authorMoonchild <moonchild@palemoon.org>2020-12-23 19:02:52 +0000
committerMoonchild <moonchild@palemoon.org>2020-12-23 19:02:52 +0000
commit029bcfe189eae5eebbaf58ccff4e1200dd78b228 (patch)
tree1c226a334ea1a88e2d1c6f949c9320eb0c3bff59 /security/nss/gtests/ssl_gtest/tls_agent.cc
parent149d2ffa779826cb48a381099858e76e4624d471 (diff)
Issue #1693 - Update NSS to 3.59.1.1
This updates to MoonchildProductions/NSS@bd49b2b88 in the repo created for our consumption of the library.
Diffstat (limited to 'security/nss/gtests/ssl_gtest/tls_agent.cc')
-rw-r--r--security/nss/gtests/ssl_gtest/tls_agent.cc86
1 files changed, 63 insertions, 23 deletions
diff --git a/security/nss/gtests/ssl_gtest/tls_agent.cc b/security/nss/gtests/ssl_gtest/tls_agent.cc
index 2ea70cae3..2eafc5bcb 100644
--- a/security/nss/gtests/ssl_gtest/tls_agent.cc
+++ b/security/nss/gtests/ssl_gtest/tls_agent.cc
@@ -1,4 +1,5 @@
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
* You can obtain one at http://mozilla.org/MPL/2.0/. */
@@ -48,6 +49,7 @@ const std::string TlsAgent::kServerEcdhEcdsa = "ecdh_ecdsa";
const std::string TlsAgent::kServerDsa = "dsa";
const std::string TlsAgent::kDelegatorEcdsa256 = "delegator_ecdsa256";
const std::string TlsAgent::kDelegatorRsae2048 = "delegator_rsae2048";
+const std::string TlsAgent::kDelegatorRsaPss2048 = "delegator_rsa_pss2048";
static const uint8_t kCannedTls13ServerHello[] = {
0x03, 0x03, 0x9c, 0xbc, 0x14, 0x9b, 0x0e, 0x2e, 0xfa, 0x0d, 0xf3,
@@ -71,8 +73,8 @@ TlsAgent::TlsAgent(const std::string& nm, Role rl, SSLProtocolVariant var)
falsestart_enabled_(false),
expected_version_(0),
expected_cipher_suite_(0),
- expect_resumption_(false),
expect_client_auth_(false),
+ expect_psk_(ssl_psk_none),
can_falsestart_hook_called_(false),
sni_hook_called_(false),
auth_certificate_hook_called_(false),
@@ -299,7 +301,7 @@ bool TlsAgent::MaybeSetResumptionToken() {
// rv is SECFailure with error set to SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR
// if the resumption token was bad (expired/malformed/etc.).
- if (expect_resumption_) {
+ if (expect_psk_ == ssl_psk_resume) {
// Only in case we expect resumption this has to be successful. We might
// not expect resumption due to some reason but the token is totally fine.
EXPECT_EQ(SECSuccess, rv);
@@ -307,8 +309,8 @@ bool TlsAgent::MaybeSetResumptionToken() {
if (rv != SECSuccess) {
EXPECT_EQ(SSL_ERROR_BAD_RESUMPTION_TOKEN_ERROR, PORT_GetError());
resumption_token_.clear();
- EXPECT_FALSE(expect_resumption_);
- if (expect_resumption_) return false;
+ EXPECT_FALSE(expect_psk_ == ssl_psk_resume);
+ if (expect_psk_ == ssl_psk_resume) return false;
}
}
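Review bot: `EXPECT_FALSE(expect_psk_ == ssl_psk_resume);` only reports a boolean on failure now that the member holds a PSK type rather than a flag. `EXPECT_NE(ssl_psk_resume, expect_psk_);` would print the actual value, which matters once external PSK is a third possible state. MaybeSetResumptionToken starts before this hunk, and the previous hunk touches the same function.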
@@ -632,7 +634,9 @@ void TlsAgent::CheckAuthType(SSLAuthType auth,
SSLSignatureScheme sig_scheme) const {
EXPECT_EQ(STATE_CONNECTED, state_);
EXPECT_EQ(auth, info_.authType);
- EXPECT_EQ(server_key_bits_, info_.authKeyBits);
+ if (auth != ssl_auth_psk) {
+ EXPECT_EQ(server_key_bits_, info_.authKeyBits);
+ }
if (expected_version_ < SSL_LIBRARY_VERSION_TLS_1_2) {
switch (auth) {
case ssl_auth_rsa_sign:
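Review bot: The new `if (auth != ssl_auth_psk)` guard drops the `authKeyBits` comparison for PSK without a comment and without asserting anything in its place, so whatever the library reports in `info_.authKeyBits` for a PSK handshake goes unchecked. A one-line comment such as `// PSK handshakes have no server certificate key to compare against.` would record the intent. If the library defines a value for that field under PSK (not visible here), an `else` branch could pin it. CheckAuthType continues past the end of the hunk.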
@@ -683,13 +687,31 @@ void TlsAgent::EnableFalseStart() {
SetOption(SSL_ENABLE_FALSE_START, PR_TRUE);
}
-void TlsAgent::ExpectResumption() { expect_resumption_ = true; }
+void TlsAgent::ExpectPsk() { expect_psk_ = ssl_psk_external; }
+
+void TlsAgent::ExpectResumption() { expect_psk_ = ssl_psk_resume; }
void TlsAgent::EnableAlpn(const uint8_t* val, size_t len) {
EXPECT_TRUE(EnsureTlsSetup());
EXPECT_EQ(SECSuccess, SSL_SetNextProtoNego(ssl_fd(), val, len));
}
+void TlsAgent::AddPsk(const ScopedPK11SymKey& psk, std::string label,
+ SSLHashType hash, uint16_t zeroRttSuite) {
+ EXPECT_TRUE(EnsureTlsSetup());
+ EXPECT_EQ(SECSuccess, SSL_AddExternalPsk0Rtt(
+ ssl_fd(), psk.get(),
+ reinterpret_cast<const uint8_t*>(label.data()),
+ label.length(), hash, zeroRttSuite, 1000));
+}
+
+void TlsAgent::RemovePsk(std::string label) {
+ EXPECT_EQ(SECSuccess,
+ SSL_RemoveExternalPsk(
+ ssl_fd(), reinterpret_cast<const uint8_t*>(label.data()),
+ label.length()));
+}
+
void TlsAgent::CheckAlpn(SSLNextProtoState expected_state,
const std::string& expected) const {
SSLNextProtoState alpn_state;
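Review bot: `RemovePsk` calls `SSL_RemoveExternalPsk` on `ssl_fd()` without the `EXPECT_TRUE(EnsureTlsSetup());` guard that `AddPsk` and `EnableAlpn` in this same hunk start with, so a test that removes a PSK before the socket is set up passes whatever `ssl_fd()` holds at that point; add the same guard as its first line. In `AddPsk`, the trailing `1000` is the early-data limit handed to `SSL_AddExternalPsk0Rtt` and deserves a name, e.g. `static const uint32_t kPskMaxEarlyData = 1000;`, so tests that assert on 0-RTT size limits can refer to it. Both methods take `label` by value although they only read it; `const std::string&` would avoid the copy, which needs the matching declaration change in the header outside this diff.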
@@ -819,22 +841,22 @@ void TlsAgent::CheckPreliminaryInfo() {
void TlsAgent::CheckCallbacks() const {
// If false start happens, the handshake is reported as being complete at the
// point that false start happens.
- if (expect_resumption_ || !falsestart_enabled_) {
+ if (expect_psk_ == ssl_psk_resume || !falsestart_enabled_) {
EXPECT_TRUE(handshake_callback_called_);
}
// These callbacks shouldn't fire if we are resuming, except on TLS 1.3.
if (role_ == SERVER) {
PRBool have_sni = SSLInt_ExtensionNegotiated(ssl_fd(), ssl_server_name_xtn);
- EXPECT_EQ(((!expect_resumption_ && have_sni) ||
+ EXPECT_EQ(((expect_psk_ != ssl_psk_resume && have_sni) ||
expected_version_ >= SSL_LIBRARY_VERSION_TLS_1_3),
sni_hook_called_);
} else {
- EXPECT_EQ(!expect_resumption_, auth_certificate_hook_called_);
+ EXPECT_EQ(expect_psk_ == ssl_psk_none, auth_certificate_hook_called_);
// Note that this isn't unconditionally called, even with false start on.
// But the callback is only skipped if a cipher that is ridiculously weak
// (80 bits) is chosen. Don't test that: plan to remove bad ciphers.
- EXPECT_EQ(falsestart_enabled_ && !expect_resumption_,
+ EXPECT_EQ(falsestart_enabled_ && expect_psk_ != ssl_psk_resume,
can_falsestart_hook_called_);
}
}
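Review bot: The comment `// These callbacks shouldn't fire if we are resuming, except on TLS 1.3.` no longer describes the client branch. `auth_certificate_hook_called_` is now expected only when `expect_psk_ == ssl_psk_none`, so it must also stay unset for an external PSK, while the SNI and false-start checks still key on `ssl_psk_resume` alone. A comment on that line should state that the asymmetry is intended, e.g. `// No certificate is verified for any PSK handshake, resumption or external.`, presumably the reason for the difference. Without it the mixed `== ssl_psk_none` / `!= ssl_psk_resume` conditions read like a missed rename.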
@@ -870,7 +892,7 @@ void TlsAgent::ValidateCipherSpecs() {
} else {
// For DTLS 1.1 and 1.2, the last endpoint to send maintains a cipher spec
// until the holddown timer runs down.
- if (expect_resumption_) {
+ if (expect_psk_ == ssl_psk_resume) {
if (role_ == CLIENT) {
expected = 3;
}
@@ -908,7 +930,8 @@ void TlsAgent::Connected() {
EXPECT_EQ(SECSuccess, rv);
EXPECT_EQ(sizeof(info_), info_.length);
- EXPECT_EQ(expect_resumption_, info_.resumed == PR_TRUE);
+ EXPECT_EQ(expect_psk_ == ssl_psk_resume, info_.resumed == PR_TRUE);
+ EXPECT_EQ(expect_psk_, info_.pskType);
// Preliminary values are exposed through callbacks during the handshake.
// If either expected values were set or the callbacks were called, check
@@ -1063,21 +1086,28 @@ void TlsAgent::SendBuffer(const DataBuffer& buf) {
bool TlsAgent::SendEncryptedRecord(const std::shared_ptr<TlsCipherSpec>& spec,
uint64_t seq, uint8_t ct,
const DataBuffer& buf) {
- LOGV("Encrypting " << buf.len() << " bytes");
// Ensure that we are doing TLS 1.3.
EXPECT_GE(expected_version_, SSL_LIBRARY_VERSION_TLS_1_3);
- TlsRecordHeader header(variant_, expected_version_, ssl_ct_application_data,
- seq);
+ if (variant_ != ssl_variant_datagram) {
+ ADD_FAILURE();
+ return false;
+ }
+
+ LOGV("Encrypting " << buf.len() << " bytes");
+ uint8_t dtls13_ct = kCtDtlsCiphertext | kCtDtlsCiphertext16bSeqno |
+ kCtDtlsCiphertextLengthPresent;
+ TlsRecordHeader header(variant_, expected_version_, dtls13_ct, seq);
+ TlsRecordHeader out_header(header);
DataBuffer padded = buf;
padded.Write(padded.len(), ct, 1);
DataBuffer ciphertext;
- if (!spec->Protect(header, padded, &ciphertext)) {
+ if (!spec->Protect(header, padded, &ciphertext, &out_header)) {
return false;
}
DataBuffer record;
- auto rv = header.Write(&record, 0, ciphertext);
- EXPECT_EQ(header.header_length() + ciphertext.len(), rv);
+ auto rv = out_header.Write(&record, 0, ciphertext);
+ EXPECT_EQ(out_header.header_length() + ciphertext.len(), rv);
SendDirect(record);
return true;
}
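Review bot: The bare `ADD_FAILURE();` on the non-datagram path fails the test without saying why, and the surviving comment `// Ensure that we are doing TLS 1.3.` does not mention that the function is now DTLS-only. Stream the reason into the failure, `ADD_FAILURE() << "SendEncryptedRecord only supports DTLS 1.3";`, and note the restriction next to the signature. The version check above it is a non-fatal `EXPECT_GE`, so on an older expected version the function still goes on to build a DTLS 1.3 ciphertext header; returning false there as well would keep the helper from emitting a record the test did not intend.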
@@ -1124,7 +1154,7 @@ void TlsAgent::ReadBytes(size_t amount) {
}
}
-void TlsAgent::ResetSentBytes() { send_ctr_ = 0; }
+void TlsAgent::ResetSentBytes(size_t bytes) { send_ctr_ = bytes; }
void TlsAgent::SetOption(int32_t option, int value) {
ASSERT_TRUE(EnsureTlsSetup());
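Review bot: `ResetSentBytes(size_t bytes)` now sets `send_ctr_` to an arbitrary value, so the name no longer says what the call does. A short comment such as `// Sets the sent-byte counter to |bytes|; 0 resets it.` would cover it. Whether the header gives `bytes` a default so existing callers still compile is not visible in this diff.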
@@ -1201,16 +1231,26 @@ void TlsAgentTestBase::MakeRecord(SSLProtocolVariant variant, uint8_t type,
uint16_t version, const uint8_t* buf,
size_t len, DataBuffer* out,
uint64_t sequence_number) {
+ // Fixup the content type for DTLSCiphertext
+ if (variant == ssl_variant_datagram &&
+ version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
+ type == ssl_ct_application_data) {
+ type = kCtDtlsCiphertext | kCtDtlsCiphertext16bSeqno |
+ kCtDtlsCiphertextLengthPresent;
+ }
+
size_t index = 0;
- index = out->Write(index, type, 1);
if (variant == ssl_variant_stream) {
+ index = out->Write(index, type, 1);
index = out->Write(index, version, 2);
} else if (version >= SSL_LIBRARY_VERSION_TLS_1_3 &&
- type == ssl_ct_application_data) {
+ (type & kCtDtlsCiphertextMask) == kCtDtlsCiphertext) {
uint32_t epoch = (sequence_number >> 48) & 0x3;
- uint32_t seqno = sequence_number & ((1ULL << 30) - 1);
- index = out->Write(index, (epoch << 30) | seqno, 4);
+ index = out->Write(index, type | epoch, 1);
+ uint32_t seqno = sequence_number & ((1ULL << 16) - 1);
+ index = out->Write(index, seqno, 2);
} else {
+ index = out->Write(index, type, 1);
index = out->Write(index, TlsVersionToDtlsVersion(version), 2);
index = out->Write(index, sequence_number >> 32, 4);
index = out->Write(index, sequence_number & PR_UINT32_MAX, 4);
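Review bot: The DTLSCiphertext branch always writes `type | epoch` followed by a two-byte sequence number, but it is entered for any `type` matching `kCtDtlsCiphertextMask`, not only the value built by the fixup at the top. A caller that passes its own DTLSCiphertext type without `kCtDtlsCiphertext16bSeqno`, or with the low epoch bits already set, gets a header whose flag bits disagree with the bytes that follow. If that is deliberate for negative tests, say so in a comment such as `// Caller-supplied DTLSCiphertext types are written as given; seqno is always 16 bits.`; otherwise assert the flag with `EXPECT_TRUE(type & kCtDtlsCiphertext16bSeqno);`. The rest of MakeRecord lies outside the hunk.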