Update net/third_party/nss to NSS 3.13.3.

net/third_party/nss/patches/ocspstapling.patch

-From 5d8c33901f2b1be41afd1b0211bee5d5236a868d Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Mon, 3 Oct 2011 12:21:00 -0400
-Subject: [PATCH] ocspstapling.patch
-
----
- mozilla/security/nss/lib/ssl/ssl.def    |    1 +
- mozilla/security/nss/lib/ssl/ssl.h      |   18 +++++
- mozilla/security/nss/lib/ssl/ssl3con.c  |  111 +++++++++++++++++++++++++++++++
- mozilla/security/nss/lib/ssl/ssl3ext.c  |   78 +++++++++++++++++++++-
- mozilla/security/nss/lib/ssl/ssl3prot.h |    1 +
- mozilla/security/nss/lib/ssl/sslerr.h   |    2 +
- mozilla/security/nss/lib/ssl/sslimpl.h  |   13 ++++
- mozilla/security/nss/lib/ssl/sslsock.c  |   43 ++++++++++++
- mozilla/security/nss/lib/ssl/sslt.h     |    3 +-
- 9 files changed, 268 insertions(+), 2 deletions(-)
-
-diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def
-index 0fa8777..35cc1e3 100644
---- a/mozilla/security/nss/lib/ssl/ssl.def
-+++ b/mozilla/security/nss/lib/ssl/ssl.def
-@@ -155,6 +155,7 @@ SSL_SNISocketConfigHook;
- ;+NSS_CHROMIUM {
- ;+    global:
- SSL_GetNextProto;
-+SSL_GetStapledOCSPResponse;
- SSL_PeerCertificateChain;
- SSL_SetNextProtoNego;
- ;+    local:
-diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
-index cccb49a..221fe2d 100644
---- a/mozilla/security/nss/lib/ssl/ssl.h
-+++ b/mozilla/security/nss/lib/ssl/ssl.h
-@@ -139,6 +139,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFileDesc *model, PRFileDesc *fd);
- /* occur on RSA or DH ciphersuites where the cipher's key length is >= 80   */
- /* bits. The advantage of False Start is that it saves a round trip for     */
- /* client-speaks-first protocols when performing a full handshake.          */
-+#define SSL_ENABLE_OCSP_STAPLING       23 /* Request OCSP stapling (client) */
+diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-28 18:34:23.263186340 -0800
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-28 18:47:14.683775498 -0800
+@@ -167,6 +167,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
+  * accept fragmented alerts).
+  */
+ #define SSL_CBC_RANDOM_IV 23
++#define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
  
  #ifdef SSL_DEPRECATED_FUNCTION 
  /* Old deprecated function names */
-@@ -274,6 +275,23 @@ SSL_IMPORT CERTCertificate *SSL_PeerCertificate(PRFileDesc *fd);
- SSL_IMPORT SECStatus SSL_PeerCertificateChain(
-        PRFileDesc *fd, CERTCertificate **certs, unsigned int *certs_size);
+@@ -347,6 +348,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate
+        PRFileDesc *fd, CERTCertificate **certs,
+        unsigned int *numCerts, unsigned int maxNumCerts);
  
 +/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by
 + * the TLS server. The resulting data is copied to |out_data|. On entry, |*len|
 + * must contain the size of |out_data|. On exit, |*len| will contain the size
 + * of the OCSP stapled response. If the stapled response is too large to fit in
 + * |out_data| then it will be truncated. If no OCSP response was given by the
 + * server then it has zero length.
 + *
 + * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses
 + * to be provided by a server.
 + *
 + * You can call this function during the certificate verification callback or
 + * any time afterwards.
 + */
 +SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd,
 +                                               unsigned char *out_data,
 +                                               unsigned int *len);
 +
  /*
  ** Authenticate certificate hook. Called when a certificate comes in
  ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index 9830e65..ca2793f 100644
---- a/mozilla/security/nss/lib/ssl/ssl3con.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
-@@ -7803,6 +7803,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *certs, sslSessionID *sid)
+diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
+--- a/src/net/third_party/nss/ssl/ssl3con.c     2012-02-28 17:48:46.326209244 -0800
++++ b/src/net/third_party/nss/ssl/ssl3con.c     2012-02-28 19:12:51.845953454 -0800
+@@ -7887,6 +7887,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce
  }
  
