1 --- net/third_party/nss/ssl/ssl3con.c.orig 2013-08-20 12:00:16.742760827 -0700
2 +++ net/third_party/nss/ssl/ssl3con.c 2013-08-20 11:59:56.782463207 -0700
12 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
13 @@ -1819,6 +1822,69 @@ ssl3_BuildRecordPseudoHeader(unsigned ch
17 +typedef SECStatus (*PK11CryptFcn)(
18 + PK11SymKey *symKey, CK_MECHANISM_TYPE mechanism, SECItem *param,
19 + unsigned char *out, unsigned int *outLen, unsigned int maxLen,
20 + const unsigned char *in, unsigned int inLen);
22 +static PK11CryptFcn pk11_encrypt = NULL;
23 +static PK11CryptFcn pk11_decrypt = NULL;
25 +static PRCallOnceType resolvePK11CryptOnce;
28 +ssl3_ResolvePK11CryptFunctions(void)
31 + /* On Linux we use the system NSS libraries. Look up the PK11_Encrypt and
32 + * PK11_Decrypt functions at run time. */
33 + void *handle = dlopen(NULL, RTLD_LAZY);
35 + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
38 + pk11_encrypt = (PK11CryptFcn)dlsym(handle, "PK11_Encrypt");
39 + pk11_decrypt = (PK11CryptFcn)dlsym(handle, "PK11_Decrypt");
43 + /* On other platforms we use our own copy of NSS. PK11_Encrypt and
44 + * PK11_Decrypt are known to be available. */
45 + pk11_encrypt = PK11_Encrypt;
46 + pk11_decrypt = PK11_Decrypt;
52 + * In NSS 3.15, PK11_Encrypt and PK11_Decrypt were added to provide access
53 + * to the AES GCM implementation in the NSS softoken. So the presence of
54 + * these two functions implies the NSS version supports AES GCM.
57 +ssl3_HasGCMSupport(void)
59 + (void)PR_CallOnce(&resolvePK11CryptOnce, ssl3_ResolvePK11CryptFunctions);
60 + return pk11_encrypt != NULL;
63 +/* On this socket, disable the GCM cipher suites */
65 +ssl3_DisableGCMSuites(sslSocket * ss)
69 + for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); i++) {
70 + const ssl3CipherSuiteDef *cipher_def = &cipher_suite_defs[i];
71 + if (cipher_def->bulk_cipher_alg == cipher_aes_128_gcm) {
72 + SECStatus rv = ssl3_CipherPrefSet(ss, cipher_def->cipher_suite,
74 + PORT_Assert(rv == SECSuccess); /* else is coding error */
81 ssl3_AESGCM(ssl3KeyMaterial *keys,
83 @@ -1870,10 +1936,10 @@ ssl3_AESGCM(ssl3KeyMaterial *keys,
84 gcmParams.ulTagBits = tagSize * 8;
87 - rv = PK11_Decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen,
88 + rv = pk11_decrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen,
91 - rv = PK11_Encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen,
92 + rv = pk11_encrypt(keys->write_key, CKM_AES_GCM, ¶m, out, &uOutLen,
95 *outlen += (int) uOutLen;
96 @@ -5023,6 +5089,10 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
97 ssl3_DisableNonDTLSSuites(ss);
100 + if (!ssl3_HasGCMSupport()) {
101 + ssl3_DisableGCMSuites(ss);
104 /* how many suites are permitted by policy and user preference? */
105 num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
107 @@ -7728,6 +7798,10 @@ ssl3_HandleClientHello(sslSocket *ss, SS
108 ssl3_DisableNonDTLSSuites(ss);
111 + if (!ssl3_HasGCMSupport()) {
112 + ssl3_DisableGCMSuites(ss);
116 /* Look for a matching cipher suite. */
117 j = ssl3_config_match_init(ss);