Bommels05/Mozilla
Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

378332 update ciphersuite constants and added isFipsCipherSuite method r=neil

Browse Source 
git-svn-id: svn://10.0.0.236/trunk@226165 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
glen.beasley%sun.com 2007-05-09 01:40:14 +00:00
parent 600f520c74
commit 86ecb29a0d
4 changed files with 120 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
mozilla/security/jss/lib/jss.def
View File

@ -312,6 +312,7 @@ Java_org_mozilla_jss_pkcs11_PK11KeyPairGenerator_generateECKeyPair;
;+ global:
Java_org_mozilla_jss_ssl_SSLSocket_setSSLDefaultOptionMode;
Java_org_mozilla_jss_ssl_SocketBase_setSSLOptionMode;
Java_org_mozilla_jss_ssl_SSLSocket_isFipsCipherSuiteNative;
;+ local:
;+ *;
;+};

18
mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.c
View File

@ -91,6 +91,24 @@ finish:
return;
}
JNIEXPORT jboolean JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_isFipsCipherSuiteNative(JNIEnv *env,
jobject self, jint suite)
{
SECStatus status;
PRBool bOption = PR_FALSE;
SSLCipherSuiteInfo info;
status = SSL_GetCipherSuiteInfo(suite, &info, sizeof info);
if( status != SECSuccess ) {
JSSL_throwSSLSocketException(env, "ciphersuite invalid");
}
if (info.isFIPS == 1) bOption = PR_TRUE;
return bOption;
}
JNIEXPORT jint JNICALL
Java_org_mozilla_jss_ssl_SSLSocket_getSSLDefaultOption(JNIEnv *env,
jobject self, jint joption)

63
mozilla/security/jss/org/mozilla/jss/ssl/SSLSocket.java
View File

@ -1131,6 +1131,18 @@ public class SSLSocket extends java.net.Socket {
}
}
/**
* isFipsCipherSuite
*
*@return true if the ciphersuite isFIPS, false otherwise
*/
public static boolean isFipsCipherSuite(int ciphersuite) throws SocketException {
return isFipsCipherSuiteNative(ciphersuite);
}
private static native boolean isFipsCipherSuiteNative(int ciphersuite)
throws SocketException;
/**
* Returns a list of cipher suites that are implemented by NSS.
* Each element in the array will be one of the cipher suite constants
@ -1139,6 +1151,13 @@ public class SSLSocket extends java.net.Socket {
*/
public static native int[] getImplementedCipherSuites();
/**
*
* Note the following cipher-suites constants are not all implemented.
* You need to call getImplementedCiphersuites.
*
*/
public final static int SSL2_RC4_128_WITH_MD5 = 0xFF01;
public final static int SSL2_RC4_128_EXPORT40_WITH_MD5 = 0xFF02;
public final static int SSL2_RC2_128_CBC_WITH_MD5 = 0xFF03;
@ -1213,5 +1232,49 @@ public class SSLSocket extends java.net.Socket {
public final static int TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039;
public final static int TLS_DH_ANON_WITH_AES_256_CBC_SHA = 0x003A;
public final static int TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0041;
public final static int TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0042;
public final static int TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0043;
public final static int TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = 0x0044;
public final static int TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x0045;
public final static int TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA = 0x0046;
public final static int TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0084;
public final static int TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0085;
public final static int TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0086;
public final static int TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = 0x0087;
public final static int TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x0088;
public final static int TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA = 0x0089;
public final static int TLS_ECDH_ECDSA_WITH_NULL_SHA = 0xc001;
public final static int TLS_ECDH_ECDSA_WITH_RC4_128_SHA = 0xc002;
public final static int TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc003;
public final static int TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = 0xc004;
public final static int TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = 0xc005;
public final static int TLS_ECDHE_ECDSA_WITH_NULL_SHA = 0xc006;
public final static int TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = 0xc007;
public final static int TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = 0xc008;
public final static int TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = 0xc009;
public final static int TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = 0xc00a;
public final static int TLS_ECDH_RSA_WITH_NULL_SHA = 0xc00b;
public final static int TLS_ECDH_RSA_WITH_RC4_128_SHA = 0xc00c;
public final static int TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = 0xc00d;
public final static int TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = 0xc00e;
public final static int TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = 0xc00f;
public final static int TLS_ECDHE_RSA_WITH_NULL_SHA = 0xc010;
public final static int TLS_ECDHE_RSA_WITH_RC4_128_SHA = 0xc011;
public final static int TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = 0xc012;
public final static int TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = 0xc013;
public final static int TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = 0xc014;
public final static int TLS_ECDH_anon_WITH_NULL_SHA = 0xc015;
public final static int TLS_ECDH_anon_WITH_RC4_128_SHA = 0xc016;
public final static int TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = 0xc017;
public final static int TLS_ECDH_anon_WITH_AES_128_CBC_SHA = 0xc018;
public final static int TLS_ECDH_anon_WITH_AES_256_CBC_SHA = 0xc019;
}

47
mozilla/security/jss/org/mozilla/jss/tests/SSLClientAuth.java
View File

@ -55,9 +55,11 @@ import java.io.PrintWriter;
import java.io.BufferedWriter;
import java.io.OutputStreamWriter;
import java.io.*;
import java.net.SocketException;
public class SSLClientAuth implements Runnable {
private CryptoManager cm;
public static final SignatureAlgorithm sigAlg =
SignatureAlgorithm.RSASignatureWithSHA1Digest;
@ -141,7 +143,7 @@ public class SSLClientAuth implements Runnable {
}
CryptoManager.initialize(args[0]);
CryptoManager cm = CryptoManager.getInstance();
cm = CryptoManager.getInstance();
CryptoToken tok = cm.getInternalKeyStorageToken();
PasswordCallback cb = new FilePasswordCallback(args[1]);
@ -207,13 +209,7 @@ public class SSLClientAuth implements Runnable {
clientCertNick = "clientcertnick"+rand;
nssClientCert = cm.importCertPackage(
ASN1Util.encode(clientCert), clientCertNick);
//Disable SSL2 and SSL3 ciphers
SSLSocket.enableSSL2Default(false);
SSLSocket.enableSSL3Default(false);
//The cipher TLS_RSA_WITH_AES_128_CBC_SHA is chosen since
//it works when the NSS database is FIPS mode and also non FIPS mode
SSLSocket.setCipherPreferenceDefault(
SSLSocket.TLS_RSA_WITH_AES_128_CBC_SHA, true);
configureDefaultSSLoptions();
useNickname = false;
testConnection();
@ -229,6 +225,38 @@ public class SSLClientAuth implements Runnable {
}
private boolean useNickname;
private void configureDefaultSSLoptions() {
try {
//Disable SSL2 and SSL3 ciphers
SSLSocket.enableSSL2Default(false);
SSLSocket.enableSSL3Default(false);
/* TLS is enabled by default */
/* if FIPS is enabled, configure only FIPS ciphersuites */
if (cm.FIPSEnabled()) {
System.out.println("The NSS database is confirued in FIPS" +
"mode.");
System.out.println("Enable ony FIPS ciphersuites.");
int ciphers[] =
org.mozilla.jss.ssl.SSLSocket.getImplementedCipherSuites();
for (int i = 0; i < ciphers.length; ++i) {
if (SSLSocket.isFipsCipherSuite(ciphers[i])) {
/* enable the FIPS ciphersuite */
SSLSocket.setCipherPreferenceDefault(ciphers[i], true);
} else if (SSLSocket.getCipherPreferenceDefault(
ciphers[i])) {
/* disable the non fips ciphersuite */
SSLSocket.setCipherPreferenceDefault(ciphers[i], false);
}
}
}
} catch (SocketException ex) {
System.out.println("Error configuring default SSL options.");
ex.printStackTrace();
System.exit(1);
}
}
private void testConnection() throws Exception {
serverReady = false;
@ -260,7 +288,8 @@ public class SSLClientAuth implements Runnable {
// force the handshake
sock.forceHandshake();
System.out.println("client forced handshake");
String cipher = sock.getStatus().getCipher();
System.out.println("client forced handshake. ciphersuite: " + cipher);
sock.close();
// wait for the server to finish