1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/util/secplcy.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,106 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +#ifndef __secplcy_h__
1.9 +#define __secplcy_h__
1.10 +
1.11 +#include "utilrename.h"
1.12 +
1.13 +#include "prtypes.h"
1.14 +
1.15 +/*
1.16 +** Cipher policy enforcement. This code isn't very pretty, but it accomplishes
1.17 +** the purpose of obscuring policy information from potential fortifiers. :-)
1.18 +**
1.19 +** The following routines are generic and intended for anywhere where cipher
1.20 +** policy enforcement is to be done, e.g. SSL and PKCS7&12.
1.21 +*/
1.22 +
1.23 +#define SEC_CIPHER_NOT_ALLOWED 0
1.24 +#define SEC_CIPHER_ALLOWED 1
1.25 +#define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases
1.26 + e.g. step-up */
1.27 +
1.28 +/* The length of the header string for each cipher table.
1.29 + (It's the same regardless of whether we're using md5 strings or not.) */
1.30 +#define SEC_POLICY_HEADER_LENGTH 48
1.31 +
1.32 +/* If we're testing policy stuff, we may want to use the plaintext version */
1.33 +#define SEC_POLICY_USE_MD5_STRINGS 1
1.34 +
1.35 +#define SEC_POLICY_THIS_IS_THE \
1.36 + "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f"
1.37 +#define SEC_POLICY_STRING_FOR_THE \
1.38 + "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6"
1.39 +#define SEC_POLICY_SSL_TAIL \
1.40 + "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca"
1.41 +#define SEC_POLICY_SMIME_TAIL \
1.42 + "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9"
1.43 +#define SEC_POLICY_PKCS12_TAIL \
1.44 + "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8"
1.45 +
1.46 +#if defined(SEC_POLICY_USE_MD5_STRINGS)
1.47 +
1.48 +/* We're not testing.
1.49 + Use md5 checksums of the strings. */
1.50 +
1.51 +#define SEC_POLICY_SSL_HEADER \
1.52 + SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL
1.53 +
1.54 +#define SEC_POLICY_SMIME_HEADER \
1.55 + SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL
1.56 +
1.57 +#define SEC_POLICY_PKCS12_HEADER \
1.58 + SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL
1.59 +
1.60 +#else
1.61 +
1.62 +/* We're testing.
1.63 + Use plaintext versions of the strings, for testing purposes. */
1.64 +#define SEC_POLICY_SSL_HEADER \
1.65 + "This is the string for the SSL policy table. "
1.66 +#define SEC_POLICY_SMIME_HEADER \
1.67 + "This is the string for the PKCS7 policy table. "
1.68 +#define SEC_POLICY_PKCS12_HEADER \
1.69 + "This is the string for the PKCS12 policy table. "
1.70 +
1.71 +#endif
1.72 +
1.73 +/* Local cipher tables have to have these members at the top. */
1.74 +typedef struct _sec_cp_struct
1.75 +{
1.76 + char policy_string[SEC_POLICY_HEADER_LENGTH];
1.77 + long unused; /* placeholder for max keybits in pkcs12 struct */
1.78 + char num_ciphers;
1.79 + char begin_ciphers;
1.80 + /* cipher policy settings follow. each is a char. */
1.81 +} secCPStruct;
1.82 +
1.83 +struct SECCipherFindStr
1.84 +{
1.85 + /* (policy) and (ciphers) are opaque to the outside world */
1.86 + void *policy;
1.87 + void *ciphers;
1.88 + long index;
1.89 + PRBool onlyAllowed;
1.90 +};
1.91 +
1.92 +typedef struct SECCipherFindStr SECCipherFind;
1.93 +
1.94 +SEC_BEGIN_PROTOS
1.95 +
1.96 +SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
1.97 + secCPStruct *policy,
1.98 + long *ciphers);
1.99 +
1.100 +long sec_CipherFindNext(SECCipherFind *find);
1.101 +
1.102 +char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
1.103 + long *ciphers);
1.104 +
1.105 +void sec_CipherFindEnd(SECCipherFind *find);
1.106 +
1.107 +SEC_END_PROTOS
1.108 +
1.109 +#endif /* __SECPLCY_H__ */
