Uprev NSS (in libssl) to NSS 3.21

net/third_party/nss/ssl/ssl3con.c

 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /*
  * SSL3 Protocol
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
 #define _GNU_SOURCE 1
 #include "cert.h"
 #include "ssl.h"
 #include "cryptohi.h"   /* for DSAU_ stuff */
 #include "keyhi.h"
 #include "secder.h"
 #include "secitem.h"
 #include "sechash.h"
 
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "sslerr.h"
 #include "prtime.h"
 #include "prinrval.h"
 #include "prerror.h"
 #include "pratom.h"
 #include "prthread.h"
+#include "nss.h"
+#include "nssoptions.h"
 
 #include "pk11func.h"
 #include "secmod.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
 
 /* This is a bodge to allow this code to be compiled against older NSS headers
  * that don't contain the TLS 1.2 changes. */
 #ifndef CKM_NSS_TLS_PRF_GENERAL_SHA256
@@ skipping 46 matching lines @@
 static SECStatus ssl3_SendCertificateRequest(sslSocket *ss);
 static SECStatus ssl3_SendNextProto(         sslSocket *ss);
 static SECStatus ssl3_SendEncryptedExtensions(sslSocket *ss);
 static SECStatus ssl3_SendFinished(          sslSocket *ss, PRInt32 flags);
 static SECStatus ssl3_SendServerHello(       sslSocket *ss);
 static SECStatus ssl3_SendServerHelloDone(   sslSocket *ss);
 static SECStatus ssl3_SendServerKeyExchange( sslSocket *ss);
 static SECStatus ssl3_UpdateHandshakeHashes( sslSocket *ss,
                                              const unsigned char *b,
                                              unsigned int l);
+static SECStatus ssl3_ComputeHandshakeHashes(sslSocket *ss,
+                                             ssl3CipherSpec *spec,
+                                             SSL3Hashes *hashes,
+                                             PRUint32 sender);
 static SECStatus ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags);
-static int       ssl3_OIDToTLSHashAlgorithm(SECOidTag oid);
 
 static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen,
                              int maxOutputLen, const unsigned char *input,
                              int inputLen);
 #ifndef NO_PKCS11_BYPASS
 static SECStatus ssl3_AESGCMBypass(ssl3KeyMaterial *keys, PRBool doDecrypt,
                                    unsigned char *out, int *outlen, int maxout,
                                    const unsigned char *in, int inlen,
                                    const unsigned char *additionalData,
                                    int additionalDataLen);
 #endif
 
 #define MAX_SEND_BUF_LENGTH 32000 /* watch for 16-bit integer overflow */
 #define MIN_SEND_BUF_LENGTH  4000
 
 /* This list of SSL3 cipher suites is sorted in descending order of
  * precedence (desirability).  It only includes cipher suites we implement.
  * This table is modified by SSL3_SetPolicy(). The ordering of cipher suites
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
  *
  * Important: See bug 946147 before enabling, reordering, or adding any cipher
  * suites to this list.
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                     policy       enabled   isPresent */
 
 #ifndef NSS_DISABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,  SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
     * bug 946147.
     */
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_DISABLE_ECC */
 
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 
 #ifndef NSS_DISABLE_ECC
  { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
@@ skipping 37 matching lines @@
  { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_NULL_SHA,              SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_NULL_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 #endif /* NSS_DISABLE_ECC */
  { TLS_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_NULL_SHA256,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 };
 
+static const SSLSignatureAndHashAlg defaultSignatureAlgorithms[] = {
+    {ssl_hash_sha256, ssl_sign_rsa},
+    {ssl_hash_sha384, ssl_sign_rsa},
+    {ssl_hash_sha512, ssl_sign_rsa},
+    {ssl_hash_sha1, ssl_sign_rsa},
+#ifndef NSS_DISABLE_ECC
+    {ssl_hash_sha256, ssl_sign_ecdsa},
+    {ssl_hash_sha384, ssl_sign_ecdsa},
+    {ssl_hash_sha512, ssl_sign_ecdsa},
+    {ssl_hash_sha1, ssl_sign_ecdsa},
+#endif
+    {ssl_hash_sha256, ssl_sign_dsa},
+    {ssl_hash_sha1, ssl_sign_dsa}
+};
+PR_STATIC_ASSERT(PR_ARRAY_SIZE(defaultSignatureAlgorithms) <=
+                 MAX_SIGNATURE_ALGORITHMS);
+
 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
  */
 #ifdef DEBUG
 void ssl3_CheckCipherSuiteOrderConsistency()
 {
     unsigned int i;
 
     /* Note that SSL_ImplementedCiphers has more elements than cipherSuites
      * because it SSL_ImplementedCiphers includes SSL 2.0 cipher suites.
      */
@@ skipping 40 matching lines @@
 }
 
 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
     ct_RSA_sign,
 #ifndef NSS_DISABLE_ECC
     ct_ECDSA_sign,
 #endif /* NSS_DISABLE_ECC */
     ct_DSS_sign,
 };
 
-/* This block is the contents of the supported_signature_algorithms field of
- * our TLS 1.2 CertificateRequest message, in wire format. See
- * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
- *
- * This block contains only sha256 entries because we only support TLS 1.2
- * CertificateVerify messages that use the handshake hash. */
-static const PRUint8 supported_signature_algorithms[] = {
-    tls_hash_sha256, tls_sig_rsa,
-#ifndef NSS_DISABLE_ECC
-    tls_hash_sha256, tls_sig_ecdsa,
-#endif
-    tls_hash_sha256, tls_sig_dsa,
-};
-
 #define EXPORT_RSA_KEY_LENGTH 64        /* bytes */
 
 
 /* This global item is used only in servers.  It is is initialized by
 ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest().
 */
 CERTDistNames *ssl3_server_ca_list = NULL;
 static SSL3Statistics ssl3stats;
 
 /* indexed by SSL3BulkCipher */
@@ skipping 23 matching lines @@
     {cipher_aes_128_gcm,  calg_aes_gcm,     16,16, type_aead,   4, 0,16, 8},
     {cipher_chacha20,     calg_chacha20,    32,32, type_aead,   0, 0,16, 0},
     {cipher_missing,      calg_null,         0, 0, type_stream, 0, 0, 0, 0},
 };
 
 static const ssl3KEADef kea_defs[] =
 { /* indexed by SSL3KeyExchangeAlgorithm */
     /* kea            exchKeyType signKeyType is_limited limit tls_keygen ephemeral */
     {kea_null,           kt_null, sign_null,  PR_FALSE,   0, PR_FALSE, PR_FALSE},
     {kea_rsa,            kt_rsa,  sign_rsa,   PR_FALSE,   0, PR_FALSE, PR_FALSE},
-    {kea_rsa_export,     kt_rsa,  sign_rsa,   PR_TRUE,  512, PR_FALSE, PR_TRUE},
-    {kea_rsa_export_1024,kt_rsa,  sign_rsa,   PR_TRUE, 1024, PR_FALSE, PR_TRUE},
+    {kea_rsa_export,     kt_rsa,  sign_rsa,   PR_TRUE,  512, PR_FALSE, PR_FALSE},
+    {kea_rsa_export_1024,kt_rsa,  sign_rsa,   PR_TRUE, 1024, PR_FALSE, PR_FALSE},
     {kea_dh_dss,         kt_dh,   sign_dsa,   PR_FALSE,   0, PR_FALSE, PR_FALSE},
     {kea_dh_dss_export,  kt_dh,   sign_dsa,   PR_TRUE,  512, PR_FALSE, PR_FALSE},
     {kea_dh_rsa,         kt_dh,   sign_rsa,   PR_FALSE,   0, PR_FALSE, PR_FALSE},
     {kea_dh_rsa_export,  kt_dh,   sign_rsa,   PR_TRUE,  512, PR_FALSE, PR_FALSE},
     {kea_dhe_dss,        kt_dh,   sign_dsa,   PR_FALSE,   0, PR_FALSE, PR_TRUE},
     {kea_dhe_dss_export, kt_dh,   sign_dsa,   PR_TRUE,  512, PR_FALSE, PR_TRUE},
     {kea_dhe_rsa,        kt_dh,   sign_rsa,   PR_FALSE,   0, PR_FALSE, PR_TRUE},
     {kea_dhe_rsa_export, kt_dh,   sign_rsa,   PR_TRUE,  512, PR_FALSE, PR_TRUE},
     {kea_dh_anon,        kt_dh,   sign_null,  PR_FALSE,   0, PR_FALSE, PR_TRUE},
     {kea_dh_anon_export, kt_dh,   sign_null,  PR_TRUE,  512, PR_FALSE, PR_TRUE},
@@ skipping 99 matching lines @@
     {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
     {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
 
     {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
     {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
     {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
     {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
     {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_rsa},
     {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, cipher_chacha20, mac_aead, kea_ecdhe_ecdsa},
 
+    {TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, cipher_aes_128, hmac_sha256, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_dss},
+
 #ifndef NSS_DISABLE_ECC
     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
 
     {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdhe_ecdsa},
@@ skipping 217 matching lines @@
      */
         return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
 
     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_RSA_WITH_AES_128_GCM_SHA256:
+    case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
+    case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
     case TLS_RSA_WITH_NULL_SHA256:
         return vrange->max == SSL_LIBRARY_VERSION_TLS_1_2;
 
     case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:
     case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
     case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
     case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
+    case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
         return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2;
 
     /* RFC 4492: ECC cipher suites need TLS extensions to negotiate curves and
      * point formats.*/
     case TLS_ECDH_ECDSA_WITH_NULL_SHA:
     case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
     case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
     case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
     case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
     case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
@@ skipping 102 matching lines @@
                     kea_defs[cipher_def->key_exchange_alg].exchKeyType;
 #ifdef NSS_DISABLE_ECC
             svrAuth = ss->serverCerts + exchKeyType;
 #else
             /* XXX SSLKEAType isn't really a good choice for 
              * indexing certificates. It doesn't work for
              * (EC)DHE-* ciphers. Here we use a hack to ensure
              * that the server uses an RSA cert for (EC)DHE-RSA.
              */
             switch (cipher_def->key_exchange_alg) {
+            case kea_dhe_dss:
+                svrAuth = ss->serverCerts + ssl_kea_dh;
+                break;
             case kea_ecdhe_rsa:
-#if NSS_SERVER_DHE_IMPLEMENTED
-            /* XXX NSS does not yet implement the server side of _DHE_
-             * cipher suites.  Correcting the computation for svrAuth,
-             * as the case below does, causes NSS SSL servers to begin to
-             * negotiate cipher suites they do not implement.  So, until
-             * server side _DHE_ is implemented, keep this disabled.
-             */
             case kea_dhe_rsa:
-#endif
                 svrAuth = ss->serverCerts + kt_rsa;
                 break;
             case kea_ecdh_ecdsa:
             case kea_ecdh_rsa:
                 /* 
                  * XXX We ought to have different indices for 
                  * ECDSA- and RSA-signed EC certificates so
                  * we could support both key exchange mechanisms
                  * simultaneously. For now, both of them use
                  * whatever is in the certificate slot for kt_ecdh
                  */
+            case kea_dhe_dss_export:
+            case kea_dhe_rsa_export:
             default:
                 svrAuth = ss->serverCerts + exchKeyType;
                 break;
             }
 #endif /* NSS_DISABLE_ECC */
 
             /* Mark the suites that are backed by real tokens, certs and keys */
             suite->isPresent = (PRBool)
                 (((exchKeyType == kt_null) ||
                    ((!isServer || (svrAuth->serverKeyPair &&
@@ skipping 16 matching lines @@
 /* return PR_TRUE if suite matches policy, enabled state and is applicable to
  * the given version range. */
 /* It would be a REALLY BAD THING (tm) if we ever permitted the use
 ** of a cipher that was NOT_ALLOWED.  So, if this is ever called with
 ** policy == SSL_NOT_ALLOWED, report no match.
 */
 /* adjust suite enabled to the availability of a token that can do the
  * cipher suite. */
 static PRBool
 config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled,
-             const SSLVersionRange *vrange)
+             const SSLVersionRange *vrange, const sslSocket *ss)
 {
+    const ssl3CipherSuiteDef *cipher_def;
+
     PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE);
     if (policy == SSL_NOT_ALLOWED || !enabled)
-        return PR_FALSE;
+        return PR_FALSE;
+
+    cipher_def = ssl_LookupCipherSuiteDef(suite->cipher_suite);
+    PORT_Assert(cipher_def != NULL);
+
+    PORT_Assert(ss != NULL);
+    if (ss->sec.isServer && !ss->opt.enableServerDhe &&
+        kea_defs[cipher_def->key_exchange_alg].exchKeyType == ssl_kea_dh)
+        return PR_FALSE;
+
     return (PRBool)(suite->enabled &&
                     suite->isPresent &&
                     suite->policy != SSL_NOT_ALLOWED &&
                     suite->policy <= policy &&
                     ssl3_CipherSuiteAllowedForVersionRange(
                         suite->cipher_suite, vrange));
 }
 
 /* return number of cipher suites that match policy, enabled state and are
  * applicable for the configured protocol version range. */
 /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */
 static int
 count_cipher_suites(sslSocket *ss, int policy, PRBool enabled)
 {
     int i, count = 0;
 
     if (SSL3_ALL_VERSIONS_DISABLED(&ss->vrange)) {
         return 0;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
-        if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange))
+        if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange, ss))
             count++;
     }
     if (count <= 0) {
         PORT_SetError(SSL_ERROR_SSL_DISABLED);
     }
     return count;
 }
 
 /*
  * Null compression, mac and encryption functions
@@ skipping 71 matching lines @@
 
     buf->data    = NULL;
 
     switch (key->keyType) {
     case rsaKey:
         hashItem.data = hash->u.raw;
         hashItem.len = hash->len;
         break;
     case dsaKey:
         doDerEncode = isTLS;
-        /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
+        /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash.
          * In that case, we use just the SHA1 part. */
-        if (hash->hashAlg == SEC_OID_UNKNOWN) {
+        if (hash->hashAlg == ssl_hash_none) {
             hashItem.data = hash->u.s.sha;
             hashItem.len = sizeof(hash->u.s.sha);
         } else {
             hashItem.data = hash->u.raw;
             hashItem.len = hash->len;
         }
         break;
 #ifndef NSS_DISABLE_ECC
     case ecKey:
         doDerEncode = PR_TRUE;
-        /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
+        /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash.
          * In that case, we use just the SHA1 part. */
-        if (hash->hashAlg == SEC_OID_UNKNOWN) {
+        if (hash->hashAlg == ssl_hash_none) {
             hashItem.data = hash->u.s.sha;
             hashItem.len = sizeof(hash->u.s.sha);
         } else {
             hashItem.data = hash->u.raw;
             hashItem.len = hash->len;
         }
         break;
 #endif /* NSS_DISABLE_ECC */
     default:
         PORT_SetError(SEC_ERROR_INVALID_KEY);
         goto done;
     }
     PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
 
-    if (hash->hashAlg == SEC_OID_UNKNOWN) {
+    if (hash->hashAlg == ssl_hash_none) {
         signatureLen = PK11_SignatureLen(key);
         if (signatureLen <= 0) {
             PORT_SetError(SEC_ERROR_INVALID_KEY);
             goto done;
         }
 
         buf->len  = (unsigned)signatureLen;
         buf->data = (unsigned char *)PORT_Alloc(signatureLen);
         if (!buf->data)
             goto done;  /* error code was set. */
 
         rv = PK11_Sign(key, buf, &hashItem);
     } else {
-        rv = SGN_Digest(key, hash->hashAlg, buf, &hashItem);
+        SECOidTag hashOID = ssl3_TLSHashAlgorithmToOID(hash->hashAlg);
+        rv = SGN_Digest(key, hashOID, buf, &hashItem);
     }
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_SIGN_HASHES_FAILURE);
     } else if (doDerEncode) {
         SECItem   derSig        = {siBuffer, NULL, 0};
 
         /* This also works for an ECDSA signature */
         rv = DSAU_EncodeDerSigWithLen(&derSig, buf, buf->len);
         if (rv == SECSuccess) {
             PORT_Free(buf->data);       /* discard unencoded signature. */
@@ skipping 27 matching lines @@
 
     PRINT_BUF(60, (NULL, "check signed hashes",
                   buf->data, buf->len));
 
     key = CERT_ExtractPublicKey(cert);
     if (key == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
         return SECFailure;
     }
 
-    hashAlg = hash->hashAlg;
+    hashAlg = ssl3_TLSHashAlgorithmToOID(hash->hashAlg);
     switch (key->keyType) {
     case rsaKey:
         encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION;
         hashItem.data = hash->u.raw;
         hashItem.len = hash->len;
         break;
     case dsaKey:
         encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE;
-        /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
+        /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash.
          * In that case, we use just the SHA1 part. */
-        if (hash->hashAlg == SEC_OID_UNKNOWN) {
+        if (hash->hashAlg == ssl_hash_none) {
             hashItem.data = hash->u.s.sha;
             hashItem.len = sizeof(hash->u.s.sha);
         } else {
             hashItem.data = hash->u.raw;
             hashItem.len = hash->len;
         }
         /* Allow DER encoded DSA signatures in SSL 3.0 */
         if (isTLS || buf->len != SECKEY_SignatureLen(key)) {
             signature = DSAU_DecodeDerSigToLen(buf, SECKEY_SignatureLen(key));
             if (!signature) {
                 PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
                 return SECFailure;
             }
             buf = signature;
         }
         break;
 
 #ifndef NSS_DISABLE_ECC
     case ecKey:
         encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
-        /* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
+        /* ssl_hash_none is used to specify the MD5/SHA1 concatenated hash.
          * In that case, we use just the SHA1 part.
          * ECDSA signatures always encode the integers r and s using ASN.1
          * (unlike DSA where ASN.1 encoding is used with TLS but not with
          * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
          */
-        if (hash->hashAlg == SEC_OID_UNKNOWN) {
+        if (hash->hashAlg == ssl_hash_none) {
             hashAlg = SEC_OID_SHA1;
             hashItem.data = hash->u.s.sha;
             hashItem.len = sizeof(hash->u.s.sha);
         } else {
             hashItem.data = hash->u.raw;
             hashItem.len = hash->len;
         }
         break;
 #endif /* NSS_DISABLE_ECC */
 
     default:
         SECKEY_DestroyPublicKey(key);
         PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
         return SECFailure;
     }
 
     PRINT_BUF(60, (NULL, "hash(es) to be verified",
                   hashItem.data, hashItem.len));
 
     if (hashAlg == SEC_OID_UNKNOWN || key->keyType == dsaKey) {
         /* VFY_VerifyDigestDirect requires DSA signatures to be DER-encoded.
          * DSA signatures are DER-encoded in TLS but not in SSL3 and the code
          * above always removes the DER encoding of DSA signatures when
          * present. Thus DSA signatures are always verified with PK11_Verify.
          */
         rv = PK11_Verify(key, buf, &hashItem, pwArg);
     } else {
-        rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
-                                    pwArg);
+        rv = VFY_VerifyDigestDirect(&hashItem, key, buf, encAlg, hashAlg,
+                                    pwArg);
     }
     SECKEY_DestroyPublicKey(key);
     if (signature) {
         SECITEM_FreeItem(signature, PR_TRUE);
     }
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
     }
     return rv;
 }
 
 
 /* Caller must set hiLevel error code. */
 /* Called from ssl3_ComputeExportRSAKeyHash
  *             ssl3_ComputeDHKeyHash
- * which are called from ssl3_HandleServerKeyExchange. 
+ * which are called from ssl3_HandleServerKeyExchange.
  *
- * hashAlg: either the OID for a hash algorithm or SEC_OID_UNKNOWN to specify
- * the pre-1.2, MD5/SHA1 combination hash.
+ * hashAlg: ssl_hash_none indicates the pre-1.2, MD5/SHA1 combination hash.
  */
 SECStatus
-ssl3_ComputeCommonKeyHash(SECOidTag hashAlg,
-                          PRUint8 * hashBuf, unsigned int bufLen,
-                          SSL3Hashes *hashes, PRBool bypassPKCS11)
+ssl3_ComputeCommonKeyHash(SSLHashType hashAlg,
+                          PRUint8 * hashBuf, unsigned int bufLen,
+                          SSL3Hashes *hashes, PRBool bypassPKCS11)
 {
-    SECStatus     rv            = SECSuccess;
+    SECStatus rv;
+    SECOidTag hashOID;
 
