Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18, landing beta 1, r=wtc
authorKai Engert <kaie@kuix.de>
Sat, 25 Oct 2014 00:34:34 +0200
changeset 212318 f8e9b337e5d7
parent 212317 8add8629f765
child 212319 44aadcfb5f57
push id50934
push userkaie@kuix.de
push date2014-10-24 22:34 +0000
reviewerswtc
bugs1088969
milestone36.0a1
Bug 1088969 - Upgrade Mozilla 36 to use NSS 3.18, landing beta 1, r=wtc
security/nss/TAG-INFO
security/nss/cmd/lib/secutil.c
security/nss/cmd/rsaperf/rsaperf.c
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/tstclnt/tstclnt.c
security/nss/coreconf/coreconf.dep
security/nss/lib/crmf/respcli.c
security/nss/lib/freebl/cts.c
security/nss/lib/nss/nss.def
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11cert.c
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11util.c
security/nss/lib/softoken/legacydb/pcertdb.c
security/nss/lib/softoken/softkver.h
security/nss/lib/ssl/ssl3con.c
security/nss/lib/util/nssutil.h
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_17_2_RTM
+NSS_3_18_BETA1
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -286,16 +286,19 @@ secu_InitSlotPassword(PK11SlotInfo *slot
     PR_fprintf(PR_STDERR, 
         "Enter a password which will be used to encrypt your keys.\n"
      	"The password should be at least 8 characters long,\n"
      	"and should contain at least one non-alphabetic character.\n\n");
 
     output = fopen(consoleName, "w");
     if (output == NULL) {
 	PR_fprintf(PR_STDERR, "Error opening output terminal for write\n");
+#ifndef _WINDOWS
+	fclose(input);
+#endif
 	return NULL;
     }
 
 
     for (;;) {
 	if (p0) 
 	    PORT_Free(p0);
 	p0 = SEC_GetPassword(input, output, "Enter new password: ",
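Review bot: The `#ifndef _WINDOWS` guard around the added `fclose(input)` has no explanation at this site, and the code that opens `input` is outside the hunk. Presumably the function opens the console for reading only on non-Windows builds and uses a stream it does not own otherwise; if so, a comment such as `/* input was opened by us only on non-Windows builds */` would keep the two guards in step. It is also worth confirming that the later exit paths of secu_InitSlotPassword, which are not visible here, release `input` and `output` the same way.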
--- a/security/nss/cmd/rsaperf/rsaperf.c
+++ b/security/nss/cmd/rsaperf/rsaperf.c
@@ -396,18 +396,16 @@ main(int argc, char **argv)
 
     if ((doPriv && doPub) || (doIters && doTime) ||
         ((useTokenKey + useSessionKey + useBLKey) != PR_TRUE) ||
         (useTokenKey && keybits) || (useTokenKey && doKeyGen) ||
         (keybits && (keybits<MIN_KEY_BITS || keybits>MAX_KEY_BITS))) {
         Usage(progName);
     }
 
-    if (!doPriv && !doPub) doPriv = PR_TRUE;
-
     if (doIters && doTime) Usage(progName);
 
     if (!doTime) {
         doIters = PR_TRUE;
     }
 
     PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
 
@@ -425,19 +423,17 @@ main(int argc, char **argv)
 	if (rv != SECSuccess) {
 	    fprintf(stderr, "NSS_NoDB_Init failed.\n");
 	    exit(1);
 	}
     }
 
     if (useTokenKey) {
         CK_OBJECT_HANDLE kh = CK_INVALID_HANDLE;
-        CERTCertDBHandle* certdb = NULL;
-	certdb = CERT_GetDefaultCertDB();
-        
+
         cert = PK11_FindCertFromNickname(nickname, &pwData);
         if (cert == NULL) {
             fprintf(stderr,
                     "Can't find certificate by name \"%s\"\n", nickname);
             exit(1);
         }
         pubHighKey = CERT_ExtractPublicKey(cert);
         if (pubHighKey == NULL) {
@@ -485,19 +481,17 @@ main(int argc, char **argv)
         void             * params;
 
         slot = PK11_FindSlotByName(slotname); /* locate target slot */
         if (!slot) {
             fprintf(stderr, "Can't find slot \"%s\"\n", slotname);
             exit(1);
         }
 
-        doKeyGen = PR_TRUE; /* Always do a keygen for session keys.
-                               Import of hardcoded key is not supported */
-        /* do a temporary keygen in selected slot */        
+        /* do a temporary keygen in selected slot */
         if (!keybits) {
             keybits = DEFAULT_KEY_BITS;
         }
 
         printf("Using PKCS#11 with %ld bits session key in token %s.\n",
                keybits, PK11_GetTokenName(slot));
 
         rsaparams.keySizeInBits = keybits;
--- a/security/nss/cmd/ssltap/ssltap.c
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int)
   case 0x000098:    cs_str = "TLS/DH-RSA/SEED-CBC/SHA";		break;      
   case 0x000099:    cs_str = "TLS/DHE-DSS/SEED-CBC/SHA";	break;     
   case 0x00009A:    cs_str = "TLS/DHE-RSA/SEED-CBC/SHA";	break;     
   case 0x00009B:    cs_str = "TLS/DH-ANON/SEED-CBC/SHA";	break;     
   case 0x00009C:    cs_str = "TLS/RSA/AES128-GCM/SHA256";	break;     
   case 0x00009E:    cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256";	break;     
 
   case 0x0000FF:    cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break;
+  case 0x005600:    cs_str = "TLS_FALLBACK_SCSV"; break;
 
   case 0x00C001:    cs_str = "TLS/ECDH-ECDSA/NULL/SHA";         break;
   case 0x00C002:    cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA";      break;
   case 0x00C003:    cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break;
   case 0x00C004:    cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA";   break;
   case 0x00C005:    cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA";   break;
   case 0x00C006:    cs_str = "TLS/ECDHE-ECDSA/NULL/SHA";        break;
   case 0x00C007:    cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA";     break;
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void *
     }
 }
 
 static void PrintUsageHeader(const char *progName)
 {
     fprintf(stderr, 
 "Usage:  %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n"
                     "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n"
-                    "[-V [min-version]:[max-version]] [-T]\n"
+                    "[-V [min-version]:[max-version]] [-K] [-T]\n"
                     "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", 
             progName);
 }
 
 static void PrintParameterUsage(void)
 {
     fprintf(stderr, "%-20s Send different SNI name. 1st_hs_name - at first\n"
                     "%-20s handshake, 2nd_hs_name - at second handshake.\n"
@@ -201,16 +201,17 @@ static void PrintParameterUsage(void)
     fprintf(stderr, 
             "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B");
     fprintf(stderr, 
             "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
             "%-20s All versions are enabled by default.\n"
             "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
             "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
             "-V [min]:[max]", "", "", "");
+    fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
     fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S");
     fprintf(stderr, "%-20s Client speaks first. \n", "-f");
     fprintf(stderr, "%-20s Use synchronous certificate validation "
                     "(required for SSL2)\n", "-O");
     fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o");
     fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s");
     fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v");
     fprintf(stderr, "%-20s Use export policy.\n", "-x");
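Review bot: The help line added for `-K` says only "Send TLS_FALLBACK_SCSV" and does not tell the user that the flag is unconditional. Judging from the option handling later in this commit, the SCSV is requested whenever `-K` is given, independent of the `-V` range, whereas a normal client would send it only on a retry with a lowered maximum version. Wording such as `"%-20s Always send TLS_FALLBACK_SCSV (for testing server downgrade detection)\n"` would make it clear this is a test switch. PrintParameterUsage starts and ends outside the hunk.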
@@ -802,16 +803,17 @@ int main(int argc, char **argv)
     PRBool             enableSSL2 = PR_TRUE;
     int                bypassPKCS11 = 0;
     int                disableLocking = 0;
     int                useExportPolicy = 0;
     int                enableSessionTickets = 0;
     int                enableCompression = 0;
     int                enableFalseStart = 0;
     int                enableCertStatus = 0;
+    int                forceFallbackSCSV = 0;
     PRSocketOptionData opt;
     PRNetAddr          addr;
     PRPollDesc         pollset[2];
     PRBool             allowIPv4 = PR_TRUE;
     PRBool             allowIPv6 = PR_TRUE;
     PRBool             pingServerFirst = PR_FALSE;
     int                pingTimeoutSeconds = -1;
     PRBool             clientSpeaksFirst = PR_FALSE;
@@ -847,17 +849,17 @@ int main(int argc, char **argv)
        if (sec > 0) {
            maxInterval = PR_SecondsToInterval(sec);
        }
     }
 
     SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions);
 
     optstate = PL_CreateOptState(argc, argv,
-                                 "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
+                                 "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz");
     while ((optstatus = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
 	switch (optstate->option) {
 	  case '?':
 	  default : Usage(progName); 			break;
 
           case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break;
           case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break;
 
@@ -869,16 +871,18 @@ int main(int argc, char **argv)
                     }
                     serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE;
                     break;
 
 	  case 'I': /* reserved for OCSP multi-stapling */ break;
 
           case 'O': serverCertAuth.shouldPause = PR_FALSE; break;
 
+          case 'K': forceFallbackSCSV = PR_TRUE; break;
+
           case 'M': switch (atoi(optstate->value)) {
                       case 1:
                           serverCertAuth.allowOCSPSideChannelData = PR_TRUE;
                           serverCertAuth.allowCRLSideChannelData = PR_FALSE;
                           break;
                       case 2:
                           serverCertAuth.allowOCSPSideChannelData = PR_FALSE;
                           serverCertAuth.allowCRLSideChannelData = PR_TRUE;
@@ -1213,16 +1217,24 @@ int main(int argc, char **argv)
 
     /* enable false start. */
     rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart);
     if (rv != SECSuccess) {
 	SECU_PrintError(progName, "error enabling false start");
 	return 1;
     }
 
+    if (forceFallbackSCSV) {
+        rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE);
+        if (rv != SECSuccess) {
+            SECU_PrintError(progName, "error forcing fallback scsv");
+            return 1;
+        }
+    }
+
     /* enable cert status (OCSP stapling). */
     rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus);
     if (rv != SECSuccess) {
         SECU_PrintError(progName, "error enabling cert status (OCSP stapling)");
         return 1;
     }
 
     SSL_SetPKCS11PinArg(s, &pwdata);
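Review bot: The new `if (forceFallbackSCSV)` block is the only option-setting step in this hunk without a leading comment; its neighbours carry `/* enable false start. */` and `/* enable cert status (OCSP stapling). */`. I would add `/* send TLS_FALLBACK_SCSV if -K was given. */` above it. The flag is declared `int` in an earlier hunk but assigned `PR_TRUE` in the `case 'K'` hunk; either `= 1` there or a `PRBool` declaration would be consistent. main() starts and ends outside the hunk.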
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/lib/crmf/respcli.c
+++ b/security/nss/lib/crmf/respcli.c
@@ -87,21 +87,23 @@ CMMF_CertRepContentGetResponseAtIndex(CM
 
     PORT_Assert(inCertRepContent != NULL &&
 		cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex));
     if (inCertRepContent == NULL ||
 	!cmmf_CertRepContentIsIndexValid(inCertRepContent, inIndex)) {
         return NULL;
     }
     certResponse = PORT_ZNew(CMMFCertResponse);
-    rv = cmmf_CopyCertResponse(NULL, certResponse, 
-			       inCertRepContent->response[inIndex]);
-    if (rv != SECSuccess) {
-        CMMF_DestroyCertResponse(certResponse);
-	certResponse = NULL;
+    if (certResponse){
+	rv = cmmf_CopyCertResponse(NULL, certResponse, 
+				   inCertRepContent->response[inIndex]);
+	if (rv != SECSuccess) {
+	    CMMF_DestroyCertResponse(certResponse);
+	    certResponse = NULL;
+	}
     }
     return certResponse;
 }
 
 CMMFPKIStatus
 CMMF_CertResponseGetPKIStatusInfoStatus(CMMFCertResponse *inCertResp)
 {
     PORT_Assert(inCertResp != NULL);
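Review bot: The added `if (certResponse){` nests the copy and its error handling, while the function already uses an early return for bad arguments a few lines above. `if (certResponse == NULL) return NULL;` directly after the `PORT_ZNew` call would leave the original copy code at its old indentation and make the allocation-failure path obvious. If the nested form stays, it needs a space before the brace to match the surrounding style. CMMF_CertRepContentGetResponseAtIndex begins outside the hunk.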
--- a/security/nss/lib/freebl/cts.c
+++ b/security/nss/lib/freebl/cts.c
@@ -234,17 +234,16 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
     }
     *outlen = fullblocks; /* AES low level doesn't set outlen */
     inbuf += fullblocks;
     inlen -= fullblocks;
     if (inlen == 0) {
 	return SECSuccess;
     }
     outbuf += fullblocks;
-    maxout -= fullblocks;
 
     /* recover the stolen text */
     PORT_Memset(lastBlock, 0, blocksize);
     PORT_Memcpy(lastBlock, inbuf, inlen);
     PORT_Memcpy(Cn_1, inbuf, inlen);
     Pn = outbuf-blocksize;
     /* inbuf points to Cn-1* in the input buffer */
     /* NOTE: below there are 2 sections marked "make up for the out of order
--- a/security/nss/lib/nss/nss.def
+++ b/security/nss/lib/nss/nss.def
@@ -1057,8 +1057,14 @@ SECMOD_InternaltoPubMechFlags;
 ;+    global:
 CERT_AddExtensionByOID;
 CERT_GetGeneralNameTypeFromString;
 PK11_PubEncrypt;
 PK11_PrivDecrypt;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.18 { 	# NSS 3.18 release
+;+    global:
+PK11_SetCertificateNickname;
+;+    local:
+;+       *;
+;+};
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -28,22 +28,22 @@
 
 /*
  * NSS's major version, minor version, patch level, build number, and whether
  * this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define NSS_VERSION  "3.17.2" _NSS_ECC_STRING _NSS_CUSTOMIZED
+#define NSS_VERSION  "3.18" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
 #define NSS_VMAJOR   3
-#define NSS_VMINOR   17
-#define NSS_VPATCH   2
+#define NSS_VMINOR   18
+#define NSS_VPATCH   0
 #define NSS_VBUILD   0
-#define NSS_BETA     PR_FALSE
+#define NSS_BETA     PR_TRUE
 
 #ifndef RC_INVOKED
 
 #include "seccomon.h"
 
 typedef struct NSSInitParametersStr NSSInitParameters;
 
 /*
--- a/security/nss/lib/pk11wrap/pk11cert.c
+++ b/security/nss/lib/pk11wrap/pk11cert.c
@@ -2148,17 +2148,16 @@ PK11_FindCertFromDERCert(PK11SlotInfo *s
 
 CERTCertificate *
 PK11_FindCertFromDERCertItem(PK11SlotInfo *slot, const SECItem *inDerCert,
 								 void *wincx)
 
 {
     NSSDER derCert;
     NSSToken *tok;
-    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
     nssCryptokiObject *co = NULL;
     SECStatus rv;
 
     tok = PK11Slot_GetNSSToken(slot);
     NSSITEM_FROM_SECITEM(&derCert, inDerCert);
     rv = pk11_AuthenticateUnfriendly(slot, PR_TRUE, wincx);
     if (rv != SECSuccess) {
 	PK11_FreeSlot(slot);
@@ -2682,8 +2681,19 @@ PK11_GetAllSlotsForCert(CERTCertificate 
 	PK11_FreeSlotList(slotList);
 	PORT_SetError(SEC_ERROR_NO_TOKEN);
 	slotList = NULL;
     }
 
     nssCryptokiObjectArray_Destroy(instances);
     return slotList;
 }
+
+SECStatus
+PK11_SetCertificateNickname(CERTCertificate *cert, const char *nickname)
+{
+    /* Can't set nickname of temp cert. */
+    if (!cert->slot || cert->pkcs11ID == CK_INVALID_HANDLE) {
+        return SEC_ERROR_INVALID_ARGS;
+    }
+    return PK11_SetObjectNickname(cert->slot, cert->pkcs11ID, nickname);
+}
+
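Review bot: `PK11_SetCertificateNickname` returns `SEC_ERROR_INVALID_ARGS` from a function declared to return `SECStatus`, so the temp-cert path hands back an error code instead of a status value. Callers that test `rv == SECFailure` will miss it, and the error code is never set for `PORT_GetError()`. The branch should read `PORT_SetError(SEC_ERROR_INVALID_ARGS); return SECFailure;`. `cert` is also dereferenced without a NULL check; adding `!cert ||` to the condition would cover that unless callers are guaranteed to pass a valid certificate.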
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -453,16 +453,18 @@ SECKEYPrivateKey * PK11_LoadPrivKey(PK11
 char * PK11_GetSymKeyNickname(PK11SymKey *symKey);
 char * PK11_GetPrivateKeyNickname(SECKEYPrivateKey *privKey);
 char * PK11_GetPublicKeyNickname(SECKEYPublicKey *pubKey);
 SECStatus PK11_SetSymKeyNickname(PK11SymKey *symKey, const char *nickname);
 SECStatus PK11_SetPrivateKeyNickname(SECKEYPrivateKey *privKey, 
 							const char *nickname);
 SECStatus PK11_SetPublicKeyNickname(SECKEYPublicKey *pubKey, 
 							const char *nickname);
+SECStatus PK11_SetCertificateNickname(CERTCertificate *cert,
+                                      const char *nickname);
 
 /* size to hold key in bytes */
 unsigned int PK11_GetKeyLength(PK11SymKey *key);
 /* size of actual secret parts of key in bits */
 /* algid is because RC4 strength is determined by the effective bits as well
  * as the key bits */
 unsigned int PK11_GetKeyStrength(PK11SymKey *key,SECAlgorithmID *algid);
 SECStatus PK11_ExtractKeyValue(PK11SymKey *symKey);
--- a/security/nss/lib/pk11wrap/pk11util.c
+++ b/security/nss/lib/pk11wrap/pk11util.c
@@ -1180,17 +1180,17 @@ end_wait:
  * This function "wakes up" WaitForAnyTokenEvent. It's a pretty drastic
  * function, possibly bringing down the pkcs #11 module in question. This
  * should be OK because 1) it does reinitialize, and 2) it should only be
  * called when we are on our way to tear the whole system down anyway.
  */
 SECStatus
 SECMOD_CancelWait(SECMODModule *mod)
 {
-    unsigned long controlMask = mod->evControlMask;
+    unsigned long controlMask;
     SECStatus rv = SECSuccess;
     CK_RV crv;
 
     PZ_Lock(mod->refLock);
     mod->evControlMask |= SECMOD_END_WAIT;
     controlMask = mod->evControlMask;
     if (controlMask & SECMOD_WAIT_PKCS11_EVENT) {
         if (!pk11_getFinalizeModulesOption()) {
--- a/security/nss/lib/softoken/legacydb/pcertdb.c
+++ b/security/nss/lib/softoken/legacydb/pcertdb.c
@@ -4728,27 +4728,26 @@ nsslowcert_FindTrustByKey(NSSLOWCERTCert
  */
 NSSLOWCERTCertificate *
 nsslowcert_FindCertByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, NSSLOWCERTIssuerAndSN *issuerAndSN)
 {
     SECItem certKey;
     SECItem *sn = &issuerAndSN->serialNumber;
     SECItem *issuer = &issuerAndSN->derIssuer;
     NSSLOWCERTCertificate *cert;
-    int data_left = sn->len-1;
     int data_len = sn->len;
     int index = 0;
 
     /* automatically detect DER encoded serial numbers and remove the der
      * encoding since the database expects unencoded data. 
      * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
     if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
 	/* remove the der encoding of the serial number before generating the
 	 * key.. */
-	data_left = sn->len-2;
+	int data_left = sn->len-2;
 	data_len = sn->data[1];
 	index = 2;
 
 	/* extended length ? (not very likely for a serial number) */
 	if (data_len & 0x80) {
 	    int len_count = data_len & 0x7f;
 
 	    data_len = 0;
@@ -4813,28 +4812,27 @@ NSSLOWCERTTrust *
 nsslowcert_FindTrustByIssuerAndSN(NSSLOWCERTCertDBHandle *handle, 
 					NSSLOWCERTIssuerAndSN *issuerAndSN)
 {
     SECItem certKey;
     SECItem *sn = &issuerAndSN->serialNumber;
     SECItem *issuer = &issuerAndSN->derIssuer;
     NSSLOWCERTTrust *trust;
     unsigned char keyBuf[512];
-    int data_left = sn->len-1;
     int data_len = sn->len;
     int index = 0;
     int len;
 
     /* automatically detect DER encoded serial numbers and remove the der
      * encoding since the database expects unencoded data. 
      * if it's DER encoded, there must be at least 3 bytes, tag, len, data */
     if ((sn->len >= 3) && (sn->data[0] == 0x2)) {
 	/* remove the der encoding of the serial number before generating the
 	 * key.. */
-	data_left = sn->len-2;
+	int data_left = sn->len-2;
 	data_len = sn->data[1];
 	index = 2;
 
 	/* extended length ? (not very likely for a serial number) */
 	if (data_len & 0x80) {
 	    int len_count = data_len & 0x7f;
 
 	    data_len = 0;
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -20,16 +20,16 @@
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
-#define SOFTOKEN_VERSION  "3.17.2" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION  "3.18" SOFTOKEN_ECC_STRING " Beta"
 #define SOFTOKEN_VMAJOR   3
-#define SOFTOKEN_VMINOR   17
-#define SOFTOKEN_VPATCH   2
+#define SOFTOKEN_VMINOR   18
+#define SOFTOKEN_VPATCH   0
 #define SOFTOKEN_VBUILD   0
-#define SOFTOKEN_BETA     PR_FALSE
+#define SOFTOKEN_BETA     PR_TRUE
 
 #endif /* _SOFTKVER_H_ */
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -5111,17 +5111,16 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
 	PRUint32 maxBytes = 65535; /* 2^16 - 1 */
 	PRInt32  extLen;
 
 	extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
 	if (extLen < 0) {
 	    if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
 	    return SECFailure;
 	}
-	maxBytes        -= extLen;
 	total_exten_len += extLen;
 
 	if (total_exten_len > 0)
 	    total_exten_len += 2;
     }
 
 #ifndef NSS_DISABLE_ECC
     if (!total_exten_len || !isTLS) {
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -14,22 +14,22 @@
 
 /*
  * NSS utilities's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION  "3.17.2"
+#define NSSUTIL_VERSION  "3.18 Beta"
 #define NSSUTIL_VMAJOR   3
-#define NSSUTIL_VMINOR   17
-#define NSSUTIL_VPATCH   2
+#define NSSUTIL_VMINOR   18
+#define NSSUTIL_VPATCH   0
 #define NSSUTIL_VBUILD   0
-#define NSSUTIL_BETA     PR_FALSE
+#define NSSUTIL_BETA     PR_TRUE
 
 SEC_BEGIN_PROTOS
 
 /*
  * Returns a const string of the UTIL library version.
  */
 extern const char *NSSUTIL_GetVersion(void);