authorwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-01-21 21:06:48 +0000
committerwtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-01-21 21:06:48 +0000
commit063a520f9f53b2d7af8cfb014e93d45a9368ac7c (patch)
treef0956665a1c97984b17dec946c7efc12de5b8849 /net
parent389eaeac5a4e3c785014b0a5ea9742bd3f5abe07 (diff)
Update net/third_party/nss to NSS 3.15.5 Beta 2.
alpn.patch and paddingextension.patch have been committed in the NSS upstream. In addition to calling SSL_SetNextProtoNego, the SSL_ENABLE_NPN and SSL_ENABLE_ALPN options need to be used to control whether each of NPN and ALPN will be negotiated. SSL_ENABLE_NPN is enabled by default, but we enable it explicitly to be safe. R=agl@chromium.org BUG=331625 TEST=none Review URL: https://codereview.chromium.org/142283002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@246110 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r--net/socket/ssl_client_socket_nss.cc8
-rw-r--r--net/third_party/nss/README.chromium13
-rw-r--r--net/third_party/nss/patches/aesgcmchromium.patch8
-rw-r--r--net/third_party/nss/patches/alpn.patch245
-rwxr-xr-xnet/third_party/nss/patches/applypatches.sh4
-rw-r--r--net/third_party/nss/patches/cachecerts.patch30
-rw-r--r--net/third_party/nss/patches/cachelocks.patch22
-rw-r--r--net/third_party/nss/patches/chacha20poly1305.patch34
-rw-r--r--net/third_party/nss/patches/channelid.patch123
-rw-r--r--net/third_party/nss/patches/cipherorder.patch24
-rw-r--r--net/third_party/nss/patches/clientauth.patch60
-rw-r--r--net/third_party/nss/patches/didhandshakeresume.patch12
-rw-r--r--net/third_party/nss/patches/fallbackscsv.patch94
-rw-r--r--net/third_party/nss/patches/getrequestedclientcerttypes.patch28
-rw-r--r--net/third_party/nss/patches/nssrwlock.patch22
-rw-r--r--net/third_party/nss/patches/paddingextension.patch138
-rw-r--r--net/third_party/nss/patches/paddingextensionall.patch12
-rw-r--r--net/third_party/nss/patches/restartclientauth.patch22
-rw-r--r--net/third_party/nss/patches/secitemarray.patch10
-rw-r--r--net/third_party/nss/patches/secretexporterlocks.patch4
-rw-r--r--net/third_party/nss/patches/sessioncache.patch14
-rw-r--r--net/third_party/nss/patches/signedcertificatetimestamps.patch171
-rw-r--r--net/third_party/nss/patches/tls12chromium.patch16
-rw-r--r--net/third_party/nss/patches/tlsunique.patch24
-rw-r--r--net/third_party/nss/ssl/ssl.h24
-rw-r--r--net/third_party/nss/ssl/ssl3con.c2
-rw-r--r--net/third_party/nss/ssl/ssl3ext.c67
-rw-r--r--net/third_party/nss/ssl/sslenum.c2
-rw-r--r--net/third_party/nss/ssl/sslimpl.h52
-rw-r--r--net/third_party/nss/ssl/sslnonce.c16
-rw-r--r--net/third_party/nss/ssl/sslsock.c42
31 files changed, 474 insertions, 869 deletions
diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc
index b46ebbd..d2c9959 100644
--- a/net/socket/ssl_client_socket_nss.cc
+++ b/net/socket/ssl_client_socket_nss.cc
@@ -1003,7 +1003,13 @@ bool SSLClientSocketNSS::Core::Init(PRFileDesc* socket,
DCHECK_EQ(dst, wire_protos.get() + wire_length);
rv = SSL_SetNextProtoNego(nss_fd_, wire_protos.get(), wire_length);
if (rv != SECSuccess)
- LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoCallback", "");
+ LogFailedNSSFunction(*weak_net_log_, "SSL_SetNextProtoNego", "");
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_ALPN, PR_TRUE);
+ if (rv != SECSuccess)
+ LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_ALPN");
+ rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_NPN, PR_TRUE);
+ if (rv != SECSuccess)
+ LogFailedNSSFunction(*weak_net_log_, "SSL_OptionSet", "SSL_ENABLE_NPN");
}
rv = SSL_AuthCertificateHook(
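Review bot: The two `SSL_OptionSet` calls added after `SSL_SetNextProtoNego` only log on failure, so if enabling ALPN or NPN fails, `Init` carries on and the socket negotiates with whichever mechanism is left, or none; that deserves a comment because it decides which application protocol the connection ends up speaking. Nothing in the hunk says why `SSL_ENABLE_NPN` is set when the commit message notes it is already the default, so I would add `// NPN is on by default in NSS; set it explicitly so negotiation does not depend on the library default.` above that call. `rv` is reused for all three calls and then reassigned by the `SSL_AuthCertificateHook` call that follows, so none of these failures reach the caller; this is presumably deliberate best-effort, matching the existing `SSL_SetNextProtoNego` handling, but it should be confirmed. The body of `Core::Init` starts and ends outside the hunk.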
diff --git a/net/third_party/nss/README.chromium b/net/third_party/nss/README.chromium
index 0f970f7..366da1b 100644
--- a/net/third_party/nss/README.chromium
+++ b/net/third_party/nss/README.chromium
@@ -1,6 +1,6 @@
Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
-Version: 3.15.4
+Version: 3.15.5 Beta 2
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED
@@ -11,7 +11,7 @@ This directory includes a copy of NSS's libssl from the hg repo at:
The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.
-The snapshot was updated to the hg tag: NSS_3_15_4_RTM
+The snapshot was updated to the hg tag: NSS_3_15_5_BETA2
Patches:
@@ -62,9 +62,6 @@ Patches:
* Update Chromium-specific code for TLS 1.2.
patches/tls12chromium.patch
- * Add the Application Layer Protocol Negotiation extension.
- patches/alpn.patch
-
* Add Chromium-specific code to detect AES GCM support in the system NSS
libraries at run time. Remove this patch when all system NSS packages are
NSS 3.15 or later.
@@ -78,12 +75,8 @@ Patches:
patches/cachelocks.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=764646
- * In the case that a ClientHello record is between 256 and 511 bytes long,
- add an extension to make it 512 bytes. This works around a bug in F5
- terminators.
- patches/paddingextension.patch
+ * Always add an extension to a ClientHello to make it 512 bytes.
patches/paddingextensionall.patch
- https://bugzilla.mozilla.org/show_bug.cgi?id=944157
* Support the Certificate Transparency (RFC 6962) TLS extension
signed_certificate_timestamp (client only).
diff --git a/net/third_party/nss/patches/aesgcmchromium.patch b/net/third_party/nss/patches/aesgcmchromium.patch
index 7ac40b1..8549c35 100644
--- a/net/third_party/nss/patches/aesgcmchromium.patch
+++ b/net/third_party/nss/patches/aesgcmchromium.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:42:10.424660677 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:42:18.324789858 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:04:43.127747463 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:06:21.919386088 -0800
@@ -44,6 +44,9 @@
#ifdef NSS_ENABLE_ZLIB
#include "zlib.h"
@@ -94,7 +94,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
maxout, in, inlen);
}
*outlen += (int) uOutLen;
-@@ -5102,6 +5168,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
+@@ -5103,6 +5169,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
ssl3_DisableNonDTLSSuites(ss);
}
@@ -105,7 +105,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
/* how many suites are permitted by policy and user preference? */
num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
if (!num_suites) {
-@@ -8057,6 +8127,10 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+@@ -8080,6 +8150,10 @@ ssl3_HandleClientHello(sslSocket *ss, SS
ssl3_DisableNonDTLSSuites(ss);
}
diff --git a/net/third_party/nss/patches/alpn.patch b/net/third_party/nss/patches/alpn.patch
deleted file mode 100644
index e8524ad..0000000
--- a/net/third_party/nss/patches/alpn.patch
+++ /dev/null
@@ -1,245 +0,0 @@
-diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:41:44.744240754 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:41:52.234363230 -0800
-@@ -10458,8 +10458,10 @@ ssl3_SendNextProto(sslSocket *ss)
- int padding_len;
- static const unsigned char padding[32] = {0};
-
-- if (ss->ssl3.nextProto.len == 0)
-+ if (ss->ssl3.nextProto.len == 0 ||
-+ ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
- return SECSuccess;
-+ }
-
- PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
- PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:39:28.442012014 -0800
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:41:52.234363230 -0800
-@@ -52,8 +52,12 @@ static SECStatus ssl3_HandleRenegotiatio
- PRUint16 ex_type, SECItem *data);
- static SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
-+static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
-+ PRUint16 ex_type, SECItem *data);
- static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
- PRUint16 ex_type, SECItem *data);
-+static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
-+ PRUint32 maxBytes);
- static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
- PRUint32 maxBytes);
- static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
-@@ -251,6 +255,7 @@ static const ssl3HelloExtensionHandler s
- { ssl_session_ticket_xtn, &ssl3_ClientHandleSessionTicketXtn },
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
-+ { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
- { ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
- { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
- { ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
-@@ -270,18 +275,19 @@ static const ssl3HelloExtensionHandler s
- */
- static const
- ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
-- { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
-- { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
-+ { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
-+ { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
- #ifdef NSS_ENABLE_ECC
-- { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
-- { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
-+ { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
-+ { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
- #endif
-- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
-- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
-- { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
-- { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
-- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
-- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
-+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
-+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
-+ { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
-+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
-+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
-+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
-+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
- /* any extra entries will appear as { 0, NULL } */
- };
-
-@@ -614,6 +620,11 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSoc
-
- PORT_Assert(!ss->firstHsDone);
-
-+ if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
-+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-+ return SECFailure;
-+ }
-+
- rv = ssl3_ValidateNextProtoNego(data->data, data->len);
- if (rv != SECSuccess)
- return rv;
-@@ -647,6 +658,44 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSoc
- return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &result);
- }
-
-+static SECStatus
-+ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
-+{
-+ const unsigned char* d = data->data;
-+ PRUint16 name_list_len;
-+ SECItem protocol_name;
-+
-+ if (ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn)) {
-+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-+ return SECFailure;
-+ }
-+
-+ /* The extension data from the server has the following format:
-+ * uint16 name_list_len;
-+ * uint8 len;
-+ * uint8 protocol_name[len]; */
-+ if (data->len < 4 || data->len > 2 + 1 + 255) {
-+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-+ return SECFailure;
-+ }
-+
-+ name_list_len = ((PRUint16) d[0]) << 8 |
-+ ((PRUint16) d[1]);
-+ if (name_list_len != data->len - 2 ||
-+ d[2] != data->len - 3) {
-+ PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
-+ return SECFailure;
-+ }
-+
-+ protocol_name.data = data->data + 3;
-+ protocol_name.len = data->len - 3;
-+
-+ SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
-+ ss->ssl3.nextProtoState = SSL_NEXT_PROTO_SELECTED;
-+ ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+ return SECITEM_CopyItem(NULL, &ss->ssl3.nextProto, &protocol_name);
-+}
-+
- static PRInt32
- ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
- PRUint32 maxBytes)
-@@ -680,6 +729,70 @@ loser:
- return -1;
- }
-
-+static PRInt32
-+ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
-+{
-+ PRInt32 extension_length;
-+ unsigned char *alpn_protos = NULL;
-+
-+ /* Renegotiations do not send this extension. */
-+ if (!ss->opt.nextProtoNego.data || ss->firstHsDone) {
-+ return 0;
-+ }
-+
-+ extension_length = 2 /* extension type */ + 2 /* extension length */ +
-+ 2 /* protocol name list length */ +
-+ ss->opt.nextProtoNego.len;
-+
-+ if (append && maxBytes >= extension_length) {
-+ /* NPN requires that the client's fallback protocol is first in the
-+ * list. However, ALPN sends protocols in preference order. So we
-+ * allocate a buffer and move the first protocol to the end of the
-+ * list. */
-+ SECStatus rv;
-+ const unsigned int len = ss->opt.nextProtoNego.len;
-+
-+ alpn_protos = PORT_Alloc(len);
-+ if (alpn_protos == NULL) {
-+ return SECFailure;
-+ }
-+ if (len > 0) {
-+ /* Each protocol string is prefixed with a single byte length. */
-+ unsigned int i = ss->opt.nextProtoNego.data[0] + 1;
-+ if (i <= len) {
-+ memcpy(alpn_protos, &ss->opt.nextProtoNego.data[i], len - i);
-+ memcpy(alpn_protos + len - i, ss->opt.nextProtoNego.data, i);
-+ } else {
-+ /* This seems to be invalid data so we'll send as-is. */
-+ memcpy(alpn_protos, ss->opt.nextProtoNego.data, len);
-+ }
-+ }
-+
-+ rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
-+ if (rv != SECSuccess)
-+ goto loser;
-+ rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
-+ if (rv != SECSuccess)
-+ goto loser;
-+ rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
-+ PORT_Free(alpn_protos);
-+ alpn_protos = NULL;
-+ if (rv != SECSuccess)
-+ goto loser;
-+ ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-+ ssl_app_layer_protocol_xtn;
-+ } else if (maxBytes < extension_length) {
-+ return 0;
-+ }
-+
-+ return extension_length;
-+
-+loser:
-+ if (alpn_protos)
-+ PORT_Free(alpn_protos);
-+ return -1;
-+}
-+
- static SECStatus
- ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
- SECItem *data)
-diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:40:03.522585625 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:41:52.234363230 -0800
-@@ -206,6 +206,16 @@ SSL_IMPORT SECStatus SSL_SetNextProtoCal
- * protocol in server-preference order. If no matching protocol is found it
- * selects the first supported protocol.
- *
-+ * Using this function also allows the client to transparently support ALPN.
-+ * The same set of protocols will be advertised via ALPN and, if the server
-+ * uses ALPN to select a protocol, SSL_GetNextProto will return
-+ * SSL_NEXT_PROTO_SELECTED as the state.
-+ *
-+ * Since NPN uses the first protocol as the fallback protocol, when sending an
-+ * ALPN extension, the first protocol is moved to the end of the list. This
-+ * indicates that the fallback protocol is the least preferred. The other
-+ * protocols should be in preference order.
-+ *
- * The supported protocols are specified in |data| in wire-format (8-bit
- * length-prefixed). For example: "\010http/1.1\006spdy/2". */
- SSL_IMPORT SECStatus SSL_SetNextProtoNego(PRFileDesc *fd,
-@@ -215,7 +225,8 @@ SSL_IMPORT SECStatus SSL_SetNextProtoNeg
- typedef enum SSLNextProtoState {
- SSL_NEXT_PROTO_NO_SUPPORT = 0, /* No peer support */
- SSL_NEXT_PROTO_NEGOTIATED = 1, /* Mutual agreement */
-- SSL_NEXT_PROTO_NO_OVERLAP = 2 /* No protocol overlap found */
-+ SSL_NEXT_PROTO_NO_OVERLAP = 2, /* No protocol overlap found */
-+ SSL_NEXT_PROTO_SELECTED = 3 /* Server selected proto (ALPN) */
- } SSLNextProtoState;
-
- /* SSL_GetNextProto can be used in the HandshakeCallback or any time after
-diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h 2014-01-03 19:41:26.443941511 -0800
-+++ b/nss/lib/ssl/sslt.h 2014-01-03 19:41:52.234363230 -0800
-@@ -200,12 +200,13 @@ typedef enum {
- #endif
- ssl_signature_algorithms_xtn = 13,
- ssl_use_srtp_xtn = 14,
-+ ssl_app_layer_protocol_xtn = 16,
- ssl_session_ticket_xtn = 35,
- ssl_next_proto_nego_xtn = 13172,
- ssl_channel_id_xtn = 30032,
- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
- } SSLExtensionType;
-
--#define SSL_MAX_EXTENSIONS 10
-+#define SSL_MAX_EXTENSIONS 11
-
- #endif /* __sslt_h_ */
diff --git a/net/third_party/nss/patches/applypatches.sh b/net/third_party/nss/patches/applypatches.sh
index 2b45728..448eaac 100755
--- a/net/third_party/nss/patches/applypatches.sh
+++ b/net/third_party/nss/patches/applypatches.sh
@@ -31,16 +31,12 @@ patch -p4 < $patches_dir/secitemarray.patch
patch -p4 < $patches_dir/tls12chromium.patch
-patch -p4 < $patches_dir/alpn.patch
-
patch -p4 < $patches_dir/aesgcmchromium.patch
patch -p4 < $patches_dir/chacha20poly1305.patch
patch -p4 < $patches_dir/cachelocks.patch
-patch -p4 < $patches_dir/paddingextension.patch
-
patch -p4 < $patches_dir/paddingextensionall.patch
patch -p4 < $patches_dir/signedcertificatetimestamps.patch
diff --git a/net/third_party/nss/patches/cachecerts.patch b/net/third_party/nss/patches/cachecerts.patch
index 8e5362a..fce438b 100644
--- a/net/third_party/nss/patches/cachecerts.patch
+++ b/net/third_party/nss/patches/cachecerts.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:30:09.722877211 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:49:26.062517203 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:51:23.974478249 -0800
@@ -43,6 +43,7 @@
static SECStatus ssl3_AuthCertificate(sslSocket *ss);
@@ -9,7 +9,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
PK11SlotInfo * serverKeySlot);
static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
-@@ -6451,6 +6452,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6474,6 +6475,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
/* copy the peer cert from the SID */
if (sid->peerCert != NULL) {
ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
@@ -17,7 +17,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
}
/* NULL value for PMS signifies re-use of the old MS */
-@@ -8025,6 +8027,7 @@ compression_found:
+@@ -8048,6 +8050,7 @@ compression_found:
ss->sec.ci.sid = sid;
if (sid->peerCert != NULL) {
ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
@@ -25,7 +25,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
}
/*
-@@ -9639,6 +9642,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
+@@ -9662,6 +9665,44 @@ ssl3_CleanupPeerCerts(sslSocket *ss)
ss->ssl3.peerCertChain = NULL;
}
@@ -70,7 +70,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
* ssl3 CertificateStatus message.
* Caller must hold Handshake and RecvBuf locks.
-@@ -9917,6 +9958,7 @@ ssl3_AuthCertificate(sslSocket *ss)
+@@ -9940,6 +9981,7 @@ ssl3_AuthCertificate(sslSocket *ss)
}
ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert);
@@ -79,9 +79,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (!ss->sec.isServer) {
CERTCertificate *cert = ss->sec.peerCert;
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:30:09.722877211 -0800
-@@ -586,6 +586,8 @@ typedef enum { never_cached,
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:51:23.984478418 -0800
+@@ -595,6 +595,8 @@ typedef enum { never_cached,
invalid_cache /* no longer in any cache. */
} Cached;
@@ -90,7 +90,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
struct sslSessionIDStr {
/* The global cache lock must be held when accessing these members when the
* sid is in any cache.
-@@ -600,6 +602,7 @@ struct sslSessionIDStr {
+@@ -609,6 +611,7 @@ struct sslSessionIDStr {
*/
CERTCertificate * peerCert;
@@ -99,17 +99,17 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
const char * peerID; /* client only */
const char * urlSvrName; /* client only */
diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
---- a/nss/lib/ssl/sslnonce.c 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/sslnonce.c 2014-01-03 19:30:09.782878192 -0800
+--- a/nss/lib/ssl/sslnonce.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslnonce.c 2014-01-17 17:51:23.984478418 -0800
@@ -164,6 +164,7 @@ lock_cache(void)
static void
ssl_DestroySID(sslSessionID *sid)
{
+ int i;
SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
- PORT_Assert((sid->references == 0));
-
-@@ -196,6 +197,9 @@ ssl_DestroySID(sslSessionID *sid)
+ PORT_Assert(sid->references == 0);
+ PORT_Assert(sid->cached != in_client_cache);
+@@ -194,6 +195,9 @@ ssl_DestroySID(sslSessionID *sid)
if ( sid->peerCert ) {
CERT_DestroyCertificate(sid->peerCert);
}
diff --git a/net/third_party/nss/patches/cachelocks.patch b/net/third_party/nss/patches/cachelocks.patch
index 4084e95..d52bf53 100644
--- a/net/third_party/nss/patches/cachelocks.patch
+++ b/net/third_party/nss/patches/cachelocks.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:02:30.135754914 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:03:07.266361523 -0800
-@@ -5655,7 +5655,6 @@ SSL3_ShutdownServerCache(void)
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:10:16.783281701 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:11:03.734060469 -0800
+@@ -5678,7 +5678,6 @@ SSL3_ShutdownServerCache(void)
}
PZ_Unlock(symWrapKeysLock);
@@ -9,7 +9,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
return SECSuccess;
}
-@@ -5707,7 +5706,7 @@ getWrappingKey( sslSocket * ss,
+@@ -5730,7 +5729,7 @@ getWrappingKey( sslSocket * ss,
pSymWrapKey = &symWrapKeys[symWrapMechIndex].symWrapKey[exchKeyType];
@@ -19,9 +19,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
PZ_Lock(symWrapKeysLock);
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:02:30.135754914 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:03:07.266361523 -0800
-@@ -1904,9 +1904,7 @@ extern SECStatus ssl_InitSymWrapKeysLock
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:10:16.793281867 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:11:03.734060469 -0800
+@@ -1913,9 +1913,7 @@ extern SECStatus ssl_InitSymWrapKeysLock
extern SECStatus ssl_FreeSymWrapKeysLock(void);
@@ -33,8 +33,8 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/***************** platform client auth ****************/
diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
---- a/nss/lib/ssl/sslnonce.c 2014-01-03 18:54:48.638219358 -0800
-+++ b/nss/lib/ssl/sslnonce.c 2014-01-03 19:03:07.276361687 -0800
+--- a/nss/lib/ssl/sslnonce.c 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/sslnonce.c 2014-01-17 18:11:03.754060801 -0800
@@ -35,91 +35,55 @@ static PZLock * cacheLock = NULL;
#define LOCK_CACHE lock_cache()
#define UNLOCK_CACHE PZ_Unlock(cacheLock)
@@ -202,8 +202,8 @@ diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
}
diff -pu a/nss/lib/ssl/sslsnce.c b/nss/lib/ssl/sslsnce.c
---- a/nss/lib/ssl/sslsnce.c 2014-01-03 18:38:48.402575652 -0800
-+++ b/nss/lib/ssl/sslsnce.c 2014-01-03 19:03:07.276361687 -0800
+--- a/nss/lib/ssl/sslsnce.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslsnce.c 2014-01-17 18:11:03.774061133 -0800
@@ -1353,7 +1353,7 @@ SSL_ConfigServerSessionIDCache( int
PRUint32 ssl3_timeout,
const char * directory)
diff --git a/net/third_party/nss/patches/chacha20poly1305.patch b/net/third_party/nss/patches/chacha20poly1305.patch
index ef3d9fe..028ed70 100644
--- a/net/third_party/nss/patches/chacha20poly1305.patch
+++ b/net/third_party/nss/patches/chacha20poly1305.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-06 14:58:15.904992214 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-06 14:58:25.635150408 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:06:41.659713513 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:07:10.270188062 -0800
@@ -40,6 +40,21 @@
#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
#endif
@@ -134,8 +134,8 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
}
diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
---- a/nss/lib/ssl/ssl3ecc.c 2014-01-06 14:57:50.984587086 -0800
-+++ b/nss/lib/ssl/ssl3ecc.c 2014-01-06 14:58:25.635150408 -0800
+--- a/nss/lib/ssl/ssl3ecc.c 2014-01-17 18:04:43.127747463 -0800
++++ b/nss/lib/ssl/ssl3ecc.c 2014-01-17 18:07:10.270188062 -0800
@@ -904,6 +904,7 @@ static const ssl3CipherSuite ecdhe_ecdsa
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -169,8 +169,8 @@ diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
TLS_ECDHE_RSA_WITH_RC4_128_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
diff -pu a/nss/lib/ssl/sslenum.c b/nss/lib/ssl/sslenum.c
---- a/nss/lib/ssl/sslenum.c 2014-01-06 14:53:43.540566574 -0800
-+++ b/nss/lib/ssl/sslenum.c 2014-01-06 15:11:13.167642594 -0800
+--- a/nss/lib/ssl/sslenum.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslenum.c 2014-01-17 18:08:43.791739267 -0800
@@ -37,17 +37,21 @@
*
* Exception: Because some servers ignore the high-order byte of the cipher
@@ -180,7 +180,7 @@ diff -pu a/nss/lib/ssl/sslenum.c b/nss/lib/ssl/sslenum.c
* suites, with the MSB zeroed, look like:
+ * TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 }
+ * TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
- * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 {0x00,0x2B }
+ * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B }
* TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
* TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
* TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
@@ -197,8 +197,8 @@ diff -pu a/nss/lib/ssl/sslenum.c b/nss/lib/ssl/sslenum.c
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-06 14:57:46.654516696 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-06 14:58:25.635150408 -0800
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:03:47.906831535 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:07:10.270188062 -0800
@@ -65,6 +65,7 @@ typedef SSLSignType SSL3SignType;
#define calg_camellia ssl_calg_camellia
#define calg_seed ssl_calg_seed
@@ -207,7 +207,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
#define mac_null ssl_mac_null
#define mac_md5 ssl_mac_md5
-@@ -292,7 +293,7 @@ typedef struct {
+@@ -299,7 +300,7 @@ typedef struct {
} ssl3CipherSuiteCfg;
#ifdef NSS_ENABLE_ECC
@@ -216,7 +216,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
#else
#define ssl_V3_SUITES_IMPLEMENTED 37
#endif /* NSS_ENABLE_ECC */
-@@ -474,6 +475,7 @@ typedef enum {
+@@ -483,6 +484,7 @@ typedef enum {
cipher_camellia_256,
cipher_seed,
cipher_aes_128_gcm,
@@ -225,8 +225,8 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/* This enum must match ssl3_cipherName[] in ssl3con.c. */
} SSL3BulkCipher;
diff -pu a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
---- a/nss/lib/ssl/sslinfo.c 2014-01-06 14:57:21.444106895 -0800
-+++ b/nss/lib/ssl/sslinfo.c 2014-01-06 14:58:25.635150408 -0800
+--- a/nss/lib/ssl/sslinfo.c 2014-01-17 18:00:45.503806125 -0800
++++ b/nss/lib/ssl/sslinfo.c 2014-01-17 18:07:10.270188062 -0800
@@ -110,6 +110,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLCh
#define C_NULL "NULL", calg_null
#define C_SJ "SKIPJACK", calg_sj
@@ -251,8 +251,8 @@ diff -pu a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
{0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA), S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
{0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA), S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
---- a/nss/lib/ssl/sslproto.h 2014-01-06 14:53:43.540566574 -0800
-+++ b/nss/lib/ssl/sslproto.h 2014-01-06 14:58:25.635150408 -0800
+--- a/nss/lib/ssl/sslproto.h 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslproto.h 2014-01-17 18:07:10.270188062 -0800
@@ -213,6 +213,9 @@
#define TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F
#define TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031
@@ -264,8 +264,8 @@ diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
#define SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA 0xffe0
#define SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA 0xffe1
diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h 2014-01-06 14:58:13.034945554 -0800
-+++ b/nss/lib/ssl/sslt.h 2014-01-06 14:58:25.635150408 -0800
+--- a/nss/lib/ssl/sslt.h 2014-01-17 18:03:47.906831535 -0800
++++ b/nss/lib/ssl/sslt.h 2014-01-17 18:07:10.270188062 -0800
@@ -94,7 +94,8 @@ typedef enum {
ssl_calg_aes = 7,
ssl_calg_camellia = 8,
diff --git a/net/third_party/nss/patches/channelid.patch b/net/third_party/nss/patches/channelid.patch
index 716c48b..670a6fa 100644
--- a/net/third_party/nss/patches/channelid.patch
+++ b/net/third_party/nss/patches/channelid.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:36:09.938766379 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:37:50.360408300 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-18 10:39:50.799150460 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-18 10:40:15.489552270 -0800
@@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta
static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss);
static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
@@ -9,7 +9,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags);
static SECStatus ssl3_SendServerHello( sslSocket *ss);
static SECStatus ssl3_SendServerHelloDone( sslSocket *ss);
-@@ -6198,6 +6199,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6221,6 +6222,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS
}
#endif /* NSS_PLATFORM_CLIENT_AUTH */
@@ -25,7 +25,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) {
goto loser; /* alert has been sent */
-@@ -6480,7 +6490,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6503,7 +6513,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
if (rv != SECSuccess) {
goto alert_loser; /* err code was set */
}
@@ -34,7 +34,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
} while (0);
if (sid_match)
-@@ -6506,6 +6516,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6529,6 +6539,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS
ss->ssl3.hs.isResuming = PR_FALSE;
ss->ssl3.hs.ws = wait_server_cert;
@@ -62,7 +62,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
return SECSuccess;
alert_loser:
-@@ -7467,7 +7498,14 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7490,7 +7521,14 @@ ssl3_SendClientSecondRound(sslSocket *ss
if (rv != SECSuccess) {
goto loser; /* err code was set. */
}
@@ -77,7 +77,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (ss->opt.enableFalseStart) {
if (!ss->ssl3.hs.authCertificatePending) {
/* When we fix bug 589047, we will need to know whether we are
-@@ -7504,6 +7542,33 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7527,6 +7565,33 @@ ssl3_SendClientSecondRound(sslSocket *ss
ssl_ReleaseXmitBufLock(ss); /*******************************/
@@ -111,7 +111,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
ss->ssl3.hs.ws = wait_new_session_ticket;
else
-@@ -10469,6 +10534,184 @@ ssl3_RecordKeyLog(sslSocket *ss)
+@@ -10494,6 +10559,184 @@ ssl3_RecordKeyLog(sslSocket *ss)
}
/* called from ssl3_SendClientSecondRound
@@ -296,7 +296,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
* ssl3_HandleClientHello
* ssl3_HandleFinished
*/
-@@ -10728,11 +10971,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
+@@ -10753,11 +10996,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
}
@@ -317,7 +317,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
}
if (IS_DTLS(ss)) {
-@@ -12212,6 +12460,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -12237,6 +12485,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
ssl_FreePlatformKey(ss->ssl3.platformClientKey);
#endif /* NSS_PLATFORM_CLIENT_AUTH */
@@ -330,9 +330,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
ssl3_CleanupPeerCerts(ss);
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:31:09.783859095 -0800
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:36:25.379018825 -0800
-@@ -60,6 +60,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo
+--- a/nss/lib/ssl/ssl3ext.c 2014-01-18 10:39:50.749149654 -0800
++++ b/nss/lib/ssl/ssl3ext.c 2014-01-18 10:43:52.543083984 -0800
+@@ -64,6 +64,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo
PRUint32 maxBytes);
static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
SECItem *data);
@@ -343,31 +343,26 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
PRBool append, PRUint32 maxBytes);
static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
-@@ -248,6 +252,7 @@ static const ssl3HelloExtensionHandler s
- { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
+@@ -253,6 +257,7 @@ static const ssl3HelloExtensionHandler s
{ ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn },
+ { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn },
+ { ssl_channel_id_xtn, &ssl3_ClientHandleChannelIDXtn },
{ ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn },
{ -1, NULL }
};
-@@ -274,6 +279,7 @@ ssl3HelloExtensionSender clientHelloSend
- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
+@@ -280,6 +285,7 @@ ssl3HelloExtensionSender clientHelloSend
{ ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
+ { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
{ ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
{ ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
{ ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
/* any extra entries will appear as { 0, NULL } */
-@@ -669,6 +675,61 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocke
- }
+@@ -795,6 +801,61 @@ loser:
+ return -1;
+ }
- return extension_length;
-+
-+loser:
-+ return -1;
-+}
-+
+static SECStatus
+ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data)
@@ -418,12 +413,17 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
+ }
+
+ return extension_length;
-
- loser:
- return -1;
++
++loser:
++ return -1;
++}
++
+ static SECStatus
+ ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
+ SECItem *data)
diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
---- a/nss/lib/ssl/ssl3prot.h 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/ssl3prot.h 2014-01-03 19:36:25.379018825 -0800
+--- a/nss/lib/ssl/ssl3prot.h 2014-01-18 10:39:34.278881614 -0800
++++ b/nss/lib/ssl/ssl3prot.h 2014-01-18 10:40:15.499552430 -0800
@@ -129,7 +129,8 @@ typedef enum {
client_key_exchange = 16,
finished = 20,
@@ -435,8 +435,8 @@ diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
typedef struct {
diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
---- a/nss/lib/ssl/sslauth.c 2014-01-03 19:31:09.783859095 -0800
-+++ b/nss/lib/ssl/sslauth.c 2014-01-03 19:36:25.379018825 -0800
+--- a/nss/lib/ssl/sslauth.c 2014-01-18 10:39:50.749149654 -0800
++++ b/nss/lib/ssl/sslauth.c 2014-01-18 10:40:15.499552430 -0800
@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
return SECSuccess;
}
@@ -463,8 +463,8 @@ diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
/* NEED LOCKS IN HERE. */
SECStatus
diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
---- a/nss/lib/ssl/sslerr.h 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/sslerr.h 2014-01-03 19:36:25.379018825 -0800
+--- a/nss/lib/ssl/sslerr.h 2014-01-18 10:39:34.288881780 -0800
++++ b/nss/lib/ssl/sslerr.h 2014-01-18 10:40:15.499552430 -0800
@@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (
SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127),
SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
@@ -477,8 +477,8 @@ diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
} SSLErrorCodes;
#endif /* NO_SECURITY_ERROR_ENUM */
diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
---- a/nss/lib/ssl/SSLerrs.h 2014-01-03 19:28:03.540814444 -0800
-+++ b/nss/lib/ssl/SSLerrs.h 2014-01-03 19:36:25.379018825 -0800
+--- a/nss/lib/ssl/SSLerrs.h 2014-01-18 10:39:34.238880964 -0800
++++ b/nss/lib/ssl/SSLerrs.h 2014-01-18 10:40:15.499552430 -0800
@@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR
ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
@@ -493,9 +493,9 @@ diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
+ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
+"The application could not get a TLS Channel ID.")
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:36:09.938766379 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:36:25.379018825 -0800
-@@ -985,6 +985,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
+--- a/nss/lib/ssl/ssl.h 2014-01-18 10:39:50.799150460 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-18 10:40:15.499552430 -0800
+@@ -1015,6 +1015,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
PRBool *last_handshake_resumed);
@@ -531,9 +531,9 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
** How long should we wait before retransmitting the next flight of
** the DTLS handshake? Returns SECFailure if not DTLS or not in a
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:36:09.938766379 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:36:25.379018825 -0800
-@@ -700,6 +700,14 @@ struct sslSessionIDStr {
+--- a/nss/lib/ssl/sslimpl.h 2014-01-18 10:39:50.799150460 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-18 10:40:15.499552430 -0800
+@@ -709,6 +709,14 @@ struct sslSessionIDStr {
SECItem srvName;
@@ -548,7 +548,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/* This lock is lazily initialized by CacheSID when a sid is first
* cached. Before then, there is no need to lock anything because
* the sid isn't being shared by anything.
-@@ -969,6 +977,9 @@ struct ssl3StateStr {
+@@ -978,6 +986,9 @@ struct ssl3StateStr {
CERTCertificateList *clientCertChain; /* used by client */
PRBool sendEmptyCert; /* used by client */
@@ -558,7 +558,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
int policy;
/* This says what cipher suites we can do, and should
* be either SSL_ALLOWED or SSL_RESTRICTED
-@@ -1246,6 +1257,8 @@ const unsigned char * preferredCipher;
+@@ -1255,6 +1266,8 @@ const unsigned char * preferredCipher;
void *pkcs11PinArg;
SSLNextProtoCallback nextProtoCallback;
void *nextProtoArg;
@@ -567,7 +567,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
PRIntervalTime rTimeout; /* timeout for NSPR I/O */
PRIntervalTime wTimeout; /* timeout for NSPR I/O */
-@@ -1590,6 +1603,11 @@ extern SECStatus ssl3_RestartHandshakeAf
+@@ -1599,6 +1612,11 @@ extern SECStatus ssl3_RestartHandshakeAf
SECKEYPrivateKey * key,
CERTCertificateList *certChain);
@@ -580,9 +580,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/*
diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
---- a/nss/lib/ssl/sslnonce.c 2014-01-03 19:30:40.073373382 -0800
-+++ b/nss/lib/ssl/sslnonce.c 2014-01-03 19:36:25.379018825 -0800
-@@ -182,6 +182,9 @@ ssl_DestroySID(sslSessionID *sid)
+--- a/nss/lib/ssl/sslnonce.c 2014-01-18 10:39:50.739149486 -0800
++++ b/nss/lib/ssl/sslnonce.c 2014-01-18 10:40:15.499552430 -0800
+@@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid)
if (sid->u.ssl3.srvName.data) {
SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
}
@@ -593,8 +593,8 @@ diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
if (sid->u.ssl3.lock) {
PR_DestroyRWLock(sid->u.ssl3.lock);
diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
---- a/nss/lib/ssl/sslsecur.c 2014-01-03 19:36:09.938766379 -0800
-+++ b/nss/lib/ssl/sslsecur.c 2014-01-03 19:36:25.379018825 -0800
+--- a/nss/lib/ssl/sslsecur.c 2014-01-18 10:39:50.799150460 -0800
++++ b/nss/lib/ssl/sslsecur.c 2014-01-18 10:40:15.499552430 -0800
@@ -1584,6 +1584,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD
return ret;
}
@@ -639,9 +639,9 @@ diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
* this implementation exists to maintain link-time compatibility.
*/
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 19:32:06.914793097 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:36:25.379018825 -0800
-@@ -274,6 +274,8 @@ ssl_DupSocket(sslSocket *os)
+--- a/nss/lib/ssl/sslsock.c 2014-01-18 10:39:50.769149984 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-18 10:40:15.499552430 -0800
+@@ -276,6 +276,8 @@ ssl_DupSocket(sslSocket *os)
ss->canFalseStartCallback = os->canFalseStartCallback;
ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
ss->pkcs11PinArg = os->pkcs11PinArg;
@@ -650,7 +650,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
/* Create security data */
rv = ssl_CopySecurityInfo(ss, os);
-@@ -1669,6 +1671,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+@@ -1691,6 +1693,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
ss->handshakeCallbackData = sm->handshakeCallbackData;
if (sm->pkcs11PinArg)
ss->pkcs11PinArg = sm->pkcs11PinArg;
@@ -661,7 +661,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
return fd;
loser:
return NULL;
-@@ -2946,6 +2952,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+@@ -2968,6 +2974,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
ss->badCertArg = NULL;
ss->pkcs11PinArg = NULL;
ss->ephemeralECDHKeyPair = NULL;
@@ -671,17 +671,18 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
ssl_ChooseOps(ss);
ssl2_InitSocketPolicy(ss);
diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h 2014-01-03 19:28:03.560814773 -0800
-+++ b/nss/lib/ssl/sslt.h 2014-01-03 19:36:25.379018825 -0800
-@@ -189,9 +189,10 @@ typedef enum {
- ssl_use_srtp_xtn = 14,
+--- a/nss/lib/ssl/sslt.h 2014-01-18 10:39:34.328882426 -0800
++++ b/nss/lib/ssl/sslt.h 2014-01-18 10:40:15.499552430 -0800
+@@ -190,10 +190,11 @@ typedef enum {
+ ssl_app_layer_protocol_xtn = 16,
ssl_session_ticket_xtn = 35,
ssl_next_proto_nego_xtn = 13172,
+ ssl_channel_id_xtn = 30032,
+ ssl_padding_xtn = 35655,
ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
} SSLExtensionType;
--#define SSL_MAX_EXTENSIONS 9
-+#define SSL_MAX_EXTENSIONS 10
+-#define SSL_MAX_EXTENSIONS 10 /* doesn't include ssl_padding_xtn. */
++#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */
#endif /* __sslt_h_ */
diff --git a/net/third_party/nss/patches/cipherorder.patch b/net/third_party/nss/patches/cipherorder.patch
index dde3448..36f0191 100644
--- a/net/third_party/nss/patches/cipherorder.patch
+++ b/net/third_party/nss/patches/cipherorder.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:44:16.406720764 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:44:24.516853386 -0800
-@@ -12539,6 +12539,46 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3Ci
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:45:24.378132013 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:46:29.929216162 -0800
+@@ -12540,6 +12540,46 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3Ci
return rv;
}
@@ -49,9 +49,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
void
ssl3_InitSocketPolicy(sslSocket *ss)
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:44:16.416720928 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:44:24.516853386 -0800
-@@ -265,6 +265,13 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDe
+--- a/nss/lib/ssl/ssl.h 2014-01-17 18:45:24.378132013 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 18:46:29.929216162 -0800
+@@ -285,6 +285,13 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDe
SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
@@ -66,9 +66,9 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
* values. See RFC 5929. */
typedef enum SSLChannelBindingType {
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:44:16.416720928 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:44:24.516853386 -0800
-@@ -1741,6 +1741,8 @@ extern SECStatus ssl3_CipherPrefSet(sslS
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:45:24.378132013 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:46:29.929216162 -0800
+@@ -1743,6 +1743,8 @@ extern SECStatus ssl3_CipherPrefSet(sslS
extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
@@ -78,9 +78,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 19:44:16.416720928 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:44:24.516853386 -0800
-@@ -1256,6 +1256,19 @@ SSL_CipherPrefSet(PRFileDesc *fd, PRInt3
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 18:45:24.378132013 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:46:29.929216162 -0800
+@@ -1278,6 +1278,19 @@ SSL_CipherPrefSet(PRFileDesc *fd, PRInt3
return rv;
}
diff --git a/net/third_party/nss/patches/clientauth.patch b/net/third_party/nss/patches/clientauth.patch
index f6bc070..9283676 100644
--- a/net/third_party/nss/patches/clientauth.patch
+++ b/net/third_party/nss/patches/clientauth.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:30:40.073373382 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:30:52.653579045 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:00.295082288 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:19.745405758 -0800
@@ -2471,6 +2471,9 @@ ssl3_ClientAuthTokenPresent(sslSessionID
PRBool isPresent = PR_TRUE;
@@ -11,7 +11,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (!sid || !sid->u.ssl3.clAuthValid) {
return PR_TRUE;
}
-@@ -6080,25 +6083,36 @@ ssl3_SendCertificateVerify(sslSocket *ss
+@@ -6103,25 +6106,36 @@ ssl3_SendCertificateVerify(sslSocket *ss
isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
@@ -65,7 +65,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (rv != SECSuccess) {
goto done; /* err code was set by ssl3_SignHashes */
}
-@@ -6177,6 +6191,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6200,6 +6214,12 @@ ssl3_HandleServerHello(sslSocket *ss, SS
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
ss->ssl3.clientPrivateKey = NULL;
}
@@ -78,7 +78,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
if (temp < 0) {
-@@ -6804,6 +6824,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss,
+@@ -6827,6 +6847,18 @@ ssl3_ExtractClientKeyInfo(sslSocket *ss,
goto done;
}
@@ -97,7 +97,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
/* If the key is a 1024-bit RSA or DSA key, assume conservatively that
* it may be unable to sign SHA-256 hashes. This is the case for older
* Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
-@@ -6902,6 +6934,10 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -6925,6 +6957,10 @@ ssl3_HandleCertificateRequest(sslSocket
SECItem cert_types = {siBuffer, NULL, 0};
SECItem algorithms = {siBuffer, NULL, 0};
CERTDistNames ca_list;
@@ -108,7 +108,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_request handshake",
SSL_GETPID(), ss->fd));
-@@ -6918,6 +6954,7 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -6941,6 +6977,7 @@ ssl3_HandleCertificateRequest(sslSocket
PORT_Assert(ss->ssl3.clientCertChain == NULL);
PORT_Assert(ss->ssl3.clientCertificate == NULL);
PORT_Assert(ss->ssl3.clientPrivateKey == NULL);
@@ -116,7 +116,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
-@@ -6997,6 +7034,18 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -7020,6 +7057,18 @@ ssl3_HandleCertificateRequest(sslSocket
desc = no_certificate;
ss->ssl3.hs.ws = wait_hello_done;
@@ -135,7 +135,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (ss->getClientAuthData != NULL) {
/* XXX Should pass cert_types and algorithms in this call!! */
rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
-@@ -7006,12 +7055,55 @@ ssl3_HandleCertificateRequest(sslSocket
+@@ -7029,12 +7078,55 @@ ssl3_HandleCertificateRequest(sslSocket
} else {
rv = SECFailure; /* force it to send a no_certificate alert */
}
@@ -191,7 +191,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
/* check what the callback function returned */
if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
/* we are missing either the key or cert */
-@@ -7073,6 +7165,10 @@ loser:
+@@ -7096,6 +7188,10 @@ loser:
done:
if (arena != NULL)
PORT_FreeArena(arena, PR_FALSE);
@@ -202,7 +202,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
return rv;
}
-@@ -7190,7 +7286,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7213,7 +7309,8 @@ ssl3_SendClientSecondRound(sslSocket *ss
sendClientCert = !ss->ssl3.sendEmptyCert &&
ss->ssl3.clientCertChain != NULL &&
@@ -212,7 +212,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (!sendClientCert &&
ss->ssl3.hs.hashType == handshake_hash_single &&
-@@ -12027,6 +12124,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -12052,6 +12149,10 @@ ssl3_DestroySSL3Info(sslSocket *ss)
if (ss->ssl3.clientPrivateKey != NULL)
SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
@@ -224,8 +224,8 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (ss->ssl3.peerCertArena != NULL)
ssl3_CleanupPeerCerts(ss);
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:30:52.653579045 -0800
+--- a/nss/lib/ssl/ssl3ext.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/ssl3ext.c 2014-01-17 17:52:19.745405758 -0800
@@ -10,8 +10,8 @@
#include "nssrenam.h"
#include "nss.h"
@@ -237,8 +237,8 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
#ifdef NO_PKCS11_BYPASS
#include "blapit.h"
diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
---- a/nss/lib/ssl/sslauth.c 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/sslauth.c 2014-01-03 19:30:52.653579045 -0800
+--- a/nss/lib/ssl/sslauth.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslauth.c 2014-01-17 17:52:19.755405924 -0800
@@ -216,6 +216,28 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
return SECSuccess;
}
@@ -269,9 +269,9 @@ diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
SECStatus
SSL_SetPKCS11PinArg(PRFileDesc *s, void *arg)
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:28:03.540814444 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:30:52.653579045 -0800
-@@ -503,6 +503,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
+--- a/nss/lib/ssl/ssl.h 2014-01-17 17:49:26.062517203 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 17:52:19.755405924 -0800
+@@ -533,6 +533,48 @@ typedef SECStatus (PR_CALLBACK *SSLGetCl
SSL_IMPORT SECStatus SSL_GetClientAuthDataHook(PRFileDesc *fd,
SSLGetClientAuthData f, void *a);
@@ -321,8 +321,8 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
/*
** SNI extension processing callback function.
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:30:40.073373382 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:30:52.653579045 -0800
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:00.295082288 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:19.755405924 -0800
@@ -20,6 +20,7 @@
#include "sslerr.h"
#include "ssl3prot.h"
@@ -347,7 +347,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/* to make some of these old enums public without namespace pollution,
** it was necessary to prepend ssl_ to the names.
** These #defines preserve compatibility with the old code here in libssl.
-@@ -432,6 +442,14 @@ struct sslGatherStr {
+@@ -441,6 +451,14 @@ struct sslGatherStr {
#define GS_DATA 3
#define GS_PAD 4
@@ -362,7 +362,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/*
-@@ -944,6 +962,10 @@ struct ssl3StateStr {
+@@ -953,6 +971,10 @@ struct ssl3StateStr {
CERTCertificate * clientCertificate; /* used by client */
SECKEYPrivateKey * clientPrivateKey; /* used by client */
@@ -373,7 +373,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
CERTCertificateList *clientCertChain; /* used by client */
PRBool sendEmptyCert; /* used by client */
-@@ -1205,6 +1227,10 @@ const unsigned char * preferredCipher;
+@@ -1214,6 +1236,10 @@ const unsigned char * preferredCipher;
void *authCertificateArg;
SSLGetClientAuthData getClientAuthData;
void *getClientAuthDataArg;
@@ -384,7 +384,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
SSLSNISocketConfig sniSocketConfig;
void *sniSocketConfigArg;
SSLBadCertHandler handleBadCert;
-@@ -1843,6 +1869,26 @@ extern SECStatus ssl_InitSessionCacheLoc
+@@ -1852,6 +1878,26 @@ extern SECStatus ssl_InitSessionCacheLoc
extern SECStatus ssl_FreeSessionCacheLocks(void);
@@ -412,9 +412,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/**************** DTLS-specific functions **************/
extern void dtls_FreeQueuedMessage(DTLSQueuedMessage *msg);
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 19:28:03.560814773 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:30:52.653579045 -0800
-@@ -261,6 +261,10 @@ ssl_DupSocket(sslSocket *os)
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 17:49:40.942764689 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 17:52:19.755405924 -0800
+@@ -263,6 +263,10 @@ ssl_DupSocket(sslSocket *os)
ss->authCertificateArg = os->authCertificateArg;
ss->getClientAuthData = os->getClientAuthData;
ss->getClientAuthDataArg = os->getClientAuthDataArg;
@@ -425,7 +425,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
ss->sniSocketConfig = os->sniSocketConfig;
ss->sniSocketConfigArg = os->sniSocketConfigArg;
ss->handleBadCert = os->handleBadCert;
-@@ -1645,6 +1649,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+@@ -1667,6 +1671,12 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
ss->getClientAuthData = sm->getClientAuthData;
if (sm->getClientAuthDataArg)
ss->getClientAuthDataArg = sm->getClientAuthDataArg;
@@ -438,7 +438,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
if (sm->sniSocketConfig)
ss->sniSocketConfig = sm->sniSocketConfig;
if (sm->sniSocketConfigArg)
-@@ -2899,6 +2909,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+@@ -2921,6 +2931,10 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
ss->sniSocketConfig = NULL;
ss->sniSocketConfigArg = NULL;
ss->getClientAuthData = NULL;
diff --git a/net/third_party/nss/patches/didhandshakeresume.patch b/net/third_party/nss/patches/didhandshakeresume.patch
index 74bba10..70f878d 100644
--- a/net/third_party/nss/patches/didhandshakeresume.patch
+++ b/net/third_party/nss/patches/didhandshakeresume.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:31:09.783859095 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:31:19.214013263 -0800
-@@ -967,6 +967,9 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
+--- a/nss/lib/ssl/ssl.h 2014-01-17 17:52:46.715854283 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 17:53:20.876422375 -0800
+@@ -997,6 +997,9 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
SSLExtensionType extId,
PRBool *yes);
@@ -12,9 +12,9 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
** How long should we wait before retransmitting the next flight of
** the DTLS handshake? Returns SECFailure if not DTLS or not in a
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 19:31:09.783859095 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:31:19.214013263 -0800
-@@ -1833,6 +1833,20 @@ SSL_PeerStapledOCSPResponses(PRFileDesc
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 17:52:46.715854283 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 17:53:20.876422375 -0800
+@@ -1855,6 +1855,20 @@ SSL_PeerStapledOCSPResponses(PRFileDesc
return &ss->sec.ci.sid->peerCertStatus;
}
diff --git a/net/third_party/nss/patches/fallbackscsv.patch b/net/third_party/nss/patches/fallbackscsv.patch
index 48565b8..005132c 100644
--- a/net/third_party/nss/patches/fallbackscsv.patch
+++ b/net/third_party/nss/patches/fallbackscsv.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:44:44.807185186 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:44:54.857349534 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:46:51.999581198 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:47:05.509804656 -0800
@@ -3473,6 +3473,9 @@ ssl3_HandleAlert(sslSocket *ss, sslBuffe
case certificate_unknown: error = SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT;
break;
@@ -60,15 +60,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
-@@ -5416,6 +5437,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
-
- extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
- if (extLen < 0) {
-+ if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
- return SECFailure;
- }
- maxBytes -= extLen;
-@@ -8083,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS
+@@ -8084,6 +8105,19 @@ ssl3_HandleClientHello(sslSocket *ss, SS
goto loser; /* malformed */
}
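Review bot: The dropped `-@@ -5416,6 +5437,7 @@` sub-hunk was the only place in this patch that released `sid->u.ssl3.lock` when `ssl3_AppendPaddingExtension` fails, and nothing here records where that unlock now lives. The next header moving from `-8083` to `-8084` while `+8105` stays put suggests the line is now part of the base source, but that is inferred from offsets only. Before landing, confirm that the failure path in the refreshed `ssl3_SendClientHello` still unlocks before `return SECFailure`; otherwise a failed ClientHello would leave the session-ID lock held. A one-line entry in README.chromium saying which patch or upstream change now carries the unlock would make the next refresh auditable.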
@@ -89,8 +81,8 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
rv = ssl3_ConsumeHandshakeVariable(ss, &comps, 1, &b, &length);
if (rv != SECSuccess) {
diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
---- a/nss/lib/ssl/ssl3prot.h 2014-01-03 19:39:28.442012014 -0800
-+++ b/nss/lib/ssl/ssl3prot.h 2014-01-03 19:44:54.857349534 -0800
+--- a/nss/lib/ssl/ssl3prot.h 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/ssl3prot.h 2014-01-17 18:47:05.509804656 -0800
@@ -98,6 +98,7 @@ typedef enum {
protocol_version = 70,
insufficient_security = 71,
@@ -100,8 +92,8 @@ diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
no_renegotiation = 100,
diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
---- a/nss/lib/ssl/sslerr.h 2014-01-03 19:39:28.442012014 -0800
-+++ b/nss/lib/ssl/sslerr.h 2014-01-03 19:44:54.877349862 -0800
+--- a/nss/lib/ssl/sslerr.h 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/sslerr.h 2014-01-17 18:47:05.509804656 -0800
@@ -196,6 +196,7 @@ SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM
SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129),
SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130),
@@ -111,8 +103,8 @@ diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */
} SSLErrorCodes;
diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
---- a/nss/lib/ssl/SSLerrs.h 2014-01-03 19:39:28.442012014 -0800
-+++ b/nss/lib/ssl/SSLerrs.h 2014-01-03 19:44:54.907350351 -0800
+--- a/nss/lib/ssl/SSLerrs.h 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/SSLerrs.h 2014-01-17 18:47:05.509804656 -0800
@@ -421,3 +421,8 @@ ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (S
ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
@@ -123,31 +115,31 @@ diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
+" handshake failure, but the server indicated that it should not have been"
+" needed.")
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:44:44.807185186 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:44:54.907350351 -0800
-@@ -163,6 +163,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
- #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
+--- a/nss/lib/ssl/ssl.h 2014-01-17 18:46:51.999581198 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 18:48:54.971613341 -0800
+@@ -183,6 +183,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
+
/* Request Signed Certificate Timestamps via TLS extension (client) */
- #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
-+#define SSL_ENABLE_FALLBACK_SCSV 26 /* Send fallback SCSV in
+ #define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27
++#define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in
+ * handshakes. */
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:44:44.807185186 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:44:54.907350351 -0800
-@@ -336,6 +336,7 @@ typedef struct sslOptionsStr {
- unsigned int cbcRandomIV : 1; /* 24 */
- unsigned int enableOCSPStapling : 1; /* 25 */
- unsigned int enableSignedCertTimestamps : 1; /* 26 */
-+ unsigned int enableFallbackSCSV : 1; /* 27 */
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:46:51.999581198 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:51:17.963962287 -0800
+@@ -338,6 +338,7 @@ typedef struct sslOptionsStr {
+ unsigned int enableNPN : 1; /* 26 */
+ unsigned int enableALPN : 1; /* 27 */
+ unsigned int enableSignedCertTimestamps : 1; /* 28 */
++ unsigned int enableFallbackSCSV : 1; /* 29 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
---- a/nss/lib/ssl/sslproto.h 2014-01-03 19:43:07.025586219 -0800
-+++ b/nss/lib/ssl/sslproto.h 2014-01-03 19:44:54.907350351 -0800
+--- a/nss/lib/ssl/sslproto.h 2014-01-17 18:10:16.793281867 -0800
++++ b/nss/lib/ssl/sslproto.h 2014-01-17 18:47:05.509804656 -0800
@@ -172,6 +172,11 @@
*/
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00FF
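Review bot: `SSL_ENABLE_FALLBACK_SCSV` is renumbered from 26 to 28 (with `SSL_ENABLE_SIGNED_CERT_TIMESTAMPS` now 27), so the old values presumably now belong to the upstream NPN/ALPN options the commit message mentions. A caller built against the old header, or one passing the number instead of the macro, would still get `SECSuccess` from `SSL_OptionSet` but flip a different option, leaving the fallback SCSV unsent with no visible error. I would add a comment beside the define, such as `/* Chromium-local option number; must be renumbered whenever upstream NSS adds an option. */`, and check that every user of these two options is rebuilt against the new `ssl.h`. The `/* 29 */` bit-index comment in `sslOptionsStr` and the position of `enableFallbackSCSV` in `ssl_defaults` need to move together with it; the `ssl_defaults` initializer is in the next hunk.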
@@ -161,21 +153,21 @@ diff -pu a/nss/lib/ssl/sslproto.h b/nss/lib/ssl/sslproto.h
* RFCs.
*/
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 19:44:44.807185186 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:44:54.907350351 -0800
-@@ -86,7 +86,8 @@ static sslOptions ssl_defaults = {
- PR_FALSE, /* enableFalseStart */
- PR_TRUE, /* cbcRandomIV */
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 18:46:52.009581364 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:59:17.931852364 -0800
+@@ -88,7 +88,8 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* enableOCSPStapling */
+ PR_TRUE, /* enableNPN */
+ PR_FALSE, /* enableALPN */
- PR_FALSE /* enableSignedCertTimestamps */
+ PR_FALSE, /* enableSignedCertTimestamps */
+ PR_FALSE /* enableFallbackSCSV */
};
/*
-@@ -782,6 +783,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- ss->opt.enableSignedCertTimestamps = on;
- break;
+@@ -792,6 +793,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ ss->opt.enableSignedCertTimestamps = on;
+ break;
+ case SSL_ENABLE_FALLBACK_SCSV:
+ ss->opt.enableFallbackSCSV = on;
@@ -184,27 +176,27 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
-@@ -855,6 +860,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
+@@ -867,6 +872,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- on = ss->opt.enableSignedCertTimestamps;
- break;
+ on = ss->opt.enableSignedCertTimestamps;
+ break;
+ case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -919,6 +925,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
+@@ -933,6 +939,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- on = ssl_defaults.enableSignedCertTimestamps;
- break;
+ on = ssl_defaults.enableSignedCertTimestamps;
+ break;
+ case SSL_ENABLE_FALLBACK_SCSV:
-+ on = ssl_defaults.enableFallbackSCSV;
-+ break;
++ on = ssl_defaults.enableFallbackSCSV;
++ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1090,6 +1099,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
- ssl_defaults.enableSignedCertTimestamps = on;
- break;
+@@ -1112,6 +1121,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+ ssl_defaults.enableSignedCertTimestamps = on;
+ break;
+ case SSL_ENABLE_FALLBACK_SCSV:
+ ssl_defaults.enableFallbackSCSV = on;
diff --git a/net/third_party/nss/patches/getrequestedclientcerttypes.patch b/net/third_party/nss/patches/getrequestedclientcerttypes.patch
index 870719e..9ca8abd 100644
--- a/net/third_party/nss/patches/getrequestedclientcerttypes.patch
+++ b/net/third_party/nss/patches/getrequestedclientcerttypes.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:31:09.783859095 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:31:49.664511081 -0800
-@@ -6962,6 +6962,9 @@ ssl3_HandleCertificateRequest(sslSocket
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:52:46.705854118 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:54:27.087523439 -0800
+@@ -6985,6 +6985,9 @@ ssl3_HandleCertificateRequest(sslSocket
if (rv != SECSuccess)
goto loser; /* malformed, alert has been sent */
@@ -11,7 +11,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (isTLS12) {
rv = ssl3_ConsumeHandshakeVariable(ss, &algorithms, 2, &b, &length);
if (rv != SECSuccess)
-@@ -7163,6 +7166,7 @@ loser:
+@@ -7186,6 +7189,7 @@ loser:
PORT_SetError(errCode);
rv = SECFailure;
done:
@@ -20,9 +20,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
PORT_FreeArena(arena, PR_FALSE);
#ifdef NSS_PLATFORM_CLIENT_AUTH
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:31:36.454295113 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:31:49.664511081 -0800
-@@ -763,6 +763,16 @@ SSL_IMPORT SECStatus SSL_ReHandshakeWith
+--- a/nss/lib/ssl/ssl.h 2014-01-17 17:53:39.726735852 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 17:54:27.087523439 -0800
+@@ -793,6 +793,16 @@ SSL_IMPORT SECStatus SSL_ReHandshakeWith
PRBool flushCache,
PRIntervalTime timeout);
@@ -40,9 +40,9 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
#ifdef SSL_DEPRECATED_FUNCTION
/* deprecated!
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:31:09.783859095 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:31:49.684511406 -0800
-@@ -1220,6 +1220,10 @@ struct sslSocketStr {
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:52:46.715854283 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:54:27.087523439 -0800
+@@ -1229,6 +1229,10 @@ struct sslSocketStr {
unsigned int sizeCipherSpecs;
const unsigned char * preferredCipher;
@@ -54,9 +54,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/* Callbacks */
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 19:31:36.454295113 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:31:49.704511734 -0800
-@@ -1847,6 +1847,20 @@ SSL_HandshakeResumedSession(PRFileDesc *
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 17:53:39.726735852 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 17:54:27.097523605 -0800
+@@ -1869,6 +1869,20 @@ SSL_HandshakeResumedSession(PRFileDesc *
return SECSuccess;
}
@@ -77,7 +77,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
/************************************************************************/
/* The following functions are the TOP LEVEL SSL functions.
** They all get called through the NSPRIOMethods table below.
-@@ -2914,6 +2928,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
+@@ -2936,6 +2950,7 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
sc->serverKeyBits = 0;
ss->certStatusArray[i] = NULL;
}
diff --git a/net/third_party/nss/patches/nssrwlock.patch b/net/third_party/nss/patches/nssrwlock.patch
index 854a594..2f10a4f 100644
--- a/net/third_party/nss/patches/nssrwlock.patch
+++ b/net/third_party/nss/patches/nssrwlock.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-07 14:31:44.537621503 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-08 15:00:02.814706742 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 19:01:58.104487211 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 19:02:38.965159506 -0800
@@ -5211,7 +5211,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
* the lock across the calls to ssl3_CallHelloExtensionSenders.
*/
@@ -184,9 +184,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
if (ss->xtnData.sentSessionTicketInClientHello) {
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-07 14:31:44.537621503 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-08 15:00:02.804706578 -0800
-@@ -728,7 +728,7 @@ struct sslSessionIDStr {
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 19:00:52.843413560 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 19:02:38.965159506 -0800
+@@ -730,7 +730,7 @@ struct sslSessionIDStr {
* cached. Before then, there is no need to lock anything because
* the sid isn't being shared by anything.
*/
@@ -196,9 +196,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/* The lock must be held while reading or writing these members
* because they change while the sid is cached.
diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
---- a/nss/lib/ssl/sslnonce.c 2014-01-07 14:31:44.547621666 -0800
-+++ b/nss/lib/ssl/sslnonce.c 2014-01-08 15:00:02.814706742 -0800
-@@ -138,7 +138,7 @@ ssl_DestroySID(sslSessionID *sid)
+--- a/nss/lib/ssl/sslnonce.c 2014-01-17 19:02:25.844943628 -0800
++++ b/nss/lib/ssl/sslnonce.c 2014-01-17 19:02:38.965159506 -0800
+@@ -136,7 +136,7 @@ ssl_DestroySID(sslSessionID *sid)
}
if (sid->u.ssl3.lock) {
@@ -207,7 +207,7 @@ diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
}
}
-@@ -314,7 +314,7 @@ CacheSID(sslSessionID *sid)
+@@ -308,7 +308,7 @@ CacheSID(sslSessionID *sid)
PRINT_BUF(8, (0, "sessionID:",
sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength));
@@ -216,7 +216,7 @@ diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
if (!sid->u.ssl3.lock) {
return;
}
-@@ -454,7 +454,7 @@ ssl3_SetSIDSessionTicket(sslSessionID *s
+@@ -448,7 +448,7 @@ ssl3_SetSIDSessionTicket(sslSessionID *s
* yet, so no locking is needed.
*/
if (sid->u.ssl3.lock) {
@@ -225,7 +225,7 @@ diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
/* A server might have sent us an empty ticket, which has the
* effect of clearing the previously known ticket.
-@@ -473,6 +473,6 @@ ssl3_SetSIDSessionTicket(sslSessionID *s
+@@ -467,6 +467,6 @@ ssl3_SetSIDSessionTicket(sslSessionID *s
newSessionTicket->ticket.len = 0;
if (sid->u.ssl3.lock) {
diff --git a/net/third_party/nss/patches/paddingextension.patch b/net/third_party/nss/patches/paddingextension.patch
deleted file mode 100644
index 22b1826..0000000
--- a/net/third_party/nss/patches/paddingextension.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:03:25.346656907 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:03:36.916845935 -0800
-@@ -4987,6 +4987,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
- int actual_count = 0;
- PRBool isTLS = PR_FALSE;
- PRInt32 total_exten_len = 0;
-+ unsigned paddingExtensionLen;
- unsigned numCompressionMethods;
- PRInt32 flags;
-
-@@ -5264,6 +5265,20 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
- length += 1 + ss->ssl3.hs.cookieLen;
- }
-
-+ /* A padding extension may be included to ensure that the record containing
-+ * the ClientHello doesn't have a length between 256 and 511 bytes
-+ * (inclusive). Initial, ClientHello records with such lengths trigger bugs
-+ * in F5 devices.
-+ *
-+ * This is not done for DTLS nor for renegotiation. */
-+ if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) {
-+ paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
-+ total_exten_len += paddingExtensionLen;
-+ length += paddingExtensionLen;
-+ } else {
-+ paddingExtensionLen = 0;
-+ }
-+
- rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
- if (rv != SECSuccess) {
- if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
-@@ -5398,6 +5413,13 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
- return SECFailure;
- }
- maxBytes -= extLen;
-+
-+ extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
-+ if (extLen < 0) {
-+ return SECFailure;
-+ }
-+ maxBytes -= extLen;
-+
- PORT_Assert(!maxBytes);
- }
-
-diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 18:58:03.661401846 -0800
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:03:36.916845935 -0800
-@@ -2315,3 +2315,56 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss
- loser:
- return -1;
- }
-+
-+unsigned int
-+ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
-+{
-+ unsigned int recordLength = 1 /* handshake message type */ +
-+ 3 /* handshake message length */ +
-+ clientHelloLength;
-+ unsigned int extensionLength;
-+
-+ if (recordLength < 256 || recordLength >= 512) {
-+ return 0;
-+ }
-+
-+ extensionLength = 512 - recordLength;
-+ /* Extensions take at least four bytes to encode. */
-+ if (extensionLength < 4) {
-+ extensionLength = 4;
-+ }
-+
-+ return extensionLength;
-+}
-+
-+/* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a
-+ * ClientHello record is either < 256 bytes or is >= 512 bytes. This ensures
-+ * that we don't trigger bugs in F5 products. */
-+PRInt32
-+ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
-+ PRUint32 maxBytes)
-+{
-+ unsigned int paddingLen = extensionLen - 4;
-+ unsigned char padding[256];
-+
-+ if (extensionLen == 0) {
-+ return 0;
-+ }
-+
-+ if (extensionLen < 4 ||
-+ extensionLen > maxBytes ||
-+ paddingLen > sizeof(padding)) {
-+ PORT_Assert(0);
-+ return -1;
-+ }
-+
-+ if (SECSuccess != ssl3_AppendHandshakeNumber(ss, ssl_padding_xtn, 2))
-+ return -1;
-+ if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
-+ return -1;
-+ memset(padding, 0, paddingLen);
-+ if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
-+ return -1;
-+
-+ return extensionLen;
-+}
-diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:03:25.346656907 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:03:36.916845935 -0800
-@@ -237,6 +237,13 @@ extern PRInt32
- ssl3_CallHelloExtensionSenders(sslSocket *ss, PRBool append, PRUint32 maxBytes,
- const ssl3HelloExtensionSender *sender);
-
-+extern unsigned int
-+ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength);
-+
-+extern PRInt32
-+ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
-+ PRUint32 maxBytes);
-+
- /* Socket ops */
- struct sslSocketOpsStr {
- int (*connect) (sslSocket *, const PRNetAddr *);
-diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h 2014-01-03 19:02:30.135754914 -0800
-+++ b/nss/lib/ssl/sslt.h 2014-01-03 19:03:36.916845935 -0800
-@@ -205,9 +205,10 @@ typedef enum {
- ssl_session_ticket_xtn = 35,
- ssl_next_proto_nego_xtn = 13172,
- ssl_channel_id_xtn = 30032,
-+ ssl_padding_xtn = 35655,
- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */
- } SSLExtensionType;
-
--#define SSL_MAX_EXTENSIONS 11
-+#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */
-
- #endif /* __sslt_h_ */
diff --git a/net/third_party/nss/patches/paddingextensionall.patch b/net/third_party/nss/patches/paddingextensionall.patch
index 6e70910..c292664 100644
--- a/net/third_party/nss/patches/paddingextensionall.patch
+++ b/net/third_party/nss/patches/paddingextensionall.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:03:55.557150476 -0800
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:04:04.597298171 -0800
-@@ -2324,7 +2324,11 @@ ssl3_CalculatePaddingExtensionLength(uns
+--- a/nss/lib/ssl/ssl3ext.c 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/ssl3ext.c 2014-01-17 18:17:39.630620563 -0800
+@@ -2332,7 +2332,11 @@ ssl3_CalculatePaddingExtensionLength(uns
clientHelloLength;
unsigned int extensionLength;
@@ -14,12 +14,12 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
return 0;
}
-@@ -2345,7 +2349,7 @@ ssl3_AppendPaddingExtension(sslSocket *s
+@@ -2353,7 +2357,7 @@ ssl3_AppendPaddingExtension(sslSocket *s
PRUint32 maxBytes)
{
unsigned int paddingLen = extensionLen - 4;
-- unsigned char padding[256];
-+ unsigned char padding[512];
+- static unsigned char padding[256];
++ static unsigned char padding[512];
if (extensionLen == 0) {
return 0;
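Review bot: Declaring `padding` as `static` in ssl3_AppendPaddingExtension makes it storage shared by every connection, and this hunk leaves it writable. The older copy of the function in the removed paddingextension.patch cleared the buffer with `memset(padding, 0, paddingLen)`. If the upstream body still does that, concurrent handshakes write to the same bytes. If it does not, the array is never written, and `static const unsigned char padding[512];` would guarantee that the extension payload stays all zero. The function body continues outside the hunk, so which case applies should be confirmed against ssl3ext.c.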
diff --git a/net/third_party/nss/patches/restartclientauth.patch b/net/third_party/nss/patches/restartclientauth.patch
index 41fae31..5056cad 100644
--- a/net/third_party/nss/patches/restartclientauth.patch
+++ b/net/third_party/nss/patches/restartclientauth.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:32:06.914793097 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:35:08.237757576 -0800
-@@ -7176,6 +7176,85 @@ done:
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:55:01.518095989 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:55:19.158389328 -0800
+@@ -7199,6 +7199,85 @@ done:
return rv;
}
@@ -88,9 +88,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
ssl3_CheckFalseStart(sslSocket *ss)
{
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:32:06.914793097 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:32:19.164993372 -0800
-@@ -369,6 +369,11 @@ SSL_IMPORT SECStatus SSL_ForceHandshake(
+--- a/nss/lib/ssl/ssl.h 2014-01-17 17:55:01.538096321 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 17:55:19.158389328 -0800
+@@ -399,6 +399,11 @@ SSL_IMPORT SECStatus SSL_ForceHandshake(
SSL_IMPORT SECStatus SSL_ForceHandshakeWithTimeout(PRFileDesc *fd,
PRIntervalTime timeout);
@@ -103,9 +103,9 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
** Query security status of socket. *on is set to one if security is
** enabled. *keySize will contain the stream key size used. *issuer will
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:32:06.914793097 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:32:19.164993372 -0800
-@@ -1579,16 +1579,17 @@ extern SECStatus ssl3_MasterKeyDeriveBy
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:55:01.538096321 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:55:19.158389328 -0800
+@@ -1588,16 +1588,17 @@ extern SECStatus ssl3_MasterKeyDeriveBy
/* These functions are called from secnav, even though they're "private". */
extern int ssl2_SendErrorMessage(struct sslSocketStr *ss, int error);
@@ -128,8 +128,8 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/*
diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
---- a/nss/lib/ssl/sslsecur.c 2014-01-03 19:28:03.560814773 -0800
-+++ b/nss/lib/ssl/sslsecur.c 2014-01-03 19:32:19.174993536 -0800
+--- a/nss/lib/ssl/sslsecur.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslsecur.c 2014-01-17 17:55:19.158389328 -0800
@@ -1518,17 +1518,70 @@ SSL_CertDBHandleSet(PRFileDesc *fd, CERT
return SECSuccess;
}
diff --git a/net/third_party/nss/patches/secitemarray.patch b/net/third_party/nss/patches/secitemarray.patch
index 8e3b537..5c48f5b 100644
--- a/net/third_party/nss/patches/secitemarray.patch
+++ b/net/third_party/nss/patches/secitemarray.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 18:55:44.669133500 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 18:56:54.570274011 -0800
-@@ -1355,6 +1355,15 @@ extern sslSessionIDUncacheFunc ssl_sid_u
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:00:11.213237373 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:03:29.176520864 -0800
+@@ -1364,6 +1364,15 @@ extern sslSessionIDUncacheFunc ssl_sid_u
SEC_BEGIN_PROTOS
@@ -18,8 +18,8 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
extern SECStatus ssl_Init(void);
extern SECStatus ssl_InitializePRErrorTable(void);
diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h 2014-01-03 18:54:48.638219358 -0800
-+++ b/nss/lib/ssl/sslt.h 2014-01-03 18:56:54.570274011 -0800
+--- a/nss/lib/ssl/sslt.h 2014-01-17 17:59:03.252110162 -0800
++++ b/nss/lib/ssl/sslt.h 2014-01-17 18:03:29.186521030 -0800
@@ -10,6 +10,19 @@
#include "prtypes.h"
diff --git a/net/third_party/nss/patches/secretexporterlocks.patch b/net/third_party/nss/patches/secretexporterlocks.patch
index c9c4ff8..85d98df 100644
--- a/net/third_party/nss/patches/secretexporterlocks.patch
+++ b/net/third_party/nss/patches/secretexporterlocks.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
---- a/nss/lib/ssl/sslinfo.c 2014-01-03 19:28:03.550814608 -0800
-+++ b/nss/lib/ssl/sslinfo.c 2014-01-03 19:40:13.512748975 -0800
+--- a/nss/lib/ssl/sslinfo.c 2014-01-17 17:49:26.072517368 -0800
++++ b/nss/lib/ssl/sslinfo.c 2014-01-17 18:00:29.773545219 -0800
@@ -350,8 +350,13 @@ SSL_ExportKeyingMaterial(PRFileDesc *fd,
return SECFailure;
}
diff --git a/net/third_party/nss/patches/sessioncache.patch b/net/third_party/nss/patches/sessioncache.patch
index 6cde719..1564648 100644
--- a/net/third_party/nss/patches/sessioncache.patch
+++ b/net/third_party/nss/patches/sessioncache.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:45:10.857611184 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:45:18.457735467 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 19:00:52.843413560 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 19:01:36.374129696 -0800
@@ -11318,7 +11318,7 @@ ssl3_FinishHandshake(sslSocket * ss)
ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
}
@@ -11,9 +11,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
(*ss->sec.cache)(ss->sec.ci.sid);
ss->ssl3.hs.cacheSID = PR_FALSE;
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:45:10.857611184 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:45:18.457735467 -0800
-@@ -872,6 +872,18 @@ SSL_IMPORT int SSL_DataPending(PRFileDes
+--- a/nss/lib/ssl/ssl.h 2014-01-17 19:00:52.843413560 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 19:01:36.374129696 -0800
+@@ -892,6 +892,18 @@ SSL_IMPORT int SSL_DataPending(PRFileDes
SSL_IMPORT SECStatus SSL_InvalidateSession(PRFileDesc *fd);
/*
@@ -33,8 +33,8 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
*/
SSL_IMPORT SECItem *SSL_GetSessionID(PRFileDesc *fd);
diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
---- a/nss/lib/ssl/sslsecur.c 2014-01-03 19:39:28.452012178 -0800
-+++ b/nss/lib/ssl/sslsecur.c 2014-01-03 19:45:18.467735631 -0800
+--- a/nss/lib/ssl/sslsecur.c 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/sslsecur.c 2014-01-17 19:01:36.374129696 -0800
@@ -1469,6 +1469,49 @@ SSL_InvalidateSession(PRFileDesc *fd)
return rv;
}
diff --git a/net/third_party/nss/patches/signedcertificatetimestamps.patch b/net/third_party/nss/patches/signedcertificatetimestamps.patch
index 4ce0d67..9864372 100644
--- a/net/third_party/nss/patches/signedcertificatetimestamps.patch
+++ b/net/third_party/nss/patches/signedcertificatetimestamps.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:03:55.547150312 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:04:31.257733748 -0800
-@@ -6681,10 +6681,22 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:11:28.314468184 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:23:17.946207727 -0800
+@@ -6682,10 +6682,22 @@ ssl3_HandleServerHello(sslSocket *ss, SS
sid->u.ssl3.sessionIDLength = sidBytes.len;
PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
@@ -24,7 +24,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
/* If we will need a ChannelID key then we make the callback now. This
* allows the handshake to be restarted cleanly if the callback returns
* SECWouldBlock. */
-@@ -6710,6 +6722,9 @@ alert_loser:
+@@ -6711,6 +6723,9 @@ alert_loser:
(void)SSL3_SendAlert(ss, alert_fatal, desc);
loser:
@@ -35,8 +35,8 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
return SECFailure;
}
diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c 2014-01-03 19:04:20.207553209 -0800
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-03 19:04:31.257733748 -0800
+--- a/nss/lib/ssl/ssl3ext.c 2014-01-17 18:22:54.945827814 -0800
++++ b/nss/lib/ssl/ssl3ext.c 2014-01-17 18:35:21.798168722 -0800
@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn
PRUint32 maxBytes);
static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
@@ -60,17 +60,17 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
};
@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSend
- { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
- { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
-- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
-+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
+- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
++ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
+ { ssl_signed_certificate_timestamp_xtn,
+ &ssl3_ClientSendSignedCertTimestampXtn }
/* any extra entries will appear as { 0, NULL } */
};
-@@ -2372,3 +2382,65 @@ ssl3_AppendPaddingExtension(sslSocket *s
+@@ -2379,3 +2389,65 @@ ssl3_AppendPaddingExtension(sslSocket *s
return extensionLen;
}
@@ -137,18 +137,19 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
+ return SECSuccess;
+}
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 18:58:03.661401846 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:04:31.257733748 -0800
-@@ -161,6 +161,8 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
+--- a/nss/lib/ssl/ssl.h 2014-01-17 18:00:11.213237373 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 18:38:15.791045050 -0800
+@@ -181,6 +181,9 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
*/
- #define SSL_CBC_RANDOM_IV 23
- #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
-+/* Request Signed Certificate Timestamps via TLS extension (client) */
-+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
+ #define SSL_ENABLE_ALPN 26
++/* Request Signed Certificate Timestamps via TLS extension (client) */
++#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27
++
#ifdef SSL_DEPRECATED_FUNCTION
/* Old deprecated function names */
-@@ -464,6 +466,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertifi
+ SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
+@@ -483,6 +486,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertifi
*/
SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
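Review bot: `SSL_ENABLE_SIGNED_CERT_TIMESTAMPS` is renumbered from 25 to 27 in the ssl.h hunk, directly after upstream's `SSL_ENABLE_ALPN 26`, and nothing marks the value as locally assigned. As far as this patch shows, the number is chosen by the Chromium patch rather than by upstream NSS, so the next upstream option could take the same value. A caller built against the old header would then toggle a different option through SSL_OptionSet without any error. I would add a comment above the define, for example `/* Chromium-local option number; re-check against upstream ssl.h on every NSS roll. */`. The same applies to `SSL_ENABLE_FALLBACK_SCSV` in fallbackscsv.patch, whose define is not visible here.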
@@ -173,63 +174,17 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
* in the fd's data, which may be sent as part of a server side cert_status
* handshake message. Parameter |responses| is for the server certificate of
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:03:55.557150476 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:04:31.257733748 -0800
-@@ -312,29 +312,30 @@ typedef struct sslOptionsStr {
- * list of supported protocols. */
- SECItem nextProtoNego;
-
-- unsigned int useSecurity : 1; /* 1 */
-- unsigned int useSocks : 1; /* 2 */
-- unsigned int requestCertificate : 1; /* 3 */
-- unsigned int requireCertificate : 2; /* 4-5 */
-- unsigned int handshakeAsClient : 1; /* 6 */
-- unsigned int handshakeAsServer : 1; /* 7 */
-- unsigned int enableSSL2 : 1; /* 8 */
-- unsigned int unusedBit9 : 1; /* 9 */
-- unsigned int unusedBit10 : 1; /* 10 */
-- unsigned int noCache : 1; /* 11 */
-- unsigned int fdx : 1; /* 12 */
-- unsigned int v2CompatibleHello : 1; /* 13 */
-- unsigned int detectRollBack : 1; /* 14 */
-- unsigned int noStepDown : 1; /* 15 */
-- unsigned int bypassPKCS11 : 1; /* 16 */
-- unsigned int noLocks : 1; /* 17 */
-- unsigned int enableSessionTickets : 1; /* 18 */
-- unsigned int enableDeflate : 1; /* 19 */
-- unsigned int enableRenegotiation : 2; /* 20-21 */
-- unsigned int requireSafeNegotiation : 1; /* 22 */
-- unsigned int enableFalseStart : 1; /* 23 */
-- unsigned int cbcRandomIV : 1; /* 24 */
-- unsigned int enableOCSPStapling : 1; /* 25 */
-+ unsigned int useSecurity : 1; /* 1 */
-+ unsigned int useSocks : 1; /* 2 */
-+ unsigned int requestCertificate : 1; /* 3 */
-+ unsigned int requireCertificate : 2; /* 4-5 */
-+ unsigned int handshakeAsClient : 1; /* 6 */
-+ unsigned int handshakeAsServer : 1; /* 7 */
-+ unsigned int enableSSL2 : 1; /* 8 */
-+ unsigned int unusedBit9 : 1; /* 9 */
-+ unsigned int unusedBit10 : 1; /* 10 */
-+ unsigned int noCache : 1; /* 11 */
-+ unsigned int fdx : 1; /* 12 */
-+ unsigned int v2CompatibleHello : 1; /* 13 */
-+ unsigned int detectRollBack : 1; /* 14 */
-+ unsigned int noStepDown : 1; /* 15 */
-+ unsigned int bypassPKCS11 : 1; /* 16 */
-+ unsigned int noLocks : 1; /* 17 */
-+ unsigned int enableSessionTickets : 1; /* 18 */
-+ unsigned int enableDeflate : 1; /* 19 */
-+ unsigned int enableRenegotiation : 2; /* 20-21 */
-+ unsigned int requireSafeNegotiation : 1; /* 22 */
-+ unsigned int enableFalseStart : 1; /* 23 */
-+ unsigned int cbcRandomIV : 1; /* 24 */
-+ unsigned int enableOCSPStapling : 1; /* 25 */
-+ unsigned int enableSignedCertTimestamps : 1; /* 26 */
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 18:11:28.314468184 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 18:27:22.540248428 -0800
+@@ -337,6 +337,7 @@ typedef struct sslOptionsStr {
+ unsigned int enableOCSPStapling : 1; /* 25 */
+ unsigned int enableNPN : 1; /* 26 */
+ unsigned int enableALPN : 1; /* 27 */
++ unsigned int enableSignedCertTimestamps : 1; /* 28 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
-@@ -717,6 +718,11 @@ struct sslSessionIDStr {
+@@ -719,6 +720,11 @@ struct sslSessionIDStr {
* resumption handshake to the original handshake. */
SECItem originalHandshakeHash;
@@ -241,7 +196,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
/* This lock is lazily initialized by CacheSID when a sid is first
* cached. Before then, there is no need to lock anything because
* the sid isn't being shared by anything.
-@@ -825,6 +831,18 @@ struct TLSExtensionDataStr {
+@@ -827,6 +833,18 @@ struct TLSExtensionDataStr {
* is beyond ssl3_HandleClientHello function. */
SECItem *sniNameArr;
PRUint32 sniNameArrSize;
@@ -261,9 +216,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
typedef SECStatus (*sslRestartTarget)(sslSocket *);
diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
---- a/nss/lib/ssl/sslnonce.c 2014-01-03 19:03:25.356657071 -0800
-+++ b/nss/lib/ssl/sslnonce.c 2014-01-03 19:05:48.568996889 -0800
-@@ -133,6 +133,9 @@ ssl_DestroySID(sslSessionID *sid)
+--- a/nss/lib/ssl/sslnonce.c 2014-01-17 18:11:28.314468184 -0800
++++ b/nss/lib/ssl/sslnonce.c 2014-01-17 18:23:17.956207890 -0800
+@@ -131,6 +131,9 @@ ssl_DestroySID(sslSessionID *sid)
if (sid->u.ssl3.originalHandshakeHash.data) {
SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
}
@@ -274,61 +229,61 @@ diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
if (sid->u.ssl3.lock) {
PR_DestroyRWLock(sid->u.ssl3.lock);
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 18:57:38.240986619 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:06:53.560058775 -0800
-@@ -85,7 +85,8 @@ static sslOptions ssl_defaults = {
- PR_FALSE, /* requireSafeNegotiation */
- PR_FALSE, /* enableFalseStart */
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 18:04:43.127747463 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:44:09.246889487 -0800
+@@ -87,7 +87,8 @@ static sslOptions ssl_defaults = {
PR_TRUE, /* cbcRandomIV */
-- PR_FALSE /* enableOCSPStapling */
-+ PR_FALSE, /* enableOCSPStapling */
+ PR_FALSE, /* enableOCSPStapling */
+ PR_TRUE, /* enableNPN */
+- PR_FALSE /* enableALPN */
++ PR_FALSE, /* enableALPN */
+ PR_FALSE /* enableSignedCertTimestamps */
};
/*
-@@ -777,6 +778,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
- ss->opt.enableOCSPStapling = on;
- break;
+@@ -787,6 +788,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ ss->opt.enableALPN = on;
+ break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+ ss->opt.enableSignedCertTimestamps = on;
-+ break;
++ ss->opt.enableSignedCertTimestamps = on;
++ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
-@@ -847,6 +852,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
- case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
- case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
+@@ -859,6 +864,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
+ case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break;
+ case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+ on = ss->opt.enableSignedCertTimestamps;
-+ break;
++ on = ss->opt.enableSignedCertTimestamps;
++ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -908,6 +916,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
- case SSL_ENABLE_OCSP_STAPLING:
- on = ssl_defaults.enableOCSPStapling;
+@@ -922,6 +930,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
break;
+ case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break;
+ case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+ on = ssl_defaults.enableSignedCertTimestamps;
-+ break;
++ on = ssl_defaults.enableSignedCertTimestamps;
++ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1075,6 +1086,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
- ssl_defaults.enableOCSPStapling = on;
- break;
+@@ -1097,6 +1108,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+ ssl_defaults.enableALPN = on;
+ break;
+ case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+ ssl_defaults.enableSignedCertTimestamps = on;
-+ break;
++ ssl_defaults.enableSignedCertTimestamps = on;
++ break;
+
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
-@@ -1899,6 +1914,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc
+@@ -1921,6 +1936,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc
return &ss->sec.ci.sid->peerCertStatus;
}
@@ -359,8 +314,8 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
sslSocket *ss = ssl_FindSocket(fd);
diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h 2014-01-03 19:03:55.557150476 -0800
-+++ b/nss/lib/ssl/sslt.h 2014-01-03 19:04:31.257733748 -0800
+--- a/nss/lib/ssl/sslt.h 2014-01-17 18:10:16.793281867 -0800
++++ b/nss/lib/ssl/sslt.h 2014-01-17 18:23:17.956207890 -0800
@@ -202,6 +202,7 @@ typedef enum {
ssl_signature_algorithms_xtn = 13,
ssl_use_srtp_xtn = 14,
diff --git a/net/third_party/nss/patches/tls12chromium.patch b/net/third_party/nss/patches/tls12chromium.patch
index cc10c1e..0d6d407 100644
--- a/net/third_party/nss/patches/tls12chromium.patch
+++ b/net/third_party/nss/patches/tls12chromium.patch
@@ -1,6 +1,6 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 18:55:44.659133336 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 18:57:20.390695317 -0800
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 18:00:11.213237373 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 18:04:22.497405273 -0800
@@ -31,6 +31,15 @@
#include "blapi.h"
#endif
@@ -18,8 +18,8 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
#ifdef NSS_ENABLE_ZLIB
#include "zlib.h"
diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
---- a/nss/lib/ssl/ssl3ecc.c 2014-01-03 18:56:43.300090124 -0800
-+++ b/nss/lib/ssl/ssl3ecc.c 2014-01-03 18:57:20.390695317 -0800
+--- a/nss/lib/ssl/ssl3ecc.c 2014-01-17 18:01:31.474568608 -0800
++++ b/nss/lib/ssl/ssl3ecc.c 2014-01-17 18:04:22.497405273 -0800
@@ -30,6 +30,12 @@
#include <stdio.h>
@@ -34,8 +34,8 @@ diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
#ifndef PK11_SETATTRS
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 18:55:44.669133500 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 18:57:20.400695477 -0800
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 18:00:11.213237373 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 18:04:22.497405273 -0800
@@ -17,8 +17,15 @@
#ifndef NO_PKCS11_BYPASS
#include "blapi.h"
@@ -52,7 +52,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
#define SET_ERROR_CODE /* reminder */
static const sslSocketOps ssl_default_ops = { /* No SSL. */
-@@ -1814,6 +1821,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV
+@@ -1836,6 +1843,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV
return SECSuccess;
}
@@ -77,7 +77,7 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
SECStatus
SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
{
-@@ -1834,6 +1859,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons
+@@ -1856,6 +1881,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons
ssl_GetSSL3HandshakeLock(ss);
ss->vrange = *vrange;
diff --git a/net/third_party/nss/patches/tlsunique.patch b/net/third_party/nss/patches/tlsunique.patch
index 55e44ce..5b094a7 100644
--- a/net/third_party/nss/patches/tlsunique.patch
+++ b/net/third_party/nss/patches/tlsunique.patch
@@ -1,7 +1,7 @@
diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c 2014-01-03 19:39:28.442012014 -0800
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-03 19:39:45.052283611 -0800
-@@ -12358,6 +12358,68 @@ ssl3_InitSocketPolicy(sslSocket *ss)
+--- a/nss/lib/ssl/ssl3con.c 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/ssl3con.c 2014-01-17 17:59:45.862816905 -0800
+@@ -12383,6 +12383,68 @@ ssl3_InitSocketPolicy(sslSocket *ss)
PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
}
@@ -71,9 +71,9 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
* the caller of this function.
*/
diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-03 19:39:28.442012014 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-03 19:39:45.052283611 -0800
-@@ -252,6 +252,27 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDe
+--- a/nss/lib/ssl/ssl.h 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/ssl.h 2014-01-17 17:59:45.862816905 -0800
+@@ -282,6 +282,27 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDe
SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
@@ -102,9 +102,9 @@ diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
**
** This API should be used to control SSL 3.0 & TLS support instead of the
diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h 2014-01-03 19:39:28.452012178 -0800
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-03 19:39:45.072283939 -0800
-@@ -1844,6 +1844,11 @@ extern PRBool ssl_GetSessionTicketKeysPK
+--- a/nss/lib/ssl/sslimpl.h 2014-01-17 17:59:03.242109996 -0800
++++ b/nss/lib/ssl/sslimpl.h 2014-01-17 17:59:45.862816905 -0800
+@@ -1853,6 +1853,11 @@ extern PRBool ssl_GetSessionTicketKeysPK
extern SECStatus ssl3_ValidateNextProtoNego(const unsigned char* data,
unsigned int length);
@@ -117,9 +117,9 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
extern PRFileDesc *ssl_NewPRSocket(sslSocket *ss, PRFileDesc *fd);
extern void ssl_FreePRSocket(PRFileDesc *fd);
diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c 2014-01-03 19:39:28.452012178 -0800
-+++ b/nss/lib/ssl/sslsock.c 2014-01-03 19:39:45.092284267 -0800
-@@ -1286,6 +1286,27 @@ NSS_SetFrancePolicy(void)
+--- a/nss/lib/ssl/sslsock.c 2014-01-17 17:59:03.252110162 -0800
++++ b/nss/lib/ssl/sslsock.c 2014-01-17 17:59:45.872817074 -0800
+@@ -1308,6 +1308,27 @@ NSS_SetFrancePolicy(void)
return NSS_SetDomesticPolicy();
}
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 44081f0..51b557a 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -161,9 +161,29 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
*/
#define SSL_CBC_RANDOM_IV 23
#define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
+
+/* SSL_ENABLE_NPN controls whether the NPN extension is enabled for the initial
+ * handshake when protocol negotiation is used. SSL_SetNextProtoCallback
+ * or SSL_SetNextProtoNego must be used to control the protocol negotiation;
+ * otherwise, the NPN extension will not be negotiated. SSL_ENABLE_NPN is
+ * currently enabled by default but this may change in future versions.
+ */
+#define SSL_ENABLE_NPN 25
+
+/* SSL_ENABLE_ALPN controls whether the ALPN extension is enabled for the
+ * initial handshake when protocol negotiation is used. SSL_SetNextProtoNego
+ * (not SSL_SetNextProtoCallback) must be used to control the protocol
+ * negotiation; otherwise, the ALPN extension will not be negotiated. ALPN is
+ * not negotiated for renegotiation handshakes, even though the ALPN
+ * specification defines a way to use ALPN during renegotiations.
+ * SSL_ENABLE_ALPN is currently disabled by default, but this may change in
+ * future versions.
+ */
+#define SSL_ENABLE_ALPN 26
+
/* Request Signed Certificate Timestamps via TLS extension (client) */
-#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 25
-#define SSL_ENABLE_FALLBACK_SCSV 26 /* Send fallback SCSV in
+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27
+#define SSL_ENABLE_FALLBACK_SCSV 28 /* Send fallback SCSV in
* handshakes. */
#ifdef SSL_DEPRECATED_FUNCTION
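Review bot: Renumbering `SSL_ENABLE_SIGNED_CERT_TIMESTAMPS` (25 to 27) and `SSL_ENABLE_FALLBACK_SCSV` (26 to 28) at the end of this hunk means 25 and 26 now select NPN and ALPN. A caller built against the previous header that passes 26 to request the fallback SCSV would toggle ALPN instead, get `SECSuccess`, and send no SCSV. Inside this bundled copy everything is recompiled together, so the exposure is limited to stale or out-of-tree objects. Both options appear to be carried as local patches, so a comment above them would make the instability explicit, for example `/* Local option numbers, not in upstream NSS; they move whenever upstream allocates new values. */`.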
diff --git a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
index ba370a5..e96ae8c 100644
--- a/net/third_party/nss/ssl/ssl3con.c
+++ b/net/third_party/nss/ssl/ssl3con.c
@@ -10671,7 +10671,7 @@ ssl3_SendNextProto(sslSocket *ss)
static const unsigned char padding[32] = {0};
if (ss->ssl3.nextProto.len == 0 ||
- ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
+ ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
return SECSuccess;
}
diff --git a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
index 019f2b6..6827ee7 100644
--- a/net/third_party/nss/ssl/ssl3ext.c
+++ b/net/third_party/nss/ssl/ssl3ext.c
@@ -57,7 +57,7 @@ static SECStatus ssl3_ClientHandleAppProtoXtn(sslSocket *ss,
static SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
PRUint16 ex_type, SECItem *data);
static PRInt32 ssl3_ClientSendAppProtoXtn(sslSocket *ss, PRBool append,
- PRUint32 maxBytes);
+ PRUint32 maxBytes);
static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
PRUint32 maxBytes);
static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
@@ -283,19 +283,19 @@ static const ssl3HelloExtensionHandler serverHelloHandlersSSL3[] = {
*/
static const
ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
- { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
- { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
+ { ssl_server_name_xtn, &ssl3_SendServerNameXtn },
+ { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
#ifdef NSS_ENABLE_ECC
- { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
- { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
+ { ssl_elliptic_curves_xtn, &ssl3_SendSupportedCurvesXtn },
+ { ssl_ec_point_formats_xtn, &ssl3_SendSupportedPointFormatsXtn },
#endif
- { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
- { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
- { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
- { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
- { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
- { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
+ { ssl_session_ticket_xtn, &ssl3_SendSessionTicketXtn },
+ { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
+ { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
+ { ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn },
+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn },
+ { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
{ ssl_signed_certificate_timestamp_xtn,
&ssl3_ClientSendSignedCertTimestampXtn }
/* any extra entries will appear as { 0, NULL } */
@@ -631,6 +631,11 @@ ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss, PRUint16 ex_type,
PORT_Assert(!ss->firstHsDone);
if (ssl3_ExtensionNegotiated(ss, ssl_app_layer_protocol_xtn)) {
+ /* If the server negotiated ALPN then it has already told us what protocol
+ * to use, so it doesn't make sense for us to try to negotiate a different
+ * one by sending the NPN handshake message. However, if we've negotiated
+ * NPN then we're required to send the NPN handshake message. Thus, these
+ * two extensions cannot both be negotiated on the same connection. */
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
@@ -691,8 +696,7 @@ ssl3_ClientHandleAppProtoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
name_list_len = ((PRUint16) d[0]) << 8 |
((PRUint16) d[1]);
- if (name_list_len != data->len - 2 ||
- d[2] != data->len - 3) {
+ if (name_list_len != data->len - 2 || d[2] != data->len - 3) {
PORT_SetError(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID);
return SECFailure;
}
@@ -713,7 +717,7 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss, PRBool append,
PRInt32 extension_length;
/* Renegotiations do not send this extension. */
- if (!ss->nextProtoCallback || ss->firstHsDone) {
+ if (!ss->opt.enableNPN || !ss->nextProtoCallback || ss->firstHsDone) {
return 0;
}
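Review bot: The comment `/* Renegotiations do not send this extension. */` above the new condition in ssl3_ClientSendNextProtoNegoXtn now describes only the last of its three terms. The same applies to the matching hunk in ssl3_ClientSendAppProtoXtn. Since `enableNPN` and `enableALPN` now decide what the ClientHello advertises, the comments should say so, for example `/* Sent only if NPN is enabled and a callback is set; never on renegotiation. */` and `/* Sent only if ALPN is enabled and a protocol list is set; never on renegotiation. */`. Both function bodies continue outside their hunks.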
@@ -746,13 +750,13 @@ ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
unsigned char *alpn_protos = NULL;
/* Renegotiations do not send this extension. */
- if (!ss->opt.nextProtoNego.data || ss->firstHsDone) {
+ if (!ss->opt.enableALPN || !ss->opt.nextProtoNego.data || ss->firstHsDone) {
return 0;
}
extension_length = 2 /* extension type */ + 2 /* extension length */ +
- 2 /* protocol name list length */ +
- ss->opt.nextProtoNego.len;
+ 2 /* protocol name list length */ +
+ ss->opt.nextProtoNego.len;
if (append && maxBytes >= extension_length) {
/* NPN requires that the client's fallback protocol is first in the
@@ -779,16 +783,19 @@ ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
}
rv = ssl3_AppendHandshakeNumber(ss, ssl_app_layer_protocol_xtn, 2);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
goto loser;
+ }
rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
goto loser;
+ }
rv = ssl3_AppendHandshakeVariable(ss, alpn_protos, len, 2);
PORT_Free(alpn_protos);
alpn_protos = NULL;
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
goto loser;
+ }
ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
ssl_app_layer_protocol_xtn;
} else if (maxBytes < extension_length) {
@@ -798,8 +805,9 @@ ssl3_ClientSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
return extension_length;
loser:
- if (alpn_protos)
+ if (alpn_protos) {
PORT_Free(alpn_protos);
+ }
return -1;
}
@@ -2342,13 +2350,13 @@ ssl3_CalculatePaddingExtensionLength(unsigned int clientHelloLength)
return 0;
}
- extensionLength = 512 - recordLength;
- /* Extensions take at least four bytes to encode. */
- if (extensionLength < 4) {
- extensionLength = 4;
- }
+ extensionLength = 512 - recordLength;
+ /* Extensions take at least four bytes to encode. */
+ if (extensionLength < 4) {
+ extensionLength = 4;
+ }
- return extensionLength;
+ return extensionLength;
}
/* ssl3_AppendPaddingExtension possibly adds an extension which ensures that a
@@ -2359,7 +2367,7 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
PRUint32 maxBytes)
{
unsigned int paddingLen = extensionLen - 4;
- unsigned char padding[512];
+ static unsigned char padding[512];
if (extensionLen == 0) {
return 0;
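Review bot: `static unsigned char padding[512];` in ssl3_AppendPaddingExtension makes the zero padding a writable buffer shared by every connection and thread. The next hunk removes the `memset`, so any stray write to it would be sent in all later ClientHello padding. Declaring it `static const unsigned char padding[512] = {0};` places it in read-only data and matches the `static const unsigned char padding[32] = {0};` already used in ssl3_SendNextProto. The function continues outside this hunk, so the bound check of `paddingLen` against `sizeof(padding)` is not visible here and should be confirmed before `ssl3_AppendHandshake` reads from the buffer.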
@@ -2376,7 +2384,6 @@ ssl3_AppendPaddingExtension(sslSocket *ss, unsigned int extensionLen,
return -1;
if (SECSuccess != ssl3_AppendHandshakeNumber(ss, paddingLen, 2))
return -1;
- memset(padding, 0, paddingLen);
if (SECSuccess != ssl3_AppendHandshake(ss, padding, paddingLen))
return -1;
diff --git a/net/third_party/nss/ssl/sslenum.c b/net/third_party/nss/ssl/sslenum.c
index eaba1f5..d601207 100644
--- a/net/third_party/nss/ssl/sslenum.c
+++ b/net/third_party/nss/ssl/sslenum.c
@@ -41,7 +41,7 @@
* suites, with the MSB zeroed, look like:
* TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA { 0x00,0x14 }
* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA { 0x00,0x13 }
- * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 {0x00,0x2B }
+ * TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B }
* TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
* TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
* TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
diff --git a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
index 89a3b8e..8754e16 100644
--- a/net/third_party/nss/ssl/sslimpl.h
+++ b/net/third_party/nss/ssl/sslimpl.h
@@ -312,31 +312,33 @@ typedef struct sslOptionsStr {
* list of supported protocols. */
SECItem nextProtoNego;
- unsigned int useSecurity : 1; /* 1 */
- unsigned int useSocks : 1; /* 2 */
- unsigned int requestCertificate : 1; /* 3 */
- unsigned int requireCertificate : 2; /* 4-5 */
- unsigned int handshakeAsClient : 1; /* 6 */
- unsigned int handshakeAsServer : 1; /* 7 */
- unsigned int enableSSL2 : 1; /* 8 */
- unsigned int unusedBit9 : 1; /* 9 */
- unsigned int unusedBit10 : 1; /* 10 */
- unsigned int noCache : 1; /* 11 */
- unsigned int fdx : 1; /* 12 */
- unsigned int v2CompatibleHello : 1; /* 13 */
- unsigned int detectRollBack : 1; /* 14 */
- unsigned int noStepDown : 1; /* 15 */
- unsigned int bypassPKCS11 : 1; /* 16 */
- unsigned int noLocks : 1; /* 17 */
- unsigned int enableSessionTickets : 1; /* 18 */
- unsigned int enableDeflate : 1; /* 19 */
- unsigned int enableRenegotiation : 2; /* 20-21 */
- unsigned int requireSafeNegotiation : 1; /* 22 */
- unsigned int enableFalseStart : 1; /* 23 */
- unsigned int cbcRandomIV : 1; /* 24 */
- unsigned int enableOCSPStapling : 1; /* 25 */
- unsigned int enableSignedCertTimestamps : 1; /* 26 */
- unsigned int enableFallbackSCSV : 1; /* 27 */
+ unsigned int useSecurity : 1; /* 1 */
+ unsigned int useSocks : 1; /* 2 */
+ unsigned int requestCertificate : 1; /* 3 */
+ unsigned int requireCertificate : 2; /* 4-5 */
+ unsigned int handshakeAsClient : 1; /* 6 */
+ unsigned int handshakeAsServer : 1; /* 7 */
+ unsigned int enableSSL2 : 1; /* 8 */
+ unsigned int unusedBit9 : 1; /* 9 */
+ unsigned int unusedBit10 : 1; /* 10 */
+ unsigned int noCache : 1; /* 11 */
+ unsigned int fdx : 1; /* 12 */
+ unsigned int v2CompatibleHello : 1; /* 13 */
+ unsigned int detectRollBack : 1; /* 14 */
+ unsigned int noStepDown : 1; /* 15 */
+ unsigned int bypassPKCS11 : 1; /* 16 */
+ unsigned int noLocks : 1; /* 17 */
+ unsigned int enableSessionTickets : 1; /* 18 */
+ unsigned int enableDeflate : 1; /* 19 */
+ unsigned int enableRenegotiation : 2; /* 20-21 */
+ unsigned int requireSafeNegotiation : 1; /* 22 */
+ unsigned int enableFalseStart : 1; /* 23 */
+ unsigned int cbcRandomIV : 1; /* 24 */
+ unsigned int enableOCSPStapling : 1; /* 25 */
+ unsigned int enableNPN : 1; /* 26 */
+ unsigned int enableALPN : 1; /* 27 */
+ unsigned int enableSignedCertTimestamps : 1; /* 28 */
+ unsigned int enableFallbackSCSV : 1; /* 29 */
} sslOptions;
typedef enum { sslHandshakingUndetermined = 0,
diff --git a/net/third_party/nss/ssl/sslnonce.c b/net/third_party/nss/ssl/sslnonce.c
index 105ce9f..bef0931 100644
--- a/net/third_party/nss/ssl/sslnonce.c
+++ b/net/third_party/nss/ssl/sslnonce.c
@@ -114,10 +114,8 @@ ssl_DestroySID(sslSessionID *sid)
{
int i;
SSL_TRC(8, ("SSL: destroy sid: sid=0x%x cached=%d", sid, sid->cached));
- PORT_Assert((sid->references == 0));
-
- if (sid->cached == in_client_cache)
- return; /* it will get taken care of next time cache is traversed. */
+ PORT_Assert(sid->references == 0);
+ PORT_Assert(sid->cached != in_client_cache);
if (sid->version < SSL_LIBRARY_VERSION_3_0) {
SECITEM_ZfreeItem(&sid->u.ssl2.masterKey, PR_FALSE);
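Review bot: `PORT_Assert(sid->cached != in_client_cache);` replaces a runtime early return in ssl_DestroySID, so in builds where PORT_Assert compiles to nothing, a session ID still linked into the client cache would be freed and leave a dangling list entry. The two ssl_LookupSID hunks below rely on the same invariant: they drop the `!sid->references` test and always call `ssl_FreeLockedSID`. This is safe only if the cache itself holds a counted reference on every entry, and the code that takes that reference is not part of this diff. I would state the invariant next to the assert, for example `/* The client cache owns one reference, so a cached sid cannot reach zero references. */`. Also consider keeping `if (sid->cached == in_client_cache) return;` after the assert, so that a violation leaks the entry rather than freeing it while it is still linked. The function body continues outside the hunk.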
@@ -222,9 +220,9 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
SSL_TRC(8, ("SSL: Lookup1: sid=0x%x", sid));
- if (sid->expirationTime < now || !sid->references) {
+ if (sid->expirationTime < now) {
/*
- ** This session-id timed out, or was orphaned.
+ ** This session-id timed out.
** Don't even care who it belongs to, blow it out of our cache.
*/
SSL_TRC(7, ("SSL: lookup1, throwing sid out, age=%d refs=%d",
@@ -232,11 +230,7 @@ ssl_LookupSID(const PRIPv6Addr *addr, PRUint16 port, const char *peerID,
*sidp = sid->next; /* delink it from the list. */
sid->cached = invalid_cache; /* mark not on list. */
- if (!sid->references)
- ssl_DestroySID(sid);
- else
- ssl_FreeLockedSID(sid); /* drop ref count, free. */
-
+ ssl_FreeLockedSID(sid); /* drop ref count, free. */
} else if (!memcmp(&sid->addr, addr, sizeof(PRIPv6Addr)) && /* server IP addr matches */
(sid->port == port) && /* server port matches */
/* proxy (peerID) matches */
diff --git a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
index 58d36c1..028cd98 100644
--- a/net/third_party/nss/ssl/sslsock.c
+++ b/net/third_party/nss/ssl/sslsock.c
@@ -86,6 +86,8 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* enableFalseStart */
PR_TRUE, /* cbcRandomIV */
PR_FALSE, /* enableOCSPStapling */
+ PR_TRUE, /* enableNPN */
+ PR_FALSE, /* enableALPN */
PR_FALSE, /* enableSignedCertTimestamps */
PR_FALSE /* enableFallbackSCSV */
};
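Review bot: The new `PR_TRUE, /* enableNPN */` and `PR_FALSE, /* enableALPN */` entries are positional initializers, so they are correct only while their order matches the bit-field order of `sslOptionsStr` in sslimpl.h. This commit inserts the two fields in the middle of both lists and they do line up. A later insertion made in only one of the two files would silently shift security defaults such as `enableFallbackSCSV` without any compiler diagnostic. A comment above the initializer, whose start is outside this hunk, would record the coupling: `/* Order must match the bit-fields of sslOptionsStr in sslimpl.h. */`.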
@@ -779,9 +781,17 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
ss->opt.enableOCSPStapling = on;
break;
+ case SSL_ENABLE_NPN:
+ ss->opt.enableNPN = on;
+ break;
+
+ case SSL_ENABLE_ALPN:
+ ss->opt.enableALPN = on;
+ break;
+
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- ss->opt.enableSignedCertTimestamps = on;
- break;
+ ss->opt.enableSignedCertTimestamps = on;
+ break;
case SSL_ENABLE_FALLBACK_SCSV:
ss->opt.enableFallbackSCSV = on;
@@ -857,9 +867,11 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
case SSL_ENABLE_FALSE_START: on = ss->opt.enableFalseStart; break;
case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
+ case SSL_ENABLE_NPN: on = ss->opt.enableNPN; break;
+ case SSL_ENABLE_ALPN: on = ss->opt.enableALPN; break;
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- on = ss->opt.enableSignedCertTimestamps;
- break;
+ on = ss->opt.enableSignedCertTimestamps;
+ break;
case SSL_ENABLE_FALLBACK_SCSV: on = ss->opt.enableFallbackSCSV; break;
default:
@@ -922,12 +934,14 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
case SSL_ENABLE_OCSP_STAPLING:
on = ssl_defaults.enableOCSPStapling;
break;
+ case SSL_ENABLE_NPN: on = ssl_defaults.enableNPN; break;
+ case SSL_ENABLE_ALPN: on = ssl_defaults.enableALPN; break;
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- on = ssl_defaults.enableSignedCertTimestamps;
- break;
+ on = ssl_defaults.enableSignedCertTimestamps;
+ break;
case SSL_ENABLE_FALLBACK_SCSV:
- on = ssl_defaults.enableFallbackSCSV;
- break;
+ on = ssl_defaults.enableFallbackSCSV;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1095,9 +1109,17 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
ssl_defaults.enableOCSPStapling = on;
break;
+ case SSL_ENABLE_NPN:
+ ssl_defaults.enableNPN = on;
+ break;
+
+ case SSL_ENABLE_ALPN:
+ ssl_defaults.enableALPN = on;
+ break;
+
case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
- ssl_defaults.enableSignedCertTimestamps = on;
- break;
+ ssl_defaults.enableSignedCertTimestamps = on;
+ break;
case SSL_ENABLE_FALLBACK_SCSV:
ssl_defaults.enableFallbackSCSV = on;