summaryrefslogtreecommitdiff
path: root/security/nss/cmd/listsuites/listsuites.c
blob: 8eb2c3553edf0affccf98ec236bad83ea1b393e1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/* This program demonstrates the use of SSL_GetCipherSuiteInfo to avoid
 * all compiled-in knowledge of SSL cipher suites.
 *
 * Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
 */

#include <errno.h>
#include <stdio.h>
#include "nss.h"
#include "secport.h"
#include "secutil.h"
#include "ssl.h"

int
main(int argc, char **argv)
{
    const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
    int i;
    int errCount = 0;
    SECStatus rv;
    PRErrorCode err;
    char *certDir = NULL;

    /* load policy from $SSL_DIR/pkcs11.txt, for testing */
    certDir = SECU_DefaultSSLDir();
    if (certDir) {
        rv = NSS_Init(certDir);
    } else {
        rv = NSS_NoDB_Init(NULL);
    }
    if (rv != SECSuccess) {
        err = PR_GetError();
        ++errCount;
        fprintf(stderr, "NSS_Init failed: %s\n", PORT_ErrorToString(err));
        goto out;
    }

    /* apply policy */
    rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
    if (rv != SECSuccess) {
        err = PR_GetError();
        ++errCount;
        fprintf(stderr, "NSS_SetAlgorithmPolicy failed: %s\n",
                PORT_ErrorToString(err));
        goto out;
    }

    /* update the default cipher suites according to the policy */
    rv = SSL_OptionSetDefault(SSL_SECURITY, PR_TRUE);
    if (rv != SECSuccess) {
        err = PR_GetError();
        ++errCount;
        fprintf(stderr, "SSL_OptionSetDefault failed: %s\n",
                PORT_ErrorToString(err));
        goto out;
    }

    fputs("This version of libSSL supports these cipher suites:\n\n", stdout);

    /* disable all the SSL3 cipher suites */
    for (i = 0; i < SSL_NumImplementedCiphers; i++) {
        PRUint16 suite = cipherSuites[i];
        SECStatus rv;
        PRBool enabled;
        PRErrorCode err;
        SSLCipherSuiteInfo info;

        rv = SSL_CipherPrefGetDefault(suite, &enabled);
        if (rv != SECSuccess) {
            err = PR_GetError();
            ++errCount;
            fprintf(stderr,
                    "SSL_CipherPrefGetDefault didn't like value 0x%04x (i = %d): %s\n",
                    suite, i, PORT_ErrorToString(err));
            continue;
        }
        rv = SSL_GetCipherSuiteInfo(suite, &info, (int)(sizeof info));
        if (rv != SECSuccess) {
            err = PR_GetError();
            ++errCount;
            fprintf(stderr,
                    "SSL_GetCipherSuiteInfo didn't like value 0x%04x (i = %d): %s\n",
                    suite, i, PORT_ErrorToString(err));
            continue;
        }
        fprintf(stdout,
                "%s:\n" /* up to 37 spaces  */
                "  0x%04hx %-5s %-5s %-8s %3hd %-6s %-8s %-4s Domestic %-11s\n",
                info.cipherSuiteName, info.cipherSuite,
                info.keaTypeName, info.authAlgorithmName, info.symCipherName,
                info.effectiveKeyBits, info.macAlgorithmName,
                enabled ? "Enabled" : "Disabled",
                info.isFIPS ? "FIPS" : "",
                info.nonStandard ? "nonStandard" : "");
    }

out:
    rv = NSS_Shutdown();
    if (rv != SECSuccess) {
        err = PR_GetError();
        ++errCount;
        fprintf(stderr, "NSS_Shutdown failed: %s\n", PORT_ErrorToString(err));
    }

    return errCount;
}