 #ifndef NO_PKCS11_BYPASS
     if (bypassPKCS11) {
-        if (hashAlg == SEC_OID_UNKNOWN) {
-            MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
-            SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
-            hashes->len = MD5_LENGTH + SHA1_LENGTH;
-        } else if (hashAlg == SEC_OID_SHA1) {
-            SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
-            hashes->len = SHA1_LENGTH;
-        } else if (hashAlg == SEC_OID_SHA256) {
-            SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
-            hashes->len = SHA256_LENGTH;
-        } else if (hashAlg == SEC_OID_SHA384) {
-            SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
-            hashes->len = SHA384_LENGTH;
-        } else if (hashAlg == SEC_OID_SHA512) {
-            SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
-            hashes->len = SHA512_LENGTH;
-        } else {
-            PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-            return SECFailure;
-        }
-    } else 
+        if (hashAlg == ssl_hash_none) {
+            MD5_HashBuf (hashes->u.s.md5, hashBuf, bufLen);
+            SHA1_HashBuf(hashes->u.s.sha, hashBuf, bufLen);
+            hashes->len = MD5_LENGTH + SHA1_LENGTH;
+        } else if (hashAlg == ssl_hash_sha1) {
+            SHA1_HashBuf(hashes->u.raw, hashBuf, bufLen);
+            hashes->len = SHA1_LENGTH;
+        } else if (hashAlg == ssl_hash_sha256) {
+            SHA256_HashBuf(hashes->u.raw, hashBuf, bufLen);
+            hashes->len = SHA256_LENGTH;
+        } else if (hashAlg == ssl_hash_sha384) {
+            SHA384_HashBuf(hashes->u.raw, hashBuf, bufLen);
+            hashes->len = SHA384_LENGTH;
+        } else if (hashAlg == ssl_hash_sha512) {
+            SHA512_HashBuf(hashes->u.raw, hashBuf, bufLen);
+            hashes->len = SHA512_LENGTH;
+        } else {
+            PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+            return SECFailure;
+        }
+    } else
 #endif
     {
-        if (hashAlg == SEC_OID_UNKNOWN) {
-            rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
-            if (rv != SECSuccess) {
-                ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
-                rv = SECFailure;
-                goto done;
-            }
-
-            rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
-            if (rv != SECSuccess) {
-                ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
-                rv = SECFailure;
-            }
-            hashes->len = MD5_LENGTH + SHA1_LENGTH;
-        } else {
-            hashes->len = HASH_ResultLenByOidTag(hashAlg);
-            if (hashes->len > sizeof(hashes->u.raw)) {
-                ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-                rv = SECFailure;
-                goto done;
-            }
-            rv = PK11_HashBuf(hashAlg, hashes->u.raw, hashBuf, bufLen);
-            if (rv != SECSuccess) {
-                ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
-                rv = SECFailure;
-            }
-        }
+        if (hashAlg == ssl_hash_none) {
+            rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
+            if (rv != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
+                return rv;
+            }
+            rv = PK11_HashBuf(SEC_OID_SHA1, hashes->u.s.sha, hashBuf, bufLen);
+            if (rv != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
+                return rv;
+            }
+            hashes->len = MD5_LENGTH + SHA1_LENGTH;
+        } else {
+            hashOID = ssl3_TLSHashAlgorithmToOID(hashAlg);
+            hashes->len = HASH_ResultLenByOidTag(hashOID);
+            if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) {
+                ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+                return SECFailure;
+            }
+            rv = PK11_HashBuf(hashOID, hashes->u.raw, hashBuf, bufLen);
+            if (rv != SECSuccess) {
+                ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
+                return rv;
+            }
+        }
     }
     hashes->hashAlg = hashAlg;
-
-done:
-    return rv;
+    return SECSuccess;
 }
 
 /* Caller must set hiLevel error code. 
 ** Called from ssl3_SendServerKeyExchange and 
 **             ssl3_HandleServerKeyExchange.
 */
 static SECStatus
-ssl3_ComputeExportRSAKeyHash(SECOidTag hashAlg,
-                             SECItem modulus, SECItem publicExponent,
-                             SSL3Random *client_rand, SSL3Random *server_rand,
-                             SSL3Hashes *hashes, PRBool bypassPKCS11)
+ssl3_ComputeExportRSAKeyHash(SSLHashType hashAlg,
+                             SECItem modulus, SECItem publicExponent,
+                             SSL3Random *client_rand, SSL3Random *server_rand,
+                             SSL3Hashes *hashes, PRBool bypassPKCS11)
 {
     PRUint8     * hashBuf;
     PRUint8     * pBuf;
     SECStatus     rv            = SECSuccess;
     unsigned int  bufLen;
     PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
 
     bufLen = 2*SSL3_RANDOM_LENGTH + 2 + modulus.len + 2 + publicExponent.len;
     if (bufLen <= sizeof buf) {
         hashBuf = buf;
@@ skipping 17 matching lines @@
     pBuf[1] = (PRUint8)(publicExponent.len);
         pBuf += 2;
     memcpy(pBuf, publicExponent.data, publicExponent.len);
         pBuf += publicExponent.len;
     PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
 
     rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
                                    bypassPKCS11);
 
     PRINT_BUF(95, (NULL, "RSAkey hash: ", hashBuf, bufLen));
-    if (hashAlg == SEC_OID_UNKNOWN) {
+    if (hashAlg == ssl_hash_none) {
         PRINT_BUF(95, (NULL, "RSAkey hash: MD5 result",
                   hashes->u.s.md5, MD5_LENGTH));
         PRINT_BUF(95, (NULL, "RSAkey hash: SHA1 result",
                   hashes->u.s.sha, SHA1_LENGTH));
     } else {
         PRINT_BUF(95, (NULL, "RSAkey hash: result",
                   hashes->u.raw, hashes->len));
     }
 
     if (hashBuf != buf && hashBuf != NULL)
         PORT_Free(hashBuf);
     return rv;
 }
 
 /* Caller must set hiLevel error code. */
 /* Called from ssl3_HandleServerKeyExchange. */
 static SECStatus
-ssl3_ComputeDHKeyHash(SECOidTag hashAlg,
-                      SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
-                      SSL3Random *client_rand, SSL3Random *server_rand,
-                      SSL3Hashes *hashes, PRBool bypassPKCS11)
+ssl3_ComputeDHKeyHash(SSLHashType hashAlg,
+                      SECItem dh_p, SECItem dh_g, SECItem dh_Ys,
+                      SSL3Random *client_rand, SSL3Random *server_rand,
+                      SSL3Hashes *hashes, PRBool bypassPKCS11)
 {
     PRUint8     * hashBuf;
     PRUint8     * pBuf;
     SECStatus     rv            = SECSuccess;
     unsigned int  bufLen;
     PRUint8       buf[2*SSL3_RANDOM_LENGTH + 2 + 4096/8 + 2 + 4096/8];
 
     bufLen = 2*SSL3_RANDOM_LENGTH + 2 + dh_p.len + 2 + dh_g.len + 2 + dh_Ys.len;
     if (bufLen <= sizeof buf) {
         hashBuf = buf;
@@ skipping 22 matching lines @@
     pBuf[1] = (PRUint8)(dh_Ys.len);
         pBuf += 2;
     memcpy(pBuf, dh_Ys.data, dh_Ys.len);
         pBuf += dh_Ys.len;
     PORT_Assert((unsigned int)(pBuf - hashBuf) == bufLen);
 
     rv = ssl3_ComputeCommonKeyHash(hashAlg, hashBuf, bufLen, hashes,
                                    bypassPKCS11);
 
     PRINT_BUF(95, (NULL, "DHkey hash: ", hashBuf, bufLen));
-    if (hashAlg == SEC_OID_UNKNOWN) {
+    if (hashAlg == ssl_hash_none) {
         PRINT_BUF(95, (NULL, "DHkey hash: MD5 result",
                   hashes->u.s.md5, MD5_LENGTH));
         PRINT_BUF(95, (NULL, "DHkey hash: SHA1 result",
                   hashes->u.s.sha, SHA1_LENGTH));
     } else {
         PRINT_BUF(95, (NULL, "DHkey hash: result",
                   hashes->u.raw, hashes->len));
     }
 
     if (hashBuf != buf && hashBuf != NULL)
@@ skipping 937 matching lines @@
 
 /* Complete the initialization of all keys, ciphers, MACs and their contexts
  * for the pending Cipher Spec.
  * Called from: ssl3_SendClientKeyExchange      (for Full handshake)
  *              ssl3_HandleRSAClientKeyExchange (for Full handshake)
  *              ssl3_HandleServerHello          (for session restart)
  *              ssl3_HandleClientHello          (for session restart)
  * Sets error code, but caller probably should override to disambiguate.
  * NULL pms means re-use old master_secret.
  *
- * This code is common to the bypass and PKCS11 execution paths.
+ *  This code is common to the bypass and PKCS11 execution paths. For
+ *  the bypass case, pms is NULL. If the old master secret is reused,
+ *  pms is NULL and the master secret is already in either
+ *  pwSpec->msItem.len (the bypass case) or pwSpec->master_secret.
+ *
  * For the bypass case,  pms is NULL.
  */
 SECStatus
 ssl3_InitPendingCipherSpec(sslSocket *ss, PK11SymKey *pms)
 {
     ssl3CipherSpec  *  pwSpec;
     ssl3CipherSpec  *  cwSpec;
     SECStatus          rv;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
@@ skipping 363 matching lines @@
                               const SSL3Opaque * pIn,
                               PRUint32           contentLen,
                               sslBuffer *        wrBuf)
 {
     const ssl3BulkCipherDef * cipher_def;
     SECStatus                 rv;
     PRUint32                  macLen = 0;
     PRUint32                  fragLen;
     PRUint32  p1Len, p2Len, oddLen = 0;
     PRUint16                  headerLen;
-    int                       ivLen = 0;
+    unsigned int ivLen = 0;
     int                       cipherBytes = 0;
     unsigned char             pseudoHeader[13];
     unsigned int              pseudoHeaderLen;
 
     cipher_def = cwSpec->cipher_def;
     headerLen = isDTLS ? DTLS_RECORD_HEADER_LENGTH : SSL3_RECORD_HEADER_LENGTH;
 
     if (cipher_def->type == type_block &&
         cwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_1) {
         /* Prepend the per-record explicit IV using technique 2b from
@@ skipping 541 matching lines @@
  * This function returns SECSuccess or SECFailure, never SECWouldBlock.
  * Always set sendBuf.len to 0, even when returning SECFailure.
  *
  * Called from ssl3_FlushHandshake
  */
 static SECStatus
 ssl3_FlushHandshakeMessages(sslSocket *ss, PRInt32 flags)
 {
     static const PRInt32 allowedFlags = ssl_SEND_FLAG_FORCE_INTO_BUFFER |
                                         ssl_SEND_FLAG_CAP_RECORD_VERSION;
-    PRInt32 rv = SECSuccess;
+    PRInt32 count = -1;
+    SECStatus rv = SECSuccess;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     if (!ss->sec.ci.sendBuf.buf || !ss->sec.ci.sendBuf.len)
         return rv;
 
     /* only these flags are allowed */
     PORT_Assert(!(flags & ~allowedFlags));
     if ((flags & ~allowedFlags) != 0) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         rv = SECFailure;
     } else {
-        rv = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
+        count = ssl3_SendRecord(ss, 0, content_handshake, ss->sec.ci.sendBuf.buf,
                              ss->sec.ci.sendBuf.len, flags);
     }
-    if (rv < 0) { 
+    if (count < 0) {
         int err = PORT_GetError();
         PORT_Assert(err != PR_WOULD_BLOCK_ERROR);
         if (err == PR_WOULD_BLOCK_ERROR) {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         }
-    } else if (rv < ss->sec.ci.sendBuf.len) {
+        rv = SECFailure;
+    } else if ((unsigned int)count < ss->sec.ci.sendBuf.len) {
         /* short write should never happen */
-        PORT_Assert(rv >= ss->sec.ci.sendBuf.len);
+        PORT_Assert((unsigned int)count >= ss->sec.ci.sendBuf.len);
         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
         rv = SECFailure;
     } else {
         rv = SECSuccess;
     }
 
     /* Whether we succeeded or failed, toss the old handshake data. */
     ss->sec.ci.sendBuf.len = 0;
     return rv;
 }
@@ skipping 415 matching lines @@
     /* If we are really through with the old cipher prSpec
      * (Both the read and write sides have changed) destroy it.
      */
     if (ss->ssl3.prSpec == ss->ssl3.pwSpec) {
         ssl3_DestroyCipherSpec(ss->ssl3.prSpec, PR_FALSE/*freeSrvName*/);
     }
     ssl_ReleaseSpecWriteLock(ss);   /*************************************/
     return SECSuccess;
 }
 
-/* This method uses PKCS11 to derive the MS from the PMS, where PMS 
-** is a PKCS11 symkey. This is used in all cases except the 
-** "triple bypass" with RSA key exchange.
-** Called from ssl3_InitPendingCipherSpec.   prSpec is pwSpec.
+/* This method completes the derivation of the MS from the PMS.
+**
+** 1. Derive the MS, if possible, else return an error.
+**
+** 2. Check the version if |pms_version| is non-zero and if wrong,
+**    return an error.
+**
+** 3. If |msp| is nonzero, return MS in |*msp|.
+
+** Called from:
+**   ssl3_ComputeMasterSecretInt
+**   tls_ComputeExtendedMasterSecretInt
 */
 static SECStatus
-ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
+ssl3_ComputeMasterSecretFinish(sslSocket *ss,
+                               CK_MECHANISM_TYPE master_derive,
+                               CK_MECHANISM_TYPE key_derive,
+                               CK_VERSION *pms_version,
+                               SECItem *params, CK_FLAGS keyFlags,
+                               PK11SymKey *pms, PK11SymKey **msp)
+{
+    PK11SymKey *ms = NULL;
+
+    ms = PK11_DeriveWithFlags(pms, master_derive,
+                              params, key_derive,
+                              CKA_DERIVE, 0, keyFlags);
+    if (!ms) {
+        ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+        return SECFailure;
+    }
+
+    if (pms_version && ss->opt.detectRollBack) {
+        SSL3ProtocolVersion client_version;
+        client_version = pms_version->major << 8 | pms_version->minor;
+
+        if (IS_DTLS(ss)) {
+            client_version = dtls_DTLSVersionToTLSVersion(client_version);
+        }
+
+        if (client_version != ss->clientHelloVersion) {
+            /* Destroy MS.  Version roll-back detected. */
+            PK11_FreeSymKey(ms);
+            ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+            return SECFailure;
+        }
+    }
+
+    if (msp) {
+        *msp = ms;
+    } else {
+        PK11_FreeSymKey(ms);
+    }
+
+    return SECSuccess;
+}
+
+/*  Compute the ordinary (pre draft-ietf-tls-session-hash) master
+ ** secret and return it in |*msp|.
+ **
+ ** Called from: ssl3_ComputeMasterSecret
+ */
+static SECStatus
+ssl3_ComputeMasterSecretInt(sslSocket *ss, PK11SymKey *pms,
+                            PK11SymKey **msp)
 {
     ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
     const ssl3KEADef *kea_def= ss->ssl3.hs.kea_def;
     unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
     unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
     PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
                                 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
     PRBool            isTLS12=
             (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
-    /* 
+    /*
      * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH
      * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size
-     * data into a 48-byte value. 
+     * data into a 48-byte value, and does not expect to return the version.
      */
     PRBool    isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
                                (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
-    SECStatus         rv = SECFailure;
     CK_MECHANISM_TYPE master_derive;
     CK_MECHANISM_TYPE key_derive;
     SECItem           params;
     CK_FLAGS          keyFlags;
     CK_VERSION        pms_version;
-    CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
+    CK_VERSION       *pms_version_ptr = NULL;
+    /* master_params may be used as a CK_SSL3_MASTER_KEY_DERIVE_PARAMS */
+    CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
+    unsigned int      master_params_len;
 
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
-    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
-    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
     if (isTLS12) {
-        if(isDH) master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256;
-        else master_derive = CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
-        key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+        if(isDH) master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
+        else master_derive = CKM_TLS12_MASTER_KEY_DERIVE;
+        key_derive    = CKM_TLS12_KEY_AND_MAC_DERIVE;
         keyFlags      = CKF_SIGN | CKF_VERIFY;
     } else if (isTLS) {
         if(isDH) master_derive = CKM_TLS_MASTER_KEY_DERIVE_DH;
         else master_derive = CKM_TLS_MASTER_KEY_DERIVE;
         key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
         keyFlags      = CKF_SIGN | CKF_VERIFY;
     } else {
         if (isDH) master_derive = CKM_SSL3_MASTER_KEY_DERIVE_DH;
         else master_derive = CKM_SSL3_MASTER_KEY_DERIVE;
         key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
         keyFlags      = 0;
     }
 
-    if (pms || !pwSpec->master_secret) {
-        if (isDH) {
-            master_params.pVersion                     = NULL;
-        } else {
-            master_params.pVersion                     = &pms_version;
-        }
-        master_params.RandomInfo.pClientRandom     = cr;
-        master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
-        master_params.RandomInfo.pServerRandom     = sr;
-        master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
-
-        params.data = (unsigned char *) &master_params;
-        params.len  = sizeof master_params;
+    if (!isDH) {
+        pms_version_ptr = &pms_version;
     }
 
-    if (pms != NULL) {
-#if defined(TRACE)
-        if (ssl_trace >= 100) {
-            SECStatus extractRV = PK11_ExtractKeyValue(pms);
-            if (extractRV == SECSuccess) {
-                SECItem * keyData = PK11_GetKeyData(pms);
-                if (keyData && keyData->data && keyData->len) {
-                    ssl_PrintBuf(ss, "Pre-Master Secret", 
-                                 keyData->data, keyData->len);
-                }
-            }
-        }
-#endif
-        pwSpec->master_secret = PK11_DeriveWithFlags(pms, master_derive, 
-                                &params, key_derive, CKA_DERIVE, 0, keyFlags);
-        if (!isDH && pwSpec->master_secret && ss->opt.detectRollBack) {
-            SSL3ProtocolVersion client_version;
-            client_version = pms_version.major << 8 | pms_version.minor;
+    master_params.pVersion                     = pms_version_ptr;
+    master_params.RandomInfo.pClientRandom     = cr;
+    master_params.RandomInfo.ulClientRandomLen = SSL3_RANDOM_LENGTH;
+    master_params.RandomInfo.pServerRandom     = sr;
+    master_params.RandomInfo.ulServerRandomLen = SSL3_RANDOM_LENGTH;
+    if (isTLS12) {
+        master_params.prfHashMechanism = CKM_SHA256;
+        master_params_len = sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS);
+    } else {
+        /* prfHashMechanism is not relevant with this PRF */
+        master_params_len = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
+    }
 
-            if (IS_DTLS(ss)) {
-                client_version = dtls_DTLSVersionToTLSVersion(client_version);
-            }
+    params.data = (unsigned char *) &master_params;
+    params.len  = master_params_len;
 
-            if (client_version != ss->clientHelloVersion) {
-                /* Destroy it.  Version roll-back detected. */
-                PK11_FreeSymKey(pwSpec->master_secret);
-                pwSpec->master_secret = NULL;
-            }
-        }
-        if (pwSpec->master_secret == NULL) {
-            /* Generate a faux master secret in the same slot as the old one. */
-            PK11SlotInfo * slot = PK11_GetSlotFromKey((PK11SymKey *)pms);
-            PK11SymKey *   fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
+    return ssl3_ComputeMasterSecretFinish(ss, master_derive, key_derive,
+                                          pms_version_ptr, &params,
+                                          keyFlags, pms, msp);
+}
 
-            PK11_FreeSlot(slot);
-            if (fpms != NULL) {
-                pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
-                                        master_derive, &params, key_derive, 
-                                        CKA_DERIVE, 0, keyFlags);
-                PK11_FreeSymKey(fpms);
-            }
-        }
+/* Compute the draft-ietf-tls-session-hash master
+** secret and return it in |*msp|.
+**
+** Called from: ssl3_ComputeMasterSecret
+*/
+static SECStatus
+tls_ComputeExtendedMasterSecretInt(sslSocket *ss, PK11SymKey *pms,
+                                   PK11SymKey **msp)
+{
+    ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
+    CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS extended_master_params;
+    SSL3Hashes hashes;
+    /*
+     * Determine whether to use the DH/ECDH or RSA derivation modes.
+     */
+    /*
+     * TODO(ekr@rtfm.com): Verify that the slot can handle this key expansion
+     * mode. Bug 1198298 */
+    PRBool isDH = (PRBool) ((ss->ssl3.hs.kea_def->exchKeyType == kt_dh) ||
+                            (ss->ssl3.hs.kea_def->exchKeyType == kt_ecdh));
+    CK_MECHANISM_TYPE master_derive;
+    CK_MECHANISM_TYPE key_derive;
+    SECItem params;
+    const CK_FLAGS keyFlags = CKF_SIGN | CKF_VERIFY;
+    CK_VERSION pms_version;
+    CK_VERSION *pms_version_ptr = NULL;
+    SECStatus rv;
+
+    rv = ssl3_ComputeHandshakeHashes(ss, pwSpec, &hashes, 0);
+    if (rv != SECSuccess) {
+        PORT_Assert(0);  /* Should never fail */
+        ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
+        return SECFailure;
     }
-    if (pwSpec->master_secret == NULL) {
-        /* Generate a faux master secret from the internal slot. */
-        PK11SlotInfo *  slot = PK11_GetInternalSlot();
-        PK11SymKey *    fpms = ssl3_GenerateRSAPMS(ss, pwSpec, slot);
 
