Index: net/third_party/nss/patches/channelid.patch |
diff --git a/net/third_party/nss/patches/channelid.patch b/net/third_party/nss/patches/channelid.patch |
index 670a6faf52010fed3cd117ccf1d142c490e8eaaa..9fc6012b84b7466301379b928db27ed928fdcaaa 100644 |
--- a/net/third_party/nss/patches/channelid.patch |
+++ b/net/third_party/nss/patches/channelid.patch |
@@ -1,7 +1,64 @@ |
-diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
---- a/nss/lib/ssl/ssl3con.c 2014-01-18 10:39:50.799150460 -0800 |
-+++ b/nss/lib/ssl/ssl3con.c 2014-01-18 10:40:15.489552270 -0800 |
-@@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateSta |
+diff --git a/ssl/SSLerrs.h b/ssl/SSLerrs.h |
+index 174037b..81da41c 100644 |
+--- a/ssl/SSLerrs.h |
++++ b/ssl/SSLerrs.h |
+@@ -422,3 +422,12 @@ ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130), |
+ ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131), |
+ "The server rejected the handshake because the client downgraded to a lower " |
+ "TLS version than the server supports.") |
++ |
++ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 132), |
++"SSL received a malformed TLS Channel ID extension.") |
++ |
++ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 133), |
++"The application provided an invalid TLS Channel ID key.") |
++ |
++ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 134), |
++"The application could not get a TLS Channel ID.") |
+diff --git a/ssl/ssl.h b/ssl/ssl.h |
+index 593dd00..716537d 100644 |
+--- a/ssl/ssl.h |
++++ b/ssl/ssl.h |
+@@ -1025,6 +1025,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegotiatedExtension(PRFileDesc * socket, |
+ SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, |
+ PRBool *last_handshake_resumed); |
+ |
++/* See SSL_SetClientChannelIDCallback for usage. If the callback returns |
++ * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in |
++ * the future to restart the handshake. On SECSuccess, the callback must have |
++ * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */ |
++typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)( |
++ void *arg, |
++ PRFileDesc *fd, |
++ SECKEYPublicKey **out_public_key, |
++ SECKEYPrivateKey **out_private_key); |
++ |
++/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake |
++ * after a ChannelID callback returned SECWouldBlock. |
++ * |
++ * This function takes ownership of |channelIDPub| and |channelID|. */ |
++SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq( |
++ PRFileDesc *fd, |
++ SECKEYPublicKey *channelIDPub, |
++ SECKEYPrivateKey *channelID); |
++ |
++/* SSL_SetClientChannelIDCallback sets a callback function that will be called |
++ * once the server's ServerHello has been processed. This is only applicable to |
++ * a client socket and setting this callback causes the TLS Channel ID |
++ * extension to be advertised. */ |
++SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback( |
++ PRFileDesc *fd, |
++ SSLClientChannelIDCallback callback, |
++ void *arg); |
++ |
+ /* |
+ ** How long should we wait before retransmitting the next flight of |
+ ** the DTLS handshake? Returns SECFailure if not DTLS or not in a |
+diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c |
+index 1852806..45c3454 100644 |
+--- a/ssl/ssl3con.c |
++++ b/ssl/ssl3con.c |
+@@ -55,6 +55,7 @@ static SECStatus ssl3_SendCertificateStatus( sslSocket *ss); |
static SECStatus ssl3_SendEmptyCertificate( sslSocket *ss); |
static SECStatus ssl3_SendCertificateRequest(sslSocket *ss); |
