1 diff -pu a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c 2 --- a/nss/lib/ssl/ssl3con.c 2013-07-31 14:12:19.414856329 -0700 3 +++ b/nss/lib/ssl/ssl3con.c 2013-07-31 14:13:56.916288878 -0700 4 @@ -31,6 +31,15 @@ 5 #include "blapi.h" 6 #endif 7 8 +/* This is a bodge to allow this code to be compiled against older NSS headers 9 + * that don't contain the TLS 1.2 changes. */ 10 +#ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256 11 +#define CKM_NSS_TLS_PRF_GENERAL_SHA256 (CKM_NSS + 21) 12 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256 (CKM_NSS + 22) 13 +#define CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256 (CKM_NSS + 23) 14 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) 15 +#endif 16 + 17 #include <stdio.h> 18 #ifdef NSS_ENABLE_ZLIB 19 #include "zlib.h" 20 diff -pu a/nss/lib/ssl/ssl3ecc.c b/nss/lib/ssl/ssl3ecc.c 21 --- a/nss/lib/ssl/ssl3ecc.c 2013-07-31 14:13:15.115674638 -0700 22 +++ b/nss/lib/ssl/ssl3ecc.c 2013-07-31 14:13:56.916288878 -0700 23 @@ -30,6 +30,12 @@ 24 25 #include <stdio.h> 26 27 +/* This is a bodge to allow this code to be compiled against older NSS headers 28 + * that don't contain the TLS 1.2 changes. */ 29 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 30 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) 31 +#endif 32 + 33 #ifdef NSS_ENABLE_ECC 34 35 /* 36 diff -pu a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c 37 --- a/nss/lib/ssl/sslsock.c 2013-07-31 14:10:35.113325316 -0700 38 +++ b/nss/lib/ssl/sslsock.c 2013-07-31 14:16:39.538677991 -0700 39 @@ -17,8 +17,15 @@ 40 #ifndef NO_PKCS11_BYPASS 41 #include "blapi.h" 42 #endif 43 +#include "pk11pub.h" 44 #include "nss.h" 45 46 +/* This is a bodge to allow this code to be compiled against older NSS headers 47 + * that don't contain the TLS 1.2 changes. */ 48 +#ifndef CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 49 +#define CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256 (CKM_NSS + 24) 50 +#endif 51 + 52 #define SET_ERROR_CODE /* reminder */ 53 54 struct cipherPolicyStr { 55 @@ -1900,6 +1907,24 @@ SSL_VersionRangeGet(PRFileDesc *fd, SSLV 56 return SECSuccess; 57 } 58 59 +static PRCallOnceType checkTLS12TokenOnce; 60 +static PRBool tls12TokenExists; 61 + 62 +static PRStatus 63 +ssl_CheckTLS12Token(void) 64 +{ 65 + tls12TokenExists = 66 + PK11_TokenExists(CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256); 67 + return PR_SUCCESS; 68 +} 69 + 70 +static PRBool 71 +ssl_TLS12TokenExists(void) 72 +{ 73 + (void) PR_CallOnce(&checkTLS12TokenOnce, ssl_CheckTLS12Token); 74 + return tls12TokenExists; 75 +} 76 + 77 SECStatus 78 SSL_VersionRangeSet(PRFileDesc *fd, const SSLVersionRange *vrange) 79 { 80 @@ -1920,6 +1945,20 @@ SSL_VersionRangeSet(PRFileDesc *fd, cons 81 ssl_GetSSL3HandshakeLock(ss); 82 83 ss->vrange = *vrange; 84 + /* If we don't have a sufficiently up-to-date softoken then we cannot do 85 + * TLS 1.2. */ 86 + if (ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_2 && 87 + !ssl_TLS12TokenExists()) { 88 + /* If the user requested a minimum version of 1.2, then we don't 89 + * silently downgrade. */ 90 + if (ss->vrange.min >= SSL_LIBRARY_VERSION_TLS_1_2) { 91 + ssl_ReleaseSSL3HandshakeLock(ss); 92 + ssl_Release1stHandshakeLock(ss); 93 + PORT_SetError(SSL_ERROR_INVALID_VERSION_RANGE); 94 + return SECFailure; 95 + } 96 + ss->vrange.max = SSL_LIBRARY_VERSION_TLS_1_1; 97 + } 98 99 ssl_ReleaseSSL3HandshakeLock(ss); 100 ssl_Release1stHandshakeLock(ss); 101