-        PK11_FreeSlot(slot);
-        if (fpms != NULL) {
-            pwSpec->master_secret = PK11_DeriveWithFlags(fpms, 
-                                        master_derive, &params, key_derive, 
-                                        CKA_DERIVE, 0, keyFlags);
-            if (pwSpec->master_secret == NULL) {
-                pwSpec->master_secret = fpms; /* use the fpms as the master. */
-                fpms = NULL;
-            }
-        }
-        if (fpms) {
-            PK11_FreeSymKey(fpms);
-        }
+    if (isDH) {
+        master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH;
+    } else {
+        master_derive = CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE;
+        pms_version_ptr = &pms_version;
     }
-    if (pwSpec->master_secret == NULL) {
-        ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
-        return rv;
+
+    if (pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+        /* TLS 1.2 */
+        extended_master_params.prfHashMechanism = CKM_SHA256;
+        key_derive = CKM_TLS12_KEY_AND_MAC_DERIVE;
+    } else {
+        /* TLS < 1.2 */
+        extended_master_params.prfHashMechanism = CKM_TLS_PRF;
+        key_derive = CKM_TLS_KEY_AND_MAC_DERIVE;
     }
+
+    extended_master_params.pVersion = pms_version_ptr;
+    extended_master_params.pSessionHash = hashes.u.raw;
+    extended_master_params.ulSessionHashLen = hashes.len;
+
+    params.data = (unsigned char *) &extended_master_params;
+    params.len = sizeof extended_master_params;
+
+    return ssl3_ComputeMasterSecretFinish(ss, master_derive, key_derive,
+                                          pms_version_ptr, &params,
+                                          keyFlags, pms, msp);
+}
+
+
+/* Wrapper method to compute the master secret and return it in |*msp|.
+**
+** Called from ssl3_ComputeMasterSecret
+*/
+static SECStatus
+ssl3_ComputeMasterSecret(sslSocket *ss, PK11SymKey *pms,
+                         PK11SymKey **msp)
+{
+    PORT_Assert(pms != NULL);
+    PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+
+    if (ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) {
+        return tls_ComputeExtendedMasterSecretInt(ss, pms, msp);
+    } else {
+        return ssl3_ComputeMasterSecretInt(ss, pms, msp);
+    }
+}
+
+/* This method uses PKCS11 to derive the MS from the PMS, where PMS
+** is a PKCS11 symkey. We call ssl3_ComputeMasterSecret to do the
+** computations and then modify the pwSpec->state as a side effect.
+**
+** This is used in all cases except the "triple bypass" with RSA key
+** exchange.
+**
+** Called from ssl3_InitPendingCipherSpec.   prSpec is pwSpec.
+*/
+static SECStatus
+ssl3_DeriveMasterSecret(sslSocket *ss, PK11SymKey *pms)
+{
+    SECStatus rv;
+    PK11SymKey* ms = NULL;
+    ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
+    PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
+
+    if (pms) {
+        rv = ssl3_ComputeMasterSecret(ss, pms, &ms);
+        pwSpec->master_secret = ms;
+        if (rv != SECSuccess)
+            return rv;
+    }
+
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
         SECItem * keydata;
         /* In hope of doing a "double bypass", 
          * need to extract the master secret's value from the key object 
          * and store it raw in the sslSocket struct.
          */
         rv = PK11_ExtractKeyValue(pwSpec->master_secret);
         if (rv != SECSuccess) {
             return rv;
-        } 
+        }
         /* This returns the address of the secItem inside the key struct,
          * not a copy or a reference.  So, there's no need to free it.
          */
         keydata = PK11_GetKeyData(pwSpec->master_secret);
         if (keydata && keydata->len <= sizeof pwSpec->raw_master_secret) {
             memcpy(pwSpec->raw_master_secret, keydata->data, keydata->len);
             pwSpec->msItem.data = pwSpec->raw_master_secret;
             pwSpec->msItem.len  = keydata->len;
         } else {
             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
             return SECFailure;
         }
     }
 #endif
+
     return SECSuccess;
 }
 
-
 /* 
  * Derive encryption and MAC Keys (and IVs) from master secret
  * Sets a useful error code when returning SECFailure.
  *
  * Called only from ssl3_InitPendingCipherSpec(),
  * which in turn is called from
  *              sendRSAClientKeyExchange        (for Full handshake)
  *              sendDHClientKeyExchange         (for Full handshake)
  *              ssl3_HandleClientKeyExchange    (for Full handshake)
  *              ssl3_HandleServerHello          (for session restart)
@@ skipping 12 matching lines @@
     PRBool            isTLS  = (PRBool)(kea_def->tls_keygen ||
                                 (pwSpec->version > SSL_LIBRARY_VERSION_3_0));
     PRBool            isTLS12=
             (PRBool)(isTLS && pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
     /* following variables used in PKCS11 path */
     const ssl3BulkCipherDef *cipher_def = pwSpec->cipher_def;
     PK11SlotInfo *         slot   = NULL;
     PK11SymKey *           symKey = NULL;
     void *                 pwArg  = ss->pkcs11PinArg;
     int                    keySize;
-    CK_SSL3_KEY_MAT_PARAMS key_material_params;
+    CK_TLS12_KEY_MAT_PARAMS key_material_params; /* may be used as a
+                                                  * CK_SSL3_KEY_MAT_PARAMS */
+    unsigned int           key_material_params_len;
     CK_SSL3_KEY_MAT_OUT    returnedKeys;
     CK_MECHANISM_TYPE      key_derive;
     CK_MECHANISM_TYPE      bulk_mechanism;
     SSLCipherAlgorithm     calg;
     SECItem                params;
     PRBool         skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null);
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSpecWriteLock(ss));
     PORT_Assert(ss->ssl3.prSpec == ss->ssl3.pwSpec);
@@ skipping 33 matching lines @@
         key_material_params.ulKeySizeInBits = 0;
         key_material_params.ulIVSizeInBits  = 0;
         returnedKeys.pIVClient              = NULL;
         returnedKeys.pIVServer              = NULL;
     }
 
     calg = cipher_def->calg;
     PORT_Assert(     alg2Mech[calg].calg == calg);
     bulk_mechanism = alg2Mech[calg].cmech;
 
-    params.data    = (unsigned char *)&key_material_params;
-    params.len     = sizeof(key_material_params);
-
     if (isTLS12) {
-        key_derive    = CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+        key_derive    = CKM_TLS12_KEY_AND_MAC_DERIVE;
+        key_material_params.prfHashMechanism = CKM_SHA256;
+        key_material_params_len = sizeof(CK_TLS12_KEY_MAT_PARAMS);
     } else if (isTLS) {
         key_derive    = CKM_TLS_KEY_AND_MAC_DERIVE;
+        key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
     } else {
         key_derive    = CKM_SSL3_KEY_AND_MAC_DERIVE;
+        key_material_params_len = sizeof(CK_SSL3_KEY_MAT_PARAMS);
     }
 
+    params.data = (unsigned char *)&key_material_params;
+    params.len  = key_material_params_len;
+
     /* CKM_SSL3_KEY_AND_MAC_DERIVE is defined to set ENCRYPT, DECRYPT, and
      * DERIVE by DEFAULT */
     symKey = PK11_Derive(pwSpec->master_secret, key_derive, &params,
                          bulk_mechanism, CKA_ENCRYPT, keySize);
     if (!symKey) {
         ssl_MapLowLevelError(SSL_ERROR_SESSION_KEY_GEN_FAILURE);
         return SECFailure;
     }
     /* we really should use the actual mac'ing mechanism here, but we
      * don't because these types are used to map keytype anyway and both
@@ skipping 290 matching lines @@
     return SECSuccess;
 }
 
 SECStatus
 ssl3_AppendHandshakeNumber(sslSocket *ss, PRInt32 num, PRInt32 lenSize)
 {
     SECStatus rv;
     PRUint8   b[4];
     PRUint8 * p = b;
 
+    PORT_Assert(lenSize <= 4 && lenSize > 0);
+    if (lenSize < 4 && num >= (1L << (lenSize * 8))) {
+        PORT_SetError(SSL_ERROR_TX_RECORD_TOO_LONG);
+        return SECFailure;
+    }
+
     switch (lenSize) {
       case 4:
         *p++ = (num >> 24) & 0xff;
       case 3:
         *p++ = (num >> 16) & 0xff;
       case 2:
         *p++ = (num >> 8) & 0xff;
       case 1:
         *p = num & 0xff;
     }
@@ skipping 72 matching lines @@
         }
     }
 
     return rv;          /* error code set by AppendHandshake, if applicable. */
 }
 
 /* ssl3_AppendSignatureAndHashAlgorithm appends the serialisation of
  * |sigAndHash| to the current handshake message. */
 SECStatus
 ssl3_AppendSignatureAndHashAlgorithm(
-        sslSocket *ss, const SSL3SignatureAndHashAlgorithm* sigAndHash)
+    sslSocket *ss, const SSLSignatureAndHashAlg* sigAndHash)
 {
-    unsigned char serialized[2];
+    PRUint8 serialized[2];
 
-    serialized[0] = ssl3_OIDToTLSHashAlgorithm(sigAndHash->hashAlg);
-    if (serialized[0] == 0) {
-        PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-        return SECFailure;
-    }
-
-    serialized[1] = sigAndHash->sigAlg;
+    serialized[0] = (PRUint8)sigAndHash->hashAlg;
+    serialized[1] = (PRUint8)sigAndHash->sigAlg;
 
     return ssl3_AppendHandshake(ss, serialized, sizeof(serialized));
 }
 
 /**************************************************************************
  * Consume Handshake functions.
  *
  * All data used in these functions is protected by two locks,
  * the RecvBufLock and the SSL3HandshakeLock
  **************************************************************************/
@@ skipping 74 matching lines @@
  */
 SECStatus
 ssl3_ConsumeHandshakeVariable(sslSocket *ss, SECItem *i, PRInt32 bytes,
                               SSL3Opaque **b, PRUint32 *length)
 {
     PRInt32   count;
 
     PORT_Assert(bytes <= 3);
     i->len  = 0;
     i->data = NULL;
+    i->type = siBuffer;
     count = ssl3_ConsumeHandshakeNumber(ss, bytes, b, length);
     if (count < 0) {            /* Can't test for SECSuccess here. */
         return SECFailure;
     }
     if (count > 0) {
         if ((PRUint32)count > *length) {
             return ssl3_DecodeError(ss);
         }
         i->data = *b;
         i->len  = count;
         *b      += count;
         *length -= count;
     }
     return SECSuccess;
 }
 
 /* tlsHashOIDMap contains the mapping between TLS hash identifiers and the
  * SECOidTag used internally by NSS. */
 static const struct {
-    int tlsHash;
+    SSLHashType tlsHash;
     SECOidTag oid;
 } tlsHashOIDMap[] = {
-    { tls_hash_md5, SEC_OID_MD5 },
-    { tls_hash_sha1, SEC_OID_SHA1 },
-    { tls_hash_sha224, SEC_OID_SHA224 },
-    { tls_hash_sha256, SEC_OID_SHA256 },
-    { tls_hash_sha384, SEC_OID_SHA384 },
-    { tls_hash_sha512, SEC_OID_SHA512 }
+    { ssl_hash_sha1, SEC_OID_SHA1 },
+    { ssl_hash_sha256, SEC_OID_SHA256 },
+    { ssl_hash_sha384, SEC_OID_SHA384 },
+    { ssl_hash_sha512, SEC_OID_SHA512 }
 };
 
 /* ssl3_TLSHashAlgorithmToOID converts a TLS hash identifier into an OID value.
  * If the hash is not recognised, SEC_OID_UNKNOWN is returned.
  *
  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 SECOidTag
-ssl3_TLSHashAlgorithmToOID(int hashFunc)
+ssl3_TLSHashAlgorithmToOID(SSLHashType hashFunc)
 {
     unsigned int i;
 
     for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
         if (hashFunc == tlsHashOIDMap[i].tlsHash) {
             return tlsHashOIDMap[i].oid;
         }
     }
     return SEC_OID_UNKNOWN;
 }
 
-/* ssl3_OIDToTLSHashAlgorithm converts an OID to a TLS hash algorithm
- * identifier. If the hash is not recognised, zero is returned.
- *
- * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
-static int
-ssl3_OIDToTLSHashAlgorithm(SECOidTag oid)
-{
-    unsigned int i;
-
-    for (i = 0; i < PR_ARRAY_SIZE(tlsHashOIDMap); i++) {
-        if (oid == tlsHashOIDMap[i].oid) {
-            return tlsHashOIDMap[i].tlsHash;
-        }
-    }
-    return 0;
-}
-
 /* ssl3_TLSSignatureAlgorithmForKeyType returns the TLS 1.2 signature algorithm
  * identifier for a given KeyType. */
 static SECStatus
-ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType,
-                                     TLSSignatureAlgorithm *out)
+ssl3_TLSSignatureAlgorithmForKeyType(KeyType keyType, SSLSignType *out)
 {
     switch (keyType) {
     case rsaKey:
-        *out = tls_sig_rsa;
-        return SECSuccess;
+        *out = ssl_sign_rsa;
+        return SECSuccess;
     case dsaKey:
-        *out = tls_sig_dsa;
-        return SECSuccess;
+        *out = ssl_sign_dsa;
+        return SECSuccess;
     case ecKey:
-        *out = tls_sig_ecdsa;
-        return SECSuccess;
+        *out = ssl_sign_ecdsa;
+        return SECSuccess;
     default:
-        PORT_SetError(SEC_ERROR_INVALID_KEY);
-        return SECFailure;
+        PORT_SetError(SEC_ERROR_INVALID_KEY);
+        return SECFailure;
     }
 }
 
 /* ssl3_TLSSignatureAlgorithmForCertificate returns the TLS 1.2 signature
  * algorithm identifier for the given certificate. */
 static SECStatus
 ssl3_TLSSignatureAlgorithmForCertificate(CERTCertificate *cert,
-                                         TLSSignatureAlgorithm *out)
+                                         SSLSignType *out)
 {
     SECKEYPublicKey *key;
     KeyType keyType;
 
     key = CERT_ExtractPublicKey(cert);
     if (key == NULL) {
-        ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
-        return SECFailure;
+        ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+        return SECFailure;
     }
 
     keyType = key->keyType;
     SECKEY_DestroyPublicKey(key);
     return ssl3_TLSSignatureAlgorithmForKeyType(keyType, out);
 }
 
 /* ssl3_CheckSignatureAndHashAlgorithmConsistency checks that the signature
  * algorithm identifier in |sigAndHash| is consistent with the public key in
- * |cert|. If so, SECSuccess is returned. Otherwise, PORT_SetError is called
- * and SECFailure is returned. */
+ * |cert|. It also checks the hash algorithm against the configured signature
+ * algorithms.  If all the tests pass, SECSuccess is returned. Otherwise,
+ * PORT_SetError is called and SECFailure is returned. */
 SECStatus
 ssl3_CheckSignatureAndHashAlgorithmConsistency(
-        const SSL3SignatureAndHashAlgorithm *sigAndHash, CERTCertificate* cert)
+    sslSocket *ss, const SSLSignatureAndHashAlg *sigAndHash,
+    CERTCertificate* cert)
 {
     SECStatus rv;
-    TLSSignatureAlgorithm sigAlg;
+    SSLSignType sigAlg;
+    unsigned int i;
 
     rv = ssl3_TLSSignatureAlgorithmForCertificate(cert, &sigAlg);
     if (rv != SECSuccess) {
-        return rv;
+        return rv;
     }
     if (sigAlg != sigAndHash->sigAlg) {
-        PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
-        return SECFailure;
+        PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
+        return SECFailure;
     }
-    return SECSuccess;
+
+    for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
+        const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i];
+        if (sigAndHash->sigAlg == alg->sigAlg &&
+            sigAndHash->hashAlg == alg->hashAlg) {
+            return SECSuccess;
+        }
+    }
+    PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+    return SECFailure;
+}
+
+PRBool
+ssl3_IsSupportedSignatureAlgorithm(const SSLSignatureAndHashAlg *alg)
+{
+    static const SSLHashType supportedHashes[] = {
+        ssl_hash_sha1,
+        ssl_hash_sha256,
+        ssl_hash_sha384,
+        ssl_hash_sha512
+    };
+
+    static const SSLSignType supportedSigAlgs[] = {
+        ssl_sign_rsa,
+#ifndef NSS_DISABLE_ECC
+        ssl_sign_ecdsa,
+#endif
+        ssl_sign_dsa
+    };
+
+    unsigned int i;
+    PRBool hashOK = PR_FALSE;
+    PRBool signOK = PR_FALSE;
+
+    for (i = 0; i < PR_ARRAY_SIZE(supportedHashes); ++i) {
+        if (alg->hashAlg == supportedHashes[i]) {
+            hashOK = PR_TRUE;
+            break;
+        }
+    }
+
+    for (i = 0; i < PR_ARRAY_SIZE(supportedSigAlgs); ++i) {
+        if (alg->sigAlg == supportedSigAlgs[i]) {
+            signOK = PR_TRUE;
+            break;
+        }
+    }
+
+    return hashOK && signOK;
 }
 
 /* ssl3_ConsumeSignatureAndHashAlgorithm reads a SignatureAndHashAlgorithm
  * structure from |b| and puts the resulting value into |out|. |b| and |length|
  * are updated accordingly.
  *
  * See https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 SECStatus
 ssl3_ConsumeSignatureAndHashAlgorithm(sslSocket *ss,
-                                      SSL3Opaque **b,
-                                      PRUint32 *length,
-                                      SSL3SignatureAndHashAlgorithm *out)
+                                      SSL3Opaque **b,
+                                      PRUint32 *length,
+                                      SSLSignatureAndHashAlg *out)
 {
-    unsigned char bytes[2];
+    PRUint8 bytes[2];
     SECStatus rv;
 
     rv = ssl3_ConsumeHandshake(ss, bytes, sizeof(bytes), b, length);
     if (rv != SECSuccess) {
-        return rv;
+        return rv;
     }
 
-    out->hashAlg = ssl3_TLSHashAlgorithmToOID(bytes[0]);
-    if (out->hashAlg == SEC_OID_UNKNOWN) {
-        PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
-        return SECFailure;
+    out->hashAlg = (SSLHashType)bytes[0];
+    out->sigAlg = (SSLSignType)bytes[1];
+    if (!ssl3_IsSupportedSignatureAlgorithm(out)) {
+        PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+        return SECFailure;
     }
-
-    out->sigAlg = bytes[1];
     return SECSuccess;
 }
 
 /**************************************************************************
  * end of Consume Handshake functions.
  **************************************************************************/
 
 /* Extract the hashes of handshake messages to this point.
  * Called from ssl3_SendCertificateVerify
  *             ssl3_SendFinished
  *             ssl3_HandleHandshakeMessage
  *
  * Caller must hold the SSL3HandshakeLock.
  * Caller must hold a read or write lock on the Spec R/W lock.
  *      (There is presently no way to assert on a Read lock.)
  */
 static SECStatus
 ssl3_ComputeHandshakeHashes(sslSocket *     ss,
                             ssl3CipherSpec *spec,   /* uses ->master_secret */
                             SSL3Hashes *    hashes, /* output goes here. */
                             PRUint32        sender)
 {
     SECStatus     rv        = SECSuccess;
     PRBool        isTLS     = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0);
     unsigned int  outLength;
     SSL3Opaque    md5_inner[MAX_MAC_LENGTH];
     SSL3Opaque    sha_inner[MAX_MAC_LENGTH];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
-    hashes->hashAlg = SEC_OID_UNKNOWN;
+    if (ss->ssl3.hs.hashType == handshake_hash_unknown) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    hashes->hashAlg = ssl_hash_none;
 
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11 &&
         ss->ssl3.hs.hashType == handshake_hash_single) {
         /* compute them without PKCS11 */
         PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
 
-        if (!spec->msItem.data) {
-            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-            return SECFailure;
-        }
-
         ss->ssl3.hs.sha_clone(sha_cx, ss->ssl3.hs.sha_cx);
         ss->ssl3.hs.sha_obj->end(sha_cx, hashes->u.raw, &hashes->len,
                                  sizeof(hashes->u.raw));
 
         PRINT_BUF(60, (NULL, "SHA-256: result", hashes->u.raw, hashes->len));
 
         /* If we ever support ciphersuites where the PRF hash isn't SHA-256
          * then this will need to be updated. */
-        hashes->hashAlg = SEC_OID_SHA256;
+        hashes->hashAlg = ssl_hash_sha256;
         rv = SECSuccess;
     } else if (ss->opt.bypassPKCS11) {
         /* compute them without PKCS11 */
         PRUint64      md5_cx[MAX_MAC_CONTEXT_LLONGS];
         PRUint64      sha_cx[MAX_MAC_CONTEXT_LLONGS];
 
 #define md5cx ((MD5Context *)md5_cx)
 #define shacx ((SHA1Context *)sha_cx)
 
-        if (!spec->msItem.data) {
-            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-            return SECFailure;
-        }
-
         MD5_Clone (md5cx,  (MD5Context *)ss->ssl3.hs.md5_cx);
         SHA1_Clone(shacx, (SHA1Context *)ss->ssl3.hs.sha_cx);
 
         if (!isTLS) {
             /* compute hashes for SSL3. */
             unsigned char s[4];
 
+            if (!spec->msItem.data) {
+                PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
+                return SECFailure;
+            }
+
             s[0] = (unsigned char)(sender >> 24);
             s[1] = (unsigned char)(sender >> 16);
             s[2] = (unsigned char)(sender >> 8);
             s[3] = (unsigned char)sender;
 
             if (sender != 0) {
                 MD5_Update(md5cx, s, 4);
                 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
             }
 
