Issue #1746 - Revert "Update to NSS 3.59.1.1"

1 files changed, 32 insertions, 27 deletions

diff --git a/security/nss/lib/ssl/dtlscon.c b/security/nss/lib/ssl/dtlscon.c
index 10e550e0fe..bbd2f6d79b 100644
--- a/security/nss/lib/ssl/dtlscon.c
+++ b/security/nss/lib/ssl/dtlscon.c
@@ -53,7 +53,7 @@ static const ssl3CipherSuite nonDTLSSuites[] = {
  * TLS             DTLS
  * 1.1 (0302)      1.0 (feff)
  * 1.2 (0303)      1.2 (fefd)
- * 1.3 (0304)      1.3 (0304)
+ * 1.3 (0304)      1.3 (fefc)
  */
 SSL3ProtocolVersion
 dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv)
@@ -68,7 +68,7 @@ dtls_TLSVersionToDTLSVersion(SSL3ProtocolVersion tlsv)
         return SSL_LIBRARY_VERSION_DTLS_1_3_WIRE;
     }
 
-    /* Anything else is an error, so return
+    /* Anything other than TLS 1.1 or 1.2 is an error, so return
      * the invalid version 0xffff. */
     return 0xffff;
 }
@@ -270,6 +270,12 @@ SECStatus
 dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
                      sslBuffer *origBuf)
 {
+    /* XXX OK for now.
+     * This doesn't work properly with asynchronous certificate validation.
+     * because that returns a WOULDBLOCK error. The current DTLS
+     * applications do not need asynchronous validation, but in the
+     * future we will need to add this.
+     */
     sslBuffer buf = *origBuf;
     SECStatus rv = SECSuccess;
     PRBool discarded = PR_FALSE;
@@ -304,8 +310,7 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
         if (message_length > MAX_HANDSHAKE_MSG_LEN) {
             (void)ssl3_DecodeError(ss);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
-            rv = SECFailure;
-            goto loser;
+            return SECFailure;
         }
 #undef MAX_HANDSHAKE_MSG_LEN
 
@@ -338,7 +343,6 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
             SSL_TRC(5, ("%d: DTLS[%d]: Received apparent 2nd ClientHello",
                         SSL_GETPID(), ss->fd));
             ss->ssl3.hs.recvMessageSeq = 1;
-            ss->ssl3.hs.helloRetry = PR_TRUE;
         }
 
         /* There are three ways we could not be ready for this packet.
@@ -480,7 +484,7 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
     }
 
     // This should never happen, but belt and suspenders.
-    if (rv != SECSuccess) {
+    if (rv == SECFailure) {
         PORT_Assert(0);
         goto loser;
     }
@@ -500,6 +504,9 @@ dtls_HandleHandshake(sslSocket *ss, DTLSEpoch epoch, sslSequenceNumber seqNum,
 
 loser:
     origBuf->len = 0; /* So ssl3_GatherAppDataRecord will keep looping. */
+
+    /* XXX OK for now. In future handle rv == SECWouldBlock safely in order
+     * to deal with asynchronous certificate verification */
     return rv;
 }
 
@@ -1327,14 +1334,6 @@ dtls_IsLongHeader(SSL3ProtocolVersion version, PRUint8 firstOctet)
 #endif
 }
 
-PRBool
-dtls_IsDtls13Ciphertext(SSL3ProtocolVersion version, PRUint8 firstOctet)
-{
-    // Allow no version in case we haven't negotiated one yet.
-    return (version == 0 || version >= SSL_LIBRARY_VERSION_TLS_1_3) &&
-           (firstOctet & 0xe0) == 0x20;
-}
-
 DTLSEpoch
 dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr)
 {
@@ -1349,12 +1348,13 @@ dtls_ReadEpoch(const ssl3CipherSpec *crSpec, const PRUint8 *hdr)
     /* A lot of how we recover the epoch here will depend on how we plan to
      * manage KeyUpdate.  In the case that we decide to install a new read spec
      * as a KeyUpdate is handled, crSpec will always be the highest epoch we can
-     * possibly receive.  That makes this easier to manage.
-     */
-    if (dtls_IsDtls13Ciphertext(crSpec->version, hdr[0])) {
-        /* TODO(ekr@rtfm.com: do something with the two-bit epoch. */
+     * possibly receive.  That makes this easier to manage. */
+    if ((hdr[0] & 0xe0) == 0x20) {
         /* Use crSpec->epoch, or crSpec->epoch - 1 if the last bit differs. */
-        return crSpec->epoch - ((hdr[0] ^ crSpec->epoch) & 0x3);
+        if (((hdr[0] >> 4) & 1) == (crSpec->epoch & 1)) {
+            return crSpec->epoch;
+        }
+        return crSpec->epoch - 1;
     }
 
     /* dtls_GatherData should ensure that this works. */
@@ -1397,15 +1397,20 @@ dtls_ReadSequenceNumber(const ssl3CipherSpec *spec, const PRUint8 *hdr)
      * sequence number is replaced.  If that causes the value to exceed the
      * maximum, subtract an entire range.
      */
-    if (hdr[0] & 0x08) {
-        cap = spec->nextSeqNum + (1ULL << 15);
-        partial = (((sslSequenceNumber)hdr[1]) << 8) |
-                  (sslSequenceNumber)hdr[2];
-        mask = (1ULL << 16) - 1;
+    if ((hdr[0] & 0xe0) == 0x20) {
+        /* A 12-bit sequence number. */
+        cap = spec->nextSeqNum + (1ULL << 11);
+        partial = (((sslSequenceNumber)hdr[0] & 0xf) << 8) |
+                  (sslSequenceNumber)hdr[1];
+        mask = (1ULL << 12) - 1;
     } else {
-        cap = spec->nextSeqNum + (1ULL << 7);
-        partial = (sslSequenceNumber)hdr[1];
-        mask = (1ULL << 8) - 1;
+        /* A 30-bit sequence number. */
+        cap = spec->nextSeqNum + (1ULL << 29);
+        partial = (((sslSequenceNumber)hdr[1] & 0x3f) << 24) |
+                  ((sslSequenceNumber)hdr[2] << 16) |
+                  ((sslSequenceNumber)hdr[3] << 8) |
+                  (sslSequenceNumber)hdr[4];
+        mask = (1ULL << 30) - 1;
     }
     seqNum = (cap & ~mask) | partial;
     /* The second check prevents the value from underflowing if we get a large