Bug 898431: Update NSS to NSS 3.15.4 beta 6 (NSS_3_15_4_BETA6), r=me, a=bbajaj
authorBrian Smith <brian@briansmith.org>
Tue, 03 Dec 2013 20:20:55 -0800
changeset 167604 731470a7c4ca01a0fdbf2bf43802d9053f048794
parent 167603 f0cb5125f9704baa6a9c608f45dc4a5d11bba751
child 167605 cdd11c4a3224fe4ba0c78c27e6e867acf8e7227b
push id428
push userbbajaj@mozilla.com
push dateTue, 28 Jan 2014 00:16:25 +0000
treeherdermozilla-release@cd72a7ff3a75 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme, bbajaj
bugs898431
milestone27.0a2
Bug 898431: Update NSS to NSS 3.15.4 beta 6 (NSS_3_15_4_BETA6), r=me, a=bbajaj
security/nss/TAG-INFO
security/nss/coreconf/WIN32.mk
security/nss/coreconf/coreconf.dep
security/nss/lib/freebl/unix_rand.c
security/nss/lib/ssl/ssl3gthr.c
security/nss/lib/ssl/sslsecur.c
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_15_4_BETA4
+NSS_3_15_4_BETA6
--- a/security/nss/coreconf/WIN32.mk
+++ b/security/nss/coreconf/WIN32.mk
@@ -20,17 +20,17 @@ ifdef NS_USE_GCC
 	BSDECHO      = echo
 	RC           = windres.exe -O coff --use-temp-file
 	LINK_DLL      = $(CC) $(OS_DLLFLAGS) $(DLLFLAGS)
 else
 	CC           = cl
 	CCC          = cl
 	LINK         = link
 	AR           = lib
-	AR          += -NOLOGO -OUT:"$@"
+	AR          += -NOLOGO -OUT:$@
 	RANLIB       = echo
 	BSDECHO      = echo
 	RC           = rc.exe
 	MT           = mt.exe
 	# Determine compiler version
 	CC_VERSION  := $(shell $(CC) 2>&1 | sed -ne \
 		's|.* \([0-9]\+\.[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*|\1|p')
 	# Change the dots to spaces.
@@ -125,17 +125,17 @@ else # !NS_USE_GCC
     ifdef BUILD_OPT
 	OS_CFLAGS  += -MD
 	ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
 		OPTIMIZER += -O1
 	else
 		OPTIMIZER += -O2
 	endif
 	DEFINES    += -UDEBUG -U_DEBUG -DNDEBUG
-	DLLFLAGS   += -OUT:"$@"
+	DLLFLAGS   += -OUT:$@
 	ifdef MOZ_DEBUG_SYMBOLS
 		ifdef MOZ_DEBUG_FLAGS
 			OPTIMIZER += $(MOZ_DEBUG_FLAGS) -Fd$(OBJDIR)/
 		else
 			OPTIMIZER += -Zi -Fd$(OBJDIR)/
 		endif
 		DLLFLAGS += -DEBUG -OPT:REF
 		LDFLAGS += -DEBUG -OPT:REF
@@ -151,17 +151,17 @@ else # !NS_USE_GCC
 		OS_CFLAGS += -MD
 	endif
 	OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
 	NULLSTRING :=
 	SPACE      := $(NULLSTRING) # end of the line
 	USERNAME   := $(subst $(SPACE),_,$(USERNAME))
 	USERNAME   := $(subst -,_,$(USERNAME))
 	DEFINES    += -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USERNAME)
-	DLLFLAGS   += -DEBUG -OUT:"$@"
+	DLLFLAGS   += -DEBUG -OUT:$@
 	LDFLAGS    += -DEBUG 
 ifeq ($(_MSC_VER),$(_MSC_VER_6))
 ifndef MOZ_DEBUG_SYMBOLS
 	LDFLAGS    += -PDB:NONE 
 endif
 endif
 	# Purify requires /FIXED:NO when linking EXEs.
 	LDFLAGS    += /FIXED:NO
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,9 +5,8 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
-
--- a/security/nss/lib/freebl/unix_rand.c
+++ b/security/nss/lib/freebl/unix_rand.c
@@ -954,39 +954,44 @@ void RNG_SystemInfoForRNG(void)
 
