net/third_party/nss/patches/tls12chromium.patch

   1 diff --git a/ssl/ssl3con.c b/ssl/ssl3con.c
   2 index 7c06815..1167d6d 100644
   3 --- a/ssl/ssl3con.c
   4 +++ b/ssl/ssl3con.c
   5 @@ -31,6 +31,15 @@
   6  #include "blapi.h"
   7  #endif
   8
   9 +/* This is a bodge to allow this code to be compiled against older NSS headers
  10 + * that don't contain the TLS 1.2 changes. */
  11 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
  12 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
  13 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
  14 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
  15 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  16 +#endif
  17 +
  18  #include <stdio.h>
  19  #ifdef NSS_ENABLE_ZLIB
  20  #include "zlib.h"
  21 diff --git a/ssl/ssl3ecc.c b/ssl/ssl3ecc.c
  22 index dac7a9e..9b91270 100644
  23 --- a/ssl/ssl3ecc.c
  24 +++ b/ssl/ssl3ecc.c
  25 @@ -31,6 +31,12 @@
  26
  27  #include <stdio.h>
  28
  29 +/* This is a bodge to allow this code to be compiled against older NSS headers
  30 + * that don't contain the TLS 1.2 changes. */
  31 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256
  32 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  33 +#endif
  34 +
  35  #ifndef NSS_DISABLE_ECC
  36
  37  #ifndef PK11_SETATTRS
  38 diff --git a/ssl/sslsock.c b/ssl/sslsock.c
  39 index 14ff328..6a6c8d1 100644
  40 --- a/ssl/sslsock.c
  41 +++ b/ssl/sslsock.c
  42 @@ -17,8 +17,15 @@
  43  #ifndef NO_PKCS11_BYPASS
  44  #include "blapi.h"
  45  #endif
  46 +#include "pk11pub.h"
  47  #include "nss.h"
  48
  49 +/* This is a bodge to allow this code to be compiled against older NSS headers
  50 + * that don't contain the TLS 1.2 changes. */
  51 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256
  52 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  53 +#endif
  54 +
  55  #define SET_ERROR_CODE   /* reminder */
  56
  57  static const sslSocketOps ssl_default_ops = {   /* No SSL. */
  58 @@ -1878,6 +1885,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLVersionRange *vrange)
  59      return SECSuccess;
  60  }
  61
  62 +static PRCallOnceType checkTLS12TokenOnce;
  63 +static PRBool tls12TokenExists;
  64 +
  65 +static PRStatus
  66 +ssl_CheckTLS12Token(void)
  67 +{
  68 +    tls12TokenExists =
  69 +       PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256);
  70 +    return PR_SUCCESS;
  71 +}
  72 +
  73 +static PRBool
  74 +ssl_TLS12TokenExists(void)
  75 +{
  76 +    (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token);
  77 +    return tls12TokenExists;
  78 +}
  79 +
  80  SECStatus
  81  SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
  82  {
  83 @@ -1898,6 +1923,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
  84      ssl_GetSSL3HandshakeLock(ss);
  85
  86      ss->vrange = *vrange;
  87 +    /* If we don't have a sufficiently up-to-date softoken then we cannot do
  88 +     * TLS 1.2. */
  89 +    if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
  90 +        !ssl_TLS12TokenExists()) {
  91 +       /* If the user requested a minimum version of 1.2, then we don't
  92 +        * silently downgrade. */
  93 +       if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
  94 +           ssl_ReleaseSSL3HandshakeLock(ss);
  95 +           ssl_Release1stHandshakeLock(ss);
  96 +           PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
  97 +           return SECFailure;
  98 +       }
  99 +       ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
 100 +    }
 101
 102      ssl_ReleaseSSL3HandshakeLock(ss);
 103      ssl_Release1stHandshakeLock(ss);