static SECStatus ssl3_SendNextProto( sslSocket *ss); |
@@ -9,7 +66,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
static SECStatus ssl3_SendFinished( sslSocket *ss, PRInt32 flags); |
static SECStatus ssl3_SendServerHello( sslSocket *ss); |
static SECStatus ssl3_SendServerHelloDone( sslSocket *ss); |
-@@ -6221,6 +6222,15 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
+@@ -6281,6 +6282,15 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
} |
#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
@@ -25,7 +82,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length); |
if (temp < 0) { |
goto loser; /* alert has been sent */ |
-@@ -6503,7 +6513,7 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
+@@ -6563,7 +6573,7 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
if (rv != SECSuccess) { |
goto alert_loser; /* err code was set */ |
} |
@@ -34,7 +91,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
} while (0); |
if (sid_match) |
-@@ -6529,6 +6539,27 @@ ssl3_HandleServerHello(sslSocket *ss, SS |
+@@ -6589,6 +6599,27 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) |
ss->ssl3.hs.isResuming = PR_FALSE; |
ss->ssl3.hs.ws = wait_server_cert; |
@@ -62,22 +119,22 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
return SECSuccess; |
alert_loser: |
-@@ -7490,7 +7521,14 @@ ssl3_SendClientSecondRound(sslSocket *ss |
+@@ -7550,7 +7581,14 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
if (rv != SECSuccess) { |
goto loser; /* err code was set. */ |
} |
+ } |
- |
++ |
+ rv = ssl3_SendEncryptedExtensions(ss); |
+ if (rv != SECSuccess) { |
+ goto loser; /* err code was set. */ |
+ } |
-+ |
+ |
+ if (!ss->firstHsDone) { |
if (ss->opt.enableFalseStart) { |
if (!ss->ssl3.hs.authCertificatePending) { |
/* When we fix bug 589047, we will need to know whether we are |
-@@ -7527,6 +7565,33 @@ ssl3_SendClientSecondRound(sslSocket *ss |
+@@ -7587,6 +7625,33 @@ ssl3_SendClientSecondRound(sslSocket *ss) |
ssl_ReleaseXmitBufLock(ss); /*******************************/ |
@@ -111,7 +168,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) |
ss->ssl3.hs.ws = wait_new_session_ticket; |
else |
-@@ -10494,6 +10559,184 @@ ssl3_RecordKeyLog(sslSocket *ss) |
+@@ -10582,6 +10647,184 @@ ssl3_RecordKeyLog(sslSocket *ss) |
} |
/* called from ssl3_SendClientSecondRound |
@@ -296,7 +353,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
* ssl3_HandleClientHello |
* ssl3_HandleFinished |
*/ |
-@@ -10753,11 +10996,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3O |
+@@ -10841,11 +11084,16 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, |
flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; |
} |
@@ -317,7 +374,7 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
} |
if (IS_DTLS(ss)) { |
-@@ -12237,6 +12485,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
+@@ -12325,6 +12573,11 @@ ssl3_DestroySSL3Info(sslSocket *ss) |
ssl_FreePlatformKey(ss->ssl3.platformClientKey); |
#endif /* NSS_PLATFORM_CLIENT_AUTH */ |
@@ -329,10 +386,11 @@ diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
if (ss->ssl3.peerCertArena != NULL) |
ssl3_CleanupPeerCerts(ss); |
-diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
---- a/nss/lib/ssl/ssl3ext.c 2014-01-18 10:39:50.749149654 -0800 |
-+++ b/nss/lib/ssl/ssl3ext.c 2014-01-18 10:43:52.543083984 -0800 |
-@@ -64,6 +64,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSo |
+diff --git a/ssl/ssl3ext.c b/ssl/ssl3ext.c |
+index 9345be8..b6ed17d 100644 |