  /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
 + * ssl3 CertificateStatus message.
 + * Caller must hold Handshake and RecvBuf locks.
 + * This is always called before ssl3_HandleCertificate, even if the Certificate
 + * message is sent first.
 + */
 +static SECStatus
 +ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
@@ skipping 37 matching lines @@
 +alert_loser:
 +    (void)SSL3_SendAlert(ss, alert_fatal, desc);
 +    (void)ssl_MapLowLevelError(errCode);
 +    return SECFailure;
 +}
 +
 +/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
   * ssl3 Certificate message.
   * Caller must hold Handshake and RecvBuf locks.
   */
-@@ -8605,6 +8656,26 @@ xmit_loser:
+@@ -8679,6 +8730,26 @@ ssl3_FinishHandshake(sslSocket * ss)
      return SECSuccess;
  }
  
 +/* This function handles any pending Certificate messages. Certificate messages
 + * can be pending if we expect a possible CertificateStatus message to follow.
 + *
 + * This function must be called immediately after handling the
 + * CertificateStatus message, and before handling any ServerKeyExchange or
 + * CertificateRequest messages.
 + */
 +static SECStatus
 +ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss)
 +{
 +    SECStatus rv = SECSuccess;
 +
 +    if (ss->ssl3.hs.pending_cert_msg.data) {
 +       rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data,
 +                                   ss->ssl3.hs.pending_cert_msg.len);
 +       SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
 +    }
 +    return rv;
 +}
 +
  /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
   * hanshake message.
   * Caller must hold Handshake and RecvBuf locks.
-@@ -8699,14 +8770,42 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -8773,14 +8844,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s
         rv = ssl3_HandleServerHello(ss, b, length);
         break;
      case certificate:
 +       if (ss->ssl3.hs.may_get_cert_status) {
 +           /* If we might get a CertificateStatus then we want to postpone the
 +            * processing of the Certificate message until after we have
 +            * processed the CertificateStatus */
 +           if (ss->ssl3.hs.pending_cert_msg.data ||
 +               ss->ssl3.hs.ws != wait_server_cert) {
 +               (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
@@ skipping 22 matching lines @@
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
             return SECFailure;
         }
 +       rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
 +       if (rv != SECSuccess)
 +           break;
         rv = ssl3_HandleServerKeyExchange(ss, b, length);
         break;
      case certificate_request:
-@@ -8715,6 +8814,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -8789,6 +8888,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
             return SECFailure;
         }
 +       rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
 +       if (rv != SECSuccess)
 +           break;
         rv = ssl3_HandleCertificateRequest(ss, b, length);
         break;
      case server_hello_done:
-@@ -8728,6 +8830,9 @@ ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+@@ -8802,6 +8904,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
             return SECFailure;
         }
 +       rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
 +       if (rv != SECSuccess)
 +           break;
         rv = ssl3_HandleServerHelloDone(ss);
         break;
      case certificate_verify:
-@@ -9578,6 +9683,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -9646,6 +9751,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
         ss->ssl3.hs.messages.len = 0;
         ss->ssl3.hs.messages.space = 0;
      }
 +    if (ss->ssl3.hs.pending_cert_msg.data) {
 +       SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
 +    }
 +    if (ss->ssl3.hs.cert_status.data) {
 +       SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
 +    }
  
