| Index: net/third_party/nss/patches/encryptedclientcerts.patch
|
| ===================================================================
|
| --- net/third_party/nss/patches/encryptedclientcerts.patch (revision 127513)
|
| +++ net/third_party/nss/patches/encryptedclientcerts.patch (working copy)
|
| @@ -1,7 +1,7 @@
|
| -diff -up a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
|
| ---- a/src/net/third_party/nss/ssl/ssl.h 2012-02-29 19:15:20.975171099 -0800
|
| -+++ b/src/net/third_party/nss/ssl/ssl.h 2012-02-29 19:18:21.947702106 -0800
|
| -@@ -169,6 +169,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
|
| +diff -pu -r a/src/net/third_party/nss/ssl/ssl.h b/src/net/third_party/nss/ssl/ssl.h
|
| +--- a/src/net/third_party/nss/ssl/ssl.h 2012-03-19 13:49:12.517522610 -0700
|
| ++++ b/src/net/third_party/nss/ssl/ssl.h 2012-03-19 13:49:29.507749795 -0700
|
| +@@ -186,6 +186,7 @@ SSL_IMPORT PRFileDesc *SSL_ImportFD(PRFi
|
| #define SSL_CBC_RANDOM_IV 23
|
| #define SSL_ENABLE_OCSP_STAPLING 24 /* Request OCSP stapling (client) */
|
| #define SSL_ENABLE_OB_CERTS 25 /* Enable origin bound certs. */
|
| @@ -9,9 +9,9 @@
|
|
|
| #ifdef SSL_DEPRECATED_FUNCTION
|
| /* Old deprecated function names */
|
| -diff -up a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
|
| ---- a/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 19:15:20.975171099 -0800
|
| -+++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-02-29 19:19:26.478604857 -0800
|
| +diff -pu -r a/src/net/third_party/nss/ssl/sslimpl.h b/src/net/third_party/nss/ssl/sslimpl.h
|
| +--- a/src/net/third_party/nss/ssl/sslimpl.h 2012-03-19 13:49:12.557523144 -0700
|
| ++++ b/src/net/third_party/nss/ssl/sslimpl.h 2012-03-19 13:49:29.507749795 -0700
|
| @@ -350,6 +350,7 @@ typedef struct sslOptionsStr {
|
| unsigned int cbcRandomIV : 1; /* 24 */
|
| unsigned int enableOCSPStapling : 1; /* 25 */
|
| @@ -20,10 +20,10 @@
|
| } sslOptions;
|
|
|
| typedef enum { sslHandshakingUndetermined = 0,
|
| -diff -up a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
|
| ---- a/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 19:15:20.975171099 -0800
|
| -+++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-02-29 20:00:15.851981917 -0800
|
| -@@ -2863,7 +2863,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
|
| +diff -pu -r a/src/net/third_party/nss/ssl/ssl3con.c b/src/net/third_party/nss/ssl/ssl3con.c
|
| +--- a/src/net/third_party/nss/ssl/ssl3con.c 2012-03-19 13:49:12.527522744 -0700
|
| ++++ b/src/net/third_party/nss/ssl/ssl3con.c 2012-03-19 13:49:29.507749795 -0700
|
| +@@ -2882,7 +2882,14 @@ ssl3_HandleChangeCipherSpecs(sslSocket *
|
|
|
| ss->ssl3.prSpec = ss->ssl3.crSpec;
|
| ss->ssl3.crSpec = prSpec;
|
| @@ -39,7 +39,7 @@
|
|
|
| SSL_TRC(3, ("%d: SSL3[%d] Set Current Read Cipher Suite to Pending",
|
| SSL_GETPID(), ss->fd ));
|
| -@@ -4877,10 +4884,11 @@ loser:
|
| +@@ -4898,10 +4905,11 @@ loser:
|
| static SECStatus
|
| ssl3_SendCertificateVerify(sslSocket *ss)
|
| {
|
| @@ -55,7 +55,7 @@
|
|
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
| -@@ -4889,13 +4897,17 @@ ssl3_SendCertificateVerify(sslSocket *ss
|
| +@@ -4910,13 +4918,17 @@ ssl3_SendCertificateVerify(sslSocket *ss
|
| SSL_GETPID(), ss->fd));
|
|
|
| ssl_GetSpecReadLock(ss);
|
| @@ -75,7 +75,7 @@
