Update net/third_party/nss to NSS 3.15.4.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ skipping 93 matching lines @@
                                    int additionalDataLen);
 #endif
 
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
 /* This list of SSL3 cipher suites is sorted in descending order of
  * precedence (desirability).  It only includes cipher suites we implement.
  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
+ *
+ * Important: See bug 946147 before enabling, reordering, or adding any cipher
+ * suites to this list.
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
-   /*      cipher_suite                         policy      enabled is_present*/
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_RSA_WITH_AES_128_GCM_SHA256,        SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+   /*      cipher_suite                     policy       enabled   isPresent */
 
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,  SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+   /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
+    * bug 946147.
+    */
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA,           SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA256,        SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,    SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+
+ /* RSA */
+ { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+
+ /* 56-bit DES "domestic" cipher suites */
+ { SSL_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_DHE_DSS_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_DES_CBC_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_DES_CBC_SHA,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ /* export ciphersuites with 1024-bit public key exchange keys */
+ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ /* export ciphersuites with 512-bit public key exchange keys */
+ { SSL_RSA_EXPORT_WITH_RC4_40_MD5,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ /* ciphersuites with no encryption */
 #ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_RSA_WITH_NULL_SHA,              SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDH_ECDSA_WITH_NULL_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { TLS_RSA_WITH_SEED_CBC_SHA,              SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 
- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { SSL_RSA_WITH_RC4_128_MD5,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA,           SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA256,        SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { SSL_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_SHA256,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+};
 
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+/* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
+ */
+#ifdef DEBUG
+void ssl3_CheckCipherSuiteOrderConsistency()
+{
+    unsigned int i;
 
+    /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
+     * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
+     */
+    PORT_Assert(SSL_NumImplementedCiphers >= PR_ARRAY_SIZE(cipherSuites));
 
- { SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
-
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
-
-#ifdef NSS_ENABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_WITH_NULL_SHA,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_NULL_SHA256,               SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_NULL_MD5,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
-
-};
+    for (i = 0; i < PR_ARRAY_SIZE(cipherSuites); ++i) {
+        PORT_Assert(SSL_ImplementedCiphers[i] == cipherSuites[i].cipher_suite);
+    }
+}
+#endif
 
 /* This list of SSL3 compression methods is sorted in descending order of
  * precedence (desirability).  It only includes compression methods we
  * implement.
  */
 static const /*SSLCompressionMethod*/ PRUint8 compressions [] = {
 #ifdef NSS_ENABLE_ZLIB
     ssl_compression_deflate,
 #endif
     ssl_compression_null
@@ skipping 272 matching lines @@
     { calg_chacha20 , CKM_NSS_CHACHA20_POLY1305         },
 /*  { calg_init     , (CK_MECHANISM_TYPE)0x7fffffffL    }  */
 };
 
 #define mmech_invalid  (CK_MECHANISM_TYPE)0x80000000L
 #define mmech_md5      CKM_SSL3_MD5_MAC
 #define mmech_sha      CKM_SSL3_SHA1_MAC
 #define mmech_md5_hmac CKM_MD5_HMAC
 #define mmech_sha_hmac CKM_SHA_1_HMAC
 #define mmech_sha256_hmac CKM_SHA256_HMAC
-#define mmech_sha384_hmac CKM_SHA384_HMAC
-#define mmech_sha512_hmac CKM_SHA512_HMAC
 
 static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
     /* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
     /* mac      mmech       pad_size  mac_size                       */
     { mac_null, mmech_invalid,    0,  0          },
     { mac_md5,  mmech_md5,       48,  MD5_LENGTH },
     { mac_sha,  mmech_sha,       40,  SHA1_LENGTH},
     {hmac_md5,  mmech_md5_hmac,   0,  MD5_LENGTH },
     {hmac_sha,  mmech_sha_hmac,   0,  SHA1_LENGTH},
     {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
@@ skipping 323 matching lines @@
 
 /* return number of cipher suites that match policy, enabled state and are
  * applicable for the configured protocol version range. */
 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
 static int
 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
 {
     int i, count = 0;
 
     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
-        return 0;
+        return 0;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
             count++;
     }
     if (count <= 0) {
         PORT_SetError(SSL_ERROR_SSL_DISABLED);
     }
     return count;
 }
@@ skipping 45 matching lines @@
 
     ss->version = PR_MIN(peerVersion, ss->vrange.max);
     PORT_Assert(ssl3_VersionIsSupported(ss->protocolVariant, ss->version));
 
     return SECSuccess;
 }
 
 static SECStatus
 ssl3_GetNewRandom(SSL3Random *random)
 {
-    PRUint32 gmt = ssl_Time();
     SECStatus rv;
 
-    random->rand[0] = (unsigned char)(gmt >> 24);
-    random->rand[1] = (unsigned char)(gmt >> 16);
-    random->rand[2] = (unsigned char)(gmt >>  8);
-    random->rand[3] = (unsigned char)(gmt);
-
     /* first 4 bytes are reserverd for time */
-    rv = PK11_GenerateRandom(&random->rand[4], SSL3_RANDOM_LENGTH - 4);
+    rv = PK11_GenerateRandom(random->rand, SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_GENERATE_RANDOM_FAILURE);
     }
     return rv;
 }
 
