Update libssl to NSS 3.18 RTM

net/third_party/nss/patches/channelid.patch

-diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c     2014-01-18 10:39:50.799150460 -0800
-+++ b/nss/lib/ssl/ssl3con.c     2014-01-18 10:40:15.489552270 -0800
-@@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta
+diff --git a/ssl/SSLerrs.h b/ssl/SSLerrs.h
+index 174037b..81da41c 100644
+--- a/ssl/SSLerrs.h
++++ b/ssl/SSLerrs.h
+@@ -422,3 +422,12 @@ ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130),
+ ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131),
+ "The server rejected the handshake because the client downgraded to a lower "
+ "TLS version than the server supports.")
++
++ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 132),
++"SSL received a malformed TLS Channel ID extension.")
++
++ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 133),
++"The application provided an invalid TLS Channel ID key.")
++
++ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 134),
++"The application could not get a TLS Channel ID.")
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 593dd00..716537d 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -1025,6 +1025,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
+ SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
+                                                  PRBool *last_handshake_resumed);
+ 
++/* See SSL_SetClientChannelIDCallback for usage. If the callback returns
++ * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in
++ * the future to restart the handshake.  On SECSuccess, the callback must have
++ * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */
++typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)(
++    void *arg,
++    PRFileDesc *fd,
++    SECKEYPublicKey **out_public_key,
++    SECKEYPrivateKey **out_private_key);
++
++/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake
++ * after a ChannelID callback returned SECWouldBlock.
++ *
++ * This function takes ownership of |channelIDPub| and |channelID|. */
++SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq(
++    PRFileDesc *fd,
++    SECKEYPublicKey *channelIDPub,
++    SECKEYPrivateKey *channelID);
++
++/* SSL_SetClientChannelIDCallback sets a callback function that will be called
++ * once the server's ServerHello has been processed. This is only applicable to
++ * a client socket and setting this callback causes the TLS Channel ID
++ * extension to be advertised. */
++SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback(
++    PRFileDesc *fd,
++    SSLClientChannelIDCallback callback,
++    void *arg);
++
+ /*
+ ** How long should we wait before retransmitting the next flight of
+ ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
+diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
+index 1852806..45c3454 100644
+--- a/ssl/ssl3con.c
++++ b/ssl/ssl3con.c
+@@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateStatus( sslSocket *ss);
  static SECStatus ssl3_SendEmptyCertificate(  sslSocket *ss);
  static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
  static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 +static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
  static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
  static SECStatus ssl3_SendServerHello(       sslSocket *ss);
  static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
-@@ -6221,6 +6222,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6281,6 +6282,15 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
      }
  #endif  /* NSS_PLATFORM_CLIENT_AUTH */
  
 +    if (ss->ssl3.channelID != NULL) {
 +       SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
 +       ss->ssl3.channelID = NULL;
 +    }
 +    if (ss->ssl3.channelIDPub != NULL) {
 +       SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
 +       ss->ssl3.channelIDPub = NULL;
 +    }
 +
      temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
      if (temp < 0) {
         goto loser;     /* alert has been sent */
-@@ -6503,7 +6513,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6563,7 +6573,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
         if (rv != SECSuccess) {
             goto alert_loser;   /* err code was set */
         }
 -       return SECSuccess;
 +       goto winner;
      } while (0);
  
      if (sid_match)
-@@ -6529,6 +6539,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS
+@@ -6589,6 +6599,27 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
  
      ss->ssl3.hs.isResuming = PR_FALSE;
      ss->ssl3.hs.ws         = wait_server_cert;
 +
 +winner:
 +    /* If we will need a ChannelID key then we make the callback now. This
 +     * allows the handshake to be restarted cleanly if the callback returns
 +     * SECWouldBlock. */
 +    if (ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
 +       rv = ss->getChannelID(ss->getChannelIDArg, ss->fd,
 +                             &ss->ssl3.channelIDPub, &ss->ssl3.channelID);
 +       if (rv == SECWouldBlock) {
 +           ssl3_SetAlwaysBlock(ss);
 +           return rv;
 +       }
 +       if (rv != SECSuccess ||
 +           ss->ssl3.channelIDPub == NULL ||
 +           ss->ssl3.channelID == NULL) {
 +           PORT_SetError(SSL_ERROR_GET_CHANNEL_ID_FAILED);
 +           desc = internal_error;
 +           goto alert_loser;
 +       }
 +    }
 +
      return SECSuccess;
  
