#49727 Ticket 49726 - DS only accepts RSA and Fortezza cipher families
Closed 3 years ago by spichugi. Opened 5 years ago by mreynolds.
mreynolds/389-ds-base ticket49726  into  master

file modified
+20 -116
@@ -31,28 +31,11 @@ 

  #include "fe.h"

  #include "certdb.h"

  

- #if !defined(USE_OPENLDAP)

- #include "ldap_ssl.h"

- #endif

- 

  /* For IRIX... */

  #ifndef MAXPATHLEN

  #define MAXPATHLEN 1024

  #endif

  

- #if NSS_VMAJOR * 100 + NSS_VMINOR >= 315

- /* TLS1.2 is defined in RFC5246. */

- #define NSS_TLS12 1

- #elif NSS_VMAJOR * 100 + NSS_VMINOR >= 314

- /* TLS1.1 is defined in RFC4346. */

- #define NSS_TLS11 1

- #else

- #define NSS_TLS10 1

- #endif

- 

- #if NSS_VMAJOR * 100 + NSS_VMINOR >= 320

- #define HAVE_NSS_DHE 1

- #endif

  

  /******************************************************************************

   * Default SSL Version Rule
@@ -70,10 +53,9 @@ 

  

  extern char *slapd_SSL3ciphers;

  extern symbol_t supported_ciphers[];

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

  static SSLVersionRange enabledNSSVersions;

  static SSLVersionRange slapdNSSVersions;

- #endif

+ 

  

  /* dongle_file_name is set in slapd_nss_init when we set the path for the

     key, cert, and secmod files - the dongle file must be in the same directory
@@ -109,12 +91,10 @@ 

  #define CIPHER_SET_DEFAULTWEAKCIPHER 0x10  /* allowWeakCipher is not set in cn=encryption */

  #define CIPHER_SET_ALLOWWEAKCIPHER 0x20    /* allowWeakCipher is on */

  #define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */

- 

- #ifdef HAVE_NSS_DHE

  #define CIPHER_SET_DEFAULTWEAKDHPARAM 0x100  /* allowWeakDhParam is not set in cn=encryption */

  #define CIPHER_SET_ALLOWWEAKDHPARAM 0x200    /* allowWeakDhParam is on */

  #define CIPHER_SET_DISALLOWWEAKDHPARAM 0x400 /* allowWeakDhParam is off */

- #endif

+ 

  

  #define CIPHER_SET_ISDEFAULT(flag) \

      (((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
@@ -145,10 +125,7 @@ 

  #define CIPHER_IS_WEAK 0x4

  #define CIPHER_IS_DEPRECATED 0x8

  

- #ifdef HAVE_NSS_DHE

  static int allowweakdhparam = CIPHER_SET_DEFAULTWEAKDHPARAM;

- #endif

- 

  

  static char **cipher_names = NULL;

  static char **enabled_cipher_names = NULL;
@@ -225,12 +202,10 @@ 

      /*{"tls_dhe_dss_1024_des_sha",          ""}, */

      {"tls_dhe_dss_1024_rc4_sha", "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"},

      {"tls_dhe_dss_rc4_128_sha", "TLS_DHE_DSS_WITH_RC4_128_SHA"},

- #if defined(NSS_TLS12)

      /* New in NSS 3.15 */

      {"tls_rsa_aes_128_gcm_sha", "TLS_RSA_WITH_AES_128_GCM_SHA256"},

      {"tls_dhe_rsa_aes_128_gcm_sha", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"},

      {"tls_dhe_dss_aes_128_gcm_sha", NULL}, /* not available */

- #endif

      {NULL, NULL}};

  

  /* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */
@@ -317,7 +292,6 @@ 

      SSLCipherSuiteInfo info;

      char *sep = "::";

      int number_of_ciphers = SSL_NumImplementedCiphers;

-     int i;

      int idx = 0;

      PRBool isFIPS = slapd_pk11_isFIPS();

  
@@ -325,7 +299,7 @@ 

  

      if ((cipher_names == NULL) && (_conf_ciphers)) {

          cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));

-         for (i = 0; _conf_ciphers[i].name != NULL; i++) {

+         for (size_t i = 0; _conf_ciphers[i].name != NULL; i++) {

              SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[i].num, &info, sizeof(info));

              /* only support FIPS approved ciphers in FIPS mode */

              if (!isFIPS || info.isFIPS) {
@@ -341,7 +315,6 @@ 

      return cipher_names;

  }

  

- #ifdef HAVE_NSS_DHE

  int

  get_allow_weak_dh_param(Slapi_Entry *e)

  {
@@ -365,7 +338,6 @@ 

      slapi_ch_free((void **)&val);

      return allow;

