nss: Upgrade to 3.17

CVE patches removed since they have been implemented upstream Rename patch dir (files) to generic PN name (From OE-Core rev: ff3ca87477f2caf9e2228ed100f243f5ea831577) Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Saul Wold <sgw@linux.intel.com> 2014-09-04 13:42:08 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-11-06 16:45:21 +0000
commit: 8569e10e59a539d0ac8d4f3db2cc81aa0681a7c8 (patch)
tree: 54bdca1a1eefd5d95667a80ca3d614b5afa69a0a /meta
parent: c1809c4b899994cf97686cc27345a2d7b262c547 (diff)
download: poky-8569e10e59a539d0ac8d4f3db2cc81aa0681a7c8.tar.gz
15 files changed, 9 insertions, 1281 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch
deleted file mode 100644
index 1a159c3934..0000000000
--- a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-Upstream-Status: Backport
-Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
--- a/nss/lib/ssl/ssl3con.c
-+++ b/nss/lib/ssl/ssl3con.c
-@@ -10509,7 +10509,7 @@ ssl_RemoveSSLv3CBCPadding(sslBuffer *pla
-     /* SSLv3 padding bytes are random and cannot be checked. */
-     t = plaintext->len;
-     t -= paddingLength+overhead;
-    /* If len >= padding_length+overhead then the MSB of t is zero. */
-+    /* If len >= paddingLength+overhead then the MSB of t is zero. */
-     good = DUPLICATE_MSB_TO_ALL(~t);
-     /* SSLv3 requires that the padding is minimal. */
-     t = blockSize - (paddingLength+1);
-@@ -10742,7 +10742,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
-        }
-     }
- 
-    good = (unsigned)-1;
-+    good = ~0U;
-     minLength = crSpec->mac_size;
-     if (cipher_def->type == type_block) {
-        /* CBC records have a padding length byte at the end. */
-@@ -10756,14 +10756,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
-     /* We can perform this test in variable time because the record's total
-      * length and the ciphersuite are both public knowledge. */
-     if (cText->buf->len < minLength) {
-       SSL_DBG(("%d: SSL3[%d]: HandleRecord, record too small.",
-                SSL_GETPID(), ss->fd));
-       /* must not hold spec lock when calling SSL3_SendAlert. */
-       ssl_ReleaseSpecReadLock(ss);
-       SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
-       /* always log mac error, in case attacker can read server logs. */
-       PORT_SetError(SSL_ERROR_BAD_MAC_READ);
-       return SECFailure;
-+       goto decrypt_loser;
-     }
- 
-     if (cipher_def->type == type_block &&
-@@ -10831,11 +10824,18 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
-        return SECFailure;
-     }
- 
-+    if (cipher_def->type == type_block &&
-+       ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
-+       goto decrypt_loser;
-+    }
-+
-     /* decrypt from cText buf to plaintext. */
-     rv = crSpec->decode(
-        crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
-        plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
-    good &= SECStatusToMask(rv);
-+    if (rv != SECSuccess) {
-+       goto decrypt_loser;
-+    }
- 
-     PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
- 
-@@ -10843,7 +10843,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
- 
-     /* If it's a block cipher, check and strip the padding. */
-     if (cipher_def->type == type_block) {
-       const unsigned int blockSize = cipher_def->iv_size;
-+       const unsigned int blockSize = cipher_def->block_size;
-        const unsigned int macSize = crSpec->mac_size;
- 
-        if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
-@@ -10899,10 +10899,11 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
-     }
- 
-     if (good == 0) {
-+decrypt_loser:
-        /* must not hold spec lock when calling SSL3_SendAlert. */
-        ssl_ReleaseSpecReadLock(ss);
- 
-       SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
-+       SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
- 
-        if (!IS_DTLS(ss)) {
-            SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
deleted file mode 100644
index 21da0c03b5..0000000000
--- a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-Upstream-Status: backport
-yanjun.zhu <yanjun.zhu@windriver.com>
--- a/nss/lib/util/secport.c
-+++ b/nss/lib/util/secport.c
-@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu
- PORTCharConversionFunc ucs2Utf8ConvertFunc;
- PORTCharConversionWSwapFunc  ucs2AsciiConvertFunc;
- 
-+/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc)
-+ * use the PRUint32 type for the size parameter. Before we pass a size_t or
-+ * unsigned long size to these functions, we need to ensure it is <= half of
-+ * the maximum PRUint32 value to avoid truncation and catch a negative size.
-+ */
-+#define MAX_SIZE (PR_UINT32_MAX >> 1)
-+
- void *
- PORT_Alloc(size_t bytes)
- {
-    void *rv;
-+    void *rv = NULL;
- 
-    /* Always allocate a non-zero amount of bytes */
-    rv = (void *)PR_Malloc(bytes ? bytes : 1);
-+    if (bytes <= MAX_SIZE) {
-+       /* Always allocate a non-zero amount of bytes */
-+       rv = PR_Malloc(bytes ? bytes : 1);
-+    }
-     if (!rv) {
-        ++port_allocFailures;
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes)
- void *
- PORT_Realloc(void *oldptr, size_t bytes)
- {
-    void *rv;
-+    void *rv = NULL;
- 
-    rv = (void *)PR_Realloc(oldptr, bytes);
-+    if (bytes <= MAX_SIZE) {
-+       rv = PR_Realloc(oldptr, bytes);
-+    }
-     if (!rv) {
-        ++port_allocFailures;
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes)
- void *
- PORT_ZAlloc(size_t bytes)
- {
-    void *rv;
-+    void *rv = NULL;
- 
-    /* Always allocate a non-zero amount of bytes */
-    rv = (void *)PR_Calloc(1, bytes ? bytes : 1);
-+    if (bytes <= MAX_SIZE) {
-+       /* Always allocate a non-zero amount of bytes */
-+       rv = PR_Calloc(1, bytes ? bytes : 1);
-+    }
-     if (!rv) {
-        ++port_allocFailures;
-        PORT_SetError(SEC_ERROR_NO_MEMORY);
-@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize)
- {
-     PORTArenaPool *pool;
-     
-+    if (chunksize > MAX_SIZE) {
-+       PORT_SetError(SEC_ERROR_NO_MEMORY);
-+       return NULL;
-+    }
-     pool = PORT_ZNew(PORTArenaPool);
-     if (!pool) {
-        return NULL;
-@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize)
-     return(&pool->arena);
- }
- 
-#define MAX_SIZE 0x7fffffffUL
-
- void *
- PORT_ArenaAlloc(PLArenaPool *arena, size_t size)
- {
-@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void 
-     PORTArenaPool *pool = (PORTArenaPool *)arena;
-     PORT_Assert(newsize >= oldsize);
-     
-+    if (newsize > MAX_SIZE) {
-+       PORT_SetError(SEC_ERROR_NO_MEMORY);
-+       return NULL;
-+    }
-+
-     if (ARENAPOOL_MAGIC == pool->magic ) {
-        PZ_Lock(pool->lock);
-        /* Do we do a THREADMARK check here? */
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch
deleted file mode 100644
index 7203d02c78..0000000000
--- a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-5605.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-signed-off-by: Ryan Sleevi <ryan.sleevi@gmail.com>
-Upstream-Status: Backport
