net: boost AES-GCM ciphers if the machine has AES-NI.

net/third_party/nss/patches/cipherorder.patch

Index: net/third_party/nss/patches/cipherorder.patch
diff --git a/net/third_party/nss/patches/cipherorder.patch b/net/third_party/nss/patches/cipherorder.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d3a61546597550a38d48bec9342e80bbe79d2bb3
--- /dev/null
+++ b/net/third_party/nss/patches/cipherorder.patch
@@ -0,0 +1,104 @@
+diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
+index 67cc3a7..9899e0a 100644
+--- a/nss/lib/ssl/ssl.h
++++ b/nss/lib/ssl/ssl.h
+@@ -263,6 +263,13 @@ SSL_IMPORT SECStatus SSL_CipherPrefGetDefault(PRInt32 cipher, PRBool *enabled);
+ SSL_IMPORT SECStatus SSL_CipherPolicySet(PRInt32 cipher, PRInt32 policy);
+ SSL_IMPORT SECStatus SSL_CipherPolicyGet(PRInt32 cipher, PRInt32 *policy);
+ 
++/* SSL_CipherOrderSet sets the cipher suite preference order from |ciphers|,
++ * which must be an array of cipher suite ids of length |len|. All the given
++ * cipher suite ids must appear in the array that is returned by
++ * |SSL_GetImplementedCiphers| and may only appear once, at most. */
++SSL_IMPORT SECStatus SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers,
++                                        unsigned int len);
++
+ /* SSLChannelBindingType enumerates the types of supported channel binding
+  * values. See RFC 5929. */
+ typedef enum SSLChannelBindingType {
+diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
+index 0f1eea4..20dd5677 100644
+--- a/nss/lib/ssl/ssl3con.c
++++ b/nss/lib/ssl/ssl3con.c
+@@ -12408,6 +12408,44 @@ ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *enabled)
+     return rv;
+ }
+ 
++SECStatus
++ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int len)
++{
++    unsigned int i;
++
++    for (i = 0; i < len; i++) {
++	PRUint16 id = ciphers[i];
++	unsigned int existingIndex, j;
++	PRBool found = PR_FALSE;
++
++	for (j = i; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
++	    if (ss->cipherSuites[j].cipher_suite == id) {
++		existingIndex = j;
++		found = PR_TRUE;
++		break;
++	    }
++	}
++
++	if (!found) {
++	    PORT_SetError(SSL_ERROR_UNKNOWN_CIPHER_SUITE);
++	    return SECFailure;
++	}
++
++	if (existingIndex != i) {
++	    const ssl3CipherSuiteCfg temp = ss->cipherSuites[i];
++	    ss->cipherSuites[i] = ss->cipherSuites[existingIndex];
++	    ss->cipherSuites[existingIndex] = temp;
++	}
++    }
++
++    /* Disable all cipher suites that weren't included. */
++    for (; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
++	ss->cipherSuites[i].enabled = 0;
++    }
++
++    return SECSuccess;
++}
++
+ /* copy global default policy into socket. */
+ void
+ ssl3_InitSocketPolicy(sslSocket *ss)
+diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
+index 79aca60..2c4b632 100644
+--- a/nss/lib/ssl/sslimpl.h
++++ b/nss/lib/ssl/sslimpl.h
+@@ -1693,6 +1693,8 @@ extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool
+ extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
+ extern SECStatus ssl2_CipherPrefSet(sslSocket *ss, PRInt32 which, PRBool enabled);
+ extern SECStatus ssl2_CipherPrefGet(sslSocket *ss, PRInt32 which, PRBool *enabled);
++extern SECStatus ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *cipher,
++				     unsigned int len);
+ 
+ extern SECStatus ssl3_SetPolicy(ssl3CipherSuite which, PRInt32 policy);
+ extern SECStatus ssl3_GetPolicy(ssl3CipherSuite which, PRInt32 *policy);
+diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
+index b5c17f0..23a1b6b 100644
+--- a/nss/lib/ssl/sslsock.c
++++ b/nss/lib/ssl/sslsock.c
+@@ -1329,6 +1329,19 @@ SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
+     return rv;
+ }
+ 
++SECStatus
++SSL_CipherOrderSet(PRFileDesc *fd, const PRUint16 *ciphers, unsigned int len)
++{
++    sslSocket *ss = ssl_FindSocket(fd);
++
++    if (!ss) {
++	SSL_DBG(("%d: SSL[%d]: bad socket in CipherOrderSet", SSL_GETPID(),
++		fd));
++	return SECFailure;
++    }
++    return ssl3_CipherOrderSet(ss, ciphers, len);
++}
++
+ SECStatus 
+ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled)
+ {