Name: Network Security Services (NSS) URL: http://www.mozilla.org/projects/security/pki/nss/ Version: 3.15 Beta 2 Security Critical: Yes License: MPL 2 License File: NOT_SHIPPED This directory includes a copy of NSS's libssl from the hg repo at: https://hg.mozilla.org/projects/nss The same module appears in crypto/third_party/nss (and third_party/nss on some platforms), so we don't repeat the license file here. The snapshot was updated to the hg tag: NSS_3_15_BETA2 Patches: * Commenting out a couple of functions because they need NSS symbols which may not exist in the system NSS library. patches/versionskew.patch * Send empty renegotiation info extension instead of SCSV unless TLS is disabled. patches/renegoscsv.patch https://bugzilla.mozilla.org/show_bug.cgi?id=549042 * Cache the peer's intermediate CA certificates in session ID, so that they're available when we resume a session. patches/cachecerts.patch https://bugzilla.mozilla.org/show_bug.cgi?id=731478 * Add the SSL_PeerCertificateChain function patches/peercertchain.patch https://bugzilla.mozilla.org/show_bug.cgi?id=731485 * Add support for client auth with native crypto APIs on Mac and Windows patches/clientauth.patch ssl/sslplatf.c * Add a function to export whether the last handshake on a socket resumed a previous session. patches/didhandshakeresume.patch https://bugzilla.mozilla.org/show_bug.cgi?id=731798 * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished. https://bugzilla.mozilla.org/show_bug.cgi?id=681839 patches/negotiatedextension.patch * Add function to retrieve TLS client cert types requested by server. https://bugzilla.mozilla.org/show_bug.cgi?id=51413 patches/getrequestedclientcerttypes.patch * Add a function to restart a handshake after a client certificate request. patches/restartclientauth.patch * Add support for TLS Channel IDs patches/channelid.patch * Add support for extracting the tls-unique channel binding value patches/tlsunique.patch https://bugzilla.mozilla.org/show_bug.cgi?id=563276 * Define the EC_POINT_FORM_UNCOMPRESSED macro. In NSS 3.13.2 the macro definition was moved from the internal header ec.h to blapit.h. When compiling against older system NSS headers, we need to define the macro. patches/ecpointform.patch * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock. This change was made in https://chromiumcodereview.appspot.com/10454066. patches/secretexporterlocks.patch * Allow the constant-time CBC processing code to be compiled against older NSS that doesn't contain the CBC constant-time changes. patches/cbc.patch https://code.google.com/p/chromium/issues/detail?id=172658#c12 * Define AES_256_KEY_LENGTH if the system blapit.h header doesn't define it. Remove this patch when all system NSS packages are NSS 3.12.10 or later. patches/aes256keylength.patch * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS versions older than 3.15 report an EC key size range of 112 bits to 571 bits, even when it is compiled to support only the NIST P-256, P-384, and P-521 curves. Remove this patch when all system NSS softoken packages are NSS 3.15 or later. patches/suitebonly.patch * Define the SECItemArray type and declare the SECItemArray handling functions, which were added in NSS 3.15. Remove this patch when all system NSS packages are NSS 3.15 or later. patches/secitemarray.patch * Remove unused variables in ssl3_SendCertificateStatus. patches/unusedvariables.patch https://bugzilla.mozilla.org/show_bug.cgi?id=866949 * Fix bugs in the code in ssl3_HandleHandshakeMessage that handles a CertificateStatus message. patches/handlecertstatus.patch https://bugzilla.mozilla.org/show_bug.cgi?id=867795 * Implement TLS 1.2. patches/tls12.patch patches/tls12certrequest.patch patches/tls12hmacsha256.patch patches/tls12handshakehashes.patch https://bugzilla.mozilla.org/show_bug.cgi?id=480514 * Update Chromium-specific code for TLS 1.2. patches/tls12chromium.patch Apply the patches to NSS by running the patches/applypatches.sh script. Read the comments at the top of patches/applypatches.sh for instructions. The ssl/bodge directory contains files taken from the NSS repo that we required for building libssl outside of its usual build environment.