From 7c4efde501b8af0469ff15602d8d046657dec4aa Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 10 May 2016 14:41:10 -0700
Subject: [PATCH 400/404] Ticket #48816 - (1.2.11 only) add a nsTLS1.0 on or
 off new configuration parameter to cn=encryption,cn=config in RHEL 6
 389-ds-base

Description: 389-ds-base-1.2.11 has no way to disable TLS1.0.  This patch is
adding config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config
so that the definition of nsTLS1 remains intact if the new parameters are not
specified explicitely.  If nsTLS10, nsTLS11 or nsTLS12 appear in the config
entry, nsTLS1 is ignored and the new parameters are added.

Default values:
nsTLS1: on
nsTLS10,nsTLS11,nsTLS12: ignored

Examples:
  cn=encryption,cn=config
  [no SSL version settings]
    ==> sslVersionMin: TLS1.0

  cn=encryption,cn=config
  nsTLS1: on
    ==> sslVersionMin: TLS1.0

  cn=encryption,cn=config
  nsTLS1: on | off
  nsTLS10: on
    ==> sslVersionMin: TLS1.0
    ==> Note: nsTLS1 is ignored.

  cn=encryption,cn=config
  nsTLS11: on
    ==> sslVersionMin: TLS1.1

  cn=encryption,cn=config
  nsTLS12: on
    ==> sslVersionMin: TLS1.2

Special cases:
  If all SSL version config parameters are off, SSL fails to configure.
  cn=encryption,cn=config
  nsTLS10: off
  nsTLS11: off
  nsTLS12: off
  nsTLS1: off
    ==> SSL configuration fails.
    ==> Note: nsSSL3 is off by default.

  cn=encryption,cn=config
  nsTLS10: on
  nsTLS12: off
    ==> sslVersionMin: TLS1.0
    ==> Note: nsTLS12 is ignored.
        Even if off is set to the higher SSL version as in this example,
        it is not used as sslVersionMax, but it is ignored.

https://fedorahosted.org/389/ticket/48816

Thanks so much for the ideas, comments and discussions, William, Ludwig, and Mark!!
Final review was made by wibrown@redhat.com (Thank you, William!!)

(cherry picked from commit 6111400a7b21785823e16b1071fc29bc21542213)
---
 ldap/schema/01core389.ldif |  5 +++-
 ldap/servers/slapd/ssl.c   | 71 +++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 65 insertions(+), 11 deletions(-)

diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index c962dc0..afa4ee6 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -119,6 +119,9 @@ attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attribut
 attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
 attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
@@ -172,5 +175,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
 objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 090c328..37a176f 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1058,6 +1058,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
     Slapi_Entry *e = NULL;
     PRBool enableSSL2 = PR_FALSE;
     PRBool enableSSL3 = PR_FALSE;
+    int enableTLS10 = -1;
+    int enableTLS11 = -1;
+    int enableTLS12 = -1;
     PRBool enableTLS1 = PR_TRUE;
     PRBool fipsMode = PR_FALSE;
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
@@ -1414,6 +1417,39 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
             }
         }
         slapi_ch_free_string( &val );
+        val = slapi_entry_attr_get_charptr( e, "nsTLS10" );
+        if ( val ) {
+            if ( !strcasecmp( val, "off" ) ) {
+                enableTLS10 = 0;
+            } else if ( !strcasecmp( val, "on" ) ) {
+                enableTLS10 = 1;
+            } else {
+                enableTLS10 = slapi_entry_attr_get_bool(e, "nsTLS10")?1:0;
+            }
+        }
+        slapi_ch_free_string( &val );
+        val = slapi_entry_attr_get_charptr( e, "nsTLS11" );
+        if ( val ) {
+            if ( !strcasecmp( val, "off" ) ) {
+                enableTLS11 = 0;
+            } else if ( !strcasecmp( val, "on" ) ) {
+                enableTLS11 = 1;
+            } else {
+                enableTLS11 = slapi_entry_attr_get_bool(e, "nsTLS11")?1:0;
+            }
+        }
+        slapi_ch_free_string( &val );
+        val = slapi_entry_attr_get_charptr( e, "nsTLS12" );
+        if ( val ) {
+            if ( !strcasecmp( val, "off" ) ) {
+                enableTLS12 = 0;
+            } else if ( !strcasecmp( val, "on" ) ) {
+                enableTLS12 = 1;
+            } else {
+                enableTLS12 = slapi_entry_attr_get_bool(e, "nsTLS12")?1:0;
+            }
+        }
+        slapi_ch_free_string( &val );
         val = slapi_entry_attr_get_charptr( e, "nsTLS1" );
         if ( val ) {
             if ( !strcasecmp( val, "off" ) ) {
@@ -1430,25 +1466,40 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
     if (NSSVersionMin > 0) {
         char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+        NSSVersionMax = enabledNSSVersions.max;
         /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
-        if (enableTLS1) {
+        if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
+            if (enableTLS10 > 0) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+            } else if (enableTLS11 > 0) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
+            } else if (enableTLS12 > 0) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
+            } else if (enableTLS1) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+            } else if (enableSSL3) {
+                NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
+                NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
+            } else {
+                slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+                                "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+                return 0;
+            }
+        } else if (enableTLS1) {
             NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
-        } else {
+        } else if (enableSSL3) {
             NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
             NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
-        }
-        if (enableSSL3) {
-            NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
-        } else if (!enableTLS1) {
-            slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off.  Enabling nsTLS1.");
-            NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
-            NSSVersionMax = enabledNSSVersions.max;
+        } else {
+            slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+                            "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+            return 0;
         }
         slapdNSSVersions.min = NSSVersionMin;
         slapdNSSVersions.max = NSSVersionMax;
         (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
         (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
-        slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
+        slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
                         "Configured SSL version range: min: %s, max: %s\n",
                         mymin, mymax);
         sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
-- 
2.4.11