Chromium Code Reviews

| OLD | NEW |
|---|---|
| 1 Name: Network Security Services (NSS) | 1 Name: Network Security Services (NSS) |
| 2 URL: http://www.mozilla.org/projects/security/pki/nss/ | 2 URL: http://www.mozilla.org/projects/security/pki/nss/ |
| 3 | 3 |
|
Ryan Sleevi
2012/03/02 01:30:18
Version: 3.13.3
Security Critical: Yes
| |
| 4 This directory includes a copy of NSS's libssl from the CVS repo at: | 4 This directory includes a copy of NSS's libssl from the CVS repo at: |
| 5 :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot | 5 :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot |
| 6 | 6 |
| 7 The snapshot was updated to the CVS tag: NSS_3_12_9_RTM | 7 The snapshot was updated to the CVS tag: NSS_3_13_3_RTM |
| 8 | 8 |
| 9 Patches: | 9 Patches: |
| 10 | 10 |
| 11 * Next protocol negotiation support. | |
| 12 patches/nextproto.patch | |
| 13 http://codereview.chromium.org/415005 | |
| 14 | |
| 15 * Commenting out a couple of functions because they need NSS symbols | 11 * Commenting out a couple of functions because they need NSS symbols |
| 16 which may not exist in the system NSS library. | 12 which may not exist in the system NSS library. |
| 17 patches/versionskew.patch | 13 patches/versionskew.patch |
| 18 | 14 |
| 19 * Send empty renegotiation info extension instead of SCSV unless TLS is | 15 * Send empty renegotiation info extension instead of SCSV unless TLS is |
| 20 disabled. | 16 disabled. |
| 21 patches/renegoscsv.patch | 17 patches/renegoscsv.patch |
| 22 https://bugzilla.mozilla.org/show_bug.cgi?id=549042 | 18 https://bugzilla.mozilla.org/show_bug.cgi?id=549042 |
| 23 | 19 |
| 24 * Cache the peer's intermediate CA certificates in session ID, so that | 20 * Cache the peer's intermediate CA certificates in session ID, so that |
| 25 they're available when we resume a session. Add certificates to | 21 they're available when we resume a session. |
| 26 ss->ssl3.peerCertChain in the right order. | |
| 27 patches/cachecerts.patch | 22 patches/cachecerts.patch |
| 28 https://bugzilla.mozilla.org/show_bug.cgi?id=606049 | 23 https://bugzilla.mozilla.org/show_bug.cgi?id=731478 |
| 29 | 24 |
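Review bot: In the cachecerts.patch entry the sentence "Add certificates to ss->ssl3.peerCertChain in the right order." is dropped and the bug link changes from 606049 to 731478, with nothing in the README saying why. If the ordering change is no longer carried by patches/cachecerts.patch, state that in the change description; if the patch still does it, keep the sentence so the entry describes everything the patch changes.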
| 30 * Add the SSL_PeerCertificateChain function | 25 * Add the SSL_PeerCertificateChain function |
| 31 patches/peercertchain.patch | 26 patches/peercertchain.patch |
| 27 https://bugzilla.mozilla.org/show_bug.cgi?id=731485 | |
| 32 | 28 |
| 33 * Add OCSP stapling support | 29 * Add OCSP stapling support |
| 34 patches/ocspstapling.patch | 30 patches/ocspstapling.patch |
| 35 | 31 |
| 36 * Add support for client auth with native crypto APIs on Mac and Windows | 32 * Add support for client auth with native crypto APIs on Mac and Windows |
| 37 patches/clientauth.patch | 33 patches/clientauth.patch |
| 38 ssl/sslplatf.c | 34 ssl/sslplatf.c |
| 39 | 35 |
| 40 * Don't send a client certificate when renegotiating if the peer does not | |
| 41 request one. This only happened if the previous key exchange algorithm | |
| 42 was non-RSA. | |
| 43 patches/clientauth.patch | |
| 44 https://bugzilla.mozilla.org/show_bug.cgi?id=616757 | |
| 45 | |
| 46 * Add support for TLS cached info extension. | |
| 47 patches/cachedinfo.patch | |
| 48 https://bugzilla.mozilla.org/show_bug.cgi?id=665739 | |
| 49 | |
| 50 * Add a function to export whether the last handshake on a socket resumed a | 36 * Add a function to export whether the last handshake on a socket resumed a |
| 51 previous session. | 37 previous session. |
| 52 patches/didhandshakeresume.patch | 38 patches/didhandshakeresume.patch |
| 53 | 39 https://bugzilla.mozilla.org/show_bug.cgi?id=731798 |
| 54 * Start each set of CBC encrypted application data records, resulting from | |
| 55 a single call to ssl3_SendApplicationData, with a one-byte application | |
| 56 data record in order to randomize the IV in a backward compatible manner. | |
| 57 https://bugzilla.mozilla.org/show_bug.cgi?id=665814 | |
| 58 patches/cbcrandomiv.patch | |
| 59 | 40 |
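Review bot: The patches/cbcrandomiv.patch entry (one-byte application data record ahead of CBC records, bug 665814) is deleted here without any record of where that behaviour now comes from. For a security-relevant patch, note in the change description whether NSS_3_13_3_RTM already contains it or whether it was dropped, so a later reader can confirm the IV randomization survived the rebase. The same applies to the other entries this change removes (nextproto, cachedinfo, handshakeshortwrite, and the renegotiation client-certificate fix).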
| 60 * Support origin bound certificates. | 41 * Support origin bound certificates. |
| 61 http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt | 42 http://balfanz.github.com/tls-obc-spec/draft-balfanz-tls-obc-00.txt |
| 62 patches/origin_bound_certs.patch | 43 patches/origin_bound_certs.patch |
| 63 | 44 |
| 64 * Add a function to implement RFC 5705: Keying Material Exporters for TLS | 45 * Add a function to implement RFC 5705: Keying Material Exporters for TLS |
| 65 This is a reworked version of the patch from | 46 This is a reworked version of the patch from |
| 66 https://bugzilla.mozilla.org/show_bug.cgi?id=507359 | 47 https://bugzilla.mozilla.org/show_bug.cgi?id=507359 |
| 67 patches/secret_exporter.patch | 48 patches/secret_exporter.patch |
| 68 | 49 |
| 69 * Send saved write data in the SSL socket in SSL_ForceHandshake. | |
| 70 patches/handshakeshortwrite.patch | |
| 71 https://bugzilla.mozilla.org/show_bug.cgi?id=676729 | |
| 72 | |
| 73 * Add a function to restart a handshake after a client certificate request. | |
| 74 patches/restartclientauth.patch | |
| 75 | |
| 76 * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake | 50 * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake |
| 77 is finished. | 51 is finished. |
| 78 https://bugzilla.mozilla.org/show_bug.cgi?id=681839 | 52 https://bugzilla.mozilla.org/show_bug.cgi?id=681839 |
| 79 patches/negotiatedextension.patch | 53 patches/negotiatedextension.patch |
| 80 | 54 |
| 55 * Add a function to restart a handshake after a client certificate request. | |
| 56 patches/restartclientauth.patch | |
|
Ryan Sleevi
2012/03/02 01:30:18
I thought bsmith upstreamed this already?
wtc
2012/03/02 23:06:17
No. What bsmith implemented is the related functi
| |
| 57 | |
| 81 * Support the encrypted client certificates extension. | 58 * Support the encrypted client certificates extension. |
| 82 https://bugzilla.mozilla.org/show_bug.cgi?id=691991 | 59 https://bugzilla.mozilla.org/show_bug.cgi?id=691991 |
| 83 patches/encryptedclientcerts.patch | 60 patches/encryptedclientcerts.patch |
| 84 | 61 |
| 85 * Add function to retrieve TLS client cert types requested by server. | 62 * Add function to retrieve TLS client cert types requested by server. |
| 86 https://bugzilla.mozilla.org/show_bug.cgi?id=51413 | 63 https://bugzilla.mozilla.org/show_bug.cgi?id=51413 |
| 87 patches/getrequestedclientcerttypes.patch | 64 patches/getrequestedclientcerttypes.patch |
| 88 | 65 |
| 89 * Fixed a clang warning in sslcon.c. | 66 * Fixed a clang warning in sslcon.c. |
| 90 https://bugzilla.mozilla.org/show_bug.cgi?id=728919 | 67 https://bugzilla.mozilla.org/show_bug.cgi?id=728919 |
| 91 patches/clang-sslcon.patch | 68 patches/clang-sslcon.patch |
| 92 | 69 |
| 93 Apply the patches to NSS by running the patches/applypatches.sh script. Read | 70 Apply the patches to NSS by running the patches/applypatches.sh script. Read |
| 94 the comments at the top of patches/applypatches.sh for instructions. | 71 the comments at the top of patches/applypatches.sh for instructions. |
| 95 | 72 |
| 96 The ssl/bodge directory contains files taken from the NSS repo that we required | 73 The ssl/bodge directory contains files taken from the NSS repo that we required |
| 97 for building libssl outside of its usual build environment. | 74 for building libssl outside of its usual build environment. |
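Review bot: The relocated patches/restartclientauth.patch entry (new lines 55-56) still has no bugzilla link, while this change adds or updates one for cachecerts, peercertchain and didhandshakeresume. Add the upstream bug URL under it if one exists, or a short note that the patch is local to this tree, which would also settle the inline question about whether it was upstreamed.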