Update NSS libSSL to NSS_3_15_BETA2.

net/third_party/nss/patches/ocspstapling.patch

-diff -pu -r a/net/third_party/nss/ssl/ssl3con.c b/net/third_party/nss/ssl/ssl3con.c
---- a/net/third_party/nss/ssl/ssl3con.c 2012-11-09 15:21:56.747322689 -0800
-+++ b/net/third_party/nss/ssl/ssl3con.c 2012-11-09 15:28:27.933078020 -0800
-@@ -8365,6 +8365,57 @@ ssl3_CopyPeerCertsToSID(ssl3CertNode *ce
- }
- 
- /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
-+ * ssl3 CertificateStatus message.
-+ * Caller must hold Handshake and RecvBuf locks.
-+ * This is always called before ssl3_HandleCertificate, even if the Certificate
-+ * message is sent first.
-+ */
-+static SECStatus
-+ssl3_HandleCertificateStatus(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
-+{
-+    PRInt32 status, len;
-+    int     errCode;
-+    SSL3AlertDescription desc;
-+
-+    if (!ss->ssl3.hs.may_get_cert_status ||
-+       ss->ssl3.hs.ws != wait_server_cert ||
-+       !ss->ssl3.hs.pending_cert_msg.data ||
-+       ss->ssl3.hs.cert_status.data) {
-+       errCode = SSL_ERROR_RX_UNEXPECTED_CERT_STATUS;
-+       desc = unexpected_message;
-+       goto alert_loser;
-+    }
-+
-+    /* Consume the CertificateStatusType enum */
-+    status = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
-+    if (status != 1 /* ocsp */) {
-+       goto format_loser;
-+    }
-+
-+    len = ssl3_ConsumeHandshakeNumber(ss, 3, &b, &length);
-+    if (len != length) {
-+       goto format_loser;
-+    }
-+
-+    if (SECITEM_AllocItem(NULL, &ss->ssl3.hs.cert_status, length) == NULL) {
-+        return SECFailure;
-+    }
-+    ss->ssl3.hs.cert_status.type = siBuffer;
-+    PORT_Memcpy(ss->ssl3.hs.cert_status.data, b, length);
-+
-+    return SECSuccess;
-+
-+format_loser:
-+    errCode = SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT;
-+    desc = bad_certificate_status_response;
-+
-+alert_loser:
-+    (void)SSL3_SendAlert(ss, alert_fatal, desc);
-+    (void)ssl_MapLowLevelError(errCode);
-+    return SECFailure;
-+}
-+
-+/* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
-  * ssl3 Certificate message.
-  * Caller must hold Handshake and RecvBuf locks.
-  */
-@@ -9248,6 +9299,26 @@ ssl3_FinishHandshake(sslSocket * ss)
-     return SECSuccess;
- }
- 
-+/* This function handles any pending Certificate messages. Certificate messages
-+ * can be pending if we expect a possible CertificateStatus message to follow.
-+ *
-+ * This function must be called immediately after handling the
-+ * CertificateStatus message, and before handling any ServerKeyExchange or
-+ * CertificateRequest messages.
-+ */
-+static SECStatus
-+ssl3_MaybeHandlePendingCertificateMessage(sslSocket *ss)
-+{
-+    SECStatus rv = SECSuccess;
-+
-+    if (ss->ssl3.hs.pending_cert_msg.data) {
-+       rv = ssl3_HandleCertificate(ss, ss->ssl3.hs.pending_cert_msg.data,
-+                                   ss->ssl3.hs.pending_cert_msg.len);
-+       SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
-+    }
-+    return rv;
-+}
-+
- /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
-  * hanshake message.
-  * Caller must hold Handshake and RecvBuf locks.
