author | Christopher Patton <chrispatton@gmail.com> | 2019-06-25 14:21:59 +1000 |
---|---|---|
committer | Christopher Patton <chrispatton@gmail.com> | 2019-06-25 14:21:59 +1000 |
commit | 62b1e1d91c19c50a5e4c2540fcf49f0d8cf073dd (patch) | |
tree | 0a740fbe2b15a3970fa0c373c74294d8202a68eb /cmd | |
parent | 89715eee6c2dbc17820977e466fb8b52a1e12784 (diff) | |
download | nss-hg-62b1e1d91c19c50a5e4c2540fcf49f0d8cf073dd.tar.gz |
Bug 1540403 - draft-ietf-tls-subcerts-03, r=mt,jcj
Differential Revision: https://phabricator.services.mozilla.com/D25654
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/selfserv/selfserv.c | 2 | ||||
-rw-r--r-- | cmd/tstclnt/tstclnt.c | 22 |
2 files changed, 20 insertions, 4 deletions
diff --git a/cmd/selfserv/selfserv.c b/cmd/selfserv/selfserv.c
index 56b5ec28b..f2b1273b3 100644
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -1926,7 +1926,7 @@ server_main(
 for (i = 0; i < certNicknameIndex; i++) {
 if (cert[i] != NULL) {
 const SSLExtraServerCertData ocspData = {
- ssl_auth_null, NULL, certStatus[i], NULL
+ ssl_auth_null, NULL, certStatus[i], NULL, NULL, NULL
 };
 secStatus = SSL_ConfigServerCert(model_sock, cert[i],
diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c
index bc0cbfa76..12c6df045 100644
--- a/cmd/tstclnt/tstclnt.c
+++ b/cmd/tstclnt/tstclnt.c
@@ -213,6 +213,9 @@ printSecurityInfo(PRFileDesc *fd)
 " %u\n",
 scts->len);
 }
+ if (channel.peerDelegCred) {
+ fprintf(stderr, "Received a Delegated Credential\n");
+ }
 }
 static void
@@ -272,6 +275,7 @@ PrintParameterUsage()
 fprintf(stderr, "%-20s Enable false start.\n", "-g");
 fprintf(stderr, "%-20s Enable the cert_status extension (OCSP stapling).\n", "-T");
 fprintf(stderr, "%-20s Enable the signed_certificate_timestamp extension.\n", "-U");
+ fprintf(stderr, "%-20s Enable the delegated credentials extension.\n", "-B");
 fprintf(stderr, "%-20s Require fresh revocation info from side channel.\n"
 "%-20s -F once means: require for server cert only\n"
 "%-20s -F twice means: require for intermediates, too\n"
@@ -993,6 +997,7 @@ char *versionString = NULL;
 PRBool handshakeComplete = PR_FALSE;
 char *encryptedSNIKeys = NULL;
 PRBool enablePostHandshakeAuth = PR_FALSE;
+PRBool enableDelegatedCredentials = PR_FALSE;
 static int
 writeBytesToServer(PRFileDesc *s, const PRUint8 *buf, int nb)
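Review bot: The added `channel.peerDelegCred` test in printSecurityInfo runs after the block that prints the SCT length, and nothing in the hunk shows that `channel` is known to be filled at that point. If the call that populates `channel` can fail, or returns a shorter structure than this build expects, the new test reads a field that was never written. Gate it on the same success and length check the function applies to the other channel fields; that check lies outside the hunk, so its scope needs confirming. A comment such as `/* peerDelegCred is only meaningful after the channel info was fetched successfully */` would record the dependency.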
@@ -1365,6 +1370,14 @@ run()
 goto done;
 }
+ /* enable negotiation of delegated credentials (draft-ietf-tls-subcerts) */
+ rv = SSL_OptionSet(s, SSL_ENABLE_DELEGATED_CREDENTIALS, enableDelegatedCredentials);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "error enabling delegated credentials");
+ error = 1;
+ goto done;
+ }
+
 /* enable extended master secret mode */
 if (enableExtendedMasterSecret) {
 rv = SSL_OptionSet(s, SSL_ENABLE_EXTENDED_MASTER_SECRET, PR_TRUE);
@@ -1715,12 +1728,11 @@ main(int argc, char **argv)
 }
 }
- /* Note: 'B' was used in the past but removed in 3.28
- * 'z' was removed in 3.39
+ /* Note: 'z' was removed in 3.39
 * Please leave some time before reusing these.
 */
 optstate = PL_CreateOptState(argc, argv,
- "46A:CDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:");
+ "46A:BCDEFGHI:J:KL:M:N:OP:QR:STUV:W:X:YZa:bc:d:fgh:m:n:op:qr:st:uvw:");
 while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 switch (optstate->option) {
 case '?':
@@ -1743,6 +1755,10 @@ main(int argc, char **argv)
 requestFile = PORT_Strdup(optstate->value);
 break;
+ case 'B':
+ enableDelegatedCredentials = PR_TRUE;
+ break;
+
 case 'C':
 ++dumpServerChain;
 break; |
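Review bot: In run(), `SSL_OptionSet(s, SSL_ENABLE_DELEGATED_CREDENTIALS, enableDelegatedCredentials)` is called on every connection, unlike the extended master secret block directly below it, which is guarded by its flag. Without -B the call switches the option off, yet a failure still prints "error enabling delegated credentials" and aborts the run. If forcing the option off is intended, so that the client never depends on the library default, the comment should say so: `/* set unconditionally: without -B the extension is explicitly disabled, whatever the library default */`. The message could then be worded neutrally, e.g. `"error setting delegated credentials option"`. run() starts and ends outside the hunk.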
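Review bot: The option string in main() reuses `-B`, and the rewritten comment drops the only record that the letter had an earlier meaning until 3.28. A script written for an older tstclnt that still passes -B will now enable delegated credentials, where it presumably was rejected as an unknown option in between. Keeping the history in the comment would help whoever debugs such a script: `/* Note: 'B' had a different meaning before 3.28 and now enables delegated credentials; 'z' was removed in 3.39 */`. main() continues outside the hunk.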