console/src/com/netscape/management/client/security CipherPreferenceDialog.java, 1.2, 1.3 securityResource.properties, 1.3, 1.4
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/console/src/com/netscape/management/client/security
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv30767/client/security
Modified Files:
CipherPreferenceDialog.java securityResource.properties
Log Message:
Bug 151705 - Need to update Console Cipher Preferences with new ciphers
https://bugzilla.redhat.com/show_bug.cgi?id=151705
Description:
1) added new ciphers.
rsa_null_sha, tls_rsa_aes_128_sha, tls_rsa_aes_256_sha
2) support 2 cipher names, one for DS and another for AS.
tls_rsa_export1024_with_des_cbc_sha & rsa_des_56_sha
tls_rsa_export1024_with_rc4_56_sha & rsa_rc4_56_sha
tls_rsa_aes_128_sha & rsa_aes_128_sha
tls_rsa_aes_256_sha & rsa_aes_256_sha
rsa_fips_des_sha & fips_des_sha
rsa_fips_3des_sha & fips_3des_sha
3) added CipherPreferenceDialog, which takes tlsonly or (tlsonly
and dsstyle) options.
. tlsonly does not include SSLV3 ciphers in TLS cipher list
if true
. dsstyle returns DS style cipher names if true
Files:
client/security/CipherPreferenceDialog.java
client/security/securityResource.properties
Index: CipherPreferenceDialog.java
===================================================================
RCS file: /cvs/dirsec/console/src/com/netscape/management/client/security/CipherPreferenceDialog.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- CipherPreferenceDialog.java 15 Jul 2008 17:26:58 -0000 1.2
+++ CipherPreferenceDialog.java 3 Feb 2011 18:09:08 -0000 1.3
@@ -55,7 +55,7 @@
Help help;
/*property string */
- String rc2, rc4, des, tripleDes, fips, none, v2, v3, tls, export, enabledTitle;
+ String aes, rc2, rc4, des, tripleDes, fips, none, v2, v3, tls, export, enabledTitle;
String sha, md5, fortezza, cipherLabel, bits, msgAlgo, version, title;
@@ -90,11 +90,21 @@
public final static String RSA_RC2_40_MD5 = "rsa_rc2_40_md5";
/**SSL3 Export - No encryption, only MD5 message authentication*/
public final static String RSA_NULL_MD5 = "rsa_null_md5";
+ /**SSL3 Export - No encryption, only SHA message authentication*/
+ public final static String RSA_NULL_SHA = "rsa_null_sha";
/**TLS Export - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA */
- public final static String TLS_RSA_DES_SHA = "tls_rsa_export1024_with_des_cbc_sha";
+ public final static String TLS_RSA_DES_SHA_AUX = "tls_rsa_export1024_with_des_cbc_sha";
+ public final static String TLS_RSA_DES_SHA = "rsa_des_56_sha";
/**TLS Export - TLS_RSA_EXPORT1024_WITH_RC4_56_SHA */
- public final static String TLS_RSA_RC4_SHA = "tls_rsa_export1024_with_rc4_56_sha";
+ public final static String TLS_RSA_RC4_SHA_AUX = "tls_rsa_export1024_with_rc4_56_sha";
+ public final static String TLS_RSA_RC4_SHA = "rsa_rc4_56_sha";
+ /**TLS - TLS_RSA_WITH_AES_128_CBC_SHA */
+ public final static String TLS_RSA_WITH_AES_128_CBC_SHA_AUX = "tls_rsa_aes_128_sha";
+ public final static String TLS_RSA_WITH_AES_128_CBC_SHA = "rsa_aes_128_sha";
+ /**TLS - TLS_RSA_WITH_AES_256_CBC_SHA */
+ public final static String TLS_RSA_WITH_AES_256_CBC_SHA_AUX = "tls_rsa_aes_256_sha";
+ public final static String TLS_RSA_WITH_AES_256_CBC_SHA = "rsa_aes_256_sha";
// domestic ssl3 cipher
/**SSL3 Domestic - DES with 56 bit encryption and SHA message authentication*/
@@ -115,39 +125,55 @@
public final static String FORTEZZA_NULL = "fortezza_null";
// FIPS ciphers
+ public final static String RSA_FIPS_DES_SHA_AUX = "rsa_fips_des_sha";
public final static String RSA_FIPS_DES_SHA = "fips_des_sha";
+ public final static String RSA_FIPS_3DES_SHA_AUX = "rsa_fips_3des_sha";
public final static String RSA_FIPS_3DES_SHA = "fips_3des_sha";
/* default SSL V2 export ciphers */
- final static String V2EXPORT = "-"+RC4EXPORT+
- ",-"+RC2EXPORT;
+ final static String V2EXPORT = "-"+RC2EXPORT+
+ ",-"+RC4EXPORT;
/* default SSL V2 domestic ciphers */
- final static String V2DOMESTIC = "-"+RC4+
- ",-"+RC2+
+ final static String V2DOMESTIC = "-"+RC2+
+ ",-"+RC4+
",-"+DES+
",-"+DES3;
/* default SSL V3 domestic ciphers */
- final static String V3EXPORT = "+"+RSA_RC4_40_MD5+
- ",+"+RSA_RC2_40_MD5+
- ",-"+RSA_NULL_MD5;
+ final static String V3EXPORT = "-"+RSA_NULL_MD5+
+ ",-"+RSA_NULL_SHA+
+ ",+"+RSA_RC4_40_MD5+
+ ",+"+RSA_RC2_40_MD5;
/* default SSL V3 domestic ciphers */
- final static String V3DOMESTIC = "+"+RSA_DES_SHA+
- ",+"+RSA_RC4_128_MD5+
- ",+"+RSA_3DES_SHA+
- ",+"+RSA_FIPS_DES_SHA+
- ",+"+RSA_FIPS_3DES_SHA;
+ final static String V3DOMESTIC = "+"+RSA_RC4_128_MD5+
+ ",+"+RSA_DES_SHA+
+ ",+"+RSA_FIPS_DES_SHA+
+ ",+"+RSA_3DES_SHA+
+ ",+"+RSA_FIPS_3DES_SHA;
+
+ final static String V3DOMESTIC_AUX = "+"+RSA_RC4_128_MD5+
+ ",+"+RSA_DES_SHA+
+ ",+"+RSA_FIPS_DES_SHA_AUX+
+ ",+"+RSA_3DES_SHA+
+ ",+"+RSA_FIPS_3DES_SHA_AUX;
/* default SSL V3 domestic fortezza ciphers */
final static String V3FORETEZZA = "+"+FORTEZZA+
- ",+"+FORTEZZA_RC4_128_SHA+
- ",-"+FORTEZZA_NULL;
+ ",+"+FORTEZZA_RC4_128_SHA+
+ ",-"+FORTEZZA_NULL;
/* default SSL V3 domestic tls ciphers */
- final static String V3TLS = "+"+TLS_RSA_DES_SHA+
- ",+"+TLS_RSA_RC4_SHA;
+ final static String V3TLS = "+"+TLS_RSA_RC4_SHA+
+ ",+"+TLS_RSA_DES_SHA+
+ ",+"+TLS_RSA_WITH_AES_128_CBC_SHA+
+ ",+"+TLS_RSA_WITH_AES_256_CBC_SHA;
+
+ final static String V3TLS_AUX = "+"+TLS_RSA_RC4_SHA_AUX+
+ ",+"+TLS_RSA_DES_SHA_AUX+
+ ",+"+TLS_RSA_WITH_AES_128_CBC_SHA_AUX+
+ ",+"+TLS_RSA_WITH_AES_256_CBC_SHA_AUX;
class cipherListModel extends AbstractTableModel {
Vector _header;
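Review bot: The new `_AUX` constants and the `V3DOMESTIC_AUX`/`V3TLS_AUX` lists carry no comment saying what the suffix means; the only hint is the `dsstyle` Javadoc in a later hunk, and the two list pairs have to be kept in step by hand. Suggest a comment above `RSA_FIPS_DES_SHA_AUX`: `// _AUX constants and lists use the Directory Server spelling of the same cipher (dsstyle); keep each _AUX list in sync with its non-_AUX twin`. The rearranged defaults now disable the NULL suites (`-`), which is right, but the 40-bit export and single-DES suites remain enabled with `+` next to the new AES suites; if that is deliberate for the clients of the day, a one-line comment on `V3EXPORT` and `V3DOMESTIC` would record it.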
@@ -333,6 +359,7 @@
help = new Help(resource);
+ aes = resource.getString("CipherPreferenceDialog", "aes");
rc2 = resource.getString("CipherPreferenceDialog", "rc2");
rc4 = resource.getString("CipherPreferenceDialog", "rc4");
des = resource.getString("CipherPreferenceDialog", "des");
@@ -349,8 +376,8 @@
cipherLabel = resource.getString("CipherPreferenceDialog", "cipherLabel");
bits = resource.getString("CipherPreferenceDialog", "bits");
msgAlgo = resource.getString("CipherPreferenceDialog", "msgAlgo");
- version = resource.getString("CipherPreferenceDialog", "sslV");
- title = resource.getString("CipherPreferenceDialog", "title");
+ version = resource.getString("CipherPreferenceDialog", "sslV");
+ title = resource.getString("CipherPreferenceDialog", "title");
enabledTitle = resource.getString("CipherPreferenceDialog", "enabledTitle");
}
@@ -530,8 +557,8 @@
"Unknown SSLv2 cipher: " + cipher);
}
- //V3/TLS Cipher
- } else if (SSLVersion.equals(SSL_TLS) || SSLVersion.equals(SSL_V3)) {
+ //V3 Cipher
+ } else if (SSLVersion.equals(SSL_V3)) {
if (cipher.equals(RSA_RC4_128_MD5)) {
cipherEntry = new CipherEntry(cipher, true, rc4, 128, md5, SSL_V3);
} else if (cipher.equals(RSA_3DES_SHA)) {
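Review bot: Dropping `SSL_TLS` from this condition means an SSL3 cipher name presented with the TLS version no longer gets a CipherEntry: it now falls into the `//TLS Cipher` branch in the hunk below, logs `Unknown TLSv1 cipher` and leaves cipherEntry null, so the cipher is silently dropped instead of merely logging noise as before. The existing constructor at the `tls?(V3EXPORT+...+V3TLS)` line, and the new ones when tlsonly is false, appear to pass V3EXPORT/V3DOMESTIC names inside the TLS list, so those entries would be affected if that list is parsed with SSLVersion equal to SSL_TLS — confirm against the caller, which is outside the hunk. Either keep the SSL3 chain reachable from the TLS branch (for example by falling through to it when no TLS name matched) or stop mixing SSL3 names into the TLS list. createCipherEntry starts and ends outside this hunk.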
@@ -544,10 +571,16 @@
cipherEntry = new CipherEntry(cipher, true, rc2, 40, md5, SSL_V3, true);
} else if (cipher.equals(RSA_NULL_MD5)) {
cipherEntry = new CipherEntry(cipher, false, none, 0, md5, SSL_V3);
+ } else if (cipher.equals(RSA_NULL_SHA)) {
+ cipherEntry = new CipherEntry(cipher, false, none, 0, sha, SSL_V3);
} else if (cipher.equals(RSA_FIPS_DES_SHA)) {
cipherEntry = new CipherEntry(cipher, true, des+" "+fips, 56, sha, SSL_V3);
+ } else if (cipher.equals(RSA_FIPS_DES_SHA_AUX)) {
+ cipherEntry = new CipherEntry(cipher, true, des+" "+fips, 56, sha, SSL_V3);
} else if (cipher.equals(RSA_FIPS_3DES_SHA)) {
cipherEntry = new CipherEntry(cipher, true, tripleDes+" "+fips, 168, sha, SSL_V3);
+ } else if (cipher.equals(RSA_FIPS_3DES_SHA_AUX)) {
+ cipherEntry = new CipherEntry(cipher, true, tripleDes+" "+fips, 168, sha, SSL_V3);
//Fortezza ciphers
} else if ( cipher.equals(FORTEZZA)) {
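Review bot: Each new `_AUX` name gets its own branch that constructs an identical CipherEntry to its twin, doubling the chain for no behavioural difference; the same pattern repeats in the `//TLS Cipher` hunk below for the six TLS aliases. Fold each pair into one condition, e.g. `} else if (cipher.equals(RSA_FIPS_DES_SHA) || cipher.equals(RSA_FIPS_DES_SHA_AUX)) {`, so that a later change to key size or label cannot drift between the two spellings. createCipherEntry starts and ends outside this hunk.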
@@ -561,17 +594,28 @@
"Unknown SSLv3 cipher: " + cipher);
}
- //TLS ciphers
- if (SSLVersion.equals(SSL_TLS)) {
+ //TLS Cipher
+ } else if (SSLVersion.equals(SSL_TLS)) {
if (cipher.equals(TLS_RSA_DES_SHA)) {
cipherEntry = new CipherEntry(cipher, true, des, 56, sha, SSL_V3, true);
+ } else if (cipher.equals(TLS_RSA_DES_SHA_AUX)) {
+ cipherEntry = new CipherEntry(cipher, true, des, 56, sha, SSL_V3, true);
} else if (cipher.equals(TLS_RSA_RC4_SHA)) {
cipherEntry = new CipherEntry(cipher, true, rc4, 56, sha, SSL_V3, true);
+ } else if (cipher.equals(TLS_RSA_RC4_SHA_AUX)) {
+ cipherEntry = new CipherEntry(cipher, true, rc4, 56, sha, SSL_V3, true);
+ } else if (cipher.equals(TLS_RSA_WITH_AES_128_CBC_SHA)) {
+ cipherEntry = new CipherEntry(cipher, true, aes, 128, sha, SSL_V3, false);
+ } else if (cipher.equals(TLS_RSA_WITH_AES_128_CBC_SHA_AUX)) {
+ cipherEntry = new CipherEntry(cipher, true, aes, 128, sha, SSL_V3, false);
+ } else if (cipher.equals(TLS_RSA_WITH_AES_256_CBC_SHA)) {
+ cipherEntry = new CipherEntry(cipher, true, aes, 256, sha, SSL_V3, false);
+ } else if (cipher.equals(TLS_RSA_WITH_AES_256_CBC_SHA_AUX)) {
+ cipherEntry = new CipherEntry(cipher, true, aes, 256, sha, SSL_V3, false);
} else {
Debug.println("CipherPreferenceDialog.createCipherEntry(): " +
"Unknown TLSv1 cipher: " + cipher);
}
- }
}
if (cipherEntry != null) {
@@ -789,6 +833,61 @@
tls?(V3EXPORT+(isDomestic?","+V3DOMESTIC:"")+","+V3TLS):"");
}
+ /**
+ * Create a default cipher preference dialog.
+ *
+ * @param parent the frame from which the dialog is displayed
+ * @param enableSSLV2 enable SSL v2 cipher
+ * @param enableSSLV3 enable SSL v3 cipher
+ * @param tls show TLS ciphers.
+ * @param isDomestic show domestic ciphers if true
+ * @param fortezza show fortezza ciphers. If isDomestic is false or SSL_V3 is not enabled, then fortezza will not show.
+ * @param tlsonly does not include SSLV3 ciphers in TLS cipher list if true
+ *
+ */
+ public CipherPreferenceDialog(Frame parent,
+ boolean enableSSLV2,
+ boolean enableSSLV3,
+ boolean tls,
+ boolean isDomestic,
+ boolean fortezza,
+ boolean tlsonly) {
+
+ this(parent,
+ (enableSSLV2 ? V2EXPORT+(isDomestic?","+V2DOMESTIC:""):""),
+ (enableSSLV3 ? V3EXPORT+(isDomestic?","+V3DOMESTIC:""):"")+
+ ((enableSSLV3 & isDomestic & fortezza)?","+V3FORETEZZA:""),
+ tls?(tlsonly?V3TLS:(V3EXPORT+(isDomestic?","+V3DOMESTIC:"")+","+V3TLS)):"");
+ }
+
+ /**
+ * Create a default cipher preference dialog.
+ *
+ * @param parent the frame from which the dialog is displayed
+ * @param enableSSLV2 enable SSL v2 cipher
+ * @param enableSSLV3 enable SSL v3 cipher
+ * @param tls show TLS ciphers.
+ * @param isDomestic show domestic ciphers if true
+ * @param fortezza show fortezza ciphers. If isDomestic is false or SSL_V3 is not enabled, then fortezza will not show.
+ * @param tlsonly does not include SSLV3 ciphers in TLS cipher list if true
+ * @param dsstyle returns DS style cipher names (search _AUX in this file) if true
+ *
+ */
+ public CipherPreferenceDialog(Frame parent,
+ boolean enableSSLV2,
+ boolean enableSSLV3,
+ boolean tls,
+ boolean isDomestic,
+ boolean fortezza,
+ boolean tlsonly,
+ boolean dsstyle) {
+
+ this(parent,
+ (enableSSLV2 ? V2EXPORT+(isDomestic?","+V2DOMESTIC:""):""),
+ (enableSSLV3 ? V3EXPORT+(isDomestic?","+V3DOMESTIC_AUX:""):"")+
+ ((enableSSLV3 & isDomestic & fortezza)?","+V3FORETEZZA:""),
+ tls?(tlsonly?V3TLS_AUX:(V3EXPORT+(isDomestic?","+V3DOMESTIC_AUX:"")+","+V3TLS_AUX)):"");
+ }
//for testing purpose
/*public static void main(String args[]) {
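Review bot: The `dsstyle` parameter of the new eight-argument constructor is never read: the body unconditionally uses `V3DOMESTIC_AUX` and `V3TLS_AUX`, so `dsstyle == false` still produces the DS-style names, contrary to its Javadoc. Select the lists on the flag, e.g. `(enableSSLV3 ? V3EXPORT+(isDomestic?","+(dsstyle?V3DOMESTIC_AUX:V3DOMESTIC):""):"")+` and `tls?(tlsonly?(dsstyle?V3TLS_AUX:V3TLS):(V3EXPORT+(isDomestic?","+(dsstyle?V3DOMESTIC_AUX:V3DOMESTIC):"")+","+(dsstyle?V3TLS_AUX:V3TLS))):"");`. Once that is done the seven-argument constructor can delegate with `this(parent, enableSSLV2, enableSSLV3, tls, isDomestic, fortezza, tlsonly, false);` instead of repeating the list assembly. The `&` in `(enableSSLV3 & isDomestic & fortezza)` is correct on booleans but `&&` is the conventional form.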
Index: securityResource.properties
===================================================================
RCS file: /cvs/dirsec/console/src/com/netscape/management/client/security/securityResource.properties,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- securityResource.properties 16 Dec 2008 19:07:15 -0000 1.3
+++ securityResource.properties 3 Feb 2011 18:09:08 -0000 1.4
@@ -133,6 +133,7 @@
CipherPreferenceDialog-bits=Bits
CipherPreferenceDialog-msgAlgo=Message Digest
CipherPreferenceDialog-sslV=Version
+CipherPreferenceDialog-aes=AES
CipherPreferenceDialog-rc2=RC2
CipherPreferenceDialog-rc4=RC4
CipherPreferenceDialog-des=DES
admserv/cgi-src40
by Noriko Hosoi
admserv/cgi-src40/sec-activate.c | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
New commits:
commit 9e3d76254a5bfd2a3d431c4b0069a68d8f007367
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Feb 2 18:14:46 2011 -0800
Bug 151705 - Need to update Console Cipher Preferences with new ciphers
https://bugzilla.redhat.com/show_bug.cgi?id=151705
Description: When a cipher is updated on the Admin Console | Cipher
Preference dialog, NSSCipherSuite value in console.conf is updated
based on the modification. If the cipher is on the TLS list, it
was ignored in sec-activate.c. This patch merges the tls list
into the ssl3 list. Then, the TLS ciphers are also written to
console.conf.
diff --git a/admserv/cgi-src40/sec-activate.c b/admserv/cgi-src40/sec-activate.c
index 921f584..52bd41d 100644
--- a/admserv/cgi-src40/sec-activate.c
+++ b/admserv/cgi-src40/sec-activate.c
@@ -486,6 +486,8 @@ int main(int argc, char *argv[])
char *security = NULL;
char *ssl2 = NULL;
char *ssl3 = NULL;
+ char *tls = NULL;
+ char *merged_ssl3 = NULL;
char *ssl2_act = NULL;
char *ssl3_act = NULL;
char *clientauth = NULL;
@@ -607,6 +609,7 @@ int main(int argc, char *argv[])
security = get_cgi_var("security", "", "");
ssl2 = get_cgi_var("ssl2", "", "");
ssl3 = get_cgi_var("ssl3", "", "");
+ tls = get_cgi_var("tls", "", "");
ssl2_act = get_cgi_var("ssl2-activated", "", "");
ssl3_act = get_cgi_var("ssl3-activated", "", "");
clientauth = get_cgi_var("clientauth", "", "");
@@ -630,7 +633,20 @@ int main(int argc, char *argv[])
get_family_input(&family_head);
/* set cipher family info */
- SetSSLFamilyAttributes(pset, family_head, ssl2, ssl3, ssl2_act, ssl3_act);
+ if (ssl3 && (strlen(ssl3) > 0)) {
+ if (tls && (strlen(tls) > 0)) {
+ merged_ssl3 = PR_smprintf("%s,%s", ssl3, tls);
+ } else {
+ merged_ssl3 = strdup(ssl3);
+ }
+ } else {
+ if (tls && (strlen(tls) > 0)) {
+ merged_ssl3 = strdup(tls);
+ } else {
+ merged_ssl3 = strdup("");
+ }
+ }
+ SetSSLFamilyAttributes(pset, family_head, ssl2, merged_ssl3, ssl2_act, ssl3_act);
set_attribute(pset, "configuration.encryption.nsSSLClientAuth", clientauth);
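Review bot: `merged_ssl3` is allocated with `strdup` on three of the four branches but released with `PR_smprintf_free` in the next hunk, which pairs with NSPR's `PR_smprintf` allocator; freeing malloc memory through it is undefined on builds where the two allocators differ. Use one allocator throughout: `merged_ssl3 = PR_smprintf("%s", ssl3);`, `merged_ssl3 = PR_smprintf("%s", tls);` and `merged_ssl3 = PR_smprintf("%s", "");`. None of the results is NULL-checked before `SetSSLFamilyAttributes` and the later `snprintf`, so an allocation failure would be dereferenced. The enclosing `main` starts and ends outside the hunk.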
@@ -655,7 +671,8 @@ int main(int argc, char *argv[])
rv = update_conf(configdir, "console.conf", "NSSProtocol", protocols);
- snprintf(ciphers, sizeof(ciphers), "%s,%s", ssl2, ssl3);
+ snprintf(ciphers, sizeof(ciphers), "%s,%s", ssl2, merged_ssl3);
+ PR_smprintf_free(merged_ssl3);
ciphers[sizeof(ciphers)-1] = 0;
rv = update_conf(configdir, "console.conf", "NSSCipherSuite", ciphers);
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/ssl.c | 8 ++++++++
1 file changed, 8 insertions(+)
New commits:
commit b7bf3cb02ff55cdb6bd71120531be08eed4744db
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Feb 2 17:41:09 2011 -0800
Bug 151705 - Need to update Console Cipher Preferences with new ciphers
https://bugzilla.redhat.com/show_bug.cgi?id=151705
Description: Added new ciphers:
SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_NULL_SHA
Also, added cipher names used by the Admin Server/mod_nss:
fips_3des_sha for SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
fips_des_sha for SSL_RSA_FIPS_WITH_DES_CBC_SHA
rsa_rc4_56_sha for TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
rsa_des_56_sha for TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 0866dc7..c1f8728 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -126,15 +126,21 @@ static cipherstruct _conf_ciphers[] = {
{"SSL3","des", SSL_EN_DES_64_CBC_WITH_MD5},
{"SSL3","desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5},
{"SSL3","rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5},
+ {"SSL3","rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA},
{"SSL3","rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA},
{"SSL3","rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA},
{"SSL3","rsa_fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA},
+ {"SSL3","fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA}, /* ditto */
{"SSL3","rsa_fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA},
+ {"SSL3","fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA}, /* ditto */
{"SSL3","rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5},
{"SSL3","rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5},
{"SSL3","rsa_null_md5", SSL_RSA_WITH_NULL_MD5},
+ {"SSL3","rsa_null_sha", SSL_RSA_WITH_NULL_SHA},
{"TLS","tls_rsa_export1024_with_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
+ {"TLS","rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, /* ditto */
{"TLS","tls_rsa_export1024_with_des_cbc_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
+ {"TLS","rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA}, /* ditto */
{"SSL3","fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA},
{"SSL3","fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA},
{"SSL3","fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA},
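Review bot: The new `rsa_null_sha` entry adds a second NULL-encryption suite to the configurable table with no comment, where the only hint that it offers no confidentiality is the NSS constant name. Suggest tagging it (and `rsa_null_md5`) in place, e.g. `{"SSL3","rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, /* NULL cipher: integrity only, no confidentiality */`. The `/* ditto */` rows also mean two table entries now share one NSS cipher id; if any code in this file walks the table by id rather than by name (not visible in the hunk), those suites would be listed or toggled twice, so the alias rows deserve a comment stating they are the Admin Server/mod_nss spelling of the row above.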
@@ -148,10 +154,12 @@ static cipherstruct _conf_ciphers[] = {
{"SSL3","dhe_rsa_3des_sha", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA},
{"TLS","tls_rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
+ {"TLS","rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, /* ditto */
{"TLS","tls_dhe_dss_aes_128_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA},
{"TLS","tls_dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
{"TLS","tls_rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
+ {"TLS","rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, /* ditto */
{"TLS","tls_dhe_dss_aes_256_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA},
{"TLS","tls_dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
/*{"TLS","tls_dhe_dss_1024_des_sha", TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA}, */
mod_nss gencert.8, NONE, 1.1 Makefile.am, 1.14, 1.15 Makefile.in, 1.21, 1.22
by Rob Crittenden
Author: rcritten
Update of /cvs/dirsec/mod_nss
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv6370
Modified Files:
Makefile.am Makefile.in
Added Files:
gencert.8
Log Message:
Add man page for gencert
--- NEW FILE gencert.8 ---
.\" A man page for gencert
.\"
.\" Licensed under the Apache License, Version 2.0 (the "License");
.\" you may not use this file except in compliance with the License.
.\" You may obtain a copy of the License at
.\"
.\" http://www.apache.org/licenses/LICENSE-2.0
.\"
.\" Unless required by applicable law or agreed to in writing, software
.\" distributed under the License is distributed on an "AS IS" BASIS,
.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
.\" See the License for the specific language governing permissions and
.\" limitations under the License.
.\"
.\" Author: Rob Crittenden <rcritten(a)redhat.com>
.\"
.TH "gencert" "8" "Feb 2 2011" "Rob Crittenden" ""
.SH "NAME"
gencert \- Generate a test NSS database for mod_nss
.SH "SYNOPSIS"
gencert \fIDIRECTORY\fR
.SH "DESCRIPTION"
A tool to generate self\-signed CA as well as server and user certificates for mod_nss testing.
This is used to generate a default NSS database for the mod_nss Apache module. It does not test to see if an existing database already exists so use with care.
gencert will generate a new NSS database and set an empty database password.
It generates a self\-signed CA with the subject "CN=Certificate Shack, O=example.com, C=US"
It also generates a certificate suitable for servers with the subject "CN=FQDN, O=example.com, C=US" and a user certificate with the subject "E=alpha@FQDN, CN=Frank Alpha, UID=alpha, OU=People, O=example.com, C=US".
The nicknames it uses are:
CA: cacert
Server certificate: Server\-Cert
User cert: alpha
Index: Makefile.am
===================================================================
RCS file: /cvs/dirsec/mod_nss/Makefile.am,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- Makefile.am 26 Aug 2008 20:43:48 -0000 1.14
+++ Makefile.am 3 Feb 2011 02:43:38 -0000 1.15
@@ -5,6 +5,13 @@
nss_pcache_SOURCES = nss_pcache.c
+man8_MANS = \
+ gencert.8 \
+ $(NULL)
+
+install-data-hook:
+ @for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
+
## Define the source file for the module
libmodnss_la_SOURCES = mod_nss.c nss_engine_config.c nss_engine_init.c nss_engine_io.c nss_engine_kernel.c nss_engine_log.c nss_engine_pphrase.c nss_engine_vars.c nss_expr.c nss_expr_eval.c nss_expr_parse.y nss_expr_scan.l nss_util.c nss_engine_rand.c
libmodnss_la_LDFLAGS = -module -avoid-version
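Review bot: The `install-data-hook` loop masks failures: a shell `for` loop's exit status is that of its last iteration, so a failed `gzip` on any earlier page leaves the install reporting success with an uncompressed or missing man page. Add an explicit abort, `@for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i || exit 1 ; done`. Compressing in the install hook also hard-codes gzip for every installation; distribution packaging that compresses man pages itself may then find `gencert.8.gz` where it expects `gencert.8`, so making the hook optional is worth considering.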
Index: Makefile.in
===================================================================
RCS file: /cvs/dirsec/mod_nss/Makefile.in,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- Makefile.in 26 Aug 2008 20:43:48 -0000 1.21
+++ Makefile.in 3 Feb 2011 02:43:38 -0000 1.22
@@ -116,6 +116,11 @@
nss_pcache_SOURCES = nss_pcache.c
+man8_MANS = \
+ gencert.8 \
+ $(NULL)
+
+
libmodnss_la_SOURCES = mod_nss.c nss_engine_config.c nss_engine_init.c nss_engine_io.c nss_engine_kernel.c nss_engine_log.c nss_engine_pphrase.c nss_engine_vars.c nss_expr.c nss_expr_eval.c nss_expr_parse.y nss_expr_scan.l nss_util.c nss_engine_rand.c
libmodnss_la_LDFLAGS = -module -avoid-version
@@ -182,6 +187,9 @@
YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
LTYACCCOMPILE = $(LIBTOOL) --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
DIST_SOURCES = $(libmodnss_la_SOURCES) $(nss_pcache_SOURCES)
+
+NROFF = nroff
+MANS = $(man8_MANS)
DIST_COMMON = README AUTHORS COPYING ChangeLog INSTALL Makefile.am \
Makefile.in NEWS TODO aclocal.m4 config.guess config.sub \
configure configure.in depcomp gencert.in install-sh ltmain.sh \
@@ -332,6 +340,49 @@
-rm -f libtool
uninstall-info-am:
+man8dir = $(mandir)/man8
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ $(mkinstalldirs) $(DESTDIR)$(man8dir)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+ $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+ rm -f $(DESTDIR)$(man8dir)/$$inst; \
+ done
+
ETAGS = etags
ETAGSFLAGS =
@@ -458,12 +509,12 @@
exit 1; } >&2
check-am: all-am
check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
+all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS)
install-binPROGRAMS: install-libLTLIBRARIES
installdirs:
- $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(bindir)
+ $(mkinstalldirs) $(DESTDIR)$(libdir) $(DESTDIR)$(bindir) $(DESTDIR)$(man8dir)
install: install-am
install-exec: install-exec-am
@@ -508,13 +559,15 @@
info-am:
-install-data-am:
+install-data-am: install-man
+ @$(NORMAL_INSTALL)
+ $(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-exec-am: install-binPROGRAMS install-libLTLIBRARIES
install-info: install-info-am
-install-man:
+install-man: install-man8
installcheck-am:
@@ -529,7 +582,9 @@
mostlyclean-libtool
uninstall-am: uninstall-binPROGRAMS uninstall-info-am \
- uninstall-libLTLIBRARIES
+ uninstall-libLTLIBRARIES uninstall-man
+
+uninstall-man: uninstall-man8
.PHONY: GTAGS all all-am check check-am clean clean-binPROGRAMS \
clean-generic clean-libLTLIBRARIES clean-libtool dist dist-all \
@@ -538,13 +593,17 @@
distclean-tags distcleancheck distdir dvi dvi-am info info-am \
install install-am install-binPROGRAMS install-data \
install-data-am install-exec install-exec-am install-info \
- install-info-am install-libLTLIBRARIES install-man \
+ install-info-am install-libLTLIBRARIES install-man install-man8 \
install-strip installcheck installcheck-am installdirs \
maintainer-clean maintainer-clean-generic mostlyclean \
mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
tags uninstall uninstall-am uninstall-binPROGRAMS \
- uninstall-info-am uninstall-libLTLIBRARIES
+ uninstall-info-am uninstall-libLTLIBRARIES uninstall-man \
+ uninstall-man8
+
+install-data-hook:
+ @for i in $(man8_MANS) ; do gzip -f $(DESTDIR)$(man8dir)/$$i ; done
install-libLTLIBRARIES: libmodnss.la
@APXS@ -i -a -n nss libmodnss.la
coolkey/src/libckyapplet cky_card.c,1.5,1.6
by Jack Magne
Author: jmagne
Update of /cvs/dirsec/coolkey/src/libckyapplet
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv4615
Modified Files:
cky_card.c
Log Message:
Define LPSCARD_READERSTATE only for the Mac.
Index: cky_card.c
===================================================================
RCS file: /cvs/dirsec/coolkey/src/libckyapplet/cky_card.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- cky_card.c 8 Sep 2010 22:10:26 -0000 1.5
+++ cky_card.c 2 Feb 2011 00:52:50 -0000 1.6
@@ -27,6 +27,12 @@
#ifndef WINAPI
#define WINAPI
+/*
+ * The Mac needs this typedef to compile.
+*/
+#ifdef MAC
+typedef SCARD_READERSTATE *LPSCARD_READERSTATE;
+#endif
#endif
#ifndef SCARD_E_NO_READERS_AVAILABLE
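Review bot: The `LPSCARD_READERSTATE` typedef is placed inside `#ifndef WINAPI`, so it is only emitted when WINAPI is still undefined; on a Mac build where an earlier header already defines WINAPI the typedef is skipped and the compile error this commit fixes returns. Since the log message says the typedef is needed on the Mac regardless, move the `#ifdef MAC` block out of the `#ifndef WINAPI` guard, after its `#endif`. The comment's closing `*/` is also misaligned with its ` * ` body line; ` */` is the conventional form.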
wrappers/initscript.in wrappers/ldap-agent-initscript.in
by Nathan Kinder
wrappers/initscript.in | 36 +++++++++++++++++++++++++++++++-----
wrappers/ldap-agent-initscript.in | 20 +++++++++++++++++---
2 files changed, 48 insertions(+), 8 deletions(-)
New commits:
commit 5a41728cf75eea021b73b166aea12a00f39eebd8
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Feb 1 15:00:40 2011 -0800
Bug 668862 - init scripts return wrong error code
The dirsrv init script returns an exit code of 0 when no instances
are configured or if an invalid instance name is specified. This
patch makes the dirsrv init script return the proper exit codes.
The exit codes for the status action are different than the codes
for non-status actions per the Fedora SysV init script packaging
guidelines.
In addition, the dirsrv and dirsrv-snmp init scripts need to return
a non-0 exit code when networking is disabled or if the binaries
do not exist. This patch handles those cases as well.
diff --git a/wrappers/initscript.in b/wrappers/initscript.in
index 65874d6..147b2d6 100644
--- a/wrappers/initscript.in
+++ b/wrappers/initscript.in
@@ -23,7 +23,13 @@ fi
if [ "${NETWORKING}" = "no" ]
then
echo "Networking is down"
- exit 0
+ if [ "$1" = "status" ]; then
+ # exit code 4 means unknown status for status action
+ exit 4
+ else
+ # exit code 1 means unspecified error for non-status actions
+ exit 1
+ fi
fi
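Review bot: The status/non-status exit-code decision is written out four times in this file (this hunk and the ones at `[ -f $exec ]`, `no $prog instances configured` and `invalid @package_name@ instance`) and twice more in ldap-agent-initscript.in; each copy repeats the `if [ "$1" = "status" ]` test and the LSB-code comments. A small helper defined once near the top keeps the codes in one place and makes the mapping easy to audit against the packaging guidelines. Each call site then becomes a single line such as `exit_lsb "$1" 1`. The helper must be defined before the first `NETWORKING` check, which starts outside this hunk.
```shell
# Exit with an LSB init-script code: status actions always report 4
# (status unknown); other actions exit with the code given in $2.
exit_lsb() {
    if [ "$1" = "status" ]; then
        exit 4
    else
        exit "$2"
    fi
}
# … unchanged: NETWORKING check …
    echo "Networking is down"
    exit_lsb "$1" 1
```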
# figure out which echo we're using
@@ -87,8 +93,16 @@ piddir="@localstatedir@/run/@package_name@"
# Instance basedir
instbase="@instconfigdir@"
-
-[ -f $exec ] || exit 0
+# Check that ns-slapd exists
+if [ ! -f $exec ] ; then
+ if [ "$1" = "status" ]; then
+ # exit code 4 means unknown status for status action
+ exit 4
+ else
+ # exit code 5 means program is not installed for non-status actions
+ exit 5
+ fi
+fi
umask 077
@@ -107,7 +121,13 @@ done
if [ -z "$INSTANCES" ]; then
echo " *** Error: no $prog instances configured"
- exit 0
+ if [ "$1" = "status" ]; then
+ # exit code 4 means unknown status for status action
+ exit 4
+ else
+ # exit code 6 means program is not configured for non-status actions
+ exit 6
+ fi
fi
if [ -n "$2" ]; then
@@ -119,7 +139,13 @@ if [ -n "$2" ]; then
if [ "$2" != "$INSTANCES" ]; then
echo_n "$2 is an invalid @package_name@ instance"
failure; echo
- exit 1
+ if [ "$1" = "status" ]; then
+ # exit code 4 means unknown status for status action
+ exit 4
+ else
+ # exit code 2 means invalid argument for non-status actions
+ exit 2
+ fi
fi
fi
diff --git a/wrappers/ldap-agent-initscript.in b/wrappers/ldap-agent-initscript.in
index d4e791f..dd8ee97 100644
--- a/wrappers/ldap-agent-initscript.in
+++ b/wrappers/ldap-agent-initscript.in
@@ -22,7 +22,13 @@ fi
if [ "${NETWORKING}" = "no" ]
then
echo "Networking is down"
- exit 0
+ if [ "$1" = "status" ]; then
+ # exit code 4 means unknown status for status action
+ exit 4
+ else
+ # exit code 1 means unspecified error for non-status actions
+ exit 1
+ fi
fi
# figure out which echo we're using
@@ -61,8 +67,16 @@ pidfile="@localstatedir(a)/run/ldap-agent.pid"
configfile="@sysconfdir@/@package_name(a)/config/ldap-agent.conf"
-
-[ -f $exec ] || exit 0
+# Check if ldap-agent exists
+if [ ! -f $exec ]; then
+ if [ "$1" = "status" ]; then
+ # exit code 4 means unknown status for status action
+ exit 4
+ else
+ # exit code 5 means program is not installed for non-status actions
+ exit 5
+ fi
+fi
umask 077
ldap/admin ldap/ldif ldap/servers
by Nathan Kinder
ldap/admin/src/scripts/DSMigration.pm.in | 1
ldap/ldif/template-dse.ldif.in | 1
ldap/servers/slapd/bind.c | 12 +++++-
ldap/servers/slapd/connection.c | 24 ++++++++-----
ldap/servers/slapd/daemon.c | 1
ldap/servers/slapd/extendop.c | 3 +
ldap/servers/slapd/libglobs.c | 57 +++++++++++++++++++++++++++++++
ldap/servers/slapd/passwd_extop.c | 12 +++++-
ldap/servers/slapd/pblock.c | 10 +++++
ldap/servers/slapd/proto-slap.h | 2 +
ldap/servers/slapd/slap.h | 4 ++
ldap/servers/slapd/slapi-plugin.h | 1
12 files changed, 114 insertions(+), 14 deletions(-)
New commits:
commit b5bee52888069417aa780ab79b897d0736f306c9
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Feb 1 11:54:08 2011 -0800
Bug 670616 - Allow SSF to be set for local (ldapi) connections
This patch adds a new config parameter named nsslapd-localssf.
This parameter can be set to the SSF that one wants to apply for
local (LDAPI) connections. This SSF will be used with the minssf
global and ACI settings. The local SSF can also be used to satisfy
the confidentiality requirements for secure binds and password
modify extended operations.
diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in
index 5434075..7d1c48f 100644
--- a/ldap/admin/src/scripts/DSMigration.pm.in
+++ b/ldap/admin/src/scripts/DSMigration.pm.in
@@ -103,6 +103,7 @@ my %ignoreOld =
# these are new attrs that we should just pass through
'nsslapd-allow-unauthenticated-binds' => 'nsslapd-allow-unauthenticated-binds',
'nsslapd-allow-anonymous-access' => 'nsslapd-allow-anonymous-access',
+ 'nsslapd-localssf' => 'nsslapd-localssf',
'nsslapd-minssf' => 'nsslapd-minssf',
'nsslapd-saslpath' => 'nsslapd-saslpath',
'nsslapd-rundir' => 'nsslapd-rundir',
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index f607f44..cd98d16 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -32,6 +32,7 @@ nsslapd-ssl-check-hostname: on
nsslapd-allow-unauthenticated-binds: off
nsslapd-require-secure-binds: off
nsslapd-allow-anonymous-access: on
+nsslapd-localssf: 71
nsslapd-minssf: 0
nsslapd-port: %ds_port%
nsslapd-localuser: %ds_user%
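Review bot: The new `nsslapd-localssf: 71` default is added without any note of what the value means or why 71 was chosen, while the neighbouring `nsslapd-minssf: 0` is similarly bare. Because this SSF is credited to LDAPI connections and, per the commit description, can satisfy `nsslapd-require-secure-binds` and the minssf checks, an administrator reading the template should be told that the unix socket's own protection is what this number stands in for — confirm that is the intended rationale. Suggest a comment line above it: `# nsslapd-localssf: security strength factor assumed for local (LDAPI) connections; counts toward minssf and secure-bind checks`.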
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 8b666f1..679cbff 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -499,7 +499,8 @@ do_bind( Slapi_PBlock *pb )
/* Check if the minimum SSF requirement has been met. */
minssf = config_get_minssf();
- if ((pb->pb_conn->c_sasl_ssf < minssf) && (pb->pb_conn->c_ssl_ssf < minssf)) {
+ if ((pb->pb_conn->c_sasl_ssf < minssf) && (pb->pb_conn->c_ssl_ssf < minssf) &&
+ (pb->pb_conn->c_local_ssf < minssf)) {
send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Minimum SSF not met.", 0, NULL);
/* increment BindSecurityErrorcount */
@@ -569,6 +570,7 @@ do_bind( Slapi_PBlock *pb )
} else if (config_get_require_secure_binds() == 1) {
Connection *conn = NULL;
int sasl_ssf = 0;
+ int local_ssf = 0;
/* Allow simple binds only for SSL/TLS established connections
* or connections using SASL privacy layers */
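Review bot: The comment just after the new `local_ssf` declaration, `Allow simple binds only for SSL/TLS established connections or connections using SASL privacy layers`, is now stale: the check in the next hunk also accepts a connection whose `local_ssf` exceeds 1. Update it to `/* Allow simple binds only for SSL/TLS established connections, connections using SASL privacy layers, or local (LDAPI) connections with a configured SSF above 1 */`. Where `c_local_ssf` is populated is not in view (the daemon.c change is outside this page), so it is worth confirming that no TCP connection can ever carry a nonzero local SSF. do_bind starts and ends outside the hunk.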
@@ -579,8 +581,14 @@ do_bind( Slapi_PBlock *pb )
sasl_ssf = 0;
}
+ if ( slapi_pblock_get(pb, SLAPI_CONN_LOCAL_SSF, &local_ssf) != 0) {
+ slapi_log_error( SLAPI_LOG_PLUGIN, "do_bind",
+ "Could not get local SSF from connection\n" );
+ local_ssf = 0;
+ }
+
if (((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) &&
- (sasl_ssf <= 1) ) {
+ (sasl_ssf <= 1) && (local_ssf <= 1)) {
send_ldap_result(pb, LDAP_CONFIDENTIALITY_REQUIRED, NULL,
"Operation requires a secure connection",
0, NULL);
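Review bot: The comment above this block, `/* Allow simple binds only for SSL/TLS established connections or connections using SASL privacy layers */`, is now stale: the new `(local_ssf <= 1)` term also admits local (LDAPI) connections whose configured SSF is above 1. Suggest extending it to `* or connections using SASL privacy layers, or local (LDAPI) connections whose nsslapd-localssf exceeds 1 */` so the three-way exemption is documented next to the check. The `local_ssf = 0` fallback on a failed pblock get fails closed, which is the right direction here. do_bind continues outside the hunk.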
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index 7b00a21..7f93a0f 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -196,6 +196,7 @@ connection_cleanup(Connection *conn)
conn->c_prev= NULL;
conn->c_extension= NULL;
conn->c_ssl_ssf = 0;
+ conn->c_local_ssf = 0;
conn->c_unix_local = 0;
/* destroy any sasl context */
sasl_dispose((sasl_conn_t**)&conn->c_sasl_conn);
@@ -388,6 +389,7 @@ connection_reset(Connection* conn, int ns, PRNetAddr * from, int fromLen, int is
/* Just initialize the SSL SSF to 0 now since the handshake isn't complete
* yet, which prevents us from getting the effective key length. */
conn->c_ssl_ssf = 0;
+ conn->c_local_ssf = 0;
}
/* Create a pool of threads for handling the operations */
@@ -507,12 +509,14 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb)
* allowed, which gives the connection a chance to meet the
* SSF requirements. We also allow UNBIND and ABANDON.*/
if ((conn->c_sasl_ssf < minssf) && (conn->c_ssl_ssf < minssf) &&
- (op->o_tag != LDAP_REQ_BIND) && (op->o_tag != LDAP_REQ_EXTENDED) &&
- (op->o_tag != LDAP_REQ_UNBIND) && (op->o_tag != LDAP_REQ_ABANDON)) {
+ (conn->c_local_ssf < minssf) &&(op->o_tag != LDAP_REQ_BIND) &&
+ (op->o_tag != LDAP_REQ_EXTENDED) && (op->o_tag != LDAP_REQ_UNBIND) &&
+ (op->o_tag != LDAP_REQ_ABANDON)) {
slapi_log_access( LDAP_DEBUG_STATS,
"conn=%" NSPRIu64 " op=%d UNPROCESSED OPERATION"
- " - Insufficient SSF (sasl_ssf=%d ssl_ssf=%d)\n",
- conn->c_connid, op->o_opid, conn->c_sasl_ssf, conn->c_ssl_ssf );
+ " - Insufficient SSF (local_ssf=%d sasl_ssf=%d ssl_ssf=%d)\n",
+ conn->c_connid, op->o_opid, conn->c_local_ssf,
+ conn->c_sasl_ssf, conn->c_ssl_ssf );
send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Minimum SSF not met.", 0, NULL );
return;
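Review bot: The rewrapped condition has a formatting slip on the first added line, `(conn->c_local_ssf < minssf) &&(op->o_tag != LDAP_REQ_BIND) &&` is missing the space after `&&`, and the mix of SSF compares and tag compares on the same line makes the seven-term predicate harder to read than the original. Keeping the three SSF terms on their own line, `(conn->c_sasl_ssf < minssf) && (conn->c_ssl_ssf < minssf) && (conn->c_local_ssf < minssf) &&`, and the four tag terms on the following lines would keep the two concerns visually separate. connection_dispatch_operation continues outside the hunk.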
@@ -2631,15 +2635,17 @@ op_copy_identity(Connection *conn, Operation *op)
/* copy isroot flag as well so root DN privileges are preserved */
op->o_isroot = conn->c_isroot;
- /* copy the highest SSF (between SASL and SSL/TLS) into the
- * operation for use by access control. */
- if (conn->c_sasl_ssf >= conn->c_ssl_ssf) {
+ /* copy the highest SSF (between local, SASL, and SSL/TLS)
+ * into the operation for use by access control. */
+ if ((conn->c_sasl_ssf >= conn->c_ssl_ssf) && (conn->c_sasl_ssf >= conn->c_local_ssf)) {
op->o_ssf = conn->c_sasl_ssf;
- } else {
+ } else if ((conn->c_ssl_ssf >= conn->c_sasl_ssf) && (conn->c_ssl_ssf >= conn->c_local_ssf)){
op->o_ssf = conn->c_ssl_ssf;
+ } else {
+ op->o_ssf = conn->c_local_ssf;
}
- PR_Unlock( conn->c_mutex );
+ PR_Unlock( conn->c_mutex );
}
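Review bot: The two chained comparisons that pick the highest of three SSFs are correct but easy to get wrong on the next edit, and the first branch already needs two `>=` tests to be right. A running maximum is shorter and obviously correct: `op->o_ssf = conn->c_sasl_ssf;` then `if (conn->c_ssl_ssf > op->o_ssf) op->o_ssf = conn->c_ssl_ssf;` and `if (conn->c_local_ssf > op->o_ssf) op->o_ssf = conn->c_local_ssf;`. The `PR_Unlock( conn->c_mutex );` change appears to be whitespace only and could be dropped from the patch. op_copy_identity starts outside the hunk.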
/* Sets the SSL SSF in the connection struct. */
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 6678269..cda4a04 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -2207,6 +2207,7 @@ handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, i
if( local )
{
conn->c_unix_local = 1;
+ conn->c_local_ssf = config_get_localssf();
slapd_identify_local_user(conn);
}
#endif
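Review bot: `conn->c_local_ssf = config_get_localssf();` takes a snapshot of nsslapd-localssf at accept time, so a later change through config_set_localssf affects only connections accepted afterwards, unlike the other SSF sources which are recomputed per handshake. That is reasonable, but it should be stated where the value is assigned, e.g. `/* snapshot of nsslapd-localssf at accept time; later config changes apply only to new connections */`. It is also worth a line noting that the assignment is intentionally inside the `if( local )` branch so TCP connections keep the 0 written by connection_reset. handle_new_connection starts outside the hunk.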
diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
index f7e6ebe..17b2f7b 100644
--- a/ldap/servers/slapd/extendop.c
+++ b/ldap/servers/slapd/extendop.c
@@ -335,7 +335,8 @@ do_extended( Slapi_PBlock *pb )
}
/* If the minssf is not met, only allow startTLS. */
- if ((pb->pb_conn->c_sasl_ssf < minssf) && (pb->pb_conn->c_ssl_ssf < minssf)) {
+ if ((pb->pb_conn->c_sasl_ssf < minssf) && (pb->pb_conn->c_ssl_ssf < minssf) &&
+ (pb->pb_conn->c_local_ssf < minssf)) {
send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Minimum SSF not met.", 0, NULL );
goto free_and_return;
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 15f2aca..c3047bf 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -619,6 +619,9 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.allow_anon_access, CONFIG_SPECIAL_ANON_ACCESS_SWITCH,
(ConfigGetFunc)config_get_anon_access_switch},
+ {CONFIG_LOCALSSF_ATTRIBUTE, config_set_localssf,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.localssf, CONFIG_INT, NULL},
{CONFIG_MINSSF_ATTRIBUTE, config_set_minssf,
NULL, 0,
(void**)&global_slapdFrontendConfig.minssf, CONFIG_INT, NULL},
@@ -900,6 +903,7 @@ FrontendConfig_init () {
cfg->outbound_ldap_io_timeout = SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT;
cfg->max_filter_nest_level = SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL;
cfg->maxsasliosize = SLAPD_DEFAULT_MAX_SASLIO_SIZE;
+ cfg->localssf = SLAPD_DEFAULT_LOCAL_SSF;
cfg->minssf = SLAPD_DEFAULT_MIN_SSF;
#ifdef _WIN32
@@ -4710,6 +4714,48 @@ config_get_maxsasliosize()
}
int
+config_set_localssf( const char *attrname, char *value, char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ int localssf;
+ char *endptr;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ localssf = (int) strtol(value, &endptr, 10);
+
+ /* Check for non-numeric garbage in the value */
+ if (*endptr != '\0') {
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
+
+ /* Check for a value overflow */
+ if (((localssf == INT_MAX) || (localssf == INT_MIN)) && (errno == ERANGE)){
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
+
+ /* Don't allow negative values. */
+ if (localssf < 0) {
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
+
+ if (retVal != LDAP_SUCCESS) {
+ PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ "%s: \"%s\" is invalid. Value must range from 0 to %d",
+ attrname, value, INT_MAX );
+ } else if (apply) {
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->localssf = localssf;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
+
+ return retVal;
+}
+
+int
config_set_minssf( const char *attrname, char *value, char *errorbuf, int apply )
{
int retVal = LDAP_SUCCESS;
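Review bot: The range validation in config_set_localssf does not catch out-of-range input: `localssf = (int) strtol(value, &endptr, 10);` truncates a `long` before the overflow test, so on LP64 a value such as 4294967296 silently becomes 0 and a value above LONG_MAX becomes -1 rather than tripping the `INT_MAX`/`INT_MIN` test, and `errno` is never reset to 0 before the call so a stale `ERANGE` can also misfire. Keep the `long`, clear `errno`, and compare against `INT_MAX` directly, as below; `endptr == value` additionally rejects an empty numeric part if config_value_is_null does not already. If config_set_minssf, which begins at the end of this hunk, uses the same pattern, the same fix applies there.
```c
int
config_set_localssf( const char *attrname, char *value, char *errorbuf, int apply )
{
    int retVal = LDAP_SUCCESS;
    long localssf;
    char *endptr;
    /* … unchanged: getFrontendConfig() and config_value_is_null check … */

    errno = 0;
    localssf = strtol(value, &endptr, 10);

    /* Reject an empty number, trailing garbage, overflow of long, and
     * anything outside the int range the config field can hold. */
    if ((endptr == value) || (*endptr != '\0') || (errno == ERANGE) ||
        (localssf < 0) || (localssf > INT_MAX)) {
        retVal = LDAP_OPERATIONS_ERROR;
    }

    /* … unchanged: error message … */
    } else if (apply) {
        CFG_LOCK_WRITE(slapdFrontendConfig);
        slapdFrontendConfig->localssf = (int) localssf; /* range-checked above */
        CFG_UNLOCK_WRITE(slapdFrontendConfig);
    }

    return retVal;
}
```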
@@ -4752,6 +4798,17 @@ config_set_minssf( const char *attrname, char *value, char *errorbuf, int apply
}
int
+config_get_localssf()
+{
+ int localssf;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ localssf = slapdFrontendConfig->localssf;
+
+ return localssf;
+}
+
+int
config_get_minssf()
{
int minssf;
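Review bot: config_get_localssf reads `slapdFrontendConfig->localssf` with no lock, while config_set_localssf writes it under `CFG_LOCK_WRITE`; for a single aligned `int` the practical risk is small, but the asymmetry should be either deliberate and commented or closed. If config_get_minssf, whose body is cut off at the end of this hunk, reads unlocked as well then this follows existing style; otherwise wrap the read, `CFG_LOCK_READ(slapdFrontendConfig); localssf = slapdFrontendConfig->localssf; CFG_UNLOCK_READ(slapdFrontendConfig);`. A one-line header comment stating that this is the SSF assigned to LDAPI connections at accept time would also help readers coming from daemon.c.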
diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
index e22a52d..c1f00d2 100644
--- a/ldap/servers/slapd/passwd_extop.c
+++ b/ldap/servers/slapd/passwd_extop.c
@@ -462,7 +462,7 @@ passwd_modify_extop( Slapi_PBlock *pb )
char *oldPasswd = NULL;
char *newPasswd = NULL;
char *errMesg = NULL;
- int ret=0, rc=0, sasl_ssf=0, need_pwpolicy_ctrl=0;
+ int ret=0, rc=0, sasl_ssf=0, local_ssf=0, need_pwpolicy_ctrl=0;
ber_tag_t tag=0;
ber_len_t len=(ber_len_t)-1;
struct berval *extop_value = NULL;
@@ -517,8 +517,16 @@ passwd_modify_extop( Slapi_PBlock *pb )
goto free_and_return;
}
+ if ( slapi_pblock_get(pb, SLAPI_CONN_LOCAL_SSF, &local_ssf) != 0) {
+ errMesg = "Could not get local SSF from connection\n";
+ rc = LDAP_OPERATIONS_ERROR;
+ slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop",
+ errMesg );
+ goto free_and_return;
+ }
+
if ( ((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) &&
- (sasl_ssf <= 1) ) {
+ (sasl_ssf <= 1) && (local_ssf <= 1)) {
errMesg = "Operation requires a secure connection.\n";
rc = LDAP_CONFIDENTIALITY_REQUIRED;
goto free_and_return;
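Review bot: `slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop", errMesg );` passes a variable as the format argument; errMesg is a constant here, but the safe form that survives a later message containing `%` is `slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop", "%s", errMesg );`. The new block also turns a failed SLAPI_CONN_LOCAL_SSF lookup into LDAP_OPERATIONS_ERROR, whereas the equivalent code in do_bind logs and falls back to `local_ssf = 0`; both fail closed, but the two paths should agree on one behaviour. passwd_modify_extop continues outside the hunk.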
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 3d945cd..6bc2375 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -362,6 +362,16 @@ slapi_pblock_get( Slapi_PBlock *pblock, int arg, void *value )
(*(int *)value) = pblock->pb_conn->c_ssl_ssf;
PR_Unlock( pblock->pb_conn->c_mutex );
break;
+ case SLAPI_CONN_LOCAL_SSF:
+ if (pblock->pb_conn == NULL) {
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "Connection is NULL and hence cannot access SLAPI_CONN_LOCAL_SSF \n", 0, 0, 0 );
+ return (-1);
+ }
+ PR_Lock( pblock->pb_conn->c_mutex );
+ (*(int *)value) = pblock->pb_conn->c_local_ssf;
+ PR_Unlock( pblock->pb_conn->c_mutex );
+ break;
case SLAPI_CONN_CERT:
if (pblock->pb_conn == NULL) {
LDAPDebug( LDAP_DEBUG_ANY,
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index dd7ec88..3d22da5 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -367,6 +367,7 @@ int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_anon_access_switch(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_localssf(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_minssf(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
@@ -504,6 +505,7 @@ int config_get_outbound_ldap_io_timeout(void);
int config_get_unauth_binds_switch(void);
int config_get_require_secure_binds(void);
int config_get_anon_access_switch(void);
+int config_get_localssf(void);
int config_get_minssf(void);
int config_get_csnlogging();
#ifdef MEMPOOL_EXPERIMENTAL
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 9c655ef..65ee8ce 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -285,6 +285,7 @@ typedef void (*VFP0)(void);
#define SLAPD_DEFAULT_MAX_THREADS 30 /* connection pool threads */
#define SLAPD_DEFAULT_MAX_THREADS_PER_CONN 5 /* allowed per connection */
#define SLAPD_DEFAULT_SCHEMA_IGNORE_TRAILING_SPACES LDAP_OFF
+#define SLAPD_DEFAULT_LOCAL_SSF 71 /* assume local connections are secure */
#define SLAPD_DEFAULT_MIN_SSF 0 /* allow unsecured connections (no privacy or integrity) */
/* We'd like this number to be prime for
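Review bot: The comment on `SLAPD_DEFAULT_LOCAL_SSF 71`, `/* assume local connections are secure */`, does not say what that assumption rests on or why 71 was chosen, and this constant is what lets an LDAPI client satisfy nsslapd-minssf and nsslapd-require-secure-binds without TLS or SASL. Suggest spelling it out, e.g. `/* SSF credited to LDAPI connections: relies on filesystem permissions of the socket for confidentiality; 71 appears to match OpenLDAP's localSSF default — confirm */`, so an administrator reading the header understands that the socket's permissions, not a cipher, back this number.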
@@ -1358,6 +1359,7 @@ typedef struct conn {
Slapi_Backend *c_bi_backend; /* which backend is doing the import */
void *c_extension; /* plugins are able to extend the Connection object */
void *c_sasl_conn; /* sasl library connection sasl_conn_t */
+ int c_local_ssf; /* flag to tell us the local SSF */
int c_sasl_ssf; /* flag to tell us the SASL SSF */
int c_ssl_ssf; /* flag to tell us the SSL/TLS SSF */
int c_unix_local; /* flag true for LDAPI */
@@ -1820,6 +1822,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
#define CONFIG_ANON_ACCESS_ATTRIBUTE "nsslapd-allow-anonymous-access"
+#define CONFIG_LOCALSSF_ATTRIBUTE "nsslapd-localssf"
#define CONFIG_MINSSF_ATTRIBUTE "nsslapd-minssf"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
@@ -2123,6 +2126,7 @@ typedef struct _slapdFrontendConfig {
int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
int require_secure_binds; /* switch to require simple binds to use a secure channel */
int allow_anon_access; /* switch to enable/disable anonymous access */
+ int localssf; /* the security strength factor to assign to local conns (ldapi) */
int minssf; /* minimum security strength factor (for SASL and SSL/TLS) */
size_t maxsasliosize; /* limit incoming SASL IO packet size */
char *anon_limits_dn; /* template entry for anonymous resource limits */
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 821b911..e2c7750 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -5630,6 +5630,7 @@ int slapi_reslimit_get_integer_limit( Slapi_Connection *conn, int handle,
#define SLAPI_CONN_AUTHMETHOD 746
#define SLAPI_CONN_SASL_SSF 748
#define SLAPI_CONN_SSL_SSF 749
+#define SLAPI_CONN_LOCAL_SSF 751
/*
* Types of authentication for SLAPI_CONN_AUTHMETHOD
ldap/admin
by Richard Allen Megginson
ldap/admin/src/scripts/ds-logpipe.py | 3 ++-
ldap/admin/src/scripts/logregex.py | 16 ++++------------
2 files changed, 6 insertions(+), 13 deletions(-)
New commits:
commit 3c2d82e345522ae0eb349759a96b01e5efe9eff1
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Jan 31 19:08:40 2011 -0700
Bug 667935 - DS pipe log script's logregex.py plugin is not redirecting the log output to the text file
https://bugzilla.redhat.com/show_bug.cgi?id=667935
Resolves: bug 667935
Bug Description: DS pipe log script's logregex.py plugin is not redirecting the log output to the text file
Reviewed by: nkinder (Thanks!)
Branch: master
Fix Description: The logregex plugin function is really just a thin wrapper
around the builtin plugin - the only difference is that logregex will only
store those lines that match the given regexes. The fix is to just remove
the post function, and make the plugin just call the main plugin function
with the line if it matches the regexes. The only tricky part is that we
have to increment total lines in the logregex plugin and decrement it when
we call the main pluginfunction, in order to keep an accurate count of the
total number of lines read. I also cleaned up an error message and made
the printed output flush.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/admin/src/scripts/ds-logpipe.py b/ldap/admin/src/scripts/ds-logpipe.py
index 5c60557..4a6053f 100644
--- a/ldap/admin/src/scripts/ds-logpipe.py
+++ b/ldap/admin/src/scripts/ds-logpipe.py
@@ -30,6 +30,7 @@ def printbuffer():
sys.stdout.writelines(buffer)
print "Read %d total lines" % totallines
print logfname, "=" * 60
+ sys.stdout.flush()
def defaultpost(): printbuffer()
@@ -179,7 +180,7 @@ def read_and_process_line(logf, plgfuncs):
if line: # read something
for plgfunc in plgfuncs:
if not plgfunc(line):
- print "Aborting processing due to function %s" % str(plgfunc)
+ print "Aborting processing due to function %s.%s" % (plgfunc.__module__, plgfunc.__name__)
finish()
done = True
break
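Review bot: The new message `print "Aborting processing due to function %s.%s" % (plgfunc.__module__, plgfunc.__name__)` assumes every plugin callable is a plain function; a callable object or a bound method from a class-based plugin would raise AttributeError on `__name__` inside the abort path itself. A tolerant form keeps the improvement without the new failure mode: `print "Aborting processing due to function %s.%s" % (getattr(plgfunc, '__module__', '?'), getattr(plgfunc, '__name__', repr(plgfunc)))`. read_and_process_line starts outside the hunk.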
diff --git a/ldap/admin/src/scripts/logregex.py b/ldap/admin/src/scripts/logregex.py
index ac32922..7537953 100644
--- a/ldap/admin/src/scripts/logregex.py
+++ b/ldap/admin/src/scripts/logregex.py
@@ -5,7 +5,6 @@ import __main__ # to use globals
# supports more than one regex - multiple regex are combined using AND logic
# OR logic is easily supported with the '|' regex modifier
regex_regex_ary = []
-buffer = []
def pre(plgargs):
global regex_regex_ary
@@ -19,18 +18,11 @@ def pre(plgargs):
regex_regex_ary.append(re.compile(regexary))
return True
-def post():
- global buffer
- sys.stdout.writelines(buffer)
- buffer = []
-
def plugin(line):
- global buffer
+ __main__.totallines = __main__.totallines + 1
for rx in regex_regex_ary:
if not rx.search(line):
- break # must match all regex
+ return True # regex did not match - get next line
else: # all regexes matched
- buffer.append(line)
- if len(buffer) > __main__.maxlines:
- del buffer[0]
- return True
+ __main__.totallines = __main__.totallines - 1
+ return __main__.defaultplugin(line)
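Review bot: The increment of `__main__.totallines` at the top of plugin and its decrement just before `__main__.defaultplugin(line)` are only correct if defaultplugin itself increments the counter, and nothing in this file says so; the next reader will see it as a bug and "fix" it. Add the rationale from the commit message next to the decrement, e.g. `# defaultplugin counts the line itself; undo our increment so it is not counted twice`, and a line at the top noting that non-matching lines are counted here because defaultplugin never sees them. A comment on `pre` is not needed since it is unchanged.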