blob: 6a85e03f11cfb4509b00b6970a3d72f8dbb314c0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
|
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef __secplcy_h__
#define __secplcy_h__
#include "utilrename.h"
#include "prtypes.h"
/*
** Cipher policy enforcement. This code isn't very pretty, but it accomplishes
** the purpose of obscuring policy information from potential fortifiers. :-)
**
** The following routines are generic and intended for anywhere where cipher
** policy enforcement is to be done, e.g. SSL and PKCS7&12.
*/
#define SEC_CIPHER_NOT_ALLOWED 0
#define SEC_CIPHER_ALLOWED 1
#define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases \
e.g. step-up */
/* The length of the header string for each cipher table.
(It's the same regardless of whether we're using md5 strings or not.) */
#define SEC_POLICY_HEADER_LENGTH 48
/* If we're testing policy stuff, we may want to use the plaintext version */
#define SEC_POLICY_USE_MD5_STRINGS 1
#define SEC_POLICY_THIS_IS_THE \
"\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f"
#define SEC_POLICY_STRING_FOR_THE \
"\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6"
#define SEC_POLICY_SSL_TAIL \
"\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca"
#define SEC_POLICY_SMIME_TAIL \
"\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9"
#define SEC_POLICY_PKCS12_TAIL \
"\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8"
#if defined(SEC_POLICY_USE_MD5_STRINGS)
/* We're not testing.
Use md5 checksums of the strings. */
#define SEC_POLICY_SSL_HEADER \
SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL
#define SEC_POLICY_SMIME_HEADER \
SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL
#define SEC_POLICY_PKCS12_HEADER \
SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL
#else
/* We're testing.
Use plaintext versions of the strings, for testing purposes. */
#define SEC_POLICY_SSL_HEADER \
"This is the string for the SSL policy table. "
#define SEC_POLICY_SMIME_HEADER \
"This is the string for the PKCS7 policy table. "
#define SEC_POLICY_PKCS12_HEADER \
"This is the string for the PKCS12 policy table. "
#endif
/* Local cipher tables have to have these members at the top. */
typedef struct _sec_cp_struct {
char policy_string[SEC_POLICY_HEADER_LENGTH];
long unused; /* placeholder for max keybits in pkcs12 struct */
char num_ciphers;
char begin_ciphers;
/* cipher policy settings follow. each is a char. */
} secCPStruct;
struct SECCipherFindStr {
/* (policy) and (ciphers) are opaque to the outside world */
void *policy;
void *ciphers;
long index;
PRBool onlyAllowed;
};
typedef struct SECCipherFindStr SECCipherFind;
SEC_BEGIN_PROTOS
SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
secCPStruct *policy,
long *ciphers);
long sec_CipherFindNext(SECCipherFind *find);
char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
long *ciphers);
void sec_CipherFindEnd(SECCipherFind *find);
SEC_END_PROTOS
#endif /* __SECPLCY_H__ */
|