andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-armhfp c7-beta c8-beta-stream-1.4 c8-stream-1.4 c8s-stream-1.4 c8s-stream-ds c9 c9-beta
  1.   c6
  2.   0295-Ticket-47880-provide-enabled-ciphers-as-search-resul.patch
Blob Blame History Raw 
From 28f421f1fe326846b43fb2950c2d4ab868f06b76 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 7 Jan 2015 12:58:32 -0800
Subject: [PATCH 295/305] Ticket #47880 - provide enabled ciphers as search
 result

Description: Implemented getEnabledCiphers, with which
  ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers
returns enabled cipher list.  Example of returned enabled cipher
  dn: cn=encryption,cn=config
  nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
  nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192

Back-ported commit c675243e018a89291760161998944c04ea04b12f

https://fedorahosted.org/389/ticket/47880
(cherry picked from commit 8550aaf90870e75b78bb6f393f9fd4aedb68d612)
---
 ldap/servers/slapd/fedse.c | 14 +++++++++++++-
 ldap/servers/slapd/ssl.c   | 42 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index f8c95ce..6a8b6e6 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -75,6 +75,7 @@
 #endif  /* _WIN32 */
 
 extern char ** getSupportedCiphers();
+extern char ** getEnabledCiphers();
 
 /* Note: These DNs are no need to be normalized */
 static const char *internal_entries[] =
@@ -1693,11 +1694,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
     struct berval           *vals[2];
     struct berval           val;
     char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */
+    char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */
     vals[0] = &val;
     vals[1] = NULL;
 
     attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");
-    while (*cipherList) /* iterarate thru each of them and add to the attr value */
+    while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */
     {
         char *cipher = *cipherList;
         val.bv_val = (char* ) cipher;
@@ -1706,6 +1708,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
         cipherList++;
     }
 
+    attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");
+	while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */
+	{
+	    char *cipher = *enabledCipherList;
+	    val.bv_val = (char* ) cipher;
+	    val.bv_len = strlen ( val.bv_val );
+	    attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);
+	    enabledCipherList++;
+	}
+
     return SLAPI_DSE_CALLBACK_OK;
 }
 
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 23fa620..c30ebd6 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -128,6 +128,7 @@ static char * configDN = "cn=encryption,cn=config";
 
 
 static char **cipher_names = NULL;
+static char **enabled_cipher_names = NULL;
 typedef struct {
 	char *version;
     char *name;
@@ -220,7 +221,8 @@ slapd_SSL_warn(char *fmt, ...)
     va_end(args);
 }
 
-char ** getSupportedCiphers()
+char **
+getSupportedCiphers()
 {
 	SSLCipherSuiteInfo info;
 	char *sep = "::";
@@ -242,6 +244,44 @@ char ** getSupportedCiphers()
 	return cipher_names;
 }
 
+char **
+getEnabledCiphers()
+{
+    SSLCipherSuiteInfo info;
+    char *sep = "::";
+    int number_of_ciphers = 0;
+    int x;
+    int idx = 0;
+    PRBool enabled;
+
+    /* We have to wait until the SSL initialization is done. */
+    if (!slapd_ssl_listener_is_initialized()) {
+        return NULL;
+    }
+    if ((enabled_cipher_names == NULL)) {
+        for (x = 0; _conf_ciphers[x].name; x++) {
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+            if (enabled) {
+                number_of_ciphers++;
+            }
+        }
+        enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
+        for (x = 0; _conf_ciphers[x].name; x++) {
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+            if (enabled) {
+                SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
+                enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+                        _conf_ciphers[x].name,sep,
+                        info.symCipherName,sep,
+                        info.macAlgorithmName,sep,
+                        info.symKeyBits);
+            }
+        }
+    }
+
+    return enabled_cipher_names;
+}
+
 static PRBool
 cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
 {
-- 
1.9.3

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation