Update net/third_party/nss/ssl to NSS 3.14.

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1994-2000
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Dr Stephen Henson <stephen.henson@gemplus.com>
- *   Dr Vipul Gupta <vipul.gupta@sun.com> and
- *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-/* $Id: ssl3con.c,v 1.173 2012/03/18 00:31:19 wtc%google.com Exp $ */
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/* $Id: ssl3con.c,v 1.192 2012/09/28 05:10:25 wtc%google.com Exp $ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"   /* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
 
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "sslerr.h"
 #include "prtime.h"
 #include "prinrval.h"
 #include "prerror.h"
 #include "pratom.h"
 #include "prthread.h"
 
 #include "pk11func.h"
 #include "secmod.h"
+#ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
+#endif
 
 #include <stdio.h>
 #ifdef NSS_ENABLE_ZLIB
 #include "zlib.h"
 #endif
 
-/* DSA_SIGNATURE_LEN is deprecated and replaced by DSA1_SIGNATURE_LEN
- * in NSS 3.14. Provide a backup definition when compiling against an
- * older system NSS library.
- */
-#ifndef DSA1_SIGNATURE_LEN
-#define DSA1_SIGNATURE_LEN      40      /* Bytes */
-#endif
-
 #ifndef PK11_SETATTRS
 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
                 (x)->pValue=(v); (x)->ulValueLen = (l);
 #endif
 
 static void      ssl3_CleanupPeerCerts(sslSocket *ss);
 static void      ssl3_CopyPeerCertsFromSID(sslSocket *ss, sslSessionID *sid);
 static PK11SymKey *ssl3_GenerateRSAPMS(sslSocket *ss, ssl3CipherSpec *spec,
                                        PK11SlotInfo * serverKeySlot);
 static SECStatus ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms);
@@ skipping 15 matching lines @@
                                              unsigned int l);
 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
 
 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
                              int maxOutputLen, const unsigned char *input,
                              int inputLen);
 
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
-#define MAX_CIPHER_SUITES 20
-
 /* This list of SSL3 cipher suites is sorted in descending order of
  * precedence (desirability).  It only includes cipher suites we implement.
  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                         policy      enabled is_present*/
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_RSA_WITH_AES_256_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA,           SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,         SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_DHE_DSS_WITH_RC4_128_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,       SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDH_RSA_WITH_RC4_128_SHA,          SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,        SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { TLS_RSA_WITH_SEED_CBC_SHA,              SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, 
  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_RSA_WITH_RC4_128_SHA,               SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
  { SSL_RSA_WITH_RC4_128_MD5,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_WITH_AES_128_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_128_CBC_SHA,           SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,      SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
- { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
  { SSL_RSA_WITH_3DES_EDE_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
 
 
  { SSL_DHE_RSA_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { SSL_DHE_DSS_WITH_DES_CBC_SHA,           SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
- { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_FIPS_WITH_DES_CBC_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_WITH_DES_CBC_SHA,               SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,    SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
 
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC4_40_MD5,         SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
+ { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,     SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
 
 #ifdef NSS_ENABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_NULL_SHA,          SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_NULL_SHA,            SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_NULL_SHA,             SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_NULL_SHA,           SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_ENABLE_ECC */
  { SSL_RSA_WITH_NULL_SHA,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
  { SSL_RSA_WITH_NULL_MD5,                  SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
 
@@ skipping 131 matching lines @@
     {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_dss_export},
     {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_rsa_export},
 #endif
     {SSL_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
     {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                                     cipher_3des,   mac_sha, kea_dhe_rsa},
 #if 0
     {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
-    {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4,    mac_md5, kea_dh_anon_export},
     {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_anon_export},
     {SSL_DH_ANON_DES_CBC_SHA,       cipher_des,    mac_sha, kea_dh_anon},
     {SSL_DH_ANON_3DES_CBC_SHA,      cipher_3des,   mac_sha, kea_dh_anon},
 #endif
 
 
 /* New TLS cipher suites */
     {TLS_RSA_WITH_AES_128_CBC_SHA,      cipher_aes_128, mac_sha, kea_rsa},
     {TLS_DHE_DSS_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_dhe_dss},
@@ skipping 223 matching lines @@
 {
     if ((sizeof *x) == sizeof(PRInt32)) {
         PR_ATOMIC_INCREMENT((PRInt32 *)x);
     } else {
         tooLong * tl = (tooLong *)x;
         if (PR_ATOMIC_INCREMENT(&tl->low) == 0)
             PR_ATOMIC_INCREMENT(&tl->high);
     }
 }
 
+static PRBool
+ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite,
+                                  SSL3ProtocolVersion version)
+{
+    switch (cipherSuite) {
+    /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
+     * later. This set of cipher suites is similar to, but different from, the
+     * set of cipher suites considered exportable by SSL_IsExportCipherSuite.
+     */
+    case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
+    case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
+    /*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:      never implemented
+     *   SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:   never implemented
+     *   SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
+     *   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
+     *   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
+     *   SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5:     never implemented
+     *   SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:  never implemented
+     */
+        return version <= SSL_LIBRARY_VERSION_TLS_1_0;
+    default:
+        return PR_TRUE;
+    }
+}
+
 /* return pointer to ssl3CipherSuiteDef for suite, or NULL */
 /* XXX This does a linear search.  A binary search would be better. */
 static const ssl3CipherSuiteDef *
 ssl_LookupCipherSuiteDef(ssl3CipherSuite suite)
 {
     int cipher_suite_def_len =
         sizeof(cipher_suite_defs) / sizeof(cipher_suite_defs[0]);
     int i;
 
     for (i = 0; i < cipher_suite_def_len; i++) {
@@ skipping 323 matching lines @@
 
     switch (key->keyType) {
     case rsaKey:
         hashItem.data = hash->md5;
         hashItem.len = sizeof(SSL3Hashes);
         break;
     case dsaKey:
         hashItem.data = hash->sha;
         hashItem.len = sizeof(hash->sha);
         /* Allow DER encoded DSA signatures in SSL 3.0 */
-        if (isTLS || buf->len != DSA1_SIGNATURE_LEN) {
+        if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
             signature = DSAU_DecodeDerSig(buf);
             if (!signature) {
                 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
                 return SECFailure;
             }
             buf = signature;
         }
         break;
 
 #ifdef NSS_ENABLE_ECC
@@ skipping 45 matching lines @@
 /* Called from ssl3_ComputeExportRSAKeyHash
  *             ssl3_ComputeDHKeyHash
  * which are called from ssl3_HandleServerKeyExchange. 
  */
 SECStatus
 ssl3_ComputeCommonKeyHash(PRUint8 * hashBuf, unsigned int bufLen,
                              SSL3Hashes *hashes, PRBool bypassPKCS11)
 {
     SECStatus     rv            = SECSuccess;
 
+#ifndef NO_PKCS11_BYPASS
     if (bypassPKCS11) {
         MD5_HashBuf (hashes->md5, hashBuf, bufLen);
         SHA1_HashBuf(hashes->sha, hashBuf, bufLen);
-    } else {
+    } else 
+#endif
+    {
         rv = PK11_HashBuf(SEC_OID_MD5, hashes->md5, hashBuf, bufLen);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
             rv = SECFailure;
             goto done;
         }
 
         rv = PK11_HashBuf(SEC_OID_SHA1, hashes->sha, hashBuf, bufLen);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
@@ skipping 400 matching lines @@
 #endif /* NSS_ENABLE_ZLIB */
     default:
         PORT_Assert(0);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         return SECFailure;
     }
 
     return SECSuccess;
 }
 
+#ifndef NO_PKCS11_BYPASS
 /* Initialize encryption and MAC contexts for pending spec.
  * Master Secret already is derived in spec->msItem
  * Caller holds Spec write lock.
  */
 static SECStatus
 ssl3_InitPendingContextsBypass(sslSocket *ss)
 {
       ssl3CipherSpec  *  pwSpec;
       const ssl3BulkCipherDef *cipher_def;
       void *             serverContext = NULL;
@@ skipping 146 matching lines @@
     pwSpec->decodeContext = (ss->sec.isServer) ? clientContext : serverContext;
 
     ssl3_InitCompressionContext(pwSpec);
 
 success:
     return SECSuccess;
 
 bail_out:
     return SECFailure;
 }
+#endif
 
 /* This function should probably be moved to pk11wrap and be named 
  * PK11_ParamFromIVAndEffectiveKeyBits
  */
 static SECItem *
 ssl3_ParamFromIV(CK_MECHANISM_TYPE mtype, SECItem *iv, CK_ULONG ulEffectiveBits)
 {
     SECItem * param = PK11_ParamFromIV(mtype, iv);
     if (param && param->data  && param->len >= sizeof(CK_RC2_PARAMS)) {
         switch (mtype) {
@@ skipping 179 matching lines @@
 
     pwSpec        = ss->ssl3.pwSpec;
     cwSpec        = ss->ssl3.cwSpec;
 
     if (pms || (!pwSpec->msItem.len && !pwSpec->master_secret)) {
         rv = ssl3_DeriveMasterSecret(ss, pms);
         if (rv != SECSuccess) {
             goto done;  /* err code set by ssl3_DeriveMasterSecret */
         }
     }
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11 && pwSpec->msItem.len && pwSpec->msItem.data) {
         /* Double Bypass succeeded in extracting the master_secret */
         const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
         PRBool             isTLS   = (PRBool)(kea_def->tls_keygen ||
                                 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
         pwSpec->bypassCiphers = PR_TRUE;
         rv = ssl3_KeyAndMacDeriveBypass( pwSpec, 
                              (const unsigned char *)&ss->ssl3.hs.client_random,
                              (const unsigned char *)&ss->ssl3.hs.server_random,
                              isTLS, 
                              (PRBool)(kea_def->is_limited));
         if (rv == SECSuccess) {
             rv = ssl3_InitPendingContextsBypass(ss);
         }
-    } else if (pwSpec->master_secret) {
+    } else
+#endif
+    if (pwSpec->master_secret) {
         rv = ssl3_DeriveConnectionKeysPKCS11(ss);
         if (rv == SECSuccess) {
             rv = ssl3_InitPendingContextsPKCS11(ss);
         }
     } else {
         PORT_Assert(pwSpec->master_secret);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     }
     if (rv != SECSuccess) {
@@ skipping 65 matching lines @@
     SSL3ContentType    type,
     SSL3ProtocolVersion version,
     SSL3SequenceNumber seq_num,
     const SSL3Opaque * input,
     int                inputLength,
     unsigned char *    outbuf,
     unsigned int *     outLength)
 {
     const ssl3MACDef * mac_def;
     SECStatus          rv;
+#ifndef NO_PKCS11_BYPASS
     PRBool             isTLS;
+#endif
     unsigned int       tempLen;
     unsigned char      temp[MAX_MAC_LENGTH];
 
     temp[0] = (unsigned char)(seq_num.high >> 24);
     temp[1] = (unsigned char)(seq_num.high >> 16);
     temp[2] = (unsigned char)(seq_num.high >>  8);
     temp[3] = (unsigned char)(seq_num.high >>  0);
     temp[4] = (unsigned char)(seq_num.low  >> 24);
     temp[5] = (unsigned char)(seq_num.low  >> 16);
     temp[6] = (unsigned char)(seq_num.low  >>  8);
     temp[7] = (unsigned char)(seq_num.low  >>  0);
     temp[8] = type;
 
     /* TLS MAC includes the record's version field, SSL's doesn't.
     ** We decide which MAC defintiion to use based on the version of 
     ** the protocol that was negotiated when the spec became current,
     ** NOT based on the version value in the record itself.
     ** But, we use the record'v version value in the computation.
     */
     if (spec->version <= SSL_LIBRARY_VERSION_3_0) {
         temp[9]  = MSB(inputLength);
         temp[10] = LSB(inputLength);
         tempLen  = 11;
+#ifndef NO_PKCS11_BYPASS
         isTLS    = PR_FALSE;
+#endif
     } else {
         /* New TLS hash includes version. */
         if (isDTLS) {
             SSL3ProtocolVersion dtls_version;
 
             dtls_version = dtls_TLSVersionToDTLSVersion(version);
             temp[9]  = MSB(dtls_version);
             temp[10] = LSB(dtls_version);
         } else {
             temp[9]  = MSB(version);
             temp[10] = LSB(version);
         }
         temp[11] = MSB(inputLength);
         temp[12] = LSB(inputLength);
         tempLen  = 13;
+#ifndef NO_PKCS11_BYPASS
         isTLS    = PR_TRUE;
+#endif
     }
 
     PRINT_BUF(95, (NULL, "frag hash1: temp", temp, tempLen));
     PRINT_BUF(95, (NULL, "frag hash1: input", input, inputLength));
 
     mac_def = spec->mac_def;
     if (mac_def->mac == mac_null) {
         *outLength = 0;
         return SECSuccess;
     }
-    if (! spec->bypassCiphers) {
-        PK11Context *mac_context = 
-            (useServerMacKey ? spec->server.write_mac_context
-                             : spec->client.write_mac_context);
-        rv  = PK11_DigestBegin(mac_context);
-        rv |= PK11_DigestOp(mac_context, temp, tempLen);
-        rv |= PK11_DigestOp(mac_context, input, inputLength);
-        rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
-    } else {
+#ifndef NO_PKCS11_BYPASS
+    if (spec->bypassCiphers) {
         /* bypass version */
         const SECHashObject *hashObj = NULL;
         unsigned int       pad_bytes = 0;
         PRUint64           write_mac_context[MAX_MAC_CONTEXT_LLONGS];
 
         switch (mac_def->mac) {
         case ssl_mac_null:
             *outLength = 0;
             return SECSuccess;
         case ssl_mac_md5:
@@ skipping 62 matching lines @@
             }
             if (rv == SECSuccess) {
                 HMAC_Begin(cx);
                 HMAC_Update(cx, temp, tempLen);
                 HMAC_Update(cx, input, inputLength);
                 rv = HMAC_Finish(cx, outbuf, outLength, spec->mac_size);
                 HMAC_Destroy(cx, PR_FALSE);
             }
 #undef cx
         }
+    } else
+#endif
+    {
+        PK11Context *mac_context = 
+            (useServerMacKey ? spec->server.write_mac_context
+                             : spec->client.write_mac_context);
+        rv  = PK11_DigestBegin(mac_context);
+        rv |= PK11_DigestOp(mac_context, temp, tempLen);
+        rv |= PK11_DigestOp(mac_context, input, inputLength);
+        rv |= PK11_DigestFinal(mac_context, outbuf, outLength, spec->mac_size);
     }
 
     PORT_Assert(rv != SECSuccess || *outLength == (unsigned)spec->mac_size);
 
     PRINT_BUF(95, (NULL, "frag hash2: result", outbuf, *outLength));
 
     if (rv != SECSuccess) {
         rv = SECFailure;
         ssl_MapLowLevelError(SSL_ERROR_MAC_COMPUTATION_FAILURE);
     }
@@ skipping 765 matching lines @@
     default:                            desc = bad_certificate;     break;
     }
     SSL_DBG(("%d: SSL3[%d]: peer certificate is no good: error=%d",
              SSL_GETPID(), ss->fd, errCode));
 
     (void) SSL3_SendAlert(ss, alert_fatal, desc);
 }
 
 
 /*
- * Send handshake_Failure alert.  Set generic error number.
+ * Send decode_error alert.  Set generic error number.
  */
 SECStatus
 ssl3_DecodeError(sslSocket *ss)
 {
     (void)SSL3_SendAlert(ss, alert_fatal, 
                   ss->version > SSL_LIBRARY_VERSION_3_0 ? decode_error 
                                                         : illegal_parameter);
     PORT_SetError( ss->sec.isServer ? SSL_ERROR_BAD_CLIENT
                                     : SSL_ERROR_BAD_SERVER );
     return SECFailure;
@@ skipping 350 matching lines @@
             }
         }
         if (fpms) {
             PK11_FreeSymKey(fpms);
         }
     }
     if (pwSpec->master_secret == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
         return rv;
     }
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         SECItem * keydata;
         /* In hope of doing a "double bypass", 
          * need to extract the master secret's value from the key object 
          * and store it raw in the sslSocket struct.
          */
         rv = PK11_ExtractKeyValue(pwSpec->master_secret);
         if (rv != SECSuccess) {
 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
             /* The double bypass failed.  
@@ skipping 15 matching lines @@
         keydata = PK11_GetKeyData(pwSpec->master_secret);
         if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
             memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
             pwSpec->msItem.data = pwSpec->raw_master_secret;
             pwSpec->msItem.len  = keydata->len;
         } else {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
     }
+#endif
     return SECSuccess;
 }
 
 
 /* 
  * Derive encryption and MAC Keys (and IVs) from master secret
  * Sets a useful error code when returning SECFailure.
  *
  * Called only from ssl3_InitPendingCipherSpec(),
  * which in turn is called from
@@ skipping 127 matching lines @@
     if (symKey) PK11_FreeSymKey(symKey);
     ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
     return SECFailure;
 }
 
 static SECStatus 
 ssl3_RestartHandshakeHashes(sslSocket *ss)
 {
     SECStatus rv = SECSuccess;
 
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         ss->ssl3.hs.messages.len = 0;
         MD5_Begin((MD5Context *)ss->ssl3.hs.md5_cx);
         SHA1_Begin((SHA1Context *)ss->ssl3.hs.sha_cx);
-    } else {
+    } else 
+#endif
+    {
         rv = PK11_DigestBegin(ss->ssl3.hs.md5);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
             return rv;
         }
         rv = PK11_DigestBegin(ss->ssl3.hs.sha);
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
             return rv;
         }
     }
     return rv;
 }
 
 static SECStatus
 ssl3_NewHandshakeHashes(sslSocket *ss)
 {
     PK11Context *md5  = NULL;
     PK11Context *sha  = NULL;
 
     /*
      * note: We should probably lookup an SSL3 slot for these
      * handshake hashes in hopes that we wind up with the same slots
      * that the master secret will wind up in ...
      */
     SSL_TRC(30,("%d: SSL3[%d]: start handshake hashes", SSL_GETPID(), ss->fd));
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         PORT_Assert(!ss->ssl3.hs.messages.buf && !ss->ssl3.hs.messages.space);
         ss->ssl3.hs.messages.buf = NULL;
         ss->ssl3.hs.messages.space = 0;
-    } else {
+    } else 
+#endif
+    {
         ss->ssl3.hs.md5 = md5 = PK11_CreateDigestContext(SEC_OID_MD5);
         ss->ssl3.hs.sha = sha = PK11_CreateDigestContext(SEC_OID_SHA1);
         if (md5 == NULL) {
             ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
             goto loser;
         }
         if (sha == NULL) {
             ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
             goto loser;
         }
@@ skipping 27 matching lines @@
 static SECStatus
 ssl3_UpdateHandshakeHashes(sslSocket *ss, const unsigned char *b,
                            unsigned int l)
 {
     SECStatus  rv = SECSuccess;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     PRINT_BUF(90, (NULL, "MD5 & SHA handshake hash input:", b, l));
 