+--- a/ssl/ssl3ext.c |
++++ b/ssl/ssl3ext.c |
+@@ -68,6 +68,10 @@ static PRInt32 ssl3_SendUseSRTPXtn(sslSocket *ss, PRBool append, |
PRUint32 maxBytes); |
static SECStatus ssl3_HandleUseSRTPXtn(sslSocket * ss, PRUint16 ex_type, |
SECItem *data); |
@@ -340,10 +398,10 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
+ PRUint16 ex_type, SECItem *data); |
+static PRInt32 ssl3_ClientSendChannelIDXtn(sslSocket *ss, PRBool append, |
+ PRUint32 maxBytes); |
- static SECStatus ssl3_ServerSendStatusRequestXtn(sslSocket * ss, |
+ static PRInt32 ssl3_ServerSendStatusRequestXtn(sslSocket * ss, |
PRBool append, PRUint32 maxBytes); |
static SECStatus ssl3_ServerHandleStatusRequestXtn(sslSocket *ss, |
-@@ -253,6 +257,7 @@ static const ssl3HelloExtensionHandler s |
+@@ -264,6 +268,7 @@ static const ssl3HelloExtensionHandler serverHelloHandlersTLS[] = { |
{ ssl_next_proto_nego_xtn, &ssl3_ClientHandleNextProtoNegoXtn }, |
{ ssl_app_layer_protocol_xtn, &ssl3_ClientHandleAppProtoXtn }, |
{ ssl_use_srtp_xtn, &ssl3_HandleUseSRTPXtn }, |
@@ -351,19 +409,18 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
{ ssl_cert_status_xtn, &ssl3_ClientHandleStatusRequestXtn }, |
{ -1, NULL } |
}; |
-@@ -280,6 +285,7 @@ ssl3HelloExtensionSender clientHelloSend |
+@@ -291,6 +296,7 @@ ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = { |
{ ssl_next_proto_nego_xtn, &ssl3_ClientSendNextProtoNegoXtn }, |
{ ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn }, |
{ ssl_use_srtp_xtn, &ssl3_SendUseSRTPXtn }, |
+ { ssl_channel_id_xtn, &ssl3_ClientSendChannelIDXtn }, |
{ ssl_cert_status_xtn, &ssl3_ClientSendStatusRequestXtn }, |
- { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn } |
- /* any extra entries will appear as { 0, NULL } */ |
-@@ -795,6 +801,61 @@ loser: |
- return -1; |
+ { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }, |
+ { ssl_tls13_draft_version_xtn, &ssl3_ClientSendDraftVersionXtn }, |
+@@ -910,6 +916,61 @@ ssl3_ServerSendAppProtoXtn(sslSocket * ss, PRBool append, PRUint32 maxBytes) |
} |
-+static SECStatus |
+ static SECStatus |
+ssl3_ClientHandleChannelIDXtn(sslSocket *ss, PRUint16 ex_type, |
+ SECItem *data) |
+{ |
@@ -418,26 +475,29 @@ diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c |
+ return -1; |
+} |
+ |
- static SECStatus |
++static SECStatus |
ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type, |
SECItem *data) |
-diff -pu a/nss/lib/ssl/ssl3prot.h b/nss/lib/ssl/ssl3prot.h |
---- a/nss/lib/ssl/ssl3prot.h 2014-01-18 10:39:34.278881614 -0800 |
-+++ b/nss/lib/ssl/ssl3prot.h 2014-01-18 10:40:15.499552430 -0800 |
-@@ -129,7 +129,8 @@ typedef enum { |
- client_key_exchange = 16, |
- finished = 20, |
+ { |
+diff --git a/ssl/ssl3prot.h b/ssl/ssl3prot.h |
+index 485d7dd..78fbcaa 100644 |
+--- a/ssl/ssl3prot.h |
++++ b/ssl/ssl3prot.h |
+@@ -136,7 +136,8 @@ typedef enum { |
+ client_key_exchange = 16, |
+ finished = 20, |
certificate_status = 22, |
-- next_proto = 67 |
-+ next_proto = 67, |
-+ encrypted_extensions= 203 |
+- next_proto = 67 |
++ next_proto = 67, |
++ encrypted_extensions = 203, |
} SSL3HandshakeType; |
typedef struct { |
-diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c |
---- a/nss/lib/ssl/sslauth.c 2014-01-18 10:39:50.749149654 -0800 |
-+++ b/nss/lib/ssl/sslauth.c 2014-01-18 10:40:15.499552430 -0800 |
-@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, |
+diff --git a/ssl/sslauth.c b/ssl/sslauth.c |
+index 7f9c43b..c2d9201 100644 |
+--- a/ssl/sslauth.c |
++++ b/ssl/sslauth.c |