-@@ -9376,14 +9447,42 @@ ssl3_HandleHandshakeMessage(sslSocket *s
-        rv = dtls_HandleHelloVerifyRequest(ss, b, length);
-        break;
-     case certificate:
-+       if (ss->ssl3.hs.may_get_cert_status) {
-+           /* If we might get a CertificateStatus then we want to postpone the
-+            * processing of the Certificate message until after we have
-+            * processed the CertificateStatus */
-+           if (ss->ssl3.hs.pending_cert_msg.data ||
-+               ss->ssl3.hs.ws != wait_server_cert) {
-+               (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-+               (void)ssl_MapLowLevelError(SSL_ERROR_RX_UNEXPECTED_CERTIFICATE);
-+               return SECFailure;
-+           }
-+           if (SECITEM_AllocItem(NULL, &ss->ssl3.hs.pending_cert_msg,
-+                                 length) == NULL) {
-+               return SECFailure;
-+           }
-+           ss->ssl3.hs.pending_cert_msg.type = siBuffer;
-+           PORT_Memcpy(ss->ssl3.hs.pending_cert_msg.data, b, length);
-+           break;
-+       }
-        rv = ssl3_HandleCertificate(ss, b, length);
-        break;
-+    case certificate_status:
-+       rv = ssl3_HandleCertificateStatus(ss, b, length);
-+       if (rv != SECSuccess)
-+           break;
-+       PORT_Assert(ss->ssl3.hs.pending_cert_msg.data);
-+       rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-+       break;
-     case server_key_exchange:
-        if (ss->sec.isServer) {
-            (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
-            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH);
-            return SECFailure;
-        }
-+       rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-+       if (rv != SECSuccess)
-+           break;
-        rv = ssl3_HandleServerKeyExchange(ss, b, length);
-        break;
-     case certificate_request:
-@@ -9392,6 +9491,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
-            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_REQUEST);
-            return SECFailure;
-        }
-+       rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-+       if (rv != SECSuccess)
-+           break;
-        rv = ssl3_HandleCertificateRequest(ss, b, length);
-        break;
-     case server_hello_done:
-@@ -9405,6 +9507,9 @@ ssl3_HandleHandshakeMessage(sslSocket *s
-            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_DONE);
-            return SECFailure;
-        }
-+       rv = ssl3_MaybeHandlePendingCertificateMessage(ss);
-+       if (rv != SECSuccess)
-+           break;
-        rv = ssl3_HandleServerHelloDone(ss);
-        break;
-     case certificate_verify:
-@@ -10369,6 +10474,12 @@ ssl3_DestroySSL3Info(sslSocket *ss)
-        ss->ssl3.hs.messages.len = 0;
-        ss->ssl3.hs.messages.space = 0;
-     }
-+    if (ss->ssl3.hs.pending_cert_msg.data) {
-+       SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
-+    }
-+    if (ss->ssl3.hs.cert_status.data) {
-+       SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
-+    }
- 
-     /* free the SSL3Buffer (msg_body) */
-     PORT_Free(ss->ssl3.hs.msg_body.buf);
-diff -pu -r a/net/third_party/nss/ssl/ssl3ext.c b/net/third_party/nss/ssl/ssl3ext.c
---- a/net/third_party/nss/ssl/ssl3ext.c 2012-09-20 17:28:05.000000000 -0700
-+++ b/net/third_party/nss/ssl/ssl3ext.c 2012-11-09 15:32:11.606363256 -0800
-@@ -234,6 +234,7 @@ static const ssl3HelloExtensionHandler s
-     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ClientHandleNextProtoNegoXtn },
-     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
-+    { ssl_cert_status_xtn,        &ssl3_ClientHandleStatusRequestXtn },
-     { -1, NULL }
- };
- 
-@@ -258,7 +259,8 @@ ssl3HelloExtensionSender clientHelloSend
- #endif
-     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
-     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
--    { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn }
-+    { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn },
-+    { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn }
-     /* any extra entries will appear as { 0, NULL }    */
- };
- 
-@@ -640,6 +642,80 @@ loser:
-     return -1;
- }
- 
-+SECStatus
-+ssl3_ClientHandleStatusRequestXtn(sslSocket *ss, PRUint16 ex_type,
-+                                 SECItem *data)
-+{
-+    /* If we didn't request this extension, then the server may not echo it. */
-+    if (!ss->opt.enableOCSPStapling)
-+       return SECFailure;
-+
-+    /* The echoed extension must be empty. */
-+    if (data->len != 0)
-+       return SECFailure;
-+
-+    ss->ssl3.hs.may_get_cert_status = PR_TRUE;
-+
-+    /* Keep track of negotiated extensions. */
-+    ss->xtnData.negotiated[ss->xtnData.numNegotiated++] = ex_type;
-+
-+    return SECSuccess;
-+}
-+
-+/* ssl3_ClientSendStatusRequestXtn builds the status_request extension on the
-+ * client side. See RFC 4366 section 3.6. */
-+PRInt32
-+ssl3_ClientSendStatusRequestXtn(sslSocket * ss, PRBool append,
-+                               PRUint32 maxBytes)
-+{
-+    PRInt32 extension_length;
-+
-+    if (!ss->opt.enableOCSPStapling)
-+       return 0;
-+
-+    /* extension_type (2-bytes) +
-+     * length(extension_data) (2-bytes) +
-+     * status_type (1) +
-+     * responder_id_list length (2) +
-+     * request_extensions length (2)
-+     */
-+    extension_length = 9;
-+
-+    if (append && maxBytes >= extension_length) {
-+       SECStatus rv;
-+       TLSExtensionData *xtnData;
-+
-+       /* extension_type */
-+       rv = ssl3_AppendHandshakeNumber(ss, ssl_cert_status_xtn, 2);
-+       if (rv != SECSuccess)
-+           return -1;
-+       rv = ssl3_AppendHandshakeNumber(ss, extension_length - 4, 2);
-+       if (rv != SECSuccess)
-+           return -1;
-+       rv = ssl3_AppendHandshakeNumber(ss, 1 /* status_type ocsp */, 1);
-+       if (rv != SECSuccess)
-+           return -1;
-+       /* A zero length responder_id_list means that the responders are
-+        * implicitly known to the server. */
-+       rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
-+       if (rv != SECSuccess)
-+           return -1;
-+       /* A zero length request_extensions means that there are no extensions.