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         MD5_Update((MD5Context *)ss->ssl3.hs.md5_cx, b, l);
         SHA1_Update((SHA1Context *)ss->ssl3.hs.sha_cx, b, l);
 #if defined(NSS_SURVIVE_DOUBLE_BYPASS_FAILURE)
         rv = sslBuffer_Append(&ss->ssl3.hs.messages, b, l);
 #endif
         return rv;
     }
+#endif
     rv = PK11_DigestOp(ss->ssl3.hs.md5, b, l);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
         return rv;
     }
     rv = PK11_DigestOp(ss->ssl3.hs.sha, b, l);
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
         return rv;
     }
@@ skipping 273 matching lines @@
                             PRUint32        sender)
 {
     SECStatus     rv        = SECSuccess;
     PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
     unsigned int  outLength;
     SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
     SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         /* compute them without PKCS11 */
         PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
         PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
 
 #define md5cx ((MD5Context *)md5_cx)
 #define shacx ((SHA1Context *)sha_cx)
 
         if (!spec->msItem.data) {
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
@@ skipping 62 matching lines @@
             SHA1_Update(shacx, mac_pad_2, mac_defs[mac_sha].pad_size);
             SHA1_Update(shacx, sha_inner, SHA1_LENGTH);
         }
         SHA1_End(shacx, hashes->sha, &outLength, SHA1_LENGTH);
 
         PRINT_BUF(60, (NULL, "SHA outer: result", hashes->sha, SHA1_LENGTH));
 
         rv = SECSuccess;
 #undef md5cx
 #undef shacx
-    } else {
+    } else 
+#endif
+    {
         /* compute hases with PKCS11 */
         PK11Context * md5;
         PK11Context * sha       = NULL;
         unsigned char *md5StateBuf = NULL;
         unsigned char *shaStateBuf = NULL;
         unsigned int  md5StateLen, shaStateLen;
         unsigned char md5StackBuf[256];
         unsigned char shaStackBuf[512];
 
         if (!spec->master_secret) {
@@ skipping 452 matching lines @@
     if (IS_DTLS(ss)) {
         length += 1 + ss->ssl3.hs.cookieLen;
     }
 
     rv = ssl3_AppendHandshakeHeader(ss, client_hello, length);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_AppendHandshake* */
     }
 
     if (ss->firstHsDone) {
-        /* Work around the Windows SChannel bug described above. */ 
+        /* The client hello version must stay unchanged to work around
+         * the Windows SChannel bug described above. */
         PORT_Assert(ss->version == ss->clientHelloVersion);
     }
     ss->clientHelloVersion = ss->version;
     if (IS_DTLS(ss)) {
         PRUint16 version;
 
         version = dtls_TLSVersionToDTLSVersion(ss->clientHelloVersion);
         rv = ssl3_AppendHandshakeNumber(ss, version, 2);
     } else {
         rv = ssl3_AppendHandshakeNumber(ss, ss->clientHelloVersion, 2);
@@ skipping 595 matching lines @@
     }
 
 loser:
 done:
     PZ_Unlock(symWrapKeysLock);
     return unwrappedWrappingKey;
 }
 
 /* hexEncode hex encodes |length| bytes from |in| and writes it as |length*2|
  * bytes to |out|. */
-static void hexEncode(char *out, const unsigned char *in, size_t length) {
+static void
+hexEncode(char *out, const unsigned char *in, unsigned int length)
+{
     static const char hextable[] = "0123456789abcdef";
-    size_t i;
+    unsigned int i;
 
     for (i = 0; i < length; i++) {
         *(out++) = hextable[in[i] >> 4];
         *(out++) = hextable[in[i] & 15];
     }
 }
 
 /* Called from ssl3_SendClientKeyExchange(). */
 /* Presently, this always uses PKCS11.  There is no bypass for this. */
 static SECStatus
@@ skipping 449 matching lines @@
     }
 
     /* find selected cipher suite in our list. */
     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (temp < 0) {
         goto loser;     /* alert has been sent */
     }
     ssl3_config_match_init(ss);
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-        if ((temp == suite->cipher_suite) &&
-            (config_match(suite, ss->ssl3.policy, PR_TRUE))) {
+        if (temp == suite->cipher_suite) {
+            if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) {
+                break;  /* failure */
+            }
+            if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+                                                   ss->version)) {
+                desc    = handshake_failure;
+                errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
+                goto alert_loser;
+            }
+        
             suite_found = PR_TRUE;
             break;      /* success */
         }
     }
     if (!suite_found) {
         desc    = handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
     ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
     ss->ssl3.hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
     PORT_Assert(ss->ssl3.hs.suite_def);
     if (!ss->ssl3.hs.suite_def) {
         PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
         goto loser;     /* we don't send alerts for our screw-ups. */
     }
 
     /* find selected compression method in our list. */
     temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
     if (temp < 0) {
         goto loser;     /* alert has been sent */
     }
     suite_found = PR_FALSE;
     for (i = 0; i < compressionMethodsCount; i++) {
-        if (temp == compressions[i] &&
-            compressionEnabled(ss, compressions[i]))  {
+        if (temp == compressions[i]) {
+            if (!compressionEnabled(ss, compressions[i])) {
+                break;  /* failure */
+            }
             suite_found = PR_TRUE;
             break;      /* success */
         }
     }
     if (!suite_found) {
         desc    = handshake_failure;
         errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
         goto alert_loser;
     }
     ss->ssl3.hs.compression = (SSLCompressionMethod)temp;
@@ skipping 64 matching lines @@
         /* 3 cases here:
          * a) key is wrapped (implies using PKCS11)
          * b) key is unwrapped, but we're still using PKCS11
          * c) key is unwrapped, and we're bypassing PKCS11.
          */
         if (sid->u.ssl3.keys.msIsWrapped) {
             PK11SlotInfo *slot;
             PK11SymKey *  wrapKey;     /* wrapping key */
             CK_FLAGS      keyFlags      = 0;
 
