|
 |
dc8c34 |
From 28f421f1fe326846b43fb2950c2d4ab868f06b76 Mon Sep 17 00:00:00 2001
|
|
|
dc8c34 |
From: Noriko Hosoi <nhosoi@redhat.com>
|
|
|
dc8c34 |
Date: Wed, 7 Jan 2015 12:58:32 -0800
|
|
|
dc8c34 |
Subject: [PATCH 295/305] Ticket #47880 - provide enabled ciphers as search
|
|
|
dc8c34 |
result
|
|
|
dc8c34 |
|
|
|
dc8c34 |
Description: Implemented getEnabledCiphers, with which
|
|
|
dc8c34 |
ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers
|
|
|
dc8c34 |
returns enabled cipher list. Example of returned enabled cipher
|
|
|
dc8c34 |
dn: cn=encryption,cn=config
|
|
|
dc8c34 |
nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
|
|
|
dc8c34 |
nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
|
|
|
dc8c34 |
|
|
|
dc8c34 |
Back-ported commit c675243e018a89291760161998944c04ea04b12f
|
|
|
dc8c34 |
|
|
|
dc8c34 |
https://fedorahosted.org/389/ticket/47880
|
|
|
dc8c34 |
(cherry picked from commit 8550aaf90870e75b78bb6f393f9fd4aedb68d612)
|
|
|
dc8c34 |
---
|
|
|
dc8c34 |
ldap/servers/slapd/fedse.c | 14 +++++++++++++-
|
|
|
dc8c34 |
ldap/servers/slapd/ssl.c | 42 +++++++++++++++++++++++++++++++++++++++++-
|
|
|
dc8c34 |
2 files changed, 54 insertions(+), 2 deletions(-)
|
|
|
dc8c34 |
|
|
|
dc8c34 |
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
|
|
|
dc8c34 |
index f8c95ce..6a8b6e6 100644
|
|
|
dc8c34 |
--- a/ldap/servers/slapd/fedse.c
|
|
|
dc8c34 |
+++ b/ldap/servers/slapd/fedse.c
|
|
|
dc8c34 |
@@ -75,6 +75,7 @@
|
|
|
dc8c34 |
#endif /* _WIN32 */
|
|
|
dc8c34 |
|
|
|
dc8c34 |
extern char ** getSupportedCiphers();
|
|
|
dc8c34 |
+extern char ** getEnabledCiphers();
|
|
|
dc8c34 |
|
|
|
dc8c34 |
/* Note: These DNs are no need to be normalized */
|
|
|
dc8c34 |
static const char *internal_entries[] =
|
|
|
dc8c34 |
@@ -1693,11 +1694,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
|
|
|
dc8c34 |
struct berval *vals[2];
|
|
|
dc8c34 |
struct berval val;
|
|
|
dc8c34 |
char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */
|
|
|
dc8c34 |
+ char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */
|
|
|
dc8c34 |
vals[0] = &val;
|
|
|
dc8c34 |
vals[1] = NULL;
|
|
|
dc8c34 |
|
|
|
dc8c34 |
attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");
|
|
|
dc8c34 |
- while (*cipherList) /* iterarate thru each of them and add to the attr value */
|
|
|
dc8c34 |
+ while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */
|
|
|
dc8c34 |
{
|
|
|
dc8c34 |
char *cipher = *cipherList;
|
|
|
dc8c34 |
val.bv_val = (char* ) cipher;
|
|
|
dc8c34 |
@@ -1706,6 +1708,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
|
|
|
dc8c34 |
cipherList++;
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
|
|
|
dc8c34 |
+ attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");
|
|
|
dc8c34 |
+ while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */
|
|
|
dc8c34 |
+ {
|
|
|
dc8c34 |
+ char *cipher = *enabledCipherList;
|
|
|
dc8c34 |
+ val.bv_val = (char* ) cipher;
|
|
|
dc8c34 |
+ val.bv_len = strlen ( val.bv_val );
|
|
|
dc8c34 |
+ attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);
|
|
|
dc8c34 |
+ enabledCipherList++;
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+
|
|
|
dc8c34 |
return SLAPI_DSE_CALLBACK_OK;
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
|
|
|
dc8c34 |
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
|
|
|
dc8c34 |
index 23fa620..c30ebd6 100644
|
|
|
dc8c34 |
--- a/ldap/servers/slapd/ssl.c
|
|
|
dc8c34 |
+++ b/ldap/servers/slapd/ssl.c
|
|
|
dc8c34 |
@@ -128,6 +128,7 @@ static char * configDN = "cn=encryption,cn=config";
|
|
|
dc8c34 |
|
|
|
dc8c34 |
|
|
|
dc8c34 |
static char **cipher_names = NULL;
|
|
|
dc8c34 |
+static char **enabled_cipher_names = NULL;
|
|
|
dc8c34 |
typedef struct {
|
|
|
dc8c34 |
char *version;
|
|
|
dc8c34 |
char *name;
|
|
|
dc8c34 |
@@ -220,7 +221,8 @@ slapd_SSL_warn(char *fmt, ...)