  }

- #endif

  

  

  char **
@@ -374,7 +346,6 @@ 

      SSLCipherSuiteInfo info;

      char *sep = "::";

      int number_of_ciphers = 0;

-     int x;

      int idx = 0;

      PRBool enabled;

  
@@ -383,14 +354,14 @@ 

          return NULL;

      }

      if ((enabled_cipher_names == NULL) && _conf_ciphers) {

-         for (x = 0; _conf_ciphers[x].name; x++) {

+         for (size_t x = 0; _conf_ciphers[x].name; x++) {

              SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);

              if (enabled) {

                  number_of_ciphers++;

              }

          }

          enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));

-         for (x = 0; _conf_ciphers[x].name; x++) {

+         for (size_t x = 0; _conf_ciphers[x].name; x++) {

              SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);

              if (enabled) {

                  SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num, &info, sizeof(info));
@@ -472,9 +443,6 @@ 

          }

          return -1;

      }

- #if defined(NSS_TLS10)

-     return -1; /* not supported */

- #else          /* NSS_TLS11 or newer */

      if (min) {

          *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);

      }
@@ -482,10 +450,8 @@ 

          *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);

      }

      return 0;

- #endif

  }

  

- #if defined(USE_OPENLDAP)

  void

  getSSLVersionRangeOL(int *min, int *max)

  {
@@ -499,10 +465,7 @@ 

      if (!slapd_ssl_listener_is_initialized()) {

          return;

      }

- #if defined(NSS_TLS10)

-     *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;

-     return;

- #else /* NSS_TLS11 or newer */

+ 

      if (min) {

          switch (slapdNSSVersions.min) {

          case SSL_LIBRARY_VERSION_3_0:
@@ -550,14 +513,11 @@ 

          }

      }

      return;

- #endif

  }

- #endif /* USE_OPENLDAP */

  

  static void

  _conf_init_ciphers(void)

  {

-     int x;

      SECStatus rc;

      SSLCipherSuiteInfo info;

      const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
@@ -568,7 +528,7 @@ 

      }

      _conf_ciphers = (cipherstruct *)slapi_ch_calloc(SSL_NumImplementedCiphers + 1, sizeof(cipherstruct));

  

-     for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {

+     for (size_t x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {

          rc = SSL_GetCipherSuiteInfo(implementedCiphers[x], &info, sizeof info);

          if (SECFailure == rc) {

              slapi_log_err(SLAPI_LOG_ERR, "Security Initialization",
@@ -598,7 +558,6 @@ 

  static void

  _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)

  {

-     int x;

      SECStatus rc;

      PRBool setdefault = CIPHER_SET_ISDEFAULT(flag);

      PRBool enabled = CIPHER_SET_ISALL(flag);
@@ -608,7 +567,7 @@ 

  

      _conf_init_ciphers();

  

-     for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {

+     for (size_t x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {

          if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) {

              /* certainly, not the first time. */

              setme = PR_TRUE;
@@ -663,11 +622,10 @@ 

  void

  _conf_dumpciphers(void)

  {

-     int x;

      PRBool enabled;

      /* {"SSL3","rc4", SSL_EN_RC4_128_WITH_MD5}, */

      slapd_SSL_info("Configured NSS Ciphers");

-     for (x = 0; _conf_ciphers[x].name; x++) {

+     for (size_t x = 0; _conf_ciphers[x].name; x++) {

          SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);

          if (enabled) {

              slapd_SSL_info("\t%s: enabled%s%s%s", _conf_ciphers[x].name,
@@ -687,7 +645,8 @@ 

  _conf_setciphers(char *setciphers, int flags)

  {

      char *t, err[MAGNUS_ERROR_LEN];

-     int x, i, active;

+     int active;

+     size_t x = 0;

      char *raw = setciphers;

      char **suplist = NULL;

      char **unsuplist = NULL;
@@ -772,7 +731,7 @@ 

                  }

              }

              if (lookup) { /* lookup with old cipher name and get NSS cipherSuiteName */

-                 for (i = 0; _lookup_cipher[i].alias; i++) {

+                 for (size_t i = 0; _lookup_cipher[i].alias; i++) {

                      if (!PL_strcasecmp(setciphers, _lookup_cipher[i].alias)) {

                          if (enabled && !_lookup_cipher[i].name[0]) {

                              slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d.  Ignoring %s",
@@ -915,9 +874,8 @@ 

          slapi_pblock_get(new_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);

          slapi_pblock_get(new_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e);

          if (e != NULL) {

-             int i;

              list = (char **)slapi_ch_malloc(sizeof(*list) * (nEntries + 1));

