Back to index

lightning-sunbird  0.9+nobinonly
sslc.c
Go to the documentation of this file.
00001 /* ***** BEGIN LICENSE BLOCK *****
00002  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
00003  *
00004  * The contents of this file are subject to the Mozilla Public License Version
00005  * 1.1 (the "License"); you may not use this file except in compliance with
00006  * the License. You may obtain a copy of the License at
00007  * http://www.mozilla.org/MPL/
00008  *
00009  * Software distributed under the License is distributed on an "AS IS" basis,
00010  * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
00011  * for the specific language governing rights and limitations under the
00012  * License.
00013  *
00014  * The Original Code is the Netscape security libraries.
00015  *
00016  * The Initial Developer of the Original Code is
00017  * Netscape Communications Corporation.
00018  * Portions created by the Initial Developer are Copyright (C) 1994-2000
00019  * the Initial Developer. All Rights Reserved.
00020  *
00021  * Contributor(s):
00022  *
00023  * Alternatively, the contents of this file may be used under the terms of
00024  * either the GNU General Public License Version 2 or later (the "GPL"), or
00025  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
00026  * in which case the provisions of the GPL or the LGPL are applicable instead
00027  * of those above. If you wish to allow use of your version of this file only
00028  * under the terms of either the GPL or the LGPL, and not to allow others to
00029  * use your version of this file under the terms of the MPL, indicate your
00030  * decision by deleting the provisions above and replace them with the notice
00031  * and other provisions required by the GPL or the LGPL. If you do not delete
00032  * the provisions above, a recipient may use your version of this file under
00033  * the terms of any one of the MPL, the GPL or the LGPL.
00034  *
00035  * ***** END LICENSE BLOCK ***** */
00036 
00037 /* include replacer-generated variables file */
00038 
00039 
00040 #include "ssl.h"
00041 #include "sslproto.h"
00042 
00043 #include "sslt.h"
00044 #include "sslc.h"
00045 #include "ssls.h"
00046 
00047 #include "pk11func.h"
00048 
00049 #define MAX_CIPHERS 100
00050 
00051 struct cipherspec cipher_array[MAX_CIPHERS];
00052 int cipher_array_size=0;
00053 char *password = "";
00054 char *nickname = "SSLServer";
00055 char *client_nick = "SSLClient";
00056 
00057 void InitCiphers() {
00058   int i=0;
00059 
00060 /* These ciphers are listed in priority order. */
00061   DIPHER(2,SSL_ALLOWED,128,40,     "RC2-CBC-Export", EN_RC2_128_CBC_EXPORT40_WITH_MD5)
00062     CIPHER(2,SSL_NOT_ALLOWED,128,128,"RC4",            EN_RC4_128_WITH_MD5)
00063     CIPHER(2,SSL_ALLOWED,128,40,     "RC4-Export",     EN_RC4_128_EXPORT40_WITH_MD5)
00064     DIPHER(2,SSL_NOT_ALLOWED,128,128,"RC2-CBC",        EN_RC2_128_CBC_WITH_MD5)
00065     DIPHER(2,SSL_ALLOWED,128,40,     "RC2-CBC-40", EN_RC2_128_CBC_EXPORT40_WITH_MD5)
00066     DIPHER(2,SSL_NOT_ALLOWED,128,128,"IDEA-CBC",       EN_IDEA_128_CBC_WITH_MD5)
00067     DIPHER(2,SSL_NOT_ALLOWED,56,56,  "DES-CBC",        EN_DES_64_CBC_WITH_MD5)
00068     CIPHER(2,SSL_NOT_ALLOWED,168,168,"DES-EDE3-CBC",   EN_DES_192_EDE3_CBC_WITH_MD5)
00069   /* SSL 3 suites */
00070 
00071     CIPHER(3,SSL_RESTRICTED,128,128, "RC4",            RSA_WITH_RC4_128_MD5)
00072     DIPHER(3,SSL_RESTRICTED,128,128, "RC4",            RSA_WITH_RC4_128_SHA)
00073     CIPHER(3,SSL_RESTRICTED,168,168, "3DES-EDE-CBC",   RSA_WITH_3DES_EDE_CBC_SHA)
