net/third_party/nss/patches/tls12chromium.patch

   1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
   2 --- a/nss/lib/ssl/ssl3con.c     2014-01-03 18:55:44.659133336 -0800
   3 +++ b/nss/lib/ssl/ssl3con.c     2014-01-03 18:57:20.390695317 -0800
   4 @@ -31,6 +31,15 @@
   5  #include "blapi.h"
   6  #endif
   7
   8 +/* This is a bodge to allow this code to be compiled against older NSS headers
   9 + * that don't contain the TLS 1.2 changes. */
  10 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
  11 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256          (CKM_NSS + 21)
  12 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256    (CKM_NSS + 22)
  13 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256   (CKM_NSS + 23)
  14 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  15 +#endif
  16 +
  17  #include <stdio.h>
  18  #ifdef NSS_ENABLE_ZLIB
  19  #include "zlib.h"
  20 diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c
  21 --- a/nss/lib/ssl/ssl3ecc.c     2014-01-03 18:56:43.300090124 -0800
  22 +++ b/nss/lib/ssl/ssl3ecc.c     2014-01-03 18:57:20.390695317 -0800
  23 @@ -30,6 +30,12 @@
  24
  25  #include <stdio.h>
  26
  27 +/* This is a bodge to allow this code to be compiled against older NSS headers
  28 + * that don't contain the TLS 1.2 changes. */
  29 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256
  30 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  31 +#endif
  32 +
  33  #ifdef NSS_ENABLE_ECC
  34
  35  #ifndef PK11_SETATTRS
  36 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
  37 --- a/nss/lib/ssl/sslsock.c     2014-01-03 18:55:44.669133500 -0800
  38 +++ b/nss/lib/ssl/sslsock.c     2014-01-03 18:57:20.400695477 -0800
  39 @@ -17,8 +17,15 @@
  40  #ifndef NO_PKCS11_BYPASS
  41  #include "blapi.h"
  42  #endif
  43 +#include "pk11pub.h"
  44  #include "nss.h"
  45
  46 +/* This is a bodge to allow this code to be compiled against older NSS headers
  47 + * that don't contain the TLS 1.2 changes. */
  48 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256
  49 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24)
  50 +#endif
  51 +
  52  #define SET_ERROR_CODE   /* reminder */
  53
  54  static const sslSocketOps ssl_default_ops = {  /* No SSL. */
  55 @@ -1814,6 +1821,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV
  56      return SECSuccess;
  57  }
  58
  59 +static PRCallOnceType checkTLS12TokenOnce;
  60 +static PRBool tls12TokenExists;
  61 +
  62 +static PRStatus
  63 +ssl_CheckTLS12Token(void)
  64 +{
  65 +    tls12TokenExists =
  66 +       PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256);
  67 +    return PR_SUCCESS;
  68 +}
  69 +
  70 +static PRBool
  71 +ssl_TLS12TokenExists(void)
  72 +{
  73 +    (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token);
  74 +    return tls12TokenExists;
  75 +}
  76 +
  77  SECStatus
  78  SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange)
  79  {
  80 @@ -1834,6 +1859,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons
  81      ssl_GetSSL3HandshakeLock(ss);
  82
  83      ss->vrange = *vrange;
  84 +    /* If we don't have a sufficiently up-to-date softoken then we cannot do
  85 +     * TLS 1.2. */
  86 +    if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
  87 +        !ssl_TLS12TokenExists()) {
  88 +       /* If the user requested a minimum version of 1.2, then we don't
  89 +        * silently downgrade. */
  90 +       if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
  91 +           ssl_ReleaseSSL3HandshakeLock(ss);
  92 +           ssl_Release1stHandshakeLock(ss);
  93 +           PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
  94 +           return SECFailure;
  95 +       }
  96 +       ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
  97 +    }
  98
  99      ssl_ReleaseSSL3HandshakeLock(ss);
 100      ssl_Release1stHandshakeLock(ss);