Remove //net (except for Android test stuff) and sdch

net/third_party/nss/patches/signedcertificatetimestamps.patch

-diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
---- a/nss/lib/ssl/ssl3con.c     2014-01-17 18:11:28.314468184 -0800
-+++ b/nss/lib/ssl/ssl3con.c     2014-01-17 18:23:17.946207727 -0800
-@@ -6682,10 +6682,22 @@ ssl3_HandleServerHello(sslSocket *ss, SS
-     sid->u.ssl3.sessionIDLength = sidBytes.len;
-     PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
- 
-+    /* Copy Signed Certificate Timestamps, if any. */
-+    if (ss->xtnData.signedCertTimestamps.data) {
-+       rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
-+                             &ss->xtnData.signedCertTimestamps);
-+       if (rv != SECSuccess)
-+           goto loser;
-+    }
-+
-     ss->ssl3.hs.isResuming = PR_FALSE;
-     ss->ssl3.hs.ws         = wait_server_cert;
- 
- winner:
-+    /* Clean up the temporary pointer to the handshake buffer. */
-+    ss->xtnData.signedCertTimestamps.data = NULL;
-+    ss->xtnData.signedCertTimestamps.len = 0;
-+
-     /* If we will need a ChannelID key then we make the callback now. This
-      * allows the handshake to be restarted cleanly if the callback returns
-      * SECWouldBlock. */
-@@ -6711,6 +6723,9 @@ alert_loser:
-     (void)SSL3_SendAlert(ss, alert_fatal, desc);
- 
- loser:
-+    /* Clean up the temporary pointer to the handshake buffer. */
-+    ss->xtnData.signedCertTimestamps.data = NULL;
-+    ss->xtnData.signedCertTimestamps.len = 0;
-     errCode = ssl_MapLowLevelError(errCode);
-     return SECFailure;
- }
-diff -pu a/nss/lib/ssl/ssl3ext.c b/nss/lib/ssl/ssl3ext.c
---- a/nss/lib/ssl/ssl3ext.c     2014-01-17 18:22:54.945827814 -0800
-+++ b/nss/lib/ssl/ssl3ext.c     2014-01-17 18:35:21.798168722 -0800
-@@ -81,6 +81,12 @@ static PRInt32 ssl3_ClientSendSigAlgsXtn
-                                          PRUint32 maxBytes);
- static SECStatus ssl3_ServerHandleSigAlgsXtn(sslSocket *ss, PRUint16 ex_type,
-                                              SECItem *data);
-+static PRInt32 ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss,
-+                                                    PRBool append,
-+                                                    PRUint32 maxBytes);
-+static SECStatus ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss,
-+                                                        PRUint16 ex_type,
-+                                                        SECItem *data);
- 
- /*
-  * Write bytes.  Using this function means the SECItem structure
-@@ -259,6 +265,8 @@ static const ssl3HelloExtensionHandler s
-     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
-     { ssl_channel_id_xtn,         &ssl3_ClientHandleChannelIDXtn },
-     { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
-+    { ssl_signed_certificate_timestamp_xtn,
-+      &ssl3_ClientHandleSignedCertTimestampXtn },
-     { -1, NULL }
- };
- 
-@@ -287,7 +295,9 @@ ssl3HelloExtensionSender clientHelloSend
-     { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn },
-     { ssl_channel_id_xtn,         &ssl3_ClientSendChannelIDXtn },
-     { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
--    { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn }
-+    { ssl_signature_algorithms_xtn, &ssl3_ClientSendSigAlgsXtn },
-+    { ssl_signed_certificate_timestamp_xtn,
-+      &ssl3_ClientSendSignedCertTimestampXtn }
-     /* any extra entries will appear as { 0, NULL }    */
- };
- 
-@@ -2379,3 +2389,65 @@ ssl3_AppendPaddingExtension(sslSocket *s
- 
-     return extensionLen;
- }
-+