+#ifndef NO_PKCS11_BYPASS
             if (ss->opt.bypassPKCS11) {
                 /* we cannot restart a non-bypass session in a 
                 ** bypass socket.
                 */
                 break;  
             }
+#endif
             /* unwrap master secret with PKCS11 */
             slot = SECMOD_LookupSlot(sid->u.ssl3.masterModuleID,
                                      sid->u.ssl3.masterSlotID);
             if (slot == NULL) {
                 break;          /* not considered an error. */
             }
             if (!PK11_IsPresent(slot)) {
                 PK11_FreeSlot(slot);
                 break;          /* not considered an error. */
             }
@@ skipping 14 matching lines @@
             wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
             pwSpec->master_secret =
                 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
                             NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
                             CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
             errCode = PORT_GetError();
             PK11_FreeSymKey(wrapKey);
             if (pwSpec->master_secret == NULL) {
                 break;  /* errorCode set just after call to UnwrapSymKey. */
             }
+#ifndef NO_PKCS11_BYPASS
         } else if (ss->opt.bypassPKCS11) {
             /* MS is not wrapped */
             wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
             wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
             memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
             pwSpec->msItem.data = pwSpec->raw_master_secret;
             pwSpec->msItem.len  = wrappedMS.len;
+#endif
         } else {
             /* We CAN restart a bypass session in a non-bypass socket. */
             /* need to import the raw master secret to session object */
             PK11SlotInfo *slot = PK11_GetInternalSlot();
             wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
             wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
             pwSpec->master_secret =  
                 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 
                                   PK11_OriginUnwrap, CKA_ENCRYPT, 
                                   &wrappedMS, NULL);
@@ skipping 17 matching lines @@
             ss->ssl3.hs.ws = wait_change_cipher;
 
         ss->ssl3.hs.isResuming = PR_TRUE;
 
         /* copy the peer cert from the SID */
         if (sid->peerCert != NULL) {
             ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
             ssl3_CopyPeerCertsFromSID(ss, sid);
         }
 
+
         /* NULL value for PMS signifies re-use of the old MS */
         rv = ssl3_InitPendingCipherSpec(ss,  NULL);
         if (rv != SECSuccess) {
             goto alert_loser;   /* err code was set */
         }
         goto winner;
     } while (0);
 
     if (sid_match)
         SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
@@ skipping 42 matching lines @@
     return SECSuccess;
 
 alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
     errCode = ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
 
-/* ssl3_BigIntGreaterThan1 returns true iff |mpint|, taken as an unsigned,
+/* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned,
  * big-endian integer is > 1 */
 static PRBool
-ssl3_BigIntGreaterThan1(const SECItem* mpint) {
+ssl3_BigIntGreaterThanOne(const SECItem* mpint) {
     unsigned char firstNonZeroByte = 0;
     unsigned int i;
 
     for (i = 0; i < mpint->len; i++) {
         if (mpint->data[i]) {
             firstNonZeroByte = mpint->data[i];
             break;
         }
     }
 
     if (firstNonZeroByte == 0)
         return PR_FALSE;
     if (firstNonZeroByte > 1)
         return PR_TRUE;
 
-    // firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte
-    // is followed by another byte.
+    /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte
+     * is followed by another byte. */
     return (i < mpint->len - 1);
 }
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 ServerKeyExchange message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
@@ skipping 114 matching lines @@
             goto loser;         /* malformed. */
         }
         if (dh_p.len < 512/8) {
             errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
             goto alert_loser;
         }
         rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
-        if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThan1(&dh_g))
+        if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
             goto alert_loser;
         rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
-        if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThan1(&dh_Ys))
+        if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
             goto alert_loser;
         rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
         if (length != 0) {
             if (isTLS)
                 desc = decode_error;
             goto alert_loser;           /* malformed. */
         }
@@ skipping 1127 matching lines @@
 #ifndef PARANOID
     /* Look for a matching cipher suite. */
     j = ssl3_config_match_init(ss);
     if (j <= 0) {               /* no ciphers are working/supported by PK11 */
         errCode = PORT_GetError();      /* error code is already set. */
         goto alert_loser;
     }
 #endif
 
     /* Select a cipher suite.
+    **
     ** NOTE: This suite selection algorithm should be the same as the one in
-    ** ssl3_HandleV2ClientHello().  
+    ** ssl3_HandleV2ClientHello().
+    **
+    ** If TLS 1.0 is enabled, we could handle the case where the client
+    ** offered TLS 1.1 but offered only export cipher suites by choosing TLS
+    ** 1.0 and selecting one of those export cipher suites. However, a secure
+    ** TLS 1.1 client should not have export cipher suites enabled at all,
+    ** and a TLS 1.1 client should definitely not be offering *only* export
+    ** cipher suites. Therefore, we refuse to negotiate export cipher suites
+    ** with any client that indicates support for TLS 1.1 or higher when we
+    ** (the server) have TLS 1.1 support enabled.
     */
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-        if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
+        if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+            !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+                                               ss->version)) {
             continue;
+        }
         for (i = 0; i + 1 < suites.len; i += 2) {
             PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
             if (suite_i == suite->cipher_suite) {
                 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
                 ss->ssl3.hs.suite_def =
                     ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
                 goto suite_found;
             }
         }
     }
     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
     goto alert_loser;
 
 suite_found:
     /* Look for a matching compression algorithm. */
     for (i = 0; i < comps.len; i++) {
+        if (!compressionEnabled(ss, comps.data[i]))
+            continue;
         for (j = 0; j < compressionMethodsCount; j++) {
-            if (comps.data[i] == compressions[j] &&
-                compressionEnabled(ss, compressions[j])) {
+            if (comps.data[i] == compressions[j]) {
                 ss->ssl3.hs.compression = 
                                         (SSLCompressionMethod)compressions[j];
                 goto compression_found;
             }
         }
     }
     errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
                                 /* null compression must be supported */
     goto alert_loser;
 
 compression_found:
     suites.data = NULL;
     comps.data = NULL;
 
     ss->sec.send = ssl3_SendApplicationData;
 
