blob: 0f970f79a41b848764d8c7b74f8827c2b46c9f7f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
Version: 3.15.4
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED
This directory includes a copy of NSS's libssl from the hg repo at:
https://hg.mozilla.org/projects/nss
The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.
The snapshot was updated to the hg tag: NSS_3_15_4_RTM
Patches:
* Cache the peer's intermediate CA certificates in session ID, so that
they're available when we resume a session.
patches/cachecerts.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=731478
* Add support for client auth with native crypto APIs on Mac and Windows.
patches/clientauth.patch
ssl/sslplatf.c
* Add a function to export whether the last handshake on a socket resumed a
previous session.
patches/didhandshakeresume.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=731798
* Add function to retrieve TLS client cert types requested by server.
https://bugzilla.mozilla.org/show_bug.cgi?id=51413
patches/getrequestedclientcerttypes.patch
* Add a function to restart a handshake after a client certificate request.
patches/restartclientauth.patch
* Add support for TLS Channel IDs
patches/channelid.patch
* Add support for extracting the tls-unique channel binding value
patches/tlsunique.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=563276
* SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
This change was made in https://chromiumcodereview.appspot.com/10454066.
patches/secretexporterlocks.patch
* Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
versions older than 3.15 report an EC key size range of 112 bits to 571
bits, even when it is compiled to support only the NIST P-256, P-384, and
P-521 curves. Remove this patch when all system NSS softoken packages are
NSS 3.15 or later.
patches/suitebonly.patch
* Define the SECItemArray type and declare the SECItemArray handling
functions, which were added in NSS 3.15. Remove this patch when all system
NSS packages are NSS 3.15 or later.
patches/secitemarray.patch
* Update Chromium-specific code for TLS 1.2.
patches/tls12chromium.patch
* Add the Application Layer Protocol Negotiation extension.
patches/alpn.patch
* Add Chromium-specific code to detect AES GCM support in the system NSS
libraries at run time. Remove this patch when all system NSS packages are
NSS 3.15 or later.
patches/aesgcmchromium.patch
* Support ChaCha20+Poly1305 ciphersuites
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01
patches/chacha20poly1305.patch
* Fix session cache lock creation race.
patches/cachelocks.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=764646
* In the case that a ClientHello record is between 256 and 511 bytes long,
add an extension to make it 512 bytes. This works around a bug in F5
terminators.
patches/paddingextension.patch
patches/paddingextensionall.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=944157
* Support the Certificate Transparency (RFC 6962) TLS extension
signed_certificate_timestamp (client only).
patches/signedcertificatetimestamps.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=944175
* Add a function to allow the cipher suites preference order to be set.
patches/cipherorder.patch
* Add TLS_FALLBACK_SCSV cipher suite to version fallback connections.
patches/fallbackscsv.patch
* Add explicit functions for managing the SSL/TLS session cache.
This is a temporary workaround until Chromium migrates to NSS's
asynchronous certificate verification.
patches/sessioncache.patch
* Remove static storage qualifier from variables in sslnonce.c. Due to
a clang codegen bug on Mac, this caused an infinite loop.
https://code.google.com/p/chromium/issues/detail?id=326011
patches/sslnoncestatics.patch
* Use NSSRWLock instead of PRRWLock in sslSessionID. This avoids the bugs
in the lock rank checking code in PRRWLock.
patches/nssrwlock.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=957812
Apply the patches to NSS by running the patches/applypatches.sh script. Read
the comments at the top of patches/applypatches.sh for instructions.
The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.
|