-+/* ssl3_ClientSendSignedCertTimestampXtn sends the signed_certificate_timestamp
-+ * extension for TLS ClientHellos. */
-+static PRInt32
-+ssl3_ClientSendSignedCertTimestampXtn(sslSocket *ss, PRBool append,
-+                                     PRUint32 maxBytes)
-+{
-+    PRInt32 extension_length = 2 /* extension_type */ +
-+           2 /* length(extension_data) */;
-+
-+    /* Only send the extension if processing is enabled. */
-+    if (!ss->opt.enableSignedCertTimestamps)
-+       return 0;
-+
-+    if (append && maxBytes >= extension_length) {
-+       SECStatus rv;
-+       /* extension_type */
-+       rv = ssl3_AppendHandshakeNumber(ss,
-+                                       ssl_signed_certificate_timestamp_xtn,
-+                                       2);
-+       if (rv != SECSuccess)
-+           goto loser;
-+       /* zero length */
-+       rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
-+       if (rv != SECSuccess)
-+           goto loser;
-+       ss->xtnData.advertised[ss->xtnData.numAdvertised++] =
-+               ssl_signed_certificate_timestamp_xtn;
-+    } else if (maxBytes < extension_length) {
-+       PORT_Assert(0);
-+       return 0;
-+    }
-+
-+    return extension_length;
-+loser:
-+    return -1;
-+}
-+
-+static SECStatus
-+ssl3_ClientHandleSignedCertTimestampXtn(sslSocket *ss, PRUint16 ex_type,
-+                                       SECItem *data)
-+{
-+    /* We do not yet know whether we'll be resuming a session or creating
-+     * a new one, so we keep a pointer to the data in the TLSExtensionData
-+     * structure. This pointer is only valid in the scope of
-+     * ssl3_HandleServerHello, and, if not resuming a session, the data is
-+     * copied once a new session structure has been set up.
-+     * All parsing is currently left to the application and we accept
-+     * everything, including empty data.
-+     */
-+    SECItem *scts = &ss->xtnData.signedCertTimestamps;
-+    PORT_Assert(!scts->data && !scts->len);
-+
-+    if (!data->len) {
-+       /* Empty extension data: RFC 6962 mandates non-empty contents. */
-+       return SECFailure;
-+    }
-+    *scts = *data;
-+    /* Keep track of negotiated extensions. */
-+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+    return SECSuccess;
-+}
-diff -pu a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
---- a/nss/lib/ssl/ssl.h 2014-01-17 18:00:11.213237373 -0800
-+++ b/nss/lib/ssl/ssl.h 2014-01-17 18:38:15.791045050 -0800
-@@ -181,6 +181,9 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
-  */
- #define SSL_ENABLE_ALPN 26
- 
-+/* Request Signed Certificate Timestamps via TLS extension (client) */
-+#define SSL_ENABLE_SIGNED_CERT_TIMESTAMPS 27
-+
- #ifdef SSL_DEPRECATED_FUNCTION 
- /* Old deprecated function names */
- SSL_IMPORT SECStatus SSL_Enable(PRFileDesc *fd, int option, PRBool on);
-@@ -483,6 +486,23 @@ SSL_IMPORT CERTCertList *SSL_PeerCertifi
-  */
- SSL_IMPORT const SECItemArray * SSL_PeerStapledOCSPResponses(PRFileDesc *fd);
- 
-+/* SSL_PeerSignedCertTimestamps returns the signed_certificate_timestamp
-+ * extension data provided by the TLS server. The return value is a pointer
-+ * to an internal SECItem that contains the returned response (as a serialized
-+ * SignedCertificateTimestampList, see RFC 6962). The returned pointer is only
-+ * valid until the callback function that calls SSL_PeerSignedCertTimestamps
-+ * (e.g. the authenticate certificate hook, or the handshake callback) returns.
-+ *
-+ * If no Signed Certificate Timestamps were given by the server then the result
-+ * will be empty. If there was an error, then the result will be NULL.
