From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- security/nss/cmd/listsuites/listsuites.c | 108 +++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 security/nss/cmd/listsuites/listsuites.c (limited to 'security/nss/cmd/listsuites/listsuites.c') diff --git a/security/nss/cmd/listsuites/listsuites.c b/security/nss/cmd/listsuites/listsuites.c new file mode 100644 index 0000000000..b49f2d8cf4 --- /dev/null +++ b/security/nss/cmd/listsuites/listsuites.c @@ -0,0 +1,108 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* This program demonstrates the use of SSL_GetCipherSuiteInfo to avoid + * all compiled-in knowledge of SSL cipher suites. + * + * Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6 + */ + +#include +#include +#include "nss.h" +#include "secport.h" +#include "secutil.h" +#include "ssl.h" + +int +main(int argc, char **argv) +{ + const PRUint16 *cipherSuites = SSL_ImplementedCiphers; + int i; + int errCount = 0; + SECStatus rv; + PRErrorCode err; + char *certDir = NULL; + + /* load policy from $SSL_DIR/pkcs11.txt, for testing */ + certDir = SECU_DefaultSSLDir(); + if (certDir) { + rv = NSS_Init(certDir); + } else { + rv = NSS_NoDB_Init(NULL); + } + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err)); + goto out; + } + + /* apply policy */ + rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n", + PORT_ErrorToString(err)); + goto out; + } + + /* update the default cipher suites according to the policy */ + rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "SSL_OptionSetDefault failed: %s\n", + PORT_ErrorToString(err)); + goto out; + } + + fputs("This version of libSSL supports these cipher suites:\n\n", stdout); + + /* disable all the SSL3 cipher suites */ + for (i = 0; i < SSL_NumImplementedCiphers; i++) { + PRUint16 suite = cipherSuites[i]; + PRBool enabled; + SSLCipherSuiteInfo info; + + rv = SSL_CipherPrefGetDefault(suite, &enabled); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, + "SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n", + suite, i, PORT_ErrorToString(err)); + continue; + } + rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info)); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, + "SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n", + suite, i, PORT_ErrorToString(err)); + continue; + } + fprintf(stdout, + "%s:\n" /* up to 37 spaces */ + " 0x%04hx %-5s %-5s %-8s %3hd %-6s %-8s %-4s Domestic %-11s\n", + info.cipherSuiteName, info.cipherSuite, + info.keaTypeName, info.authAlgorithmName, info.symCipherName, + info.effectiveKeyBits, info.macAlgorithmName, + enabled ? "Enabled" : "Disabled", + info.isFIPS ? "FIPS" : "", + info.nonStandard ? "nonStandard" : ""); + } + +out: + rv = NSS_Shutdown(); + if (rv != SECSuccess) { + err = PR_GetError(); + ++errCount; + fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err)); + } + + return errCount; +} -- cgit v1.2.3