-reference:https://hg.mozilla.org/projects/nss/rev/e79a09364b5e
--- a/nss/lib/ssl/ssl3con.c
-+++ b/nss/lib/ssl/ssl3con.c
-@@ -781,6 +781,11 @@ static SECStatus
- Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
-            const unsigned char *input, int inputLen)
- {
-+    if (inputLen > maxOutputLen) {
-+        *outputLen = 0;  /* Match PK11_CipherOp in setting outputLen */
-+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
-+        return SECFailure;
-+    }
-     *outputLen = inputLen;
-     if (input != output)
-        PORT_Memcpy(output, input, inputLen);
diff --git a/meta/recipes-support/nss/files/nss-CVE-2013-1740.patch b/meta/recipes-support/nss/files/nss-CVE-2013-1740.patch
deleted file mode 100644
index db3d6f9103..0000000000
--- a/meta/recipes-support/nss/files/nss-CVE-2013-1740.patch
+++ /dev/null
@@ -1,916 +0,0 @@
-nss: CVE-2013-1740
-Upstream-Status: Backport
-the patch comes from:
-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1740
-https://bugzilla.mozilla.org/show_bug.cgi?id=919877
-https://bugzilla.mozilla.org/show_bug.cgi?id=713933
-changeset:   10946:f28426e944ae
-user:        Wan-Teh Chang <wtc@google.com>
-date:        Tue Nov 26 16:44:39 2013 -0800
-summary:     Bug 713933: Handle the return value of both ssl3_HandleRecord calls
-changeset:   10945:774c7dec7565
-user:        Wan-Teh Chang <wtc@google.com>
-date:        Mon Nov 25 19:16:23 2013 -0800
-summary:     Bug 713933: Declare the |falseStart| local variable in the smallest
-changeset:   10848:141fae8fb2e8
-user:        Wan-Teh Chang <wtc@google.com>
-date:        Mon Sep 23 11:25:41 2013 -0700
-summary:     Bug 681839: Allow SSL_HandshakeNegotiatedExtension to be called before the handshake is finished, r=brian@briansmith.org
-changeset:   10898:1b9c43d28713
-user:        Brian Smith <brian@briansmith.org>
-date:        Thu Oct 31 15:40:42 2013 -0700
-summary:     Bug 713933: Make SSL False Start work with asynchronous certificate validation, r=wtc
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- nss/lib/ssl/ssl.def     |    7 ++
- nss/lib/ssl/ssl.h       |   54 +++++++++++---
- nss/lib/ssl/ssl3con.c   |  188 +++++++++++++++++++++++++++++++++++------------
- nss/lib/ssl/ssl3gthr.c  |   63 ++++++++++++----
- nss/lib/ssl/sslauth.c   |   10 +--
- nss/lib/ssl/sslimpl.h   |   22 +++++-
- nss/lib/ssl/sslinfo.c   |   10 +--
- nss/lib/ssl/sslreveal.c |    9 +--
- nss/lib/ssl/sslsecur.c  |  139 ++++++++++++++++++++++++++++-------
- nss/lib/ssl/sslsock.c   |   12 ++-
- 10 files changed, 386 insertions(+), 128 deletions(-)
-diff --git a/nss/lib/ssl/ssl.def b/nss/lib/ssl/ssl.def
-index fbf7fc5..e937bd4 100644
--- a/nss/lib/ssl/ssl.def
-+++ b/nss/lib/ssl/ssl.def
-@@ -163,3 +163,10 @@ SSL_SetStapledOCSPResponses;
- ;+    local:
- ;+*;
- ;+};
-+;+NSS_3.15.3 {    # NSS 3.15.3 release
-+;+    global:
-+SSL_RecommendedCanFalseStart;
-+SSL_SetCanFalseStartCallback;
-+;+    local:
-+;+*;
-+;+};
-diff --git a/nss/lib/ssl/ssl.h b/nss/lib/ssl/ssl.h
-index 6db0e34..ddeaaef 100644
--- a/nss/lib/ssl/ssl.h
-+++ b/nss/lib/ssl/ssl.h
-@@ -121,14 +121,17 @@ SSL_IMPORT PRFileDesc *DTLS_ImportFD(PRFileDesc *model, PRFileDesc *fd);
- #define SSL_ENABLE_FALSE_START         22 /* Enable SSL false start (off by */
-                                           /* default, applies only to       */
-                                           /* clients). False start is a     */
-/* mode where an SSL client will start sending application data before      */
-/* verifying the server's Finished message. This means that we could end up */
-/* sending data to an imposter. However, the data will be encrypted and     */
-/* only the true server can derive the session key. Thus, so long as the    */
-/* cipher isn't broken this is safe. Because of this, False Start will only */
-/* occur on RSA or DH ciphersuites where the cipher's key length is >= 80   */
-/* bits. The advantage of False Start is that it saves a round trip for     */
-/* client-speaks-first protocols when performing a full handshake.          */
-+/* mode where an SSL client will start sending application data before
-+ * verifying the server's Finished message. This means that we could end up
-+ * sending data to an imposter. However, the data will be encrypted and
-+ * only the true server can derive the session key. Thus, so long as the
-+ * cipher isn't broken this is safe. The advantage of false start is that
-+ * it saves a round trip for client-speaks-first protocols when performing a
-+ * full handshake.
-+ *
-+ * In addition to enabling this option, the application must register a
-+ * callback using the SSL_SetCanFalseStartCallback function.
-+ */
- 
- /* For SSL 3.0 and TLS 1.0, by default we prevent chosen plaintext attacks
-  * on SSL CBC mode cipher suites (see RFC 4346 Section F.3) by splitting
-@@ -653,14 +656,45 @@ SSL_IMPORT SECStatus SSL_SetMaxServerCacheLocks(PRUint32 maxLocks);
- SSL_IMPORT SECStatus SSL_InheritMPServerSIDCache(const char * envString);
- 
- /*
-** Set the callback on a particular socket that gets called when we finish
-** performing a handshake.
-+** Set the callback that gets called when a TLS handshake is complete. The
-+** handshake callback is called after verifying the peer's Finished message and
-+** before processing incoming application data.
-+**
-+** For the initial handshake: If the handshake false started (see
-+** SSL_ENABLE_FALSE_START), then application data may already have been sent
-+** before the handshake callback is called. If we did not false start then the
-+** callback will get called before any application data is sent.
- */
- typedef void (PR_CALLBACK *SSLHandshakeCallback)(PRFileDesc *fd,
-                                                  void *client_data);
- SSL_IMPORT SECStatus SSL_HandshakeCallback(PRFileDesc *fd, 
-                                  SSLHandshakeCallback cb, void *client_data);
- 
-+/* Applications that wish to enable TLS false start must set this callback
-+** function. NSS will invoke the functon to determine if a particular
-+** connection should use false start or not. SECSuccess indicates that the
-+** callback completed successfully, and if so *canFalseStart indicates if false
-+** start can be used. If the callback does not return SECSuccess then the
-+** handshake will be canceled. NSS's recommended criteria can be evaluated by
-+** calling SSL_RecommendedCanFalseStart.
-+**
-+** If no false start callback is registered then false start will never be
-+** done, even if the SSL_ENABLE_FALSE_START option is enabled.
-+**/
-+typedef SECStatus (PR_CALLBACK *SSLCanFalseStartCallback)(
-+    PRFileDesc *fd, void *arg, PRBool *canFalseStart);
-+
-+SSL_IMPORT SECStatus SSL_SetCanFalseStartCallback(
-+    PRFileDesc *fd, SSLCanFalseStartCallback callback, void *arg);
-+
-+/* This function sets *canFalseStart according to the recommended criteria for
-+** false start. These criteria may change from release to release and may depend
-+** on which handshake features have been negotiated and/or properties of the
-+** certifciates/keys used on the connection.