@@ skipping 52 matching lines @@
 #undef shacx
     } else 
 #endif
     if (ss->ssl3.hs.hashType == handshake_hash_single) {
         /* compute hashes with PKCS11 */
         PK11Context *h;
         unsigned int  stateLen;
         unsigned char stackBuf[1024];
         unsigned char *stateBuf = NULL;
 
-        if (!spec->master_secret) {
-            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-            return SECFailure;
-        }
-
         h = ss->ssl3.hs.sha;
         stateBuf = PK11_SaveContextAlloc(h, stackBuf,
                                          sizeof(stackBuf), &stateLen);
         if (stateBuf == NULL) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             goto tls12_loser;
         }
         rv |= PK11_DigestFinal(h, hashes->u.raw, &hashes->len,
                                sizeof(hashes->u.raw));
         if (rv != SECSuccess) {
             ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
             rv = SECFailure;
             goto tls12_loser;
         }
         /* If we ever support ciphersuites where the PRF hash isn't SHA-256
          * then this will need to be updated. */
-        hashes->hashAlg = SEC_OID_SHA256;
+        hashes->hashAlg = ssl_hash_sha256;
         rv = SECSuccess;
 
 tls12_loser:
         if (stateBuf) {
             if (PK11_RestoreContext(h, stateBuf, stateLen) != SECSuccess) {
                 ssl_MapLowLevelError(SSL_ERROR_DIGEST_FAILURE);
                 rv = SECFailure;
             }
             if (stateBuf != stackBuf) {
                 PORT_ZFree(stateBuf, stateLen);
             }
         }
     } else {
         /* compute hashes with PKCS11 */
         PK11Context * md5;
         PK11Context * sha       = NULL;
         unsigned char *md5StateBuf = NULL;
         unsigned char *shaStateBuf = NULL;
         unsigned int  md5StateLen, shaStateLen;
         unsigned char md5StackBuf[256];
         unsigned char shaStackBuf[512];
 
-        if (!spec->master_secret) {
-            PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
-            return SECFailure;
-        }
-
         md5StateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.md5, md5StackBuf,
                                             sizeof md5StackBuf, &md5StateLen);
         if (md5StateBuf == NULL) {
             ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
             goto loser;
         }
         md5 = ss->ssl3.hs.md5;
 
         shaStateBuf = PK11_SaveContextAlloc(ss->ssl3.hs.sha, shaStackBuf,
                                             sizeof shaStackBuf, &shaStateLen);
         if (shaStateBuf == NULL) {
             ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
             goto loser;
         }
         sha = ss->ssl3.hs.sha;
 
         if (!isTLS) {
             /* compute hashes for SSL3. */
             unsigned char s[4];
 
+            if (!spec->master_secret) {
+                PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE);
+                return SECFailure;
+            }
+
             s[0] = (unsigned char)(sender >> 24);
             s[1] = (unsigned char)(sender >> 16);
             s[2] = (unsigned char)(sender >> 8);
             s[3] = (unsigned char)sender;
 
             if (sender != 0) {
                 rv |= PK11_DigestOp(md5, s, 4);
                 PRINT_BUF(95, (NULL, "MD5 inner: sender", s, 4));
             }
 
@@ skipping 111 matching lines @@
     PORT_Assert( !ss->sec.isServer );
     PORT_Assert( ss->ssl3.hs.hashType == handshake_hash_single );
 
     rv = PK11_DigestFinal(ss->ssl3.hs.backupHash, hashes->u.raw, &hashes->len,
                           sizeof(hashes->u.raw));
     if (rv != SECSuccess) {
         ssl_MapLowLevelError(SSL_ERROR_SHA_DIGEST_FAILURE);
         rv = SECFailure;
         goto loser;
     }
-    hashes->hashAlg = SEC_OID_SHA1;
+    hashes->hashAlg = ssl_hash_sha1;
 
 loser:
     PK11_DestroyContext(ss->ssl3.hs.backupHash, PR_TRUE);
     ss->ssl3.hs.backupHash = NULL;
     return rv;
 }
 
 /*
  * SSL 2 based implementations pass in the initial outbound buffer
  * so that the handshake hash can contain the included information.
@@ skipping 60 matching lines @@
     SSL_TRC(3, ("%d: SSL3[%d]: send client_hello handshake", SSL_GETPID(),
                 ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss) );
 
     rv = ssl3_InitState(ss);
     if (rv != SECSuccess) {
         return rv;              /* ssl3_InitState has set the error code. */
     }
-    ss->ssl3.hs.sendingSCSV = PR_FALSE; /* Must be reset every handshake */
+    /* These must be reset every handshake. */
+    ss->ssl3.hs.sendingSCSV = PR_FALSE;
+    ss->ssl3.hs.preliminaryInfo = 0;
     PORT_Assert(IS_DTLS(ss) || !resending);
 
     SECITEM_FreeItem(&ss->ssl3.hs.newSessionTicket.ticket, PR_FALSE);
     ss->ssl3.hs.receivedNewSessionTicket = PR_FALSE;
 
     /* We might be starting a session renegotiation in which case we should
      * clear previous state.
      */
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
@@ skipping 355 matching lines @@
         rv = ssl3_AppendHandshakeNumber(ss, TLS_FALLBACK_SCSV,
                                         sizeof(ssl3CipherSuite));
         if (rv != SECSuccess) {
             if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
             return rv;  /* err set by ssl3_AppendHandshake* */
         }
         actual_count++;
     }
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-        if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) {
+        if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange, ss)) {
             actual_count++;
             if (actual_count > num_suites) {
                 if (sid->u.ssl3.lock) { NSSRWLock_UnlockRead(sid->u.ssl3.lock); }
                 /* set error card removal/insertion error */
                 PORT_SetError(SSL_ERROR_TOKEN_INSERTION_REMOVAL);
                 return SECFailure;
             }
             rv = ssl3_AppendHandshakeNumber(ss, suite->cipher_suite,
                                             sizeof(ssl3CipherSuite));
             if (rv != SECSuccess) {
@@ skipping 637 matching lines @@
                     hexEncode(buf + 21, keyData->data, 48);
                     buf[sizeof(buf) - 1] = '\n';
 
                     fwrite(buf, sizeof(buf), 1, ssl_keylog_iob);
                     fflush(ssl_keylog_iob);
                 }
             }
         }
     }
 
-    rv = ssl3_InitPendingCipherSpec(ss,  pms);
-    PK11_FreeSymKey(pms); pms = NULL;
-
-    if (rv != SECSuccess) {
-        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-        goto loser;
-    }
-
     rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
                                     isTLS ? enc_pms.len + 2 : enc_pms.len);
     if (rv != SECSuccess) {
         goto loser;     /* err set by ssl3_AppendHandshake* */
     }
     if (isTLS) {
         rv = ssl3_AppendHandshakeVariable(ss, enc_pms.data, enc_pms.len, 2);
     } else {
         rv = ssl3_AppendHandshake(ss, enc_pms.data, enc_pms.len);
     }
     if (rv != SECSuccess) {
         goto loser;     /* err set by ssl3_AppendHandshake* */
     }
 
+    rv = ssl3_InitPendingCipherSpec(ss, pms);
+    PK11_FreeSymKey(pms);
+    pms = NULL;
+
+    if (rv != SECSuccess) {
+        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+        goto loser;
+    }
+
     rv = SECSuccess;
 
 loser:
     if (enc_pms.data != NULL) {
         PORT_Free(enc_pms.data);
     }
     if (pms != NULL) {
         PK11_FreeSymKey(pms);
     }
     return rv;
@@ skipping 49 matching lines @@
                             CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
 
     if (pms == NULL) {
         ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
         goto loser;
     }
 
     SECKEY_DestroyPrivateKey(privKey);
     privKey = NULL;
 
-    rv = ssl3_InitPendingCipherSpec(ss,  pms);
-    PK11_FreeSymKey(pms); pms = NULL;
-
-    if (rv != SECSuccess) {
-        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
-        goto loser;
-    }
-
     rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, 
                                         pubKey->u.dh.publicValue.len + 2);
     if (rv != SECSuccess) {
         goto loser;     /* err set by ssl3_AppendHandshake* */
     }
     rv = ssl3_AppendHandshakeVariable(ss, 
                                         pubKey->u.dh.publicValue.data,
                                         pubKey->u.dh.publicValue.len, 2);
     SECKEY_DestroyPublicKey(pubKey);
     pubKey = NULL;
 
     if (rv != SECSuccess) {
         goto loser;     /* err set by ssl3_AppendHandshake* */
     }
 
+    rv = ssl3_InitPendingCipherSpec(ss, pms);
+    PK11_FreeSymKey(pms);
+    pms = NULL;
+
+    if (rv != SECSuccess) {
+        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+        goto loser;
+    }
+
     rv = SECSuccess;
 
-
 loser:
 
     if(pms) PK11_FreeSymKey(pms);
     if(privKey) SECKEY_DestroyPrivateKey(privKey);
     if(pubKey) SECKEY_DestroyPublicKey(pubKey);
     return rv;
 }
 
 
 
@@ skipping 20 matching lines @@
             return SECFailure;
         }
     } else {
         serverKey = ss->sec.peerKey;
         ss->sec.peerKey = NULL; /* we're done with it now */
     }
 
     isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
     /* enforce limits on kea key sizes. */
     if (ss->ssl3.hs.kea_def->is_limited) {
-        int keyLen = SECKEY_PublicKeyStrength(serverKey);       /* bytes */
+        unsigned int keyLen = SECKEY_PublicKeyStrengthInBits(serverKey);
 
-        if (keyLen * BPB > ss->ssl3.hs.kea_def->key_size_limit) {
+        if (keyLen > ss->ssl3.hs.kea_def->key_size_limit) {
             if (isTLS)
                 (void)SSL3_SendAlert(ss, alert_fatal, export_restriction);
             else
                 (void)ssl3_HandshakeFailure(ss);
             PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
             goto loser;
         }
     }
 
     ss->sec.keaType    = ss->ssl3.hs.kea_def->exchKeyType;
@@ skipping 34 matching lines @@
 static SECStatus
 ssl3_SendCertificateVerify(sslSocket *ss)
 {
     SECStatus     rv            = SECFailure;
     PRBool        isTLS;
     PRBool        isTLS12;
     SECItem       buf           = {siBuffer, NULL, 0};
     SSL3Hashes    hashes;
     KeyType       keyType;
     unsigned int  len;
-    SSL3SignatureAndHashAlgorithm sigAndHash;
+    SSLSignatureAndHashAlg sigAndHash;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_verify handshake",
                 SSL_GETPID(), ss->fd));
 
     ssl_GetSpecReadLock(ss);
     if (ss->ssl3.hs.hashType == handshake_hash_single &&
         ss->ssl3.hs.backupHash) {
@@ skipping 44 matching lines @@
     }
 
     len = buf.len + 2 + (isTLS12 ? 2 : 0);
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_verify, len);
     if (rv != SECSuccess) {
         goto done;      /* error code set by AppendHandshake */
     }
     if (isTLS12) {
         rv = ssl3_TLSSignatureAlgorithmForKeyType(keyType,
-                                                  &sigAndHash.sigAlg);
+                                                  &sigAndHash.sigAlg);
         if (rv != SECSuccess) {
             goto done;
         }
-        sigAndHash.hashAlg = hashes.hashAlg;
+        sigAndHash.hashAlg = hashes.hashAlg;
 
         rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
         if (rv != SECSuccess) {
             goto done;  /* err set by AppendHandshake. */
         }
     }
     rv = ssl3_AppendHandshakeVariable(ss, buf.data, buf.len, 2);
     if (rv != SECSuccess) {
         goto done;      /* error code set by AppendHandshake */
     }
@@ skipping 87 matching lines @@
         }
     }
 
     rv = ssl3_NegotiateVersion(ss, version, PR_FALSE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_UNSUPPORTED_VERSION;
         goto alert_loser;
     }
+    ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
     isTLS = (ss->version > SSL_LIBRARY_VERSION_3_0);
 
     rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
         desc = internal_error;
         errCode = PORT_GetError();
         goto alert_loser;
     }
 
     rv = ssl3_ConsumeHandshake(
@@ skipping 15 matching lines @@
     /* find selected cipher suite in our list. */
     temp = ssl3_ConsumeHandshakeNumber(ss, 2, &b, &length);
     if (temp < 0) {
         goto loser;     /* alert has been sent */
     }
     ssl3_config_match_init(ss);
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
         if (temp == suite->cipher_suite) {
             SSLVersionRange vrange = {ss->version, ss->version};
-            if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
+            if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
                 /* config_match already checks whether the cipher suite is
                  * acceptable for the version, but the check is repeated here
                  * in order to give a more precise error code. */
                 if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) {
                     desc    = handshake_failure;
                     errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION;
                     goto alert_loser;
                 }
 
                 break;  /* failure */
             }
         
             suite_found = PR_TRUE;
             break;      /* success */
         }
     }
     if (!suite_found) {
         desc    = handshake_failure;
         errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
         goto alert_loser;
     }
     ss->ssl3.hs.cipher_suite = (ssl3CipherSuite)temp;
     ss->ssl3.hs.suite_def    = ssl_LookupCipherSuiteDef((ssl3CipherSuite)temp);
+    ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
     PORT_Assert(ss->ssl3.hs.suite_def);
     if (!ss->ssl3.hs.suite_def) {
         PORT_SetError(errCode = SEC_ERROR_LIBRARY_FAILURE);
         goto loser;     /* we don't send alerts for our screw-ups. */
     }
 
     /* find selected compression method in our list. */
     temp = ssl3_ConsumeHandshakeNumber(ss, 1, &b, &length);
     if (temp < 0) {
         goto loser;     /* alert has been sent */
@@ skipping 66 matching lines @@
         sidBytes.len == sid->u.ssl3.sessionIDLength &&
         !PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len));
 
     if (sid_match &&
         sid->version == ss->version &&
         sid->u.ssl3.cipherSuite == ss->ssl3.hs.cipher_suite) do {
         ssl3CipherSpec *pwSpec = ss->ssl3.pwSpec;
 
         SECItem       wrappedMS;   /* wrapped master secret. */
 
+        /* [draft-ietf-tls-session-hash-06; Section 5.3]
+         *
+         * o  If the original session did not use the "extended_master_secret"
+         *    extension but the new ServerHello contains the extension, the
+         *    client MUST abort the handshake.
+        */
+        if (!sid->u.ssl3.keys.extendedMasterSecretUsed &&
+            ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) {
+            errCode = SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET;
+            goto alert_loser;
+        }
+
+        /*
+         *   o  If the original session used an extended master secret but the new
+         *      ServerHello does not contain the "extended_master_secret"
+         *      extension, the client SHOULD abort the handshake.
+         *
+         * TODO(ekr@rtfm.com): Add option to refuse to resume when EMS is not
+         * used at all (bug 1176526).
+        */
+        if (sid->u.ssl3.keys.extendedMasterSecretUsed &&
+            !ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) {
+            errCode = SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET;
+            goto alert_loser;
+        }
+
         ss->sec.authAlgorithm = sid->authAlgorithm;
         ss->sec.authKeyBits   = sid->authKeyBits;
         ss->sec.keaType       = sid->keaType;
         ss->sec.keaKeyBits    = sid->keaKeyBits;
 
         /* 3 cases here:
          * a) key is wrapped (implies using PKCS11)
          * b) key is unwrapped, but we're still using PKCS11
          * c) key is unwrapped, and we're bypassing PKCS11.
          */
@@ skipping 82 matching lines @@
             ss->ssl3.hs.ws = wait_change_cipher;
 
         ss->ssl3.hs.isResuming = PR_TRUE;
 
         /* copy the peer cert from the SID */
         if (sid->peerCert != NULL) {
             ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);
             ssl3_CopyPeerCertsFromSID(ss, sid);
         }
 
-        /* NULL value for PMS signifies re-use of the old MS */
+        /* NULL value for PMS because we are reusing the old MS */
         rv = ssl3_InitPendingCipherSpec(ss,  NULL);
         if (rv != SECSuccess) {
             goto alert_loser;   /* err code was set */
         }
         goto winner;
     } while (0);
 
     if (sid_match)
         SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_not_ok );
     else
         SSL_AtomicIncrementLong(& ssl3stats.hsh_sid_cache_misses );
 
     /* throw the old one away */
     sid->u.ssl3.keys.resumable = PR_FALSE;
     if (ss->sec.uncache)
         (*ss->sec.uncache)(sid);
     ssl_FreeSID(sid);
 
     /* get a new sid */
     ss->sec.ci.sid = sid = ssl3_NewSessionID(ss, PR_FALSE);
     if (sid == NULL) {
         goto alert_loser;       /* memory error is set. */
     }
 
     sid->version = ss->version;
     sid->u.ssl3.sessionIDLength = sidBytes.len;
     PORT_Memcpy(sid->u.ssl3.sessionID, sidBytes.data, sidBytes.len);
 
+    sid->u.ssl3.keys.extendedMasterSecretUsed =
+            ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn);
+
     /* Copy Signed Certificate Timestamps, if any. */
     if (ss->xtnData.signedCertTimestamps.data) {
         rv = SECITEM_CopyItem(NULL, &sid->u.ssl3.signedCertTimestamps,
                               &ss->xtnData.signedCertTimestamps);
         if (rv != SECSuccess)
             goto loser;
     }
 
     ss->ssl3.hs.isResuming = PR_FALSE;
     if (ss->ssl3.hs.kea_def->signKeyType != sign_null) {
         /* All current cipher suites other than those with sign_null (i.e.,
-         * DH_anon_* suites) require a certificate, so use that signal. */
+         * (EC)DH_anon_* suites) require a certificate, so use that signal. */
         ss->ssl3.hs.ws = wait_server_cert;
-    } else if (ss->ssl3.hs.kea_def->ephemeral) {
-        /* Only ephemeral cipher suites use ServerKeyExchange. */
+    } else {
+        /* All the remaining cipher suites must be (EC)DH_anon_* and so
+         * must be ephemeral. Note, if we ever add PSK this might
+         * change. */
+        PORT_Assert(ss->ssl3.hs.kea_def->ephemeral);
         ss->ssl3.hs.ws = wait_server_key;
-    } else {
-        ss->ssl3.hs.ws = wait_cert_request;
     }
 
 winner:
     /* Clean up the temporary pointer to the handshake buffer. */
     ss->xtnData.signedCertTimestamps.data = NULL;
     ss->xtnData.signedCertTimestamps.len = 0;
 
     /* If we will need a ChannelID key then we make the callback now. This
      * allows the handshake to be restarted cleanly if the callback returns
      * SECWouldBlock. */
@@ skipping 19 matching lines @@
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 
 loser:
     /* Clean up the temporary pointer to the handshake buffer. */
     ss->xtnData.signedCertTimestamps.data = NULL;
     ss->xtnData.signedCertTimestamps.len = 0;
     errCode = ssl_MapLowLevelError(errCode);
     return SECFailure;
 }
 
-/* ssl3_BigIntGreaterThanOne returns true iff |mpint|, taken as an unsigned,
- * big-endian integer is > 1 */
-static PRBool
-ssl3_BigIntGreaterThanOne(const SECItem* mpint) {
-    unsigned char firstNonZeroByte = 0;
-    unsigned int i;
-
-    for (i = 0; i < mpint->len; i++) {
-        if (mpint->data[i]) {
-            firstNonZeroByte = mpint->data[i];
-            break;
-        }
-    }
-
-    if (firstNonZeroByte == 0)
-        return PR_FALSE;
-    if (firstNonZeroByte > 1)
-        return PR_TRUE;
-
-    /* firstNonZeroByte == 1, therefore mpint > 1 iff the first non-zero byte
-     * is followed by another byte. */
-    return (i < mpint->len - 1);
-}
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 ServerKeyExchange message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     PLArenaPool *    arena     = NULL;
     SECKEYPublicKey *peerKey   = NULL;
     PRBool           isTLS, isTLS12;
     SECStatus        rv;
     int              errCode   = SSL_ERROR_RX_MALFORMED_SERVER_KEY_EXCH;
     SSL3AlertDescription desc  = illegal_parameter;
     SSL3Hashes       hashes;
     SECItem          signature = {siBuffer, NULL, 0};
-    SSL3SignatureAndHashAlgorithm sigAndHash;
+    SSLSignatureAndHashAlg sigAndHash;
 
-    sigAndHash.hashAlg = SEC_OID_UNKNOWN;
+    sigAndHash.hashAlg = ssl_hash_none;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle server_key_exchange handshake",
                 SSL_GETPID(), ss->fd));
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_server_key) {
         errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH;
         desc = unexpected_message;
         goto alert_loser;
     }
 
