NSS: don't advertise TLS 1.2-only ciphersuites in a TLS 1.1 ClientHello.

net/third_party/nss/patches/ciphersuiteversion.patch

Index: net/third_party/nss/patches/ciphersuiteversion.patch
diff --git a/net/third_party/nss/patches/ciphersuiteversion.patch b/net/third_party/nss/patches/ciphersuiteversion.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3967f17dcd64fbd963aef9ea3d919b87960f9049
--- /dev/null
+++ b/net/third_party/nss/patches/ciphersuiteversion.patch
@@ -0,0 +1,169 @@
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
+index bc54c99..1245393 100644
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -631,8 +631,9 @@ void SSL_AtomicIncrementLong(long * x)
+ }
+ 
+ static PRBool
+-ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
+-				  SSL3ProtocolVersion version)
++ssl3_CipherSuiteAllowedForVersionRange(
++    ssl3CipherSuite cipherSuite,
++    const SSLVersionRange *vrange)
+ {
+     switch (cipherSuite) {
+     /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
+@@ -649,7 +650,9 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
+      *   SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5:     never implemented
+      *   SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:  never implemented
+      */
+-	return version <= SSL_LIBRARY_VERSION_TLS_1_0;
++	return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
++    case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
++    case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
+     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
+     case TLS_RSA_WITH_AES_256_CBC_SHA256:
+     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
+@@ -661,7 +664,7 @@ ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
+     case TLS_RSA_WITH_AES_128_CBC_SHA256:
+     case TLS_RSA_WITH_AES_128_GCM_SHA256:
+     case TLS_RSA_WITH_NULL_SHA256:
+-	return version >= SSL_LIBRARY_VERSION_TLS_1_2;
++	return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
+     default:
+ 	return PR_TRUE;
+     }
+@@ -804,7 +807,8 @@ ssl3_config_match_init(sslSocket *ss)
+ }
+ 
+ 
+-/* return PR_TRUE if suite matches policy and enabled state */
++/* return PR_TRUE if suite matches policy, enabled state and is applicable to
++ * the given version range. */
+ /* It would be a REALLY BAD THING (tm) if we ever permitted the use
+ ** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
+ ** policy == SSL_NOT_ALLOWED, report no match.
+@@ -812,7 +816,8 @@ ssl3_config_match_init(sslSocket *ss)
+ /* adjust suite enabled to the availability of a token that can do the
+  * cipher suite. */
+ static PRBool
+-config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
++config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
++	     const SSLVersionRange *vrange)
+ {
+     PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
+     if (policy == SSL_NOT_ALLOWED || !enabled)
+@@ -820,10 +825,13 @@ config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled)
+     return (PRBool)(suite->enabled &&
+                     suite->isPresent &&
+ 	            suite->policy != SSL_NOT_ALLOWED &&
+-		    suite->policy <= policy);
++		    suite->policy <= policy &&
++		    ssl3_CipherSuiteAllowedForVersionRange(
++                        suite->cipher_suite, vrange));
+ }
+ 
+-/* return number of cipher suites that match policy and enabled state */
++/* return number of cipher suites that match policy, enabled state and are
++ * applicable for the configured protocol version range. */
+ /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
+ static int
+ count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
+@@ -834,7 +842,7 @@ count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
+     	return 0;
+     }
+     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+-	if (config_match(&ss->cipherSuites[i], policy, enabled))
++	if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
+ 	    count++;
+     }
+     if (count <= 0) {
+@@ -5294,7 +5302,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending)
+     }
+     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+-	if (config_match(suite, ss->ssl3.policy, PR_TRUE)) {
++	if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
+ 	    actual_count++;
+ 	    if (actual_count > num_suites) {
+ 		/* set error card removal/insertion error */
+@@ -6359,15 +6367,19 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+ 	if (temp == suite->cipher_suite) {
+-	    if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
++	    SSLVersionRange vrange = {ss->version, ss->version};
++	    if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
++		/* config_match already checks whether the cipher suite is
++		 * acceptable for the version, but the check is repeated here
++		 * in order to give a more precise error code. */
++		if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) {
++		    desc    = handshake_failure;
++		    errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
++		    goto alert_loser;
++		}
++
+ 		break;	/* failure */
+ 	    }
+-	    if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+-						   ss->version)) {
+-		desc    = handshake_failure;
+-		errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
+-		goto alert_loser;
+-	    }
+ 	
+ 	    suite_found = PR_TRUE;
+ 	    break;	/* success */
+@@ -8008,6 +8020,9 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+     */
+     if (sid) do {
+ 	ssl3CipherSuiteCfg *suite;
++#ifdef PARANOID
++	SSLVersionRange vrange = {ss->version, ss->version};
++#endif
+ 
+ 	/* Check that the cached compression method is still enabled. */
+ 	if (!compressionEnabled(ss, sid->u.ssl3.compression))
+@@ -8036,7 +8051,7 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+ 	 * The product policy won't change during the process lifetime.  
+ 	 * Implemented ("isPresent") shouldn't change for servers.
+ 	 */
+-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
++	if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange))
+ 	    break;
+ #else
+ 	if (!suite->enabled)
+@@ -8084,9 +8099,8 @@ ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
+     */
+     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+ 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+-	    !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+-					       ss->version)) {
++	SSLVersionRange vrange = {ss->version, ss->version};
++	if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
+ 	    continue;
+ 	}
+ 	for (i = 0; i + 1 < suites.len; i += 2) {
+@@ -8619,9 +8633,8 @@ ssl3_HandleV2ClientHello(sslSocket *ss, unsigned char *buffer, int length)
+     */
+     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
+ 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
+-	if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+-	    !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+-					       ss->version)) {
++	SSLVersionRange vrange = {ss->version, ss->version};
++	if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
+ 	    continue;
+ 	}
+ 	for (i = 0; i+2 < suite_length; i += 3) {
+@@ -12324,7 +12337,7 @@ ssl3_ConstructV2CipherSpecsHack(sslSocket *ss, unsigned char *cs, int *size)
+     /* ssl3_config_match_init was called by the caller of this function. */
+     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
+ 	ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
+-	if (config_match(suite, SSL_ALLOWED, PR_TRUE)) {
++	if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) {
+ 	    if (cs != NULL) {
+ 		*cs++ = 0x00;
+ 		*cs++ = (suite->cipher_suite >> 8) & 0xFF;