-+*/
-+SSL_IMPORT SECStatus SSL_RecommendedCanFalseStart(PRFileDesc *fd,
-+                                                  PRBool *canFalseStart);
-+
- /*
- ** For the server, request a new handshake.  For the client, begin a new
- ** handshake.  If flushCache is non-zero, the SSL3 cache entry will be 
-diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c
-index 61d24d9..f39ba09 100644
--- a/nss/lib/ssl/ssl3con.c
-+++ b/nss/lib/ssl/ssl3con.c
-@@ -2535,7 +2535,7 @@ ssl3_SendRecord(   sslSocket *        ss,
-     SSL_TRC(3, ("%d: SSL3[%d] SendRecord type: %s nIn=%d",
-                SSL_GETPID(), ss->fd, ssl3_DecodeContentType(type),
-                nIn));
-    PRINT_BUF(3, (ss, "Send record (plain text)", pIn, nIn));
-+    PRINT_BUF(50, (ss, "Send record (plain text)", pIn, nIn));
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
- 
-@@ -6674,36 +6674,73 @@ done:
-     return rv;
- }
- 
-+static SECStatus
-+ssl3_CheckFalseStart(sslSocket *ss)
-+{
-+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-+    PORT_Assert( !ss->ssl3.hs.authCertificatePending );
-+    PORT_Assert( !ss->ssl3.hs.canFalseStart );
-+
-+    if (!ss->canFalseStartCallback) {
-+       SSL_TRC(3, ("%d: SSL[%d]: no false start callback so no false start",
-+                   SSL_GETPID(), ss->fd));
-+    } else {
-+       PRBool maybeFalseStart;
-+       SECStatus rv;
-+
-+       /* An attacker can control the selected ciphersuite so we only wish to
-+        * do False Start in the case that the selected ciphersuite is
-+        * sufficiently strong that the attack can gain no advantage.
-+        * Therefore we always require an 80-bit cipher. */
-+        ssl_GetSpecReadLock(ss);
-+        maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
-+        ssl_ReleaseSpecReadLock(ss);
-+
-+       if (!maybeFalseStart) {
-+           SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
-+                       SSL_GETPID(), ss->fd));
-+       } else {
-+           rv = (ss->canFalseStartCallback)(ss->fd,
-+                                            ss->canFalseStartCallbackData,
-+                                            &ss->ssl3.hs.canFalseStart);
-+           if (rv == SECSuccess) {
-+               SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
-+                           SSL_GETPID(), ss->fd,
-+                           ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
-+           } else {
-+               SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
-+                           SSL_GETPID(), ss->fd,
-+                           PR_ErrorToName(PR_GetError())));
-+           }
-+           return rv;
-+       }
-+    }
-+
-+    ss->ssl3.hs.canFalseStart = PR_FALSE;
-+    return SECSuccess;
-+}
-+
- PRBool
-ssl3_CanFalseStart(sslSocket *ss) {
-    PRBool rv;
-+ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
-+{
-+    PRBool result = PR_FALSE;
- 
-     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
- 
-    /* XXX: does not take into account whether we are waiting for
-     * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
-     * that is done, this function could return different results each time it
-     * would be called.
-     */
-+    switch (ss->ssl3.hs.ws) {
-+    case wait_new_session_ticket:
-+        result = PR_TRUE;
-+        break;
-+    case wait_change_cipher:
-+        result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
-+        break;
-+    case wait_finished:
-+        break;
-+    default:
-+        PR_NOT_REACHED("ssl3_WaitingForStartOfServerSecondRound");
-+    }
- 
-    ssl_GetSpecReadLock(ss);
-    rv = ss->opt.enableFalseStart &&
-        !ss->sec.isServer &&
-        !ss->ssl3.hs.isResuming &&
-        ss->ssl3.cwSpec &&
-
-        /* An attacker can control the selected ciphersuite so we only wish to
-         * do False Start in the case that the selected ciphersuite is
-         * sufficiently strong that the attack can gain no advantage.
-         * Therefore we require an 80-bit cipher and a forward-secret key
-         * exchange. */
-        ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
-       (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
-        ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-        ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa);
-    ssl_ReleaseSpecReadLock(ss);
-    return rv;
-+    return result;
- }
- 
- static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
-@@ -6785,6 +6822,9 @@ ssl3_SendClientSecondRound(sslSocket *ss)
-     }
-     if (ss->ssl3.hs.authCertificatePending &&
-        (sendClientCert || ss->ssl3.sendEmptyCert || ss->firstHsDone)) {
-+        SSL_TRC(3, ("%d: SSL3[%p]: deferring ssl3_SendClientSecondRound because"
-+                    " certificate authentication is still pending.",
-+                    SSL_GETPID(), ss->fd));
-        ss->ssl3.hs.restartTarget = ssl3_SendClientSecondRound;
-        return SECWouldBlock;
-     }
-@@ -6822,14 +6862,50 @@ ssl3_SendClientSecondRound(sslSocket *ss)
-        goto loser;     /* err code was set. */
-     }
- 
-    /* XXX: If the server's certificate hasn't been authenticated by this
-     * point, then we may be leaking this NPN message to an attacker.
-+    /* This must be done after we've set ss->ssl3.cwSpec in
-+     * ssl3_SendChangeCipherSpecs because SSL_GetChannelInfo uses information
-+     * from cwSpec. This must be done before we call ssl3_CheckFalseStart
-+     * because the false start callback (if any) may need the information from
-+     * the functions that depend on this being set.
-      */
-+    ss->enoughFirstHsDone = PR_TRUE;
-+
-     if (!ss->firstHsDone) {
-+        /* XXX: If the server's certificate hasn't been authenticated by this
-+         * point, then we may be leaking this NPN message to an attacker.
-+         */
-        rv = ssl3_SendNextProto(ss);
-        if (rv != SECSuccess) {
-            goto loser; /* err code was set. */
-        }
-+
-+        if (ss->opt.enableFalseStart) {
-+            if (!ss->ssl3.hs.authCertificatePending) {
-+                /* When we fix bug 589047, we will need to know whether we are
-+                 * false starting before we try to flush the client second
-+                 * round to the network. With that in mind, we purposefully
-+                 * call ssl3_CheckFalseStart before calling ssl3_SendFinished,
-+                 * which includes a call to ssl3_FlushHandshake, so that
-+                 * no application develops a reliance on such flushing being
-+                 * done before its false start callback is called.
-+                 */
-+                ssl_ReleaseXmitBufLock(ss);
-+                rv = ssl3_CheckFalseStart(ss);
-+                ssl_GetXmitBufLock(ss);
-+                if (rv != SECSuccess) {
-+                    goto loser;
-+                }
-+            } else {
-+                /* The certificate authentication and the server's Finished
-+                 * message are racing each other. If the certificate
-+                 * authentication wins, then we will try to false start in
-+                 * ssl3_AuthCertificateComplete.