+@@ -216,6 +216,24 @@ SSL_GetClientAuthDataHook(PRFileDesc *s, SSLGetClientAuthData func, |
return SECSuccess; |
} |
@@ -462,78 +522,26 @@ diff -pu a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c |
#ifdef NSS_PLATFORM_CLIENT_AUTH |
/* NEED LOCKS IN HERE. */ |
SECStatus |
-diff -pu a/nss/lib/ssl/sslerr.h b/nss/lib/ssl/sslerr.h |
---- a/nss/lib/ssl/sslerr.h 2014-01-18 10:39:34.288881780 -0800 |
-+++ b/nss/lib/ssl/sslerr.h 2014-01-18 10:40:15.499552430 -0800 |
-@@ -193,6 +193,10 @@ SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM = ( |
- SSL_ERROR_DIGEST_FAILURE = (SSL_ERROR_BASE + 127), |
- SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM = (SSL_ERROR_BASE + 128), |
+diff --git a/ssl/sslerr.h b/ssl/sslerr.h |
+index 12dbb1d..24bf893 100644 |
+--- a/ssl/sslerr.h |
++++ b/ssl/sslerr.h |
+@@ -198,6 +198,10 @@ SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL = (SSL_ERROR_BASE + 130), |
+ |
+ SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT = (SSL_ERROR_BASE + 131), |
-+SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 129), |
-+SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 130), |
-+SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 131), |
++SSL_ERROR_BAD_CHANNEL_ID_DATA = (SSL_ERROR_BASE + 132), |
++SSL_ERROR_INVALID_CHANNEL_ID_KEY = (SSL_ERROR_BASE + 133), |
++SSL_ERROR_GET_CHANNEL_ID_FAILED = (SSL_ERROR_BASE + 134), |
+ |
- SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ |
+ SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ |
} SSLErrorCodes; |
#endif /* NO_SECURITY_ERROR_ENUM */ |
-diff -pu a/nss/lib/ssl/SSLerrs.h b/nss/lib/ssl/SSLerrs.h |
---- a/nss/lib/ssl/SSLerrs.h 2014-01-18 10:39:34.238880964 -0800 |
-+++ b/nss/lib/ssl/SSLerrs.h 2014-01-18 10:40:15.499552430 -0800 |
-@@ -412,3 +412,12 @@ ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR |
- |
- ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128), |
- "Incorrect signature algorithm specified in a digitally-signed element.") |
-+ |
-+ER3(SSL_ERROR_BAD_CHANNEL_ID_DATA, (SSL_ERROR_BASE + 129), |
-+"SSL received a malformed TLS Channel ID extension.") |
-+ |
-+ER3(SSL_ERROR_INVALID_CHANNEL_ID_KEY, (SSL_ERROR_BASE + 130), |
-+"The application provided an invalid TLS Channel ID key.") |
-+ |
-+ER3(SSL_ERROR_GET_CHANNEL_ID_FAILED, (SSL_ERROR_BASE + 131), |
-+"The application could not get a TLS Channel ID.") |
-diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
---- a/nss/lib/ssl/ssl.h 2014-01-18 10:39:50.799150460 -0800 |
-+++ b/nss/lib/ssl/ssl.h 2014-01-18 10:40:15.499552430 -0800 |
-@@ -1015,6 +1015,34 @@ SSL_IMPORT SECStatus SSL_HandshakeNegoti |
- SSL_IMPORT SECStatus SSL_HandshakeResumedSession(PRFileDesc *fd, |
- PRBool *last_handshake_resumed); |
- |
-+/* See SSL_SetClientChannelIDCallback for usage. If the callback returns |
-+ * SECWouldBlock then SSL_RestartHandshakeAfterChannelIDReq should be called in |
-+ * the future to restart the handshake. On SECSuccess, the callback must have |
-+ * written a P-256, EC key pair to |*out_public_key| and |*out_private_key|. */ |
-+typedef SECStatus (PR_CALLBACK *SSLClientChannelIDCallback)( |
-+ void *arg, |
-+ PRFileDesc *fd, |
-+ SECKEYPublicKey **out_public_key, |
-+ SECKEYPrivateKey **out_private_key); |
-+ |
-+/* SSL_RestartHandshakeAfterChannelIDReq attempts to restart the handshake |
-+ * after a ChannelID callback returned SECWouldBlock. |
-+ * |
-+ * This function takes ownership of |channelIDPub| and |channelID|. */ |
-+SSL_IMPORT SECStatus SSL_RestartHandshakeAfterChannelIDReq( |
