diff options
author | Daiki Ueno <dueno@redhat.com> | 2019-09-27 17:36:35 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2019-09-27 17:36:35 +0200 |
commit | 058733416a418b99efd4b4091fea4d23bdcb6bae (patch) | |
tree | 4d519131bed7520c8888a0952ab17f0726e0ccd3 /cmd/selfserv | |
parent | 6a0599347d881a2b6dee6dd1f996045605da08e2 (diff) | |
download | nss-hg-058733416a418b99efd4b4091fea4d23bdcb6bae.tar.gz |
Bug 1494063, add -x option to tstclnt/selfserv to export keying material, r=mt
Reviewers: rrelyea, mt
Reviewed By: mt
Subscribers: HubertKario
Bug #: 1494063
Differential Revision: https://phabricator.services.mozilla.com/D29166
Diffstat (limited to 'cmd/selfserv')
-rw-r--r-- | cmd/selfserv/selfserv.c | 36 |
1 files changed, 32 insertions, 4 deletions
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c index fb2d8d53c..03e39d67b 100644 --- a/cmd/selfserv/selfserv.c +++ b/cmd/selfserv/selfserv.c @@ -235,7 +235,13 @@ PrintParameterUsage() " rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512,\n" "-Z enable 0-RTT (for TLS 1.3; also use -u)\n" "-E enable post-handshake authentication\n" - " (for TLS 1.3; only has an effect with 3 or more -r options)\n", + " (for TLS 1.3; only has an effect with 3 or more -r options)\n" + "-x Export and print keying material after successful handshake\n" + " The argument is a comma separated list of exporters in the form:\n" + " LABEL[:OUTPUT-LENGTH[:CONTEXT]]\n" + " where LABEL and CONTEXT can be either a free-form string or\n" + " a hex string if it is preceded by \"0x\"; OUTPUT-LENGTH\n" + " is a decimal integer.\n", stderr); } @@ -812,6 +818,8 @@ SSLNamedGroup *enabledGroups = NULL; unsigned int enabledGroupsCount = 0; const SSLSignatureScheme *enabledSigSchemes = NULL; unsigned int enabledSigSchemeCount = 0; +const secuExporter *enabledExporters = NULL; +unsigned int enabledExporterCount = 0; static char *virtServerNameArray[MAX_VIRT_SERVER_NAME_ARRAY_INDEX]; static int virtServerNameIndex = 1; @@ -1822,6 +1830,15 @@ handshakeCallback(PRFileDesc *fd, void *client_data) SECITEM_FreeItem(hostInfo, PR_TRUE); } } + if (enabledExporters) { + SECStatus rv = exportKeyingMaterials(fd, enabledExporters, enabledExporterCount); + if (rv != SECSuccess) { + PRErrorCode err = PR_GetError(); + fprintf(stderr, + "couldn't export keying material: %s\n", + SECU_Strerror(err)); + } + } } void @@ -2012,7 +2029,7 @@ server_main( errExit("SSL_CipherPrefSetDefault:TLS_RSA_WITH_NULL_MD5"); } - if (expectedHostNameVal) { + if (expectedHostNameVal || enabledExporters) { SSL_HandshakeCallback(model_sock, handshakeCallback, (void *)expectedHostNameVal); } @@ -2246,11 +2263,11 @@ main(int argc, char **argv) /* please keep this list of options in ASCII collating sequence. ** numbers, then capital letters, then lower case, alphabetical. - ** XXX: 'B', 'E', 'q', and 'x' were used in the past but removed + ** XXX: 'B', and 'q' were used in the past but removed ** in 3.28, please leave some time before resuing those. ** 'z' was removed in 3.39. */ optstate = PL_CreateOptState(argc, argv, - "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:y"); + "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:x:y"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { ++optionsFound; switch (optstate->option) { @@ -2496,6 +2513,17 @@ main(int argc, char **argv) } break; + case 'x': + rv = parseExporters(optstate->value, + &enabledExporters, &enabledExporterCount); + if (rv != SECSuccess) { + PL_DestroyOptState(optstate); + fprintf(stderr, "Bad exporter specified.\n"); + fprintf(stderr, "Run '%s -h' for usage information.\n", progName); + exit(5); + } + break; + default: case '?': fprintf(stderr, "Unrecognized or bad option specified.\n"); |