     /* If there are any failures while processing the old sid,
      * we don't consider them to be errors.  Instead, We just behave
      * as if the client had sent us no sid to begin with, and make a new one.
      */
     if (sid != NULL) do {
         ssl3CipherSpec *pwSpec;
         SECItem         wrappedMS;      /* wrapped key */
 
         if (sid->version != ss->version  ||
-            sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite) {
+            sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite ||
+            sid->u.ssl3.compression != ss->ssl3.hs.compression) {
             break;      /* not an error */
         }
 
         if (ss->sec.ci.sid) {
             if (ss->sec.uncache)
                 ss->sec.uncache(ss->sec.ci.sid);
             PORT_Assert(ss->sec.ci.sid != sid);  /* should be impossible, but ... */
             if (ss->sec.ci.sid != sid) {
                 ssl_FreeSID(ss->sec.ci.sid);
             }
             ss->sec.ci.sid = NULL;
         }
         /* we need to resurrect the master secret.... */
 
         ssl_GetSpecWriteLock(ss);  haveSpecWriteLock = PR_TRUE;
         pwSpec = ss->ssl3.pwSpec;
         if (sid->u.ssl3.keys.msIsWrapped) {
             PK11SymKey *    wrapKey;    /* wrapping key */
             CK_FLAGS        keyFlags      = 0;
+#ifndef NO_PKCS11_BYPASS
             if (ss->opt.bypassPKCS11) {
                 /* we cannot restart a non-bypass session in a 
                 ** bypass socket.
                 */
                 break;  
             }
+#endif
 
             wrapKey = getWrappingKey(ss, NULL, sid->u.ssl3.exchKeyType,
                                      sid->u.ssl3.masterWrapMech, 
                                      ss->pkcs11PinArg);
             if (!wrapKey) {
                 /* we have a SID cache entry, but no wrapping key for it??? */
                 break;
             }
 
             if (ss->version > SSL_LIBRARY_VERSION_3_0) {        /* isTLS */
                 keyFlags = CKF_SIGN | CKF_VERIFY;
             }
 
             wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
             wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
 
             /* unwrap the master secret. */
             pwSpec->master_secret =
                 PK11_UnwrapSymKeyWithFlags(wrapKey, sid->u.ssl3.masterWrapMech, 
                             NULL, &wrappedMS, CKM_SSL3_MASTER_KEY_DERIVE,
                             CKA_DERIVE, sizeof(SSL3MasterSecret), keyFlags);
             PK11_FreeSymKey(wrapKey);
             if (pwSpec->master_secret == NULL) {
                 break;  /* not an error */
             }
+#ifndef NO_PKCS11_BYPASS
         } else if (ss->opt.bypassPKCS11) {
             wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
             wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
             memcpy(pwSpec->raw_master_secret, wrappedMS.data, wrappedMS.len);
             pwSpec->msItem.data = pwSpec->raw_master_secret;
             pwSpec->msItem.len  = wrappedMS.len;
+#endif
         } else {
             /* We CAN restart a bypass session in a non-bypass socket. */
             /* need to import the raw master secret to session object */
             PK11SlotInfo * slot;
             wrappedMS.data = sid->u.ssl3.keys.wrapped_master_secret;
             wrappedMS.len  = sid->u.ssl3.keys.wrapped_master_secret_len;
             slot = PK11_GetInternalSlot();
             pwSpec->master_secret =  
                 PK11_ImportSymKey(slot, CKM_SSL3_MASTER_KEY_DERIVE, 
                                   PK11_OriginUnwrap, CKA_ENCRYPT, &wrappedMS, 
@@ skipping 383 matching lines @@
     /* Disable any ECC cipher suites for which we have no cert. */
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
     i = ssl3_config_match_init(ss);
     if (i <= 0) {
         errCode = PORT_GetError();      /* error code is already set. */
         goto alert_loser;
     }
 
     /* Select a cipher suite.
+    **
     ** NOTE: This suite selection algorithm should be the same as the one in
-    ** ssl3_HandleClientHello().  
+    ** ssl3_HandleClientHello().
+    **
+    ** See the comments about export cipher suites in ssl3_HandleClientHello().
     */
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
-        if (!config_match(suite, ss->ssl3.policy, PR_TRUE))
+        if (!config_match(suite, ss->ssl3.policy, PR_TRUE) ||
+            !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite,
+                                               ss->version)) {
             continue;
+        }
         for (i = 0; i+2 < suite_length; i += 3) {
             PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
             if (suite_i == suite->cipher_suite) {
                 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
                 ss->ssl3.hs.suite_def =
                     ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
                 goto suite_found;
             }
         }
     }
@@ skipping 305 matching lines @@
     ca_list = ss->ssl3.ca_list;
     if (!ca_list) {
         ca_list = ssl3_server_ca_list;
     }
 
     if (ca_list != NULL) {
         names = ca_list->names;
         nnames = ca_list->nnames;
     }
 
-    /* There used to be a test here to require a CA, but there
-     * are cases where you want to have no CAs offered. */
     for (i = 0, name = names; i < nnames; i++, name++) {
         calen += 2 + name->len;
     }
 
     certTypes       = certificate_types;
     certTypesLength = sizeof certificate_types;
 
     length = 1 + certTypesLength + 2 + calen;
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
@@ skipping 185 matching lines @@
  *
  * Called from ssl3_HandleClientKeyExchange
  */
 static SECStatus
 ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
                                 SSL3Opaque *b,
                                 PRUint32 length,
                                 SECKEYPrivateKey *serverKey)
 {
     PK11SymKey *      pms;
+#ifndef NO_PKCS11_BYPASS
     unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
     unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
     ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
     unsigned int      outLen = 0;
+#endif
     PRBool            isTLS  = PR_FALSE;
     SECStatus         rv;
     SECItem           enc_pms;
     unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
     SECItem           pmsItem = {siBuffer, NULL, 0};
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     enc_pms.data = b;
     enc_pms.len  = length;
     pmsItem.data = rsaPmsBuf;
     pmsItem.len  = sizeof rsaPmsBuf;
 
     if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
         PRInt32 kLen;
         kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
         if (kLen < 0) {
             PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
             return SECFailure;
         }
         if ((unsigned)kLen < enc_pms.len) {
             enc_pms.len = kLen;
         }
         isTLS = PR_TRUE;
     } else {
         isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
     }
 
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         /* TRIPLE BYPASS, get PMS directly from RSA decryption.
          * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, 
          * then, check for version rollback attack, then 
          * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in 
          * pwSpec->msItem.  Finally call ssl3_InitPendingCipherSpec with 
          * ss and NULL, so that it will use the MS we've already derived here. 
          */
 
         rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
@@ skipping 16 matching lines @@
         }
         /* have PMS, build MS without PKCS11 */
         rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
                                         PR_TRUE);
         if (rv != SECSuccess) {
             pwSpec->msItem.data = pwSpec->raw_master_secret;
             pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
             PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
         }
         rv = ssl3_InitPendingCipherSpec(ss,  NULL);
-    } else {
+    } else 
+#endif
+    {
+#ifndef NO_PKCS11_BYPASS
 double_bypass:
+#endif
         /*
          * unwrap pms out of the incoming buffer
          * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do 
          *      the unwrap.  Rather, it is the mechanism with which the 
          *      unwrapped pms will be used.
          */
         pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
                                    CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
         if (pms != NULL) {
             PRINT_BUF(60, (ss, "decrypted premaster secret:",
@@ skipping 871 matching lines @@
 
         rv  = PK11_DigestBegin(prf_context);
         rv |= PK11_DigestOp(prf_context, (unsigned char *) label, labelLen);
         rv |= PK11_DigestOp(prf_context, val, valLen);
         rv |= PK11_DigestFinal(prf_context, out, &retLen, outLen);
         PORT_Assert(rv != SECSuccess || retLen == outLen);
 
