Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
Version: 3.15.1
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED

This directory includes a copy of NSS's libssl from the hg repo at:
  https://hg.mozilla.org/projects/nss

The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.

The snapshot was updated to the hg tag: NSS_3_15_1_RTM

Patches:

  * Commenting out a couple of functions because they need NSS symbols
    which may not exist in the system NSS library.
    patches/versionskew.patch

  * Send empty renegotiation info extension instead of SCSV unless TLS is
    disabled.
    patches/renegoscsv.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=549042

  * Cache the peer's intermediate CA certificates in session ID, so that
    they're available when we resume a session.
    patches/cachecerts.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731478

  * Add the SSL_PeerCertificateChain function
    patches/peercertchain.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731485

  * Add support for client auth with native crypto APIs on Mac and Windows
    patches/clientauth.patch
    ssl/sslplatf.c

  * Add a function to export whether the last handshake on a socket resumed a
    previous session.
    patches/didhandshakeresume.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731798

  * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake
    is finished.
    https://bugzilla.mozilla.org/show_bug.cgi?id=681839
    patches/negotiatedextension.patch

  * Add function to retrieve TLS client cert types requested by server.
    https://bugzilla.mozilla.org/show_bug.cgi?id=51413
    patches/getrequestedclientcerttypes.patch

  * Add a function to restart a handshake after a client certificate request.
    patches/restartclientauth.patch

  * Add support for TLS Channel IDs
    patches/channelid.patch

  * Add support for extracting the tls-unique channel binding value
    patches/tlsunique.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=563276

  * Define the EC_POINT_FORM_UNCOMPRESSED macro. In NSS 3.13.2 the macro
    definition was moved from the internal header ec.h to blapit.h. When
    compiling against older system NSS headers, we need to define the macro.
    patches/ecpointform.patch

  * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
    This change was made in https://chromiumcodereview.appspot.com/10454066.
    patches/secretexporterlocks.patch

  * Allow the constant-time CBC processing code to be compiled against older
    NSS that doesn't contain the CBC constant-time changes.
    patches/cbc.patch
    https://code.google.com/p/chromium/issues/detail?id=172658#c12

  * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
    versions older than 3.15 report an EC key size range of 112 bits to 571
    bits, even when it is compiled to support only the NIST P-256, P-384, and
    P-521 curves. Remove this patch when all system NSS softoken packages are
    NSS 3.15 or later.
    patches/suitebonly.patch

  * Define the SECItemArray type and declare the SECItemArray handling
    functions, which were added in NSS 3.15. Remove this patch when all system
    NSS packages are NSS 3.15 or later.
    patches/secitemarray.patch

  * Update Chromium-specific code for TLS 1.2.
    patches/tls12chromium.patch

  * Add the Application Layer Protocol Negotiation extension.
    patches/alpn.patch

Apply the patches to NSS by running the patches/applypatches.sh script. Read
the comments at the top of patches/applypatches.sh for instructions.

The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.