Bug 1406953, listsuites: Respect policy configuration, r=kaie

author: Daiki Ueno <dueno@redhat.com> 2017-10-18 22:32:09 +0200
committer: Daiki Ueno <dueno@redhat.com> 2017-10-18 22:32:09 +0200
commit: 8ff9758fd79084639cdb54a3e9faa9ba49d31a6d (patch)
tree: 03db466fbff68006913ac025c4cc99c16cefff4c /cmd/listsuites/listsuites.c
parent: 2528ba143836ddde078a12ccef6f62aaa9cfe8ae (diff)
download: nss-hg-8ff9758fd79084639cdb54a3e9faa9ba49d31a6d.tar.gz
1 files changed, 48 insertions, 0 deletions
diff --git a/cmd/listsuites/listsuites.c b/cmd/listsuites/listsuites.c
index 458130e5e..8eb2c3553 100644
--- a/cmd/listsuites/listsuites.c
+++ b/cmd/listsuites/listsuites.c
@@ -10,7 +10,9 @@
 
 #include <errno.h>
 #include <stdio.h>
+#include "nss.h"
 #include "secport.h"
+#include "secutil.h"
 #include "ssl.h"
 
 int
@@ -19,6 +21,43 @@ main(int argc, char **argv)
     const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
     int i;
     int errCount = 0;
+    SECStatus rv;
+    PRErrorCode err;
+    char *certDir = NULL;
+
+    /* load policy from $SSL_DIR/pkcs11.txt, for testing */
+    certDir = SECU_DefaultSSLDir();
+    if (certDir) {
+        rv = NSS_Init(certDir);
+    } else {
+        rv = NSS_NoDB_Init(NULL);
+    }
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err));
+        goto out;
+    }
+
+    /* apply policy */
+    rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n",
+                PORT_ErrorToString(err));
+        goto out;
+    }
+
+    /* update the default cipher suites according to the policy */
+    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "SSL_OptionSetDefault failed: %s\n",
+                PORT_ErrorToString(err));
+        goto out;
+    }
 
     fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
 
@@ -58,5 +97,14 @@ main(int argc, char **argv)
                 info.isFIPS ? "FIPS" : "",
                 info.nonStandard ? "nonStandard" : "");
     }
+
+out:
+    rv = NSS_Shutdown();
+    if (rv != SECSuccess) {
+        err = PR_GetError();
+        ++errCount;
+        fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err));
+    }
+
     return errCount;
 }
author	Daiki Ueno <dueno@redhat.com>	2017-10-18 22:32:09 +0200
committer	Daiki Ueno <dueno@redhat.com>	2017-10-18 22:32:09 +0200
commit	8ff9758fd79084639cdb54a3e9faa9ba49d31a6d (patch)
tree	03db466fbff68006913ac025c4cc99c16cefff4c /cmd/listsuites/listsuites.c
parent	2528ba143836ddde078a12ccef6f62aaa9cfe8ae (diff)
download	nss-hg-8ff9758fd79084639cdb54a3e9faa9ba49d31a6d.tar.gz