         PK11_DestroyContext(prf_context, PR_TRUE);
     } else {
         /* bypass PKCS11 */
+#ifdef NO_PKCS11_BYPASS
+        PORT_Assert(spec->master_secret);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        rv = SECFailure;
+#else
         SECItem inData  = { siBuffer, };
         SECItem outData = { siBuffer, };
         PRBool isFIPS   = PR_FALSE;
 
         inData.data  = (unsigned char *) val;
         inData.len   = valLen;
         outData.data = out;
         outData.len  = outLen;
         rv = TLS_PRF(&spec->msItem, label, &inData, &outData, isFIPS);
         PORT_Assert(rv != SECSuccess || outData.len == outLen);
+#endif
     }
     return rv;
 }
 
 /* called from ssl3_HandleServerHelloDone
  */
 static SECStatus
 ssl3_SendNextProto(sslSocket *ss)
 {
     SECStatus rv;
@@ skipping 18 matching lines @@
     if (rv != SECSuccess) {
         return rv;      /* error code set by AppendHandshake */
     }
     rv = ssl3_AppendHandshakeVariable(ss, padding, padding_len, 1);
     if (rv != SECSuccess) {
         return rv;      /* error code set by AppendHandshake */
     }
     return rv;
 }
 
+/* called from ssl3_SendFinished
+ *
+ * This function is simply a debugging aid and therefore does not return a
+ * SECStatus. */
+static void
+ssl3_RecordKeyLog(sslSocket *ss)
+{
+    sslSessionID *sid;
+    SECStatus rv;
+    SECItem *keyData;
+    char buf[14 /* "CLIENT_RANDOM " */ +
+             SSL3_RANDOM_LENGTH*2 /* client_random */ +
+             1 /* " " */ +
+             48*2 /* master secret */ +
+             1 /* new line */];
+    unsigned int j;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+
+    sid = ss->sec.ci.sid;
+
+    if (!ssl_keylog_iob)
+        return;
+
+    rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
+    if (rv != SECSuccess)
+        return;
+
+    ssl_GetSpecReadLock(ss);
+
+    /* keyData does not need to be freed. */
+    keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
+    if (!keyData || !keyData->data || keyData->len != 48) {
+        ssl_ReleaseSpecReadLock(ss);
+        return;
+    }
+
+    /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
+
+    /* There could be multiple, concurrent writers to the
+     * keylog, so we have to do everything in a single call to
+     * fwrite. */
+
+    memcpy(buf, "CLIENT_RANDOM ", 14);
+    j = 14;
+    hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
+    j += SSL3_RANDOM_LENGTH*2;
+    buf[j++] = ' ';
+    hexEncode(buf + j, keyData->data, 48);
+    j += 48*2;
+    buf[j++] = '\n';
+
+    PORT_Assert(j == sizeof(buf));
+
+    ssl_ReleaseSpecReadLock(ss);
+
+    if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
+        return;
+    fflush(ssl_keylog_iob);
+    return;
+}
+
 /* called from ssl3_SendClientSecondRound
  *           ssl3_HandleFinished
  */
 static SECStatus
 ssl3_SendEncryptedExtensions(sslSocket *ss)
 {
     static const char CHANNEL_ID_MAGIC[] = "TLS Channel ID signature";
     /* This is the ASN.1 prefix for a P-256 public key. Specifically it's:
      * SEQUENCE
      *   SEQUENCE
@@ skipping 138 matching lines @@
     if (ss->ssl3.channelIDPub)
         SECKEY_DestroyPublicKey(ss->ssl3.channelIDPub);
 
     ss->handshake = ssl_GatherRecord1stHandshake;
     ss->ssl3.channelID = channelID;
     ss->ssl3.channelIDPub = channelIDPub;
 
     return SECSuccess;
 }
 
-/* called from ssl3_SendFinished
- *
- * Caller must already hold the SpecReadLock. (wish we could assert that!).
- * This function is simply a debugging aid and therefore does not return a
- * SECStatus. */
-static void
-ssl3_RecordKeyLog(sslSocket *ss)
-{
-    sslSessionID *sid;
-    SECStatus rv;
-    SECItem *keyData;
-    char buf[14 /* "CLIENT_RANDOM " */ +
-             SSL3_RANDOM_LENGTH*2 /* client_random */ +
-             1 /* " " */ +
-             48*2 /* master secret */ +
-             1 /* new line */];
-    unsigned int j;
-
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-
-    sid = ss->sec.ci.sid;
-
-    if (!ssl_keylog_iob)
-        return;
-
-    rv = PK11_ExtractKeyValue(ss->ssl3.cwSpec->master_secret);
-    if (rv != SECSuccess)
-        return;
-
-    ssl_GetSpecReadLock(ss);
-
-    /* keyData does not need to be freed. */
-    keyData = PK11_GetKeyData(ss->ssl3.cwSpec->master_secret);
-    if (!keyData || !keyData->data || keyData->len != 48) {
-        ssl_ReleaseSpecReadLock(ss);
-        return;
-    }
-
-    /* https://developer.mozilla.org/en/NSS_Key_Log_Format */
-
-    /* There could be multiple, concurrent writers to the
-     * keylog, so we have to do everything in a single call to
-     * fwrite. */
-
-    memcpy(buf, "CLIENT_RANDOM ", 14);
-    j = 14;
-    hexEncode(buf + j, ss->ssl3.hs.client_random.rand, SSL3_RANDOM_LENGTH);
-    j += SSL3_RANDOM_LENGTH*2;
-    buf[j++] = ' ';
-    hexEncode(buf + j, keyData->data, 48);
-    j += 48*2;
-    buf[j++] = '\n';
-
-    PORT_Assert(j == sizeof(buf));
-
-    ssl_ReleaseSpecReadLock(ss);
-
-    if (fwrite(buf, sizeof(buf), 1, ssl_keylog_iob) != 1)
-        return;
-    fflush(ssl_keylog_iob);
-    return;
-}
-
 /* called from ssl3_HandleServerHelloDone
  *             ssl3_HandleClientHello
  *             ssl3_HandleFinished
  */
 static SECStatus
 ssl3_SendFinished(sslSocket *ss, PRInt32 flags)
 {
     ssl3CipherSpec *cwSpec;
     PRBool          isTLS;
     PRBool          isServer = ss->sec.isServer;
@@ skipping 685 matching lines @@
             buf->len -= ss->ssl3.hs.msg_len;
             ss->ssl3.hs.msg_len = 0;
             ss->ssl3.hs.header_bytes = 0;
             if (rv != SECSuccess) { /* return if SECWouldBlock. */
                 return rv;
             }
         } else {
             /* must be copied to msg_body and dealt with from there */
             unsigned int bytes;
 
