Update net/third_party/nss to NSS 3.13.3.

net/third_party/nss/patches/secret_exporter.patch

-From a30a1a87579d0a0d2950ee685a41bae428f38284 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Mon, 3 Oct 2011 12:25:44 -0400
-Subject: [PATCH] secret_exporter.patch
-
----
- mozilla/security/nss/lib/ssl/ssl.def   |    1 +
- mozilla/security/nss/lib/ssl/ssl.h     |   13 ++++++
- mozilla/security/nss/lib/ssl/ssl3con.c |   63 ++++++++++++++++++++-----------
- mozilla/security/nss/lib/ssl/sslimpl.h |    6 +++
- mozilla/security/nss/lib/ssl/sslinfo.c |   64 ++++++++++++++++++++++++++++++++
- 5 files changed, 125 insertions(+), 22 deletions(-)
-
-diff --git a/mozilla/security/nss/lib/ssl/ssl.def b/mozilla/security/nss/lib/ssl/ssl.def
-index 7ef15db..1993d3e 100644
---- a/mozilla/security/nss/lib/ssl/ssl.def
-+++ b/mozilla/security/nss/lib/ssl/ssl.def
-@@ -154,6 +154,7 @@ SSL_SNISocketConfigHook;
- ;+};
- ;+NSS_CHROMIUM {
- ;+    global:
-+SSL_ExportKeyingMaterial;
- SSL_GetNextProto;
- SSL_GetStapledOCSPResponse;
- SSL_HandshakeResumedSession;
-diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h
-index 1115fa9..835d3cf 100644
---- a/mozilla/security/nss/lib/ssl/ssl.h
-+++ b/mozilla/security/nss/lib/ssl/ssl.h
-@@ -653,6 +653,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteInfo(PRUint16 cipherSuite,
+diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
+--- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 17:12:15.720044263 -0800
++++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 17:18:04.824794558 -0800
+@@ -774,6 +774,19 @@ SSL_IMPORT SECStatus SSL_GetCipherSuiteI
  /* Returnes negotiated through SNI host info. */
  SSL_IMPORT SECItem *SSL_GetNegotiatedHostInfo(PRFileDesc *fd);
  
 +/* Export keying material according to RFC 5705.
 +** fd must correspond to a TLS 1.0 or higher socket and out must
 +** already be allocated. If contextLen is zero it uses the no-context
 +** construction from the RFC.
 +*/
 +SSL_IMPORT SECStatus SSL_ExportKeyingMaterial(PRFileDesc *fd,
 +                                              const char *label,
 +                                              unsigned int labelLen,
 +                                              const unsigned char *context,
 +                                              unsigned int contextLen,
 +                                              unsigned char *out,
 +                                              unsigned int outLen);
 +
  /*
  ** Return a new reference to the certificate that was most recently sent
  ** to the peer on this SSL/TLS connection, or NULL if none has been sent.
-diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c
-index 2648cbe..f8838d6 100644
---- a/mozilla/security/nss/lib/ssl/ssl3con.c
-+++ b/mozilla/security/nss/lib/ssl/ssl3con.c
-@@ -8371,33 +8371,33 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss)
+diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
+--- a/src/net/third_party/nss/ssl/ssl3con.c     2012-02-28 20:34:50.114663722 -0800
++++ b/src/net/third_party/nss/ssl/ssl3con.c     2012-02-29 17:18:04.824794558 -0800
+@@ -8368,33 +8368,33 @@ done:
      return rv;
  }
  
 -static SECStatus
 -ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
 -                       PRBool          isServer,
 -                const   SSL3Finished *  hashes,
 -                        TLSFinished  *  tlsFinished)
 +/* The calling function must acquire and release the appropriate lock (i.e.,
 + * ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for ss->ssl3.crSpec). Any
@@ skipping 29 matching lines @@
 -                              &len, sizeof tlsFinished->verify_data);
 -       PORT_Assert(rv != SECSuccess || len == sizeof *tlsFinished);
 +       rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
 +       rv |= PK11_DigestOp(prf_context, val, valLen);
 +       rv |= PK11_DigestFinal(prf_context, out,
 +                              &retLen, outLen);
 +       PORT_Assert(rv != SECSuccess || retLen == outLen);
  
