Blob Blame Raw
From 413ac674d497a981b30bdc81b47ea2bb3e14ad57 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 11 Jun 2015 22:25:14 -0700
Subject: [PATCH] Ticket #48194 - nsSSL3Ciphers preference not enforced server
 side

Description: The fix for ticket 47838 accidentally changed the timing
of setting default cipher preferences and creating a sslSocket which
broke setting the default preferences to each sslSocket.

https://fedorahosted.org/389/ticket/48194

Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

(cherry picked from commit 53c9c4e84e3bcbc40de87b1e7cf7634d14599e1c)
(cherry picked from commit 99109e38ca671951c50724018fce71e2e362f0ff)
---
 ldap/servers/slapd/ssl.c | 97 +++++++++++++++++++++++++-----------------------
 1 file changed, 50 insertions(+), 47 deletions(-)

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 6b51e0c..36a4788 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1342,9 +1342,6 @@ slapd_ssl_init()
         freeConfigEntry( &entry );
     }
 
-    /* ugaston- Cipher preferences must be set before any sslSocket is created
-     * for such sockets to take preferences into account.
-     */
     freeConfigEntry( &entry );
  
     /* Introduce a way of knowing whether slapd_ssl_init has
@@ -1590,6 +1587,45 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 
     errorbuf[0] = '\0';
 
+    /*
+     * Cipher preferences must be set before any sslSocket is created
+     * for such sockets to take preferences into account.
+     */
+    getConfigEntry(configDN, &e);
+    if (e == NULL) {
+        slapd_SSL_warn("Security Initialization: Failed get config entry %s", configDN);
+        return 1;
+    }
+    val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
+    if (val) {
+        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
+                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+            allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
+        } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || 
+                !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+            allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
+        } else {
+            slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
+                           "Ignoring it and set it to default.", val, configDN);
+        }
+    }
+    slapi_ch_free((void **) &val);
+
+    /* Set SSL cipher preferences */
+    *cipher_string = 0;
+    if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
+         PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
+    slapi_ch_free((void **) &ciphers);
+
+    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
+        errorCode = PR_GetError();
+        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
+            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
+            val, errorCode, slapd_pr_strerror(errorCode));
+        slapi_ch_free((void **) &val);
+    }
+    freeConfigEntry(&e);
+
     /* Import pr fd into SSL */
     pr_sock = SSL_ImportFD( NULL, sock );
     if( pr_sock == (PRFileDesc *)NULL ) {
@@ -1632,8 +1668,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
         slapd_pk11_setSlotPWValues(slot, 0, 0);
     }
 
-
-
     /*
      * Now, get the complete list of cipher families. Each family
      * has a token name and personality name which we'll use to find
@@ -1816,9 +1850,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
             "out of disk space! Make more room in /tmp "
             "and try again. (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
             errorCode, slapd_pr_strerror(errorCode));
-      }
-      else {
-    slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
+      } else {
+        slapd_SSL_error("Config of server nonce cache failed (error %d - %s)",
             errorCode, slapd_pr_strerror(errorCode));
       }
       return rv;
@@ -1985,36 +2018,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
     }
 #endif
-    val = slapi_entry_attr_get_charptr(e, "allowWeakCipher");
-    if (val) {
-        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") || 
-                !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
-            allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
-        } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") || 
-                !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
-            allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
-        } else {
-            slapd_SSL_warn("The value of allowWeakCipher \"%s\" in %s is invalid.",
-                           "Ignoring it and set it to default.", val, configDN);
-        }
-    }
-    slapi_ch_free((void **) &val);
-
-    /* Set SSL cipher preferences */
-    *cipher_string = 0;
-    if(ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
-         PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
-    slapi_ch_free((void **) &ciphers);
-
-    if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
-        errorCode = PR_GetError();
-        slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
-            "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", 
-            val, errorCode, slapd_pr_strerror(errorCode));
-        rv = 3;
-        slapi_ch_free((void **) &val);
-    }
-
     freeConfigEntry( &e );
 
     if(( slapd_SSLclientAuth = config_get_SSLclientAuth()) != SLAPD_SSLCLIENTAUTH_OFF ) {
@@ -2059,17 +2062,17 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
 /* richm 20020227
    To do LDAP client SSL init, we need to do
 
-	static void
-	ldapssl_basic_init( void )
-	{
-    	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
+    static void
+    ldapssl_basic_init( void )
+    {
+        PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);
 
-    	PR_SetConcurrency( 4 );
-	}
+        PR_SetConcurrency( 4 );
+    }
     NSS_Init(certdbpath);
     SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE);
-	SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
-	s = NSS_SetDomesticPolicy(); 
+    SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
+    s = NSS_SetDomesticPolicy(); 
 We already do pr_init, we don't need pr_setconcurrency, we already do nss_init and the rest
 
 */   
@@ -2095,7 +2098,7 @@ slapd_SSL_client_auth (LDAP* ld)
         char **family;
         char *personality = NULL;
         char *activation = NULL;
-		char *cipher = NULL;
+        char *cipher = NULL;
 
         for (family = family_list; *family; family++) {
             getConfigEntry( *family, &entry );
-- 
1.9.3