« back to all changes in this revision
Viewing changes to ldap/servers/slapd/ssl.c
- browse files at revision 16
- compare with another revision
- download diff
- download tarball
- view history from revision 16
- Committer: Package Import Robot
- Author(s): Timo Aaltonen
- Date: 2014-10-20 09:57:14 UTC
- mfrom: (0.2.6)
- Revision ID: package-import@ubuntu.com-20141020095714-0yysndkl2h6ts0yj
Tags: 1.3.3.5-1
* New upstream bugfix release.
* control: Bump policy, no changes.
* control: Bump policy, no changes.
- files added:
- dirsrvtests/tickets/ticket47900_test.py
- files modified:
- VERSION.sh
added
removed
ldap/servers/slapd/ssl.c
120
120
121
121
/* ----------------------- Multiple cipher support ------------------------ */
122
122
/* cipher set flags */
123
#define CIPHER_SET_ALL 0x1
124
#define CIPHER_SET_NONE 0x0
125
#define CIPHER_SET_DEFAULT 0x2
126
#define CIPHER_SET_CORE (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
127
#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
123
#define CIPHER_SET_NONE 0x0
124
#define CIPHER_SET_ALL 0x1
125
#define CIPHER_SET_DEFAULT 0x2
126
#define CIPHER_SET_DEFAULTWEAKCIPHER 0x10 /* allowWeakCipher is not set in cn=encryption */
127
#define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */
128
#define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
128
129
129
130
#define CIPHER_SET_ISDEFAULT(flag) \
130
((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
131
(((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
131
132
#define CIPHER_SET_ISALL(flag) \
132
((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
133
(((flag)&CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
134
135
#define ALLOWWEAK_ISDEFAULT(flag) \
136
(((flag)&CIPHER_SET_DEFAULTWEAKCIPHER) ? PR_TRUE : PR_FALSE)
137
#define ALLOWWEAK_ISON(flag) \
138
(((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
139
#define ALLOWWEAK_ISOFF(flag) \
140
(((flag)&CIPHER_SET_DISALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
141
/*
142
* If ISALL or ISDEFAULT, allowWeakCipher is true only if CIPHER_SET_ALLOWWEAKCIPHER.
143
* Otherwise (user specified cipher list), allowWeakCipher is true
144
* if CIPHER_SET_ALLOWWEAKCIPHER or CIPHER_SET_DEFAULTWEAKCIPHER.
145
*/
133
146
#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
134
(((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
147
((CIPHER_SET_ISDEFAULT(flag)|CIPHER_SET_ISALL(flag)) ? \
148
(ALLOWWEAK_ISON(flag) ? PR_TRUE : PR_FALSE) : \
149
(!ALLOWWEAK_ISOFF(flag) ? PR_TRUE : PR_FALSE))
150
135
151
#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
136
152
((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
137
153
141
157
#define CIPHER_IS_WEAK 0x4
142
158
#define CIPHER_IS_DEPRECATED 0x8
143
159
static char **cipher_names = NULL;
160
static char **enabled_cipher_names = NULL;
144
161
typedef struct {
145
162
char *name;
146
163
int num;
172
189
{"tls_rsa_3des_sha", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
173
190
{"rsa_fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
174
191
{"fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
175
{"rsa_des_sha", "SSL_RSA_WITH_DES_CBC_SHA"},
192
{"rsa_des_sha", "TLS_RSA_WITH_DES_CBC_SHA"},
176
193
{"rsa_fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
177
194
{"fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
178
195
{"rsa_rc4_40_md5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
249
266
va_end(args);
250
267
}
251
268
252
char ** getSupportedCiphers()
269
char **
270
getSupportedCiphers()
253
271
{
254
272
SSLCipherSuiteInfo info;
255
273
char *sep = "::";
278
296
return cipher_names;
279
297
}
280
298
299
char **
300
getEnabledCiphers()
301
{
302
SSLCipherSuiteInfo info;
303
char *sep = "::";
304
int number_of_ciphers = 0;
305
int x;
306
int idx = 0;
307
PRBool enabled;
308
309
/* We have to wait until the SSL initialization is done. */
310
if (!slapd_ssl_listener_is_initialized()) {
311
return NULL;
312
}
313
if ((enabled_cipher_names == NULL) && _conf_ciphers) {
314
for (x = 0; _conf_ciphers[x].name; x++) {
315
SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
316
if (enabled) {
317
number_of_ciphers++;
318
}
319
}
320
enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
321
for (x = 0; _conf_ciphers[x].name; x++) {
322
SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
323
if (enabled) {
324
SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
325
enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
326
_conf_ciphers[x].name,sep,
327
info.symCipherName,sep,
328
info.macAlgorithmName,sep,
329
info.symKeyBits);
330
}
331
}
332
}
333
334
return enabled_cipher_names;
335
}
336
281
337
static PRBool
282
338
cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
283
339
{
455
511
char *raw = ciphers;
456
512