-+                 */
-+                SSL_TRC(3, ("%d: SSL3[%p]: deferring false start check because"
-+                            " certificate authentication is still pending.",
-+                            SSL_GETPID(), ss->fd));
-+            }
-+        }
-     }
- 
-     rv = ssl3_SendFinished(ss, 0);
-@@ -6844,10 +6920,7 @@ ssl3_SendClientSecondRound(sslSocket *ss)
-     else
-        ss->ssl3.hs.ws = wait_change_cipher;
- 
-    /* Do the handshake callback for sslv3 here, if we can false start. */
-    if (ss->handshakeCallback != NULL && ssl3_CanFalseStart(ss)) {
-       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-    }
-+    PORT_Assert(ssl3_WaitingForStartOfServerSecondRound(ss));
- 
-     return SECSuccess;
- 
-@@ -9421,13 +9494,6 @@ ssl3_AuthCertificate(sslSocket *ss)
- 
-            ss->ssl3.hs.authCertificatePending = PR_TRUE;
-            rv = SECSuccess;
-
-           /* XXX: Async cert validation and False Start don't work together
-            * safely yet; if we leave False Start enabled, we may end up false
-            * starting (sending application data) before we
-            * SSL_AuthCertificateComplete has been called.
-            */
-           ss->opt.enableFalseStart = PR_FALSE;
-        }
- 
-        if (rv != SECSuccess) {
-@@ -9551,6 +9617,12 @@ ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
-     } else if (ss->ssl3.hs.restartTarget != NULL) {
-        sslRestartTarget target = ss->ssl3.hs.restartTarget;
-        ss->ssl3.hs.restartTarget = NULL;
-+
-+        if (target == ssl3_FinishHandshake) {
-+            SSL_TRC(3,("%d: SSL3[%p]: certificate authentication lost the race"
-+                       " with peer's finished message", SSL_GETPID(), ss->fd));
-+        }
-+
-        rv = target(ss);
-        /* Even if we blocked here, we have accomplished enough to claim
-         * success. Any remaining work will be taken care of by subsequent
-@@ -9560,7 +9632,29 @@ ssl3_AuthCertificateComplete(sslSocket *ss, PRErrorCode error)
-            rv = SECSuccess;
-        }
-     } else {
-       rv = SECSuccess;
-+        SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
-+                    " peer's finished message", SSL_GETPID(), ss->fd));
-+
-+        PORT_Assert(!ss->firstHsDone);
-+        PORT_Assert(!ss->sec.isServer);
-+        PORT_Assert(!ss->ssl3.hs.isResuming);
-+        PORT_Assert(ss->ssl3.hs.ws == wait_new_session_ticket ||
-+                    ss->ssl3.hs.ws == wait_change_cipher ||
-+                    ss->ssl3.hs.ws == wait_finished);
-+ 
-+        /* ssl3_SendClientSecondRound deferred the false start check because
-+         * certificate authentication was pending, so we do it now if we still
-+          * haven't received any of the server's second round yet.
-+         */
-+        if (ss->opt.enableFalseStart &&
-+            !ss->firstHsDone &&
-+            !ss->sec.isServer &&
-+            !ss->ssl3.hs.isResuming &&
-+            ssl3_WaitingForStartOfServerSecondRound(ss)) {
-+            rv = ssl3_CheckFalseStart(ss);
-+        } else {
-+            rv = SECSuccess;
-+        }
-     }
- 
- done:
-@@ -10023,9 +10117,6 @@ xmit_loser:
-         return rv;
-     }
- 
-    ss->gs.writeOffset = 0;
-    ss->gs.readOffset  = 0;
-
-     if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
-        effectiveExchKeyType = kt_rsa;
-     } else {
-@@ -10090,6 +10181,9 @@ xmit_loser:
-     return rv;
- }
- 
-+/* The return type is SECStatus instead of void because this function needs
-+ * to have type sslRestartTarget.
-+ */
- SECStatus
- ssl3_FinishHandshake(sslSocket * ss)
- {
-@@ -10099,19 +10193,16 @@ ssl3_FinishHandshake(sslSocket * ss)
- 
-     /* The first handshake is now completed. */
-     ss->handshake           = NULL;
-    ss->firstHsDone         = PR_TRUE;
- 
-     if (ss->ssl3.hs.cacheSID) {
-        (*ss->sec.cache)(ss->sec.ci.sid);
-        ss->ssl3.hs.cacheSID = PR_FALSE;
-     }
- 
-+    ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
-     ss->ssl3.hs.ws = idle_handshake;
- 
-    /* Do the handshake callback for sslv3 here, if we cannot false start. */
-    if (ss->handshakeCallback != NULL && !ssl3_CanFalseStart(ss)) {
-       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-    }
-+    ssl_FinishHandshake(ss);
- 
-     return SECSuccess;
- }
-@@ -11045,7 +11136,6 @@ process_it:
- 
-     ssl_ReleaseSSL3HandshakeLock(ss);
-     return rv;
-
- }
- 
- /*
-diff --git a/nss/lib/ssl/ssl3gthr.c b/nss/lib/ssl/ssl3gthr.c
-index 6d62515..03e369d 100644
--- a/nss/lib/ssl/ssl3gthr.c
-+++ b/nss/lib/ssl/ssl3gthr.c
-@@ -275,11 +275,17 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
- {
-     SSL3Ciphertext cText;
-     int            rv;
-    PRBool         canFalseStart = PR_FALSE;
-+    PRBool         keepGoing = PR_TRUE;
- 
-     SSL_TRC(30, ("ssl3_GatherCompleteHandshake"));
- 
-+    /* ssl3_HandleRecord may end up eventually calling ssl_FinishHandshake,
-+     * which requires the 1stHandshakeLock, which must be acquired before the
-+     * RecvBufLock.
-+     */
-+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-+
-     do {
-        PRBool handleRecordNow = PR_FALSE;
- 
-@@ -368,20 +374,48 @@ ssl3_GatherCompleteHandshake(sslSocket *ss, int flags)
-        if (rv < 0) {
-            return ss->recvdCloseNotify ? 0 : rv;
-        }
-+        if (rv == (int) SECSuccess && ss->gs.buf.len > 0) {
-+            /* We have application data to return to the application. This
-+             * prioritizes returning application data to the application over
-+             * completing any renegotiation handshake we may be doing.
-+             */
-+            PORT_Assert(ss->firstHsDone);
-+            PORT_Assert(cText.type == content_application_data);
-+            break;
-+        }
- 
-       /* If we kicked off a false start in ssl3_HandleServerHelloDone, break
-        * out of this loop early without finishing the handshake.
-        */
-       if (ss->opt.enableFalseStart) {
-           ssl_GetSSL3HandshakeLock(ss);
-           canFalseStart = (ss->ssl3.hs.ws == wait_change_cipher ||
-                            ss->ssl3.hs.ws == wait_new_session_ticket) &&
-                           ssl3_CanFalseStart(ss);
-           ssl_ReleaseSSL3HandshakeLock(ss);
-+        PORT_Assert(keepGoing);
-+        ssl_GetSSL3HandshakeLock(ss);
-+        if (ss->ssl3.hs.ws == idle_handshake) {
-+            /* We are done with the current handshake so stop trying to
-+             * handshake. Note that it would be safe to test ss->firstHsDone
-+             * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead,
-+             * we prioritize completing a renegotiation handshake over sending
-+             * application data.
-+             */
-+            PORT_Assert(ss->firstHsDone);
-+            PORT_Assert(!ss->ssl3.hs.canFalseStart);
-+            keepGoing = PR_FALSE;
-+        } else if (ss->ssl3.hs.canFalseStart) {
-+            /* Prioritize sending application data over trying to complete
-+             * the handshake if we're false starting.
