1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 5 #ifndef __secplcy_h__ 6 #define __secplcy_h__ 7 8 #include "utilrename.h" 9 10 #include "prtypes.h" 11 12 /* 13 ** Cipher policy enforcement. This code isn't very pretty, but it accomplishes 14 ** the purpose of obscuring policy information from potential fortifiers. :-) 15 ** 16 ** The following routines are generic and intended for anywhere where cipher 17 ** policy enforcement is to be done, e.g. SSL and PKCS7&12. 18 */ 19 20 #define SEC_CIPHER_NOT_ALLOWED 0 21 #define SEC_CIPHER_ALLOWED 1 22 #define SEC_CIPHER_RESTRICTED 2 /* cipher is allowed in limited cases \ 23 e.g. step-up */ 24 25 /* The length of the header string for each cipher table. 26 (It's the same regardless of whether we're using md5 strings or not.) */ 27 #define SEC_POLICY_HEADER_LENGTH 48 28 29 /* If we're testing policy stuff, we may want to use the plaintext version */ 30 #define SEC_POLICY_USE_MD5_STRINGS 1 31 32 #define SEC_POLICY_THIS_IS_THE \ 33 "\x2a\x3a\x51\xbf\x2f\x71\xb7\x73\xaa\xca\x6b\x57\x70\xcd\xc8\x9f" 34 #define SEC_POLICY_STRING_FOR_THE \ 35 "\x97\x15\xe2\x70\xd2\x8a\xde\xa9\xe7\xa7\x6a\xe2\x83\xe5\xb1\xf6" 36 #define SEC_POLICY_SSL_TAIL \ 37 "\x70\x16\x25\xc0\x2a\xb2\x4a\xca\xb6\x67\xb1\x89\x20\xdf\x87\xca" 38 #define SEC_POLICY_SMIME_TAIL \ 39 "\xdf\xd4\xe7\x2a\xeb\xc4\x1b\xb5\xd8\xe5\xe0\x2a\x16\x9f\xc4\xb9" 40 #define SEC_POLICY_PKCS12_TAIL \ 41 "\x1c\xf8\xa4\x85\x4a\xc6\x8a\xfe\xe6\xca\x03\x72\x50\x1c\xe2\xc8" 42 43 #if defined(SEC_POLICY_USE_MD5_STRINGS) 44 45 /* We're not testing. 46 Use md5 checksums of the strings. */ 47 48 #define SEC_POLICY_SSL_HEADER \ 49 SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SSL_TAIL 50 51 #define SEC_POLICY_SMIME_HEADER \ 52 SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_SMIME_TAIL 53 54 #define SEC_POLICY_PKCS12_HEADER \ 55 SEC_POLICY_THIS_IS_THE SEC_POLICY_STRING_FOR_THE SEC_POLICY_PKCS12_TAIL 56 57 #else 58 59 /* We're testing. 60 Use plaintext versions of the strings, for testing purposes. */ 61 #define SEC_POLICY_SSL_HEADER \ 62 "This is the string for the SSL policy table. " 63 #define SEC_POLICY_SMIME_HEADER \ 64 "This is the string for the PKCS7 policy table. " 65 #define SEC_POLICY_PKCS12_HEADER \ 66 "This is the string for the PKCS12 policy table. " 67 68 #endif 69 70 /* Local cipher tables have to have these members at the top. */ 71 typedef struct _sec_cp_struct { 72 char policy_string[SEC_POLICY_HEADER_LENGTH]; 73 long unused; /* placeholder for max keybits in pkcs12 struct */ 74 char num_ciphers; 75 char begin_ciphers; 76 /* cipher policy settings follow. each is a char. */ 77 } secCPStruct; 78 79 struct SECCipherFindStr { 80 /* (policy) and (ciphers) are opaque to the outside world */ 81 void *policy; 82 void *ciphers; 83 long index; 84 PRBool onlyAllowed; 85 }; 86 87 typedef struct SECCipherFindStr SECCipherFind; 88 89 SEC_BEGIN_PROTOS 90 91 SECCipherFind *sec_CipherFindInit(PRBool onlyAllowed, 92 secCPStruct *policy, 93 long *ciphers); 94 95 long sec_CipherFindNext(SECCipherFind *find); 96 97 char sec_IsCipherAllowed(long cipher, secCPStruct *policies, 98 long *ciphers); 99 100 void sec_CipherFindEnd(SECCipherFind *find); 101 102 SEC_END_PROTOS 103 104 #endif /* __SECPLCY_H__ */ 105