 /* Called by ssl3_SendServerKeyExchange and ssl3_SendCertificateVerify */
 SECStatus
 ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, 
                 PRBool isTLS)
@@ skipping 117 matching lines @@
          * In that case, we use just the SHA1 part. */
         if (hash->hashAlg == SEC_OID_UNKNOWN) {
             hashItem.data = hash->u.s.sha;
             hashItem.len = sizeof(hash->u.s.sha);
         } else {
             hashItem.data = hash->u.raw;
             hashItem.len = hash->len;
         }
         /* Allow DER encoded DSA signatures in SSL 3.0 */
         if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
-            signature = DSAU_DecodeDerSig(buf);
+            signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
             if (!signature) {
                 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
                 return SECFailure;
             }
             buf = signature;
         }
         break;
 
 #ifdef NSS_ENABLE_ECC
     case ecKey:
@@ skipping 564 matching lines @@
 
     PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert(ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
 
     pwSpec        = ss->ssl3.pwSpec;
     cipher_def    = pwSpec->cipher_def;
 
     calg = cipher_def->calg;
 
-    if (calg == calg_aes_gcm) {
+    if (calg == ssl_calg_aes_gcm) {
         pwSpec->encode = NULL;
         pwSpec->decode = NULL;
         pwSpec->destroy = NULL;
         pwSpec->encodeContext = NULL;
         pwSpec->decodeContext = NULL;
         pwSpec->aead = ssl3_AESGCMBypass;
         ssl3_InitCompressionContext(pwSpec);
         return SECSuccess;
     }
 
@@ skipping 95 matching lines @@
         * is decrypting, and vice versa.
         */
         optArg1 = !optArg1;
         break;
     /* kill warnings. */
     case ssl_calg_null:
     case ssl_calg_rc4:
     case ssl_calg_rc2:
     case ssl_calg_idea:
     case ssl_calg_fortezza:
+    case ssl_calg_aes_gcm:
         break;
     }
 
     rv = (*initFn)(clientContext,
                    pwSpec->client.write_key_item.data,
                    pwSpec->client.write_key_item.len,
                    pwSpec->client.write_iv_item.data,
                    mode, optArg1, optArg2);
     if (rv != SECSuccess) {
         PORT_Assert(0);
@@ skipping 733 matching lines @@
 
     PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
 
     if (rv != SECSuccess) {
         rv = SECFailure;
         ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
     }
     return rv;
 }
 
-/* This is a bodge to allow this code to be compiled against older NSS headers
- * that don't contain the CBC constant-time changes. */
-#ifndef CKM_NSS_HMAC_CONSTANT_TIME
-#define CKM_NSS_HMAC_CONSTANT_TIME (CKM_NSS + 19)
-#define CKM_NSS_SSL3_MAC_CONSTANT_TIME (CKM_NSS + 20)
-
-typedef struct CK_NSS_MAC_CONSTANT_TIME_PARAMS {
-    CK_MECHANISM_TYPE macAlg;   /* in */
-    CK_ULONG ulBodyTotalLen;    /* in */
-    CK_BYTE * pHeader;          /* in */
-    CK_ULONG ulHeaderLen;       /* in */
-} CK_NSS_MAC_CONSTANT_TIME_PARAMS;
-#endif
-
 /* Called from: ssl3_HandleRecord()
  * Caller must already hold the SpecReadLock. (wish we could assert that!)
  *
  * On entry:
  *   originalLen >= inputLen >= MAC size
 */
 static SECStatus
 ssl3_ComputeRecordMACConstantTime(
     ssl3CipherSpec *   spec,
     PRBool             useServerMacKey,
     const unsigned char *header,
     unsigned int       headerLen,
     const SSL3Opaque * input,
     int                inputLen,
     int                originalLen,
     unsigned char *    outbuf,
     unsigned int *     outLen)
 {
     CK_MECHANISM_TYPE            macType;
     CK_NSS_MAC_CONSTANT_TIME_PARAMS params;
-    PK11Context *                mac_context;
-    SECItem                      param;
+    SECItem                      param, inputItem, outputItem;
     SECStatus                    rv;
     PK11SymKey *                 key;
 
     PORT_Assert(inputLen >= spec->mac_size);
     PORT_Assert(originalLen >= inputLen);
 
     if (spec->bypassCiphers) {
         /* This function doesn't support PKCS#11 bypass. We fallback on the
          * non-constant time version. */
         goto fallback;
@@ skipping 11 matching lines @@
 
     params.macAlg = spec->mac_def->mmech;
     params.ulBodyTotalLen = originalLen;
     params.pHeader = (unsigned char *) header;  /* const cast */
     params.ulHeaderLen = headerLen;
 
     param.data = (unsigned char*) &params;
     param.len = sizeof(params);
     param.type = 0;
 
+    inputItem.data = (unsigned char *) input;
+    inputItem.len = inputLen;
+    inputItem.type = 0;
+
+    outputItem.data = outbuf;
+    outputItem.len = *outLen;
+    outputItem.type = 0;
+
     key = spec->server.write_mac_key;
     if (!useServerMacKey) {
         key = spec->client.write_mac_key;
     }
-    mac_context = PK11_CreateContextBySymKey(macType, CKA_SIGN, key, &param);
-    if (mac_context == NULL) {
-        /* Older versions of NSS may not support constant-time MAC. */
-        goto fallback;
+
+    rv = PK11_SignWithSymKey(key, macType, &param, &outputItem, &inputItem);
+    if (rv != SECSuccess) {
+        if (PORT_GetError() == SEC_ERROR_INVALID_ALGORITHM) {
+            goto fallback;
+        }
+
+        *outLen = 0;
+        rv = SECFailure;
+        ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
+        return rv;
     }
 