-+ *
-+ * You must set the SSL_ENABLE_SIGNED_CERT_TIMESTAMPS option to indicate support
-+ * for Signed Certificate Timestamps to a server.
-+ *
-+ * libssl does not do any parsing or validation of the response itself.
-+ */
-+SSL_IMPORT const SECItem * SSL_PeerSignedCertTimestamps(PRFileDesc *fd);
-+
- /* SSL_SetStapledOCSPResponses stores an array of one or multiple OCSP responses
-  * in the fd's data, which may be sent as part of a server side cert_status
-  * handshake message. Parameter |responses| is for the server certificate of
-diff -pu a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
---- a/nss/lib/ssl/sslimpl.h     2014-01-17 18:11:28.314468184 -0800
-+++ b/nss/lib/ssl/sslimpl.h     2014-01-17 18:27:22.540248428 -0800
-@@ -337,6 +337,7 @@ typedef struct sslOptionsStr {
-     unsigned int enableOCSPStapling     : 1;  /* 25 */
-     unsigned int enableNPN              : 1;  /* 26 */
-     unsigned int enableALPN             : 1;  /* 27 */
-+    unsigned int enableSignedCertTimestamps : 1;  /* 28 */
- } sslOptions;
- 
- typedef enum { sslHandshakingUndetermined = 0,
-@@ -719,6 +720,11 @@ struct sslSessionIDStr {
-              * resumption handshake to the original handshake. */
-            SECItem           originalHandshakeHash;
- 
-+           /* Signed certificate timestamps received in a TLS extension.
-+           ** (used only in client).
-+           */
-+           SECItem           signedCertTimestamps;
-+
-            /* This lock is lazily initialized by CacheSID when a sid is first
-             * cached. Before then, there is no need to lock anything because
-             * the sid isn't being shared by anything.
-@@ -827,6 +833,18 @@ struct TLSExtensionDataStr {
-      * is beyond ssl3_HandleClientHello function. */
-     SECItem *sniNameArr;
-     PRUint32 sniNameArrSize;
-+
-+    /* Signed Certificate Timestamps extracted from the TLS extension.
-+     * (client only).
-+     * This container holds a temporary pointer to the extension data,
-+     * until a session structure (the sec.ci.sid of an sslSocket) is setup
-+     * that can hold a permanent copy of the data
-+     * (in sec.ci.sid.u.ssl3.signedCertTimestamps).
-+     * The data pointed to by this structure is neither explicitly allocated
-+     * nor copied: the pointer points to the handshake message buffer and is
-+     * only valid in the scope of ssl3_HandleServerHello.
-+     */
-+    SECItem signedCertTimestamps;
- };
- 
- typedef SECStatus (*sslRestartTarget)(sslSocket *);
-diff -pu a/nss/lib/ssl/sslnonce.c b/nss/lib/ssl/sslnonce.c
---- a/nss/lib/ssl/sslnonce.c    2014-01-17 18:11:28.314468184 -0800
-+++ b/nss/lib/ssl/sslnonce.c    2014-01-17 18:23:17.956207890 -0800
-@@ -131,6 +131,9 @@ ssl_DestroySID(sslSessionID *sid)
-         if (sid->u.ssl3.originalHandshakeHash.data) {
-             SECITEM_FreeItem(&sid->u.ssl3.originalHandshakeHash, PR_FALSE);
-         }
-+        if (sid->u.ssl3.signedCertTimestamps.data) {
-+            SECITEM_FreeItem(&sid->u.ssl3.signedCertTimestamps, PR_FALSE);
-+        }
- 
-         if (sid->u.ssl3.lock) {
-             PR_DestroyRWLock(sid->u.ssl3.lock);
-diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
---- a/nss/lib/ssl/sslsock.c     2014-01-17 18:04:43.127747463 -0800
-+++ b/nss/lib/ssl/sslsock.c     2014-01-17 18:44:09.246889487 -0800
-@@ -87,7 +87,8 @@ static sslOptions ssl_defaults = {
-     PR_TRUE,    /* cbcRandomIV        */
-     PR_FALSE,   /* enableOCSPStapling */
-     PR_TRUE,    /* enableNPN          */
