Revert 138795 - Revert "nss: revert encrypted and origin bound certificates support."

Cleaning up git-svn mess with drover. TBR=agl@chromium.org Review URL: https://chromiumcodereview.appspot.com/10451012 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@138796 0039d316-1c4b-4281-b951-d872f2087c98
author: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-05-24 15:02:51 +0000
committer: agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2012-05-24 15:02:51 +0000
commit: 9123652116e1261111cfb2306709ee305ffb5bf2 (patch)
tree: 7f53febadf5e99e225b308c0c843e53e39c63b64 /net
parent: 478df839eb3260d4b2602c7e6a8f5d6294213eef (diff)
download: chromium_src-9123652116e1261111cfb2306709ee305ffb5bf2.zip
chromium_src-9123652116e1261111cfb2306709ee305ffb5bf2.tar.gz
chromium_src-9123652116e1261111cfb2306709ee305ffb5bf2.tar.bz2
16 files changed, 194 insertions, 889 deletions
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index 9e23cc8..034182b 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -564,6 +564,8 @@ enum SecondLevelDomainName {
 
   DOMAIN_AKAMAIHD_NET,
 
+  DOMAIN_TOR2WEB_ORG,
+
   // Boundary value for UMA_HISTOGRAM_ENUMERATION:
   DOMAIN_NUM_EVENTS
 };
diff --git a/net/base/transport_security_state_static.certs b/net/base/transport_security_state_static.certs
index 0857bfb..20a4901 100644
--- a/net/base/transport_security_state_static.certs
+++ b/net/base/transport_security_state_static.certs
@@ -1105,3 +1105,59 @@ GwnpXtlR22ciYaQqPEh346B8pt5zohQDhT37qw4wxYMWM4ETCJ57NE7fQMh017l9
 3PR2VX2bY1QY6fDq81yx2YtCHrnAlU66+tXifPVoYb+O7AWXX1uw16OFNMQkpw0P
 lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
 -----END CERTIFICATE-----
+
+Tor2web
+-----BEGIN CERTIFICATE-----
+MIIEgjCCA2qgAwIBAgISESHiIwbyj8tbXjvCF3lADzOxMA0GCSqGSIb3DQEBBQUA
+MC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQDExBBbHBoYVNTTCBDQSAtIEcy
+MB4XDTExMTIwNTEyMzYzMVoXDTE2MTIwNTA0NTk1OFowSDELMAkGA1UEBhMCREUx
+ITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEWMBQGA1UEAxQNKi50
+b3Iyd2ViLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJZ/olAy
+7o+W0soGoxD5xWXGVKa3cQdv/daqwDyFhGINhVgsm3GS3Oo2XLAYvyvlUFceuy2v
+fRecb431lh7xtLhPpr5nZL/T0cjUxffstxSt5HI5BQ5Q/TFLA4iJQDzJgiNld0DJ
+RYd8gGADwh5cVBjvAtRouUbFw75b1/4hR3kJnQsHutvglLjWHmZtf/ZoZ39CbR1a
+LBJpEPoWkVqJ9LrvgA+aJ1wmi+oKLfSYQkDEn30DBeVxBZBp6tRc93eGqK1skzpG
+2Sof9cmlRNIXp8plYBvtsV3LKrFlBXvQRr+hhpjrqGNib02ynyJdRij7tOCLHfqW
+UitjVQVOWoGs49MCAwEAAaOCAX4wggF6MA4GA1UdDwEB/wQEAwIFoDBNBgNVHSAE
+RjBEMEIGCisGAQQBoDIBCgowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv
+YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wJQYDVR0RBB4wHIINKi50b3Iyd2ViLm9y
+Z4ILdG9yMndlYi5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDIuYWxwaGFzc2wu
+Y29tL2dzL2dzYWxwaGFnMi5jcmwwTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzAC
+hjBodHRwOi8vc2VjdXJlMi5hbHBoYXNzbC5jb20vY2FjZXJ0L2dzYWxwaGFnMi5j
+cnQwHQYDVR0OBBYEFLE3Bo2XTl90LORxYwgr2pPD06tSMB8GA1UdIwQYMBaAFBTq
+GVXwDg0yxh90M7eOZhpMEjEeMA0GCSqGSIb3DQEBBQUAA4IBAQAyOUFr9R7EKzPP
+B8UsWT5ckA/TNlOqbdo6fvqshQfH/FHUQja28IbYcpBiC2XsMov+r7WNiH3lh1CF
+WKT1SwfO6a0I/58CL36pL/asWv/onlDYgAsCwr1j7qcSiROZlpLD+tehiCE70afa
++3VlyoGsbKVZ2A7MrXnxIaYhmhe4Y+238PwyBT74fpBvwoFIcbccwWEST8J2y2YW
+4+SWm4pJtcJxJH/uJ8qzvZLwjzcgFKQbBLVtl+SRAblFSj64YuO9Xu97+nta1HuL
+fmLvlwIO/yvONapjePASH6prPdmWvj3Clqz381mkU1pLpxTgHQqeoP87DYi8z084
++maO9AY4
+-----END CERTIFICATE-----
+
+AlphaSSL_G2
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgILBAAAAAABL07hNwIwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
+MDBaFw0yMjA0MTMxMDAwMDBaMC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQD
+ExBBbHBoYVNTTCBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAw/BliN8b3caChy/JC7pUxmM/RnWsSxQfmHKLHBD/CalSbi9l32WEP1+Bstjx
+T9fwWrvJr9Ax3SZGKpme2KmjtrgHxMlx95WE79LqH1Sg5b7kQSFWMRBkfR5jjpxx
+XDygLt5n3MiaIPB1yLC2J4Hrlw3uIkWlwi80J+zgWRJRsx4F5Tgg0mlZelkXvhpL
+OQgSeTObZGj+WIHdiAxqulm0ryRPYeDK/Bda0jxyq6dMt7nqLeP0P5miTcgdWPh/
+UzWO1yKIt2F2CBMTaWawV1kTMQpwgiuT1/biQBXQHQFyxxNYalrsGYkWPODIjYYq
++jfwNTLd7OX+gI73BWe0i0J1NQIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFBTqGVXwDg0yxh90M7eOZhpM
+EjEeMEUGA1UdIAQ+MDwwOgYEVR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3
+dy5hbHBoYXNzbC5jb20vcmVwb3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0
+cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8w
+LQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAf
+BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUFAAOC
+AQEABjBCm89JAn6J6fWDWj0C87yyRt5KUO65mpBz2qBcJsqCrA6ts5T6KC6y5kk/
+UHcOlS9o82U8nxTyaGCStvwEDfakGKFpYA3jnWhbvJ4LOFmNIdoj+pmKCbkfpy61
+VWxH50Hs5uJ/r1VEOeCsdO5l0/qrUUgw8T53be3kD0CY7kd/jbZYJ82Sb2AjzAKb
+WSh4olGd0Eqc5ZNemI/L7z/K/uCvpMlbbkBYpZItvV1lVcW/fARB2aS1gOmUYAIQ
+OGoICNdTHC2Tr8kTe9RsxDrE+4CsuzpOVHrNTrM+7fH8EU6f9fMUvLmxMc72qi+l
++MPpZqmyIJ3E+LgDYqeF0RhjWw==
+-----END CERTIFICATE-----
diff --git a/net/base/transport_security_state_static.h b/net/base/transport_security_state_static.h
index 743d146..3ff0a18 100644
--- a/net/base/transport_security_state_static.h
+++ b/net/base/transport_security_state_static.h
@@ -1243,6 +1243,68 @@ lZPvy5TYnh+dXIVtx6quTx8itc2VrbqnzPmrC3p/
 static const char kSPKIHash_GTECyberTrustGlobalRoot[] =
     "sha1/WXkS3mF11m/EI7d3E3THlt5viHI=";
 
