diff options
Diffstat (limited to 'security/nss/cmd/sslstrength/sslstrength.c')
-rw-r--r-- | security/nss/cmd/sslstrength/sslstrength.c | 641 |
1 files changed, 0 insertions, 641 deletions
diff --git a/security/nss/cmd/sslstrength/sslstrength.c b/security/nss/cmd/sslstrength/sslstrength.c deleted file mode 100644 index 33cda1372..000000000 --- a/security/nss/cmd/sslstrength/sslstrength.c +++ /dev/null @@ -1,641 +0,0 @@ -/* - * The contents of this file are subject to the Mozilla Public - * License Version 1.1 (the "License"); you may not use this file - * except in compliance with the License. You may obtain a copy of - * the License at http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS - * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - * implied. See the License for the specific language governing - * rights and limitations under the License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is Netscape - * Communications Corporation. Portions created by Netscape are - * Copyright (C) 1994-2000 Netscape Communications Corporation. All - * Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the - * terms of the GNU General Public License Version 2 or later (the - * "GPL"), in which case the provisions of the GPL are applicable - * instead of those above. If you wish to allow use of your - * version of this file only under the terms of the GPL and not to - * allow others to use your version of this file under the MPL, - * indicate your decision by deleting the provisions above and - * replace them with the notice and other provisions required by - * the GPL. If you do not delete the provisions above, a recipient - * may use your version of this file under either the MPL or the - * GPL. - */ - -#ifdef SSLTELNET -#include <termios.h> -#endif - -/* Portable layer header files */ -#include "prinit.h" -#include "prprf.h" -#include "prsystem.h" -#include "prmem.h" -#include "plstr.h" -#include "prnetdb.h" -#include "prinrval.h" - -#include "secutil.h" - -/* Security library files */ -#include "cert.h" -#include "cdbhdl.h" -#include "ssl.h" -#include "sslproto.h" - -/* define this if you want telnet capability! */ - -/* #define SSLTELNET 1 */ - -PRInt32 debug; - -#ifdef DEBUG_stevep -#define dbmsg(x) if (verbose) PR_fprintf(PR_STDOUT,x); -#else -#define dbmsg(x) ; -#endif - - -/* Set SSL Policy to Domestic (strong=1) or Export (strong=0) */ - -#define ALLOW(x) SSL_SetPolicy(x,SSL_ALLOWED); SSL_EnableCipher(x,1); -#define DISALLOW(x) SSL_SetPolicy(x,SSL_NOT_ALLOWED); SSL_EnableCipher(x,0); -#define MAYBEALLOW(x) SSL_SetPolicy(x,SSL_RESTRICTED); SSL_EnableCipher(x,1); - -struct CipherPolicy { - char number; - long id; - char *name; - PRInt32 pref; - PRInt32 domestic; - PRInt32 export; -}; - -struct CipherPolicy ciphers[] = { - { 'a',SSL_EN_RC4_128_WITH_MD5, "SSL_EN_RC4_128_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'b',SSL_EN_RC2_128_CBC_WITH_MD5, "SSL_EN_RC2_128_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'c',SSL_EN_DES_192_EDE3_CBC_WITH_MD5, "SSL_EN_DES_192_EDE3_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'd',SSL_EN_DES_64_CBC_WITH_MD5, "SSL_EN_DES_64_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'e',SSL_EN_RC4_128_EXPORT40_WITH_MD5, "SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, - { 'f',SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, -#ifdef FORTEZZA - { 