net: add NSS support for RFC 5705

net/third_party/nss/ssl/ssl.h

Index: net/third_party/nss/ssl/ssl.h
diff --git a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
index 53ca30172f4ec3f3a95c7417759105e291fae5f9..1537aae543f921707e73fd4e99f78720ed90cc49 100644
--- a/net/third_party/nss/ssl/ssl.h
+++ b/net/third_party/nss/ssl/ssl.h
@@ -686,6 +686,17 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
 /* Returnes negotiated through SNI host info. */
 SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd);
 
+/* Export keying material according to RFC 5705.
+** fd must correspond to a TLS 1.0 or higher socket and out must
+** already be allocated.
+*/
+SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
+                                              const char *label,
+                                              const unsigned char *context,
+                                              unsigned int contextlen,
+                                              unsigned char *out,
+                                              unsigned int outlen);

[wtc, 2011/07/22 17:33:17]

I suggest that we specify the label as
    const char *label,
    unsigned int labellen,

Not requiring the string be null-terminated is more
friendly to std::string and StringPiece.

Note: the RFC defines labels as:

   Labels here have the same definition as in TLS, i.e., an ASCII string
   with no terminating NULL.

The RFC also recommends that labels begin with "EXPORTER"
or "EXPERIMENTAL" (for private use).

+
 /*
 ** Return a new reference to the certificate that was most recently sent
 ** to the peer on this SSL/TLS connection, or NULL if none has been sent.