lib/libadminutil/admutil.c | 63 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 48 insertions(+), 15 deletions(-)
New commits: commit 4fbee55d45376a344f3d01d82ba933399fc7f3cf Author: Mark Reynolds mreynolds@redhat.com Date: Mon Dec 1 15:38:33 2014 -0500
Ticket 47929 - adminutil - future proof getSSLVersion
Bug Description: Currently all the SSL versions are hardcoded, so as new versions are released the code will also need to be updated.
Fix Description: Take a version string and convert it to the SSL version identifier. Also verify that the max and min versions are within the acceptable ranges; if not, adjust them.
https://fedorahosted.org/389/ticket/47929
Reviewed by: rmeggins(Thanks!)
diff --git a/lib/libadminutil/admutil.c b/lib/libadminutil/admutil.c
index c8e4f6f..88552e4 100644
--- a/lib/libadminutil/admutil.c
+++ b/lib/libadminutil/admutil.c
@@ -63,6 +63,7 @@
 #include <time.h>
 #include <string.h>
 #include <stdlib.h>
+#include <errno.h>
 #include <ctype.h>
 #include "version.h"
 #include "admutil_pvt.h"
@@ -1529,37 +1530,63 @@ destroyAdmldap(AdmldapInfo info)
 }
 }
+/* + * Take a version string: ssl3, tls1.2, ..., tls2.1, etc, + * and return the NSS version number. + */ static int getSSLVersion(char *version) { - if(version == NULL){ - return 0; + if( version == NULL ){ + return 0; } - - if (!strcasecmp(version, "ssl3")){ + if( !strcasecmp(version, "ssl3") ){ return SSL_LIBRARY_VERSION_3_0; - } else if (!strcasecmp(version, "tls1.0")){ - return SSL_LIBRARY_VERSION_TLS_1_0; - } else if (!strcasecmp(version, "tls1.1")){ - return SSL_LIBRARY_VERSION_TLS_1_1; - } else if (!strcasecmp(version, "tls1.2")){ - return SSL_LIBRARY_VERSION_TLS_1_2; - } else if (!strcasecmp(version, "tls1.3")){ - return SSL_LIBRARY_VERSION_TLS_1_3; } else { - return 0; + char *copy = strdup(version); + char *iter = NULL; + char *comp; + char *endp = NULL; + PRUint16 major, minor, ssl_version = 0; + + if( strncasecmp(version,"tls",3) == 0 ){ + char *m = copy + 3; + if((comp = strtok_r(m, ".", &iter))) { + major = strtol(comp, &endp, 10); + if( major > 0 ){ + major = (major + 2) << 8; + if (( comp = strtok_r(NULL, ".", &iter) )){ + minor = strtol(comp, &endp, 10); + if( minor >= 0 && errno != ERANGE ){ + minor = (minor & 0xff); + ssl_version = major + minor; + if( (ssl_version & SSL_LIBRARY_VERSION_3_0) == SSL_LIBRARY_VERSION_3_0 ){ + ssl_version++; + } + } + } + } + } + } + PL_strfree(copy); + return ssl_version; } }
PR_IMPLEMENT(int) admldapGetSSLMin(AdmldapInfo info) { + SSLVersionRange range; AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info; int version = getSSLVersion(treeFindValueAt(admInfo->configInfo, "sslVersionMin", 0));
if(!version){ - return SSL_LIBRARY_VERSION_TLS_1_1; + return SSL_LIBRARY_VERSION_TLS_1_0; } else { + SSL_VersionRangeGetSupported(ssl_variant_stream, &range); + if (version < range.min){ + version = range.min; + } return version; } } @@ -1567,12 +1594,18 @@ admldapGetSSLMin(AdmldapInfo info) PR_IMPLEMENT(int) admldapGetSSLMax(AdmldapInfo info) { + SSLVersionRange range; AdmldapHdnlPtr admInfo = (AdmldapHdnlPtr)info; int version = getSSLVersion(treeFindValueAt(admInfo->configInfo, "sslVersionMax", 0));
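Review bot: The numeric parsing added to getSSLVersion validates none of what it reads: errno is never reset before either strtol, so `errno != ERANGE` tests whatever value an earlier call left behind, major and minor are PRUint16 so `major > 0`/`minor >= 0` cannot catch a negative component (it wraps), and endp is stored but never examined, so a value such as `tls1.2junk` is accepted as TLS 1.2. The copy comes from strdup, is not checked for NULL before `copy + 3` is formed, and is released with PL_strfree, which pairs a libc allocation with the NSPR free; PL_strdup keeps the pair consistent. The rewrite below resets errno, parses into long, requires `*endp == '\0'` and bounds both components before composing the value; the `ssl_version++` after the `SSL_LIBRARY_VERSION_3_0` mask test only fires for the 0x03xx block, so a comment such as `/* offset formula verified only for tls1.x; tls2.x and later need re-checking against NSS */` would record that the "future proof" mapping is unverified beyond TLS 1.x. In admldapGetSSLMin the SECStatus of SSL_VersionRangeGetSupported is ignored, so on failure `range.min` is read uninitialized; the same applies to both calls in admldapGetSSLMax in the next hunk, and a check against SECSuccess with the previous constant as fallback is needed at each. A sslVersionMin value that fails to parse now silently yields TLS 1.0, one step below the previous TLS 1.1 default, so a mistyped configuration value lowers the floor without any trace; logging the fallback would make that visible.
```c
    } else {
        char *copy = PL_strdup(version);
        char *iter = NULL;
        char *comp;
        char *endp = NULL;
        long major, minor;
        PRUint16 ssl_version = 0;

        if( copy == NULL ){
            return 0;
        }
        if( strncasecmp(version,"tls",3) == 0 ){
            char *m = copy + 3;
            if((comp = strtok_r(m, ".", &iter))) {
                errno = 0;
                major = strtol(comp, &endp, 10);
                /* reject empty, trailing junk, overflow, non-positive, or a major that does not fit the high byte */
                if( endp != comp && *endp == '\0' && errno == 0 && major > 0 && (major + 2) <= 0xff ){
                    if (( comp = strtok_r(NULL, ".", &iter) )){
                        errno = 0;
                        minor = strtol(comp, &endp, 10);
                        if( endp != comp && *endp == '\0' && errno == 0 && minor >= 0 && minor <= 0xff ){
                            ssl_version = (PRUint16)(((major + 2) << 8) + minor);
                            /* … unchanged: +1 adjustment for the 0x03xx block … */
                        }
                    }
                }
            }
        }
        PL_strfree(copy);
        return ssl_version;
    }
```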
+ SSL_VersionRangeGetSupported(ssl_variant_stream, &range); if(!version){ - return SSL_LIBRARY_VERSION_TLS_1_2; + return range.max; } else { + SSL_VersionRangeGetSupported(ssl_variant_stream, &range); + if (version > range.max){ + version = range.max; + } return version; } }
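Review bot: In admldapGetSSLMax the call to SSL_VersionRangeGetSupported is made twice — once before `if(!version)` and again inside the else branch — and neither result is checked, so the second call is redundant and a failure leaves `range.max` uninitialized when it is returned or used as the clamp. Guarding the first call with `if (SSL_VersionRangeGetSupported(ssl_variant_stream, &range) != SECSuccess) { return SSL_LIBRARY_VERSION_TLS_1_2; }` and dropping the duplicate keeps the old fallback when NSS cannot report its range. The clamp also only compares against range.max, so a configured maximum below range.min (or below the minimum chosen by admldapGetSSLMin) passes through unchanged and can produce a max lower than min; clamping both ends, or stating in a comment that the caller is expected to reconcile the pair, would close that gap.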