char **suplist = NULL;
457
513
char **unsuplist = NULL;
458
int lookup;
514
PRBool enabledOne = PR_FALSE;
459
515
460
516
/* #47838: harden the list of ciphers available by default */
461
517
/* Default is to activate all of them ==> none of them*/
462
518
if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
463
_conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
519
_conf_setallciphers((CIPHER_SET_DEFAULT|flags), NULL, NULL);
464
520
slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
465
521
_conf_dumpciphers();
466
522
return NULL;
473
529
* set of ciphers in the table. Right now there is no support for this
474
530
* from the console
475
531
*/
476
_conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
532
_conf_setallciphers((CIPHER_SET_ALL|flags), &suplist, NULL);
533
enabledOne = PR_TRUE;
477
534
} else {
478
535
/* If "+all" is not in nsSSL3Ciphers value, disable all first,
479
536
* then enable specified ciphers. */
499
556
500
557
if (strcasecmp(ciphers, "all")) { /* if not all */
501
558
PRBool enabled = active ? PR_TRUE : PR_FALSE;
502
lookup = 1;
559
int lookup = 1;
503
560
for (x = 0; _conf_ciphers[x].name; x++) {
504
561
if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
505
562
if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
506
if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
563
if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
507
564
slapd_SSL_warn("Cipher %s is weak. It is enabled since allowWeakCipher is \"on\" "
508
565
"(default setting for the backward compatibility). "
509
566
"We strongly recommend to set it to \"off\". "
521
578
check fips. */
522
579
enabled = cipher_check_fips(x, NULL, &unsuplist);
523
580
}
581
if (enabled) {
582
enabledOne = PR_TRUE; /* At least one active cipher is set. */
583
}
524
584
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
525
585
lookup = 0;
526
586
break;
538
598
if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
539
599
if (enabled) {
540
600
if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
541
if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
601
if (active && CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
542
602
slapd_SSL_warn("Cipher %s is weak. "
543
603
"It is enabled since allowWeakCipher is \"on\" "
544
604
"(default setting for the backward compatibility). "
558
618
enabled = cipher_check_fips(x, NULL, &unsuplist);
559
619
}
560
620
}
621
if (enabled) {
622
enabledOne = PR_TRUE; /* At least one active cipher is set. */
623
}
561
624
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
562
625
break;
563
626
}
566
629
}
567
630
}
568
631
}
569
if(!_conf_ciphers[x].name) {
570
PR_snprintf(err, sizeof(err), "unknown cipher %s", ciphers);
571
slapi_ch_free((void **)&suplist); /* strings inside are static */
572
slapi_ch_free((void **)&unsuplist); /* strings inside are static */
573
return slapi_ch_strdup(err);
632
if (!lookup && !_conf_ciphers[x].name) { /* If lookup, it's already reported. */
633
slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s",
634
ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
574
635
}
575
636
}
576
if(t)
637
if(t) {
577
638
ciphers = t;
639
}
578
640
}
579
641
if (unsuplist && *unsuplist) {
580
642
char *strsup = charray2str(suplist, ",");
592
654
slapi_ch_free((void **)&suplist); /* strings inside are static */
593
655
slapi_ch_free((void **)&unsuplist); /* strings inside are static */
594
656
657
if (!enabledOne) {
658
char *nocipher = PR_smprintf("No active cipher suite is available.");
659
return nocipher;
660
}
595
661
_conf_dumpciphers();
596
662
597
663
return NULL;
1058
1124
int rv = 0;
1059
1125
PK11SlotInfo *slot;
1060
1126
Slapi_Entry *entry = NULL;
1061
int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
1127
int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
1062
1128
1063
1129
/* Get general information */
1064
1130
1098
1164
}
1099
1165
1100
1166
val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
1101
if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
1102
!PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
1103
allowweakcipher = 0;
1167
if (val) {
1168
if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
1169
!PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
1170
allowweakcipher = CIPHER_SET_DISALLOWWEAKCIPHER;
1171
} else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
1172
!PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
1173
allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
1174
} else {
1175
slapd_SSL_warn("The value of allowWeakCipher \"%s\" in "
1176
"cn=encryption,cn=config is invalid. "
1177
"Ignoring it and set it to default.", val);
1178
}
1104
1179
}
1105
1180
slapi_ch_free((void **) &val);
1106
1181
Loggerhead is a web-based interface for Breezy
Version: 2.0.1