authorMoonchild <moonchild@palemoon.org>2020-12-23 19:02:52 +0000
committerMoonchild <moonchild@palemoon.org>2020-12-23 19:02:52 +0000
commit029bcfe189eae5eebbaf58ccff4e1200dd78b228 (patch)
tree1c226a334ea1a88e2d1c6f949c9320eb0c3bff59 /security/nss/lib/ssl/dtlscon.c
parent149d2ffa779826cb48a381099858e76e4624d471 (diff)
downloaduxp-029bcfe189eae5eebbaf58ccff4e1200dd78b228.tar.gz
Issue #1693 - Update NSS to 3.59.1.1
This updates to MoonchildProductions/NSS@bd49b2b88 in the repo created for our consumption of the library.
Diffstat (limited to 'security/nss/lib/ssl/dtlscon.c')
-rw-r--r--security/nss/lib/ssl/dtlscon.c59
1 files changed, 27 insertions, 32 deletions
diff --git a/security/nss/lib/ssl/dtlscon.c b/security/nss/lib/ssl/dtlscon.c
index bbd2f6d79b..10e550e0fe 100644
--- a/security/nss/lib/ssl/dtlscon.c
+++ b/security/nss/lib/ssl/dtlscon.c
@@ -53,7 +53,7 @@ static const ssl3CipherSuite nonDTLSSuites[] = {
* TLS DTLS
* 1.1 (0302) 1.0 (feff)
* 1.2 (0303) 1.2 (fefd)
- * 1.3 (0304) 1.3 (fefc)
+ * 1.3 (0304) 1.3 (0304)
*/
SSL3ProtocolVersion
dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv)
@@ -68,7 +68,7 @@ dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv)
return SSL_LIBRARY_VERSION_DTLS_1_3_WIRE;
}
- /* Anything other than TLS 1.1 or 1.2 is an error, so return
+ /* Anything else is an error, so return
* the invalid version 0xffff. */
return 0xffff;
}
@@ -270,12 +270,6 @@ SECStatus
dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
sslBuffer *origBuf)
{
- /* XXX OK for now.
- * This doesn't work properly with asynchronous certificate validation.
- * because that returns a WOULDBLOCK error. The current DTLS
- * applications do not need asynchronous validation, but in the
- * future we will need to add this.
- */
sslBuffer buf = *origBuf;
SECStatus rv = SECSuccess;
PRBool discarded = PR_FALSE;
@@ -310,7 +304,8 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
if (message_length > MAX_HANDSHAKE_MSG_LEN) {
(void)ssl3_DecodeError(ss);
PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
- return SECFailure;
+ rv = SECFailure;
+ goto loser;
}
#undef MAX_HANDSHAKE_MSG_LEN
@@ -343,6 +338,7 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
SSL_TRC(5, ("%d: DTLS[%d]: Received apparent 2nd ClientHello",
SSL_GETPID(), ss->fd));
ss->ssl3.hs.recvMessageSeq = 1;
+ ss->ssl3.hs.helloRetry = PR_TRUE;
}
/* There are three ways we could not be ready for this packet.
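Review bot: The added `ss->ssl3.hs.helloRetry = PR_TRUE;` is derived from the peer's message_seq field alone (the branch is entered when the apparent second ClientHello arrives, on a condition above this hunk), so a client can make the server believe it sent a HelloRetryRequest when none was sent. Unless the later ClientHello processing independently demands the evidence an HRR leaves behind (the cookie), this flag is attacker-controlled state; I cannot verify that from here. I would at least document the dependency next to the assignment, e.g. `/* message_seq is untrusted; ClientHello handling must still verify the cookie before relying on helloRetry. */`. dtls_HandleHandshake starts and ends outside this hunk.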
@@ -484,7 +480,7 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
}
// This should never happen, but belt and suspenders.
- if (rv == SECFailure) {
+ if (rv != SECSuccess) {
PORT_Assert(0);
goto loser;
}
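Review bot: Widening the test to `rv != SECSuccess` means a SECWouldBlock result now reaches `PORT_Assert(0)` on the following line, which in debug builds is an abort driven by peer input if any handler on this path can still block. The XXX comments removed in an earlier hunk suggest asynchronous certificate validation was never supported for DTLS, but nothing in the code states that precondition. I would make it explicit in the comment, e.g. `// rv is SECSuccess or SECFailure here; the DTLS handshake path must never return SECWouldBlock.`. The enclosing function starts and ends outside this hunk.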
@@ -504,9 +500,6 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
loser:
origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
-
- /* XXX OK for now. In future handle rv == SECWouldBlock safely in order
- * to deal with asynchronous certificate verification */
return rv;
}
@@ -1334,6 +1327,14 @@ dtls_IsLongHeader(SSL3ProtocolVersion version, PRUint8 firstOctet)
#endif
}
+PRBool
+dtls_IsDtls13Ciphertext(SSL3ProtocolVersion version, PRUint8 firstOctet)
+{
+ // Allow no version in case we haven't negotiated one yet.
+ return (version == 0 || version >= SSL_LIBRARY_VERSION_TLS_1_3) &&
+ (firstOctet & 0xe0) == 0x20;
+}
+
DTLSEpoch
dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr)
{
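Review bot: dtls_IsDtls13Ciphertext is a new externally visible function with no header comment, and its two tests deserve one: `(firstOctet & 0xe0) == 0x20` matches the fixed 001 prefix of the DTLS 1.3 unified ciphertext header, and `version == 0` deliberately accepts records on a socket that has not negotiated a version yet, so such a socket will classify any 001xxxxx first byte as DTLS 1.3 ciphertext. I would add above the function `/* True if firstOctet looks like a DTLS 1.3 unified ciphertext header (top three bits 001). version == 0 means nothing has been negotiated yet and is accepted. */`. The matching declaration presumably lives in a header that is not part of this diff.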
@@ -1348,13 +1349,12 @@ dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr)
/* A lot of how we recover the epoch here will depend on how we plan to
* manage KeyUpdate. In the case that we decide to install a new read spec
* as a KeyUpdate is handled, crSpec will always be the highest epoch we can
- * possibly receive. That makes this easier to manage. */
- if ((hdr[0] & 0xe0) == 0x20) {
+ * possibly receive. That makes this easier to manage.
+ */
+ if (dtls_IsDtls13Ciphertext(crSpec->version, hdr[0])) {
+ /* TODO(ekr@rtfm.com: do something with the two-bit epoch. */
/* Use crSpec->epoch, or crSpec->epoch - 1 if the last bit differs. */
- if (((hdr[0] >> 4) & 1) == (crSpec->epoch & 1)) {
- return crSpec->epoch;
- }
- return crSpec->epoch - 1;
+ return crSpec->epoch - ((hdr[0] ^ crSpec->epoch) & 0x3);
}
/* dtls_GatherData should ensure that this works. */
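Review bot: The new epoch recovery `return crSpec->epoch - ((hdr[0] ^ crSpec->epoch) & 0x3);` is wrong whenever the two-bit subtraction borrows: with crSpec->epoch == 2 and header epoch bits 01 (epoch 1), `(1 ^ 2) & 3` is 3, so it returns 2 - 3 instead of 1, and with epoch 4 and header bits 11 it returns 1 instead of 3; if DTLSEpoch is an unsigned type the first case wraps to a very large epoch. XOR equals the difference only when no borrow occurs; the modular distance is `(crSpec->epoch - hdr[0]) & 0x3`, so the line should be `return crSpec->epoch - ((crSpec->epoch - hdr[0]) & 0x3);`. The comment above it still speaks of "the last bit" and should say the two low epoch bits are compared modulo 4; the TODO is also missing its closing parenthesis. Note that with two bits the result can legitimately be up to three epochs behind crSpec->epoch, so the caller that looks up a read spec for the returned epoch (outside this hunk) must tolerate that.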
@@ -1397,20 +1397,15 @@ dtls_ReadSequenceNumber(const ssl3CipherSpec *spec, const PRUint8 *hdr)
* sequence number is replaced. If that causes the value to exceed the
* maximum, subtract an entire range.
*/
- if ((hdr[0] & 0xe0) == 0x20) {
- /* A 12-bit sequence number. */
- cap = spec->nextSeqNum + (1ULL << 11);
- partial = (((sslSequenceNumber)hdr[0] & 0xf) << 8) |
- (sslSequenceNumber)hdr[1];
- mask = (1ULL << 12) - 1;
+ if (hdr[0] & 0x08) {
+ cap = spec->nextSeqNum + (1ULL << 15);
+ partial = (((sslSequenceNumber)hdr[1]) << 8) |
+ (sslSequenceNumber)hdr[2];
+ mask = (1ULL << 16) - 1;
} else {
- /* A 30-bit sequence number. */
- cap = spec->nextSeqNum + (1ULL << 29);
- partial = (((sslSequenceNumber)hdr[1] & 0x3f) << 24) |
- ((sslSequenceNumber)hdr[2] << 16) |
- ((sslSequenceNumber)hdr[3] << 8) |
- (sslSequenceNumber)hdr[4];
- mask = (1ULL << 30) - 1;
+ cap = spec->nextSeqNum + (1ULL << 7);
+ partial = (sslSequenceNumber)hdr[1];
+ mask = (1ULL << 8) - 1;
}
seqNum = (cap & ~mask) | partial;
/* The second check prevents the value from underflowing if we get a large
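Review bot: The rewritten branches lost the explanatory comments the old ones carried (`/* A 12-bit sequence number. */`, `/* A 30-bit sequence number. */`); I would add `/* S bit set: 16-bit sequence number in hdr[1..2]. */` and `/* S bit clear: 8-bit sequence number in hdr[1]. */` so the 0x08 mask is self-explaining. The new code also no longer checks that the record is a DTLS 1.3 unified header before testing `hdr[0] & 0x08`; whether the function or its caller gates on the version or on dtls_IsDtls13Ciphertext happens above this hunk and cannot be verified here, and if it does not, a DTLS 1.2 header would be parsed through this path. Reading the sequence number from hdr[1] onward also presumes the C (connection ID, 0x10) bit is clear; if that bit is not rejected elsewhere, CID bytes would be taken as the sequence number. dtls_ReadSequenceNumber starts outside this hunk.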