Issue #1338 - Part 2: Update NSS to 3.48-RTM

1 files changed, 79 insertions, 6 deletions

diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c
index 520eeff64..6fa154106 100644
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -213,6 +213,9 @@ printSecurityInfo(PRFileDesc *fd)
                         " %u\n",
                 scts->len);
     }
+    if (channel.peerDelegCred) {
+        fprintf(stderr, "Received a Delegated Credential\n");
+    }
 }
 
 static void
@@ -221,7 +224,7 @@ PrintUsageHeader()
     fprintf(stderr,
             "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
             "  [-D | -d certdir] [-C] [-b | -R root-module] \n"
-            "  [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z]\n"
+            "  [-n nickname] [-Bafosvx] [-c ciphers] [-Y] [-Z] [-E]\n"
             "  [-V [min-version]:[max-version]] [-K] [-T] [-U]\n"
             "  [-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n"
             "  [-I groups] [-J signatureschemes]\n"
@@ -272,6 +275,7 @@ PrintParameterUsage()
     fprintf(stderr, "%-20s Enable false start.\n", "-g");
     fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
     fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
+    fprintf(stderr, "%-20s Enable the delegated credentials extension.\n", "-B");
     fprintf(stderr, "%-20s Require fresh revocation info from side channel.\n"
                     "%-20s -F once means: require for server cert only\n"
                     "%-20s -F twice means: require for intermediates, too\n"
@@ -311,6 +315,16 @@ PrintParameterUsage()
     fprintf(stderr, "%-20s Use DTLS\n", "-P {client, server}");
     fprintf(stderr, "%-20s Exit after handshake\n", "-Q");
     fprintf(stderr, "%-20s Encrypted SNI Keys\n", "-N");
+    fprintf(stderr, "%-20s Enable post-handshake authentication\n"
+                    "%-20s for TLS 1.3; need to specify -n\n",
+            "-E", "");
+    fprintf(stderr, "%-20s Export and print keying material after successful handshake.\n"
+                    "%-20s The argument is a comma separated list of exporters in the form:\n"
+                    "%-20s   LABEL[:OUTPUT-LENGTH[:CONTEXT]]\n"
+                    "%-20s where LABEL and CONTEXT can be either a free-form string or\n"
+                    "%-20s a hex string if it is preceded by \"0x\"; OUTPUT-LENGTH\n"
+                    "%-20s is a decimal integer.\n",
+            "-x", "", "", "", "", "");
 }
 
 static void
@@ -917,7 +931,7 @@ restartHandshakeAfterServerCertIfNeeded(PRFileDesc *fd,
                                         PRBool override)
 {
     SECStatus rv;
-    PRErrorCode error;
+    PRErrorCode error = 0;
 
     if (!serverCertAuth->isPaused)
         return SECSuccess;
@@ -989,6 +1003,10 @@ PRBool requestToExit = PR_FALSE;
 char *versionString = NULL;
 PRBool handshakeComplete = PR_FALSE;
 char *encryptedSNIKeys = NULL;
+PRBool enablePostHandshakeAuth = PR_FALSE;
+PRBool enableDelegatedCredentials = PR_FALSE;
+const secuExporter *enabledExporters = NULL;
+unsigned int enabledExporterCount = 0;
 
 static int
 writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb)
@@ -1084,6 +1102,18 @@ handshakeCallback(PRFileDesc *fd, void *client_data)
         requestToExit = PR_TRUE;
     }
     handshakeComplete = PR_TRUE;
+
+    if (enabledExporters) {
+        SECStatus rv;
+
+        rv = exportKeyingMaterials(fd, enabledExporters, enabledExporterCount);
+        if (rv != SECSuccess) {
+            PRErrorCode err = PR_GetError();
+            FPRINTF(stderr,
+                    "couldn't export keying material: %s\n",
+                    SECU_Strerror(err));
+        }
+    }
 }
 
 static SECStatus
@@ -1304,8 +1334,11 @@ run()
             }
             if (cipher > 0) {
                 rv = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED);
-                if (rv != SECSuccess)
+                if (rv != SECSuccess) {
                     SECU_PrintError(progName, "SSL_CipherPrefSet()");
+                    error = 1;
+                    goto done;
+                }
             } else {
                 Usage();
             }
@@ -1361,6 +1394,14 @@ run()
         goto done;
     }
 
+    /* enable negotiation of delegated credentials (draft-ietf-tls-subcerts) */
+    rv = SSL_OptionSet(s, SSL_ENABLE_DELEGATED_CREDENTIALS, enableDelegatedCredentials);
+    if (rv != SECSuccess) {
+        SECU_PrintError(progName, "error enabling delegated credentials");
+        error = 1;
+        goto done;
+    }
+
     /* enable extended master secret mode */
     if (enableExtendedMasterSecret) {
         rv = SSL_OptionSet(s, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
@@ -1410,6 +1451,15 @@ run()
         goto done;
     }
 
+    if (enablePostHandshakeAuth) {
+        rv = SSL_OptionSet(s, SSL_ENABLE_POST_HANDSHAKE_AUTH, PR_TRUE);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "error enabling post-handshake auth");
+            error = 1;
+            goto done;
+        }
+    }
+
     if (enabledGroups) {
         rv = SSL_NamedGroupConfig(s, enabledGroups, enabledGroupsCount);
         if (rv < 0) {
@@ -1702,12 +1752,11 @@ main(int argc, char **argv)
         }
     }
 
-    /* Note: 'B' was used in the past but removed in 3.28
-     *       'z' was removed in 3.39
+    /* Note: 'z' was removed in 3.39
      * Please leave some time before reusing these.
      */
     optstate = PL_CreateOptState(argc, argv,
-                                 "46A:CDFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:");
+                                 "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:x:");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
         switch (optstate->option) {
             case '?':
@@ -1730,6 +1779,10 @@ main(int argc, char **argv)
                 requestFile = PORT_Strdup(optstate->value);
                 break;
 
+            case 'B':
+                enableDelegatedCredentials = PR_TRUE;
+                break;
+
             case 'C':
                 ++dumpServerChain;
                 break;
@@ -1738,6 +1791,10 @@ main(int argc, char **argv)
                 openDB = PR_FALSE;
                 break;
 
+            case 'E':
+                enablePostHandshakeAuth = PR_TRUE;
+                break;
+
             case 'F':
                 if (serverCertAuth.testFreshStatusFromSideChannel) {
                     /* parameter given twice or more */
@@ -1947,6 +2004,17 @@ main(int argc, char **argv)
                     Usage();
                 }
                 break;
+
+            case 'x':
+                rv = parseExporters(optstate->value,
+                                    &enabledExporters,
+                                    &enabledExporterCount);
+                if (rv != SECSuccess) {
+                    PL_DestroyOptState(optstate);
+                    fprintf(stderr, "Bad exporter specified.\n");
+                    Usage();
+                }
+                break;
         }
     }
     PL_DestroyOptState(optstate);
@@ -1988,6 +2056,11 @@ main(int argc, char **argv)
         exit(1);
     }
 
+    if (enablePostHandshakeAuth && !nickname) {
+        fprintf(stderr, "%s: -E requires the use of -n\n", progName);
+        exit(1);
+    }
+
     PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
     PK11_SetPasswordFunc(SECU_GetModulePassword);