     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
     isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
 
     switch (ss->ssl3.hs.kea_def->exchKeyType) {
 
     case kt_rsa: {
         SECItem          modulus   = {siBuffer, NULL, 0};
         SECItem          exponent  = {siBuffer, NULL, 0};
 
         rv = ssl3_ConsumeHandshakeVariable(ss, &modulus, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
+        /* This exchange method is only used by export cipher suites.
+         * Those are broken and so this code will eventually be removed. */
+        if (SECKEY_BigIntegerBitLength(&modulus) < 512) {
+            desc = isTLS ? insufficient_security : illegal_parameter;
+            goto alert_loser;
+        }
         rv = ssl3_ConsumeHandshakeVariable(ss, &exponent, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
         if (isTLS12) {
             rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
                                                        &sigAndHash);
             if (rv != SECSuccess) {
                 goto loser;     /* malformed or unsupported. */
             }
-            rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
+            rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(ss,
                     &sigAndHash, ss->sec.peerCert);
             if (rv != SECSuccess) {
                 goto loser;
             }
         }
         rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
         if (length != 0) {
             if (isTLS)
                 desc = decode_error;
             goto alert_loser;           /* malformed. */
         }
 
         /* failures after this point are not malformed handshakes. */
         /* TLS: send decrypt_error if signature failed. */
         desc = isTLS ? decrypt_error : handshake_failure;
 
         /*
          *  check to make sure the hash is signed by right guy
          */
-        rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
-                                          &ss->ssl3.hs.client_random,
-                                          &ss->ssl3.hs.server_random, 
-                                          &hashes, ss->opt.bypassPKCS11);
+        rv = ssl3_ComputeExportRSAKeyHash(sigAndHash.hashAlg, modulus, exponent,
+                                          &ss->ssl3.hs.client_random,
+                                          &ss->ssl3.hs.server_random,
+                                          &hashes, ss->opt.bypassPKCS11);
         if (rv != SECSuccess) {
             errCode =
                 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
             goto alert_loser;
         }
         rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
                                     isTLS, ss->pkcs11PinArg);
         if (rv != SECSuccess)  {
             errCode =
                 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
             goto alert_loser;
         }
 
         /*
          * we really need to build a new key here because we can no longer
          * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
          * pkcs11 slots and ID's.
          */
         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (arena == NULL) {
             goto no_memory;
         }
 
         peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
         if (peerKey == NULL) {
-            PORT_FreeArena(arena, PR_FALSE);
             goto no_memory;
         }
 
         peerKey->arena              = arena;
         peerKey->keyType            = rsaKey;
         peerKey->pkcs11Slot         = NULL;
         peerKey->pkcs11ID           = CK_INVALID_HANDLE;
         if (SECITEM_CopyItem(arena, &peerKey->u.rsa.modulus,        &modulus) ||
             SECITEM_CopyItem(arena, &peerKey->u.rsa.publicExponent, &exponent))
         {
-            PORT_FreeArena(arena, PR_FALSE);
             goto no_memory;
         }
         ss->sec.peerKey = peerKey;
         ss->ssl3.hs.ws = wait_cert_request;
         return SECSuccess;
     }
 
     case kt_dh: {
         SECItem          dh_p      = {siBuffer, NULL, 0};
         SECItem          dh_g      = {siBuffer, NULL, 0};
         SECItem          dh_Ys     = {siBuffer, NULL, 0};
+        unsigned dh_p_bits;
+        unsigned dh_g_bits;
+        unsigned dh_Ys_bits;
+        PRInt32  minDH;
 
         rv = ssl3_ConsumeHandshakeVariable(ss, &dh_p, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
-        if (dh_p.len < 1024/8 ||
-            (dh_p.len == 1024/8 && (dh_p.data[0] & 0x80) == 0)) {
+
+        rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
+        if (rv != SECSuccess) {
+            minDH = SSL_DH_MIN_P_BITS;
+        }
+        dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
+        if (dh_p_bits < minDH) {
             errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
             goto alert_loser;
         }
         rv = ssl3_ConsumeHandshakeVariable(ss, &dh_g, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
-        if (dh_g.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_g))
+        /* Abort if dh_g is 0, 1, or obviously too big. */
+        dh_g_bits = SECKEY_BigIntegerBitLength(&dh_g);
+        if (dh_g_bits > dh_p_bits || dh_g_bits <= 1)
             goto alert_loser;
         rv = ssl3_ConsumeHandshakeVariable(ss, &dh_Ys, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
-        if (dh_Ys.len > dh_p.len || !ssl3_BigIntGreaterThanOne(&dh_Ys))
+        dh_Ys_bits = SECKEY_BigIntegerBitLength(&dh_Ys);
+        if (dh_Ys_bits > dh_p_bits || dh_Ys_bits <= 1)
             goto alert_loser;
         if (isTLS12) {
             rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
                                                        &sigAndHash);
             if (rv != SECSuccess) {
                 goto loser;     /* malformed or unsupported. */
             }
-            rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
+            rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(ss,
                     &sigAndHash, ss->sec.peerCert);
             if (rv != SECSuccess) {
                 goto loser;
             }
         }
         rv = ssl3_ConsumeHandshakeVariable(ss, &signature, 2, &b, &length);
         if (rv != SECSuccess) {
             goto loser;         /* malformed. */
         }
         if (length != 0) {
             if (isTLS)
                 desc = decode_error;
             goto alert_loser;           /* malformed. */
         }
 
         PRINT_BUF(60, (NULL, "Server DH p", dh_p.data, dh_p.len));
         PRINT_BUF(60, (NULL, "Server DH g", dh_g.data, dh_g.len));
         PRINT_BUF(60, (NULL, "Server DH Ys", dh_Ys.data, dh_Ys.len));
 
         /* failures after this point are not malformed handshakes. */
         /* TLS: send decrypt_error if signature failed. */
         desc = isTLS ? decrypt_error : handshake_failure;
 
         /*
          *  check to make sure the hash is signed by right guy
          */
-        rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
-                                          &ss->ssl3.hs.client_random,
-                                          &ss->ssl3.hs.server_random, 
-                                          &hashes, ss->opt.bypassPKCS11);
+        rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg, dh_p, dh_g, dh_Ys,
+                                   &ss->ssl3.hs.client_random,
+                                   &ss->ssl3.hs.server_random, 
+                                   &hashes, ss->opt.bypassPKCS11);
         if (rv != SECSuccess) {
             errCode =
                 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
             goto alert_loser;
         }
         rv = ssl3_VerifySignedHashes(&hashes, ss->sec.peerCert, &signature,
                                     isTLS, ss->pkcs11PinArg);
         if (rv != SECSuccess)  {
             errCode =
                 ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
             goto alert_loser;
         }
 
         /*
          * we really need to build a new key here because we can no longer
          * ignore calling SECKEY_DestroyPublicKey. Using the key may allocate
          * pkcs11 slots and ID's.
          */
         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (arena == NULL) {
             goto no_memory;
         }
 
-        ss->sec.peerKey = peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
+        peerKey = PORT_ArenaZNew(arena, SECKEYPublicKey);
         if (peerKey == NULL) {
             goto no_memory;
         }
 
         peerKey->arena              = arena;
         peerKey->keyType            = dhKey;
         peerKey->pkcs11Slot         = NULL;
         peerKey->pkcs11ID           = CK_INVALID_HANDLE;
 
         if (SECITEM_CopyItem(arena, &peerKey->u.dh.prime,        &dh_p) ||
             SECITEM_CopyItem(arena, &peerKey->u.dh.base,         &dh_g) ||
             SECITEM_CopyItem(arena, &peerKey->u.dh.publicValue,  &dh_Ys))
         {
-            PORT_FreeArena(arena, PR_FALSE);
             goto no_memory;
         }
         ss->sec.peerKey = peerKey;
         ss->ssl3.hs.ws = wait_cert_request;
         return SECSuccess;
     }
 
 #ifndef NSS_DISABLE_ECC
     case kt_ecdh:
         rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
         return rv;
 #endif /* NSS_DISABLE_ECC */
 
     default:
         desc    = handshake_failure;
         errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
         break;          /* goto alert_loser; */
     }
 
 alert_loser:
     (void)SSL3_SendAlert(ss, alert_fatal, desc);
 loser:
+    if (arena) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
     PORT_SetError( errCode );
     return SECFailure;
 
 no_memory:      /* no-memory error has already been set. */
+    if (arena) {
+        PORT_FreeArena(arena, PR_FALSE);
+    }
     ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
     return SECFailure;
 }
 
 /*
  * Returns the TLS signature algorithm for the client authentication key and
  * whether it is an RSA or DSA key that may be able to sign only SHA-1 hashes.
  */
 static SECStatus
 ssl3_ExtractClientKeyInfo(sslSocket *ss,
-                          TLSSignatureAlgorithm *sigAlg,
+                          SSLSignType *sigAlg,
                           PRBool *preferSha1)
 {
     SECStatus rv = SECSuccess;
     SECKEYPublicKey *pubk;
 
     pubk = CERT_ExtractPublicKey(ss->ssl3.clientCertificate);
     if (pubk == NULL) {
         rv = SECFailure;
         goto done;
     }
@@ skipping 35 matching lines @@
 
 /* Destroys the backup handshake hash context if we don't need it. Note that
  * this function selects the hash algorithm for client authentication
  * signatures; ssl3_SendCertificateVerify uses the presence of the backup hash
  * to determine whether to use SHA-1 or SHA-256. */
 static void
 ssl3_DestroyBackupHandshakeHashIfNotNeeded(sslSocket *ss,
                                            const SECItem *algorithms)
 {
     SECStatus rv;
-    TLSSignatureAlgorithm sigAlg;
+    SSLSignType sigAlg;
     PRBool preferSha1;
     PRBool supportsSha1 = PR_FALSE;
     PRBool supportsSha256 = PR_FALSE;
     PRBool needBackupHash = PR_FALSE;
     unsigned int i;
 
 #ifndef NO_PKCS11_BYPASS
     /* Backup handshake hash is not supported in PKCS #11 bypass mode. */
     if (ss->opt.bypassPKCS11) {
         PORT_Assert(!ss->ssl3.hs.backupHash);
         return;
     }
 #endif
     PORT_Assert(ss->ssl3.hs.backupHash);
 
     /* Determine the key's signature algorithm and whether it prefers SHA-1. */
     rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
     if (rv != SECSuccess) {
         goto done;
     }
 
     /* Determine the server's hash support for that signature algorithm. */
     for (i = 0; i < algorithms->len; i += 2) {
         if (algorithms->data[i+1] == sigAlg) {
-            if (algorithms->data[i] == tls_hash_sha1) {
+            if (algorithms->data[i] == ssl_hash_sha1) {
                 supportsSha1 = PR_TRUE;
-            } else if (algorithms->data[i] == tls_hash_sha256) {
+            } else if (algorithms->data[i] == ssl_hash_sha256) {
                 supportsSha256 = PR_TRUE;
             }
         }
     }
 
     /* If either the server does not support SHA-256 or the client key prefers
      * SHA-1, leave the backup hash. */
     if (supportsSha1 && (preferSha1 || !supportsSha256)) {
         needBackupHash = PR_TRUE;
     }
@@ skipping 138 matching lines @@
         rv = (SECStatus)(*ss->getPlatformClientAuthData)(
                                         ss->getPlatformClientAuthDataArg,
                                         ss->fd, &ca_list,
                                         &platform_cert_list,
                                         (void**)&ss->ssl3.platformClientKey,
                                         &ss->ssl3.clientCertificate,
                                         &ss->ssl3.clientPrivateKey);
     } else
 #endif
     if (ss->getClientAuthData != NULL) {
+        PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) ==
+                    ssl_preinfo_all);
         /* XXX Should pass cert_types and algorithms in this call!! */
         rv = (SECStatus)(*ss->getClientAuthData)(ss->getClientAuthDataArg,
                                                  ss->fd, &ca_list,
                                                  &ss->ssl3.clientCertificate,
                                                  &ss->ssl3.clientPrivateKey);
     } else {
         rv = SECFailure; /* force it to send a no_certificate alert */
     }
 
     switch (rv) {
@@ skipping 211 matching lines @@
          * sufficiently strong that the attack can gain no advantage.
          * Therefore we always require an 80-bit cipher. */
         ssl_GetSpecReadLock(ss);
         maybeFalseStart = ss->ssl3.cwSpec->cipher_def->secret_key_size >= 10;
         ssl_ReleaseSpecReadLock(ss);
 
         if (!maybeFalseStart) {
             SSL_TRC(3, ("%d: SSL[%d]: no false start due to weak cipher",
                         SSL_GETPID(), ss->fd));
         } else {
+            PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) ==
+                        ssl_preinfo_all);
             rv = (ss->canFalseStartCallback)(ss->fd,
                                              ss->canFalseStartCallbackData,
                                              &ss->ssl3.hs.canFalseStart);
             if (rv == SECSuccess) {
                 SSL_TRC(3, ("%d: SSL[%d]: false start callback returned %s",
                             SSL_GETPID(), ss->fd,
                             ss->ssl3.hs.canFalseStart ? "TRUE" : "FALSE"));
             } else {
                 SSL_TRC(3, ("%d: SSL[%d]: false start callback failed (%s)",
                             SSL_GETPID(), ss->fd,
@@ skipping 338 matching lines @@
     sid->addr           = ss->sec.ci.peer;
     sid->port           = ss->sec.ci.port;
     sid->references     = 1;
     sid->cached         = never_cached;
     sid->version        = ss->version;
 
     sid->u.ssl3.keys.resumable = PR_TRUE;
     sid->u.ssl3.policy         = SSL_ALLOWED;
     sid->u.ssl3.clientWriteKey = NULL;
     sid->u.ssl3.serverWriteKey = NULL;
+    sid->u.ssl3.keys.extendedMasterSecretUsed = PR_FALSE;
 
     if (is_server) {
         SECStatus rv;
         int       pid = SSL_GETPID();
 
         sid->u.ssl3.sessionIDLength = SSL3_SESSIONID_BYTES;
         sid->u.ssl3.sessionID[0]    = (pid >> 8) & 0xff;
         sid->u.ssl3.sessionID[1]    =  pid       & 0xff;
         rv = PK11_GenerateRandom(sid->u.ssl3.sessionID + 2,
                                  SSL3_SESSIONID_BYTES -2);
@@ skipping 32 matching lines @@
         return rv;      /* error code is set. */
     }
     /* We have to do this after the call to ssl3_SendServerHello,
      * because kea_def is set up by ssl3_SendServerHello().
      */
     kea_def = ss->ssl3.hs.kea_def;
     ss->ssl3.hs.usedStepDownKey = PR_FALSE;
 
     if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) {
         /* see if we can legally use the key in the cert. */
-        int keyLen;  /* bytes */
+        unsigned int keyLen;  /* bytes */
 
         keyLen = PK11_GetPrivateModulusLen(
                             ss->serverCerts[kea_def->exchKeyType].SERVERKEY);
 
         if (keyLen > 0 &&
             keyLen * BPB <= kea_def->key_size_limit ) {
             /* XXX AND cert is not signing only!! */
             /* just fall through and use it. */
         } else if (ss->stepDownKeyPair != NULL) {
             ss->ssl3.hs.usedStepDownKey = PR_TRUE;
@@ skipping 26 matching lines @@
     }
 
     ss->ssl3.hs.ws = (ss->opt.requestCertificate) ? wait_client_cert
                                                : wait_client_key;
     return SECSuccess;
 }
 
 /* An empty TLS Renegotiation Info (RI) extension */
 static const PRUint8 emptyRIext[5] = {0xff, 0x01, 0x00, 0x01, 0x00};
 
+static PRBool
+ssl3_KEAAllowsSessionTicket(SSL3KeyExchangeAlgorithm kea)
+{
+    switch (kea) {
+        case kea_dhe_dss:
+        case kea_dhe_dss_export:
+        case kea_dh_dss_export:
+        case kea_dh_dss:
+            /* TODO: Fix session tickets for DSS. The server code rejects the
+             * session ticket received from the client. Bug 1174677 */
+            return PR_FALSE;
+        default:
+            return PR_TRUE;
+    };
+}
+
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 Client Hello message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleClientHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     sslSessionID *      sid      = NULL;
     PRInt32             tmp;
     unsigned int        i;
     int                 j;
     SECStatus           rv;
     int                 errCode  = SSL_ERROR_RX_MALFORMED_CLIENT_HELLO;
     SSL3AlertDescription desc    = illegal_parameter;
     SSL3AlertLevel      level    = alert_fatal;
     SSL3ProtocolVersion version;
     SECItem             sidBytes = {siBuffer, NULL, 0};
     SECItem             cookieBytes = {siBuffer, NULL, 0};
     SECItem             suites   = {siBuffer, NULL, 0};
     SECItem             comps    = {siBuffer, NULL, 0};
     PRBool              haveSpecWriteLock = PR_FALSE;
     PRBool              haveXmitBufLock   = PR_FALSE;
+    PRBool              canOfferSessionTicket = PR_FALSE;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_hello handshake",
         SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
     PORT_Assert( ss->ssl3.initialized );
+    ss->ssl3.hs.preliminaryInfo = 0;
 
     if (!ss->sec.isServer ||
         (ss->ssl3.hs.ws != wait_client_hello &&
          ss->ssl3.hs.ws != idle_handshake)) {
         desc = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CLIENT_HELLO;
         goto alert_loser;
     }
     if (ss->ssl3.hs.ws == idle_handshake &&
         ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
@@ skipping 45 matching lines @@
         ss->clientHelloVersion = version = (SSL3ProtocolVersion)tmp;
     }
 
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version 
                                                    : handshake_failure;
         errCode = SSL_ERROR_UNSUPPORTED_VERSION;
         goto alert_loser;
     }
+    ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
 
     rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
         desc = internal_error;
         errCode = PORT_GetError();
         goto alert_loser;
     }
 
     /* grab the client random data. */
     rv = ssl3_ConsumeHandshake(
@@ skipping 147 matching lines @@
      * the extension and we are unable to do either a stateful or
      * stateless resume.
      *
      * TODO: send a session ticket if performing a stateful
      * resumption.  (As per RFC4507, a server may issue a session
      * ticket while doing a (stateless or stateful) session resume,
      * but OpenSSL-0.9.8g does not accept session tickets while
      * resuming.)
      */
     if (ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) && sid == NULL) {
-        ssl3_RegisterServerHelloExtensionSender(ss,
-            ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
+        canOfferSessionTicket = PR_TRUE;
     }
 
     if (sid != NULL) {
         /* We've found a session cache entry for this client.
          * Now, if we're going to require a client-auth cert,
          * and we don't already have this client's cert in the session cache,
          * and this is the first handshake on this connection (not a redo),
          * then drop this old cache entry and start a new session.
          */
         if ((sid->peerCert == NULL) && ss->opt.requestCertificate &&
@@ skipping 62 matching lines @@
         }
         PORT_Assert(j > 0);
         if (j <= 0)
             break;
 #ifdef PARANOID
         /* Double check that the cached cipher suite is still enabled,
          * implemented, and allowed by policy.  Might have been disabled.
          * The product policy won't change during the process lifetime.  
          * Implemented ("isPresent") shouldn't change for servers.
          */
-        if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange))
+        if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss))
             break;
 #else
         if (!suite->enabled)
             break;
 #endif
         /* Double check that the cached cipher suite is in the client's list */
         for (i = 0; i + 1 < suites.len; i += 2) {
             PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
             if (suite_i == suite->cipher_suite) {
                 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
                 ss->ssl3.hs.suite_def =
                     ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+                ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
 
                 /* Use the cached compression method. */
                 ss->ssl3.hs.compression = sid->u.ssl3.compression;
                 goto compression_found;
             }
         }
     } while (0);
 
     /* START A NEW SESSION */
 
@@ skipping 16 matching lines @@
     ** 1.0 and selecting one of those export cipher suites. However, a secure
     ** TLS 1.1 client should not have export cipher suites enabled at all,
     ** and a TLS 1.1 client should definitely not be offering *only* export
     ** cipher suites. Therefore, we refuse to negotiate export cipher suites
     ** with any client that indicates support for TLS 1.1 or higher when we
     ** (the server) have TLS 1.1 support enabled.
     */
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
         SSLVersionRange vrange = {ss->version, ss->version};
-        if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
+        if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
             continue;
         }
         for (i = 0; i + 1 < suites.len; i += 2) {
             PRUint16 suite_i = (suites.data[i] << 8) | suites.data[i + 1];
             if (suite_i == suite->cipher_suite) {
                 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
                 ss->ssl3.hs.suite_def =
                     ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+                ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
                 goto suite_found;
             }
         }
     }
     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
     goto alert_loser;
 
 suite_found:
+    if (canOfferSessionTicket)
+        canOfferSessionTicket = ssl3_KEAAllowsSessionTicket(
+                                    ss->ssl3.hs.suite_def->key_exchange_alg);
+
+    if (canOfferSessionTicket) {
+        ssl3_RegisterServerHelloExtensionSender(ss,
+            ssl_session_ticket_xtn, ssl3_SendSessionTicketXtn);
+    }
+
     /* Select a compression algorithm. */
     for (i = 0; i < comps.len; i++) {
         if (!compressionEnabled(ss, comps.data[i]))
             continue;
         for (j = 0; j < compressionMethodsCount; j++) {
             if (comps.data[i] == compressions[j]) {
                 ss->ssl3.hs.compression = 
                                         (SSLCompressionMethod)compressions[j];
                 goto compression_found;
             }
         }
     }
     errCode = SSL_ERROR_NO_COMPRESSION_OVERLAP;
                                 /* null compression must be supported */
     goto alert_loser;
 
 compression_found:
     suites.data = NULL;
     comps.data = NULL;
 
     ss->sec.send = ssl3_SendApplicationData;
 
