Issue #1338 - Part 2: Update NSS to 3.48-RTM

6 files changed, 135 insertions, 13 deletions

diff --git a/security/nss/cpputil/freebl_scoped_ptrs.h b/security/nss/cpputil/freebl_scoped_ptrs.h
new file mode 100644
index 000000000..2f21ca903
--- /dev/null
+++ b/security/nss/cpputil/freebl_scoped_ptrs.h
@@ -0,0 +1,33 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef freebl_scoped_ptrs_h__
+#define freebl_scoped_ptrs_h__
+
+#include <memory>
+#include "blapi.h"
+
+struct ScopedDelete {
+  void operator()(CMACContext* ctx) { CMAC_Destroy(ctx, PR_TRUE); }
+};
+
+template <class T>
+struct ScopedMaybeDelete {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDelete del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
+
+SCOPED(CMACContext);
+
+#undef SCOPED
+
+#endif  // freebl_scoped_ptrs_h__
diff --git a/security/nss/cpputil/nss_scoped_ptrs.h b/security/nss/cpputil/nss_scoped_ptrs.h
index 03979f2c5..501f9dfe8 100644
--- a/security/nss/cpputil/nss_scoped_ptrs.h
+++ b/security/nss/cpputil/nss_scoped_ptrs.h
@@ -11,21 +11,30 @@
 #include "cert.h"
 #include "keyhi.h"
 #include "p12.h"
+#include "pk11pqg.h"
 #include "pk11pub.h"
 #include "pkcs11uri.h"
+#include "secmod.h"
 
 struct ScopedDelete {
   void operator()(CERTCertificate* cert) { CERT_DestroyCertificate(cert); }
   void operator()(CERTCertificateList* list) {
     CERT_DestroyCertificateList(list);
   }
+  void operator()(CERTDistNames* names) { CERT_FreeDistNames(names); }
   void operator()(CERTName* name) { CERT_DestroyName(name); }
   void operator()(CERTCertList* list) { CERT_DestroyCertList(list); }
   void operator()(CERTSubjectPublicKeyInfo* spki) {
     SECKEY_DestroySubjectPublicKeyInfo(spki);
   }
+  void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
+  void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
   void operator()(PK11SlotInfo* slot) { PK11_FreeSlot(slot); }
+  void operator()(PK11SlotList* slots) { PK11_FreeSlotList(slots); }
   void operator()(PK11SymKey* key) { PK11_FreeSymKey(key); }
+  void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); }
+  void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
+  void operator()(PQGParams* pqg) { PK11_PQG_DestroyParams(pqg); }
   void operator()(PRFileDesc* fd) { PR_Close(fd); }
   void operator()(SECAlgorithmID* id) { SECOID_DestroyAlgorithmID(id, true); }
   void operator()(SECKEYEncryptedPrivateKeyInfo* e) {
@@ -37,14 +46,10 @@ struct ScopedDelete {
   void operator()(SECKEYPrivateKeyList* list) {
     SECKEY_DestroyPrivateKeyList(list);
   }
-  void operator()(PK11URI* uri) { PK11URI_DestroyURI(uri); }
-  void operator()(PLArenaPool* arena) { PORT_FreeArena(arena, PR_FALSE); }
-  void operator()(PK11Context* context) { PK11_DestroyContext(context, true); }
-  void operator()(PK11GenericObject* obj) { PK11_DestroyGenericObject(obj); }
+  void operator()(SECMODModule* module) { SECMOD_DestroyModule(module); }
   void operator()(SEC_PKCS12DecoderContext* dcx) {
     SEC_PKCS12DecoderFinish(dcx);
   }
-  void operator()(CERTDistNames* names) { CERT_FreeDistNames(names); }
 };
 
 template <class T>
@@ -59,27 +64,36 @@ struct ScopedMaybeDelete {
 
 #define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDelete<x> > Scoped##x
 
