Bug 1562773 - Add a preference to enable Delegated Credentials in NSS r=keeler

This patch adds a new pref, "security.tls.enable_delegated_credentials",
default false, which controls the NSS option SSL_ENABLE_DELEGATED_CREDENTIALS.

Tests are in D37918.

Differential Revision: https://phabricator.services.mozilla.com/D37907

--HG--
extra : moz-landing-system : lando

security/manager/ssl/nsNSSComponent.cpp

@@ -1004,6 +1004,7 @@ static const bool ALPN_ENABLED_DEFAULT = false;
 static const bool ENABLED_0RTT_DATA_DEFAULT = false;
 static const bool HELLO_DOWNGRADE_CHECK_DEFAULT = false;
 static const bool ENABLED_POST_HANDSHAKE_AUTH_DEFAULT = false;
+static const bool DELEGATED_CREDENTIALS_ENABLED_DEFAULT = false;
 
 static void ConfigureTLSSessionIdentifiers() {
   bool disableSessionIdentifiers =
@@ -1760,6 +1761,11 @@ nsresult nsNSSComponent::InitializeNSS() {
       Preferences::GetBool("security.tls.enable_post_handshake_auth",
                            ENABLED_POST_HANDSHAKE_AUTH_DEFAULT));
 
+  SSL_OptionSetDefault(
+      SSL_ENABLE_DELEGATED_CREDENTIALS,
+      Preferences::GetBool("security.tls.enable_delegated_credentials",
+                           DELEGATED_CREDENTIALS_ENABLED_DEFAULT));
+
   rv = InitializeCipherSuite();
   MOZ_DIAGNOSTIC_ASSERT(NS_SUCCEEDED(rv));
   if (NS_FAILED(rv)) {
@@ -1936,6 +1942,12 @@ nsNSSComponent::Observe(nsISupports* aSubject, const char* aTopic,
           SSL_ENABLE_POST_HANDSHAKE_AUTH,
           Preferences::GetBool("security.tls.enable_post_handshake_auth",
                                ENABLED_POST_HANDSHAKE_AUTH_DEFAULT));
+    } else if (prefName.EqualsLiteral(
+                   "security.tls.enable_delegated_credentials")) {
+      SSL_OptionSetDefault(
+          SSL_ENABLE_DELEGATED_CREDENTIALS,
+          Preferences::GetBool("security.tls.enable_delegated_credentials",
+                               DELEGATED_CREDENTIALS_ENABLED_DEFAULT));
     } else if (prefName.EqualsLiteral(
                    "security.ssl.disable_session_identifiers")) {
       ConfigureTLSSessionIdentifiers();

security/manager/ssl/security-prefs.js

@@ -16,6 +16,7 @@ pref("security.tls.hello_downgrade_check", false);
 #else
 pref("security.tls.hello_downgrade_check", true);
 #endif
+pref("security.tls.enable_delegated_credentials", false);
 
 pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
 pref("security.ssl.require_safe_negotiation",  false);