Blob Blame Raw
From 0e32f3731887dbdf9c594a94fee693826f1a96de Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 23 Sep 2014 14:38:00 -0700
Subject: [PATCH 10/14] Ticket #47908 - 389-ds 1.3.3.0 does not adjust cipher
 suite configuration on upgrade, breaks itself and pki-server

Description:
In the given cipher list:
  nsSSL3Ciphers: +rsa_fips_3des_sha,+rsa_fips_des_sha,+rsa_3des_sha,
   +rsa_rc4_128_md5,+rsa_des_sha,+rsa_rc2_40_md5,+rsa_rc4_40_md5,
   +fortezza
there were 2 issues.
1) An old cipher suite name rsa_des_sha was not correctly mapped
   to the name supported by NSS (TLS_RSA_WITH_DES_CBC_SHA) in the
   mapping table. And the unsupported cipher name was not gracefully
   skipped but returned an error.  This patch fixes the mapped name
   and the behaviour so that it skips the unknown/unsupported cipher.
2) A cipher "fortezza" is deprecated.  It's now skipped with the
   proper warning message.

Reviewed by rmeggins@redhat.com (Thank you, Rich!!)

https://fedorahosted.org/389/ticket/47908
(cherry picked from commit 83a6ceb556e769f0d0a201f4a3d783ae3915c6bc)
(cherry picked from commit 4e347407887589635fe077fb6174d20d3d34c7c8)
---
 ldap/servers/slapd/ssl.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 03b5904..4e38308 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -172,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = {
     {"tls_rsa_3des_sha",                    "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
     {"rsa_fips_3des_sha",                   "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
     {"fips_3des_sha",                       "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
-    {"rsa_des_sha",                         "SSL_RSA_WITH_DES_CBC_SHA"},
+    {"rsa_des_sha",                         "TLS_RSA_WITH_DES_CBC_SHA"},
     {"rsa_fips_des_sha",                    "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
     {"fips_des_sha",                        "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
     {"rsa_rc4_40_md5",                      "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
@@ -455,7 +455,7 @@ _conf_setciphers(char *ciphers, int flags)
     char *raw = ciphers;
     char **suplist = NULL;
     char **unsuplist = NULL;
-    int lookup;
+    PRBool enabledOne = PR_FALSE;
 
     /* #47838: harden the list of ciphers available by default */
     /* Default is to activate all of them ==> none of them*/
@@ -474,6 +474,7 @@ _conf_setciphers(char *ciphers, int flags)
          * from the console
          */
         _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
+        enabledOne = PR_TRUE;
     } else {
         /* If "+all" is not in nsSSL3Ciphers value, disable all first,
          * then enable specified ciphers. */
@@ -499,7 +500,7 @@ _conf_setciphers(char *ciphers, int flags)
 
         if (strcasecmp(ciphers, "all")) { /* if not all */
             PRBool enabled = active ? PR_TRUE : PR_FALSE;
-            lookup = 1;
+            int lookup = 1;
             for (x = 0; _conf_ciphers[x].name; x++) {
                 if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
                     if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
@@ -558,6 +559,9 @@ _conf_setciphers(char *ciphers, int flags)
                                         enabled = cipher_check_fips(x, NULL, &unsuplist);
                                     }
                                 }
+                                if (enabled) {
+                                    enabledOne = PR_TRUE; /* At least one active cipher is set. */
+                                }
                                 SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
                                 break;
                             }
@@ -566,15 +570,14 @@ _conf_setciphers(char *ciphers, int flags)
                     }
                 }
             }
-            if(!_conf_ciphers[x].name) {
-                PR_snprintf(err, sizeof(err), "unknown cipher %s", ciphers);
-                slapi_ch_free((void **)&suplist); /* strings inside are static */
-                slapi_ch_free((void **)&unsuplist); /* strings inside are static */
-                return slapi_ch_strdup(err);
+            if (!lookup && !_conf_ciphers[x].name) { /* If lookup, it's already reported. */
+                slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d.  Ignoring %s",
+                               ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
             }
         }
-        if(t)
+        if(t) {
             ciphers = t;
+        }
     }
     if (unsuplist && *unsuplist) {
         char *strsup = charray2str(suplist, ",");
@@ -592,6 +595,10 @@ _conf_setciphers(char *ciphers, int flags)
     slapi_ch_free((void **)&suplist); /* strings inside are static */
     slapi_ch_free((void **)&unsuplist); /* strings inside are static */
 
+    if (!enabledOne) {
+        char *nocipher = PR_smprintf("No active cipher suite is available.");
+        return nocipher;
+    }
     _conf_dumpciphers();
         
     return NULL;
-- 
1.9.3