gboolean crypto_init (GError **error) { SECStatus ret; if (initialized) return TRUE; PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1); ret = NSS_NoDB_Init (NULL); if (ret != SECSuccess) { g_set_error (error, NM_CRYPTO_ERROR, NM_CRYPTO_ERROR_FAILED, _("Failed to initialize the crypto engine: %d."), PR_GetError ()); PR_Cleanup (); return FALSE; } SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); initialized = TRUE; return TRUE; }
// From the PKCS#12 section of nsNSSComponent::InitializeNSS in // nsNSSComponent.cpp. PKCS12InitSingleton() { // Enable ciphers for PKCS#12 SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); // Set no-op ascii-ucs2 conversion function to work around weird NSS // interface. Thankfully, PKCS12 appears to be the only thing in NSS that // uses PORT_UCS2_ASCIIConversion, so this doesn't break anything else. PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn); }
nsresult InitializeCipherSuite() { NS_ASSERTION(NS_IsMainThread(), "InitializeCipherSuite() can only be accessed in main thread"); if (NSS_SetDomesticPolicy() != SECSuccess) { return NS_ERROR_FAILURE; } // Disable any ciphers that NSS might have enabled by default for (uint16_t i = 0; i < SSL_NumImplementedCiphers; ++i) { uint16_t cipher_id = SSL_ImplementedCiphers[i]; SSL_CipherPrefSetDefault(cipher_id, false); } // Now only set SSL/TLS ciphers we knew about at compile time uint32_t enabledWeakCiphers = 0; const CipherPref* const cp = sCipherPrefs; for (size_t i = 0; cp[i].pref; ++i) { bool cipherEnabled = Preferences::GetBool(cp[i].pref, cp[i].enabledByDefault); if (cp[i].weak) { // Weak ciphers are not used by default. See the comment // in CipherSuiteChangeObserver::Observe for details. if (cipherEnabled) { enabledWeakCiphers |= ((uint32_t)1 << i); } } else { SSL_CipherPrefSetDefault(cp[i].id, cipherEnabled); } } sEnabledWeakCiphers = enabledWeakCiphers; // Enable ciphers for PKCS#12 SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); PORT_SetUCS2_ASCIIConversionFunction(pip_ucs2_ascii_conversion_fn); // Observe preference change around cipher suite setting. return CipherSuiteChangeObserver::StartObserve(); }
/** * xmlSecNssAppInit: * @config: the path to NSS database files. * * General crypto engine initialization. This function is used * by XMLSec command line utility and called before * @xmlSecInit function. * * Returns: 0 on success or a negative value otherwise. */ int xmlSecNssAppInit(const char* config) { SECStatus rv; if(config) { rv = NSS_InitReadWrite(config); if(rv != SECSuccess) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "NSS_InitReadWrite", XMLSEC_ERRORS_R_CRYPTO_FAILED, "config=%s", xmlSecErrorsSafeString(config)); return(-1); } } else { rv = NSS_NoDB_Init(NULL); if(rv != SECSuccess) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "NSS_NoDB_Init", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); return(-1); } } /* configure PKCS11 */ PK11_ConfigurePKCS11("manufacturesID", "libraryDescription", "tokenDescription", "privateTokenDescription", "slotDescription", "privateSlotDescription", "fipsSlotDescription", "fipsPrivateSlotDescription", 0, 0); /* setup for PKCS12 */ PORT_SetUCS2_ASCIIConversionFunction(xmlSecNssAppAscii2UCS2Conv); SEC_PKCS12EnableCipher(PKCS12_RC4_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC4_128, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, 1); SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, 1); SEC_PKCS12EnableCipher(PKCS12_DES_56, 1); SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, 1); SEC_PKCS12SetPreferredCipher(PKCS12_DES_EDE3_168, 1); return(0); }