-+             *
-+             * If we were to do this check at the beginning of the loop instead
-+             * of here, then this function would become be a no-op after
-+             * receiving the ServerHelloDone in the false start case, and we
-+             * would never complete the handshake.
-+             */
-+            PORT_Assert(!ss->firstHsDone);
-+ 
-+            if (ssl3_WaitingForStartOfServerSecondRound(ss)) {
-+                keepGoing = PR_FALSE;
-+            } else {
-+                ss->ssl3.hs.canFalseStart = PR_FALSE;
-+            }
-        }
-    } while (ss->ssl3.hs.ws != idle_handshake &&
-             !canFalseStart &&
-             ss->gs.buf.len == 0);
-+        ssl_ReleaseSSL3HandshakeLock(ss);
-+     } while (keepGoing);
-+
- 
-     ss->gs.readOffset = 0;
-     ss->gs.writeOffset = ss->gs.buf.len;
-@@ -404,7 +438,10 @@ ssl3_GatherAppDataRecord(sslSocket *ss, int flags)
- {
-     int            rv;
- 
-+    /* ssl3_GatherCompleteHandshake requires both of these locks. */
-+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-+
-     do {
-        rv = ssl3_GatherCompleteHandshake(ss, flags);
-     } while (rv > 0 && ss->gs.buf.len == 0);
-diff --git a/nss/lib/ssl/sslauth.c b/nss/lib/ssl/sslauth.c
-index d2f57bf..cb956d4 100644
--- a/nss/lib/ssl/sslauth.c
-+++ b/nss/lib/ssl/sslauth.c
-@@ -60,7 +60,6 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
-     sslSocket *ss;
-     const char *cipherName;
-     PRBool isDes = PR_FALSE;
-    PRBool enoughFirstHsDone = PR_FALSE;
- 
-     ss = ssl_FindSocket(fd);
-     if (!ss) {
-@@ -78,14 +77,7 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1,
-        *op = SSL_SECURITY_STATUS_OFF;
-     }
- 
-    if (ss->firstHsDone) {
-       enoughFirstHsDone = PR_TRUE;
-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-              ssl3_CanFalseStart(ss)) {
-       enoughFirstHsDone = PR_TRUE;
-    }
-
-    if (ss->opt.useSecurity && enoughFirstHsDone) {
-+    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
-        if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-            cipherName = ssl_cipherName[ss->sec.cipherType];
-        } else {
-diff --git a/nss/lib/ssl/sslimpl.h b/nss/lib/ssl/sslimpl.h
-index 90e9567..bf0d67f 100644
--- a/nss/lib/ssl/sslimpl.h
-+++ b/nss/lib/ssl/sslimpl.h
-@@ -842,6 +842,8 @@ const ssl3CipherSuiteDef *suite_def;
-     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
-     PRBool                cacheSID;
- 
-+    PRBool                canFalseStart;   /* Can/did we False Start */
-+
-     /* clientSigAndHash contains the contents of the signature_algorithms
-      * extension (if any) from the client. This is only valid for TLS 1.2
-      * or later. */
-@@ -1116,6 +1118,10 @@ struct sslSocketStr {
-     unsigned long    clientAuthRequested;
-     unsigned long    delayDisabled;       /* Nagle delay disabled */
-     unsigned long    firstHsDone;         /* first handshake is complete. */
-+    unsigned long    enoughFirstHsDone;   /* enough of the first handshake is
-+                                           * done for callbacks to be able to
-+                                           * retrieve channel security
-+                                           * parameters from the SSL socket. */
-     unsigned long    handshakeBegun;     
-     unsigned long    lastWriteBlocked;   
-     unsigned long    recvdCloseNotify;    /* received SSL EOF. */
-@@ -1156,6 +1162,8 @@ const unsigned char *  preferredCipher;
-     void                     *badCertArg;
-     SSLHandshakeCallback      handshakeCallback;
-     void                     *handshakeCallbackData;
-+    SSLCanFalseStartCallback  canFalseStartCallback;
-+    void                     *canFalseStartCallbackData;
-     void                     *pkcs11PinArg;
-     SSLNextProtoCallback      nextProtoCallback;
-     void                     *nextProtoArg;
-@@ -1358,7 +1366,19 @@ extern void      ssl3_SetAlwaysBlock(sslSocket *ss);
- 
- extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled);
- 
-extern PRBool    ssl3_CanFalseStart(sslSocket *ss);
-+extern void      ssl_FinishHandshake(sslSocket *ss);
-+
-+/* Returns PR_TRUE if we are still waiting for the server to respond to our
-+ * client second round. Once we've received any part of the server's second
-+ * round then we don't bother trying to false start since it is almost always
-+ * the case that the NewSessionTicket, ChangeCipherSoec, and Finished messages
-+ * were sent in the same packet and we want to process them all at the same
-+ * time. If we were to try to false start in the middle of the server's second
-+ * round, then we would increase the number of I/O operations
-+ * (SSL_ForceHandshake/PR_Recv/PR_Send/etc.) needed to finish the handshake.
-+ */
-+extern PRBool    ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss);
-+
- extern SECStatus
- ssl3_CompressMACEncryptRecord(ssl3CipherSpec *   cwSpec,
-                              PRBool             isServer,
-diff --git a/nss/lib/ssl/sslinfo.c b/nss/lib/ssl/sslinfo.c
-index 9f2597e..d0c23b7 100644
--- a/nss/lib/ssl/sslinfo.c
-+++ b/nss/lib/ssl/sslinfo.c
-@@ -26,7 +26,6 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
-     sslSocket *      ss;
-     SSLChannelInfo   inf;
-     sslSessionID *   sid;
-    PRBool           enoughFirstHsDone = PR_FALSE;
- 
-     if (!info || len < sizeof inf.length) { 
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -43,14 +42,7 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len)
-     memset(&inf, 0, sizeof inf);
-     inf.length = PR_MIN(sizeof inf, len);
- 
-    if (ss->firstHsDone) {
-       enoughFirstHsDone = PR_TRUE;
-    } else if (ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-              ssl3_CanFalseStart(ss)) {
-       enoughFirstHsDone = PR_TRUE;
-    }
-
-    if (ss->opt.useSecurity && enoughFirstHsDone) {
-+    if (ss->opt.useSecurity && ss->enoughFirstHsDone) {
-         sid = ss->sec.ci.sid;
-        inf.protocolVersion  = ss->version;
-        inf.authKeyBits      = ss->sec.authKeyBits;