-    rv  = PK11_DigestBegin(mac_context);
-    rv |= PK11_DigestOp(mac_context, input, inputLen);
-    rv |= PK11_DigestFinal(mac_context, outbuf, outLen, spec->mac_size);
-    PK11_DestroyContext(mac_context, PR_TRUE);
+    PORT_Assert(outputItem.len == (unsigned)spec->mac_size);
+    *outLen = outputItem.len;
 
-    PORT_Assert(rv != SECSuccess || *outLen == (unsigned)spec->mac_size);
-
-    if (rv != SECSuccess) {
-        rv = SECFailure;
-        ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
-    }
     return rv;
 
 fallback:
     /* ssl3_ComputeRecordMAC expects the MAC to have been removed from the
      * length already. */
     inputLen -= spec->mac_size;
     return ssl3_ComputeRecordMAC(spec, useServerMacKey, header, headerLen,
                                  input, inputLen, outbuf, outLen);
 }
 
@@ skipping 262 matching lines @@
  * ssl_SEND_FLAG_USE_EPOCH (for DTLS)
  *    Forces the use of the provided epoch
  * ssl_SEND_FLAG_CAP_RECORD_VERSION
  *    Caps the record layer version number of TLS ClientHello to { 3, 1 }
  *    (TLS 1.0). Some TLS 1.0 servers (which seem to use F5 BIG-IP) ignore
  *    ClientHello.client_version and use the record layer version number
  *    (TLSPlaintext.version) instead when negotiating protocol versions. In
  *    addition, if the record layer version number of ClientHello is { 3, 2 }
  *    (TLS 1.1) or higher, these servers reset the TCP connections. Lastly,
  *    some F5 BIG-IP servers hang if a record containing a ClientHello has a
- *    version greater than 0x0301 and a length greater than 255. Set this flag
- *    to work around such servers.
+ *    version greater than { 3, 1 } and a length greater than 255. Set this
+ *    flag to work around such servers.
  */
 PRInt32
 ssl3_SendRecord(   sslSocket *        ss,
                    DTLSEpoch          epoch, /* DTLS only */
                    SSL3ContentType    type,
                    const SSL3Opaque * pIn,   /* input buffer */
                    PRInt32            nIn,   /* bytes of input */
                    PRInt32            flags)
 {
     sslBuffer      *          wrBuf       = &ss->sec.writeBuf;
@@ skipping 1119 matching lines @@
                 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                 return SECFailure;
             }
             ss->ssl3.hs.hashType = handshake_hash_single;
 
             if (PK11_DigestBegin(ss->ssl3.hs.sha) != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
                 return SECFailure;
             }
 
-            /* A backup SHA-1 hash for a potential client auth signature. */
+            /* Create a backup SHA-1 hash for a potential client auth
+             * signature.
+             *
+             * In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the
+             * handshake hash function (SHA-256). If the server or the client
+             * does not support SHA-256 as a signature hash, we can either
+             * maintain a backup SHA-1 handshake hash or buffer all handshake
+             * messages.
+             */
             if (!ss->sec.isServer) {
-                ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_SHA1);
-                if (ss->ssl3.hs.md5 == NULL) {
+                ss->ssl3.hs.backupHash = PK11_CreateDigestContext(SEC_OID_SHA1);
+                if (ss->ssl3.hs.backupHash == NULL) {
                     ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                     return SECFailure;
                 }
 
-                if (PK11_DigestBegin(ss->ssl3.hs.md5) != SECSuccess) {
+                if (PK11_DigestBegin(ss->ssl3.hs.backupHash) != SECSuccess) {
                     ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                     return SECFailure;
                 }
             }
         } else {
             /* Both ss->ssl3.hs.md5 and ss->ssl3.hs.sha should be NULL or
              * created successfully. */
             ss->ssl3.hs.md5 = PK11_CreateDigestContext(SEC_OID_MD5);
             if (ss->ssl3.hs.md5 == NULL) {
                 ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
@@ skipping 94 matching lines @@
         }
         return rv;
     }
 #endif
     if (ss->ssl3.hs.hashType == handshake_hash_single) {
         rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             return rv;
         }
-        if (ss->ssl3.hs.md5) {
-            rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
+        if (ss->ssl3.hs.backupHash) {
+            rv = PK11_DigestOp(ss->ssl3.hs.backupHash, b, l);
             if (rv != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
                 return rv;
             }
         }
     } else {
         rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
             return rv;
@@ skipping 740 matching lines @@
     return rv;
 }
 
 static SECStatus
 ssl3_ComputeBackupHandshakeHashes(sslSocket * ss,
                                   SSL3Hashes * hashes) /* output goes here. */
 {
     SECStatus rv = SECSuccess;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( !ss->sec.isServer );
     PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
 
-    rv = PK11_DigestFinal(ss->ssl3.hs.md5, hashes->u.raw, &hashes->len,
+    rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
                           sizeof(hashes->u.raw));
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
         rv = SECFailure;
         goto loser;
     }
     hashes->hashAlg = SEC_OID_SHA1;
 
 loser:
-    PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
-    ss->ssl3.hs.md5 = NULL;
+    PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
+    ss->ssl3.hs.backupHash = NULL;
     return rv;
 }
 
 /*
  * SSL 2 based implementations pass in the initial outbound buffer
  * so that the handshake hash can contain the included information.
  *
  * Called from ssl2_BeginClientHandshake() in sslcon.c
  */
 SECStatus
@@ skipping 59 matching lines @@
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
     ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
     PORT_Assert(IS_DTLS(ss) || !resending);
 