-+        * Specifically, we don't set the id-pkix-ocsp-nonce extension. This
-+        * means that the server can replay a cached OCSP response to us. */
-+       rv = ssl3_AppendHandshakeNumber(ss, 0, 2);
-+       if (rv != SECSuccess)
-+           return -1;
-+
-+       xtnData = &ss->xtnData;
-+       xtnData->advertised[xtnData->numAdvertised++] = ssl_cert_status_xtn;
-+    } else if (maxBytes < extension_length) {
-+       PORT_Assert(0);
-+       return 0;
-+    }
-+    return extension_length;
-+}
-+
- /*
-  * NewSessionTicket
-  * Called from ssl3_HandleFinished
-diff -pu -r a/net/third_party/nss/ssl/ssl3prot.h b/net/third_party/nss/ssl/ssl3prot.h
---- a/net/third_party/nss/ssl/ssl3prot.h        2012-04-25 07:50:12.000000000 -0700
-+++ b/net/third_party/nss/ssl/ssl3prot.h        2012-11-09 15:28:27.933078020 -0800
-@@ -129,6 +129,7 @@ typedef enum {
-     certificate_verify = 15, 
-     client_key_exchange        = 16, 
-     finished           = 20,
-+    certificate_status = 22,
-     next_proto         = 67
- } SSL3HandshakeType;
- 
-diff -pu -r a/net/third_party/nss/ssl/sslerr.h b/net/third_party/nss/ssl/sslerr.h
---- a/net/third_party/nss/ssl/sslerr.h  2012-07-12 17:51:57.000000000 -0700
-+++ b/net/third_party/nss/ssl/sslerr.h  2012-11-09 15:30:36.804971319 -0800
-@@ -188,6 +188,8 @@ SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQ
- 
- SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION = (SSL_ERROR_BASE + 124),
- 
-+SSL_ERROR_RX_UNEXPECTED_CERT_STATUS     = (SSL_ERROR_BASE + 125),
-+
- SSL_ERROR_END_OF_LIST  /* let the c compiler determine the value of this. */
- } SSLErrorCodes;
- #endif /* NO_SECURITY_ERROR_ENUM */
-diff -pu -r a/net/third_party/nss/ssl/SSLerrs.h b/net/third_party/nss/ssl/SSLerrs.h
---- a/net/third_party/nss/ssl/SSLerrs.h 2012-07-12 17:51:57.000000000 -0700
-+++ b/net/third_party/nss/ssl/SSLerrs.h 2012-11-09 15:30:19.924723400 -0800
-@@ -400,3 +400,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY
- 
- ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124),
- "SSL feature not supported for the protocol version.")
-+
-+ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS,       (SSL_ERROR_BASE + 125),
-+"SSL received an unexpected Certificate Status handshake message.")
-diff -pu -r a/net/third_party/nss/ssl/ssl.h b/net/third_party/nss/ssl/ssl.h
---- a/net/third_party/nss/ssl/ssl.h     2012-11-09 15:27:15.952019947 -0800
-+++ b/net/third_party/nss/ssl/ssl.h     2012-11-09 15:28:27.933078020 -0800
-@@ -158,6 +158,7 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRF
-  * accept fragmented alerts).