-diff --git a/nss/lib/ssl/sslreveal.c b/nss/lib/ssl/sslreveal.c
-index dc14794..d972998 100644
--- a/nss/lib/ssl/sslreveal.c
-+++ b/nss/lib/ssl/sslreveal.c
-@@ -77,7 +77,6 @@ SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
- {
-   /* some decisions derived from SSL_GetChannelInfo */
-   sslSocket * sslsocket = NULL;
-  PRBool enoughFirstHsDone = PR_FALSE;
- 
-   if (!pYes) {
-     PORT_SetError(SEC_ERROR_INVALID_ARGS);
-@@ -93,14 +92,8 @@ SSL_HandshakeNegotiatedExtension(PRFileDesc * socket,
- 
-   *pYes = PR_FALSE;
- 
-  if (sslsocket->firstHsDone) {
-    enoughFirstHsDone = PR_TRUE;
-  } else if (sslsocket->ssl3.initialized && ssl3_CanFalseStart(sslsocket)) {
-    enoughFirstHsDone = PR_TRUE;
-  }
-
-   /* according to public API SSL_GetChannelInfo, this doesn't need a lock */
-  if (sslsocket->opt.useSecurity && enoughFirstHsDone) {
-+  if (sslsocket->opt.useSecurity) {
-     if (sslsocket->ssl3.initialized) { /* SSL3 and TLS */
-       /* now we know this socket went through ssl3_InitState() and
-        * ss->xtnData got initialized, which is the only member accessed by
-diff --git a/nss/lib/ssl/sslsecur.c b/nss/lib/ssl/sslsecur.c
-index 49bb42b..d0df442 100644
--- a/nss/lib/ssl/sslsecur.c
-+++ b/nss/lib/ssl/sslsecur.c
-@@ -97,23 +97,13 @@ ssl_Do1stHandshake(sslSocket *ss)
-            ss->securityHandshake = 0;
-        }
-        if (ss->handshake == 0) {
-           ssl_GetRecvBufLock(ss);
-           ss->gs.recordLen = 0;
-           ssl_ReleaseRecvBufLock(ss);
-
-           SSL_TRC(3, ("%d: SSL[%d]: handshake is completed",
-                       SSL_GETPID(), ss->fd));
-            /* call handshake callback for ssl v2 */
-           /* for v3 this is done in ssl3_HandleFinished() */
-           if ((ss->handshakeCallback != NULL) && /* has callback */
-               (!ss->firstHsDone) &&              /* only first time */
-               (ss->version < SSL_LIBRARY_VERSION_3_0)) {  /* not ssl3 */
-               ss->firstHsDone     = PR_TRUE;
-               (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-+            /* for v3 this is done in ssl3_FinishHandshake */
-+            if (!ss->firstHsDone && ss->version < SSL_LIBRARY_VERSION_3_0) {
-+                ssl_GetRecvBufLock(ss);
-+                ss->gs.recordLen = 0;
-+                ssl_FinishHandshake(ss);
-+                ssl_ReleaseRecvBufLock(ss);
-            }
-           ss->firstHsDone         = PR_TRUE;
-           ss->gs.writeOffset = 0;
-           ss->gs.readOffset  = 0;
-            break;
-        }
-        rv = (*ss->handshake)(ss);
-@@ -134,6 +124,24 @@ ssl_Do1stHandshake(sslSocket *ss)
-     return rv;
- }
- 
-+void
-+ssl_FinishHandshake(sslSocket *ss)
-+{
-+    PORT_Assert( ss->opt.noLocks || ssl_Have1stHandshakeLock(ss) );
-+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
-+
-+    SSL_TRC(3, ("%d: SSL[%d]: handshake is completed", SSL_GETPID(), ss->fd));
-+
-+    ss->firstHsDone = PR_TRUE;
-+    ss->enoughFirstHsDone = PR_TRUE;
-+    ss->gs.writeOffset = 0;
-+    ss->gs.readOffset  = 0;
-+
-+    if (ss->handshakeCallback) {
-+       (ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
-+    }
-+}
-+
- /*
-  * Handshake function that blocks.  Used to force a
-  * retry on a connection on the next read/write.
-@@ -206,6 +214,7 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
-     ssl_Get1stHandshakeLock(ss);
- 
-     ss->firstHsDone = PR_FALSE;
-+    ss->enoughFirstHsDone = PR_FALSE;
-     if ( asServer ) {
-        ss->handshake = ssl2_BeginServerHandshake;
-        ss->handshaking = sslHandshakingAsServer;
-@@ -221,6 +230,8 @@ SSL_ResetHandshake(PRFileDesc *s, PRBool asServer)
-     ssl_ReleaseRecvBufLock(ss);
- 
-     ssl_GetSSL3HandshakeLock(ss);
-+    ss->ssl3.hs.canFalseStart = PR_FALSE;
-+    ss->ssl3.hs.restartTarget = NULL;
- 
-     /*
-     ** Blow away old security state and get a fresh setup.
-@@ -331,6 +342,71 @@ SSL_HandshakeCallback(PRFileDesc *fd, SSLHandshakeCallback cb,
-     return SECSuccess;
- }
- 
-+/* Register an application callback to be called when false start may happen.
-+** Acquires and releases HandshakeLock.
-+*/
-+SECStatus
-+SSL_SetCanFalseStartCallback(PRFileDesc *fd, SSLCanFalseStartCallback cb,
-+                            void *arg)
-+{
-+    sslSocket *ss;
-+
-+    ss = ssl_FindSocket(fd);
-+    if (!ss) {
-+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SetCanFalseStartCallback",
-+                SSL_GETPID(), fd));
-+       return SECFailure;
-+    }
-+
-+    if (!ss->opt.useSecurity) {
-+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+       return SECFailure;
-+    }
-+
-+    ssl_Get1stHandshakeLock(ss);
-+    ssl_GetSSL3HandshakeLock(ss);
-+
-+    ss->canFalseStartCallback     = cb;
-+    ss->canFalseStartCallbackData = arg;
-+
-+    ssl_ReleaseSSL3HandshakeLock(ss);
-+    ssl_Release1stHandshakeLock(ss);
-+
-+    return SECSuccess;
-+}
-+
-+SECStatus
-+SSL_RecommendedCanFalseStart(PRFileDesc *fd, PRBool *canFalseStart)
-+{
-+    sslSocket *ss;
-+
-+    *canFalseStart = PR_FALSE;
-+    ss = ssl_FindSocket(fd);
-+    if (!ss) {
-+       SSL_DBG(("%d: SSL[%d]: bad socket in SSL_RecommendedCanFalseStart",
-+                SSL_GETPID(), fd));
-+       return SECFailure;
-+    }
-+
-+    if (!ss->ssl3.initialized) {
-+       PORT_SetError(SEC_ERROR_INVALID_ARGS);
-+       return SECFailure;
-+    }
-+
-+    if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-+       PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
-+       return SECFailure;
-+    }
-+
-+    /* Require a forward-secret key exchange. */
-+    *canFalseStart = ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
-+                    ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
-+                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
-+                    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa;
-+
-+    return SECSuccess;
-+}
-+
- /* Try to make progress on an SSL handshake by attempting to read the 
- ** next handshake from the peer, and sending any responses.
