Implement TLS 1.2.

net/third_party/nss/ssl/sslsock.c

Index: net/third_party/nss/ssl/sslsock.c
===================================================================
--- net/third_party/nss/ssl/sslsock.c	(revision 199250)
+++ net/third_party/nss/ssl/sslsock.c	(working copy)
@@ -18,6 +18,7 @@
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
+#include "pk11pub.h"
 #include "nss.h"
 
 #define SET_ERROR_CODE   /* reminder */
@@ -782,6 +783,16 @@
 	    rv = SECFailure;
 	} else {
             if (PR_FALSE != on) {
+		/* TLS 1.2 isn't supported in bypass mode. */
+		if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
+		    /* If the user requested a minimum version of TLS 1.2 then
+		     * we don't silently downgrade. */
+		    PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+		    rv = SECFailure;
+		}
+		if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
+		    ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
+		}
                 if (PR_SUCCESS == SSL_BypassSetup() ) {
 #ifdef NO_PKCS11_BYPASS
                     ss->opt.bypassPKCS11   = PR_FALSE;
@@ -1915,6 +1926,22 @@
     ssl_GetSSL3HandshakeLock(ss);
 
     ss->vrange = *vrange;
+    /* If we don't have a sufficiently up-to-date library then we cannot do TLS
+     * 1.2. */
+    if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 &&
+        !PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
+	/* If the user requested a minimum version of 1.2, then we don't
+	 * silently downgrade. */
+	if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) {
+	    PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE);
+	    return SECFailure;
+	}
+	ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1;
+    }
+    /* PKCS#11 bypass is not supported with TLS 1.2. */
+    if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2) {
+	ss->opt.bypassPKCS11 = PR_FALSE;
+    }
 
     ssl_ReleaseSSL3HandshakeLock(ss);
     ssl_Release1stHandshakeLock(ss);