;
+ PRBool isfips = PR_FALSE;
*return_string = NULL;
strcpy(temp_return, "");
@@ -240,11 +273,9 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
val = psetGetAttrSingleValue(pset,
"configuration.nsServerSecurity",
&errorCode);
- if(val)
- PR_snprintf(temp, sizeof(temp), "security=%s\n", val);
- else
- PR_snprintf(temp, sizeof(temp), "security=off\n");
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "security=%s\n",
val?val:"off");
if((family_list = psetGetChildren(pset, "configuration.Encryption",
&errorCode))) {
@@ -276,67 +307,75 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) {
family_name = strrchr(*family, '.');
family_name++;
- PR_snprintf(temp, sizeof(temp), "familyList=%s\n", family_name);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "familyList=%s\n",
family_name);
- PR_snprintf(temp, sizeof(temp), "%s-activated=%s\n", family_name, val);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-activated=%s\n",
family_name, val);
- PR_snprintf(temp, sizeof(temp), "%s-token=%s\n", family_name, token);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-token=%s\n",
family_name, token);
- PR_snprintf(temp, sizeof(temp), "%s-cert=%s\n", family_name,
personality);
- PL_strcatn(temp_return, sizeof(temp_return), temp);
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-cert=%s\n",
family_name, personality);
}
}
PL_strcatn(temp_return, sizeof(temp_return), "familyList=NULL\n");
/* get cipher preferences */
+ isfips = PK11_IsFIPS();
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL2",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl2-activated=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl2-activated=%s\n",
val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL2Ciphers",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl2=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ /* If is fips, don't allow ciphers without "fips" */
+ if (isfips) {
+ drop_non_fips(val);
+ }
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl2=%s\n",
val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL3",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl3-activated=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl3-activated=%s\n",
val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSL3Ciphers",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "ssl3=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ /* If is fips, don't allow ciphers without "fips" */
+ if (isfips) {
+ drop_non_fips(val);
+ }
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl3=%s\n",
val?val:"");
val = NULL;
val = psetGetAttrSingleValue(pset,
"configuration.encryption.nsSSLClientAuth",
&errorCode);
- PL_strcatn(temp_return, sizeof(temp_return), "clientauth=");
- if(val)
- PL_strcatn(temp_return, sizeof(temp_return), val);
- PL_strcatn(temp_return, sizeof(temp_return), "\n");
+ tmplen = strlen(temp_return);
+ tmpp = temp_return + tmplen;
+ PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "clientauth=%s\n",
val?val:"");
*return_string = PORT_Strdup(temp_return);
return 0;
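Review bot: The two `drop_non_fips(val)` calls rewrite the string returned by psetGetAttrSingleValue in place, and nothing in the hunk shows who owns that buffer; if it points into pset-internal storage the filtered value silently replaces the configured one for the rest of the process, so filtering a `PL_strdup(val)` copy (freed after the PR_snprintf) would be the safer shape — please confirm against the pset API. Separately, none of the PR_snprintf return values into the 5000-byte temp_return are checked, so a long cipher list is cut mid-line without any indication to the client; a single `if (r < 0 || (size_t)r >= sizeof(temp_return) - tmplen) return -1;` after each append would make that explicit. The `familyList=NULL` append on the context line above still uses PL_strcatn while every neighbouring append was converted to the tmpp/PR_snprintf form. GetSSLFamilyAttributes begins in an earlier hunk.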