Index: net/third_party/nss/patches/cipherorder.patch |
diff --git a/net/third_party/nss/patches/cipherorder.patch b/net/third_party/nss/patches/cipherorder.patch |
new file mode 100644 |
index 0000000000000000000000000000000000000000..e364c50dd854f5b1730ad75fe4ad4cb84ad98e4e |
--- /dev/null |
+++ b/net/third_party/nss/patches/cipherorder.patch |
@@ -0,0 +1,103 @@ |
+diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h |
+index 47468a0..bd93bc5 100644 |
+--- a/nss/lib/ssl/ssl.h |
++++ b/nss/lib/ssl/ssl.h |
+@@ -267,6 +267,12 @@ SSL_IMPORT SECStatus SSL_CipherPrefSetDefault(PRInt32 cipher, PRBool enabled); |
+ SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled); |
+ SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy); |
+ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy); |
++/* SSL_CipherOrderSet sets the cipher suite preference order from |ciphers|, |
++ * which must be an array of cipher suite ids of length |len|. All the given |
++ * cipher suite ids must appear in the array that is returned by |
++ * |SSL_GetImplementedCiphers| and may only appear once, at most. */ |
++SSL_IMPORT SECStatus SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, |
++ size_t len); |
+ |
+ /* SSLChannelBindingType enumerates the types of supported channel binding |
+ * values. See RFC 5929. */ |
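Review bot: The comment on SSL_CipherOrderSet omits two side effects that callers need to know, both visible in the ssl3con.c implementation further down in this patch. Every suite not listed in |ciphers| is disabled on the socket, and listed suites keep their existing enabled state instead of being switched on. Listing a previously disabled suite therefore does not make it negotiable, and a call with len == 0 disables every suite. I would add `Suites not present in |ciphers| are disabled; suites that are present keep their current enabled state.` to the comment. It should also say that on SECFailure the socket's order may already have been partly changed, unless the implementation is made all-or-nothing.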
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
+index 882e356..ab22891 100644 |
+--- a/nss/lib/ssl/ssl3con.c |
++++ b/nss/lib/ssl/ssl3con.c |
+@@ -12365,6 +12365,45 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled) |
+ return rv; |
+ } |
+ |
++SECStatus |
++ssl3_CipherOrderSet(sslSocket *ss, const PRUint16 *ciphers, size_t len) |
++{ |
++ size_t i, done; |
++ |
++ for (i = done = 0; i < len; i++) { |
++ PRUint16 id = ciphers[i]; |
++ size_t existingIndex, j; |
++ char found = 0; |
++ |
++ for (j = done; j < ssl_V3_SUITES_IMPLEMENTED; j++) { |
++ if (ss->cipherSuites[j].cipher_suite == id) { |
++ existingIndex = j; |
++ found = 1; |
++ break; |
++ } |
++ } |
++ |
++ if (!found) { |
++ PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE); |
++ return SECFailure; |
++ } |
++ |
++ if (existingIndex != done) { |
++ const ssl3CipherSuiteCfg temp = ss->cipherSuites[done]; |
++ ss->cipherSuites[done] = ss->cipherSuites[existingIndex]; |
++ ss->cipherSuites[existingIndex] = temp; |
++ } |
++ done++; |
++ } |
++ |
++ /* Disable all cipher suites that weren't included. */ |
++ for (; i < ssl_V3_SUITES_IMPLEMENTED; i++) { |
++ ss->cipherSuites[i].enabled = 0; |
++ } |
++ |
++ return SECSuccess; |
++} |
++ |
+ /* copy global default policy into socket. */ |
+ void |
+ ssl3_InitSocketPolicy(sslSocket *ss) |
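Review bot: ssl3_CipherOrderSet can return SECFailure after it has already swapped entries in ss->cipherSuites, because the `if (!found)` exit sits inside the same loop that does the reordering. A list with an unknown or repeated id late in the array leaves the socket with a partly applied preference order and the old enabled flags, which is neither the previous configuration nor the requested one. Checking the whole list before the first swap makes the call all-or-nothing; the existing swap loop can then stay as it is, with its `!found` branch becoming a defensive check. A repeated id is currently reported as SSL_ERROR_UNKNOWN_CIPHER_SUITE because the search starts at `done`; the sketch below reports it as SEC_ERROR_INVALID_ARGS instead, which is a behaviour change to confirm.

```c
SECStatus
ssl3_CipherOrderSet(sslSocket *ss, const PRUint16 *ciphers, size_t len)
{
    size_t i, j;

    if (len > ssl_V3_SUITES_IMPLEMENTED) {
        PORT_SetError(SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    /* Validate the whole list before touching ss->cipherSuites. */
    for (i = 0; i < len; i++) {
        for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
            if (ss->cipherSuites[j].cipher_suite == ciphers[i])
                break;
        }
        if (j == ssl_V3_SUITES_IMPLEMENTED) {
            PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
            return SECFailure;
        }
        for (j = 0; j < i; j++) {
            if (ciphers[j] == ciphers[i]) {
                PORT_SetError(SEC_ERROR_INVALID_ARGS);
                return SECFailure;
            }
        }
    }

    /* ... unchanged: swap loop and disabling of unlisted suites ... */
```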
+diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h |
+index 9c789bf..63a06c9 100644 |
+--- a/nss/lib/ssl/sslimpl.h |
++++ b/nss/lib/ssl/sslimpl.h |
+@@ -1672,6 +1672,7 @@ extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool |
+ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on); |
+ extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled); |
+ extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled); |
++extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const PRUint16 *cipher, size_t len); |
+ |
+ extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy); |
+ extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy); |
+diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c |
+index 072fad5..931ba32 100644 |
+--- a/nss/lib/ssl/sslsock.c |
++++ b/nss/lib/ssl/sslsock.c |
+@@ -1327,6 +1327,19 @@ SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled) |
+ return rv; |
+ } |
+ |
++SECStatus |
++SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, size_t len) |
++{ |
++ sslSocket *ss = ssl_FindSocket(fd); |
++ |
++ if (!ss) { |
++ SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(), |
++ fd)); |
++ return SECFailure; |
++ } |
++ return ssl3_CipherOrderSet(ss, ciphers, len); |
++} |
++ |
+ SECStatus |
+ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) |
+ { |
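Review bot: SSL_CipherOrderSet passes |ciphers| and |len| straight to ssl3_CipherOrderSet, so a NULL array with a non-zero length is dereferenced at `ciphers[i]` instead of being rejected at the public boundary. A guard after the socket lookup would cover it: `if (!ciphers && len > 0) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure; }`. The hunk also does not show whether the call is meant to be legal once a handshake has started on the socket. If it is not, that restriction should be stated in the ssl.h comment or enforced here.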