  alert_loser:
-@@ -7490,7 +7521,14 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7550,7 +7581,14 @@ ssl3_SendClientSecondRound(sslSocket *ss)
         if (rv != SECSuccess) {
             goto loser; /* err code was set. */
         }
 +    }
- 
++
 +    rv = ssl3_SendEncryptedExtensions(ss);
 +    if (rv != SECSuccess) {
 +       goto loser; /* err code was set. */
 +    }
-+
+ 
 +    if (!ss->firstHsDone) {
         if (ss->opt.enableFalseStart) {
             if (!ss->ssl3.hs.authCertificatePending) {
                 /* When we fix bug 589047, we will need to know whether we are
-@@ -7527,6 +7565,33 @@ ssl3_SendClientSecondRound(sslSocket *ss
+@@ -7587,6 +7625,33 @@ ssl3_SendClientSecondRound(sslSocket *ss)
  
      ssl_ReleaseXmitBufLock(ss);                /*******************************/
  
 +    if (!ss->ssl3.hs.isResuming &&
 +        ssl3_ExtensionNegotiated(ss, ssl_channel_id_xtn)) {
 +        /* If we are negotiating ChannelID on a full handshake then we record
 +         * the handshake hashes in |sid| at this point. They will be needed in
 +         * the event that we resume this session and use ChannelID on the
 +         * resumption handshake. */
 +        SSL3Hashes hashes;
@@ skipping 13 matching lines @@
 +        originalHandshakeHash->data = PORT_Alloc(hashes.len);
 +        if (!originalHandshakeHash->data)
 +            return SECFailure;
 +        originalHandshakeHash->len = hashes.len;
 +        memcpy(originalHandshakeHash->data, hashes.u.raw, hashes.len);
 +    }
 +
      if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
         ss->ssl3.hs.ws = wait_new_session_ticket;
      else
-@@ -10494,6 +10559,184 @@ ssl3_RecordKeyLog(sslSocket *ss)
+@@ -10582,6 +10647,184 @@ ssl3_RecordKeyLog(sslSocket *ss)
  }
  
  /* called from ssl3_SendClientSecondRound
 + *          ssl3_HandleFinished
 + */
 +static SECStatus
 +ssl3_SendEncryptedExtensions(sslSocket *ss)
 +{
 +    static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
 +    static const char CHANNEL_ID_RESUMPTION_MAGIC[] = "Resumption";
@@ skipping 164 matching lines @@
 +    ss->ssl3.channelID = channelID;
 +    ss->ssl3.channelIDPub = channelIDPub;
 +
 +    return SECSuccess;
 +}
 +
 +/* called from ssl3_SendClientSecondRound
   *             ssl3_HandleClientHello
   *             ssl3_HandleFinished
   */
-@@ -10753,11 +10996,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O
+@@ -10841,11 +11084,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
             flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER;
         }
  
 -       if (!isServer && !ss->firstHsDone) {
 -           rv = ssl3_SendNextProto(ss);
 -           if (rv != SECSuccess) {
 -               goto xmit_loser; /* err code was set. */
 +       if (!isServer) {
 +           if (!ss->firstHsDone) {
 +               rv = ssl3_SendNextProto(ss);
 +               if (rv != SECSuccess) {
 +                   goto xmit_loser; /* err code was set. */
 +               }
             }
 +           rv = ssl3_SendEncryptedExtensions(ss);
 +           if (rv != SECSuccess)
 +               goto xmit_loser; /* err code was set. */
         }
  
         if (IS_DTLS(ss)) {
-@@ -12237,6 +12485,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
+@@ -12325,6 +12573,11 @@ ssl3_DestroySSL3Info(sslSocket *ss)
         ssl_FreePlatformKey(ss->ssl3.platformClientKey);
  #endif /* NSS_PLATFORM_CLIENT_AUTH */
  
 +    if (ss->ssl3.channelID)
 +       SECKEY_DestroyPrivateKey(ss->ssl3.channelID);
 +    if (ss->ssl3.channelIDPub)
 +       SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
 +
      if (ss->ssl3.peerCertArena != NULL)
         ssl3_CleanupPeerCerts(ss);
  
-diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c     2014-01-18 10:39:50.749149654 -0800
-+++ b/nss/lib/ssl/ssl3ext.c     2014-01-18 10:43:52.543083984 -0800
-@@ -64,6 +64,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo
+diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c
+index 9345be8..5fc54c3 100644
+--- a/ssl/ssl3ext.c
++++ b/ssl/ssl3ext.c
+@@ -68,6 +68,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append,
      PRUint32 maxBytes);
  static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type,
      SECItem *data);
 +static SECStatus ssl3_ClientHandleChannelIDXtn(sslSocket *ss,
 +    PRUint16 ex_type, SECItem *data);
 +static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append,
 +    PRUint32 maxBytes);
- static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
+ static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss,
      PRBool append, PRUint32 maxBytes);
  static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss,
-@@ -253,6 +257,7 @@ static const ssl3HelloExtensionHandler s
+@@ -248,6 +252,7 @@ static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
+     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
+     { ssl_app_layer_protocol_xtn, &ssl3_ServerHandleAppProtoXtn },
+     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
++    { ssl_channel_id_xtn,         &ssl3_ClientSendChannelIDXtn },
+     { ssl_cert_status_xtn,        &ssl3_ServerHandleStatusRequestXtn },
+     { ssl_signature_algorithms_xtn, &ssl3_ServerHandleSigAlgsXtn },
+     { ssl_tls13_draft_version_xtn, &ssl3_ServerHandleDraftVersionXtn },
+@@ -264,6 +269,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = {
      { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
      { ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn },
      { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
 +    { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
      { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
      { -1, NULL }
  };
-@@ -280,6 +285,7 @@ ssl3HelloExtensionSender clientHelloSend
-     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
-     { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
-     { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn },
-+    { ssl_channel_id_xtn,         &ssl3_ClientSendChannelIDXtn },
-     { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
-     { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
-     /* any extra entries will appear as { 0, NULL }    */
-@@ -795,6 +801,61 @@ loser:
-     return -1;
+@@ -910,6 +916,61 @@ ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes)
  }
  
-+static SECStatus
+ static SECStatus
 +ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type,
 +                            SECItem *data)
 +{
 +    PORT_Assert(ss->getChannelID != NULL);
 +
 +    if (data->len) {
 +       PORT_SetError(SSL_ERROR_BAD_CHANNEL_ID_DATA);
 +       return SECFailure;
 +    }
 +    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
@@ skipping 34 matching lines @@
 +       ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
 +               ssl_channel_id_xtn;
 +    }
 +
 +    return extension_length;
 +
 +loser:
 +    return -1;
 +}
 +
- static SECStatus
++static SECStatus
  ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
                                   SECItem *data)
-diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h
---- a/nss/lib/ssl/ssl3prot.h    2014-01-18 10:39:34.278881614 -0800
-+++ b/nss/lib/ssl/ssl3prot.h    2014-01-18 10:40:15.499552430 -0800
-@@ -129,7 +129,8 @@ typedef enum {
-     client_key_exchange        = 16, 
-     finished           = 20,
+ {
+diff --git a/ssl/ssl3prot.h b/ssl/ssl3prot.h
+index 485d7dd..78fbcaa 100644
+--- a/ssl/ssl3prot.h
++++ b/ssl/ssl3prot.h
+@@ -136,7 +136,8 @@ typedef enum {
+     client_key_exchange = 16,
+     finished            = 20,
      certificate_status  = 22,
--    next_proto         = 67
-+    next_proto         = 67,
-+    encrypted_extensions= 203
+-    next_proto          = 67
++    next_proto          = 67,
++    encrypted_extensions = 203,
  } SSL3HandshakeType;
  
  typedef struct {
-diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
---- a/nss/lib/ssl/sslauth.c     2014-01-18 10:39:50.749149654 -0800
-+++ b/nss/lib/ssl/sslauth.c     2014-01-18 10:40:15.499552430 -0800
-@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s,
+diff --git a/ssl/sslauth.c b/ssl/sslauth.c
+index 7f9c43b..c2d9201 100644
+--- a/ssl/sslauth.c
++++ b/ssl/sslauth.c
+@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func,
      return SECSuccess;
  }
  
