Update NSS to 3.38

- Added HACL*Poly1305 32-bit (INRIA/Microsoft)
- Updated to final TLS 1.3 draft version (28)
- Removed TLS 1.3 prerelease draft limit check
- Removed NPN code
- Enabled dev/urandom-only RNG on Linux with NSS_SEED_ONLY_DEV_URANDOM for non-standard environments
- Fixed several bugs with TLS 1.3 negotiation
- Updated internal certificate store
- Added support for the TLS Record Size Limit Extension.
- Fixed CVE-2018-0495
- Various security fixes in the ASN.1 code.

1 files changed, 6 insertions, 5 deletions

diff --git a/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
index fa2238be7..ec289bdd6 100644
--- a/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/security/nss/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -166,8 +166,8 @@ class TlsCipherSuiteTestBase : public TlsConnectTestBase {
       case ssl_calg_seed:
         break;
     }
-    EXPECT_TRUE(false) << "No limit for " << csinfo_.cipherSuiteName;
-    return 1ULL < 48;
+    ADD_FAILURE() << "No limit for " << csinfo_.cipherSuiteName;
+    return 0;
   }
 
   uint64_t last_safe_write() const {
@@ -246,12 +246,13 @@ TEST_P(TlsCipherSuiteTest, ReadLimit) {
 
     client_->SendData(10, 10);
     server_->ReadBytes();  // This should be OK.
+    server_->ReadBytes();  // Read twice to flush any 1,N-1 record splitting.
   } else {
     // In TLS 1.3, reading or writing triggers a KeyUpdate.  That would mean
     // that the sequence numbers would reset and we wouldn't hit the limit.  So
-    // we move the sequence number to one less than the limit directly and don't
-    // test sending and receiving just before the limit.
-    uint64_t last = record_limit() - 1;
+    // move the sequence number to the limit directly and don't test sending and
+    // receiving just before the limit.
+    uint64_t last = record_limit();
     EXPECT_EQ(SECSuccess, SSLInt_AdvanceReadSeqNum(server_->ssl_fd(), last));
   }