+    SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
+    ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
+
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     rv = ssl3_RestartHandshakeHashes(ss);
     if (rv != SECSuccess) {
         return rv;
     }
 
@@ skipping 104 matching lines @@
                 (*ss->sec.uncache)(sid);
             ssl_FreeSID(sid);
             sid = NULL;
         }
     }
 
     if (sid) {
         requestingResume = PR_TRUE;
         SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_hits );
 
-        /* Are we attempting a stateless session resume? */
-        if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
-            sid->u.ssl3.sessionTicket.ticket.data)
-            SSL_AtomicIncrementLong(& ssl3stats.sch_sid_stateless_resumes );
-
         PRINT_BUF(4, (ss, "client, found session-id:", sid->u.ssl3.sessionID,
                       sid->u.ssl3.sessionIDLength));
 
         ss->ssl3.policy = sid->u.ssl3.policy;
     } else {
         SSL_AtomicIncrementLong(& ssl3stats.sch_sid_cache_misses );
 
         /*
          * Windows SChannel compares the client_version inside the RSA
          * EncryptedPreMasterSecret of a renegotiation with the
@@ skipping 48 matching lines @@
     /* HACK for SCSV in SSL 3.0.  On initial handshake, prepend SCSV,
      * only if TLS is disabled.
      */
     if (!ss->firstHsDone && !isTLS) {
         /* Must set this before calling Hello Extension Senders, 
          * to suppress sending of empty RI extension.
          */
         ss->ssl3.hs.sendingSCSV = PR_TRUE;
     }
 
+    /* When we attempt session resumption (only), we must lock the sid to
+     * prevent races with other resumption connections that receive a
+     * NewSessionTicket that will cause the ticket in the sid to be replaced.
+     * Once we've copied the session ticket into our ClientHello message, it
+     * is OK for the ticket to change, so we just need to make sure we hold
+     * the lock across the calls to ssl3_CallHelloExtensionSenders.
+     */
+    if (sid->u.ssl3.lock) {
+        PR_RWLock_Rlock(sid->u.ssl3.lock);
+    }
+
     if (isTLS || (ss->firstHsDone && ss->peerRequestedProtection)) {
         PRUint32 maxBytes = 65535; /* 2^16 - 1 */
         PRInt32  extLen;
 
         extLen = ssl3_CallHelloExtensionSenders(ss, PR_FALSE, maxBytes, NULL);
         if (extLen < 0) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return SECFailure;
         }
         maxBytes        -= extLen;
         total_exten_len += extLen;
 
         if (total_exten_len > 0)
             total_exten_len += 2;
     }
 
 #if defined(NSS_ENABLE_ECC)
     if (!total_exten_len || !isTLS) {
         /* not sending the elliptic_curves and ec_point_formats extensions */
         ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
 #endif
 
     if (IS_DTLS(ss)) {
         ssl3_DisableNonDTLSSuites(ss);
     }
 
     if (!ssl3_HasGCMSupport()) {
         ssl3_DisableGCMSuites(ss);
     }
 
     /* how many suites are permitted by policy and user preference? */
     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
-    if (!num_suites)
+    if (!num_suites) {
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         return SECFailure;      /* count_cipher_suites has set error code. */
+    }
 
     fallbackSCSV = ss->opt.enableFallbackSCSV && (!requestingResume ||
                                                   ss->version < sid->version);
     /* make room for SCSV */
     if (ss->ssl3.hs.sendingSCSV) {
         ++num_suites;
     }
     if (fallbackSCSV) {
         ++num_suites;
     }
@@ skipping 22 matching lines @@
     if (!IS_DTLS(ss) && isTLS && !ss->firstHsDone) {
         paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length);
         total_exten_len += paddingExtensionLen;
         length += paddingExtensionLen;
     } else {
         paddingExtensionLen = 0;
     }
 
     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
     if (rv != SECSuccess) {
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (ss->firstHsDone) {
         /* The client hello version must stay unchanged to work around
          * the Windows SChannel bug described above. */
         PORT_Assert(ss->version == ss->clientHelloVersion);
     }
     ss->clientHelloVersion = ss->version;
     if (IS_DTLS(ss)) {
         PRUint16 version;
 
         version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
         rv = ssl3_AppendHandshakeNumber(ss, version, 2);
     } else {
         rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
     }
     if (rv != SECSuccess) {
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (!resending) { /* Don't re-generate if we are in DTLS re-sending mode */
         rv = ssl3_GetNewRandom(&ss->ssl3.hs.client_random);
         if (rv != SECSuccess) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return rv;  /* err set by GetNewRandom. */
         }
     }
     rv = ssl3_AppendHandshake(ss, &ss->ssl3.hs.client_random,
                               SSL3_RANDOM_LENGTH);
     if (rv != SECSuccess) {
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (sid)
         rv = ssl3_AppendHandshakeVariable(
             ss, sid->u.ssl3.sessionID, sid->u.ssl3.sessionIDLength, 1);
     else
         rv = ssl3_AppendHandshakeVariable(ss, NULL, 0, 1);
     if (rv != SECSuccess) {
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (IS_DTLS(ss)) {
         rv = ssl3_AppendHandshakeVariable(
             ss, ss->ssl3.hs.cookie, ss->ssl3.hs.cookieLen, 1);
         if (rv != SECSuccess) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return rv;  /* err set by ssl3_AppendHandshake* */
         }
     }
 