- ** For non-blocking sockets, returns PR_ERROR_WOULD_BLOCK  if it cannot 
-@@ -524,6 +600,9 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
-     int              amount;
-     int              available;
- 
-+    /* ssl3_GatherAppDataRecord may call ssl_FinishHandshake, which needs the
-+     * 1stHandshakeLock. */
-+    ssl_Get1stHandshakeLock(ss);
-     ssl_GetRecvBufLock(ss);
- 
-     available = ss->gs.writeOffset - ss->gs.readOffset;
-@@ -590,6 +669,7 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
- 
- done:
-     ssl_ReleaseRecvBufLock(ss);
-+    ssl_Release1stHandshakeLock(ss);
-     return rv;
- }
- 
-@@ -1156,7 +1236,7 @@ ssl_SecureRead(sslSocket *ss, unsigned char *buf, int len)
- int
- ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
- {
-    int              rv                = 0;
-+    int rv = 0;
- 
-     SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
-                SSL_GETPID(), ss->fd, len));
-@@ -1191,19 +1271,15 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
-        ss->writerThread = PR_GetCurrentThread();
-     /* If any of these is non-zero, the initial handshake is not done. */
-     if (!ss->firstHsDone) {
-       PRBool canFalseStart = PR_FALSE;
-+        PRBool falseStart = PR_FALSE;
-        ssl_Get1stHandshakeLock(ss);
-       if (ss->version >= SSL_LIBRARY_VERSION_3_0) {
-+        if (ss->opt.enableFalseStart &&
-+            ss->version >= SSL_LIBRARY_VERSION_3_0) {
-            ssl_GetSSL3HandshakeLock(ss);
-           if ((ss->ssl3.hs.ws == wait_change_cipher ||
-               ss->ssl3.hs.ws == wait_finished ||
-               ss->ssl3.hs.ws == wait_new_session_ticket) &&
-               ssl3_CanFalseStart(ss)) {
-               canFalseStart = PR_TRUE;
-           }
-+           falseStart = ss->ssl3.hs.canFalseStart;
-            ssl_ReleaseSSL3HandshakeLock(ss);
-        }
-       if (!canFalseStart &&
-+       if (!falseStart &&
-            (ss->handshake || ss->nextHandshake || ss->securityHandshake)) {
-            rv = ssl_Do1stHandshake(ss);
-        }
-@@ -1228,6 +1304,17 @@ ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
-        goto done;
-     }
- 
-+    if (!ss->firstHsDone) {
-+       PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_3_0);
-+#ifdef DEBUG
-+       ssl_GetSSL3HandshakeLock(ss);
-+       PORT_Assert(ss->ssl3.hs.canFalseStart);
-+       ssl_ReleaseSSL3HandshakeLock(ss);
-+#endif
-+       SSL_TRC(3, ("%d: SSL[%d]: SecureSend: sending data due to false start",
-+                   SSL_GETPID(), ss->fd));
-+    }
-+
-     /* Send out the data using one of these functions:
-      * ssl2_SendClear, ssl2_SendStream, ssl2_SendBlock, 
-      *  ssl3_SendApplicationData
-diff --git a/nss/lib/ssl/sslsock.c b/nss/lib/ssl/sslsock.c
-index cd4a7a7..73e069b 100644
--- a/nss/lib/ssl/sslsock.c
-+++ b/nss/lib/ssl/sslsock.c
-@@ -349,6 +349,8 @@ ssl_DupSocket(sslSocket *os)
-            ss->badCertArg            = os->badCertArg;
-            ss->handshakeCallback     = os->handshakeCallback;
-            ss->handshakeCallbackData = os->handshakeCallbackData;
-+            ss->canFalseStartCallback = os->canFalseStartCallback;
-+            ss->canFalseStartCallbackData = os->canFalseStartCallbackData;
-            ss->pkcs11PinArg          = os->pkcs11PinArg;
-     
-            /* Create security data */
-@@ -2341,10 +2343,14 @@ ssl_Poll(PRFileDesc *fd, PRInt16 how_flags, PRInt16 *p_out_flags)
-            } else if (new_flags & PR_POLL_WRITE) {
-                    /* The caller is trying to write, but the handshake is 
-                    ** blocked waiting for data to read, and the first 
-                   ** handshake has been sent.  so do NOT to poll on write.
-+                    ** handshake has been sent.  So do NOT to poll on write
-+                    ** unless we did false start.
-                    */
-                   new_flags ^=  PR_POLL_WRITE;   /* don't select on write. */
-                   new_flags |=  PR_POLL_READ;    /* do    select on read. */
-+                    if (!(ss->version >= SSL_LIBRARY_VERSION_3_0 &&
-+                        ss->ssl3.hs.canFalseStart)) {
-+                        new_flags ^= PR_POLL_WRITE; /* don't select on write. */
-+                    }
-+                    new_flags |= PR_POLL_READ;      /* do    select on read. */
-            }
-        }
-     } else if ((new_flags & PR_POLL_READ) && (SSL_DataPending(fd) > 0)) {
-- 
-1.7.9.5
diff --git a/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch b/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch
deleted file mode 100644
index f30475b16b..0000000000
--- a/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-nss: CVE-2013-5606
-Upstream-Status: Backport
-the patch comes from:
-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
-https://bugzilla.mozilla.org/show_bug.cgi?id=910438
-http://hg.mozilla.org/projects/nss/rev/d29898e0981c
-The CERT_VerifyCert function in lib/certhigh/certvfy.c in
-Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
-an unexpected return value for an incompatible key-usage certificate
-when the CERTVerifyLog argument is valid, which might allow remote
-attackers to bypass intended access restrictions via a crafted certificate.
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- nss/lib/certhigh/certvfy.c |    7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
-index f364ceb..f450205 100644
--- a/nss/lib/certhigh/certvfy.c
-+++ b/nss/lib/certhigh/certvfy.c
-@@ -1312,7 +1312,7 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
-        PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
-        LOG_ERROR_OR_EXIT(log,cert,0,flags);
-     } else if (trusted) {
-       goto winner;
-+       goto done;
-     }
- 
- 
-@@ -1340,7 +1340,10 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
-        }
-     }
- 
-winner:
-+done:
-+    if (log && log->head) {
-+        return SECFailure;
-+    }
-     return(SECSuccess);
- 
- loser:
-- 
-1.7.9.5
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch
deleted file mode 100644
index 1be8a17870..0000000000
--- a/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-nss: CVE-2014-1492
-Upstream-Status: Backport
-the patch comes from:
-http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492
-https://bugzilla.mozilla.org/show_bug.cgi?id=903885
-changeset:   11063:709d4e597979
-user:        Kai Engert <kaie@kuix.de>
-date:        Wed Mar 05 18:38:55 2014 +0100
-summary:     Bug 903885, address requests to clarify comments from wtc
-changeset:   11046:2ffa40a3ff55
-tag:         tip
-user:        Wan-Teh Chang <wtc@google.com>
-date:        Tue Feb 25 18:17:08 2014 +0100
-summary:     Bug 903885, fix IDNA wildcard handling v4, r=kaie
-changeset:   11045:15ea62260c21
-user:        Christian Heimes <sites@cheimes.de>
-date:        Mon Feb 24 17:50:25 2014 +0100
-summary:     Bug 903885, fix IDNA wildcard handling, r=kaie
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- nss/lib/certdb/certdb.c |   15 +++++++++------
- 1 file changed, 9 insertions(+), 6 deletions(-)
-diff --git a/nss/lib/certdb/certdb.c b/nss/lib/certdb/certdb.c
-index b7d22bd..91877b7 100644
--- a/nss/lib/certdb/certdb.c
-+++ b/nss/lib/certdb/certdb.c
-@@ -1381,7 +1381,7 @@ cert_TestHostName(char * cn, const char * hn)
-            return rv;
-        }
-     } else {
-       /* New approach conforms to RFC 2818. */
-+       /* New approach conforms to RFC 6125. */
-        char *wildcard    = PORT_Strchr(cn, '*');
-        char *firstcndot  = PORT_Strchr(cn, '.');
-        char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
-@@ -1390,14 +1390,17 @@ cert_TestHostName(char * cn, const char * hn)
-        /* For a cn pattern to be considered valid, the wildcard character...