+#if 0
+-----BEGIN CERTIFICATE-----
+MIIEgjCCA2qgAwIBAgISESHiIwbyj8tbXjvCF3lADzOxMA0GCSqGSIb3DQEBBQUA
+MC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQDExBBbHBoYVNTTCBDQSAtIEcy
+MB4XDTExMTIwNTEyMzYzMVoXDTE2MTIwNTA0NTk1OFowSDELMAkGA1UEBhMCREUx
+ITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEWMBQGA1UEAxQNKi50
+b3Iyd2ViLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJZ/olAy
+7o+W0soGoxD5xWXGVKa3cQdv/daqwDyFhGINhVgsm3GS3Oo2XLAYvyvlUFceuy2v
+fRecb431lh7xtLhPpr5nZL/T0cjUxffstxSt5HI5BQ5Q/TFLA4iJQDzJgiNld0DJ
+RYd8gGADwh5cVBjvAtRouUbFw75b1/4hR3kJnQsHutvglLjWHmZtf/ZoZ39CbR1a
+LBJpEPoWkVqJ9LrvgA+aJ1wmi+oKLfSYQkDEn30DBeVxBZBp6tRc93eGqK1skzpG
+2Sof9cmlRNIXp8plYBvtsV3LKrFlBXvQRr+hhpjrqGNib02ynyJdRij7tOCLHfqW
+UitjVQVOWoGs49MCAwEAAaOCAX4wggF6MA4GA1UdDwEB/wQEAwIFoDBNBgNVHSAE
+RjBEMEIGCisGAQQBoDIBCgowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xv
+YmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wJQYDVR0RBB4wHIINKi50b3Iyd2ViLm9y
+Z4ILdG9yMndlYi5vcmcwCQYDVR0TBAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybDIuYWxwaGFzc2wu
+Y29tL2dzL2dzYWxwaGFnMi5jcmwwTAYIKwYBBQUHAQEEQDA+MDwGCCsGAQUFBzAC
+hjBodHRwOi8vc2VjdXJlMi5hbHBoYXNzbC5jb20vY2FjZXJ0L2dzYWxwaGFnMi5j
+cnQwHQYDVR0OBBYEFLE3Bo2XTl90LORxYwgr2pPD06tSMB8GA1UdIwQYMBaAFBTq
+GVXwDg0yxh90M7eOZhpMEjEeMA0GCSqGSIb3DQEBBQUAA4IBAQAyOUFr9R7EKzPP
+B8UsWT5ckA/TNlOqbdo6fvqshQfH/FHUQja28IbYcpBiC2XsMov+r7WNiH3lh1CF
+WKT1SwfO6a0I/58CL36pL/asWv/onlDYgAsCwr1j7qcSiROZlpLD+tehiCE70afa
++3VlyoGsbKVZ2A7MrXnxIaYhmhe4Y+238PwyBT74fpBvwoFIcbccwWEST8J2y2YW
+4+SWm4pJtcJxJH/uJ8qzvZLwjzcgFKQbBLVtl+SRAblFSj64YuO9Xu97+nta1HuL
+fmLvlwIO/yvONapjePASH6prPdmWvj3Clqz381mkU1pLpxTgHQqeoP87DYi8z084
++maO9AY4
+-----END CERTIFICATE-----
+#endif
+static const char kSPKIHash_Tor2web[] =
+    "sha1/GeW1hxvUgy7I9ZSX/sZe+0jjM7E=";
+
+#if 0
+-----BEGIN CERTIFICATE-----
+MIIELzCCAxegAwIBAgILBAAAAAABL07hNwIwDQYJKoZIhvcNAQEFBQAwVzELMAkG
+A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
+b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xMTA0MTMxMDAw
+MDBaFw0yMjA0MTMxMDAwMDBaMC4xETAPBgNVBAoTCEFscGhhU1NMMRkwFwYDVQQD
+ExBBbHBoYVNTTCBDQSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAw/BliN8b3caChy/JC7pUxmM/RnWsSxQfmHKLHBD/CalSbi9l32WEP1+Bstjx
+T9fwWrvJr9Ax3SZGKpme2KmjtrgHxMlx95WE79LqH1Sg5b7kQSFWMRBkfR5jjpxx
+XDygLt5n3MiaIPB1yLC2J4Hrlw3uIkWlwi80J+zgWRJRsx4F5Tgg0mlZelkXvhpL
+OQgSeTObZGj+WIHdiAxqulm0ryRPYeDK/Bda0jxyq6dMt7nqLeP0P5miTcgdWPh/
+UzWO1yKIt2F2CBMTaWawV1kTMQpwgiuT1/biQBXQHQFyxxNYalrsGYkWPODIjYYq
++jfwNTLd7OX+gI73BWe0i0J1NQIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEG
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFBTqGVXwDg0yxh90M7eOZhpM
+EjEeMEUGA1UdIAQ+MDwwOgYEVR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3
+dy5hbHBoYXNzbC5jb20vcmVwb3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0
+cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8w
+LQYIKwYBBQUHMAGGIWh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAf
+BgNVHSMEGDAWgBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUFAAOC
+AQEABjBCm89JAn6J6fWDWj0C87yyRt5KUO65mpBz2qBcJsqCrA6ts5T6KC6y5kk/
+UHcOlS9o82U8nxTyaGCStvwEDfakGKFpYA3jnWhbvJ4LOFmNIdoj+pmKCbkfpy61
+VWxH50Hs5uJ/r1VEOeCsdO5l0/qrUUgw8T53be3kD0CY7kd/jbZYJ82Sb2AjzAKb
+WSh4olGd0Eqc5ZNemI/L7z/K/uCvpMlbbkBYpZItvV1lVcW/fARB2aS1gOmUYAIQ
+OGoICNdTHC2Tr8kTe9RsxDrE+4CsuzpOVHrNTrM+7fH8EU6f9fMUvLmxMc72qi+l
++MPpZqmyIJ3E+LgDYqeF0RhjWw==
+-----END CERTIFICATE-----
+#endif
+static const char kSPKIHash_AlphaSSL_G2[] =
+    "sha1/5STpjjF9yPytkFN8kecNpHCTkF8=";
+
 // The following is static data describing the hosts that are hardcoded with
 // certificate pins or HSTS information.
 
@@ -1364,6 +1426,16 @@ static const char* const kTwitterCDNAcceptableCerts[] = {
   kNoRejectedPublicKeys, \
 }
 
+static const char* const kTor2webAcceptableCerts[] = {
+  kSPKIHash_AlphaSSL_G2,
+  kSPKIHash_Tor2web,
+  NULL,
+};
+#define kTor2webPins { \
+  kTor2webAcceptableCerts, \
+  kNoRejectedPublicKeys, \
+}
+
 #define kNoPins {\
   NULL, NULL, \
 }
@@ -1482,6 +1554,8 @@ static const struct HSTSPreload kPreloadedSTS[] = {
   {22, true, "\020braintreegateway\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {23, false, "\021braintreepayments\003com", true, kNoPins, DOMAIN_NOT_PINNED },
   {27, false, "\003www\021braintreepayments\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {24, false, "\022emailprivacytester\003com", true, kNoPins, DOMAIN_NOT_PINNED },
+  {13, true, "\007tor2web\003org", false, kTor2webPins, DOMAIN_TOR2WEB_ORG },
 };
 static const size_t kNumPreloadedSTS = ARRAYSIZE_UNSAFE(kPreloadedSTS);
 
diff --git a/net/base/transport_security_state_static.json b/net/base/transport_security_state_static.json
index c387ceb..9efd38a 100644
--- a/net/base/transport_security_state_static.json
+++ b/net/base/transport_security_state_static.json
@@ -123,6 +123,13 @@
         "UTNUSERFirstObject",
         "GTECyberTrustGlobalRoot"
       ]
+    },
+    {
+      "name": "tor2web",
+      "static_spki_hashes": [
+        "AlphaSSL_G2",
+        "Tor2web"
+      ]
     }
   ],
 