-             for (i = 0; e[i] != NULL; i++) {

+             for (size_t i = 0; e[i] != NULL; i++) {

                  list[i] = slapi_ch_strdup(slapi_entry_get_dn(e[i]));

              }

              list[nEntries] = NULL;
@@ -935,8 +893,7 @@ 

  freeChildren(char **list)

  {

      if (list != NULL) {

-         int i;

-         for (i = 0; list[i] != NULL; i++) {

+         for (size_t i = 0; list[i] != NULL; i++) {

              slapi_ch_free((void **)(&list[i]));

          }

          slapi_ch_free((void **)(&list));
@@ -1017,7 +974,6 @@ 

      return ret;

  }

  

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

  /*

   * If non NULL buf and positive bufsize is given,

   * the memory is used to store the version string.
@@ -1183,7 +1139,6 @@ 

          }

      }

  }

- #endif

  

  /*

   * slapd_nss_init() is always called from main(), even if we do not
@@ -1206,7 +1161,6 @@ 

      int create_certdb = 0;

      PRUint32 nssFlags = 0;

      char *certdir;

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

      char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];

      /* Get the range of the supported SSL version */

      SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
@@ -1216,7 +1170,6 @@ 

      slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization",

                    "slapd_nss_init - Supported range by NSS: min: %s, max: %s\n",

                    emin, emax);

- #endif

  

      /* set in slapd_bootstrap_config,

         thus certdir is available even if config_available is false */
@@ -1385,9 +1338,7 @@ 

      char *val = NULL;

      PK11SlotInfo *slot;

      Slapi_Entry *entry = NULL;

- #ifdef HAVE_NSS_DHE

      SECStatus rv = SECFailure;

- #endif

  

      /* Get general information */

  
@@ -1396,7 +1347,6 @@ 

      val = slapi_entry_attr_get_charptr(entry, "nssslSessionTimeout");

      ciphers = slapi_entry_attr_get_charptr(entry, "nsssl3ciphers");

  

- #ifdef HAVE_NSS_DHE

      allowweakdhparam = get_allow_weak_dh_param(entry);

      if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {

          slapd_SSL_warn("notice, generating new WEAK DH param");
@@ -1405,7 +1355,6 @@ 

              slapd_SSL_error("Warning, unable to generate weak dh parameters");

          }

      }

- #endif

  

      /* We are currently using the value of sslSessionTimeout

         for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
@@ -1527,7 +1476,6 @@ 

      return 0;

  }

  

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

  /*

   * val:   sslVersionMin/Max value set in cn=encription,cn=config (INPUT)

   * rval:  Corresponding value to set SSLVersionRange (OUTPUT)
@@ -1541,7 +1489,7 @@ 

  set_NSS_version(char *val, PRUint16 *rval, int ismin)

  {

      char *vp, *endp;

-     int vnum;

+     int64_t vnum;

      char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];

  

      if (NULL == rval) {
@@ -1662,7 +1610,6 @@ 

                  }

              }

          } else if (tlsv < 1.3) { /* TLS1.2 */

- #if defined(NSS_TLS12)

              if (ismin) {

                  if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {

                      slapd_SSL_warn("The value of sslVersionMin "
@@ -1685,7 +1632,6 @@ 

                      (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;

                  }

              }

- #endif

          } else { /* Specified TLS is newer than supported */

              if (ismin) {

                  slapd_SSL_warn("The value of sslVersionMin "
@@ -1720,7 +1666,6 @@ 

  #undef SSLLEN

  #undef TLSSTR

  #undef TLSLEN

- #endif

  

  int

  slapd_ssl_init2(PRFileDesc **fd, int startTLS)
@@ -1740,12 +1685,10 @@ 

      char *tmpDir;

      Slapi_Entry *e = NULL;

      PRBool fipsMode = PR_FALSE;

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

      PRUint16 NSSVersionMin = enabledNSSVersions.min;

      PRUint16 NSSVersionMax = enabledNSSVersions.max;

      char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];

      char newmax[VERSION_STR_LENGTH];

- #endif

      char cipher_string[1024];

      int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;

      int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN;
@@ -1964,15 +1907,13 @@ 

                  }

  

                  if (SECSuccess == rv) {

+                     SSLKEAType certKEA;

  

- #ifdef HAVE_NSS_DHE

-                     /* Step If we want weak dh params, flag it on the socket now! */

- 

+                     /* If we want weak dh params, flag it on the socket now! */

                      rv = SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE);

                      if (rv != SECSuccess) {

                          slapd_SSL_warn("Warning, unable to start DHE");

                      }

- 

                      if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {

                          slapd_SSL_warn("notice, allowing weak parameters on socket.");

