- rebase to upstream NSS 3.124 - backport ml-dsa support that is not upstream yet. - pick up in process patches upstream including eddsa
# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1780431402 25200
# Tue Jun 02 13:16:42 2026 -0700
# Branch NSS_3_124_BRANCH
# Node ID b9532ef80e57a3656a1cf077e751b5e1988c52b7
# Parent adcfeed46df897fe20ab59d2a40d8150915707fe
nss-3.112-disable-ech.patch
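--- a/gtests/ssl_gtest/manifest.mn
+++ b/gtests/ssl_gtest/manifest.mn
@@ -51,17 +51,16 @@ CPPSRCS = \
 ssl_timers_unittest.cc \
 ssl_tls13compat_unittest.cc \
 ssl_v2_client_hello_unittest.cc \
 ssl_version_unittest.cc \
 ssl_versionpolicy_unittest.cc \
 test_io.cc \
 tls_agent.cc \
 tls_connect.cc \
- tls_ech_unittest.cc \
 tls_filter.cc \
 tls_hkdf_unittest.cc \
 tls_mlkem_unittest.cc \
 tls_protect.cc \
 tls_psk_unittest.cc \
 tls_subcerts_unittest.cc \
 $(XYBER_FILES) \
 $(SSLKEYLOGFILE_FILES) \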
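--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -4466,62 +4466,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
 }
 PORT_Free(cursor);
 }
 }
 
 SECStatus
 SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
 {
+#ifdef notdef
 sslSocket *ss = ssl_FindSocket(fd);
 if (!ss) {
 return SECFailure;
 }
 ss->opt.enableTls13GreaseEch = enabled;
 return SECSuccess;
+#else
+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+    return SECFailure;
+#endif
 }
 
 SECStatus
 SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
 {
+#ifdef notdef
 sslSocket *ss = ssl_FindSocket(fd);
 if (!ss || size == 0) {
 return SECFailure;
 }
 ssl_Get1stHandshakeLock(ss);
 ssl_GetSSL3HandshakeLock(ss);
 
 ss->ssl3.hs.greaseEchSize = size;
 
 ssl_ReleaseSSL3HandshakeLock(ss);
 ssl_Release1stHandshakeLock(ss);
 
 return SECSuccess;
+#else
+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+    return SECFailure;
+#endif
 }
 
 SECStatus
 SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
 {
+#ifdef notdef
 sslSocket *ss = ssl_FindSocket(fd);
 if (!ss) {
 return SECFailure;
 }
 ss->opt.enableTls13BackendEch = enabled;
 return SECSuccess;
+#else
+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+    return SECFailure;
+#endif
 }
 
 SECStatus
 SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
 {
+#ifdef notdef
 sslSocket *ss = ssl_FindSocket(fd);
 if (!ss) {
 return SECFailure;
 }
 ss->opt.callExtensionWriterOnEchInner = enabled;
 return SECSuccess;
+#else
+    PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+    return SECFailure;
+#endif
 }
 
 SECStatus
 SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
 {
 sslSocket *ss = ssl_FindSocket(fd);
 if (!ss) {
 return SECFailure;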
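Review bot: Stubbing these four setters removes only the GREASE, backend and extension-writer toggles; the patch as shown does not touch the functions that install ECH configs (in NSS, `SSLExp_SetClientEchConfigs` and `SSLExp_SetServerEchConfigs`), so if the goal is that ECH can never be negotiated in this build, confirm those paths are closed by another patch. The original bodies are left as dead code under `#ifdef notdef` with no record of why the feature is off; a line such as `/* ECH disabled in this build: <reason / tracking-bug placeholder> */` above each `#ifdef` would document the decision. The three `enabled` setters now also fail for `PR_FALSE`, so a caller that only switches the feature off defensively gets `SECFailure`; if that is not intended, `if (!enabled) return SECSuccess;` ahead of `PORT_SetError` keeps that call harmless. Because `tls_ech_unittest.cc` is dropped from the gtest manifest, nothing visible on this page checks that the stubs report `SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API`, and a small test asserting that for each of the four functions would pin the disabled state.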