|
| if (ss->ssl3.platformClientKey) {
|
| #ifdef NSS_PLATFORM_CLIENT_AUTH
|
| rv = ssl3_PlatformSignHashes(&hashes, ss->ssl3.platformClientKey,
|
| -@@ -5912,6 +5924,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
|
| +@@ -5924,6 +5936,10 @@ ssl3_SendClientSecondRound(sslSocket *ss
|
| {
|
| SECStatus rv;
|
| PRBool sendClientCert;
|
| @@ -86,7 +86,7 @@
|
|
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
|
| PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
|
| -@@ -5958,35 +5974,40 @@ ssl3_SendClientSecondRound(sslSocket *ss
|
| +@@ -5970,35 +5986,40 @@ ssl3_SendClientSecondRound(sslSocket *ss
|
|
|
| ssl_GetXmitBufLock(ss); /*******************************/
|
|
|
| @@ -152,7 +152,7 @@
|
| }
|
|
|
| /* XXX: If the server's certificate hasn't been authenticated by this
|
| -@@ -6201,8 +6222,13 @@ ssl3_SendServerHelloSequence(sslSocket *
|
| +@@ -6213,8 +6234,13 @@ ssl3_SendServerHelloSequence(sslSocket *
|
| return rv; /* err code is set. */
|
| }
|
|
|
| @@ -168,7 +168,7 @@
|
| return SECSuccess;
|
| }
|
|
|
| -@@ -7446,7 +7472,11 @@ ssl3_HandleCertificateVerify(sslSocket *
|
| +@@ -7458,7 +7484,11 @@ ssl3_HandleCertificateVerify(sslSocket *
|
| desc = isTLS ? decode_error : illegal_parameter;
|
| goto alert_loser; /* malformed */
|
| }
|
| @@ -181,7 +181,7 @@
|
| return SECSuccess;
|
|
|
| alert_loser:
|
| -@@ -8346,7 +8376,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS
|
| +@@ -8358,7 +8388,11 @@ ssl3_HandleCertificate(sslSocket *ss, SS
|
| }
|
| } else {
|
| server_no_cert:
|
| @@ -194,7 +194,7 @@
|
| }
|
|
|
| PORT_Assert(rv == SECSuccess);
|
| -@@ -8959,6 +8993,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s
|
| +@@ -8968,6 +9002,8 @@ ssl3_HandleHandshakeMessage(sslSocket *s
|
| if (type == finished) {
|
| sender = ss->sec.isServer ? sender_client : sender_server;
|
| rSpec = ss->ssl3.crSpec;
|
| @@ -203,9 +203,9 @@
|
| }
|
| rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
|
| }
|
| -diff -up a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
|
| ---- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 17:12:15.720044263 -0800
|
| -+++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-02-29 20:00:15.851981917 -0800
|
| +diff -pu -r a/src/net/third_party/nss/ssl/ssl3ext.c b/src/net/third_party/nss/ssl/ssl3ext.c
|
| +--- a/src/net/third_party/nss/ssl/ssl3ext.c 2012-03-19 12:50:32.610015524 -0700
|
| ++++ b/src/net/third_party/nss/ssl/ssl3ext.c 2012-03-19 13:49:29.507749795 -0700
|
| @@ -84,6 +84,12 @@ static SECStatus ssl3_ServerHandleNextPr
|
| PRUint16 ex_type, SECItem *data);
|
| static PRInt32 ssl3_ClientSendNextProtoNegoXtn(sslSocket *ss, PRBool append,
|
| @@ -243,7 +243,7 @@
|
| { ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn },
|
| { ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn },
|
| { ssl_ob_cert_xtn, &ssl3_SendOBCertXtn }
|
| -@@ -1083,6 +1092,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc
|
| +@@ -1082,6 +1091,18 @@ ssl3_ClientHandleSessionTicketXtn(sslSoc
|
| return SECSuccess;
|
| }
|
|
|
| @@ -262,7 +262,7 @@
|
| SECStatus
|
| ssl3_ServerHandleSessionTicketXtn(sslSocket *ss, PRUint16 ex_type,
|
| SECItem *data)
|
| -@@ -1496,6 +1517,24 @@ loser:
|
| +@@ -1495,6 +1516,24 @@ loser:
|
| return rv;
|
| }
|
|
|
| @@ -287,7 +287,7 @@