00074     CIPHER(3,SSL_NOT_ALLOWED,56,56,"DES-CBC",        RSA_WITH_DES_CBC_SHA)
00075     CIPHER(3,SSL_ALLOWED,128,40,     "RC4-40",         RSA_EXPORT_WITH_RC4_40_MD5)
00076     CIPHER(3,SSL_ALLOWED,128,40,     "RC2-CBC-40",     RSA_EXPORT_WITH_RC2_CBC_40_MD5)
00077 
00078     DIPHER(3,SSL_ALLOWED,0,0,        "NULL",           NULL_WITH_NULL_NULL)
00079     DIPHER(3,SSL_ALLOWED,0,0,        "NULL",           RSA_WITH_NULL_MD5)
00080     DIPHER(3,SSL_ALLOWED,0,0,        "NULL",           RSA_WITH_NULL_SHA)
00081 
00082 #if 0
00083     DIPHER(3,SSL_NOT_ALLOWED,0,0,    "IDEA-CBC",       RSA_WITH_IDEA_CBC_SHA)
00084     DIPHER(3,SSL_ALLOWED,128,40,     "DES-CBC-40",     RSA_EXPORT_WITH_DES40_CBC_SHA)
00085 #endif
00086 
00087   /*
00088     
00089   CIPHER(DH_DSS_EXPORT_WITH_DES40_CBC_SHA),
00090   CIPHER(DH_DSS_WITH_DES_CBC_SHA),
00091   CIPHER(DH_DSS_WITH_3DES_EDE_CBC_SHA),
00092   CIPHER(DH_RSA_EXPORT_WITH_DES40_CBC_SHA),
00093   CIPHER(DH_RSA_WITH_DES_CBC_SHA),
00094   CIPHER(DH_RSA_WITH_3DES_EDE_CBC_SHA),
00095   CIPHER(DHE_DSS_EXPORT_WITH_DES40_CBC_SHA),
00096   CIPHER(DHE_DSS_WITH_DES_CBC_SHA),
00097   CIPHER(DHE_DSS_WITH_3DES_EDE_CBC_SHA),
00098   CIPHER(DHE_RSA_EXPORT_WITH_DES40_CBC_SHA),
00099   CIPHER(DHE_RSA_WITH_DES_CBC_SHA),
00100   CIPHER(DHE_RSA_WITH_3DES_EDE_CBC_SHA),
00101 
00102   CIPHER(DH_ANON_EXPORT_WITH_RC4_40_MD5),
00103   CIPHER(DH_ANON_WITH_RC4_128_MD5),
00104   CIPHER(DH_ANON_WITH_DES_CBC_SHA),
00105   CIPHER(DH_ANON_WITH_3DES_EDE_CBC_SHA),
00106 
00107   CIPHER(3,SSL_NOT_ALLOWED,0,0,"Fortezza",        FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),
00108   CIPHER(3,SSL_NOT_ALLOWED,0,0,"Fortezza",        FORTEZZA_DMS_WITH_RC4_128_SHA),
00109 
00110   */
00111 
00112     DIPHER(3,SSL_NOT_ALLOWED,192,192,"3DES-EDE-CBC",RSA_FIPS_WITH_3DES_EDE_CBC_SHA)
00113     DIPHER(3,SSL_NOT_ALLOWED,64,64,  "DES-CBC",       RSA_FIPS_WITH_DES_CBC_SHA)
00114     
00115     cipher_array_size =i;
00116 }
00117 
00118 
00119 
00120 /* ClearCiphers()
00121  *   Clear out all ciphers */
00122 
00123 void ClearCiphers(struct ThreadData *td) {
00124 int i;
00125 
00126 for (i=0;i<cipher_array_size;i++) {
00127 SSL_EnableCipher(cipher_array[i].enableid,0);
00128 }
00129 }
00130 
00131 
00132 /* EnableCiphers
00133  *   enable only those ciphers set for this test */
00134 
00135 void EnableCiphers(struct ThreadData *td) {
00136   int i;
00137 
00138   for (i=0;i<cipher_array_size;i++) {
00139     if (cipher_array[i].on) {
00140       SSL_EnableCipher(cipher_array[i].enableid,1);
00141     }
00142   }
00143 }
00144 
00145 /* SetPolicy */
00146 
00147 void SetPolicy() {
00148   int i;
00149 
00150   for (i=0;i<cipher_array_size;i++) {
00151     if (REP_Policy == POLICY_DOMESTIC) {
00152       SSL_SetPolicy(cipher_array[i].enableid,SSL_ALLOWED);
00153     }
00154     else {
00155       SSL_SetPolicy(cipher_array[i].enableid,cipher_array[i].exportable);
00156     }
00157   }
00158 }
00159 
00160 char *MyPWFunc(PK11SlotInfo *slot, PRBool retry, void *arg)
00161 {
00162     static PRBool called=PR_FALSE;
00163     if(called) {
00164        return NULL;
00165     } else {
00166        called = PR_TRUE;
00167        return PL_strdup(password);
00168     }
00169 }
00170 
00171 /* 
00172  * VersionEnables
00173  *  errors (40-49)
00174  */
00175 
00176 int Version2Enable(PRFileDesc *s, int v) {
00177   if (SSL_Enable(s, SSL_ENABLE_SSL2, 1) <0) return Error(43);
00178   else return 0;
00179 }
00180 
00181 int Version3Enable(PRFileDesc *s) {
00182     if (SSL_Enable(s, SSL_ENABLE_SSL3, 1) <0) return Error(42);
