Add new -E option to test the SSL_NO_STEPDOWN option. r=julien. bug 148452.

author: nelsonb%netscape.com <devnull@localhost> 2005-04-04 17:42:24 +0000
committer: nelsonb%netscape.com <devnull@localhost> 2005-04-04 17:42:24 +0000
commit: 86cd599b229e0e70cc4f55b7160f0d331d106ef3 (patch)
tree: 1e4beaecc83118f4739e706c85c6307e4c84e8e0
parent: fc0f6c96cf7e88e8aa656c3ea26cd8c2d6be1e75 (diff)
download: nss-hg-86cd599b229e0e70cc4f55b7160f0d331d106ef3.tar.gz
1 files changed, 69 insertions, 7 deletions
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index 262009366..d5469ebc1 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -211,6 +211,7 @@ Usage(const char *progName)
 "-S means disable SSL v2\n"
 "-3 means disable SSL v3\n"
 "-D means disable Nagle delays in TCP\n"
+"-E means disable export ciphersuites and SSL step down key gen\n"
 "-T means disable TLS\n"
 "-R means disable detection of rollback from TLS to SSL3\n"
 "-b means try binding to the port and exit\n"
@@ -297,6 +298,7 @@ errExit(char * funcString)
 **
 **************************************************************************/
 
+/* disable all the SSL cipher suites */
 void
 disableAllSSLCiphers(void)
 {
@@ -304,19 +306,59 @@ disableAllSSLCiphers(void)
     int             i            = SSL_NumImplementedCiphers;
     SECStatus       rv;
 
-    /* disable all the SSL3 cipher suites */
     while (--i >= 0) {
 	PRUint16 suite = cipherSuites[i];
         rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
 	if (rv != SECSuccess) {
-	    printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
+	    printf("SSL_CipherPrefSetDefault rejected suite 0x%04x (i = %d)\n",
 	    	   suite, i);
 	    errWarn("SSL_CipherPrefSetDefault");
-	    exit(2);
 	}
     }
 }
 
+/* disable all the export SSL cipher suites */
+SECStatus
+disableExportSSLCiphers(void)
+{
+    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+    int             i            = SSL_NumImplementedCiphers;
+    SECStatus       rv           = SECSuccess;
+    SSLCipherSuiteInfo info;
+
+    while (--i >= 0) {
+	PRUint16 suite = cipherSuites[i];
+	SECStatus status;
+	status = SSL_GetCipherSuiteInfo(suite, &info, sizeof info);
+	if (status != SECSuccess) {
+	    printf("SSL_GetCipherSuiteInfo rejected suite 0x%04x (i = %d)\n",
+		   suite, i);
+	    errWarn("SSL_GetCipherSuiteInfo");
+	    rv = SECFailure;
+	    continue;
+	}
+	if (info.cipherSuite != suite) {
+	    printf(
+"SSL_GetCipherSuiteInfo returned wrong suite! Wanted 0x%04x, Got 0x%04x\n",
+		   suite, i);
+	    PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+	    rv = SECFailure;
+	    continue;
+	}
+	/* should check here that info.length >= offsetof isExportable */
+	if (info.isExportable) {
+	    status = SSL_CipherPolicySet(suite, SSL_NOT_ALLOWED);
+	    if (status != SECSuccess) {
+		printf("SSL_CipherPolicySet rejected suite 0x%04x (i = %d)\n",
+		       suite, i);
+		errWarn("SSL_CipherPolicySet");
+		rv = SECFailure;
+	    }
+	}
+    }
+    return rv;
+}
+
 static SECStatus
 mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
 		     PRBool isServer)
@@ -644,9 +686,10 @@ PRBool useModelSocket  = PR_FALSE;
 PRBool disableSSL2     = PR_FALSE;
 PRBool disableSSL3     = PR_FALSE;
 PRBool disableTLS      = PR_FALSE;
-PRBool disableRollBack  = PR_FALSE;
+PRBool disableRollBack = PR_FALSE;
 PRBool NoReuse         = PR_FALSE;
 PRBool hasSidCache     = PR_FALSE;
+PRBool disableStepDown = PR_FALSE;
 
 static const char stopCmd[] = { "GET /stop " };
 static const char getCmd[]  = { "GET " };
@@ -1359,6 +1402,12 @@ server_main(
     if (rv != SECSuccess) {
 	errExit("error enabling RollBack detection ");
     }
+    if (disableStepDown) {
+	rv = SSL_OptionSet(model_sock, SSL_NO_STEP_DOWN, PR_TRUE);
+	if (rv != SECSuccess) {
+	    errExit("error disabling SSL StepDown ");
+	}
+    }
 
     for (kea = kt_rsa; kea < kt_kea_size; kea++) {
 	if (cert[kea] != NULL) {
@@ -1601,7 +1650,7 @@ main(int argc, char **argv)
     ** numbers, then capital letters, then lower case, alphabetical. 
     */
     optstate = PL_CreateOptState(argc, argv, 
-    	"2:3DL:M:NP:RSTbc:d:e:f:hi:lmn:op:rt:vw:xy");
+    	"2:3DEL:M:NP:RSTbc:d:e:f:hi:lmn:op:rt:vw:xy");
     while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	++optionsFound;
 	switch(optstate->option) {
@@ -1610,6 +1659,7 @@ main(int argc, char **argv)
 	case '3': disableSSL3 = PR_TRUE; break;
 
 	case 'D': noDelay = PR_TRUE; break;
+	case 'E': disableStepDown = PR_TRUE; break;
 
         case 'L':
             logStats = PR_TRUE;
@@ -1809,10 +1859,22 @@ main(int argc, char **argv)
     }
 
     /* set the policy bits true for all the cipher suites. */
-    if (useExportPolicy)
+    if (useExportPolicy) {
 	NSS_SetExportPolicy();
-    else
+	if (disableStepDown) {
+	    fputs("selfserv: -x and -E options may not be used together\n", 
+	          stderr);
+	    exit(98);
+	}
+    } else {
 	NSS_SetDomesticPolicy();
+	if (disableStepDown) {
+	    rv = disableExportSSLCiphers();
+	    if (rv != SECSuccess) {
+		errExit("error disabling export ciphersuites ");
+	    }
+    	}
+    }
 
     /* all the SSL2 and SSL3 cipher suites are enabled by default. */
     if (cipherString) {
author	nelsonb%netscape.com <devnull@localhost>	2005-04-04 17:42:24 +0000
committer	nelsonb%netscape.com <devnull@localhost>	2005-04-04 17:42:24 +0000
commit	86cd599b229e0e70cc4f55b7160f0d331d106ef3 (patch)
tree	1e4beaecc83118f4739e706c85c6307e4c84e8e0
parent	fc0f6c96cf7e88e8aa656c3ea26cd8c2d6be1e75 (diff)
download	nss-hg-86cd599b229e0e70cc4f55b7160f0d331d106ef3.tar.gz