'g',SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",1,SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'h',SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, "SSL_FORTEZZA_DMS_WITH_RC4_128_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, -#endif - { 'i',SSL_RSA_WITH_RC4_128_MD5, "SSL_RSA_WITH_RC4_128_MD5 (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, - { 'j',SSL_RSA_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, - { 'k',SSL_RSA_WITH_DES_CBC_SHA, "SSL_RSA_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'l',SSL_RSA_EXPORT_WITH_RC4_40_MD5, "SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, - { 'm',SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, -#ifdef FORTEZZA - { 'n',SSL_FORTEZZA_DMS_WITH_NULL_SHA, "SSL_FORTEZZA_DMS_WITH_NULL_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, -#endif - { 'o',SSL_RSA_WITH_NULL_MD5, "SSL_RSA_WITH_NULL_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, - { 'p',SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'q',SSL_RSA_FIPS_WITH_DES_CBC_SHA, "SSL_RSA_FIPS_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED } - -}; - -void PrintErrString(char *progName,char *msg) { - - PRErrorCode e = PORT_GetError(); - char *s=NULL; - - - if ((e >= PR_NSPR_ERROR_BASE) && (e < PR_MAX_ERROR)) { - - if (e == PR_DIRECTORY_LOOKUP_ERROR) - s = PL_strdup("Hostname Lookup Failed"); - else if (e == PR_NETWORK_UNREACHABLE_ERROR) - s = PL_strdup("Network Unreachable"); - else if (e == PR_CONNECT_TIMEOUT_ERROR) - s = PL_strdup("Connection Timed Out"); - else s = PR_smprintf("%d",e); - - if (!s) return; - } - else { - s = PL_strdup(SECU_ErrorString(e)); - } - - PR_fprintf(PR_STDOUT,"%s: ",progName); - if (s) { - if (strlen(s) > 0) - PR_fprintf(PR_STDOUT, "%s\n", s); - else - PR_fprintf(PR_STDOUT, "\n"); - - PR_Free(s); - } - -} - -void PrintCiphers(int onlyenabled) { - int ciphercount,i; - - if (onlyenabled) { - PR_fprintf(PR_STDOUT,"Your Cipher preference:\n"); - } - - ciphercount = sizeof(ciphers)/sizeof(struct CipherPolicy); - PR_fprintf(PR_STDOUT, - " %s %-45s %-12s %-12s\n","id","CipherName","Domestic","Export"); - - for (i=0;i<ciphercount;i++) { - if ( (onlyenabled ==0) || ((onlyenabled==1)&&(ciphers[i].pref))) { - PR_fprintf(PR_STDOUT, - " %c %-45s %-12s %-12s\n",ciphers[i].number,ciphers[i].name, - (ciphers[i].domestic==SSL_ALLOWED)?"Yes": - ( (ciphers[i].domestic==SSL_NOT_ALLOWED)?"No":"Step-up only"), - (ciphers[i].export==SSL_ALLOWED)?"Yes": - ( (ciphers[i].export==SSL_NOT_ALLOWED)?"No":"Step-up only")); - } - } -} - - -void SetPolicy(char *c,int policy) { /* policy==1 : domestic, policy==0, export */ - int i,j,cpolicy; - /* first, enable all relevant ciphers according to policy */ - for (j=0;j<(sizeof(ciphers)/sizeof(struct CipherPolicy));j++) { - SSL_SetPolicy(ciphers[j].id,policy?ciphers[j].domestic:ciphers[j].export); - SSL_EnableCipher(ciphers[j].id,0); - ciphers[j].pref =0; - } - - - for (i=0;i<PL_strlen(c);i++) { - for (j=0;j<(sizeof(ciphers)/sizeof(struct CipherPolicy));j++) { - if (ciphers[j].number == c[i]) { - cpolicy = policy?ciphers[j].domestic:ciphers[j].export; - if (cpolicy == SSL_NOT_ALLOWED) { - PR_fprintf(PR_STDOUT, "You're trying to enable a cipher (%c:%s) outside of your policy. ignored\n", - c[i],ciphers[j].name); - } - else { - ciphers[j].pref=1; - SSL_EnableCipher(ciphers[j].id,1); - } - } - } - } -} - - -int MyAuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checksig, PRBool