 }
 
 #define TOTAL_FILE_LIMIT 1000000	/* one million */
 
 size_t RNG_FileUpdate(const char *fileName, size_t limit)
 {
     FILE *        file;
-    size_t        bytes;
+    int           fd;
+    int           bytes;
     size_t        fileBytes = 0;
     struct stat   stat_buf;
     unsigned char buffer[BUFSIZ];
     static size_t totalFileBytes = 0;
     
     /* suppress valgrind warnings due to holes in struct stat */
     memset(&stat_buf, 0, sizeof(stat_buf));
 
     if (stat((char *)fileName, &stat_buf) < 0)
 	return fileBytes;
     RNG_RandomUpdate(&stat_buf, sizeof(stat_buf));
     
     file = fopen(fileName, "r");
     if (file != NULL) {
-	/* Set buffering mode to unbuffered I/O to avoid reading more bytes
-	 * than we need from /dev/urandom. Moreover, we read into a buffer
-	 * of size BUFSIZ, so buffered I/O has no performance advantage. */
-	setvbuf(file, NULL, _IONBF, 0);
+	/* Read from the underlying file descriptor directly to bypass stdio
+	 * buffering and avoid reading more bytes than we need from
+	 * /dev/urandom. NOTE: we can't use fread with unbuffered I/O because
+	 * fread may return EOF in unbuffered I/O mode on Android.
+	 *
+	 * Moreover, we read into a buffer of size BUFSIZ, so buffered I/O
+	 * has no performance advantage. */
+	fd = fileno(file);
 	while (limit > fileBytes) {
 	    bytes = PR_MIN(sizeof buffer, limit - fileBytes);
-	    bytes = fread(buffer, 1, bytes, file);
-	    if (bytes == 0) 
+	    bytes = read(fd, buffer, bytes);
+	    if (bytes <= 0)
 		break;
 	    RNG_RandomUpdate(buffer, bytes);
 	    fileBytes      += bytes;
 	    totalFileBytes += bytes;
 	    /* after TOTAL_FILE_LIMIT has been reached, only read in first
 	    ** buffer of data from each subsequent file.
 	    */
 	    if (totalFileBytes > TOTAL_FILE_LIMIT) 
@@ -1125,31 +1130,35 @@ static void rng_systemJitter(void)
    } else {
 	fileToRead++;
    }
 }
 
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
     FILE *file;
-    size_t bytes;
+    int fd;
+    int bytes;
     size_t fileBytes = 0;
     unsigned char *buffer = dest;
 
     file = fopen("/dev/urandom", "r");
     if (file == NULL) {
 	return rng_systemFromNoise(dest, maxLen);
     }
-    /* Set buffering mode to unbuffered I/O to avoid reading more bytes
-     * than we need from /dev/urandom. */
-    setvbuf(file, NULL, _IONBF, 0);
+    /* Read from the underlying file descriptor directly to bypass stdio
+     * buffering and avoid reading more bytes than we need from /dev/urandom.
+     * NOTE: we can't use fread with unbuffered I/O because fread may return
+     * EOF in unbuffered I/O mode on Android.
+     */
+    fd = fileno(file);
     while (maxLen > fileBytes) {
 	bytes = maxLen - fileBytes;
-	bytes = fread(buffer, 1, bytes, file);
-	if (bytes == 0) 
+	bytes = read(fd, buffer, bytes);
+	if (bytes <= 0)
 	    break;
 	fileBytes += bytes;
 	buffer += bytes;
     }
     fclose(file);
     if (fileBytes != maxLen) {
 	PORT_SetError(SEC_ERROR_NEED_RANDOM);  /* system RNG failed */
 	fileBytes = 0;
--- a/security/nss/lib/ssl/ssl3gthr.c
+++ b/security/nss/lib/ssl/ssl3gthr.c
@@ -320,16 +320,22 @@ ssl3_GatherCompleteHandshake(sslSocket *
 	    /* ssl3_HandleHandshake previously returned SECWouldBlock and the
 	     * as-yet-unprocessed plaintext of that previous handshake record.
 	     * We need to process it now before we overwrite it with the next
 	     * handshake record.
 	     */
 	    rv = ssl3_HandleRecord(ss, NULL, &ss->gs.buf);
 	} else {
 	    /* bring in the next sslv3 record. */
+	    if (ss->recvdCloseNotify) {
+		/* RFC 5246 Section 7.2.1:
+		 *   Any data received after a closure alert is ignored.
+		 */
+		return 0;
+	    }
 	    if (!IS_DTLS(ss)) {
 		rv = ssl3_GatherData(ss, &ss->gs, flags);
 	    } else {
 		rv = dtls_GatherData(ss, &ss->gs, flags);
 		
 		/* If we got a would block error, that means that no data was
 		 * available, so we check the timer to see if it's time to
 		 * retransmit */
@@ -365,30 +371,29 @@ ssl3_GatherCompleteHandshake(sslSocket *
 		    cText.seq_num.high <<= 8; cText.seq_num.low <<= 8;
 		    cText.seq_num.high |= ss->gs.hdr[3 + i];
 		    cText.seq_num.low |= ss->gs.hdr[7 + i];
 		}
 	    }
 
 	    cText.buf     = &ss->gs.inbuf;
 	    rv = ssl3_HandleRecord(ss, &cText, &ss->gs.buf);
-
-	    if (rv == (int) SECSuccess && ss->gs.buf.len > 0) {
-		/* We have application data to return to the application. This
-		 * prioritizes returning application data to the application over
-		 * completing any renegotiation handshake we may be doing.
-		 */
-		PORT_Assert(ss->firstHsDone);
-		PORT_Assert(cText.type == content_application_data);
-		break;
-	    }
 	}
 	if (rv < 0) {
 	    return ss->recvdCloseNotify ? 0 : rv;
 	}
+	if (ss->gs.buf.len > 0) {
+	    /* We have application data to return to the application. This
+	     * prioritizes returning application data to the application over
+	     * completing any renegotiation handshake we may be doing.
+	     */
+	    PORT_Assert(ss->firstHsDone);
+	    PORT_Assert(cText.type == content_application_data);
+	    break;
+	}
 
 	PORT_Assert(keepGoing);
 	ssl_GetSSL3HandshakeLock(ss);
 	if (ss->ssl3.hs.ws == idle_handshake) {
 	    /* We are done with the current handshake so stop trying to
 	     * handshake. Note that it would be safe to test ss->firstHsDone
 	     * instead of ss->ssl3.hs.ws. By testing ss->ssl3.hs.ws instead,
 	     * we prioritize completing a renegotiation handshake over sending
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -272,17 +272,17 @@ SSL_ReHandshake(PRFileDesc *fd, PRBool f
 
     if (!ss->opt.useSecurity)
 	return SECSuccess;
     
     ssl_Get1stHandshakeLock(ss);
 
     /* SSL v2 protocol does not support subsequent handshakes. */
     if (ss->version < SSL_LIBRARY_VERSION_3_0) {
-	PORT_SetError(SEC_ERROR_INVALID_ARGS);
+	PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2);
 	rv = SECFailure;
     } else {
 	ssl_GetSSL3HandshakeLock(ss);
 	rv = ssl3_RedoHandshake(ss, flushCache); /* force full handshake. */
 	ssl_ReleaseSSL3HandshakeLock(ss);
     }
 
     ssl_Release1stHandshakeLock(ss);
@@ -1232,17 +1232,16 @@ ssl_SecureRead(sslSocket *ss, unsigned c
     return ssl_SecureRecv(ss, buf, len, 0);
 }
 
 /* Caller holds the SSL Socket's write lock. SSL_LOCK_WRITER(ss) */
 int
 ssl_SecureSend(sslSocket *ss, const unsigned char *buf, int len, int flags)
 {
     int rv = 0;
-    PRBool falseStart = PR_FALSE;
 
     SSL_TRC(2, ("%d: SSL[%d]: SecureSend: sending %d bytes",
 		SSL_GETPID(), ss->fd, len));
 
     if (ss->shutdownHow & ssl_SHUTDOWN_SEND) {
 	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
     	rv = PR_FAILURE;
 	goto done;
@@ -1267,16 +1266,17 @@ ssl_SecureSend(sslSocket *ss, const unsi
     if (rv < 0) {
 	goto done;
     }
 
     if (len > 0) 
     	ss->writerThread = PR_GetCurrentThread();
     /* If any of these is non-zero, the initial handshake is not done. */
     if (!ss->firstHsDone) {
+	PRBool falseStart = PR_FALSE;
 	ssl_Get1stHandshakeLock(ss);
 	if (ss->opt.enableFalseStart &&
 	    ss->version >= SSL_LIBRARY_VERSION_3_0) {
 	    ssl_GetSSL3HandshakeLock(ss);
 	    falseStart = ss->ssl3.hs.canFalseStart;
 	    ssl_ReleaseSSL3HandshakeLock(ss);
 	}
 	if (!falseStart &&