                          rv = SSL_EnableWeakDHEPrimeGroup(*fd, PR_TRUE);
@@ -1980,13 +1921,9 @@ 

                              slapd_SSL_warn("Warning, unable to allow weak DH params on socket.");

                          }

                      }

- #endif

  

-                     if (slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE) {

-                         rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza);

-                     } else {

-                         rv = SSL_ConfigSecureServer(*fd, cert, key, kt_rsa);

-                     }

+                     certKEA = NSS_FindCertKEAType(cert);

+                     rv = SSL_ConfigSecureServer(*fd, cert, key, certKEA);

                      if (SECSuccess != rv) {

                          errorCode = PR_GetError();

                          slapd_SSL_warn("ConfigSecureServer: "
@@ -2140,7 +2077,6 @@ 

              enableTLS1 = PR_TRUE; /* If available, enable TLS1 */

          }

          slapi_ch_free_string(&val);

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

          val = slapi_entry_attr_get_charptr(e, "sslVersionMin");

          if (val) {

              (void)set_NSS_version(val, &NSSVersionMin, 1);
@@ -2161,9 +2097,8 @@ 

                             mymax, newmax);

              NSSVersionMax = enabledNSSVersions.max;

          }

- #endif

      }

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

+ 

      if (NSSVersionMin > 0) {

          /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */

          slapdNSSVersions.min = NSSVersionMin;
@@ -2183,7 +2118,6 @@ 

                              mymin, mymax);

          }

      } else {

- #endif

          /* deprecated code */

          sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3);

          if (sslStatus != SECSuccess) {
@@ -2202,9 +2136,7 @@ 

                             enableTLS1 ? "enable" : "disable",

                             errorCode, slapd_pr_strerror(errorCode));

          }

- #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */

      }

- #endif

  

      val = NULL;

      if (e != NULL) {
@@ -2382,12 +2314,8 @@ 

                               */

                              token = slapi_ch_strdup(internalTokenName);

                          }

- #if defined(USE_OPENLDAP)

                          /* openldap needs tokenname:certnick */

                          PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);

- #else

-                         PL_strncpyz(cert_name, personality, sizeof(cert_name));

- #endif

                          slapi_ch_free_string(&ssltoken);

                      } else {

                          /* external PKCS #11 token - attach token name */
@@ -2461,7 +2389,6 @@ 

                             "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",

                             errorCode, slapd_pr_strerror(errorCode));

          } else {

- #if defined(USE_OPENLDAP)

              if (slapi_client_uses_non_nss(ld)  && config_get_extract_pem()) {

                  char *certdir = config_get_certdir();

                  char *keyfile = NULL;
@@ -2532,29 +2459,6 @@ 

                                     cert_name);

                  }

              }

- /*

-              * not sure what else needs to be done for client auth - don't

-              * currently have a way to pass in the password to use to unlock

-              * the keydb - nor a way to disable caching

-              */

- #else /* !USE_OPENLDAP */

-             rc = ldapssl_enable_clientauth(ld, SERVER_KEY_NAME, pw, cert_name);

-             if (rc != 0) {

-                 errorCode = PR_GetError();

-                 slapd_SSL_error("ldapssl_enable_clientauth(%s, %s) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",

-                                 SERVER_KEY_NAME, cert_name, rc,

-                                 errorCode, slapd_pr_strerror(errorCode));

-             } else {

-                 /*

-                  * We cannot allow NSS to cache outgoing client auth connections -

-                  * each client auth connection must have it's own non-shared SSL

-                  * connection to the peer so that it will go through the

-                  * entire handshake protocol every time including the use of its

-                  * own unique client cert - see bug 605457

-                  */

-                 ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);

-             }

- #endif

          }

      }

  

Bug Description: Currently DS only accepts fortezza and RSA cipher families.
This prevents things like ECC certificates from being used.

Fix Description: Instead of hardcoding the cipher families, just grab the
current type and use it.

              Also cleaned up code: removed unncessary "ifdefs", and switched
              for loops to use size_t.

https://pagure.io/389-ds-base/issue/49726

Reviewed by: ?

You got my ACK for the fix itself.

I noticed the PR drops checks for USE_OPENLDAP. For that, we should also remove the #include "ldap_ssl.h" at the top of the file. ldap_ssl.h does not even seem to be in the tree. Other than that, it looks all right to me.

Additionally, I guess it makes sense to get rid of --with-openldap build flag altogether. @mreynolds, should we file a ticket?

Yeah we need a different ticket to "remove openldap ifdefs" completely and make openldap the default. I just like to cleanup code when I touch files. Anyway changes applied

rebased onto 27a16a0

5 years ago

Pull-Request has been merged by mreynolds

5 years ago

Created issue #49730 for "remove openldap ifdefs".

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/2786

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

3 years ago
Metadata