@@ -259,6 +266,7 @@
     { "name": "braintreepayments.com", "mode": "force-https" },
     { "name": "www.braintreepayments.com", "mode": "force-https" },
     { "name": "emailprivacytester.com", "mode": "force-https" },
+    { "name": "tor2web.org", "include_subdomains": true, "pins": "tor2web" },
 
     // Entries that are only valid if the client supports SNI.
     { "name": "gmail.com", "mode": "force-https", "pins": "google", "snionly": true },
diff --git a/net/base/transport_security_state_static_generate.go b/net/base/transport_security_state_static_generate.go
index 03694f9..9b119e8 100644
--- a/net/base/transport_security_state_static_generate.go
+++ b/net/base/transport_security_state_static_generate.go
@@ -38,7 +38,7 @@ type pin struct {
 	name         string
 	cert         *x509.Certificate
 	spkiHash     []byte
-	spkiHashFunc string  // i.e. "sha1"
+	spkiHashFunc string // i.e. "sha1"
 }
 
 // preloaded represents the information contained in the
@@ -59,7 +59,7 @@ type pinset struct {
 type hsts struct {
 	Name       string `json:"name"`
 	Subdomains bool   `json:"include_subdomains"`
-	Mode       string   `json:"mode"`
+	Mode       string `json:"mode"`
 	Pins       string `json:"pins"`
 	SNIOnly    bool   `json:"snionly"`
 }
@@ -283,13 +283,21 @@ func matchNames(name, v string) error {
 	if strings.HasSuffix(firstWord, ",") {
 		firstWord = firstWord[:len(firstWord)-1]
 	}
+	if strings.HasPrefix(firstWord, "*.") {
+		firstWord = firstWord[2:]
+	}
 	if pos := strings.Index(firstWord, "."); pos != -1 {
 		firstWord = firstWord[:pos]
 	}
 	if pos := strings.Index(firstWord, "-"); pos != -1 {
 		firstWord = firstWord[:pos]
 	}
-	if !strings.HasPrefix(v, firstWord) {
+	if len(firstWord) == 0 {
+		return errors.New("first word of certificate name is empty")
+	}
+	firstWord = strings.ToLower(firstWord)
+	lowerV := strings.ToLower(v)
+	if !strings.HasPrefix(lowerV, firstWord) {
 		return errors.New("the first word of the certificate name isn't a prefix of the variable name")
 	}
 
@@ -456,7 +464,7 @@ func toDNS(s string) (string, int) {
 		name += label
 		l += len(label) + 1
 	}
-	l += 1  // For the length of the root label.
+	l += 1 // For the length of the root label.
 
 	return name, l
 }
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index cf15d5e..ed99bbf 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -2083,12 +2083,9 @@ SECStatus SSLClientSocketNSS::OwnAuthCertHandler(void* arg,
 
 // static
 bool SSLClientSocketNSS::DomainBoundCertNegotiated(PRFileDesc* socket) {
-  PRBool xtn_negotiated = PR_FALSE;
-  SECStatus rv = SSL_HandshakeNegotiatedExtension(
-      socket, ssl_ob_cert_xtn, &xtn_negotiated);
-  DCHECK_EQ(SECSuccess, rv);
-
-  return xtn_negotiated ? true : false;
+  // TODO(wtc,mattm): this is temporary while DBC support is changed into
+  // Channel ID.
+  return false;
 }
 
 SECStatus SSLClientSocketNSS::DomainBoundClientAuthHandler(
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 5e80af8..3f14a7a 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -40,11 +40,6 @@ Patches:
     patches/didhandshakeresume.patch
     https://bugzilla.mozilla.org/show_bug.cgi?id=731798
 
-  * Support origin bound certificates.
-    http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt
-    https://bugzilla.mozilla.org/show_bug.cgi?id=680292
-    patches/origin_bound_certs.patch
-
   * Add a function to restart a handshake after a client certificate request.
     patches/restartclientauth.patch
 
@@ -53,10 +48,6 @@ Patches:
     https://bugzilla.mozilla.org/show_bug.cgi?id=681839
     patches/negotiatedextension.patch
 
-  * Support the encrypted client certificates extension.
-    https://bugzilla.mozilla.org/show_bug.cgi?id=692154
-    patches/encryptedclientcerts.patch
-
   * Add function to retrieve TLS client cert types requested by server.
     https://bugzilla.mozilla.org/show_bug.cgi?id=51413
     patches/getrequestedclientcerttypes.patch
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index 55167bf..b713a46 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -24,16 +24,12 @@ patch -p6 < $patches_dir/clientauth.patch
 
 patch -p6 < $patches_dir/didhandshakeresume.patch
 
-patch -p6 < $patches_dir/origin_bound_certs.patch
-
 patch -p6 < $patches_dir/negotiatedextension.patch
 
 patch -p6 < $patches_dir/getrequestedclientcerttypes.patch
 
 patch -p6 < $patches_dir/restartclientauth.patch
 
-patch -p6 < $patches_dir/encryptedclientcerts.patch
-
 patch -p4 < $patches_dir/dtls.patch
 