      /* free the SSL3Buffer (msg_body) */
      PORT_Free(ss->ssl3.hs.msg_body.buf);
-diff --git a/mozilla/security/nss/lib/ssl/ssl3ext.c b/mozilla/security/nss/lib/ssl/ssl3ext.c
-index fbd5a91..4e3d9cc 100644
---- a/mozilla/security/nss/lib/ssl/ssl3ext.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3ext.c
-@@ -247,6 +247,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
+diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
+--- a/src/net/third_party/nss/ssl/ssl3ext.c     2012-02-15 13:52:08.000000000 -0800
++++ b/src/net/third_party/nss/ssl/ssl3ext.c     2012-02-28 19:14:28.617352538 -0800
+@@ -253,6 +253,7 @@ static const ssl3HelloExtensionHandler s
      { ssl_session_ticket_xtn,     &ssl3_ClientHandleSessionTicketXtn },
      { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
-     { ssl_next_proto_neg_xtn,     &ssl3_ClientHandleNextProtoNegoXtn },
+     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
 +    { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
      { -1, NULL }
  };
  
-@@ -270,7 +271,8 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
+@@ -276,7 +277,8 @@ ssl3HelloExtensionSender clientHelloSend
      { ssl_ec_point_formats_xtn,   &ssl3_SendSupportedPointFormatsXtn },
  #endif
      { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
--    { ssl_next_proto_neg_xtn,     &ssl3_ClientSendNextProtoNegoXtn }
-+    { ssl_next_proto_neg_xtn,     &ssl3_ClientSendNextProtoNegoXtn },
+-    { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn }
++    { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
 +    { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn }
      /* any extra entries will appear as { 0, NULL }    */
  };
  
-@@ -654,6 +656,80 @@ ssl3_ClientSendNextProtoNegoXtn(sslSocket * ss,
+@@ -659,6 +661,80 @@ loser:
      return -1;
  }
  
 +SECStatus
 +ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
 +                                 SECItem *data)
 +{
 +    /* If we didn't request this extension, then the server may not echo it. */
 +    if (!ss->opt.enableOCSPStapling)
 +       return SECFailure;
@@ skipping 60 matching lines @@
 +    } else if (maxBytes < extension_length) {
 +       PORT_Assert(0);
 +       return 0;
 +    }
 +    return extension_length;
 +}
 +
  /*
   * NewSessionTicket
   * Called from ssl3_HandleFinished
-diff --git a/mozilla/security/nss/lib/ssl/ssl3prot.h b/mozilla/security/nss/lib/ssl/ssl3prot.h
-index f3c950e..aeaacdd 100644
---- a/mozilla/security/nss/lib/ssl/ssl3prot.h
-+++ b/mozilla/security/nss/lib/ssl/ssl3prot.h
+diff -up a/src/net/third_party/nss/ssl/ssl3prot.h b/src/net/third_party/nss/ssl/ssl3prot.h
+--- a/src/net/third_party/nss/ssl/ssl3prot.h    2011-10-28 17:29:11.000000000 -0700
++++ b/src/net/third_party/nss/ssl/ssl3prot.h    2012-02-28 19:12:51.845953454 -0800
 @@ -158,6 +158,7 @@ typedef enum {
      certificate_verify = 15, 
      client_key_exchange        = 16, 
      finished           = 20,
 +    certificate_status = 22,
      next_proto         = 67
  } SSL3HandshakeType;
  
-diff --git a/mozilla/security/nss/lib/ssl/sslerr.h b/mozilla/security/nss/lib/ssl/sslerr.h
-index a2f6524..c940f95 100644
---- a/mozilla/security/nss/lib/ssl/sslerr.h
-+++ b/mozilla/security/nss/lib/ssl/sslerr.h
-@@ -203,6 +203,8 @@ SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD = (SSL_ERROR_BASE + 114),
+diff -up a/src/net/third_party/nss/ssl/sslerr.h b/src/net/third_party/nss/ssl/sslerr.h
+--- a/src/net/third_party/nss/ssl/sslerr.h      2012-02-11 04:55:58.000000000 -0800
++++ b/src/net/third_party/nss/ssl/sslerr.h      2012-02-28 18:58:06.733056235 -0800
+@@ -211,6 +211,8 @@ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2
+ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SERVERS = (SSL_ERROR_BASE + 118),
+ SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_CLIENTS = (SSL_ERROR_BASE + 119),
  
- SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY  = (SSL_ERROR_BASE + 115),
- 
-+SSL_ERROR_RX_UNEXPECTED_CERT_STATUS    = (SSL_ERROR_BASE + 116),
++SSL_ERROR_RX_UNEXPECTED_CERT_STATUS     = (SSL_ERROR_BASE + 120),
 +
  SSL_ERROR_END_OF_LIST  /* let the c compiler determine the value of this. */
  } SSLErrorCodes;
  #endif /* NO_SECURITY_ERROR_ENUM */
-diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
-index 48d6d83..8e2bd14 100644
---- a/mozilla/security/nss/lib/ssl/sslimpl.h
-+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
+diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
+--- a/src/net/third_party/nss/ssl/sslimpl.h     2012-02-28 17:48:46.326209244 -0800
++++ b/src/net/third_party/nss/ssl/sslimpl.h     2012-02-28 19:05:14.299310096 -0800
 @@ -339,6 +339,7 @@ typedef struct sslOptionsStr {
-     unsigned int enableRenegotiation    : 2;  /* 20-21 */
      unsigned int requireSafeNegotiation : 1;  /* 22 */
      unsigned int enableFalseStart       : 1;  /* 23 */
-+    unsigned int enableOCSPStapling     : 1;  /* 24 */
+     unsigned int cbcRandomIV            : 1;  /* 24 */
++    unsigned int enableOCSPStapling     : 1;  /* 25 */
  } sslOptions;
  
  typedef enum { sslHandshakingUndetermined = 0,
 @@ -782,6 +783,14 @@ const ssl3CipherSuiteDef *suite_def;
-                                         * when this one finishes */
+     PRBool                isResuming;  /* are we resuming a session */
      PRBool                usedStepDownKey;  /* we did a server key exchange. */
      PRBool                sendingSCSV; /* instead of empty RI */
 +    PRBool                may_get_cert_status; /* the server echoed a
 +                                                * status_request extension so
 +                                                * may send a CertificateStatus
 +                                                * handshake message. */
 +    SECItem               pending_cert_msg; /* a Certificate message which we
 +                                             * save temporarily if we may get
 +                                             * a CertificateStatus message */
 +    SECItem               cert_status; /* an OCSP response */
      sslBuffer             msgState;    /* current state for handshake messages*/
                                         /* protected by recvBufLock */
      sslBuffer             messages;    /* Accumulated handshake messages */
-@@ -1515,6 +1524,8 @@ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
+@@ -1527,6 +1536,8 @@ extern SECStatus ssl3_HandleSupportedPoi
                         PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ClientHandleNextProtoNegoXtn(sslSocket *ss,
+ extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
                         PRUint16 ex_type, SECItem *data);
 +extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
 +                       PRUint16 ex_type, SECItem *data);
  extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
                         PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
-@@ -1526,6 +1537,8 @@ extern SECStatus ssl3_ServerHandleNextProtoNegoXtn(sslSocket *ss,
+ 
+@@ -1536,6 +1547,8 @@ extern SECStatus ssl3_ServerHandleSessio
   */
  extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
                         PRUint32 maxBytes);
 +extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
 +                       PRUint32 maxBytes);
  