-  */
- #define SSL_CBC_RANDOM_IV 23
-+#define SSL_ENABLE_OCSP_STAPLING       24 /* Request OCSP stapling (client) */
- 
- #ifdef SSL_DEPRECATED_FUNCTION 
- /* Old deprecated function names */
-@@ -409,6 +410,23 @@ SSL_IMPORT SECStatus SSL_PeerCertificate
-        PRFileDesc *fd, CERTCertificate **certs,
-        unsigned int *numCerts, unsigned int maxNumCerts);
- 
-+/* SSL_GetStapledOCSPResponse returns the OCSP response that was provided by
-+ * the TLS server. The resulting data is copied to |out_data|. On entry, |*len|
-+ * must contain the size of |out_data|. On exit, |*len| will contain the size
-+ * of the OCSP stapled response. If the stapled response is too large to fit in
-+ * |out_data| then it will be truncated. If no OCSP response was given by the
-+ * server then it has zero length.
-+ *
-+ * You must set the SSL_ENABLE_OCSP_STAPLING option in order for OCSP responses
-+ * to be provided by a server.
-+ *
-+ * You can call this function during the certificate verification callback or
-+ * any time afterwards.
-+ */
-+SSL_IMPORT SECStatus SSL_GetStapledOCSPResponse(PRFileDesc *fd,
-+                                               unsigned char *out_data,
-+                                               unsigned int *len);
-+
- /*
- ** Authenticate certificate hook. Called when a certificate comes in
- ** (because of SSL_REQUIRE_CERTIFICATE in SSL_Enable) to authenticate the
-diff -pu -r a/net/third_party/nss/ssl/sslimpl.h b/net/third_party/nss/ssl/sslimpl.h
---- a/net/third_party/nss/ssl/sslimpl.h 2012-11-09 15:21:56.747322689 -0800
-+++ b/net/third_party/nss/ssl/sslimpl.h 2012-11-09 15:28:27.943078167 -0800
-@@ -316,6 +316,7 @@ typedef struct sslOptionsStr {
-     unsigned int requireSafeNegotiation : 1;  /* 22 */
-     unsigned int enableFalseStart       : 1;  /* 23 */
-     unsigned int cbcRandomIV            : 1;  /* 24 */
-+    unsigned int enableOCSPStapling     : 1;  /* 25 */
- } sslOptions;
- 
- typedef enum { sslHandshakingUndetermined = 0,
-@@ -795,6 +796,14 @@ const ssl3CipherSuiteDef *suite_def;
-     PRBool                isResuming;  /* are we resuming a session */
-     PRBool                usedStepDownKey;  /* we did a server key exchange. */
-     PRBool                sendingSCSV; /* instead of empty RI */
-+    PRBool                may_get_cert_status; /* the server echoed a
-+                                                * status_request extension so
-+                                                * may send a CertificateStatus
-+                                                * handshake message. */
-+    SECItem               pending_cert_msg; /* a Certificate message which we
-+                                             * save temporarily if we may get
-+                                             * a CertificateStatus message */
-+    SECItem               cert_status; /* an OCSP response */
-     sslBuffer             msgState;    /* current state for handshake messages*/
-                                        /* protected by recvBufLock */
-     sslBuffer             messages;    /* Accumulated handshake messages */
-@@ -1625,6 +1634,8 @@ extern SECStatus ssl3_HandleSupportedPoi
-                        PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ClientHandleSessionTicketXtn(sslSocket *ss,
-                        PRUint16 ex_type, SECItem *data);
-+extern SECStatus ssl3_ClientHandleStatusRequestXtn(sslSocket *ss,
-+                       PRUint16 ex_type, SECItem *data);
- extern SECStatus ssl3_ServerHandleSessionTicketXtn(sslSocket *ss,
-                        PRUint16 ex_type, SECItem *data);
- 
-@@ -1634,6 +1645,8 @@ extern SECStatus ssl3_ServerHandleSessio
-  */
- extern PRInt32 ssl3_SendSessionTicketXtn(sslSocket *ss, PRBool append,
-                        PRUint32 maxBytes);
-+extern PRInt32 ssl3_ClientSendStatusRequestXtn(sslSocket *ss, PRBool append,
-+                       PRUint32 maxBytes);
- 
- /* ClientHello and ServerHello extension senders.
-  * The code is in ssl3ext.c.