00183     else return 0;
00184 }
00185 
00186 int Version23Clear(PRFileDesc *s) {
00187   if (SSL_Enable(s,SSL_ENABLE_SSL2,0) <0) return Error(40);
00188   if (SSL_Enable(s,SSL_ENABLE_SSL3,0) <0) return Error(41);
00189   return 0;
00190 }
00191 
00192 
00193 
00194 char *nicknames[MAX_NICKNAME];
00195 
00196 void SetupNickNames() {
00197   nicknames[CLIENT_CERT_VERISIGN]        = "CLIENT_CERT_VERISIGN";
00198   nicknames[CLIENT_CERT_HARDCOREII_1024] = "CLIENT_CERT_HARDCOREII_1024";
00199   nicknames[CLIENT_CERT_HARDCOREII_512]  = "CLIENT_CERT_HARDCOREII_512";
00200   nicknames[CLIENT_CERT_SPARK]           = "CLIENT_CERT_SPARK";
00201   nicknames[SERVER_CERT_HARDCOREII_512]  = nickname;
00202   /* nicknames[SERVER_CERT_HARDCOREII_512]  = "SERVER_CERT_HARDCOREII_512"; */
00203   nicknames[SERVER_CERT_VERISIGN_REGULAR]= "SERVER_CERT_VERISIGN_REGULAR";
00204   nicknames[SERVER_CERT_VERISIGN_STEPUP] = "SERVER_CERT_VERISIGN_STEPUP";
00205   nicknames[SERVER_CERT_SPARK]           = "SERVER_CERT_SPARK";
00206 }
00207 
00208 
00209 
00210 
00211 
00212 
00213 
00214 /* 
00215  * SetServerSecParms
00216  * errors(10-19)
00217  */
00218 
00219 int SetServerSecParms(struct ThreadData *td) {
00220   int rv;
00221   SECKEYPrivateKey *privKey;
00222   PRFileDesc *s;
00223 
00224   s = td->r;
00225 
00226   rv = SSL_Enable(s, SSL_SECURITY, 1);     /* Enable security on this socket */
00227   if (rv < 0)  return Error(10);
00228 
00229   if (SSLT_CLIENTAUTH_INITIAL == REP_ServerDoClientAuth) {
00230     rv = SSL_Enable(s, SSL_REQUEST_CERTIFICATE, 1);
00231     if (rv < 0)  return Error(11);
00232     }
00233 
00234   ClearCiphers(td);
00235   EnableCiphers(td);
00236 
00237   PK11_SetPasswordFunc(MyPWFunc);
00238   SSL_SetPKCS11PinArg(s,(void*) MyPWFunc);
00239 
00240 
00241   /* Find the certificates we are going to use from the database */
00242 
00243 
00244   /* Test for dummy certificate, which shouldn't exist */
00245   td->cert = PK11_FindCertFromNickname("XXXXXX_CERT_HARDCOREII_1024",NULL);
00246   if (td->cert != NULL) return Error(16);
00247 
00248 
00249   td->cert = NULL;
00250   if (NO_CERT != REP_ServerCert) {
00251     td->cert = PK11_FindCertFromNickname(nicknames[REP_ServerCert],NULL);
00252   }
00253 
00254 
00255   /* Note: if we're set to use NO_CERT as the server cert, then we'll
00256    * just essentially skip the rest of this (except for session ID cache setup)
00257    */
00258 
00259   
00260   if ( (NULL == td->cert)  && ( NO_CERT != REP_ServerCert )) {
00261     PR_fprintf(PR_STDERR, "Can't find certificate %s\n", nicknames[REP_ServerCert]);
00262     PR_fprintf(PR_STDERR, "Server: Seclib error: %s\n",
00263               SECU_ErrorString ((int16) PR_GetError()));
00264     return Error(12);
00265   }
00266   
00267 
00268   if ((NO_CERT != REP_ServerCert)) {
00269     privKey = PK11_FindKeyByAnyCert(td->cert, NULL);
00270     if (privKey == NULL) {
00271       dbmsg((PR_STDERR, "Can't find key for this certificate\n"));
00272       return Error(13);
00273     }
00274     
00275     rv = SSL_ConfigSecureServer(s,td->cert,privKey, kt_rsa);
00276     if (rv != PR_SUCCESS) {
00277       dbmsg((PR_STDERR, "Can't config server error(%d) \n",rv));
00278       return Error(14);
00279     }
00280   }
00281   
00282   rv = SSL_ConfigServerSessionIDCache(10, 0, 0, ".");
00283   if (rv != 0) {    
00284     dbmsg((PR_STDERR, "Can't config server session ID cache (%d) \n",rv));
00285     return Error(15);
00286   }
00287 
00288   return 0;
00289 }
00290 
00291 
00292 
00293 
00294 
00295 
00296