Add support to listsuites to list ciphers allowed by policy

Elio Maldonado 2016-07-08 12:07:05 -07:00
parent e666a29edf
commit 90700e6be2
2 changed files with 117 additions and 1 deletions

111
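--- a/listsuites-do-queries.patch
+++ b/listsuites-do-queries.patch
@@ -0,0 +1,111 @@
+--- ./cmd/listsuites/listsuites.c.do_queries 2016-05-17 00:58:45.000000000 -0700
++++ ./cmd/listsuites/listsuites.c 2016-06-23 09:39:10.563925342 -0700
+@@ -7,19 +7,48 @@
+*
+* Try: ./listsuites | grep -v : | sort -b +4rn -5 +1 -2 +2 -3 +3 -4 +5r -6
+*/
+#include <errno.h>
+#include <stdio.h>
+#include "secport.h"
+#include "ssl.h"
++#include "plgetopt.h"
++#include "secutil.h"
++#include "utilpars.h"
++#include "nspr.h"
++#include "nss.h"
++
++static const char *progName = "listsuites";
++char *ignoreVar;
++
++static char *policy_file_path(char *path)
++{
++ return (PR_Access(path, PR_ACCESS_READ_OK) == PR_SUCCESS) ? path : "";
++}
++
++static char *ignore_system_policy_value(char *var)
++{
++ ignoreVar = PR_GetEnvSecure(var);
++ return ignoreVar != NULL ? ignoreVar : "";
++}
++
++void Usage(const char *progName)
++{
++ fprintf(stderr,
++ "\nList cipher suites or parse a policy file or query\n"
++ "Usage: %s [-i policy_file] file to parse (default is list)\n",
++ progName);
++ exit(1);
++}
++
+int
+-main(int argc, char **argv)
++list_suites(void)
+{
+const PRUint16 *cipherSuites = SSL_ImplementedCiphers;
+int i;
+int errCount = 0;
+fputs("This version of libSSL supports these cipher suites:\n\n", stdout);
+/* disable all the SSL3 cipher suites */
+@@ -56,8 +85,58 @@
+info.effectiveKeyBits, info.macAlgorithmName,
+enabled ? "Enabled" : "Disabled",
+info.isFIPS ? "FIPS" : "",
+info.isExportable ? "Export" : "Domestic",
+info.nonStandard ? "nonStandard" : "");
+}
+return errCount;
+}
++
++int
++main(int argc, char **argv)
++{
++ PLOptState *optstate = NULL;
++ PLOptStatus status;
++ SECStatus rv;
++ FILE *inFile;
++ char *ev, *path;
++
++ optstate = PL_CreateOptState(argc, argv, "?hi:p:q:lL");
++ while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++ switch (optstate->option) {
++ case '?':
++ case 'h':
++ Usage(progName);
++ break;
++ case 'p':
++ path = (char *)optstate->value;
++ fprintf(stdout, "%s=%s\n", path, policy_file_path(path));
++ break;
++ case 'q':
++ ev = (char *)optstate->value;
++ fprintf(stdout, "%s=%s\n", ev, ignore_system_policy_value(ev));
++ break;
++ case 'i':
++ rv = SECSuccess;
++ inFile = fopen(optstate->value, "r");
++ if (!inFile) {
++ fprintf(stderr,
++ "%s: unable to open \"%s\" for reading\n",
++ progName, optstate->value);
++ return -1;
++ }
++ rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/
++ fclose(inFile);
++ return (rv == SECSuccess) ? 0 : 1;
++ break;
++ case 'l':
++ case 'L':
++ return list_suites();
++ break;
++ default:
++ Usage(progName);
++ break;
++ }
++ }
++
++ return 0;
++}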
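Review bot: The `-i` branch of the new main() can never report success: `rv = SECFailure;/*ParseCryptoPolicy(optstate->value);*/` leaves the parser call commented out, so the tool opens the file, closes it and exits 1 whatever the policy contains, while Usage() advertises `-i policy_file` as a working mode. Because the output of this tool is meant to show what the crypto policy allows, either wire the parser in or print an explicit "not implemented" message, so a script cannot mistake the constant status for a verdict on the policy. The option loop also ends without inspecting `status`, so a bare `listsuites` returns 0 with no output although the usage text says listing is the default, and an unrecognised flag appears to do the same if PL_GetNextOpt reports it as PL_OPT_BAD. Consider `if (status == PL_OPT_BAD) Usage(progName);` after the loop, a fall-back to `list_suites()` when no option was handled, and `PL_DestroyOptState(optstate);` before returning. The failed-fopen path returns -1, which a shell sees as 255 rather than the 1 used for the other failure.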


@ -21,7 +21,7 @@ Name: nss
Version: 3.25.0
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 5%{?dist}
Release: 6%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@ -100,6 +100,7 @@ Patch60: nss-conditionally-ignore-system-policy.patch
Patch62: nss-skip-util-gtest.patch
# TODO: file a bug upstream similar to the one for rsaperf
Patch70: nss-skip-ecperf.patch
Patch71: listsuites-do-queries.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -185,6 +186,7 @@ pushd nss
%patch60 -p1 -b .cond_ignore
%patch62 -p0 -b .skip_util_gtest
%patch70 -p1 -b .skip_ecperf
%patch71 -p1 -b .do_queries
popd
#########################################################
@ -794,6 +796,9 @@ fi
%changelog
* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
- Add support to listsuites to list ciphers allowed by policy
* Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
- Add support for conditionally ignoring the system policy (#1157720)
- Remove unneeded test scripts patches in order to run more tests