 patch -p5 < $patches_dir/falsestartnpn.patch
diff --git a/net/third_party/nss/patches/encryptedclientcerts.patch b/net/third_party/nss/patches/encryptedclientcerts.patch
deleted file mode 100644
index 35ea585..0000000
--- a/net/third_party/nss/patches/encryptedclientcerts.patch
+++ /dev/null
@@ -1,390 +0,0 @@
-diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
---- a/src/net/third_party/nss/ssl/ssl.h	2012-03-19 13:49:12.517522610 -0700
-+++ b/src/net/third_party/nss/ssl/ssl.h	2012-03-19 13:49:29.507749795 -0700
-@@ -186,6 +186,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
- #define SSL_CBC_RANDOM_IV 23
- #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
- #define SSL_ENABLE_OB_CERTS            25 /* Enable origin bound certs.     */
-+#define SSL_ENCRYPT_CLIENT_CERTS       26 /* Enable encrypted client certs. */
- 
- #ifdef SSL_DEPRECATED_FUNCTION 
- /* Old deprecated function names */
-diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
---- a/src/net/third_party/nss/ssl/sslimpl.h	2012-03-19 13:49:12.557523144 -0700
-+++ b/src/net/third_party/nss/ssl/sslimpl.h	2012-03-19 13:49:29.507749795 -0700
-@@ -350,6 +350,7 @@ typedef struct sslOptionsStr {
-     unsigned int cbcRandomIV            : 1;  /* 24 */
-     unsigned int enableOCSPStapling     : 1;  /* 25 */
-     unsigned int enableOBCerts          : 1;  /* 26 */
-+    unsigned int encryptClientCerts     : 1;  /* 27 */
- } sslOptions;
- 
- typedef enum { sslHandshakingUndetermined = 0,
-diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
---- a/src/net/third_party/nss/ssl/ssl3con.c	2012-03-19 13:49:12.527522744 -0700
-+++ b/src/net/third_party/nss/ssl/ssl3con.c	2012-03-19 13:49:29.507749795 -0700
-@@ -2882,7 +2882,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
- 
-     ss->ssl3.prSpec  = ss->ssl3.crSpec;
-     ss->ssl3.crSpec  = prSpec;
--    ss->ssl3.hs.ws   = wait_finished;
-+
-+    if (ss->sec.isServer &&
-+	ss->opt.requestCertificate &&
-+	ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+	ss->ssl3.hs.ws = wait_client_cert;
-+    } else {
-+	ss->ssl3.hs.ws = wait_finished;
-+    }
- 
-     SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
- 		SSL_GETPID(), ss->fd ));
-@@ -4898,10 +4905,11 @@ loser:
- static SECStatus
- ssl3_SendCertificateVerify(sslSocket *ss)
- {
--    SECStatus     rv		= SECFailure;
--    PRBool        isTLS;
--    SECItem       buf           = {siBuffer, NULL, 0};
--    SSL3Hashes    hashes;
-+    SECStatus      rv		= SECFailure;
-+    PRBool         isTLS;
-+    SECItem        buf		= {siBuffer, NULL, 0};
-+    SSL3Hashes     hashes;
-+    ssl3CipherSpec *spec;
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-@@ -4910,13 +4918,17 @@ ssl3_SendCertificateVerify(sslSocket *ss
- 		SSL_GETPID(), ss->fd));
- 
-     ssl_GetSpecReadLock(ss);
--    rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
-+    spec = ss->ssl3.pwSpec;
-+    if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+	spec = ss->ssl3.cwSpec;
-+    }
-+    rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
-     ssl_ReleaseSpecReadLock(ss);
-     if (rv != SECSuccess) {
- 	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
-     }
- 
--    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
-+    isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
-     if (ss->ssl3.platformClientKey) {
- #ifdef NSS_PLATFORM_CLIENT_AUTH
- 	rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
-@@ -5924,6 +5936,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
- {
-     SECStatus rv;
-     PRBool sendClientCert;
-+    PRBool sendEmptyCert;
-+    int n = 0, i;
-+    typedef SECStatus (*SendFunction)(sslSocket*);
-+    SendFunction  send_funcs[5];
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-@@ -5970,35 +5986,40 @@ ssl3_SendClientSecondRound(sslSocket *ss
- 
-     ssl_GetXmitBufLock(ss);		/*******************************/
- 
--    if (ss->ssl3.sendEmptyCert) {
--	ss->ssl3.sendEmptyCert = PR_FALSE;
--	rv = ssl3_SendEmptyCertificate(ss);
--	/* Don't send verify */
--	if (rv != SECSuccess) {
--	    goto loser;	/* error code is set. */
--    	}
--    } else if (sendClientCert) {
--	rv = ssl3_SendCertificate(ss);
--	if (rv != SECSuccess) {
--	    goto loser;	/* error code is set. */
--    	}
--    }
-+    sendEmptyCert = ss->ssl3.sendEmptyCert;
-+    ss->ssl3.sendEmptyCert = PR_FALSE;
- 
--    rv = ssl3_SendClientKeyExchange(ss);
--    if (rv != SECSuccess) {
--    	goto loser;	/* err is set. */
-+    if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+	send_funcs[n++] = ssl3_SendClientKeyExchange;
-+	send_funcs[n++] = ssl3_SendChangeCipherSpecs;
-+	if (sendEmptyCert) {
-+	    send_funcs[n++] = ssl3_SendEmptyCertificate;
-+	}
-+	if (sendClientCert) {
-+	    send_funcs[n++] = ssl3_SendCertificate;
-+	    send_funcs[n++] = ssl3_SendCertificateVerify;
-+	}
-+    } else {
-+	if (sendEmptyCert) {
-+	    send_funcs[n++] = ssl3_SendEmptyCertificate;
-+	}
-+	if (sendClientCert) {
-+	    send_funcs[n++] = ssl3_SendCertificate;
-+	}
-+	send_funcs[n++] = ssl3_SendClientKeyExchange;
-+	if (sendClientCert) {
-+	    send_funcs[n++] = ssl3_SendCertificateVerify;
-+	}
-+	send_funcs[n++] = ssl3_SendChangeCipherSpecs;
-     }
- 
--    if (sendClientCert) {
--	rv = ssl3_SendCertificateVerify(ss);
--	if (rv != SECSuccess) {
--	    goto loser;	/* err is set. */
--        }
--    }
-+    PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]));
- 
--    rv = ssl3_SendChangeCipherSpecs(ss);
--    if (rv != SECSuccess) {
--	goto loser;	/* err code was set. */
-+    for (i = 0; i < n; i++) {
-+	rv = send_funcs[i](ss);
-+	if (rv != SECSuccess) {
-+	    goto loser;	/* err code was set. */
-+	}
-     }
- 
-     /* XXX: If the server's certificate hasn't been authenticated by this
-@@ -6213,8 +6234,13 @@ ssl3_SendServerHelloSequence(sslSocket *
- 	return rv;		/* err code is set. */
-     }
- 
--    ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
--                                               : wait_client_key;
-+    if (ss->opt.requestCertificate &&
-+	!ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+	ss->ssl3.hs.ws = wait_client_cert;
-+    } else {
-+	ss->ssl3.hs.ws = wait_client_key;
-+    }
-+
-     return SECSuccess;
- }
- 
-@@ -7458,7 +7484,11 @@ ssl3_HandleCertificateVerify(sslSocket *
- 	desc    = isTLS ? decode_error : illegal_parameter;
- 	goto alert_loser;	/* malformed */
-     }
--    ss->ssl3.hs.ws = wait_change_cipher;
-+    if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+	ss->ssl3.hs.ws = wait_finished;
-+    } else {
-+	ss->ssl3.hs.ws = wait_change_cipher;
-+    }
-     return SECSuccess;
- 
- alert_loser:
-@@ -8358,7 +8388,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS
- 	}
-     } else {
- server_no_cert:
--	ss->ssl3.hs.ws = wait_client_key;
-+	if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+	    ss->ssl3.hs.ws = wait_cert_verify;
-+	} else {
-+	    ss->ssl3.hs.ws = wait_client_key;
-+	}
-     }
- 
-     PORT_Assert(rv == SECSuccess);
-@@ -8968,6 +9002,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s
- 	if (type == finished) {
- 	    sender = ss->sec.isServer ? sender_client : sender_server;
- 	    rSpec  = ss->ssl3.crSpec;
-+	} else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-+	    rSpec  = ss->ssl3.crSpec;
- 	}
- 	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
-     }
-diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
---- a/src/net/third_party/nss/ssl/ssl3ext.c	2012-03-19 12:50:32.610015524 -0700
-+++ b/src/net/third_party/nss/ssl/ssl3ext.c	2012-03-19 13:49:29.507749795 -0700
-@@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr
- 			PRUint16 ex_type, SECItem *data);
- static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
- 					       PRUint32 maxBytes);
-+static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
-+    PRUint16 ex_type, SECItem *data);
-+static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
-+    PRUint16 ex_type, SECItem *data);
-+static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
-+    PRBool append, PRUint32 maxBytes);
- 
- /*
-  * Write bytes.  Using this function means the SECItem structure
-@@ -240,6 +246,7 @@ static const ssl3HelloExtensionHandler c
-     { ssl_ec_point_formats_xtn,   &ssl3_HandleSupportedPointFormatsXtn },
- #endif
-     { ssl_session_ticket_xtn,     &ssl3_ServerHandleSessionTicketXtn },
-+    { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn },
-     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
-     { ssl_ob_cert_xtn,            &ssl3_ServerHandleOBCertXtn },
-@@ -252,6 +259,7 @@ static const ssl3HelloExtensionHandler s
-     { ssl_server_name_xtn,        &ssl3_HandleServerNameXtn },
-     /* TODO: add a handler for ssl_ec_point_formats_xtn */
-     { ssl_session_ticket_xtn,     &ssl3_ClientHandleSessionTicketXtn },
-+    { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn },
-     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
-     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
-@@ -279,6 +287,7 @@ ssl3HelloExtensionSender clientHelloSend
-     { ssl_ec_point_formats_xtn,   &ssl3_SendSupportedPointFormatsXtn },
- #endif
-     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
-+    { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
-     { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
-     { ssl_ob_cert_xtn,            &ssl3_SendOBCertXtn }
-@@ -1082,6 +1091,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc
-     return SECSuccess;
- }
- 
-+static SECStatus
-+ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
-+	                                 SECItem *data)
-+{
-+    if (data->len != 0)
-+	return SECFailure;
-+
-+    /* Keep track of negotiated extensions. */
-+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+    return SECSuccess;
-+}
-+
- SECStatus
- ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
-                                   SECItem *data)
-@@ -1495,6 +1516,24 @@ loser:
-     return rv;
- }
- 
-+static SECStatus
-+ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
-+	                                 SECItem *data)
-+{
-+    SECStatus rv = SECSuccess;
-+
-+    if (data->len != 0)
-+	return SECFailure;
-+
-+    if (ss->opt.encryptClientCerts) {
-+	ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+	rv = ssl3_RegisterServerHelloExtensionSender(
-+	    ss, ex_type, ssl3_SendEncryptedClientCertsXtn);
-+    }
-+
-+    return rv;
-+}
-+
- /*
-  * Read bytes.  Using this function means the SECItem structure
-  * cannot be freed.  The caller is expected to call this function
-@@ -1694,6 +1733,33 @@ ssl3_SendRenegotiationInfoXtn(
-     return needed;
- }
- 
-+static PRInt32
-+ssl3_SendEncryptedClientCertsXtn(
-+			sslSocket * ss,
-+			PRBool      append,
-+			PRUint32    maxBytes)
-+{
-+    PRInt32 needed;
-+
-+    if (!ss->opt.encryptClientCerts)
-+	return 0;
-+
-+    needed = 4; /* two bytes of type and two of length. */
-+    if (append && maxBytes >= needed) {
-+	SECStatus rv;
-+	rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2);
-+	if (rv != SECSuccess)
-+	    return -1;
-+	rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2);
-+	if (rv != SECSuccess)
-+	    return -1;
-+	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-+	    ssl_encrypted_client_certs;
-+    }
