README.chromium - Android社区 - https://www.androidos.net.cn/

Name: Network Security Services (NSS)
URL: http://www.mozilla.org/projects/security/pki/nss/
Version: 3.15.1
Security Critical: Yes
License: MPL 2
License File: NOT_SHIPPED

This directory includes a copy of NSS's libssl from the hg repo at:
  https://hg.mozilla.org/projects/nss

The same module appears in crypto/third_party/nss (and third_party/nss on some
platforms), so we don't repeat the license file here.

The snapshot was updated to the hg tag: NSS_3_15_1_RTM

Patches:

  * Commenting out a couple of functions because they need NSS symbols
    which may not exist in the system NSS library.
    patches/versionskew.patch

  * Send empty renegotiation info extension instead of SCSV unless TLS is
    disabled.
    patches/renegoscsv.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=549042

  * Cache the peer's intermediate CA certificates in session ID, so that
    they're available when we resume a session.
    patches/cachecerts.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731478

  * Add the SSL_PeerCertificateChain function
    patches/peercertchain.patch
    patches/peercertchain2.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731485

  * Add support for client auth with native crypto APIs on Mac and Windows
    patches/clientauth.patch
    ssl/sslplatf.c

  * Add a function to export whether the last handshake on a socket resumed a
    previous session.
    patches/didhandshakeresume.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=731798

  * Allow SSL_HandshakeNegotiatedExtension to be called before the handshake
    is finished.
    https://bugzilla.mozilla.org/show_bug.cgi?id=681839
    patches/negotiatedextension.patch

  * Add function to retrieve TLS client cert types requested by server.
    https://bugzilla.mozilla.org/show_bug.cgi?id=51413
    patches/getrequestedclientcerttypes.patch

  * Add a function to restart a handshake after a client certificate request.
    patches/restartclientauth.patch

  * Add support for TLS Channel IDs
    patches/channelid.patch
    patches/channelid2.patch

  * Add support for extracting the tls-unique channel binding value
    patches/tlsunique.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=563276

  * Define the EC_POINT_FORM_UNCOMPRESSED macro. In NSS 3.13.2 the macro
    definition was moved from the internal header ec.h to blapit.h. When
    compiling against older system NSS headers, we need to define the macro.
    patches/ecpointform.patch

  * SSL_ExportKeyingMaterial should get the RecvBufLock and SSL3HandshakeLock.
    This change was made in https://chromiumcodereview.appspot.com/10454066.
    patches/secretexporterlocks.patch

  * Allow the constant-time CBC processing code to be compiled against older
    NSS that doesn't contain the CBC constant-time changes.
    patches/cbc.patch
    https://code.google.com/p/chromium/issues/detail?id=172658#c12
    TODO(wtc): remove this patch now that NSS 3.14.3 is the minimum
    compile-time and run-time version.

  * Change ssl3_SuiteBOnly to always return PR_TRUE. The softoken in NSS
    versions older than 3.15 report an EC key size range of 112 bits to 571
    bits, even when it is compiled to support only the NIST P-256, P-384, and
    P-521 curves. Remove this patch when all system NSS softoken packages are
    NSS 3.15 or later.
    patches/suitebonly.patch

  * Define the SECItemArray type and declare the SECItemArray handling
    functions, which were added in NSS 3.15. Remove this patch when all system
    NSS packages are NSS 3.15 or later.
    patches/secitemarray.patch

  * Update Chromium-specific code for TLS 1.2.
    patches/tls12chromium.patch

  * Add the Application Layer Protocol Negotiation extension.
    patches/alpn.patch

  * Fix an issue with allocating an SSL socket when under memory pressure.
    https://bugzilla.mozilla.org/show_bug.cgi?id=903565
    patches/sslsock_903565.patch

  * Implement the AES GCM cipher suites.
    https://bugzilla.mozilla.org/show_bug.cgi?id=880543
    patches/aesgcm.patch

  * Add Chromium-specific code to detect AES GCM support in the system NSS
    libraries at run time.
    patches/aesgcmchromium.patch

  * Support generating SHA-1 signatures for TLS 1.2 client authentication. Use
    SHA-1 instead of SHA-256 if the server's preferences do not allow for
    SHA-256 or if the client private key may only support SHA-1 signatures. The
    latter happens when the key is in a CAPI service provider on Windows or if
    it is a 1024-bit RSA or DSA key.
    patches/tls12backuphash.patch
    patches/tls12backuphash2.patch

  * Support ChaCha20+Poly1305 ciphersuites
    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01
    patches/chacha20poly1305.patch

  * Fix session cache lock creation race.
    patches/cachelocks.patch
    https://bugzilla.mozilla.org/show_bug.cgi?id=764646

  * Don't advertise TLS 1.2-only cipher suites in a TLS 1.1 ClientHello.
    https://bugzilla.mozilla.org/show_bug.cgi?id=919677
    patches/ciphersuiteversion.patch

  * Don't use record versions greater than 0x0301 in resumption ClientHello
    records either.
    https://bugzilla.mozilla.org/show_bug.cgi?id=923696
    https://code.google.com/p/chromium/issues/detail?id=303398
    patches/resumeclienthelloversion.patch

  * Make SSL False Start work with asynchronous certificate validation.
    https://bugzilla.mozilla.org/show_bug.cgi?id=713933
    patches/canfalsestart.patch

  * Have the Null Cipher limit output to the maximum allowed
    https://bugzilla.mozilla.org/show_bug.cgi?id=934016
    patches/nullcipher_934016.patch

  * In the case that a ClientHello record is between 256 and 511 bytes long,
    add an extension to make it 512 bytes. This works around a bug in F5
    terminators.
    patches/paddingextension.patch
    patches/paddingextensionall.patch

  * Support the Certificate Transparency (RFC 6962) TLS extension
    signed_certificate_timestamp (client only).
    patches/signedcertificatetimestamps.patch

  * Add a function to allow the cipher suites preference order to be set.
    patches/cipherorder.patch

  * Add TLS_FALLBACK_SCSV cipher suite to version fallback connections.
    patches/fallbackscsv.patch

  * Disable session ticket renewal.
    https://bugzilla.mozilla.org/show_bug.cgi?id=930857
    patches/disableticketrenewal.patch

  * Add explicit functions for managing the SSL/TLS session cache.
    This is a temporary workaround until Chromium migrates to NSS's
    asynchronous certificate verification.
    patches/sessioncache.patch

  * Remove static storage qualifier from variables in sslnonce.c. Due to
    a clang codegen bug on Mac, this caused an infinite loop.
    https://code.google.com/p/chromium/issues/detail?id=326011
    patches/sslnoncestatics.patch

Apply the patches to NSS by running the patches/applypatches.sh script.  Read
the comments at the top of patches/applypatches.sh for instructions.

The ssl/bodge directory contains files taken from the NSS repo that we required
for building libssl outside of its usual build environment.