Bug 934378, Bug 898431: Update NSS to NSS 3.15.4 beta 2 (NSS_3_15_4_BETA2), r=me
authorBrian Smith <brian@briansmith.org>
Sat, 09 Nov 2013 11:02:17 -0800
changeset 154285 61fb80e560def2b5b96a6c27318beb8c2e67f852
parent 154284 23e213d57704ab58d8fd03da8bcdb9c17432e2dc
child 154286 b539bdc3e6b763bb4ecb938045961a09499ed072
push id25634
push usercbook@mozilla.com
push dateMon, 11 Nov 2013 07:54:04 +0000
reviewersme
bugs934378, 898431
milestone28.0a1
Bug 934378, Bug 898431: Update NSS to NSS 3.15.4 beta 2 (NSS_3_15_4_BETA2), r=me
configure.in
security/nss/TAG-INFO
security/nss/coreconf/coreconf.dep
security/nss/lib/ssl/ssl3con.c
security/nss/tests/ocsp/ocsp.sh
--- a/configure.in
+++ b/configure.in
@@ -3663,17 +3663,17 @@ dnl = If NSS was not detected in the sys
 dnl = use the one in the source tree (mozilla/security/nss)
 dnl ========================================================
 
 MOZ_ARG_WITH_BOOL(system-nss,
 [  --with-system-nss       Use system installed NSS],
     _USE_SYSTEM_NSS=1 )
 
 if test -n "$_USE_SYSTEM_NSS"; then
-    AM_PATH_NSS(3.15.3, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
+    AM_PATH_NSS(3.15.4, [MOZ_NATIVE_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
 fi
 
 if test -n "$MOZ_NATIVE_NSS"; then
    NSS_LIBS="$NSS_LIBS -lcrmf"
 else
    NSS_CFLAGS='-I$(LIBXUL_DIST)/include/nss'
 
    if test -z "$GNU_CC" -a "$OS_ARCH" = "WINNT" -o "$OS_ARCH" = "OS2"; then
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_15_4_BETA1
+NSS_3_15_4_BETA2
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -7038,31 +7038,30 @@ ssl3_CheckFalseStart(sslSocket *ss)
 
     ss->ssl3.hs.canFalseStart = PR_FALSE;
     return SECSuccess;
 }
 
 PRBool
 ssl3_WaitingForStartOfServerSecondRound(sslSocket *ss)
 {
-    PRBool result = PR_FALSE;
+    PRBool result;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     switch (ss->ssl3.hs.ws) {
     case wait_new_session_ticket:
         result = PR_TRUE;
         break;
     case wait_change_cipher:
         result = !ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn);
         break;
-    case wait_finished:
+    default:
+        result = PR_FALSE;
         break;
-    default:
-        PR_NOT_REACHED("ssl3_WaitingForStartOfServerSecondRound");
     }
 
     return result;
 }
 
 static SECStatus ssl3_SendClientSecondRound(sslSocket *ss);
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
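Review bot: The new `default:` arm in ssl3_WaitingForStartOfServerSecondRound returns PR_FALSE for every handshake state other than wait_new_session_ticket and wait_change_cipher, and nothing in the function says that this is deliberate. The direction is the conservative one, because a PR_FALSE result keeps the caller in ssl3_AuthCertificateComplete from running the false start check. With the explicit `wait_finished` case and the PR_NOT_REACHED gone, though, a reader can no longer tell expected states from unexpected ones. I would put a comment on the arm, worded to match the actual intent, for example `/* Any other state: not waiting for the start of the server's second round, so do not false start. */`, and add a short header comment on the function describing what each of the two named states means for the result.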
@@ -9962,29 +9961,27 @@ ssl3_AuthCertificateComplete(sslSocket *
 	}
     } else {
 	SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
         	    " peer's finished message", SSL_GETPID(), ss->fd));
 
 	PORT_Assert(!ss->firstHsDone);
 	PORT_Assert(!ss->sec.isServer);
 	PORT_Assert(!ss->ssl3.hs.isResuming);
-	PORT_Assert(ss->ssl3.hs.ws == wait_new_session_ticket ||
-		    ss->ssl3.hs.ws == wait_change_cipher ||
-		    ss->ssl3.hs.ws == wait_finished);
-
-	/* ssl3_SendClientSecondRound deferred the false start check because
-	 * certificate authentication was pending, so we do it now if we still
-         * haven't received any of the server's second round yet.
-	 */
+	PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
+
 	if (ss->opt.enableFalseStart &&
 	    !ss->firstHsDone &&
 	    !ss->sec.isServer &&
 	    !ss->ssl3.hs.isResuming &&
 	    ssl3_WaitingForStartOfServerSecondRound(ss)) {
+	    /* ssl3_SendClientSecondRound deferred the false start check because
+	     * certificate authentication was pending, so we do it now if we still
+	     * haven't received any of the server's second round yet.
+	     */
 	    rv = ssl3_CheckFalseStart(ss);
 	} else {
 	    rv = SECSuccess;
 	}
     }
 
 done:
     ssl_ReleaseSSL3HandshakeLock(ss);
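Review bot: `PORT_Assert(ss->ssl3.hs.ws != idle_handshake)` replaces a check for three specific states with one that admits every state except idle, and the hunk gives no reason for the wider set. A one-line comment above it would record why, for example `/* hs.ws may have advanced while certificate authentication was pending; only idle_handshake is excluded here. */`, adjusted to whatever the real reason is. PORT_Assert is a debug-build check, so in release builds the decision to call ssl3_CheckFalseStart rests entirely on the `if` condition below it, in particular on ssl3_WaitingForStartOfServerSecondRound. The comment should say that the assert documents an expectation and is not the gate. ssl3_AuthCertificateComplete begins and ends outside this hunk.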
--- a/security/nss/tests/ocsp/ocsp.sh
+++ b/security/nss/tests/ocsp/ocsp.sh
@@ -55,21 +55,21 @@ ocsp_stapling()
   # on some build bot slaves.
 
   TESTNAME="startssl valid, supports OCSP stapling"
   echo "$SCRIPTNAME: $TESTNAME"
   echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}"
   ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5143 -d . < ${REQF}
   html_msg $? 0 "$TESTNAME"
 
-  TESTNAME="startssl revoked, supports OCSP stapling"
-  echo "$SCRIPTNAME: $TESTNAME"
-  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}"
-  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}
-  html_msg $? 3 "$TESTNAME"
+#  TESTNAME="startssl revoked, supports OCSP stapling"
+#  echo "$SCRIPTNAME: $TESTNAME"
+#  echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}"
+#  ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5144 -d . < ${REQF}
+#  html_msg $? 3 "$TESTNAME"
 
   TESTNAME="comodo trial test expired revoked, supports OCSP stapling"
   echo "$SCRIPTNAME: $TESTNAME"
   echo "tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}"
   ${BINDIR}/tstclnt -4 -V tls1.0: -T -v -F -M 1 -O -h kuix.de -p 5145 -d . < ${REQF}
   html_msg $? 1 "$TESTNAME"
 
   TESTNAME="thawte (expired) valid, supports OCSP stapling"
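Review bot: The "startssl revoked, supports OCSP stapling" case is commented out with no note saying why, so the one case visible in this hunk that expects tstclnt to exit with status 3 for a revoked certificate no longer runs and nothing prompts anyone to restore it. Commented-out tests tend to stay that way, and this one covers the revocation path of stapling. I would add a line above the block such as `# Disabled: <reason>; re-enable when bug <BUG-ID> is fixed.` with the real reason and bug number filled in. The body of ocsp_stapling starts and continues outside this hunk.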