-+
-+    return needed;
-+}
-+
- /* This function runs in both the client and server.  */
- static SECStatus
- ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
-diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
---- a/src/net/third_party/nss/ssl/sslsock.c	2012-03-19 12:59:07.586991902 -0700
-+++ b/src/net/third_party/nss/ssl/sslsock.c	2012-03-19 13:49:29.517749929 -0700
-@@ -188,6 +188,7 @@ static sslOptions ssl_defaults = {
-     PR_TRUE,    /* cbcRandomIV        */
-     PR_FALSE,   /* enableOCSPStapling */
-     PR_FALSE,   /* enableOBCerts */
-+    PR_FALSE,   /* encryptClientCerts */
- };
- 
- /*
-@@ -826,6 +827,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- 	ss->opt.enableOBCerts = on;
- 	break;
- 
-+      case SSL_ENCRYPT_CLIENT_CERTS:
-+	ss->opt.encryptClientCerts = on;
-+	break;
-+
-       default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
- 	rv = SECFailure;
-@@ -897,6 +902,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
-     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
-     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
-     case SSL_ENABLE_OB_CERTS:     on = ss->opt.enableOBCerts;      break;
-+    case SSL_ENCRYPT_CLIENT_CERTS:
-+                                  on = ss->opt.encryptClientCerts; break;
- 
-     default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -959,6 +966,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
- 	on = ssl_defaults.enableOCSPStapling;
- 	break;
-     case SSL_ENABLE_OB_CERTS:     on = ssl_defaults.enableOBCerts;      break;
-+    case SSL_ENCRYPT_CLIENT_CERTS:
-+                                  on = ssl_defaults.encryptClientCerts; break;
- 
-     default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1126,6 +1135,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
- 	ssl_defaults.enableOBCerts = on;
- 	break;
- 
-+      case SSL_ENCRYPT_CLIENT_CERTS:
-+	ssl_defaults.encryptClientCerts = on;
-+	break;
-+
-       default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
- 	return SECFailure;
-diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
---- a/src/net/third_party/nss/ssl/sslt.h	2012-03-19 12:50:32.610015524 -0700
-+++ b/src/net/third_party/nss/ssl/sslt.h	2012-03-19 13:49:29.517749929 -0700
-@@ -214,10 +214,11 @@ typedef enum {
- #endif
-     ssl_session_ticket_xtn           = 35,
-     ssl_next_proto_nego_xtn          = 13172,
-+    ssl_encrypted_client_certs       = 13180,	/* not IANA assigned.  */
-     ssl_renegotiation_info_xtn       = 0xff01,	/* experimental number */
-     ssl_ob_cert_xtn                  = 13175	/* experimental number */
- } SSLExtensionType;
- 
--#define SSL_MAX_EXTENSIONS             8
-+#define SSL_MAX_EXTENSIONS             9
- 
- #endif /* __sslt_h_ */
diff --git a/net/third_party/nss/patches/origin_bound_certs.patch b/net/third_party/nss/patches/origin_bound_certs.patch
deleted file mode 100644
index 18d60ad..0000000
--- a/net/third_party/nss/patches/origin_bound_certs.patch
+++ /dev/null
@@ -1,219 +0,0 @@
-diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
---- a/src/net/third_party/nss/ssl/ssl.h	2012-02-29 14:41:25.755295547 -0800
-+++ b/src/net/third_party/nss/ssl/ssl.h	2012-02-29 16:45:47.368569394 -0800
-@@ -168,6 +168,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
-  */
- #define SSL_CBC_RANDOM_IV 23
- #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
-+#define SSL_ENABLE_OB_CERTS            25 /* Enable origin bound certs.     */
- 
- #ifdef SSL_DEPRECATED_FUNCTION 
- /* Old deprecated function names */
-diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
---- a/src/net/third_party/nss/ssl/ssl3ext.c	2012-02-28 20:34:50.114663722 -0800
-+++ b/src/net/third_party/nss/ssl/ssl3ext.c	2012-02-29 17:05:21.684414824 -0800
-@@ -242,6 +242,7 @@ static const ssl3HelloExtensionHandler c
-     { ssl_session_ticket_xtn,     &ssl3_ServerHandleSessionTicketXtn },
-     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
-+    { ssl_ob_cert_xtn,            &ssl3_ServerHandleOBCertXtn },
-     { -1, NULL }
- };
- 
-@@ -254,6 +255,7 @@ static const ssl3HelloExtensionHandler s
-     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
-     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
-+    { ssl_ob_cert_xtn,            &ssl3_ClientHandleOBCertXtn },
-     { -1, NULL }
- };
- 
-@@ -278,7 +280,8 @@ ssl3HelloExtensionSender clientHelloSend
- #endif
-     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
--    { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn }
-+    { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
-+    { ssl_ob_cert_xtn,            &ssl3_SendOBCertXtn }
-     /* any extra entries will appear as { 0, NULL }    */
- };
- 
-@@ -1723,3 +1726,80 @@ ssl3_HandleRenegotiationInfoXtn(sslSocke
-     return rv;
- }
- 
-+/* This sender is used by both the client and server. */
-+PRInt32
-+ssl3_SendOBCertXtn(sslSocket * ss, PRBool append,
-+		   PRUint32 maxBytes)
-+{
-+    SECStatus rv;
-+    PRUint32 extension_length;
-+  
-+    if (!ss)
-+        return 0;
-+    
-+    if (!ss->opt.enableOBCerts)
-+        return 0;
-+
-+    /* extension length = extension_type (2-bytes) +
-+     * length(extension_data) (2-bytes) +
-+     */
-+
-+    extension_length = 4;
-+
-+    if (append && maxBytes >= extension_length) {
-+        /* extension_type */
-+        rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2); 
-+        if (rv != SECSuccess) return -1;
-+        /* length of extension_data */
-+        rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 
-+        if (rv != SECSuccess) return -1;
-+
-+	if (!ss->sec.isServer) {
-+	    TLSExtensionData *xtnData = &ss->xtnData;
-+	    xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn;
-+	}
-+    }
-+
-+    return extension_length;
-+}
-+
-+SECStatus
-+ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
-+			   SECItem *data)
-+{
-+    SECStatus rv;
-+
-+    /* Ignore the OBCert extension if it is disabled. */
-+    if (!ss->opt.enableOBCerts)
-+	return SECSuccess;
-+
-+    /* The echoed extension must be empty. */
-+    if (data->len != 0)
-+	return SECFailure;
-+
-+    /* Keep track of negotiated extensions. */
-+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+
-+    rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
-+						 ssl3_SendOBCertXtn);
-+
-+    return SECSuccess;
-+}
-+
-+SECStatus
-+ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
-+			   SECItem *data)
-+{
-+    /* If we didn't request this extension, then the server may not echo it. */
-+    if (!ss->opt.enableOBCerts)
-+	return SECFailure;
-+
-+    /* The echoed extension must be empty. */
-+    if (data->len != 0)
-+	return SECFailure;
-+
-+    /* Keep track of negotiated extensions. */
-+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+
-+    return SECSuccess;
-+}
-diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
---- a/src/net/third_party/nss/ssl/sslimpl.h	2012-02-28 20:34:50.114663722 -0800
-+++ b/src/net/third_party/nss/ssl/sslimpl.h	2012-02-29 16:57:21.097919853 -0800
-@@ -349,6 +349,7 @@ typedef struct sslOptionsStr {
-     unsigned int enableFalseStart       : 1;  /* 23 */
-     unsigned int cbcRandomIV            : 1;  /* 24 */
-     unsigned int enableOCSPStapling     : 1;  /* 25 */
-+    unsigned int enableOBCerts          : 1;  /* 26 */
- } sslOptions;
- 
- typedef enum { sslHandshakingUndetermined = 0,
-@@ -1563,8 +1564,12 @@ extern SECStatus ssl3_ClientHandleSessio
- 			PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
- 			PRUint16 ex_type, SECItem *data);
-+extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss,
-+			PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
- 			PRUint16 ex_type, SECItem *data);
-+extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss,
-+			PRUint16 ex_type, SECItem *data);
- 
- /* ClientHello and ServerHello extension senders.
-  * Note that not all extension senders are exposed here; only those that
-@@ -1580,6 +1585,8 @@ extern PRInt32 ssl3_ClientSendStatusRequ
-  */
- extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
-                      PRUint32 maxBytes);
-+extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append,
-+			PRUint32 maxBytes);
- 
- /* Assigns new cert, cert chain and keys to ss->serverCerts
-  * struct. If certChain is NULL, tries to find one. Aborts if
-diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
---- a/src/net/third_party/nss/ssl/sslsock.c	2012-02-29 14:41:25.755295547 -0800
-+++ b/src/net/third_party/nss/ssl/sslsock.c	2012-02-29 17:03:16.272715683 -0800
-@@ -187,6 +187,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,   /* enableFalseStart   */
-     PR_TRUE,    /* cbcRandomIV        */
-     PR_FALSE,   /* enableOCSPStapling */
-+    PR_FALSE,   /* enableOBCerts */
- };
- 
- sslSessionIDLookupFunc  ssl_sid_lookup;
-@@ -750,6 +751,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- 	ss->opt.enableOCSPStapling = on;
- 	break;
- 
-+      case SSL_ENABLE_OB_CERTS:
-+	ss->opt.enableOBCerts = on;
-+	break;
-+
-       default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
- 	rv = SECFailure;
-@@ -816,6 +821,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
-     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
-     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
-     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
-+    case SSL_ENABLE_OB_CERTS:     on = ss->opt.enableOBCerts;      break;
- 
-     default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -873,6 +879,7 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
-     case SSL_ENABLE_OCSP_STAPLING:
- 	on = ssl_defaults.enableOCSPStapling;
- 	break;
-+    case SSL_ENABLE_OB_CERTS:     on = ssl_defaults.enableOBCerts;      break;
- 
-     default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1036,6 +1043,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
- 	ssl_defaults.enableOCSPStapling = on;
- 	break;
- 
-+      case SSL_ENABLE_OB_CERTS:
-+	ssl_defaults.enableOBCerts = on;
-+	break;
-+
-       default:
- 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
- 	return SECFailure;
-diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
---- a/src/net/third_party/nss/ssl/sslt.h	2012-02-28 19:26:04.057351342 -0800
-+++ b/src/net/third_party/nss/ssl/sslt.h	2012-02-29 17:05:03.744171015 -0800
-@@ -205,9 +205,10 @@ typedef enum {
- #endif
-     ssl_session_ticket_xtn           = 35,
-     ssl_next_proto_nego_xtn          = 13172,
--    ssl_renegotiation_info_xtn       = 0xff01	/* experimental number */
-+    ssl_renegotiation_info_xtn       = 0xff01,	/* experimental number */
-+    ssl_ob_cert_xtn                  = 13175	/* experimental number */
- } SSLExtensionType;
- 
--#define SSL_MAX_EXTENSIONS             7
-+#define SSL_MAX_EXTENSIONS             8
- 
- #endif /* __sslt_h_ */
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 8885575..1368e2f 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -191,8 +191,6 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
  */
 #define SSL_CBC_RANDOM_IV 23
 #define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
-#define SSL_ENABLE_OB_CERTS            25 /* Enable origin bound certs.     */
-#define SSL_ENCRYPT_CLIENT_CERTS       26 /* Enable encrypted client certs. */
 
