blob: 11a85102d93cd55141ad4e6091f72d84e89656eb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
Version: 3.15.1
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED
This directory includes a copy of NSS's libssl from the hg repo at:
https://hg.mozilla.org/projects/nss
The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.
The snapshot was updated to the hg tag: NSS_3_15_1_RTM
Patches:
* Commenting out a couple of functions because they need NSS symbols
which may not exist in the system NSS library.
patches/versionskew.patch
* Send empty renegotiation info extension instead of SCSV unless TLS is
disabled.
patches/renegoscsv.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=549042
* Cache the peer's intermediate CA certificates in session ID, so that
they're available when we resume a session.
patches/cachecerts.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=731478
* Add the SSL_PeerCertificateChain function
patches/peercertchain.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=731485
* Add support for client auth with native crypto APIs on Mac and Windows
patches/clientauth.patch
ssl/sslplatf.c
* Add a function to export whether the last handshake on a socket resumed a
previous session.
patches/didhandshakeresume.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=731798
* Allow SSL_HandshakeNegotiatedExtension to be called before the handshake
is finished.
https://bugzilla.mozilla.org/show_bug.cgi?id=681839
patches/negotiatedextension.patch
* Add function to retrieve TLS client cert types requested by server.
https://bugzilla.mozilla.org/show_bug.cgi?id=51413
patches/getrequestedclientcerttypes.patch
* Add a function to restart a handshake after a client certificate request.
patches/restartclientauth.patch
* Add support for TLS Channel IDs
patches/channelid.patch
* Add support for extracting the tls-unique channel binding value
patches/tlsunique.patch
https://bugzilla.mozilla.org/show_bug.cgi?id=563276
* Define the EC_POINT_FORM_UNCOMPRESSED macro. In NSS 3.13.2 the macro
definition was moved from the internal header ec.h to blapit.h. When
compiling against older system NSS headers, we need to define the macro.
patches/ecpointform.patch
* SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
This change was made in https://chromiumcodereview.appspot.com/10454066.
patches/secretexporterlocks.patch
* Allow the constant-time CBC processing code to be compiled against older
NSS that doesn't contain the CBC constant-time changes.
patches/cbc.patch
https://code.google.com/p/chromium/issues/detail?id=172658#c12
TODO(wtc): remove this patch now that NSS 3.14.3 is the minimum
compile-time and run-time version.
* Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
versions older than 3.15 report an EC key size range of 112 bits to 571
bits, even when it is compiled to support only the NIST P-256, P-384, and
P-521 curves. Remove this patch when all system NSS softoken packages are
NSS 3.15 or later.
patches/suitebonly.patch
* Define the SECItemArray type and declare the SECItemArray handling
functions, which were added in NSS 3.15. Remove this patch when all system
NSS packages are NSS 3.15 or later.
patches/secitemarray.patch
* Update Chromium-specific code for TLS 1.2.
patches/tls12chromium.patch
* Add the Application Layer Protocol Negotiation extension.
patches/alpn.patch
* Fix an issue with allocating an SSL socket when under memory pressure.
https://bugzilla.mozilla.org/show_bug.cgi?id=903565
patches/sslsock_903565.patch
* Implement the AES GCM cipher suites.
https://bugzilla.mozilla.org/show_bug.cgi?id=880543
patches/aesgcm.patch
* Add Chromium-specific code to detect AES GCM support in the system NSS
libraries at run time.
patches/aesgcmchromium.patch
Apply the patches to NSS by running the patches/applypatches.sh script. Read
the comments at the top of patches/applypatches.sh for instructions.
The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.
|