-         * - may occur only in a DNS name with at least 3 components, and
-         * - may occur only as last character in the first component, and
-        * - may be preceded by additional characters
-+         * - may be preceded by additional characters, and
-+         * - must not be preceded by an IDNA ACE prefix (xn--)
-         */
-        if (wildcard && secondcndot && secondcndot[1] && firsthndot 
-           && firstcndot  - wildcard  == 1
-           && secondcndot - firstcndot > 1
-           && PORT_Strrchr(cn, '*') == wildcard
-+            && firstcndot  - wildcard  == 1 /* wildcard is last char in first component */
-+            && secondcndot - firstcndot > 1 /* second component is non-empty */
-+            && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
-            && !PORT_Strncasecmp(cn, hn, wildcard - cn)
-           && !PORT_Strcasecmp(firstcndot, firsthndot)) {
-+            && !PORT_Strcasecmp(firstcndot, firsthndot)
-+               /* If hn starts with xn--, then cn must start with wildcard */
-+            && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
-            /* valid wildcard pattern match */
-            return SECSuccess;
-        }
-- 
-1.7.9.5
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch
deleted file mode 100644
index d6434dfe23..0000000000
--- a/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-nss: CVE-2014-1544
-the patch comes from:
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544
-https://hg.mozilla.org/projects/nss/rev/204f22c527f8
-author  Robert Relyea <rrelyea@redhat.com>
-https://bugzilla.mozilla.org/show_bug.cgi?id=963150
-Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls
-to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from
-freeing the CERTCertificate associated with the NSSCertificate. r=wtc.
-Upstream-Status: Pending
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- nss/lib/pk11wrap/pk11cert.c |    7 +++++++
- 1 file changed, 7 insertions(+)
-diff --git a/nss/lib/pk11wrap/pk11cert.c b/nss/lib/pk11wrap/pk11cert.c
-index 39168b9..3f3edb1 100644
--- a/nss/lib/pk11wrap/pk11cert.c
-+++ b/nss/lib/pk11wrap/pk11cert.c
-@@ -981,8 +981,15 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
-      * CERTCertificate, and finish
-      */
-     nssPKIObject_AddInstance(&c->object, certobj);
-+    /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
-+     * replace 'c' by a different value. So we add a reference to 'c' to
-+     * prevent 'c' from being destroyed. */
-+    nssCertificate_AddRef(c);
-     nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
-+    /* XXX should we pass the original value of 'c' to
-+     * STAN_ForceCERTCertificateUpdate? */
-     (void)STAN_ForceCERTCertificateUpdate(c);
-+    nssCertificate_Destroy(c);
-     SECITEM_FreeItem(keyID,PR_TRUE);
-     return SECSuccess;
- loser:
-- 
-1.7.9.5
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index ce7bff4e5d..e5e30961cc 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -16,20 +16,13 @@ SRC_URI = "\
    file://nss-fix-support-cross-compiling.patch \
    file://nss-no-rpath-for-cross-compiling.patch \
    file://nss-fix-incorrect-shebang-of-perl.patch \
-    file://nss-3.15.1-fix-CVE-2013-1741.patch \
-    file://nss-3.15.1-fix-CVE-2013-5605.patch \
-    file://nss-CVE-2014-1492.patch \
-    file://nss-CVE-2013-1740.patch \
-    file://nss-3.15.1-fix-CVE-2013-1739.patch \
-    file://nss-CVE-2013-5606.patch \
-    file://nss-CVE-2014-1544.patch \
 "
 SRC_URI_append = "\
    file://nss.pc.in \
    file://signlibs.sh \
 "
 inherit siteinfo
-PR = "r0"
 DEPENDS = "sqlite3 nspr zlib nss-native"
 DEPENDS_class-native = "sqlite3-native nspr-native zlib-native"
 RDEPENDS_${PN} = "perl"
diff --git a/meta/recipes-support/nss/files/nss-fix-incorrect-shebang-of-perl.patch b/meta/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch
index 547594d5b6..547594d5b6 100644
--- a/meta/recipes-support/nss/files/nss-fix-incorrect-shebang-of-perl.patch
+++ b/meta/recipes-support/nss/nss/nss-fix-incorrect-shebang-of-perl.patch
diff --git a/meta/recipes-support/nss/files/nss-fix-support-cross-compiling.patch b/meta/recipes-support/nss/nss/nss-fix-support-cross-compiling.patch
index f0b3550bff..f0b3550bff 100644
--- a/meta/recipes-support/nss/files/nss-fix-support-cross-compiling.patch
+++ b/meta/recipes-support/nss/nss/nss-fix-support-cross-compiling.patch
diff --git a/meta/recipes-support/nss/files/nss-no-rpath-for-cross-compiling.patch b/meta/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch
index 7661dc93a0..7661dc93a0 100644
--- a/meta/recipes-support/nss/files/nss-no-rpath-for-cross-compiling.patch
+++ b/meta/recipes-support/nss/nss/nss-no-rpath-for-cross-compiling.patch
diff --git a/meta/recipes-support/nss/files/nss.pc.in b/meta/recipes-support/nss/nss/nss.pc.in
index 200f635c65..200f635c65 100644
--- a/meta/recipes-support/nss/files/nss.pc.in
+++ b/meta/recipes-support/nss/nss/nss.pc.in
diff --git a/meta/recipes-support/nss/files/signlibs.sh b/meta/recipes-support/nss/nss/signlibs.sh
index 1ec79f4576..1ec79f4576 100644
--- a/meta/recipes-support/nss/files/signlibs.sh
+++ b/meta/recipes-support/nss/nss/signlibs.sh
diff --git a/meta/recipes-support/nss/nss_3.15.1.bb b/meta/recipes-support/nss/nss_3.15.1.bb
deleted file mode 100644
index 7b06f00cde..0000000000
--- a/meta/recipes-support/nss/nss_3.15.1.bb
+++ /dev/null
@@ -1,9 +0,0 @@
-require nss.inc
-SRC_URI += "\
-    http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/${BPN}-${PV}.tar.gz \
-"
-SRC_URI[md5sum] = "fb68f4d210ac9397dd0d3c39c4f938eb"
-SRC_URI[sha256sum] = "f994106a33d1f3210f4151bbb3419a1c28fd1cb545caa7dc9afdebd6da626284"
diff --git a/meta/recipes-support/nss/nss_3.17.bb b/meta/recipes-support/nss/nss_3.17.bb
new file mode 100644
index 0000000000..804783f3c0
--- /dev/null
+++ b/meta/recipes-support/nss/nss_3.17.bb
@@ -0,0 +1,8 @@
+require nss.inc
+SRC_URI += "\
+    http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_17_RTM/src/${BPN}-${PV}.tar.gz \
+"
+SRC_URI[md5sum] = "081dd99afa12af589c09e2d7cb5f5c6d"
+SRC_URI[sha256sum] = "3b1abcd8f89211dda2cc739bfa76552d080f7ea80482ef2727b006548a7f0c81"
author	Saul Wold <sgw@linux.intel.com>	2014-09-04 13:42:08 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-11-06 16:45:21 +0000
commit	8569e10e59a539d0ac8d4f3db2cc81aa0681a7c8 (patch)
tree	54bdca1a1eefd5d95667a80ca3d614b5afa69a0a /meta
parent	c1809c4b899994cf97686cc27345a2d7b262c547 (diff)
download	poky-8569e10e59a539d0ac8d4f3db2cc81aa0681a7c8.tar.gz