--    PR_FALSE    /* enableALPN         */
-+    PR_FALSE,   /* enableALPN         */
-+    PR_FALSE    /* enableSignedCertTimestamps */
- };
- 
- /*
-@@ -787,6 +788,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
-        ss->opt.enableALPN = on;
-        break;
- 
-+      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+       ss->opt.enableSignedCertTimestamps = on;
-+       break;
-+
-       default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        rv = SECFailure;
-@@ -859,6 +864,9 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
-     case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
-     case SSL_ENABLE_NPN:          on = ss->opt.enableNPN;          break;
-     case SSL_ENABLE_ALPN:         on = ss->opt.enableALPN;         break;
-+    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+       on = ss->opt.enableSignedCertTimestamps;
-+       break;
- 
-     default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -922,6 +930,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
-        break;
-     case SSL_ENABLE_NPN:          on = ssl_defaults.enableNPN;          break;
-     case SSL_ENABLE_ALPN:         on = ssl_defaults.enableALPN;         break;
-+    case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+       on = ssl_defaults.enableSignedCertTimestamps;
-+       break;
- 
-     default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1097,6 +1108,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
-        ssl_defaults.enableALPN = on;
-        break;
- 
-+      case SSL_ENABLE_SIGNED_CERT_TIMESTAMPS:
-+       ssl_defaults.enableSignedCertTimestamps = on;
-+       break;
-+
-       default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-@@ -1921,6 +1936,29 @@ SSL_PeerStapledOCSPResponses(PRFileDesc
-     return &ss->sec.ci.sid->peerCertStatus;
- }
- 
-+const SECItem *
-+SSL_PeerSignedCertTimestamps(PRFileDesc *fd)
-+{
-+    sslSocket *ss = ssl_FindSocket(fd);
-+
-+    if (!ss) {
-+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_PeerSignedCertTimestamps",
-+               SSL_GETPID(), fd));
-+       return NULL;
-+    }
-+
-+    if (!ss->sec.ci.sid) {
-+       PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
-+       return NULL;
-+    }
-+
-+    if (ss->sec.ci.sid->version < SSL_LIBRARY_VERSION_3_0) {
-+       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
-+       return NULL;
-+    }
-+    return &ss->sec.ci.sid->u.ssl3.signedCertTimestamps;
-+}
-+
- SECStatus
- SSL_HandshakeResumedSession(PRFileDesc *fd, PRBool *handshake_resumed) {
-     sslSocket *ss = ssl_FindSocket(fd);
-diff -pu a/nss/lib/ssl/sslt.h b/nss/lib/ssl/sslt.h
---- a/nss/lib/ssl/sslt.h        2014-01-17 18:10:16.793281867 -0800
-+++ b/nss/lib/ssl/sslt.h        2014-01-17 18:23:17.956207890 -0800
-@@ -202,6 +202,7 @@ typedef enum {
-     ssl_signature_algorithms_xtn     = 13,
-     ssl_use_srtp_xtn                 = 14,
-     ssl_app_layer_protocol_xtn       = 16,
-+    ssl_signed_certificate_timestamp_xtn = 18,   /* RFC 6962 */
-     ssl_session_ticket_xtn           = 35,
-     ssl_next_proto_nego_xtn          = 13172,
-     ssl_channel_id_xtn               = 30032,
-@@ -209,6 +210,6 @@ typedef enum {
-     ssl_renegotiation_info_xtn       = 0xff01  /* experimental number */
- } SSLExtensionType;
- 
--#define SSL_MAX_EXTENSIONS             11 /* doesn't include ssl_padding_xtn. */
-+#define SSL_MAX_EXTENSIONS             12 /* doesn't include ssl_padding_xtn. */
- 
- #endif /* __sslt_h_ */