|
| /*
|
| * Read bytes. Using this function means the SECItem structure
|
| * cannot be freed. The caller is expected to call this function
|
| -@@ -1695,6 +1734,33 @@ ssl3_SendRenegotiationInfoXtn(
|
| +@@ -1694,6 +1733,33 @@ ssl3_SendRenegotiationInfoXtn(
|
| return needed;
|
| }
|
|
|
| @@ -321,9 +321,9 @@
|
| /* This function runs in both the client and server. */
|
| static SECStatus
|
| ssl3_HandleRenegotiationInfoXtn(sslSocket *ss, PRUint16 ex_type, SECItem *data)
|
| -diff -up a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
|
| ---- a/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 17:49:08.431530583 -0800
|
| -+++ b/src/net/third_party/nss/ssl/sslsock.c 2012-02-29 20:00:15.851981917 -0800
|
| +diff -pu -r a/src/net/third_party/nss/ssl/sslsock.c b/src/net/third_party/nss/ssl/sslsock.c
|
| +--- a/src/net/third_party/nss/ssl/sslsock.c 2012-03-19 12:59:07.586991902 -0700
|
| ++++ b/src/net/third_party/nss/ssl/sslsock.c 2012-03-19 13:49:29.517749929 -0700
|
| @@ -188,6 +188,7 @@ static sslOptions ssl_defaults = {
|
| PR_TRUE, /* cbcRandomIV */
|
| PR_FALSE, /* enableOCSPStapling */
|
| @@ -331,8 +331,8 @@
|
| + PR_FALSE, /* encryptClientCerts */
|
| };
|
|
|
| - sslSessionIDLookupFunc ssl_sid_lookup;
|
| -@@ -755,6 +756,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
| + /*
|
| +@@ -826,6 +827,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
| ss->opt.enableOBCerts = on;
|
| break;
|
|
|
| @@ -343,7 +343,7 @@
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| rv = SECFailure;
|
| -@@ -822,6 +827,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
|
| +@@ -897,6 +902,8 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
|
| case SSL_CBC_RANDOM_IV: on = ss->opt.cbcRandomIV; break;
|
| case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
|
| case SSL_ENABLE_OB_CERTS: on = ss->opt.enableOBCerts; break;
|
| @@ -352,7 +352,7 @@
|
|
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -880,6 +887,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
|
| +@@ -959,6 +966,8 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
|
| on = ssl_defaults.enableOCSPStapling;
|
| break;
|
| case SSL_ENABLE_OB_CERTS: on = ssl_defaults.enableOBCerts; break;
|
| @@ -361,7 +361,7 @@
|
|
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| -@@ -1047,6 +1056,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
|
| +@@ -1126,6 +1135,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
|
| ssl_defaults.enableOBCerts = on;
|
| break;
|
|
|
| @@ -372,10 +372,10 @@
|
| default:
|
| PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
| return SECFailure;
|
| -diff -up a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
|
| ---- a/src/net/third_party/nss/ssl/sslt.h 2012-02-29 17:12:15.780045080 -0800
|
| -+++ b/src/net/third_party/nss/ssl/sslt.h 2012-02-29 19:34:43.921452065 -0800
|
| -@@ -205,10 +205,11 @@ typedef enum {
|
| +diff -pu -r a/src/net/third_party/nss/ssl/sslt.h b/src/net/third_party/nss/ssl/sslt.h
|
| +--- a/src/net/third_party/nss/ssl/sslt.h 2012-03-19 12:50:32.610015524 -0700
|
| ++++ b/src/net/third_party/nss/ssl/sslt.h 2012-03-19 13:49:29.517749929 -0700
|
| +@@ -214,10 +214,11 @@ typedef enum {
|
| #endif
|
| ssl_session_ticket_xtn = 35,
|
| ssl_next_proto_nego_xtn = 13172,
|
|
|