Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(231)

Unified Diff: cmd/selfserv/selfserv.c

Issue 290970043: Bug 1252849 - Remove export-grade cipher suites
Patch Set: Initialize keyData[] and random[] to zero Created 8 years ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « cmd/listsuites/listsuites.c ('k') | cmd/strsclnt/strsclnt.c » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: cmd/selfserv/selfserv.c
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index ca6d0eb10b15acbd5ecbe8f936dd4efc77b4f35a..4954294ab5e3eba639ae948b601503d50dba6660 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -100,14 +100,14 @@ const int ssl3CipherSuites[] = {
TLS_RSA_WITH_RC4_128_MD5, /* c */
TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* d */
TLS_RSA_WITH_DES_CBC_SHA, /* e */
- TLS_RSA_EXPORT_WITH_RC4_40_MD5, /* f */
- TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */
+ -1, /* TLS_RSA_EXPORT_WITH_RC4_40_MD5, * f */
+ -1, /* TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5, * g */
-1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */
TLS_RSA_WITH_NULL_MD5, /* i */
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */
SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */
+ -1, /* TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, * l */
+ -1, /* TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, * m */
TLS_RSA_WITH_RC4_128_SHA, /* n */
TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */
@@ -173,7 +173,6 @@ PrintParameterUsage()
"-B bypasses the PKCS11 layer for SSL encryption and MACing\n"
"-q checks for bypassability\n"
"-D means disable Nagle delays in TCP\n"
-"-E means disable export ciphersuites and SSL step down key gen\n"
"-R means disable detection of rollback from TLS to SSL3\n"
"-a configure server for SNI.\n"
"-k expected name negotiated on server sockets\n"
@@ -187,7 +186,6 @@ PrintParameterUsage()
"-s means disable SSL socket locking for performance\n"
"-u means enable Session Ticket extension for TLS.\n"
"-v means verbose output\n"
-"-x means use export policy.\n"
"-z means enable compression.\n"
"-L seconds means log statistics every 'seconds' seconds (default=30).\n"
"-M maxProcs tells how many processes to run in a multi-process server\n"
@@ -304,48 +302,6 @@ disableAllSSLCiphers(void)
}
}
-/* disable all the export SSL cipher suites */
-SECStatus
-disableExportSSLCiphers(void)
-{
- const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
- int i = SSL_NumImplementedCiphers;
- SECStatus rv = SECSuccess;
- SSLCipherSuiteInfo info;
-
- while (--i >= 0) {
- PRUint16 suite = cipherSuites[i];
- SECStatus status;
- status = SSL_GetCipherSuiteInfo(suite, &info, sizeof info);
- if (status != SECSuccess) {
- printf("SSL_GetCipherSuiteInfo rejected suite 0x%04x (i = %d)\n",
- suite, i);
- errWarn("SSL_GetCipherSuiteInfo");
- rv = SECFailure;
- continue;
- }
- if (info.cipherSuite != suite) {
- printf(
-"SSL_GetCipherSuiteInfo returned wrong suite! Wanted 0x%04x, Got 0x%04x\n",
- suite, i);
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- rv = SECFailure;
- continue;
- }
- /* should check here that info.length >= offsetof isExportable */
- if (info.isExportable) {
- status = SSL_CipherPolicySet(suite, SSL_NOT_ALLOWED);
- if (status != SECSuccess) {
- printf("SSL_CipherPolicySet rejected suite 0x%04x (i = %d)\n",
- suite, i);
- errWarn("SSL_CipherPolicySet");
- rv = SECFailure;
- }
- }
- }
- return rv;
-}
-
static SECStatus
mySSLAuthCertificate(void *arg, PRFileDesc *fd, PRBool checkSig,
PRBool isServer)
@@ -814,7 +770,6 @@ static SSLVersionRange enabledVersions;
PRBool disableRollBack = PR_FALSE;
PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
-PRBool disableStepDown = PR_FALSE;
PRBool bypassPKCS11 = PR_FALSE;
PRBool disableLocking = PR_FALSE;
PRBool testbypass = PR_FALSE;
@@ -1861,12 +1816,6 @@ server_main(
if (rv != SECSuccess) {
errExit("error enabling RollBack detection ");
}
- if (disableStepDown) {
- rv = SSL_OptionSet(model_sock, SSL_NO_STEP_DOWN, PR_TRUE);
- if (rv != SECSuccess) {
- errExit("error disabling SSL StepDown ");
- }
- }
if (bypassPKCS11) {
rv = SSL_OptionSet(model_sock, SSL_BYPASS_PKCS11, PR_TRUE);
if (rv != SECSuccess) {
@@ -2178,7 +2127,6 @@ main(int argc, char **argv)
SECStatus rv;
PRStatus prStatus;
PRBool bindOnly = PR_FALSE;
- PRBool useExportPolicy = PR_FALSE;
PRBool useLocalThreads = PR_FALSE;
PLOptState *optstate;
PLOptStatus status;
@@ -2205,7 +2153,7 @@ main(int argc, char **argv)
** numbers, then capital letters, then lower case, alphabetical.
*/
optstate = PL_CreateOptState(argc, argv,
- "2:A:BC:DEGH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:xyz");
+ "2:A:BC:DGH:L:M:NP:RS:T:U:V:W:Ya:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:yz");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch(optstate->option) {
@@ -2218,7 +2166,6 @@ main(int argc, char **argv)
case 'C': if (optstate->value) NumSidCacheEntries = PORT_Atoi(optstate->value); break;
case 'D': noDelay = PR_TRUE; break;
- case 'E': disableStepDown = PR_TRUE; break;
case 'H': configureDHE = (PORT_Atoi(optstate->value) != 0); break;
case 'G': enableExtendedMasterSecret = PR_TRUE; break;
@@ -2340,8 +2287,6 @@ main(int argc, char **argv)
pwdata.data = passwd = PORT_Strdup(optstate->value);
break;
- case 'x': useExportPolicy = PR_TRUE; break;
-
case 'y': debugCache = PR_TRUE; break;
case 'z': enableCompression = PR_TRUE; break;
@@ -2501,24 +2446,6 @@ main(int argc, char **argv)
exit(8);
}
- /* set the policy bits true for all the cipher suites. */
- if (useExportPolicy) {
- NSS_SetExportPolicy();
- if (disableStepDown) {
- fputs("selfserv: -x and -E options may not be used together\n",
- stderr);
- exit(98);
- }
- } else {
- NSS_SetDomesticPolicy();
- if (disableStepDown) {
- rv = disableExportSSLCiphers();
- if (rv != SECSuccess) {
- errExit("error disabling export ciphersuites ");
- }
- }
- }
-
/* all SSL3 cipher suites are enabled by default. */
if (cipherString) {
char *cstringSaved = cipherString;
« no previous file with comments | « cmd/listsuites/listsuites.c ('k') | cmd/strsclnt/strsclnt.c » ('j') | no next file with comments »

Powered by Google App Engine
RSS Feeds Recent Issues | This issue
This is Rietveld f62528b