1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
/*
* The contents of this file are subject to the Mozilla Public
* License Version 1.1 (the "License"); you may not use this file
* except in compliance with the License. You may obtain a copy of
* the License at http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS
* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
* implied. See the License for the specific language governing
* rights and limitations under the License.
*
* The Original Code is the Netscape security libraries.
*
* The Initial Developer of the Original Code is Netscape
* Communications Corporation. Portions created by Netscape are
* Copyright (C) 1994-2000 Netscape Communications Corporation. All
* Rights Reserved.
*
* Contributor(s):
*
* Alternatively, the contents of this file may be used under the
* terms of the GNU General Public License Version 2 or later (the
* "GPL"), in which case the provisions of the GPL are applicable
* instead of those above. If you wish to allow use of your
* version of this file only under the terms of the GPL and not to
* allow others to use your version of this file under the MPL,
* indicate your decision by deleting the provisions above and
* replace them with the notice and other provisions required by
* the GPL. If you do not delete the provisions above, a recipient
* may use your version of this file under either the MPL or the
* GPL.
*/
#ifndef __secplcy_h__
#define __secplcy_h__
#include "prtypes.h"
/*
** Cipher policy enforcement. This code isn't very pretty, but it accomplishes
** the purpose of obscuring policy information from potential fortifiers. :-)
**
** The following routines are generic and intended for anywhere where cipher
** policy enforcement is to be done, e.g. SSL and PKCS7&12.
*/
#define SEC_CIPHER_NOT_ALLOWED 0
#define SEC_CIPHER_ALLOWED 1
#define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases
e.g. step-up */
/* The length of the header string for each cipher table.
(It's the same regardless of whether we're using md5 strings or not.) */
#define SEC_POLICY_HEADER_LENGTH 48
/* If we're testing policy stuff, we may want to use the plaintext version */
#define SEC_POLICY_USE_MD5_STRINGS 1
#define SEC_POLICY_THIS_IS_THE \
"\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f"
#define SEC_POLICY_STRING_FOR_THE \
"\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6"
#define SEC_POLICY_SSL_TAIL \
"\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca"
#define SEC_POLICY_SMIME_TAIL \
"\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9"
#define SEC_POLICY_PKCS12_TAIL \
"\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8"
#if defined(SEC_POLICY_USE_MD5_STRINGS)
/* We're not testing.
Use md5 checksums of the strings. */
#define SEC_POLICY_SSL_HEADER \
SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL
#define SEC_POLICY_SMIME_HEADER \
SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL
#define SEC_POLICY_PKCS12_HEADER \
SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL
#else
/* We're testing.
Use plaintext versions of the strings, for testing purposes. */
#define SEC_POLICY_SSL_HEADER \
"This is the string for the SSL policy table. "
#define SEC_POLICY_SMIME_HEADER \
"This is the string for the PKCS7 policy table. "
#define SEC_POLICY_PKCS12_HEADER \
"This is the string for the PKCS12 policy table. "
#endif
/* Local cipher tables have to have these members at the top. */
typedef struct _sec_cp_struct
{
char policy_string[SEC_POLICY_HEADER_LENGTH];
long unused; /* placeholder for max keybits in pkcs12 struct */
char num_ciphers;
char begin_ciphers;
/* cipher policy settings follow. each is a char. */
} secCPStruct;
struct SECCipherFindStr
{
/* (policy) and (ciphers) are opaque to the outside world */
void *policy;
void *ciphers;
long index;
PRBool onlyAllowed;
};
typedef struct SECCipherFindStr SECCipherFind;
SEC_BEGIN_PROTOS
SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed,
secCPStruct *policy,
long *ciphers);
long sec_CipherFindNext(SECCipherFind *find);
char sec_IsCipherAllowed(long cipher, secCPStruct *policies,
long *ciphers);
void sec_CipherFindEnd(SECCipherFind *find);
SEC_END_PROTOS
#endif /* __SECPLCY_H__ */
|
