From 28f421f1fe326846b43fb2950c2d4ab868f06b76 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 7 Jan 2015 12:58:32 -0800
Subject: [PATCH 295/305] Ticket #47880 - provide enabled ciphers as search
result
Description: Implemented getEnabledCiphers, with which
ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers
returns enabled cipher list. Example of returned enabled cipher
dn: cn=encryption,cn=config
nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192
Back-ported commit c675243e018a89291760161998944c04ea04b12f
https://fedorahosted.org/389/ticket/47880
(cherry picked from commit 8550aaf90870e75b78bb6f393f9fd4aedb68d612)
---
ldap/servers/slapd/fedse.c | 14 +++++++++++++-
ldap/servers/slapd/ssl.c | 42 +++++++++++++++++++++++++++++++++++++++++-
2 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index f8c95ce..6a8b6e6 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -75,6 +75,7 @@
#endif /* _WIN32 */
extern char ** getSupportedCiphers();
+extern char ** getEnabledCiphers();
/* Note: These DNs are no need to be normalized */
static const char *internal_entries[] =
@@ -1693,11 +1694,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
struct berval *vals[2];
struct berval val;
char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */
+ char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */
vals[0] = &val;
vals[1] = NULL;
attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");
- while (*cipherList) /* iterarate thru each of them and add to the attr value */
+ while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */
{
char *cipher = *cipherList;
val.bv_val = (char* ) cipher;
@@ -1706,6 +1708,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
cipherList++;
}
+ attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");
+ while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */
+ {
+ char *cipher = *enabledCipherList;
+ val.bv_val = (char* ) cipher;
+ val.bv_len = strlen ( val.bv_val );
+ attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);
+ enabledCipherList++;
+ }
+
return SLAPI_DSE_CALLBACK_OK;
}
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 23fa620..c30ebd6 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -128,6 +128,7 @@ static char * configDN = "cn=encryption,cn=config";
static char **cipher_names = NULL;
+static char **enabled_cipher_names = NULL;
typedef struct {
char *version;
char *name;
@@ -220,7 +221,8 @@ slapd_SSL_warn(char *fmt, ...)
va_end(args);
}
-char ** getSupportedCiphers()
+char **
+getSupportedCiphers()
{
SSLCipherSuiteInfo info;
char *sep = "::";
@@ -242,6 +244,44 @@ char ** getSupportedCiphers()
return cipher_names;
}
+char **
+getEnabledCiphers()
+{
+ SSLCipherSuiteInfo info;
+ char *sep = "::";
+ int number_of_ciphers = 0;
+ int x;
+ int idx = 0;
+ PRBool enabled;
+
+ /* We have to wait until the SSL initialization is done. */
+ if (!slapd_ssl_listener_is_initialized()) {
+ return NULL;
+ }
+ if ((enabled_cipher_names == NULL)) {
+ for (x = 0; _conf_ciphers[x].name; x++) {
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+ if (enabled) {
+ number_of_ciphers++;
+ }
+ }
+ enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
+ for (x = 0; _conf_ciphers[x].name; x++) {
+ SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+ if (enabled) {
+ SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
+ enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+ _conf_ciphers[x].name,sep,
+ info.symCipherName,sep,
+ info.macAlgorithmName,sep,
+ info.symKeyBits);
+ }
+ }
+ }
+
+ return enabled_cipher_names;
+}
+
static PRBool
cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
{
--
1.9.3