-+ PRFileDesc *fd, |
-+ SECKEYPublicKey *channelIDPub, |
-+ SECKEYPrivateKey *channelID); |
-+ |
-+/* SSL_SetClientChannelIDCallback sets a callback function that will be called |
-+ * once the server's ServerHello has been processed. This is only applicable to |
-+ * a client socket and setting this callback causes the TLS Channel ID |
-+ * extension to be advertised. */ |
-+SSL_IMPORT SECStatus SSL_SetClientChannelIDCallback( |
-+ PRFileDesc *fd, |
-+ SSLClientChannelIDCallback callback, |
-+ void *arg); |
-+ |
- /* |
- ** How long should we wait before retransmitting the next flight of |
- ** the DTLS handshake? Returns SECFailure if not DTLS or not in a |
-diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
---- a/nss/lib/ssl/sslimpl.h 2014-01-18 10:39:50.799150460 -0800 |
-+++ b/nss/lib/ssl/sslimpl.h 2014-01-18 10:40:15.499552430 -0800 |
-@@ -709,6 +709,14 @@ struct sslSessionIDStr { |
+diff --git a/ssl/sslimpl.h b/ssl/sslimpl.h |
+index c6ac398..57346cb 100644 |
+--- a/ssl/sslimpl.h |
++++ b/ssl/sslimpl.h |
+@@ -711,6 +711,14 @@ struct sslSessionIDStr { |
SECItem srvName; |
@@ -548,7 +556,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
/* This lock is lazily initialized by CacheSID when a sid is first |
* cached. Before then, there is no need to lock anything because |
* the sid isn't being shared by anything. |
-@@ -978,6 +986,9 @@ struct ssl3StateStr { |
+@@ -980,6 +988,9 @@ struct ssl3StateStr { |
CERTCertificateList *clientCertChain; /* used by client */ |
PRBool sendEmptyCert; /* used by client */ |
@@ -558,7 +566,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
int policy; |
/* This says what cipher suites we can do, and should |
* be either SSL_ALLOWED or SSL_RESTRICTED |
-@@ -1255,6 +1266,8 @@ const unsigned char * preferredCipher; |
+@@ -1257,6 +1268,8 @@ const unsigned char * preferredCipher; |
void *pkcs11PinArg; |
SSLNextProtoCallback nextProtoCallback; |
void *nextProtoArg; |
@@ -567,7 +575,7 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
PRIntervalTime rTimeout; /* timeout for NSPR I/O */ |
PRIntervalTime wTimeout; /* timeout for NSPR I/O */ |
-@@ -1599,6 +1612,11 @@ extern SECStatus ssl3_RestartHandshakeAf |
+@@ -1603,6 +1616,11 @@ extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, |
SECKEYPrivateKey * key, |
CERTCertificateList *certChain); |
@@ -579,9 +587,10 @@ diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
extern SECStatus ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error); |
/* |
-diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c |
---- a/nss/lib/ssl/sslnonce.c 2014-01-18 10:39:50.739149486 -0800 |
-+++ b/nss/lib/ssl/sslnonce.c 2014-01-18 10:40:15.499552430 -0800 |
+diff --git a/ssl/sslnonce.c b/ssl/sslnonce.c |
+index be11008..1326a8b 100644 |
+--- a/ssl/sslnonce.c |
++++ b/ssl/sslnonce.c |
@@ -180,6 +180,9 @@ ssl_DestroySID(sslSessionID *sid) |
if (sid->u.ssl3.srvName.data) { |
SECITEM_FreeItem(&sid->u.ssl3.srvName, PR_FALSE); |
@@ -592,10 +601,11 @@ diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c |
if (sid->u.ssl3.lock) { |
PR_DestroyRWLock(sid->u.ssl3.lock); |
-diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c |
---- a/nss/lib/ssl/sslsecur.c 2014-01-18 10:39:50.799150460 -0800 |
-+++ b/nss/lib/ssl/sslsecur.c 2014-01-18 10:40:15.499552430 -0800 |
-@@ -1584,6 +1584,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileD |
+diff --git a/ssl/sslsecur.c b/ssl/sslsecur.c |
+index d44336e..5c6751a 100644 |