     rv = ssl3_AppendHandshakeNumber(ss, num_suites*sizeof(ssl3CipherSuite), 2);
     if (rv != SECSuccess) {
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (ss->ssl3.hs.sendingSCSV) {
         /* Add the actual SCSV */
         rv = ssl3_AppendHandshakeNumber(ss, TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
                                         sizeof(ssl3CipherSuite));
         if (rv != SECSuccess) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return rv;  /* err set by ssl3_AppendHandshake* */
         }
         actual_count++;
     }
     if (fallbackSCSV) {
         rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
                                         sizeof(ssl3CipherSuite));
         if (rv != SECSuccess) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return rv;  /* err set by ssl3_AppendHandshake* */
         }
         actual_count++;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
         if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
             actual_count++;
             if (actual_count > num_suites) {
+                if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
                 /* set error card removal/insertion error */
                 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
                 return SECFailure;
             }
             rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
                                             sizeof(ssl3CipherSuite));
             if (rv != SECSuccess) {
+                if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
                 return rv;      /* err set by ssl3_AppendHandshake* */
             }
         }
     }
 
     /* if cards were removed or inserted between count_cipher_suites and
      * generating our list, detect the error here rather than send it off to
      * the server.. */
     if (actual_count != num_suites) {
         /* Card removal/insertion error */
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
         return SECFailure;
     }
 
     rv = ssl3_AppendHandshakeNumber(ss, numCompressionMethods, 1);
     if (rv != SECSuccess) {
+        if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
     for (i = 0; i < compressionMethodsCount; i++) {
         if (!compressionEnabled(ss, compressions[i]))
             continue;
         rv = ssl3_AppendHandshakeNumber(ss, compressions[i], 1);
         if (rv != SECSuccess) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return rv;  /* err set by ssl3_AppendHandshake* */
         }
     }
 
     if (total_exten_len) {
         PRUint32 maxBytes = total_exten_len - 2;
         PRInt32  extLen;
 
         rv = ssl3_AppendHandshakeNumber(ss, maxBytes, 2);
         if (rv != SECSuccess) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return rv;  /* err set by AppendHandshake. */
         }
 
         extLen = ssl3_CallHelloExtensionSenders(ss, PR_TRUE, maxBytes, NULL);
         if (extLen < 0) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return SECFailure;
         }
         maxBytes -= extLen;
 
         extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes);
         if (extLen < 0) {
+            if (sid->u.ssl3.lock) { PR_RWLock_Unlock(sid->u.ssl3.lock); }
             return SECFailure;
         }
         maxBytes -= extLen;
 
         PORT_Assert(!maxBytes);
     } 
+
+    if (sid->u.ssl3.lock) {
+        PR_RWLock_Unlock(sid->u.ssl3.lock);
+    }
+
+    if (ss->xtnData.sentSessionTicketInClientHello) {
+        SSL_AtomicIncrementLong(&ssl3stats.sch_sid_stateless_resumes);
+    }
+
     if (ss->ssl3.hs.sendingSCSV) {
         /* Since we sent the SCSV, pretend we sent empty RI extension. */
         TLSExtensionData *xtnData = &ss->xtnData;
         xtnData->advertised[xtnData->numAdvertised++] = 
             ssl_renegotiation_info_xtn;
     }
 
     flags = 0;
     if (!ss->firstHsDone && !IS_DTLS(ss)) {
         flags |= ssl_SEND_FLAG_CAP_RECORD_VERSION;
@@ skipping 786 matching lines @@
     unsigned int  len;
     SSL3SignatureAndHashAlgorithm sigAndHash;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
                 SSL_GETPID(), ss->fd));
 
     ssl_GetSpecReadLock(ss);
-    /* In TLS 1.2, ssl3_ComputeHandshakeHashes always uses the handshake hash
-     * function (SHA-256). If the server or the client does not support SHA-256
-     * as a signature hash, we can either maintain a backup SHA-1 handshake
-     * hash or buffer all handshake messages.
-     */
-    if (ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) {
+    if (ss->ssl3.hs.hashType == handshake_hash_single &&
+        ss->ssl3.hs.backupHash) {
         rv = ssl3_ComputeBackupHandshakeHashes(ss, &hashes);
-        PORT_Assert(ss->ssl3.hs.md5 == NULL);
+        PORT_Assert(!ss->ssl3.hs.backupHash);
     } else {
         rv = ssl3_ComputeHandshakeHashes(ss, ss->ssl3.pwSpec, &hashes, 0);
     }
     ssl_ReleaseSpecReadLock(ss);
     if (rv != SECSuccess) {
         goto done;      /* err code was set by ssl3_ComputeHandshakeHashes */
     }
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
@@ skipping 375 matching lines @@
             PK11_FreeSlot(slot);
             if (pwSpec->master_secret == NULL) {
                 break; 
             }
         }
 
         /* Got a Match */
         SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_hits );
 
         /* If we sent a session ticket, then this is a stateless resume. */
-        if (sid->version > SSL_LIBRARY_VERSION_3_0 &&
-            sid->u.ssl3.sessionTicket.ticket.data != NULL)
+        if (ss->xtnData.sentSessionTicketInClientHello)
             SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_stateless_resumes );
 
         if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn))
             ss->ssl3.hs.ws = wait_new_session_ticket;
         else
             ss->ssl3.hs.ws = wait_change_cipher;
 
         ss->ssl3.hs.isResuming = PR_TRUE;
 
         /* copy the peer cert from the SID */
@@ skipping 404 matching lines @@
      * Estonian ID cards that have 1024-bit RSA keys. In FIPS 186-2 and
      * older, DSA key size is at most 1024 bits and the hash function must
      * be SHA-1.
      */
     if (pubk->keyType == rsaKey || pubk->keyType == dsaKey) {
         *preferSha1 = SECKEY_PublicKeyStrength(pubk) <= 128;
     } else {
         *preferSha1 = PR_FALSE;
     }
 
-  done:
+done:
     if (pubk)
         SECKEY_DestroyPublicKey(pubk);
     return rv;
 }
 
 /* Destroys the backup handshake hash context if we don't need it. Note that
  * this function selects the hash algorithm for client authentication
  * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
  * to determine whether to use SHA-1 or SHA-256. */
 static void
 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
                                            const SECItem *algorithms)
 {
     SECStatus rv;
     TLSSignatureAlgorithm sigAlg;
     PRBool preferSha1;
     PRBool supportsSha1 = PR_FALSE;
     PRBool supportsSha256 = PR_FALSE;
     PRBool needBackupHash = PR_FALSE;
     unsigned int i;
 
-    PORT_Assert(ss->ssl3.hs.md5);
+#ifndef NO_PKCS11_BYPASS
+    /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
+    if (ss->opt.bypassPKCS11) {
+        PORT_Assert(!ss->ssl3.hs.backupHash);
+        return;
+    }
+#endif
+    PORT_Assert(ss->ssl3.hs.backupHash);
 
     /* Determine the key's signature algorithm and whether it prefers SHA-1. */
     rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
     if (rv != SECSuccess) {
         goto done;
     }
 
     /* Determine the server's hash support for that signature algorithm. */
     for (i = 0; i < algorithms->len; i += 2) {
         if (algorithms->data[i+1] == sigAlg) {
             if (algorithms->data[i] == tls_hash_sha1) {
                 supportsSha1 = PR_TRUE;
             } else if (algorithms->data[i] == tls_hash_sha256) {
                 supportsSha256 = PR_TRUE;
             }
         }
     }
 
     /* If either the server does not support SHA-256 or the client key prefers
      * SHA-1, leave the backup hash. */
     if (supportsSha1 && (preferSha1 || !supportsSha256)) {
         needBackupHash = PR_TRUE;
     }
 
 done:
     if (!needBackupHash) {
-        PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
-        ss->ssl3.hs.md5 = NULL;
+        PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
+        ss->ssl3.hs.backupHash = NULL;
     }
 }
 
 typedef struct dnameNode {
     struct dnameNode *next;
     SECItem           name;
 } dnameNode;
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Certificate Request message.
@@ skipping 175 matching lines @@
                 if (ss->ssl3.clientCertificate != NULL) {
                     CERT_DestroyCertificate(ss->ssl3.clientCertificate);
                     ss->ssl3.clientCertificate = NULL;
                 }
                 if (ss->ssl3.platformClientKey) {
                     ssl_FreePlatformKey(ss->ssl3.platformClientKey);
                     ss->ssl3.platformClientKey = (PlatformKey)NULL;
                 }
                 goto send_no_certificate;
             }
-            if (isTLS12) {
+            if (ss->ssl3.hs.hashType == handshake_hash_single) {
                 ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
             }
             break;  /* not an error */
         }
 #endif   /* NSS_PLATFORM_CLIENT_AUTH */
         /* check what the callback function returned */
         if ((!ss->ssl3.clientCertificate) || (!ss->ssl3.clientPrivateKey)) {
             /* we are missing either the key or cert */
             if (ss->ssl3.clientCertificate) {
                 /* got a cert, but no key - free it */
                 CERT_DestroyCertificate(ss->ssl3.clientCertificate);
                 ss->ssl3.clientCertificate = NULL;
             }
             if (ss->ssl3.clientPrivateKey) {
                 /* got a key, but no cert - free it */
                 SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
                 ss->ssl3.clientPrivateKey = NULL;
             }
             goto send_no_certificate;
         }
         /* Setting ssl3.clientCertChain non-NULL will cause
          * ssl3_HandleServerHelloDone to call SendCertificate.
          */
         ss->ssl3.clientCertChain = CERT_CertChainFromCert(
                                         ss->ssl3.clientCertificate,
                                         certUsageSSLClient, PR_FALSE);
         if (ss->ssl3.clientCertChain == NULL) {
-            if (ss->ssl3.clientCertificate != NULL) {
-                CERT_DestroyCertificate(ss->ssl3.clientCertificate);
-                ss->ssl3.clientCertificate = NULL;
-            }
-            if (ss->ssl3.clientPrivateKey != NULL) {
-                SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
-                ss->ssl3.clientPrivateKey = NULL;
-            }
+            CERT_DestroyCertificate(ss->ssl3.clientCertificate);
+            ss->ssl3.clientCertificate = NULL;
+            SECKEY_DestroyPrivateKey(ss->ssl3.clientPrivateKey);
+            ss->ssl3.clientPrivateKey = NULL;
             goto send_no_certificate;
         }
-        if (isTLS12) {
+        if (ss->ssl3.hs.hashType == handshake_hash_single) {
             ssl3_DestroyBackupHandshakeHashIfNotNeeded(ss, &algorithms);
         }
         break;  /* not an error */
 