 +SECStatus
 +SSL_SetClientChannelIDCallback(PRFileDesc *fd,
 +                              SSLClientChannelIDCallback callback,
 +                              void *arg) {
 +    sslSocket *ss = ssl_FindSocket(fd);
 +
 +    if (!ss) {
 +       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetClientChannelIDCallback",
 +                SSL_GETPID(), fd));
 +       return SECFailure;
 +    }
 +
 +    ss->getChannelID = callback;
 +    ss->getChannelIDArg = arg;
 +
 +    return SECSuccess;
 +}
 +
  #ifdef NSS_PLATFORM_CLIENT_AUTH
  /* NEED LOCKS IN HERE.  */
  SECStatus 
-diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h
---- a/nss/lib/ssl/sslerr.h      2014-01-18 10:39:34.288881780 -0800
-+++ b/nss/lib/ssl/sslerr.h      2014-01-18 10:40:15.499552430 -0800
-@@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = (
- SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127),
- SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128),
+diff --git a/ssl/sslerr.h b/ssl/sslerr.h
+index 12dbb1d..24bf893 100644
+--- a/ssl/sslerr.h
++++ b/ssl/sslerr.h
+@@ -198,6 +198,10 @@ SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL     = (SSL_ERROR_BASE + 130),
  
-+SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129),
-+SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130),
-+SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131),
+ SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT  = (SSL_ERROR_BASE + 131),
+ 
++SSL_ERROR_BAD_CHANNEL_ID_DATA           = (SSL_ERROR_BASE + 132),
++SSL_ERROR_INVALID_CHANNEL_ID_KEY        = (SSL_ERROR_BASE + 133),
++SSL_ERROR_GET_CHANNEL_ID_FAILED         = (SSL_ERROR_BASE + 134),
 +
- SSL_ERROR_END_OF_LIST  /* let the c compiler determine the value of this. */
+ SSL_ERROR_END_OF_LIST   /* let the c compiler determine the value of this. */
  } SSLErrorCodes;
  #endif /* NO_SECURITY_ERROR_ENUM */
-diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h
---- a/nss/lib/ssl/SSLerrs.h     2014-01-18 10:39:34.238880964 -0800
-+++ b/nss/lib/ssl/SSLerrs.h     2014-01-18 10:40:15.499552430 -0800
-@@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR
- 
- ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
- "Incorrect signature algorithm specified in a digitally-signed element.")
-+
-+ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 129),
-+"SSL received a malformed TLS Channel ID extension.")
-+
-+ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130),
-+"The application provided an invalid TLS Channel ID key.")
-+
-+ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131),
-+"The application could not get a TLS Channel ID.")
-diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-18 10:39:50.799150460 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-18 10:40:15.499552430 -0800
-@@ -1015,6 +1015,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti
- SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd,
-                                                  PRBool *last_handshake_resumed);
- 
-+/* See SSL_SetClientChannelIDCallback for usage. If the callback returns
-+ * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in
-+ * the future to restart the handshake.  On SECSuccess, the callback must have
-+ * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */
-+typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)(
-+    void *arg,
-+    PRFileDesc *fd,
-+    SECKEYPublicKey **out_public_key,
-+    SECKEYPrivateKey **out_private_key);
-+
-+/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake
-+ * after a ChannelID callback returned SECWouldBlock.
-+ *
-+ * This function takes ownership of |channelIDPub| and |channelID|. */
-+SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq(
-+    PRFileDesc *fd,
-+    SECKEYPublicKey *channelIDPub,
-+    SECKEYPrivateKey *channelID);
-+
-+/* SSL_SetClientChannelIDCallback sets a callback function that will be called
-+ * once the server's ServerHello has been processed. This is only applicable to
-+ * a client socket and setting this callback causes the TLS Channel ID
-+ * extension to be advertised. */
-+SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback(
-+    PRFileDesc *fd,
-+    SSLClientChannelIDCallback callback,
-+    void *arg);
-+
- /*
- ** How long should we wait before retransmitting the next flight of
- ** the DTLS handshake? Returns SECFailure if not DTLS or not in a
-diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h     2014-01-18 10:39:50.799150460 -0800
-+++ b/nss/lib/ssl/sslimpl.h     2014-01-18 10:40:15.499552430 -0800
-@@ -709,6 +709,14 @@ struct sslSessionIDStr {
+diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h
+index c6ac398..57346cb 100644
+--- a/ssl/sslimpl.h
++++ b/ssl/sslimpl.h
+@@ -711,6 +711,14 @@ struct sslSessionIDStr {
  