+--- a/ssl/sslsecur.c |
++++ b/ssl/sslsecur.c |
+@@ -1582,6 +1582,42 @@ SSL_RestartHandshakeAfterCertReq(PRFileDesc * fd, |
return ret; |
} |
@@ -638,19 +648,20 @@ diff -pu a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c |
/* DO NOT USE. This function was exported in ssl.def with the wrong signature; |
* this implementation exists to maintain link-time compatibility. |
*/ |
-diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
---- a/nss/lib/ssl/sslsock.c 2014-01-18 10:39:50.769149984 -0800 |
-+++ b/nss/lib/ssl/sslsock.c 2014-01-18 10:40:15.499552430 -0800 |
-@@ -276,6 +276,8 @@ ssl_DupSocket(sslSocket *os) |
- ss->canFalseStartCallback = os->canFalseStartCallback; |
- ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
- ss->pkcs11PinArg = os->pkcs11PinArg; |
-+ ss->getChannelID = os->getChannelID; |
-+ ss->getChannelIDArg = os->getChannelIDArg; |
- |
- /* Create security data */ |
- rv = ssl_CopySecurityInfo(ss, os); |
-@@ -1691,6 +1693,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFile |
+diff --git a/ssl/sslsock.c b/ssl/sslsock.c |
+index a939781..d3f3bf4 100644 |
+--- a/ssl/sslsock.c |
++++ b/ssl/sslsock.c |
+@@ -288,6 +288,8 @@ ssl_DupSocket(sslSocket *os) |
+ ss->canFalseStartCallback = os->canFalseStartCallback; |
+ ss->canFalseStartCallbackData = os->canFalseStartCallbackData; |
+ ss->pkcs11PinArg = os->pkcs11PinArg; |
++ ss->getChannelID = os->getChannelID; |
++ ss->getChannelIDArg = os->getChannelIDArg; |
+ |
+ /* Create security data */ |
+ rv = ssl_CopySecurityInfo(ss, os); |
+@@ -1733,6 +1735,10 @@ SSL_ReconfigFD(PRFileDesc *model, PRFileDesc *fd) |
ss->handshakeCallbackData = sm->handshakeCallbackData; |
if (sm->pkcs11PinArg) |
ss->pkcs11PinArg = sm->pkcs11PinArg; |
@@ -661,28 +672,29 @@ diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
return fd; |
loser: |
return NULL; |
-@@ -2968,6 +2974,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProto |
- ss->badCertArg = NULL; |
- ss->pkcs11PinArg = NULL; |
- ss->ephemeralECDHKeyPair = NULL; |
-+ ss->getChannelID = NULL; |
-+ ss->getChannelIDArg = NULL; |
+@@ -3021,6 +3027,8 @@ ssl_NewSocket(PRBool makeLocks, SSLProtocolVariant protocolVariant) |
+ ss->badCertArg = NULL; |
+ ss->pkcs11PinArg = NULL; |
+ ss->ephemeralECDHKeyPair = NULL; |
++ ss->getChannelID = NULL; |
++ ss->getChannelIDArg = NULL; |
- ssl_ChooseOps(ss); |
- ssl2_InitSocketPolicy(ss); |
-diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h |
---- a/nss/lib/ssl/sslt.h 2014-01-18 10:39:34.328882426 -0800 |
-+++ b/nss/lib/ssl/sslt.h 2014-01-18 10:40:15.499552430 -0800 |
-@@ -190,10 +190,11 @@ typedef enum { |
- ssl_app_layer_protocol_xtn = 16, |
+ ssl_ChooseOps(ss); |
+ ssl2_InitSocketPolicy(ss); |
+diff --git a/ssl/sslt.h b/ssl/sslt.h |
+index 1d28feb..0900f28 100644 |
+--- a/ssl/sslt.h |
++++ b/ssl/sslt.h |
+@@ -191,10 +191,11 @@ typedef enum { |
+ ssl_padding_xtn = 21, |
ssl_session_ticket_xtn = 35, |
ssl_next_proto_nego_xtn = 13172, |
+ ssl_channel_id_xtn = 30032, |
- ssl_padding_xtn = 35655, |
- ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
+ ssl_renegotiation_info_xtn = 0xff01, |
+ ssl_tls13_draft_version_xtn = 0xff02 /* experimental number */ |
} SSLExtensionType; |
--#define SSL_MAX_EXTENSIONS 10 /* doesn't include ssl_padding_xtn. */ |
-+#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ |
+-#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. */ |
++#define SSL_MAX_EXTENSIONS 12 /* doesn't include ssl_padding_xtn. */ |
#endif /* __sslt_h_ */ |