     case SECFailure:
     default:
 send_no_certificate:
         if (isTLS) {
             ss->ssl3.sendEmptyCert = PR_TRUE;
         } else {
@@ skipping 217 matching lines @@
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     sendClientCert = !ss->ssl3.sendEmptyCert &&
                      ss->ssl3.clientCertChain  != NULL &&
                      (ss->ssl3.platformClientKey ||
                      ss->ssl3.clientPrivateKey != NULL);
 
     if (!sendClientCert &&
-        ss->ssl3.hs.hashType == handshake_hash_single && ss->ssl3.hs.md5) {
+        ss->ssl3.hs.hashType == handshake_hash_single &&
+        ss->ssl3.hs.backupHash) {
         /* Don't need the backup handshake hash. */
-        PK11_DestroyContext(ss->ssl3.hs.md5, PR_TRUE);
-        ss->ssl3.hs.md5 = NULL;
+        PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
+        ss->ssl3.hs.backupHash = NULL;
     }
 
     /* We must wait for the server's certificate to be authenticated before
      * sending the client certificate in order to disclosing the client
      * certificate to an attacker that does not have a valid cert for the
      * domain we are connecting to.
      *
      * XXX: We should do the same for the NPN extension, but for that we
      * need an option to give the application the ability to leak the NPN
      * information to get better performance.
@@ skipping 748 matching lines @@
                 ss->ssl3.hs.suite_def =
                     ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
                 goto suite_found;
             }
         }
     }
     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
     goto alert_loser;
 
 suite_found:
-    /* Look for a matching compression algorithm. */
+    /* Select a compression algorithm. */
     for (i = 0; i < comps.len; i++) {
         if (!compressionEnabled(ss, comps.data[i]))
             continue;
         for (j = 0; j < compressionMethodsCount; j++) {
             if (comps.data[i] == compressions[j]) {
                 ss->ssl3.hs.compression = 
                                         (SSLCompressionMethod)compressions[j];
                 goto compression_found;
             }
         }
@@ skipping 1421 matching lines @@
     rv = ssl3_AppendHandshakeHeader(ss, certificate, 3);
     if (rv == SECSuccess) {
         rv = ssl3_AppendHandshakeNumber(ss, 0, 3);
     }
     return rv;  /* error, if any, set by functions called above. */
 }
 
 SECStatus
 ssl3_HandleNewSessionTicket(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
-    SECStatus         rv;
-    NewSessionTicket  session_ticket;
+    SECStatus rv;
+    SECItem ticketData;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle session_ticket handshake",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
+    PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
+    PORT_Assert(!ss->ssl3.hs.receivedNewSessionTicket);
+
     if (ss->ssl3.hs.ws != wait_new_session_ticket) {
         SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
         return SECFailure;
     }
 
-    session_ticket.received_timestamp = ssl_Time();
+    /* RFC5077 Section 3.3: "The client MUST NOT treat the ticket as valid
+     * until it has verified the server's Finished message." See the comment in
+     * ssl3_FinishHandshake for more details.
+     */
+    ss->ssl3.hs.newSessionTicket.received_timestamp = ssl_Time();
     if (length < 4) {
         (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
         return SECFailure;
     }
-    session_ticket.ticket_lifetime_hint =
+    ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
         (PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
 
-    rv = ssl3_ConsumeHandshakeVariable(ss, &session_ticket.ticket, 2,
-        &b, &length);
+    rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
     if (length != 0 || rv != SECSuccess) {
         (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
         PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
         return SECFailure;  /* malformed */
     }
+    rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
+                          &ticketData);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
 
-    rv = ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &session_ticket);
-    if (rv != SECSuccess) {
-        (void)SSL3_SendAlert(ss, alert_fatal, handshake_failure);
-        PORT_SetError(SSL_ERROR_INTERNAL_ERROR_ALERT);
-        return SECFailure;
-    }
     ss->ssl3.hs.ws = wait_change_cipher;
     return SECSuccess;
 }
 
 #ifdef NISCC_TEST
 static PRInt32 connNum = 0;
 
 static SECStatus 
 get_fake_cert(SECItem *pCertItem, int *pIndex)
 {
@@ skipping 670 matching lines @@
          * success. Any remaining work will be taken care of by subsequent
          * calls to SSL_ForceHandshake/PR_Send/PR_Read/etc. 
          */
         if (rv == SECWouldBlock) {
             rv = SECSuccess;
         }
     } else {
         SSL_TRC(3, ("%d: SSL3[%p]: certificate authentication won the race with"
                     " peer's finished message", SSL_GETPID(), ss->fd));
 
-        PORT_Assert(!ss->firstHsDone);
-        PORT_Assert(!ss->sec.isServer);
         PORT_Assert(!ss->ssl3.hs.isResuming);
         PORT_Assert(ss->ssl3.hs.ws != idle_handshake);
 
         if (ss->opt.enableFalseStart &&
             !ss->firstHsDone &&
-            !ss->sec.isServer &&
             !ss->ssl3.hs.isResuming &&
             ssl3_WaitingForStartOfServerSecondRound(ss)) {
             /* ssl3_SendClientSecondRound deferred the false start check because
              * certificate authentication was pending, so we do it now if we still
              * haven't received any of the server's second round yet.
              */
             rv = ssl3_CheckFalseStart(ss);
         } else {
             rv = SECSuccess;
         }
@@ skipping 78 matching lines @@
                             &outData, isFIPS);
         } else {
             rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
         }
         PORT_Assert(rv != SECSuccess || outData.len == outLen);
 #endif
     }
     return rv;
 }
 