-diff -pu -r a/net/third_party/nss/ssl/sslsock.c b/net/third_party/nss/ssl/sslsock.c
---- a/net/third_party/nss/ssl/sslsock.c 2012-11-09 15:17:00.432983977 -0800
-+++ b/net/third_party/nss/ssl/sslsock.c 2012-11-09 15:28:27.943078167 -0800
-@@ -153,7 +153,8 @@ static sslOptions ssl_defaults = {
-     2,          /* enableRenegotiation (default: requires extension) */
-     PR_FALSE,   /* requireSafeNegotiation */
-     PR_FALSE,   /* enableFalseStart   */
--    PR_TRUE     /* cbcRandomIV        */
-+    PR_TRUE,    /* cbcRandomIV        */
-+    PR_FALSE,   /* enableOCSPStapling */
- };
- 
- /*
-@@ -827,6 +828,10 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
-        ss->opt.cbcRandomIV = on;
-        break;
- 
-+      case SSL_ENABLE_OCSP_STAPLING:
-+       ss->opt.enableOCSPStapling = on;
-+       break;
-+
-       default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        rv = SECFailure;
-@@ -896,6 +901,7 @@ SSL_OptionGet(PRFileDesc *fd, PRInt32 wh
-                                   on = ss->opt.requireSafeNegotiation; break;
-     case SSL_ENABLE_FALSE_START:  on = ss->opt.enableFalseStart;   break;
-     case SSL_CBC_RANDOM_IV:       on = ss->opt.cbcRandomIV;        break;
-+    case SSL_ENABLE_OCSP_STAPLING: on = ss->opt.enableOCSPStapling; break;
- 
-     default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -954,6 +960,9 @@ SSL_OptionGetDefault(PRInt32 which, PRBo
-                                  break;
-     case SSL_ENABLE_FALSE_START:  on = ssl_defaults.enableFalseStart;   break;
-     case SSL_CBC_RANDOM_IV:       on = ssl_defaults.cbcRandomIV;        break;
-+    case SSL_ENABLE_OCSP_STAPLING:
-+       on = ssl_defaults.enableOCSPStapling;
-+       break;
- 
-     default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -1117,6 +1126,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
-        ssl_defaults.cbcRandomIV = on;
-        break;
- 
-+      case SSL_ENABLE_OCSP_STAPLING:
-+       ssl_defaults.enableOCSPStapling = on;
-+       break;
-+
-       default:
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-        return SECFailure;
-@@ -1859,6 +1872,36 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons
-     return SECSuccess;
- }
- 
-+SECStatus
-+SSL_GetStapledOCSPResponse(PRFileDesc *fd, unsigned char *out_data,
-+                          unsigned int *len) {
-+    sslSocket *ss = ssl_FindSocket(fd);
-+
-+    if (!ss) {
-+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_GetStapledOCSPResponse",
-+                SSL_GETPID(), fd));
-+       return SECFailure;
-+    }
-+
-+    ssl_Get1stHandshakeLock(ss);
-+    ssl_GetSSL3HandshakeLock(ss);
-+
-+    if (ss->ssl3.hs.cert_status.data) {
-+       unsigned int todo = ss->ssl3.hs.cert_status.len;
-+       if (todo > *len)
-+           todo = *len;
-+       *len = ss->ssl3.hs.cert_status.len;
-+       PORT_Memcpy(out_data, ss->ssl3.hs.cert_status.data, todo);
-+    } else {
-+       *len = 0;
-+    }
-+
-+    ssl_ReleaseSSL3HandshakeLock(ss);
-+    ssl_Release1stHandshakeLock(ss);
-+
-+    return SECSuccess;
-+}
-+
- /************************************************************************/
- /* The following functions are the TOP LEVEL SSL functions.
- ** They all get called through the NSPRIOMethods table below.
-diff -pu -r a/net/third_party/nss/ssl/sslt.h b/net/third_party/nss/ssl/sslt.h
---- a/net/third_party/nss/ssl/sslt.h    2012-06-06 19:06:19.000000000 -0700
-+++ b/net/third_party/nss/ssl/sslt.h    2012-11-09 15:29:10.333701086 -0800
-@@ -175,6 +175,7 @@ typedef enum {
- /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
- typedef enum {
-     ssl_server_name_xtn              = 0,
-+    ssl_cert_status_xtn              = 5,
- #ifdef NSS_ENABLE_ECC
-     ssl_elliptic_curves_xtn          = 10,
-     ssl_ec_point_formats_xtn         = 11,
-@@ -185,6 +186,6 @@ typedef enum {
-     ssl_renegotiation_info_xtn       = 0xff01  /* experimental number */
- } SSLExtensionType;
- 
--#define SSL_MAX_EXTENSIONS             7
-+#define SSL_MAX_EXTENSIONS             8
- 
- #endif /* __sslt_h_ */