Uprev NSS (in libssl) to NSS 3.21

net/third_party/nss/ssl/sslsecur.c

Index: net/third_party/nss/ssl/sslsecur.c
diff --git a/net/third_party/nss/ssl/sslsecur.c b/net/third_party/nss/ssl/sslsecur.c
index 00ab455b56cdba5a512ced839c81722b6e2a38d8..b4b8e9558b1ed194b514a0818f3f856885bcf8a3 100644
--- a/net/third_party/nss/ssl/sslsecur.c
+++ b/net/third_party/nss/ssl/sslsecur.c
@@ -138,6 +138,9 @@ ssl_FinishHandshake(sslSocket *ss)
     ss->gs.readOffset  = 0;
 
     if (ss->handshakeCallback) {
+      PORT_Assert(ss->version < SSL_LIBRARY_VERSION_3_0 ||
+                  (ss->ssl3.hs.preliminaryInfo & ssl_preinfo_all) ==
+                  ssl_preinfo_all);
 	(ss->handshakeCallback)(ss->fd, ss->handshakeCallbackData);
     }
 }
@@ -654,6 +657,16 @@ DoRecv(sslSocket *ss, unsigned char *out, int len, int flags)
 		     SSL_GETPID(), ss->fd, available));
     }
 
+    if (IS_DTLS(ss) && (len < available)) {
+        /* DTLS does not allow you to do partial reads */
+        SSL_TRC(30, ("%d: SSL[%d]: DTLS short read. len=%d available=%d",
+                     SSL_GETPID(), ss->fd, len, available));
+        ss->gs.readOffset += available;
+        PORT_SetError(SSL_ERROR_RX_SHORT_DTLS_READ);
+        rv = SECFailure;
+        goto done;
+    }
+
     /* Dole out clear data to reader */
     amount = PR_MIN(len, available);
     PORT_Memcpy(out, ss->gs.buf.buf + ss->gs.readOffset, amount);
@@ -693,6 +706,7 @@ NSS_FindCertKEAType(CERTCertificate * cert)
   case SEC_OID_PKCS1_RSA_ENCRYPTION:
     keaType = kt_rsa;
     break;
+  case SEC_OID_ANSIX9_DSA_SIGNATURE: /* hah, signature, not a key? */
   case SEC_OID_X942_DIFFIE_HELMAN_KEY:
     keaType = kt_dh;
     break;
@@ -789,6 +803,11 @@ ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
             goto loser;
         }
     }
+    if (kea == ssl_kea_dh || kea == ssl_kea_rsa) {
+        if (ssl3_SelectDHParams(ss) != SECSuccess) {
+            goto loser;
+        }
+     }
     return SECSuccess;
 
 loser:
@@ -1177,11 +1196,8 @@ ssl_SecureShutdown(sslSocket *ss, int nsprHow)
 int
 ssl_SecureRecv(sslSocket *ss, unsigned char *buf, int len, int flags)
 {
-    sslSecurityInfo *sec;
     int              rv   = 0;
 
-    sec = &ss->sec;
-
     if (ss->shutdownHow & ssl_SHUTDOWN_RCV) {
 	PORT_SetError(PR_SOCKET_SHUTDOWN_ERROR);
     	return PR_FAILURE;