-/* called from ssl3_HandleServerHelloDone
+/* called from ssl3_SendClientSecondRound
+ *             ssl3_HandleFinished
  */
 static SECStatus
 ssl3_SendNextProto(sslSocket *ss)
 {
     SECStatus rv;
     int padding_len;
     static const unsigned char padding[32] = {0};
 
     if (ss->ssl3.nextProto.len == 0 ||
         ss->ssl3.nextProtoState == SSL_NEXT_PROTO_SELECTED) {
@@ skipping 252 matching lines @@
     if (ss->ssl3.channelIDPub)
         SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
 
     ss->handshake = ssl_GatherRecord1stHandshake;
     ss->ssl3.channelID = channelID;
     ss->ssl3.channelIDPub = channelIDPub;
 
     return SECSuccess;
 }
 
-/* called from ssl3_HandleServerHelloDone
+/* called from ssl3_SendClientSecondRound
  *             ssl3_HandleClientHello
  *             ssl3_HandleFinished
  */
 static SECStatus
 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
 {
     ssl3CipherSpec *cwSpec;
     PRBool          isTLS;
     PRBool          isServer = ss->sec.isServer;
     SECStatus       rv;
@@ skipping 215 matching lines @@
         PRInt32 flags = 0;
 
         /* Send a NewSessionTicket message if the client sent us
          * either an empty session ticket, or one that did not verify.
          * (Note that if either of these conditions was met, then the
          * server has sent a SessionTicket extension in the
          * ServerHello message.)
          */
         if (isServer && !ss->ssl3.hs.isResuming &&
             ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
+            /* RFC 5077 Section 3.3: "In the case of a full handshake, the
+             * server MUST verify the client's Finished message before sending
+             * the ticket." Presumably, this also means that the client's
+             * certificate, if any, must be verified beforehand too.
+             */
             rv = ssl3_SendNewSessionTicket(ss);
             if (rv != SECSuccess) {
                 goto xmit_loser;
             }
         }
 
         rv = ssl3_SendChangeCipherSpecs(ss);
         if (rv != SECSuccess) {
             goto xmit_loser;    /* err is set. */
         }
@@ skipping 104 matching lines @@
 SECStatus
 ssl3_FinishHandshake(sslSocket * ss)
 {
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->ssl3.hs.restartTarget == NULL );
 
     /* The first handshake is now completed. */
     ss->handshake           = NULL;
 
+    /* RFC 5077 Section 3.3: "The client MUST NOT treat the ticket as valid
+     * until it has verified the server's Finished message." When the server
+     * sends a NewSessionTicket in a resumption handshake, we must wait until
+     * the handshake is finished (we have verified the server's Finished
+     * AND the server's certificate) before we update the ticket in the sid.
+     *
+     * This must be done before we call (*ss->sec.cache)(ss->sec.ci.sid)
+     * because CacheSID requires the session ticket to already be set, and also
+     * because of the lazy lock creation scheme used by CacheSID and
+     * ssl3_SetSIDSessionTicket.
+     */
+    if (ss->ssl3.hs.receivedNewSessionTicket) {
+        PORT_Assert(!ss->sec.isServer);
+        ssl3_SetSIDSessionTicket(ss->sec.ci.sid, &ss->ssl3.hs.newSessionTicket);
+        /* The sid took over the ticket data */
+        PORT_Assert(!ss->ssl3.hs.newSessionTicket.ticket.data);
+        ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
+    }
+
     if (ss->ssl3.hs.cacheSID && ss->sec.isServer) {
+        PORT_Assert(ss->sec.ci.sid->cached == never_cached);
         (*ss->sec.cache)(ss->sec.ci.sid);
         ss->ssl3.hs.cacheSID = PR_FALSE;
     }
 
     ss->ssl3.hs.canFalseStart = PR_FALSE; /* False Start phase is complete */
     ss->ssl3.hs.ws = idle_handshake;
 
     ssl_FinishHandshake(ss);
 
     return SECSuccess;
@@ skipping 1050 matching lines @@
         ss->ssl3.hs.rtRetries = 0;
         ss->ssl3.hs.recvdHighWater = -1;
         PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
         dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
     }
 
     PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
     ss->ssl3.hs.messages.buf = NULL;
     ss->ssl3.hs.messages.space = 0;
 
+    ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
+    PORT_Memset(&ss->ssl3.hs.newSessionTicket, 0,
+                sizeof(ss->ssl3.hs.newSessionTicket));
+
     ss->ssl3.initialized = PR_TRUE;
     return SECSuccess;
 }
 
 /* Returns a reference counted object that contains a key pair.
  * Or NULL on failure.  Initial ref count is 1.
  * Uses the keys in the pair as input.
  */
 ssl3KeyPair *
 ssl3_NewKeyPair( SECKEYPrivateKey * privKey, SECKEYPublicKey * pubKey)
@@ skipping 414 matching lines @@
     if (ss->ssl3.hs.messages.buf) {
         PORT_Free(ss->ssl3.hs.messages.buf);
         ss->ssl3.hs.messages.buf = NULL;
         ss->ssl3.hs.messages.len = 0;
         ss->ssl3.hs.messages.space = 0;
     }
 
     /* free the SSL3Buffer (msg_body) */
     PORT_Free(ss->ssl3.hs.msg_body.buf);
 
+    SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
+
     /* free up the CipherSpecs */
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
 
     /* Destroy the DTLS data */
     if (IS_DTLS(ss)) {
         dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
         if (ss->ssl3.hs.recvdFragments.buf) {
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */