
Unified Diff: net/socket/nss_ssl_util.cc

Issue 6804032: Add TLS-SRP (RFC 5054) support Base URL: http://git.chromium.org/git/chromium.git@trunk
Patch Set: remove "httpsv" scheme, minor NSS/OpenSSL changes Created 9 years, 8 months ago
Index: net/socket/nss_ssl_util.cc
diff --git a/net/socket/nss_ssl_util.cc b/net/socket/nss_ssl_util.cc
index 53318a6669968995fd5441f226079940efeaf1f0..b38f018ca5d8906dd0f402d754801e458b405d29 100644
--- a/net/socket/nss_ssl_util.cc
+++ b/net/socket/nss_ssl_util.cc
@@ -46,13 +46,15 @@ class NSSSSLInitSingleton {
#define pSSL_ImplementedCiphers SSL_ImplementedCiphers
#endif
- // Explicitly enable exactly those ciphers with keys of at least 80 bits
+ // Explicitly enable exactly those ciphers with keys of at least 80 bits,
+ // except for SRP ciphers.
for (int i = 0; i < SSL_NumImplementedCiphers; i++) {
SSLCipherSuiteInfo info;
if (SSL_GetCipherSuiteInfo(pSSL_ImplementedCiphers[i], &info,
sizeof(info)) == SECSuccess) {
SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i],
- (info.effectiveKeyBits >= 80));
+ (info.effectiveKeyBits >= 80 &&
+ !IsNSSCipherKEATypeSRP(info.keaType)));
}
}
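Review bot: The loop fails open when `SSL_GetCipherSuiteInfo` does not return `SECSuccess`: that suite keeps whatever default NSS gave it, so neither the 80-bit floor nor the new SRP exclusion is applied to it. Adding `} else { SSL_CipherPrefSetDefault(pSSL_ImplementedCiphers[i], PR_FALSE); }` would make the "exactly those ciphers" comment hold. The comment could also say why SRP suites stay off by default; presumably they are enabled per connection only when SRP credentials are supplied, but that is not visible here. The enclosing function starts outside the hunk.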
@@ -185,6 +187,8 @@ int MapNSSError(PRErrorCode err) {
return ERR_SSL_UNSAFE_NEGOTIATION;
case SSL_ERROR_WEAK_SERVER_KEY:
return ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY;
+ case SSL_ERROR_UNKNOWN_PSK_IDENTITY_ALERT:
+ return ERR_SSL_UNKNOWN_PSK_IDENTITY_ALERT;
default: {
if (IS_SSL_ERROR(err)) {
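Review bot: The new case in `MapNSSError` has no comment explaining why a PSK-named alert appears in an SRP change. RFC 5054 reuses the unknown_psk_identity alert for a user name the server does not recognise, so a line such as `// TLS-SRP (RFC 5054): the server does not recognise the SRP user name.` above the case would help. Whatever surfaces this error should probably treat it like any other failed login rather than reporting an unknown user separately from a wrong password. That handling is outside this hunk, as are the start and end of the switch.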
@@ -245,4 +249,13 @@ void LogFailedNSSFunction(const BoundNetLog& net_log,
make_scoped_refptr(new SSLFailedNSSFunctionParams(function, param)));
}
+// Returns true iff |kea_type|, an NSS cipher's key exchange algorithm (KEA),
+// uses SRP, including ciphers that also use certificates (e.g., SRP_SHA_RSA
+// and SRP_SHA_DSS).
+bool IsNSSCipherKEATypeSRP(SSLKEAType kea_type) {
+ return kea_type == ssl_kea_srp ||
+ kea_type == ssl_kea_srp_rsa ||
+ kea_type == ssl_kea_srp_dss;
+}
+
} // namespace net
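Review bot: The header comment on `IsNSSCipherKEATypeSRP` does not say that the default cipher setup depends on this list being complete. The init loop earlier in this file turns SRP suites off only for the three KEA values compared here, so an SRP key exchange added to `SSLKEAType` later would be enabled by default whenever it has at least 80 effective key bits. I would add `// The default cipher preferences rely on this list; extend it whenever a new SRP value is added to SSLKEAType.` to the comment.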