         PK11_DestroyContext(prf_context, PR_TRUE);
      } else {
-@@ -8406,17 +8406,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
+@@ -8403,17 +8403,36 @@ ssl3_ComputeTLSFinished(ssl3CipherSpec *
         SECItem outData = { siBuffer, };
         PRBool isFIPS   = PR_FALSE;
  
 -       inData.data  = (unsigned char *)hashes->md5;
 -       inData.len   = sizeof hashes[0];
 -       outData.data = tlsFinished->verify_data;
 -       outData.len  = sizeof tlsFinished->verify_data;
 +       inData.data  = (unsigned char *) val;
 +       inData.len   = valLen;
 +       outData.data = out;
@@ skipping 22 matching lines @@
 +    rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->md5,
 +       sizeof *hashes, tlsFinished->verify_data,
 +       sizeof tlsFinished->verify_data);
 +
 +    return rv;
 +}
 +
  /* called from ssl3_HandleServerHelloDone
   */
  static SECStatus
-diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h
-index 973a3c9..906874a 100644
---- a/mozilla/security/nss/lib/ssl/sslimpl.h
-+++ b/mozilla/security/nss/lib/ssl/sslimpl.h
-@@ -1680,6 +1680,12 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void);
+diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
+--- a/src/net/third_party/nss/ssl/sslimpl.h     2012-02-29 17:12:15.720044263 -0800
++++ b/src/net/third_party/nss/ssl/sslimpl.h     2012-02-29 17:16:59.143900589 -0800
+@@ -1709,6 +1709,11 @@ SECStatus SSL_DisableDefaultExportCipher
  SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
  PRBool    SSL_IsExportCipherSuite(PRUint16 cipherSuite);
  
 +SECStatus ssl3_TLSPRFWithMasterSecret(
 +                       ssl3CipherSpec *spec, const char *label,
 +                       unsigned int labelLen, const unsigned char *val,
 +                       unsigned int valLen, unsigned char *out,
 +                       unsigned int outLen);
-+
- /********************** FNV hash  *********************/
  
- void FNV1A64_Init(PRUint64 *digest);
-diff --git a/mozilla/security/nss/lib/ssl/sslinfo.c b/mozilla/security/nss/lib/ssl/sslinfo.c
-index 96377b0..cf870c7 100644
---- a/mozilla/security/nss/lib/ssl/sslinfo.c
-+++ b/mozilla/security/nss/lib/ssl/sslinfo.c
+ #ifdef TRACE
+ #define SSL_TRACE(msg) ssl_Trace msg
+diff -up a/src/net/third_party/nss/ssl/sslinfo.c b/src/net/third_party/nss/ssl/sslinfo.c
+--- a/src/net/third_party/nss/ssl/sslinfo.c     2010-09-01 18:12:57.000000000 -0700
++++ b/src/net/third_party/nss/ssl/sslinfo.c     2012-02-29 17:18:04.824794558 -0800
 @@ -20,6 +20,7 @@
   *
   * Contributor(s):
   *   Dr Vipul Gupta <vipul.gupta@sun.com>, Sun Microsystems Laboratories
 + *   Douglas Stebila <douglas@stebila.ca>
   *
   * Alternatively, the contents of this file may be used under the terms of
   * either the GNU General Public License Version 2 or later (the "GPL"), or
-@@ -316,6 +317,69 @@ SSL_IsExportCipherSuite(PRUint16 cipherSuite)
+@@ -316,6 +317,69 @@ SSL_IsExportCipherSuite(PRUint16 cipherS
      return PR_FALSE;
  }
  
 +/* Export keying material according to RFC 5705.
 +** fd must correspond to a TLS 1.0 or higher socket, out must
 +** be already allocated.
 +*/
 +SECStatus
 +SSL_ExportKeyingMaterial(PRFileDesc *fd,
 +                        const char *label,
@@ skipping 49 matching lines @@
 +    }
 +    ssl_ReleaseSpecReadLock(ss);
 +
 +    PORT_ZFree(val, valLen);
 +    return rv;
 +}
 +
  SECItem*
  SSL_GetNegotiatedHostInfo(PRFileDesc *fd)
  {