Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
Version: 3.15.1
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED

This directory includes a copy of NSS's libssl from the hg repo at:
  https://hg.mozilla.org/projects/nss

The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.

The snapshot was updated to the hg tag: NSS_3_15_1_RTM

Patches:

  * Commenting out a couple of functions because they need NSS symbols
    which may not exist in the system NSS library.
    patches/versionskew.patch

  * Send empty renegotiation info extension instead of SCSV unless TLS is
    disabled.
    patches/renegoscsv.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=549042

  * Cache the peer's intermediate CA certificates in session ID, so that
    they're available when we resume a session.
    patches/cachecerts.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731478

  * Add the SSL_PeerCertificateChain function
    patches/peercertchain.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731485

  * Add support for client auth with native crypto APIs on Mac and Windows
    patches/clientauth.patch
    ssl/sslplatf.c

  * Add a function to export whether the last handshake on a socket resumed a
    previous session.
    patches/didhandshakeresume.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731798

  * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake
    is finished.
    https://bugzilla.mozilla.org/show_bug.cgi?id=681839
    patches/negotiatedextension.patch

  * Add function to retrieve TLS client cert types requested by server.
    https://bugzilla.mozilla.org/show_bug.cgi?id=51413
    patches/getrequestedclientcerttypes.patch

  * Add a function to restart a handshake after a client certificate request.
    patches/restartclientauth.patch

  * Add support for TLS Channel IDs
    patches/channelid.patch

  * Add support for extracting the tls-unique channel binding value
    patches/tlsunique.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=563276

  * Define the EC_POINT_FORM_UNCOMPRESSED macro. In NSS 3.13.2 the macro
    definition was moved from the internal header ec.h to blapit.h. When
    compiling against older system NSS headers, we need to define the macro.
    patches/ecpointform.patch

  * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
    This change was made in https://chromiumcodereview.appspot.com/10454066.
    patches/secretexporterlocks.patch

  * Allow the constant-time CBC processing code to be compiled against older
    NSS that doesn't contain the CBC constant-time changes.
    patches/cbc.patch
    https://code.google.com/p/chromium/issues/detail?id=172658#c12

  * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
    versions older than 3.15 reports an EC key size range of 112 bits to 571
    bits, even when it is compiled to support only the NIST P-256, P-384, and
    P-521 curves. Remove this patch when all system NSS softoken packages are
    NSS 3.15 or later.
    patches/suitebonly.patch

  * Define the SECItemArray type and declare the SECItemArray handling
    functions, which were added in NSS 3.15. Remove this patch when all system
    NSS packages are NSS 3.15 or later.
    patches/secitemarray.patch

  * Update Chromium-specific code for TLS 1.2.
    patches/tls12chromium.patch

  * Add the Application Layer Protocol Negotiation extension.
    patches/alpn.patch

  * Fix an issue with allocating an SSL socket when under memory pressure.
    https://bugzilla.mozilla.org/show_bug.cgi?id=903565
    patches/sslsock_903565.patch

  * Prefer to generate SHA-1 signatures for TLS 1.2 client authentication if
    the client private key is in a CAPI service provider on Windows or if the
    client private key is a 1024-bit RSA or DSA key.
    patches/tls12backuphash.patch

Apply the patches to NSS by running the patches/applypatches.sh script.  Read
the comments at the top of patches/applypatches.sh for instructions.

The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.