             SECItem           srvName;
  
 +            /* originalHandshakeHash contains the hash of the original, full
 +             * handshake prior to the server's final flow. This is either a
 +             * SHA-1/MD5 combination (for TLS < 1.2) or the TLS PRF hash (for
 +             * TLS 1.2). This is recorded and used only when ChannelID is
 +             * negotiated as it's used to bind the ChannelID signature on the
 +             * resumption handshake to the original handshake. */
 +           SECItem           originalHandshakeHash;
 +
             /* This lock is lazily initialized by CacheSID when a sid is first
              * cached. Before then, there is no need to lock anything because
              * the sid isn't being shared by anything.
-@@ -978,6 +986,9 @@ struct ssl3StateStr {
+@@ -980,6 +988,9 @@ struct ssl3StateStr {
      CERTCertificateList *clientCertChain;    /* used by client */
      PRBool               sendEmptyCert;      /* used by client */
  
 +    SECKEYPrivateKey    *channelID;          /* used by client */
 +    SECKEYPublicKey     *channelIDPub;       /* used by client */
 +
      int                  policy;
                         /* This says what cipher suites we can do, and should 
                          * be either SSL_ALLOWED or SSL_RESTRICTED 
-@@ -1255,6 +1266,8 @@ const unsigned char *  preferredCipher;
+@@ -1257,6 +1268,8 @@ const unsigned char *  preferredCipher;
      void                     *pkcs11PinArg;
      SSLNextProtoCallback      nextProtoCallback;
      void                     *nextProtoArg;
 +    SSLClientChannelIDCallback getChannelID;
 +    void                     *getChannelIDArg;
  
      PRIntervalTime            rTimeout; /* timeout for NSPR I/O */
      PRIntervalTime            wTimeout; /* timeout for NSPR I/O */
-@@ -1599,6 +1612,11 @@ extern SECStatus ssl3_RestartHandshakeAf
+@@ -1603,6 +1616,11 @@ extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket *    ss,
                                              SECKEYPrivateKey *   key,
                                              CERTCertificateList *certChain);
  
 +extern SECStatus ssl3_RestartHandshakeAfterChannelIDReq(
 +    sslSocket *ss,
 +    SECKEYPublicKey *channelIDPub,
 +    SECKEYPrivateKey *channelID);
 +
  extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error);
  
  /*
-diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
---- a/nss/lib/ssl/sslnonce.c    2014-01-18 10:39:50.739149486 -0800
-+++ b/nss/lib/ssl/sslnonce.c    2014-01-18 10:40:15.499552430 -0800
+diff --git a/ssl/sslnonce.c b/ssl/sslnonce.c
+index be11008..1326a8b 100644
+--- a/ssl/sslnonce.c
++++ b/ssl/sslnonce.c
 @@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid)
          if (sid->u.ssl3.srvName.data) {
              SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE);
          }
 +        if (sid->u.ssl3.originalHandshakeHash.data) {
 +            SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
 +        }
  
          if (sid->u.ssl3.lock) {
              PR_DestroyRWLock(sid->u.ssl3.lock);
-diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
---- a/nss/lib/ssl/sslsecur.c    2014-01-18 10:39:50.799150460 -0800
-+++ b/nss/lib/ssl/sslsecur.c    2014-01-18 10:40:15.499552430 -0800
-@@ -1584,6 +1584,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD
+diff --git a/ssl/sslsecur.c b/ssl/sslsecur.c
+index d44336e..5c6751a 100644
+--- a/ssl/sslsecur.c
++++ b/ssl/sslsecur.c
+@@ -1582,6 +1582,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileDesc *        fd,
      return ret;
  }
  