 #ifdef SSL_DEPRECATED_FUNCTION 
 /* Old deprecated function names */
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index 55e4901..db9fad3 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -2991,14 +2991,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf)
 
     ss->ssl3.prSpec  = ss->ssl3.crSpec;
     ss->ssl3.crSpec  = prSpec;
-
-    if (ss->sec.isServer &&
-	ss->opt.requestCertificate &&
-	ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-	ss->ssl3.hs.ws = wait_client_cert;
-    } else {
-	ss->ssl3.hs.ws = wait_finished;
-    }
+    ss->ssl3.hs.ws   = wait_finished;
 
     SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
 		SSL_GETPID(), ss->fd ));
@@ -5087,11 +5080,10 @@ loser:
 static SECStatus
 ssl3_SendCertificateVerify(sslSocket *ss)
 {
-    SECStatus      rv		= SECFailure;
-    PRBool         isTLS;
-    SECItem        buf		= {siBuffer, NULL, 0};
-    SSL3Hashes     hashes;
-    ssl3CipherSpec *spec;
+    SECStatus     rv		= SECFailure;
+    PRBool        isTLS;
+    SECItem       buf           = {siBuffer, NULL, 0};
+    SSL3Hashes    hashes;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ -5100,17 +5092,13 @@ ssl3_SendCertificateVerify(sslSocket *ss)
 		SSL_GETPID(), ss->fd));
 
     ssl_GetSpecReadLock(ss);
-    spec = ss->ssl3.pwSpec;
-    if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-	spec = ss->ssl3.cwSpec;
-    }
-    rv = ssl3_ComputeHandshakeHashes(ss, spec, &hashes, 0);
+    rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
     ssl_ReleaseSpecReadLock(ss);
     if (rv != SECSuccess) {
 	goto done;	/* err code was set by ssl3_ComputeHandshakeHashes */
     }
 