     /* If there are any failures while processing the old sid,
      * we don't consider them to be errors.  Instead, We just behave
      * as if the client had sent us no sid to begin with, and make a new one.
+     * The exception here is attempts to resume extended_master_secret
+     * sessions without the extension, which causes an alert.
      */
     if (sid != NULL) do {
         ssl3CipherSpec *pwSpec;
         SECItem         wrappedMS;      /* wrapped key */
 
         if (sid->version != ss->version  ||
             sid->u.ssl3.cipherSuite != ss->ssl3.hs.cipher_suite ||
             sid->u.ssl3.compression != ss->ssl3.hs.compression) {
             break;      /* not an error */
         }
 
+        /* [draft-ietf-tls-session-hash-06; Section 5.3]
+         * o  If the original session did not use the "extended_master_secret"
+         *    extension but the new ClientHello contains the extension, then the
+         *    server MUST NOT perform the abbreviated handshake.  Instead, it
+         *    SHOULD continue with a full handshake (as described in
+         *    Section 5.2) to negotiate a new session.
+         *
+         * o  If the original session used the "extended_master_secret"
+         *    extension but the new ClientHello does not contain the extension,
+         *    the server MUST abort the abbreviated handshake.
+         */
+        if (ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn)) {
+            if (!sid->u.ssl3.keys.extendedMasterSecretUsed) {
+                break;  /* not an error */
+            }
+        } else {
+            if (sid->u.ssl3.keys.extendedMasterSecretUsed) {
+                /* Note: we do not destroy the session */
+                desc = handshake_failure;
+                errCode = SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET;
+                goto alert_loser;
+            }
+        }
+
         if (ss->sec.ci.sid) {
             if (ss->sec.uncache)
                 ss->sec.uncache(ss->sec.ci.sid);
             PORT_Assert(ss->sec.ci.sid != sid);  /* should be impossible, but ... */
             if (ss->sec.ci.sid != sid) {
                 ssl_FreeSID(ss->sec.ci.sid);
             }
             ss->sec.ci.sid = NULL;
         }
         /* we need to resurrect the master secret.... */
@@ skipping 121 matching lines @@
         if (rv != SECSuccess) {
             errCode = PORT_GetError();
             goto loser;
         }
 
         if (haveSpecWriteLock) {
             ssl_ReleaseSpecWriteLock(ss);
             haveSpecWriteLock = PR_FALSE;
         }
 
-        /* NULL value for PMS signifies re-use of the old MS */
+        /* NULL value for PMS because we are re-using the old MS */
         rv = ssl3_InitPendingCipherSpec(ss,  NULL);
         if (rv != SECSuccess) {
             errCode = PORT_GetError();
             goto loser;
         }
 
         rv = ssl3_SendChangeCipherSpecs(ss);
         if (rv != SECSuccess) {
             errCode = PORT_GetError();
             goto loser;
@@ skipping 23 matching lines @@
         if (ss->sec.uncache)
             ss->sec.uncache(sid);
         ssl_FreeSID(sid);
         sid = NULL;
     }
     SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_misses );
 
     if (ssl3_ExtensionNegotiated(ss, ssl_server_name_xtn)) {
         int ret = 0;
         if (ss->sniSocketConfig) do { /* not a loop */
+            PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) ==
+                        ssl_preinfo_all);
+
             ret = SSL_SNI_SEND_ALERT;
             /* If extension is negotiated, the len of names should > 0. */
             if (ss->xtnData.sniNameArrSize) {
                 /* Calling client callback to reconfigure the socket. */
                 ret = (SECStatus)(*ss->sniSocketConfig)(ss->fd,
                                          ss->xtnData.sniNameArr,
                                       ss->xtnData.sniNameArrSize,
                                           ss->sniSocketConfigArg);
             }
             if (ret <= SSL_SNI_SEND_ALERT) {
@@ skipping 27 matching lines @@
                 if (cwsName->data) {
                     rv = SECITEM_CopyItem(NULL, pwsName, cwsName);
                 }
                 ssl_ReleaseSpecWriteLock(ss);  /**************************/
                 if (rv != SECSuccess) {
                     errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
                     desc = internal_error;
                     ret = SSL_SNI_SEND_ALERT;
                     break;
                 }
-            } else if (ret < ss->xtnData.sniNameArrSize) {
+            } else if ((unsigned int)ret < ss->xtnData.sniNameArrSize) {
                 /* Application has configured new socket info. Lets check it
                  * and save the name. */
                 SECStatus       rv;
                 SECItem *       name = &ss->xtnData.sniNameArr[ret];
                 int             configedCiphers;
                 SECItem *       pwsName;
 
                 /* get rid of the old name and save the newly picked. */
                 /* This code is protected by ssl3HandshakeLock. */
                 ssl_GetSpecWriteLock(ss);  /*******************************/
@@ skipping 30 matching lines @@
                     ret = SSL_SNI_SEND_ALERT;
                     break;
                 }
                 /* Need to tell the client that application has picked
                  * the name from the offered list and reconfigured the socket.
                  */
                 ssl3_RegisterServerHelloExtensionSender(ss, ssl_server_name_xtn,
                                                         ssl3_SendServerNameXtn);
             } else {
                 /* Callback returned index outside of the boundary. */
-                PORT_Assert(ret < ss->xtnData.sniNameArrSize);
+                PORT_Assert((unsigned int)ret < ss->xtnData.sniNameArrSize);
                 errCode = SSL_ERROR_INTERNAL_ERROR_ALERT;
                 desc = internal_error;
                 ret = SSL_SNI_SEND_ALERT;
                 break;
             }
         } while (0);
         /* Free sniNameArr. The data that each SECItem in the array
          * points into is the data from the input buffer "b". It will
          * not be available outside the scope of this or it's child
          * functions.*/
@@ skipping 25 matching lines @@
     }
 #endif
 
     sid = ssl3_NewSessionID(ss, PR_TRUE);
     if (sid == NULL) {
         errCode = PORT_GetError();
         goto loser;     /* memory error is set. */
     }
     ss->sec.ci.sid = sid;
 
+    sid->u.ssl3.keys.extendedMasterSecretUsed =
+            ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn);
     ss->ssl3.hs.isResuming = PR_FALSE;
     ssl_GetXmitBufLock(ss);
     rv = ssl3_SendServerHelloSequence(ss);
     ssl_ReleaseXmitBufLock(ss);
     if (rv != SECSuccess) {
-        errCode = PORT_GetError();
-        goto loser;
+        errCode = PORT_GetError();
+        desc = handshake_failure;
+        goto alert_loser;
     }
 
     if (haveXmitBufLock) {
         ssl_ReleaseXmitBufLock(ss);
         haveXmitBufLock = PR_FALSE;
     }
 
     return SECSuccess;
 
 alert_loser:
@@ skipping 71 matching lines @@
     ss->clientHelloVersion = version;
 
     rv = ssl3_NegotiateVersion(ss, version, PR_TRUE);
     if (rv != SECSuccess) {
         /* send back which ever alert client will understand. */
         desc = (version > SSL_LIBRARY_VERSION_3_0) ? protocol_version
                                                    : handshake_failure;
         errCode = SSL_ERROR_UNSUPPORTED_VERSION;
         goto alert_loser;
     }
+    ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_version;
 
     rv = ssl3_InitHandshakeHashes(ss);
     if (rv != SECSuccess) {
         desc = internal_error;
         errCode = PORT_GetError();
         goto alert_loser;
     }
 
     /* if we get a non-zero SID, just ignore it. */
     if (length !=
@@ skipping 35 matching lines @@
     /* Select a cipher suite.
     **
     ** NOTE: This suite selection algorithm should be the same as the one in
     ** ssl3_HandleClientHello().
     **
     ** See the comments about export cipher suites in ssl3_HandleClientHello().
     */
     for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
         SSLVersionRange vrange = {ss->version, ss->version};
-        if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) {
+        if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange, ss)) {
             continue;
         }
         for (i = 0; i+2 < suite_length; i += 3) {
             PRUint32 suite_i = (suites[i] << 16)|(suites[i+1] << 8)|suites[i+2];
             if (suite_i == suite->cipher_suite) {
                 ss->ssl3.hs.cipher_suite = suite->cipher_suite;
                 ss->ssl3.hs.suite_def =
                     ssl_LookupCipherSuiteDef(ss->ssl3.hs.cipher_suite);
+                ss->ssl3.hs.preliminaryInfo |= ssl_preinfo_cipher_suite;
                 goto suite_found;
             }
         }
     }
     errCode = SSL_ERROR_NO_CYPHER_OVERLAP;
     goto alert_loser;
 
 suite_found:
 
     /* Look for the SCSV, and if found, treat it just like an empty RI 
@@ skipping 170 matching lines @@
         }
     }
     rv = ssl3_SetupPendingCipherSpec(ss);
     if (rv != SECSuccess) {
         return rv;      /* err set by ssl3_SetupPendingCipherSpec */
     }
 
     return SECSuccess;
 }
 
+static SECStatus
+ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
+                                SSLSignatureAndHashAlg* out);
+
+static SECStatus
+ssl3_SendDHServerKeyExchange(sslSocket *ss)
+{
+    const ssl3KEADef * kea_def = ss->ssl3.hs.kea_def;
+    SECStatus          rv = SECFailure;
+    int                length;
+    PRBool             isTLS;
+    SECItem            signed_hash = {siBuffer, NULL, 0};
+    SSL3Hashes         hashes;
+    SSLSignatureAndHashAlg sigAndHash;
+    SECKEYDHParams dhParam;
+
+    ssl3KeyPair *keyPair = NULL;
+    SECKEYPublicKey *pubKey = NULL; /* Ephemeral DH key */
+    SECKEYPrivateKey *privKey = NULL; /* Ephemeral DH key */
+    int certIndex = -1;
+
+    if (kea_def->kea != kea_dhe_dss && kea_def->kea != kea_dhe_rsa) {
+        /* TODO: Support DH_anon. It might be sufficient to drop the signature.
+           See bug 1170510. */
+        PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        return SECFailure;
+    }
+
+    dhParam.prime.data = ss->dheParams->prime.data;
+    dhParam.prime.len = ss->dheParams->prime.len;
+    dhParam.base.data = ss->dheParams->base.data;
+    dhParam.base.len = ss->dheParams->base.len;
+
+    PRINT_BUF(60, (NULL, "Server DH p", dhParam.prime.data,
+                   dhParam.prime.len));
+    PRINT_BUF(60, (NULL, "Server DH g", dhParam.base.data,
+                   dhParam.base.len));
+
+    /* Generate ephemeral DH keypair */
+    privKey = SECKEY_CreateDHPrivateKey(&dhParam, &pubKey, NULL);
+    if (!privKey || !pubKey) {
+        ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+        rv = SECFailure;
+        goto loser;
+    }
+
+    keyPair = ssl3_NewKeyPair(privKey, pubKey);
+    if (!keyPair) {
+        ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+        goto loser;
+    }
+
+    PRINT_BUF(50, (ss, "DH public value:",
+                   pubKey->u.dh.publicValue.data,
+                   pubKey->u.dh.publicValue.len));
+
+    if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
+        ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
+        goto loser;
+    }
+
+    rv = ssl3_ComputeDHKeyHash(sigAndHash.hashAlg,
+                               pubKey->u.dh.prime,
+                               pubKey->u.dh.base,
+                               pubKey->u.dh.publicValue,
+                               &ss->ssl3.hs.client_random,
+                               &ss->ssl3.hs.server_random,
+                               &hashes, ss->opt.bypassPKCS11);
+    if (rv != SECSuccess) {
+        ssl_MapLowLevelError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        goto loser;
+    }
+
+    /* It has been suggested to test kea_def->signKeyType instead, and to use
+     * ssl_auth_* instead. Investigate what to do. See bug 102794. */
+    if (kea_def->kea == kea_dhe_rsa)
+        certIndex = ssl_kea_rsa;
+    else
+        certIndex = ssl_kea_dh;
+
+    isTLS = (PRBool)(ss->ssl3.pwSpec->version > SSL_LIBRARY_VERSION_3_0);
+    rv = ssl3_SignHashes(&hashes, ss->serverCerts[certIndex].SERVERKEY,
+                         &signed_hash, isTLS);
+    if (rv != SECSuccess) {
+        goto loser;             /* ssl3_SignHashes has set err. */
+    }
+    if (signed_hash.data == NULL) {
+        PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
+        goto loser;
+    }
+    length = 2 + pubKey->u.dh.prime.len +
+        2 + pubKey->u.dh.base.len +
+        2 + pubKey->u.dh.publicValue.len +
+        2 + signed_hash.len;
+
+    if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+        length += 2;
+    }
+
+    rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
+    if (rv != SECSuccess) {
+        goto loser;     /* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.prime.data,
+                                      pubKey->u.dh.prime.len, 2);
+    if (rv != SECSuccess) {
+        goto loser;     /* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.base.data,
+                                      pubKey->u.dh.base.len, 2);
+    if (rv != SECSuccess) {
+        goto loser;     /* err set by AppendHandshake. */
+    }
+
+    rv = ssl3_AppendHandshakeVariable(ss, pubKey->u.dh.publicValue.data,
+                                      pubKey->u.dh.publicValue.len, 2);
+    if (rv != SECSuccess) {
+        goto loser;     /* err set by AppendHandshake. */
+    }
+
+    if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+        rv = ssl3_AppendSignatureAndHashAlgorithm(ss, &sigAndHash);
+        if (rv != SECSuccess) {
+            goto loser; /* err set by AppendHandshake. */
+        }
+    }
+
+    rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
+                                      signed_hash.len, 2);
+    if (rv != SECSuccess) {
+        goto loser;     /* err set by AppendHandshake. */
+    }
+    PORT_Free(signed_hash.data);
+    ss->dheKeyPair = keyPair;
+    return SECSuccess;
+
+loser:
+    if (signed_hash.data)
+        PORT_Free(signed_hash.data);
+    if (privKey)
+        SECKEY_DestroyPrivateKey(privKey);
+    if (pubKey)
+        SECKEY_DestroyPublicKey(pubKey);
+    return SECFailure;
+}
+
 /* ssl3_PickSignatureHashAlgorithm selects a hash algorithm to use when signing
  * elements of the handshake. (The negotiated cipher suite determines the
  * signature algorithm.) Prior to TLS 1.2, the MD5/SHA1 combination is always
  * used. With TLS 1.2, a client may advertise its support for signature and
  * hash combinations. */
 static SECStatus
 ssl3_PickSignatureHashAlgorithm(sslSocket *ss,
-                                SSL3SignatureAndHashAlgorithm* out)
+                                SSLSignatureAndHashAlg* out)
 {
-    TLSSignatureAlgorithm sigAlg;
+    SSLSignType sigAlg;
+    PRUint32 policy;
     unsigned int i, j;
-    /* hashPreference expresses our preferences for hash algorithms, most
-     * preferable first. */
-    static const SECOidTag hashPreference[] = {
-        SEC_OID_SHA256,
-        SEC_OID_SHA384,
-        SEC_OID_SHA512,
-        SEC_OID_SHA1,
-    };
 
     switch (ss->ssl3.hs.kea_def->kea) {
     case kea_rsa:
     case kea_rsa_export:
     case kea_rsa_export_1024:
     case kea_dh_rsa:
     case kea_dh_rsa_export:
     case kea_dhe_rsa:
     case kea_dhe_rsa_export:
     case kea_rsa_fips:
     case kea_ecdh_rsa:
     case kea_ecdhe_rsa:
-        sigAlg = tls_sig_rsa;
-        break;
+        sigAlg = ssl_sign_rsa;
+        break;
     case kea_dh_dss:
     case kea_dh_dss_export:
     case kea_dhe_dss:
     case kea_dhe_dss_export:
-        sigAlg = tls_sig_dsa;
-        break;
+        sigAlg = ssl_sign_dsa;
+        break;
     case kea_ecdh_ecdsa:
     case kea_ecdhe_ecdsa:
-        sigAlg = tls_sig_ecdsa;
-        break;
+        sigAlg = ssl_sign_ecdsa;
+        break;
     default:
-        PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-        return SECFailure;
+        PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+        return SECFailure;
     }
     out->sigAlg = sigAlg;
 
     if (ss->version <= SSL_LIBRARY_VERSION_TLS_1_1) {
-        /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
-         * prior. */
-        out->hashAlg = SEC_OID_UNKNOWN;
-        return SECSuccess;
+        /* SEC_OID_UNKNOWN means the MD5/SHA1 combo hash used in TLS 1.1 and
+         * prior. */
+        out->hashAlg = ssl_hash_none;
+        return SECSuccess;
     }
 
     if (ss->ssl3.hs.numClientSigAndHash == 0) {
-        /* If the client didn't provide any signature_algorithms extension then
-         * we can assume that they support SHA-1:
-         * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
-        out->hashAlg = SEC_OID_SHA1;
-        return SECSuccess;
+        /* If the client didn't provide any signature_algorithms extension then
+         * we can assume that they support SHA-1:
+         * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
+        out->hashAlg = ssl_hash_sha1;
+        return SECSuccess;
     }
 
-    for (i = 0; i < PR_ARRAY_SIZE(hashPreference); i++) {
-        for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
-            const SSL3SignatureAndHashAlgorithm* sh =
-                &ss->ssl3.hs.clientSigAndHash[j];
-            if (sh->sigAlg == sigAlg && sh->hashAlg == hashPreference[i]) {
-                out->hashAlg = sh->hashAlg;
-                return SECSuccess;
-            }
+    /* Here we look for the first server preference that the client has
+     * indicated support for in their signature_algorithms extension. */
+    for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
+        const SSLSignatureAndHashAlg *serverPref =
+                &ss->ssl3.signatureAlgorithms[i];
+        SECOidTag hashOID;
+        if (serverPref->sigAlg != sigAlg) {
+            continue;
+        }
+        hashOID = ssl3_TLSHashAlgorithmToOID(serverPref->hashAlg);
+        if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess)
+            || !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+            /* we ignore hashes we don't support */
+            continue;
         }
+        for (j = 0; j < ss->ssl3.hs.numClientSigAndHash; j++) {
+            const SSLSignatureAndHashAlg *clientPref =
+                &ss->ssl3.hs.clientSigAndHash[j];
+            if (clientPref->hashAlg == serverPref->hashAlg &&
+                clientPref->sigAlg == sigAlg) {
+                out->hashAlg = serverPref->hashAlg;
+                return SECSuccess;
+            }
+        }
     }
 
     PORT_SetError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
     return SECFailure;
 }
 
 
 static SECStatus
 ssl3_SendServerKeyExchange(sslSocket *ss)
 {
     const ssl3KEADef * kea_def     = ss->ssl3.hs.kea_def;
     SECStatus          rv          = SECFailure;
     int                length;
     PRBool             isTLS;
     SECItem            signed_hash = {siBuffer, NULL, 0};
     SSL3Hashes         hashes;
     SECKEYPublicKey *  sdPub;   /* public key for step-down */
-    SSL3SignatureAndHashAlgorithm sigAndHash;
+    SSLSignatureAndHashAlg sigAndHash;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send server_key_exchange handshake",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     if (ssl3_PickSignatureHashAlgorithm(ss, &sigAndHash) != SECSuccess) {
         return SECFailure;
     }
@@ skipping 26 matching lines @@
         }
         if (signed_hash.data == NULL) {
             /* how can this happen and rv == SECSuccess ?? */
             PORT_SetError(SSL_ERROR_SERVER_KEY_EXCHANGE_FAILURE);
             goto loser;
         }
         length = 2 + sdPub->u.rsa.modulus.len +
                  2 + sdPub->u.rsa.publicExponent.len +
                  2 + signed_hash.len;
 
+        if (ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+            length += 2;
+        }
+
         rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length);
         if (rv != SECSuccess) {
             goto loser;         /* err set by AppendHandshake. */
         }
 
         rv = ssl3_AppendHandshakeVariable(ss, sdPub->u.rsa.modulus.data,
                                           sdPub->u.rsa.modulus.len, 2);
         if (rv != SECSuccess) {
             goto loser;         /* err set by AppendHandshake. */
         }
@@ skipping 13 matching lines @@
         }
 
         rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
                                           signed_hash.len, 2);
         if (rv != SECSuccess) {
             goto loser;         /* err set by AppendHandshake. */
         }
         PORT_Free(signed_hash.data);
         return SECSuccess;
 
+    case ssl_kea_dh: {
+        rv = ssl3_SendDHServerKeyExchange(ss);
+        return rv;
+    }
+
 #ifndef NSS_DISABLE_ECC
     case kt_ecdh: {
         rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
         return rv;
     }
 #endif /* NSS_DISABLE_ECC */
 
-    case kt_dh:
     case kt_null:
     default:
         PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
         break;
     }
 loser:
     if (signed_hash.data != NULL) 
         PORT_Free(signed_hash.data);
     return SECFailure;
 }
 
