
Ticket #47880 - provide enabled ciphers as search result

Description: Implemented getEnabledCiphers, with which
  ldapsearch -b "cn=encryption,cn=config" nsSSLEnabledCiphers
returns the list of enabled ciphers.  Example of the returned enabled ciphers:
  dn: cn=encryption,cn=config
  nsSSLEnabledCiphers: TLS_RSA_WITH_RC4_128_MD5::RC4::MD5::128
  nsSSLEnabledCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5::3DES::MD5::192

https://fedorahosted.org/389/ticket/47880

Reviewed by [email protected] (Thank you, Mark!)
Noriko Hosoi 11 vuotta sitten
c675243e01
2 muutettua tiedostoa jossa 54 lisäystä ja 2 poistoa
  1. 13 1
      ldap/servers/slapd/fedse.c
  2. 41 1
      ldap/servers/slapd/ssl.c

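--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -76,6 +76,7 @@
 #endif  /* _WIN32 */
 
 extern char ** getSupportedCiphers();
+extern char ** getEnabledCiphers();
 
 /* Note: These DNs are no need to be normalized */
 static const char *internal_entries[] =
@@ -1695,11 +1696,12 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
     struct berval           *vals[2];
     struct berval           val;
     char ** cipherList = getSupportedCiphers(); /*Get the string array of supported ciphers here */
+    char ** enabledCipherList = getEnabledCiphers(); /*Get the string array of enabled ciphers here */
     vals[0] = &val;
     vals[1] = NULL;
 
     attrlist_delete ( &entry->e_attrs, "nsSSLSupportedCiphers");
-    while (*cipherList) /* iterarate thru each of them and add to the attr value */
+    while (cipherList && *cipherList) /* iterarate thru each of them and add to the attr value */
     {
         char *cipher = *cipherList;
         val.bv_val = (char* ) cipher;
@@ -1708,6 +1710,16 @@ search_encryption( Slapi_PBlock *pb, Slapi_Entry *entry, Slapi_Entry *entryAfter
         cipherList++;
     }
 
+    attrlist_delete ( &entry->e_attrs, "nsSSLEnabledCiphers");
+    while (enabledCipherList && *enabledCipherList) /* iterarate thru each of them and add to the attr value */
+    {
+        char *cipher = *enabledCipherList;
+        val.bv_val = (char* ) cipher;
+        val.bv_len = strlen ( val.bv_val );
+        attrlist_merge ( &entry->e_attrs, "nsSSLEnabledCiphers", vals);
+        enabledCipherList++;
+    }
+
     return SLAPI_DSE_CALLBACK_OK;
 }
 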
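Review bot: The new nsSSLEnabledCiphers loop in the last hunk repeats the nsSSLSupportedCiphers loop line for line (attribute delete, berval fill, merge, advance) with only the attribute name and the source list differing, so the two are better expressed as one static helper that search_encryption calls twice. The `(char* ) cipher` cast carried over from the first loop is a no-op on a `char *` and can be dropped. Since getEnabledCiphers returns NULL until the SSL listener is initialized, the new attribute is simply absent from the entry in that window; a comment at the call such as `/* NULL until SSL is initialized: the attribute is then omitted */` spares the reader a trip into ssl.c. search_encryption begins before this hunk, and the berval declarations the loop reuses are in the earlier hunk.
```c
/* Replace attribute ATTR on ENTRY with one value per string in CIPHERS; a NULL list removes the attribute. */
static void
set_cipher_attr(Slapi_Entry *entry, const char *attr, char **ciphers)
{
    struct berval *vals[2];
    struct berval val;

    vals[0] = &val;
    vals[1] = NULL;
    attrlist_delete(&entry->e_attrs, attr);
    for (; ciphers && *ciphers; ciphers++) {
        val.bv_val = *ciphers;
        val.bv_len = strlen(val.bv_val);
        attrlist_merge(&entry->e_attrs, attr, vals);
    }
}

/* … unchanged: start of search_encryption … */
    set_cipher_attr(entry, "nsSSLSupportedCiphers", getSupportedCiphers());
    set_cipher_attr(entry, "nsSSLEnabledCiphers", getEnabledCiphers());
    return SLAPI_DSE_CALLBACK_OK;
```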

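--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -157,6 +157,7 @@ static char * configDN = "cn=encryption,cn=config";
 #define CIPHER_IS_WEAK          0x4
 #define CIPHER_IS_DEPRECATED    0x8
 static char **cipher_names = NULL;
+static char **enabled_cipher_names = NULL;
 typedef struct {
     char *name;
     int num;
@@ -265,7 +266,8 @@ slapd_SSL_warn(char *fmt, ...)
     va_end(args);
 }
 
-char ** getSupportedCiphers()
+char **
+getSupportedCiphers()
 {
 	SSLCipherSuiteInfo info;
 	char *sep = "::";
@@ -294,6 +296,44 @@ char ** getSupportedCiphers()
 	return cipher_names;
 }
 
+char **
+getEnabledCiphers()
+{
+    SSLCipherSuiteInfo info;
+    char *sep = "::";
+    int number_of_ciphers = 0;
+    int x;
+    int idx = 0;
+    PRBool enabled;
+
+    /* We have to wait until the SSL initialization is done. */
+    if (!slapd_ssl_listener_is_initialized()) {
+        return NULL;
+    }
+    if ((enabled_cipher_names == NULL) && _conf_ciphers) {
+        for (x = 0; _conf_ciphers[x].name; x++) {
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+            if (enabled) {
+                number_of_ciphers++;
+            }
+        }
+        enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
+        for (x = 0; _conf_ciphers[x].name; x++) {
+            SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
+            if (enabled) {
+                SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
+                enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+                        _conf_ciphers[x].name,sep,
+                        info.symCipherName,sep,
+                        info.macAlgorithmName,sep,
+                        info.symKeyBits);
+            }
+        }
+    }
+
+    return enabled_cipher_names;
+}
+
 static PRBool
 cipher_check_fips(int idx, char ***suplist, char ***unsuplist)
 {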
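Review bot: In getEnabledCiphers, `enabled` is declared without an initializer (`PRBool enabled;`) and then read after each `SSL_CipherPrefGetDefault` call whose status is ignored, so a lookup that fails (for example an unknown suite number) leaves an indeterminate value deciding whether the suite is counted; initialize it and gate on the status, `PRBool enabled = PR_FALSE;` and `if (SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled) == SECSuccess && enabled)` in both loops. The second loop should also be bounded by `idx < number_of_ciphers`, because the array is sized from a first pass over the same global preferences and any change between the two passes would write past the calloc'd end; the `SSL_GetCipherSuiteInfo` status and the `PR_smprintf` result (NULL on allocation failure) are likewise unchecked. The list is built on the first successful call and never invalidated, and two concurrent first callers would both allocate and one allocation would leak, so presumably the cache is meant to be filled once under the server's single-threaded startup — confirm, and say so in a header comment on the function. As a point of style, the new function is indented with spaces while the adjacent getSupportedCiphers uses tabs.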