From c9b6de5743e2fd7c965a1b8e99c3942b6734aed7 Mon Sep 17 00:00:00 2001 From: Noriko Hosoi Date: Oct 06 2014 16:15:51 +0000 Subject: Ticket #47493 - Configuration Tab does not work with FIPS mode enabled Bug Description: Admin Server CGI sec-activate retrieves attribute values of dn: cn=encryption,cn=configuration,cn=admin-serv-ID,cn=389 Administration Server,cn=Server Group,cn=FQDN,ou=DOMAIN,o=NetscapeRoot and return them to the client such as Console. The CGI sec-activate was supposed to get the knowledge if the FIPS mode is enabled or not, and return ciphers FIPS compliant, but the code was missing. In this patch, the code is added to check if it is FIPS mode or not and if it is, return just FIPS friendly ciphers in this patch. Plus unnecessary temp buffer and copies from temp to temp_return were removed. https://fedorahosted.org/389/ticket/47493 Reviewed by mreynolds@redhat.com (Thank you, Mark!!) --- diff --git a/admserv/cgi-src40/admpw.c b/admserv/cgi-src40/admpw.c index e695881..1e24423 100644 --- a/admserv/cgi-src40/admpw.c +++ b/admserv/cgi-src40/admpw.c @@ -50,11 +50,6 @@ #include #include -/* NSS - for password hashing */ -#include -#include -#include - #include "libadminutil/resource.h" #include "libadminutil/admutil.h" #include "libadminutil/distadm.h" diff --git a/admserv/cgi-src40/sec-activate.c b/admserv/cgi-src40/sec-activate.c index 6ae70ed..08568ca 100644 --- a/admserv/cgi-src40/sec-activate.c +++ b/admserv/cgi-src40/sec-activate.c @@ -38,6 +38,10 @@ extern "C" { #endif +#include +#include "nspr.h" +#include "pk11func.h" + #include "cert.h" #include "key.h" #include "certdb.h" 
@@ -213,18 +217,46 @@ int get_cert_nickname(char *buf, size_t bufsize) { } return -1; } + +void +drop_non_fips(char *val) +{ + char *p = NULL; + char *endp = NULL; + if (!val) { + return; + } + p = PL_strchr(val, '+'); + while (p) { + endp = PL_strchr(p, ','); + if (endp) { + *endp = '\0'; + /* E.g., p = "+rsa_rc2_40_md5" or p = "+fips_3des_sha" */ + if (!PL_strcasestr(p, "fips")) { + *p = '-'; + } + *endp = ','; + p = PL_strchr(endp+1, '+'); + } else { + break; + } + } +} + /* * int GetSSLFamilyAttributes * Reads all LDAP entries relating to cipher family information. * Returns return_string, a string of all information found, and * 0 on success, -1 on failure. */ -int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) { - +int +GetSSLFamilyAttributes(PsetHndl pset, char **return_string) +{ AttrNameList family_list; int errorCode; char temp_return[5000]; - char temp[1000]; + char *tmpp = NULL; + size_t tmplen = 0; char **family; char family_attribute[1024]; @@ -233,6 +265,7 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) { char *val; char *family_name; + PRBool isfips = PR_FALSE; *return_string = NULL; strcpy(temp_return, ""); @@ -240,11 +273,9 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) { val = psetGetAttrSingleValue(pset, "configuration.nsServerSecurity", &errorCode); - if(val) - PR_snprintf(temp, sizeof(temp), "security=%s\n", val); - else - PR_snprintf(temp, sizeof(temp), "security=off\n"); - PL_strcatn(temp_return, sizeof(temp_return), temp); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "security=%s\n", val?val:"off"); if((family_list = psetGetChildren(pset, "configuration.Encryption", &errorCode))) { 
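Review bot: drop_non_fips never examines the last cipher in the list: when PL_strchr(p, ',') finds no comma the loop takes the `break` without testing that token, so a trailing non-FIPS entry such as the second token of `+fips_3des_sha,+rsa_rc4_128_md5` — or a single-entry value with no comma at all — is still reported as enabled in FIPS mode, which defeats the purpose of the commit. The else branch should apply the same test before leaving: `} else { if (!PL_strcasestr(p, "fips")) { *p = '-'; } break; }`. Two limitations deserve a comment on the function: only tokens led by `+` are visited, so an unsigned token (if the cipher syntax allows one) passes unfiltered, and the filter is a substring match on "fips", which relies on the cipher naming convention rather than on what NSS actually permits in FIPS mode. The function also rewrites `val` in place; if psetGetAttrSingleValue returns a pointer into the pset's own storage rather than a copy, the cached attribute value is changed as a side effect — likely harmless in a one-shot CGI, but worth stating in the header comment.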
@@ -276,67 +307,75 @@ int GetSSLFamilyAttributes(PsetHndl pset, char **return_string) { family_name = strrchr(*family, '.'); family_name++; - PR_snprintf(temp, sizeof(temp), "familyList=%s\n", family_name); - PL_strcatn(temp_return, sizeof(temp_return), temp); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "familyList=%s\n", family_name); - PR_snprintf(temp, sizeof(temp), "%s-activated=%s\n", family_name, val); - PL_strcatn(temp_return, sizeof(temp_return), temp); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-activated=%s\n", family_name, val); - PR_snprintf(temp, sizeof(temp), "%s-token=%s\n", family_name, token); - PL_strcatn(temp_return, sizeof(temp_return), temp); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-token=%s\n", family_name, token); - PR_snprintf(temp, sizeof(temp), "%s-cert=%s\n", family_name, personality); - PL_strcatn(temp_return, sizeof(temp_return), temp); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "%s-cert=%s\n", family_name, personality); } } PL_strcatn(temp_return, sizeof(temp_return), "familyList=NULL\n"); /* get cipher preferences */ + isfips = PK11_IsFIPS(); val = NULL; val = psetGetAttrSingleValue(pset, "configuration.encryption.nsSSL2", &errorCode); - PL_strcatn(temp_return, sizeof(temp_return), "ssl2-activated="); - if(val) - PL_strcatn(temp_return, sizeof(temp_return), val); - PL_strcatn(temp_return, sizeof(temp_return), "\n"); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl2-activated=%s\n", val?val:""); val = NULL; val = psetGetAttrSingleValue(pset, "configuration.encryption.nsSSL2Ciphers", &errorCode); - PL_strcatn(temp_return, sizeof(temp_return), "ssl2="); - if(val) - 
PL_strcatn(temp_return, sizeof(temp_return), val); - PL_strcatn(temp_return, sizeof(temp_return), "\n"); + /* If is fips, don't allow ciphers without "fips" */ + if (isfips) { + drop_non_fips(val); + } + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl2=%s\n", val?val:""); val = NULL; val = psetGetAttrSingleValue(pset, "configuration.encryption.nsSSL3", &errorCode); - PL_strcatn(temp_return, sizeof(temp_return), "ssl3-activated="); - if(val) - PL_strcatn(temp_return, sizeof(temp_return), val); - PL_strcatn(temp_return, sizeof(temp_return), "\n"); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl3-activated=%s\n", val?val:""); val = NULL; val = psetGetAttrSingleValue(pset, "configuration.encryption.nsSSL3Ciphers", &errorCode); - PL_strcatn(temp_return, sizeof(temp_return), "ssl3="); - if(val) - PL_strcatn(temp_return, sizeof(temp_return), val); - PL_strcatn(temp_return, sizeof(temp_return), "\n"); + /* If is fips, don't allow ciphers without "fips" */ + if (isfips) { + drop_non_fips(val); + } + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "ssl3=%s\n", val?val:""); val = NULL; val = psetGetAttrSingleValue(pset, "configuration.encryption.nsSSLClientAuth", &errorCode); - PL_strcatn(temp_return, sizeof(temp_return), "clientauth="); - if(val) - PL_strcatn(temp_return, sizeof(temp_return), val); - PL_strcatn(temp_return, sizeof(temp_return), "\n"); + tmplen = strlen(temp_return); + tmpp = temp_return + tmplen; + PR_snprintf(tmpp, sizeof(temp_return) - tmplen, "clientauth=%s\n", val?val:""); *return_string = PORT_Strdup(temp_return); return 0;
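Review bot: Every PR_snprintf in this hunk discards its result, so once the accumulated text fills temp_return (a fixed 5000-byte local declared in the previous hunk) the remaining attributes — the FIPS-filtered `ssl3=` line and `clientauth=` among them — are silently cut off and GetSSLFamilyAttributes still returns 0, although its header comment promises -1 on failure. The old PL_strcatn path truncated the same way, but now that each append computes its own remaining space the check is cheap, and the nine identical tmplen/tmpp/PR_snprintf triples are better expressed as one static helper that reports overflow (needs <stdarg.h>; this assumes PR_vsnprintf NUL-terminates on truncation the way PR_snprintf does). A buffer that ends up exactly full is treated as overflow, which errs on the safe side. GetSSLFamilyAttributes begins in the previous hunk, and the loop over families also starts above this hunk.
```c
/* Append one formatted line to buf; returns -1 when it would not fit. */
static int
append_line(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    size_t used = strlen(buf);
    if (used + 1 >= bufsize) {
        return -1;
    }
    va_start(ap, fmt);
    PR_vsnprintf(buf + used, bufsize - used, fmt, ap);
    va_end(ap);
    /* an exactly full buffer cannot be told apart from a truncated one */
    return (strlen(buf) + 1 >= bufsize) ? -1 : 0;
}

/* … unchanged: GetSSLFamilyAttributes up to the cipher section … */
/* each tmplen/tmpp/PR_snprintf triple becomes a checked append, e.g.: */
if (append_line(temp_return, sizeof(temp_return), "ssl3=%s\n", val ? val : "") < 0) {
    return -1;
}
/* … unchanged: remaining attributes, PORT_Strdup, return 0 … */
```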