+static SECStatus
+ssl3_EncodeCertificateRequestSigAlgs(sslSocket *ss, PRUint8 *buf,
+                                     unsigned maxLen, PRUint32 *len)
+{
+    unsigned int i;
+
+    PORT_Assert(maxLen >= ss->ssl3.signatureAlgorithmCount * 2);
+    if (maxLen < ss->ssl3.signatureAlgorithmCount * 2) {
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
+    *len = 0;
+    for (i = 0; i < ss->ssl3.signatureAlgorithmCount; ++i) {
+        const SSLSignatureAndHashAlg *alg = &ss->ssl3.signatureAlgorithms[i];
+        /* Note that we don't support a handshake hash with anything other than
+         * SHA-256, so asking for a signature from clients for something else
+         * would be inviting disaster. */
+        if (alg->hashAlg == ssl_hash_sha256) {
+            buf[(*len)++] = (PRUint8)alg->hashAlg;
+            buf[(*len)++] = (PRUint8)alg->sigAlg;
+        }
+    }
+
+    if (*len == 0) {
+        PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
 
 static SECStatus
 ssl3_SendCertificateRequest(sslSocket *ss)
 {
     PRBool         isTLS12;
     SECItem *      name;
     CERTDistNames *ca_list;
     const PRUint8 *certTypes;
-    const PRUint8 *sigAlgs;
     SECItem *      names        = NULL;
     SECStatus      rv;
     int            length;
     int            i;
     int            calen        = 0;
     int            nnames       = 0;
     int            certTypesLength;
-    int            sigAlgsLength;
+    PRUint8        sigAlgs[MAX_SIGNATURE_ALGORITHMS * 2];
+    unsigned int   sigAlgsLength = 0;
 
     SSL_TRC(3, ("%d: SSL3[%d]: send certificate_request handshake",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
 
     isTLS12 = (PRBool)(ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
 
     /* ssl3.ca_list is initialized to NULL, and never changed. */
     ca_list = ss->ssl3.ca_list;
     if (!ca_list) {
         ca_list = ssl3_server_ca_list;
     }
 
     if (ca_list != NULL) {
         names = ca_list->names;
         nnames = ca_list->nnames;
     }
 
     for (i = 0, name = names; i < nnames; i++, name++) {
         calen += 2 + name->len;
     }
 
     certTypes       = certificate_types;
     certTypesLength = sizeof certificate_types;
-    sigAlgs         = supported_signature_algorithms;
-    sigAlgsLength   = sizeof supported_signature_algorithms;
 
     length = 1 + certTypesLength + 2 + calen;
     if (isTLS12) {
-        length += 2 + sigAlgsLength;
+        rv = ssl3_EncodeCertificateRequestSigAlgs(ss, sigAlgs, sizeof(sigAlgs),
+                                                  &sigAlgsLength);
+        if (rv != SECSuccess) {
+            return rv;
+        }
+        length += 2 + sigAlgsLength;
     }
 
     rv = ssl3_AppendHandshakeHeader(ss, certificate_request, length);
     if (rv != SECSuccess) {
         return rv;              /* err set by AppendHandshake. */
     }
     rv = ssl3_AppendHandshakeVariable(ss, certTypes, certTypesLength, 1);
     if (rv != SECSuccess) {
         return rv;              /* err set by AppendHandshake. */
     }
@@ skipping 45 matching lines @@
  */
 static SECStatus
 ssl3_HandleCertificateVerify(sslSocket *ss, SSL3Opaque *b, PRUint32 length,
                              SSL3Hashes *hashes)
 {
     SECItem              signed_hash = {siBuffer, NULL, 0};
     SECStatus            rv;
     int                  errCode     = SSL_ERROR_RX_MALFORMED_CERT_VERIFY;
     SSL3AlertDescription desc        = handshake_failure;
     PRBool               isTLS, isTLS12;
-    SSL3SignatureAndHashAlgorithm sigAndHash;
+    SSLSignatureAndHashAlg sigAndHash;
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle certificate_verify handshake",
                 SSL_GETPID(), ss->fd));
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
     isTLS12 = (PRBool)(ss->ssl3.prSpec->version >= SSL_LIBRARY_VERSION_TLS_1_2);
 
     if (ss->ssl3.hs.ws != wait_cert_verify) {
         desc    = unexpected_message;
         errCode = SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY;
         goto alert_loser;
     }
 
+    if (!hashes) {
+        PORT_Assert(0);
+        desc    = internal_error;
+        errCode = SEC_ERROR_LIBRARY_FAILURE;
+        goto alert_loser;
+    }
+
     if (isTLS12) {
         rv = ssl3_ConsumeSignatureAndHashAlgorithm(ss, &b, &length,
                                                    &sigAndHash);
         if (rv != SECSuccess) {
             goto loser; /* malformed or unsupported. */
         }
         rv = ssl3_CheckSignatureAndHashAlgorithmConsistency(
-                &sigAndHash, ss->sec.peerCert);
+            ss, &sigAndHash, ss->sec.peerCert);
         if (rv != SECSuccess) {
             errCode = PORT_GetError();
             desc = decrypt_error;
             goto alert_loser;
         }
 
         /* We only support CertificateVerify messages that use the handshake
          * hash. */
-        if (sigAndHash.hashAlg != hashes->hashAlg) {
+        if (sigAndHash.hashAlg != hashes->hashAlg) {
             errCode = SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM;
             desc = decrypt_error;
             goto alert_loser;
         }
     }
 
     rv = ssl3_ConsumeHandshakeVariable(ss, &signed_hash, 2, &b, &length);
     if (rv != SECSuccess) {
         goto loser;             /* malformed. */
     }
@@ skipping 110 matching lines @@
  * the failure must occur.
  *
  * Called from ssl3_HandleClientKeyExchange
  */
 static SECStatus
 ssl3_HandleRSAClientKeyExchange(sslSocket *ss,
                                 SSL3Opaque *b,
                                 PRUint32 length,
                                 SECKEYPrivateKey *serverKey)
 {
-    PK11SymKey *      pms;
 #ifndef NO_PKCS11_BYPASS
     unsigned char *   cr     = (unsigned char *)&ss->ssl3.hs.client_random;
     unsigned char *   sr     = (unsigned char *)&ss->ssl3.hs.server_random;
     ssl3CipherSpec *  pwSpec = ss->ssl3.pwSpec;
     unsigned int      outLen = 0;
+    PRBool            isTLS  = PR_FALSE;
+    SECItem           pmsItem = {siBuffer, NULL, 0};
+    unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
 #endif
-    PRBool            isTLS  = PR_FALSE;
     SECStatus         rv;
     SECItem           enc_pms;
-    unsigned char     rsaPmsBuf[SSL3_RSA_PMS_LENGTH];
-    SECItem           pmsItem = {siBuffer, NULL, 0};
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     PORT_Assert( ss->ssl3.prSpec == ss->ssl3.pwSpec );
 
     enc_pms.data = b;
     enc_pms.len  = length;
+#ifndef NO_PKCS11_BYPASS
     pmsItem.data = rsaPmsBuf;
     pmsItem.len  = sizeof rsaPmsBuf;
+#endif
 
     if (ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0) { /* isTLS */
         PRInt32 kLen;
         kLen = ssl3_ConsumeHandshakeNumber(ss, 2, &enc_pms.data, &enc_pms.len);
         if (kLen < 0) {
             PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
             return SECFailure;
         }
         if ((unsigned)kLen < enc_pms.len) {
             enc_pms.len = kLen;
         }
+#ifndef NO_PKCS11_BYPASS
         isTLS = PR_TRUE;
+#endif
     } else {
+#ifndef NO_PKCS11_BYPASS
         isTLS = (PRBool)(ss->ssl3.hs.kea_def->tls_keygen != 0);
+#endif
     }
 
 #ifndef NO_PKCS11_BYPASS
     if (ss->opt.bypassPKCS11) {
+        /* We have not implemented a tls_ExtendedMasterKeyDeriveBypass
+         * and will not negotiate this extension in bypass mode. This
+         * assert just double-checks that.
+         */
+        PORT_Assert(
+            !ssl3_ExtensionNegotiated(ss, ssl_extended_master_secret_xtn));
+
         /* TRIPLE BYPASS, get PMS directly from RSA decryption.
          * Use PK11_PrivDecryptPKCS1 to decrypt the PMS to a buffer, 
          * then, check for version rollback attack, then 
          * do the equivalent of ssl3_DeriveMasterSecret, placing the MS in 
          * pwSpec->msItem.  Finally call ssl3_InitPendingCipherSpec with 
          * ss and NULL, so that it will use the MS we've already derived here. 
          */
 
         rv = PK11_PrivDecryptPKCS1(serverKey, rsaPmsBuf, &outLen, 
                                    sizeof rsaPmsBuf, enc_pms.data, enc_pms.len);
         if (rv != SECSuccess) {
             /* triple bypass failed.  Let's try for a double bypass. */
             goto double_bypass;
         } else if (ss->opt.detectRollBack) {
             SSL3ProtocolVersion client_version = 
                                          (rsaPmsBuf[0] << 8) | rsaPmsBuf[1];
 
             if (IS_DTLS(ss)) {
                 client_version = dtls_DTLSVersionToTLSVersion(client_version);
             }
 
             if (client_version != ss->clientHelloVersion) {
                 /* Version roll-back detected. ensure failure.  */
                 rv = PK11_GenerateRandom(rsaPmsBuf, sizeof rsaPmsBuf);
             }
         }
         /* have PMS, build MS without PKCS11 */
-        rv = ssl3_MasterKeyDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
-                                        PR_TRUE);
+        rv = ssl3_MasterSecretDeriveBypass(pwSpec, cr, sr, &pmsItem, isTLS, 
+                                           PR_TRUE);
         if (rv != SECSuccess) {
             pwSpec->msItem.data = pwSpec->raw_master_secret;
             pwSpec->msItem.len  = SSL3_MASTER_SECRET_LENGTH;
             PK11_GenerateRandom(pwSpec->msItem.data, pwSpec->msItem.len);
         }
         rv = ssl3_InitPendingCipherSpec(ss,  NULL);
     } else 
 #endif
     {
+        PK11SymKey *tmpPms[2] = {NULL, NULL};
+        PK11SlotInfo *slot;
+        int useFauxPms = 0;
+#define currentPms tmpPms[!useFauxPms]
+#define unusedPms  tmpPms[useFauxPms]
+#define realPms    tmpPms[1]
+#define fauxPms    tmpPms[0]
+
 #ifndef NO_PKCS11_BYPASS
 double_bypass:
 #endif
-        /*
-         * unwrap pms out of the incoming buffer
-         * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do 
-         *      the unwrap.  Rather, it is the mechanism with which the 
-         *      unwrapped pms will be used.
-         */
-        pms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
-                                   CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
-        if (pms != NULL) {
-            PRINT_BUF(60, (ss, "decrypted premaster secret:",
-                           PK11_GetKeyData(pms)->data,
-                           PK11_GetKeyData(pms)->len));
-        } else {
-            /* unwrap failed. Generate a bogus PMS and carry on. */
-            PK11SlotInfo *  slot   = PK11_GetSlotFromPrivateKey(serverKey);
 
-            ssl_GetSpecWriteLock(ss);
-            pms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
-            ssl_ReleaseSpecWriteLock(ss);
-            PK11_FreeSlot(slot);
-        }
+        /*
+         * Get as close to algorithm 2 from RFC 5246; Section 7.4.7.1
+         * as we can within the constraints of the PKCS#11 interface.
+         *
+         * 1. Unconditionally generate a bogus PMS (what RFC 5246
+         *    calls R).
+         * 2. Attempt the RSA decryption to recover the PMS (what
+         *    RFC 5246 calls M).
+         * 3. Set PMS = (M == NULL) ? R : M
+         * 4. Use ssl3_ComputeMasterSecret(PMS) to attempt to derive
+         *    the MS from PMS. This includes performing the version
+         *    check and length check.
+         * 5. If either the initial RSA decryption failed or
+         *    ssl3_ComputeMasterSecret(PMS) failed, then discard
+         *    M and set PMS = R. Else, discard R and set PMS = M.
+         *
+         * We do two derivations here because we can't rely on having
+         * a function that only performs the PMS version and length
+         * check. The only redundant cost is that this runs the PRF,
+         * which isn't necessary here.
+         */
 
-        if (pms == NULL) {
-            /* last gasp.  */
+        /* Generate the bogus PMS (R) */
+        slot = PK11_GetSlotFromPrivateKey(serverKey);
+        if (!slot) {
+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+            return SECFailure;
+        }
+
+        if (!PK11_DoesMechanism(slot, CKM_SSL3_MASTER_KEY_DERIVE)) {
+            PK11_FreeSlot(slot);
+            slot = PK11_GetBestSlot(CKM_SSL3_MASTER_KEY_DERIVE, NULL);
+            if (!slot) {
+                PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+                return SECFailure;
+            }
+        }
+
+        ssl_GetSpecWriteLock(ss);
+        fauxPms = ssl3_GenerateRSAPMS(ss, ss->ssl3.prSpec, slot);
+        ssl_ReleaseSpecWriteLock(ss);
+        PK11_FreeSlot(slot);
+
+        if (fauxPms == NULL) {
             ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
             return SECFailure;
         }
 
+        /*
+         * unwrap pms out of the incoming buffer
+         * Note: CKM_SSL3_MASTER_KEY_DERIVE is NOT the mechanism used to do
+         *      the unwrap.  Rather, it is the mechanism with which the
+         *      unwrapped pms will be used.
+         */
+        realPms = PK11_PubUnwrapSymKey(serverKey, &enc_pms,
+                                          CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0);
+        /* Temporarily use the PMS if unwrapping the real PMS fails. */
+        useFauxPms |= (realPms == NULL);
+
+        /* Attempt to derive the MS from the PMS. This is the only way to
+         * check the version field in the RSA PMS. If this fails, we
+         * then use the faux PMS in place of the PMS. Note that this
+         * operation should never fail if we are using the faux PMS
+         * since it is correctly formatted. */
+        rv = ssl3_ComputeMasterSecret(ss, currentPms, NULL);
+
+        /* If we succeeded, then select the true PMS and discard the
+         * FPMS. Else, select the FPMS and select the true PMS */
+        useFauxPms |= (rv != SECSuccess);
+
+        if (unusedPms) {
+            PK11_FreeSymKey(unusedPms);
+        }
+
         /* This step will derive the MS from the PMS, among other things. */
-        rv = ssl3_InitPendingCipherSpec(ss,  pms);
-        PK11_FreeSymKey(pms);
+        rv = ssl3_InitPendingCipherSpec(ss, currentPms);
+        PK11_FreeSymKey(currentPms);
     }
 
     if (rv != SECSuccess) {
         SEND_ALERT
         return SECFailure; /* error code set by ssl3_InitPendingCipherSpec */
     }
+
+#undef currentPms
+#undef unusedPms
+#undef realPms
+#undef fauxPms
+
     return SECSuccess;
 }
 
+static SECStatus
+ssl3_HandleDHClientKeyExchange(sslSocket *ss,
+                               SSL3Opaque *b,
+                               PRUint32 length,
+                               SECKEYPublicKey *srvrPubKey,
+                               SECKEYPrivateKey *serverKey)
+{
+    PK11SymKey            *pms;
+    SECStatus              rv;
+    SECKEYPublicKey        clntPubKey;
+    CK_MECHANISM_TYPE   target;
+    PRBool                 isTLS;
+
+    PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
+    PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
+    PORT_Assert( srvrPubKey );
+
+    clntPubKey.keyType = dhKey;
+    clntPubKey.u.dh.prime.len = srvrPubKey->u.dh.prime.len;
+    clntPubKey.u.dh.prime.data = srvrPubKey->u.dh.prime.data;
+    clntPubKey.u.dh.base.len = srvrPubKey->u.dh.base.len;
+    clntPubKey.u.dh.base.data = srvrPubKey->u.dh.base.data;
+
+    rv = ssl3_ConsumeHandshakeVariable(ss, &clntPubKey.u.dh.publicValue,
+                                       2, &b, &length);
+    if (rv != SECSuccess) {
+        goto loser;
+    }
+
+    isTLS = (PRBool)(ss->ssl3.prSpec->version > SSL_LIBRARY_VERSION_3_0);
+
+    if (isTLS) target = CKM_TLS_MASTER_KEY_DERIVE_DH;
+    else target = CKM_SSL3_MASTER_KEY_DERIVE_DH;
+
+    /*  Determine the PMS */
+    pms = PK11_PubDerive(serverKey, &clntPubKey, PR_FALSE, NULL, NULL,
+                         CKM_DH_PKCS_DERIVE, target, CKA_DERIVE, 0, NULL);
+    if (pms == NULL) {
+        ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
+        goto loser;
+    }
+
+    rv = ssl3_InitPendingCipherSpec(ss,  pms);
+    PK11_FreeSymKey(pms); pms = NULL;
+
+loser:
+    if (ss->dheKeyPair) {
+        ssl3_FreeKeyPair(ss->dheKeyPair);
+        ss->dheKeyPair = NULL;
+    }
+    return rv;
+}
+
 
 /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete
  * ssl3 ClientKeyExchange message from the remote client
  * Caller must hold Handshake and RecvBuf locks.
  */
 static SECStatus
 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECKEYPrivateKey *serverKey         = NULL;
     SECStatus         rv;
     const ssl3KEADef *kea_def;
     ssl3KeyPair     *serverKeyPair      = NULL;
-#ifndef NSS_DISABLE_ECC
     SECKEYPublicKey *serverPubKey       = NULL;
-#endif /* NSS_DISABLE_ECC */
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
                 SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_client_key) {
         SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
         return SECFailure;
     }
 
     kea_def   = ss->ssl3.hs.kea_def;
 
     if (ss->ssl3.hs.usedStepDownKey) {
          PORT_Assert(kea_def->is_limited /* XXX OR cert is signing only */
                  && kea_def->exchKeyType == kt_rsa 
                  && ss->stepDownKeyPair != NULL);
          if (!kea_def->is_limited  ||
               kea_def->exchKeyType != kt_rsa ||
               ss->stepDownKeyPair == NULL) {
                 /* shouldn't happen, don't use step down if it does */
                 goto skip;
          }
         serverKeyPair = ss->stepDownKeyPair;
         ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
     } else 
 skip:
+    if (kea_def->kea == kea_dhe_dss ||
+        kea_def->kea == kea_dhe_rsa) {
+        if (ss->dheKeyPair) {
+            serverKeyPair = ss->dheKeyPair;
+            if (serverKeyPair->pubKey) {
+                ss->sec.keaKeyBits =
+                    SECKEY_PublicKeyStrengthInBits(serverKeyPair->pubKey);
+            }
+        }
+    } else
 #ifndef NSS_DISABLE_ECC
     /* XXX Using SSLKEAType to index server certifiates
      * does not work for (EC)DHE ciphers. Until we have
      * an indexing mechanism general enough for all key
      * exchange algorithms, we'll need to deal with each
      * one seprately.
      */
     if ((kea_def->kea == kea_ecdhe_rsa) ||
                (kea_def->kea == kea_ecdhe_ecdsa)) {
         if (ss->ephemeralECDHKeyPair != NULL) {
@@ skipping 25 matching lines @@
 
     switch (kea_def->exchKeyType) {
     case kt_rsa:
         rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
         if (rv != SECSuccess) {
             SEND_ALERT
             return SECFailure;  /* error code set */
         }
         break;
 
+    case ssl_kea_dh:
+        if (ss->dheKeyPair && ss->dheKeyPair->pubKey) {
+            serverPubKey = ss->dheKeyPair->pubKey;
+        }
+        if (!serverPubKey) {
+            PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE);
+            return SECFailure;
+        }
+        rv = ssl3_HandleDHClientKeyExchange(ss, b, length,
+                                            serverPubKey, serverKey);
+        if (rv != SECSuccess) {
+            SSL3_SendAlert(ss, alert_fatal, handshake_failure);
+            return SECFailure;  /* error code set */
+        }
+        break;
 
 #ifndef NSS_DISABLE_ECC
     case kt_ecdh:
         /* XXX We really ought to be able to store multiple
          * EC certs (a requirement if we wish to support both
          * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
          * When we make that change, we'll need an index other
          * than kt_ecdh to pick the right EC certificate.
          */
         if (serverKeyPair) {
@@ skipping 609 matching lines @@
 
 static SECStatus
 ssl3_AuthCertificate(sslSocket *ss)
 {
     SECStatus        rv;
     PRBool           isServer   = (PRBool)(!!ss->sec.isServer);
     int              errCode;
 
     ss->ssl3.hs.authCertificatePending = PR_FALSE;
 
+    PORT_Assert((ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) ==
+                ssl_preinfo_all);
     /*
      * Ask caller-supplied callback function to validate cert chain.
      */
     rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd,
                                            PR_TRUE, isServer);
     if (rv) {
         errCode = PORT_GetError();
         if (rv != SECWouldBlock) {
             if (ss->handleBadCert) {
                 rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd);
@@ skipping 24 matching lines @@
         CERTCertificate *cert = ss->sec.peerCert;
 
         /* set the server authentication and key exchange types and sizes
         ** from the value in the cert.  If the key exchange key is different,
         ** it will get fixed when we handle the server key exchange message.
         */
         SECKEYPublicKey * pubKey  = CERT_ExtractPublicKey(cert);
         ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
         ss->sec.keaType       = ss->ssl3.hs.kea_def->exchKeyType;
         if (pubKey) {
+            KeyType pubKeyType;
+            PRInt32  minKey;
             ss->sec.keaKeyBits = ss->sec.authKeyBits =
                 SECKEY_PublicKeyStrengthInBits(pubKey);
-#ifndef NSS_DISABLE_ECC
-            if (ss->sec.keaType == kt_ecdh) {
-                /* Get authKeyBits from signing key.
-                 * XXX The code below uses a quick approximation of
-                 * key size based on cert->signatureWrap.signature.data
-                 * (which contains the DER encoded signature). The field
-                 * cert->signatureWrap.signature.len contains the
-                 * length of the encoded signature in bits.
-                 */
-                if (ss->ssl3.hs.kea_def->kea == kea_ecdh_ecdsa) {
-                    ss->sec.authKeyBits = 
-                        cert->signatureWrap.signature.data[3]*8;
-                    if (cert->signatureWrap.signature.data[4] == 0x00)
-                            ss->sec.authKeyBits -= 8;
-                    /* 
-                     * XXX: if cert is not signed by ecdsa we should
-                     * destroy pubKey and goto bad_cert
-                     */
-                } else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
-                    ss->sec.authKeyBits = cert->signatureWrap.signature.len;
-                    /* 
-                     * XXX: if cert is not signed by rsa we should
-                     * destroy pubKey and goto bad_cert
-                     */
+            pubKeyType = SECKEY_GetPublicKeyType(pubKey);
+            minKey = ss->sec.authKeyBits;
+            switch (pubKeyType) {
+            case rsaKey:
+            case rsaPssKey:
+            case rsaOaepKey:
+                rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minKey);
+                if (rv != SECSuccess) {
+                    minKey = SSL_RSA_MIN_MODULUS_BITS;
                 }
+                break;
+            case dsaKey:
+                rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minKey);
+                if (rv != SECSuccess) {
+                    minKey = SSL_DSA_MIN_P_BITS;
+                }
+                break;
+            case dhKey:
+                rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minKey);
+                if (rv != SECSuccess) {
+                    minKey = SSL_DH_MIN_P_BITS;
+                }
+                break;
+            default:
+                break;
             }
-#endif /* NSS_DISABLE_ECC */
+
+            /* Too small: not good enough. Send a fatal alert. */
+            /* We aren't checking EC here on the understanding that we only
+             * support curves we like, a decision that might need revisiting. */
+            if ( ss->sec.authKeyBits < minKey) {
+                PORT_SetError(SSL_ERROR_WEAK_SERVER_CERT_KEY);
+                (void)SSL3_SendAlert(ss, alert_fatal,
+                                     ss->version >= SSL_LIBRARY_VERSION_TLS_1_0
+                                     ? insufficient_security
+                                     : illegal_parameter);
+                SECKEY_DestroyPublicKey(pubKey);
+                return SECFailure;
+            }
             SECKEY_DestroyPublicKey(pubKey); 
             pubKey = NULL;
         }
 
-        if (ss->ssl3.hs.kea_def->ephemeral) {
+        /* Ephemeral suites require ServerKeyExchange. Export cipher suites
+         * with RSA key exchange also require ServerKeyExchange if the
+         * authentication key exceeds the key size limit. */
+        if (ss->ssl3.hs.kea_def->ephemeral ||
+            (ss->ssl3.hs.kea_def->is_limited &&
+             ss->ssl3.hs.kea_def->exchKeyType == ssl_kea_rsa &&
+             ss->sec.authKeyBits > ss->ssl3.hs.kea_def->key_size_limit)) {
             ss->ssl3.hs.ws = wait_server_key; /* require server_key_exchange */
         } else {
             ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
         }
     } else {
         ss->ssl3.hs.ws = wait_client_key;
     }
 
     PORT_Assert(rv == SECSuccess);
     if (rv != SECSuccess) {
@@ skipping 91 matching lines @@
 
     return rv;
 }
 
 static SECStatus
 ssl3_ComputeTLSFinished(ssl3CipherSpec *spec,
                         PRBool          isServer,
                 const   SSL3Hashes   *  hashes,
                         TLSFinished  *  tlsFinished)
 {
-    const char * label;
-    unsigned int len;
-    SECStatus    rv;
+    SECStatus rv;
+    CK_TLS_MAC_PARAMS tls_mac_params;
+    SECItem param = {siBuffer, NULL, 0};
+    PK11Context *prf_context;
+    unsigned int retLen;
 
-    label = isServer ? "server finished" : "client finished";
-    len   = 15;
+    if (!spec->master_secret || spec->bypassCiphers) {
+        const char *label = isServer ? "server finished" : "client finished";
+        unsigned int len = 15;
 
-    rv = ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
-        hashes->len, tlsFinished->verify_data,
-        sizeof tlsFinished->verify_data);
+        return ssl3_TLSPRFWithMasterSecret(spec, label, len, hashes->u.raw,
+            hashes->len, tlsFinished->verify_data,
+            sizeof tlsFinished->verify_data);
+    }
+
+    if (spec->version < SSL_LIBRARY_VERSION_TLS_1_2) {
+        tls_mac_params.prfMechanism = CKM_TLS_PRF;
+    } else {
+        tls_mac_params.prfMechanism = CKM_SHA256;
+    }
+    tls_mac_params.ulMacLength = 12;
+    tls_mac_params.ulServerOrClient = isServer ? 1 : 2;
+    param.data = (unsigned char *)&tls_mac_params;
+    param.len = sizeof(tls_mac_params);
+    prf_context = PK11_CreateContextBySymKey(CKM_TLS_MAC, CKA_SIGN,
+                                             spec->master_secret, &param);
+    if (!prf_context)
+        return SECFailure;
+
+    rv  = PK11_DigestBegin(prf_context);
+    rv |= PK11_DigestOp(prf_context, hashes->u.raw, hashes->len);
+    rv |= PK11_DigestFinal(prf_context, tlsFinished->verify_data, &retLen,
+                           sizeof tlsFinished->verify_data);
+    PORT_Assert(rv != SECSuccess || retLen == sizeof tlsFinished->verify_data);
+
+    PK11_DestroyContext(prf_context, PR_TRUE);
 
     return rv;
 }
 
 /* The calling function must acquire and release the appropriate
  * lock (e.g., ssl_GetSpecReadLock / ssl_ReleaseSpecReadLock for
  * ss->ssl3.crSpec).
  */
 SECStatus
 ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec, const char *label,
@@ skipping 497 matching lines @@
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle finished handshake",
         SSL_GETPID(), ss->fd));
 
     if (ss->ssl3.hs.ws != wait_finished) {
         SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNEXPECTED_FINISHED);
         return SECFailure;
     }
 
+    if (!hashes) {
+        PORT_Assert(0);
+        SSL3_SendAlert(ss, alert_fatal, internal_error);
+        PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+        return SECFailure;
+    }
+
     isTLS = (PRBool)(ss->ssl3.crSpec->version > SSL_LIBRARY_VERSION_3_0);
     if (isTLS) {
         TLSFinished tlsFinished;
 
         if (length != sizeof tlsFinished) {
             (void)SSL3_SendAlert(ss, alert_fatal, decode_error);
             PORT_SetError(SSL_ERROR_RX_MALFORMED_FINISHED);
             return SECFailure;
         }
         rv = ssl3_ComputeTLSFinished(ss->ssl3.crSpec, !isServer, 
@@ skipping 35 matching lines @@
         (!isServer && ss->ssl3.hs.isResuming)) {
         PRInt32 flags = 0;
 
         /* Send a NewSessionTicket message if the client sent us
          * either an empty session ticket, or one that did not verify.
          * (Note that if either of these conditions was met, then the
          * server has sent a SessionTicket extension in the
          * ServerHello message.)
          */
         if (isServer && !ss->ssl3.hs.isResuming &&
-            ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn)) {
+            ssl3_ExtensionNegotiated(ss, ssl_session_ticket_xtn) &&
+            ssl3_KEAAllowsSessionTicket(ss->ssl3.hs.suite_def->key_exchange_alg)) {
             /* RFC 5077 Section 3.3: "In the case of a full handshake, the
              * server MUST verify the client's Finished message before sending
              * the ticket." Presumably, this also means that the client's
              * certificate, if any, must be verified beforehand too.
              */
             rv = ssl3_SendNewSessionTicket(ss);
             if (rv != SECSuccess) {
                 goto xmit_loser;
             }
         }
@@ skipping 32 matching lines @@
             goto xmit_loser;    /* err is set. */
         }
     }
 
 xmit_loser:
     ssl_ReleaseXmitBufLock(ss); /*************************************/
     if (rv != SECSuccess) {
         return rv;
     }
 
-    if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa) {
+    if (ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
+        ss->ssl3.hs.kea_def->kea == kea_dhe_rsa) {
         effectiveExchKeyType = kt_rsa;
     } else {
         effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
     }
 
     if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
         /* fill in the sid */
         sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
         sid->u.ssl3.compression = ss->ssl3.hs.compression;
         sid->u.ssl3.policy      = ss->ssl3.policy;
@@ skipping 99 matching lines @@
 /* Called from ssl3_HandleHandshake() when it has gathered a complete ssl3
  * hanshake message.
  * Caller must hold Handshake and RecvBuf locks.
  */
 SECStatus
 ssl3_HandleHandshakeMessage(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECStatus         rv        = SECSuccess;
     SSL3HandshakeType type      = ss->ssl3.hs.msg_type;
     SSL3Hashes        hashes;   /* computed hashes are put here. */
+    SSL3Hashes       *hashesPtr = NULL;  /* Set when hashes are computed */
     PRUint8           hdr[4];
     PRUint8           dtlsData[8];
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
     /*
      * We have to compute the hashes before we update them with the
      * current message.
      */
     ssl_GetSpecReadLock(ss);    /************************************/
-    if((type == finished) || (type == certificate_verify)) {
+    if(((type == finished) && (ss->ssl3.hs.ws == wait_finished)) ||
+       ((type == certificate_verify) && (ss->ssl3.hs.ws == wait_cert_verify))) {
         SSL3Sender      sender = (SSL3Sender)0;
         ssl3CipherSpec *rSpec  = ss->ssl3.prSpec;
 
         if (type == finished) {
             sender = ss->sec.isServer ? sender_client : sender_server;
             rSpec  = ss->ssl3.crSpec;
         }
         rv = ssl3_ComputeHandshakeHashes(ss, rSpec, &hashes, sender);
+        if (rv == SECSuccess) {
+            hashesPtr = &hashes;
+        }
     }
     ssl_ReleaseSpecReadLock(ss); /************************************/
     if (rv != SECSuccess) {
         return rv;      /* error code was set by ssl3_ComputeHandshakeHashes*/
     }
     SSL_TRC(30,("%d: SSL3[%d]: handle handshake message: %s", SSL_GETPID(),
                 ss->fd, ssl3_DecodeHandshakeType(ss->ssl3.hs.msg_type)));
 
     hdr[0] = (PRUint8)ss->ssl3.hs.msg_type;
     hdr[1] = (PRUint8)(length >> 16);
@@ skipping 130 matching lines @@
             return SECFailure;
         }
         rv = ssl3_HandleServerHelloDone(ss);
         break;
     case certificate_verify:
         if (!ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CERT_VERIFY);
             return SECFailure;
         }
-        rv = ssl3_HandleCertificateVerify(ss, b, length, &hashes);
+        rv = ssl3_HandleCertificateVerify(ss, b, length, hashesPtr);
         break;
     case client_key_exchange:
         if (!ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CLIENT_KEY_EXCH);
             return SECFailure;
         }
         rv = ssl3_HandleClientKeyExchange(ss, b, length);
         break;
     case new_session_ticket:
         if (ss->sec.isServer) {
             (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
             PORT_SetError(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET);
             return SECFailure;
         }
         rv = ssl3_HandleNewSessionTicket(ss, b, length);
         break;
     case finished:
-        rv = ssl3_HandleFinished(ss, b, length, &hashes);
+        rv = ssl3_HandleFinished(ss, b, length, hashesPtr);
         break;
     default:
         (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message);
         PORT_SetError(SSL_ERROR_RX_UNKNOWN_HANDSHAKE);
         rv = SECFailure;
     }
 
     if (IS_DTLS(ss) && (rv != SECFailure)) {
         /* Increment the expected sequence number */
         ss->ssl3.hs.recvMessageSeq++;
@@ skipping 34 matching lines @@
             if (ss->ssl3.hs.header_bytes++ == 0)
                 ss->ssl3.hs.msg_type = (SSL3HandshakeType)t;
             else
                 ss->ssl3.hs.msg_len = (ss->ssl3.hs.msg_len << 8) + t;
             if (ss->ssl3.hs.header_bytes < 4)
                 continue;
 
 #define MAX_HANDSHAKE_MSG_LEN 0x1ffff   /* 128k - 1 */
             if (ss->ssl3.hs.msg_len > MAX_HANDSHAKE_MSG_LEN) {
                 (void)ssl3_DecodeError(ss);
-                PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG);
+                PORT_SetError(SSL_ERROR_RX_MALFORMED_HANDSHAKE);
                 return SECFailure;
             }
 #undef MAX_HANDSHAKE_MSG_LEN
 
             /* If msg_len is zero, be sure we fall through, 
             ** even if buf->len is zero. 
             */
             if (ss->ssl3.hs.msg_len > 0) 
                 continue;
         }
@@ skipping 280 matching lines @@
     ssl3CipherSpec *     crSpec;
     SECStatus            rv;
     unsigned int         hashBytes = MAX_MAC_LENGTH + 1;
     PRBool               isTLS;
     SSL3ContentType      rType;
     SSL3Opaque           hash[MAX_MAC_LENGTH];
     SSL3Opaque           givenHashBuf[MAX_MAC_LENGTH];
     SSL3Opaque          *givenHash;
     sslBuffer           *plaintext;
     sslBuffer            temp_buf;
-    PRUint64             dtls_seq_num;
+    PRUint64             dtls_seq_num = 0;
     unsigned int         ivLen = 0;
     unsigned int         originalLen = 0;
     unsigned int         good;
     unsigned int         minLength;
     unsigned char        header[13];
     unsigned int         headerLen;
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
 
     if (!ss->ssl3.initialized) {
@@ skipping 460 matching lines @@
         return SECSuccess;      /* Function should be idempotent */
 
     ss->ssl3.policy = SSL_ALLOWED;
 
     ssl_GetSpecWriteLock(ss);
     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
     ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
     ss->ssl3.hs.sendingSCSV = PR_FALSE;
     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
+    ss->ssl3.hs.preliminaryInfo = 0;
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
 #ifndef NSS_DISABLE_ECC
     ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss);
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     if (IS_DTLS(ss)) {
@@ skipping 53 matching lines @@
     PRInt32 newCount =  PR_ATOMIC_DECREMENT(&keyPair->refCount);
     if (!newCount) {
         if (keyPair->privKey)
             SECKEY_DestroyPrivateKey(keyPair->privKey);
         if (keyPair->pubKey)
             SECKEY_DestroyPublicKey( keyPair->pubKey);
         PORT_Free(keyPair);
     }
 }
 
-
-
 /*
  * Creates the public and private RSA keys for SSL Step down.
  * Called from SSL_ConfigSecureServer in sslsecur.c
  */
 SECStatus
 ssl3_CreateRSAStepDownKeys(sslSocket *ss)
 {
     SECStatus             rv     = SECSuccess;
     SECKEYPrivateKey *    privKey;              /* RSA step down key */
     SECKEYPublicKey *     pubKey;               /* RSA step down key */
@@ skipping 11 matching lines @@
         if (!privKey || !pubKey ||
             !(ss->stepDownKeyPair = ssl3_NewKeyPair(privKey, pubKey))) {
             ssl_MapLowLevelError(SEC_ERROR_KEYGEN_FAIL);
             rv = SECFailure;
         }
     }
 #endif
     return rv;
 }
 
-
 /* record the export policy for this cipher suite */
 SECStatus
 ssl3_SetPolicy(ssl3CipherSuite which, int policy)
 {
     ssl3CipherSuiteCfg *suite;
 
     suite = ssl_LookupCipherSuiteCfg(which, cipherSuites);
     if (suite == NULL) {
         return SECFailure; /* err code was set by ssl_LookupCipherSuiteCfg */
     }
@@ skipping 81 matching lines @@
         rv     = SECSuccess;
     } else {
         pref   = SSL_NOT_ALLOWED;
         rv     = SECFailure;    /* err code was set by Lookup. */
     }
     *enabled = pref;
     return rv;
 }
 
 SECStatus
+SSL_SignaturePrefSet(PRFileDesc *fd, const SSLSignatureAndHashAlg *algorithms,
+                     unsigned int count)
+{
+    sslSocket *ss;
+    unsigned int i;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SignaturePrefSet",
+                 SSL_GETPID(), fd));
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (!count || count > MAX_SIGNATURE_ALGORITHMS) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    ss->ssl3.signatureAlgorithmCount = 0;
+    for (i = 0; i < count; ++i) {
+        if (!ssl3_IsSupportedSignatureAlgorithm(&algorithms[i])) {
+            SSL_DBG(("%d: SSL[%d]: invalid signature algorithm set %d/%d",
+                     SSL_GETPID(), fd, algorithms[i].sigAlg,
+                     algorithms[i].hashAlg));
+            continue;
+        }
+
+        ss->ssl3.signatureAlgorithms[ss->ssl3.signatureAlgorithmCount++] =
+                algorithms[i];
+    }
+
+    if (ss->ssl3.signatureAlgorithmCount == 0) {
+        PORT_SetError(SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+SECStatus
+SSL_SignaturePrefGet(PRFileDesc *fd, SSLSignatureAndHashAlg *algorithms,
+                     unsigned int *count, unsigned int maxCount)
+{
+    sslSocket *ss;
+    unsigned int requiredSpace;
+
+    ss = ssl_FindSocket(fd);
+    if (!ss) {
+        SSL_DBG(("%d: SSL[%d]: bad socket in SSL_SignaturePrefGet",
+                 SSL_GETPID(), fd));
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    if (!algorithms || !count ||
+        maxCount < ss->ssl3.signatureAlgorithmCount) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
+    }
+
+    requiredSpace =
+            ss->ssl3.signatureAlgorithmCount * sizeof(SSLSignatureAndHashAlg);
+    PORT_Memcpy(algorithms, ss->ssl3.signatureAlgorithms, requiredSpace);
+    *count = ss->ssl3.signatureAlgorithmCount;
+    return SECSuccess;
+}
+
+unsigned int
+SSL_SignatureMaxCount() {
+    return MAX_SIGNATURE_ALGORITHMS;
+}
+
+SECStatus
 ssl3_CipherOrderSet(sslSocket *ss, const ssl3CipherSuite *ciphers, unsigned int len)
 {
     /* |i| iterates over |ciphers| while |done| and |j| iterate over
      * |ss->cipherSuites|. */
     unsigned int i, done;
 
     for (i = done = 0; i < len; i++) {
         PRUint16 id = ciphers[i];
         unsigned int existingIndex, j;
         PRBool found = PR_FALSE;
@@ skipping 24 matching lines @@
     }
 
     return SECSuccess;
 }
 
 /* copy global default policy into socket. */
 void
 ssl3_InitSocketPolicy(sslSocket *ss)
 {
     PORT_Memcpy(ss->cipherSuites, cipherSuites, sizeof cipherSuites);
+    PORT_Memcpy(ss->ssl3.signatureAlgorithms, defaultSignatureAlgorithms,
+                sizeof(defaultSignatureAlgorithms));
+    ss->ssl3.signatureAlgorithmCount = PR_ARRAY_SIZE(defaultSignatureAlgorithms);
 }
 
 SECStatus
 ssl3_GetTLSUniqueChannelBinding(sslSocket *ss,
                                 unsigned char *out,
                                 unsigned int *outLen,
                                 unsigned int outLenMax) {
     PRBool       isTLS;
     int          index = 0;
     unsigned int len;
@@ skipping 69 matching lines @@
         return SECSuccess;
     }
     if (cs == NULL) {
         *size = count_cipher_suites(ss, SSL_ALLOWED, PR_TRUE);
         return SECSuccess;
     }
 
     /* ssl3_config_match_init was called by the caller of this function. */
     for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) {
         ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i];
-        if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) {
+        if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange, ss)) {
             if (cs != NULL) {
                 *cs++ = 0x00;
                 *cs++ = (suite->cipher_suite >> 8) & 0xFF;
                 *cs++ =  suite->cipher_suite       & 0xFF;
             }
             count++;
         }
     }
     *size = count;
     return SECSuccess;
@@ skipping 113 matching lines @@
     ssl3_DestroyCipherSpec(&ss->ssl3.specs[1], PR_TRUE/*freeSrvName*/);
 
     /* Destroy the DTLS data */
     if (IS_DTLS(ss)) {
         dtls_FreeHandshakeMessages(&ss->ssl3.hs.lastMessageFlight);
         if (ss->ssl3.hs.recvdFragments.buf) {
             PORT_Free(ss->ssl3.hs.recvdFragments.buf);
         }
     }
 
+    if (ss->ssl3.dheGroups) {
+        PORT_Free(ss->ssl3.dheGroups);
+    }
+
     ss->ssl3.initialized = PR_FALSE;
 
     SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
 }
 
 /* End of ssl3con.c */