isserver) { - return SECSuccess; -} - - -void Usage() { -#ifdef SSLTELNET - PR_fprintf(PR_STDOUT,"SSLTelnet "); -#else - PR_fprintf(PR_STDOUT,"SSLStrength (No telnet functionality) "); -#endif - PR_fprintf(PR_STDOUT,"Version 1.5\n"); - - PR_fprintf(PR_STDOUT,"Usage:\n sslstrength hostname[:port] [ciphers=xyz] [certdir=x] [debug] [verbose] " -#ifdef SSLTELNET -"[telnet]|[servertype]|[querystring=<string>] " -#endif -"[policy=export|domestic]\n sslstrength ciphers\n"); -} - - -PRInt32 debug = 0; -PRInt32 verbose = 0; - -PRInt32 main(PRInt32 argc,char **argv, char **envp) -{ - - - /* defaults for command line arguments */ - char *hostnamearg=NULL; - char *portnumarg=NULL; - char *sslversionarg=NULL; - char *keylenarg=NULL; - char *certdir=NULL; - char *hostname; - char *nickname=NULL; - char *progname=NULL; - /* struct sockaddr_in addr; */ - PRNetAddr addr; - - int ss_on; - char *ss_cipher; - int ss_keysize; - int ss_secretsize; - char *ss_issuer; - char *ss_subject; - int policy=1; - char *set_ssl_policy=NULL; - int print_ciphers=0; - - char buf[10]; - char netdbbuf[PR_NETDB_BUF_SIZE]; - PRHostEnt hp; - PRStatus r; - PRNetAddr na; - SECStatus rv; - int portnum=443; /* default https: port */ - PRFileDesc *s,*fd; - - CERTCertDBHandle *handle; - CERTCertificate *c; - PRInt32 i; -#ifdef SSLTELNET - struct termios tmp_tc; - char cb; - int prev_lflag,prev_oflag,prev_iflag; - int t_fin,t_fout; - int servertype=0, telnet=0; - char *querystring=NULL; -#endif - - debug = 0; - - progname = (char *)PL_strrchr(argv[0], '/'); - progname = progname ? progname+1 : argv[0]; - - /* Read in command line args */ - if (argc == 1) { - Usage(); - return(0); - } - - if (! PL_strcmp("ciphers",argv[1])) { - PrintCiphers(0); - exit(0); - } - - hostname = argv[1]; - - if (!PL_strcmp(hostname , "usage") || !PL_strcmp(hostname, "-help") ) { - Usage(); - exit(0); - } - - if ((portnumarg = PL_strchr(hostname,':'))) { - *portnumarg = 0; - portnumarg = &portnumarg[1]; - } - - if (portnumarg) { - if (PL_strlen(portnumarg) == 0) { - PR_fprintf(PR_STDOUT,"malformed port number supplied\n"); - return(1); - } - portnum = atoi(portnumarg); - } - - for (i = 2 ; i < argc; i++) - { - if (!PL_strncmp(argv[i] , "sslversion=",11) ) - sslversionarg=&(argv[i][11]); - else if (!PL_strncmp(argv[i], "certdir=",8) ) - certdir = &(argv[i][8]); - else if (!PL_strncmp(argv[i], "ciphers=",8) ) - { - set_ssl_policy=&(argv[i][8]); - } - else if (!PL_strncmp(argv[i], "policy=",7) ) { - if (!PL_strcmp(&(argv[i][7]),"domestic")) policy=1; - else if (!PL_strcmp(&(argv[i][7]),"export")) policy=0; - else { - PR_fprintf(PR_STDOUT,"sslstrength: invalid argument. policy must be one of (domestic,export)\n"); - } - } - else if (!PL_strcmp(argv[i] , "debug") ) - debug = 1; -#ifdef SSLTELNET - else if (!PL_strcmp(argv[i] , "telnet") ) - telnet = 1; - else if (!PL_strcmp(argv[i] , "servertype") ) - servertype = 1; - else if (!PL_strncmp(argv[i] , "querystring=",11) ) - querystring = &argv[i][12]; -#endif - else if (!PL_strcmp(argv[i] , "verbose") ) - verbose = 1; - } - -#ifdef SSLTELNET - if (telnet && (servertype || querystring)) { - PR_fprintf(PR_STDOUT,"You can't use telnet and (server or querystring) options at the same time\n"); - exit(1); - } -#endif - - PR_fprintf(PR_STDOUT,"Using %s policy\n",policy?"domestic":"export"); - - /* use current directory for certificate database if not set */ - - if (! certdir) { - certdir = PR_smprintf("."); - } - - SECU_ConfigDirectory(certdir); - - - /* allow you to set env var SSLDIR to set the cert directory */ - if (! certdir) certdir = SECU_DefaultSSLDir(); - if (certdir) SECU_ConfigDirectory(certdir); - - /* PR_Init(progname, 1, 1, 0); */ - SECU_PKCS11Init(PR_FALSE /*readOnly==PR_FALSE*/); - - /* Lookup host */ - r = PR_GetHostByName(hostname,netdbbuf,PR_NETDB_BUF_SIZE,&hp); - - if (r) { - PrintErrString(progname,"Host Name lookup failed"); - return(1); - } - - /* should the third field really be 0? */ - - PR_EnumerateHostEnt(0,&hp,0,&na); - PR_InitializeNetAddr(PR_IpAddrNull,portnum,&na); - - PR_fprintf(PR_STDOUT,"Connecting to %s:%d\n",hostname, portnum); - - /* Create socket */ - - fd = PR_NewTCPSocket(); - if (fd == NULL) { - PrintErrString(progname, "error creating socket"); - return -1; - } - - s = SSL_ImportFD(NULL,fd); - if (s == NULL) { - PrintErrString(progname, "error creating socket"); - return -1; - } - - /* Initialize all the libsec goodies */ - SEC_Init(); - - dbmsg("10: About to enable security\n"); - - rv = SSL_Enable(s, SSL_SECURITY, 1); - if (rv < 0) { - PrintErrString(progname, "error enabling socket"); - return -1; - } - - if (set_ssl_policy) { - SetPolicy(set_ssl_policy,policy); - } - else { - PR_fprintf(PR_STDOUT,"Using all ciphersuites usually found in client\n"); - if (policy) { - SetPolicy("abcdefghijklmnopqrst",policy); - } - else { - SetPolicy("efghijlmo",policy); - } - } - - PrintCiphers(1); - - rv = SSL_Enable(s, SSL_HANDSHAKE_AS_CLIENT, 1); - if (rv < 0) { - PrintErrString(progname, "error enabling client handshake"); - return -1; - } - - handle = (CERTCertDBHandle *)PORT_ZAlloc(sizeof(CERTCertDBHandle)); - if (!handle) { - PrintErrString(progname, "could not allocate database handle"); - return -1; - } - - dbmsg("20: About to open certificate database\n"); - - - /* Open up the certificate database */ - rv = CERT_OpenCertDBFilename(handle, "cert7.db", PR_TRUE); - if ( rv ) { - PrintErrString(progname, "unable to open cert database"); - rv = CERT_OpenVolatileCertDB(handle); - } - - CERT_SetDefaultCertDB(handle); - - dbmsg("30: About to set AuthCertificateHook\n"); - - - SSL_AuthCertificateHook(s, MyAuthCertificateHook, (void *)handle); - /* SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle); */ - /* SSL_GetClientAuthDataHook(s, GetClientAuthDataHook, (void *)nickname);*/ - - - dbmsg("40: About to SSLConnect\n"); - - /* Try to connect to the server */ - /* now SSL_Connect takes new arguments. */ - - - r = PR_Connect(s, &na, PR_TicksPerSecond()*5); - if (r < 0) { - PrintErrString(progname, "unable to connect"); - return -1; - } - - rv = SSL_ForceHandshake(s); - - if (rv) { - PrintErrString(progname,"SSL Handshake failed. "); - exit(1); - } - - rv = SSL_SecurityStatus(s, &ss_on, &ss_cipher, - &ss_keysize, &ss_secretsize, - &ss_issuer, &ss_subject); - - - dbmsg("60: done with security status, about to print\n"); - - c = SSL_PeerCertificate(s); - if (!c) PR_fprintf(PR_STDOUT,"Couldn't retrieve peers Certificate\n"); - PR_fprintf(PR_STDOUT,"SSL Connection Status\n",rv); - - PR_fprintf(PR_STDOUT," Cipher: %s\n",ss_cipher); - PR_fprintf(PR_STDOUT," Key Size: %d\n",ss_keysize); - PR_fprintf(PR_STDOUT," Secret Key Size: %d\n",ss_secretsize); - PR_fprintf(PR_STDOUT," Issuer: %s\n",ss_issuer); - PR_fprintf(PR_STDOUT," Subject: %s\n",ss_subject); - - PR_fprintf(PR_STDOUT," Valid: from %s to %s\n", - c==NULL?"???":DER_UTCDayToAscii(&c->validity.notBefore), - c==NULL?"???":DER_UTCDayToAscii(&c->validity.notAfter)); - -#ifdef SSLTELNET - - - - - if (servertype || querystring) { - char buffer[1024]; - char ch; - char qs[] = "HEAD / HTTP/1.0"; - - - - - if (!querystring) querystring = qs; - PR_fprintf(PR_STDOUT,"\nServer query mode\n>>Sending:\n%s\n",querystring); - - PR_fprintf(PR_STDOUT,"\n*** Server said:\n"); - ch = querystring[PL_strlen(querystring)-1]; - if (ch == '"' || ch == '\'') { - PR_fprintf(PR_STDOUT,"Warning: I'm not smart enough to cope with quotes mid-string like that\n"); - } - - rv = PR_Write(s,querystring,PL_strlen(querystring)); - if ((rv < 1) ) { - PR_fprintf(PR_STDOUT,"Oh dear - couldn't send servertype query\n"); - goto closedown; - } - - rv = PR_Write(s,"\r\n\r\n",4); - rv = PR_Read(s,buffer,1024); - if ((rv < 1) ) { - PR_fprintf(PR_STDOUT,"Oh dear - couldn't read server repsonse\n"); - goto closedown; - } - PR_Write(PR_STDOUT,buffer,rv); - } - - - if (telnet) { - - PR_fprintf(PR_STDOUT,"---------------------------\n" - "telnet mode. CTRL-C to exit\n" - "---------------------------\n"); - - - - /* fudge terminal attributes */ - t_fin = PR_FileDesc2NativeHandle(PR_STDIN); - t_fout = PR_FileDesc2NativeHandle(PR_STDOUT); - - tcgetattr(t_fin,&tmp_tc); - prev_lflag = tmp_tc.c_lflag; - prev_oflag = tmp_tc.c_oflag; - prev_iflag = tmp_tc.c_iflag; - tmp_tc.c_lflag &= ~ECHO; - /* tmp_tc.c_oflag &= ~ONLCR; */ - tmp_tc.c_lflag &= ~ICANON; - tmp_tc.c_iflag &= ~ICRNL; - tmp_tc.c_cflag |= CS8; - tmp_tc.c_cc[VMIN] = 1; - tmp_tc.c_cc[VTIME] = 0; - - tcsetattr(t_fin, TCSANOW, &tmp_tc); - /* ioctl(tin, FIONBIO, (char *)&onoff); - ioctl(tout, FIONBIO, (char *)&onoff);*/ - - - { - PRPollDesc pds[2]; - char buffer[1024]; - int amt,amtwritten; - char *x; - - /* STDIN */ - pds[0].fd = PR_STDIN; - pds[0].in_flags = PR_POLL_READ; - pds[1].fd = s; - pds[1].in_flags = PR_POLL_READ | PR_POLL_EXCEPT; - - while (1) { - int nfds; - - nfds = PR_Poll(pds,2,PR_SecondsToInterval(2)); - if (nfds == 0) continue; - - /** read input from keyboard*/ - /* note: this is very inefficient if reading from a file */ - - if (pds[0].out_flags & PR_POLL_READ) { - amt = PR_Read(PR_STDIN,&buffer,1); - /* PR_fprintf(PR_STDOUT,"fd[0]:%d=%d\r\n",amt,buffer[0]); */ - if (amt == 0) { - PR_fprintf(PR_STDOUT,"\n"); - goto loser; - } - - if (buffer[0] == '\r') { - buffer[0] = '\r'; - buffer[1] = '\n'; - amt = 2; - } - rv = PR_Write(PR_STDOUT,buffer,amt); - - - rv = PR_Write(s,buffer,amt); - if (rv == -1) { - PR_fprintf(PR_STDOUT,"Error writing to socket: %d\n",PR_GetError()); - } - } - - /***/ - - - /***/ - if (pds[1].out_flags & PR_POLL_EXCEPT) { - PR_fprintf(PR_STDOUT,"\r\nServer closed connection\r\n"); - goto loser; - } - if (pds[1].out_flags & PR_POLL_READ) { - amt = PR_Read(s,&buffer,1024); - - if (amt == 0) { - PR_fprintf(PR_STDOUT,"\r\nServer closed connection\r\n"); - goto loser; - } - rv = PR_Write(PR_STDOUT,buffer,amt); - } - /***/ - - } - } - loser: - - /* set terminal back to normal */ - tcgetattr(t_fin,&tmp_tc); - - tmp_tc.c_lflag = prev_lflag; - tmp_tc.c_oflag = prev_oflag; - tmp_tc.c_iflag = prev_iflag; - tcsetattr(t_fin, TCSANOW, &tmp_tc); - - /* ioctl(tin, FIONBIO, (char *)&onoff); - ioctl(tout, FIONBIO, (char *)&onoff); */ - } - -#endif - /* SSLTELNET */ - - closedown: - - PR_Close(s); - - return(0); - -} /* main */ - -/*EOF*/ - |