 +SECStatus
 +SSL_RestartHandshakeAfterChannelIDReq(PRFileDesc *      fd,
 +                                     SECKEYPublicKey * channelIDPub,
 +                                     SECKEYPrivateKey *channelID)
 +{
 +    sslSocket *   ss = ssl_FindSocket(fd);
 +    SECStatus     ret;
@@ skipping 22 matching lines @@
 +
 +loser:
 +    SECKEY_DestroyPublicKey(channelIDPub);
 +    SECKEY_DestroyPrivateKey(channelID);
 +    return SECFailure;
 +}
 +
  /* DO NOT USE. This function was exported in ssl.def with the wrong signature;
   * this implementation exists to maintain link-time compatibility.
   */
-diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c     2014-01-18 10:39:50.769149984 -0800
-+++ b/nss/lib/ssl/sslsock.c     2014-01-18 10:40:15.499552430 -0800
-@@ -276,6 +276,8 @@ ssl_DupSocket(sslSocket *os)
-            ss->canFalseStartCallback = os->canFalseStartCallback;
-            ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
-            ss->pkcs11PinArg          = os->pkcs11PinArg;
-+           ss->getChannelID          = os->getChannelID;
-+           ss->getChannelIDArg       = os->getChannelIDArg;
-     
-            /* Create security data */
-            rv = ssl_CopySecurityInfo(ss, os);
-@@ -1691,6 +1693,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile
+diff --git a/ssl/sslsock.c b/ssl/sslsock.c
+index a939781..d3f3bf4 100644
+--- a/ssl/sslsock.c
++++ b/ssl/sslsock.c
+@@ -288,6 +288,8 @@ ssl_DupSocket(sslSocket *os)
+             ss->canFalseStartCallback = os->canFalseStartCallback;
+             ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
+             ss->pkcs11PinArg          = os->pkcs11PinArg;
++            ss->getChannelID          = os->getChannelID;
++            ss->getChannelIDArg       = os->getChannelIDArg;
+ 
+             /* Create security data */
+             rv = ssl_CopySecurityInfo(ss, os);
+@@ -1733,6 +1735,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd)
          ss->handshakeCallbackData = sm->handshakeCallbackData;
      if (sm->pkcs11PinArg)
          ss->pkcs11PinArg          = sm->pkcs11PinArg;
 +    if (sm->getChannelID)
 +        ss->getChannelID          = sm->getChannelID;
 +    if (sm->getChannelIDArg)
 +        ss->getChannelIDArg       = sm->getChannelIDArg;
      return fd;
  loser:
      return NULL;
-@@ -2968,6 +2974,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
-        ss->badCertArg         = NULL;
-        ss->pkcs11PinArg       = NULL;
-        ss->ephemeralECDHKeyPair = NULL;
-+       ss->getChannelID       = NULL;
-+       ss->getChannelIDArg    = NULL;
+@@ -3021,6 +3027,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant)
+         ss->badCertArg         = NULL;
+         ss->pkcs11PinArg       = NULL;
+         ss->ephemeralECDHKeyPair = NULL;
++        ss->getChannelID       = NULL;
++        ss->getChannelIDArg    = NULL;
  
-        ssl_ChooseOps(ss);
-        ssl2_InitSocketPolicy(ss);
-diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h        2014-01-18 10:39:34.328882426 -0800
-+++ b/nss/lib/ssl/sslt.h        2014-01-18 10:40:15.499552430 -0800
-@@ -190,10 +190,11 @@ typedef enum {
-     ssl_app_layer_protocol_xtn       = 16,
+         ssl_ChooseOps(ss);
+         ssl2_InitSocketPolicy(ss);
+diff --git a/ssl/sslt.h b/ssl/sslt.h
+index 1d28feb..0900f28 100644
+--- a/ssl/sslt.h
++++ b/ssl/sslt.h
+@@ -191,10 +191,11 @@ typedef enum {
+     ssl_padding_xtn                  = 21,
      ssl_session_ticket_xtn           = 35,
      ssl_next_proto_nego_xtn          = 13172,
 +    ssl_channel_id_xtn               = 30032,
-     ssl_padding_xtn                  = 35655,
-     ssl_renegotiation_info_xtn       = 0xff01  /* experimental number */
+     ssl_renegotiation_info_xtn       = 0xff01,
+     ssl_tls13_draft_version_xtn      = 0xff02   /* experimental number */
  } SSLExtensionType;
  
--#define SSL_MAX_EXTENSIONS             10 /* doesn't include ssl_padding_xtn. */
-+#define SSL_MAX_EXTENSIONS             11 /* doesn't include ssl_padding_xtn. */
+-#define SSL_MAX_EXTENSIONS             11 /* doesn't include ssl_padding_xtn. */
++#define SSL_MAX_EXTENSIONS             12 /* doesn't include ssl_padding_xtn. */
  
  #endif /* __sslt_h_ */