+SCOPED(CERTCertList);
 SCOPED(CERTCertificate);
 SCOPED(CERTCertificateList);
-SCOPED(CERTCertList);
+SCOPED(CERTDistNames);
 SCOPED(CERTName);
 SCOPED(CERTSubjectPublicKeyInfo);
+SCOPED(PK11Context);
+SCOPED(PK11GenericObject);
 SCOPED(PK11SlotInfo);
+SCOPED(PK11SlotList);
 SCOPED(PK11SymKey);
+SCOPED(PK11URI);
+SCOPED(PLArenaPool);
+SCOPED(PQGParams);
 SCOPED(PRFileDesc);
 SCOPED(SECAlgorithmID);
-SCOPED(SECKEYEncryptedPrivateKeyInfo);
 SCOPED(SECItem);
-SCOPED(SECKEYPublicKey);
+SCOPED(SECKEYEncryptedPrivateKeyInfo);
 SCOPED(SECKEYPrivateKey);
 SCOPED(SECKEYPrivateKeyList);
-SCOPED(PK11URI);
-SCOPED(PLArenaPool);
-SCOPED(PK11Context);
-SCOPED(PK11GenericObject);
+SCOPED(SECKEYPublicKey);
+SCOPED(SECMODModule);
 SCOPED(SEC_PKCS12DecoderContext);
-SCOPED(CERTDistNames);
 
 #undef SCOPED
 
+struct StackSECItem : public SECItem {
+  StackSECItem() : SECItem({siBuffer, nullptr, 0}) {}
+  ~StackSECItem() { Reset(); }
+  void Reset() { SECITEM_FreeItem(this, PR_FALSE); }
+};
+
 #endif  // nss_scoped_ptrs_h__
diff --git a/security/nss/cpputil/scoped_ptrs_smime.h b/security/nss/cpputil/scoped_ptrs_smime.h
new file mode 100644
index 000000000..fc235f7eb
--- /dev/null
+++ b/security/nss/cpputil/scoped_ptrs_smime.h
@@ -0,0 +1,34 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef scoped_ptrs_smime_h__
+#define scoped_ptrs_smime_h__
+
+#include <memory>
+#include "smime.h"
+
+struct ScopedDeleteSmime {
+  void operator()(NSSCMSMessage* id) { NSS_CMSMessage_Destroy(id); }
+};
+
+template <class T>
+struct ScopedMaybeDeleteSmime {
+  void operator()(T* ptr) {
+    if (ptr) {
+      ScopedDeleteSmime del;
+      del(ptr);
+    }
+  }
+};
+
+#define SCOPED(x) \
+  typedef std::unique_ptr<x, ScopedMaybeDeleteSmime<x> > Scoped##x
+
+SCOPED(NSSCMSMessage);
+
+#undef SCOPED
+
+#endif  // scoped_ptrs_smime_h__
diff --git a/security/nss/cpputil/scoped_ptrs_ssl.h b/security/nss/cpputil/scoped_ptrs_ssl.h
index 7eeae8f8f..474187540 100644
--- a/security/nss/cpputil/scoped_ptrs_ssl.h
+++ b/security/nss/cpputil/scoped_ptrs_ssl.h
@@ -11,6 +11,10 @@
 #include "sslexp.h"
 
 struct ScopedDeleteSSL {
+  void operator()(SSLAeadContext* ctx) { SSL_DestroyAead(ctx); }
+  void operator()(SSLAntiReplayContext* ctx) {
+    SSL_ReleaseAntiReplayContext(ctx);
+  }
   void operator()(SSLResumptionTokenInfo* token) {
     SSL_DestroyResumptionTokenInfo(token);
   }
@@ -28,6 +32,8 @@ struct ScopedMaybeDeleteSSL {
 
 #define SCOPED(x) typedef std::unique_ptr<x, ScopedMaybeDeleteSSL<x> > Scoped##x
 
+SCOPED(SSLAeadContext);
+SCOPED(SSLAntiReplayContext);
 SCOPED(SSLResumptionTokenInfo);
 
 #undef SCOPED
diff --git a/security/nss/cpputil/scoped_ptrs_util.h b/security/nss/cpputil/scoped_ptrs_util.h
index 2dbf34e1d..d0a42ee0b 100644
--- a/security/nss/cpputil/scoped_ptrs_util.h
+++ b/security/nss/cpputil/scoped_ptrs_util.h
@@ -33,7 +33,13 @@ struct ScopedMaybeDelete {
 SCOPED(SECAlgorithmID);
 SCOPED(SECItem);
 SCOPED(PK11URI);
+SCOPED(PLArenaPool);
 
 #undef SCOPED
 
+struct StackSECItem : public SECItem {
+  StackSECItem() : SECItem({siBuffer, nullptr, 0}) {}
+  ~StackSECItem() { SECITEM_FreeItem(this, PR_FALSE); }
+};
+
 #endif  // scoped_ptrs_util_h__
diff --git a/security/nss/cpputil/tls_parser.h b/security/nss/cpputil/tls_parser.h
index cd9e28fc3..05dd99fc8 100644
--- a/security/nss/cpputil/tls_parser.h
+++ b/security/nss/cpputil/tls_parser.h
@@ -31,6 +31,7 @@ const uint8_t kTlsHandshakeCertificateRequest = 13;
 const uint8_t kTlsHandshakeCertificateVerify = 15;
 const uint8_t kTlsHandshakeClientKeyExchange = 16;
 const uint8_t kTlsHandshakeFinished = 20;
+const uint8_t kTlsHandshakeKeyUpdate = 24;
 
 const uint8_t kTlsAlertWarning = 1;
 const uint8_t kTlsAlertFatal = 2;
@@ -47,11 +48,13 @@ const uint8_t kTlsAlertIllegalParameter = 47;
 const uint8_t kTlsAlertDecodeError = 50;
 const uint8_t kTlsAlertDecryptError = 51;
 const uint8_t kTlsAlertProtocolVersion = 70;
+const uint8_t kTlsAlertInsufficientSecurity = 71;
 const uint8_t kTlsAlertInternalError = 80;
 const uint8_t kTlsAlertInappropriateFallback = 86;
 const uint8_t kTlsAlertMissingExtension = 109;
 const uint8_t kTlsAlertUnsupportedExtension = 110;
 const uint8_t kTlsAlertUnrecognizedName = 112;
+const uint8_t kTlsAlertCertificateRequired = 116;
 const uint8_t kTlsAlertNoApplicationProtocol = 120;
 
 const uint8_t kTlsFakeChangeCipherSpec[] = {
@@ -80,6 +83,32 @@ inline std::ostream& operator<<(std::ostream& os, SSLProtocolVariant v) {
   return os << ((v == ssl_variant_stream) ? "TLS" : "DTLS");
 }
 
+inline std::ostream& operator<<(std::ostream& os, SSLContentType v) {
+  switch (v) {
+    case ssl_ct_change_cipher_spec:
+      return os << "CCS";
+    case ssl_ct_alert:
+      return os << "alert";
+    case ssl_ct_handshake:
+      return os << "handshake";
+    case ssl_ct_application_data:
+      return os << "application data";
+    case ssl_ct_ack:
+      return os << "ack";
+  }
+  return os << "UNKNOWN content type " << static_cast<int>(v);
+}
+
+inline std::ostream& operator<<(std::ostream& os, SSLSecretDirection v) {
+  switch (v) {
+    case ssl_secret_read:
+      return os << "read";
+    case ssl_secret_write:
+      return os << "write";
+  }
+  return os << "UNKNOWN secret direction " << static_cast<int>(v);
+}
+
 inline bool IsDtls(uint16_t version) { return (version & 0x8000) == 0x8000; }
 
 inline uint16_t NormalizeTlsVersion(uint16_t version) {