-    isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     if (ss->ssl3.platformClientKey) {
 #ifdef NSS_PLATFORM_CLIENT_AUTH
 	rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
@@ -6165,10 +6153,6 @@ ssl3_SendClientSecondRound(sslSocket *ss)
 {
     SECStatus rv;
     PRBool sendClientCert;
-    PRBool sendEmptyCert;
-    int n = 0, i;
-    typedef SECStatus (*SendFunction)(sslSocket*);
-    SendFunction  send_funcs[5];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
@@ -6215,40 +6199,35 @@ ssl3_SendClientSecondRound(sslSocket *ss)
 
     ssl_GetXmitBufLock(ss);		/*******************************/
 
-    sendEmptyCert = ss->ssl3.sendEmptyCert;
-    ss->ssl3.sendEmptyCert = PR_FALSE;
-
-    if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-	send_funcs[n++] = ssl3_SendClientKeyExchange;
-	send_funcs[n++] = ssl3_SendChangeCipherSpecs;
-	if (sendEmptyCert) {
-	    send_funcs[n++] = ssl3_SendEmptyCertificate;
-	}
-	if (sendClientCert) {
-	    send_funcs[n++] = ssl3_SendCertificate;
-	    send_funcs[n++] = ssl3_SendCertificateVerify;
-	}
-    } else {
-	if (sendEmptyCert) {
-	    send_funcs[n++] = ssl3_SendEmptyCertificate;
-	}
-	if (sendClientCert) {
-	    send_funcs[n++] = ssl3_SendCertificate;
-	}
-	send_funcs[n++] = ssl3_SendClientKeyExchange;
-	if (sendClientCert) {
-	    send_funcs[n++] = ssl3_SendCertificateVerify;
-	}
-	send_funcs[n++] = ssl3_SendChangeCipherSpecs;
+    if (ss->ssl3.sendEmptyCert) {
+	ss->ssl3.sendEmptyCert = PR_FALSE;
+	rv = ssl3_SendEmptyCertificate(ss);
+	/* Don't send verify */
+	if (rv != SECSuccess) {
+	    goto loser;	/* error code is set. */
+    	}
+    } else if (sendClientCert) {
+	rv = ssl3_SendCertificate(ss);
+	if (rv != SECSuccess) {
+	    goto loser;	/* error code is set. */
+    	}
     }
 
-    PORT_Assert(n <= sizeof(send_funcs)/sizeof(send_funcs[0]));
+    rv = ssl3_SendClientKeyExchange(ss);
+    if (rv != SECSuccess) {
+    	goto loser;	/* err is set. */
+    }
 
-    for (i = 0; i < n; i++) {
-	rv = send_funcs[i](ss);
+    if (sendClientCert) {
+	rv = ssl3_SendCertificateVerify(ss);
 	if (rv != SECSuccess) {
-	    goto loser;	/* err code was set. */
-	}
+	    goto loser;	/* err is set. */
+        }
+    }
+
+    rv = ssl3_SendChangeCipherSpecs(ss);
+    if (rv != SECSuccess) {
+	goto loser;	/* err code was set. */
     }
 
     /* XXX: If the server's certificate hasn't been authenticated by this
@@ -6463,13 +6442,8 @@ ssl3_SendServerHelloSequence(sslSocket *ss)
 	return rv;		/* err code is set. */
     }
 
-    if (ss->opt.requestCertificate &&
-	!ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-	ss->ssl3.hs.ws = wait_client_cert;
-    } else {
-	ss->ssl3.hs.ws = wait_client_key;
-    }
-
+    ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
+                                               : wait_client_key;
     return SECSuccess;
 }
 
@@ -7766,11 +7740,7 @@ ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
 	desc    = isTLS ? decode_error : illegal_parameter;
 	goto alert_loser;	/* malformed */
     }
-    if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-	ss->ssl3.hs.ws = wait_finished;
-    } else {
-	ss->ssl3.hs.ws = wait_change_cipher;
-    }
+    ss->ssl3.hs.ws = wait_change_cipher;
     return SECSuccess;
 
 alert_loser:
@@ -8683,11 +8653,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	}
     } else {
 server_no_cert:
-	if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-	    ss->ssl3.hs.ws = wait_cert_verify;
-	} else {
-	    ss->ssl3.hs.ws = wait_client_key;
-	}
+	ss->ssl3.hs.ws = wait_client_key;
     }
 
     PORT_Assert(rv == SECSuccess);
@@ -9302,8 +9268,6 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 	if (type == finished) {
 	    sender = ss->sec.isServer ? sender_client : sender_server;
 	    rSpec  = ss->ssl3.crSpec;
-	} else if (ssl3_ExtensionNegotiated(ss, ssl_encrypted_client_certs)) {
-	    rSpec  = ss->ssl3.crSpec;
 	}
 	rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
     }
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index 6d5866b..b9fd6e7 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -84,12 +84,6 @@ static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
 			PRUint16 ex_type, SECItem *data);
 static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
 					       PRUint32 maxBytes);
-static SECStatus ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss,
-    PRUint16 ex_type, SECItem *data);
-static SECStatus ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss,
-    PRUint16 ex_type, SECItem *data);
-static PRInt32 ssl3_SendEncryptedClientCertsXtn(sslSocket *ss,
-    PRBool append, PRUint32 maxBytes);
 
 /*
  * Write bytes.  Using this function means the SECItem structure
@@ -246,10 +240,8 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
     { ssl_ec_point_formats_xtn,   &ssl3_HandleSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,     &ssl3_ServerHandleSessionTicketXtn },
-    { ssl_encrypted_client_certs, &ssl3_ServerHandleEncryptedClientCertsXtn },
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
-    { ssl_ob_cert_xtn,            &ssl3_ServerHandleOBCertXtn },
     { -1, NULL }
 };
 
@@ -259,11 +251,9 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
     { ssl_server_name_xtn,        &ssl3_HandleServerNameXtn },
     /* TODO: add a handler for ssl_ec_point_formats_xtn */
     { ssl_session_ticket_xtn,     &ssl3_ClientHandleSessionTicketXtn },
-    { ssl_encrypted_client_certs, &ssl3_ClientHandleEncryptedClientCertsXtn },
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
-    { ssl_ob_cert_xtn,            &ssl3_ClientHandleOBCertXtn },
     { -1, NULL }
 };
 
@@ -287,10 +277,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_ec_point_formats_xtn,   &ssl3_SendSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
-    { ssl_encrypted_client_certs, &ssl3_SendEncryptedClientCertsXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
-    { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
-    { ssl_ob_cert_xtn,            &ssl3_SendOBCertXtn }
+    { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn }
     /* any extra entries will appear as { 0, NULL }    */
 };
 
@@ -1099,18 +1087,6 @@ ssl3_ClientHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
     return SECSuccess;
 }
 
-static SECStatus
-ssl3_ClientHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
-	                                 SECItem *data)
-{
-    if (data->len != 0)
-	return SECFailure;
-
-    /* Keep track of negotiated extensions. */
-    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-    return SECSuccess;
-}
-
 SECStatus
 ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
                                   SECItem *data)
@@ -1524,24 +1500,6 @@ loser:
     return rv;
 }
 
-static SECStatus
-ssl3_ServerHandleEncryptedClientCertsXtn(sslSocket *ss, PRUint16 ex_type,
-	                                 SECItem *data)
-{
-    SECStatus rv = SECSuccess;
-
-    if (data->len != 0)
-	return SECFailure;
-
-    if (ss->opt.encryptClientCerts) {
-	ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-	rv = ssl3_RegisterServerHelloExtensionSender(
-	    ss, ex_type, ssl3_SendEncryptedClientCertsXtn);
-    }
-
-    return rv;
-}
-
 /*
  * Read bytes.  Using this function means the SECItem structure
  * cannot be freed.  The caller is expected to call this function
@@ -1741,33 +1699,6 @@ ssl3_SendRenegotiationInfoXtn(
     return needed;
 }
 
