security/nss/lib/util/secplcy.h@b8a032363ba2 (annotated)
security/nss/lib/util/secplcy.h
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 4 | |
| michael@0 | 5 | #ifndef __secplcy_h__ |
| michael@0 | 6 | #define __secplcy_h__ |
| michael@0 | 7 | |
| michael@0 | 8 | #include "utilrename.h" |
| michael@0 | 9 | |
| michael@0 | 10 | #include "prtypes.h" |
| michael@0 | 11 | |
| michael@0 | 12 | /* |
| michael@0 | 13 | ** Cipher policy enforcement. This code isn't very pretty, but it accomplishes |
| michael@0 | 14 | ** the purpose of obscuring policy information from potential fortifiers. :-) |
| michael@0 | 15 | ** |
| michael@0 | 16 | ** The following routines are generic and intended for anywhere where cipher |
| michael@0 | 17 | ** policy enforcement is to be done, e.g. SSL and PKCS7&12. |
| michael@0 | 18 | */ |
| michael@0 | 19 | |
| michael@0 | 20 | #define SEC_CIPHER_NOT_ALLOWED 0 |
| michael@0 | 21 | #define SEC_CIPHER_ALLOWED 1 |
| michael@0 | 22 | #define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases |
| michael@0 | 23 | e.g. step-up */ |
| michael@0 | 24 | |
| michael@0 | 25 | /* The length of the header string for each cipher table. |
| michael@0 | 26 | (It's the same regardless of whether we're using md5 strings or not.) */ |
| michael@0 | 27 | #define SEC_POLICY_HEADER_LENGTH 48 |
| michael@0 | 28 | |
| michael@0 | 29 | /* If we're testing policy stuff, we may want to use the plaintext version */ |
| michael@0 | 30 | #define SEC_POLICY_USE_MD5_STRINGS 1 |
| michael@0 | 31 | |
| michael@0 | 32 | #define SEC_POLICY_THIS_IS_THE \ |
| michael@0 | 33 | "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f" |
| michael@0 | 34 | #define SEC_POLICY_STRING_FOR_THE \ |
| michael@0 | 35 | "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6" |
| michael@0 | 36 | #define SEC_POLICY_SSL_TAIL \ |
| michael@0 | 37 | "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca" |
| michael@0 | 38 | #define SEC_POLICY_SMIME_TAIL \ |
| michael@0 | 39 | "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9" |
| michael@0 | 40 | #define SEC_POLICY_PKCS12_TAIL \ |
| michael@0 | 41 | "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8" |
| michael@0 | 42 | |
| michael@0 | 43 | #if defined(SEC_POLICY_USE_MD5_STRINGS) |
| michael@0 | 44 | |
| michael@0 | 45 | /* We're not testing. |
| michael@0 | 46 | Use md5 checksums of the strings. */ |
| michael@0 | 47 | |
| michael@0 | 48 | #define SEC_POLICY_SSL_HEADER \ |
| michael@0 | 49 | SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL |
| michael@0 | 50 | |
| michael@0 | 51 | #define SEC_POLICY_SMIME_HEADER \ |
| michael@0 | 52 | SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL |
| michael@0 | 53 | |
| michael@0 | 54 | #define SEC_POLICY_PKCS12_HEADER \ |
| michael@0 | 55 | SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL |
| michael@0 | 56 | |
| michael@0 | 57 | #else |
| michael@0 | 58 | |
| michael@0 | 59 | /* We're testing. |
| michael@0 | 60 | Use plaintext versions of the strings, for testing purposes. */ |
| michael@0 | 61 | #define SEC_POLICY_SSL_HEADER \ |
| michael@0 | 62 | "This is the string for the SSL policy table. " |
| michael@0 | 63 | #define SEC_POLICY_SMIME_HEADER \ |
| michael@0 | 64 | "This is the string for the PKCS7 policy table. " |
| michael@0 | 65 | #define SEC_POLICY_PKCS12_HEADER \ |
| michael@0 | 66 | "This is the string for the PKCS12 policy table. " |
| michael@0 | 67 | |
| michael@0 | 68 | #endif |
| michael@0 | 69 | |
| michael@0 | 70 | /* Local cipher tables have to have these members at the top. */ |
| michael@0 | 71 | typedef struct _sec_cp_struct |
| michael@0 | 72 | { |
| michael@0 | 73 | char policy_string[SEC_POLICY_HEADER_LENGTH]; |
| michael@0 | 74 | long unused; /* placeholder for max keybits in pkcs12 struct */ |
| michael@0 | 75 | char num_ciphers; |
| michael@0 | 76 | char begin_ciphers; |
| michael@0 | 77 | /* cipher policy settings follow. each is a char. */ |
| michael@0 | 78 | } secCPStruct; |
| michael@0 | 79 | |
| michael@0 | 80 | struct SECCipherFindStr |
| michael@0 | 81 | { |
| michael@0 | 82 | /* (policy) and (ciphers) are opaque to the outside world */ |
| michael@0 | 83 | void *policy; |
| michael@0 | 84 | void *ciphers; |
| michael@0 | 85 | long index; |
| michael@0 | 86 | PRBool onlyAllowed; |
| michael@0 | 87 | }; |
| michael@0 | 88 | |
| michael@0 | 89 | typedef struct SECCipherFindStr SECCipherFind; |
| michael@0 | 90 | |
| michael@0 | 91 | SEC_BEGIN_PROTOS |
| michael@0 | 92 | |
| michael@0 | 93 | SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed, |
| michael@0 | 94 | secCPStruct *policy, |
| michael@0 | 95 | long *ciphers); |
| michael@0 | 96 | |
| michael@0 | 97 | long sec_CipherFindNext(SECCipherFind *find); |
| michael@0 | 98 | |
| michael@0 | 99 | char sec_IsCipherAllowed(long cipher, secCPStruct *policies, |
| michael@0 | 100 | long *ciphers); |
| michael@0 | 101 | |
| michael@0 | 102 | void sec_CipherFindEnd(SECCipherFind *find); |
| michael@0 | 103 | |
| michael@0 | 104 | SEC_END_PROTOS |
| michael@0 | 105 | |
| michael@0 | 106 | #endif /* __SECPLCY_H__ */ |
