Bug 1875158 - set NSS policy flags based on the value of the security…

….tls.enable_kyber pref. r=keeler Differential Revision: https://phabricator.services.mozilla.com/D198864
dothq · Jan 17, 2024 · 1c596d8 · 1c596d8
1 parent 2adac05
commit 1c596d8
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
@@ -1032,6 +1032,15 @@ void SetDeprecatedTLS1CipherPrefs() {
   }
 }
 
+// static
+void SetKyberPolicy() {
+  if (StaticPrefs::security_tls_enable_kyber()) {
+    NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, NSS_USE_ALG_IN_SSL_KX, 0);
+  } else {
+    NSS_SetAlgorithmPolicy(SEC_OID_XYBER768D00, 0, NSS_USE_ALG_IN_SSL_KX);
+  }
+}
+
 nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
                                             const char* aTopic,
                                             const char16_t* someData) {
@@ -1048,6 +1057,7 @@ nsresult CipherSuiteChangeObserver::Observe(nsISupports* /*aSubject*/,
       }
     }
     SetDeprecatedTLS1CipherPrefs();
+    SetKyberPolicy();
     nsNSSComponent::DoClearSSLExternalAndInternalSessionCache();
   } else if (nsCRT::strcmp(aTopic, NS_XPCOM_SHUTDOWN_OBSERVER_ID) == 0) {
     Preferences::RemoveObserver(this, "security.");
@@ -2485,6 +2495,8 @@ nsresult InitializeCipherSuite() {
   // an override to do so, but they already do for such devices).
   NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 512);
 
+  SetKyberPolicy();
+
   // Observe preference change around cipher suite setting.
   return CipherSuiteChangeObserver::StartObserve();
 }