diff --git a/security/nss/cmd/SSLsample/client.c b/security/nss/cmd/SSLsample/client.c
index 44ed34c3167f..a68fcb678a0c 100644
--- a/security/nss/cmd/SSLsample/client.c
+++ b/security/nss/cmd/SSLsample/client.c
@@ -134,15 +134,15 @@ retry:
 }
 /* Set configuration options. */
- secStatus = SSL_Enable(sslSocket, SSL_SECURITY, PR_TRUE);
+ secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable:SSL_SECURITY");
+ errWarn("SSL_OptionSet:SSL_SECURITY");
 goto loser;
 }
- secStatus = SSL_Enable(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
+ secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable:SSL_HANDSHAKE_AS_CLIENT");
+ errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_CLIENT");
 goto loser;
 }
@@ -417,29 +417,28 @@ main(int argc, char **argv)
 /* All cipher suites except RSA_NULL_MD5 are enabled by Domestic Policy. */
 NSS_SetDomesticPolicy();
- SSL_EnableCipher(SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED);
+ SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
 /* all the SSL2 and SSL3 cipher suites are enabled by default. */
 if (cipherString) {
- int ndx;
+ int ndx;
- /* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
+ /* disable all the ciphers, then enable the ones we want. */
+ disableAllSSLCiphers();
- while (0 != (ndx = *cipherString++)) {
- int *cptr;
- int cipher;
+ while (0 != (ndx = *cipherString++)) {
+ int *cptr;
+ int cipher;
- if (! isalpha(ndx))
- Usage(progName);
- cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
- for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
- /* do nothing */;
- if (cipher) {
- SSL_EnableCipher(cipher, SSL_ALLOWED);
- }
+ if (! isalpha(ndx))
+ Usage(progName);
+ cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+ for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
+ /* do nothing */;
+ if (cipher) {
+ SSL_CipherPrefSetDefault(cipher, PR_TRUE);
 }
+ }
 }
 client_main(port, connections, hostName);
diff --git a/security/nss/cmd/SSLsample/server.c b/security/nss/cmd/SSLsample/server.c
index 22d26144e338..0e85f8cecc11 100644
--- a/security/nss/cmd/SSLsample/server.c
+++ b/security/nss/cmd/SSLsample/server.c
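Review bot: The return value of `SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE)` is discarded, and so is the one from `SSL_CipherPrefSetDefault(cipher, PR_TRUE)` inside the `if (cipher)` branch, whereas the parallel code in server.c checks both and reports through errWarn/exitErr. A preference call that fails silently leaves the client negotiating a different suite than the one the test asked for, which a sample written for acceptance testing should surface; `if (SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE) != SECSuccess) errWarn("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");` mirrors the server's handling. The cipher-string parsing loop is now the same text in client.c, server.c, selfserv.c and strsclnt.c; since sslsample.c already hosts the shared disableAllSSLCiphers, the two SSLsample copies at least could share a helper there. main continues outside the hunk.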
@@ -223,29 +223,29 @@ setupSSLSocket(PRFileDesc *tcpSocket, int requestCert)
 goto loser;
 }
- secStatus = SSL_Enable(sslSocket, SSL_SECURITY, PR_TRUE);
+ secStatus = SSL_OptionSet(sslSocket, SSL_SECURITY, PR_TRUE);
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable SSL_SECURITY");
+ errWarn("SSL_OptionSet SSL_SECURITY");
 goto loser;
 }
- secStatus = SSL_Enable(sslSocket, SSL_HANDSHAKE_AS_SERVER, PR_TRUE);
+ secStatus = SSL_OptionSet(sslSocket, SSL_HANDSHAKE_AS_SERVER, PR_TRUE);
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable:SSL_HANDSHAKE_AS_SERVER");
+ errWarn("SSL_OptionSet:SSL_HANDSHAKE_AS_SERVER");
 goto loser;
 }
- secStatus = SSL_Enable(sslSocket, SSL_REQUEST_CERTIFICATE,
+ secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE,
 (requestCert >= REQUEST_CERT_ONCE));
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable:SSL_REQUEST_CERTIFICATE");
+ errWarn("SSL_OptionSet:SSL_REQUEST_CERTIFICATE");
 goto loser;
 }
- secStatus = SSL_Enable(sslSocket, SSL_REQUIRE_CERTIFICATE,
+ secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE,
 (requestCert == REQUIRE_CERT_ONCE));
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable:SSL_REQUIRE_CERTIFICATE");
+ errWarn("SSL_OptionSet:SSL_REQUIRE_CERTIFICATE");
 goto loser;
 }
@@ -316,24 +316,24 @@ authenticateSocket(PRFileDesc *sslSocket, PRBool requireCert)
 }
 /* Request client to authenticate itself. */
- secStatus = SSL_Enable(sslSocket, SSL_REQUEST_CERTIFICATE, PR_TRUE);
+ secStatus = SSL_OptionSet(sslSocket, SSL_REQUEST_CERTIFICATE, PR_TRUE);
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable:SSL_REQUEST_CERTIFICATE");
+ errWarn("SSL_OptionSet:SSL_REQUEST_CERTIFICATE");
 return SECFailure;
 }
 /* If desired, require client to authenticate itself. Note
 * SSL_REQUEST_CERTIFICATE must also be on, as above. */
- secStatus = SSL_Enable(sslSocket, SSL_REQUIRE_CERTIFICATE, requireCert);
+ secStatus = SSL_OptionSet(sslSocket, SSL_REQUIRE_CERTIFICATE, requireCert);
 if (secStatus != SECSuccess) {
- errWarn("SSL_Enable:SSL_REQUIRE_CERTIFICATE");
+ errWarn("SSL_OptionSet:SSL_REQUIRE_CERTIFICATE");
 return SECFailure;
 }
 /* Having changed socket configuration parameters, redo handshake. */
- secStatus = SSL_RedoHandshake(sslSocket);
+ secStatus = SSL_ReHandshake(sslSocket, PR_TRUE);
 if (secStatus != SECSuccess) {
- errWarn("SSL_RedoHandshake");
+ errWarn("SSL_ReHandshake");
 return SECFailure;
 }
@@ -671,9 +671,9 @@ server_main(
 /* This cipher is not on by default. The Acceptance test
 * would like it to be. Turn this cipher on. */
- secStatus = SSL_EnableCipher(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
+ secStatus = SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
 if (secStatus != SECSuccess) {
- exitErr("SSL_EnableCipher:SSL_RSA_WITH_NULL_MD5");
+ exitErr("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");
 }
 /* Configure the network connection. */
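Review bot: The new `SSL_ReHandshake(sslSocket, PR_TRUE)` call carries a second argument that the old `SSL_RedoHandshake` had no equivalent for, yet the comment above it still only says "redo handshake". As I read the NSS contract, PR_TRUE is the flushCache flag that discards the session-cache entry so the renegotiation is a full handshake rather than a resumption, which matters here because a resumed handshake would not carry the certificate request that was just enabled; that reasoning belongs in the comment, e.g. `/* Having changed socket configuration parameters, redo handshake. PR_TRUE flushes the session cache entry so the renegotiation is a full handshake and the new certificate request is actually sent. */`. The same call appears in selfserv.c's send_answer hunk. authenticateSocket starts outside the hunk.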
@@ -772,28 +772,27 @@ main(int argc, char **argv)
 /* XXX keep this? */
 /* all the SSL2 and SSL3 cipher suites are enabled by default. */
 if (cipherString) {
- int ndx;
+ int ndx;
- /* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
+ /* disable all the ciphers, then enable the ones we want. */
+ disableAllSSLCiphers();
- while (0 != (ndx = *cipherString++)) {
- int *cptr;
- int cipher;
+ while (0 != (ndx = *cipherString++)) {
+ int *cptr;
+ int cipher;
- if (! isalpha(ndx))
- Usage(progName);
- cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
- for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
- /* do nothing */;
- if (cipher) {
- SECStatus status;
- status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED);
- if (status != SECSuccess)
- errWarn("SSL_CipherPrefSetDefault()");
- }
+ if (! isalpha(ndx))
+ Usage(progName);
+ cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites;
+ for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; )
+ /* do nothing */;
+ if (cipher) {
+ SECStatus status;
+ status = SSL_CipherPrefSetDefault(cipher, PR_TRUE);
+ if (status != SECSuccess)
+ errWarn("SSL_CipherPrefSetDefault()");
 }
+ }
 }
 /* Get own certificate and private key. */
diff --git a/security/nss/cmd/SSLsample/sslsample.c b/security/nss/cmd/SSLsample/sslsample.c
index 564a6e78552d..77c543e12a1a 100644
--- a/security/nss/cmd/SSLsample/sslsample.c
+++ b/security/nss/cmd/SSLsample/sslsample.c
@@ -252,40 +252,40 @@ myGetClientAuthData(void *arg,
 }
 }
 } else { /* no nickname given, automatically find the right cert */
- CERTCertNicknames *names;
- int i;
+ CERTCertNicknames *names;
+ int i;
- names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
- SEC_CERT_NICKNAMES_USER, proto_win);
+ names = CERT_GetCertNicknames(CERT_GetDefaultCertDB(),
+ SEC_CERT_NICKNAMES_USER, proto_win);
- if (names != NULL) {
- for(i = 0; i < names->numnicknames; i++ ) {
+ if (names != NULL) {
+ for(i = 0; i < names->numnicknames; i++ ) {
- cert = PK11_FindCertFromNickname(names->nicknames[i],
- proto_win);
- if (!cert) {
- continue;
- }
-
- /* Only check unexpired certs */
- if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE)
- != secCertTimeValid ) {
- CERT_DestroyCertificate(cert);
- continue;
- }
-
- secStatus = NSS_CmpCertChainWCANames(cert, caNames);
- if (secStatus == SECSuccess) {
- privKey = PK11_FindKeyByAnyCert(cert, proto_win);
- if (privKey) {
- break;
- }
- secStatus = SECFailure;
- break;
- }
- CERT_FreeNicknames(names);
- } /* for loop */
+ cert = PK11_FindCertFromNickname(names->nicknames[i],
+ proto_win);
+ if (!cert) {
+ continue;
 }
+
+ /* Only check unexpired certs */
+ if (CERT_CheckCertValidTimes(cert, PR_Now(), PR_FALSE)
+ != secCertTimeValid ) {
+ CERT_DestroyCertificate(cert);
+ continue;
+ }
+
+ secStatus = NSS_CmpCertChainWCANames(cert, caNames);
+ if (secStatus == SECSuccess) {
+ privKey = PK11_FindKeyByAnyCert(cert, proto_win);
+ if (privKey) {
+ break;
+ }
+ secStatus = SECFailure;
+ break;
+ }
+ CERT_FreeNicknames(names);
+ } /* for loop */
+ }
 }
 if (secStatus == SECSuccess) {
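Review bot: `CERT_FreeNicknames(names);` sits inside the for loop body (the line just before `} /* for loop */`), so on the first iteration where NSS_CmpCertChainWCANames does not return SECSuccess the nickname list is freed and the next iteration reads `names->numnicknames` and `names->nicknames[i]` from freed memory, with a second free if yet another cert mismatches. The re-indentation in this hunk keeps that placement; the call belongs after the loop, `} /* for loop */` followed by `CERT_FreeNicknames(names);`, where it also runs when the loop exits through break. On the same mismatch path the certificate returned by PK11_FindCertFromNickname is neither used nor released, so every non-matching cert leaks one reference; `CERT_DestroyCertificate(cert); cert = NULL;` before looping around would close that. The `privKey == NULL` path also breaks out still holding cert, but what happens to cert after the loop is outside the hunk, as is the start of myGetClientAuthData.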
@@ -301,7 +301,7 @@ myGetClientAuthData(void *arg,
 * Purpose: Called by SSL to inform application that the handshake is
 * complete. This function is mostly used on the server side of an SSL
 * connection, although it is provided for a client as well.
- * Useful when a non-blocking SSL_RedoHandshake or SSL_ResetHandshake
+ * Useful when a non-blocking SSL_ReHandshake or SSL_ResetHandshake
 * is used to initiate a handshake.
 *
 * A typical scenario would be:
@@ -334,25 +334,23 @@ myHandshakeCallback(PRFileDesc *socket, void *arg)
 **************************************************************************/
 void
-disableSSL2Ciphers(void)
+disableAllSSLCiphers(void)
 {
- int i;
+ const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+ int i = SSL_NumImplementedCiphers;
+ SECStatus rv;
- /* disable all the SSL2 cipher suites */
- for (i = 0; ssl2CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl2CipherSuites[i], SSL_NOT_ALLOWED);
- }
-}
-
-void
-disableSSL3Ciphers(void)
-{
- int i;
-
- /* disable all the SSL3 cipher suites */
- for (i = 0; ssl3CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl3CipherSuites[i], SSL_NOT_ALLOWED);
+ /* disable all the SSL3 cipher suites */
+ while (--i >= 0) {
+ PRUint16 suite = cipherSuites[i];
+ rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
+ if (rv != SECSuccess) {
+ printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
+ suite, i);
+ errWarn("SSL_CipherPrefSetDefault");
+ exit(2);
 }
+ }
 }
 /**************************************************************************
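Review bot: The new disableAllSSLCiphers walks every entry of `SSL_ImplementedCiphers`, yet the comment above the loop still reads `/* disable all the SSL3 cipher suites */`, carried over from the SSL3-only loop it replaces; `/* disable every implemented cipher suite, not just SSL3 */` describes what the loop now does. On the failure path the diagnostic is written with printf to stdout and errWarn is then called for the same condition; `fprintf(stderr, ...)` keeps the report on the error stream rather than mixed into normal output. The function body is pasted verbatim into selfserv.c and strsclnt.c in this same commit, so any later fix has to land three times; if those tools cannot link sslsample's helpers, a comment naming the canonical copy would at least tie them together.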
@@ -506,22 +504,22 @@ reap_threads(GlobalThreadMgr *threadMGR)
 return 0;
 PR_Lock(threadMGR->threadLock);
 while (threadMGR->numRunning > 0) {
- PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT);
- for (i = 0; i < threadMGR->numUsed; ++i) {
- slot = &threadMGR->threads[i];
- if (slot->running == rs_zombie) {
- /* Handle cleanup of thread here. */
- printf("Thread in slot %d returned %d\n", i, slot->rv);
+ PR_WaitCondVar(threadMGR->threadEndQ, PR_INTERVAL_NO_TIMEOUT);
+ for (i = 0; i < threadMGR->numUsed; ++i) {
+ slot = &threadMGR->threads[i];
+ if (slot->running == rs_zombie) {
+ /* Handle cleanup of thread here. */
+ printf("Thread in slot %d returned %d\n", i, slot->rv);
- /* Now make sure the thread has ended OK. */
- PR_JoinThread(slot->prThread);
- slot->running = rs_idle;
- --threadMGR->numRunning;
+ /* Now make sure the thread has ended OK. */
+ PR_JoinThread(slot->prThread);
+ slot->running = rs_idle;
+ --threadMGR->numRunning;
- /* notify the thread launcher. */
- PR_NotifyCondVar(threadMGR->threadStartQ);
- }
+ /* notify the thread launcher. */
+ PR_NotifyCondVar(threadMGR->threadStartQ);
 }
+ }
 }
 /* Safety Sam sez: make sure count is right. */
diff --git a/security/nss/cmd/SSLsample/sslsample.h b/security/nss/cmd/SSLsample/sslsample.h
index ea8071bbf88e..ca6b6a489688 100644
--- a/security/nss/cmd/SSLsample/sslsample.h
+++ b/security/nss/cmd/SSLsample/sslsample.h
@@ -98,9 +98,8 @@ SECStatus myGetClientAuthData(void *arg, PRFileDesc *socket,
 /* Disable all v2/v3 SSL ciphers. */
-void disableSSL2Ciphers(void);
+void disableAllSSLCiphers(void);
-void disableSSL3Ciphers(void);
 /* Error and information utilities. */
diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c
index b98fc6e9ed94..fe9e9f795cad 100644
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -210,25 +210,30 @@ errExit(char * funcString)
 exit(3);
 }
-void
-disableSSL2Ciphers(void)
-{
- int i;
- /* disable all the SSL2 cipher suites */
- for (i = 0; ssl2CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl2CipherSuites[i], SSL_NOT_ALLOWED);
- }
-}
+/**************************************************************************
+**
+** Routines for disabling SSL ciphers.
+**
+**************************************************************************/
 void
-disableSSL3Ciphers(void)
+disableAllSSLCiphers(void)
 {
- int i;
+ const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+ int i = SSL_NumImplementedCiphers;
+ SECStatus rv;
 /* disable all the SSL3 cipher suites */
- for (i = 0; ssl3CipherSuites[i] != 0; ++i) {
- SSL_EnableCipher(ssl3CipherSuites[i], SSL_NOT_ALLOWED);
+ while (--i >= 0) {
+ PRUint16 suite = cipherSuites[i];
+ rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
+ if (rv != SECSuccess) {
+ printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
+ suite, i);
+ errWarn("SSL_CipherPrefSetDefault");
+ exit(2);
+ }
 }
 }
@@ -743,20 +748,20 @@ send_answer:
 if (cert) {
 CERT_DestroyCertificate(cert);
 } else {
- rv = SSL_Enable(ssl_sock, SSL_REQUEST_CERTIFICATE, 1);
+ rv = SSL_OptionSet(ssl_sock, SSL_REQUEST_CERTIFICATE, 1);
 if (rv < 0) {
- errWarn("second SSL_Enable SSL_REQUEST_CERTIFICATE");
+ errWarn("second SSL_OptionSet SSL_REQUEST_CERTIFICATE");
 break;
 }
- rv = SSL_Enable(ssl_sock, SSL_REQUIRE_CERTIFICATE,
+ rv = SSL_OptionSet(ssl_sock, SSL_REQUIRE_CERTIFICATE,
 (requestCert == 4));
 if (rv < 0) {
- errWarn("second SSL_Enable SSL_REQUIRE_CERTIFICATE");
+ errWarn("second SSL_OptionSet SSL_REQUIRE_CERTIFICATE");
 break;
 }
- rv = SSL_RedoHandshake(ssl_sock);
+ rv = SSL_ReHandshake(ssl_sock, PR_TRUE);
 if (rv != 0) {
- errWarn("SSL_RedoHandshake");
+ errWarn("SSL_ReHandshake");
 break;
 }
 rv = SSL_ForceHandshake(ssl_sock);
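Review bot: In the send_answer hunk the renamed calls are still checked three different ways: `if (rv < 0)` after the two `SSL_OptionSet` calls, `if (rv != 0)` after `SSL_ReHandshake`, and `if (rv != SECSuccess)` after the SSL_ENABLE_* calls later in this file. SECStatus is an enum whose documented success value is SECSuccess; `< 0` only works because SECFailure happens to be -1, and `!= 0` reads like an errno-style check. Since the commit is already rewriting these lines, `if (rv != SECSuccess) {` on all three would make the error handling uniform. The same `rv < 0` idiom survives in the server_main hunks of selfserv.c, in sslstrength.c's main, and in strsclnt.c's client_main. The function enclosing the send_answer hunk starts and ends outside it.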
@@ -923,23 +928,23 @@ server_main(
 ** Setting it explicitly should not be necessary.
 ** Let's test and make sure that's true.
 */
- rv = SSL_Enable(model_sock, SSL_SECURITY, 1);
+ rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1);
 if (rv < 0) {
- errExit("SSL_Enable SSL_SECURITY");
+ errExit("SSL_OptionSet SSL_SECURITY");
 }
 #endif
- rv = SSL_Enable(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
+ rv = SSL_OptionSet(model_sock, SSL_ENABLE_SSL3, !disableSSL3);
 if (rv != SECSuccess) {
 errExit("error enabling SSLv3 ");
 }
- rv = SSL_Enable(model_sock, SSL_ENABLE_TLS, !disableTLS);
+ rv = SSL_OptionSet(model_sock, SSL_ENABLE_TLS, !disableTLS);
 if (rv != SECSuccess) {
 errExit("error enabling TLS ");
 }
- rv = SSL_Enable(model_sock, SSL_ROLLBACK_DETECTION, !disableRollBack);
+ rv = SSL_OptionSet(model_sock, SSL_ROLLBACK_DETECTION, !disableRollBack);
 if (rv != SECSuccess) {
 errExit("error enabling RollBack detection ");
 }
@@ -954,9 +959,9 @@ server_main(
 }
 if (bigBuf.data) { /* doing FDX */
- rv = SSL_Enable(model_sock, SSL_ENABLE_FDX, 1);
+ rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
 if (rv < 0) {
- errExit("SSL_Enable SSL_ENABLE_FDX");
+ errExit("SSL_OptionSet SSL_ENABLE_FDX");
 }
 }
@@ -964,9 +969,9 @@ server_main(
 * would like it to be. Turn this cipher on.
 */
- secStatus = SSL_EnableCipher( SSL_RSA_WITH_NULL_MD5, PR_TRUE);
+ secStatus = SSL_CipherPrefSetDefault( SSL_RSA_WITH_NULL_MD5, PR_TRUE);
 if ( secStatus != SECSuccess ) {
- errExit("SSL_EnableCipher:SSL_RSA_WITH_NULL_MD5");
+ errExit("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");
 }
@@ -974,14 +979,14 @@ server_main(
 SSL_AuthCertificateHook(model_sock, mySSLAuthCertificate,
 (void *)CERT_GetDefaultCertDB());
 if (requestCert <= 2) {
- rv = SSL_Enable(model_sock, SSL_REQUEST_CERTIFICATE, 1);
+ rv = SSL_OptionSet(model_sock, SSL_REQUEST_CERTIFICATE, 1);
 if (rv < 0) {
- errExit("first SSL_Enable SSL_REQUEST_CERTIFICATE");
+ errExit("first SSL_OptionSet SSL_REQUEST_CERTIFICATE");
 }
- rv = SSL_Enable(model_sock, SSL_REQUIRE_CERTIFICATE,
+ rv = SSL_OptionSet(model_sock, SSL_REQUIRE_CERTIFICATE,
 (requestCert == 2));
 if (rv < 0) {
- errExit("first SSL_Enable SSL_REQUIRE_CERTIFICATE");
+ errExit("first SSL_OptionSet SSL_REQUIRE_CERTIFICATE");
 }
 }
 }
@@ -1208,8 +1213,7 @@ main(int argc, char **argv)
 int ndx;
 /* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
+ disableAllSSLCiphers();
 while (0 != (ndx = *cipherString++)) {
 int *cptr;
diff --git a/security/nss/cmd/sslstrength/sslstrength.c b/security/nss/cmd/sslstrength/sslstrength.c
index 33cda13729ab..925608f93713 100644
--- a/security/nss/cmd/sslstrength/sslstrength.c
+++ b/security/nss/cmd/sslstrength/sslstrength.c
@@ -67,9 +67,9 @@ PRInt32 debug;
 /* Set SSL Policy to Domestic (strong=1) or Export (strong=0) */
-#define ALLOW(x) SSL_SetPolicy(x,SSL_ALLOWED); SSL_EnableCipher(x,1);
-#define DISALLOW(x) SSL_SetPolicy(x,SSL_NOT_ALLOWED); SSL_EnableCipher(x,0);
-#define MAYBEALLOW(x) SSL_SetPolicy(x,SSL_RESTRICTED); SSL_EnableCipher(x,1);
+#define ALLOW(x) SSL_CipherPolicySet(x,SSL_ALLOWED); SSL_CipherPrefSetDefault(x,1);
+#define DISALLOW(x) SSL_CipherPolicySet(x,SSL_NOT_ALLOWED); SSL_CipherPrefSetDefault(x,0);
+#define MAYBEALLOW(x) SSL_CipherPolicySet(x,SSL_RESTRICTED); SSL_CipherPrefSetDefault(x,1);
 struct CipherPolicy {
 char number;
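Review bot: The three rewritten macros in sslstrength.c, `#define ALLOW(x) SSL_CipherPolicySet(x,SSL_ALLOWED); SSL_CipherPrefSetDefault(x,1);` and its two siblings, expand to two statements plus a trailing semicolon with an unparenthesized argument, so `if (cond) ALLOW(id);` would guard only the policy call and always run the preference call. Since the commit already touches these lines, the usual form `#define ALLOW(x) do { SSL_CipherPolicySet((x), SSL_ALLOWED); SSL_CipherPrefSetDefault((x), PR_TRUE); } while (0)`, and likewise for DISALLOW and MAYBEALLOW, removes the hazard; whether any call site is actually unbraced is outside the hunk. Both return values are still dropped, so a policy or preference that fails to apply goes unreported by a tool whose job is to report which ciphers are available.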
@@ -167,8 +167,8 @@ void SetPolicy(char *c,int policy) { /* policy==1 : domestic, policy==0, expo
 int i,j,cpolicy;
 /* first, enable all relevant ciphers according to policy */
 for (j=0;j<(sizeof(ciphers)/sizeof(struct CipherPolicy));j++) {
- SSL_SetPolicy(ciphers[j].id,policy?ciphers[j].domestic:ciphers[j].export);
- SSL_EnableCipher(ciphers[j].id,0);
+ SSL_CipherPolicySet(ciphers[j].id,policy?ciphers[j].domestic:ciphers[j].export);
+ SSL_CipherPrefSetDefault(ciphers[j].id, PR_FALSE);
 ciphers[j].pref =0;
 }
@@ -183,7 +183,7 @@ void SetPolicy(char *c,int policy) { /* policy==1 : domestic, policy==0, expo
 }
 else {
 ciphers[j].pref=1;
- SSL_EnableCipher(ciphers[j].id,1);
+ SSL_CipherPrefSetDefault(ciphers[j].id, PR_TRUE);
 }
 }
 }
@@ -388,7 +388,7 @@ PRInt32 main(PRInt32 argc,char **argv, char **envp)
 dbmsg("10: About to enable security\n");
- rv = SSL_Enable(s, SSL_SECURITY, 1);
+ rv = SSL_OptionSet(s, SSL_SECURITY, PR_TRUE);
 if (rv < 0) {
 PrintErrString(progname, "error enabling socket");
 return -1;
@@ -409,7 +409,7 @@ PRInt32 main(PRInt32 argc,char **argv, char **envp)
 PrintCiphers(1);
- rv = SSL_Enable(s, SSL_HANDSHAKE_AS_CLIENT, 1);
+ rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE);
 if (rv < 0) {
 PrintErrString(progname, "error enabling client handshake");
 return -1;
diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c
index d826c3a21246..c1a93dd0c9de 100644
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
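Review bot: In SetPolicy the new `SSL_CipherPolicySet(...)` and `SSL_CipherPrefSetDefault(ciphers[j].id, PR_FALSE)` lines discard their SECStatus, as does `SSL_CipherPrefSetDefault(ciphers[j].id, PR_TRUE)` in the second hunk, while `ciphers[j].pref` is updated unconditionally right beside them. If either call fails, the table this tool prints no longer matches what libssl will actually negotiate, which defeats the point of a strength-reporting utility. Checking each call with `!= SECSuccess` and reporting through the PrintErrString helper that main already uses would keep the report honest. The `rv < 0` checks in the two main hunks are the same SECStatus-comparison inconsistency noted on selfserv.c. SetPolicy starts outside the hunk.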
@@ -113,41 +113,6 @@ int NoReuse;
 SSL3Statistics * ssl3stats;
-void
-disableSSL2Ciphers(void)
-{
- int i;
-
- /* disable all the SSL2 cipher suites */
- for (i = 0; ssl2CipherSuites[i] != 0; ++i) {
- SECStatus rv;
- rv = SSL_EnableCipher(ssl2CipherSuites[i], SSL_NOT_ALLOWED);
- if (rv != SECSuccess) {
- fprintf(stderr,
- "strsclnt: SSL_EnableCipher failed with value 0x%04x\n",
- ssl2CipherSuites[i]);
- exit(1);
- }
- }
-}
-
-void
-disableSSL3Ciphers(void)
-{
- int i;
-
- /* disable all the SSL3 cipher suites */
- for (i = 0; ssl3CipherSuites[i] != 0; ++i) {
- SECStatus rv;
- rv = SSL_EnableCipher(ssl3CipherSuites[i], SSL_NOT_ALLOWED);
- if (rv != SECSuccess) {
- fprintf(stderr,
- "strsclnt: SSL_EnableCipher failed with value 0x%04x\n",
- ssl3CipherSuites[i]);
- exit(1);
- }
- }
-}
 char *
 ownPasswd( PK11SlotInfo *slot, PRBool retry, void *arg)
 {
@@ -180,49 +145,6 @@ Usage(const char *progName)
 exit(1);
 }
-static void
-networkStart(void)
-{
-#if defined(XP_WIN) && !defined(NSPR20)
-
- WORD wVersionRequested;
- WSADATA wsaData;
- int err;
- wVersionRequested = MAKEWORD(1, 1);
-
- err = WSAStartup(wVersionRequested, &wsaData);
-
- if (err != 0) {
- /* Tell the user that we couldn't find a useable winsock.dll. */
- fputs("WSAStartup failed!\n", stderr);
- exit(1);
- }
-
-/* Confirm that the Windows Sockets DLL supports 1.1.*/
-/* Note that if the DLL supports versions greater */
-/* than 1.1 in addition to 1.1, it will still return */
-/* 1.1 in wVersion since that is the version we */
-/* requested. */
-
- if ( LOBYTE( wsaData.wVersion ) != 1 ||
- HIBYTE( wsaData.wVersion ) != 1 ) {
- /* Tell the user that we couldn't find a useable winsock.dll. */
- fputs("wrong winsock version\n", stderr);
- WSACleanup();
- exit(1);
- }
- /* The Windows Sockets DLL is acceptable. Proceed. */
-
-#endif
-}
-
-static void
-networkEnd(void)
-{
-#if defined(XP_WIN) && !defined(NSPR20)
- WSACleanup();
-#endif
-}
 static void
 errWarn(char * funcString)
@@ -237,34 +159,36 @@ errWarn(char * funcString)
 static void
 errExit(char * funcString)
 {
-#if defined (XP_WIN) && !defined(NSPR20)
- int err;
- LPVOID lpMsgBuf;
-
- err = WSAGetLastError();
-
- FormatMessage(
- FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
- NULL,
- err,
- MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
- (LPTSTR) &lpMsgBuf,
- 0,
- NULL
- );
-
- /* Display the string. */
- /*MessageBox( NULL, lpMsgBuf, "GetLastError", MB_OK|MB_ICONINFORMATION ); */
- fprintf(stderr, "%s\n", lpMsgBuf);
-
- /* Free the buffer. */
- LocalFree( lpMsgBuf );
-#endif
-
 errWarn(funcString);
 exit(1);
 }
+/**************************************************************************
+**
+** Routines for disabling SSL ciphers.
+**
+**************************************************************************/
+
+void
+disableAllSSLCiphers(void)
+{
+ const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+ int i = SSL_NumImplementedCiphers;
+ SECStatus rv;
+
+ /* disable all the SSL3 cipher suites */
+ while (--i >= 0) {
+ PRUint16 suite = cipherSuites[i];
+ rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
+ if (rv != SECSuccess) {
+ printf("SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d)\n",
+ suite, i);
+ errWarn("SSL_CipherPrefSetDefault");
+ exit(2);
+ }
+ }
+}
+
 /* This invokes the "default" AuthCert handler in libssl.
 ** The only reason to use this one is that it prints out info as it goes.
 */
@@ -833,8 +757,6 @@ client_main(
 PRUint32 ipAddress; /* in host byte order */
 PRNetAddr addr;
- networkStart();
-
 /* Assemble NetAddr struct for connections. */
 ipAddress = getIPAddress(hostName);
@@ -845,13 +767,12 @@ client_main(
 /* all suites except RSA_NULL_MD5 are enabled by Domestic Policy */
 NSS_SetDomesticPolicy();
-/* all the SSL2 and SSL3 cipher suites are enabled by default. */
+ /* all the SSL2 and SSL3 cipher suites are enabled by default. */
 if (cipherString) {
 int ndx;
 /* disable all the ciphers, then enable the ones we want. */
- disableSSL2Ciphers();
- disableSSL3Ciphers();
+ disableAllSSLCiphers();
 while (0 != (ndx = *cipherString++)) {
 int *cptr;
@@ -864,10 +785,10 @@ client_main(
 /* do nothing */;
 if (cipher) {
 SECStatus rv;
- rv = SSL_EnableCipher(cipher, SSL_ALLOWED);
+ rv = SSL_CipherPrefSetDefault(cipher, PR_TRUE);
 if (rv != SECSuccess) {
 fprintf(stderr,
- "strsclnt: SSL_EnableCipher failed with value 0x%04x\n",
+ "strsclnt: SSL_CipherPrefSetDefault failed with value 0x%04x\n",
 cipher);
 exit(1);
 }
@@ -889,22 +810,22 @@ client_main(
 /* do SSL configuration. */
- rv = SSL_Enable(model_sock, SSL_SECURITY, 1);
+ rv = SSL_OptionSet(model_sock, SSL_SECURITY, 1);
 if (rv < 0) {
- errExit("SSL_Enable SSL_SECURITY");
+ errExit("SSL_OptionSet SSL_SECURITY");
 }
 if (bigBuf.data) { /* doing FDX */
- rv = SSL_Enable(model_sock, SSL_ENABLE_FDX, 1);
+ rv = SSL_OptionSet(model_sock, SSL_ENABLE_FDX, 1);
 if (rv < 0) {
- errExit("SSL_Enable SSL_ENABLE_FDX");
+ errExit("SSL_OptionSet SSL_ENABLE_FDX");
 }
 }
 if (NoReuse) {
- rv = SSL_Enable(model_sock, SSL_NO_CACHE, 1);
+ rv = SSL_OptionSet(model_sock, SSL_NO_CACHE, 1);
 if (rv < 0) {
- errExit("SSL_Enable SSL_NO_CACHE");
+ errExit("SSL_OptionSet SSL_NO_CACHE");
 }
 }
@@ -941,7 +862,6 @@ client_main(
 PR_Close(model_sock);
- networkEnd();
 }
 SECStatus
diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 33a0910ec58e..5cc6b9959be3 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -209,7 +209,7 @@ disableAllSSLCiphers(void)
 /* disable all the SSL3 cipher suites */
 while (--i >= 0) {
 PRUint16 suite = cipherSuites[i];
- rv = SSL_CipherPrefSetDefault(suite, SSL_NOT_ALLOWED);
+ rv = SSL_CipherPrefSetDefault(suite, PR_FALSE);
 if (rv != SECSuccess) {
 PRErrorCode err = PR_GetError();
 printf("SSL_CipherPrefSet didn't like value 0x%04x (i = %d): %s\n",
@@ -437,13 +437,13 @@ int main(int argc, char **argv)
 return -1;
 }
- rv = SSL_Enable(s, SSL_SECURITY, 1);
+ rv = SSL_OptionSet(s, SSL_SECURITY, 1);
 if (rv != SECSuccess) {
 SECU_PrintError(progName, "error enabling socket");
 return -1;
 }
- rv = SSL_Enable(s, SSL_HANDSHAKE_AS_CLIENT, 1);
+ rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, 1);
 if (rv != SECSuccess) {
 SECU_PrintError(progName, "error enabling client handshake");
 return -1;
@@ -471,26 +471,26 @@ int main(int argc, char **argv)
 }
 }
- rv = SSL_Enable(s, SSL_ENABLE_SSL2, !disableSSL2);
+ rv = SSL_OptionSet(s, SSL_ENABLE_SSL2, !disableSSL2);
 if (rv != SECSuccess) {
 SECU_PrintError(progName, "error enabling SSLv2 ");
 return -1;
 }
- rv = SSL_Enable(s, SSL_ENABLE_SSL3, !disableSSL3);
+ rv = SSL_OptionSet(s, SSL_ENABLE_SSL3, !disableSSL3);
 if (rv != SECSuccess) {
 SECU_PrintError(progName, "error enabling SSLv3 ");
 return -1;
 }
- rv = SSL_Enable(s, SSL_ENABLE_TLS, !disableTLS);
+ rv = SSL_OptionSet(s, SSL_ENABLE_TLS, !disableTLS);
 if (rv != SECSuccess) {
 SECU_PrintError(progName, "error enabling TLS ");
 return -1;
 }
 /* disable ssl2 and ssl2-compatible client hellos. */
- rv = SSL_Enable(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
+ rv = SSL_OptionSet(s, SSL_V2_COMPATIBLE_HELLO, !disableSSL2);
 if (rv != SECSuccess) {
 SECU_PrintError(progName, "error disabling v2 compatibility");
 return -1;
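Review bot: The diagnostic in tstclnt's disableAllSSLCiphers names the wrong function: the changed line calls `SSL_CipherPrefSetDefault(suite, PR_FALSE)`, but the printf two lines below reports `"SSL_CipherPrefSet didn't like value ..."`, which sends whoever reads the log looking at a different API. Changing the literal to `"SSL_CipherPrefSetDefault didn't like value 0x%04x (i = %d): %s\n"` fixes it, and `fprintf(stderr, ...)` would keep the report out of normal output. The remaining printf arguments and the rest of the function lie outside the hunk, as does its start.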