Bug 1572593 - Reset advertised extensions in ssl_ConstructExtensions …

…r=mt,kjacobs

Reset the list of advertised extensions before sending a new set.

This reverts the changes of https://hg.mozilla.org/projects/nss/rev/1ca362213631d6edc885b6b965b52ecffcf29afd

Differential Revision: https://phabricator.services.mozilla.com/D41302

--HG--
extra : moz-landing-system : lando

gtests/ssl_gtest/tls_agent.cc

@@ -249,10 +249,6 @@ bool TlsAgent::EnsureTlsSetup(PRFileDesc* modelSocket) {
     if (rv != SECSuccess) return false;
   }
 
-  ScopedCERTCertList anchors(CERT_NewCertList());
-  rv = SSL_SetTrustAnchors(ssl_fd(), anchors.get());
-  if (rv != SECSuccess) return false;
-
   if (role_ == SERVER) {
     EXPECT_TRUE(ConfigServerCert(name_, true));
 
@@ -325,7 +321,7 @@ void TlsAgent::SetupClientAuth() {
                                       reinterpret_cast<void*>(this)));
 }
 
-void CheckCertReqAgainstDefaultCAs(const CERTDistNames* caNames) {
+static void CheckCertReqAgainstDefaultCAs(const CERTDistNames* caNames) {
   ScopedCERTDistNames expected(CERT_GetSSLCACerts(nullptr));
 
   ASSERT_EQ(expected->nnames, caNames->nnames);
@@ -344,8 +340,7 @@ SECStatus TlsAgent::GetClientAuthDataHook(void* self, PRFileDesc* fd,
   ScopedCERTCertificate peerCert(SSL_PeerCertificate(agent->ssl_fd()));
   EXPECT_TRUE(peerCert) << "Client should be able to see the server cert";
 
-  // See bug 1457716
-  // CheckCertReqAgainstDefaultCAs(caNames);
+  CheckCertReqAgainstDefaultCAs(caNames);
 
   ScopedCERTCertificate cert;
   ScopedSECKEYPrivateKey priv;

lib/ssl/ssl3ext.c

@@ -714,6 +714,9 @@ ssl_ConstructExtensions(sslSocket *ss, sslBuffer *buf, SSLHandshakeType message)
 
     PORT_Assert(buf->len == 0);
 
+    /* Clear out any extensions previously advertised */
+    ss->xtnData.numAdvertised = 0;
+
     switch (message) {
         case ssl_hs_client_hello:
             if (ss->vrange.max > SSL_LIBRARY_VERSION_3_0) {