121
121
/* ----------------------- Multiple cipher support ------------------------ */
122
122
/* cipher set flags */
123
#define CIPHER_SET_ALL 0x1
124
#define CIPHER_SET_NONE 0x0
125
#define CIPHER_SET_DEFAULT 0x2
126
#define CIPHER_SET_CORE (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
127
#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
123
#define CIPHER_SET_NONE 0x0
124
#define CIPHER_SET_ALL 0x1
125
#define CIPHER_SET_DEFAULT 0x2
126
#define CIPHER_SET_DEFAULTWEAKCIPHER 0x10 /* allowWeakCipher is not set in cn=encryption */
127
#define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */
128
#define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
129
130
#define CIPHER_SET_ISDEFAULT(flag) \
130
((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
131
(((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
131
132
#define CIPHER_SET_ISALL(flag) \
132
((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
133
(((flag)&CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
135
#define ALLOWWEAK_ISDEFAULT(flag) \
136
(((flag)&CIPHER_SET_DEFAULTWEAKCIPHER) ? PR_TRUE : PR_FALSE)
137
#define ALLOWWEAK_ISON(flag) \
138
(((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
139
#define ALLOWWEAK_ISOFF(flag) \
140
(((flag)&CIPHER_SET_DISALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
142
* If ISALL or ISDEFAULT, allowWeakCipher is true only if CIPHER_SET_ALLOWWEAKCIPHER.
143
* Otherwise (user specified cipher list), allowWeakCipher is true
144
* if CIPHER_SET_ALLOWWEAKCIPHER or CIPHER_SET_DEFAULTWEAKCIPHER.
133
146
#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
134
(((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
147
((CIPHER_SET_ISDEFAULT(flag)|CIPHER_SET_ISALL(flag)) ? \
148
(ALLOWWEAK_ISON(flag) ? PR_TRUE : PR_FALSE) : \
149
(!ALLOWWEAK_ISOFF(flag) ? PR_TRUE : PR_FALSE))
135
151
#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
136
152
((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
172
189
{"tls_rsa_3des_sha", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
173
190
{"rsa_fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
174
191
{"fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
175
{"rsa_des_sha", "SSL_RSA_WITH_DES_CBC_SHA"},
192
{"rsa_des_sha", "TLS_RSA_WITH_DES_CBC_SHA"},
176
193
{"rsa_fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
177
194
{"fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
178
195
{"rsa_rc4_40_md5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
278
296
return cipher_names;
302
SSLCipherSuiteInfo info;
304
int number_of_ciphers = 0;
309
/* We have to wait until the SSL initialization is done. */
310
if (!slapd_ssl_listener_is_initialized()) {
313
if ((enabled_cipher_names == NULL) && _conf_ciphers) {
314
for (x = 0; _conf_ciphers[x].name; x++) {
315
SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
320
enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
321
for (x = 0; _conf_ciphers[x].name; x++) {
322
SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
324
SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
325
enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
326
_conf_ciphers[x].name,sep,
327
info.symCipherName,sep,
328
info.macAlgorithmName,sep,
334
return enabled_cipher_names;
282
338
cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
455
511
char *raw = ciphers;
456
512
char **suplist = NULL;
457
513
char **unsuplist = NULL;
514
PRBool enabledOne = PR_FALSE;
460
516
/* #47838: harden the list of ciphers available by default */
461
517
/* Default is to activate all of them ==> none of them*/
462
518
if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
463
_conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
519
_conf_setallciphers((CIPHER_SET_DEFAULT|flags), NULL, NULL);
464
520
slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
465
521
_conf_dumpciphers();
473
529
* set of ciphers in the table. Right now there is no support for this
474
530
* from the console
476
_conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
532
_conf_setallciphers((CIPHER_SET_ALL|flags), &suplist, NULL);
533
enabledOne = PR_TRUE;
478
535
/* If "+all" is not in nsSSL3Ciphers value, disable all first,
479
536
* then enable specified ciphers. */
500
557
if (strcasecmp(ciphers, "all")) { /* if not all */
501
558
PRBool enabled = active ? PR_TRUE : PR_FALSE;
503
560
for (x = 0; _conf_ciphers[x].name; x++) {
504
561
if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
505
562
if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
506
if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
563
if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
507
564
slapd_SSL_warn("Cipher %s is weak. It is enabled since allowWeakCipher is \"on\" "
508
565
"(default setting for the backward compatibility). "
509
566
"We strongly recommend to set it to \"off\". "
522
579
enabled = cipher_check_fips(x, NULL, &unsuplist);
582
enabledOne = PR_TRUE; /* At least one active cipher is set. */
524
584
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
538
598
if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
540
600
if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
541
if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
601
if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
542
602
slapd_SSL_warn("Cipher %s is weak. "
543
603
"It is enabled since allowWeakCipher is \"on\" "
544
604
"(default setting for the backward compatibility). "
558
618
enabled = cipher_check_fips(x, NULL, &unsuplist);
622
enabledOne = PR_TRUE; /* At least one active cipher is set. */
561
624
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
569
if(!_conf_ciphers[x].name) {
570
PR_snprintf(err, sizeof(err), "unknown cipher %s", ciphers);
571
slapi_ch_free((void **)&suplist); /* strings inside are static */
572
slapi_ch_free((void **)&unsuplist); /* strings inside are static */
573
return slapi_ch_strdup(err);
632
if (!lookup && !_conf_ciphers[x].name) { /* If lookup, it's already reported. */
633
slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s",
634
ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
579
641
if (unsuplist && *unsuplist) {
580
642
char *strsup = charray2str(suplist, ",");
1100
1166
val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
1101
if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
1102
!PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
1103
allowweakcipher = 0;
1168
if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
1169
!PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
1170
allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
1171
} else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
1172
!PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
1173
allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
1175
slapd_SSL_warn("The value of allowWeakCipher \"%s\" in "
1176
"cn=encryption,cn=config is invalid. "
1177
"Ignoring it and set it to default.", val);
1105
1180
slapi_ch_free((void **) &val);