michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #ifndef __secplcy_h__ michael@0: #define __secplcy_h__ michael@0: michael@0: #include "utilrename.h" michael@0: michael@0: #include "prtypes.h" michael@0: michael@0: /* michael@0: ** Cipher policy enforcement. This code isn't very pretty, but it accomplishes michael@0: ** the purpose of obscuring policy information from potential fortifiers. :-) michael@0: ** michael@0: ** The following routines are generic and intended for anywhere where cipher michael@0: ** policy enforcement is to be done, e.g. SSL and PKCS7&12. michael@0: */ michael@0: michael@0: #define SEC_CIPHER_NOT_ALLOWED 0 michael@0: #define SEC_CIPHER_ALLOWED 1 michael@0: #define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases michael@0: e.g. step-up */ michael@0: michael@0: /* The length of the header string for each cipher table. michael@0: (It's the same regardless of whether we're using md5 strings or not.) */ michael@0: #define SEC_POLICY_HEADER_LENGTH 48 michael@0: michael@0: /* If we're testing policy stuff, we may want to use the plaintext version */ michael@0: #define SEC_POLICY_USE_MD5_STRINGS 1 michael@0: michael@0: #define SEC_POLICY_THIS_IS_THE \ michael@0: "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f" michael@0: #define SEC_POLICY_STRING_FOR_THE \ michael@0: "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6" michael@0: #define SEC_POLICY_SSL_TAIL \ michael@0: "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca" michael@0: #define SEC_POLICY_SMIME_TAIL \ michael@0: "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9" michael@0: #define SEC_POLICY_PKCS12_TAIL \ michael@0: "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8" michael@0: michael@0: #if defined(SEC_POLICY_USE_MD5_STRINGS) michael@0: michael@0: /* We're not testing. michael@0: Use md5 checksums of the strings. */ michael@0: michael@0: #define SEC_POLICY_SSL_HEADER \ michael@0: SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL michael@0: michael@0: #define SEC_POLICY_SMIME_HEADER \ michael@0: SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL michael@0: michael@0: #define SEC_POLICY_PKCS12_HEADER \ michael@0: SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL michael@0: michael@0: #else michael@0: michael@0: /* We're testing. michael@0: Use plaintext versions of the strings, for testing purposes. */ michael@0: #define SEC_POLICY_SSL_HEADER \ michael@0: "This is the string for the SSL policy table. " michael@0: #define SEC_POLICY_SMIME_HEADER \ michael@0: "This is the string for the PKCS7 policy table. " michael@0: #define SEC_POLICY_PKCS12_HEADER \ michael@0: "This is the string for the PKCS12 policy table. " michael@0: michael@0: #endif michael@0: michael@0: /* Local cipher tables have to have these members at the top. */ michael@0: typedef struct _sec_cp_struct michael@0: { michael@0: char policy_string[SEC_POLICY_HEADER_LENGTH]; michael@0: long unused; /* placeholder for max keybits in pkcs12 struct */ michael@0: char num_ciphers; michael@0: char begin_ciphers; michael@0: /* cipher policy settings follow. each is a char. */ michael@0: } secCPStruct; michael@0: michael@0: struct SECCipherFindStr michael@0: { michael@0: /* (policy) and (ciphers) are opaque to the outside world */ michael@0: void *policy; michael@0: void *ciphers; michael@0: long index; michael@0: PRBool onlyAllowed; michael@0: }; michael@0: michael@0: typedef struct SECCipherFindStr SECCipherFind; michael@0: michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed, michael@0: secCPStruct *policy, michael@0: long *ciphers); michael@0: michael@0: long sec_CipherFindNext(SECCipherFind *find); michael@0: michael@0: char sec_IsCipherAllowed(long cipher, secCPStruct *policies, michael@0: long *ciphers); michael@0: michael@0: void sec_CipherFindEnd(SECCipherFind *find); michael@0: michael@0: SEC_END_PROTOS michael@0: michael@0: #endif /* __SECPLCY_H__ */