Bugzilla 730146 - SSL handshake picks non-FIPS ciphers in FIPS mode

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2180 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

3 files changed, 61 insertions, 0 deletions

diff --git a/pki/base/tps/apache/conf/nss.conf b/pki/base/tps/apache/conf/nss.conf
index 2e0b0ecae..314df040d 100644
--- a/pki/base/tps/apache/conf/nss.conf
+++ b/pki/base/tps/apache/conf/nss.conf
@@ -92,10 +92,16 @@ TransferLog [SERVER_ROOT]/logs/access_log
 #   Enable/Disable SSL for this virtual host.
 NSSEngine on
 
+#   FIPS Switch:
+#   Enable/Disable FIPS mode
+#   NSSFIPS on
+
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_nss documentation for a complete list.
 NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+#   SSL cipher suite in FIPS mode:
+#   NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
 
 NSSProtocol SSLv3,TLSv1
 
@@ -187,10 +193,16 @@ TransferLog [SERVER_ROOT]/logs/access_log
 #   Enable/Disable SSL for this virtual host.
 NSSEngine on
 
+#   FIPS Switch:
+#   Enable/Disable FIPS mode
+#   NSSFIPS on
+
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_nss documentation for a complete list.
 NSSCipherSuite -des,-desede3,-rc2,-rc2export,-rc4,-rc4export,+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha,+ecdhe_ecdsa_aes_256_sha
+#   SSL cipher suite in FIPS mode:
+#   NSSCipherSuite +rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
 
 NSSProtocol SSLv3,TLSv1
 
diff --git a/pki/base/tps/src/httpClient/engine.cpp b/pki/base/tps/src/httpClient/engine.cpp
index 46efe42d3..621a37244 100644
--- a/pki/base/tps/src/httpClient/engine.cpp
+++ b/pki/base/tps/src/httpClient/engine.cpp
@@ -182,6 +182,24 @@ int ssl3Suites[] = {
     0
 };
 
+int tlsSuites[] = {
+//    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+//    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+//    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+    TLS_RSA_WITH_AES_128_CBC_SHA,
+    TLS_RSA_WITH_AES_256_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+//    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+//    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+//    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+};
+
 void disableAllCiphersOnSocket(PRFileDesc* sock) {
     int i;
     int numsuites = SSL_NumImplementedCiphers;
@@ -199,6 +217,13 @@ void __EXPORT EnableAllSSL3Ciphers(PRFileDesc* sock) {
 	}
 }
  
+void __EXPORT EnableAllTLSCiphers(PRFileDesc* sock) {
+	int i =0;
+	while (tlsSuites[i]) {
+        SSL_CipherPrefSet(sock, tlsSuites[i++], SSL_ALLOWED);
+	}
+}
+ 
 PRBool __EXPORT EnableCipher(const char* cipherString) {
      int ndx;
   
@@ -504,6 +529,18 @@ void nodelay(PRFileDesc* fd) {
 }
 
 
+void __EXPORT setDefaultAllTLSCiphers() {
+	int i =0;
+    char alg[256];
+	while (tlsSuites[i]) {
+        PR_snprintf((char *)alg, 256, "%x", tlsSuites[i]);
+        RA::Debug( LL_PER_PDU,
+            "setDefaultAllTLSCiphers",
+            alg);
+        SSL_CipherPrefSetDefault(tlsSuites[i++], PR_TRUE);
+	}
+}
+ 
 /**
  * Returns a file descriptor for I/O if the HTTP connection is successful
  * @param addr PRnetAddr structure which points to the server to connect to
@@ -521,6 +558,7 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn,
 	PRFileDesc *sock = NULL;
 
     SSL_CipherPrefSetDefault(0xC005 /* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA */, PR_TRUE);
+    setDefaultAllTLSCiphers();
 
     tcpsock = PR_OpenTCPSocket(addr->raw.family);
 
@@ -547,6 +585,9 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn,
     nodelay(tcpsock);
 
     if (PR_TRUE == SSLOn) {
+        RA::Debug( LL_PER_PDU,
+                   "Engine::_doConnect: ",
+                   "SSL is ON" );
         sock=SSL_ImportFD(NULL, tcpsock);
         if (!sock) {
             //xxx log
@@ -635,8 +676,15 @@ PRFileDesc * Engine::_doConnect(PRNetAddr *addr, PRBool SSLOn,
             return NULL;
 		}
 
+        RA::Debug( LL_PER_PDU,
+                   "Engine::_doConnect: ",
+                   "end SSL is ON" );
+		//EnableAllTLSCiphers( sock);
 		//EnableAllSSL3Ciphers( sock);
     } else {
+        RA::Debug( LL_PER_PDU,
+                   "Engine::_doConnect: ",
+                   "SSL is OFF" );
         sock = tcpsock;
     }
 
diff --git a/pki/base/tps/src/include/httpClient/httpc/engine.h b/pki/base/tps/src/include/httpClient/httpc/engine.h
index 73881ed81..9a57b024e 100644
--- a/pki/base/tps/src/include/httpClient/httpc/engine.h
+++ b/pki/base/tps/src/include/httpClient/httpc/engine.h
@@ -71,6 +71,7 @@ PRBool __EXPORT InitSecurity(char* dbpath, char* certname, char* certpassword,
 							 char * prefix ,int verify=1);
 PRBool __EXPORT EnableCipher(const char* ciphername);
 void  __EXPORT EnableAllSSL3Ciphers();
+void  __EXPORT EnableAllTLSCiphers();
 __EXPORT const char * nscperror_lookup(int error);
 
 #endif