-static PRInt32
-ssl3_SendEncryptedClientCertsXtn(
-			sslSocket * ss,
-			PRBool      append,
-			PRUint32    maxBytes)
-{
-    PRInt32 needed;
-
-    if (!ss->opt.encryptClientCerts)
-	return 0;
-
-    needed = 4; /* two bytes of type and two of length. */
-    if (append && maxBytes >= needed) {
-	SECStatus rv;
-	rv = ssl3_AppendHandshakeNumber(ss, ssl_encrypted_client_certs, 2);
-	if (rv != SECSuccess)
-	    return -1;
-	rv = ssl3_AppendHandshakeNumber(ss, 0 /* length */, 2);
-	if (rv != SECSuccess)
-	    return -1;
-	ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-	    ssl_encrypted_client_certs;
-    }
-
-    return needed;
-}
-
 /* This function runs in both the client and server.  */
 static SECStatus
 ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
@@ -1799,80 +1730,3 @@ ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
     return rv;
 }
 
-/* This sender is used by both the client and server. */
-PRInt32
-ssl3_SendOBCertXtn(sslSocket * ss, PRBool append,
-		   PRUint32 maxBytes)
-{
-    SECStatus rv;
-    PRUint32 extension_length;
-  
-    if (!ss)
-        return 0;
-    
-    if (!ss->opt.enableOBCerts)
-        return 0;
-
-    /* extension length = extension_type (2-bytes) +
-     * length(extension_data) (2-bytes) +
-     */
-
-    extension_length = 4;
-
-    if (append && maxBytes >= extension_length) {
-        /* extension_type */
-        rv = ssl3_AppendHandshakeNumber(ss, ssl_ob_cert_xtn, 2); 
-        if (rv != SECSuccess) return -1;
-        /* length of extension_data */
-        rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2); 
-        if (rv != SECSuccess) return -1;
-
-	if (!ss->sec.isServer) {
-	    TLSExtensionData *xtnData = &ss->xtnData;
-	    xtnData->advertised[xtnData->numAdvertised++] = ssl_ob_cert_xtn;
-	}
-    }
-
-    return extension_length;
-}
-
-SECStatus
-ssl3_ServerHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
-			   SECItem *data)
-{
-    SECStatus rv;
-
-    /* Ignore the OBCert extension if it is disabled. */
-    if (!ss->opt.enableOBCerts)
-	return SECSuccess;
-
-    /* The echoed extension must be empty. */
-    if (data->len != 0)
-	return SECFailure;
-
-    /* Keep track of negotiated extensions. */
-    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-
-    rv = ssl3_RegisterServerHelloExtensionSender(ss, ex_type,
-						 ssl3_SendOBCertXtn);
-
-    return SECSuccess;
-}
-
-SECStatus
-ssl3_ClientHandleOBCertXtn(sslSocket *ss, PRUint16 ex_type,
-			   SECItem *data)
-{
-    /* If we didn't request this extension, then the server may not echo it. */
-    if (!ss->opt.enableOBCerts)
-	return SECFailure;
-
-    /* The echoed extension must be empty. */
-    if (data->len != 0)
-	return SECFailure;
-
-    /* Keep track of negotiated extensions. */
-    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-
-    return SECSuccess;
-}
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 4991aca..8ab865a 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -356,8 +356,6 @@ typedef struct sslOptionsStr {
     unsigned int enableFalseStart       : 1;  /* 23 */
     unsigned int cbcRandomIV            : 1;  /* 24 */
     unsigned int enableOCSPStapling     : 1;  /* 25 */
-    unsigned int enableOBCerts          : 1;  /* 26 */
-    unsigned int encryptClientCerts     : 1;  /* 27 */
 } sslOptions;
 
 typedef enum { sslHandshakingUndetermined = 0,
@@ -1702,12 +1700,8 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
 			PRUint16 ex_type, SECItem *data);
 extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
 			PRUint16 ex_type, SECItem *data);
-extern SECStatus ssl3_ClientHandleOBCertXtn(sslSocket *ss,
-			PRUint16 ex_type, SECItem *data);
 extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
 			PRUint16 ex_type, SECItem *data);
-extern SECStatus ssl3_ServerHandleOBCertXtn(sslSocket *ss,
-			PRUint16 ex_type, SECItem *data);
 
 /* ClientHello and ServerHello extension senders.
  * Note that not all extension senders are exposed here; only those that
@@ -1723,8 +1717,6 @@ extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
  */
 extern PRInt32 ssl3_SendServerNameXtn(sslSocket *ss, PRBool append,
                      PRUint32 maxBytes);
-extern PRInt32 ssl3_SendOBCertXtn(sslSocket *ss, PRBool append,
-			PRUint32 maxBytes);
 
 /* Assigns new cert, cert chain and keys to ss->serverCerts
  * struct. If certChain is NULL, tries to find one. Aborts if
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
index 3364902..ebc245a 100644
--- a/net/third_party/nss/ssl/sslsock.c
+++ b/net/third_party/nss/ssl/sslsock.c
@@ -187,8 +187,6 @@ static sslOptions ssl_defaults = {
     PR_FALSE,   /* enableFalseStart   */
     PR_TRUE,    /* cbcRandomIV        */
     PR_FALSE,   /* enableOCSPStapling */
-    PR_FALSE,   /* enableOBCerts */
-    PR_FALSE,   /* encryptClientCerts */
 };
 
 /*
@@ -866,14 +864,6 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
 	ss->opt.enableOCSPStapling = on;
 	break;
 
-      case SSL_ENABLE_OB_CERTS:
-	ss->opt.enableOBCerts = on;
-	break;
-
-      case SSL_ENCRYPT_CLIENT_CERTS:
-	ss->opt.encryptClientCerts = on;
-	break;
-
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	rv = SECFailure;
@@ -944,9 +934,6 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
-    case SSL_ENABLE_OB_CERTS:     on = ss->opt.enableOBCerts;      break;
-    case SSL_ENCRYPT_CLIENT_CERTS:
-                                  on = ss->opt.encryptClientCerts; break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1008,9 +995,6 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
     case SSL_ENABLE_OCSP_STAPLING:
 	on = ssl_defaults.enableOCSPStapling;
 	break;
-    case SSL_ENABLE_OB_CERTS:     on = ssl_defaults.enableOBCerts;      break;
-    case SSL_ENCRYPT_CLIENT_CERTS:
-                                  on = ssl_defaults.encryptClientCerts; break;
 
     default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1174,14 +1158,6 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
 	ssl_defaults.enableOCSPStapling = on;
 	break;
 
-      case SSL_ENABLE_OB_CERTS:
-	ssl_defaults.enableOBCerts = on;
-	break;
-
-      case SSL_ENCRYPT_CLIENT_CERTS:
-	ssl_defaults.encryptClientCerts = on;
-	break;
-
       default:
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
diff --git a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
index eddfffd..0636570 100644
--- a/net/third_party/nss/ssl/sslt.h
+++ b/net/third_party/nss/ssl/sslt.h
@@ -215,11 +215,9 @@ typedef enum {
 #endif
     ssl_session_ticket_xtn           = 35,
     ssl_next_proto_nego_xtn          = 13172,
-    ssl_encrypted_client_certs       = 13180,	/* not IANA assigned.  */
-    ssl_renegotiation_info_xtn       = 0xff01,	/* experimental number */
-    ssl_ob_cert_xtn                  = 13175	/* experimental number */
+    ssl_renegotiation_info_xtn       = 0xff01	/* experimental number */
 } SSLExtensionType;
 
-#define SSL_MAX_EXTENSIONS             9
+#define SSL_MAX_EXTENSIONS             7
 
 #endif /* __sslt_h_ */
author	agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-05-24 15:02:51 +0000
committer	agl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2012-05-24 15:02:51 +0000
commit	9123652116e1261111cfb2306709ee305ffb5bf2 (patch)
tree	7f53febadf5e99e225b308c0c843e53e39c63b64 /net
parent	478df839eb3260d4b2602c7e6a8f5d6294213eef (diff)
download	chromium_src-9123652116e1261111cfb2306709ee305ffb5bf2.zip chromium_src-9123652116e1261111cfb2306709ee305ffb5bf2.tar.gz chromium_src-9123652116e1261111cfb2306709ee305ffb5bf2.tar.bz2