|
|
|
dc8c34 |
va_end(args);
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
|
|
|
dc8c34 |
-char ** getSupportedCiphers()
|
|
|
dc8c34 |
+char **
|
|
|
dc8c34 |
+getSupportedCiphers()
|
|
|
dc8c34 |
{
|
|
|
dc8c34 |
SSLCipherSuiteInfo info;
|
|
|
dc8c34 |
char *sep = "::";
|
|
|
dc8c34 |
@@ -242,6 +244,44 @@ char ** getSupportedCiphers()
|
|
|
dc8c34 |
return cipher_names;
|
|
|
dc8c34 |
}
|
|
|
dc8c34 |
|
|
|
dc8c34 |
+char **
|
|
|
dc8c34 |
+getEnabledCiphers()
|
|
|
dc8c34 |
+{
|
|
|
dc8c34 |
+ SSLCipherSuiteInfo info;
|
|
|
dc8c34 |
+ char *sep = "::";
|
|
|
dc8c34 |
+ int number_of_ciphers = 0;
|
|
|
dc8c34 |
+ int x;
|
|
|
dc8c34 |
+ int idx = 0;
|
|
|
dc8c34 |
+ PRBool enabled;
|
|
|
dc8c34 |
+
|
|
|
dc8c34 |
+ /* We have to wait until the SSL initialization is done. */
|
|
|
dc8c34 |
+ if (!slapd_ssl_listener_is_initialized()) {
|
|
|
dc8c34 |
+ return NULL;
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+ if ((enabled_cipher_names == NULL)) {
|
|
|
dc8c34 |
+ for (x = 0; _conf_ciphers[x].name; x++) {
|
|
|
dc8c34 |
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
|
|
|
dc8c34 |
+ if (enabled) {
|
|
|
dc8c34 |
+ number_of_ciphers++;
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+ enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
|
|
|
dc8c34 |
+ for (x = 0; _conf_ciphers[x].name; x++) {
|
|
|
dc8c34 |
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
|
|
|
dc8c34 |
+ if (enabled) {
|
|
|
dc8c34 |
+ SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
|
|
|
dc8c34 |
+ enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
|
|
|
dc8c34 |
+ _conf_ciphers[x].name,sep,
|
|
|
dc8c34 |
+ info.symCipherName,sep,
|
|
|
dc8c34 |
+ info.macAlgorithmName,sep,
|
|
|
dc8c34 |
+ info.symKeyBits);
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+ }
|
|
|
dc8c34 |
+
|
|
|
dc8c34 |
+ return enabled_cipher_names;
|
|
|
dc8c34 |
+}
|
|
|
dc8c34 |
+
|
|
|
dc8c34 |
static PRBool
|
|
|
dc8c34 |
cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
|
|
|
dc8c34 |
{
|
|
|
dc8c34 |
--
|
|
|
dc8c34 |
1.9.3
|
|
|
dc8c34 |
|