  /* ClientHello and ServerHello extension senders.
   * The code is in ssl3ext.c.
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index b7e32a2..4c4df3f 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
-@@ -185,6 +185,7 @@ static sslOptions ssl_defaults = {
+diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
+--- a/src/net/third_party/nss/ssl/sslsock.c     2012-02-28 16:15:34.790321976 -0800
++++ b/src/net/third_party/nss/ssl/sslsock.c     2012-02-28 19:12:51.845953454 -0800
+@@ -185,7 +185,8 @@ static sslOptions ssl_defaults = {
      2,          /* enableRenegotiation (default: requires extension) */
      PR_FALSE,   /* requireSafeNegotiation */
      PR_FALSE,   /* enableFalseStart   */
+-    PR_TRUE     /* cbcRandomIV        */
++    PR_TRUE,    /* cbcRandomIV        */
 +    PR_FALSE,   /* enableOCSPStapling */
  };
  
  sslSessionIDLookupFunc  ssl_sid_lookup;
-@@ -738,6 +739,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 which, PRBool on)
-        ss->opt.enableFalseStart = on;
+@@ -741,6 +742,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+        ss->opt.cbcRandomIV = on;
         break;
  
 +      case SSL_ENABLE_OCSP_STAPLING:
 +       ss->opt.enableOCSPStapling = on;
 +       break;
 +
        default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
-@@ -802,6 +807,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 which, PRBool *pOn)
-     case SSL_REQUIRE_SAFE_NEGOTIATION: 
+@@ -806,6 +811,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
                                    on = ss->opt.requireSafeNegotiation; break;
      case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
+     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
 +    case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
  
      default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -853,6 +859,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBool *pOn)
-                                   on = ssl_defaults.requireSafeNegotiation; 
+@@ -860,6 +866,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
                                   break;
      case SSL_ENABLE_FALSE_START:  on = ssl_defaults.enableFalseStart;   break;
+     case SSL_CBC_RANDOM_IV:       on = ssl_defaults.cbcRandomIV;        break;
 +    case SSL_ENABLE_OCSP_STAPLING:
 +       on = ssl_defaults.enableOCSPStapling;
 +       break;
  
      default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1000,6 +1009,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBool on)
-        ssl_defaults.enableFalseStart = on;
+@@ -1019,6 +1028,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
+        ssl_defaults.cbcRandomIV = on;
         break;
  
 +      case SSL_ENABLE_OCSP_STAPLING:
 +       ssl_defaults.enableOCSPStapling = on;
 +       break;
 +
        default:
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
-@@ -1453,6 +1466,36 @@ loser:
+@@ -1537,6 +1550,36 @@ loser:
  #endif
  }
  
 +SECStatus
 +SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data,
 +                          unsigned int *len) {
 +    sslSocket *ss = ssl_FindSocket(fd);
 +
 +    if (!ss) {
 +       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse",
@@ skipping 16 matching lines @@
 +
 +    ssl_ReleaseSSL3HandshakeLock(ss);
 +    ssl_Release1stHandshakeLock(ss);
 +
 +    return SECSuccess;
 +}
 +
  /************************************************************************/
  /* The following functions are the TOP LEVEL SSL functions.
  ** They all get called through the NSPRIOMethods table below.
-diff --git a/mozilla/security/nss/lib/ssl/sslt.h b/mozilla/security/nss/lib/ssl/sslt.h
-index f6e0b62..917c093 100644
---- a/mozilla/security/nss/lib/ssl/sslt.h
-+++ b/mozilla/security/nss/lib/ssl/sslt.h
+diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
+--- a/src/net/third_party/nss/ssl/sslt.h        2012-02-15 13:52:08.000000000 -0800
++++ b/src/net/third_party/nss/ssl/sslt.h        2012-02-28 19:12:51.845953454 -0800
 @@ -198,6 +198,7 @@ typedef enum {
  /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
  typedef enum {
      ssl_server_name_xtn              = 0,
 +    ssl_cert_status_xtn              = 5,
  #ifdef NSS_ENABLE_ECC
      ssl_elliptic_curves_xtn          = 10,
      ssl_ec_point_formats_xtn         = 11,
 @@ -207,6 +208,6 @@ typedef enum {
      ssl_renegotiation_info_xtn       = 0xff01  /* experimental number */
  } SSLExtensionType;
  
 -#define SSL_MAX_EXTENSIONS             6
 +#define SSL_MAX_EXTENSIONS             7
  
  #endif /* __sslt_h_ */