-            PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
+            PORT_Assert(ss->ssl3.hs.msg_body.len < ss->ssl3.hs.msg_len);
             bytes = PR_MIN(buf->len, ss->ssl3.hs.msg_len - ss->ssl3.hs.msg_body.len);
 
             /* Grow the buffer if needed */
             rv = sslBuffer_Grow(&ss->ssl3.hs.msg_body, ss->ssl3.hs.msg_len);
             if (rv != SECSuccess) {
                 /* sslBuffer_Grow has set a memory error code. */
                 return SECFailure;
             }
 
             PORT_Memcpy(ss->ssl3.hs.msg_body.buf + ss->ssl3.hs.msg_body.len,
                         buf->buf, bytes);
             ss->ssl3.hs.msg_body.len += bytes;
             buf->buf += bytes;
             buf->len -= bytes;
 
             PORT_Assert(ss->ssl3.hs.msg_body.len <= ss->ssl3.hs.msg_len);
 
             /* if we have a whole message, do it */
             if (ss->ssl3.hs.msg_body.len == ss->ssl3.hs.msg_len) {
                 rv = ssl3_HandleHandshakeMessage(
                     ss, ss->ssl3.hs.msg_body.buf, ss->ssl3.hs.msg_len);
-                /*
-                 * XXX This appears to be wrong.  This error handling
-                 * should clean up after a SECWouldBlock return, like the
-                 * error handling used 40 lines before/above this one,
-                 */
-                if (rv != SECSuccess) {
-                    /* ssl3_HandleHandshakeMessage MUST set error code. */
+                if (rv == SECFailure) {
+                    /* This test wants to fall through on either
+                     * SECSuccess or SECWouldBlock.
+                     * ssl3_HandleHandshakeMessage MUST set error code.
+                     */
                     return rv;
                 }
                 ss->ssl3.hs.msg_body.len = 0;
-                ss->ssl3.hs.msg_len      = 0;
+                ss->ssl3.hs.msg_len = 0;
                 ss->ssl3.hs.header_bytes = 0;
+                if (rv != SECSuccess) { /* return if SECWouldBlock. */
+                    return rv;
+                }
             } else {
                 PORT_Assert(buf->len == 0);
                 break;
             }
         }
     }   /* end loop */
 
     origBuf->len = 0;   /* So ssl3_GatherAppDataRecord will keep looping. */
     buf->buf = NULL;    /* not a leak. */
     return SECSuccess;
@@ skipping 468 matching lines @@
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     if (IS_DTLS(ss)) {
         ss->ssl3.hs.sendMessageSeq = 0;
         ss->ssl3.hs.recvMessageSeq = 0;
         ss->ssl3.hs.rtTimeoutMs = INITIAL_DTLS_TIMEOUT_MS;
         ss->ssl3.hs.rtRetries = 0;
-
-        /* Have to allocate this because ssl_FreeSocket relocates
-         * this structure in DEBUG mode */
-        if (!(ss->ssl3.hs.lastMessageFlight = PORT_New(PRCList)))
-            return SECFailure;
         ss->ssl3.hs.recvdHighWater = -1;
-        PR_INIT_CLIST(ss->ssl3.hs.lastMessageFlight);
+        PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
         dtls_SetMTU(ss, 0); /* Set the MTU to the highest plateau */
     }
 
     rv = ssl3_NewHandshakeHashes(ss);
     if (rv == SECSuccess) {
         ss->ssl3.initialized = PR_TRUE;
     }
 
     return rv;
 }
@@ skipping 352 matching lines @@
 
     if (ss->ssl3.peerCertArena != NULL)
         ssl3_CleanupPeerCerts(ss);
 
     if (ss->ssl3.clientCertChain != NULL) {
        CERT_DestroyCertificateList(ss->ssl3.clientCertChain);
        ss->ssl3.clientCertChain = NULL;
     }
 
     /* clean up handshake */
+#ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         SHA1_DestroyContext((SHA1Context *)ss->ssl3.hs.sha_cx, PR_FALSE);
         MD5_DestroyContext((MD5Context *)ss->ssl3.hs.md5_cx, PR_FALSE);
     } 
+#endif
     if (ss->ssl3.hs.md5) {
         PK11_DestroyContext(ss->ssl3.hs.md5,PR_TRUE);
     }
     if (ss->ssl3.hs.sha) {
         PK11_DestroyContext(ss->ssl3.hs.sha,PR_TRUE);
     }
     if (ss->ssl3.hs.messages.buf) {
         PORT_Free(ss->ssl3.hs.messages.buf);
         ss->ssl3.hs.messages.buf = NULL;
         ss->ssl3.hs.messages.len = 0;
         ss->ssl3.hs.messages.space = 0;
     }
     if (ss->ssl3.hs.pending_cert_msg.data) {
         SECITEM_FreeItem(&ss->ssl3.hs.pending_cert_msg, PR_FALSE);
     }
     if (ss->ssl3.hs.cert_status.data) {
         SECITEM_FreeItem(&ss->ssl3.hs.cert_status, PR_FALSE);
     }
 
     /* free the SSL3Buffer (msg_body) */
     PORT_Free(ss->ssl3.hs.msg_body.buf);
 
     /* free up the CipherSpecs */
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[0], PR_TRUE/*freeSrvName*/);
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
 
     /* Destroy the DTLS data */
     if (IS_DTLS(ss)) {
-        if (ss->ssl3.hs.lastMessageFlight) {
-            dtls_FreeHandshakeMessages(ss->ssl3.hs.lastMessageFlight);
-            PORT_Free(ss->ssl3.hs.lastMessageFlight);
-        }
+        dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
         if (ss->ssl3.hs.recvdFragments.buf) {
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */