net: don't set NSS options in a callback.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
  * The contents of this file are subject to the Mozilla Public License Version
  * 1.1 (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ skipping 6090 matching lines @@
     /* XXX: does not take into account whether we are waiting for
      * SSL_AuthCertificateComplete or SSL_RestartHandshakeAfterCertReq. If/when
      * that is done, this function could return different results each time it
      * would be called.
      */
 
     ssl_GetSpecReadLock(ss);
     rv = ss->opt.enableFalseStart &&
          !ss->sec.isServer &&
          !ss->ssl3.hs.isResuming &&
+         /* This check for NPN is performed here because we can't call
+          * SSL_HandshakeNegotiatedExtension in the auth callback because of
+          * lock ordering issues. See crbug.com/125299 */
+         ssl3_ExtensionNegotiated(ss, ssl_next_proto_nego_xtn) &&
          ss->ssl3.cwSpec &&
 
          /* An attacker can control the selected ciphersuite so we only wish to
           * do False Start in the case that the selected ciphersuite is
           * sufficiently strong that the attack can gain no advantage.
           * Therefore we require an 80-bit cipher and a forward-secret key
           * exchange. */
          ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10 &&
         (ss->ssl3.hs.kea_def->kea == kea_dhe_dss ||
          ss->ssl3.hs.kea_def->kea == kea_dhe_rsa ||
@@ skipping 4339 matching lines @@
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */